+Defender TI provides proprietary reputation scores for any Host, Domain, or IP Address. Whether validating the reputation of a known or unknown entity, this score helps users quickly understand any detected ties to malicious or suspicious infrastructure. The platform provides quick information about the activity of these entities, such as First and Last Seen timestamps, ASN, country/region, associated infrastructure, and a list of rules that impact the reputation score when applicable.

+17. **WHOIS Country:** Select ΓÇÿWHOISΓÇÖ > ΓÇÿCountryΓÇÖ from the Threat Intelligence Search drop-down and type in ΓÇÿUSΓÇÖ in the Threat Intelligence Search bar. Press Enter or select the right-hand arrow to perform the search. This action results in a WHOIS Country/region search.

+- **Country:** the flag next to the IP Address indicates the country/region of origin for the artifact, which can help determine its reputability or security posture. This IP Address is hosted on infrastructure within the United States.

+- **Country:** any countries/regions listed in an address associated to the record, and the type of contact it is associated with.

+- **Subject Country:** The country/region where the organization is located.

+- **Issuer Country:** The country/region where the issuer organization is located.

+| **Location** | Country/region the IP address is hosted in |

+ Title: "Microsoft 365 admin center Microsoft 365 Copilot usage"

+audience: Admin

+ms.localizationpriority: medium

+- Tier2

+- scotvorg

+- M365-subscription-management

+- Adm_O365

+- Adm_NonTOC

+search.appverid:

+- BCS160

+- MST160

+- MET150

+- MOE150

+description: "Learn how to get the Microsoft 365 Copilot usage report and gain insights into the Microsoft 365 Copilot activity in your organization."

+# Microsoft 365 reports in the admin center ΓÇô Microsoft 365 Copilot usage

+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill into individual product-level reports to give you more granular insight about the activities within each product. Check out the [Reports overview article](activity-reports.md).

+In the **Microsoft 365 Copilot report** (which is in continuous enhancement), you can understand the summary of how users’ adoption, retention, and engagement are with Microsoft 365 Copilot, and the activity of every Microsoft 365 Copilot user in your organization.

+## How do I get to the Microsoft 365 Copilot report?

+1. In the admin center, go to **Reports** > **Usage**.

+2. Select the **Microsoft 365 Copilot** page.

+## Interpret the Microsoft 365 Copilot report

+You can use this report to see the usage of Microsoft 365 Copilot in your organization. You can see the following summary charts in this report:

+**Enabled Users** shows you the number of users enabled to use Microsoft 365 Copilot for the time frame value.

+**Active Users** shows you the number of users who performed an intentional activity, including have either tried a user-initiated Microsoft 365 Copilot feature or kept the content for Microsoft 365 Copilot initiated features, in the product for the time frame value.

+**Current view** shows you the snapshot usage of Microsoft 365 Copilot among Microsoft 365 products of the time frame.

+**Trend view** shows you the daily time trend of Microsoft 365 Copilot of Microsoft 365 products of the time frame.

+You can switch between Current view and Trend view.

+In the hover status, you can see the selected time frame and data refresh time.

+You can also export the report data into an Excel .csv file by selecting the ellipses and then **Export** in the top-right corner.

+Select **Choose columns** to add or remove columns from the table.

+You can also export the report data into an Excel .csv file by selecting the Export link. This exports the Microsoft 365 Copilot usage data of all users and enables you to do simple sorting, filtering, and searching for further analysis.

+The Microsoft 365 Copilot report can be viewed over the last 7 days, 30 days, 90 days, or 180 days.

+To ensure data quality, we perform daily data validation checks for the past three days and will fill any gaps detected. You may notice differences in historical data during the process.

+## User activity table

+| **Item** | **Description** |

+||--|

+| User name | The user's principal name. |

+| Display name | The full name of the user. |

+| Last activity date (UTC (Universal Time Code)) | The latest date the user had activity in Microsoft 365 Copilot among all Microsoft 365 products, including any of the intentional activities. |

+| Last activity date of Word Copilot (UTC) | The latest date the user had activity in Word Copilot, including any of the intentional activities. |

+| Last activity date of Teams Copilot (UTC) | The latest date the user had activity in Microsoft Teams Copilot, including any of the intentional activities. |

+## Make the user-specific data anonymous

+To make the data in the Microsoft 365 Copilot usage report anonymous, you must be a global administrator. This will hide identifiable information (using MD5 hashes) such as display name, email, and Azure Active Directory Object ID in report and their export.

+1. In Microsoft 365 admin center, go to the **Settings** \> **Org Settings**, and under **Services** tab, choose **Reports**.

+2. Select **Reports**, and then choose to **Display anonymous identifiers**. This setting gets applied both to the usage reports in Microsoft 365 admin center and Teams admin center.

+3. Select **Save changes**.

+ **C - Location** Choose a location from a drop-down list of countries/regions.

+> - [Macao SAR](../support/macau-sar.md)

+Regions that have statutory regulations about parental consent include the United States, South Korea, the United Kingdom, and the European Union. For those regions, a minor will be blocked (via Azure Active Directory) from getting any new Office Add-ins from the Store and running add-ins that were previously acquired. For countries/regions without statutory regulations, there will be no download restrictions.

+- Some information you provide or upload to the service may be stored outside of the country/region in which you reside.

+|LocationCountry <br/> |Country/region data represented in Azure Active Directory for this user. <br/> |

+## July 2023

+> [!TIP]

+> **Read all about the exciting, new capabilities releasing in July 2023 in the [Tech Community blog: New SMB security innovations from Microsoft Inspire 2023](https://aka.ms/SMBSecurityJulyBlog)**.

+- **Mobile threat defense is rolling out**. Mobile threat defense includes operating system-level threat and vulnerability management, web protection, and app security. It's not generally available in Defender for Business and Microsoft 365 Business Premium. [Learn more about mobile threat defense](../security/defender-business/mdb-mtd.md).

