Updates from: 07/21/2021 03:09:48
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee Step 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-1.md
- TRN_M365B - OKR_SMB_Videos - AdminSurgePortfolio
+- m365solution-removeemployee
search.appverid: - BCS160 - MET150
If you have email as part of your Microsoft 365 subscription, sign in to the Exc
2. In the Exchange admin center, navigate to **Recipients** \> **Mailboxes**. 3. Double-click the user and go to **Manage email apps settings** under **Email apps**. Turn **Off** the slider for all the options; **Mobile (Exchange ActiveSync)**, **Outlook on the web**, **Outlook desktop (MAPI)**, **Exchange web services**, **POP3**, and **IMAP**. 4. Select **Save**.+
+## Related content
+
+[Exchange admin center in Exchange Online](/exchange/exchange-admin-center)
+[Restore a user](restore-user.md)
admin Remove Former Employee Step 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-2.md
- TRN_M365B - OKR_SMB_Videos - AdminSurgePortfolio
+- m365solution-removeemployee
search.appverid: - BCS160 - MET150
description: "Learn how to save the content of a former employee's mailbox."
# Step 2 - Save the contents of a former employee's mailbox
+In this step, place a Litigation Hold or In-place Hold on the user or export their Outlook data to a .pst file.
+
+## Place hold or export user's data to a .pst file
+ Once you've blocked a user from being able to log into your organization you can save the contents of their mailbox. There are two ways you can save the contents of the former employee's mailbox. 1. Place a Litigation Hold or In-Place Hold on the mailbox before the deleting the user account. This is much more complicated than the second option but worth doing if: your Enterprise plan includes archiving and legal hold, litigation is a possibility, and you have a technically strong IT department.
Once you've blocked a user from being able to log into your organization you can
**OR** 2. Add the former employee's email address to your version of Outlook on Desktop, and then export the data to a .pst file. You can import the data to another email account as needed. Check out [Step 6 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-6.md).+
+## Related content
+
+[Exchange admin center in Exchange Online](/exchange/exchange-admin-center)
+[Restore a user](restore-user.md)
admin Remove Former Employee Step 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-3.md
- TRN_M365B - OKR_SMB_Videos - AdminSurgePortfolio
+- m365solution-removeemployee
search.appverid: - BCS160 - MET150
Follow these steps on how to [convert the user's mailbox to a shared mailbox](..
4. Turn on **Forward all email sent to this mailbox**. In the **Forwarding address** box, type the email address of the current employee who's going to get the email. 5. Select **Save**. 6. Remember, don't delete the former employee's account.+
+## Related content
+
+[Open and use a shared mailbox in Outlook](https://support.microsoft.com/office/open-and-use-a-shared-mailbox-in-outlook-d94a8e9e-21f1-4240-808b-de9c9c088afd)
+[Access another person's mailbox](https://support.microsoft.com/office/access-another-person-s-mailbox-a909ad30-e413-40b5-a487-0ea70b763081)
+[Exchange admin center in Exchange Online](/exchange/exchange-admin-center)
+[Manager another person's mail and calendar items](https://support.microsoft.com/office/manage-another-person-s-mail-and-calendar-items-afb79d6b-2967-43b9-a944-a6b953190af5)
admin Remove Former Employee Step 4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-4.md
- OKR_SMB_Videos - AdminSurgePortfolio - AdminTemplateSet
+- m365solution-removeemployee
search.appverid: - BCS160 - MET150
To give access to the email messages, calendar, tasks, and contacts of the forme
## Related content
-[Add and remove admins on a OneDrive account](/sharepoint/manage-user-profiles#add-and-remove-admins-for-a-users-onedrive) (article)\
-[Restore a deleted OneDrive](/onedrive/restore-deleted-onedrive) (article)\
+[Add and remove admins on a OneDrive account](/sharepoint/manage-user-profiles#add-and-remove-admins-for-a-users-onedrive) (article)
+[Restore a deleted OneDrive](/onedrive/restore-deleted-onedrive) (article)
[OneDrive retention and deletion](/onedrive/retention-and-deletion) (article)
+[Share OneDrive files and folders](https://support.microsoft.com/office/share-onedrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07)
admin Remove Former Employee Step 5 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-5.md
- TRN_M365B - OKR_SMB_Videos - AdminSurgePortfolio
+- m365solution-removeemployee
search.appverid: - BCS160 - MET150
If your former employee had an organization phone, you can use the Exchange admi
5. Select **Save**. > [!TIP] > Be sure you remove or disable the user from your on-premises Blackberry Enterprise Service. You should also disable any Blackberry devices for the user. Refer to the Blackberry Business Cloud Services Administration Guide if you need specific steps on how to disable the user.+
+## Related content
+
+[Exchange admin center in Exchange Online](/exchange/exchange-admin-center)
admin Remove Former Employee Step 6 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-6.md
- TRN_M365B - OKR_SMB_Videos - AdminSurgePortfolio
+- m365solution-removeemployee
search.appverid: - BCS160 - MET150
admin Remove Former Employee Step 7 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-7.md
- TRN_M365B - OKR_SMB_Videos - AdminSurgePortfolio
+- m365solution-removeemployee
search.appverid: - BCS160 - MET150
admin Remove Former Employee https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee.md
- OKR_SMB_Videos - AdminSurgePortfolio - AdminTemplateSet
+- m365solution-removeemployee
search.appverid: - BCS160 - MET150
admin Use Qr Code Download Outlook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/use-qr-code-download-outlook.md
As the Microsoft 365 administrator, you can enable your users to sign in to Outl
In Outlook on the web or other desktop Outlook applications, users may see notifications informing them that they can use Outlook on their mobile device. These notifications can be managed by the administrator using Exchange Powershell. If users choose to send themselves an SMS text message to download the app on their mobile device, a QR code will appear on their computer. They will be able to scan the QR code to log into Outlook on their phone or tablet. This QR code is a short lived token that can only be redeemed once.
+The notification is only generated if the following conditions are met:
+
+1. The QR code experience is enabled for the tenant (this experience is enabled by default).
+
+2. The user is not already using Outlook for iOS and Android.
+
+3. The user has an empty state at reading pane (does not select the option of auto opening the first email).
+
+4. The user did not dismiss the notification.
+ > [!NOTE] > In some cases, your users must re-authenticate on their computer to generate the QR code.
compliance Advanced Ediscovery Large Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/advanced-ediscovery-large-cases.md
search.appverid:
description: "Use large cases in Advanced eDiscovery so you can add more items to review sets and take advantage of other increased limits."
-# Use large cases in Advanced eDiscovery
+# Use large cases in Advanced eDiscovery (preview)
More organizations are using the Advanced eDiscovery solution in Microsoft 365 for critical eDiscovery processes. This includes responding to regulatory requests, investigations, and litigation. As usage of Advanced eDiscovery increases, a common customer requirement is to expand the total amount of content that can be managed in a single Advanced eDiscovery case. To help accommodate significant increases in case size, both for total data volume and the total number of items, you can now choose a large case format when you create an Advanced eDiscovery case.
compliance Archive Data From Celltrustsl2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-data-from-celltrustsl2.md
description: "Learn how to set up and use a CellTrust SL2 data connector to impo
# Archive data from CellTrust SL2 to Microsoft 365
-CellTrust SL2 captures mobile communications data and integrates with the leading archiving technologies to meet the electronic discovery requirements for regulations such as FINRA, HIPAA, FOIA, and TCPA. The SL2 Data Connector imports mobile communication items to Microsoft 365. This article describes the process for integrating SL2 with Microsoft 365 by using the CellTrust SL2 Data Connector for archiving. Completing this process assumes that you have subscribed to CellTrust SL2 service and are familiar with the SL2 architecture. For information about SL2, see <www.celltrust.com>.
+CellTrust SL2 captures mobile communications data and integrates with the leading archiving technologies to meet the electronic discovery requirements for regulations such as FINRA, HIPAA, FOIA, and TCPA. The SL2 Data Connector imports mobile communication items to Microsoft 365. This article describes the process for integrating SL2 with Microsoft 365 by using the CellTrust SL2 Data Connector for archiving. Completing this process assumes that you have subscribed to CellTrust SL2 service and are familiar with the SL2 architecture. For information about CellTrust SL2, see <https://www.celltrust.com>.
