+- must-keep

+Payment instructions depend on your payment method and are provided at the bottom of the invoice PDF. If your payment method is a credit or debit card, we automatically charge the card within 10 days of the invoice date. If your payment method is by electronic payment (wire transfer, SEPA, and so on), see the information under **Payment Instructions** in the PDF.

+If you chose "invoice" as your subscription payment method, page one contains the **Electronic Funds Transfer** section that shows the Microsoft bank account information for electronic payments (wire transfer, SEPA, and so on). Usually, your bank has a reference field that you complete when you send a payment. Make sure that you reference the invoice number in that field.

+If you have a Microsoft Customer Agreement (MCA) billing account type, you can use the <a href="https://go.microsoft.com/fwlink/p/?linkid=2201187" target="_blank">Cost management</a> page in the Microsoft 365 admin center to view, analyze, and manage your service costs. To get to the **Cost management** page, in the admin center left navigation pane, select **Billing** > **Cost management**.

+- [Find out what type of billing account you have](manage-billing-accounts.md#view-my-billing-accounts).

+- You must have a Microsoft Customer Agreement (MCA) billing account type and have any billing account role, or any billing profile role to use the features described in this article. For information about billing account roles, see [What are billing account roles?](manage-billing-accounts.md#what-are-billing-account-roles). For information about billing profile roles, see [What are billing profile roles?](billing-and-payments/manage-billing-profiles.md#what-are-billing-profile-roles)

+You can use cost management features to review your invoiced costs and manage access to billing information. In larger organizations, procurement and finance teams usually conduct billing tasks.

+When you sign up to use a Microsoft 365 for business product, a billing account is automatically created for you. You use your billing account to manage your invoices and payments, and track costs. It's possible for you to have multiple billing accounts. For each legal entity or sold-to address for your organization, you receive a separate billing account.

+The **Cost management** page in the admin center has a default tab with a link to the **Products + Services** smart view where you can see the breakdown of the products and services used during the selected period. The chart on the page breaks down the daily costs for the top services. Use the date picker to look back at historical costs and use different date ranges to compare cost trends.

+Budgets let you monitor your charges and ensure you're aware when you go over specified thresholds. You can create a quick budget where you set a threshold amount that you want to stay under each month. The budget sends you a notification when your costs exceed this threshold. Notifications are only sent to the admin who created the budget. To create a budget, select **create**, enter a threshold amount, then select **Save**.

+To customize the budget, select **Configure advanced settings**. You can give your budget a name and change the threshold amount. You can also set up a monthly, quarterly, or annual budget, and choose the period for which budget notifications are sent.

+## Steps to follow to configure and enable Hybrid Modern Auth

+To enable Hybrid Modern Authentication (HMA), you must ensure that your organization meets all necessary prerequisites. Additionally, you should confirm that your Office client is compatible with Modern Authentication. For more details, refer to the documentation on [How modern authentication works for Office 2013 and Office 2016 client apps](modern-auth-for-office-2013-and-2016.md).

+1. Make sure you [meet the prerequisites](#exchange-server-specific-prerequisites) before you begin.

+2. [Add on-premises web service URLs to Microsoft Entra ID](#add-on-premises-web-service-urls-as-spns-in-microsoft-entra-id). The URLs must be added as `Service Principal Names (SPNs)`. In case that your Exchange Server setup is in hybrid with **multiple tenants**, these on-premises web service URLs must be added as SPNs in the Microsoft Entra ID of all the tenants, which are in hybrid with Exchange Server on-premises.

+3. [Ensure that all virtual directories are enabled for HMA](#verify-virtual-directories-are-properly-configured). If you want to configure [Hybrid Modern Authentication for Outlook on the Web (OWA) and Exchange Control Panel (ECP)](#enable-hybrid-modern-authentication-for-owa-and-ecp), it's important to also verify the respective directories.

+4. [Check for the EvoSTS Auth Server object](#confirm-the-evosts-auth-server-object-is-present).

+5. Ensure that the [Exchange Server OAuth certificate](/exchange/plan-and-deploy/integration-with-sharepoint-and-skype/maintain-oauth-certificate) is valid. The [MonitorExchangeAuthCertificate script](https://aka.ms/MonitorExchangeAuthCertificate) script can be utilized to verify the validity of the OAuth certificate. In the event of its expiration, the script assists in the renewal process.

+6. Ensure that all user identities are synchronized with Microsoft Entra ID, especially all accounts, which are used for administration. Otherwise, the login stops working until they're synchronized. Accounts, such as the built-in Administrator, will never be synchronized with Microsoft Entra ID and, therefore, can't be used on any OAuth login once HMA has been enabled. This behavior is due to the `isCriticalSystemObject` attribute, which is set to `True` for some accounts including the default administrator.