+- **Automatic attack disruption** is rolling out. During an ongoing attack, automatic attack disruption capabilities swiftly contain compromised devices to help stop lateral movement within the network and minimize the overall impact of the attack. Automatic attack disruption is included in Defender for Business and Microsoft 365 Business Premium. [Learn more about automatic attack disruption](../security/defender/automatic-attack-disruption.md).

+- **Security summary reports** are rolling out. Use these reports to view threats that were prevented by Defender for Business, Microsoft Secure Score status, and recommendations for improving security. See [Reports in Microsoft Defender for Business](../security/defender-business/mdb-reports.md).

+- **Streaming API (preview) is now available for Defender for Business**. For partners or customers looking to build their own security operations center, the Defender for Endpoint streaming API is now in preview for Defender for Business and Microsoft 365 Business Premium. The API supports streaming of device file, registry, network, sign-in events and more to Azure Event Hub, Azure Storage, and Microsoft Sentinel to support advanced hunting and attack detection. See the [Microsoft 365 streaming API guide](../security/defender/streaming-api.md).

+- **Managed detection and response integration with Blackpoint Cyber**. This solution is ideal for customers who donΓÇÖt have the resources to invest in an in-house security operations center and for partners who want to augment their IT team with security experts to investigate, triage, and remediate the alerts generated by Defender for Business and Business Premium. [Learn more bout Blackpoint Cyber](https://aka.ms/BlackpointMSFT).

+- **Customizable security baselines and configuration drift reports in Microsoft 365 Lighthouse**. For Microsoft Managed Service Providers (MSPs), Microsoft 365 Lighthouse includes security baselines to deploy a standardized set of configurations to customersΓÇÖ tenants. Microsoft 365 Lighthouse now lets MSPs customize baselines based on expertise and tailor them to customersΓÇÖ unique needs. [Learn more about Microsoft 365 Lighthouse](../lighthouse/m365-lighthouse-overview.md).

+- **New training resources for Microsoft partners**. To provide step-by-step guidance for partners on how to build services based on critical CIS cybersecurity controls, a Security Managed services kit and a three-part digital training series are now available. See **IT partner resources to help build security services** in the [Tech Community blog: New SMB security innovations from Microsoft Inspire 2023](https://aka.ms/SMBSecurityJulyBlog).

+- [Onboard mobile devices using the Microsoft Defender app](#onboard-mobile-devices-using-the-microsoft-defender-app) (Mobile threat defense capabilities are now generally available!)

+You can now onboard Android and iOS devices using the Microsoft Defender app. With [mobile threat defense capabilities in Defender for Business](../security/defender-business/mdb-mtd.md), users download the Microsoft Defender app from Google Play or the Apple App Store, sign in, and complete onboarding steps.

+For countries/regions where the registration number is mandatory, the label above the text box indicates what type of number is required.

+For countries/regions where the registration number is optional, you can choose to provide a company legal registration number. Don't enter a personal ID in this field.

+Some customers receive Web Direct (Azure and Microsoft 365) invoices billed by a Microsoft entity located in a foreign country/region. If your organization makes cross-border payments to that entity, the Tax Authority in your country/region might require you to withhold part of the cross-border payment as withholding tax (WHT). If you withheld taxes as required by your Tax Authority when remitting payments to Microsoft, this article explains the process for claiming a credit for the tax withheld.

+> As of January 26, 2021, new bank accounts are no longer supported for customers in Belgium, France, Italy, Luxembourg, Portugal, Spain, and the United States. If you're an existing customer in one of those countries/regions, you can continue paying for your subscription with an existing bank account, and you can add new subscriptions to it, but only as long as the bank account is in good standing.

+- Hong Kong Special Administrative Region - Code of Banking Practice and Payment Card

+4. The Microsoft support engineer logs into the Customer Lockbox request tool and makes a data access request that includes the organization's tenant name, service request number, expected start time of access (starts immediately post-approval if not specified), the estimated amount of time the engineer needs access to the data, and the service the request is for.

+ As previously stated, you can perform a search and purge operation on a maximum of 50,000 mailboxes (even if less than 50,000 contain items that match the search query). If you have to do a search and purge operation on more than 50,000 mailboxes, consider creating temporary search permissions filters that reduce the number of mailboxes that would be searched to less than 50,000 mailboxes. For example, if your organization contains mailboxes in different departments, states, or countries/regions, you can create a mailbox search permissions filter based on one of those mailbox properties to search a subset of mailboxes in your organization. After you create the search permissions filter, you would create the search (described in Step 1) and then delete the message (described in Step 3). Then you can edit the filter to search for and purge messages in a different set of mailboxes. For more information about creating search permissions filters, see [Configure permissions filtering for Content Search](ediscovery-permissions-filtering-for-content-search.md).

+- **Financial Services** - Resources elaborating regulatory compliance guidance for FSI (by country/region)

+> At this time, drive shipping to import PST files is not available in Germany and Switzerland. This FAQ will be updated when drive shipping is available in these countries/regions.

+ - For **User** and **Microsoft 365 Group** scopes, use [OPATH filtering syntax](/powershell/exchange/recipient-filters). For example, to create a user scope that defines its membership by department, country/region, and state:

+The format for each country/region is slightly different. The IBAN sensitive information type covers these 68 countries:

+- four digits that correspond to the area code specific to the municipality where the person was born (country/region-wide codes are used for foreign countries/regions)

+**Phone numbers**: Phone numbers can come in many different formats, including or excluding country/region prefixes, area codes, and separators. To reduce the false negatives while keeping load to a minimum, use them only as secondary elements, exclude all likely separators, like parenthesis and dashes and only include in your sensitive data table the part that will be always present in the phone number.

+- The _Tenant_ _Default Geography_ must be one of the countries/regions included in the _Local Region Geography_ (Australia, Brazil, Canada, France, Germany, India, Japan, Poland, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, and United Kingdom).

+ - User location by city and country/region

+ - Network egress location by city, state and country/region

+You can only assign licenses to user accounts that have the **UsageLocation** property set to a valid ISO 3166-1 alpha-2 country code. For example, US for the United States, and FR for France. Some Microsoft 365 services aren't available in certain countries/regions. For more information, see [About license restrictions](https://go.microsoft.com/fwlink/p/?LinkId=691730).