After data is imported to user mailboxes in Microsoft 365, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, Microsoft 365 retention policies, and communication compliance. Using the CellTrust SL2 Data Connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
CellTrust's SL2 platform captures communication data from multiple sources. SL2
![Archiving workflow for CellTrust SL2 service](../media/CellTrustSL2ConnectorWorkflow.png)
-1. SL2 users send and receive data to and from SL2 services in the Microsoft Azure cloud.
+1. SL2 users send and receive data to and from SL2 services in Microsoft Azure.
2. Your organization has an SL2 domain in CellTrust's SL2 Cloud Service environment. Your domain may have one or more organizational units (OUs). The SL2 Cloud Service transfers your data to a highly secure area in the Microsoft Azure platform, so that your data never leaves the Microsoft Azure environment. Depending on your SL2 plan (Enterprise, SMB, or Government), your domain is either hosted on Microsoft Azure Global or Microsoft Azure Government.
compliance Sit Edm Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-edm-wizard.md
[Creating a custom sensitive information type with Exact Data Match (EDM) based classification](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) involves many steps. You can use this wizard to create your schema and sensitive information type (SIT) pattern (rule package) files to help simplify the process.
-> [!NOTE]
-> The Exact Data Match Schema and Sensitive Information Type Wizard is only available for the World Wide and GCC clouds only.
- This wizard can be used instead of the: - [Define the schema for your database of sensitive information](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md#define-the-schema-for-your-database-of-sensitive-information)
compliance Teams Workflow In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/teams-workflow-in-advanced-ediscovery.md
description: "Learn how to preserve, collect, review, and export content from Microsoft Teams in Advanced eDiscovery."
-# Advanced eDiscovery workflow for content in Microsoft Teams using large cases
+# Advanced eDiscovery workflow for content in Microsoft Teams using large cases (preview)
This article provides a comprehensive set of procedures, guidelines, and best practices for using Advanced eDiscovery to preserve, collect, review, and export content from Microsoft Teams. The goal of this article is to help you optimize your eDiscovery workflow for Teams content.
contentunderstanding Create A Classifier https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/create-a-classifier.md
Title: "Create a classifier"--
+ Title: Create a classifier in Microsoft SharePoint Syntex
++ + audience: admin ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn how to create a classifier"
+description: Learn how to create a classifier in Microsoft SharePoint Syntex.
# Create a classifier in Microsoft SharePoint Syntex
description: "Learn how to create a classifier"
</br>
-A classifier is a type of model that you can use to automate identification and classification of a document type. For example, you may want to identify all *Contract Renewal* documents that are added to your document library, such as is shown in the following illustration.
+A classifier is a type of model that you can use to automate identification and classification of a document type. For example, you might want to identify all *Contract Renewal* documents that are added to your document library, such as is shown in the following illustration.
![Contract Renewal document](../media/content-understanding/contract-renewal.png)
The first step to create your model is to give it a name:
2. In the **New document understanding model** pane, in the **Name** field type the name of the model. For example, if you want to identify contract renewal documents, you could name the model *Contract Renewal*. 3. Choose **Create**. This creates a home page for the model.</br>
- ![Classifier model home page](../media/content-understanding/model-home.png)
+ ![Classifier model home page.](../media/content-understanding/model-home.png)
When you create a model, you are also creating a new site content type. A content type represents a category of documents that have common characteristics and share a collection of columns or metadata properties for that particular content. SharePoint content types are managed through the [Content types gallery](https://support.microsoft.com/office/create-or-customize-a-site-content-type-27eb6551-9867-4201-a819-620c5658a60f). For this example, when you create the model, you are creating a new *Contract Renewal* content type. Select **Advanced settings** if you want to map this model to an existing enterprise content type in the SharePoint Content types gallery to use its schema. Enterprise content types are stored in the Content Type Hub in the SharePoint admin center and are syndicated to all sites in the tenant. Note that while you can use an existing content type to leverage its schema to help with identification and classification, you still need to train your model to extract information from files it identifies.</br>
-![Advanced settings](../media/content-understanding/advanced-settings.png)
+![Advanced settings.](../media/content-understanding/advanced-settings.png)
## Add your example files
To add example files:
2. On the **Select example files for your model** page, select your example files from the Training files library in the content center. If you had not already uploaded them there, choose to upload them now by clicking **Upload** to copy them to the Training files library. 3. After selecting your example files to use to train the model, click **Add**.
- ![Select example files](../media/content-understanding/select-sample.png)
+ ![Select example files.](../media/content-understanding/select-sample.png)
## Label your example files
After adding your example files, you need to label them as either positive or ne
2. In the viewer on the top of the first example file, you should see text asking if the file is an example of the model you just created. If it is a positive example, select **Yes**. If it is a negative example, select **No**. 3. From the **Labeled examples** list on the left, select additional files that you want to use as examples, and label them.
- ![Classifier home page](../media/content-understanding/classifier-home-page.png)
+ ![Classifier home page.](../media/content-understanding/classifier-home-page.png)
> [!NOTE]
To create an explanation:
c. In the **Type here** box, type the string. For the sample, add "Request for additional disclosure". You can select **Case sensitive** if the string needs to be case sensitive.</br> d. Click **Save**.
- ![Create explanation](../media/content-understanding/explanation.png)
+ ![Create explanation.](../media/content-understanding/explanation.png)
-5. The Content Center now checks to see if the explanation you created is complete enough to identify the remaining labeled example files correctly, as positive and negative examples. In the Trained Files section, check the **Evaluation** column after the training has completed to see the results. The files show a value of **Match**, if the explanations you created was enough to match what you labeled as positive or negative.
+5. The content center now checks to see if the explanation you created is complete enough to identify the remaining labeled example files correctly, as positive and negative examples. In the **Trained files** section, check the **Evaluation** column after the training has completed to see the results. The files show a value of **Match**, if the explanations you created was enough to match what you labeled as positive or negative.
- ![Match value](../media/content-understanding/match.png)
+ ![Match value.](../media/content-understanding/match.png)
-If you receive a **Mismatch** on the labeled files, you may need to create an additional explanation to provide the model more information to identify the document type. If this happens, click on the file to get more information about why the mismatch occurred.
+ If you receive a **Mismatch** on the labeled files, you might need to create an additional explanation to provide the model more information to identify the document type. If this happens, click on the file to get more information about why the mismatch occurred.
+
+Once you've trained an extractor, that trained extractor can be used as an explanation. In the **Explanations** section, this is shown as a **Model reference**.
+
+![Screenshot of the Explanations section showing the type Model reference.](../media/content-understanding/explanations-model-reference.png)
## Test your model
-If you received a match on your labeled sample files, you can now test your model on your remaining unlabeled example files that the model has not seen before. This is optional, but a useful step to evaluate the ΓÇ£fitnessΓÇ¥ or readiness of the model before using it, by testing it on files the model hasnΓÇÖt seen before.
+If you received a match on your labeled sample files, you can now test your model on your remaining unlabeled example files that the model has not seen before. This is optional, but a useful step to evaluate the ΓÇ£fitnessΓÇ¥ or readiness of the model before using it, by testing it on files the model hasnΓÇÖt seen before.
-1. From the model home page, select the **Test** tab. This runs the model on your unlabeled sample files.
+1. From the model home page, select the **Test** tab. This runs the model on your unlabeled sample files.
2. In the **Test files** list, your example files display and shows if the model predicted them to be positive or negative. Use this information to help determine the effectiveness of your classifier in identifying your documents. ![Test of unlabeled files](../media/content-understanding/test-on-files.png)
contentunderstanding Create A Content Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/create-a-content-center.md
Title: "Create a content center in Microsoft SharePoint Syntex"--
+ Title: Create a content center in Microsoft SharePoint Syntex
++ + audience: admin ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn how to create a content center."
+description: Learn how to create a content center in Microsoft SharePoint Syntex.