+7. (Optional) If you want to use the Outlook for iOS and Android client, make sure to [allow the AutoDetect service to connect to your Exchange Server](#using-hybrid-modern-authentication-with-outlook-for-ios-and-android).

+8. [Enable HMA in Exchange on-premises](#enable-hma).

+<a name='add-on-premises-web-service-urls-as-spns-in-azure-ad'></a>

+ $x.ServicePrincipalNames += "https://mail.corp.contoso.com/"

+ $x.ServicePrincipalNames += "https://owa.contoso.com/"

+ Update-MgServicePrincipal -ServicePrincipalId $x.Id -ServicePrincipalNames $x.ServicePrincipalNames

+4. Specify your `OWA` and `ECP` URLs and update your application with the reply URLs:

+ $servicePrincipal.ReplyUrls += "https://YourDomain.contoso.com/owa"

+ $servicePrincipal.ReplyUrls += "https://YourDomain.contoso.com/ecp"

+5. Verify that the reply URLs have been added successfully:

+6. To enable Exchange Server on-premises ability to perform Hybrid Modern Authentication, follow the steps outlined in the [Enable HMA](#enable-hma) section.

+7. (Optional) Only required if [Download Domains](/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-download-domains) are used:

+### **Move a SharePoint site or SharePoint Embedded container site**

+#### **Move a SharePoint site or SharePoint Embedded container site to a different _Geography_ location**

+With SharePoint site _Geography_ move, you can move SharePoint sites and SharePoint Embedded container sites to other _Geography_ locations within your Multi-Geo environment.

+- SharePoint Embedded container sites (excluding those where the owner is a group)

+#### **Start a SharePoint site _Geography_ move for a site with no associated Microsoft 365 group or a SharePoint Embedded container site**

+This capability to rename the site as part of the move is not applicable for SharePoint Embedded container sites.

+To get the SourceSiteUrl for a SharePoint Embedded container site, you must use the SharePoint Embedded admin cmdlets. You can use the `Get-SPOContainer` PowerShell cmdlet and pass the container ID as the `-Identity` parameter to determine the site URL of a specific container.

+If the SharePoint Embedded container site is owned by an individual user, the container site can only be moved to the geography matching the Preferred Data Location (PDL) of the user.

+And to start the site move while also renaming the site (excluding SharePoint Embedded container sites), run:

+- [Get-SPOSiteContentMoveState](/powershell/module/sharepoint-online/get-spositecontentmovestate) (non-Group-connected sites and SharePoint Embedded container sites)

+|VMware Workspace ONE Launcher |If youΓÇÖre using VMware, the Workspace ONE Launcher is a tool to curate a set of apps that your frontline needs to access. VMware Workspace ONE Launcher doesnΓÇÖt currently support shared device mode. [Learn more](https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2306/Launcher_Publication/GUID-AWLAUNCHERINTRO.html).|

+|Conditional Access |**[Conditional Access](/sharepoint/control-access-from-unmanaged-devices)** is supported.|**[Conditional Access](/sharepoint/control-access-from-unmanaged-devices)** supported.|

+|Multi-Geo |**[Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo)** capabilities are supported, including creation of .loop files in a user's OneDrive in the geo that matches the user's [preferred data location](/microsoft-365/enterprise/plan-for-multi-geo#best-practices) and ability to move the user's OneDrive when their preferred data location changes.|**[Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo)** capabilities for Loop workspaces are supported using the [same mechanism as SPO sites](/powershell/module/sharepoint-online/start-spositecontentmove), including rehome. Manage the location of shared Loop workspaces like you would other collaboration artifacts, like SharePoint sites or Teams channels. <br><br>**Not Yet Available**: <br>Loop does not create user-owned workspaces. All workspaces are created as tenant-owned, in the tenant default geo.|

+|User leaves organization |When a user leaves an organization, [OneDrive retention policies](/sharepoint/retention-and-deletion) apply to the .loop files in their OneDrive just as they do to other content created by the user. See [Loop storage](#loop-storage) for more information.|Manage the lifetime of shared Loop workspaces like you would other collaboration artifacts, like SharePoint sites or Teams channels. <br><br>**Not Yet Available**: <br>Loop does not create user-owned workspaces. All workspaces are created as tenant-owned.|

+- All Loop workspaces are created as tenant-owned, in the tenant default geo. Loop does not create **user-owned workspace types**, so when an employee leaves the organization, their non-shared Loop workspaces such as Ideas become ownerless, remain in the tenant and are not automatically deleted.

+Intune provides a list of all the app licenses your tenant currently has in use. You can see the license name, the total number of licenses, the available licenses left to use, and the current licenses in use. When you view this list, you can also sync your volume purchased (VPP) licenses to be certain the list is up-to-date. For related information, see [Monitor app information and assignments with Microsoft Intune](/mem/intune/apps/apps-monitor).