+ **Considerations for a satellite network**: A satellite network is useful when a terrestrial network is not feasible, such as the back country/region, a cruise ship, or a remote scientific area. These networks rely on satellites positioned in a geosynchronous orbit 22,000 miles above the equator. However, a transmission actually travels about 90,000 miles, and so a satellite network has a slower latency (500 ms or more) than a terrestrial network (20 to 50ms). Under the best of conditions, you may not notice this latency, but for downloading large files, streaming videos, and playing games, you probably will. Another issue is "rain fade" in which heavy weather, such as thunderstorms and blizzards, can temporarily interrupt satellite transmission.

+|**UsageLocation** <br/> |No <br/> |This is a valid ISO 3166-1 alpha-2 country code. For example, *US* for the United States, and *FR* for France. It's important to provide this value, because some Microsoft 365 services aren't available in certain countries/regions. You can't assign a license to a user account unless the account has this value configured. For more information, see [About license restrictions](https://go.microsoft.com/fwlink/p/?LinkId=691730).<br/> |

+|**Customers with signup country/region in**|**Request period begins**|**Request deadline**|**Migration Commitment**|

+|**Customers with signup country/region in**|**Original Opt-in: migration commitment date**|**Final Opt-in (above): migration commitment date**|

+### Will Microsoft 365 _Tenants_ hosted in the new datacenters be available to users outside of the country/region?

+Tenant has a sign up country/region included in Local Region Geography, the European Union or the United States.

+1. Tenant has a sign-up country/region included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a sign-up country/region included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a sign up country/region included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a sign up country/region included in _Local Region Geography_, the European Union or the United States.

+1. _Tenant_ has a sign-up country/region included in _Local Region Geography_ or _Expanded Local Region Geography_.

+Teams files are stored in SharePoint Online and Teams chat files are stored in OneDrive for Business. Voicemail, calendar, and contacts are stored in Exchange Online. In many cases, Exchange Online, SharePoint Online, and OneDrive for Business are already used by the customer in the local datacenter _Geography_ and are also part of the Microsoft 365 migration program for eligible customer countries/regions.

+1. _Tenant_ has a sign-up country/region included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a sign-up country/region included in _Local Region Geography_ or _Expanded Local Region Geography_.

+Voicemails are stored in Exchange. Contacts are stored in Exchange-based cloud data store. Exchange and the Exchange-based cloud store already provide data residency in each of the worldwide datacenter geos. For all teams, voicemail and contacts are stored in-country for Australia, Canada, France, Germany, India, Japan, the United Arab Emirates, the United Kingdom, South Africa, South Korea, Switzerland (which includes Liechtenstein), and the United States. For all other countries/regions, files are stored in the US, Europe, or Asia-Pacific location based on tenant affinity.

+Files (including OneNote and Wiki) that somebody shares in a channel are stored in the teamΓÇÖs SharePoint site. Files shared in a private chat or a chat during a meeting or call are uploaded and stored in the OneDrive for work or school account of the user who shares the file. Exchange, SharePoint, and OneDrive already provide data residency in each of the worldwide datacenter geos. So, for existing customers, all files, OneNote notebooks, Teams wiki content, and mailboxes that are part of the Teams experience are already stored in the location based on your tenant affinity. Files are stored in-country for Australia, Canada, France, Germany, India, Japan, the United Arab Emirates, the United Kingdom, South Africa, South Korea, and Switzerland (which includes Liechtenstein). For all other countries/regions, files are stored in the US, Europe, or Asia Pacific location based on tenant affinity.

+- Leverage your existing private network to carry Microsoft 365 network traffic between China office networks and offshore locations that egress on the public Internet outside China. Almost any location outside China will provide a clear benefit. Network administrators can further optimize by egressing in areas with low-latency interconnect with the [Microsoft global network](/azure/networking/microsoft-global-network). Hong Kong Special Administrative Region, Singapore, Japan, and South Korea are examples.

+For customer specific reporting the aggregations are sliced by the customer and by detected network provider and by work location type. They're also sliced by office location for drill-down capability. For the NPI Chart views including Target Baseline metrics are aggregations sliced by network provider and by country/region and state. The NPI Chart data is aggregated from all Office 365 customers.

+For network providers the aggregations are sliced by network provider, by geography (including country/region, state, and city), and by /24 public network.

+The Network Provider Index Chart (NPI Chart) shows aggregated performance and availability for network providers for a given State (or Province) and Country/region. The chart shows the largest network providers in that geography ordered by network performance. The chart also includes a Target Baseline entry, which shows average performance and availability for the best performing five network providers in the geography, excluding network providers with insignificant Office 365 usage.

+The Network Provider Index Chart (NPI Chart) shows in an office location summary and lists large network providers that are being used by Office 365 customers in the same country/region and state as your office. We include availability and performance information attributed to these providers. This chart also shows a target baseline that shows what good performance observed in the same country/region and state looks like.

+Name resolution works best and most quickly when it takes place as close to the client's country/region as possible.

+> 2. You can use *either* [mobile threat defense](mdb-mtd.md) *or* Microsoft Intune to onboard iOS and Android devices. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+Microsoft Defender for Business provides advanced threat protection capabilities for devices, such as Windows and Mac clients. **Defender for Business capabilities now include mobile threat defense**! Mobile threat defense capabilities help protect Android and iOS devices, without requiring you to use Microsoft Intune to onboard mobile devices.

+The following table summarizes the capabilities that are included in mobile threat defense in Defender for Business:

+Mobile threat defense capabilities are now generally available to [Defender for Business](get-defender-business.md) customers. Here's how to get these capabilities for your organization:

+1. Make sure that Defender for Business has finished provisioning. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Assets** > **Devices**.

+2. Review, and if necessary, edit your [next-generation protection policies](mdb-next-generation-protection.md).