# Create a content center in Microsoft SharePoint Syntex
description: "Learn how to create a content center."
</br>
-To create and manage document understanding models, you first need a content center. The content center is the model creation interface and also contains information about which document libraries published models have been applied to.</br>
+To create and manage document understanding models, you first need a content center. The content center is the model creation interface and also contains information about which document libraries published models have been applied to.
- ![Select a doc library](../media/content-understanding/content-center-page.png)</br>
+ ![Select a doc library.](../media/content-understanding/content-center-page.png)
-You create a default content center during [setup](set-up-content-understanding.md). But a SharePoint admin can also choose to create additional centers as needed. While a single content center may be fine for environments for which you want a roll-up of all model activity, you may want to have additional centers for multiple departments within your organization, which may have different needs and permission requirements for their models.
+You create a default content center during [setup](set-up-content-understanding.md). But a SharePoint admin can also choose to create additional centers as needed. While a single content center may be fine for environments for which you want a roll-up of all model activity, you may want to have additional centers for multiple departments within your organization, which might have different needs and permission requirements for their models.
> [!NOTE] > In a [Microsoft 365 Multi-Geo environment](../enterprise/microsoft-365-multi-geo.md), if you have a single default content center in your central location, you can only provide a roll-up of model activity from within that location. You currently cannot get a roll-up of model activity across farm-boundaries in Multi-Geo environment. - ## Create a content center A SharePoint admin can create a content center site like they would [create any other SharePoint site](/sharepoint/create-site-collection) through the admin center site provisioning panel.
To create a new content center:
5. For the new site, provide a **Site Name**, **Primary administrator**, and a **Language**.</br> > [!NOTE]
- > You can select a content center site to render in any of the available languages, but note that currently models can only be created for English files. Also note that like other site templates, the default site language isn't editable after the site is created.</br>
+ > You can select a content center site to render in any of the available languages, but note that currently models can only be created for English files. Also note that like other site templates, the default site language isn't editable after the site is created.
6. Select **Finished**.
After you create a content center site, you will see it listed on the **Active s
After you create the site, you can give additional users access to the site through the standard [SharePoint site permissions model](/sharepoint/modern-experience-sharing-permissions).
+### Roll up of models in the default content center
+
+In SharePoint Syntex, the first content center created during setup is the *default content center*. If subsequent content centers are created, their models are shown in the default content center view.
+
+![Screenshot of the Model library in the default content center.](../media/content-understanding/model-library-default-content-center.png)
+
+The **Models** library in the default content center view groups the created models by content center for a summary view of all document understanding models and form processing models that have been created.
+
+> [!NOTE]
+> You can't change the designated default content center. It's always the first content center created during setup.
+ ## See Also [Create a classifier](create-a-classifier.md)
contentunderstanding Difference Between Document Understanding And Form Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/difference-between-document-understanding-and-form-processing-model.md
Title: "Difference between document understanding and form processing models"
+ Title: Difference between document understanding and form processing models
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Describes key difference between document understanding and form processing models"
+description: Learn about key difference between document understanding and form processing models.
# Difference between document understanding and form processing models
Form processing models are created in PowerApps [AI Builder](/ai-builder/overvie
When you create a document understanding model, you create a new [SharePoint content type](https://support.microsoft.com/office/use-content-types-to-manage-content-consistently-on-a-site-48512bcb-6527-480b-b096-c03b7ec1d978) that is saved to the SharePoint Content Types gallery. Or you can use existing content types to define your model if needed.
+Once a content type is created and associated with a model, you can also reference that model from the **Site Content Type** property panel.
+
+![Screenshot of the Site Content Type panel showing the Document understanding model highlighted.](../media/content-understanding/site-content-type-panel.png)
+ Form processing models also create new [SharePoint content types](https://support.microsoft.com/office/use-content-types-to-manage-content-consistently-on-a-site-48512bcb-6527-480b-b096-c03b7ec1d978), and are also stored in the SharePoint Content Types gallery. ## Where they can be applied
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
Read and apply the [ADFS Migration steps](ms-cloud-germany-transition-add-adfs.m
|Step(s)|Description|Impact| ||||
-|Limit SharePoint 2013 workflows, use during the SharePoint Online migration.|Reduce SharePoint 2013 workflows and complete in-flight workflows before transitions.|Inaction may result in user confusion and help desk calls.|
+|Limit SharePoint 2013 workflows, use during the SharePoint Online migration.|Reduce SharePoint 2013 workflows and complete in-flight workflows before transitions.|Inaction may result in user confusion and help desk calls.|
+Export SharePoint search configuration if any modifications have been applied. |The SharePoint search configuration will not be migrated. If any modifications in SharePoint search have been applied, ensure you take note of any changes and export the search configuration. The settings have to be imported again after the SharePoint transition has been completed.|Any custom solutions based on a modified search schema will be unavailable until the search modifications have been re-applied.|
## Exchange Online
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
Additional considerations:
- Microsoft Cloud Deutschland customers whose SharePoint Online instance is not yet migrated need to stay on SharePoint Online PowerShell module/Microsoft.SharePointOnline.CSOM version 16.0.20616.12000 or below. Otherwise, connections to SharePoint Online via PowerShell or the client-side object model will fail. - During this phase, the IP addresses behind the SharePoint URLs will change. After the transition to Office 365 Global services, the addresses for the preserved tenant URLs (for example, `contoso.sharepoint.de` and `contoso-my.sharepoint.de`) will be changed to the [Worldwide Microsoft 365 URLs and IP address ranges (SharePoint Online and OneDrive for Business)](/microsoft-365/enterprise/urls-and-ip-address-ranges#sharepoint-online-and-onedrive-for-business). - While SharePoint and OneDrive services are transitioned, Office Online may not work as expected.
+- If a custom search configuration has been applied, import the search configuration after the transition is finished. The search configuration has to be exported before the transition as described in the [pre-migration steps for SharePoint Online](ms-cloud-germany-transition-add-pre-work.md#sharepoint-online).
> [!NOTE] > In case you are using eDiscovery, make sure you are aware of the [eDiscovery migration experience](ms-cloud-germany-transition-add-scc.md).
enterprise View Service Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-service-health.md
audience: Admin
-localization_priority: Normal
+localization_priority: Priority
f1.keywords: - CSH
managed-desktop Win11 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/win11-overview.md
We'll consult and advise admins to develop and implement migration plans for eac
More than 95% of Microsoft Managed Desktop devices are eligible for Windows 11, so you might want to preview the upgrade on test devices prior to production deployment. For more about Windows 11 system requirements, see [Windows 11 requirements](/windows/whats-new/windows-11-requirements). You can request details about the eligibility status of your devices from Microsoft Managed Desktop.
-For Microsoft Managed Desktop devices, you can request to add test devices to the **\[Modern Workplace\] Windows 11 Pre-Release Test Devices** device group. This group receives Windows 11 preview builds along with a Microsoft Managed Desktop baseline configuration. Microsoft Managed Desktop doesn't manage the release cadence of Windows 11 preview builds, so members of this device group might receive updates more frequently than Windows 10 device groups.
+For Microsoft Managed Desktop devices, you can request to add test devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** device group. This group receives Windows 11 preview builds along with a Microsoft Managed Desktop baseline configuration. Microsoft Managed Desktop doesn't manage the release cadence of Windows 11 preview builds, so members of this device group might receive updates more frequently than Windows 10 device groups.
For your devices that aren't managed by Microsoft Managed Desktop, you can join the [Windows Insider Program](/windows-insider/) to download preview builds and get guidance on deploying Windows 11 yourself. If you have devices running Windows 11 pre-release builds and later enroll them in Microsoft Managed Desktop, they won't revert back to Windows 10.
Application compatibility is one of the most common concerns in any platform mig
### Reactive measures
-If you encounter app compatibility issues in test or production environments, you can get support by engaging [App Assure](/fasttrack/products-and-capabilities) or FastTrack, as appropriate. For Windows 11, this includes any functionality with Office, Microsoft Edge, and Teams applications running on the latest operating system builds. App Assure directly engages app publishers to prioritize and resolve app compatibility issues.
