Updates from: 07/14/2021 03:11:32
Category | Microsoft Docs article | Related commit history on GitHub | Change details
admin Office 365 Groups Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/office-365-groups-ww.md
The Microsoft 365 **Reports** dashboard shows you the activity overview across t
## How to get to the groups report
-1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
+1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
+ 2. From the dashboard homepage, click on the **View more** button on the Active users - Microsoft 365 Apps or the Active users - Microsoft 365 Services card to get to the Office 365 report page. ## Interpret the groups report
-You can view the activations in the Office 365 report by choosing the **Groups activity** tab.<br/>![Microsoft 365 reports - Microsoft Office 365 groups activity.](../../media/ab90e30b-8938-4110-ab3d-ee472a4cfe21.png)
+You can view the activations in the Office 365 report by choosing the **Groups activity** tab.
+
-Select **Choose columns** to add or remove columns from the report. <br/> ![Office 365 groups activity report - choose columns](../../media/1600556a-f5f1-47d9-b325-cd77c78f4004.png)
+Select **Choose columns** to add or remove columns from the report.
+ You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. If you have less than 2000 users, you can sort and filter within the table in the report itself. If you have more than 2000 users, in order to filter and sort, you will need to export the data.
-|Item|Description|
+|Metric|Definition|
|:--|:--|
-|**Metric**|**Definition**|
-|Group name <br/> |The name of the group. <br/> |
-|Deleted <br/> |The number of deleted groups. If the group is deleted, but had activity in the reporting period it will show up in the grid with this flag set to true. <br/> |
-|Group owner <br/> |The name of the group owner. <br/> |
-|Last activity date (UTC) <br/> |The latest date a message was received by the group. - This is the latest date an activity happened in an email conversation, Yammer, or the Site. <br/> |
-|Type <br/> |The type of group. This can be private or public group. <br/> |
-|Emails received in Exchange <br/> |The number of messages received by the group.|
-|Emails in Exchange (total) <br/> |The total number of items in the group's mailbox. <br/> |
-|Mailbox storage used for Exchange (MB) <br/> |The storage used by the group's mailbox. <br/>|
-|SharePoint files (total) <br/> |The number of files stored in SharePoint group sites. <br/> |
-|SharePoint files (active) <br/> |The number of files in the SharePoint group site that were acted on (viewed or modified, synched , shared internally or externally) during the reporting period. <br/> |
-|Total site storage used for SharePoint (MB) <br/> |The amount of storage in MB used during the reporting period. <br/> |
-|Messages in Yammer (posted) <br/> |The number of messages posted in the Yammer group over the reporting period. <br/> |
-|Messages in Yammer (read) <br/> |The number of conversations read in the Yammer group over the reporting period. <br/> |
-|Messages in Yammer (liked) <br/> |The number of messages liked in the Yammer group over the reporting period. <br/> |
-|Members <br/> |The number of members in the group. <br/> |
+|Group name |The name of the group. |
+|Deleted |The number of deleted groups. If the group is deleted, but had activity in the reporting period it will show up in the grid with this flag set to true. |
+|Group owner |The name of the group owner. |
+|Last activity date (UTC) |The latest date a message was received by the group. - This is the latest date an activity happened in an email conversation, Yammer, or the Site. |
+|Type |The type of group. This can be private or public group. |
+|Emails received in Exchange |The number of messages received by the group.|
+|Emails in Exchange (total) |The total number of items in the group's mailbox. |
+|Mailbox storage used for Exchange (MB) |The storage used by the group's mailbox. |
+|SharePoint files (total) |The number of files stored in SharePoint group sites. |
+|SharePoint files (active) |The number of files in the SharePoint group site that were acted on (viewed or modified, synched , shared internally or externally) during the reporting period. |
+|Total site storage used for SharePoint (MB) |The amount of storage in MB used during the reporting period. |
+|Messages in Yammer (posted) |The number of messages posted in the Yammer group over the reporting period. |
+|Messages in Yammer (read) |The number of conversations read in the Yammer group over the reporting period. |
+|Messages in Yammer (liked) |The number of messages liked in the Yammer group over the reporting period. |
+|Members |The number of members in the group. |
|External members |The number of external users in the group.|
-|||
+ ## Related content
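Review bot: the added step 2 and the "## Interpret the groups report" heading share a single line (the line beginning "+ 2. From the dashboard homepage"), so the heading will render as the tail of the list item; put "## Interpret the groups report" on its own line with a blank line before it. Two defects are carried over from the old table instead of being fixed by the rewrite: the "Last activity date (UTC)" row still has the dangling " - " before "This is the latest date", and "SharePoint files (active)" still reads "synched ," with a space before the comma. Folding the bold "Metric"/"Definition" row into the real header row and dropping the "<br/>" tags is the right fix, and removing the trailing empty "|||" row is consistent with it. In the export paragraph, "If you have less than 2000 users" should be "fewer than", and the paragraph talks about "data of all users" although this is the groups report; confirm that the 2000-row threshold stated here is the one that applies to this report.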
admin Content Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/productivity/content-collaboration.md
Understand how many users are attaching physical files in email rather than link
- Numerator: The number of people who attach files to email that weren't saved to OneDrive or SharePoint within the last 28 days. - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both within the last 28 days. - **Links to online files:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represent the percentage of people using attachments and attaching links to files in emails.
- - Numerator: The number of people attaching links to online files (saved to OneDrive or SharePoint) to emails within the last 28 days.
+ - Numerator: The number of people attaching links to online files to emails within the last 28 days.
- Denominator: The number of people who have access to Exchange and OneDrive, SharePoint, or both within the last 28 days. 4. **Link to resources:** Select this link to view help content.
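Review bot: dropping "(saved to OneDrive or SharePoint)" from the "Links to online files" numerator makes it inconsistent with the "Attachments" numerator just above, which still defines its population as files "that weren't saved to OneDrive or SharePoint"; either keep the qualifier so the two numerators remain complements of each other, or reword both the same way and say what "online files" means. Separately, the "Denominator" bullet and "4. **Link to resources:**" sit on one line, so the numbered item will not render as its own step; break it onto a new line.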
business-video Move From Google Workspace Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/moveto-microsoft-365/move-from-google-workspace-overview.md
Complete the following steps to move your data, email, and users from Google Wor
|Step 5 | [Install Office apps and Microsoft Teams](../install-office.md).</br> All the people who have Microsoft 365 licenses should install the Office apps on their work devices.| |Step 6 | [Migrate everyone's email and calendar items](migrate-email.md).</br> In this step you will run an Exchange Online migration to move everyone's email, calendar, and contacts from Google Workspace. | |Step 7 | [Connect domain to Microsoft 365](connect-domain-tom365.md). </br> After you connect the domain email will start going to Microsoft 365, and all your Microsoft 365 services will work.|
-|Step 8|Use [Mover to move everyone's data](mover-migrate-files.md) from Drive to OneDrive and from shared Drives to Team sites.</br> In this step, all the data in personal and shared Drives is copied and moved to Microsoft 365.|
+|Step 8|Use [Migration Manager to move everyone's data](/sharepointmigration/mm-google-overview) from Drive to OneDrive and from shared Drives to Team sites.</br> In this step, all the data in personal and shared Drives is copied and moved to Microsoft 365.|
|Step 9| [Discontinue Google Workspace](cancel-google.md) but keep your domain. </br> If Google manages your domain, you can keep it there even after you discontinue your Google Workspace subscription. You can also choose to move it to another DNS host if you want.|
-|||
+
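Review bot: the new Step 8 link "/sharepointmigration/mm-google-overview" is a root-relative path into a different docset, while every other step in the table links to a relative .md file (for example "migrate-email.md"); that is the expected form for a cross-docset link, but confirm the build resolves it, because a broken link here leaves the Drive-to-OneDrive step with no guidance at all. The description "is copied and moved to Microsoft 365" was kept verbatim; "copied" and "moved" say different things about whether data remains in Drive, and that matters for the tenant deciding when it is safe to discontinue Google Workspace in Step 9, so choose one. Steps 5 through 7 are also run together on one table line, which is worth tidying while this row is being edited.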
compliance App Governance Anomaly Detection Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-anomaly-detection-alerts.md
+
+ Title: "Investigate anomaly detection alerts"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Investigate anomaly detection alerts."
++
+# Investigate anomaly detection alerts
+
+ Microsoft app governance provides security detections and alerts for malicious activities. The purpose of this guide is to provide you with general and practical information on each alert, to help with your investigation and remediation tasks. Included in this guide is general information about the conditions for triggering alerts. Because anomaly detections are non-deterministic by nature, they're only triggered when there's behavior that deviates from the norm. Finally, some alerts may be in preview, so regularly review the official documentation for updated alert status.
+
+## MITRE ATT&CK
+
+To make it easier to map the relationship between Microsoft app governance alerts and the familiar MITRE ATT&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT&CK tactic. This additional reference makes it easier to understand the suspected attacks technique potentially in use when Microsoft Application Security and Governance alert is triggered.
+
+This guide provides information about investigating and remediating Microsoft app governance alerts in the following categories.
+
+- Initial Access
+- Execution
+- Persistence
+- Privilege Escalation
+- Defense Evasion
+- Credential Access
+- Collection
+- Exfiltration
+- Impact
+
+## Security alert classifications
+
+Following proper investigation, all Microsoft app governance alerts can be classified as one of the following activity types:
+
+- True positive (TP): An alert on a confirmed malicious activity.
+- Benign true positive (B-TP): An alert on suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
+- False positive (FP): An alert on a non-malicious activity.
+
+## General investigation steps
+
+Use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
+
+- Review the App severity level and compare with the rest of the app in your tenant. This review will help you identify which Apps in your tenant pose the greater risk.
+- If you identify a TP, review all the App activities to gain an understanding of the impact. For example, review the following App information:
+
+ - Scopes granted access
+ - Unusual behavior
+ - IP address and location
+
+## Initial access alerts
+
+This section describes alerts indicating that a malicious app may be attempting to maintain their foothold in your organization.
+
+### Encoded app name with suspicious consent scopes
+
+**Severity:** Medium
+
+**Description**: This detection identifies OAuth apps with characters, such as Unicode or Encoded characters, requested for suspicious consent scopes and that accessed users mail folders through the Graph API. This alert can indicate an attempt to camouflage a malicious app as a known and trusted app so that adversaries can mislead the users into consenting to the malicious app.
+
+**TP or FP?**
+
+- **TP**: If you can confirm that the OAuth app has Encoded the display name with suspicious scopes delivered from unknown source, then a true positive is indicated.
+
+ **Recommended action**: Review the level of permission requested by this app and which users granted access. Based on your investigation you can choose to ban access to this app.
+
+ To ban access to the app, on the OAuth apps page, on the row in which the app you want to ban appears, select the ban icon. You can choose whether you want to tell users the app they installed and authorized has been banned. The notification lets users know the app will be disabled and they will not have access to the connected app. If you do not want them to know, unselect Notify users who granted access to this banned app in the dialog. We recommend that you let the app users know their app is about to be banned from use.
+
+- **FP**: If you are to confirm that the app has an encoded name but has a legitimate business use in the organization.
+
+ **Recommended action**: Dismiss the alert.
+
+#### Understand the scope of the breach
+
+Follow the tutorial on how to [investigate risky OAuth apps](/cloud-app-security/investigate-risky-oauth).
+
+### OAuth App with read Scopes have suspicious Reply URL
+
+**Severity**: Medium
+
+**Description**: This detection identifies an OAuth app with only Read scopes such as User.Read, People.Read, Contacts.Read, Mail.Read, Contacts.Read.Shared redirects to suspicious Reply URL through Graph API. This activity attempts to indicate that malicious app with less privilege permission (such as Read scopes) could be exploited to conduct users account reconnaissance.
+
+**TP or FP?**
+
+- **TP**: If youΓÇÖre able to confirm that the OAuth app with read scope is delivered from an unknown source, and redirects to a suspicious URL, then a true positive is indicated.
+
+ **Recommended action**: Review the Reply URL and scopes requested by the app. Based on your investigation you can choose to ban access to this app. Review the level of permission requested by this app and which users have granted access.
+
+ To ban access to the app, on the OAuth apps page, on the row in which the app you want to ban appears, select the ban icon. You can choose whether you want to tell users the app they installed and authorized has been banned. The notification lets users know the app will be disabled and they will not have access to the connected app. If you do not want them to know, unselect Notify users who granted access to this banned app in the dialog. We recommend that you let the app users know their app is about to be banned from use.
+
+- **B-TP**: If after investigation, you can confirm that the app has a legitimate business use in the organization.
+
+ **Recommended action**: Dismiss the alert.
+
+#### Understand the scope of the breach
+
+1. Review all activities done by the app.
+1. If you suspect that an app is suspicious, we recommend that you investigate the appΓÇÖs name and Reply URL in different app stores. When checking app stores, focus on the following types of apps:
+ - Apps that have been created recently.
+ - Apps with a suspicious Reply URL
+ - Apps that haven't been recently updated. Lack of updates might indicate the app is no longer supported.
+1. If you still suspect that an app is suspicious, you can research the app name, publisher name, and reply URL online
+
+## Persistence alerts
+
+This section describes alerts indicating that a malicious actor may be attempting to maintain their foothold in your organization.
+
+### App with Suspicious OAuth scope creates Inbox Rule
+
+**Severity**: Medium
+
+**MITRE IDΓÇÖs**: T1137.005, T1114
+
+This detection identifies an OAuth App that consented to suspicious scopes, creates a suspicious inbox rule, and then accessed users mail folders and messages through the Graph API. Inbox rules, such as forwarding all or specific emails to another email account, and Graph calls to access emails and send to another email account, may be an attempt to exfiltrate information from your organization.
+
+**TP or FP?**
+
+- **TP**: If you can confirm that inbox rule was created by an OAuth third-party app with suspicious scopes delivered from an unknown source, then a true positive is indicated.
+
+ **Recommended action**: Disable and remove the app, reset the password, and remove the inbox rule.
+
+ Follow the tutorial on how to Reset a password using Azure Active Directory and follow the tutorial on how to remove the inbox rule.
+
+- **FP**: If you can confirm that app created an inbox rule to a new or personal external email account for legitimate reasons.
+
+ **Recommended action**: Dismiss the alert.
+
+#### Understand the scope of the breach
+
+1. Review all activities done by the app.
+1. Review the scopes granted by the app.
+1. Review the inbox rule action and condition created by the app.
+
+## Collection alerts
+
+This section describes alerts indicating that a malicious actor may be attempting to gather data of interest to their goal from your organization.
+
+### App made anomalous Graph calls to read e-mail
+
+**Severity**: Medium
+
+**MITRE ID**: T1114
+
+This detection identifies when Line of Business (LOB) OAuth App accesses an unusual and high volume of user's mail folders and messages through the Graph API, which can indicate an attempted breach of your organization.
+
+**TP or FP?**
+
+- **TP**: If you can confirm that the unusual graph activity was performed by the Line of Business (LOB) OAuth App, then a true positive is indicated.
+
+ **Recommend actions**: Temporarily disable the app and reset the password and then re-enable the app.
+
+ Follow the tutorial on how to Reset a password using Azure Active Directory.
+
+- **FP**: If you can confirm that the app is intended to do unusually high volume of graph calls.
+
+ **Recommended action**: Dismiss the alert.
+
+#### Understand the scope of the breach
+
+1. Review the activity log for events performed by this app to gain a better understanding of other Graph activities to read emails and attempt to collect users sensitive email information.
+1. Monitor for unexpected credential being added to the app.
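Review bot: the "Initial access alerts" section is introduced with the Persistence wording ("a malicious app may be attempting to maintain their foothold in your organization"), the same sentence that opens "Persistence alerts"; the two alerts in that section detect apps that try to trick users into consenting, so the intro should describe gaining entry rather than keeping it. Further points in this file: the "## MITRE ATT&CK" list names nine tactics, but the document only has Initial access, Persistence and Collection sections, so either trim the list or state that the other categories are not covered yet; the YAML front matter looks malformed (a " Title:" key with a leading space and capital T, "++" where the "---" delimiters belong, and no author or ms.* fields); several lines carry a mis-encoded apostrophe ("youΓÇÖre", "appΓÇÖs", "MITRE IDΓÇÖs") that should be a plain apostrophe; the recommended actions for "App with Suspicious OAuth scope creates Inbox Rule" and "App made anomalous Graph calls to read e-mail" say "reset the password" and point to "the tutorial on how to Reset a password using Azure Active Directory" without a link and without saying whose password is meant (the app itself has none, so presumably the affected users' credentials), whereas the first alert does link its tutorial; and "If you are to confirm", "Recommend actions", "unexpected credential being added" and the missing period after "reply URL online" are wording slips.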
compliance App Governance App Policies Create https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-app-policies-create.md
+
+ Title: "Create app policies"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Create app policies."
++
+# Create app policies
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+Along with a built-in set of capabilities to detect anomalous app behavior and generate alerts, app policies in Microsoft app governance are a way for you to:
+
+- Specify conditions by which app governance can alert you to app behavior for automatic or manual remediation.
+- Implement the app compliance policies for your organization.
+
+You can create app policies from provided templates that can be customized, or you can create your own custom app policy.
+
+To create a new app policy, go to **Microsoft 365 Compliance Center > App protection & governance > Overview page > Policies**:
+
+- To create a new app policy with templates designed for app usage, select **Create policy** under **Create an app usage policy**.
+- To create a new app policy with templates designed for app permissions, select **Create policy** under **Create a permissions policy**.
+- To create a new app policy for app certification or for a custom policy, select **Create new**.
+
+## App policy templates
+
+To create a new app policy based on an app policy template, on the **Choose App policy template page**, select a category of app template, select the name of the template, and then select **Next**.
+
+App governance has three categories of app policy templates.
+
+### App users and data access
+
+App governance includes these templates to generate alerts for app usage.
+
+| Template name | Description |
+|:-|:--|
+| New app with a high volume of data access | Highlights any recently registered apps with high volume data access to ensure those data patterns are expected. <br><br> By default, this policy will flag all apps that have been registered in the last 7 days and that have had more than 1 GB in data access over that period. This policy can be customized with more conditions and actions. |
+|||
+
+### App Permissions
+
+App governance includes these templates to generate alerts for app permissions.
+
+| Template name | Description |
+|:-|:--|
+| Overprivileged apps | Highlights any apps with more granted permissions than are being used by those apps to identify opportunities for potential permission reduction. <br><br> By default, this policy will flag all apps that are marked as Overprivileged if not used for 90 days. This time period filter can be customized with more conditions and actions. |
+| New app with high-privilege permissions | Highlights all new apps with high privilege permissions to identify potential high-footprint apps that may need further investigation. <br><br> By default, this policy will flag all apps registered within the last 7 days that have high-scoped permissions. |
+|||
+
+### App certification
+
+App governance includes these templates to generate alerts for app certification.
+
+| Template name | Description |
+|:-|:--|
+| New uncertified app | Highlights new apps that haven't been through the app certification process to ensure that they are expected in the tenant. <br><br> By default, this policy will flag all apps that were registered in the last 7 days and are uncertified. |
+|||
+
+## Custom app policies
+
+Use a custom app policy when you need to do something not already done by one of the built-in templates.
+
+To create a new custom app policy, first select **Create new** on the **Policies** page. On the **Choose App policy template page**, select the **Custom** category, the **Custom policy** template, and then select **Next**.
+
+On the **Name and description** page, configure the following:
+
+- Policy Name
+
+- Policy Description
+
+- Select the policy severity, which sets the severity of alerts generated by this policy.
+
+ - High
+ - Medium
+ - Low
+
+On the **Choose Policy settings and conditions** page, for **Choose which apps this policy is applicable for**, select:
+
+- All Apps
+- Choose specific apps
+
+ A pane allows you to select one or more apps.
+ Select **Add**.
+
+Select **Next**.
+
+On the **Choose Policy settings and conditions** page, select **Set new conditions for policy**, and then select **Next**.
+
+The **Create rule** pane allows you to select conditions for a new rule. Select **Add condition** and select from the list of conditions, and then specify the value of the condition. You can add multiple conditions.
+
+Here are the available conditions for a custom app policy.
+
+|Condition | Condition values accepted | More information |
+|:-|:--|:-|
+| App registration age | Within last X days | |
+| App certification | Basic compliance, MCAS Compliance, or N/A | [Microsoft 365 Certification](https://docs.microsoft.com/microsoft-365-app-certification/docs/enterprise-app-certification-guide) |
+| Publisher verification | Yes or No | [Publisher Verification](https://docs.microsoft.com/azure/active-directory/develop/publisher-verification-overview) |
+| Application Permission | Select one or more API permission from list | [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) |
+| Delegated Permission | Select one or more API permission from list | [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) |
+| High privilege | Yes or No | This is an internal designation based on the same logic used by MCAS. |
+| Overprivileged app | Yes or No | Apps with more granted permissions than are being used by those apps. |
+| App data access | Greater than X GB data access per hour | |
+| App data access trend | X% increase in data usage in last 7 days | |
+| App API Access | Greater than X API calls per hour | |
+| App API Access trend | X% increase in API Calls in last 7 days | |
+| Users consented | (Greater than or Less than) X consented users | |
+| Priority user consented | Yes or No | A user with a [priority account](https://docs.microsoft.com/microsoft-365/admin/setup/priority-accounts). |
+| App consented by | Select user(s) from list | |
+| Consenting userΓÇÖs role | Select one or more: Teams Administrator, Directory Readers, Security Reader, Compliance Administrator, Security Administrator, Helpdesk Administrator, SharePoint Administrator, Exchange Administrator, Global Reader, Global Administrator, Compliance Data Administrator, User Administrator, Service Support Administrator | Multiple selections allowed. <br><br> Any Azure AD role with assigned member should be made available in this list. |
+| Workload accessed | OneDrive and/or SharePoint and/or Exchange | Multiple selections allowed. |
+| Error rate | Error rate is greater than X% in the last 7 days, where X is an admin-defined value | |
+||||
+
+<!--
+NOTE TO WRITER: Replace X in the above table with correct values.
+-->
+
+All of the specified conditions must be met for this app policy to apply.
+
+When you are done specifying the conditions, select **Save**, and then select **Next**.
+
+On the **Define Policy Actions** page, select **Disable app** if you want app governance to disable the app when an alert based on this policy is generated, and then select **Next**.
+
+On the **Define Policy Status** page, select one of these options:
+
+- **Audit mode**: Policies are evaluated but configured actions will not occur. Audit mode policies appear with the status of **Audit** in the list of policies.
+- **Active**: Policies are evaluated and configured actions will occur.
+- **Inactive**: Policies are not evaluated and configured actions will not occur.
+
+<!--
+## Configure a user-based policy
+
+## Create an app metadata-based policy
+
+Publish metadata-based policies
+
+## Configure access permissions
+-->
+
+## Test and monitor your new app policy
+
+Now that your app policy is created, you should monitor it on the **Policies** page to ensure it is registering an expected number of active alerts and total alerts during testing.
+
+![The MAPG policies summary page in the Microsoft 365 Compliance Center with a highlighted policy](..\media\manage-app-protection-governance\mapg-cc-policies-policy.png)
+
+If the number of alerts is an unexpectedly low value, edit the settings of the app policy to ensure you've configured it correctly before setting its status.
+
+Here is an example of a process for creating a new policy, testing it, and then making it active:
+
+1. Create the new policy with severity, apps, conditions, and actions set to initial values and the status set to **Audit mode**.
+2. Check for expected behavior, such as alerts generated.
+3. If the behavior is not expected, edit the policy apps, conditions, and action settings as needed and go back to step 2.
+4. If the behavior is expected, edit the policy and change its status to **Active**.
+
+![The create app policy workflow](../media/manage-app-protection-governance/mapg-create-new-policy-process.png)
+
+## Next step
+
+[Manage your app policies.](app-governance-app-policies-manage.md)
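Review bot: the HTML comment "NOTE TO WRITER: Replace X in the above table with correct values." is still in the source, and the conditions table above it still uses "X" placeholders (for example "Within last X days" and "Greater than X GB data access per hour"); either the X is intentional because the admin supplies the value, in which case the "Error rate" row already has the right phrasing ("where X is an admin-defined value") and the note should be deleted, or the values must be filled in before this publishes. Likewise the commented-out headings "## Configure a user-based policy", "## Create an app metadata-based policy" and "## Configure access permissions" should be written or removed. Smaller items: the screenshot path "..\media\manage-app-protection-governance\mapg-cc-policies-policy.png" uses backslashes while the workflow image uses forward slashes, and backslash paths do not resolve on a Linux build; "Consenting userΓÇÖs role" has a mis-encoded apostrophe; the "High privilege" condition is explained only as "an internal designation based on the same logic used by MCAS", which gives an admin nothing to reason about when deciding whether a policy built on it should disable apps; and the template tables end with an empty "|||" row, the same row this update removes from the groups report table.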
compliance App Governance App Policies Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-app-policies-get-started.md
+
+ Title: "Get started with app policies"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Get started with Learn about app policies."
++
+# Get started with app policies
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+App policies for Microsoft app governance are the way that you can implement more proactive or reactive conditions to create alerts or automatic remediation for your specific needs for app compliance in your organization.
+
+To see the list of current app policies, go to **Microsoft 365 Compliance Center > App protection & governance > Policies**.
+
+![The MAPG policies summary page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-policies.png)
+
+## WhatΓÇÖs available on the app policies dashboard
+
+You can see the number of active, inactive, and test policies, and the following information for each policy:
+
+- **Policy name**
+- **Status**
+
+ - **Active**: All policy evaluation and actions are active.
+ - **Inactive**: All policy evaluation and actions are disabled.
+ - **Audit mode**: Policy evaluation is in audit mode. The policy is active but policy actions are disabled.
+
+- **Severity**: Severity level set on any alerts triggered because of this policy being evaluated as true, which is part of the configuration of the policy.
+- **Number of active alerts**: Alerts generated by the policy that have an **In Progress** or **New** status.
+- **Number of total alerts**: Both active alerts and resolved alerts for this policy.
+- **Last Alert Date**: Date of last generated alert due to this policy.
+- **Last Modified**: Date when this policy was last changed.
+
+The policy list is sorted by **Last modified** by default. To sort the list by another attribute, select the attribute name.
+
+When you select a policy, you get a detailed policy pane with these additional details:
+
+- **Description**: A more detailed explanation of the purpose of the policy.
+- **Created by**: user principal name (UPN) of the account that created the policy.
+- A list of the active alerts generated by this policy.
+
+You can edit or delete an app policy by selecting **Edit** or **Delete** in the detailed policy pane or by selecting the vertical ellipses of the policy in the policy list.
+
+You can also:
+
+- Create a new policy. You can start with an app usage policy or a permissions policy.
+- Export the policy list to a comma-separated value (CSV) file. For example, you could open the CVS file in Microsoft Excel and sort the policies by **Severity** and then **Number of Total Alerts**.
+- Search the policy list.
+
+## Next step
+
+[Create an app policy.](app-governance-app-policies-create.md)
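Review bot: the front matter description "Get started with Learn about app policies." is garbled, apparently pasted from the overview article, and should read along the lines of "Get started with app policies." Also: the dashboard summary says you can see "active, inactive, and test policies" while the status values listed directly below are Active, Inactive and Audit mode, so "test" should be "audit mode" to match the UI; "open the CVS file in Microsoft Excel" should be "CSV"; the attribute is "Last Modified" in the list but "Last modified" in the sorting sentence; and the image path "..\media\manage-app-protection-governance\mapg-cc-policies.png" uses backslashes, which break on Linux builds. The front matter has the same shape problem as the other new files in this update (" Title:" key, "++" separators).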
compliance App Governance App Policies Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-app-policies-manage.md
+
+ Title: "Manage app policies"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Manage your app governance policies."
++
+# Manage app policies
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+To keep up with the latest apps your organization is using, respond to new app-based attacks, and for ongoing changes to your app compliance needs, you might need to manage your app policies in these ways:
+
+- Create new policies targeted at new apps
+- Change the status of an existing policy (active, inactive, audit mode)
+- Change the conditions of an existing policy
+- Change the actions of an existing policy for auto-remediation of alerts
+
+Here's an example of a process for managing an existing policy:
+
+1. Edit the policy:
+
+ - Change the settings of the policy.
+ - If needed, change the status to **Audit mode** for testing.
+
+2. Check for expected behavior, such as alerts generated.
+1. If the behavior is not expected, go back to step 1.
+1. If the behavior is expected, edit the policy and change its status to active (if needed).
+
+![The manage app policy workflow](../media/manage-app-protection-governance/mapg-manage-policy-process.png)
+
+## Editing an app policy configuration
+
+To change the configuration of an existing app policy:
+
+- Select the policy in the policy list, and then select **Edit** on the app policy pane.
+- Select the vertical ellipses for the policy in the list, and then select **Edit**.
+
+For the **Edit policy** page, step through the pages and make the appropriate changes:
+
+- **Description**: Change the description to make it easier to understand the policy's purpose.
+- **Severity**
+- **Policy settings**: Change the set of apps to which the policy applies. You can also choose to use the existing conditions or modify the conditions
+- **Actions**: Change the auto-remediation action for alerts generated by the policy.
+- **Status**: Change the policy status.
+
+## Deleting an app policy
+
+To delete an app policy, you can:
+
+- Select the policy in the policy list, and then select **Delete** on the app policy pane.
+- Select the vertical ellipses for the policy in the list, and then select **Delete**.
+
+An alternative to deleting an app policy is to change its status to inactive. Once inactive, it will not generate alerts. For example, rather than deleting an app policy for an app with a specific set of conditions that are useful for a future policy, rename the app policy to indicate its usefulness and set its status to inactive. You can later return to the policy and modify it for a similar app and set its status to audit mode or inactive.
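Review bot: the last sentence of the closing paragraph tells the reader to return to an inactive policy and "set its status to audit mode or inactive", but the policy is already inactive at that point; the intended choice is "audit mode or active", matching the status values listed earlier in the hunk ("active, inactive, audit mode"). Smaller points in the same hunk: the **Severity** bullet under "Edit policy" has no description while every other bullet does; the **Policy settings** bullet is missing its terminal period; the numbered process list runs "1., 2., 1., 1.", so either number the items sequentially or use "1." throughout as the rest of these docs do; and the two bullets under "To change the configuration of an existing app policy:" are alternatives rather than steps, so introduce them with "do one of the following" (the same applies to the two bullets under "To delete an app policy, you can:").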
compliance App Governance App Policies Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-app-policies-overview.md
+
+ Title: "Learn about app policies"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Learn about app policies."
++
+# Learn about app policies
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+Microsoft app governance detects anomalous app behavior in your Microsoft 365 tenant and generates alerts that you can see, investigate, and resolve. Beyond this built-in detection capability, you can use a set of default templates to create your own app policies that generate other alerts.
+
+These policies for app and user patterns and behaviors can protect your users from using non-compliant or malicious apps and limit the access of risky apps to your tenant data.
+
+Here's a quick review of required administrator roles for app policy management.
+
+| Role | Read policies | Create, update, or delete policies |
+|:-|:--|:-|
+| Compliance Administrator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) |
+| Compliance Reader | ![Check mark](..\media\checkmark.png) | |
+| Global Administrator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) |
+| Global Reader | ![Check mark](..\media\checkmark.png) | |
+| Security Administrator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) |
+| Security Reader | ![Check mark](..\media\checkmark.png) | |
+| Security Operator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) |
+||||
+
+<!--
+How app policies are the method by which MAPG detects app anomolies resulting in detection (alerts) and remediation (manual or automatic)
++
+CFA #2 Scenario 1: As an admin, I can quickly set up policies to govern M365 apps in my tenant using MAPG out-of-the-box templates
+CFA #2 Scenario 2: As an admin, I can create customized policies to govern M365 apps in my tenant to meet my organizations requirements.
+CFA #2 Scenario 3: As an admin or policy reviewer, I can view all policies created in my environment and quickly see which policies have associated alerts.
+CFA #2 Scenario 4: As an admin, I can adjust policies efficiently to meet changing needs.
+
+App policy templates
+
+- Basic info
+- Policy settings and conditions
+- Actions
+- Status
+
+-->
+
+## Next step
+
+[Get started with app policies.](app-governance-app-policies-get-started.md)
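Review bot: the roles table here disagrees with the roles table in app-governance-get-started.md in the same change set: this one lists "Global Administrator" and omits Application Administrator, Company Administrator, and Compliance Data Administrator, all of which the get-started table shows with "Create, update, or delete policies" permission. Use one name for the Global/Company Administrator role and keep the two tables in sync, or replace this table with a link to the get-started one. Also, the `<!-- ... -->` block with the "CFA #2 Scenario" planning notes is internal authoring material that should be removed before publishing (it also carries the typo "anomolies"), and the trailing empty table row `||||` renders as a blank row and can be dropped.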
compliance App Governance Detect Remediate Detect Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-detect-remediate-detect-threats.md
+
+ Title: "Remediate app threats"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Remediate app threats."
++
+# Remediate app threats
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+You remediate app threats to your Microsoft 365 tenant through the **Alerts** page of the Microsoft app governance section of the Microsoft 365 Compliance center.
+
+![The app governance alerts summary page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-alerts.png)
+
+The **Alerts** page by default lists new threat alerts generated by app governance and policy-based alerts generated by active app policies. You can view the details of a specific alert by selecting it, which opens an alert pane with additional alert information and the ability to change its status.
+
+![The app governance alert detail page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-alerts-alert.png)
+
+From this pane, you can get this additional information:
+
+- Additional details on the alert from the **Description** field.
+- The name of the app policy that generated the alert from the **Policy name** field. You can also select **View policy** to go to the app policy that generated the alert.
+
+App policies that you configured for automatic remediation from the **Action** will have a status of **Resolved**.
+
+You can remediate an app alert with these steps:
+
+1. Investigation: Examine the information in the alert and change its status to **Mark in progress**.
+2. Resolution: After your investigation and, as needed, the determination of app policy changes or continued app support in your tenant, change its status to **Resolved**.
+
+Based on app alert patterns, you can update the appropriate app policy and change its **Action** setting to perform automatic remediation. This removes your need to investigate and manually resolve future alerts that are generated by the app policy. For more information, see [Manage your app policies](app-governance-app-policies-manage.md).
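Review bot: the sentence "App policies that you configured for automatic remediation from the **Action** will have a status of **Resolved**" is wrong on two counts: it is the alerts generated by such policies, not the policies, that carry the **Resolved** status, and a word is missing after **Action** (the **Action** setting). Suggest: "Alerts generated by app policies whose **Action** setting is configured for automatic remediation will have a status of **Resolved**." In the same hunk, step 1 of the remediation steps says to change the alert status to **Mark in progress**, while the rest of this change set names the status **In progress**; use the menu command and the resulting status value consistently. Minor: "Microsoft 365 Compliance center" in the opening sentence and "Microsoft 365 Compliance Center" in the image alt text are both used here.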
compliance App Governance Detect Remediate Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-detect-remediate-get-started.md
+
+ Title: "Get started with app threat detection and remediation"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Get started with app threat detection and remediation."
++
+# Get started with app threat detection and remediation
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+Microsoft app governance collects threat alerts that are generated by built-in app governance detection methods based on malicious app activities and policy-based alerts generated by active app policies that you create.
+
+The first place to view app alerts is the app governance dashboard at [https://compliance.microsoft.com/appgovernance](https://compliance.microsoft.com/appgovernance).
+
+![The app governance overview page in the Microsoft 365 Compliance Center with the Detection and policy alerts section highlighted](..\media\manage-app-protection-governance\mapg-cc-overview-alerts.png)
+
+On this overview page, the **Detection and policy alerts** section lists the latest alerts. You can use this to quickly see the current app alert activity for your tenant.
+
+To see all of the alerts, select the **Alerts** tab.
+
+## WhatΓÇÖs available on the Alerts page
+
+The **Alerts** page lists all of the app governance-based alerts for your tenant.
+
+![The app governance alerts summary page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-alerts.png)
+
+Each listed alert has the following information:
+
+- **Alert name**: The type of anomalous behavior.
+- **App name**: The app that generated the alert.
+- **Severity**: The severity assigned by app governance for alerts it creates or the severity of the app policy that generated the alert.
+- **Source**: Origination of the alert, which can be results from policy (user-created policies), detection (built-in detection policies), or MCAS.
+- **Status**: **New** indicates an alert that has not been assigned a status. Once assigned, the status is either **In progress** while being investigated or **Resolved** for alerts that have been addressed through automatic or manual remediation.
+- **Date created**: The date the alert was generated by either app governance detection or through an app policy. All dates shown are in the local time zone of the Microsoft 365 compliance center.
+- **Last activity**: The date the status of the alert was last changed. All dates shown are in the local time zone of the Microsoft 365 compliance center.
+
+The alert list is sorted by **Date created** by default. To sort the list by another attribute, select the attribute name.
+
+You can also export the current alert list to a comma separated value (CSV) file. For example, you could open the CVS file in Microsoft Excel and sort the list of alerts by **Severity** and then **Date Created**.
+
+## Next step
+
+[Remediate app threats.](app-governance-detect-remediate-detect-threats.md)
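Review bot: the section heading contains the mojibake "WhatΓÇÖs" (a UTF-8 curly apostrophe read under a single-byte code page), and the same "ΓÇÖ" sequence appears in the other files of this change set, so check that the files are saved as UTF-8 or replace the curly apostrophes with ASCII ones. Also in this hunk: the **Source** bullet uses the abbreviation "MCAS" without expanding it anywhere on this page (spell out Microsoft Cloud App Security on first use); "open the CVS file in Microsoft Excel" should read "CSV file"; and the sentence "All dates shown are in the local time zone of the Microsoft 365 compliance center." is repeated verbatim in the **Date created** and **Last activity** bullets, so state it once after the list.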
compliance App Governance Detect Remediate Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-detect-remediate-overview.md
+
+ Title: "Learn about app threat detection and remediation"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Learn about app threat detection and remediation."
++
+# Learn about app threat detection and remediation
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+With Microsoft app governance, you can:
+
+- Easily monitor the threat alerts that are being generated by built-in app governance detection methods for malicious app activities and policy-based alerts generated by active app policies that you create. These alerts can indicate anomalies in app activity and when non-compliant, malicious, or risky apps are used. You can also use patterns in alerts to create new app policies or modify the settings of existing policies for more restrictive actions.
+- Easily remediate alerts either manually after investigation or automatically through the action settings on active app policies.
++
+>[!Note]
+>Anomalous activities from Azure-only apps that are not granted permissions to access Microsoft 365 resources are not included in app governance detection and alerting.
+>
+
+See the [administrator roles](app-governance-get-started.md#administrator-roles) for which roles can access app governance pages.
++
+## App governance integration with Azure Active Directory and Microsoft Cloud App Security
+
+App governance, Azure Active Directory (Azure AD), and Microsoft Cloud App Security collect and provide different data sets:
+
+- Azure AD provides foundational app metadata and detailed information on sign-ins to apps.
+- App governance provides detailed information about an appΓÇÖs activity at the API level.
+- Microsoft Cloud App Security provides app risk information.
+
+By sharing information across app governance, Azure AD, and Microsoft Cloud App Security, you can display aggregate information in one portal and easily link to another portal for more information. Here are some examples:
+
+- App sign-in information in app governance:
+
+ From the app governance portal, you can see the aggregated sign-in activity for each app and link back to the Azure Active Directory admin center for the details of sign-in events.
+
+- App API usage information in the Azure Active Directory admin center:
+
+ From the Azure Active Directory admin center, you can see the aggregated app usage information and link to the app governance portal for the details of app usage.
+
+- API usage information in the Microsoft Cloud App Security portal:
+
+ From the Microsoft Cloud App Security portal, you can see API usage level and aggregate data transfer and link to the app governance portal for the details.
+
+Here's a summary of the integration.
+
+![The integration of app governance with Azure AD and Microsoft Cloud App Security](..\media\manage-app-protection-governance\mapg-integration.png)
+
+Additionally, app governance sends its alerts as signals to Microsoft Cloud App Security and Microsoft 365 Defender for more detailed analysis of app-based security incidents.
+
+<!--
+
+CFA #3 Scenario 1: As an admin, I can investigate alerts associated to my M365 apps through MAPG.
+CFA #3 Scenario 2: As an admin, I can manually remediate
+CFA #3 Scenario 3: As an admin, I can configure policies to perform automatic
+-->
+
+## Next step
+
+[Get started with app threat detection and remediation.](app-governance-detect-remediate-get-started.md)
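Review bot: the "App governance integration with Azure Active Directory and Microsoft Cloud App Security" section (the three data-set bullets, the three examples, and the mapg-integration.png summary) is duplicated almost word for word in app-governance-manage-app-protection-governance.md in this same change set, and the two copies have already diverged (bullet order, the commented-out Azure AD example, and the closing alerts sentence, which here omits "app governance receives alerts from Microsoft Cloud App Security"); keep one copy, or an include file, and link to it from the other page so they do not drift further. Also, the `<!-- CFA #3 Scenario ... -->` block is internal planning text with two unfinished sentences ("I can manually remediate", "I can configure policies to perform automatic") and should be removed before publishing, and the lines consisting only of "+" between the second bullet and the Note block and after the administrator roles sentence appear to be stray characters rather than intended content.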
compliance App Governance Feedback https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-feedback.md
+
+ Title: "Send feedback on app governance"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "How to send feedback for app governance."
+++
+# How to submit feedback on app governance
+
+In order to submit feedback on the app governance add-on to Microsoft Cloud App Security:
+
+- In the lower right corner of any portal page youΓÇÖd like to submit feedback on, click the black feedback button.
+
+- If submitting feature feedback:
+ 1. Provide a star rating and comments in the text box
+ 1. If you select **Include this screenshot** a screenshot of the page you are on will be shared.
+ 1. If you select **You can contact me about this feedback**, your email address will be shared with Microsoft.
+ 1. Select **Submit** to send your feedback.
+
+- If you are submitting feedback on malicious app activity:
+
+ 1. Provide a five star rating (itΓÇÖs a required field).
+ 1. In the text box, type the app name and app ID of the app you are flagging as malicious and any supporting detail you can provide.
+ 1. If you select **Include this screenshot** a screenshot of the page you are on will be shared.
+ 1. If you select **You can contact me about this feedback**, your email address will be shared with Microsoft.
+ 1. Select **Submit** to send your feedback.
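Review bot: the malicious-app feedback steps ask the reader to type "the app name and app ID of the app you are flagging" into the comment box, but nothing on the page says where that app ID can be found; add a pointer to where it is shown, since the ID is what makes the report actionable. Style points in the same hunk: "In order to submit feedback" reads better as "To submit feedback"; these docs use "select" rather than "click the black feedback button"; "five star rating" should be hyphenated ("five-star rating"); the step "Provide a star rating and comments in the text box" is missing its period; and the curly apostrophes appear as "ΓÇÖ" ("youΓÇÖd", "itΓÇÖs"), which points at a file-encoding problem to fix before merge.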
compliance App Governance Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-get-started.md
+
+ Title: "Get Started with app governance"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Get started with app governance capabilities to govern your apps."
++
+# Get started with app governance (in preview)
+
+To begin using the app governance feature for Microsoft Cloud App Security:
+
+1. Verify your account has the appropriate level of licensing. App governance is an add-on feature for Microsoft Cloud App Security (MCAS), and thus MCAS must be present in your account as either a standalone product or as part of the various license packages listed below.
+1. You must have one of the administrator roles listed below to access the app governance pages in the portal.
+
+## Licensing for app governance
+
+Before you get started with the app governance, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans) and any add-ons. To access and use app governance, your organization must have one of the following subscriptions or add-ons:
+
+- Microsoft Cloud App Security
+- Microsoft 365 E5
+- Microsoft 365 E5 Compliance
+- Microsoft 365 E5 Developer (without Windows and Audio Conferencing)
+- Microsoft 365 E5 Information Protection and Governance
+- Microsoft 365 E5 Security
+- Microsoft 365 E5 with Calling Minutes
+- Microsoft 365 E5 without Audio Conferencing
+- Microsoft 365 A5 Compliance for faculty
+- Microsoft 365 A5 Compliance for students
+- Microsoft 365 A5 for faculty
+- Microsoft 365 A5 for students
+- Microsoft 365 A5 Information Protection and Governance for faculty
+- Microsoft 365 A5 Information Protection and Governance for students
+- Microsoft 365 A5 Security for faculty
+- Microsoft 365 A5 Security for students
+- Microsoft 365 A5 student use benefits
+- Microsoft 365 A5 with Calling Minutes for Faculty
+- Microsoft 365 A5 with Calling Minutes for Students
+- Microsoft 365 A5 without Audio Conferencing for faculty
+- Microsoft 365 A5 without Audio Conferencing for students
+- Microsoft 365 A5 without Audio Conferencing for students use benefit
+
+## Administrator roles
+
+One of the following administrator roles are required to see app governance pages or manage policies and settings:
+
+- Application Administrator
+- Cloud Application Administrator
+- Company Administrator
+- Compliance Administrator
+- Compliance Data Administrator
+- Compliance Reader (read-only)
+- Global Reader
+- Security Administrator
+- Security Operator
+- Security Reader (read-only)
+
+Here are the capabilities for each role.
+
+| Role | Read the dashboard | Read all apps |Read policies | Create, update, or delete policies | Read alerts | Update alerts | Read settings | Update settings | Read Remediation | Update Remediation |
+|:-|:--|:-|:-|:-|:-|:-|:-|:-|:-|:-|
+| Application Administrator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) |
+| Cloud Application Administrator | ![Check mark](..\media\checkmark.png) | | | | | | | | | |
+| Company Administrator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) |
+| Compliance Administrator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | |
+| Compliance Data Administrator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | |
+| Compliance Reader | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | | | |
+| Global Reader | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | | | |
+| Security Administrator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | |
+| Security Operator | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | |
+| Security Reader | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | | ![Check mark](..\media\checkmark.png) | |
+|||||||||| | |
+
+For additional information about each role, see [Administrator role permissions](/azure/active-directory/roles/permissions-reference).
+
+## Add app governance to your Microsoft 365 account
+
+For existing Microsoft 365 customers:
+
+1. In your [Microsoft 365 admin center](https://admin.microsoft.com), navigate to **Billing - Purchase services** and click **Add-ons**.
+1. In the app governance card, click **Details**.
+1. Click **Start free trial**.
+1. Complete the requested information to add app governance to your selected tenant. I you are a new customer, you must first provide information to establish an account and create a tenant for your trial period. Once this is done you can add app governance to the trial.
+
+For new Microsoft 365 customers:
+
+1. At the top of this page, click the **Free Account** button.
+1. Under **Try Microsoft 365 for business** click **Try 1 month free**.
+
+For both:
+
+1. In the sign-up portal, provide your email address to use for the trial. If you are an existing customer, use the email associated with your account. Click **Next**
+1. Once you have signed in, click **Try now** to get the free trial.
+1. Click **Continue** to close page and begin trial setup. For new app governance customers, it will take up to two hours for your app governance instance to become available. For existing customers, there will be no interruption of existing services.
+ > [!NOTE]
+If you do not already have an account you will be prompted to set up a new account before you can proceed with the trial.
+
+1. Enter in an available domain name for your AAD tenant and click **Check availability**. You will automatically be assigned an Admin role (if you donΓÇÖt have an existing role for app governance) and can always change the domain name and/or purchase more tenants later through the Microsoft 365 admin center.
+1. Enter the username and password you would like to use to login to your account. Click **Sign up**.
+1. Click **Get started** to go to the app governance portal or **Manage your subscription** to go to the Microsoft 365 admin center.
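Review bot: the "Add app governance to your Microsoft 365 account" procedure has steps that cannot be followed as written. Under "For existing Microsoft 365 customers", step 4 ends with "I you are a new customer, you must first provide information to establish an account..." (typo for "If", and the sentence belongs in the new-customer list, not the existing-customer one); under "For new Microsoft 365 customers", step 1 says "At the top of this page, click the **Free Account** button", but a docs page has no such button, so link to the sign-up page instead; and in the "For both" list the `> [!NOTE]` under step 3 is followed by a line without the `>` prefix, which breaks the note block and splits the numbered list. Further points in the hunk: "One of the following administrator roles are required" should be "is required"; the role table says "Company Administrator" while app-governance-app-policies-overview.md in this change set says "Global Administrator", so use one name; "AAD tenant" should be "Azure AD tenant" and "login to your account" should be "sign in to your account"; "**Billing - Purchase services**" should follow the navigation convention "**Billing** > **Purchase services**"; "Click **Next**" is missing its period; and the trailing empty row `|||||||||| | |` can be dropped.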
compliance App Governance Manage App Protection Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-manage-app-protection-governance.md
+
+ Title: "App governance in Microsoft 365"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Implement Microsoft app governance capabilities to govern your apps."
++
+# App governance add-on to Microsoft Cloud App Security (in preview)
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+Cyberattacks have become increasingly sophisticated in the ways they exploit the apps you have deployed in your on-premises and cloud infrastructures, establishing a starting point for privilege escalation, lateral movement, and exfiltration of your data. To understand the potential risks and stop these types of attacks, you need to gain clear visibility into your organizationΓÇÖs app compliance posture to quickly identify when an app exhibits anomalous behaviors and to respond when these behaviors present risks to your environment, data, and users.
+
+The app governance add-on feature to Microsoft Cloud App Security is a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions.
+
+<!--
+The scale of ongoing cybersecurity incidents affecting large enterprises and smaller businesses highlights the dangers of supply chain attacks and the need to strengthen the security and compliance posture of every organization. Accelerated cloud adoption with Microsoft 365 and its rich application ecosystem are constantly growing. Attackers are gaining organizational footholds through applications because:
+
+- Users are typically unaware of the risks when consenting to the use of applications.
+- App developers and independent software vendors (ISVs) do not yet have Security Development Lifecycle (SDL) best practices in place to address attacker techniques.
+-->
+
+App governance provides you with comprehensive:
+
+- **Insights**: See a view of all the third-party apps for the Microsoft 365 platform in your tenant on a single dashboard. You can see all the appsΓÇÖ status and alert activities and react or respond to them.
+- **Governance**: Create proactive or reactive policies for app and user patterns and behaviors and protect your users from using non-compliant or malicious apps and limiting the access of risky apps to your data.
+- **Detection**: Be alerted and notified when there are anomalies in app activity and when non-compliant, malicious, or risky apps are used.
+- **Remediation**: Along with automatic remediation capabilities, use remediation controls in a timely manner to respond to anomalous app activity detections.
+
+App governance is a platform-based solution that is an integral part of the Microsoft 365 app ecosystem. App governance oversees and governs OAuth-enabled apps that are registered with Azure Active Directory (Azure AD) and access data through the Microsoft Graph API. App governance provides you with application behavior controls to help strengthen the security and compliance posture of your IT infrastructure.
+
+<!--
+Unlike other application governance products in the marketplace, MAPG is a platform-based solution that is an integral part of the Microsoft 365 application ecosystem. MAPG's initial focus is on OAuth-enabled apps published to the Microsoft 365 platform that are registered with Azure AD and access data through the Graph API. For the initial release, MAPG does not support other, non-OAuth-enabled M365 apps, add-ins (such as PowerBI), or other app vendor ecosystems such as Google, Facebook, Amazon Web Services, Workplace, and Salesforce. MAPGΓÇÖs focus is on third-party published apps for the Microsoft 365 application platform.
+
+Microsoft allows developers to build cloud applications using Azure Active Directory (Azure AD), MicrosoftΓÇÖs cloud identity platform, and other resources and access to tenant data through the Microsoft Graph. Because of MAPG's visibility, insights, and control capabilities, app developers have the incentive to comply with publisher verification, self-attestation, and Microsoft certification, and can build high-quality productivity apps that are secure and compliant.
+-->
+
+## A first glimpse at app governance
+
+To see the app governance dashboard, go to [https://compliance.microsoft.com/appgovernance](https://compliance.microsoft.com/appgovernance). Note that your sign-in account must have one of the [administrator roles](app-governance-get-started.md#administrator-roles) to view any app governance data.
+
+## App governance integration with Azure AD and Microsoft Cloud App Security
+
+App governance, Azure AD, and Microsoft Cloud App Security collect and provide different data sets:
+
+- App governance provides detailed information about an appΓÇÖs activity at the API level.
+- Azure AD provides foundational app metadata and detailed information on sign-ins to apps.
+- Microsoft Cloud App Security provides app risk information.
+
+By sharing information across app governance, Azure AD, and Microsoft Cloud App Security, you can display aggregate information in one portal and easily link to another portal for more information. Here are some examples:
+
+- App sign-in information in app governance:
+
+ From the app governance portal, you can see the aggregated sign-in activity for each app and link back to the Azure Active Directory admin center for the details of sign-in events.
+
+<!--
+- App API usage information in the Azure Active Directory admin center:
+
+ From the Azure Active Directory admin center, you can see the aggregated app usage information and link to the app governance portal for the details of app usage.
+-->
+- API usage information in the Microsoft Cloud App Security portal:
+
+ From the Microsoft Cloud App Security portal, you can see API usage level and aggregate data transfer and link to the app governance portal for the details.
+
+Here's a summary of the integration.
+
+![The integration of app governance with Azure AD and Microsoft Cloud App Security](..\media\manage-app-protection-governance\mapg-integration.png)
+
+Additionally, app governance sends its alerts as signals to Microsoft Cloud App Security and Microsoft 365 Defender, and app governance receives alerts from Microsoft Cloud App Security, to enable more detailed analysis of app-based security incidents.
+
+<!--
+Integration of alerts with MCAS and M365 Defender
+Azure AD IP detections in progress to surface in M365 Defender
+
+## Integration with Azure AD
+
+**Feedback from Anand:** We should add some details on how MAPG works with M365 Defender (previously MTP). Also, we should highlight the integration with MCAS and AAD.
+
+Key cross-reference resources:
+
+- [What is application management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-application-management)
+- [Common application management scenarios for Azure Active Directory (especially scenarios 3-4)](https://docs.microsoft.com/cloud-app-security/monitor-alerts)
+- [Azure Active Directory Identity Governance documentation](https://docs.microsoft.com/azure/active-directory/governance/)
+- [Managing access to apps using Azure AD](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-access-management)
+
+## Integration with Microsoft Cloud App Security
+
+Key cross-reference resources:
+
+- [Cloud App Security anomaly detection alerts investigation guide](https://docs.microsoft.com/cloud-app-security/investigate-anomaly-alerts#unusual-addition-of-credentials-to-an-oauth-app)
+- [Monitor alerts raised in Cloud App Security](https://docs.microsoft.com/cloud-app-security/monitor-alerts)
+- [Control which third-party cloud OAuth apps get permissions](https://docs.microsoft.com/cloud-app-security/manage-app-permissions)
+
+-->
+
+## Using app governance
+
+Using app governance to protect your tenant and its data from potentially malicious or ill-behaved apps falls into these three core capabilities:
+
+| Capability | Description |
+|:-|:--|
+| [App visibility and insights](app-governance-visibility-insights-overview.md) | Get a 360┬░ view on traffic and activity of the Microsoft 365 applications in your tenant. |
+| [App policies for reinforced governance](app-governance-app-policies-overview.md) | Create proactive or reactive app policies, which will allow you to enforce governance for your Microsoft 3635 apps. |
+| [Detection and remediation](app-governance-detect-remediate-overview.md) | Based on platform detection alerts or policy-generated detection alerts, monitor your apps for anomalous app behavior and remediate them, either automatically based on app policy settings or manually. |
+|||
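Review bot: the capabilities table contains "Microsoft 3635 apps" (should be "Microsoft 365 apps") and "360┬░ view", where the degree sign is mis-encoded in the same way as the "ΓÇÖ" apostrophes in "organizationΓÇÖs" and "appsΓÇÖ", so the file encoding needs to be fixed rather than the characters patched one by one. The large `<!-- -->` blocks, including the "Feedback from Anand:" note, the "Key cross-reference resources" link lists, and the unpublished MAPG scoping text, are internal drafting material that should not ship in a public source file; move them to the PR discussion. In the same hunk, the "Detection and remediation" row says "monitor your apps for anomalous app behavior and remediate them", where "them" reads as the apps rather than the behavior; say "remediate the resulting alerts". The integration section duplicates the one in app-governance-detect-remediate-overview.md (see the note there), and the trailing empty `|||` row should be dropped.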
compliance App Governance Visibility Insights Compliance Posture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-visibility-insights-compliance-posture.md
+
+ Title: "Determine your app compliance posture"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Determine your app compliance posture."
++
+# Determine your app compliance posture
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+Microsoft app governance allows you to quickly assess the compliance posture of the third-party apps and their access to data in your Microsoft 365 tenant from the app governance Overview page in the [Microsoft 365 Compliance Center](https://compliance.microsoft.com/appgovernance).
+
+![The app governance overview page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-overview.png)
+
+>[!Note]
+> Your sign-in account must have one of [these roles](app-governance-get-started.md#administrator-roles) to view any app governance data.
+>
+
+From this page, you can see:
+
+- For OAuth-enabled apps that use the Microsoft Graph API:
+
+ - How many are in your tenant
+ - How many might be overprivileged
+ - How many are high privilege
+
+ From this information, you can determine the level of risk to your organization by overprivileged and high privilege apps.
+
+- For alerts:
+
+ - How many active alerts your tenant has
+ - How many are based on app governance detections (**Threat alerts**)
+ - How many are based on app policies you have in place (**Policy alerts**)
+ - The 10 latest alerts
+
+ From this information, you can determine how quickly alerts are being generated and the relative number of detected and policy-based alerts.
+
+- For data and resources access:
+
+ - The application API data access in the last 90 days
+ - The usage of the top resources in the last 90 days
+
+ From this information, you can determine if there are anomalous spikes in access to the data in your Microsoft 365 tenant.
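Review bot: the image path on L1000 uses backslashes (`..\media\manage-app-protection-governance\mapg-cc-overview.png`), while the rest of this changeset uses forward slashes (compare `../media/compliance-score-action-scoring.png` on L1296); backslash paths fail on case-sensitive, Linux-based builds and in plain Markdown renderers, so use `../media/...`. Also, the alert on L1002 is written `>[!Note]`, whereas L1254 and L1317 use `> [!NOTE]`; use the same form here rather than relying on case-insensitive matching, and the bare `>` on L1004 only adds an empty quote line.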
compliance App Governance Visibility Insights Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-visibility-insights-get-started.md
+
+ Title: "Get started with visibility and insights"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Get started with visibility and insights."
++
+# Get started with visibility and insights
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+The first place to get started is the app governance dashboard at [https://compliance.microsoft.com/appgovernance](https://compliance.microsoft.com/appgovernance). Note that your sign-in account must have one of [these app governance administrator roles](app-governance-get-started.md#administrator-roles) to view any app governance data.
+
+![The app governance overview page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-overview.png)
+
+You can also access the app governance dashboard from **Microsoft 365 admin center > Microsoft 365 Compliance Center > App governance > Overview page**.
+
+## WhatΓÇÖs available on the dashboard
+
+The dashboard contains a summary of the components of the Microsoft 365 app ecosystem in the tenant:
+
+- **Tenant summary**: The count of key app and alert categories.
+- **Detection and policy alerts**: The most recent active alerts in the tenant
+- **Data and resources access**: Aggregate application API access and overall usage of top resources in the tenant. Mouse over each month column in the graph to see the corresponding value.
+- **Improve your app protection and governance**: Recommended actions such as creating an app usage or permissions policy.
+- **Top apps by categories**: The top apps sorted by these categories:
+
+ - **All categories**: Sorts across all available categories.
+ - **High privilege**: High privilege is an internally determined category based on platform machine learning and signals.
+ - **Overprivileged**: When app governance receives telemetry that indicates that a permission granted to an application has not been used in the last 90 days, that application is overprivileged. App governance must be operating for at least 90 days to determine if any app is overprivileged.
+ - **Unverified**: Applications that have not received [publisher certification](https://docs.microsoft.com/azure/active-directory/develop/publisher-verification-overview) are considered unverified.
+ - **App only**: [Application permissions](https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#permission-types) are used by apps that can run without a signed-in user present. Apps with permissions to access data across the tenant are potentially a higher risk.
+ - **New apps**: New Microsoft 365 apps that have been registered in the last seven days.
+
+## Next step
+
+[Get detailed insights on a specific app](app-governance-visibility-insights-view-apps.md).
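Review bot: the definition of "Overprivileged" on L1067 ("a permission granted to an application has not been used in the last 90 days") leaves it open whether a single unused permission is enough to flag the app or whether all granted permissions must be unused; say it explicitly, for example "at least one granted permission has not been used in the last 90 days". Smaller points: the heading on L1055 shows "WhatΓÇÖs" (a UTF-8 curly apostrophe decoded as CP437), so check the file encoding or use a plain apostrophe; L1051 repeats the backslash image path from the compliance-posture page and should use forward slashes; and the list on L1059-L1062 mixes items with and without a terminal period.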
compliance App Governance Visibility Insights Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-visibility-insights-overview.md
+
+ Title: "Learn about visibility and insights"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "Learn about visibility and insights."
++
+# Learn about visibility and insights
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+With Microsoft app governance, you can quickly gain visibility and meaningful insights on your Microsoft 365 application ecosystem. You start from the app governance dashboard that provides a high-level summary of the alerts and apps in your tenant that require administrator attention.
+
+With app governance visibility and insights, you can see:
+
+- A list of the OAuth-enabled apps that access Microsoft 365 data via Microsoft Graph APIs.
+- A rich view on app activities so that you can react or respond to them.
+
+>[!Note]
+>Azure-only apps that are not granted permissions to access Microsoft 365 resources are not displayed in app governance.
+>
+
+See [administrator roles](app-governance-get-started.md#administrator-roles) for an overview of required administrator roles for visibility and insights.
+
+<!--
+From messaging doc, page 21:
+
+View M365 App List & Metadata
+View M365 App List of Consented Users
+View M365 App Permissions
+View M365 App Permission Usage
+View Over permissioned Apps
+Aggregate M365 API Usage Data by Workload (count, download/upload)
+Per-App M365 API Usage Data by Workload (count, download/upload)
+Per-User M365 API Usage Data by Workload (count, download/upload)
+M365 API Usage Data For High-Value/Classified Assets (count, download/upload)
+M365 API Error Analysis per App
+-->
+
+With app governance, you can see:
+
+- A dashboard of all insights.
+- Data accessed by single and all apps with workload and user level insights.
+- App information and metadata, such as permissions, registration date, and certification.
+- Publisher information and metadata, such as name and verification status.
+- Usage of top resources (emails and files) across the tenant.
+- Insights on:
+
+ - High-privileged apps.
+ - Overprivileged apps.
+ - High-usage apps.
+ - Top consented users whose data a specific app can access.
+ - Priority accounts who have data that a specific app can access.
+
+- A cumulative view of users accessing apps.
+- Alerts insights.
+- Policy list insights.
+<!-->
+- Policies created in MCAS in the app governance portal.
+-->
+- Alerts for OAuth apps generated in MCAS, in the app governance portal.
+
+You can also:
+
+- Drill down to a single app (app page) with all its associated insights.
+- Drill-down into top users by data, and priority accounts within a single app.
+
+## Next step
+
+[Get started with application insights.](app-governance-visibility-insights-get-started.md)
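Review bot: `<!-->` on L1139 does not open a comment; HTML parsers treat it as an empty, already-closed comment, so the bullet on L1140 ("Policies created in MCAS in the app governance portal.") will be published and the `-->` on L1141 will appear as literal text. Change L1139 to `<!--` or delete L1139-L1141 outright. The block on L1106-L1119 ("From messaging doc, page 21" and the feature list under it) is internal planning material that ships in the public source inside an HTML comment; it should be removed from the page rather than hidden. Minor: L1146 says "Drill down to" and L1147 "Drill-down into"; as a verb it is "drill down" in both.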
compliance App Governance Visibility Insights View Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-visibility-insights-view-apps.md
+
+ Title: "View your apps"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Priority
+search.appverid:
+- MOE150
+- MET150
+description: "View your apps."
++
+# View your apps
+
+>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+
+Microsoft app governance allows you to quickly gain deep insights into the Microsoft 365 apps in your tenant. For example, you can see:
+
+- A list of OAuth-enabled apps in the tenant that use the Microsoft Graph API, together with relevant app metadata and usage data.
+- App details with deeper insights and information by selecting an app in the list.
+
+## Getting a list of all the apps in your tenant
+
+For a summary of apps in your tenant, go to **Microsoft 365 Compliance Center > App protection & governance > Apps**.
+
+![The MAPG app summary page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-apps.png)
+
+>[!Note]
+> Your sign-in account must have one of [these roles](app-governance-get-started.md#administrator-roles) to view any app governance data.
+>
+
+You will see a list of apps and this information:
+
+- App Name
+- Publisher
+- App certification
+
+ Indicates whether the app is compatible with Microsoft technologies, compliant with cloud app security best practices, and supported by Microsoft.
+
+- Last modified
+
+ Shows the date app governance was installed in client if that date is more recent than the date the app was last modified.
+
+- Date installed
+- Privilege level
+- Number of users
+- Data access
+
+ The sum of the appΓÇÖs data upload and download in the tenant over the last day, along with the change over the prior day.
+
+App governance sorts the app list by **App name** by default. To sort the list by another app attribute, select the attribute name.
+
+You can also select **Search** to search for an app by name.
+
+## Getting detailed information on an app
+
+For detailed information on a specific app in your tenant, go to **Microsoft 365 Compliance Center > App governance > Apps page > *app name***.
+
+![The app governance app details pane in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-apps-app.png)
+
+The app details pane provides additional information on these tabs:
+
+| Tab name | Description |
+|:-|:--|
+| Details | See additional data on the app such as the date first consented and the App ID. To see the properties of the app as registered in Azure AD, select **View app in Azure AD**. |
+| Usage | See the data accessed by the app in the tenant, plot the data usage, and show usage by the top \<x> users and users with [priority accounts](/microsoft-365/admin/setup/priority-accounts). |
+| Users | See a list of users who are using the app, whether they are a priority account, and the amount of data downloaded and uploaded. |
+| Permissions | See a summary of the permissions granted to and used by the app and the list of specific permissions. See the [Microsoft Graph permissions reference](/graph/permissions-reference) for more information. |
+|||
+
+For an enabled app, there is also a **Disable app** control to disable the use of the selected app and an **Enable app** control to enable the use of the disabled app. These actions require these [administrator roles](app-governance-get-started.md#administrator-roles):
+
+- Compliance Administrator
+- Global Administrator
+- Security Administrator
+- Security Operator
+
+## Next step
+
+[Determine your overall app compliance posture](app-governance-visibility-insights-compliance-posture.md).
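Review bot: L1219 ships a template placeholder, "usage by the top \<x> users"; replace it with the actual number the Usage tab shows, or with "top users" if the count varies. The navigation path on L1177 says "App protection & governance > Apps" while L1210 and L1053 say "App governance"; pick one product name for all paths, and the alt text on L1179 uses the internal abbreviation "MAPG" rather than the product name. L1195 ("Shows the date app governance was installed in client if that date is more recent than the date the app was last modified") needs rewording: it is unclear what "client" refers to and why a column named "Last modified" would show an installation date. The trailing `|||` on L1222 adds a blank table row and can be dropped.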
compliance Archive Ringcentral Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ringcentral-data.md
description: "Admins can set up a connector to import and archive RingCentral da
# Set up a connector to archive RingCentral data (preview)
-Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the RingCentral platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [RingCentral](https://www.veritas.com/insights/merge1/ringcentral) connector that is configured to capture items from the third-party data source and import those items to Microsoft 365. The connector converts content such as chats, attachments, tasks, notes, and posts from RingCentral to an email message format and then imports those items to the user mailboxes in Microsoft 365.
+Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the RingCentral platform to user mailboxes in your Microsoft 365 organization. Veritas provides the RingCentral connector that is configured to capture items from the third-party data source and import those items to Microsoft 365. The connector converts content such as chats, attachments, tasks, notes, and posts from RingCentral to an email message format and then imports those items to the user mailboxes in Microsoft 365.
After RingCentral data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels. Using a RingCentral connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
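Review bot: L1238 drops the link to the Veritas product page that L1237 carried (https://www.veritas.com/insights/merge1/ringcentral) without replacing it, so readers lose the only pointer to the vendor's connector. If the page moved, link the new URL; if the link was removed on purpose, the commit message should say why.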
compliance Compliance Manager Assessments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-assessments.md
description: "Build assessments in Microsoft Compliance Manager to help you meet
## Introduction to assessments
-Compliance Manager helps you create assessments that evaluate your compliance with industry and regional regulations that apply to your organization. Assessments are built upon the framework of assessment templates, which contain the necessary controls, improvement actions, and Microsoft actions for completing the assessment. Setting up the most relevant assessments for your organization can help you implement policies and operational procedures to limit your compliance risk.
+Compliance Manager helps you create assessments that evaluate your compliance with industry and regional regulations that apply to your organization. Assessments are built upon the framework of assessment templates, which contain the necessary controls, improvement actions, and, where applicable, Microsoft actions for completing the assessment. Setting up the most relevant assessments for your organization can help you implement policies and operational procedures to limit your compliance risk.
All of your assessments are listed on the assessments tab of Compliance Manager. Learn more about [how to filter your view of your assessments and interpret status states](compliance-manager-setup.md#assessments-page).
Below are examples of two groups and their underlying assessments:
- ISO 27001:2013 - ISO 27018:2014
-When two different assessments in the same group share improvement actions that you manage, any updates you make to an action's implementation details or status will automatically synchronize throughout the group. This synchronization allows you to implement one improvement action and meet several requirements simultaneously.
+Different assessments within a group or groups may share improvement actions. Improvement actions may be changes you make within technical solutions mapped to your tenant, like turning on two-factor authentication, or to non-technical actions you perform outside the system, like instituting a new workplace policy. Any updates in details or status that you make to a technical improvement action will be picked up by assessments across all groups. Non-technical improvement action updates will be recognized by assessments within the group where you apply them. This allows you to implement one improvement action and meet several requirements simultaneously.
### Create a group
You can create a group while creating a new assessment. Groups can't be created
- Once you add an assessment to a group, the grouping can't be changed. - If you add a new assessment to an existing group, common information from assessments in that group are copied to the new assessment. - Related assessment controls in different assessments within the same group automatically update when completed.-- When a change is made to an improvement that appears in multiple groups, that change is reflected in all instances of that improvement action. - Groups can contain assessments for the same certification or regulation, but each group can only contain one assessment for a specific product-certification pair. For example, a group can't contain two assessments for Office 365 and NIST CSF. A group can contain multiple assessments for the same product only if the corresponding certification or regulation for each one is different. - Deleting an assessment breaks the relationship between that assessment and the group. - Groups can't be manually deleted. ## Create assessments
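Review bot: L1249 distinguishes technical from non-technical improvement actions only by example ("turning on two-factor authentication" versus "instituting a new workplace policy") and then attaches different synchronization rules to each (across all groups versus within the group), so the reader needs a way to tell which kind a given action is; state where that classification is shown, or link to the page that defines it. The same paragraph says technical updates are "picked up by" assessments and non-technical ones are "recognized by" them; use one verb for both. The grouping bullet on L1252 that stated changes propagate to all instances was removed, which is consistent with the new paragraph, but the remaining bullet "common information from assessments in that group are copied" should read "is copied".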
+To create an assessment, you will use a wizard to select the template it should use and set the assessmentΓÇÖs properties. Templates contain the controls and action recommendations for the assessment, based on certifications for different privacy regulations and standards. Your organizationΓÇÖs available templates may include one or more templates that were included as part of your licensing agreement, along with any additional premium templates that you have purchased. Each template, whether included or premium, exists in two versions: one for use with Microsoft 365, and a universal version that can be tailored to other products that you use. To learn more about templates, see [Working with assessment templates](compliance-manager-templates.md).
+ > [!NOTE] > Only users who hold a Global Administrator, Compliance Manager Administration, or Compliance Manager Assessor role can create and modify assessments. Learn more about [roles and permissions](compliance-manager-setup.md#set-user-permissions-and-assign-roles).
To begin building assessments, follow these steps.
3. **Select a template**: If you didn't already choose a template in step 2, choose a template to serve as the basis for your assessment. YouΓÇÖll see the list of templates divided into included and premium categories (see [Template types](compliance-manager-templates.md#template-availability-and-licensing) for more information). Select the radio button next to your chosen template, then select **Next**.
-4. **Name and group:** Set these properties to identify your assessment and assign it to a group.
+4. **Product, name, and group:** Set these properties to identify your assessment, choose which product it will be evaluating, and assign it to a group.
+
+ - **Product**: If you’re using a universal template, select whether you’re creating this assessment for a new product or an existing custom product you have already defined in Compliance Manager. If you choose a new product, enter its name. Note that you cannot select Microsoft 365 as the product when using a universal template. If you are using a Microsoft 365 template, this field will be populated for you to indicate Microsoft 365 and cannot be changed.
- **Name**: Enter a name for your assessment in the **Assessment name** field. Assessment names must be unique within groups. If the name of your assessment matches the name of another assessment in any given group, youΓÇÖll receive an error asking you to create a different name. - **Group**: Assign your assessment to a group. You can either: - Select **Use existing group** to assign it to a group youΓÇÖve already created; or
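Review bot: L1260 shows the apostrophes in "you’re" as a proper curly quote while the adjacent L1261 shows "youΓÇÖve" and "youΓÇÖll", so the new line appears to have been added with a different encoding than the rest of the file; normalize the whole file to UTF-8 in this change so both render the same. On the content of L1260, "enter its name" for a new product should say whether that name has to be unique, since L1261 already imposes a uniqueness rule on assessment names within a group and readers will ask the same question for products.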
Beneath the chart, a table lists detailed information about each control within
- **Control ID**: the controlΓÇÖs identification number, assigned by its corresponding regulation, standard, or policy - **Points achieved**: the number of points earned by completing actions, out of the total number of achievable points - **Your actions**: the number of your actions completed out of the total number of actions to be done-- **Microsoft actions**: the number of actions completed by Microsoft
+- **Microsoft actions**: the number of actions completed by Microsoft
To view a controlΓÇÖs details, select it from its row in the table. The control details page shows a graph indicating the test status of the actions within that control. A table below the graph shows key improvement actions for that control.
-Select an improvement action from the list to drill into the improvement actionΓÇÖs details page. The details pages shows test status, implementation notes, and launch into the recommended solution.
+Select an improvement action from the list to drill into the improvement actionΓÇÖs details page. The details page shows test status and implementation notes, and launch into the recommended solution.
### Your improvement actions tab
Select an improvement action to view its details page, and select the **Launch n
### Microsoft actions tab
-The Microsoft actions tab lists all the actions in the assessment that are managed by Microsoft. The list shows key action details, including: test status, points that contribute to your overall compliance score, associated regulations and standards, applicable solution, action type, and control family. Select an improvement action to view its details page.
+The Microsoft actions tab appears for assessments based on the Microsoft 365 versions of the templates. It lists all the actions in the assessment that are managed by Microsoft. The list shows key action details, including: test status, points that contribute to your overall compliance score, associated regulations and standards, applicable solution, action type, and control family. Select an improvement action to view its details page.
Learn more about [how controls and improvement actions are tracked and scored.](compliance-score-calculation.md)
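Review bot: the sentence on L1267 is still ungrammatical after the edit: "The details page shows test status and implementation notes, and launch into the recommended solution" pairs "shows" with a bare "launch"; suggest "The details page shows test status and implementation notes, and lets you launch the recommended solution." Separately, the added L1264 reads identically to the line removed at the end of L1263, so this is a whitespace-only change; since L1272 now states that Microsoft actions appear only for assessments built on the Microsoft 365 template versions, consider qualifying the "Microsoft actions" column on L1264 with "where applicable" as L1244 and L1319 do.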
compliance Compliance Manager Quickstart https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-quickstart.md
When you're comfortable managing assessments in Compliance Manager, you can work
You can also set up automated testing of all or a subset of improvement actions. Visit the links below to understand more advanced functionality in Compliance -- [Extend a Compliance Manager template by adding your own controls and improvement actions](compliance-manager-templates.md#extend-an-assessment-template)
+- [Extend a Compliance Manager template by adding your own controls and improvement actions](compliance-manager-templates.md#extend-microsoft-365-assessment-templates)
- [Create your own custom template](compliance-manager-templates.md#create-an-assessment-template) - [Modify an existing template to add or remove controls and actions](compliance-manager-templates.md#modify-a-template) - [Set up automated testing of improvement actions](compliance-manager-setup.md#set-up-automated-testing)
compliance Compliance Manager Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates.md
description: "Understand how to use and manage templates for building assessment
## Templates overview
-A template is a framework of controls for creating an assessment in Compliance Manager. Our comprehensive set of templates can help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data. We refer to templates by the same name as their underlying certification or regulation, such as the EU GDPR template and the ISO/IEC 27701:2019 template.
+A template is a framework of controls for creating an assessment in Compliance Manager. Our comprehensive set of templates can help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data. We refer to templates by the same name as their underlying certification or regulation, such as the EU GDPR template and the ISO/IEC 27701:2019 template. Since Compliance Manger can be used to assess different types of products, each template comes in two versions: one that applies to Microsoft 365, and a universal version that can be tailored to suit your chosen product.
## Template availability and licensing
Templates will display an activation status as either active or inactive:
- A template is considered **active** once you create an assessment from that template. - A template is considered **inactive** if your organization isnΓÇÖt using it for an assessment.
-When you purchase a premium template and create an assessment from it, that template is active for one year. Your purchase will automatically renew unless you cancel.
+If you link any assessments to a purchased premium template, that template will be active for one year. Your purchase will automatically renew unless you cancel.
You may also try premium templates on a trial basis. Trial licenses are good for up to 25 templates for 30 days. Once your trial begins, the templates should become available in your tenant within 48 hours. Trials can be activated through the Microsoft 365 admin center.
For example, if your counter shows 2/5, this means your organization has activat
If your counter shows 5/2, this indicates that your organization exceeds its limits and needs to purchase 3 of the premium templates in use.
+Microsoft 365 and universal versions of templates have joint licensing, so that you can use the same underlying certification across more than one product. Using either or both versions of the same template will only count as one activated template.
+ For further details, see [Compliance Manager licensing guidance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#compliance-manager). ## View and manage templates
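Review bot: L1283 has "Compliance Manger"; it should be "Compliance Manager". On L1288, "If you link any assessments to a purchased premium template" introduces "link", a verb not used elsewhere for this relationship; L1286 defines a template as active "once you create an assessment from that template", so phrase L1288 the same way ("If you create any assessments from a purchased premium template").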
The **Actions** tab is required. It designates improvement actions managed by y
- **actionScore**: In this required field, provide a numeric score value for your action. The value must be a whole number ranging from 1 to 99; it cannot be 0, null, or blank. The higher the number, the greater its value toward improving your compliance posture. The image below demonstrates how Compliance Manager scores controls:
-![Compliance Manager controls point values](../media/compliance-score-action-scoring.png "Compliance Manager controls point values")
+ ![Compliance Manager controls point values](../media/compliance-score-action-scoring.png "Compliance Manager controls point values")
- **actionDescriptionTitle**: This is the title of the description and is required. This description title allows you to have the same action in multiple templates and surface a different description in each template. This field helps you clarify what template the description is referencing. In most cases, you can put the name of the template you're creating in this field.
Only users who hold a Global Administrator or Compliance Manager Administration
7. The last screen confirms a new template has been created. Select **Done** to exit the wizard. 8. YouΓÇÖll arrive at your new templateΓÇÖs details page, where you can [create your assessment](compliance-manager-assessments.md#create-assessments).
-## Extend an assessment template
+## Extend Microsoft 365 assessment templates
Compliance Manager offers the option to add your own controls and improvement actions to an existing Microsoft-provided template. This process is called extending a Microsoft template. When you extend a template, it can still receive updates released by Microsoft, which may happen when there are changes to the related regulation or product (see [Accept updates to assessments](compliance-manager-assessments.md#accept-updates-to-assessments)).
+Note that if you're setting up assessments for products other than Microsoft 365, your process will differ. To learn more, see [Extend universal assessment templates](#extend-universal-assessment-templates).
+
+### Prepare template data and create extension
+ To prepare, youΓÇÖll need to assemble a specially formatted Excel spreadsheet to import the necessary template data. The Excel files follow the same general format outlined above, but there are special requirements for extensions. See these additional points to help prevent errors: - Your spreadsheet should contain only the actions and controls you want to add to the assessment.
After you format your spreadsheet, follow the steps below.
11. YouΓÇÖll arrive at your new templateΓÇÖs details page. From here you can create your assessment by selecting **Create assessment**. For guidance, see [Build and manage assessments](compliance-manager-assessments.md#create-assessments).
+## Extend universal assessment templates
+
+Universal versions of templates can also be extended to customize your product-specific assessments. You will receive a special extension template when you create an assessment using a universal template and the assessment has a unique product and certification combination. This can be modified to meet your needs. For guidance on how to edit the template, see the instructions below on modifying a template.
+
+When editing a universal template, all content in the template can be changed, but doing so will break inheritance with the parent template. This means that it will no longer automatically receive updates from Microsoft if the parent template is refreshed.
+ ## Modify a template You may want to modify a template youΓÇÖve already created, such as to add controls, or add or remove improvement actions. The process is similar to the template creation process in that youΓÇÖll upload formatted Excel file with your template data.
After your Excel file is completed and saved, follow these steps.
Your template will now include the changes you made. Any assessments that use this modified template will now show pending updates, and youΓÇÖll need to accept the updates to the assessments to reflect the changes made in the template. Learn more about [updates to assessments](compliance-manager-assessments.md#accept-updates-to-assessments). > [!NOTE]
-> If you use Compliance Manager in a language other than English, youΓÇÖll notice that some text appears in English when you export a template to Excel. The titles of actions (both your improvement actions and Microsoft actions) must be in English to be recognized by controls. If you make changes to an action title, be sure to write it in English so that the file imports correctly.
+> If you use Compliance Manager in a language other than English, youΓÇÖll notice that some text appears in English when you export a template to Excel. The titles of actions (both your improvement actions and, where applicable, Microsoft actions) must be in English to be recognized by controls. If you make changes to an action title, be sure to write it in English so that the file imports correctly.
## Export a template
-You can export an Excel file that contains all of a templateΓÇÖs data. YouΓÇÖll need to export a template in order to modify it, since this will be the Excel file you edit and upload in the [modification process](#modify-a-template).
+You can export an Excel file that contains all of a templateΓÇÖs data. YouΓÇÖll need to export a template in order to modify it, since this will be the Excel file you edit and upload in the [modification process](#modify-a-template). You can also export a template for reference if you want to use data from it while constructing a new custom template.
To export your template, go to your template details page and select the **Export to Excel** button.
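Review bot: renaming the heading on L1302 changes its anchor from `#extend-an-assessment-template` to `#extend-microsoft-365-assessment-templates`; L1277 updates the quickstart link, but check that no other page still targets the old anchor. L1312 says "see the instructions below on modifying a template" in plain text; make it a link, `[Modify a template](#modify-a-template)`, as L1322 already does. The consequence stated on L1314 (editing a universal template breaks inheritance, so it stops receiving Microsoft updates) is the opposite of what L1303 promises for extended Microsoft 365 templates, so it deserves a note callout rather than a closing sentence, so readers see it before they start editing.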
compliance Compliance Manager Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-whats-new.md
description: "Find out whatΓÇÖs new in Compliance Manger and whatΓÇÖs to come. R
**In this article:** Learn about recent updates in Compliance Manager.
+## July 2021
+
+We added the capability to create assessments for products other than Microsoft 365, based on new universal versions of our templates. To learn more, start with [Working with assessment templates](compliance-manager-templates.md).
+ ## May 2021 ### New assessment templates
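Review bot: the new July 2021 entry says assessments can now be created "for products other than Microsoft 365" but does not name which products or which universal templates are available, so a reader cannot tell whether the change applies to them without following the link; add one sentence listing the covered products or template names. Separately, the page's front-matter description (the context line above: "whatΓÇÖs new in Compliance Manger") still has the "Manger" typo and the same `ΓÇÖ` encoding problem; fix both while the file is open.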
compliance File Plan Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/file-plan-manager.md
Although you can create and manage retention labels from **Information governanc
- You can bulk-create retention labels by importing the relevant information from a spreadsheet. -- You can export the information from existing retention labels for analysis and offline collaboration, or for bulk-editing.
+- You can export the information from existing retention labels for analysis and offline collaboration.
- More information about the retention labels is displayed to make it easier to see into and across the settings of all your retention labels from one view.
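Review bot: dropping "or for bulk-editing" from the export bullet leaves this list inconsistent with the import section further down in the same file, whose added text says you can edit the exported .csv and import it again "for easier bulk-editing of existing retention labels". Either keep the bulk-editing mention here (e.g. "...for analysis, offline collaboration, or as the starting point for bulk-editing") or add a cross-reference to the import section so the capability is not silently removed from the overview.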
All columns except the label **Name** can be displayed or hidden by selecting th
File plan lets you include more information as part of your retention labels. These file plan descriptors provide more options to improve the manageability and organization of the content you need to label.
-By default, starting with **Reference ID**, the next few columns display these file plan descriptors that you can specify when you create a retention label, or edit an existing label.
+By default, starting with **Reference ID**, the next few columns display these optional file plan descriptors that you can specify when you create a retention label, or edit an existing label.
To get you started, there are some out-of-box values for the following file plan descriptors: - Business function/department
A *.csv file that contains all existing retention labels opens. For example:
## Import retention labels into your file plan
-In file plan, you can bulk-import new retention labels, and use the same method to bulk-modify existing retention labels.
+In file plan, you can bulk-import new retention labels by using a .csv file with a specific format. After the labels are imported, you can make edits in the .csv file and import the file again for easier bulk-editing of existing retention labels.
To import new retention labels and modify existing retention labels:
To import new retention labels and modify existing retention labels:
![Option to download a blank file plan template](../media/file-plan-blank-template-option.png)
-2. Download a blank template to import new retention labels. Alternatively, you can start with the .csv file that is exported when you export the existing retention labels in your organization.
+2. Download a blank template as instructed:
![Blank file plan template opens in Excel](../media/file-plan-blank-template.png)
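Review bot: "Download a blank template as instructed:" is unclear because nothing on the page says where the instruction is; the removed line was explicit ("Download a blank template to import new retention labels") and also told the reader they could start from the exported .csv instead. Suggest keeping both facts: "2. Select the option to download a blank template. Alternatively, start with the .csv file exported from your existing retention labels." Since the import section now positions export/re-import as the way to bulk-edit, removing that alternative here leaves a gap in the procedure.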
To import new retention labels and modify existing retention labels:
- All other values: Unlimited length <br/>
- |Property|Type|Valid values|
- |:--|:--|:--|
- |LabelName|String|This property specifies the name of the retention label.|
- |Comment|String|Use this property to add a description about the retention label for admins. This description appears only to admins who manage the retention label in the compliance center.|
- |Notes|String|Use this property to add a description about the retention label for users. This description appears when users hover over the label in apps like Outlook, SharePoint, and OneDrive. If you leave this property blank, a default description is displayed, which explains the label's retention settings. |
- |IsRecordLabel|String|This property specifies whether the label marks the content as a record. Valid values are: </br>**TRUE**: The label marks the item as a record and as a result, the item can't be deleted. </br>**FALSE**: The label doesn't mark the content as a record. This is the default value.|
- |RetentionAction|String|This property specifies what action to take after the value specified by the RetentionDuration property expires. Valid values are: </br>**Delete**: Items older than the value specified by the RetentionDuration property are deleted.</br>**Keep**: Retain items for the duration specified by the RetentionDuration property and then do nothing when the duration period expires. </br>**KeepAndDelete**: Retain items for the duration specified by the RetentionDuration property and then delete them when the duration period expires. |
- |RetentionDuration|String|This property specifies the number of days to retain the content. Valid values are: </br>**Unlimited**: Items will be retained indefinitely. </br>***n***: A positive integer; for example, **365**.
- |RetentionType|String|This property specifies whether the retention duration is calculated from the content creation date, event date, when labeled date, or last modified date. Valid values are: </br>**CreationAgeInDays**</br>**EventAgeInDays**</br>**TaggedAgeInDays**</br>**ModificationAgeInDays** |
- |ReviewerEmail|SmtpAddress|When this property is populated, a disposition review will be triggered when the retention duration expires. This property specifies the email address of a reviewer for the **KeepAndDelete** retention action. You can include the email address of individual users, distribution groups, or security groups. You can specify multiple email addresses separated by semicolons.|
- |ReferenceId|String|This property specifies the value that's displayed in the **Reference Id** file plan descriptor, which you can use as a unique value to your organization.|
- |DepartmentName|String|This property specifies the value that's displayed in the **Function/department** file plan descriptor.|
- |Category|String|This property specifies the value that's displayed in the **Category** file plan descriptor.|
- |SubCategory|String|This property specifies the value that's displayed in the **Sub category** file plan descriptor.|
- |AuthorityType|String|This property specifies the value that's displayed in the **Authority type** file plan descriptor.|
- |CitationName|String|This property specifies the name of the citation displayed in the **Provision/citation** file plan descriptor. For example, "Sarbanes-Oxley Act of 2002". |
- |CitationUrl|String|This property specifies the URL that's displayed in the **Provision/citation** file plan descriptor.|
- |CitationJurisdiction|String|This property specifies the jurisdiction or agency that's displayed in the **Provision/citation** file plan descriptor. For example, "U.S. Securities and Exchange Commission (SEC)".|
- |Regulatory|String|Leave blank. This property isn't used at this time.|
- |EventType|String|This property specifies the retention rule that's associated with the label. You can use any value that uniquely identifies the rule. For example:</br>**Name**</br>**Distinguished name (DN)**</br>**GUID** </br>You can use the [Get-RetentionComplianceRule](/powershell/module/exchange/get-retentioncompliancerule) cmdlet to view the available retention rules. Note that because the EventType values are unique to an organization, if you export labels from one organization, you can't use the values for the EventType property from that organization to import labels into a different organization.|
+ |Property|Type|Required|Valid values|
+ |:--|:--|:--|:--|
+ |LabelName|String|Yes|This property specifies the name of the retention label and must be unique in your tenant.|
+ |Comment|String|No|Use this property to add a description about the retention label for admins. This description appears only to admins who manage the retention label in the compliance center.|
+ |Notes|String|No|Use this property to add a description about the retention label for users. This description appears when users hover over the label in apps like Outlook, SharePoint, and OneDrive. If you leave this property blank, a default description is displayed, which explains the label's retention settings. |
+ |IsRecordLabel|String|No, unless **Regulatory** is **TRUE**|This property specifies whether the label marks the content as a record. Valid values are: </br>**TRUE**: The label marks the item as a record and as a result, the item can't be deleted. </br>**FALSE**: The label doesn't mark the content as a record. This is the default value. </br> </br> Group dependencies: When this property is specified, RetentionAction, RetentionDuration, and RetentionType must also be specified.|
+ |RetentionAction|String|No, unless **RetentionDuration**, **RetentionType**, or **ReviewerEmail** are specified|This property specifies what action to take after the value specified by the RetentionDuration property (if specified) expires. Valid values are: </br>**Delete**: Items older than the value specified by the RetentionDuration property are deleted.</br>**Keep**: Retain items for the duration specified by the RetentionDuration property and then do nothing when the duration period expires. </br>**KeepAndDelete**: Retain items for the duration specified by the RetentionDuration property and then delete them when the duration period expires. </br> </br> Group dependencies: When this property is specified, RetentionDuration and RetentionType must also be specified. |
+ |RetentionDuration|String|No, unless **RetentionAction** or **RetentionType** are specified|This property specifies the number of days to retain the content. Valid values are: </br>**Unlimited**: Items will be retained indefinitely. </br>***n**: A positive integer in days; for example, **365**. The maximum number supported is 24,855, which is 68 years. If you need longer than this maximum, use Unlimited instead.</br> </br> Group dependencies: When this property is specified, RetentionAction and RetentionType must also be specified.
+ |RetentionType|String|No, unless **RetentionAction** or **RetentionDuration** are specified|This property specifies whether the retention duration (if specified) is calculated from the content creation date, event date, when labeled date, or last modified date. Valid values are: </br>**CreationAgeInDays**</br>**EventAgeInDays**</br>**TaggedAgeInDays**</br>**ModificationAgeInDays** </br> </br> Group dependencies: When this property is specified, RetentionAction and RetentionDuraction must also be specified.|
+ |ReviewerEmail|SmtpAddress|No|When this property is specified, a disposition review will be triggered when the retention duration expires. This property specifies the email address of a reviewer for the **KeepAndDelete** retention action. </br> </br> You can include the email address of individual users, distribution groups, or security groups in your tenant. Specify multiple email addresses by separating them with semicolons. </br> </br> Group dependencies: When this property is specified, **RetentionAction** (must be **KeepAndDelete**), **RetentionDuration**, and **RetentionType** must also be specified.|
+ |ReferenceId|String|No|This property specifies the value that's displayed in the **Reference Id** file plan descriptor, which you can use as a unique value to your organization.|
+ |DepartmentName|String|No|This property specifies the value that's displayed in the **Function/department** file plan descriptor.|
+ |Category|String|No|This property specifies the value that's displayed in the **Category** file plan descriptor.|
+ |SubCategory|String|No|This property specifies the value that's displayed in the **Sub category** file plan descriptor.|
+ |AuthorityType|String|No|This property specifies the value that's displayed in the **Authority type** file plan descriptor.|
+ |CitationName|String|No|This property specifies the name of the citation displayed in the **Provision/citation** file plan descriptor. For example, "Sarbanes-Oxley Act of 2002". |
+ |CitationUrl|String|No|This property specifies the URL that's displayed in the **Provision/citation** file plan descriptor.|
+ |CitationJurisdiction|String|No|This property specifies the jurisdiction or agency that's displayed in the **Provision/citation** file plan descriptor. For example, "U.S. Securities and Exchange Commission (SEC)".|
+ |Regulatory|String|No|This property specifies whether the label marks the content as a regulatory record, which is [more restrictive](records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked) than a record. To use this label configuration, your tenant must be configured to [display the option to mark content as a regulatory record](declare-records.md#how-to-display-the-option-to-mark-content-as-a-regulatory-record), or the import validation will fail. Valid values are: </br>**TRUE**: The label marks the item as a regulatory record. You must also set the **IsRecordLabel** property to TRUE.</br>**FALSE**: The label doesn't mark the content as a regulatory record. This is the default value.|
+ |EventType|String|No, unless **RetentionType** is **EventAgeInDays**|This property specifies an event type used for [event-based retention](event-driven-retention.md). Specify an existing event type that's displayed in **Records management** > **Events** > **Manage event types**. Alternatively, use the [Get-ComplianceRetentionEventType](/powershell/module/exchange/get-complianceretentioneventtype) cmdlet to view the available event types. Although there are some built-in event types, such as **Employee activity** and **Product lifetime**, you can also create your own event types. </br> </br> If you specify your own event type, it must exist before the import because the name is validated as part of the import process.|
||| Here's an example of the template containing the information about retention labels. ![File plan template with information filled in](../media/file-plan-filled-out-template.png)
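Review bot: several markdown and wording defects in the rebuilt table will render incorrectly or mislead. In the RetentionDuration row, `***n**:` has unbalanced asterisks (the removed row had `***n***`), so literal asterisks will appear instead of bold-italic `n`; the same row is also missing its closing `|`. In the RetentionType row, "RetentionDuraction" should be "RetentionDuration". The leftover `|||` row after the table has three cells while the table now has four columns, and the sentence "Here's an example of the template..." runs on from it on the same line; delete the empty row and start that sentence on its own line. Finally, the RetentionAction row says the action applies "after the value specified by the RetentionDuration property (if specified) expires" but its group dependency says RetentionDuration must always be specified together with RetentionAction, so "(if specified)" should be removed to avoid contradicting the Required column.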
-4. Under step 3 on the **Fill out and import your file plan** page, click **Browse for files** to upload the filled-out template.
+4. Under step 3 on the **Fill out and import your file plan** page, click **Browse for files** to upload the filled-out template, and then select **Next**.
- File plan validates the entries and displays the import statistics.
+ File plan uploads the file and validates the entries, displaying the import statistics.
![File plan import statistics](../media/file-plan-import-statistics.png)
- If there's a validation error, file plan import continues to validate every entry in the import file and displays all errors referencing the line and row numbers in the import file. Copy the displayed error results so you can correct them when you return to the import file.
+5. Depending on the validation results:
+
+ - If validation fails: Note the row number and column name to correct in the import file. Select **Close**, and then **Yes** to confirm. Correct the errors in the file and save it, select the **Import** option again, and return to step 4.
+
+ - If validation passes: You can select **Go Live** to make the retention labels available in your tenant. Or, select the Close icon for the page, and **Yes** to confirm you want to close the wizard without making the retention labels available in your tenant at this time.
-When the import is complete, you can now add the retention labels to a new retention label policy, or auto-apply them. You can do this right from the **File plan** page by selecting the dropdown from **+ Create a label** and then **Policy to publish labels**, or **Policy to auto-apply a label**.
+When the imported labels are added to your tenant, you can now add them to a new retention label policy, or auto-apply them. You can do this right from the **File plan** page by selecting the dropdown from **+ Create a label** and then **Policy to publish labels**, or **Policy to auto-apply a label**.
## Next steps
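Review bot: the new step 5 drops a useful detail from the removed sentence, namely that validation continues through every entry and reports all errors at once; without it, a reader may assume they must fix and re-upload one error at a time. Suggest: "If validation fails: All rows are validated and every error is listed with its row number and column name. Note them, select **Close**, ..." The "If validation passes" bullet also offers the Close icon but not what happens to the uploaded labels if you close without **Go Live** (are they discarded, or saved for a later import?); one clause would resolve that.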
compliance Get Started With The Default Dlp Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-the-default-dlp-policy.md
f1.keywords:
Previously updated : 8/10/2017 Last updated : audience: Admin
compliance Privacy Management Subject Rights Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-subject-rights-requests.md
To open a new request, see [Create a request](#create-a-request).
## Create a request
-Subject rights management administrators can use privacy managementΓÇÖs wizard to create requests. This wizard will guide you through the process of finding personal data about a data subject and fulfilling their request.
+Subject rights management administrators can use privacy managementΓÇÖs wizard to create requests. The wizard will guide you through the process of finding personal data about a data subject and fulfilling their request.
The four main steps include the following.
enterprise Planportallaunchroll Out https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/Planportallaunchroll-out.md
description: "This article describes how you can plan your portal launch in Shar
# Planning your portal launch roll-out plan in SharePoint Online
-A portal is a SharePoint site on your intranet that has a large number of site viewers who consume content on the site. In large organizations there could be several of these; for example, a company portal and an HR portal. Typically portals have relatively few people who create and author the site and its content. Most visitors to the portal only read and consume the content.
+A portal is a SharePoint site on your intranet with many site viewers who consume content on the site. Large organizations could have several portals. For example, a company portal and an HR portal. Typically portals have relatively few people who create and author the site and its content. Most visitors to the portal only read and consume the content.
-This article describes how to plan your deployment and roll-out plan to SharePoint Online. It also provides approaches to follow as traditional load testing is not permitted on SharePoint Online. SharePoint Online is a cloud service and the load capabilities, health and overall balance of load in the service are managed by Microsoft.
+This article describes how to plan your deployment and roll-out plan to SharePoint Online. It also provides approaches to follow as traditional load testing is not permitted on SharePoint Online. SharePoint Online is a cloud service and the load capabilities, health, and overall balance of load in the service are managed by Microsoft.
-To help in creating a successful portal, follow the basic principles, practices and recommendations detailed in the [Creating, launching and maintaining a healthy portal](/sharepoint/portal-health)
+To help in creating a successful portal, follow the basic principles, practices, and recommendations detailed in the [Creating, launching, and maintaining a healthy portal](/sharepoint/portal-health)
The deployment approach is highlighted below.
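Review bot: "Large organizations could have several portals. For example, a company portal and an HR portal." leaves the second sentence as a fragment; join them ("...several portals, for example a company portal and an HR portal."). The last added line also ends without a period after the link to the portal-health article. Otherwise the serial-comma and "which"/"that" edits are consistent with the rest of the file.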
+## Portal Launch Scheduler
+
+Use the portal launch scheduler to release your portal to users in your organization in scheduled phases. Learn more:
+
+![Calendar icon](https://docs.microsoft.com/Office/media/icons/calendar.png "Portal launch scheduler") [Portal Launch Scheduler](https://docs.microsoft.com/microsoft-365/enterprise/portallaunchscheduler)
+++ ## Overview of capacity planning in SharePoint Online In order to efficiently use capacity and deal with unexpected growth, in any farm, we have automation that tracks certain usage scenarios. While exact growth is unpredictable for any one tenant in any one farm, the aggregated sum of requests is predictable over time. By identifying the growth trends in SharePoint Online, we can plan for future expansion. For more information on [Capacity planning and load testing SharePoint Online](capacity-planning-and-load-testing-sharepoint-online.md). A key part of a successful launch is the "wave" or "phased roll-out" approach detailed below. ## Can I load test SharePoint Online?
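Review bot: the new Portal Launch Scheduler section links with absolute `https://docs.microsoft.com/...` URLs for both the icon and the article, while the rest of this file (and the `[Portal Launch Scheduler]` page itself, `enterprise/PortalLaunchScheduler.md` in this same repo) use site-relative or repo-relative links such as `capacity-planning-and-load-testing-sharepoint-online.md` and `/sharepoint/portal-health`; use the relative form so the link resolves on localized and sovereign-cloud doc sites. The section is also only a one-line pointer; a sentence stating that the scheduler is the supported way to do the phased roll-out described in the next section would tie the two together.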
-SharePoint Online is a shared multi-tenanted environment which is balanced across farms and scale is adjusted in an on-going basis. Load testing an environment, like SharePoint Online, whose scale changes continuously will not only give you unexpected results but it is not permitted.
+SharePoint Online is a shared multi-tenanted environment that is balanced across farms and scale is adjusted in an on-going basis. Load testing an environment, like SharePoint Online, whose scale changes continuously will not only give you unexpected results but it is not permitted.
Learn more: [Capacity planning and load testing SharePoint Online](capacity-planning-and-load-testing-sharepoint-online.md)
Learn more: [Capacity planning and load testing SharePoint Online](capacity-pla
Pages from an on-Premise deployment should not simply be moved as they are onto SharePoint Online without reviewing them against recommended guidelines for SharePoint Online. The best approach is to always optimize any home page for any site or portal in SharePoint, as this is where most users in your organization will access as the starting point for your site(s). A few basic factors should be considered:-- On-Premise deployments can leverage traditional server-side caches like object cache, output cache and blob cache. With the topology differences in the cloud, these options are not necessarily available as the sheer scale differences make them less viable approaches.-- Any pages / features / customizations used for cloud consumption should be optimized for higher latency as well as the distributed locations of users, so that users in different areas or regions have a more consistent experience. Cloud offers optimizations like Content Delivery Networks (CDN) to optimize for a distributed user base as well as for modern SharePoint, the last known good (LKG) is utilized by our out of the box (OOTB) web parts.
+- On-Premise deployments can use traditional server-side caches like object cache, output cache, and blob cache. With the topology differences in the cloud, these options are not necessarily available as the sheer scale differences make them less viable approaches.
+- Any pages / features / customizations used for cloud consumption should be optimized for higher latency and the distributed locations of users, so that users in different areas or regions have a more consistent experience. Cloud offers optimizations like Content Delivery Networks (CDN) to optimize for a distributed user base and for modern SharePoint, the last known good (LKG) is utilized by our out of the box (OOTB) web parts.
### What to do:
+ - For all site pages in SharePoint Online use the [Page Diagnostics tool](./page-diagnostics-for-spo.md), which is a Chromium extension that assists with analyzing and providing guidance. This can be used by site owners, editors, administrators, and developers as it is designed to be a starting point for analysis and optimization.
+ - Developers should also use development tools like F12 browser developer tool and CTRL-F12 in the browser on modern pages. [Fiddler](https://www.telerik.com/download/fiddler) can also be used to review the size weight (how large the page is in megabytes) of the page and the number of calls and elements impacting the overall page load.
-This section was a brief summary for optimizing pages. To learn more see: [Creating, launching and maintaining a healthy portal](/sharepoint/portal-health).
+This section was a brief summary for optimizing pages. To learn more, see: [Creating, launching, and maintaining a healthy portal](/sharepoint/portal-health).
## Follow a Wave / Phased roll-out approach
-The traditional big bang approach for site launches will not allow verification that customizations, external sources, services or processes have been tested at the right scale. This doesn't mean that it will take months to launch, but it is recommended over at least several days dependent on your organization size. Following a wave roll-out plan therefore gives you the option to pause and resolve issues before proceeding with the next phase and therefore lowers the potential number of users impacted by any issues. SharePoint as a service scales your capacity based on usage and predicted usage and whilst we don't need you to notify us of your launch, you should follow the guidelines to ensure success.
+The traditional big bang approach for site launches will not allow verification that customizations, external sources, services, or processes have been tested at the right scale. This approach doesn't mean that it will take months to launch, but it is recommended over at least several days dependent on your organization size. Following a wave roll-out plan therefore gives you the option to pause and resolve issues before proceeding with the next phase and therefore lowers the potential number of users impacted by any issues. SharePoint as a service scales your capacity based on usage and predicted usage and whilst we don't need you to notify us of your launch, you should follow the guidelines to ensure success.
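Review bot: replacing "This doesn't mean" with "This approach doesn't mean" changes the referent: the nearest approach in the sentence is the big-bang launch, so the paragraph now reads as if the big bang is what "is recommended over at least several days". The intended subject is the phased roll-out; suggest "A phased roll-out doesn't mean that it will take months to launch, but it is recommended to spread it over at least several days depending on your organization size."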
-As shown in the following image, often the number of users that are invited is significantly higher than those that actually use the site. This image shows a strategy about how to roll out a release. This method helps identify ways to improve the SharePoint site before the majority of the users see it.
+As shown in the following image, often the number of users that are invited is significantly higher than those that actually use the site. This image shows a strategy about how to roll out a release. This method helps identify ways to improve the SharePoint site before most the users see it.
![Graph showing invited and active users](../media/0bc14a20-9420-4986-b9b9-fbcd2c6e0fb9.png)
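Review bot: "before most the users see it" is missing "of" ("before most of the users see it"). While touching the sentence, "This image shows a strategy about how to roll out a release" would read better as "This image shows a strategy for rolling out a release".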
-In the pilot phase, it is good to get feedback from users that the organization trusts and knows will be engaged. This way it is possible to gauge how the system is being used, as well as how it is performing.
+In the pilot phase, it is good to get feedback from users that the organization trusts and knows will be engaged. This way it is possible to gauge how the system is being used, and how it is performing.
-During each of the waves, gather user feedback around the features as well as the performance during each wave of deployment. This has the advantage of slowly introducing the system and making improvements as the system gets more use. This also allows us to react to the increased load as the site is rolled out to more and more users and combined with following the guidelines for page optimization ensures a positive experience for your users.
+During each of the waves, gather user feedback around the features and the performance during each wave of deployment. Collecting feedback has the advantage of slowly introducing the system and making improvements as the system gets more use. This also allows us to react to the increased load as the site is rolled out to more users and combined with following the guidelines for page optimization ensures a positive experience for your users.
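Review bot: "Collecting feedback has the advantage of slowly introducing the system" attributes the benefit to the wrong thing; it is the wave roll-out, not the feedback collection, that introduces the system gradually. Suggest "Rolling out in waves has the advantage of slowly introducing the system and lets you make improvements as it gets more use." The first sentence also still says "during each wave" twice ("During each of the waves ... during each wave of deployment"); one is enough.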
### What to do: - Decide on the timing of each phase and ensure that you have a contingency / pause opportunity, should you need to make adjustments before continuing-- Plan your first group of users that you want to enable, to ensure you receive the feedback you need to move forward. This means that where possible, select an active group of users that will provide feedback in a timely fashion-- As you plan each wave, try and start with a small user base (less than 5000 users), and then increase the group sizes as you proceed with each wave. This helps to create a staggered approach and allows easier pause opportunities that may be needed.
+- Plan your first group of users that you want to enable, to ensure you receive the feedback you need to move forward. Where possible, select an active group of users that will provide feedback in a timely fashion
+- As you plan each wave, try to start with a small user base (less than 5000 users). Increase the group sizes as you proceed with each wave. By creating a staggered approach, it allows for easier pause opportunities as needed.
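Review bot: "By creating a staggered approach, it allows for easier pause opportunities as needed" has a dangling modifier ("it" is not what creates the approach); suggest "Staggering the waves this way makes it easier to pause when needed." The bullets in this list are also inconsistent in punctuation: the first two end without a period and the third with one.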
enterprise Portallaunchscheduler https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
If you are planning to launch a portal with over 100,000 users, submit a support request following the steps listed below. Make sure to include all the requested information.
+> [!NOTE]
+>
+> - This process should only be followed if you meet the following requirements:
+> - The Launch Page has been completed.
+> - [Portal Health Guidance](https://aka.ms/portalhealth) has been followed.
+> - The Launch date is within 14 days.
+ **Follow these steps:** 1. Go to <https://admin.microsoft.com>.
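Review bot: in the new NOTE block the three requirements are written at the same list level as the introductory "This process should only be followed if..." bullet, so they render as four sibling bullets rather than as a condition with three sub-items; indent the three requirement lines by two spaces under the first bullet. The `https://aka.ms/portalhealth` short link should also be the direct article link (`/sharepoint/portal-health`, as used elsewhere in this folder) so the target is visible to readers and link checkers.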
enterprise Microsoft 365 Ip Web Service https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-ip-web-service.md
For more information, see:
These parameters are common across all the web service methods: -- **format=<JSON | CSV>** ΓÇö By default, the returned data format is JSON. Use this optional parameter to return the data in comma-separated values (CSV) format.-- **ClientRequestId=\<guid>** ΓÇö A required GUID that you generate for client association. Generate a unique GUID for each machine that calls the web service (the scripts included on this page generate a GUID for you). Do not use the GUIDs shown in the following examples because they might be blocked by the web service in the future. GUID format is _xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_, where x represents a hexadecimal number.
+- **format=\<JSON \| CSV\>** ΓÇö By default, the returned data format is JSON. Use this optional parameter to return the data in comma-separated values (CSV) format.
+- **ClientRequestId=\<guid\>** ΓÇö A required GUID that you generate for client association. Generate a unique GUID for each machine that calls the web service (the scripts included on this page generate a GUID for you). Do not use the GUIDs shown in the following examples because they might be blocked by the web service in the future. GUID format is _xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_, where x represents a hexadecimal number.
To generate a GUID, you can use the [New-Guid](/powershell/module/microsoft.powershell.utility/new-guid) PowerShell command, or use an online service such as [Online GUID Generator](https://www.guidgenerator.com/). ## Version web method
-Microsoft updates the Office 365 IP address and FQDN entries at the end of each month. Out-of-band updates are sometimes published due to support incidents, security updates or other operational requirements.
+Microsoft updates the Office 365 IP address and FQDN entries at the beginning of each month. Out-of-band updates are sometimes published due to support incidents, security updates or other operational requirements.
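Review bot: changing "end of each month" to "beginning of each month" is a factual change to the published update cadence, not a wording fix, and nothing in the hunk says whether the schedule changed or the old text was wrong; the commit message should state which, since customers automate their firewall and proxy updates around this cadence. If the schedule is the beginning of the month, say when the data is considered stable (the following paragraph in this file recommends checking the version web method no more than hourly, which readers can rely on instead of a calendar date).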
The data for each published instance is assigned a version number, and the version web method enables you to check for the latest version of each Office 365 service instance. We recommend that you check the version not more than once an hour. Parameters for the version web method are: -- **AllVersions=<true | false>** ΓÇö By default, the version returned is the latest. Include this optional parameter to request all published versions since the web service was first released.-- **Format=<JSON | CSV | RSS>** ΓÇö In addition to the JSON and CSV formats, the version web method also supports RSS. You can use this optional parameter along with the _AllVersions=true_ parameter to request an RSS feed that can be used with Outlook or other RSS readers.-- **Instance=<Worldwide | China | Germany | USGovDoD | USGovGCCHigh>** ΓÇö This optional parameter specifies the instance to return the version for. If omitted, all instances are returned. Valid instances are: Worldwide, China, Germany, USGovDoD, USGovGCCHigh.
+- **AllVersions=\<true \| false\>** ΓÇö By default, the version returned is the latest. Include this optional parameter to request all published versions since the web service was first released.
+- **Format=\<JSON \| CSV \| RSS\>** ΓÇö In addition to the JSON and CSV formats, the version web method also supports RSS. You can use this optional parameter along with the _AllVersions=true_ parameter to request an RSS feed that can be used with Outlook or other RSS readers.
+- **Instance=\<Worldwide \| China \| Germany \| USGovDoD \| USGovGCCHigh\>** ΓÇö This optional parameter specifies the instance to return the version for. If omitted, all instances are returned. Valid instances are: Worldwide, China, Germany, USGovDoD, USGovGCCHigh.
The version web method is not rate limited and does not ever return 429 HTTP Response Codes. The response to the version web method does include a cache-control header recommending caching of the data for 1 hour. The result from the version web method can be a single record or an array of records. The elements of each record are:
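Review bot: the first changed line moves the publication cadence from "end of each month" to "beginning of each month", a factual change that admins use to schedule firewall and proxy updates; please confirm it against the current publication schedule, and keep the out-of-band sentence as is, since the practical advice elsewhere in this file (poll the version method, at most once an hour) is what clients should rely on rather than a calendar date. The `\<true \| false\>` style escapes in the three parameter bullets make the placeholders render literally regardless of Markdown engine; good.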
The version web method is not rate limited and does not ever return 429 HTTP Res
- latest ΓÇö The latest version for endpoints of the specified instance. - versions ΓÇö A list of all previous versions for the specified instance. This element is only included if the _AllVersions_ parameter is true.
-### Examples:
+### Version web method examples
-Example 1 request URI: [https://endpoints.office.com/version?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7](https://endpoints.office.com/version?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7)
+Example 1 request URI: <https://endpoints.office.com/version?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
This URI returns the latest version of each Office 365 service instance. Example result:
This URI returns the latest version of each Office 365 service instance. Example
> [!IMPORTANT] > The GUID for the ClientRequestID parameter in these URIs are only an example. To try the web service URIs out, generate your own GUID. The GUIDs shown in these examples may be blocked by the web service in the future.
-Example 2 request URI: [https://endpoints.office.com/version/Worldwide?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7](https://endpoints.office.com/version/Worldwide?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7)
+Example 2 request URI: <https://endpoints.office.com/version/Worldwide?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
This URI returns the latest version of the specified Office 365 service instance. Example result:
This URI returns the latest version of the specified Office 365 service instance
} ```
-Example 3 request URI: [https://endpoints.office.com/version/Worldwide?Format=CSV&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7](https://endpoints.office.com/version/Worldwide?Format=CSV&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7)
+Example 3 request URI: <https://endpoints.office.com/version/Worldwide?Format=CSV&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
This URI shows output in CSV format. Example result:
instance,latest
Worldwide,2018063000 ```
-Example 4 request URI: [https://endpoints.office.com/version/Worldwide?AllVersions=true&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7](https://endpoints.office.com/version/Worldwide?AllVersions=true&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7)
+Example 4 request URI: <https://endpoints.office.com/version/Worldwide?AllVersions=true&amp;ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
This URI shows all prior versions that have been published for the Office 365 worldwide service instance. Example result:
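Review bot: the Example 3 and Example 4 autolinks still carry the HTML entity `&amp;` (`Format=CSV&amp;ClientRequestId=...`, `AllVersions=true&amp;ClientRequestId=...`); an inline link destination decodes entity references, but an angle-bracket autolink is taken literally, so the rendered href would contain a query parameter named `amp;ClientRequestId` and the request would fail the GUID check. Use a bare `&`, as the Example 5 RSS URI further down in this file already does.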
This URI shows all prior versions that have been published for the Office 365 wo
} ```
-Example 5 RSS Feed URI:
-[https://endpoints.office.com/version/worldwide?clientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7&allVersions=true&format=RSS](https://endpoints.office.com/version/worldwide?clientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7&allVersions=true&format=RSS)
+Example 5 RSS Feed URI: <https://endpoints.office.com/version/worldwide?clientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7&allVersions=true&format=RSS>
This URI shows an RSS feed of the published versions that include links to the list of changes for each version. Example result:
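Review bot: the Example 5 URI uses lowercase parameter names (`clientRequestId`, `allVersions`, `format`) and a lowercase instance segment (`worldwide`) while Examples 1 to 4 use `ClientRequestId` and `Worldwide`; if the service treats these case-insensitively, pick one casing for all examples, otherwise state the expected casing in the parameter list above.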
The endpoints web method returns all records for IP address ranges and URLs that
Parameters for the endpoints web method are: -- **ServiceAreas=<Common | Exchange | SharePoint | Skype>** ΓÇö A comma-separated list of service areas. Valid items are _Common_, _Exchange_, _SharePoint_, and _Skype_. Because _Common_ service area items are a prerequisite for all other service areas, the web service always includes them. If you do not include this parameter, all service areas are returned.-- **TenantName=<tenant_name>** ΓÇö Your Office 365 tenant name. The web service takes your provided name and inserts it in parts of URLs that include the tenant name. If you don't provide a tenant name, those parts of URLs have the wildcard character (\*).-- **NoIPv6=<true | false>** ΓÇö Set the value to _true_ to exclude IPv6 addresses from the output if you don't use IPv6 in your network.-- **Instance=<Worldwide | China | Germany | USGovDoD | USGovGCCHigh>** ΓÇö This required parameter specifies the instance from which to return the endpoints. Valid instances are: _Worldwide_, _China_, _Germany_, _USGovDoD_, and _USGovGCCHigh_.
+- **ServiceAreas=\<Common \| Exchange \| SharePoint \| Skype\>** ΓÇö A comma-separated list of service areas. Valid items are _Common_, _Exchange_, _SharePoint_, and _Skype_. Because _Common_ service area items are a prerequisite for all other service areas, the web service always includes them. If you do not include this parameter, all service areas are returned.
+- **TenantName=\<tenant_name\>** ΓÇö Your Office 365 tenant name. The web service takes your provided name and inserts it in parts of URLs that include the tenant name. If you don't provide a tenant name, those parts of URLs have the wildcard character (\*).
+- **NoIPv6=\<true \| false\>** ΓÇö Set the value to _true_ to exclude IPv6 addresses from the output if you don't use IPv6 in your network.
+- **Instance=\<Worldwide \| China \| Germany \| USGovDoD \| USGovGCCHigh\>** ΓÇö This required parameter specifies the instance from which to return the endpoints. Valid instances are: _Worldwide_, _China_, _Germany_, _USGovDoD_, and _USGovGCCHigh_.
If you call the endpoints web method too many times from the same client IP address, you might receive HTTP response code _429 (Too Many Requests)_. If you get this response code, wait 1 hour before repeating your request, or generate a new GUID for the request. As a general best practice, only call the endpoints web method when the version web method indicates that a new version is available.
The result from the endpoints web method is an array of records in which each re
- required ΓÇö _True_ if this endpoint set is required to have connectivity for Office 365 to be supported. _False_ if this endpoint set is optional. - notes ΓÇö For optional endpoints, this text describes Office 365 functionality that would be unavailable if IP addresses or URLs in this endpoint set cannot be accessed at the network layer. Omitted if blank.
-### Examples:
+### Endpoints web method examples
-Example 1 request URI: [https://endpoints.office.com/endpoints/Worldwide?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7](https://endpoints.office.com/endpoints/Worldwide?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7)
+Example 1 request URI: <https://endpoints.office.com/endpoints/Worldwide?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
This URI obtains all endpoints for the Office 365 worldwide instance for all workloads. Example result that shows an excerpt of the output:
The result from the changes web method is an array of records in which each reco
ΓÇö ips ΓÇö Items to be removed from the _ips_ array. ΓÇö urls- Items to be removed from the _urls_ array.
-### Examples:
+### Changes web method examples
-Example 1 request URI: [https://endpoints.office.com/changes/worldwide/0000000000?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7](https://endpoints.office.com/changes/worldwide/0000000000?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7)
+Example 1 request URI: <https://endpoints.office.com/changes/worldwide/0000000000?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
This requests all previous changes to the Office 365 worldwide service instance. Example result:
This requests all previous changes to the Office 365 worldwide service instance.
[ ```
-Example 2 request URI: [https://endpoints.office.com/changes/worldwide/2018062700?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7](https://endpoints.office.com/changes/worldwide/2018062700?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7)
+Example 2 request URI: <https://endpoints.office.com/changes/worldwide/2018062700?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7>
This requests changes since the specified version to the Office 365 Worldwide instance. In this case, the version specified is the latest. Example result:
This requests changes since the specified version to the Office 365 Worldwide in
] ```
-## Example PowerShell Script
+## Example PowerShell script
You can run this PowerShell script to see if there are actions you need to take for updated data. You can run this script as a scheduled task to check for a version update. To avoid excessive load on the web service, try not to run the script more than once an hour.
You can use a few different methods to get email notifications when changes to t
[Office 365 performance tuning using baselines and performance history](performance-tuning-using-baselines-and-history.md)
-[Performance troubleshooting plan for Office 365](performance-troubleshooting-plan.md)
+[Performance troubleshooting plan for Office 365](performance-troubleshooting-plan.md)
enterprise Office 365 Network Mac Perf Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-overview.md
Test reports are linked to a location if it was added with LAN subnet informatio
Measurement samples and office locations should start to appear 2-3 minutes after a test report is completed. For more information, see [Microsoft 365 network connectivity test](office-365-network-mac-perf-onboarding-tool.md). > [!NOTE]
-> When adding your office locations to Microsoft 365 network connectivity in the Microsoft 365 admin center, you can provide either IPv4 or IPv6 addresses for your LAN subnets. Egress IP addresses must use IPv4.
+> Currently, wWhen adding your office locations to Microsoft 365 network connectivity in the Microsoft 365 admin center, you can provide only IPv4 addresses for your LAN subnets. Egress IP addresses must use IPv4.
## How do I use this information?
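Review bot: typo in the added note text: "Currently, wWhen adding" should read "Currently, when adding". The substantive change (LAN subnets now accept only IPv4) is mirrored in the CSV import field description later in this file, so the two statements stay consistent.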
A map of the perimeter network for your organization users at the location is sh
- **SharePoint optimal service front door** - One of the recommended SharePoint service front doors that users in this office location should connect to - **SharePoint sub-optimal service front door** - A SharePoint service front door that users are connected to, but is not recommended - **DNS recursive resolver server** - The location from a geo IP database of the detected DNS recursive resolver used for Exchange Online (if available)-- **Your proxy server** - The location from a geo IP database of the detected proxy server (if available)
+- **Your proxy server** - The location from a geo IP database of the detected proxy server (if available)
The office location summary page additionally shows the location's network assessment, network assessment history, a comparison of this location's assessment to other customers in the same city, and a list of specific insights and recommendations that you can undertake to improve network performance and reliability.
The details tab on the office location page shows the specific measurement resul
> [!div class="mx-imgBorder"] > ![Location-specific details](../media/m365-mac-perf/m365-mac-perf-locations-plan-details-all.png) - ## Sharing network assessment data with Microsoft By default, the network assessments for your organization and the network insights are shared with Microsoft employees. This does not include any personal data from your staff but only the specific network assessment metrics and network insights shown in the admin center for your office locations. It also does not include your office location names or street addresses so you would need to tell them the city and support ID of the office you want to discuss. If this is turned off, the Microsoft engineers that you are discussing your network connectivity with cannot view any of this information. Enabling this setting only shares future data starting the day after you enable it.
In the CSV file, a discovered city location shows in the userEntered column as b
1. **Address** (required): The physical address of the office 1. **Latitude** (optional): Populated from Bing maps lookup of the address if blank 1. **Longitude** (optional): Populated from Bing maps lookup of the address if blank
- 1. **Egress IP Address ranges 1-5** (optional): For each range, enter the circuit name followed by a space separated list of valid IPv4 or IPv6 CIDR addresses. These values are used to differentiate multiple office locations where you use the same LAN subnet IP Addresses. Egress IP Address ranges all must be /24 network size and the /24 is not included in the input.
+ 1. **Egress IP Address ranges 1-5** (optional): For each range, enter the circuit name followed by a space separated list of valid IPv4 CIDR addresses. These values are used to differentiate multiple office locations where you use the same LAN subnet IP Addresses. Egress IP Address ranges all must be /24 network size and the /24 is not included in the input.
1. **LanIps** (required): List the LAN subnet ranges in use at this office location. LAN subnet IDs need to have a CIDR network size included where the network size can be between /8 and /29. Multiple LAN subnet ranges can be separated by a comma or a semicolon.
-
+ 1. When you have added your office locations and saved the file, click the **Browse** button next to the **Upload the completed** field and select the saved CSV file. 1. The file will be automatically validated. If there are validation errors, you will see the error message: _There are some errors in the import file. Review the errors, correct the import file, and then try again._ Click the link **Open error details** for a list of specific field validation errors.
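Review bot: the updated Egress IP Address ranges entry asks for "valid IPv4 CIDR addresses" but the following sentence says every range must be a /24 and "the /24 is not included in the input", which contradicts the CIDR wording; state which form the importer expects, for example a bare network address such as 203.0.113.0 with the /24 implied, or a full CIDR string. The step that follows on the same line ("When you have added your office locations and saved the file...") should start on its own line so it renders as a separate list item.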
enterprise Use Microsoft 365 Cdn With Spo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-microsoft-365-cdn-with-spo.md
Title: Use Office 365 Content Delivery Network (CDN) with SharePoint Online
Previously updated : 2/19/2020 Last updated : 07/13/2021 audience: ITPro
You can use the built-in Office 365 Content Delivery Network (CDN) to host stati
The Office 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or _origins_, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Office 365 CDN, you can add **public** origins, **private** origins or both. See [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate) for more information on the difference between public and private origins.
-![Office 365 CDN conceptual diagram](../media/O365-CDN/o365-cdn-flow-transparent.svg "Office 365 CDN conceptual diagram")
+![Office 365 CDN conceptual diagram](../media/O365-CDN/o365-cdn-flow-transparent.png "Office 365 CDN conceptual diagram")
If you are already familiar with the way that CDNs work, you only need to complete a few steps to enable the Office 365 CDN for your tenant. This topic describes how. Read on for information about how to get started hosting your static assets.
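Review bot: the conceptual diagram reference now points at o365-cdn-flow-transparent.png instead of the .svg; make sure the .png asset is added under ../media/O365-CDN/ in the same change (the two workflow diagrams further down make the same .svg to .png swap), otherwise the page ships with broken images.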
The following is an overview of which links are automatically rewritten by the S
The following diagram illustrates the workflow when SharePoint receives a request for a page containing assets from a public origin.
-![Workflow diagram: Retrieving Office 365 CDN assets from a public origin](../media/O365-CDN/o365-cdn-public-steps-transparent.svg "Workflow: Retrieving Office 365 CDN assets from a public origin")
+![Workflow diagram: Retrieving Office 365 CDN assets from a public origin](../media/O365-CDN/o365-cdn-public-steps-transparent.png "Workflow: Retrieving Office 365 CDN assets from a public origin")
> [!TIP] > If you want to disable auto-rewriting for specific URLs on a page, you can check out the page and add the query string parameter **?NoAutoReWrites=true** to the end of each link you want to disable.
Access to assets in private origins is protected by dynamically generated tokens
The following diagram illustrates the workflow when SharePoint receives a request for a page containing assets from a private origin.
-![Workflow diagram: Retrieving Office 365 CDN assets from a private origin](../media/O365-CDN/o365-cdn-private-steps-transparent.svg "Workflow: Retrieving Office 365 CDN assets from a private origin")
+![Workflow diagram: Retrieving Office 365 CDN assets from a private origin](../media/O365-CDN/o365-cdn-private-steps-transparent.png "Workflow: Retrieving Office 365 CDN assets from a private origin")
#### Token-based authorization in private origins
lighthouse M365 Lighthouse Deploy Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-baselines.md
Select **Baselines** from the left navigation pane to open the Baselines page. Y
## Related content
-[Overview of using baselines to deploy standard tenant configurations](m365-lighthouse-deploying-standard-tenant-configurations-overview.md) (article)\
+[Overview of using baselines to deploy standard tenant configurations](m365-lighthouse-deploy-standard-tenant-configurations-overview.md) (article)\
[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
lighthouse M365 Lighthouse Deploy Standard Tenant Configurations Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md
+
+ Title: "Overview of using baselines to deploy standard tenant configurations"
+f1.keywords: NOCSH
+++
+audience: Admin
+
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolio
+- M365-Lighthouse
+search.appverid: MET150
+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn about using baselines to deploy standard tenant configurations."
++
+# Overview of using baselines to deploy standard tenant configurations
+
+> [!NOTE]
+> The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
+
+Microsoft 365 Lighthouse baselines provide a repeatable and scalable way for you to assess and manage Microsoft 365 security settings across multiple tenants. Baselines also help monitor core security policies and tenant compliance standards with configurations that secure users, devices, and data.
+
+Designed to help partners enable customer adoption of security at their own pace, Microsoft 365 Lighthouse provides a standard set of baseline parameters and pre-defined configurations for Microsoft 365 services. These security configurations help measure your tenants' Microsoft 365 security and compliance progress.
+
+You can view the default baseline and its deployment steps from within Microsoft 365 Lighthouse. To apply baselines to a tenant, select **Tenants** in the left navigation pane, and then select a tenant. Next, go to the **Deployment plans** tab and implement the desired baseline.
+
+## Standard baseline security templates
+
+Microsoft 365 Lighthouse standard baseline configurations for security workloads are designed to help all managed tenants reach an acceptable state of security coverage and compliance.
+
+The baseline configurations in the following table come standard with the Microsoft 365 Lighthouse default baseline.<br><br>
+
+| Baseline configuration | Description |
+|--|--|
+| Require MFA for admins | A report-only Conditional Access policy requiring multifactor authentication for admins. It's required for all cloud applications. |
+| Require MFA for end users | A report-only Conditional Access policy that requires multifactor authentication for users. It's required for all cloud applications. |
+| Block legacy authentication | A report-only Conditional Access policy to block legacy client authentication. |
+| Enroll devices in Microsoft Endpoint Manager – Azure AD Join | Device enrollment to allow your tenant devices to enroll in Microsoft Endpoint Manager. This is done by setting up Auto Enrollment between Azure Active Directory and Microsoft Endpoint Manager. |
+| Antivirus (AV) policy configuration | A Device Configuration profile for Windows devices with pre-configured Microsoft Defender Antivirus settings. |
+| Window 10 Compliance policy set up | A Windows device policy with pre-configured settings to meet basic compliance requirements. |
+
+## Related content
+
+[Deploy Microsoft 365 Lighthouse baselines](m365-lighthouse-deploy-baselines.md) (article)\
+[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
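Review bot: the three Conditional Access rows in the baseline table describe report-only policies yet say MFA "is required for all cloud applications", which reads as if enforcement is in place; a report-only policy only evaluates and logs, so say explicitly that the policy must be switched to On before it enforces MFA or blocks legacy authentication, otherwise partners may believe tenants are protected when they are not. Two smaller fixes in the same file: "Window 10 Compliance policy set up" should be "Windows 10 compliance policy", and the trailing `<br><br>` after the table's intro sentence should be a blank line rather than HTML.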
lighthouse M365 Lighthouse Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview.md
Note that CSP indirect providers aren't currently supported by Microsoft 365 Lig
For more information about the CSP program, see the [Cloud Solution Provider program overview](/partner-center/csp-overview). > [!NOTE]
-> A similar offering, Azure Lighthouse, helps service providers deliver managed services for Azure services by using comprehensive and robust management tooling built into the Azure platform. To learn more, see the [What is Azure Lighthouse?](/azure/lighthouse/overview)
+> A similar offering, Azure Lighthouse, helps service providers deliver managed services for Azure services by using comprehensive and robust management tooling built into the Azure platform. To learn more, see [What is Azure Lighthouse?](/azure/lighthouse/overview)
## Microsoft 365 Lighthouse benefits
lighthouse M365 Lighthouse Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-sign-up.md
description: "For Managed Service Providers (MSPs), learn how to sign up for Mic
To verify that Microsoft 365 Lighthouse was successfully added to your tenant, look for Microsoft 365 Lighthouse under **Billing > Your Products** in the Microsoft 365 admin center.
-1. If you aren't redirected to the Microsoft 365 Lighthouse portal, go to `https://lighthouse.microsoft.com/`.
+1. If you aren't redirected to the Microsoft 365 Lighthouse portal, go to <a href="https://lighthouse.microsoft.com" target="_blank">https://lighthouse.microsoft.com</a>.
1. Select **Agree & Continue** to complete the partner agreement amendment.
description: "For Managed Service Providers (MSPs), learn how to sign up for Mic
## Next steps
-[Configure Microsoft 365 Lighthouse portal security]()
+[Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md)
## Related content
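Review bot: the previously empty link target is now m365-lighthouse-configure-portal-security.md, but that file is not among the files changed in this update set; verify it already exists in the repo so the link validator does not flag the Next steps entry.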
lti Teams Meetings With Canvas https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-meetings-with-canvas.md
As a Canvas Admin, you'll need to add the Microsoft Teams meetings LTI app withi
5. Select **Install**. The Microsoft Teams meetings LTI app will be added to the list of external apps.
+
+## Enable for Canvas Courses
+
+In order to use the LTI within a course, an instructor of the Canvas course must enable the integrations sync. Each course must be enabled by an instructor for a corresponding Teams to be created; there is no global mechanism for Teams creation. This is designed out of caution to prevent unwanted Teams being created.
+
+Please refer your instructors to [educator documentation](https://support.microsoft.com/en-us/topic/use-microsoft-teams-classes-in-your-lms-preview-ac6a1e34-32f7-45e6-b83e-094185a1e78a#ID0EBD=Instructure_Canvas) for enabling the LTI for each course and finishing the integration setup.
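Review bot: in the new "Enable for Canvas Courses" section, "for a corresponding Teams to be created" and "unwanted Teams being created" should use "team" and "teams" (Teams is the product, the object created is a team); "Please refer your instructors to" can drop "Please" per the docs style; and the support.microsoft.com link carries an /en-us/ locale segment that should be removed so the link localizes.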
managed-desktop Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/apps.md
You can also deploy additional non-Microsoft apps to your users for self-service
## Apps provided by Microsoft
-Included with your Microsoft Managed Desktop license are 64-bit versions of the apps in the Microsoft 365 Apps for enterprise Standard Suite (Word, Excel, PowerPoint, Outlook, Publisher, Access, Skype for Business, and OneNote.) Click-to-Run versions of Microsoft Project and Visio are *not* included by default, but you can request them to be added. For more information about these apps, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md).
+Included with your Microsoft Managed Desktop license are 64-bit versions of the apps in the Microsoft 365 Apps for enterprise Standard Suite (Word, Excel, PowerPoint, Outlook, Publisher, Access, Teams, and OneNote.) Click-to-Run versions of Microsoft Project and Visio are *not* included by default, but you can request them to be added. For more information about these apps, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md).
### What Microsoft does to support the apps we provide
managed-desktop Device Images https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-images.md
If you're ordering a device from HP that has been approved as an [exception](cu
- Global: mmd@hp.com ### Lenovo
-When you order devices from Lenovo for use in Microsoft Managed Desktop, you'll need to indicate a specific part number included as part of the order. Contact your Lenovo sales representative or Lenovo Channel Partner and ask them to create a "*special bid model*" with a system that meets our [device requirements](device-requirements.md#minimum-requirements). To include a pre-loaded image compatible with Microsoft Managed Desktop, ask the sales representative to reference "*system building block part number SBB0Q94938 – MMD Enablement*."
-
-The following products are currently enabled for Microsoft Managed Desktop support:
--- L13 Gen 1-- L13 Yoga Gen 1-- L14 Gen 1 (Intel)-- L14 Gen 1 (AMD)-- L15 Gen 1 (Intel)-- L15 Gen 1 (AMD)-- X1 Carbon Gen 8-- X1 Yoga Gen 5-- T14 Gen 1 (Intel)-- T14 Gen 1 (AMD)-- T15 Gen 1-- X13 Gen 1 (Intel)-
+When you order devices from Lenovo for use in Microsoft Managed Desktop, you'll need to indicate a specific part number included as part of the order. Contact your Lenovo sales representative or Lenovo Channel Partner and ask them to create a "*special bid model*" with a system that meets our [device requirements](device-requirements.md#minimum-requirements). To include a pre-loaded image compatible with Microsoft Managed Desktop, ask the sales representative to reference "*system building block part number SBB0Q94938 – MMD Enablement*." Work with your Lenovo sales representative or Lenovo Channel Partner for recommended services, support, and imaging services.
### Microsoft All Microsoft devices that meet device requirements come with an image that works with Microsoft Managed Desktop. No other steps are required.
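Review bot: the hunk deletes the list of Lenovo models enabled for Microsoft Managed Desktop and replaces it with "Work with your Lenovo sales representative", which leaves readers with no way to check eligibility from the doc itself; if the list was removed because it goes stale, link to where the current list is maintained instead of dropping it silently.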
security Configuration Management Reference Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus.md
localization_priority: Normal
Previously updated : 05/06/2021 Last updated : 07/13/2021 ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)
You can manage and configure Microsoft Defender Antivirus with the following tools:
The following articles provide further information, links, and resources for usi
|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates | |[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters | |[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) |
-|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus |
+|[Manage Microsoft Defender Antivirus with the MpCmdRun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)| Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus |
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
The following steps are required to enable this integration:
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
+- [Offboarding using Group Policy](configure-endpoints-gp.md#offboard-devices-using-group-policy)
+- [Offboard devices using Configuration Manager](configure-endpoints-sccm.md#offboard-devices-using-configuration-manager)
+- [Offboard and monitor devices using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-devices-using-mobile-device-management-tools)
+- [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script)
++ For other Windows server versions, you have two options to offboard Windows servers from the service: - Uninstall the MMA agent
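Review bot: the first new bullet reads "Offboarding using Group Policy" while the other three read "Offboard devices using ..."; make the four items parallel, for example "Offboard devices using Group Policy".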
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
localization_priority: Normal
- next-gen - edr Previously updated : 06/11/2021 Last updated : 07/13/2021 - m365-security-compliance - m365initiative-defender-endpoint
ms.technology: mde
## What is EDR in block mode?
-[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.
+[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode remediates malicious artifacts that are detected using EDR. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach, on a device.
-EDR in block mode is also integrated with [threat & vulnerability management](next-gen-threat-and-vuln-mgt.md). Your organization's security team will get a [security recommendation](tvm-security-recommendation.md) to turn EDR in block mode on if it isn't already enabled.
+> [!IMPORTANT]
+> EDR in block mode does not provide all the protection that is available when Microsoft Defender Antivirus real-time protection is enabled. All features that depend on Microsoft Defender Antivirus to be the active antivirus solution will not work, including the following key examples:
+>
+> - Real-time protection, including on-access scanning, is not available when Microsoft Defender Antivirus is in passive mode. To learn more about real-time protection policy settings, see **[Enable and configure Microsoft Defender Antivirus always-on protection](configure-real-time-protection-microsoft-defender-antivirus.md)**.
+> - Features like **[network protection](network-protection.md)** and **[attack surface reduction rules](attack-surface-reduction.md)** are only available when Microsoft Defender Antivirus is running in active mode.
+>
+> It is expected that your non-Microsoft antivirus solution provides these capabilities.
+EDR in block mode is integrated with [threat & vulnerability management](next-gen-threat-and-vuln-mgt.md). Your organization's security team will get a [security recommendation](tvm-security-recommendation.md) to turn EDR in block mode on if it isn't already enabled.
-> [!NOTE]
+
+> [!TIP]
> To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](configure-machines-security-baseline.md)**. ## What happens when something is detected?
The following image shows an instance of unwanted software that was detected and
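Review bot: the rewritten overview says the same thing twice: "EDR in block mode remediates malicious artifacts that are detected using EDR" and, two sentences later, "works behind the scenes to remediate malicious artifacts that are detected, post breach, on a device"; merge these into one sentence. The previous wording also covered malicious "behaviors", which the later FAQ answer on antivirus impact still uses ("blocks and remediates malicious artifacts or behaviors"), so either keep "artifacts or behaviors" in the overview or align the FAQ with the new wording. Separately, the "## What happens when something is detected?" heading is fused onto the end of the TIP callout line; it needs a blank line before it so the callout closes and the heading renders.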
## Enable EDR in block mode
-> [!IMPORTANT]
+> [!TIP]
> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode.
-1. Go to the [Microsoft 365 Defender portal](microsoft-defender-security-center.md) and sign in.
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) and sign in.
-2. Choose **Settings** > **Advanced features**.
+2. Choose **Settings** > **Endpoints** > **General** > **Advanced features**.
-3. Turn on **EDR in block mode**.
+3. Scroll down, and then urn on **Enable EDR in block mode**.
> [!NOTE]
-> EDR in block mode can be turned on only in the Microsoft 365 Defender portal. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.
+> EDR in block mode can be turned on only in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or the former Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). You cannot use registry keys, Microsoft Intune, or Group Policy to enable or disable EDR in block mode.
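Review bot: step 3 of the procedure has a typo, "urn on" should be "turn on". The NOTE now names two portals (security.microsoft.com and the former securitycenter.windows.com) while step 1 names only security.microsoft.com; if the former portal still exposes this setting, say so in step 1 as well, otherwise drop it from the NOTE so the procedure and the NOTE stay consistent.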
## Requirements for EDR in block mode
-|Requirement |Details |
+| Requirement | Details |
|||
-|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](basic-permissions.md). |
-|Operating system |One of the following versions: <br/>- Windows 10 (all releases) <br/>- Windows Server, version 1803 or newer <br/>- Windows Server 2019 <br/>- Windows Server 2016 (only when Microsoft Defender Antivirus is in active mode) |
-|Windows E5 enrollment |Windows E5 is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Microsoft 365 E5 Security Add-on <br/><br/>See [Components](/microsoft-365/enterprise/microsoft-365-overview#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
-|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). |
-|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md). |
-|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
-|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
+| Permissions | You must have the Global Administrator or Security Administrator role assigned in [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). For more information, see [Basic permissions](basic-permissions.md). |
+| Operating system | Devices must be running one of the following versions of Windows: <br/>- Windows 10 (all releases) <br/>- Windows Server, version 1803 or newer <br/>- Windows Server 2019 <br/>- Windows Server 2016 (only when Microsoft Defender Antivirus is in active mode) |
+| Microsoft Defender for Endpoint | Devices must be onboarded to Defender for Endpoint. See [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md). |
+| Microsoft Defender Antivirus | Devices must have Microsoft Defender Antivirus installed and running in either active mode or passive mode. [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). |
+| Cloud-delivered protection | Microsoft Defender Antivirus must be configured such that [cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md). |
+| Microsoft Defender Antivirus platform | Devices must be up to date. To confirm, using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. <p> To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). |
+| Microsoft Defender Antivirus engine | Devices must be up to date. To confirm, using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. <p> To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). |
> [!IMPORTANT]
-> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.
+> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus, but not [indicators](manage-indicators.md) that are defined for Microsoft Defender for Endpoint.
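Review bot: the "Windows E5 enrollment" row (Microsoft 365 E5, or Microsoft 365 E3 with the E5 Security add-on) was removed from the requirements table and nothing in the new table states a licensing requirement; if licensing still applies, keep the row or link to it from the new "Microsoft Defender for Endpoint" row, otherwise the removal should be called out in the change. In the IMPORTANT callout, the added clause "but not [indicators] that are defined for Microsoft Defender for Endpoint" is a significant behavioural caveat and is too terse to act on: state which indicator actions it covers and what the practical effect is for an administrator tuning exclusions, since this is exactly the case where someone will expect an indicator to be honoured. The unchanged table separator line `|||` is also not a valid Markdown header separator; it should be `|---|---|`.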
## Frequently asked questions
-### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?
+### Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?
+
+The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product. However, we recommend keeping EDR in block mode turned on, whether Microsoft Defender Antivirus is running in passive mode or in active mode.
-We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
+- When Microsoft Defender Antivirus is in passive mode, EDR in block mode provides another layer of defense together with Microsoft Defender for Endpoint.
+- When Microsoft Defender Antivirus is in active mode, EDR in block mode does not provide extra scanning, but it does allow Defender for Endpoint to take automatic actions on post-breach, behavioral EDR detections.
-### Will EDR in block mode have any impact on a user's antivirus protection?
+### Will EDR in block mode affect a user's antivirus protection?
-EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except it also blocks and remediates malicious artifacts or behaviors that are detected.
+EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except that EDR in block mode also blocks and remediates malicious artifacts or behaviors that are detected.
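Review bot: in the first FAQ answer, the passive-mode bullet ("provides another layer of defense together with Microsoft Defender for Endpoint") does not say what that layer does; reuse the concrete wording from the sentence above it (remediates post-breach detections that the non-Microsoft antivirus product missed) so the two bullets contrast clearly: in passive mode the gain is remediation of missed artifacts, in active mode the gain is only automatic actions on behavioral EDR detections. In the second answer, "works if the primary antivirus solution misses something, or if there is a post-breach detection" reads as two cases although the second is an instance of the first; one clause is enough.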
### Why do I need to keep Microsoft Defender Antivirus up to date? Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](microsoft-defender-endpoint.md) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
-### Why do we need cloud protection on?
+### Why do we need cloud protection (MAPS) on?
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](microsoft-defender-endpoint.md) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
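Review bot: the heading now introduces the abbreviation "(MAPS)" but the answer never expands or uses it; expand it on first use (Microsoft Active Protection Service, the name of the Defender Antivirus cloud protection service) or drop it from the heading. The answer also says "Cloud protection is needed to turn on the feature on the device" without saying what happens when it is off (for example, whether the portal toggle is accepted but the device never enters EDR block mode); one sentence on the failure case would make the requirement checkable rather than just stated.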
-### How do I set Microsoft Defender Antivirus to passive mode?
+### What is the difference between active and passive mode?
-Depending on operating systems, when devices that are running a non-Microsoft antivirus/antimalware solution are onboarded to Defender for Endpoint, Microsoft Defender Antivirus can go into passive mode automatically. For more information, see [How Microsoft Defender Antivirus affects Defender for Endpoint functionality](microsoft-defender-antivirus-compatibility.md#how-microsoft-defender-antivirus-affects-defender-for-endpoint-functionality).
+For endpoints running Windows 10, Windows Server, version 1803 or later, or Windows Server 2019, when Microsoft Defender Antivirus is in active mode, it is used as the primary antivirus on the device. When running in passive mode, Microsoft Defender Antivirus is not the primary antivirus product. In this case, threats are not remediated by Microsoft Defender Antivirus in real time.
+
+> [!NOTE]
+> Microsoft Defender Antivirus can run in passive mode only when the device is onboarded to Microsoft Defender for Endpoint.
+
+For more information, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
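Review bot: replacing the question "How do I set Microsoft Defender Antivirus to passive mode?" with "What is the difference between active and passive mode?" dropped the only sentence that explained how passive mode is entered (that, depending on the operating system, Defender Antivirus goes into passive mode automatically when a device running a non-Microsoft antivirus solution is onboarded to Defender for Endpoint). Keep that sentence in the new answer, because a reader arriving from the requirements table needs to know how to get into passive mode, not only what it means; it also pairs naturally with the new NOTE that passive mode is only possible when the device is onboarded.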
### How do I confirm Microsoft Defender Antivirus is in active or passive mode? To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows. - |Method |Procedure | |||
-| PowerShell | 1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results. <p>2. Type `Get-MpComputerStatus`. <p>3. In the list of results, in the **AMRunningMode** row, look for one of the following values: <br/>- `Normal` <br/>- `Passive Mode` <br/>- `SxS Passive Mode` <p>To learn more, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus). |
+| PowerShell | 1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results. <p>2. Type `Get-MpComputerStatus`. <p>3. In the list of results, in the **AMRunningMode** row, look for one of the following values: <br/>- `Normal` <br/>- `Passive Mode` <p>To learn more, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus). |
|Command Prompt | 1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results. <p>2. Type `sc query windefend`. <p>3. In the list of results, in the **STATE** row, confirm that the service is running. |
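Review bot: the PowerShell row removes `SxS Passive Mode` from the list of AMRunningMode values but does not add `EDR Block Mode`, which the new FAQ further down says is the value displayed when EDR in block mode is on and Defender Antivirus is in passive mode; list every value the cmdlet can return here (`Normal`, `Passive Mode`, `EDR Block Mode`, and `SxS Passive Mode` if it is still possible) with one phrase on what each means, otherwise a reader doing this check will not recognise `EDR Block Mode` when it appears. The Command Prompt row only confirms that the WinDefend service is running, which does not distinguish active from passive mode; say that explicitly, or drop the row from a procedure whose heading promises to confirm the mode.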
-### How much time does it take for EDR in block mode to be disabled?
+### How do I confirm that EDR in block mode is turned on with Microsoft Defender Antivirus in passive mode?
-If you chose to disable EDR in block mode, it can take up to 30 minutes for the system to disable this capability.
+You can use PowerShell to confirm that EDR in block mode is turned on with Microsoft Defender Antivirus running in passive mode.
+
+1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.
+
+2. Type `Get-MPComputerStatus | select AMRunningMode`.
+
+3. Confirm that the result, `EDR Block Mode`, is displayed.
+
+ > [!TIP]
+ > If Microsoft Defender Antivirus is in active mode, you will see `Normal` instead of `EDR Block Mode`. To learn more, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus).
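Review bot: step 2 writes the cmdlet as `Get-MPComputerStatus` while the rest of the article uses `Get-MpComputerStatus`; PowerShell is case-insensitive, but use one spelling throughout, and prefer the full `Select-Object AMRunningMode` over the `select` alias in documentation. The TIP covers only the active-mode result (`Normal`); add the third case the table above already lists, `Passive Mode`, which is what a reader will see when Defender Antivirus is passive but EDR in block mode is not enabled, so that the procedure distinguishes "setting on" from "setting off" rather than only active from passive antivirus.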
### Is EDR in block mode supported on Windows Server 2016?
If Microsoft Defender Antivirus is running in active mode or passive mode, EDR i
- Windows Server, version 1803 or newer - Windows Server 2019
-If Windows Server 2016 has Microsoft Defender Antivirus running in active mode, and the endpoint is onboarded to Defender for Endpoint, then EDR in block mode is technically supported. However, EDR in block mode is intended to be extra protection when Microsoft Defender Antivirus is not the primary antivirus solution on an endpoint. In those cases, Microsoft Defender Antivirus runs in passive mode. Currently, running Microsoft Defender Antivirus in passive mode is not supported on Windows Server 2016. To learn more, see [Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions](microsoft-defender-antivirus-compatibility.md#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions).
+#### What about Windows Server 2016?
+
+If Windows Server 2016 has Microsoft Defender Antivirus running in active mode, and the endpoint is onboarded to Defender for Endpoint, then EDR in block mode is technically supported. However, EDR in block mode is intended to be extra protection when Microsoft Defender Antivirus is not the primary antivirus solution on an endpoint. In those cases, Microsoft Defender Antivirus runs in passive mode.
+
+Currently, running Microsoft Defender Antivirus in passive mode is not supported on Windows Server 2016. To learn more, see [Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions](microsoft-defender-antivirus-compatibility.md#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions).
+
+### How much time does it take for EDR in block mode to be disabled?
+
+If you choose to disable EDR in block mode, it can take up to 30 minutes for the system to disable this capability.
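Review bot: the new "#### What about Windows Server 2016?" subheading sits directly under "### Is EDR in block mode supported on Windows Server 2016?" and asks the same question, so it adds a heading level without adding structure; drop it and keep the two paragraphs under the H3, or retitle it to what the paragraphs actually answer (for example that passive mode is not supported on Windows Server 2016, so EDR in block mode only applies there with Defender Antivirus in active mode).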
## See also
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> [!IMPORTANT] > On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md).
+## 101.34.27 (20.121052.13427.0)
+
+- Bug fixes
+ ## 101.34.20 (20.121051.13420.0) - [Device control for macOS](mac-device-control-overview.md) is now in general availability
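Review bot: the new 101.34.27 entry says only "Bug fixes"; a release note should name what was fixed, or at least the affected area, so administrators can decide whether to deploy, as the 101.34.20 entry below it does by naming device control. The "## 101.34.20" heading is also fused onto the same line as its first bullet and needs a blank line before and after it to render as a heading.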
security Microsoft 365 Defender Integration With Azure Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-integration-with-azure-sentinel.md
The Microsoft 365 Defender connector for Azure Sentinel (preview) sends all Micr
Once you add the connector, Microsoft 365 Defender incidents&mdash;which include all associated alerts, entities, and relevant information received from Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Cloud App Security&mdash;are streamed to Azure Sentinel as security information and event management (SIEM) data, providing you with context to perform triage and incident response with Azure Sentinel.
-Once in Azure Sentinel, incidents remain bi-directionally synchronized with Microsoft 365 Defender, allowing you to take advantage of the benefits of both the Microsoft 365 security center and Azure Sentinel in the Azure portal for incident investigation and response.
+Once in Azure Sentinel, incidents remain bi-directionally synchronized with Microsoft 365 Defender, allowing you to take advantage of the benefits of both the Microsoft 365 Defender portal and Azure Sentinel in the Azure portal for incident investigation and response.
Watch this short overview of Azure Sentinel integration with Microsoft 365 Defender (4 minutes).
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
For other ways to submit email messages, URLs, and attachments to Microsoft, see
3. Use the **Submit to Microsoft for review** flyout that appears to submit the message, URL, or email attachment as described in the following sections.
+ > [!NOTE]
+ > File and URL submissions are not available in the clouds that do not allow for data to leave the environment. The ability to select File or URL will be greyed out.
+ ### Submit a questionable email to Microsoft 1. In the **Select the submission type** box, verify that **Email** is selected in the drop down list.
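Review bot: "the clouds that do not allow for data to leave the environment" is too vague to act on; name the cloud environments concerned, or link to the page that lists feature availability per cloud, so an admin can tell in advance whether File and URL submission applies to their tenant rather than discovering it from a disabled control. "The ability to select File or URL will be greyed out" describes the symptom; state first that the File and URL submission types are unavailable there and then note that they appear disabled in the **Select the submission type** list.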
security Recover From Ransomware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recover-from-ransomware.md
You can report phishing messages that contain ransomware by using one of several
## Additional ransomware resources
-[Human-operated ransomware overview](/security/compass/human-operated-ransomware)
+Key industry information:
-[Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware)
+- [Human-operated ransomware overview](/security/compass/human-operated-ransomware)
-[The latest Microsoft Security Intelligence Report PDF)](https://www.microsoft.com/securityinsights/) (search for "ransomware")
+- [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware)
-**Ransomware: A pervasive and ongoing threat** report in the **Threat analytics node** of the Microsoft 365 Defender portal
+- [The latest Microsoft Security Intelligence Report](https://www.microsoft.com/securityinsights/) (see pages 22-24)
+
+- **Ransomware: A pervasive and ongoing threat** report in the **Threat analytics node** of the Microsoft 365 Defender portal (see these [licensing requirements](/microsoft-365/security/defender/prerequisites#licensing-requirements))
Microsoft 365 protection:
+- [Malware and ransomware protection](/compliance/assurance/assurance-malware-and-ransomware-protection)
- [Ransomware detection and recovering your files in OneDrive](https://support.microsoft.com/office/0d90ec50-6bfd-40f4-acc7-b8c12c73637f) - [Enable or disable macros in Office files](https://support.microsoft.com/office/12b036fd-d140-4e74-b45e-16fed1a7e5c6) - [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)
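Review bot: "(see pages 22-24)" pins page numbers to "The latest Microsoft Security Intelligence Report", but the link resolves to whichever report is current, so the page reference will go stale the next time the report is reissued; either keep the previous "search for ransomware" hint or name the specific report edition the page numbers refer to. The newly added "Malware and ransomware protection" link under "Microsoft 365 protection:" is fine, but consider adding a few words after each link in that list saying what it covers, as the "Key industry information" entries now do with their parenthetical notes.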