+3. Review, and if necessary, edit your [firewall policies and custom rules](mdb-firewall.md).

+4. Review, and if necessary, edit your [web content filtering](mdb-web-content-filtering.md) policy.

+5. To onboard mobile devices, see the "Use the Microsoft Defender app" procedures in [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+ - **Mobile** (new capabilities are available for iOS and Android devices!)

+- [Use the Microsoft Defender app](#use-the-microsoft-defender-app)

+### Use the Microsoft Defender app

+[Mobile threat defense capabilities](mdb-mtd.md) are now generally available to Defender for Business customers. With these capabilities, you can now onboard mobile devices (such as Android and iOS) by using the Microsoft Defender app. With this method, users download the app from Google Play or the Apple App Store, sign in, and complete onboarding steps.

+> 1. Defender for Business has finished provisioning. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Assets** > **Devices**.<br/>- If you see a message that says, "Hang on! We're preparing new spaces for your data and connecting them," it means that Defender for Business hasn't finished provisioning. This process is happening now, and can take up to 24 hours to complete. <br/>- If you see a list of devices, or you're prompted to onboard devices, it means Defender for Business provisioning has completed.

+> 2. Users have downloaded the Microsoft Authenticator app on their device, and have registered their device using their work or school account for Microsoft 365.

+ - [Learn about new mobile threat defense capabilities](mdb-mtd.md).

+> [!TIP]

+> **Read all about exciting, new capabilities releasing in July 2023 in the [Tech Community blog: New SMB security innovations from Microsoft Inspire 2023](https://aka.ms/SMBSecurityJulyBlog)**.

+| Mobile devices | To onboard mobile devices, such as iOS or Android OS, you can use [Mobile threat defense capabilities](mdb-mtd.md) or Microsoft Intune (see note 1 below).<br/><br/>For more details about onboarding devices, including requirements for mobile threat defense, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |

+ Title: Investigate domains and URLs associated with an alert

+# Investigate domains and URLs

+You can investigate a URL or domain by using the search feature, from the incident experience (in evidence tab, or from the alert story), from advanced hunting, from the email page and side panel, or by clicking on the URL or domain link from the **Device timeline**.

+- Incidents and alerts related to this URL or domain

+- Most recent emails containing the URL or domain

+- Most recent clicks to the URL or domain

+The URL worldwide section lists the URL, a link to further details at whois, the number of related open incidents, and the number of active alerts, the number of affected devices, emails, and the number of user clicks observed.

+Microsoft verdict of the URL or domain, a devices prevalence, emails and user clicks section. In this area, you can see the number of devices that communicated with the URL or domain in the last 30 days, and pivot to the first or last event in the device timeline right away. To investigate initial access or if there's still a malicious activity in your environment.

+### Microsoft verdict

+The Prevalence section provides the details on the prevalence of the URL within the organization, over the last 30 days, such and trend chart ΓÇô which shows the number of distinct devices that communicated with the URL or domain over a specific period of time. Below you can find details of the first and last device observations communicated with the URL in the last 30 days, where you can pivot to the device timeline right away, to investigate initial access from the phish link, or if there's still a malicious communication in your environment.

+## Emails

+The Emails tab provides a detailed view of all the emails observed in the last 30 days that contained the URL or domain. This tab includes a trend chart and a customizable table listing email details, such as subject, sender, recipient, and more.

+## Clicks

+The Clicks tab provides a detailed view of all the clicks to the URL or domain observed in the last 30 days.

+2. Enter the URL in the **Search** field. Alternatively, you can navigate to the URL or domain from the **Incident attack story tab**, from the **device timeline**, through **advanced hunting**, or from the **email side panel and page**.

+**

+6. If you disagree with the verdict of a URL or domain, you can report it to Microsoft as *clean*, *phishing*, or *malicious* by selecting **Submit to Microsoft for analysis.

+ Title: Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux

+description: eBPF-based sensor deployment in Microsoft Defender for Endpoint on Linux.

+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, events, ebpf

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier3

+search.appverid: met150

+# Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux

+> [!IMPORTANT]

+> Some information relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+**Applies to:**

+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+The extended Berkeley Packet Filter (eBPF) for Microsoft Defender for Endpoint on Linux provides supplementary event data for Linux operating systems. eBPF can be used as an alternative technology to auditd because eBPF helps address several classes of issues seen with the auditd event provider and is beneficial in the areas of performance and system stability.

+Key benefits include:

+- Reduced system-wide auditd-related log noise

+- Optimized system-wide event rules otherwise causing conflict between applications

+- Reduced overhead for file event (file read/open) monitoring

+- Improved event rate throughput and reduced memory footprint

+- Optimized performance for specific configurations

+## How eBPF works

+With eBPF, events previously obtained from the auditd event provider now flow from the eBPF sensor. This helps with system stability and improving CPU and memory utilization and reduces disk usage. Also, when eBPF is enabled, all auditd-related custom rules are eliminated which help reduce the possibility of conflicts between applications.

+In addition, the eBPF sensor uses capabilities of the Linux kernel without requiring the use of a kernel module that helps increase system stability.

+> [!NOTE]

+> In the preview version eBPF will be used in conjunction with auditd while auditd will be used only for logging data and network protection events and will capture these events without any custom rules and flow them automatically. Be aware that auditd will be removed in future versions.

+## System prerequisites

+The eBPF sensor for Microsoft Defender for Endpoint on Linux is supported on the following minimum distribution and kernel versions:

+| **Linux Distribution** | **Distribution version** | **Kernel version** |

+||--|--|

+| Ubuntu | 16.04 | 4.15.0 |

+| Fedora | 33 | 5.8.15 |

+| CentOS | 7.6 | 3.10.0-957 |

+| SLES | 15 | 5.3.18-18.47 |

+| RHEL | 7.6 | 3.10.0-957 |

+| Debian | 9.0 | 4.19.0 |

+| Oracle Linux | 8.0 | 4.18.0 |

+When the eBPF sensor is enabled on an endpoint, Defender for Endpoint on Linux updates supplementary_event_subsystem to ebpf.