+If you encounter app compatibility issues in test or production environments, you can get support by engaging [App Assure](/fasttrack/products-and-capabilities) or FastTrack, as appropriate. For Windows 11, this includes any functionality with Office, Microsoft Edge, and Teams applications running on the latest operating system builds. App Assure directly engages app publishers to prioritize and resolve app compatibility issues.
managed-desktop Test Win11 Mmd https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd.md
To date, more than 95% of Microsoft Managed Desktop devices meet [eligibility cr
## Add devices to the Windows 11 test group
-Start by adding devices to the device group (**\[Modern Workplace\] Windows 11 Pre-Release Test Devices**) created for testing and evaluating Windows 11. Devices in this group get new Windows 11 builds and Microsoft Managed Desktop baseline configurations as they become available and are monitored for reliability issues.
+Upon request, we will create the device group (**Modern Workplace - Windows 11 Pre-Release Test Devices**) for testing and evaluating Windows 11. Devices in this group get new Windows 11 builds and Microsoft Managed Desktop baseline configurations as they become available, and are monitored for reliability issues.
You can choose any of your existing or new devices for Windows 11 testing, but you shouldn't enroll production devices in this group due to the elevated risk of defects or compatibility issues in pre-release builds. Prior device group assignments are removed upon assignment to this group.
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPN
## What is the amount of traffic being generated by the Standard discovery active probe?
- Active probing can generate up to 5K of traffic between the onboarded device and the probed device, every probing attempt
+ Active probing can generate up to 50Kb of traffic between the onboarded device and the probed device, every probing attempt
## Why is there a discrepancy between "can be onboarded" devices in the device inventory, and the number of "devices to onboard" in the dashboard tile? You may notice differences between the number of listed devices under "can be onboarded" in the device inventory, "onboard to Microsoft Defender for Endpoint" security recommendation, and "devices to onboard" dashboard widget.
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
localization_priority: Normal
- next-gen - edr Previously updated : 07/13/2021 Last updated : 07/20/2021 - m365-security-compliance - m365initiative-defender-endpoint
ms.technology: mde
## What is EDR in block mode?
-[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode remediates malicious artifacts that are detected using EDR. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach, on a device.
+[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product.
> [!IMPORTANT] > EDR in block mode does not provide all the protection that is available when Microsoft Defender Antivirus real-time protection is enabled. All features that depend on Microsoft Defender Antivirus to be the active antivirus solution will not work, including the following key examples:
security Linux Update MDE Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-MDE-Linux.md
CRON_TZ=America/Los_Angeles
> #!RHEL and variants (CentOS and Oracle Linux)
-`06**sun[$(date +\%d) -le 15] sudo yum update mdatp>>~/mdatp_cron_job.log`
+`0 6 * * sun [ $(date +%d) -le 15 ] && sudo yum update mdatp >> ~/mdatp_cron_job.log`
> #!SLES and variants
-`06**sun[$(date +\%d) -le 15] sudo zypper update mdatp>>~/mdatp_cron_job.log`
+`0 6 * * sun [ $(date +%d) -le 15 ] && sudo zypper update mdatp >> ~/mdatp_cron_job.log`
> #!Ubuntu and Debian systems
-`0 6 * * sun [$(date +\%d) -le 15] sudo apt-get install --only-upgrade mdatp>>~/mdatp_cron_job.log`
+`0 6 * * sun [ $(date +%d) -le 15 ] && sudo apt-get install --only-upgrade mdatp >> ~/mdatp_cron_job.log`
> [!NOTE] > In the examples above, we are setting it to 00 minutes, 6 a.m.(hour in 24 hour format), any day of the month, any month, on Sundays.[$(date +\%d) -le 15] == WonΓÇÖt run unless itΓÇÖs equal or less than the 15th day (3rd week). Meaning it will run every 3rd Sundays(7) of the month at 6:00 a.m. Pacific (UTC -8).
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
ms.sitesec: library
ms.pagetype: security
-localization_priority: Normal
+localization_priority: Priority
audience: ITPro
The attack surface reduction set of capabilities provides the first line of defe
<a name="ngp"></a>
-**[Next-generation protection](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**<br>
+**[Next-generation protection](next-generation-protection.md)**<br>
To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. <a name="edr"></a>
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
Linux
## Microsoft Defender for Endpoint on Android Microsoft Defender for Endpoint on Android is our mobile threat defense solution for
-devices running Android 6.0 and higher. Devices that are registered within a customer's tenant (enrolled or unenrolled) are supported. Both Android Enterprise (Work Profile)
-and Device Administrator modes are supported for enrolled devices. On Android, we offer web
+devices running Android 6.0 and higher. Both Android Enterprise (Work Profile)
+and Device Administrator modes are supported. On Android, we offer web
protection, which includes anti-phishing, blocking of unsafe connections, and setting of custom indicators. The solution scans for malware and potentially unwanted applications (PUA) and offers additional breach prevention capabilities
Android
## Microsoft Defender for Endpoint on iOS Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for devices
-running iOS 11.0 and higher. Devices that are registered within a customer's tenant (enrolled or unenrolled) are supported.
-On iOS, we offer web protection, which includes anti-phishing, blocking unsafe connections and
+running iOS 11.0 and higher. Devices that are registered within a customer's tenant (enrolled or unenrolled) are supported. Both supervised and unsupervised enrolled devices are supported. On iOS, we offer web protection, which includes anti-phishing, blocking unsafe connections and
setting custom indicators, and jailbreak detection. For more information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
As a recipient of a quarantined message, what you can do to the message as a non
||::|::|::| |Bulk|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)| |Spam|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
-|Phishing (not high confidence phishing)|![Check mark](../../media/checkmark.png)||![Check mark](../../media/checkmark.png)|
+|Phishing (not high confidence phishing)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
| You view and manage your quarantined messages in the Microsoft 365 Defender portal or (if an admin has set this up) in [end-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md).
security Identity Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
For device compliance policies to be deployed, they must be assigned to user gro
For step-by-step guidance on creating compliance policies in Intune, see [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy) in the Intune documentation.
+### Recommended settings for iOS
+
+iOS/iPadOS supports several enrollment scenarios, two of which are covered as part of this framework:
+
+- [Device enrollment for personally owned devices](/mem/intune/enrollment/ios-enroll) ΓÇô these devices are personally owned and used for both work and personal use.
+- [Supervised automated device enrollment for corporate-owned devices](/mem/intune/enrollment/device-enrollment-program-enroll-ios) ΓÇô these devices are corporate-owned, associated with a single user, and used exclusively for work and not personal use.
+
+The iOS/iPadOS security configuration framework is organized into several distinct configuration scenarios, providing guidance for personally owned and supervised devices.
+
+For personally owned devices:
+
+- Basic security (Level 1) ΓÇô Microsoft recommends this configuration as the minimum security configuration for personal devices where users access work or school data. This is done by enforcing password policies, device lock characteristics, and disabling certain device functions (e.g., untrusted certificates).
+- Enhanced security (Level 2) ΓÇô Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts data sharing controls. This configuration is applicable to most mobile users accessing work or school data on a device.
+- High security (Level 3) ΓÇô Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration enacts stronger password policies, disables certain device functions, and enforces additional data transfer restrictions.
+
+For supervised devices:
+
+- Basic security (Level 1) ΓÇô Microsoft recommends this configuration as the minimum security configuration for supervised devices where users access work or school data. This is done by enforcing password policies, device lock characteristics, and disabling certain device functions (e.g., untrusted certificates).
+- Enhanced security (Level 2) ΓÇô Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts data sharing controls and blocks access to USB devices. This configuration is applicable to most mobile users accessing work or school data on a device.
+- High security (Level 3) ΓÇô Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration enacts stronger password policies, disables certain device functions, enforces additional data transfer restrictions, and requires apps to be installed through AppleΓÇÖs volume purchase program.
+
+Using the principles outlined in [Identity and device access configurations](microsoft-365-policies-configurations.md), the Baseline and Sensitive protection tiers map closely with the Level 2 enhanced security settings. The Highly regulated protection tier maps closely to the Level 3 high security settings.
+
+|Protection level |Device policy |More information |
+||||
+|Baseline |Enhanced security (Level 2) |The policy settings enforced in level 2 include all the policy settings recommended for level 1 and only adds to or updates the below policy settings to implement more controls and a more sophisticated configuration than level 1. |
+|Sensitive |Enhanced security (Level 2) |The policy settings enforced in level 2 include all the policy settings recommended for level 1 and only adds to or updates the below policy settings to implement more controls and a more sophisticated configuration than level 1. |
+|Highly Regulated |High security (Level 3) |The policy settings enforced in level 3 include all the policy settings recommended for level 1 and 2 and only adds to or updates the below policy settings to implement more controls and a more sophisticated configuration than level 2. |
+
+To see the specific device compliance and device restriction recommendations for each configuration level, review the [iOS/iPadOS Security Configuration Framework](/mem/intune/enrollment/ios-ipados-configuration-framework).
+
+### Recommended settings for Android
+
+Android Enterprise supports several enrollment scenarios, two of which are covered as part of this framework:
+
+- [Android Enterprise work profile](/intune/android-work-profile-enroll) ΓÇô this enrollment model is typically used for personally-owned devices, where IT wants to provide a clear separation boundary between work and personal data. Policies controlled by IT ensure that the work data cannot be transferred into the personal profile.
+- [Android Enterprise fully managed devices](/intune/android-fully-managed-enroll) ΓÇô these devices are corporate-owned, associated with a single user, and used exclusively for work and not personal use.
+
+The Android Enterprise security configuration framework is organized into several distinct configuration scenarios, providing guidance for work profile and fully managed scenarios.
+
+For Android Enterprise work profile devices:
+
+- Work profile basic security (Level 1) ΓÇô Microsoft recommends this configuration as the minimum security configuration for personal devices where users access work or school data. This configuration introduces password requirements, separates work and personal data, and validates Android device attestation.
+- Work profile high security (Level 3) ΓÇô Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration introduces mobile threat defense or Microsoft Defender for Endpoint, sets the minimum Android version, enacts stronger password policies, and further restricts work and personal separation.
+
+For Android Enterprise fully managed devices:
+
+- Fully managed basic security (Level 1) ΓÇô Microsoft recommends this configuration as the minimum security configuration for an enterprise device. This configuration is applicable to most mobile users accessing work or school data. This configuration introduces password requirements, sets the minimum Android version, and enacts certain device restrictions.
+- Fully managed enhanced security (Level 2) ΓÇô Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts stronger password policies and disables user/account capabilities.
+- Fully managed high security (Level 3) - Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration increases the minimum Android version, introduces mobile threat defense or Microsoft Defender for Endpoint, and enforces additional device restrictions.
+
+Using the principles outlined in [Identity and device access configurations](microsoft-365-policies-configurations.md), the Baseline and Sensitive protection tiers map closely with the Level 1 basic security for personally owned devices and Level 2 enhanced security settings for fully managed devices. The Highly regulated protection tier maps closely to the Level 3 high security settings.
+
+For Android Enterprise work profile devices:
+
+|Protection level |Device policy |More information |
+||||
+|Baseline |Work Profile: Basic security (Level 1) |N/A |
+|Sensitive |Work Profile: Basic security (Level 1) |N/A |
+|Baseline |Fully Managed: Enhanced Security (Level 2) |The policy settings enforced in level 2 include all the policy settings recommended for level 1 and only adds to or updates the below policy settings to implement more controls and a more sophisticated configuration than level 1. |
+|Sensitive |Fully Managed: Enhanced Security (Level 2) |The policy settings enforced in level 2 include all the policy settings recommended for level 1 and only adds to or updates the below policy settings to implement more controls and a more sophisticated configuration than level 1. |
+|Highly Regulated |High security (Level 3) |The policy settings enforced in level 3 include all the policy settings recommended for level 1 and 2 and only adds to or updates the below policy settings to implement more controls and a more sophisticated configuration than level 2. |
+
+To see the specific device compliance and device restriction recommendations for each configuration level, review the [Android Enterprise Security Configuration Framework](/mem/intune/enrollment/android-configuration-framework).
+ ### Recommended settings for Windows 10 and later The following settings are recommended for PCs running Windows 10 and later, as configured in **Step 2: Compliance settings**, of the policy creation process.
To require compliant PCs:
6. Under **Assignments**, choose **Cloud apps or actions**.
-7. For **Include**, choose **Select apps > Select**, and then select the desired apps from the **Cloud apps** list. For example, select Exchange Online. Choose **Select** when done.
+7. For **Include**, choose **Select apps > Select**, and then select the desired apps from the **Cloud apps** list. For example, select Office 365. Choose **Select** when done.
-8. To require compliant PCs (but not compliant phones and tablets), under **Assignments**, choose **Conditions > Device platforms**. Select **Yes** for **Configure**. Choose **Select device platforms**, select **Windows** and **macOS**, and then choose **Done**.
+8. To require compliant PCs (but not compliant phones and tablets), under **Assignments**, choose **Conditions > Device platforms**. Select **Yes** for **Configure**. Choose **Select device platforms**, select **Yes** and select **Any device** and under Exclude select **iOS** and **Android**, and then choose **Done**.
9. Under **Access controls**, choose **Grant** .
To require compliance for all devices:
6. Under **Assignments**, choose **Cloud apps or actions**.
-7. For **Include**, choose **Select apps > Select**, and then select the desired apps from the **Cloud apps** list. For example, select Exchange Online. Choose **Select** when done.
+7. For **Include**, choose **Select apps > Select**, and then select the desired apps from the **Cloud apps** list. For example, select Office 365. Choose **Select** when done.
8. Under **Access controls**, choose **Grant** .
security Set Up Safe Attachments Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-attachments-policies.md
Creating a Safe Attachments policy in PowerShell is a two-step process:
To create a safe attachment policy, use this syntax: ```PowerShell
-New-SafeAttachmentPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-Action <Allow | Block | Replace | DynamicDelivery>] [-Redirect <$true | $false>] [-RedirectAddress <SMTPEmailAddress>] [-ActionOnError <$true | $false>]
+New-SafeAttachmentPolicy -Name "<PolicyName>" -Enable $true [-AdminDisplayName "<Comments>"] [-Action <Allow | Block | Replace | DynamicDelivery>] [-Redirect <$true | $false>] [-RedirectAddress <SMTPEmailAddress>] [-ActionOnError <$true | $false>]
``` This example creates a safe attachment policy named Contoso All with the following values:
This example creates a safe attachment policy named Contoso All with the followi
- If Safe Attachments scanning isn't available or encounters errors, don't deliver the message (we aren't using the _ActionOnError_ parameter, and the default value is `$true`). ```PowerShell
-New-SafeAttachmentPolicy -Name "Contoso All" -Redirect $true -RedirectAddress sec-ops@contoso.com
+New-SafeAttachmentPolicy -Name "Contoso All" -Enable $true -Redirect $true -RedirectAddress sec-ops@contoso.com
``` For detailed syntax and parameter information, see [New-SafeAttachmentPolicy](/powershell/module/exchange/new-safeattachmentpolicy).
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
For detailed syntax and parameter information, see [Get-TenantAllowBlockListSpoo
For example, `contoso.com/*` is allowed; `contoso.com*` or `contoso.com/ab*` are not allowed.
- - All subpaths are not implied by a right wildcard.
-
- For example, `contoso.com/*` does not include `contoso.com/a`.
- - `*.com*` is invalid (not a resolvable domain and the right wildcard does not follow a forward slash). - Wildcards are not allowed in IP addresses.
security Use Dkim To Validate Outbound Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
Get-DkimSigningConfig -Identity <Domain for which the configuration was set> | F
> [!TIP] > This new 2048-bit key takes effect on the RotateOnDate, and will send emails with the 1024-bit key in the interim. After four days, you can test again with the 2048-bit key (that is, once the rotation takes effect to the second selector).