+## Use eBPF

+The eBPF sensor will be automatically turned on and gradually rolled out across all insider machines over the coming days following this publication. You will need Microsoft Defender for Endpoint version 101.23062.0005 or later to experience the most recent improvements using the new sensor.

+If you're running a production build and interested in evaluating the eBPF preview functionality, you can use the following mdatp config command (requires privileges):

+```bash

+sudo mdatp config ebpf-supplementary-event-provider --value [enabled/disabled]

+```

+> [!IMPORTANT]

+> If you disable eBPF, the supplementary event provider switches back to auditd.

+### Troubleshooting and diagnostics

+You can check the agent health status by running the **mdatp** health command. Make sure that the eBPF sensor for Defender for Endpoint on Linux is supported by checking the current kernel version by using the following command line:

+```bash

+uname -a

+``````

+The following two sets of data help analyze potential issues and determine the most effective resolution options.

+1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md)

+2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information)

+> [!NOTE]

+> In the preview version, diagnostic capabilities for top processes consuming eBPF resources and troubleshooting capabilities for configuring eBPF exclusions are not supported. These functionalities will be available in future versions.

+## See also

+- [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md)

+- [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information)

+- The eBPF-based sensor for Microsoft Defender for Endpoint on Linux is available for public preview on all supported Linux devices. For more information, see [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](linux-support-ebpf.md).

+- [Manage endpoint security policies in Defender for Endpoint is now in public preview](manage-security-policies.md) <br> You can now configure security settings directly in Microsoft 365 Defender.

+- A new file page is now available in Defender for Endpoint. The file page now includes information like file details and file content and capabilities. For more information, see [Investigate files](investigate-files.md).

+- Microsoft Defender Antivirus scan response action is supported for macOS and Linux for client version 101.98.84 and above. It is in preview. See [Run Microsoft Defender Antivirus scan on devices](respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-devices).

+- Performance mode for Microsoft Defender Antivirus is now available for public preview. This new capability provides asynchronous scanning on a Dev Drive, and doesn't change the security posture of your system drive or other drives. For more information, see [Protecting Dev Drive using performance mode](microsoft-defender-endpoint-antivirus-performance-mode.md).

+|`Country`|`string`|Two-letter code indicating the country/region where the client IP address is geolocated|

+| `Location` | `string` | City, country/region, or other geographic location associated with the event |

+ Check whether the user received alerts prior to creating the rules. This could indicate that the user account might be compromised. For example, impossible travel alert, infrequent country/region, multiple failed logins, among others.)

+Use this query to check whether the country/region is common for the user by looking at the history of the user.

+- Auto-triage infrequent country/region alerts

+- Country/region where the client IP address is geolocated

+Customers using preview features are now automatically redirected to Microsoft 365 Defender from the classic Microsoft Defender for Cloud Apps portal. Admins can still update the redirect setting to continue using the classic Defender for Cloud Apps portal.

+## July 2023

+- A new URL and domain page is now available in Microsoft 365 Defender. The updated URL and domain page provides a single place to view all the information about a URL or a domain, including its reputation, the users who clicked it, the devices that accessed it, and emails where the URL or domain was seen. For details, see [Investigate URLs in Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/investigate-domain.md).

+In our new taxonomy, a weather event or *family name* represents one of the above categories. In the case of nation-state actors, we have assigned a family name to a country/region of origin tied to attribution, like Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation. For example, Tempest indicates financially motivated actors. Threat actors within the same weather family are given an adjective to distinguish actor groups with distinct tactics, techniques, and procedures (TTPs), infrastructure, objectives, or other identified patterns. For groups in development, where there is a newly discovered, unknown, emerging, or developing cluster of threat activity, we use a temporary designation of Storm and a four-digit number, allowing us to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the operation.

+ - **From these countries***: Select **On** or **Off** from the dropdown list. If you turn it on, a box appears. Start typing the name of a country in the box. A filtered list of supported countries/regions appears. When you find the country that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

+ Title: Usage card in Microsoft Defender for Office 365

+keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, response, remediation, threats, advanced, threat, protection

+f1.keywords:

+- NOCSH

+audience: ITPro

+ms.localizationpriority: medium

+search.appverid:

+- MET150

+- MOE150

+- m365-security

+- tier2

+description: Learn about your organizationΓÇÖs active usage of Microsoft Defender for Office 365 licenses versus the actual number of licenses purchased.

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+# Usage card in Microsoft Defender for Office 365

+In Microsoft Defender for Office 365, the usage card is available to help admins and Security Operations (SecOps) teams understand their organizationΓÇÖs active usage of Defender for Office 365 licenses in comparison to the actual number of licenses purchased.

+> [!NOTE]

+> The usage card is enabled for tenants with at least one paid Defender for Office 365 plan 1 (P1) or Defender for Office 365 plan 2 (P2) license.

+Usage cards can help determine:

+- Active usage of Exchange Online licenses and how many of those are active usage of Microsoft Defender for Office 365.

+- Breakdown of active usage across key P1 and P2 capabilities (P1: protection and detection; P2: SecOps capabilities).

+- Number of active P1 and P2 licenses that are purchased.

+## View the usage card

+The usage card is available in the Microsoft 365 Defender portal at https://security.microsoft.com. Go to **Reports** > **Email & collaboration reports and insights**. YouΓÇÖll find Defender for Office 365 usage under the **Email & collaboration insights** section. Or, to go directly to the **Email & collaboration reports and insights** page, use https://security.microsoft.com/emailandcollabreport.

+In the usage card for the global and billing admins, thereΓÇÖs a **Add more licenses** link at the bottom of the card, which takes you to the billing portal to purchase more licenses for your organization.

+The **See licensing details** option is available only for global and billing admins. For global readers, security admins, SecOps, and security readers, this option isn't available.

+## Understand the usage details

+To learn more about the active user count, license details, and other information, select **Show details** on the usage card. A flyout opens that shows data from the last 28 days.

+The **Details** flyout contains the following information:

+- Number of active users in your organization and P2 licenses.

+- Specific count of active users of Safe Links or Safe Attachments for Office 365.

+- Specific count of active users of Safe Links or Safe Attachments for emails.

+- Specific count of active users of Safe Links for Teams.

+- Number of active users who triggered manual or automated investigation.

+- Number of active users for whom remediation action were triggered.

+- Number of active users targeted by phishing simulation training.

+- Threat protection status report.

+- Add more licenses (admins and SecOps teams only).

+Click **See licensing details** to go to the billing page to purchase more licenses. Or, click **Close** to exit the flyout.

+## Frequently asked questions

+### What are the different types of active users?

+There are three types of active users:

+- **Defender for Office 365 active users**: The distinct user count with active usage of Microsoft Defender for Office 365 P1 and/or P2 licenses over a period of 28 days for a specific paid Microsoft Defender for Office 365 tenant.

+- **Active users**: The distinct user count with active usage of licenses over the past 28 days for a specific paid Microsoft Defender for Office 365 tenant.

+- **Other active users**: Active users without the Microsoft Defender for Office 365 active users.

+### What is the usage count?

+Usage count can be determined by:

+- **Users with Office 365 protection**: Distinct count of active users of Safe Links for Office 365 or Safe Attachments for Office 365.

+- **Users with email protection**: Distinct count of active users of Safe Links for email or Safe Attachments for email.

+- **Users for whom manual and automated investigations were triggered**: Manual investigations triggered from Threat Explorer or auto investigations actions approved or rejected by SecOps in Incidents or in Action center.

+- **Users for whom remediations were triggered**: Manual remediations in Threat Explorer, Email entity, Advanced Hunting, Automation, or Action center.

+- **Users targeted by phishing simulation training**: Users who were targeted as part of simulations over past 28 days.

+### I have Defender for Office 365 P1 or P2 paid license. Why can I not see the usage card?

+If you have at least one Defender for Office 365 P1 or P2 license, but you're still unable to see the card because of one of the following reasons:

+- You don't have the required role to be able to view the card.

+- Your organization had no active usage in the past 28 days.

+### What does Collecting license and usage data status mean?

+If you see **Collecting license and usage data** status in your usage card, it means Microsoft is still collecting your current licensing and usage data. When it's available, you'll be able to see the full usage card and other details.

+### Why does it still show overage even though you don't have any Microsoft Defender for Office 365 P2 license and no usage of SecOps capabilities?

+If you have overage across Microsoft Defender for Office 365 P1 licenses offering protection and detection, you can remediate this overage by purchasing more Microsoft Defender for Office 365 P1 licenses.

+- **Source**: Shows the HTML version of the message body with all links disabled.

+- **Plain text**: Shows the message body in plain text.

+#### Approve or deny release requests from users for quarantined Teams messages

+When a user requests the release of a quarantined Teams message, the **Release status** value changes to **Release requested**, and an admin can approve or deny the request.

+For more information, see [Approve or deny release requests from users](#approve-or-deny-release-requests-from-users-for-quarantined-email).

+# Manage quarantined messages and files as a user

+## Manage quarantined messages in EOP

+### View your quarantined messages

+#### View quarantined message details

+### Take action on quarantined email

+#### Release quarantined email

+#### Request the release of quarantined email

+#### Delete email from quarantine

+#### Preview email from quarantine

+#### View email message headers

+#### Block email senders from quarantine

+#### Take action on multiple quarantined email messages

+## Manage quarantined messages in Microsoft Teams

+When a potentially malicious chat message is detected in Microsoft Teams, zero-hour auto purge (ZAP) removes the message and quarantines it. Users can now view and manage these quarantined Teams messages in the Microsoft 365 Defender portal. Note that end user quarantine notifications are not supported for Teams workload.

+### View your quarantined messages in Microsoft Teams

+In the Microsoft 365 Defender portal at https://security.microsoft.com, go to **Email & collaboration** > **Review** > **Quarantine** > **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>.

+You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default columns are:

+- **Teams message text**: Contains the subject for the teams message.

+- **Date quarantined**: Showed when the message was quarantined.

+- **Status**: Shows whether the message is already reviewed and released or needs review.

+- **Sender**: The person who sent the message that was quarantined.

+- **Quarantine reason**: Available options are "High confidence phish" and "Malware".

+- **Expires**: Indicates the time after which the message is removed from quarantine. By default, this value is 30 days.

+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:

+- **Sender address**

+- **Time received**:

+ - **Last 24 hours**

+ - **Last 7 days**

+ - **Last 14 days**

+ - **Last 30 days** (default)

+ - **Custom**: Enter a **Start time** and **End time** (date).

+- **Expires in**:

+ - **Custom** (default): Enter a **Start time** and **End time** (date).

+ - **Today**

+ - **Next 2 days**

+ - **Next 7 days**

+- **Quarantine reason**: Available values are **Malware** and **High confidence phishing**.

+- **Status**: Select **Needs review** and **Released**.

+When you're finished in the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.

+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific Teams messages. Wildcards aren't supported.

+After you find a specific quarantined Teams message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).

+#### View quarantined message details in Microsoft Teams

+On the **Teams messages** tab, select the quarantined message by clicking anywhere in the row other than the check box.

+In the details flyout that opens, the following information is available:

+- **Quarantine details** section: Includes quarantine reason, expiry date, quarantine policy type, and other information.

+ - **Expires**

+ - **Time received**

+ - **Quarantine reason**

+ - **Release status**

+ - **Policy type**

+- **Message details** section: Includes date and time of the message sent, the sender address, Teams message ID, and the list of recipients.

+ - **Sender address**

+ - **Time received**

+ - **Recipients**

+ - **Teams message ID**

+To take action on the message, see the next section.

+### Take action on quarantined messages in Microsoft Teams

+On the **Teams messages** tab, select the quarantined message by selecting the check box next to the first column. The following options are available:

+- **Request release**: You can request to release the message from quarantine. Your organization's admin needs to approve the release.