-If you want to rotate to the second selector, your options are a) let the Microsoft 365 service rotate the selector and upgrade to 2048-bitness within the next 6 months, or b) after 4 days and confirming that 2048-bitness is in use, manually rotate the second selector key by using the appropriate cmdlet listed above.
+If you want to rotate to the second selector, after four days and confirming that 2048-bitness is in use, manually rotate the second selector key by using the appropriate cmdlet listed above.
For detailed syntax and parameter information, see the following articles: [Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig), [New-DkimSigningConfig](/powershell/module/exchange/new-dkimsigningconfig), and [Get-DkimSigningConfig](/powershell/module/exchange/get-dkimsigningconfig).
Once you have published the CNAME records in DNS, you are ready to enable DKIM s
3. On the **DKIM** page, select the domain by clicking on the name.
-4. In the details flyout that appears, chang the **Sign messages for this domain with DKIM signatures** setting to **Enabled** (![Toggle on](../../media/scc-toggle-on.png))
+4. In the details flyout that appears, change the **Sign messages for this domain with DKIM signatures** setting to **Enabled** (![Toggle on](../../media/scc-toggle-on.png))
When you're finished, click **Rotate DKIM keys**. 5. Repeat these step for each custom domain.
+6. If you are configuring DKIM for the first time and see the error 'No DKIM keys saved for this domain' you will have to use Windows PowerShell to enable DKIM signing as explained in the next step.
+ #### To enable DKIM signing for your custom domain by using PowerShell > [!IMPORTANT]
If at some point in the future you decide to add another custom domain and you w
## Disabling the DKIM signing policy for a custom domain <a name="DisableDKIMSigningPolicy"> </a>
-Disabling the signing policy does not completely disable DKIM. After a period of time, Microsoft 365 will automatically apply the default policy for your domain. For more information, see [Default behavior for DKIM and Microsoft 365](use-dkim-to-validate-outbound-email.md#DefaultDKIMbehavior).
+Disabling the signing policy does not completely disable DKIM. After a period of time, Microsoft 365 will automatically apply the default policy for your domain, if the default policy is still in the enabled state. If you wish to completely disable DKIM, you need to disable DKIM on both the custom and default domains. For more information, see [Default behavior for DKIM and Microsoft 365](use-dkim-to-validate-outbound-email.md#DefaultDKIMbehavior).
### To disable the DKIM signing policy by using Windows PowerShell
Disabling the signing policy does not completely disable DKIM. After a period of
## Default behavior for DKIM and Microsoft 365 <a name="DefaultDKIMbehavior"> </a>
-If you do not enable DKIM, Microsoft 365 automatically creates a 1024-bit DKIM public key for your default domain and the associated private key which we store internally in our datacenter. By default, Microsoft 365 uses a default signing configuration for domains that do not have a policy in place. This means that if you do not set up DKIM yourself, Microsoft 365 will use its default policy and keys it creates to enable DKIM for your domain.
+If you do not enable DKIM, Microsoft 365 automatically creates a 1024-bit DKIM public key for your Microsoft Online Email Routing Address (MOERA)/initial domain and the associated private key which we store internally in our datacenter. By default, Microsoft 365 uses a default signing configuration for domains that do not have a policy in place. This means that if you do not set up DKIM yourself, Microsoft 365 will use its default policy and keys it creates to enable DKIM for your domain.
-Also, if you disable DKIM signing after enabling it, after a period of time, Microsoft 365 will automatically apply the default policy for your domain.
+Also, if you disable DKIM signing on your custom domain after enabling it, after a period of time, Microsoft 365 will automatically apply the MOERA/initial domain policy for your custom domain.
In the following example, suppose that DKIM for fabrikam.com was enabled by Microsoft 365, not by the administrator of the domain. This means that the required CNAMEs do not exist in DNS. DKIM signatures for email from this domain will look something like this:
security View Email Security Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
The aggregate view shows data for the last 90 days and the detail view shows dat
To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Compromised users** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/CompromisedUsers>.
-On the **Compromised users** page, you can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+On the **Compromised users** page, the chart shows the following information for the specified date range:
-- **Date (UTC)**: **Start date** and **End date**.-- **Activity**:
- - **Suspicious**: The user account has sent suspicious email and is at risk of being restricted from sending email.
- - **Restricted**: The user account has been restricted from sending email due to highly suspicious patterns.
-
-When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
-
-![Report view in the Compromised users report](../../media/compromised-users-report-activity-view.png)
+- **Restricted**: The user account has been restricted from sending email due to highly suspicious patterns.
+- **Suspicious**: The user account has sent suspicious email and is at risk of being restricted from sending email.
-In the details table below the graph, you can see the following details:
+The details table below the graph shows the following information:
- **Creation time** - **User ID** - **Action**
+You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+
+- **Date (UTC)**: **Start date** and **End date**.
+- **Activity**: **Restricted** or **Suspicious**
+
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+
+![Report view in the Compromised users report](../../media/compromised-users-report-activity-view.png)
+ ## Exchange transport rule report The **Exchange transport rule** report shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization.
To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **
![Type view in the Mailflow status report](../../media/mail-flow-status-report-type-view.png)
-On the **Mailflow status report** page, the **Type** tab is selected by default. By default, this view contains a chart and a details table that's configured with the following filters:
+On the **Mailflow status report** page, the **Type** tab is selected by default. The chart shows the following information for the specified date range:
-- **Date (UTC)** The last 7 days.
+- **Good mail**
+- **Total**
+- **Malware**
+- **Phishing email**
+- **Spam**
+- **Edge protection**
+- **Rule messages**
+
+The details table below the graph shows the following information:
+
+- **Direction**
+- **Type**
+- **24 hours**
+- **3 days**
+- **7 days**
+- **15 days**
+- **30 days**
+
+You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+
+- **Date (UTC)**: **Start date** and **End date**
- **Mail direction**: - **Inbound** - **Outbound**
- - **Intra-org**: this count is for messages within a tenant i.e sender abc@domain.com sends to recipient xyz@domain.com (counted separately from **Inbound** and **Outbound**)
+ - **Intra-org**: Messages sent within the same tenant. For example, chris@contoso.com sends a message to michelle@contso.com.
- **Type**: - **Good mail** - **Malware**
On the **Mailflow status report** page, the **Type** tab is selected by default.
- **Phishing email** - **Domain**: **All**
-The chart is organized by the **Type** values.
-
-You can change these filters by clicking **Filter**.
-
-The following information is shown in the details table below the graph:
--- **Direction**-- **Type**-- **24 hours**-- **3 days**-- **7 days**-- **15 days**-- **30 days**
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
If you click **Choose a category for more details**, you can select from the following values:
Each exported .csv file is limited to 150,000 rows. If the data for that day con
![Direction view in the Mailflow status report](../../media/mail-flow-status-report-direction-view.png)
-If you click the **Direction** tab, the same default filters from the **Type** view are used.
+If you click the **Direction** tab, the chart shows the following information for the specified date range:
-The chart is organized by **Direction** values.
+- **Inbound**
+- **Outbound**
+- **Intra-org**
-You can change these filters by clicking **Filter**. The same filters from the **Type** view are used.
+The details table below the graph contains same information from the **Type** view.
-The details table contains same information from the **Type** view.
+You can filter both the chart and the details table by clicking **Filter**. The same filters from the **Type** view are available.
The **Choose a category for more details** available selections and behavior are the same as the **Type** view.
The **Funnel** view shows you how Microsoft's email threat protection features f
![Funnel view in the Mailflow status report](../../media/mail-flow-status-report-funnel-view.png)
-If you click the **Funnel** tab, by default, this view contains a chart and a details table that's configured with the following filters:
--- **Date**: The last 7 days.--- **Direction**:
- - **Inbound**
- - **Outbound**
- - **Intra-org**: This count is for messages sent within a tenant; i.e, sender abc@domain.com sends to recipient xyz@domain.com (counted separately from Inbound and Outbound).
- The aggregate view and details table view allow for 90 days of filtering.
-You can change these filters by clicking **Filter**. The same filters from the **Type** view are used.
+If you click the **Funnel** tab, the chart shows messages organized into the following categories for the specified date range:
-This chart shows the email count organized by:
--- **Total email**-- **Email after edge protection**
+- **Total email**: This value is always shown first. The remaining values are shown in descending order by message count.
+- **Email after Edge Protection**
- **Email after transport rule** (mail flow rule) - **Email after anti-malware, file reputation, file type block**-- **Email after anti-phish, URL reputation, brand impersonation, anti-spoof**-- **Email after anti-spam, bulk mail filtering**-- **Email after user and domain impersonation**<sup>\*</sup>-- **Email after file and URL detonation**<sup>\*</sup>-- **Email detected as benign after post-delivery protection (URL click time protection)**-
-<sup>\*</sup> Defender for Office 365 only
-
-To view the email filtered by EOP or Defender for Office 365 separately, click on the value in the chart legend.
-
-The details table contains the following information, shown in descending date order:
--- **Date**-- **Total email**-- **Edge protection**-- **Anti-malware, file reputation, file type block**: - **File reputation**: Messages filtered due to identification of an attached file by other Microsoft customers. - **File type block**: Messages filtered due to the type of malicious file identified in the message.-- **Anti-phish, URL reputation, Brand impersonation, anti-spoof**:
+- **Email after anti-phish, URL reputation, brand impersonation, anti-spoof**
- **URL reputation**: Messages filtered due to the identification of the URL by other Microsoft customers. - **Brand impersonation**: Messages filtered due to the message coming from well-known brand impersonating senders. - **Anti-spoof**: Messages filtered due to the message attempting to spoof a domain that the recipient belongs to, or a domain that the message sender doesn't own.-- **Anti-spam, bulk mail filtering**:
+- **Email after anti-spam, bulk mail filtering**
- **Bulk mail filtering**: Messages filtered based on the bulk complain level (BCL) threshold in an anti-spam policy.-- **User and domain impersonationΓÇ»(Defender for Office 365)**:
- - **User impersonation**: Messages filtered due to an attempt to impersonate a user (message sender) that's defined in the impersonation protection settings of an anti-phishing policy.
- - **Domain impersonation**: Messages filtered due to an attempt to impersonate a domain that's defined in the impersonation protection settings of an anti-phishing policy.
-- **File and URL detonationΓÇ»(Defender for Office 365)**:
+- **Email after user and domain impersonation**
+ - **User impersonation**: Messages filtered due to an attempt to impersonate a user (message sender) that's defined in the impersonation protection settings of an anti-phishing policy in Defender for Office 365.
+ - **Domain impersonation**: Messages filtered due to an attempt to impersonate a domain that's defined in the impersonation protection settings of an anti-phishing policy in Defender for Office 365.
+- **Email after file and URL detonation**
- **File detonation**: Messages filtered by a Safe Attachments policy. - **URL detonation**: Message filtered by a Safe Links policy.-- **Post-delivery protection and ZAP (ATP), or ZAP (EOP)**: Zero-hour auto purge (ZAP) for malware, spam, and phishing.
+- **Email detected as benign after post-delivery protection (URL click time protection)**
+
+The categories are color coded by **EOP** or **Defender for Office 365**. To filter the categories in the chart, click **EOP** or **Defender for Office 365** in the chart legend (one click to eliminate; a second click to bring back).
+
+The details table below the chart contains the same information as the chart, but with different (shorter) descriptions:
+
+- **Total email**
+- **Edge protection**
+- **Rule messages**
+- **Anti-malware, file reputation, file type, file block**
+- **Anti-phish, URL reputation, brand impersonation, anti-spoof**
+- **Anti-spam, bulk mail filtering**
+- **User and domain impersonation**
+- **File and URL detonation (ATP)**: Defender for Office 365
+- **Post-delivery protection and ZAP (ATP)**: Defender for Office 365
If you select a row in the details table, a further breakdown of the email counts are shown in the flyout.
+You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+
+- **Date (UTC)**: **Start date** and **End date**
+- **Mail direction**:
+ - **Inbound**
+ - **Outbound**
+ - **Intra-org**: Messages sent within the same tenant. For example, chris@contoso.com sends a message to michelle@contso.com.
+
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+ #### Export from Funnel view After you click **Export** under **Options**, you can select one of the following values:
Each exported .csv file is limited to 150,000 rows. If the data contains more th
The **Tech view** is similar to the **Funnel** view, providing more granular details for the configured threat protections features. From the chart, you can see how messages are categorized at the different stages of threat protection.
-If you click the **Tech view** tab, by default, this view contains a chart and a details table that's configured with the following filters:
--- **Date**: The last 7 days.--- **Direction**:
- - **Inbound**
- - **Outbound**
- - **Intra-org**: this count is for messages within a tenant i.e sender abc@domain.com sends to recipient xyz@domain.com (counted separately from Inbound and Outbound)
-
-The aggregate view and details table view allow for 90 days of filtering.
+![Tech view in the Mailflow status report](../../media/mail-flow-status-report-tech-view.png)
-You can change these filters by clicking **Filter**. The same filters from the **Type** view are used.
+The aggregate view and details table allow for 90 days of filtering.
-This chart shows messages organized into the following categories:
+If you click the **Tech view** tab, the chart shows messages organized into the following categories for the specified date range:
- **Total email** - **Edge allow** and **Edge filtered**
This chart shows messages organized into the following categories:
When you hover over a category in the chart, you can see the number of messages in that category.
-The details table contains the following information, shown in descending date order:
+The details table below the chart contains the following information
- **Date (UTC)** - **Total email** - **Edge filtered** - **Rule messages**: Messages filtered due to mail flow rules (also known as transport rules).-- **Anti-malware engine**, **Safe Attachments**<sup>\*</sup>:
+- **Anti-malware engine, Safe Attachments**<sup>\*</sup>:
- **DMARC, impersonation**<sup>\*</sup>, **spoof**, **phish filtered**: - **DMARC**: Messages filtered due to the message failing its DMARC authentication check. - **URL detonation detection**<sup>\*</sup>
The details table contains the following information, shown in descending date o
If you select a row in the details table, a further breakdown of the email counts are shown in the flyout.
+You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears:
+
+- **Date (UTC)**: **Start date** and **End date**
+- **Mail direction**:
+ - **Inbound**
+ - **Outbound**
+ - **Intra-org**: Messages sent within the same tenant. For example, chris@contoso.com sends a message to michelle@contso.com.
+
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+ #### Export from Tech view On clicking **Export**, under **Options** you can select one of the following values:
Under **Date**, choose a range, and then click **Apply**. Data for the current f
Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000 rows, then multiple .csv files will be created.
-![Tech view in the Mailflow status report](../../media/mail-flow-status-report-tech-view.png)
- ## Malware detections report The **Malware detections report** report shows information about malware detections in incoming and outgoing email messages (malware detected by Exchange Online Protection or EOP). For more information about malware protection in EOP, see [Anti-malware protection in EOP](anti-malware-protection.md).
To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **
![Malware detections in email widget on the Email & collaboration reports page](../../media/malware-detections-widget.png)
-On the **Malware detections report** page, you can filter both the chart and the details table by clicking **Filter** and selecting one of the following values:
+On the **Malware detections report** page, the chart shows the following information for the specified date range:
-- **Date (UTC)** **Start date** and **End date**-- **Direction**: **Inbound** and **Outbound**
+- **Outbound**
+- **Inbound**
![Report view in the Malware detection in email report](../../media/malware-detections-report-view.png)
-In the details table below the graph, you can see the following details:
+The details table below the graph shows the following information:
- **Date** - **Sender address**
In the details table below the graph, you can see the following details:
- **Filename** - **Malware name**
+You can filter both the chart and the details table by clicking **Filter** and selecting one of the following values:
+
+- **Date (UTC)** **Start date** and **End date**
+- **Direction**: **Inbound** and **Outbound**
+
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+ ## Mail latency report The **Mail latency report** in Defender for Office 365 contains information on the mail delivery and detonation latency experienced within your organization. For more information, see [Mail latency report](view-reports-for-mdo.md#mail-latency-report).