+- **Delete**: You can request to delete the message from the list of quarantined messages.

+- **Preview message**: You can view the details of the message you selected.

+Note that if you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the **Expires** column.

+

+# Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365

+Admins can view and manage these quarantined message in the Quarantine view. For more information, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages). Currently, you can't view or manage quarantined Teams messages unless you're an admin.

+### Zero-hour auto purge (ZAP) quarantine policies for Teams

+To protect your Teams chats and channels, go to the Microsoft 365 Defender portal at <https://security.microsoft.com/>, go to **Settings** > **Email & collaboration** > **Microsoft Teams protection**. The Zero-hour auto purge protection is turned on by default. Note that for this release, protection for Teams chats and shared and standard channels are supported.

+Admins can configure quarantine policy options for malware and high-confidence phishing. **AdminOnlyAccessPolicy** is the only quarantine policy available for both malware and high-confidence phishing for this release of the product.

+You can also configure exceptions to the ZAP policy.

+- User exceptions:

+ - You can select one or multiple users.

+ - Once you save the policy, the users in the exception list are exempt from the policy setting.

+ - Exceptions is only honored when all users in the chat are on the exception list.

+- Group exceptions:

+ - You can select one or multiple groups selected.

+ - Once you save the policy, the groups in the exception list are exempt from the policy setting.

+- Domain exceptions:

+ - You can select one or multiple domains.

+ - Once you save the policy, the domain exception list is exempt from the policy setting.

+For more information on creating policies, see [Quarantine policies](quarantine-policies.md). Note that creating custom policies is currently not supported in this release.

+#### Create ZAP quarantine policies in PowerShell

+You can also use PowerShell to create quarantine policies. Connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) or [standalone Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell) and use the `TeamsProtectionPolicy` cmdlet.

+All parameters and values are defined in the following table.

+|Parameter|Desciption|Value|

+||||

+|MalwareQuarantinePolicy|The quarantine policy to be applied for malware.|`AdminOnlyAccessPolicy`|

+|HighConfidencePhishQuarantinePolicy|The quarantine policy applied for High-confidence phish verdicts.|`AdminOnlyAccessPolicy`|

+|ExemptUsers|List of users exempt from ZAP.|`ExceptIfSentTo`|

+|ExemptGroups|List of groups exempt from ZAP.|`ExceptIfSentToMemberOf`|

+|ExemptDomains|List of domains exempt frpm ZAP.|`ExceptIfRecipientDomainIs`|

+ Title: Collaborate with guests in a team (IT Admins)

+# Collaborate with guests in a team (IT Admins)

+1. Log in to Azure Active Directory at [https://entra.microsoft.com/](https://entra.microsoft.com/).

+If you work with guests from multiple organizations, you may want to restrict their ability to access directory data. This prevents them from seeing who else is a guest in the directory. To do this, under **Guest user access restrictions**, select **Guest users have limited access to properties and membership of directory objects settings** or **Guest user access is restricted to properties and memberships of their own directory objects**.

+Teams has an on/off switch for guest access and a variety of settings available to control what guests can do in a team. The **Allow guest access in Teams** setting must be **On** for guest access to work in Teams.

+1. In the left navigation pane, select **Show all**.

+1. Under **Admin centers**, select **Teams**.

+1. In the Teams admin center, in the left navigation pane select **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2173122" target="_blank">**Guest access**</a>.

+1. Ensure that **Guest access** is set to **On**.

+1. Make any desired changes to the additional guest settings, and then select **Save**.

+1. Select **Org settings**.

+1. In the list, select **Microsoft 365 Groups**.

+1. Ensure that the **Let group owners add people outside your organization to Microsoft 365 Groups as guests** and **Let guest group members access group content** check boxes are both checked.

+1. If you made changes, select **Save changes**.

+If you want to allow file and folder sharing with unauthenticated people, choose **Anyone**. If you want to ensure that all guests have to authenticate, choose **New and existing guests**. Choose the most permissive setting that's needed by any site in your organization.

+1. In the SharePoint admin center, in the left navigation pane, expand **Policies** and then select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+1. Ensure that external sharing for SharePoint is set to **Anyone** or **New and existing guests**.

+1. If you made changes, select **Save**.

+The default file and folder link settings determine the link option that's shown to users by default when they share a file or folder. Users can change the link type to one of the other options before sharing, if desired.

+1. Under **File and folder links**, select the default sharing link that you want to use.

+1. If you made changes, select **Save**.

+To set the permission for the sharing link, under **Choose the permission that's selected by default for sharing links.**

+1. Select **View** if you do not want users to make changes to the files and folders.

+1. Select **Edit** if you want to allow users to make changes to the files and folders.

+Optionally, choose an expiration time for *Anyone* links.

+1. In Teams, on the **Teams** tab, select **Join or create a team** (**+**).

+1. Select **Create a team**.

+1. Select **From scratch**.

+1. Choose a sensitivity label if needed.

+1. Choose **Private** or **Public**.

+1. Type a name and description for the team, and then select **Create**.

+1. Select **Skip**.

+1. Select the site for the team that you just created.

+1. On the **Settings** tab, select **More sharing settings**.

+1. Ensure that sharing is set to **Anyone** or **New and existing guests**.

+1. If you made changes, select **Save**.

+ Title: Collaborate with guests in a site (IT Admins)

+# Collaborate with guests in a site (IT Admins)

+1. Log in to Azure Active Directory at [https://entra.microsoft.com/](https://entra.microsoft.com/).

+1. In the left navigation pane, expand **External identities**.

+1. Select **External collaboration settings**.

+1. Ensure that either **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions** or **Anyone in the organization can invite guest users including guests and non-admins** is selected.

+1. If you made changes, select **Save**.

+If you work with guests from multiple organizations, you may want to restrict their ability to access directory data. This prevents them from seeing who else is a guest in the directory. To do this, under **Guest user access restrictions**, select **Guest users have limited access to properties and membership of directory objects settings** or **Guest user access is restricted to properties and memberships of their own directory objects**.

+1. Click **Org settings**.

+1. In the list, click **Microsoft 365 Groups**.

+1. Ensure that the **Let group owners add people outside your organization to Microsoft 365 Groups as guests** and **Let guest group members access group content** check boxes are both checked.

+1. If you made changes, click **Save changes**.

+The organization-level settings determine the settings that are available for individual sites. Site settings cannot be more permissive than the organization-level settings.

+If you want to allow unauthenticated file and folder sharing, choose **Anyone**. If you want to ensure that all people outside your organization have to authenticate, choose **New and existing guests**. Choose the most permissive setting that's needed by any site in your organization.

+1. In the SharePoint admin center, in the left navigation pane, under **Policies**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+1. Ensure that external sharing for SharePoint is set to **Anyone** or **New and existing guests**.

+1. If you made changes, select **Save**.

+1. Select **Create**.

+1. Select **Team site**.

+1. Type a site name and enter a name for the Group owner (site owner).

+1. Under **Advanced settings**, choose if you want this site to be a public or private one.

+1. Select **Next**.

+1. Select **Finish**.

+1. In the SharePoint admin center, in the left navigation pane, expand **Sites** and select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+1. Select the site for the team that you just created.

+1. On the **Settings** tab, select **More sharing settings**.

+1. Ensure that sharing is set to **Anyone** or **New and existing guests**.

+1. If you made changes, select **Save**.

+1. Select **Members** link in the upper right which denotes the member count.

+1. Select **Add members**.

+1. Type the names or email addresses of the users that you want to invite to the site, and then select **Save**.

+ Title: Collaborate with guests on a document (IT Admins)

+# Collaborate with guests on a document (IT Admins)

+1. Log in to Azure Active Directory at [https://entra.microsoft.com/](https://entra.microsoft.com/).

+1. In the left navigation pane, expand **External identities**.

+1. Select **External collaboration settings**.

+1. Ensure that either **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions** or **Anyone in the organization can invite guest users including guests and non-admins** is selected.

+1. If you made changes, select **Save**.

+If you work with guests from multiple organizations, you may want to restrict their ability to access directory data. This prevents them from seeing who else is a guest in the directory. To do this, under **Guest user access restrictions**, select **Guest users have limited access to properties and membership of directory objects settings** or **Guest user access is restricted to properties and memberships of their own directory objects**.

+The organization-level settings for SharePoint determine the settings that are available for individual SharePoint sites. Site settings cannot be more permissive than the organization-level settings. The organization-level setting for OneDrive determines the level of sharing that's available in users' OneDrive libraries.

+For SharePoint and OneDrive, if you want to allow unauthenticated file and folder sharing, choose **Anyone**. If you want to ensure that people outside your organization have to authenticate, choose **New and existing guests**. *Anyone* links are the easiest way to share: people outside your organization can open the link without authentication and are free to pass it on to others.

+For SharePoint, choose the most permissive setting that's needed by any site in your organization.

+1. In the SharePoint admin center, in the left navigation pane, under **Policies**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+1. Ensure that external sharing for SharePoint or OneDrive is set to **Anyone** or **New and existing guests**. (Note that the OneDrive setting cannot be more permissive than the SharePoint setting.)

+1. If you made changes, select **Save**.

+The default file and folder link settings determine the link option that's shown to users by default when they share a file or folder. Users can change the link type to one of the other options before sharing, if desired.

+1. Under **File and folder links**, select the default sharing link that you want to use.

+1. If you made changes, click **Save**.

+1. Select **View** if you do not want users to make changes to the files and folders.

+1. Select **Edit** if you want to allow users to make changes to the files and folders.

+Optionally, choose an expiration time for *Anyone* links.

+1. Select the site for the team that you just created.

+1. On the **Settings** tab, select **More sharing settings**.

+1. Ensure that sharing is set to **Anyone** or **New and existing guests**.

+1. If you made changes, select **Save**.

+ Title: Collaborate with external participants in a shared channel (IT Admins)

+localization_priority: medium

+# Collaborate with external participants in a shared channel (IT Admins)

+- Team owners in your organization can invite people from other organizations to participate in shared channels.

+- Your organization's custom (line of business) apps are available in shared channels and external participants can access them.

+- Your organization's apps list is available in shared channels and external participants can access them.

+> [!NOTE]

+> Shared channels between Commercial and GCC clouds are not supported.

+1. Sign in to [Azure Active Directory](https://entra.microsoft.com/) using a Global administrator or Security administrator account.

+1. In [Azure Active Directory](https://entra.microsoft.com/), select **External Identities**, and then select **Cross-tenant access settings**.

+1. In [Azure Active Directory](https://entra.microsoft.com/), select **External Identities**, and then select **Cross-tenant access settings**.

+[Shared channels limits](/microsoftteams/limits-specifications-teams#limits-for-shared-channels)

+At least 71% of countries/regions have passed or introduced data privacy legislation, according to the United Nations. Chances are good that your organization is based in, or has customers or employees in, regions with data privacy laws. A prominent example of a data privacy law with broad impact is the European Union's [General Data Protection Regulation (GDPR)](/compliance/regulatory/gdpr). Many organizations are subject to multiple regulations that themselves are frequently updated. As the regulatory landscape expands, it's never been more critical for organizations to safeguard personal data while staying on top of changes. Failure to comply with data privacy laws and regulations can result in considerable financial penalties, legal and business repercussions, and erosion of your customers' trust.

+Content understanding in Microsoft Syntex starts with document processing models. Document processing models let you identify and classify documents that are uploaded to SharePoint document libraries, and then to extract the information you need from each file.

+When you create a custom model, you'll select the training method associated with the model type. For example, if you want to create an unstructured document processing model, on the **Options for model creation** page where you create a model, you'll choose the **Teaching method** option. The following table shows the training method associated with each custom model type.

+If you don't need to build a custom model, you can use a [prebuilt document processing model](prebuilt-overview.md) that has already been trained for specific structured documents.