On the **Spoof mail report** page, you can filter both the chart and the details
![Spoof mail report page in the Microsoft 365 Defender portal](../../media/spoof-detections-report-page.png)
-In the details table below the graph, you can see the following details:
+The details table below the graph shows the following information:
- **Date** - **Spoofed user**
If you click **Filter**, the following filters are available:
When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
-### View data by System override
+### View data by System override and Chart breakdown by Reason
-![Message override view in the Threat protection status report](../../media/threat-protection-status-report-message-override-view.png)
+![Message override and Chart breakdown by Reason view in the Threat protection status report](../../media/threat-protection-status-report-system-override-view-breakdown-by-reason.png)
-In the **View data by System override** view, the following override reason information is shown in the chart:
+In the **View data by System override** and **Chart breakdown by Reason** view, the following override reason information is shown in the chart:
- **On-premises skip** - **IP allow**
In the **View data by System override** view, the following override reason info
- **Organization allowed senders** - **Organization allowed domains** - **ZAP not enabled**-- **Junk Mail folder not enabled** - **User Safe Sender** - **User Safe Domain**
+- **Phishing simulation**: For more information, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](configure-advanced-delivery.md).
+- **Third party filter**
In the details table below the chart, the following information is available:
In the details table below the chart, the following information is available:
- **Subject** - **Sender** - **Recipients**-- **Detected by**-- **Delivery Status**
+- **System override**
- **Source of Compromise** - **Tags** If you click **Filter**, the following filters are available: - **Date (UTC)** **Start date** and **End date**-- **Detection**-- **Protected by**: **MDO** (Defender for Office 365) or **EOP**-- **Direction**
+- **Reason**
+- **Direction**:
+ - **All**
+ - **Inbound**
+ - **Outbound**
- **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md). - **Domain**-- **Policy type**
+- **Policy type**:
+ - **All**
+ - **Anti-malware**
+ - **Safe Attachments**<sup>\*</sup>
+ - **Anti-phish**
+ - **Anti-spam**
+ - **Mail flow rule** (transport rule)
+ - **Others**
- **Policy name** (details table only) - **Recipients**
+<sup>\*</sup> Defender for Office 365 only
+ When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+### View data by System override and Chart breakdown by Delivery location
+
+![Message override and Chart breakdown by Delivery Location view in the Threat protection status report](../../media/threat-protection-status-report-system-override-view-breakdown-by-delivery-location.png)
+
+In the **View data by System override** and **Chart breakdown by Delivery location** view, the following override reason information is shown in the chart:
+
+- **Junk Mail folder not enabled**
+- **SecOps mailbox**: For more information, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](configure-advanced-delivery.md).
+
+In the details table below the chart, the following information is available:
+
+- **Date**
+- **Subject**
+- **Sender**
+- **Recipients**
+- **System override**
+- **Source of Compromise**
+- **Tags**
+
+If you click **Filter**, the following filters are available:
+
+- **Date (UTC)** **Start date** and **End date**
+- **Reason**
+- **Direction**:
+ - **All**
+ - **Inbound**
+ - **Outbound**
+- **Tag**: Filter the results by users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Domain**
+- **Policy type**:
+ - **All**
+ - **Anti-malware**
+ - **Safe Attachments**<sup>\*</sup>
+ - **Anti-phish**
+ - **Anti-spam**
+ - **Mail flow rule** (transport rule)
+ - **Others**
+- **Policy name** (details table only)
+- **Recipients**
+ <sup>\*</sup> Defender for Office 365 only
+When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
+ ## Top malware report The **Top malware** report shows the various kinds of malware that was detected by [anti-malware protection in EOP](anti-malware-protection.md).
To group the entries, click **Group** and select one of the following values fro
![User reported messages report](../../media/user-reported-messages-report.png)
-In the details table below the graph, you can see the following details:
+The details table below the graph shows the following information:
- **Email subject** - **Reported by**
security Walkthrough Spoof Intelligence Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) > [!NOTE]
-> This article describes the older spoofed sender management experience that's being replaced. For more information about the new experience, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)
+> This article describes the older spoofed sender management experience that's being replaced (the **spoof intelligence policy** on the **Anti-spam policies** page). For more information about the new experience (the **Spoofing** tab in the Tenant Allow/Block List), see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spoofing by EOP as of October 2018. EOP uses **spoof intelligence** as part of your organization's overall defense against phishing. For more information, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md). The default (and only) **spoof intelligence policy** helps ensure that the spoofed email sent by legitimate senders doesn't get caught up in EOP spam filters while protecting your users from spam or phishing attacks. You can also use the **Spoof intelligence insight** to quickly determine which external senders are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks).
-You can manage spoof intelligence in the Security & Compliance Center, or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+You can manage spoof intelligence in the Microsoft 365 Defender portal, or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>.
- - To go directly to the **Anti-spam settings** page for the spoof intelligence policy, use <https://protection.office.com/antispam>.
- - To go directly to the **Security dashboard** page for the spoof intelligence insight, use <https://protection.office.com/searchandinvestigation/dashboard>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>.
+ - To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
There are two ways to allow and block spoofed senders:
### Manage spoofed senders in the spoof intelligence policy
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam**.
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand **Spoof intelligence policy**.
+2. On the **Anti-spam policies** page, select **Spoof intelligence policy** by clicking on the name.
![Select the spoof intelligence policy](../../media/anti-spam-settings-spoof-intelligence-policy.png)
-3. Make one of the following selections:
-
- - **Review new senders**
+3. On the **Spoof intelligence policy** flyout that appears, make one of the following selections:
- **Show me senders I already reviewed**
+ - **Review new senders**
-4. In the **Decide if these senders are allowed to spoof your users** flyout that appears, select one of the following tabs:
-
+4. On the **Decide if these senders are allowed to spoof your users** flyout that appears, select one of the following tabs:
- **Your Domains**: Senders spoofing users in your internal domains. - **External Domains**: Senders spoofing users in external domains.
-5. Click ![Expand icon](../../medi#spoof-settings).
+5. Click ![Expand icon](../../media/scc-expand-icon.png) in the **Allowed to spoof?** column and make one of the following selections:
+ - **Yes**: Allow the spoofed sender.
+ - **No**: Mark the message as spoofed. The action is controlled by the default anti-phishing policy or custom anti-phishing policies. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
- ![Screenshot showing the spoofed senders flyout, and whether the sender is allowed to spoof](../../media/c0c062fd-f4a4-4d78-96f7-2c22009052bb.jpg)
+ ![Screenshot showing the spoofed senders flyout, and whether the sender is allowed to spoof](../../media/spoof-allow-block-flyout.png)
The columns and values that you see are explained in the following list:
There are two ways to allow and block spoofed senders:
- **Failed**: The sender failed EOP sender authentication checks. - **Unknown**: The result of these checks isn't known.
- - **Decision set by**: Shows who determined if the sending infrastructure is allowed to spoof the user:
- - **Spoof intelligence policy** (automatic)
- - **Admin** (manual)
- - **Last seen**: The last date when a message was received from the sending infrastructure that contains the spoofed user. - **Allowed to spoof?**: The values that you see here are:
There are two ways to allow and block spoofed senders:
- **Some users** (**Your Domains** tab only): A sending infrastructure is spoofing multiple users, where some spoofed users are allowed and others are not. Use the **Detailed** tab to see the specific addresses.
-6. At the bottom of the page, click **Save**.
+6. When you're finished, click **Save**.
#### Use PowerShell to manage spoofed senders
For detailed syntax and parameter information, see [Set-PhishFilterPolicy](/powe
To verify that you've configured spoof intelligence with senders who are allowed and not allowed to spoof, use any of the following steps: -- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam** \> expand **Spoof intelligence policy** \> select **Show me senders I already reviewed** \> select the **Your Domains** or **External Domains** tab, and verify the **Allowed to spoof?** value for the sender.
+- **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** page \> **Policies** section \> **Anti-spam** \> **Spoof intelligence policy** \> select **Show me senders I already reviewed** \> select the **Your Domains** or **External Domains** tab, and verify the **Allowed to spoof?** value for the sender.
- In PowerShell, run the following commands to view the senders who are allowed and not allowed to spoof: