Updates from: 07/29/2021 03:14:11
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee Step 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-1.md
If you have email as part of your Microsoft 365 subscription, sign in to the Exc
1. Go to the <a href="https://admin.exchange.microsoft.com/" target="_blank">Exchange admin center</a>. 2. In the Exchange admin center, navigate to **Recipients** \> **Mailboxes**.
-3. Double-click the user and go to **Manage email apps settings** under **Email apps**. Turn **Off** the slider for all the options; **Mobile (Exchange ActiveSync)**, **Outlook on the web**, **Outlook desktop (MAPI)**, **Exchange web services**, **POP3**, and **IMAP**.
+3. Select the user mailbox from the list and then, in the *Details Pane* (on the right-hand side), select **Manage email apps settings** under **Email apps**. Turn **Off** the slider for all the options; **Mobile (Exchange ActiveSync)**, **Outlook on the web**, **Outlook desktop (MAPI)**, **Exchange web services**, **POP3**, and **IMAP**.
4. Select **Save**. ## Related content [Exchange admin center in Exchange Online](/exchange/exchange-admin-center)+ [Restore a user](restore-user.md)
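Review bot: In the rewritten step 3, *Details Pane* is italicized and title-cased while every other UI label in these steps (**Recipients**, **Mailboxes**, **Manage email apps settings**) is bold; give it the same bold style. The semicolon after "all the options" introduces a list and should be a colon.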
admin Remove Former Employee Step 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-2.md
Once you've blocked a user from being able to log into your organization you can
## Related content [Exchange admin center in Exchange Online](/exchange/exchange-admin-center)+ [Restore a user](restore-user.md)
admin Remove Former Employee Step 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-3.md
Follow these steps on how to [convert the user's mailbox to a shared mailbox](..
## Related content [Open and use a shared mailbox in Outlook](https://support.microsoft.com/office/open-and-use-a-shared-mailbox-in-outlook-d94a8e9e-21f1-4240-808b-de9c9c088afd)+ [Access another person's mailbox](https://support.microsoft.com/office/access-another-person-s-mailbox-a909ad30-e413-40b5-a487-0ea70b763081)+ [Exchange admin center in Exchange Online](/exchange/exchange-admin-center)
-[Manager another person's mail and calendar items](https://support.microsoft.com/office/manage-another-person-s-mail-and-calendar-items-afb79d6b-2967-43b9-a944-a6b953190af5)
+
+[Manager another person's mail and calendar items](https://support.microsoft.com/office/manage-another-person-s-mail-and-calendar-items-afb79d6b-2967-43b9-a944-a6b953190af5)
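Review bot: The link text on the re-added line still reads "Manager another person's mail and calendar items", while the target URL is manage-another-person-s-mail-and-calendar-items. Since the line is being touched anyway, correct the text to "Manage another person's mail and calendar items".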
admin Remove Former Employee Step 4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-4.md
To give access to the email messages, calendar, tasks, and contacts of the forme
> The steps remain the same for accessing an existing user's OneDrive and email data. > [!TIP]
-> If you want to import or restore only a few items from an Outlook Data File (.pst), you can open the Outlook Data File. Then, in the navigation pane, drag the items from Outlook Data File folders to your existing Outlook folders.
+> If you want to import or restore only a few items from an Outlook Data File (.pst), you can open the Outlook Data File. Then, in the navigation pane, drag the items from Outlook Data File folders to your existing Outlook folders.
## Related content [Add and remove admins on a OneDrive account](/sharepoint/manage-user-profiles#add-and-remove-admins-for-a-users-onedrive) (article)+ [Restore a deleted OneDrive](/onedrive/restore-deleted-onedrive) (article)+ [OneDrive retention and deletion](/onedrive/retention-and-deletion) (article)+ [Share OneDrive files and folders](https://support.microsoft.com/office/share-onedrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07)
admin Remove Former Employee Step 7 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-7.md
The above operations can be done in three places:
## Related content
-[Restore a user](restore-user.md) (article)/
+[Restore a user](restore-user.md) (article)
+ [Reset passwords](reset-passwords.md) (article)
admin Remove Former Employee https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee.md
description: "Follow the steps in this solution to remove a former employee from
# Overview: Remove a former employee and secure data
-A question we often get is, "What should I do to secure data and protect access when an employee leaves my organization?" This article series explains how to block access to Microsoft 365, the steps you should take to secure your data, and how to allow other employees to access the data.
-
+A question we often get is, "What should I do to secure data and protect access when an employee leaves my organization?" This article series explains how to block access to Microsoft 365 so these user's can't sign in to Microsoft 365, the steps you should take to secure organization data, and how to allow other employees to access email and OneDrive data.
## Before you begin You need to be a global administrator to complete the steps in this solution.
+To complete the steps in this series, you use these Microsoft 365 capabilities and features.
+
+|Product or component|Capability or feature|
+|||
+|Microsoft 365 admin center|Convert mailbox, forward email, revoke access, remove user |
+|Exchange admin center|Block user, block access to email, wipe device |
+|OneDrive and SharePoint |Give access to other users |
+|Outlook|Import pst files, add mailbox |
+|Active Directory|Remove users in hybrid environments |
+ ## Solution: Remove a former employee > [!IMPORTANT]
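Review bot: The new overview sentence contains "so these user's can't sign in to Microsoft 365": "user's" should be the plural "users", and "these" has no antecedent because the preceding sentence speaks of a single employee. The clause also repeats "block access to Microsoft 365" from earlier in the same sentence, so it could be shortened to something like "how to block the former employee from signing in to Microsoft 365".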
admin Create Dns Records At Any Dns Hosting Provider https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md
audience: Admin
localization_priority: Priority-+ - M365-subscription-management - Adm_O365 - Adm_TOC
search.appverid: - MET150 description: "Connect a domain at any DNS hosting provider to Microsoft 365 by verifying your domain and updating the DNS records in your registrarΓÇÖs account."-+ - okr_smb - AdminSurgePortfolio - AdminTemplateSet
First, you need to prove you own the domain you want to add to Microsoft 365.
2. In a new browser tab or window, sign in to your DNS hosting provider, and then find where you manage your DNS settings (e.g., Zone File Settings, Manage Domains, Domain Manager, DNS Manager). 3. Go to your provider's DNS Manager page, and add the TXT record indicated in the admin center to your domain.
-Adding this record won't affect your existing email or other services and you can safely remove it once your domain is connected to Microsoft 365.
+ Adding this record won't affect your existing email or other services and you can safely remove it once your domain is connected to Microsoft 365.
-Example:
-- TXT Name: `@`-- TXT Value: MS=ms######## (unique ID from the admin center)-- TTL: `3600ΓÇÄ` (or your provider default)
+ Example:
+
+ - TXT Name: `@`
+ - TXT Value: MS=ms######## (unique ID from the admin center)
+ - TTL: `3600` (or your provider default)
4. Save the record, go back to the admin center, and then select **Verify**. It typically takes around 15 minutes for record changes to register, but sometimes it can take longer. Give it some time and a few tries to pick up the change.
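Review bot: In the re-indented example, the TXT value "MS=ms########" is left as plain text while the TXT name and the TTL on the neighbouring bullets use code formatting. Put the value in backticks as well, keeping the "(unique ID from the admin center)" remark outside them, so that readers can tell exactly which characters belong in the record.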
Make sure that the fields are set to the following values:
- Priority: Set to the highest value available, typically `0`. - Host Name: `@` - Points to address: Copy the value from the admin center and paste it here.-- TTL: `3600ΓÇÄ` (or your provider default)
+- TTL: `3600` (or your provider default)
When Microsoft finds the correct MX record, your domain is verified.
When Microsoft finds the correct MX record, your domain is verified.
In a new browser tab or window, sign in to your DNS hosting provider, and find where you manage your DNS settings (e.g., Zone File Settings, Manage Domains, Domain Manager, DNS Manager).
-You'll be adding several different types of DNS records depending on the services you want to enable.
+You'll be adding several different types of DNS records depending on the services you want to enable.
### Add an MX record for email (Outlook, Exchange Online)+ **Before you begin:** If users already have email with your domain (such as user@yourdomain.com), create their accounts in the admin center before you set up your MX records. That way, theyΓÇÖll continue to receive email. When you update your domain's MX record, all new email for anyone who uses your domain will now come to Microsoft 365. Any email you already have will stay at your current email host, unless you decide to [migrate email and contacts to Microsoft 365.](../setup/migrate-email-and-contacts-admin.md) You'll get the information for the MX record from the admin center domain setup wizard.
Make sure that the fields are set to the following values:
- Priority: Set to the highest value available, typically `0`. - Host Name: `@` - Points to address: Copy the value from the admin center and paste it here.-- TTL: `3600ΓÇÄ` (or your provider default)
+- TTL: `3600` (or your provider default)
Save the record, and then remove any other MX records. ### Add CNAME records to connect other services (Teams, Exchange Online, AAD, MDM)+ You'll get the information for the CNAME records from the admin center domain setup wizard. On your hosting provider's website, add CNAME records for each service that you want to connect.
Make sure that the fields are set to the following values for each:
- Record Type: `CNAME (Alias)` - Host: Paste the values you copy from the admin center here. - Points to address: Copy the value from the admin center and paste it here.-- TTL: `3600ΓÇÄ` (or your provider default)-
+- TTL: `3600` (or your provider default)
### Add or edit an SPF TXT record to help prevent email spam (Outlook, Exchange Online)+ **Before you begin:** If you already have an SPF record for your domain, don't create a new one for Microsoft 365. Instead, add the required Microsoft 365 values to the current record on your hosting providers website so that you have a *single* SPF record that includes both sets of values. On your hosting provider's website, edit the existing SPF record or create an SPF record.
Make sure that the fields are set to the following values:
- Record Type: `TXT (Text)` - Host: `@` - TXT Value: `v=spf1 include:spf.protection.outlook.com -all`-- TTL: `3600ΓÇÄ` (or your provider default)
+- TTL: `3600` (or your provider default)
Save the record. Validate your SPF record by using one of these [SPF validation tools](/office365/admin/setup/domains-faq#how-can-i-validate-spf-records-for-my-domain)
-SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. To protect against these, once you've set up SPF, you should also set up DKIM and DMARC for Microsoft 365.
+SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. To protect against these, once you've set up SPF, you should also set up DKIM and DMARC for Microsoft 365.
To get started, see [Use DKIM to validate outbound email sent from your domain in Microsoft 365](../../security/office-365-security/use-dkim-to-validate-outbound-email.md) and [Use DMARC to validate email in Microsoft 365](../../security/office-365-security/use-dmarc-to-validate-email.md).
Make sure that the fields are set to the following values for each:
- Priority: `100` - Weight: `1` - Port: Copy the value from the admin center and paste it here.-- TTL: `3600ΓÇÄ` (or your provider default)
+- TTL: `3600` (or your provider default)
Save the record. #### SRV record field restrictions and workarounds+ Some hosting providers impose restrictions on field values within SRV records. Here are some common workarounds for these restrictions. ##### Name+ If your hosting provider doesn't allow setting this field to **@**, leave it blank. Use this approach *only* when your hosting provider has separate fields for the Service and Protocol values. Otherwise, see the Service and Protocol notes below. ##### Service and Protocol
-If your hosting provider doesn't provide these fields for SRV records, you must specify the **Service** and **Protocol** values in the record's **Name** field. (Note: Depending on your hosting provider, the **Name** field might be called something else, like: **Host**, **Hostname**, or **Subdomain**.) To add these values, you create a single string, separating the values with a dot.
+
+If your hosting provider doesn't provide these fields for SRV records, you must specify the **Service** and **Protocol** values in the record's **Name** field. (Note: Depending on your hosting provider, the **Name** field might be called something else, like: **Host**, **Hostname**, or **Subdomain**.) To add these values, you create a single string, separating the values with a dot.
Example: `_sip._tls`
-##### Priority, Weight, and Port <br>
-If your hosting provider doesn't provide these fields for SRV records, you must specify them in the record's **Target** field. (Note: Depending on your hosting provider, the **Target** field might be called something else, like: **Content**, **IP Address**, or **Target Host**.)
+##### Priority, Weight, and Port
+
+If your hosting provider doesn't provide these fields for SRV records, you must specify them in the record's **Target** field. (Note: Depending on your hosting provider, the **Target** field might be called something else, like: **Content**, **IP Address**, or **Target Host**.)
-To add these values, create a single string, separating the values with spaces and *sometimes ending with a dot* (check with your provider if you are unsure). The values must be included in this order: Priority, Weight, Port, Target.
+To add these values, create a single string, separating the values with spaces and *sometimes ending with a dot* (check with your provider if you are unsure). The values must be included in this order: Priority, Weight, Port, Target.
- Example 1: `100 1 443 sipdir.online.lync.com.` - Example 2: `100 1 443 sipdir.online.lync.com`
To add these values, create a single string, separating the values with spaces a
[Change nameservers to set up Microsoft 365 with any domain registrar](change-nameservers-at-any-domain-registrar.md) (article)\ [Find and fix issues after adding your domain or DNS records](find-and-fix-issues.md) (article)\
-[Manage domains](index.yml) (link page)
+[Manage domains](index.yml) (link page)
admin Manage Office Scripts Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-office-scripts-settings.md
audience: Admin--++ localization_priority: Normal--- M365-subscription-management +
+- M365-subscription-management
- Adm_O365 - Adm_TOC-+ - AdminSurgePortfolio - AdminTemplateSet search.appverid: MET150
description: "Learn how to manage Office Scripts settings for users in your orga
# Manage Office Scripts settings
-[Office Scripts](/office/dev/scripts)ΓÇÄ allows users to automate tasks by recording, editing, and running scripts in ΓÇÄExcelΓÇÄ on the web. ΓÇÄOffice ScriptsΓÇÄ works with Power Automate, and users run scripts on workbooks by using the ΓÇÄExcelΓÇÄ Online (Business) connector. Microsoft 365 admins can manage Office Scripts settings from the Microsoft 365 admin center.
+[Office Scripts](/office/dev/scripts) allows users to automate tasks by recording, editing, and running scripts in Excel on the web. Office Scripts works with Power Automate, and users run scripts on workbooks by using the Excel Online (Business) connector. Microsoft 365 admins can manage Office Scripts settings from the Microsoft 365 admin center.
## Before you begin
description: "Learn how to manage Office Scripts settings for users in your orga
- Ensure users in your organization have a valid license for a Microsoft 365 or Office 365 commercial or EDU plan that includes access to Office desktop apps, such as one of the following plans:
- - Microsoft 365 Business Standard
- - Microsoft 365 Apps for business
- - Microsoft 365 Apps for enterprise
- - Office 365 E3
- - Office 365 E5
- - Office 365 A3
- - Office 365 A5
+- Microsoft 365 Business Standard
+- Microsoft 365 Apps for business
+- Microsoft 365 Apps for enterprise
+- Office 365 E3
+- Office 365 E5
+- Office 365 A3
+- Office 365 A5
## Manage availability of Office Scripts and sharing of scripts
-1. In the Microsoft 365 admin center, go to the **Settings** \> **Org settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2053743" target="_blank">Services</a> tab.
+1. In the Microsoft 365 admin center, go to the **Settings** \> **Org settings** \> **[Services](https://go.microsoft.com/fwlink/p/?linkid=2053743)** tab.
2. Select **Office Scripts**.
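Review bot: The plan names were a nested list under the bullet "Ensure users in your organization have a valid license ... such as one of the following plans:", and the new lines drop that indentation, which makes each plan a top-level bullet and a sibling of the sentence that introduces it. Keep the items indented under that bullet, or, if flattening is intended, turn the introducing sentence into a plain paragraph so the list still reads as belonging to it.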
description: "Learn how to manage Office Scripts settings for users in your orga
- Distribution group - Security group - Mail-enabled security group
-
+ To learn more about the different types of groups, see [Compare groups](../create-groups/compare-groups.md). 5. To allow users with access to Office Scripts to share their scripts with others in your organization, select **Let users with access to Office Scripts share their scripts with others in the organization**. Sharing scripts outside of an organization is not allowed.
-
+ > [!NOTE] > If you later turn off script sharing for your organization, users will still be able to run previously-shared scripts.
-
+ 6. Specify which users with access to Office Scripts can share their scripts:
-
+ - To allow all users with access to Office Scripts to share their scripts, leave **Everyone** (the default) selected. - To allow only members of a specific group with access to Office Scripts to share their scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allow list, and it must be one of the following types:
description: "Learn how to manage Office Scripts settings for users in your orga
- Distribution group - Security group - Mail-enabled security group
-
+ To learn more about the different types of groups, see [Compare groups](../create-groups/compare-groups.md). 7. To allow users to run their Office Scripts inside Power Automate flows, select **Let users with access to Office Scripts run their scripts with Power Automate**. This allows users to add flow steps with the [Excel Online (Business) Connector's](/connectors/excelonlinebusiness) **Run script** option.
description: "Learn how to manage Office Scripts settings for users in your orga
## Next steps
-Because Office Scripts works with Power Automate, we recommend that you review your existing data loss prevention (DLP) policies to ensure your organization's data remains protected while users use ΓÇÄOffice ScriptsΓÇÄ. For more information, see [Data loss prevention (DLP) policies](/power-automate/prevent-data-loss).
+Because Office Scripts works with Power Automate, we recommend that you review your existing data loss prevention (DLP) policies to ensure your organization's data remains protected while users use Office Scripts. For more information, see [Data loss prevention (DLP) policies](/power-automate/prevent-data-loss).
## Related content
admin Show Hide New Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/show-hide-new-features.md
Title: "Manage which ΓÇÄOfficeΓÇÄ features appear in What's New"
+ Title: "Manage which Office features appear in What's New"
f1.keywords: - NOCSH
search.appverid:
description: "Decide which Office features to show or hide when a user chooses Help > What's New in their Office app on Windows by using the 'What's new in Office' feature in the Microsoft 365 admin center."
-# Manage which OfficeΓÇÄ features appear in What's New
+# Manage which Office features appear in What's New
-When an important ΓÇÄOfficeΓÇÄ feature is released, users will get a message about it when they choose **Help** > **What's New** in their ΓÇÄΓÇÄOfficeΓÇÄΓÇÄ app on ΓÇÄWindowsΓÇÄ.
+When an important Office feature is released, users will get a message about it when they choose **Help** \> **What's New** in their Office app on Windows.
You can control which of these feature messages your users are shown by using the **What's new in Office** feature in the Microsoft 365 admin center. If you decide to hide a feature message to your users, you can always come back later and decide to show it to them. > [!NOTE]
+>
> - Hiding a feature message from your users doesn't disable the feature in the Office app. > - You must be assigned either the Global admin role or the Office apps admin role to use the **What's new in Office** feature.
-## Show or hide new features
+## Show or hide new features
1. In the Microsoft 365 admin center, under **Settings**, choose **Org settings**. 2. On the **Services** tab, choose **What's new in Office**.
You can control which of these feature messages your users are shown by using th
- The first version (release) that the feature is available in for that channel. 4. Choose **Hide from users**. Or, if you previously hid the feature, choose **Show to users**.
-You can also select multiple features on the **Manage which ΓÇÄOfficeΓÇÄ features appear in What's New** page, and then choose either **Hide** or **Show**.
+You can also select multiple features on the **Manage which Office features appear in What's New** page, and then choose either **Hide** or **Show**.
> [!NOTE]
+>
> - If a feature is available in multiple Office apps, setting the feature to **Hidden** hides the feature message in all of those Office apps. > - All feature messages are shown to users by default. This is the default status for all features, and the status only changes if you have chosen to hide or show a feature message.
-> - You can also get to the **What's new in Office** feature from the Microsoft 365 Apps admin center ([https://config.office.com](https://config.office.com)). The feature is found under **Customization** > **What's New Management**.
+> - You can also get to the **What's new in Office** feature from the Microsoft 365 Apps admin center (<https://config.office.com>). The feature is found under **Customization** > **What's New Management**.
## List of features
-You can filter which features appear on the **Manage which ΓÇÄOfficeΓÇÄ features appear in What's New** page. You can filter by channel, application, or status, or by some combination of them.
+You can filter which features appear on the **Manage which Office features appear in What's New** page. You can filter by channel, application, or status, or by some combination of them.
New features appear on the page based on the following schedule:
+<br>
+
+****
+ |Channel|Date|Take action|
-|:--|:--|:--|
-|**Current** <br/> |15th of the month <br/> |1 - 3 weeks before the monthly release <br/> |
-|**Monthly Enterprise** <br/> |First of the month <br/> |Two weeks before the major release that brings new features |
-|**Semi-Annual Enterprise (Preview)** <br/> |Sept 1 and March 1 <br/> | 2 weeks before the major release that brings new features|
-|**Semi-Annual Enterprise** <br/> |Jan 1 and July 1 <br/> | 2 weeks before the major release that brings new features<br/> |
+||||
+|**Current**|15th of the month|1 - 3 weeks before the monthly release|
+|**Monthly Enterprise**|First of the month|Two weeks before the major release that brings new features|
+|**Semi-Annual Enterprise (Preview)**|Sept 1 and March 1| 2 weeks before the major release that brings new features|
+|**Semi-Annual Enterprise**|Jan 1 and July 1| 2 weeks before the major release that brings new features|
+|
For more information about when new versions are released to each update channel, see [Update history for Microsoft 365 Apps (listed by date)](/officeupdates/update-history-microsoft365-apps-by-date).
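Review bot: The added note bullet still writes **Customization** > **What's New Management** with an unescaped ">", although the same change escapes it as "\>" in the **Help** \> **What's New** sentence; use one form throughout. In the reworked schedule table, the Take action column mixes "Two weeks" with "2 weeks" (the latter with a leading space in the cell), and the purpose of the added "****" line above the table and the lone "|" line after the last row is not evident from the change, so the commit message should say why they are needed.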
For more information about when new versions are released to each update channel
2. Locate **Manage which Office features appear in What's New** in the list and choose it. 3. Once the card is on your home page, you can choose **What's new in Office** to [show or hide the features](#show-or-hide-new-features) for your organization. - ## Related articles [Office What's New management is now generally available](https://techcommunity.microsoft.com/t5/microsoft-365-blog/office-what-s-new-management-is-now-generally-available/ba-p/1179954)
admin Set Up Dns Records Vsb https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/set-up-dns-records-vsb.md
audience: Admin
localization_priority: Priority-+ - M365-subscription-management - Adm_O365 - Adm_TOC
search.appverid:
- MET150 description: "Learn to verify your domain and create DNS records with Microsoft 365."-+ - AdminSurgePortfolio
Make sure that the fields are set to the following values:
- Priority: Set to the highest value available, typically `0`. - Host Name: `@` - Points to address: Copy the value from the admin center and paste it here.-- TTL: `3600ΓÇÄ` (or your provider default)
+- TTL: `3600` (or your provider default)
Save the record, and then remove any other MX records. ## Add a CNAME record to connect users to their mailboxes+ You'll get the information for the CNAME records from the admin center domain setup wizard. On your hosting provider's website, add the following CNAME record. Make sure that the fields are set to the following values for each:
On your hosting provider's website, add the following CNAME record. Make sure th
- Record Type: `CNAME (Alias)` - Host: Paste the values you copy from the admin center here. - Points to address: Copy the value from the admin center and paste it here.-- TTL: `3600ΓÇÄ` (or your provider default)
+- TTL: `3600` (or your provider default)
## Add a TXT record to help prevent spam+ **Before you begin:** If you already have an SPF record for your domain, don't create a new one for Microsoft 365. Instead, add the required Microsoft 365 values to the current record on your hosting providers website so that you have a *single* SPF record that includes both sets of values. On your hosting provider's website, edit the existing SPF record or create an SPF record.
Make sure that the fields are set to the following values:
- Record Type: `TXT (Text)` - Host: `@` - TXT Value: `v=spf1 include:spf.protection.outlook.com -all`-- TTL: `3600ΓÇÄ` (or your provider default)
+- TTL: `3600` (or your provider default)
Save the record.
SPF is designed to help prevent spoofing, but there are spoofing techniques that
To get started, see [Use DKIM to validate outbound email sent from your domain in Microsoft 365](../../security/office-365-security/use-dkim-to-validate-outbound-email.md) and [Use DMARC to validate email in Microsoft 365](../../security/office-365-security/use-dmarc-to-validate-email.md).
-Finally, head back to the admin center domain setup wizard to complete your setup.
+Finally, head back to the admin center domain setup wizard to complete your setup.
admin Whats New In Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/whats-new-in-preview.md
To learn more about the new features, check out [Message center](manage/message-
### What's new features
-We've made improvements to how you view the "What's new" features for users in the Office apps. You can now see the rich content in the Whats' new pane that your users can see. You can also learn more about the feature before you decide to let your users know about the feature. For more info, check out [Manage which OfficeΓÇÄ features appear in What's New](manage/show-hide-new-features.md).
+We've made improvements to how you view the "What's new" features for users in the Office apps. You can now see the rich content in the What's new pane that your users can see. You can also learn more about the feature before you decide to let your users know about the feature. For more info, check out [Manage which Office features appear in What's New](manage/show-hide-new-features.md).
:::image type="content" source="../media/power-bi-whats-new2.png" alt-text="Screenshot: Office apps what's new page showing improvements to Power BI":::
commerce View Your Bill Or Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/view-your-bill-or-invoice.md
You can submit your Fapiao request to our [Fapiao management system](https://go.
::: moniker-end
+> [!NOTE]
+>
+> Microsoft 365 services do not provide payment receipts.
+> For credit card payments, please use the invoice and credit card billing statement to match your payment.
++ ## Receive a copy of your billing statement in email You can choose to receive a copy of your billing statement as an email attachment. If you do, be aware that:
compliance App Governance Anomaly Detection Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-anomaly-detection-alerts.md
description: "Investigate anomaly detection alerts."
## MITRE ATT&CK
-To make it easier to map the relationship between Microsoft app governance alerts and the familiar MITRE ATT&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT&CK tactic. This additional reference makes it easier to understand the suspected attacks technique potentially in use when app governance alert is triggered.
+To make it easier to map the relationship between app governance alerts and the familiar MITRE ATT&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT&CK tactic. This additional reference makes it easier to understand the suspected attacks technique potentially in use when app governance alert is triggered.
This guide provides information about investigating and remediating app governance alerts in the following categories.
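Review bot: The rewritten sentence drops "Microsoft" but keeps two grammar slips on the same line: "the suspected attacks technique" and "when app governance alert is triggered". Suggest "the suspected attack technique potentially in use when an app governance alert is triggered".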
This guide provides information about investigating and remediating app governan
- Exfiltration - Impact
-<!-->
## Security alert classifications
-Following proper investigation, all Microsoft app governance alerts can be classified as one of the following activity types:
+Following proper investigation, all app governance alerts can be classified as one of the following activity types:
- True positive (TP): An alert on a confirmed malicious activity. - Benign true positive (B-TP): An alert on suspicious but not malicious activity, such as a penetration test or other authorized suspicious action. - False positive (FP): An alert on a non-malicious activity.> ## General investigation steps Use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action. -- Review the App severity level and compare with the rest of the app in your tenant. This review will help you identify which Apps in your tenant pose the greater risk.
+- Review the app severity level and compare with the rest of the apps in your tenant. This review will help you identify which Apps in your tenant pose the greater risk.
- If you identify a TP, review all the App activities to gain an understanding of the impact. For example, review the following App information: - Scopes granted access
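Review bot: The new bullet lowercases "app" in "app severity level" and "the rest of the apps" but leaves "which Apps in your tenant" capitalized on the same line, and the following context bullet still has "App activities" and "App information". Lowercase these as well so the term is used consistently.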
This section describes alerts indicating that a malicious app may be attempting
**Severity:** Medium
-**Description**: This detection identifies OAuth apps with characters, such as Unicode or Encoded characters, requested for suspicious consent scopes and that accessed users mail folders through the Graph API. This alert can indicate an attempt to camouflage a malicious app as a known and trusted app so that adversaries can mislead the users into consenting to the malicious app.
+**Description**: This detection identifies OAuth apps with characters, such as Unicode or encoded characters, requested for suspicious consent scopes and that accessed users mail folders through the Graph API. This alert can indicate an attempt to camouflage a malicious app as a known and trusted app so that adversaries can mislead the users into consenting to the malicious app.
**TP or FP?** -- **TP**: If you can confirm that the OAuth app has Encoded the display name with suspicious scopes delivered from unknown source, then a true positive is indicated.
+- **TP**: If you can confirm that the OAuth app has encoded the display name with suspicious scopes delivered from an unknown source, then a true positive is indicated.
**Recommended action**: Review the level of permission requested by this app and which users granted access. Based on your investigation you can choose to ban access to this app.
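Review bot: Lowercasing "Encoded" does not fix the underlying sentence in the description, which still does not parse: "OAuth apps with characters, such as Unicode or encoded characters, requested for suspicious consent scopes and that accessed users mail folders". Say where the characters occur (the TP bullet suggests the display name), for example "OAuth apps whose display name contains Unicode or encoded characters, that requested suspicious consent scopes, and that accessed users' mail folders through the Graph API". The TP bullet has a related ambiguity: it is unclear whether "delivered from an unknown source" refers to the app or to the scopes.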
This section describes alerts indicating that a malicious app may be attempting
**Recommended action**: Dismiss the alert.
-#### Understand the scope of the breach
+**Understand the scope of the breach**
Follow the tutorial on how to [investigate risky OAuth apps](/cloud-app-security/investigate-risky-oauth).
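Review bot: Replacing the `####` heading with bold text, here and in the same change repeated further down this file, removes "Understand the scope of the breach" from the heading outline, so any existing link to its anchor stops resolving and the block no longer shows up in page navigation. If the aim is to avoid many identically named headings, say so in the commit message and check for inbound anchor links; otherwise keep the heading.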
Follow the tutorial on how to [investigate risky OAuth apps](/cloud-app-security
**Recommended action**: Dismiss the alert.
-#### Understand the scope of the breach
+**Understand the scope of the breach**
1. Review all activities done by the app. 1. If you suspect that an app is suspicious, we recommend that you investigate the appΓÇÖs name and Reply URL in different app stores. When checking app stores, focus on the following types of apps:
Follow the tutorial on how to [investigate risky OAuth apps](/cloud-app-security
- Apps that haven't been recently updated. Lack of updates might indicate the app is no longer supported. 1. If you still suspect that an app is suspicious, you can research the app name, publisher name, and reply URL online
+### App with unusual display name and unusual TLD in Reply domain 
+
+**Severity**: Medium 
+
+**Description**
+
+This detection identifies app with unusual display name and redirect to suspicious reply domain with an unusual Top-level domain (TLD) through Graph API. This can indicate an attempt to camouflage a malicious or risky app as a known and trusted app so that adversaries can mislead the users into consenting to their malicious or risky app. 
+
+**TP or FP?**
+
+- **TP**: If youΓÇÖre able to confirm that the app with unusual display name delivered from an unknown source and redirects to a suspicious domain having unusual Top-level domain
+
+ **Recommended action**: Review the display name and Reply domain of the app. Based on your investigation you can choose to ban access to this app. Review the level of permission requested by this app and which users granted access.
+
+- **FP**: If after investigation, you can confirm that the app has a legitimate business use in the organization.
+
+ **Recommended Action**: Dismiss the alert.
+
+**Understand the scope of the breach**
+
+Review all activities done by the app. If you suspect that an app is suspicious, we recommend that you investigate the appΓÇÖs name and reply domain in different app stores. When checking app stores, focus on the following types of apps:
+
+- Apps that have been created recently
+- App with unusual display name
+- Apps with a suspicious Reply domain
+
+If you still suspect that an app is suspicious, you can research the app display name and reply domain.
+ ## Persistence alerts This section describes alerts indicating that a malicious actor may be attempting to maintain their foothold in your organization.
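Review bot: The **TP** bullet in the new section is a conditional clause with no conclusion and no closing period ("If you're able to confirm that the app with unusual display name ... having unusual Top-level domain"); the existing alerts complete it with "then a true positive is indicated". The section also gives no criteria for what makes a display name or TLD "unusual", so the analyst has nothing concrete to confirm against; add an example or name the app fields to compare. Minor: "identifies app with unusual display name" is missing articles, "Recommended Action" under FP differs in case from "Recommended action" under TP, the heading and severity lines carry trailing whitespace, and the added text uses typographic apostrophes where the rest of the file would be safer with a plain "'".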
This detection identifies an OAuth App that consented to suspicious scopes, crea
**Recommended action**: Dismiss the alert.
-#### Understand the scope of the breach
+**Understand the scope of the breach**
1. Review all activities done by the app. 1. Review the scopes granted by the app. 1. Review the inbox rule action and condition created by the app.
+### App accessed from unusual location post certificate update
+
+**Severity**: Low
+
+**MITRE ID**: T1098
+
+This detection triggers an alert when a Line of Business (LOB) app was updated the certificate / secret and within few days post certificate update, app is accessed from unusual location which was not seen recently or never accessed in past.
+
+**TP or FP?**
+
+- **TP**: if youΓÇÖre able to confirm that LOB app accessed from unusual location and performed unusual activities through Graph API.
+
+ **Recommend action**: Temporarily disable the app and reset the password and then re-enable the app.
+
+- **FP**: If youΓÇÖre able to confirm that LOB app accessed from unusual location for legitimate purpose and no unusual activities performed.
+
+ **Recommended Action**: Dismiss the alert.
+
+**Understand the scope of the breach**
+
+1. Review all activity performed by this app.
+1. Review the scopes granted by the app.
+1. Review the user activity associated with this app.
+
+### App accessed from unusual location made anomalous Graph calls post certificate update
+
+**Severity**: Medium
+
+**MITRE ID**: T1098
+
+This detection triggers an alert when a Line of Business (LOB) app updated the certificate / secret and within few days post certificate update, app is accessed from an unusual location which was not seen recently or never accessed in past and observed unusual activities or usage through Graph API using Machine learning algorithm.
+
+**TP or FP?**
+
+- **TP**: If youΓÇÖre able to confirm that unusual activities/usage was performed by the LOB app through Graph API from an unusual location.
+
+ **Recommend action**: Temporarily disable the app and reset the password and then re-enable the app.
+
+- **FP**: If youΓÇÖre able to confirm that LOB app accessed from unusual location for legitimate purpose and no unusual activities performed.
+
+ **Recommended action**: Dismiss the alert.
+
+**Understand the scope of the breach**
+
+1. Review all activity performed by this app.
+1. Review the scopes granted by the app.
+1. Review the user activity associated with this app.
+ ## Collection alerts This section describes alerts indicating that a malicious actor may be attempting to gather data of interest to their goal from your organization.
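Review bot: The remediation in both new sections does not match what the detection describes: the alert fires after the app's certificate / secret was updated, yet the TP action only says to "reset the password" before re-enabling the app. State explicitly that the certificate or secret added in that update must be reviewed and removed or rotated, otherwise re-enabling the app leaves the suspect credential valid. Also change "**Recommend action**" to "**Recommended action**" in both TP bullets, add the "**Description**" label used elsewhere in this file, and repair "was updated the certificate / secret" and "within few days".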
This detection identifies when Line of Business (LOB) OAuth App accesses an unus
- **TP**: If you can confirm that the unusual graph activity was performed by the Line of Business (LOB) OAuth App, then a true positive is indicated.
- **Recommend actions**: Temporarily disable the app and reset the password and then re-enable the app.
-
- Follow the tutorial on how to Reset a password using Azure Active Directory.
+ **Recommend actions**: Temporarily disable the app and reset the password and then re-enable the app. Follow the tutorial on how to Reset a password using Azure Active Directory.
- **FP**: If you can confirm that the app is intended to do unusually high volume of graph calls. **Recommended action**: Dismiss the alert.
-#### Understand the scope of the breach
+**Understand the scope of the breach**
1. Review the activity log for events performed by this app to gain a better understanding of other Graph activities to read emails and attempt to collect users sensitive email information. 1. Monitor for unexpected credential being added to the app.+
+### App creates inbox rule and made unusual email searches activities
+
+**Severity**: Medium
+
+**MITRE IDs**: T1137 , T1114
+
+This detection identifies App consented to high privilege scope, creates suspicious inbox rule, and made unusual email search activities in users mail folders through Graph API. This can indicate an attempted breach of your organization, such as adversaries attempting to search and collect specific emails from your organization through Graph API.
+
+**TP or FP?**
+
+- **TP**: If youΓÇÖre able to confirm any specific emails search and collection done through Graph API by an OAuth app with high privilege scope, and the app is delivered from unknown source.
+
+ **Recommended action**: Disable and remove the app, reset the password, and remove the inbox rule.
+
+- **FP**: If youΓÇÖre able to confirm app has performed specific email search and collection through Graph API and created an inbox rule to a new or personal external email account for legitimate reasons.
+
+ **Recommended action**: Dismiss the alert.
+
+**Understand the scope of the breach**
+
+1. Review all activities done by the app.
+1. Review the scopes granted by the app.
+1. Review any inbox rule action created by the app.
+1. Review any email search activities done by the app.
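Review bot: The TP action in the new inbox-rule section, "Disable and remove the app, reset the password, and remove the inbox rule", does not say whose password is meant; since the alert concerns an OAuth app acting on users' mail folders, name the accounts concerned. In the edited LOB bullet above it, folding "Follow the tutorial on how to Reset a password using Azure Active Directory" into the action line still leaves the tutorial without a link. Minor: the new heading mixes tenses ("creates inbox rule and made unusual email searches activities") and "T1137 , T1114" has a stray space before the comma.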
compliance App Governance App Policies Create https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-app-policies-create.md
localization_priority: Priority
+search.appverid:
- MOE150 - MET150 description: "Create app policies."
App governance has three categories of app policy templates.
App governance includes these templates to generate alerts for app usage.
-| Template name | Description |
-|:-|:--|
-| New app with a high volume of data access | Highlights any recently registered apps with high volume data access to ensure those data patterns are expected. <br><br> By default, this policy will flag all apps that have been registered in the last 7 days and that have had more than 1 GB in data access over that period. This policy can be customized with more conditions and actions. |
+<br>
+
+****
+
+|Template name|Description|
+|||
+|New app with a high volume of data access|Highlights any recently registered apps with high volume data access to ensure those data patterns are expected. <p> By default, this policy will flag all apps that have been registered in the last 7 days and that have had more than 1 GB in data access over that period. This policy can be customized with more conditions and actions.|
||| ### App Permissions App governance includes these templates to generate alerts for app permissions.
-| Template name | Description |
-|:-|:--|
-| Overprivileged apps | Highlights any apps with more granted permissions than are being used by those apps to identify opportunities for potential permission reduction. <br><br> By default, this policy will flag all apps that are marked as Overprivileged if not used for 90 days. This time period filter can be customized with more conditions and actions. |
-| New app with high-privilege permissions | Highlights all new apps with high privilege permissions to identify potential high-footprint apps that may need further investigation. <br><br> By default, this policy will flag all apps registered within the last 7 days that have high-scoped permissions. |
+<br>
+
+****
+
+|Template name|Description|
+|||
+|Overprivileged apps|Highlights any apps with more granted permissions than are being used by those apps to identify opportunities for potential permission reduction. <p> By default, this policy will flag all apps that are marked as Overprivileged if not used for 90 days. This time period filter can be customized with more conditions and actions.|
+|New app with high-privilege permissions|Highlights all new apps with high privilege permissions to identify potential high-footprint apps that may need further investigation. <p> By default, this policy will flag all apps registered within the last 7 days that have high-scoped permissions.|
||| ### M365 certification App governance includes these templates to generate alerts for M365 certification.
-| Template name | Description |
-|:-|:--|
-| New uncertified app | Highlights new apps that haven't been through the M365 certification process to ensure that they are expected in the tenant. <br><br> By default, this policy will flag all apps that were registered in the last 7 days and are uncertified. |
+<br>
+
+****
+
+|Template name|Description|
+|||
+|New uncertified app|Highlights new apps that haven't been through the M365 certification process to ensure that they are expected in the tenant. <p> By default, this policy will flag all apps that were registered in the last 7 days and are uncertified.|
||| ## Custom app policies
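Review bot: In all three template tables the `<br><br>` break inside the Description cell is replaced with a bare `<p>` that is never closed; how an unclosed block element inside a Markdown table cell renders depends on the processor, so confirm the output in a preview build or keep `<br><br>`. The new `<br>`, `****` and trailing `|||` lines around each table read as layout workarounds and deserve a sentence in the commit message saying what they are for.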
The **Create rule** pane allows you to select conditions for a new rule. Select
Here are the available conditions for a custom app policy.
-|Condition | Condition values accepted | More information |
-|:-|:--|:-|
-| App registration age | Within last X days | |
-| M365 certification | Basic compliance, MCAS Compliance, or N/A | [Microsoft 365 Certification](https://docs.microsoft.com/microsoft-365-app-certification/docs/enterprise-app-certification-guide) |
-| Publisher verification | Yes or No | [Publisher Verification](https://docs.microsoft.com/azure/active-directory/develop/publisher-verification-overview) |
-| Application Permission | Select one or more API permission from list | [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) |
-| Delegated Permission | Select one or more API permission from list | [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) |
-| High privilege | Yes or No | This is an internal designation based on the same logic used by MCAS. |
-| Overprivileged app | Yes or No | Apps with more granted permissions than are being used by those apps. |
-| App data access | Greater than X GB data access per hour | |
-| App data access trend | X% increase in data usage in last 7 days | |
-| App API Access | Greater than X API calls per hour | |
-| App API Access trend | X% increase in API Calls in last 7 days | |
-| Users consented | (Greater than or Less than) X consented users | |
-| Priority user consented | Yes or No | A user with a [priority account](https://docs.microsoft.com/microsoft-365/admin/setup/priority-accounts). |
-| App consented by | Select user(s) from list | |
-| Consenting userΓÇÖs role | Select one or more: Teams Administrator, Directory Readers, Security Reader, Compliance Administrator, Security Administrator, Helpdesk Administrator, SharePoint Administrator, Exchange Administrator, Global Reader, Global Administrator, Compliance Data Administrator, User Administrator, Service Support Administrator | Multiple selections allowed. <br><br> Any Azure AD role with assigned member should be made available in this list. |
-| Workload accessed | OneDrive and/or SharePoint and/or Exchange | Multiple selections allowed. |
-| Error rate | Error rate is greater than X% in the last 7 days, where X is an admin-defined value | |
+<br>
+
+****
+
+|Condition|Condition values accepted|More information|
+||||
+|App registration age|Within last X days||
+|App certification|Basic compliance, MCAS Compliance, or N/A|[Microsoft 365 Certification](/microsoft-365-app-certification/docs/enterprise-app-certification-guide)|
+|Publisher verification|Yes or No|[Publisher Verification](/azure/active-directory/develop/publisher-verification-overview)|
+|Application Permission|Select one or more API permission from list|[Microsoft Graph permissions reference](/graph/permissions-reference)|
+|Delegated Permission|Select one or more API permission from list|[Microsoft Graph permissions reference](/graph/permissions-reference)|
+|High privilege|Yes or No|This is an internal designation based on the same logic used by MCAS.|
+|Overprivileged app|Yes or No|Apps with more granted permissions than are being used by those apps.|
+|App data access|Greater than X GB data access per hour||
+|App data access trend|X% increase in data usage in last 7 days||
+|App API Access|Greater than X API calls per hour||
+|App API Access trend|X% increase in API Calls in last 7 days||
+|Users consented|(Greater than or Less than) X consented users||
+|Priority user consented|Yes or No|A user with a [priority account](/microsoft-365/admin/setup/priority-accounts).|
+|App consented by|Select user(s) from list||
+|Consenting user's role|Select one or more: Teams Administrator, Directory Readers, Security Reader, Compliance Administrator, Security Administrator, Helpdesk Administrator, SharePoint Administrator, Exchange Administrator, Global Reader, Global Administrator, Compliance Data Administrator, User Administrator, Service Support Administrator|Multiple selections allowed. <p> Any Azure AD role with assigned member should be made available in this list.|
+|Workload accessed|OneDrive and/or SharePoint and/or Exchange|Multiple selections allowed.|
+|Error rate|Error rate is greater than X% in the last 7 days, where X is an admin-defined value||
|||| All of the specified conditions must be met for this app policy to generate an alert.
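Review bot: The condition is renamed from "M365 certification" to "App certification" in this table, but the template section above is still headed "### M365 certification" and still says "alerts for M365 certification", and the link text in the renamed row remains "Microsoft 365 Certification". Use one name for the feature across the article, or explain in the row why the condition name differs from the template category.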
Publish metadata-based policies
## Test and monitor your new app policy
-Now that your app policy is created, you should monitor it on the **Policies** page to ensure it is registering an expected number of active alerts and total alerts during testing.
+Now that your app policy is created, you should monitor it on the **Policies** page to ensure it is registering an expected number of active alerts and total alerts during testing.
![The MAPG policies summary page in the Microsoft 365 Compliance Center with a highlighted policy](..\media\manage-app-protection-governance\mapg-cc-policies-policy.png)
compliance Create A Dlp Policy From A Template https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-dlp-policy-from-a-template.md
f1_keywords:
- 'ms.o365.cc.NewPolicyFromTemplate' localization_priority: Normal-+ - M365-security-compliance
+search.appverid:
- MET150 - seo-marvel-mar2020
description: In this article, you'll learn about how to create DLP policies usin
# Create a DLP policy from a template The easiest, most common way to get started with DLP policies is to use one of the templates included in Office 365. You can use one of these templates as is, or customize the rules to meet your organization's specific compliance requirements.
-
+ Microsoft 365 includes over 40 ready-to-use templates that can help you meet a wide range of common regulatory and business policy needs. For example, there are DLP policy templates for:
-
+ - Gramm-Leach-Bliley Act (GLBA)
-
- Payment Card Industry Data Security Standard (PCI-DSS)
-
- United States Personally Identifiable Information (U.S. PII)
-
- United States Health Insurance Act (HIPAA)
-
+ You can fine tune a template by modifying any of the existing rules or adding new ones. For example, you can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, allow people to override the actions in a rule by providing a business justification, or change who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.
-
+ You can also choose the Custom template, which has no default rules, and configure your DLP policy from scratch, to meet the specific compliance requirements for your organization.
-
+ ## Example: Identify sensitive information across all OneDrive for Business sites and restrict access for people outside your organization OneDrive for Business accounts make it easy for people across your organization to collaborate and share documents. But a common concern for compliance officers is that sensitive information stored in OneDrive for Business accounts may be inadvertently shared with people outside your organization. A DLP policy can help mitigate this risk.
-
+ In this example, you'll create a DLP policy that identifies U.S. PII data, which includes Individual Taxpayer Identification Numbers (ITIN), Social Security Numbers, and U.S. passport numbers. You'll get started by using a template, and then you'll modify the template to meet your organization's compliance requirementsΓÇöspecifically, you'll:
-
+ - Add a couple of types of sensitive informationΓÇöU.S. bank account numbers and U.S. driver's license numbersΓÇöso that the DLP policy protects even more of your sensitive data.
-
+ - Make the policy more sensitive, so that a single occurrence of sensitive information is enough to restrict access for external users.
-
+ - Allow users to override the actions by providing a business justification or reporting a false positive. This way, your DLP policy won't prevent people in your organization from getting their work done, provided they have a valid business reason for sharing the sensitive information.
-
-### Create a DLP policy from a template
-1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com).
-
+### Create the DLP policy from a template
+
+1. Go to <https://compliance.microsoft.com>.
+ 2. Sign in using your work or school account. You're now in the Security &amp; Compliance Center.
-
+ 3. In the Security &amp; Compliance Center \> left navigation \> **Data loss prevention** \> **Policy** \> **+ Create a policy**.
-
+ ![Create a policy button](../media/b1e48a08-92e2-47ca-abdc-4341694ddc7c.png)
-
+ 4. Choose the DLP policy template that protects the types of sensitive information that you need \> **Next**.
-
- In this example, you'll select **Privacy** \> **U.S. Personally Identifiable Information ΓÇÄ(PII)ΓÇÄ Data** because it already includes most of the types of sensitive information that you want to protectΓÇöyou'll add a couple later.
-
+
+ In this example, you'll select **Privacy** \> **U.S. Personally Identifiable Information (PII) Data** because it already includes most of the types of sensitive information that you want to protect - you'll add a couple later.
+ When you select a template, you can read the description on the right to learn what types of sensitive information the template protects.
-
+ ![Page for choosing a DLP policy template](../media/775266f6-ad87-4080-8d7c-97f2e7403b30.png)
-
+ 5. Name the policy \> **Next**.
-
+ 6. To choose the locations that you want the DLP policy to protect, do one of the following:
-
- - Choose **All locations in Office 365** \> **Next**.
-
- - Choose **Let me choose specific locations** \> **Next**. For this example, choose this.
-
- To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the **Status** of that location on or off.
-
- To include only specific SharePoint sites or OneDrive for Business accounts, switch the **Status** to on, and then click the links under **Include** to choose specific sites or accounts. When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.
-
- ![Options for locations where a DLP policy can be applied](../media/ee50a61a-e867-4571-a150-3eec8d83650f.png)
-
- In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the **Status** for both **Exchange email** and **SharePoint sites**, and leave the **Status** on for **OneDrive accounts**.
-
+
+ - Choose **All locations in Office 365** \> **Next**.
+ - Choose **Let me choose specific locations** \> **Next**. For this example, choose this.
+
+ To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the **Status** of that location on or off.
+
+ To include only specific SharePoint sites or OneDrive for Business accounts, switch the **Status** to on, and then click the links under **Include** to choose specific sites or accounts. When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.
+
+ ![Options for locations where a DLP policy can be applied](../media/ee50a61a-e867-4571-a150-3eec8d83650f.png)
+
+ In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the **Status** for both **Exchange email** and **SharePoint sites**, and leave the **Status** on for **OneDrive accounts**.
+ 7. Choose **Use advanced settings** \> **Next**.
-
+ 8. A DLP policy template contains predefined rules with conditions and actions that detect and act upon specific types of sensitive information. You can edit, delete, or turn off any of the existing rules, or add new ones. When done, click **Next**.
-
+ ![Rules expanded in US PII policy template](../media/3bc9f1b6-f8ad-4334-863a-24448bb87687.png)
-
+ In this example, the U.S. PII Data template includes two predefined rules:
-
- - **Low volume of content detected U.S. PII** This rule looks for files containing between 1 and 10 occurrences of each of three types of sensitive information (ITIN, SSN, and U.S. passport numbers), where the files are shared with people outside the organization. If found, the rule sends an email notification to the primary site collection administrator, document owner, and person who last modified the document.
-
- - **High volume of content detected U.S. PII** This rule looks for files containing 10 or more occurrences of each of the same three sensitive information types, where the files are shared with people outside the organization. If found, this action also sends an email notification, plus it restricts access to the file. For content in a OneDrive for Business account, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document.
-
+
+ - **Low volume of content detected U.S. PII** This rule looks for files containing between 1 and 10 occurrences of each of three types of sensitive information (ITIN, SSN, and U.S. passport numbers), where the files are shared with people outside the organization. If found, the rule sends an email notification to the primary site collection administrator, document owner, and person who last modified the document.
+
+ - **High volume of content detected U.S. PII** This rule looks for files containing 10 or more occurrences of each of the same three sensitive information types, where the files are shared with people outside the organization. If found, this action also sends an email notification, plus it restricts access to the file. For content in a OneDrive for Business account, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document.
+ To meet your organization's specific requirements, you may want to make the rules easier to trigger, so that a single occurrence of sensitive information is enough to block access for external users. After looking at these rules, you understand that you don't need low and high count rulesΓÇöyou need only a single rule that blocks access if any occurrence of sensitive information is found.
-
+ So you expand the rule named **Low volume of content detected U.S. PII** \> **Delete rule**.
-
+ ![Delete rule button](../media/bc36f7d2-0fae-4af1-92e8-95ba51077b12.png)
-
+ 9. Now, in this example, you need to add two sensitive information types (U.S. bank account numbers and U.S. driver's license numbers), allow people to override a rule, and change the count to any occurrence. You can do all of this by editing one rule, so select **High volume of content detected U.S. PII** \> **Edit rule**.
-
+ ![Edit rule button](../media/eaf54067-4945-4c98-8dd6-fb2c5d6de075.png)
-
+ 10. To add a sensitive information type, in the **Conditions** section \> **Add or change types**. Then, under **Add or change types** \> choose **Add** \> select **U.S. Bank Account Number** and **U.S. Driver's License Number** \> **Add** \> **Done**.
-
+ ![Option to Add or change types](../media/c6c3ae86-f7db-40a8-a6e4-db11692024be.png)
-
+ ![Add or change types pane](../media/fdbb96af-b914-4a6c-a97b-bbd014689965.png)
-
+ 11. To change the count (the number of instances of sensitive information required to trigger the rule), under **Instance count** \> choose the **min** value for each type \> enter 1. The minimum count cannot be empty. The maximum count can be empty; an empty **max** value convert to **any**.
-
+ When finished, the min count for all of the sensitive information types should be **1** and the max count should be **any**. In other words, any occurrence of this type of sensitive information will satisfy this condition.
-
+ ![Instance counts for sensitive information types](../media/5c6e08cb-59a9-4558-b54b-d899836d4737.png)
-
+ 12. For the final customization, you don't want your DLP policies to block people from doing their work when they have a valid business justification or encounter a false positive, so you want the user notification to include options to override the blocking action.
-
- In the **User notifications** section, you can see that email notifications and policy tips are turned on by default for this rule in the template.
-
+
+ In the **User notifications** section, you can see that email notifications and policy tips are turned on by default for this rule in the template.
+ In the **User overrides** section, you can see that overrides for a business justification are turned on, but overrides to report false positives are not. Choose **Override the rule automatically if they report it as a false positive**.
-
+ ![User notifications section and User overrides section](../media/62720e7a-a939-4c03-b414-67748f3d64a0.png)
-
-13. At the top of the rule editor, change the name of this rule from the default **High volume of content detected U.S. PII** to **Any content detected with U.S. PII** because it's now triggered by any occurrence of its sensitive information types.
-
+
+13. At the top of the rule editor, change the name of this rule from the default **High volume of content detected U.S. PII** to **Any content detected with U.S. PII** because it's now triggered by any occurrence of its sensitive information types.
+ 14. At the bottom of the rule editor \> **Save**.
-
+ 15. Review the conditions and actions for this rule \> **Next**.
-
- On the right, notice the **Status** switch for the rule. If you turn off an entire policy, all rules contained in the policy are also turned off. However, here you can turn off a specific rule without turning off the entire policy. This can be useful when you need to investigate a rule that is generating a large number of false positives.
-
+
+ On the right, notice the **Status** switch for the rule. If you turn off an entire policy, all rules contained in the policy are also turned off. However, here you can turn off a specific rule without turning off the entire policy. This can be useful when you need to investigate a rule that is generating a large number of false positives.
+ 16. On the next page, read and understand the following, and then choose whether to turn on the rule or test it out first \> **Next**.
-
- Before you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before you fully enforce them. For example, you don't want a new DLP policy to unintentionally block access to thousands of documents that people require to get their work done.
-
+
+ Before you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before you fully enforce them. For example, you don't want a new DLP policy to unintentionally block access to thousands of documents that people require to get their work done.
+ If you're creating DLP policies with a large potential impact, we recommend following this sequence:
-
-17. Start in test mode without Policy Tips and then use the DLP reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.
-
+
+17. Start in test mode without Policy Tips and then use the DLP reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.
+ 18. Move to Test mode with notifications and Policy Tips so that you can begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can further refine the rules.
-
-19. Turn on the policies so that the rules are enforced and the content's protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.
-
+
+19. Turn on the policies so that the rules are enforced and the content's protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.
+ ![Options for using test mode and turning on policy](../media/49fafaac-c6cb-41de-99c4-c43c3e380c3a.png)
-
+ 20. Review your settings for this policy \> choose **Create**.
-
+ After you create and turn on a DLP policy, it's deployed to any content sources that it includes, such as SharePoint Online sites or OneDrive for Business accounts, where the policy begins automatically enforcing its rules on that content.
-
+ ## View the status of a DLP policy
-At any time, you can view the status of your DLP policies on the **Policy** page in the **Data loss prevention** section of the Security &amp; Compliance Center. Here you can find important information, such as whether a policy was successfully enabled or disabled, or whether the policy is in test mode.
-
+At any time, you can view the status of your DLP policies on the **Policy** page in the **Data loss prevention** section of the Security &amp; Compliance Center. Here you can find important information, such as whether a policy was successfully enabled or disabled, or whether the policy is in test mode.
+ Here are the different statuses and what they mean.
-
-|**Status**|**Explanation**|
-|:--|:--|
-|**Turning on…** <br/> |The policy is being deployed to the content sources that it includes. The policy is not yet enforced on all sources. <br/> |
-|**Testing, with notifications** <br/> |The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are sent to the specified recipients. <br/> |
-|**Testing, without notifications** <br/> |The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are not sent to the specified recipients. <br/> |
-|**On** <br/> |The policy is active and enforced. The policy was successfully deployed to all its content sources. <br/> |
-|**Turning off…** <br/> |The policy is being removed from the content sources that it includes. The policy may still be active and enforced on some sources. Turning off a policy may take up to 45 minutes. <br/> |
-|**Off** <br/> |The policy is not active and not enforced. The settings for the policy (sources, keywords, duration, etc) are saved. <br/> |
-|**Deleting…** <br/> |The policy is in the process of being deleted. The policy is not active and not enforced. It normally takes an hour for a policy to delet <br/> |
-
+
+<br>
+
+****
+
+|Status|Explanation|
+|||
+|**Turning on…**|The policy is being deployed to the content sources that it includes. The policy is not yet enforced on all sources.|
+|**Testing, with notifications**|The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are sent to the specified recipients.|
+|**Testing, without notifications**|The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are not sent to the specified recipients.|
+|**On**|The policy is active and enforced. The policy was successfully deployed to all its content sources.|
+|**Turning off...**|The policy is being removed from the content sources that it includes. The policy may still be active and enforced on some sources. Turning off a policy may take up to 45 minutes.|
+|**Off**|The policy is not active and not enforced. The settings for the policy (sources, keywords, duration, etc) are saved.|
+|**Deleting...**|The policy is in the process of being deleted. The policy is not active and not enforced. It normally takes an hour for a policy to delete.|
+|
+ ## Turn off a DLP policy You can edit or turn off a DLP policy at any time. Turning off a policy disables all of the rules in the policy.
-
+ To edit or turn off a DLP policy, on the **Policy** page \> select the policy \> **Edit policy**.
-
+ ![Edit policy button](../media/ce319e92-0519-44fe-9507-45a409eaefe4.png)
-
-In addition, you can turn off each rule individually by editing the policy and then toggling off the **Status** of that rule, as described above.
-
+
+In addition, you can turn off each rule individually by editing the policy and then toggling off the **Status** of that rule, as described above.
+ ## More information - [Learn about data loss prevention](dlp-learn-about-dlp.md)
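Review bot: The three items under "we recommend following this sequence:" are numbered 17, 18 and 19, so they read as steps of the outer procedure, and "Review your settings for this policy" lands on 20 instead of following step 16. Since this change already re-indents that block, make the sequence a nested list numbered 1 to 3 under step 16 and renumber the final step to 17. In the rewritten status table, `**Turning on…**` keeps the ellipsis character while `**Turning off...**` and `**Deleting...**` now use three periods; pick one form for all three.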
compliance Document Metadata Fields In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-metadata-fields-in-Advanced-eDiscovery.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Normal-+
+search.appverid:
- MOE150 - MET150
+ms.assetid:
description: "This article defines the metadata fields for documents in a review set in a case in Advanced eDiscovery in Microsoft 365."
The following table lists the metadata fields for documents in a review set in a
> [!NOTE] > The **Keywords** field in [review set search](./review-set-search.md) uses Keyword Query Language (KQL). The fields listed in the **Searchable field name** column can be used in the **Keywords** field in a review set search to form complex queries without you having to use the query builder. For more information about KQL, see [Keyword Query Language syntax reference](/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
-|**Field name** and **Display field name**|**Searchable field name**|**Exported field name**|**Description**|
-|:--|:--|:--|:--|
+<br>
+
+****
+
+|Field name and Display field name|Searchable field name|Exported field name|Description|
+|||||
|Attachment Content Id|AttachmentContentId||Attachment content Id of the item.| |Attorney client privilege score|AttorneyClientPrivilegeScore||Attorney-client privilege model content score.| |Author|Author|Doc_authors|Author from the document metadata.|
-|BCC|Bcc|Email_bcc|Bcc field for message types. Format is **DisplayName \<SMTPAddress>**.|
-|CC|Cc|Email_cc|Cc field for message types. Format is **DisplayName \<SMTPAddress>**.|
+|BCC|Bcc|Email_bcc|Bcc field for message types. Format is **DisplayName \<SMTPAddress\>**.|
+|CC|Cc|Email_cc|Cc field for message types. Format is **DisplayName \<SMTPAddress\>**.|
|Compliance labels|ComplianceLabels|Compliance_labels|[Retention labels](retention.md) applied to content in Office 365.| |Compound Path|CompoundPath|Compound_path|Human readable path that describes the source of the item.| |Content*|Content||Extracted text of the item.| |Conversation Body|Conversation Body||Conversation body of the item.|
-|Conversation ID|ConversationId|Conversation_ID|Conversation Id from the message. For Teams 1:1 and group chats, all transcript files and their family items within the same conversation share the same Conversation ID. For more information, see [Advanced eDiscovery workflow for content in Microsoft Teams](teams-workflow-in-advanced-ediscovery.md). |
+|Conversation ID|ConversationId|Conversation_ID|Conversation Id from the message. For Teams 1:1 and group chats, all transcript files and their family items within the same conversation share the same Conversation ID. For more information, see [Advanced eDiscovery workflow for content in Microsoft Teams](teams-workflow-in-advanced-ediscovery.md).|
|Conversation Index||Conversation_index|Conversation index from the message.|
-|Conversation Name | |ConversationName|Name of the channel in Teams. The format of the name depends on the type of channel: <br/>Teams channel chats and private channel chats: <Name of team, name of channel> <br/>Teams 1:1 and group chats: Display name and email address of all chat participants<br/>Yammer community: Community name + first 120 chars of a post<br/>Yammer private: Sender name and email address + first 120 chars of a message|
+|Conversation Name||ConversationName|Name of the channel in Teams. The format of the name depends on the type of channel: <br>Teams channel chats and private channel chats: \<Name of team, name of channel\> <br>Teams 1:1 and group chats: Display name and email address of all chat participants<br>Yammer community: Community name + first 120 chars of a post<br>Yammer private: Sender name and email address + first 120 chars of a message|
|Conversation Pdf Time|ConversationPdfTime||Date when the PDF version of the conversation was created.| |Conversation Redaction Burn Time|ConversationRedactionBurnTime||Date when the PDF version of the conversation was created for Chat.| |Conversation Topic|Conversation Topic||Conversation topic of the item.|
-|Conversation Type| ConversationType|ConversationType| The type of chat conversation. Values are: <br/> Teams 1:1 and group chats and all Yammer conversations: **Group** for<br/>Teams channels and private channels: **Channel**|
-|Contains Edited Message |ContainsEditedMessage|ContainsEditedMessage|Indicates if the Teams chat transcript includes an edited message
+|Conversation Type|ConversationType|ConversationType|The type of chat conversation. Values are: <br> Teams 1:1 and group chats and all Yammer conversations: **Group** for<br>Teams channels and private channels: **Channel**|
+|Contains Edited Message|ContainsEditedMessage|ContainsEditedMessage|Indicates if the Teams chat transcript includes an edited message
|||Converted_file_path|The path of the converted export file. For internal Microsoft use only.| |Custodian|Custodian|Custodian|Name of the custodian the item was associated with.|
-|Date|Date|Date|Date is a computed field that depends on the file type.<br /><br />Email: Sent date<br />Email attachments: Last modified date of the document;if not available, the parent's Sent date<br />Embedded documents: Last modified date of the document; if not available, the parent's last modified date<br />SPO documents (includes modern attachments): SharePoint Last modified date; if not available, the documents last modified date<br />Non-Office 365 documents: Last modified date<br />Meetings: Meeting start date<br />VoiceMail: Sent date<br />IM: Sent date<br />Teams: Sent date|
+|Date|Date|Date|Date is a computed field that depends on the file type.<p>Email: Sent date<br>Email attachments: Last modified date of the document;if not available, the parent's Sent date<br>Embedded documents: Last modified date of the document; if not available, the parent's last modified date<br>SPO documents (includes modern attachments): SharePoint Last modified date; if not available, the documents last modified date<br>Non-Office 365 documents: Last modified date<br>Meetings: Meeting start date<br>VoiceMail: Sent date<br>IM: Sent date<br>Teams: Sent date|
|Document comments|DocComments|Doc_comments|Comments from the document metadata.| |Document company||Doc_company|Company from the document metadata.| |Document date created|CreatedTime|Doc_date_created|Create date from document metadata.|
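Review bot: The `Contains Edited Message` row still ends at "includes an edited message" with no closing `|`, in both the removed and the added line, so the row is left unterminated ahead of the `Converted_file_path` row. Add the trailing `|` (and a period) while the row is being touched. In the `Conversation Type` row the added line keeps the dangling word in `**Group** for<br>`; that "for" looks like a leftover and should be dropped or the phrase completed.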
The following table lists the metadata fields for documents in a review set in a
|FamilyDuplicateSet*||Family_duplicate_set|Numeric identifier for families that are exact duplicates of each other (same content and all the same attachments).| |Family ID|FamilyId|Family_ID|Groups together attachments and extracted items from email and chats with its parent item. This includes the chat or email and all attachments and extracted items.| |Family Size||Family_size|Number of documents in the family.|
-|File class|FileClass|File_class|For content from SharePoint and OneDrive: **Document**. <br/>For content from Exchange: **Email** or **Attachment**. <br/>For content from Teams or Yammer: **Conversations**. |
+|File class|FileClass|File_class|For content from SharePoint and OneDrive: **Document**. <br>For content from Exchange: **Email** or **Attachment**. <br>For content from Teams or Yammer: **Conversations**.|
|File ID|FileId|File_ID|Document identifier unique within the case.| |File system date created||File_system_date_created|Created date from file system (only applies to non-Office 365 data).| |File system date modified||File_system_date_modified|Modified date from file system (only applies to non-Office 365 data).|
The following table lists the metadata fields for documents in a review set in a
|In Reply To Id||In_reply_to_ID|In reply to Id from the message.| |InputFileExtension||Original_file_extension|The original file extension of the file.| |InputFileID||Input_file_ID|The file ID of the top level item in the review set. For an attachment, this ID will be the ID of the parent. This can be used to group families together.|
-|Is modern attachment| IsModernAttachment| |This file is a modern attachment or linked file.|
-|Is from document version | IsFromDocumentVersion | |Current document is from a different version of another document.|
-|Is email attachment | IsEmailAttachment| |This item is from an email attachment that shows up as an attached item to the message.|
-|Is inline attachment| IsInlineAttachment| |This was attached inline and shows up in the body of the message.|
+|Is modern attachment|IsModernAttachment||This file is a modern attachment or linked file.|
+|Is from document version|IsFromDocumentVersion||Current document is from a different version of another document.|
+|Is email attachment|IsEmailAttachment||This item is from an email attachment that shows up as an attached item to the message.|
+|Is inline attachment|IsInlineAttachment||This was attached inline and shows up in the body of the message.|
|Is Representative|IsRepresentative|Is_representative|One document in every set of exact duplicates is marked as representative.| |Item class|ItemClass|Item_class|Item class supplied by exchange server; for example, **IPM.Note**| |Last modified date|LastModifiedDate|Doc_date_modified|Last modified date from document metadata.| |Load ID|LoadId|Load_ID|The Id of the load set in which the item was added to a review set.|
-|Location|Location|Location|String that indicates the type of location that documents were sourced from.<br /><br />**Imported Data** - Non-Office 365 data<br />**Teams** - Microsoft Teams<br />**Exchange** - Exchange mailboxes<br />**SharePoint** - SharePoint sites<br />**OneDrive** - OneDrive accounts|
+|Location|Location|Location|String that indicates the type of location that documents were sourced from.<p>**Imported Data** - Non-Office 365 data<br>**Teams** - Microsoft Teams<br>**Exchange** - Exchange mailboxes<br>**SharePoint** - SharePoint sites<br>**OneDrive** - OneDrive accounts|
|Location name|LocationName|Location_name|String that identifies the source of the item. For exchange, this will be the SMTP address of the mailbox; for SharePoint and OneDrive, the URL for the site collection.| |||Marked_as_pivot|This file is the pivot in a near duplicate set.| |Marked as representative|MarkAsRepresentative||One document from each set of exact duplicates is marked as representatives.| |Meeting End Date|MeetingEndDate|Meeting_end_date|Meeting end date for meetings.| |Meeting Start Date|MeetingStartDate|Meeting_start_date|Meeting start date for meetings.|
-|Message kind|MessageKind|Message_kind|The type of message to search for. Possible values: **<br /><br />contacts <br />docs <br />email <br />externaldata <br />faxes <br />im <br />journals <br />meetings <br />microsoftteams** (returns items from chats, meetings, and calls in Microsoft Teams) **<br />notes <br />posts <br />rssfeeds <br />tasks <br />voicemail**|
+|Message kind|MessageKind|Message_kind|The type of message to search for. Possible values: **<p>contacts <br>docs <br>email <br>externaldata <br>faxes <br>im <br>journals <br>meetings <br>microsoftteams** (returns items from chats, meetings, and calls in Microsoft Teams) **<br>notes <br>posts <br>rssfeeds <br>tasks <br>voicemail**|
|Modern Attachment Parent Id||ModernAttachment_ParentId|The Immutable Id of the document's parent.| |Native Extension|NativeExtension|Native_extension|Native extension of the item.| |Native file name|NativeFileName|Native_file_name|Native file name of the item.|
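Review bot: In the `Message kind` row the `<br /><br />` pair is replaced by a `<p>` that sits inside the bold span (`**<p>contacts <br>docs`), so a block element now opens inside bold markup and is never closed. Move the opening `**` after the `<p>`, or bold each value separately. The `Location` row in this hunk has the same unclosed `<p>`, but there it sits outside the bold text.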
The following table lists the metadata fields for documents in a review set in a
|Sender|Sender|Email_sender|Sender (From) field for message types. Format is **DisplayName \<SmtpAddress>**.| |Sender/Author|SenderAuthor||Calculated field comprised of the sender or author of the item.| |Sender domain|SenderDomain|Email_sender_domain|Domain of the sender.|
-|Sent|Sent|Email_date_sent|Sent date of the message.<br/>Chats: Beginning date from the transcript|
+|Sent|Sent|Email_date_sent|Sent date of the message.<br>Chats: Beginning date from the transcript|
|Set Order: Inclusive First|SetOrderInclusivesFirst|Set_order_inclusives_first|Sorting field - email and attachments: counter-chronological; documents: pivot first then by descending similarity score.| |Set ID||Set_ID|Documents of similar content (ND_set) or email within the same email thread (Email_set) share the same Set_ID.| |SimilarityPercent||Similarity_percent|Indicates how similar a document is to the pivot of the near duplicate set.|
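Review bot: The `Sender` row kept as context here still writes the format as `**DisplayName \<SmtpAddress>**`, with the closing `>` unescaped and a different capitalisation, while this change set escapes it as `\<SMTPAddress\>` in the `BCC` and `CC` rows. Apply the same escaping and spelling to the `Sender` row so the three address-format descriptions match.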
compliance Privacy Management Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-setup.md
This feature enables you to show anonymized versions of usernames within privacy
### User notification emails
-When we detect a match for your data handling policies, privacy management can send an email to the affected users with corrective actions to take and a link to privacy training. In Settings, you can enable or disable the email notification capability of privacy management as a whole. You can activate individual notifications, set email frequency, and specify a training URL when you create or edit a policy. If notification capability is turned off in Settings, any policy-level configuration for specific notification mails will be disabled. To learn more about policies, see [Create and manage policies](privacy-management-policies.md).
+When we detect a match for your data handling policies, privacy management can send an email to your users with corrective actions to take and a link to privacy training. In Settings, you can enable or disable the email notification capability of privacy management as a whole. You can activate individual notifications, set email frequency, and specify a training URL when you create or edit a policy. If notification capability is turned off in Settings, any policy-level configuration for specific notification mails will be disabled. To learn more about policies, see [Create and manage policies](privacy-management-policies.md).
### Teams collaboration
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
Make sure you understand the following prerequisites before you turn on this fea
- Sensitivity labels must be [enabled for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md) for the tenant. If this feature isn't already enabled, it will be automatically enabled when you select the setting to turn on co-authoring for files with sensitivity labels. - Microsoft 365 Apps for enterprise:
- - **Windows**: Minimum version 2105: June 18
+ - **Windows**: Minimum version 2106
- **macOS**: Minimum version 16.50 - **iOS**: Not yet supported - **Android**: Not yet supported
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Dynamic markings with variables](#dynamic-markings-with-variables) | 2010+ | 16.42+ | 2.42+ | 16.0.13328+ | Rolling out | |[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Let users assign permissions: <br /> - Prompt users](encryption-sensitivity-labels.md#let-users-assign-permissions) |2004+ | 16.35+ | Under review | Under review | Under review |
-|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | 2.46+ | Rolling out: 16.0.13628+ | Yes <sup>\*</sup> |
+|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | 2.46+ | 16.0.13628+ | Yes <sup>\*</sup> |
|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.45+ | 2.47+ | 16.0.13628+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | 2009+ | 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | 2009+ | Under review | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
-|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | 2105: June 18+ | 16.50+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | 2106+ | 16.50+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
| **Footnote:**
compliance Set Up New Message Encryption Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-new-message-encryption-capabilities.md
You can verify that your Microsoft 365 tenant is properly configured to use the
3. Run the Test-IRMConfiguration cmdlet using the following syntax:
- ```powershell
- Test-IRMConfiguration [-Sender <email address >]
- ```
+ ```powershell
+ Test-IRMConfiguration [-Sender <email address> -Recipient <email address>]
+ ```
**Example**:
- ```powershell
- Test-IRMConfiguration -Sender securityadmin@contoso.com
- ```
+ ```powershell
+ Test-IRMConfiguration -Sender securityadmin@contoso.com -Recipient securityadmin@contoso.com
+ ```
- - Providing a sender email is optional, but forces the system to perform additional checks. Use the email address of any user in your Microsoft 365 tenant.
+ - For sender and recipient, use the email address of any user in your Microsoft 365 tenant.
Your results should be similar to:
- ```text
+ ```console
Results : Acquiring RMS Templates ... - PASS: RMS Templates acquired. Templates available: Contoso - Confidential View Only, Contoso - Confidential, Do Not Forward.
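Review bot: The syntax line `Test-IRMConfiguration [-Sender <email address> -Recipient <email address>]` still wraps both parameters in one pair of brackets, which marks them as optional, but the bullet that said so ("Providing a sender email is optional, but forces the system to perform additional checks") is replaced by one that only says which address to use. State whether `-Sender` and `-Recipient` are now required or remain optional, and remove the brackets if they are required. The example passes the same address for both parameters, so also say whether that is the intended way to run the check.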
contentunderstanding Trial Syntex https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/trial-syntex.md
Previously updated : Last updated : audience: admin ms.prod: microsoft-365-enterprise-+ - enabler-strategic - m365initiative-syntex
+search.appverid:
localization_priority: Normal description: Learn how to plan and run a trial pilot program for SharePoint Syntex in your organization.
You can get the trial version from one of the following sources:
- The [SharePoint Syntex product page](https://www.microsoft.com/microsoft-365/enterprise/sharepoint-syntex?activetab=pivot:overviewtab) - The [Microsoft 365 admin center](https://admin.microsoft.com)
- 1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com).
- 2. Go to **Billing** > **Purchase Services**.
- 3. Scroll down to the **Add-Ons** section.
- 4. On the SharePoint Syntex tile, select **Details**.
- 5. Select **Get free trial**.
- 6. To confirm the trial, follow the remaining wizard steps.
+ 1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com).
+ 2. Go to **Billing** > **Purchase Services**.
+ 3. Scroll down to the **Add-Ons** section.
+ 4. On the SharePoint Syntex tile, select **Details**.
+ 5. Select **Get free trial**.
+ 6. To confirm the trial, follow the remaining wizard steps.
You must be a Microsoft 365 global administrator or billing administrator to activate a trial. ### Who should be involved in a trial
-|Role |Activity |
-|||
-|Microsoft 365 global admin or billing admin | Activate the trial and assign licenses |
-|Microsoft 365 global admin or SharePoint admin | Configure SharePoint Syntex and create content centers |
-|Business users | Model building and testing |
+|Role|Activity|
+|||
+|Microsoft 365 global admin or billing admin|Activate the trial and assign licenses|
+|Microsoft 365 global admin or SharePoint admin|Configure SharePoint Syntex and create content centers|
+|Business users|Model building and testing|
### Before you activate a trial
To successfully plan a SharePoint Syntex trial, consider the following factors:
- The most meaningful testing is completed on ΓÇ£real worldΓÇ¥ scenarios and data. - You can only activate a SharePoint Syntex trial once per tenant.
-A test or demo tenant can be used as a ΓÇ£dry runΓÇ¥ to walk through the activation steps and administrative controls. But itΓÇÖs probably best to evaluate model building on a production tenant.
+A test or demo tenant can be used as a ΓÇ£dry runΓÇ¥ to walk through the activation steps and administrative controls. But it's probably best to evaluate model building on a production tenant.
To maximize the value of a trial on a production tenant, planning and business engagement are essential. You should engage one or more business areas to identify three-to-six use cases that could potentially be addressed by SharePoint Syntex. These use cases should:
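Review bot: The added line replaces the typographic apostrophe in "it's" with a straight one but leaves the typographic double quotes around "dry run" in the same sentence, and the "real world" bullet just above is untouched. If the goal of this pass is plain ASCII punctuation, convert those quotation marks as well so the paragraph does not mix the two styles.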
When you initiate a trial, you need to:
- Assign licenses to the relevant users. - Perform [additional setup of SharePoint Syntex](set-up-content-understanding.md).
- - You might want to [create additional content centers](create-a-content-center.md).
+ - You might want to [create additional content centers](create-a-content-center.md).
After the trial is activated, you can create models and process files. See [guidance for model creation](create-a-content-center.md). ## During a trial
-Trial periods are limited, so itΓÇÖs best to focus initially on whether SharePoint Syntex models can classify documents and extract metadata for the defined use cases. After the trial period is over, you can evaluate how the metadata can be exploited.
+Trial periods are limited, so it's best to focus initially on whether SharePoint Syntex models can classify documents and extract metadata for the defined use cases. After the trial period is over, you can evaluate how the metadata can be exploited.
## After a trial
Based on the outcome of the trial, you can decide whether to proceed to producti
### Proceed to production use
-To ensure continuity of service, you need to purchase the required number of licenses and assign those licenses to users. Trial users who donΓÇÖt have a full license at the end of the trial period wonΓÇÖt be able to fully utilize SharePoint Syntex.
+To ensure continuity of service, you need to purchase the required number of licenses and assign those licenses to users. Trial users who don't have a full license at the end of the trial period won't be able to fully utilize SharePoint Syntex.
-You might have to estimate your projected use of forms processing and plan for the expected amount of AI Builder credits. For help, see [Estimate the AI Builder capacity thatΓÇÖs right for you](https://powerapps.microsoft.com/ai-builder-calculator/).
+You might have to estimate your projected use of forms processing and plan for the expected amount of AI Builder credits. For help, see [Estimate the AI Builder capacity that's right for you](https://powerapps.microsoft.com/ai-builder-calculator/).
### Don't proceed to production use
-If you donΓÇÖt purchase licenses following the trial:
+If you don't purchase licenses following the trial:
-- You wonΓÇÖt be able to create new models.
+- You won't be able to create new models.
- Libraries that were running models will no longer automatically classify files or extract models.-- Any previously classified files or extracted metadata wonΓÇÖt be affected. -- Content centers and any document-understanding models wonΓÇÖt be automatically deleted. These will remain available for use if you decide to purchase licenses in the future.
+- Any previously classified files or extracted metadata won't be affected.
+- Content centers and any document-understanding models won't be automatically deleted. These will remain available for use if you decide to purchase licenses in the future.
- Forms-processing models will be stored in the Common Data Services (CDS) instance of the default Power Platform environment. These could be used with future licensing for SharePoint Syntex or with AI Builder capabilities in the Power Platform. ## See also
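Review bot: The context bullet "Libraries that were running models will no longer automatically classify files or extract models" reads as a slip for "extract metadata", given that the next bullet refers to "extracted metadata". Fix it in the same pass as the apostrophe cleanup, since this hunk already rewrites the neighbouring bullets in that list.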
enterprise Block User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell.md
Set-AzureADUser -ObjectID (Get-AzureADUser | where {$_.DisplayName -eq $userName
To check the blocked status of a user account use the following command: ```powershell
-Get-AzureADUser -UserPrincipalName <UPN of user account> | Select DisplayName,AccountEnabled
+Get-AzureADUser -ObjectID <UPN of user account> | Select DisplayName,AccountEnabled
``` ### Block multiple user accounts
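Review bot: The added command passes `-ObjectID`, but the placeholder still reads `<UPN of user account>` and nothing in the visible text tells the reader that this parameter takes a UPN. Add a short sentence saying that a user principal name is accepted as the object identifier, or change the placeholder to match, so an admin checking `AccountEnabled` after blocking an account is not left guessing which value to supply.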
includes Microsoft 365 Client Support Certificate Based Authentication Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-certificate-based-authentication-include.md
|AZURE ADMIN|N/A|N/A|N/A|N/A|N/A| |COMPANY PORTAL|Γ£ö|Γ£ö|Γ£ö|N/A|Γ£ö| |CORTANA|N/A|N/A|N/A|N/A|Γ£ö|
-|DELVE|Γ£ö|Γ£ö|N/A|N/A|N/A|
|EXCEL|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |EXCHANGE ADMIN|N/A|N/A|N/A|Γ£ö|N/A| |FORMS|N/A|N/A|N/A|N/A|N/A| |KAIZALA|Γ£ö|Γ£ö|N/A|N/A|N/A| |MICROSOFT ROOMS|Planned|Planned|N/A|N/A|N/A| |OFFICE 365 ADMIN|Γ£ö|N/A|N/A|N/A|N/A|
-|OFFICE LENS|Γ£ö|Γ£ö|N/A|N/A|Γ£ö|
+|OFFICE LENS|Γ£ö|Γ£ö|N/A|N/A|N/A|
|OFFICE MOBILE|Γ£ö|Γ£ö|N/A|N/A|N/A| |OFFICE.COM|N/A|N/A|N/A|N/A|Γ£ö| |ONEDRIVE|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
includes Microsoft 365 Client Support Conditional Access Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-conditional-access-include.md
|AZURE ACTIVE DIRECTORY ADMIN|N/A|N/A|N/A|Planned|N/A| |COMPANY PORTAL|Planned|Planned|Planned|N/A|Planned| |CORTANA|N/A|N/A|N/A|N/A|Planned|
-|DELVE|Γ£ö|Γ£ö|N/A|N/A|N/A|
|EXCEL|Γ£ö|Planned|Planned|Planned|N/A| |EXCHANGE ADMIN|N/A|N/A|N/A|Γ£ö|N/A| |FORMS|N/A|N/A|N/A|N/A|N/A|
includes Microsoft 365 Client Support Modern Authentication Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-modern-authentication-include.md
|AZURE ADMIN|N/A|N/A|N/A|N/A|N/A| |COMPANY PORTAL|Γ£ö|Γ£ö|Γ£ö|N/A|Γ£ö| |CORTANA|N/A|N/A|N/A|N/A|Γ£ö|
-|DELVE|Γ£ö|Γ£ö|N/A|N/A|N/A|
|EXCEL|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |EXCHANGE ADMIN|N/A|N/A|N/A|Γ£ö|N/A| |FORMS|N/A|N/A|N/A|N/A|N/A| |KAIZALA|Γ£ö|Γ£ö|N/A|N/A|N/A| |MICROSOFT ROOMS|Planned|Planned|N/A|N/A|N/A| |OFFICE 365 ADMIN|Γ£ö|N/A|N/A|N/A|N/A|
-|OFFICE LENS|Γ£ö|Γ£ö|N/A|N/A|Γ£ö|
+|OFFICE LENS|Γ£ö|Γ£ö|N/A|N/A|N/A|
|OFFICE MOBILE|Γ£ö|Γ£ö|N/A|N/A|N/A| |OFFICE.COM|N/A|N/A|N/A|N/A|Γ£ö| |ONEDRIVE|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
includes Microsoft 365 Client Support Single Sign On Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-single-sign-on-include.md
|ACCESS|N/A|N/A|N/A|Γ£ö|N/A| |COMPANY PORTAL|N/A|Γ£ö|Planned|N/A|Γ£ö| |CORTANA|N/A|N/A|N/A|N/A|Γ£ö|
-|DELVE|Γ£ö|Γ£ö|N/A|N/A|N/A|
|EXCEL|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |KAIZALA|Γ£ö|Planned|N/A|N/A|N/A| |MICROSOFT ROOMS|Planned|Planned|N/A|N/A|N/A|
knowledge Trial Topics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/trial-topics.md
Previously updated : Last updated : audience: admin ms.prod: microsoft-365-enterprise-+
+search.appverid:
localization_priority: Normal description: Learn how to plan and run a trial pilot program for Microsoft Viva Topics in your organization.
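Review bot: the added `search.appverid:` metadata key has no value on its line and the next visible line is already `localization_priority`. Either supply the intended value or values, or drop the key, since an empty entry adds nothing and may be flagged by metadata validation.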
Trials are publicly available from one of the following sources. These trials of
- The [Viva Topics product page](https://www.microsoft.com/microsoft-viva/topics?activetab=pivot:overviewtab) - The [Microsoft 365 admin center](https://admin.microsoft.com)
- 1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com).
- 2. Go to **Billing** > **Purchase Services**.
- 3. Scroll down to the **Add-Ons** section.
- 4. On the **Topic Experiences** tile, select **Details**.
- 5. Select **Get free trial**.
- 6. Follow the remaining wizard steps to confirm the trial.
+ 1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com).
+ 2. Go to **Billing** > **Purchase Services**.
+ 3. Scroll down to the **Add-Ons** section.
+ 4. On the **Topic Experiences** tile, select **Details**.
+ 5. Select **Get free trial**.
+ 6. Follow the remaining wizard steps to confirm the trial.
You must be a Microsoft 365 global administrator or billing administrator to activate a trial.
You must be a Microsoft 365 global administrator or billing administrator to act
### Who should be involved in a trial
-|Role |Activity |
-|||
-|Microsoft 365 global admin or billing admin | Activate the trial and assign licenses |
-|Microsoft 365 global admin or SharePoint admin | Configure Viva Topics and create topic centers |
-|Business user | Perform knowledge manager, topic contributor, and topic consumer roles |
+|Role|Activity|
+|||
+|Microsoft 365 global admin or billing admin|Activate the trial and assign licenses|
+|Microsoft 365 global admin or SharePoint admin|Configure Viva Topics and create topic centers|
+|Business user|Perform knowledge manager, topic contributor, and topic consumer roles|
### Before you activate a trial
Planning is essential for an effective trial of Viva Topics. The trial period is
There are two high-level strategy options for configuration of topic discovery during a trial: - Index all or most of your SharePoint Online content.
- - Large tenants can take up to two weeks to fully index. While topics will be generated incrementally throughout this period, full indexing could consume up to half the trial period.
- - For tenants with a significant volume of data, this option can produce a very large number of topics, perhaps tens of thousands.
+ - Large tenants can take up to two weeks to fully index. While topics will be generated incrementally throughout this period, full indexing could consume up to half the trial period.
+ - For tenants with a significant volume of data, this option can produce a very large number of topics, perhaps tens of thousands.
- Identify a subset of your SharePoint sites for indexing.
The choice of these strategies is a balance of the following two factors:
For most organizations, the second strategy produces the best outcome. > [!NOTE]
-> Due to the number of documents required by the AI, we recommend that you run Viva Topics trials on a production tenant. ThereΓÇÖs no impact on the performance of the tenant during this period. Only users who have a trial license can access Viva Topics user experiences.
+> Due to the number of documents required by the AI, we recommend that you run Viva Topics trials on a production tenant. There's no impact on the performance of the tenant during this period. Only users who have a trial license can access Viva Topics user experiences.
#### Roles During the trial, there are three roles that must be active, which are described in the following table.
-|Role |Activity |
-|||
-|Knowledge manager | Control the lifecycle stages of topics; confirm and remove topics; act as a community manager for topic contributors |
-|Topic contributor | Content subject matter experts, who can:<br> Review topics to evaluate the quality of AI-defined content<br>Curate discovered topics with additional content<br>Create additional topics that werenΓÇÖt discovered by AI |
-|Topic consumer | Consume topics through page highlights and search<br>Provide feedback on the value of the topics presented |
+|Role|Activity|
+|||
+|Knowledge manager|Control the lifecycle stages of topics; confirm and remove topics; act as a community manager for topic contributors|
+|Topic contributor|Content subject matter experts, who can:<br> Review topics to evaluate the quality of AI-defined content<br>Curate discovered topics with additional content<br>Create additional topics that weren't discovered by AI|
+|Topic consumer|Consume topics through page highlights and search<br>Provide feedback on the value of the topics presented|
#### Expected topics
The trial period should be used to evaluate the following components of Viva Top
Consider these factors: - For Viva Topics to deliver the maximum value, the content in topics needs to be a combination of AI-defined content and human-curated content.-- All user experiences are ΓÇ£permission trimmedΓÇ¥ (including the knowledge managerΓÇÖs view on the **Manage topics** page). Users will only see a topic if they have permissions to view some of the resources that were used to generate the topic. This means that different users might see different content on the same topic page.-- Users might see multiple topics that have the same name in the **Manage topics** page. These topics aren't necessarily duplicates but might be because of a single term thatΓÇÖs used in multiple contexts in the data, such as a project code name thatΓÇÖs used by two distinct projects.
+- All user experiences are ΓÇ£permission trimmedΓÇ¥ (including the knowledge manager's view on the **Manage topics** page). Users will only see a topic if they have permissions to view some of the resources that were used to generate the topic. This means that different users might see different content on the same topic page.
+- Users might see multiple topics that have the same name in the **Manage topics** page. These topics aren't necessarily duplicates but might be because of a single term that's used in multiple contexts in the data, such as a project code name that's used by two distinct projects.
## After a trial
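Review bot: in the added "All user experiences are ... permission trimmed" bullet, the apostrophe in "knowledge manager's" was changed to a straight quote but the typographic double quotes around "permission trimmed" were left in (they show up here as `ΓÇ£` and `ΓÇ¥`). Replace them with straight quotes as well, so the cleanup is consistent with the rest of this commit. This is the sentence that explains what users can and cannot see, so it should render cleanly.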
Based on the outcome of the trial, you can decide whether to proceed to producti
### Proceed to production use
-To ensure continuity of service, you must purchase the required number of licenses and assign those licenses to users. Trial users who donΓÇÖt have a full license at the end of the trial period wonΓÇÖt be able to access any Viva Topics experiences.
+To ensure continuity of service, you must purchase the required number of licenses and assign those licenses to users. Trial users who don't have a full license at the end of the trial period won't be able to access any Viva Topics experiences.
-### DonΓÇÖt proceed to production use
+### Don't proceed to production use
-If you donΓÇÖt purchase licenses following the trial:
+If you don't purchase licenses following the trial:
- Topic discovery will stop. - Users will no longer see topic highlights or cards.-- The topic center wonΓÇÖt be deleted, but the suggested topics and manage topics experiences wonΓÇÖt be available.
+- The topic center won't be deleted, but the suggested topics and manage topics experiences won't be available.
- Any AI-defined topics will be lost. - Topics that have been edited by a topic contributor will remain in the topic center pages library. Only the manually provided content will remain on these pages, not any AI-suggested content. ## See also [Get started driving adoption of Microsoft Viva Topics](topics-adoption-getstarted.md)-
lti Teams Classes With Canvas https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-classes-with-canvas.md
Before managing the Microsoft Teams integration within Instructure Canvas, it is
Set up the Microsoft Teams LTI 1.3 Integration.
-As a Canvas Admin, you'll need to add the Microsoft Teams classes LTI app within your environment. Make a note of the LTI Client ID for the app.
+As a Canvas Admin, you'll need to add the Microsoft Teams classes LTI app within your environment. Access the the Developer Key listing in the main account, switch to the inherited keys, and enable the Teams LTI tool. Make a note of the LTI Client ID for the app.
- Microsoft Teams classes - 170000000000570
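Review bot: the added sentence reads "Access the the Developer Key listing", with "the" doubled. While fixing that, "switch to the inherited keys" would be clearer if it named the control the admin selects, in bold like the other UI labels in these articles. It would also help to say that the Client ID to note is the one listed in the bullet below.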
managed-desktop Register Devices Partner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/register-devices-partner.md
Once you have established the relationship with your customers, you can use Part
> The Group Name must match those listed in the table exactly, including capitalization and special characters. This will allow the newly registered devices to be assigned with the Microsoft Managed Desktop Autopilot profile. >[!NOTE]
-> You should have received this .csv file with your device purchase. If you didn't receive a .csv file, you can create one yourself by following the steps in [Adding devices to Windows Autopilot](/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell). The Windows PowerShell script is different from the one used for the [Microsoft Managed Desktop Admin portal](./register-devices-self.md#obtain-the-hardware-hash). Partners should use [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) to register devices for Microsoft Managed Desktop devices in Partner Center.
+> You should have received this .csv file with your device purchase. If you didn't receive a .csv file, you can create one yourself by following the steps in [Adding devices to Windows Autopilot](/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell). Extra columns are not supported. Quotes are not supported. Only ANSI-format text files can be used (not Unicode). Headers are case-sensitive. Editing the file in Excel and saving it as a CSV file will not generate a usable file due to these requirements. Ensure that you preserve any leading zeroes in the device serial numbers. Partners should use [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) to register devices for Microsoft Managed Desktop devices in Partner Center.
If you get an error message while trying to upload the .csv file, check the format of the file. Make sure the column order matches what is described in [Use Windows Autopilot profiles on new devices to customize a customer's out-of-box experience](/partner-center/autopilot#add-devices-to-a-customers-account). You can also use the sample .csv file provided from the link next to **Add devices** to create a device list.
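Review bot: the replacement note drops the sentence that said the partner script differs from the one used for the Admin portal, together with its link to `register-devices-self.md#obtain-the-hardware-hash`, yet it still ends by telling partners to use Get-WindowsAutoPilotInfo. Without that sentence nothing tells a partner that the self-registration script should not be used here, so keep it or say why it no longer applies. The six file requirements also read better as a bullet list than as a run of short sentences inside one note. "Only ANSI-format text files" should say which encoding option to choose when saving, since the note has just ruled out Excel.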
Once you've established the relationship, you can start registering devices for
|Standard | **Microsoft365Managed\_Standard** | > [!IMPORTANT]
-> The Group Tags must match those listed in the table exactly, including capitalization and special characters. This will allow the newly registered devices to be assigned with the Microsoft Managed Desktop Autopilot profile.
+> The Group Tags must match those listed in the table exactly, including capitalization and special characters. This will allow the newly registered devices to be assigned with the Microsoft Managed Desktop Autopilot profile.
managed-desktop Register Devices Self https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/register-devices-self.md
You'll need to have the data in the CSV files combined into a single file to com
`Import-CSV -Path (Get-ChildItem -Filter *.csv) | ConvertTo-Csv -NoTypeInformation | % {$_.Replace('"', '')} | Out-File .\aggregatedDevices.csv`
+> [!NOTE]
+> Extra columns are not supported. Quotes are not supported. Only ANSI-format text files can be used (not Unicode). Headers are case-sensitive. Editing the file in Excel and saving it as a CSV file will not generate a usable file due to these requirements. Be sure to preserve any leading zeroes in the device serial numbers.
+ ### Register devices by using the Admin Portal In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. Look for the Microsoft Managed Desktop section of the menu and select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.
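Review bot: the added note says only ANSI-format files are accepted (not Unicode), but the merge command directly above it ends in `Out-File .\aggregatedDevices.csv` with no `-Encoding` argument. In Windows PowerShell, `Out-File` writes UTF-16 ("Unicode") by default, so an admin who follows the page as written produces a file that the note says is unusable. Add an explicit encoding to that command, such as `-Encoding ascii`, or state the encoding the portal expects next to the command. The note duplicates the text added to the partner article word for word, so consider moving it into a shared include.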
managed-desktop Admin Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support.md
# Admin support for Microsoft Managed Desktop
-You can submit support tickets or feedback requests to Microsoft using the Microsoft Managed Desktop Admin portal. Support requests are always prioritized over feedback submissions. Support requests are triaged and managed according to severity as outlined in the [severity definition table](#sev). Feedback is reviewed and a response provided where requested.
-
+You can submit support tickets or feedback requests to Microsoft using the Microsoft Managed Desktop Admin portal. Support requests are always prioritized over feedback submissions. Support requests are triaged and managed according to severity as outlined in the [severity definition table](#sev). Feedback is reviewed and a response provided where requested.
## Open a new support request 1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu. 2. Look for the Microsoft Managed Desktop section, and then select **Service request**. 3. On **Support requests**, select **+ New Support ticket**.
-4. Select the **Support request type** that matches the help you need. The following table outlines the options.
+4. Select the **Support request type** that matches the help you need. The following table outlines the options.
5. Select the **Severity level**. For more information, see [Support request severity definitions](#sev). 6. Provide as much information about the request as possible to help the team respond quickly. Depending on the type of request, you may be required to provide different details.
-7. Review all the information you provided for accuracy.
-8. When youΓÇÖre ready, select **Create**.
-
+7. Review all the information you provided for accuracy.
+8. When you're ready, select **Create**.
-Support request type | When to use
- |
-Incident | You require the Microsoft Managed Desktop Operations team to investigate, for example, a widespread impact of a change or service outage.
-Request for information | You're planning a change in networking, proxy configuration, VPN systems, certificate expiration, or just need some information about the service. A response from the Microsoft Managed Desktop Operations team is advised when communicating a change within your organization.
-Change request | You require the Microsoft Managed Desktop Operations team to make a change, such as moving devices between update groups.
+Support request type|When to use
+|
+Incident|You require the Microsoft Managed Desktop Operations team to investigate, for example, a widespread impact of a change or service outage.
+Request for information|You're planning a change in networking, proxy configuration, VPN systems, certificate expiration, or just need some information about the service. A response from the Microsoft Managed Desktop Operations team is advised when communicating a change within your organization.
+Change request|You require the Microsoft Managed Desktop Operations team to make a change, such as moving devices between update groups.
> [!IMPORTANT] > When you create a support request you will need to list a Primary contact, responsible for working with our Service Engineers to resolve the issue or answer any questions about a requested change. We also require that you have previously [set up an Admin contact](../get-started/add-admin-contacts.md) who will be copied on all case notifications for their relevant area of focus and be asked to take over a case if the primary contact for a case is unreachable. ## Manage an active support request+ The primary contact for a case (and any [Admin contact](../get-started/add-admin-contacts.md) for that area of focus) will receive email notifications when a case is **Created**, **Assigned** to a Service Engineer to investigate, and **Resolved**. If at any point you have a question about the case, the best way to get in touch with our team is to reply directly to one of those emails. If we have questions about your request or need more details to take action, we will email the Primary contact listed on the support requests (copying all the relevant Admin contacts). ### View all your active cases+ While email is the recommended approach to interact with our team, you may want to see the summary status of all your support requests. At any time, you can use the portal to see all support requests Active during the last six months.
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
-2. Look for the *Microsoft Managed Desktop* section, select **Service request**.
-3. From this view, you can export the summary view or click on any case to see the details
+1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
+2. Look for the *Microsoft Managed Desktop* section, select **Service request**.
+3. From this view, you can export the summary view or click on any case to see the details
### Edit case details+ If you need to edit the details of a case, for example updating the primary case contact, you will need to follow these steps:
-1. From the **Service request** blade, in **Tenant Administration** menu of [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), use the search bar or filters to find the case youΓÇÖre interested in editing.
-2. Select the case to open up the requestΓÇÖs details
-3. Scroll to the bottom of the request details and select **Edit**.
-4. Update the editable information, add attachments to the case, or add a note for the Service Engineering team, then select **Save**.
+
+1. From the **Service request** blade, in **Tenant Administration** menu of [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), use the search bar or filters to find the case you're interested in editing.
+2. Select the case to open up the request's details
+3. Scroll to the bottom of the request details and select **Edit**.
+4. Update the editable information, add attachments to the case, or add a note for the Service Engineering team, then select **Save**.
### Provide feedback
The initial response time is the period from when you submit your support reques
> [!NOTE] > In this table, "admin support hours" means, that Microsoft Managed Desktop support for admins is available, for most countries, 24 hours a day **Monday through Friday**. Severity A can be worked 24 hours a day all seven days of the week.
-Severity level | Situation | Initial response time | Expected response from you
- | | |
-**Severity A ΓÇô Critical Impact** | **Critical business impact**<br><br>Your business has significant loss or degradation of services and require immediate attention.<br><br>**Major application compatibility impact**<br><br>Your entire business is experiencing financial impact due to devices not responding or loss of critical functionality | Initial: < 1 hour<br>Update: 60 minutes<br>24-hour support every day is available | When you select Severity A, you confirm that the issue has critical business impact, with severe loss and degradation of services. <br><br>The issue demands an immediate response, and you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft can at its discretion decrease the Severity to level B.<br><br> You also ensure that Microsoft has your accurate contact information.
-**Severity B ΓÇô Moderate Impact** | **Moderate business impact**<br><br>Your business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner.<br><br>**Moderate application compatibility impact**<br><br>A specific business group is no longer productive, due to devices not responding or loss of critical functionality. | Initial: < 4 hours<br>Update: 12 hours<br>24 hours a day during admin support hours (Monday through Friday). | When you select Severity B, you confirm that the issue has moderate impact to your business with loss and degradation of services, but workarounds enable reasonable, albeit temporary, business continuity. <br><br>The issue demands an urgent response. If you chose all day every day support when you submit the support request, you commit to a continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft might at its discretion decrease the severity to level C. If you chose admin support-hours support when you submit a Severity B incident, Microsoft will contact you during admin support hours only.<br><br>You also ensure that Microsoft has your accurate contact information.
-**Severity C ΓÇô Minimal Impact** | **Minimum business impact**<br><br> Your business is functioning with minor impediments of services.<br><br>**Minor application compatibility impact**<br><br>Potentially unrelated users experience minor compatibility issues that do not prevent productivity | Initial: < 8 hours<br>Update: 24 hours<br>Support 24 hours a day during admin support hours (Monday through Friday) | When you select Severity C, you confirm that the issue has minimum impact to your business with minor impediment of service.<br><br>For a Severity C incident, Microsoft will contact you during admin support hours only.<br><br>You also ensure that Microsoft has your accurate contact information.
+Severity level|Situation|Initial response time|Expected response from you
+|||
+**Severity A ΓÇô Critical Impact**|**Critical business impact**<p>Your business has significant loss or degradation of services and require immediate attention.<p>**Major application compatibility impact**<p>Your entire business is experiencing financial impact due to devices not responding or loss of critical functionality|Initial: < 1 hour<br>Update: 60 minutes<br>24-hour support every day is available|When you select Severity A, you confirm that the issue has critical business impact, with severe loss and degradation of services. <p>The issue demands an immediate response, and you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft can at its discretion decrease the Severity to level B.<p> You also ensure that Microsoft has your accurate contact information.
+**Severity B ΓÇô Moderate Impact**|**Moderate business impact**<p>Your business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner.<p>**Moderate application compatibility impact**<p>A specific business group is no longer productive, due to devices not responding or loss of critical functionality.|Initial: < 4 hours<br>Update: 12 hours<br>24 hours a day during admin support hours (Monday through Friday).|When you select Severity B, you confirm that the issue has moderate impact to your business with loss and degradation of services, but workarounds enable reasonable, albeit temporary, business continuity. <p>The issue demands an urgent response. If you chose all day every day support when you submit the support request, you commit to a continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft might at its discretion decrease the severity to level C. If you chose admin support-hours support when you submit a Severity B incident, Microsoft will contact you during admin support hours only.<p>You also ensure that Microsoft has your accurate contact information.
+**Severity C ΓÇô Minimal Impact**|**Minimum business impact**<p> Your business is functioning with minor impediments of services.<p>**Minor application compatibility impact**<p>Potentially unrelated users experience minor compatibility issues that do not prevent productivity|Initial: < 8 hours<br>Update: 24 hours<br>Support 24 hours a day during admin support hours (Monday through Friday)|When you select Severity C, you confirm that the issue has minimum impact to your business with minor impediment of service.<p>For a Severity C incident, Microsoft will contact you during admin support hours only.<p>You also ensure that Microsoft has your accurate contact information.
- **Support languages** - All support is provided in English.-- **Severity level changes** - Microsoft might downgrade the severity level if you aren't able to provide adequate resources or responses to enable us to continue with problem resolution efforts.
+- **Severity level changes** - Microsoft might downgrade the severity level if you aren't able to provide adequate resources or responses to enable us to continue with problem resolution efforts.
- **Application compatibility** - For an application compatibility issue to be considered, there must be a reproducible error, of the same version of the application, between the previous and current version of Windows or Microsoft 365 Apps for enterprise. To resolve application compatibility issues, we requires a point of contact in your org to work with. The contact must work directly with our Fast Track team to investigate and resolve the issue. - **Customer response time** If you aren't able to meet the expected response requirements, we'll downgrade the request by one severity level, to a minimum of Severity C. If you're unresponsive to requests for action, we'll mitigate and close the support request within 48 hours of the last request. - ## More resources -- [User support for Microsoft Managed Desktop](end-user-support.md). -- [Support for Microsoft Managed Desktop](../service-description/support.md).
+- [User support for Microsoft Managed Desktop](end-user-support.md).
+- [Support for Microsoft Managed Desktop](../service-description/support.md).
- If you already subscribe to Microsoft Managed Desktop, you can find detailed procedures, process flows, work instructions, and FAQs in the Microsoft Managed Desktop Admin Guide in the **Online resources** page under the **Microsoft Managed Desktop** section of the **Tenant administration** menu in [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
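Review bot: in the three Severity rows, the `<br><br>` separators are replaced with bare `<p>` tags that are never closed, inside Markdown table cells. Unclosed block elements in a cell depend on the renderer to recover, and a renderer that does not will run the "Situation" and "Expected response from you" text together. Keep `<br><br>`, or close each paragraph with `</p>`. In the unchanged "Application compatibility" bullet of the same hunk, "we requires a point of contact" should be "we require", and it is worth fixing while the list is being touched.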
security Troubleshoot Onboarding Error Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender for Endpoint service.
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
ms.technology: mde
- Windows Server 2016 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
You might need to troubleshoot the Microsoft Defender for Endpoint onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices.
security Troubleshoot Performance Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
+ If your system is having high CPU usage or performance issues related to the real-time protection service in Microsoft Defender for Endpoint, you can submit a ticket to Microsoft support. Follow the steps in [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md).
-As an admin, you can also troubleshoot these issues on your own.
+As an admin, you can also troubleshoot these issues on your own.
First, you might want to check if the issue is being caused by another software. Read [Check with vendor for antivirus exclusions](#check-with-vendor-for-antivirus-exclusions).
-Otherwise, you can identify which software is related to the identified performance issue by following the steps in [Analyze the Microsoft Protection Log](#analyze-the-microsoft-protection-log).
+Otherwise, you can identify which software is related to the identified performance issue by following the steps in [Analyze the Microsoft Protection Log](#analyze-the-microsoft-protection-log).
You can also provide additional logs to your submission to Microsoft support by following the steps in:+ - [Capture process logs using Process Monitor](#capture-process-logs-using-process-monitor)-- [Capture performance logs using Windows Performance Recorder](#capture-performance-logs-using-windows-performance-recorder)
+- [Capture performance logs using Windows Performance Recorder](#capture-performance-logs-using-windows-performance-recorder)
## Check with vendor for antivirus exclusions
-If you can readily identify the software affecting system performance, go to the software vendor's knowledge base or support center. Search if they have recommendations about antivirus exclusions. If the vendor's website does not have them, you can open a support ticket with them and ask them to publish one.
+If you can readily identify the software affecting system performance, go to the software vendor's knowledge base or support center. Search if they have recommendations about antivirus exclusions. If the vendor's website does not have them, you can open a support ticket with them and ask them to publish one.
We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The vendor can submit their software through the [Microsoft Defender Security Intelligence portal (MDSI)](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper). - ## Analyze the Microsoft Protection Log In **MPLog-xxxxxxxx-xxxxxx.log**, you can find the estimated performance impact information of running software as *EstimatedImpact*:
-
+ `Per-process counts:ProcessImageName: smsswd.exe, TotalTime: 6597, Count: 1406, MaxTime: 609, MaxTimeFile: \Device\HarddiskVolume3\_SMSTaskSequence\Packages\WQ1008E9\Files\FramePkg.exe, EstimatedImpact: 65%`
-| Field name | Description |
+|Field name|Description|
|||
-|ProcessImageName | Process image name |
-| TotalTime | The cumulative duration in milliseconds spent in scans of files accessed by this process |
-|Count | The number of scanned files accessed by this process |
-|MaxTime | The duration in milliseconds in the longest single scan of a file accessed by this process |
-| MaxTimeFile | The path of the file accessed by this process for which the longest scan of `MaxTime` duration was recorded |
-| EstimatedImpact | The percentage of time spent in scans for files accessed by this process out of the period in which this process experienced scan activity |
+|ProcessImageName|Process image name|
+|TotalTime|The cumulative duration in milliseconds spent in scans of files accessed by this process|
+|Count|The number of scanned files accessed by this process|
+|MaxTime|The duration in milliseconds in the longest single scan of a file accessed by this process|
+|MaxTimeFile|The path of the file accessed by this process for which the longest scan of `MaxTime` duration was recorded|
+|EstimatedImpact|The percentage of time spent in scans for files accessed by this process out of the period in which this process experienced scan activity|
If the performance impact is high, try adding the process to the Path/Process exclusions by following the steps in [Configure and validate exclusions for Microsoft Defender Antivirus scans](collect-diagnostic-data.md). If the previous step doesn't solve the problem, you can collect more information through the [Process Monitor](#capture-process-logs-using-process-monitor) or the [Windows Performance Recorder](#capture-performance-logs-using-windows-performance-recorder) in the following sections.
-  
+ ## Capture process logs using Process Monitor Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time processes. You can use this to capture the performance issue as it is occurring.
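Review bot: In the context paragraph that follows the field table, the link text "Configure and validate exclusions for Microsoft Defender Antivirus scans" targets `collect-diagnostic-data.md`, so the file name does not match the article the text names. Since this change already touches the lines on either side, please confirm the target and point it at the exclusions article. The same sentence tells readers to exclude a process when `EstimatedImpact` is high. It would help to say there that the exclusion should be as narrow as the vendor guidance from the previous section allows.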
Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time
1. Under the *General* tab, look for *Security*. 1. Check the box beside **Unblock**. 1. Select **Apply**.
-
- ![Remove MOTW](images/procmon-motw.png)
-3. Unzip the file in `C:\temp` so that the folder path will be `C:\temp\ProcessMonitor`.
+ ![Remove MOTW](images/procmon-motw.png)
-4. Copy **ProcMon.exe** to the Windows client or Windows server you're troubleshooting.
+3. Unzip the file in `C:\temp` so that the folder path will be `C:\temp\ProcessMonitor`.
+
+4. Copy **ProcMon.exe** to the Windows client or Windows server you're troubleshooting.
5. Before running ProcMon, make sure all other applications not related to the high CPU usage issue are closed. Doing this will minimize the number of processes to check. 6. You can launch ProcMon in two ways.
- 1. Right-click **ProcMon.exe** and select **Run as administrator**.
-
+ 1. Right-click **ProcMon.exe** and select **Run as administrator**.
Since logging starts automatically, select the magnifying glass icon to stop the current capture or use the keyboard shortcut **Ctrl+E**.
-
+ ![magnifying glass icon](images/procmon-magglass.png) To verify that you have stopped the capture, check if the magnifying glass icon now appears with a red X.
- ![red slash](images/procmon-magglass-stop.png)
+ ![red slash](images/procmon-magglass-stop.png)
Next, to clear the earlier capture, select the eraser icon.
Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time
2. The second way is to run the **command line** as admin, then from the Process Monitor path, run: ![cmd procmon](images/cmd-procmon.png)
-
+ ```console Procmon.exe /AcceptEula /Noconnect /Profiling ```
-
- >[!TIP]
- >Make the ProcMon window as small as possible when capturing data so you can easily start and stop the trace.
- >
- >![Minimize Procmon](images/procmon-minimize.png)
-
+
+ > [!TIP]
+ > Make the ProcMon window as small as possible when capturing data so you can easily start and stop the trace.
+ >
+ > ![Minimize Procmon](images/procmon-minimize.png)
+ 7. After following one of the procedures in step 6, you'll next see an option to set filters. Select **OK**. You can always filter the results after the capture is completed.
-
- ![Filter out Process Name is System Exclude](images/procmon-filter-options.png)
+
+ ![Filter out Process Name is System Exclude](images/procmon-filter-options.png)
8. To start the capture, select the magnifying glass icon again.
-  
+ 9. Reproduce the problem.
-
- >[!TIP]
- >Wait for the problem to be fully reproduced, then take note of the timestamp when the trace started.
+
+ > [!TIP]
+ > Wait for the problem to be fully reproduced, then take note of the timestamp when the trace started.
10. Once you have two to four minutes of process activity during the high CPU usage condition, stop the capture by selecting the magnifying glass icon.
Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time
12. For better tracking, change the default path from `C:\temp\ProcessMonitor\LogFile.PML` to `C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML` where: - `%ComputerName%` is the device name - `MMDDYEAR` is the month, day, and year
- - `Repro_of_issue` is the name of the issue you're trying to reproduce
+ - `Repro_of_issue` is the name of the issue you're trying to reproduce
- >[!TIP]
+ > [!TIP]
> If you have a working system, you might want to get a sample log to compare. 13. Zip the .pml file and submit it to Microsoft support. - ## Capture performance logs using Windows Performance Recorder
-You can use Windows Performance Recorder (WPR) to include additional information in your submission to Microsoft support. WPR is a powerful recording tool that creates Event Tracing for Windows recordings.
+You can use Windows Performance Recorder (WPR) to include additional information in your submission to Microsoft support. WPR is a powerful recording tool that creates Event Tracing for Windows recordings.
WPR is part of the Windows Assessment and Deployment Kit (Windows ADK) and can be downloaded from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). You can also download it as part of the Windows 10 Software Development Kit at [Windows 10 SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/).
-You can use the WPR user interface by following the steps in [Capture performance logs using the WPR UI](#capture-performance-logs-using-the-wpr-ui).
+You can use the WPR user interface by following the steps in [Capture performance logs using the WPR UI](#capture-performance-logs-using-the-wpr-ui).
Alternatively, you can also use the command-line tool *wpr.exe*, which is available in Windows 8 and later versions by following the steps in [Capture performance logs using the WPR CLI](#capture-performance-logs-using-the-wpr-cli). - ### Capture performance logs using the WPR UI
->[!TIP]
->If you have multiple devices where the issue is occurring, use the one which has the most amount of RAM.
+> [!TIP]
+> If you have multiple devices where the issue is occurring, use the one which has the most amount of RAM.
1. Download and install WPR.
-2. Under *Windows Kits*, right-click **Windows Performance Recorder**.
+2. Under *Windows Kits*, right-click **Windows Performance Recorder**.
![Start menu](images/wpr-01.png)
Alternatively, you can also use the command-line tool *wpr.exe*, which is availa
![UAC](images/wpt-yes.png)
-4. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder like `C:\temp`.
-
+4. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder like `C:\temp`.
+ 5. On the WPR dialog box, select **More options**. ![Select more options](images/wpr-03.png)
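Review bot: Step 4 keeps the download link `https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp` for a profile that WPR loads right after the UAC prompt shown above. A `blob/master` address is the HTML view of a branch that can change after this article is published, so a reader cannot tell whether the file saved as `MDAV.wprp` is the one the article was written against. Suggest linking to a fixed revision of the raw file and listing a file hash next to the step so that the download can be verified before it is loaded.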
Alternatively, you can also use the command-line tool *wpr.exe*, which is availa
![in-file](images/wpr-infile.png) >[!WARNING]
- >If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system could consume a high amount of non-paged pool memory or buffers which can lead to system instability. You can choose which profiles to add by expanding **Resource Analysis**.
+ >If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system could consume a high amount of non-paged pool memory or buffers which can lead to system instability. You can choose which profiles to add by expanding **Resource Analysis**.
This custom profile provides the necessary context for in-depth performance analysis.
-
+ 8. To use the custom measurement Microsoft Defender for Endpoint verbose analysis profile in the WPR UI: 1. Ensure no profiles are selected under the *First-level triage*, *Resource Analysis* and *Scenario Analysis* groups. 2. Select **Custom measurements**. 3. Select **Microsoft Defender for Endpoint analysis**. 4. Select **Verbose** under *Detail* level.
- 1. Select **File** or **Memory** under Logging mode.
+ 5. Select **File** or **Memory** under Logging mode.
- >[!important]
- >You should select *File* to use the file logging mode if the performance issue can be reproduced directly by the user. Most issues fall under this category. However, if the user cannot directly reproduce the issue but can easily notice it once the issue occurs, the user should select *Memory* to use the memory logging mode. This ensures that the trace log will not inflate excessively due to the long run time.
+ > [!IMPORTANT]
+ > You should select *File* to use the file logging mode if the performance issue can be reproduced directly by the user. Most issues fall under this category. However, if the user cannot directly reproduce the issue but can easily notice it once the issue occurs, the user should select *Memory* to use the memory logging mode. This ensures that the trace log will not inflate excessively due to the long run time.
9. Now you're ready to collect data. Exit all the applications that are not relevant to reproducing the performance issue. You can select **Hide options** to keep the space occupied by the WPR window small.
- ![Hipe options](images/wpr-08.png)
+ ![Hide options](images/wpr-08.png)
- >[!TIP]
- >Try starting the trace at whole number seconds. For instance, 01:30:00. This will make it easier to analyze the data. Also try to keep track of the timestamp of exactly when the issue is reproduced.
+ > [!TIP]
+ > Try starting the trace at whole number seconds. For instance, 01:30:00. This will make it easier to analyze the data. Also try to keep track of the timestamp of exactly when the issue is reproduced.
10. Select **Start**.
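Review bot: The WARNING about servers with 64 GB of RAM is the one alert in this hunk left in the old style. The context line is still `>[!WARNING]` and the re-added body line starts with `>If your Windows Server`, while the IMPORTANT and TIP alerts below it were changed to `> [!IMPORTANT]` and `> [!TIP]` with a space after `>`. Please normalize it the same way. The last sentence of that warning, "You can choose which profiles to add by expanding **Resource Analysis**", reads like step text rather than part of the warning, so check whether it belongs outside the alert.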
Alternatively, you can also use the command-line tool *wpr.exe*, which is availa
11. Reproduce the issue.
- >[!TIP]
- >Keep the data collection to no more than five minutes. Two to three minutes is a good range since a lot of data is being collected.
+ > [!TIP]
+ > Keep the data collection to no more than five minutes. Two to three minutes is a good range since a lot of data is being collected.
12. Select **Save**.
The command-line tool *wpr.exe* is part of the operating system starting with Wi
1. Download **[Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp)** profile for performance traces to a file named `MDAV.wprp` in a local directory such as `C:\traces`.
-3. Right-click the **Start Menu** icon and select **Windows PowerShell (Admin)** or **Command Prompt (Admin)** to open an Admin command prompt window.
+2. Right-click the **Start Menu** icon and select **Windows PowerShell (Admin)** or **Command Prompt (Admin)** to open an Admin command prompt window.
-4. When the User Account Control dialog box appears, select **Yes**.
+3. When the User Account Control dialog box appears, select **Yes**.
-5. At the elevated prompt, run the following command to start a Microsoft Defender for Endpoint performance trace:
+4. At the elevated prompt, run the following command to start a Microsoft Defender for Endpoint performance trace:
```console wpr.exe -start C:\traces\MDAV.wprp!WD.Verbose -filemode ```
-
- >[!WARNING]
- >If your Windows Server has 64 GB or RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system could consume a high amount of non-paged pool memory or buffers which can lead to system instability.
-6. Reproduce the issue.
+ > [!WARNING]
+ > If your Windows Server has 64 GB or RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system could consume a high amount of non-paged pool memory or buffers which can lead to system instability.
+
+5. Reproduce the issue.
- >[!TIP]
- >Keep the data collection no to more than five minutes. Depending on the scenario, two to three minutes is a good range since a lot of data is being collected.
+ > [!TIP]
+ > Keep the data collection no to more than five minutes. Depending on the scenario, two to three minutes is a good range since a lot of data is being collected.
-7. At the elevated prompt, run the following command to stop the performance trace, making sure to provide information about the problem and how you reproduced the issue:
+6. At the elevated prompt, run the following command to stop the performance trace, making sure to provide information about the problem and how you reproduced the issue:
```console wpr.exe -stop merged.etl "Timestamp when the issue was reproduced, in HH:MM:SS format" "Description of the issue" "Any error that popped up" ```
-8. Wait until the trace is merged.
+7. Wait until the trace is merged.
-9. Include both the file and the folder in your submission to Microsoft support.
+8. Include both the file and the folder in your submission to Microsoft support.
## See also
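Review bot: Two typos survive the reformatting of the alerts in steps 4 and 5. The WARNING still says "64 GB or RAM or more" (should be "64 GB of RAM or more") and the TIP still says "Keep the data collection no to more than five minutes" (should be "to no more than", as in the WPR UI section). Both lines are already being rewritten in this change, so fix the wording in the `+` lines. The renumbering of the steps from 3 through 9 to 2 through 8 looks right.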
security Troubleshoot Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md
ms.technology: mde
> [!IMPORTANT] > On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
-You can use Microsoft Defender Antivirus with Update Compliance. YouΓÇÖll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender for Endpoint portal](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
+You can use Microsoft Defender Antivirus with Update Compliance. You'll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender for Endpoint portal](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues.
In order for devices to properly show up in Update Compliance, you have to meet
> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level). > - It has been 3 days since all requirements have been met
-ΓÇ£You can use Microsoft Defender Antivirus with Update Compliance. YouΓÇÖll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
+"You can use Microsoft Defender Antivirus with Update Compliance. You'll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
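Review bot: The quoted paragraph re-added after the prerequisites list repeats the "You can use Microsoft Defender Antivirus with Update Compliance" paragraph from the top of the article, and in this copy the links are flattened: the portal link is a bare `(/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)` path and "Windows 10 product licensing options" has no target at all. Replacing the mis-encoded quotes fixes the characters but keeps the duplicate. Suggest deleting the quoted copy rather than repairing it. Separately, the IMPORTANT note in this file says the reporting feature "will be removed" on March 31, 2020, which is in the past for an update dated 07/29/2021.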
security Troubleshoot Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-siem.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
You might need to troubleshoot issues while pulling detections in your SIEM tools. This page provides detailed steps to troubleshoot issues you might encounter. - ## Learn how to get a new client secret+ If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret. 1. Login to the [Azure management portal](https://portal.azure.com).
If your client secret expires or if you've misplaced the copy provided when you
7. Copy the value and save it in a safe place. - ## Error when getting a refresh access token+ If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools, you'll need to add reply URL for relevant application in Azure Active Directory. 1. Login to the [Azure management portal](https://ms.portal.azure.com).
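Review bot: The two procedures in this file link "Azure management portal" to different hosts: `https://portal.azure.com` under "Learn how to get a new client secret" and `https://ms.portal.azure.com` in step 1 of "Error when getting a refresh access token". Use one address for both. The heading cleanup also leaves "Login to the" in both steps, where the verb form "Log in to" or "Sign in to" is meant, and "add reply URL for relevant application" is missing its articles.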
If you encounter an error when trying to get a refresh token when using the thre
- For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` - For the United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` - For the United States: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
-
+ 6. Click **Save**. ## Error while enabling the SIEM connector application
-If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
--
+If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
## Related topics+ - [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) - [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md) - [Pull detections to your SIEM tools](configure-siem.md)
security Tvm Assign Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-assign-device-value.md
ms.technology: mde
[!include[Prerelease information](../../includes/prerelease.md)]
-Defining a deviceΓÇÖs value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices assigned as ΓÇ£high valueΓÇ¥ will receive more weight.
+Defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices assigned as "high value" will receive more weight.
You can also use the [set device value API](set-device-value.md).
security Tvm Dashboard Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-dashboard-insights.md
ms.technology: mde
Threat and vulnerability management is a component of Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including: - - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable device vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
You can use the threat and vulnerability management capability in [Microsoft 365
Watch this video for a quick overview of what is in the threat and vulnerability management dashboard.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4r1nv]
## Threat and vulnerability management dashboard :::image type="content" source="../../mediashboard.png" alt-text="Threat and Vulnerability Management dashboard for Devices":::
-Area | Description
+Area|Description
:|:
-**Selected device groups (#/#)** | Filter the threat and vulnerability management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the threat and vulnerability management pages.
-[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
-[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
-**Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
-**Top security recommendations** | See the collated security recommendations that are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list. Select **Show exceptions** for the list of recommendations that have an exception.
-**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
-**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
-**Top exposed devices** | View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device.
+**Selected device groups (#/#)**|Filter the threat and vulnerability management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the threat and vulnerability management pages.
+[**Exposure score**](tvm-exposure-score.md)|See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
+[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md)|See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
+**Device exposure distribution**|See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
+**Top security recommendations**|See the collated security recommendations that are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list. Select **Show exceptions** for the list of recommendations that have an exception.
+**Top vulnerable software**|Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
+**Top remediation activities**|Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
+**Top exposed devices**|View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device.
For more information on the icons used throughout the portal, see [Microsoft Defender for Endpoint icons](portal-overview.md#microsoft-defender-for-endpoint-icons). - ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
For more information on the icons used throughout the portal, see [Microsoft Def
- [Security recommendations](tvm-security-recommendation.md) - [Software inventory](tvm-software-inventory.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md)-
security Tvm End Of Support Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-end-of-support-software.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
End-of-support (EOS), otherwise known as end-of-life (EOL), for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
security Tvm Exception https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-exception.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present.
When an exception is created for a recommendation, the recommendation will not b
## Permissions
-Only users with ΓÇ£exceptions handlingΓÇ¥ permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](user-roles.md).
+Only users with "exceptions handling" permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](user-roles.md).
![View of exception handling permission.](images/tvm-exception-permissions.png)
Select a security recommendation you would like create an exception for, and the
### Exception by device group
-Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from ΓÇ£activeΓÇ¥ to ΓÇ£partial exception.ΓÇ¥ The state will change to ΓÇ£full exceptionΓÇ¥ if you select all the device groups.
+Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from "active" to "partial exception." The state will change to "full exception" if you select all the device groups.
![Showing device group dropdown.](images/tvm-exception-device-group-500.png)
A flyout will appear where you can search and choose device groups you want incl
### Global exceptions
-If you have global administrator permissions, you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from ΓÇ£activeΓÇ¥ to ΓÇ£full exception.ΓÇ¥
+If you have global administrator permissions, you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from "active" to "full exception."
![Showing global exception option.](images/tvm-exception-global.png)
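Review bot: In the global exceptions paragraph, "only a user with similar permission would be able to change it" is vague for a control that covers all current and future device groups. The sentence already opens with "global administrator permissions", so name that role again instead of "similar permission", so readers know exactly who can cancel a global exception.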
In the Security Recommendations page, select **Customize columns** and check the
![Showing customize columns options.](images/tvm-after-exceptions.png)
-The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ΓÇÿthird party controlΓÇÖ and ΓÇÿalternate mitigationΓÇÖ. Other justifications do not reduce the exposure of a device, and they are still considered exposed.
+The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include 'third party control' and 'alternate mitigation'. Other justifications do not reduce the exposure of a device, and they are still considered exposed.
-The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ΓÇÿthird party controlΓÇÖ and ΓÇÿalternate mitigation.ΓÇÖ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.
+The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include 'third party control' and 'alternate mitigation.' Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.
![Showing the columns in the table.](images/tvm-after-exceptions-table.png)
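Review bot: The two replaced paragraphs punctuate the same quoted justification differently: the exposed devices line ends with 'alternate mitigation'. while the impact line ends with 'alternate mitigation.' Pick one placement for the period and use it in both, since these are the names readers will look for in the justification dropdown.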
security Tvm Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-exposure-score.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Your exposure score is visible in the [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft 365 Defender portal. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation.
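Review bot: The unchanged intro line reads "Low exposure score means your devices are less vulnerable from exploitation"; while this file is open, change it to "A low exposure score means your devices are less vulnerable to exploitation".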
The card gives you a high-level view of your exposure score trend over time. Any
The exposure score is broken down into the following levels: -- 0ΓÇô29: low exposure score-- 30ΓÇô69: medium exposure score-- 70ΓÇô100: high exposure score
+- 0-29: low exposure score
+- 30-69: medium exposure score
+- 70-100: high exposure score
You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
security Tvm Hunt Exposed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-hunt-exposed-devices.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
## Use advanced hunting to find devices with vulnerabilities
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
>[!NOTE]
security Tvm Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-prerequisites.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Ensure that your devices:
security Tvm Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-remediation.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
## Request remediation
security Tvm Supported Os https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-supported-os.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for.
->[!NOTE]
->The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) list.
+> [!NOTE]
+> The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) list.
## Capabilities per supported operating systems (OS) and platforms In the following table, "Yes" indicates that a threat and vulnerability management capability is supported for the OS or platform on that row.
-Supported OS or platform | OS vulnerabilities | Software product vulnerabilities | OS configuration assessment | Security controls configuration assessment | Software product configuration assessment
+Supported OS or platform|OS vulnerabilities|Software product vulnerabilities|OS configuration assessment|Security controls configuration assessment|Software product configuration assessment
:|:|:|:|:|:
-Windows 7 | Yes | Not supported | Not supported | Not supported | Not supported
-Windows 8.1 | Yes | Yes | Yes | Yes| Yes
-Windows 10, versions 1607-1703 | Yes | Not supported | Not supported | Not supported | Not supported
-Windows 10, version 1709 or later | Yes | Yes | Yes | Yes | Yes
-Windows Server 2008 R2 | Yes | Yes | Yes | Yes | Yes
-Windows Server 2012 R2 | Yes | Yes | Yes | Yes | Yes
-Windows Server 2016 | Yes | Yes | Yes | Yes | Yes
-Windows Server 2019 | Yes | Yes | Yes | Yes | Yes
-macOS 10.14 "Mojave" and above | Yes | Yes | Yes | Yes | Yes
-Red Hat Enterprise Linux 7.2 or higher (\* See "Important" notice below) | Yes | Yes | Yes | Yes | Yes
-CentOS 7.2 or higher | Yes | Yes | Yes | Yes | Yes
-Ubuntu 16.04 LTS or higher LTS | Yes | Yes | Yes | Yes | Yes
-Oracle Linux 7.2 or higher | Yes | Yes | Yes | Yes | Yes
-SUSE Linux Enterprise Server 12 or higher | Yes | Yes | Yes | Yes | Yes
+Windows 7|Yes|Not supported|Not supported|Not supported|Not supported
+Windows 8.1|Yes|Yes|Yes|Yes|Yes
+Windows 10, versions 1607-1703|Yes|Not supported|Not supported|Not supported|Not supported
+Windows 10, version 1709 or later|Yes|Yes|Yes|Yes|Yes
+Windows Server 2008 R2|Yes|Yes|Yes|Yes|Yes
+Windows Server 2012 R2|Yes|Yes|Yes|Yes|Yes
+Windows Server 2016|Yes|Yes|Yes|Yes|Yes
+Windows Server 2019|Yes|Yes|Yes|Yes|Yes
+macOS 10.14 "Mojave" and above|Yes|Yes|Yes|Yes|Yes
+Red Hat Enterprise Linux 7.2 or higher (\* See "Important" notice below)|Yes|Yes|Yes|Yes|Yes
+CentOS 7.2 or higher|Yes|Yes|Yes|Yes|Yes
+Ubuntu 16.04 LTS or higher LTS|Yes|Yes|Yes|Yes|Yes
+Oracle Linux 7.2 or higher|Yes|Yes|Yes|Yes|Yes
+SUSE Linux Enterprise Server 12 or higher|Yes|Yes|Yes|Yes|Yes
->[!NOTE]
+> [!NOTE]
> Some features are not available for down-level Operating System, check the Microsoft 365 Defender Portal for more details on supported OS.
->[!IMPORTANT]
+> [!IMPORTANT]
> \* Red Hat Enterprise Linux:
-> “The vulnerability data provided and shown as part of your Microsoft Defender for Endpoint services is made available to you in its raw form, “AS IS”, from Red Hat, Inc., and might not be up to date. The data that is accessible in the Red Hat Security Data API is licensed under the Creative Commons Attribution 4.0 International License. You bear the risk in using this data. Microsoft and its third-party suppliers disclaim any and all liability for consequential and other indirect damages and implied warranties, including implied warranties of non-infringement, merchantability and fitness for a particular purpose. © 2020 Red Hat. All rights reserved. © 2020 Microsoft. All rights reserved.”
+> "The vulnerability data provided and shown as part of your Microsoft Defender for Endpoint services is made available to you in its raw form, "AS IS", from Red Hat, Inc., and might not be up to date. The data that is accessible in the Red Hat Security Data API is licensed under the Creative Commons Attribution 4.0 International License. You bear the risk in using this data. Microsoft and its third-party suppliers disclaim any and all liability for consequential and other indirect damages and implied warranties, including implied warranties of non-infringement, merchantability and fitness for a particular purpose. © 2020 Red Hat. All rights reserved. © 2020 Microsoft. All rights reserved."
## Related articles
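Review bot: In the Red Hat notice, replacing the curly quotes with straight ones leaves "AS IS" nested inside a passage that is itself wrapped in straight double quotes, so the outer quotation now appears to close at "raw form,". Use single quotes for the inner 'AS IS' or drop the outer pair. Separately, the Ubuntu row still reads "16.04 LTS or higher LTS"; the trailing "LTS" is redundant.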
security Tvm Vulnerable Devices Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-vulnerable-devices-report.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
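Review bot: The unchanged sentence says "understand the breath and scope of your device exposure"; "breath" should be "breadth". Worth fixing in the same pass as the note formatting.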
security Tvm Weaknesses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-weaknesses.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Threat and vulnerability management uses the same signals in Defender for Endpoint's endpoint protection to scan and detect vulnerabilities.
View related weaknesses information in the device page.
Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. The new section is called "Detection Logic" (in any discovered vulnerability in the device page) and shows the detection logic and source.
-The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, weΓÇÖll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS.
+The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we'll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS.
:::image type="content" alt-text="Detection Logic example which lists the software detected on the device and the KBs." source="images/tvm-cve-detection-logic.png":::
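Review bot: The rewritten "OS Feature" paragraph keeps "Let's say Windows Server 2019 has vulnerability in its DNS component", which is missing an article ("has a vulnerability"). It would also help to state the consequence directly: Windows Server 2019 devices without the DNS capability enabled do not get this CVE attached.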
security Tvm Zero Day Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-zero-day-vulnerabilities.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
A zero-day vulnerability is a publicly disclosed vulnerability for which no official patches or security updates have been released. Zero-day vulnerabilities often have high severity levels and are actively exploited.
Once a zero-day vulnerability has been found, information about it will be conve
### Threat and vulnerability management dashboard
-Look for recommendations with a zero-day tag in the ΓÇ£Top security recommendationsΓÇ¥ card.
+Look for recommendations with a zero-day tag in the "Top security recommendations" card.
![Top recommendations with a zero-day tag.](images/tvm-zero-day-top-security-recommendations.png)
Find top software with the zero-day tag in the "Top vulnerable software" card.
Look for the named zero-day vulnerability along with a description and details. -- If this vulnerability has a CVE-ID assigned, youΓÇÖll see the zero-day label next to the CVE name.
+- If this vulnerability has a CVE-ID assigned, you'll see the zero-day label next to the CVE name.
-- If this vulnerability has no CVE-ID assigned, you'll find it under an internal, temporary name that looks like ΓÇ£TVM-XXXX-XXXXΓÇ¥. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel.
+- If this vulnerability has no CVE-ID assigned, you'll find it under an internal, temporary name that looks like "TVM-XXXX-XXXX". The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel.
:::image type="content" alt-text="Zero day example for CVE-2020-17087 in weaknesses page." source="images/tvm-zero-day-weakness-name.png" lightbox="images/tvm-zero-day-weakness-name.png":::
Look for software with the zero-day tag. Filter by the "zero day" tag to only se
### Software page
-Look for a zero-day tag for each software that has been affected by the zeroΓÇôday vulnerability.
+Look for a zero-day tag for each software that has been affected by the zero-day vulnerability.
:::image type="content" alt-text="Zero day example for Windows Server 2016 software page." source="images/tvm-zero-day-software-page.png" lightbox="images/tvm-zero-day-software-page.png":::
Go to the security recommendation page and select a recommendation with a zero-d
There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.
-Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose ΓÇ£update.ΓÇ¥
+Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose "update."
![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-recommendation-flyout400.png)
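Review bot: The added remediation paragraph still contains "older vulnerabilities for this software you wish to remediation"; it should read "you wish to remediate". The quote fix is fine, but this line is being replaced anyway, so correct the verb here.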
Go to the threat and vulnerability management [Remediation](tvm-remediation.md)
## Patching zero-day vulnerabilities
-When a patch is released for the zero-day, the recommendation will be changed to ΓÇ£UpdateΓÇ¥ and a blue label next to it that says ΓÇ£New security update for zero day.ΓÇ¥ It will no longer consider as a zero-day, the zero-day tag will be removed from all pages.
+When a patch is released for the zero-day, the recommendation will be changed to "Update" and a blue label next to it that says "New security update for zero day." It will no longer consider as a zero-day, the zero-day tag will be removed from all pages.
![Recommendation for "Update Microsoft Windows 10" with new patch label.](images/tvm-zero-day-patch.jpg)
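Review bot: The replaced sentence under "Patching zero-day vulnerabilities" is ungrammatical in two places: "and a blue label next to it that says" has no verb, and "It will no longer consider as a zero-day, the zero-day tag will be removed" is a comma splice. Suggest: the recommendation will be changed to "Update" and a blue label that says "New security update for zero day" will appear next to it; it will no longer be considered a zero-day, and the zero-day tag will be removed from all pages.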
security Unisolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/unisolate-machine.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Undo isolation of a device.
+Undo isolation of a device.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Isolate | 'Isolate machine'
-Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
+Application|Machine.Isolate|'Isolate machine'
+Delegated (work or school account)|Machine.Isolate|'Isolate machine'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
POST https://api.securitycenter.microsoft.com/api/machines/{id}/unisolate ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
## Request body+ In the request body, supply a JSON object with the following parameters:
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-Comment | String | Comment to associate with the action. **Required**.
+Comment|String|Comment to associate with the action. **Required**.
## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
## Example
-**Request**
+### Request
Here is an example of the request.
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
{ "Comment": "Unisolate machine since it was clean and validated" }- ``` --- To isolate a device, see [Isolate device](isolate-machine.md).-
+To isolate a device, see [Isolate device](isolate-machine.md).
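Review bot: In the request headers table the Type column reads "String" for Authorization but "string" for Content-Type; the reformatted rows carry the inconsistency over. Use "String" in both, matching the Comment parameter row in the request body table.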
security Unrestrict Code Execution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/unrestrict-code-execution.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Enable execution of any application on the device.
+Enable execution of any application on the device.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.RestrictExecution | 'Restrict code execution'
-Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
+Application|Machine.RestrictExecution|'Restrict code execution'
+Delegated (work or school account)|Machine.RestrictExecution|'Restrict code execution'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
POST https://api.securitycenter.microsoft.com/api/machines/{id}/unrestrictCodeExecution ``` ## Request headers
-Name | Type | Description
+
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
## Request body+ In the request body, supply a JSON object with the following parameters:
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-Comment | String | Comment to associate with the action. **Required**.
+Comment|String|Comment to associate with the action. **Required**.
## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
## Example
-**Request**
+### Request
Here is an example of the request.
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
``` - To restrict code execution on a device, see [Restrict app execution](restrict-code-execution.md).
security Update Alert https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-alert.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description Updates properties of existing [Alert](alerts.md).
-<br>Submission of **comment** is available with or without updating properties.
-<br>Updatable properties are: ```status```, ```determination```, ```classification``` and ```assignedTo```.
+Submission of **comment** is available with or without updating properties.
+
+Updatable properties are: `status`, `determination`, `classification` and `assignedTo`.
## Limitations+ 1. You can update alerts that available in the API. See [List Alerts](get-alerts.md) for more information. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Alerts.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+Application|Alerts.ReadWrite.All|'Read and write all alerts'
+Delegated (work or school account)|Alert.ReadWrite|'Read and write alerts'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
PATCH /api/alerts/{id} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | String | application/json. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|String|application/json. **Required**.
## Request body+ In the request body, supply the values for the relevant fields that should be updated.
-<br>Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
-<br>For best performance you shouldn't include existing values that haven't change.
-Property | Type | Description
+Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
+
+For best performance you shouldn't include existing values that haven't change.
+
+Property|Type|Description
:|:|:
-status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
-assignedTo | String | Owner of the alert
-classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
-determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
-comment | String | Comment to be added to the alert.
+status|String|Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+assignedTo|String|Owner of the alert
+classification|String|Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination|String|Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+comment|String|Comment to be added to the alert.
## Response
-If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found.
+If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found.
## Example
-**Request**
+### Request
Here is an example of the request.
PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_213
```json { "status": "Resolved",
- "assignedTo": "secop2@contoso.com",
+ "assignedTo": "secop2@contoso.com",
"classification": "FalsePositive", "determination": "Malware", "comment": "Resolve my alert and assign to secop2"
security Update Machine Method https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-machine-method.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description+ Updates properties of existing [Machine](machine.md).
-<br>Updatable properties are: ```machineTags``` and ```deviceValue```.
+Updatable properties are: `machineTags` and `deviceValue`.
## Limitations+ 1. You can update machines that are available in the API. 2. Update machine only appends tags to the tag collection. If tags exist, they must be included in the tags collection in the body. 3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.ReadWrite.All | 'Read and write machine information for all machines'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.ReadWrite.All|'Read and write machine information for all machines'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts investigation'. For more information, see [Create and manage roles](user-roles.md).
->- The user needs to have access to the device associated with the alert, based on device group settings. For more information, see [Create and manage device groups](machine-groups.md).
+> - The user needs to have at least the following role permission: 'Alerts investigation'. For more information, see [Create and manage roles](user-roles.md).
+> - The user needs to have access to the device associated with the alert, based on device group settings. For more information, see [Create and manage device groups](machine-groups.md).
## HTTP request
-```
+
+```http
PATCH /api/machines/{machineId} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | String | application/json. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|String|application/json. **Required**.
## Request body+ In the request body, supply the values for the relevant fields that should be updated.
-<br>Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
-<br>For best performance, you shouldn't include existing values that haven't change.
-Property | Type | Description
+Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
+
+For best performance, you shouldn't include existing values that haven't change.
+
+Property|Type|Description
:|:|:
-machineTags | String collection | Set of [machine](machine.md) tags.
-deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'.
+machineTags|String collection|Set of [machine](machine.md) tags.
+deviceValue|Nullable Enum|The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'.
## Response
-If successful, this method returns 200 OK, and the [machine](machine.md) entity in the response body with the updated properties.
+
+If successful, this method returns 200 OK, and the [machine](machine.md) entity in the response body with the updated properties.
+ If machine tags collection in body doesn't contain existing machine tags - 400 Invalid Input and a message informing of the missing tag/s.
-If machine with the specified ID was not found - 404 Not Found.
+If machine with the specified ID was not found - 404 Not Found.
## Example
-**Request**
+### Request
Here's an example of the request.
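Review bot: the NOTE bullets rewritten in the Permissions section still say the user needs access to "the device associated with the alert", wording that belongs to the alert API; for `PATCH /api/machines/{machineId}` it should name the device being updated. The update-alert page adds a bare `>` line between "When obtaining a token using user credentials:" and the list, but this page does not, so the two notes will not be formatted the same way. The added Request body sentence keeps the typo "haven't change", and the added 400 Invalid Input line in the Response section starts with a stray space after the `+`.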
security Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
Microsoft Defender Security Center is the portal where you can access Microsoft Defender for Endpoint capabilities.
security User Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user-roles.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
security User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
security View Incidents Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/view-incidents-queue.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
The **Incidents queue** shows a collection of incidents that were flagged from devices in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
security Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/vulnerability.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - [!include[Prerelease information](../../includes/prerelease.md)] ## Methods
-Method |Return Type |Description
-:|:|:
-[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
-[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
-[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
+Method|Return Type|Description
+:|:|:
+[Get all vulnerabilities](get-all-vulnerabilities.md)|Vulnerability collection|Retrieves a list of all the vulnerabilities affecting the organization
+[Get vulnerability by Id](get-vulnerability-by-id.md)|Vulnerability|Retrieves vulnerability information by its ID
+[List devices by vulnerability](get-machines-by-vulnerability.md)|MachineRef collection|Retrieve a list of devices that are associated with the vulnerability ID
## Properties
-Property | Type | Description
+
+Property|Type|Description
:|:|:
-id | String | Vulnerability ID
-Name | String | Vulnerability title
-Description | String | Vulnerability description
-Severity | String | Vulnerability Severity. Possible values are: ΓÇ£LowΓÇ¥, ΓÇ£MediumΓÇ¥, ΓÇ£HighΓÇ¥, ΓÇ£CriticalΓÇ¥
-cvssV3 | Double | CVSS v3 score
-exposedMachines | Long | Number of exposed devices
-publishedOn | DateTime | Date when vulnerability was published
-updatedOn | DateTime | Date when vulnerability was updated
-publicExploit | Boolean | Public exploit exists
-exploitVerified | Boolean | Exploit is verified to work
-exploitInKit | Boolean | Exploit is part of an exploit kit
-exploitTypes | String collection | Exploit impact. Possible values are: ΓÇ£Denial of serviceΓÇ¥, ΓÇ£Local privilege escalationΓÇ¥, ΓÇ£Denial of serviceΓÇ¥
-exploitUris | String collection | Exploit source URLs
+id|String|Vulnerability ID
+Name|String|Vulnerability title
+Description|String|Vulnerability description
+Severity|String|Vulnerability Severity. Possible values are: "Low", "Medium", "High", "Critical"
+cvssV3|Double|CVSS v3 score
+exposedMachines|Long|Number of exposed devices
+publishedOn|DateTime|Date when vulnerability was published
+updatedOn|DateTime|Date when vulnerability was updated
+publicExploit|Boolean|Public exploit exists
+exploitVerified|Boolean|Exploit is verified to work
+exploitInKit|Boolean|Exploit is part of an exploit kit
+exploitTypes|String collection|Exploit impact. Possible values are: "Denial of service", "Local privilege escalation", "Denial of service"
+exploitUris|String collection|Exploit source URLs
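Review bot: in the Properties table, the `exploitTypes` row lists "Denial of service" twice among its possible values ("Denial of service", "Local privilege escalation", "Denial of service"); the quote cleanup preserved the duplicate, so drop the repeat or replace it with the value that was meant. The rows `Name`, `Description` and `Severity` are capitalised while `id`, `cvssV3` and the remaining properties are camelCase; confirm the casing matches the property names the API returns, since consumers will key on them.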
security Web Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md
Title: Web protection description: Learn about the web protection in Microsoft Defender for Endpoint and how it can protect your organization
-keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites
+keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web protection in Microsoft Defender for Endpoint is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft 365 Defender portal by going to **Reports > Web protection**.
Web protection in Microsoft Defender for Endpoint is a capability made up of [We
The cards that make up web threat protection are **Web threat detections over time** and **Web threat summary**. Web threat protection includes:+ - Comprehensive visibility into web threats affecting your organization - Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the devices that access these URLs - A full set of security features that track general access trends to malicious and unwanted websites
Web threat protection includes:
The cards that comprise web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**. Web content filtering includes:+ - Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away - You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender for Endpoint role-based access control settings](/microsoft-365/security/defender-endpoint/rbac) - You can access web reports in the same central location, with visibility over actual blocks and web usage ## In this section
-Topic | Description
-:|:
+Topic|Description
+|
[Web threat protection](web-threat-protection.md) | Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked. [Web content filtering](web-content-filtering.md) | Track and regulate access to websites based on their content categories.
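Review bot: in the "In this section" table the delimiter row changes from `:|:` to `|`, dropping the left-alignment markers that other tables in this batch keep (`:|:|:` on the update-alert and vulnerability pages). As shown, the new row has no dashes either, so check that it still parses as a table delimiter. The two data rows under it keep the old ` | ` spacing while the header is compacted to `Topic|Description`, which leaves the table styled two ways.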
security Web Protection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-response.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web protection in Microsoft Defender for Endpoint lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list. ## View web threat alerts+ Microsoft Defender for Endpoint generates the following [alerts](manage-alerts.md) for malicious or suspicious web activity:-- **Suspicious connection blocked by network protection** ΓÇö this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is *stopped* by network protection in *block* mode-- **Suspicious connection detected by network protection** ΓÇö this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in *audit only* mode
-Each alert provides the following information:
+- **Suspicious connection blocked by network protection**: This alert is generated when an attempt to access a malicious website or a website in your custom indicator list is *stopped* by network protection in *block* mode
+- **Suspicious connection detected by network protection**: This alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in *audit only* mode
+
+Each alert provides the following information:
+ - Device that attempted to access the blocked website - Application or program used to send the web request - Malicious URL or URL in the custom indicator list
Each alert provides the following information:
![Image of an alert related to web threat protection](images/wtp-alert.png)
->[!Note]
->To reduce the volume of alerts, Microsoft Defender for Endpoint consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md).
+> [!NOTE]
+> To reduce the volume of alerts, Microsoft Defender for Endpoint consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md).
## Inspect website details+ You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that particular URL or domain with various information, including:+ - Devices that attempted to access website - Incidents and alerts related to the website - How frequent the website was seen in events in your organization
You can dive deeper by selecting the URL or domain of the website in the alert.
[Learn more about URL or domain entity pages](investigate-domain.md) ## Inspect the device+ You can also check the device that attempted to access a blocked URL. Selecting the name of the device on the alert page opens a page with comprehensive information about the device. [Learn more about device entity pages](investigate-machines.md)
With web protection in Microsoft Defender for Endpoint, your end users will be p
*Web threat blocked on Chrome* ## Related topics+ - [Web protection overview](web-protection-overview.md) - [Web content filtering](web-content-filtering.md) - [Web threat protection](web-threat-protection.md)
security Web Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-threat-protection.md
Title: Protect your organization against web threats description: Learn about web protection in Microsoft Defender for Endpoint and how it can protect your organization.
-keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
+keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
->[!Note]
->It can take up to an hour for devices to receive new custom indicators.
+> [!NOTE]
+> It can take up to an hour for devices to receive new custom indicators.
## Prerequisites+ Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers. To turn on network protection on your devices:+ - Edit the Defender for Endpoint security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Defender for Endpoint security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline)-- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
+- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
->[!Note]
->If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
+> [!NOTE]
+> If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
## Related topics
security Whats New In Microsoft Defender Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-atp.md
For more information on preview features, see [Preview features](preview.md).
## June 2021 -- [Delta export software vulnerabilities assessment](get-assessment-methods-properties.md#31-methods) API <br> An addition to the [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API collection. <br> Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed" or ΓÇ£how many new vulnerabilities were added to an organization.ΓÇ¥
+- [Delta export software vulnerabilities assessment](get-assessment-methods-properties.md#31-methods) API <br> An addition to the [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API collection. <br> Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed" or "how many new vulnerabilities were added to an organization."
- [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API <br> Adds a collection of APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.
security Api Get Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-get-incident.md
**Applies to:** - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description Retrieves a specific incident by its ID
Retrieves a specific incident by its ID
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions
-One of the following permissions is required to call this API.
+One of the following permissions is required to call this API.
-Permission type | Permission | Permission display name
-:|:|:
-Application | Incident.Read.All | 'Read all Incidents'
-Application | Incident.ReadWrite.All | 'Read and write all Incidents'
-Delegated (work or school account) | Incident.Read | 'Read Incidents'
-Delegated (work or school account) | Incident.ReadWrite | 'Read and write Incidents'
+Permission type|Permission|Permission display name
+||
+Application|Incident.Read.All|'Read all Incidents'
+Application|Incident.ReadWrite.All|'Read and write all Incidents'
+Delegated (work or school account)|Incident.Read|'Read Incidents'
+Delegated (work or school account)|Incident.ReadWrite|'Read and write Incidents'
> [!NOTE] >
Delegated (work or school account) | Incident.ReadWrite | 'Read and write Incide
## HTTP request ```console
-GET .../api/incidents/{id}
+GET .../api/incidents/{id}
``` ## Request headers
-Name | Type | Description
-:|:|:
-Authorization | String | Bearer {token}. **Required**.
+Name|Type|Description
+||
+Authorization|String|Bearer {token}. **Required**.
## Request body
Empty
## Response
-If successful, this method returns 200 OK, and the incident entity in the response body.
+If successful, this method returns 200 OK, and the incident entity in the response body.
If incident with the specified id was not found - 404 Not Found. ## Example
-**Request**
+### Request
Here is an example of the request.
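Review bot: the HTTP request block (`GET .../api/incidents/{id}`) keeps its `console` fence and only loses trailing whitespace, while the alert and machine update pages in this batch retag the same kind of block as `http`; use `http` here as well so the request renders consistently across the API reference. The 404 sentence says "specified id" where the machine page says "specified ID"; settle on one form.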
security Api List Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-list-incidents.md
The API supports the following **OData** operators:
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Access Microsoft 365 Defender APIs](api-access.md)
-Permission type | Permission | Permission display name
--|-|-
-Application | Incident.Read.All | Read all incidents
-Application | Incident.ReadWrite.All | Read and write all incidents
-Delegated (work or school account) | Incident.Read | Read incidents
-Delegated (work or school account) | Incident.ReadWrite | Read and write incidents
-
-> [!Note]
+Permission type|Permission|Permission display name
+||
+Application|Incident.Read.All|Read all incidents
+Application|Incident.ReadWrite.All|Read and write all incidents
+Delegated (work or school account)|Incident.Read|Read incidents
+Delegated (work or school account)|Incident.ReadWrite|Read and write incidents
+
+> [!NOTE]
> When obtaining a token using user credentials: > > - The user needs to have view permission for incidents in the portal.
GET /api/incidents
## Request headers
-Name | Type | Description
--|-|-
-Authorization | String | Bearer {token}. **Required**
-
+Name|Type|Description
+||
+Authorization|String|Bearer {token}. **Required**
## Request body
If successful, this method returns `200 OK`, and a list of [incidents](api-incid
### Incident metadata
-Field name | Description | Example value
--|-|-
-incidentId | Unique identifier to represent the incident | 924565
-redirectIncidentId | Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic. | 924569
-incidentName | String value available for every incident. | Ransomware activity
-createdTime | Time when incident was first created. | 2020-09-06T14:46:57.0733333Z
-lastUpdateTime | Time when the incident was last updated on the backend.<br /><br /> This field can be used when you're setting the request parameter for the range of time that incidents are retrieved. | 2020-09-06T14:46:57.29Z
-assignedTo | Owner of the incident, or *null* if no owner is assigned. | secop2@contoso.com
-classification | The specification for the incident. The property values are: *Unknown*, *FalsePositive*, *TruePositive* | Unknown
-determination | Specifies the determination of the incident. The property values are: *NotAvailable*, *Apt*, *Malware*, *SecurityPersonnel*, *SecurityTesting*, *UnwantedSoftware*, *Other* | NotAvailable
-detectionSource | Specifies source of detection. | MCAS
-status | Categorize incidents (as *Active*, or *Resolved*). It can help you organize and manage your response to incidents. | Active
-severity | Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.<br /><br />One of the following values: *Informational*, *Low*, *Medium, and *High*. | Medium
-tags | Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. | \[\]
-comments | Array of comments created by secops when managing the incident, for example additional information about the classification selection. | \[\]
-alerts | Array containing all of the alerts related to the incident, plus other information, such as severity, entities that were involved in the alert, and the source of the alerts. | \[\] (see details on alert fields below)
+Field name|Description|Example value
+||
+incidentId|Unique identifier to represent the incident|924565
+redirectIncidentId|Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.|924569
+incidentName|String value available for every incident.|Ransomware activity
+createdTime|Time when incident was first created.|2020-09-06T14:46:57.0733333Z
+lastUpdateTime|Time when the incident was last updated on the backend. <p> This field can be used when you're setting the request parameter for the range of time that incidents are retrieved.|2020-09-06T14:46:57.29Z
+assignedTo|Owner of the incident, or *null* if no owner is assigned.|secop2@contoso.com
+classification|The specification for the incident. The property values are: *Unknown*, *FalsePositive*, *TruePositive*|Unknown
+determination|Specifies the determination of the incident. The property values are: *NotAvailable*, *Apt*, *Malware*, *SecurityPersonnel*, *SecurityTesting*, *UnwantedSoftware*, *Other*|NotAvailable
+detectionSource|Specifies source of detection.|MCAS
+status|Categorize incidents (as *Active*, or *Resolved*). It can help you organize and manage your response to incidents.|Active
+severity|Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. <p> One of the following values: *Informational*, *Low*, *Medium, and *High*.|Medium
+tags|Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.|\[\]
+comments|Array of comments created by secops when managing the incident, for example additional information about the classification selection.|\[\]
+alerts|Array containing all of the alerts related to the incident, plus other information, such as severity, entities that were involved in the alert, and the source of the alerts.|\[\] (see details on alert fields below)
### Alerts metadata
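Review bot: In the incident metadata table, the added `severity` row still carries the unbalanced emphasis `*Medium, and *High*` from the removed row, so everything from *Medium* up to the next asterisk is styled as one run. The equivalent row in the alerts table of this same change was corrected to `*Medium*, and *High*`; apply that fix here as well.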
-Field name | Description | Example value
--|-|-
-alertId | Unique identifier to represent the alert | caD70CFEE2-1F54-32DB-9988-3A868A1EBFAC
-incidentId | Unique identifier to represent the incident this alert is associated with | 924565
-serviceSource | Service that the alert originates from, such as Microsoft Defender for Endpoint, Microsoft Cloud App Security, Microsoft Defender for Identity, or Microsoft Defender for Office 365. | MicrosoftCloudAppSecurity
-creationTime | Time when alert was first created. | 2020-09-06T14:46:55.7182276Z
-lastUpdatedTime | Time when alert was last updated at the backend. | 2020-09-06T14:46:57.2433333Z
-resolvedTime | Time when alert was resolved. | 2020-09-10T05:22:59Z
-firstActivity | Time when alert first reported that activity was updated at the backend.| 2020-09-04T05:22:59Z
-title | Brief identifying string value available for each alert. | Ransomware activity
-description | String value describing each alert. | The user Test User2 (testUser2@contoso.com) manipulated 99 files with multiple extensions ending with the uncommon extension *herunterladen*. This is an unusual number of file manipulations and is indicative of a potential ransomware attack.
-category | Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the [MITRE ATT&CKΓäó framework](https://attack.mitre.org/). | Impact
-status | Categorize alerts (as *New*, *Active*, or *Resolved*). It can help you organize and manage your response to alerts. | New
-severity | Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.<br>One of the following values: *Informational*, *Low*, *Medium, and *High*. | Medium
-investigationId | The automated investigation ID triggered by this alert. | 1234
-investigationState | Information on the investigation's current status. One of the following values: *Unknown*, *Terminated*, *SuccessfullyRemediated*, *Benign*, *Failed*, *PartiallyRemediated*, *Running*, *PendingApproval*, *PendingResource*, *PartiallyInvestigated*, *TerminatedByUser*, *TerminatedBySystem*, *Queued*, *InnerFailure*, *PreexistingAlert*, *UnsupportedOs*, *UnsupportedAlertType*, *SuppressedAlert*. | UnsupportedAlertType
-classification | The specification for the incident. The property values are: *Unknown*, *FalsePositive*, *TruePositive*, or *null* | Unknown
-determination | Specifies the determination of the incident. The property values are: *NotAvailable*, *Apt*, *Malware*, *SecurityPersonnel*, *SecurityTesting*, *UnwantedSoftware*, *Other* or *null* | Apt
-assignedTo | Owner of the incident, or *null* if no owner is assigned. | secop2@contoso.com
-actorName | The activity group, if any, the associated with this alert. | BORON
-threatFamilyName | Threat family associated with this alert. | null
-mitreTechniques | The attack techniques, as aligned with the [MITRE ATT&CK](https://attack.mitre.org/)Γäó framework. | \[\]
-devices | All devices where alerts related to the incident were sent. | \[\] (see details on entity fields below)
+Field name|Description|Example value
+||
+alertId|Unique identifier to represent the alert|caD70CFEE2-1F54-32DB-9988-3A868A1EBFAC
+incidentId|Unique identifier to represent the incident this alert is associated with|924565
+serviceSource|Service that the alert originates from, such as Microsoft Defender for Endpoint, Microsoft Cloud App Security, Microsoft Defender for Identity, or Microsoft Defender for Office 365.|MicrosoftCloudAppSecurity
+creationTime|Time when alert was first created.|2020-09-06T14:46:55.7182276Z
+lastUpdatedTime|Time when alert was last updated at the backend.|2020-09-06T14:46:57.2433333Z
+resolvedTime|Time when alert was resolved.|2020-09-10T05:22:59Z
+firstActivity|Time when alert first reported that activity was updated at the backend.|2020-09-04T05:22:59Z
+title|Brief identifying string value available for each alert.|Ransomware activity
+description|String value describing each alert.|The user Test User2 (testUser2@contoso.com) manipulated 99 files with multiple extensions ending with the uncommon extension *herunterladen*. This is an unusual number of file manipulations and is indicative of a potential ransomware attack.
+category|Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the [MITRE ATT&CKΓäó framework](https://attack.mitre.org/).|Impact
+status|Categorize alerts (as *New*, *Active*, or *Resolved*). It can help you organize and manage your response to alerts.|New
+severity|Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.<br>One of the following values: *Informational*, *Low*, *Medium*, and *High*.|Medium
+investigationId|The automated investigation ID triggered by this alert.|1234
+investigationState|Information on the investigation's current status. One of the following values: *Unknown*, *Terminated*, *SuccessfullyRemediated*, *Benign*, *Failed*, *PartiallyRemediated*, *Running*, *PendingApproval*, *PendingResource*, *PartiallyInvestigated*, *TerminatedByUser*, *TerminatedBySystem*, *Queued*, *InnerFailure*, *PreexistingAlert*, *UnsupportedOs*, *UnsupportedAlertType*, *SuppressedAlert*.|UnsupportedAlertType
+classification|The specification for the incident. The property values are: *Unknown*, *FalsePositive*, *TruePositive*, or *null*|Unknown
+determination|Specifies the determination of the incident. The property values are: *NotAvailable*, *Apt*, *Malware*, *SecurityPersonnel*, *SecurityTesting*, *UnwantedSoftware*, *Other* or *null*|Apt
+assignedTo|Owner of the incident, or *null* if no owner is assigned.|secop2@contoso.com
+actorName|The activity group, if any, the associated with this alert.|BORON
+threatFamilyName|Threat family associated with this alert.|null
+mitreTechniques|The attack techniques, as aligned with the [MITRE ATT&CK](https://attack.mitre.org/)Γäó framework.|\[\]
+devices|All devices where alerts related to the incident were sent.|\[\] (see details on entity fields below)
### Device format
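Review bot: In the alerts metadata table, the `firstActivity` description ("Time when alert first reported that activity was updated at the backend.") is carried over unchanged and reads like a splice with the `lastUpdatedTime` text; it should state what the timestamp marks. The same pass could fix `actorName` ("The activity group, if any, the associated with this alert.") and the `classification`, `determination` and `assignedTo` rows, which describe "the incident" although this table documents alert fields.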
-Field name | Description | Example value
--|-|-
-DeviceId | The device ID as designated in Microsoft Defender for Endpoint. | 24c222b0b60fe148eeece49ac83910cc6a7ef491
-aadDeviceId | The device ID as designated in [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis). Only available for domain-joined devices. | null
-deviceDnsName | The fully qualified domain name for the device. | user5cx.middleeast.corp.contoso.com
-osPlatform | The OS platform the device is running.| WindowsServer2016
-osBuild | The build version for the OS the device is running. | 14393
-rbacGroupName | The [role-based access control](/azure/role-based-access-control/overview) (RBAC) group associated with the device. | WDATP-Ring0
-firstSeen | Time when device was first seen. | 2020-02-06T14:16:01.9330135Z
-healthStatus | The health state of the device. | Active
-riskScore | The risk score for the device. | High
-entities | All entities that have been identified to be part of, or related to, a given alert. | \[\] (see details on entity fields below)
+Field name|Description|Example value
+||
+DeviceId|The device ID as designated in Microsoft Defender for Endpoint.|24c222b0b60fe148eeece49ac83910cc6a7ef491
+aadDeviceId|The device ID as designated in [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis). Only available for domain-joined devices.|null
+deviceDnsName|The fully qualified domain name for the device.|user5cx.middleeast.corp.contoso.com
+osPlatform|The OS platform the device is running.|WindowsServer2016
+osBuild|The build version for the OS the device is running.|14393
+rbacGroupName|The [role-based access control](/azure/role-based-access-control/overview) (RBAC) group associated with the device.|WDATP-Ring0
+firstSeen|Time when device was first seen.|2020-02-06T14:16:01.9330135Z
+healthStatus|The health state of the device.|Active
+riskScore|The risk score for the device.|High
+entities|All entities that have been identified to be part of, or related to, a given alert.|\[\] (see details on entity fields below)
### Entity Format
-Field name | Description | Example value
--|-|-
-entityType | Entities that have been identified to be part of, or related to, a given alert.<br>The properties values are: *User*, *Ip*, *Url*, *File*, *Process*, *MailBox*, *MailMessage*, *MailCluster*, *Registry* | User
-sha1 | Available if entityType is *File*.<br>The file hash for alerts associated with a file or process. | 5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd
-sha256 | Available if entityType is *File*.<br>The file hash for alerts associated with a file or process. | 28cb017dfc99073aa1b47c1b30f413e3ce774c4991eb4158de50f9dbb36d8043
-fileName | Available if entityType is *File*.<br>The file name for alerts associated with a file or process | Detector.UnitTests.dll
-filePath | Available if entityType is *File*.<br>The file path for alerts associated with a file or process | C:\\\agent_work_temp\Deploy\SYSTEM\2020-09-06 12_14_54\Out
-processId | Available if entityType is *Process*. | 24348
-processCommandLine | Available if entityType is *Process*. | "Your File Is Ready To Download\_1911150169.exe"
-processCreationTime | Available if entityType is *Process*. | 2020-07-18T03:25:38.5269993Z
-parentProcessId | Available if entityType is *Process*. | 16840
-parentProcessCreationTime | Available if entityType is *Process*. | 2020-07-18T02:12:32.8616797Z
-ipAddress | Available if entityType is *Ip*. <br>IP address for alerts associated with network events, such as *Communication to a malicious network destination*. | 62.216.203.204
-url | Available if entityType is *Url*. <br>Url for alerts associated to network events, such as, *Communication to a malicious network destination*. | down.esales360.cn
-accountName | Available if entityType is *User*. | testUser2
-domainName | Available if entityType is *User*. | europe.corp.contoso
-userSid | Available if entityType is *User*. | S-1-5-21-1721254763-462695806-1538882281-4156657
-aadUserId | Available if entityType is *User*. | fc8f7484-f813-4db2-afab-bc1507913fb6
-userPrincipalName | Available if entityType is *User*/*MailBox*/*MailMessage*. | testUser2@contoso.com
-mailboxDisplayName | Available if entityType is *MailBox*. | test User2
-mailboxAddress | Available if entityType is *User*/*MailBox*/*MailMessage*. | testUser2@contoso.com
-clusterBy | Available if entityType is *MailCluster*. | Subject;P2SenderDomain;ContentType
-sender | Available if entityType is *User*/*MailBox*/*MailMessage*. | user.abc@mail.contoso.co.in
-recipient | Available if entityType is *MailMessage*. | testUser2@contoso.com
-subject | Available if entityType is *MailMessage*. | \[EXTERNAL\] Attention
-deliveryAction | Available if entityType is *MailMessage*. | Delivered
-securityGroupId | Available if entityType is *SecurityGroup*. | 301c47c8-e15f-4059-ab09-e2ba9ffd372b
-securityGroupName | Available if entityType is *SecurityGroup*. | Network Configuration Operators
-registryHive | Available if entityType is *Registry*. | HKEY\_LOCAL\_MACHINE |
-registryKey | Available if entityType is *Registry*. | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
-registryValueType | Available if entityType is *Registry*. | String
-registryValue | Available if entityType is *Registry*. | 31-00-00-00
-deviceId | The ID, if any, of the device related to the entity. | 986e5df8b73dacd43c8917d17e523e76b13c75cd
+Field name|Description|Example value
+||
+entityType|Entities that have been identified to be part of, or related to, a given alert.<br>The properties values are: *User*, *Ip*, *Url*, *File*, *Process*, *MailBox*, *MailMessage*, *MailCluster*, *Registry*|User
+sha1|Available if entityType is *File*.<br>The file hash for alerts associated with a file or process.|5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd
+sha256|Available if entityType is *File*.<br>The file hash for alerts associated with a file or process.|28cb017dfc99073aa1b47c1b30f413e3ce774c4991eb4158de50f9dbb36d8043
+fileName|Available if entityType is *File*.<br>The file name for alerts associated with a file or process|Detector.UnitTests.dll
+filePath|Available if entityType is *File*.<br>The file path for alerts associated with a file or process|C:\\\agent_work_temp\Deploy\SYSTEM\2020-09-06 12_14_54\Out
+processId|Available if entityType is *Process*.|24348
+processCommandLine|Available if entityType is *Process*.|"Your File Is Ready To Download\_1911150169.exe"
+processCreationTime|Available if entityType is *Process*.|2020-07-18T03:25:38.5269993Z
+parentProcessId|Available if entityType is *Process*.|16840
+parentProcessCreationTime|Available if entityType is *Process*.|2020-07-18T02:12:32.8616797Z
+ipAddress|Available if entityType is *Ip*. <br>IP address for alerts associated with network events, such as *Communication to a malicious network destination*.|62.216.203.204
+url|Available if entityType is *Url*. <br>Url for alerts associated to network events, such as, *Communication to a malicious network destination*.|down.esales360.cn
+accountName|Available if entityType is *User*.|testUser2
+domainName|Available if entityType is *User*.|europe.corp.contoso
+userSid|Available if entityType is *User*.|S-1-5-21-1721254763-462695806-1538882281-4156657
+aadUserId|Available if entityType is *User*.|fc8f7484-f813-4db2-afab-bc1507913fb6
+userPrincipalName|Available if entityType is *User*/*MailBox*/*MailMessage*.|testUser2@contoso.com
+mailboxDisplayName|Available if entityType is *MailBox*.|test User2
+mailboxAddress|Available if entityType is *User*/*MailBox*/*MailMessage*.|testUser2@contoso.com
+clusterBy|Available if entityType is *MailCluster*.|Subject;P2SenderDomain;ContentType
+sender|Available if entityType is *User*/*MailBox*/*MailMessage*.|user.abc@mail.contoso.co.in
+recipient|Available if entityType is *MailMessage*.|testUser2@contoso.com
+subject|Available if entityType is *MailMessage*.|\[EXTERNAL\] Attention
+deliveryAction|Available if entityType is *MailMessage*.|Delivered
+securityGroupId|Available if entityType is *SecurityGroup*.|301c47c8-e15f-4059-ab09-e2ba9ffd372b
+securityGroupName|Available if entityType is *SecurityGroup*.|Network Configuration Operators
+registryHive|Available if entityType is *Registry*.|HKEY\_LOCAL\_MACHINE|
+registryKey|Available if entityType is *Registry*.|SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
+registryValueType|Available if entityType is *Registry*.|String
+registryValue|Available if entityType is *Registry*.|31-00-00-00
+deviceId|The ID, if any, of the device related to the entity.|986e5df8b73dacd43c8917d17e523e76b13c75cd
## Example
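Review bot: The `entityType` row of the entity table lists *User*, *Ip*, *Url*, *File*, *Process*, *MailBox*, *MailMessage*, *MailCluster* and *Registry*, but `securityGroupId` and `securityGroupName` further down are documented as "Available if entityType is *SecurityGroup*", so the value list is incomplete or those two rows are wrong. Also, the added `registryHive` row keeps a trailing `|` after `HKEY\_LOCAL\_MACHINE`, which gives that row a fourth, empty cell; drop it so the row matches the three-column header.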
-### Request
+### Request example
```HTTP GET https://api.security.microsoft.com/api/incidents ```
-### Response
+### Response example
```json {
security Api Update Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-update-incidents.md
ms.prod: m365-security
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH
audience: ITPro
+search.appverid:
- MOE150 - MET150 ms.technology: m365d
ms.technology: m365d
## API description
-Updates properties of existing incident. Updatable properties are: ```status```, ```determination```, ```classification```, ```assignedTo```, ```tags```, and ```comments```.
+Updates properties of existing incident. Updatable properties are: `status`, `determination`, `classification`, `assignedTo`, `tags`, and `comments`.
### Quotas, resource allocation, and other constraints
If your request is throttled, it will return a `429` response code. The response
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Access the Microsoft 365 Defender APIs](api-access.md).
-Permission type | Permission | Permission display name
--|-|-
-Application | Incident.ReadWrite.All | Read and write all incidents
-Delegated (work or school account) | Incident.ReadWrite | Read and write incidents
+Permission type|Permission|Permission display name
+||
+Application|Incident.ReadWrite.All|Read and write all incidents
+Delegated (work or school account)|Incident.ReadWrite|Read and write incidents
> [!NOTE] > When obtaining a token using user credentials, the user needs to have permission to update the incident in the portal.
PATCH /api/incidents/{id}
## Request headers
-Name | Type | Description
--|-|-
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | String | application/json. **Required**.
+Name|Type|Description
+||
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|String|application/json. **Required**.
## Request body In the request body, supply the values for the fields that should be updated. Existing properties that aren't included in the request body will maintain their values, unless they have to be recalculated due to changes to related values. For best performance, you should omit existing values that haven't changed.
-Property | Type | Description
--|-|-
-status | Enum | Specifies the current status of the incident. Possible values are: ```Active```, ```Resolved```, and ```Redirected```.
-assignedTo | string | Owner of the incident.
-classification | Enum | Specification of the incident. Possible values are: ```Unknown```, ```FalsePositive```, ```TruePositive```.
-determination | Enum | Specifies the determination of the incident. Possible values are: ```NotAvailable```, ```Apt```, ```Malware```, ```SecurityPersonnel```, ```SecurityTesting```, ```UnwantedSoftware```, ```Other```.
-tags | string List | List of Incident tags.
-comment | string | Comment to be added to the incident.
+Property|Type|Description
+||
+status|Enum|Specifies the current status of the incident. Possible values are: `Active`, `Resolved`, and `Redirected`.
+assignedTo|string|Owner of the incident.
+classification|Enum|Specification of the incident. Possible values are: `Unknown`, `FalsePositive`, `TruePositive`.
+determination|Enum|Specifies the determination of the incident. Possible values are: `NotAvailable`, `Apt`, `Malware`, `SecurityPersonnel`, `SecurityTesting`, `UnwantedSoftware`, `Other`.
+tags|string List|List of Incident tags.
+comment|string|Comment to be added to the incident.
## Response
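Review bot: The request-body table names the property `comment`, while the API description edited earlier in this same file lists the updatable properties as `status`, `determination`, `classification`, `assignedTo`, `tags`, and `comments`. A caller cannot tell from the page which key the PATCH body expects; settle on one spelling in both places, and if both exist (a `comment` to add versus a `comments` array returned), say so explicitly in the description column.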
If successful, this method returns `200 OK`. The response body will contain the
## Example
-**Request**
+### Request example
Here's an example of the request.
Here's an example of the request.
PATCH https://api.security.microsoft.com/api/incidents/{id} ```
-**Response**
+### Response example
```json {
security Use Dkim To Validate Outbound Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
ms.prod: m365-security
In this article: - [How DKIM works better than SPF alone to prevent malicious spoofing](#how-dkim-works-better-than-spf-alone-to-prevent-malicious-spoofing)-- [Steps to enable and disable DKIM from Microsoft 365 Defender portal]
+- [Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal](#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal)
- [Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys](#steps-to-manually-upgrade-your-1024-bit-keys-to-2048-bit-dkim-encryption-keys) - [Steps to manually set up DKIM](#steps-to-manually-set-up-dkim) - [Steps to configure DKIM for more than one custom domain](#to-configure-dkim-for-more-than-one-custom-domain)
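Review bot: The added table-of-contents entry capitalizes "Create" mid-phrase ("Steps to Create, enable and disable DKIM ...") while the neighbouring entries use sentence case; lower-case it for consistency. The new link target `#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal` only resolves if the section heading was renamed to match, and this hunk shows only the list change, so confirm the heading text was updated in the same commit.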
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
## July 2021 -- [Email analysis improvements in automated investigations](email-analysis-investigations)
+- [Email analysis improvements in automated investigations](email-analysis-investigations.md)
## June 2021
solutions Empower People To Work Remotely Security Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely-security-compliance.md
Here are the features of Microsoft 365 that provide security and compliance serv
Protect your applications and data with these security features of Microsoft 365.
-| Capability or feature | Why I need it | Licensing |
-|:-|:--|:-|
-| Microsoft Defender for Office 365 | Protect your Microsoft 365 apps and dataΓÇösuch as email messages, Office documents, and collaboration toolsΓÇöfrom attack. <br><br> Microsoft Defender for Office 365 collects and analyzes signals from your apps for detection, investigation, and remediation of security risks and safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. It also provides automated tenant configuration assessment and configuration tooling for standard and strict security postures. | Microsoft 365 E3 or E5 |
-| Malware protection | ΓÇÄMicrosoft Defender Antivirus and Device Guard provides device-based malware protection. <br><br> SharePointΓÇÄ Online automatically scans file uploads for known malware. ΓÇÄ<br><br> Exchange Online ProtectionΓÇÄ (ΓÇÄEOPΓÇÄ) secures cloud mailboxes. | Microsoft 365 E3 or E5 |
-| Microsoft Defender for Endpoint | Protect your organizationΓÇÖs devices from cyber threats and data breaches and detect, investigate, and respond to advanced threats. | Microsoft 365 E5 |
-| Cloud App Security | Protect your cloud-based servicesΓÇöboth Microsoft 365 and other SaaS appsΓÇöfrom attack. | Microsoft 365 E5 or individual Cloud App Security licenses |
-| Azure AD Identity Protection | Automate detection and remediation of identity-based risks. <br><br>Create risk-based Conditional Access policies to require multi-factor authentication (MFA) for risky sign-ins. | Microsoft 365 E5 or E3 with Azure AD Premium P2 licenses |
+|Capability or feature|Why I need it|Licensing|
+||||
+|Microsoft Defender for Office 365|Protect your Microsoft 365 apps and dataΓÇösuch as email messages, Office documents, and collaboration toolsΓÇöfrom attack. <p> Microsoft Defender for Office 365 collects and analyzes signals from your apps for detection, investigation, and remediation of security risks and safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. It also provides automated tenant configuration assessment and configuration tooling for standard and strict security postures.|Microsoft 365 E3 or E5|
+|Malware protection|Microsoft Defender Antivirus and Device Guard provides device-based malware protection. <p> SharePoint Online automatically scans file uploads for known malware. <p> Exchange Online Protection (EOP) secures cloud mailboxes.|Microsoft 365 E3 or E5|
+|Microsoft Defender for Endpoint|Protect your organizationΓÇÖs devices from cyber threats and data breaches and detect, investigate, and respond to advanced threats.|Microsoft 365 E5|
+|Cloud App Security|Protect your cloud-based servicesΓÇöboth Microsoft 365 and other SaaS appsΓÇöfrom attack.|Microsoft 365 E5 or individual Cloud App Security licenses|
+|Azure AD Identity Protection|Automate detection and remediation of identity-based risks. <p>Create risk-based Conditional Access policies to require multi-factor authentication (MFA) for risky sign-ins.|Microsoft 365 E5 or E3 with Azure AD Premium P2 licenses|
|||| You first step should be to learn about and use [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score).
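Review bot: The rewritten security-features table replaces `<br><br>` with a bare `<p>` that is never closed inside the cell, and the spacing after it is inconsistent (`<p> Microsoft Defender for Office 365 collects` in one row, `<p>Create risk-based` in another). Either keep `<br><br>` or use one consistent form throughout. The new delimiter row `||||` also drops the `:-` alignment markers of the removed row and contains no hyphens, which makes it indistinguishable from the empty `||||` row that still follows the table.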
For information about security across Microsoft 365, see [Microsoft 365 security
Comply with internal policies or regulatory requirements with these compliance features of Microsoft 365.
-| Capability or feature | Why I need it | Licensing |
-|:-|:--|:-|
-| Sensitivity labels | Classify and protect your organization's data without hindering the productivity of users and their ability to collaborate by placing labels with various levels of protection on email, files, or sites. | Microsoft 365 E3 or E5 |
-| Data Loss Protection (DLP) | Detect, warn, and block risky, inadvertent, or inappropriate sharing, such as sharing of data containing personal information, both internally and externally. | Microsoft 365 E3 or E5 |
-| Conditional Access App Control | Prevent sensitive data from being downloaded to users' personal devices. | Microsoft 365 E3 or E5 |
-| Data retention labels and policies | Implement information governance controls, such as how long to keep data and requirements on the storage of personal data on customers, to comply with your organization's policies or data regulations. | Microsoft 365 E3 or E5 |
-| Office message encryption (OME) | Send and receive encrypted email messages between people inside and outside your organization that contains regulated data, such as personal data on customers. | Microsoft 365 E3 or E5 |
-| Compliance Manager | Manage regulatory compliance activities related to Microsoft cloud services with this workflow-based risk assessment tool in the Microsoft Service Trust Portal. | Microsoft 365 E3 or E5 |
-| Compliance Manager | See an overall score of your current compliance configuration and recommendations for improving it in the Microsoft 365 compliance center. | Microsoft 365 E3 or E5 |
-| Communication Compliance | Detect, capture, and take remediation actions for inappropriate messages in your organization. | Microsoft 365 E5 or Microsoft 365 E3 with the Compliance or Insider Risk Management add-ons |
-| Insider Risk Management | Detect, investigate, and act on malicious and inadvertent risks in your organization. Microsoft 365 can detect these kinds of risks even when a worker is using an unmanaged device. | Microsoft 365 E5 or Microsoft 365 E3 with the Compliance or Insider Risk Management add-ons |
+|Capability or feature|Why I need it|Licensing|
+||||
+|Sensitivity labels|Classify and protect your organization's data without hindering the productivity of users and their ability to collaborate by placing labels with various levels of protection on email, files, or sites.|Microsoft 365 E3 or E5|
+|Data Loss Protection (DLP)|Detect, warn, and block risky, inadvertent, or inappropriate sharing, such as sharing of data containing personal information, both internally and externally.|Microsoft 365 E3 or E5|
+|Conditional Access App Control|Prevent sensitive data from being downloaded to users' personal devices.|Microsoft 365 E3 or E5|
+|Data retention labels and policies|Implement information governance controls, such as how long to keep data and requirements on the storage of personal data on customers, to comply with your organization's policies or data regulations.|Microsoft 365 E3 or E5|
+|Office message encryption (OME)|Send and receive encrypted email messages between people inside and outside your organization that contains regulated data, such as personal data on customers.|Microsoft 365 E3 or E5|
+|Compliance Manager|Manage regulatory compliance activities related to Microsoft cloud services with this workflow-based risk assessment tool in the Microsoft Service Trust Portal.|Microsoft 365 E3 or E5|
+|Compliance Manager|See an overall score of your current compliance configuration and recommendations for improving it in the Microsoft 365 compliance center.|Microsoft 365 E3 or E5|
+|Communication Compliance|Detect, capture, and take remediation actions for inappropriate messages in your organization.|Microsoft 365 E5 or Microsoft 365 E3 with the Compliance or Insider Risk Management add-ons|
+|Insider Risk Management|Detect, investigate, and act on malicious and inadvertent risks in your organization. Microsoft 365 can detect these kinds of risks even when a worker is using an unmanaged device.|Microsoft 365 E5 or Microsoft 365 E3 with the Compliance or Insider Risk Management add-ons|
|||| See [Quick tasks for getting started with Microsoft 365 compliance](../compliance/compliance-quick-tasks.md) for more information.
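Review bot: Two product names in the first column of the added rows do not match Microsoft's own naming: `Data Loss Protection (DLP)` should read "Data loss prevention (DLP)", and `Office message encryption (OME)` should read "Office 365 Message Encryption (OME)". Compliance Manager also appears in two consecutive rows with different descriptions; merge them into one row or distinguish the two entries in the first column so a reader scanning for licensing does not take them for duplicates. In the OME row, "messages ... that contains regulated data" should be "contain".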
solutions Empower People To Work Remotely https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely.md
For a seamless sign-in experience, your on-premises Active Directory Domain Serv
To enable the capabilities of Microsoft 365 for your hybrid workers, use these Microsoft 365 features.
-| Capability or feature | Description | Licensing |
-|:-|:--|:-|
-| MFA enforced with security defaults | Protect against compromised identities and devices by requiring a second form of authentication for sign-ins. Security defaults requires MFA for all user accounts. | Microsoft 365 E3 or E5 |
-| MFA enforced with Conditional Access| Require MFA based on the properties of the sign-in with Conditional Access policies. | Microsoft 365 E3 or E5 |
-| MFA enforced with risk-based Conditional Access | Require MFA based on the risk of the user sign-in with Microsoft Defender for Identity. | Microsoft 365 E5 or E3 with Azure AD Premium P2 licenses |
-| Self-Service Password Reset (SSPR) | Allow your users to reset or unlock their passwords or accounts. | Microsoft 365 E3 or E5 |
-| Azure AD Application Proxy | Provide secure remote access for web-based applications hosted on intranet servers. | Requires separate paid Azure subscription |
-| Azure Point-to-Site VPN | Create a secure connection from a remote workerΓÇÖs device to your intranet through an Azure virtual network. | Requires separate paid Azure subscription |
-| Windows Virtual Desktop | Support remote workers who can only use their personal and unmanaged devices with virtual desktops running in Azure. | Requires separate paid Azure subscription |
-| Remote Desktop Services (RDS) | Allow employees to connect into Windows-based computers on your intranet. | Microsoft 365 E3 or E5 |
-| Remote Desktop Services Gateway | Encrypt communications and prevent the RDS hosts from being directly exposed to the Internet. | Requires separate Windows Server licenses |
-| Microsoft Intune | Manage devices and applications. | Microsoft 365 E3 or E5 |
-| Configuration Manager | Manage software installations, updates, and settings on your devices | Requires separate Configuration Manager licenses |
-| Desktop Analytics | Determine the update readiness of your Windows clients. | Requires separate Configuration Manager licenses |
-| Windows Autopilot | Set up and pre-configure new Windows 10 devices for productive use. | Microsoft 365 E3 or E5 |
-| Microsoft Teams, Exchange Online, SharePoint Online and OneDrive, Microsoft 365 Apps, Microsoft Power Platform, and Yammer | Create, communicate, and collaborate. | Microsoft 365 E3 or E5 |
+|Capability or feature|Description|Licensing|
+||||
+|MFA enforced with security defaults|Protect against compromised identities and devices by requiring a second form of authentication for sign-ins. Security defaults requires MFA for all user accounts.|Microsoft 365 E3 or E5|
+|MFA enforced with Conditional Access|Require MFA based on the properties of the sign-in with Conditional Access policies.|Microsoft 365 E3 or E5|
+|MFA enforced with risk-based Conditional Access|Require MFA based on the risk of the user sign-in with Microsoft Defender for Identity.|Microsoft 365 E5 or E3 with Azure AD Premium P2 licenses|
+|Self-Service Password Reset (SSPR)|Allow your users to reset or unlock their passwords or accounts.|Microsoft 365 E3 or E5|
+|Azure AD Application Proxy|Provide secure remote access for web-based applications hosted on intranet servers.|Requires separate paid Azure subscription|
+|Azure Point-to-Site VPN|Create a secure connection from a remote workerΓÇÖs device to your intranet through an Azure virtual network.|Requires separate paid Azure subscription|
+|Windows Virtual Desktop|Support remote workers who can only use their personal and unmanaged devices with virtual desktops running in Azure.|Requires separate paid Azure subscription|
+|Remote Desktop Services (RDS)|Allow employees to connect into Windows-based computers on your intranet.|Microsoft 365 E3 or E5|
+|Remote Desktop Services Gateway|Encrypt communications and prevent the RDS hosts from being directly exposed to the Internet.|Requires separate Windows Server licenses|
+|Microsoft Intune|Manage devices and applications.|Microsoft 365 E3 or E5|
+|Configuration Manager|Manage software installations, updates, and settings on your devices|Requires separate Configuration Manager licenses|
+|Desktop Analytics|Determine the update readiness of your Windows clients.|Requires separate Configuration Manager licenses|
+|Windows Autopilot|Set up and pre-configure new Windows 10 devices for productive use.|Microsoft 365 E3 or E5|
+|Microsoft Teams, Exchange Online, SharePoint Online and OneDrive, Microsoft 365 Apps, Microsoft Power Platform, and Yammer|Create, communicate, and collaborate.|Microsoft 365 E3 or E5|
|||| For security and compliance criteria, see [Deploy security and compliance for remote workers](empower-people-to-work-remotely-security-compliance.md).
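Review bot: The added Azure Point-to-Site VPN row still carries the typographic apostrophe in "worker's" (displayed here as `workerΓÇÖs`), while the information-protection-deploy-assess.md hunks in this same change replace it with a straight apostrophe; normalize it here too. The Configuration Manager description is the only one in the table without a closing period. It is also worth confirming the risk-based Conditional Access row: sign-in risk with an Azure AD Premium P2 requirement is an Azure AD Identity Protection feature, so "Microsoft Defender for Identity" looks like the wrong product name.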
solutions Groups Services Interactions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-services-interactions.md
SharePoint sites are created with Owner, Member and Visitor security groups, wit
End users can create groups from several of the services within Microsoft 365, and in others they can only share with a group. The following services allow creation of groups by end users:
-
-Outlook Planner Project for the web SharePoint Stream Microsoft Teams Yammer
-**Restriction of group creation**
+- Outlook
+- Planner
+- Project for the web
+- SharePoint
+- Stream
+- Microsoft Teams
+- Yammer
+
+#### Restriction of group creation
A common approach to control sprawl of teams is to limit which users can create them. This can only be done by limiting the creation of groups. Doing this impacts the ability to create groups from other services where that may be necessary for end-user. Microsoft 365 Groups does not support the ability to restrict the creation of groups from some apps or services while allowing it from others. The experience of group creation restriction varies between apps and - |App or service|Experience|
-|:-|:|
+|||
|Outlook|**New group** option is removed from New menu in people page| |Planner|**New plan** explains that group creation has been turned off and offers to add the plan to an existing group| |Project for the web and Roadmap|**Create group** menu explains that group creation is restricted and suggests using an existing group.|
See the Groups in Microsoft 365 poster for information about different types of
The following table provides an overview of Microsoft 365 Groups interactions with various |Product|Features|Does the service<br>exist without a group?|Can the service<br>create a group?|Does deleting the<br>instance delete the group?|
-|:|:|:|:|:|
+||||||
|Azure AD|Membership, Group controls, Guests|Yes|Yes|Yes| |Exchange|Calendar, mailbox|Yes|Yes|Yes| |Forms|Form|Yes|No|No|
Yes, deleting the group in Yammer will delete related Microsoft group and group-
[Collaboration governance planning step-by-step](collaboration-governance-overview.md#collaboration-governance-planning-step-by-step)
-[Create your collaboration governance plan](collaboration-governance-first.md)
+[Create your collaboration governance plan](collaboration-governance-first.md)
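Review bot: Both table separator rows in this file lose their alignment markers and appear with empty cells (`|||` and `||||||`); confirm the committed source still has dashes in each separator cell, because a Markdown table without them is not recognised as a table. In the unchanged paragraph under the new `#### Restriction of group creation` heading, "where that may be necessary for end-user" reads as an unfinished phrase ("for end users") and could be fixed while this section is being touched. The last removed and added lines on the governance-plan link are identical as displayed, so that change is whitespace or end-of-file only.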
solutions Information Protection Deploy Assess https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-assess.md
The GDPR, the most well-known and cited of the data privacy regulations, regulat
According to GDPR Article 4: -- ΓÇÿpersonal dataΓÇÖ means any information relating to an identified or identifiable natural person (ΓÇÿdata subjectΓÇÖ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
+- 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
### ISO 27001
Many of the data privacy-related regulations have overlapping requirements, so y
For later reference in the articles of this overall solution, this table provides excerpts from a sampling of data privacy regulations.
-| Regulation | Article/section | Excerpt | Applicable technical control categories |
-|:-|:--|:-|:-|
-| GDPR | Article 5(1)(f) | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ('integrity and confidentiality'. | (All) <br> Identity <br> Device <br> Threat Protection <br> Protect information <br> Govern information <br> Discover and respond |
-| | Article (32)(1)(a) | Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data. | Protect information |
-| | Article (13)(2)(a) | "…the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period. | Govern information |
-| | Article (15)(1)(e) | The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and the following information: (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing | Discover and respond |
-| LGPD | Article 46 | Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing. | Protect information <br> Govern information <br> Discover and respond|
-| | Article 48 | The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects. | Discover and respond |
-| HIPPA-HITECH | 45 CFR 164.312(e)(1) | Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | Protect information |
-| | 45 C.F.R. 164.312(e)(2)(ii) | Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. | Protect information |
-| | 45 CFR 164.312(c)(2) | Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | Govern information |
-| | 45 CFR 164.316(b)(1)(i) | If an action, activity, or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment | Govern information |
-| | 45 CFR 164.316(b)(1)(ii) | Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. | Govern information |
-| | 45 C.F.R. 164.308(a)(1)(ii)(D) | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports | Discover and respond |
-| | 45 C.F.R. 164.308(a)(6)(ii) | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. | Discover and respond |
-| | 45 C.F.R. 164.312(b) | Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | Discover and respond |
-| CCPA | 1798.105(c) | A business that receives a verifiable request from a consumer to delete the consumerΓÇÖs personal information pursuant to subdivision (a) of this section shall delete the consumerΓÇÖs personal information from its records and direct any service providers to delete the consumerΓÇÖs personal information from their records | Discover and respond |
-| | 1798.105(d) | (exceptions to 1798.105(c) <br> A business or a service provider shall not be required to comply with a consumerΓÇÖs request to delete the consumerΓÇÖs personal information if it is necessary for the business or service provider to maintain the consumerΓÇÖs personal information in order to: (refer to the current regulation for additional information). | Discover and respond |
+|Regulation|Article/section|Excerpt|Applicable technical control categories|
+|||||
+|GDPR|Article 5(1)(f)|Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ('integrity and confidentiality'.|(All) <br> Identity <br> Device <br> Threat Protection <br> Protect information <br> Govern information <br> Discover and respond|
+||Article (32)(1)(a)|Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data.|Protect information|
+||Article (13)(2)(a)|"…the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.|Govern information|
+||Article (15)(1)(e)|The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and the following information: (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing|Discover and respond|
+|LGPD|Article 46|Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing.|Protect information <br> Govern information <br> Discover and respond|
+||Article 48|The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.|Discover and respond|
+|HIPPA-HITECH|45 CFR 164.312(e)(1)|Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.|Protect information|
+||45 C.F.R. 164.312(e)(2)(ii)|Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.|Protect information|
+||45 CFR 164.312(c)(2)|Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.|Govern information|
+||45 CFR 164.316(b)(1)(i)|If an action, activity, or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment|Govern information|
+||45 CFR 164.316(b)(1)(ii)|Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.|Govern information|
+||45 C.F.R. 164.308(a)(1)(ii)(D)|Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports|Discover and respond|
+||45 C.F.R. 164.308(a)(6)(ii)|Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.|Discover and respond|
+||45 C.F.R. 164.312(b)|Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.|Discover and respond|
+|CCPA|1798.105(c)|A business that receives a verifiable request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records|Discover and respond|
+||1798.105(d)|(exceptions to 1798.105(c) <br> A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to: (refer to the current regulation for additional information).|Discover and respond|
||||| > [!IMPORTANT]
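Review bot: The regulation name in the `HIPPA-HITECH` row is misspelled and survives the reformatting; it should be `HIPAA-HITECH`. Several excerpts have unbalanced punctuation that is also carried over: the GDPR Article 5(1)(f) excerpt ends `('integrity and confidentiality'.` without the closing parenthesis, the Article (13)(2)(a) excerpt opens with a double quote that is never closed, and the 1798.105(d) row opens `(exceptions to 1798.105(c)` without closing it. Citation style is mixed as well (`45 CFR` beside `45 C.F.R.`, and `Article 5(1)(f)` beside `Article (32)(1)(a)`); pick one form for each.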
Data also moves around over time as it is processed, refined, and other versions
### Where the personal data is
-To address data privacy regulations, you canΓÇÖt rely on general notions of where you think personal data might exist, either now or in the future. Data privacy regulations require that organizations prove that they know where personal data is on an ongoing basis. This makes it important to take an initial snapshot of all your data sources for possible storage of personal information, including your Microsoft 365 environment, and establish mechanisms for ongoing monitoring and detection.
+To address data privacy regulations, you can't rely on general notions of where you think personal data might exist, either now or in the future. Data privacy regulations require that organizations prove that they know where personal data is on an ongoing basis. This makes it important to take an initial snapshot of all your data sources for possible storage of personal information, including your Microsoft 365 environment, and establish mechanisms for ongoing monitoring and detection.
If you have not already assessed your overall readiness and risk associated with data privacy regulations, use the following 3-step framework to get started.
Your data privacy exposure in Microsoft 365 may be more limited relative to your
It's also important to think about the following common data privacy compliance challenges when evaluating your risk profile:
+- **Personal data distribution.** How scattered is information about a given subject? Is it known well enough to convince regulatory bodies that proper controls are in place? Can it be investigated and remediated if needed?
- **Protecting against exfiltration.** How do you protect personal data of a given type or source from being compromised and how to respond if it was? - **Protection vs. risk.** What information protection mechanisms are appropriate relative to the risk and how to maintain business continuity and productivity and minimize end-user impact if end-user intervention is required? For example, should manual classification or encryption be used? - **Personal data retention.** How long does information containing personal data need to be kept around for valid business reasons and how to avoid past keep-it-forever practices, balanced with retention needs for business continuity?
Most organizations will have some exposure to one of the above scenarios. Taking
Although specific to GDPR, the questions posed in the free [Microsoft GDPR assessment tool](https://www.microsoft.com/cyberassessment/en/gdpr/uso365) provide a good start towards understanding your overall data privacy readiness.
-Organizations subject to other data privacy regulations, such as CCPA in the United States or BrazilΓÇÖs LGPD, may also benefit from this toolΓÇÖs inventory of readiness due overlapping provisions with the GDPR.
+Organizations subject to other data privacy regulations, such as CCPA in the United States or Brazil's LGPD, may also benefit from this tool's inventory of readiness due overlapping provisions with the GDPR.
GDPR assessment consists of these sections:
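Review bot: The rewritten sentence still reads "due overlapping provisions with the GDPR"; it needs "due to overlapping provisions". Since the line is already being changed for the apostrophes, fix the missing word in the same edit.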
-| Section | Description |
+|Section|Description|
|:-|:--|
-| Governance | <ol><li>Does your privacy policy explicitly state what data information is being processed? </li><li>Do you regularly run Privacy Impact Assessments (PIAs)? </li><li> Do you use a tool to manage personal information (PI)? </li><li> Do you have legal authority to conduct business using PI data on any given individual? Do you track consent for data? </li><li> Do you track, implement, and manage audit controls? Do you monitor for data leaks? </li></ol>|
-| Deletion and notification | <ol><li>Do you give explicit instructions on how users' data can be accessed? </li><li> Do you have documented processes in place for handling opt out consent? </li><li> Do you have an Automated Deletion process for data? </li><li> Do you have a process to validate identity when engaging with a customer? </li></ol>|
-| Risk mitigation and information security | <ol><li>Do you use tools to scan unstructured data? </li><li>Are all servers up to date, and do you leverage firewalls to protect them? </li><li>Do you run regular backups of your servers? </li><li>Do you actively monitor for data leaks? </li><li>Do you encrypt your data at rest and in transmission? </li></ol>|
-| Policy management | <ol><li>How do you manage your Binding Corporate Rules (BCRs)? </li><li>Do you track consent for data? </li><li> On a scale of 1 to 5, 5 being completely covered, do your contracts cover data classifications and handling requirements? </li><li>Do you have and regularly test an incident response plan? </li><li>What policy do you use to manage access? </li></ol>|
+|Governance|<ol><li>Does your privacy policy explicitly state what data information is being processed? </li><li>Do you regularly run Privacy Impact Assessments (PIAs)? </li><li> Do you use a tool to manage personal information (PI)? </li><li> Do you have legal authority to conduct business using PI data on any given individual? Do you track consent for data? </li><li> Do you track, implement, and manage audit controls? Do you monitor for data leaks? </li></ol>|
+|Deletion and notification|<ol><li>Do you give explicit instructions on how users' data can be accessed? </li><li> Do you have documented processes in place for handling opt out consent? </li><li> Do you have an Automated Deletion process for data? </li><li> Do you have a process to validate identity when engaging with a customer? </li></ol>|
+|Risk mitigation and information security|<ol><li>Do you use tools to scan unstructured data? </li><li>Are all servers up to date, and do you leverage firewalls to protect them? </li><li>Do you run regular backups of your servers? </li><li>Do you actively monitor for data leaks? </li><li>Do you encrypt your data at rest and in transmission? </li></ol>|
+|Policy management|<ol><li>How do you manage your Binding Corporate Rules (BCRs)? </li><li>Do you track consent for data? </li><li> On a scale of 1 to 5, 5 being completely covered, do your contracts cover data classifications and handling requirements? </li><li>Do you have and regularly test an incident response plan? </li><li>What policy do you use to manage access? </li></ol>|
|||
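Review bot: The header row is compacted to `|Section|Description|` but the separator below it stays `|:-|:--|`, unlike the other tables in this change, and the empty `|||` row after the last data row is left in place; make the table follow the same pattern as the others and drop the empty trailing row if it is not intentional. Inside the cells, the spacing after `<li>` is still inconsistent (`<li>Does` beside `<li> Do`), which this cleanup pass could normalize.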
-## Step 3: Identify sensitive information types that occur in your Microsoft 365 environment.
+## Step 3: Identify sensitive information types that occur in your Microsoft 365 environment
This step involves identification of particular sensitive information types that are subject to specific regulatory controls, as well as the occurrence of them in your Microsoft 365 environment.
Detailed guidance on the use of Content Search for discovery of personal data is
Additional insights on investigative and remediation techniques for personal data in Microsoft 365 are provided in the [monitor and respond article](information-protection-deploy-monitor-respond.md). > [!NOTE]
-> To Find what sensitive information you have in files stored on-premises, please refer to [Azure Information Protection](/azure/information-protection/quickstart-findsensitiveinfo).
+> To Find what sensitive information you have in files stored on-premises, please refer to [Azure Information Protection](/azure/information-protection/quickstart-findsensitiveinfo).
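Review bot: The note text on the changed line begins "To Find what sensitive information", with a stray capital F; it should read "To find what sensitive information you have in files stored on-premises". The removed and added lines are otherwise identical as displayed, so this is a good place to make that fix.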
solutions Setup Secure Collaboration With Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/setup-secure-collaboration-with-teams.md
ms.audience: ITPro
ms.prod: microsoft-365-enterprise localization_priority: Normal-+ - M365-collaboration - m365solution-securecollab - m365solution-overview-+ - M365solutions - seo-marvel-jun2020 f1.keywords: NOCSH
description: Learn how to set up secure content collaboration in Teams to protec
Being able to easily share information with the right people while preventing oversharing is key to an organization's success. This includes being able to share sensitive data safely with only those who should have access to it. Depending on the project, this might include sharing sensitive data with people outside your organization. This collaboration solution guidance includes two components to help you:+ - Deploy Microsoft Teams with the right level of protection for each project - Configure external sharing with appropriate security settings for each project
Information that is critical to your organization's success, or has stringent se
![Risk scale from low (released brochure) to high (sensitive business data)](../media/solutions-architecture-center/SecureCollaboration-SensitivityAndBusinessImpactofSharing-fromVisio.png)
-For all the scenarios noted above, you can use teams in Microsoft Teams to store, share, and collaborate on the information.
+For all the scenarios noted above, you can use teams in Microsoft Teams to store, share, and collaborate on the information.
To configure secure collaboration, you use these Microsoft 365 capabilities and features.
-| Product or component | Capability or feature | Licensing |
-|:-|:--|:-|
-| Microsoft Defender for Office 365 | Safe Attachments for SPO, OneDrive and Teams; Safe Documents; Safe Links for Teams | Microsoft 365 E1, E3 and E5 |
-| SharePoint | Site and file sharing policies, Site sharing permissions, Sharing links, Access requests, Site guest sharing settings | Microsoft 365 E1, E3 and E5 |
-| Microsoft Teams | Guest access, private teams, private channels | Microsoft 365 E1, E3 and E5 |
-| Microsoft 365 Compliance | Sensitivity labels | Microsoft 365 E3 and E5 |
+|Product or component|Capability or feature|Licensing|
+||||
+|Microsoft Defender for Office 365|Safe Attachments for SPO, OneDrive and Teams; Safe Documents; Safe Links for Teams|Microsoft 365 E1, E3 and E5|
+|SharePoint|Site and file sharing policies, Site sharing permissions, Sharing links, Access requests, Site guest sharing settings|Microsoft 365 E1, E3 and E5|
+|Microsoft Teams|Guest access, private teams, private channels|Microsoft 365 E1, E3 and E5|
+|Microsoft 365 Compliance|Sensitivity labels|Microsoft 365 E3 and E5|
-### Collaboration governance
+## Collaboration governance
Microsoft 365 provides many options for governing your collaboration solution. We recommend you use this deployment content alongside the [collaboration governance content](collaboration-governance-overview.md) to create the best collaboration solution for your organization. ### Using Teams for all kinds of data
-To manage access to information with different sensitivities, we've developed [three different tiers of protection for Teams](configure-teams-three-tiers-protection.md). You can customize any of these tiers to better address the needs or your business.
+To manage access to information with different sensitivities, we've developed [three different tiers of protection for Teams](configure-teams-three-tiers-protection.md). You can customize any of these tiers to better address the needs or your business.
![Graphic of three levels of protection for Teams](../media/solutions-architecture-center/Teams-tiers-of-protection-1.png) - These tiers - *baseline*, *sensitive*, and *highly sensitive* - gradually increase the protections that help prevent oversharing and potential information leakage, as shown in the following table.
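Review bot: The changed sentence still ends "to better address the needs or your business"; "or" should be "of". The removed and added lines look identical here, so the change is whitespace-only and the typo can be corrected in the same edit.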
-|-|**Baseline tier**|**Sensitive tier**|**Highly sensitive tier**|
-|:--|:--|:|:-|
+|-|Baseline tier|Sensitive tier|Highly sensitive tier|
+|||||
|Public or private team|Either|Private|Private| |Unauthenticated sharing|Blocked|Blocked|Blocked| |File sharing|Allowed|Allowed|Only team owners can share.|
Depending on the sensitivity of the information being shared, you can add safegu
If you have a major project with a partner organization, you can use Azure Entitlement Management to manage the guests from that organization in a team that you set up for the project. See [Create a B2B extranet with managed guests](b2b-extranet.md) for details. -- ## Training for administrators These training modules from Microsoft Learn can help you learn the collaboration, governance, and identity features in Teams and SharePoint.
-#### Teams
+### Teams
|Training:|Manage team collaboration with Microsoft Teams|
-|:|:|
-|![Teams collaboration training icon](../media/manage-team-collaboration-with-microsoft-teams.svg)|Manage team collaboration with Microsoft Teams introduces you to the features and capabilities of Microsoft Teams, the central hub for team collaboration in Microsoft 365. YouΓÇÖll learn how you can use Teams to facilitate teamwork and communication within your organization, both on and off premises, on a wide range of devicesΓÇöfrom desktops to tablets to phonesΓÇöwhile taking advantage of all the rich functionality of Office 365 applications. YouΓÇÖll gain an understanding of how Teams provides a comprehensive and flexible environment for collaboration across applications and devices. This learning path can help you prepare for the Microsoft 365 Certified: Teams Administrator Associate certification.<br><br>2 hr 17 min - Learning Path - 5 Modules|
+|||
+|![Teams collaboration training icon](../media/manage-team-collaboration-with-microsoft-teams.svg)|Manage team collaboration with Microsoft Teams introduces you to the features and capabilities of Microsoft Teams, the central hub for team collaboration in Microsoft 365. YouΓÇÖll learn how you can use Teams to facilitate teamwork and communication within your organization, both on and off premises, on a wide range of devicesΓÇöfrom desktops to tablets to phonesΓÇöwhile taking advantage of all the rich functionality of Office 365 applications. YouΓÇÖll gain an understanding of how Teams provides a comprehensive and flexible environment for collaboration across applications and devices. This learning path can help you prepare for the Microsoft 365 Certified: Teams Administrator Associate certification.<p>2 hr 17 min - Learning Path - 5 Modules|
> [!div class="nextstepaction"] > [Start >](/learn/modules/m365-teams-collab-prepare-deployment/introduction/)
-#### SharePoint
+### SharePoint
|Training:|Collaborate with SharePoint in Microsoft 365|
-|:|:|
-|![SharePoint training icon](../media/collaborate-with-sharepoint-in-microsoft-365.svg)|Manage shared content with Microsoft SharePoint introduces you to the features and capabilities of SharePoint, and how it works with Microsoft 365. You'll learn about the different types of SharePoint sites, including hub sites, as well as information protection, reporting, and monitoring. You'll also learn how to use SharePoint file and folder sharing to optimize collaboration, how to share files externally, and how to manage SharePoint sites in the SharePoint admin center. This learning path can help you prepare for the Microsoft 365 Certified: Teamwork Administrator Associate certification.<br><br>1 hr 14 min - Learning Path - 4 Modules|
+|||
+|![SharePoint training icon](../media/collaborate-with-sharepoint-in-microsoft-365.svg)|Manage shared content with Microsoft SharePoint introduces you to the features and capabilities of SharePoint, and how it works with Microsoft 365. You'll learn about the different types of SharePoint sites, including hub sites, as well as information protection, reporting, and monitoring. You'll also learn how to use SharePoint file and folder sharing to optimize collaboration, how to share files externally, and how to manage SharePoint sites in the SharePoint admin center. This learning path can help you prepare for the Microsoft 365 Certified: Teamwork Administrator Associate certification.<p>1 hr 14 min - Learning Path - 4 Modules|
> [!div class="nextstepaction"] > [Start >](/learn/modules/m365-teams-sharepoint-plan-sharepoint/introduction/)
-#### Information protection
+### Information protection
|Training:|Protect enterprise information with Microsoft 365|
-|:|:|
-|![Teams info protection training icon](../media/protect-enterprise-information-microsoft-365.svg)|Protecting and securing your organization's information is more challenging than ever. The Protect enterprise information with Microsoft 365 learning path discusses how to protect your sensitive information from accidental oversharing or misuse, how to discover and classify data, how to protect it with sensitivity labels, and how to both monitor and analyze your sensitive information to protect against its loss. This learning path can help you prepare for the Microsoft 365 Certified: Security Administrator Associate and Microsoft 365 Certified: Enterprise Administration Expert certifications..<br><br>1 hr - Learning Path - 5 Modules|
+|||
+|![Teams info protection training icon](../media/protect-enterprise-information-microsoft-365.svg)|Protecting and securing your organization's information is more challenging than ever. The Protect enterprise information with Microsoft 365 learning path discusses how to protect your sensitive information from accidental oversharing or misuse, how to discover and classify data, how to protect it with sensitivity labels, and how to both monitor and analyze your sensitive information to protect against its loss. This learning path can help you prepare for the Microsoft 365 Certified: Security Administrator Associate and Microsoft 365 Certified: Enterprise Administration Expert certifications..<p>1 hr - Learning Path - 5 Modules|
> [!div class="nextstepaction"] > [Start >](/learn/modules/m365-security-info-overview/introduction/)
-#### Identity and access
+### Identity and access
|Training:|Protect identity and access with Azure Active Directory|
-|:|:|
-|![Identity and access training icon](../media/protect-identity-and-access-with-microsoft-365.svg)|The Identity and Access learning path covers the latest identity and access technologies, tools for strengthening authentication, and guidance on identity protection within your organization. Microsoft access and identity technologies enable you to secure your organizationΓÇÖs identity, whether it is on-premises or in the cloud, and empower your users to work securely from any location. This learning path can help you prepare for the Microsoft 365 Certified: Security Administrator Associate and Microsoft 365 Certified: Enterprise Administration Expert certifications.<br><br>2 hr 52 min - Learning Path - 6 Modules|
+|||
+|![Identity and access training icon](../media/protect-identity-and-access-with-microsoft-365.svg)|The Identity and Access learning path covers the latest identity and access technologies, tools for strengthening authentication, and guidance on identity protection within your organization. Microsoft access and identity technologies enable you to secure your organizationΓÇÖs identity, whether it is on-premises or in the cloud, and empower your users to work securely from any location. This learning path can help you prepare for the Microsoft 365 Certified: Security Administrator Associate and Microsoft 365 Certified: Enterprise Administration Expert certifications.<p>2 hr 52 min - Learning Path - 6 Modules|
> [!div class="nextstepaction"] > [Start >](/learn/modules/m365-identity-overview/introduction/)
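Review bot: in all four training rows the `<br><br>` before the duration text is replaced by a bare `<p>` that is never closed inside the table cell, which leaves the paragraph boundary to each renderer's HTML recovery. Either close it (`<p>2 hr 17 min - Learning Path - 5 Modules</p>`) or keep a self-closing `<br/><br/>`. The Information protection row also still ends with a doubled period in "Expert certifications..", which could be fixed while the line is being touched.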
These training modules from Microsoft Learn can help you learn the collaboration
These training modules can help your users use Teams, groups, and SharePoint for collaboration in Microsoft 365. |Teams|SharePoint|
-|:|:|
+|||
|![Set up and customize your team training icon](../media/set-up-customize-team-training.png)<br>**[Set up and customize your team](https://support.microsoft.com/office/702a2977-e662-4038-bef5-bdf8ee47b17b)**|![SharePoint share and sync training icon](../media/sharepoint-share-sync-training.png)<br>**[Share and sync](https://support.microsoft.com/office/98cb2ff2-c27e-42ea-b055-c2d895f8a5de)**| |![Teams upload and find files training icon](../media/smc-teams-upload-find-files-training.png)<br>**[Upload and find files](https://support.microsoft.com/office/57b669db-678e-424e-b0a0-15d19215cb12)**|| |![Collaborate in teams and channels icon](../media/teams-collaborate-channels-training.png)<br>**[Collaborate in teams and channels](https://support.microsoft.com/office/c3d63c10-77d5-4204-a566-53ddcf723b46)**||
These training modules can help your users use Teams, groups, and SharePoint for
These illustrations will help you understand how groups and teams interact with other services in Microsoft 365 and what governance and compliance features are available to help you manage these services in your organization. ### Groups in Microsoft 365 for IT Architects+ What IT architects need to know about groups in Microsoft 365 |**Item**|**Description**|
-|:--|:--|
-|[![Thumb image for groups infographic](../downloads/msft-m365-groups-architecture-thumb.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-groups.pdf) <br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-groups.pdf) \| [Visio](https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/raw/live/Enterprise/downloads/msft-m365-groups.vsdx) <br> Updated June 2019|These illustrations detail the different types of groups, how these are created and managed, and a few governance recommendations.|
+|||
+|[![Thumb image for groups infographic](../downloads/msft-m365-groups-architecture-thumb.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-groups.pdf) <br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-groups.pdf) \|[Visio](https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/raw/live/Enterprise/downloads/msft-m365-groups.vsdx) <br> Updated June 2019|These illustrations detail the different types of groups, how these are created and managed, and a few governance recommendations.|
### Microsoft Teams and related productivity services in Microsoft 365 for IT architects+ The logical architecture of productivity services in Microsoft 365, leading with Microsoft Teams. |**Item**|**Description**|
-|:--|:--|
-|[![Thumb image for Teams logical architecture poster](../downloads/msft-teams-logical-architecture-thumb.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-teams-logical-architecture.pdf) <br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-teams-logical-architecture.pdf) \| [Visio](https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/raw/live/Enterprise/downloads/msft-m365-teams-logical-architecture.vsdx) <br>Updated April 2019 |Microsoft provides a suite of productivity services that work together to provide collaboration experiences with data governance, security, and compliance capabilities. <br/> <br/>This series of illustrations provides a view into the logical architecture of productivity services for enterprise architects, leading with Microsoft Teams.|
+|||
+|[![Thumb image for Teams logical architecture poster](../downloads/msft-teams-logical-architecture-thumb.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-teams-logical-architecture.pdf) <br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-teams-logical-architecture.pdf) \|[Visio](https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/raw/live/Enterprise/downloads/msft-m365-teams-logical-architecture.vsdx) <br>Updated April 2019|Microsoft provides a suite of productivity services that work together to provide collaboration experiences with data governance, security, and compliance capabilities. <p>This series of illustrations provides a view into the logical architecture of productivity services for enterprise architects, leading with Microsoft Teams.|
## Deploy the secure collaboration solution When you're ready to deploy this solution, continue with these steps:+ 1. Configure the [three different tiers of protection for Teams](configure-teams-three-tiers-protection.md). 2. Configure settings for [sharing information of any sensitivity with people outside your organization](collaborate-with-people-outside-your-organization.md).
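Review bot: in both poster rows the link separator changes from `\| [Visio]` to `\|[Visio]`, so the rendered text becomes "PDF |Visio" with a space on only one side of the pipe. Keep the space after the escaped pipe. The Teams logical architecture description also swaps `<br/> <br/>` for an unclosed `<p>` inside the cell; close it or keep the line breaks.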
solutions Tenant Management Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/tenant-management-overview.md
ms.audience: ITPro
ms.prod: microsoft-365-enterprise localization_priority: Normal-+ - M365-subscription-management - Strat_O365_Enterprise - m365solution-tenantmanagement
description: "An overview of the planning, deployment, and ongoing operation of
Creating a path to your organization's digital transformation with cloud computing requires a firm foundation upon which your workers can rely for productivity, collaboration, performance, privacy, compliance, and security.
-Correct configuration of your Microsoft 365 tenants provides that foundation, leaving your workers to focus on getting their work done and your IT department to focus on end-to-end solutions that provide additional business value.
+Correct configuration of your Microsoft 365 tenants provides that foundation, leaving your workers to focus on getting their work done and your IT department to focus on end-to-end solutions that provide additional business value.
This solution takes you through the configuration of that foundation in these steps:
But first, let's take a moment to understand what a tenant is and what a tenant
A Microsoft 365 tenant is a dedicated instance of the services of Microsoft 365 and your organization data stored within a specific default location, such as Europe or North America. This location is specified when you create the tenant for your organization. Each Microsoft 365 tenant is distinct, unique, and separate from all other Microsoft 365 tenants. You create a Microsoft 365 tenant when you purchase one or more products from Microsoft, such as Microsoft 365 E3 or E5, and a set of licenses for each.
-Your Microsoft 365 tenant also includes an Azure Active Directory (Azure AD) tenant, which is a dedicated instance of Azure AD for user accounts, groups, and other objects. Each Azure AD tenant is distinct, unique, and separate from all other Azure AD tenants. While your organization can have multiple Azure AD tenants that you can set up with Azure subscriptions, Microsoft 365 tenants can only use a single Azure AD tenant, the one that was created when you created the tenant.
+Your Microsoft 365 tenant also includes an Azure Active Directory (Azure AD) tenant, which is a dedicated instance of Azure AD for user accounts, groups, and other objects. Each Azure AD tenant is distinct, unique, and separate from all other Azure AD tenants. While your organization can have multiple Azure AD tenants that you can set up with Azure subscriptions, Microsoft 365 tenants can only use a single Azure AD tenant, the one that was created when you created the tenant.
Here is an example: ![An example Microsoft 365 tenant with its Azure AD tenant](../media/tenant-management-overview/tenant-management-example-tenant.png)
-*Tenant management* is the planning, deployment, and ongoing operation of your Microsoft 365 tenants.
+*Tenant management* is the planning, deployment, and ongoing operation of your Microsoft 365 tenants.
## Attributes of a well-designed and operating tenant
The following sections and table list the key capabilities and licensing for the
### Tenant
-| Capability or feature | Description | Licensing |
-|:-|:--|:-|
-| Multiple tenants | Each Microsoft 365 tenant is distinct, unique, and separate from all other Microsoft 365 tenants. With multiple tenants, there are restrictions and additional considerations when managing them and providing services to your users. | Microsoft 365 E3 or E5 |
-| Cross-tenant mailbox migration | Tenant administrators can move mailboxes between tenants with minimal infrastructure dependencies in their on-premises systems. This removes the need to off-board and onboard mailboxes. | Microsoft 365 E3 or E5 |
-| Multi-Geo | Your tenant can store data at rest in the other datacenter geo locations that you've chosen to meet data residency requirements. | Microsoft 365 E3 or E5 |
-| Move core data to a new datacenter geo | As Microsoft adds new datacenter geos for additional capacity and compute resources, you can request a datacenter geo move for in-geo data residency for your core customer data. | Microsoft 365 E3 or E5 |
+|Capability or feature|Description|Licensing|
+||||
+|Multiple tenants|Each Microsoft 365 tenant is distinct, unique, and separate from all other Microsoft 365 tenants. With multiple tenants, there are restrictions and additional considerations when managing them and providing services to your users.|Microsoft 365 E3 or E5|
+|Cross-tenant mailbox migration|Tenant administrators can move mailboxes between tenants with minimal infrastructure dependencies in their on-premises systems. This removes the need to off-board and onboard mailboxes.|Microsoft 365 E3 or E5|
+|Multi-Geo|Your tenant can store data at rest in the other datacenter geo locations that you've chosen to meet data residency requirements.|Microsoft 365 E3 or E5|
+|Move core data to a new datacenter geo|As Microsoft adds new datacenter geos for additional capacity and compute resources, you can request a datacenter geo move for in-geo data residency for your core customer data.|Microsoft 365 E3 or E5|
|||| ### Networking
-| Capability or feature | Description | Licensing |
-|:-|:--|:-|
-| Network Insights | Network performance metrics collected from your Microsoft 365 tenant to help you design network perimeters for your office locations. | Microsoft 365 E3 or E5 |
-| Automate endpoint updates | Automate the configuration and ongoing updates for Microsoft 365 endpoints in your client PAC files and network devices and services. | Microsoft 365 E3 or E5 |
+|Capability or feature|Description|Licensing|
+||||
+|Network Insights|Network performance metrics collected from your Microsoft 365 tenant to help you design network perimeters for your office locations.|Microsoft 365 E3 or E5|
+|Automate endpoint updates|Automate the configuration and ongoing updates for Microsoft 365 endpoints in your client PAC files and network devices and services.|Microsoft 365 E3 or E5|
|||| ### Identity
-| Capability or feature | Description | Licensing |
-|:-|:--|:-|
-| Synchronize on-premises Active Directory Domain Services (AD DS) with your Azure AD tenant | Leverage your on-premises identity provider for user accounts, groups, and other objects. | Microsoft 365 E3 or E5 |
-| MFA enforced with security defaults | Protect against compromised identities and devices by requiring a second form of authentication for sign-ins. Security defaults requires MFA for all user accounts. | Microsoft 365 E3 or E5 |
-| MFA enforced with Conditional Access| Require MFA based on the attributes of the sign-in with Conditional Access policies. | Microsoft 365 E3 or E5 |
-| MFA enforced with risk-based Conditional Access | Require MFA based on the risk of the user sign-in with Microsoft Defender for Identity. | Microsoft 365 E5 or E3 with Azure AD Premium P2 licenses |
-| Self-Service Password Reset (SSPR) | Allow your users to reset or unlock their passwords or accounts. | Microsoft 365 E3 or E5 |
+|Capability or feature|Description|Licensing|
+||||
+|Synchronize on-premises Active Directory Domain Services (AD DS) with your Azure AD tenant|Leverage your on-premises identity provider for user accounts, groups, and other objects.|Microsoft 365 E3 or E5|
+|MFA enforced with security defaults|Protect against compromised identities and devices by requiring a second form of authentication for sign-ins. Security defaults requires MFA for all user accounts.|Microsoft 365 E3 or E5|
+|MFA enforced with Conditional Access|Require MFA based on the attributes of the sign-in with Conditional Access policies.|Microsoft 365 E3 or E5|
+|MFA enforced with risk-based Conditional Access|Require MFA based on the risk of the user sign-in with Microsoft Defender for Identity.|Microsoft 365 E5 or E3 with Azure AD Premium P2 licenses|
+|Self-Service Password Reset (SSPR)|Allow your users to reset or unlock their passwords or accounts.|Microsoft 365 E3 or E5|
|||| ### Migration
-| Capability or feature | Description | Licensing |
-|:-|:--|:-|
-| Migrate to Windows 10 | Migrate your devices that run Windows 7 or Windows 8.1 to Windows 10 Enterprise. | Windows 10 Enterprise licenses included with Microsoft 365 E3 or E5 |
-| Migrate to Microsoft 365 Apps for enterprise | Migrate your Office client apps such as Word and PowerPoint to the versions installed from the cloud that are updated with new features. | Microsoft 365 E3 or E5 |
-| Migrate on-premises servers and data to Microsoft 365 | Migrate your Exchange mailboxes, SharePoint sites, and Skype for Business Online to Microsoft 365 cloud services. | Microsoft 365 E3 or E5 |
+|Capability or feature|Description|Licensing|
+||||
+|Migrate to Windows 10|Migrate your devices that run Windows 7 or Windows 8.1 to Windows 10 Enterprise.|Windows 10 Enterprise licenses included with Microsoft 365 E3 or E5|
+|Migrate to Microsoft 365 Apps for enterprise|Migrate your Office client apps such as Word and PowerPoint to the versions installed from the cloud that are updated with new features.|Microsoft 365 E3 or E5|
+|Migrate on-premises servers and data to Microsoft 365|Migrate your Exchange mailboxes, SharePoint sites, and Skype for Business Online to Microsoft 365 cloud services.|Microsoft 365 E3 or E5|
|||| ### Device and app management
-| Capability or feature | Description | Licensing |
-|:-|:--|:-|
-| Microsoft Intune | A cloud-based service that provides mobile device management (MDM) and mobile application management (MAM) to control how your organizationΓÇÖs application and the devices are used, including mobile phones, tablets, and laptops. | Microsoft 365 E3 or E5 |
-| Basic Mobility and Security | Secure and manage your users' mobile devices like iPhones, iPads, Androids, and Windows phones with this built-in service. | Microsoft 365 E3 or E5 |
+|Capability or feature|Description|Licensing|
+||||
+|Microsoft Intune|A cloud-based service that provides mobile device management (MDM) and mobile application management (MAM) to control how your organizationΓÇÖs application and the devices are used, including mobile phones, tablets, and laptops.|Microsoft 365 E3 or E5|
+|Basic Mobility and Security|Secure and manage your users' mobile devices like iPhones, iPads, Androids, and Windows phones with this built-in service.|Microsoft 365 E3 or E5|
|||| ## Next steps
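Review bot: the Identity table row "MFA enforced with risk-based Conditional Access" is carried over with its description unchanged, and it still says the sign-in risk comes from Microsoft Defender for Identity. Sign-in risk for Conditional Access is evaluated by Azure AD Identity Protection, which is what the "Azure AD Premium P2" licensing cell in the same row corresponds to. Since this change rewrites the row anyway, correct the product name here. The empty `||||` row that trails each of the five tables is also retained; if it is not intentional padding, it can be dropped in the same pass.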
test-base Contentguideline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/contentguideline.md
f1.keywords: NOCSH
# Test package guidelines
-## 1. Script referencing
+## 1. Script referencing
When you upload a .zip file to the portal, we unzip all the content of that file into a root folder. You do not need to write any code to do this initial unzip operation. You also can reference any file within the .zip by using the path relative to the zip file uploaded.
In the example below, we show how you can reference your binaries/scripts from t
It is important you are aware of the content within your zip file before uploading it. Often when zipping a folder, your local machine will create a main folder underneath the zip file. In this case, the referencing will be as shown in **bold** below:
- **Contoso_App_Folder.zip**
-~~~
+**Contoso_App_Folder.zip**:
+
+```console
Γö£ΓöÇΓöÇ Contoso_App_Folder Γöé Γö£ΓöÇΓöÇ file1.exe
It is important you are aware of the content within your zip file before uploadi
Γöé Γö£ΓöÇΓöÇ folder1
-Γöé Γö£ΓöÇΓöÇ file3.exe
+Γöé Γö£ΓöÇΓöÇ file3.exe
+
+Γöé Γö£ΓöÇΓöÇ script.ps1
+```
-Γöé Γö£ΓöÇΓöÇ script.ps1
-~~~
+- ScriptX.ps1 - **"Contoso_App_Folder/ScriptX.ps1"**
+- Script.ps1 - **"Contoso_App_Folder/folder1/script.ps1"**
- - ScriptX.ps1 ΓÇô **ΓÇ£Contoso_App_Folder/ScriptX.ps1ΓÇ¥**
- - Script.ps1 ΓÇô **ΓÇ£Contoso_App_Folder/folder1/script.ps1ΓÇ¥**
+Other times, your zip file may have your files or content right underneath it (for example, no 2nd-level folder):
-Other times, your zip file may have your files or content right underneath it i.e. no 2nd-level folder:
+**Zip_file_uploaded.zip**:
- **Zip_file_uploaded.zip**
-~~~
+```console
Γö£ΓöÇΓöÇ file1.exe Γö£ΓöÇΓöÇ ScriptX.ps1
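Review bot: the added empty `+` line between `file3.exe` and `script.ps1` sits inside the new console fence for Contoso_App_Folder.zip and splits the `folder1` listing in two; drop it so the tree renders as one block. The fences are tagged `console` although the content is a directory tree rather than a terminal session, so `text` would be the more accurate tag. The reference bullets also name the file `Script.ps1` while the tree and the path both use `script.ps1`; use the same casing in both places, since the path is what readers will copy.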
Other times, your zip file may have your files or content right underneath it i.
Γöé Γö£ΓöÇΓöÇ file3.exe Γöé Γö£ΓöÇΓöÇ script.ps1
-~~~
- - ScriptX.ps1 ΓÇô **ΓÇ£ScriptX.ps1ΓÇ¥**
- - Script.ps1 ΓÇô **ΓÇ£folder1/script.ps1ΓÇ¥**
-
-## 2. Script execution
-
-**Out-of-Box tests:** The application package needs to contain at least three PowerShell scripts that will execute unattended installing, launching, and closing of the application and its dependencies. Each script should handle checking its own prerequisites, validating it succeeded, as well as cleaning up after itself (if necessary).
-
-**Functional tests:** The application package needs to contain at least one PowerShell script. Where more than one script is provided, the scripts are run in upload sequence and a failure in a particular script will stop subsequent scripts from executing.
+```
-### Script requirements
+- ScriptX.ps1 - **"ScriptX.ps1"**
+- Script.ps1 - **"folder1/script.ps1"**
-ΓÇó PowerShell Version 5.1+
+## 2. Script execution
-ΓÇó Unattended execution
+**Out-of-Box tests:** The application package needs to contain at least three PowerShell scripts. These scripts will execute unattended installing, launching, and closing of the application and its dependencies. Each script should handle checking its own prerequisites, validating its own success, and cleaning up after itself (if necessary).
-ΓÇó Error return code
+**Functional tests:** The application package needs to contain at least one PowerShell script. Where more than one script is provided, the scripts are run in upload sequence and a failure in a particular script will stop subsequent scripts from executing.
-ΓÇó Validate success
+### Script requirements
-ΓÇó Logging to script specific log folder
+- PowerShell Version 5.1+
+- Unattended execution
+- Error return code
+- Validate success
+- Logging to script specific log folder
-Each script needs to run completely unattended to successfully execute in the test pipeline.
+Each script needs to run unattended (no user prompts) to successfully execute in the test pipeline.
-> [!Note]
-> Scripts should return ΓÇ£0ΓÇ¥ on successful completion and a non-zero error code if any error occurs during execution.
+> [!NOTE]
+> Scripts should return "0" on successful completion and a non-zero error code if any error occurs during execution.
-Each script should validate that it ran successfully. E.g. the install script should check for the existence of certain binaries and/or registry keys on the system, after the installer binary finishes executing to ensure with a reasonable degree of confidence that the installation was successful.
+Each script should validate that it ran successfully. For example, the install script should check for the existence of certain binaries and/or registry keys on the system after the installer binary finishes executing. This check helps to ensure with a reasonable degree of confidence that the installation was successful.
-This is necessary to properly diagnose where errors occur during a test run, e.g. unable to install the application successfully versus being unable to launch it.
+Validation is necessary to properly diagnose where errors occur during a test run. For example, if the script is unable to install the application successfully versus being unable to launch it.
-> [!Important]
+> [!IMPORTANT]
> **Avoid the following:**
-> Scripts should not reboot the machine, if a reboot is necessary please specify this during the upload of your scripts.
+> Scripts should not reboot the machine, if a reboot is necessary please specify this during the upload of your scripts.
-## 3. Log collection
+## 3. Log collection
-Each script should output any logs it generates into a folder named ```logs```. All folders in the directory named ```logs``` will be copied and presented for download on the ```Test Results``` page.
+Each script should output any logs it generates into a folder named `logs`. All folders in the directory named `logs` will be copied and presented for download on the `Test Results` page.
For example, the installation script (which may be located in the **App/scripts/install** directory) can output its logs to: **logs/install.log**, such that the final log will be at: **Apps/scripts/install/logs/install.log**
-The system will pick up the ```install.log``` file along with other files within other ```logs``` folders and collate it for download.
--
-## 4. Application binaries
+The system will pick up the `install.log` file along with other files within other `logs` folders and collate it for download.
-Any binaries and dependencies should be included in the single zip file.
+## 4. Application binaries
-These should include everything necessary for installation of the application (e.g. the application installer); if the application has a dependency on any frameworks, such as .NET Core/Standard or .NET Framework, these should be included in the file and referenced correctly in the provided scripts.
+Any binaries and dependencies should be included in the single zip file.
+These binaries should include everything necessary for installation of the application (for example, the application installer). If the application has a dependency on any frameworks, such as .NET Core/Standard or .NET Framework, these frameworks should be included in the file and referenced correctly in the provided scripts.
-> [!Note]
+> [!NOTE]
> The uploaded zip file cannot have any spaces or special characters in its name ## Next steps
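Review bot: in section 2, the rewritten sentence "For example, if the script is unable to install the application successfully versus being unable to launch it." is a fragment with no main clause. Something like "For example, it distinguishes a failure to install the application from a failure to launch it." keeps the meaning. In the IMPORTANT block, the reboot sentence is re-added with its comma splice ("...reboot the machine, if a reboot is necessary..."); split it into two sentences. In the section 3 context, the example path starts as **App/scripts/install** and ends as **Apps/scripts/install/logs/install.log**; one of the two is a typo and should be aligned.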
test-base Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/overview.md
localization_priority: Normal
+f1.keywords: NOCSH
-# What is Test Base for Microsoft 365?
+# What is Test Base for Microsoft 365?
-Test Base for Microsoft 365 (Test Base) is MicrosoftΓÇÖs validation service based in the secure Azure environment.
+Test Base for Microsoft 365 (Test Base) is MicrosoftΓÇÖs validation service based in the secure Azure environment.
With Test Base, Software Vendors (SVs) and System Integrators (SIs) can accelerate the validation of their applications against pre-released Windows security and feature builds. This is a highly engaged collaboration between SV partners and Microsoft enabling joint testing, validation and remediation. Test Base provides a great opportunity to build and maintain a secure validation service on Azure, where customers and partners can stage and test their application's workloads against our pre-released security updates. With Test Base, SVs are provided with more visibility into potential issues that could hinder their application(s) from performing at its best on the new OS release before Microsoft releases the update to the market.
-This new service will help SVs make testing efforts simpler and more efficient. Enterprise customers will benefit from SV and Microsoft testing together in a collaborative environment and gain more confidence that their applications will work as expected.
+This new service will help SVs make testing efforts simpler and more efficient. Enterprise customers will benefit from SV and Microsoft testing together in a collaborative environment and gain more confidence that their applications will work as expected.
-### Advantages Test Base offers Enterprises and their SV partners include:
-
- * Faster rollout of security updates to secure your devices;
-
- * Lowered update validation costs by hosting the OS changes and application in the same environment;
-
- * World-class intelligence report from Microsoft about your apps (code coverage, API impact analysis, and so on);
-
- * Microsoft's expertise in shifting test content and harnesses to Azure.
+**Advantages Test Base offers Enterprises and their SV partners include**:
+- Faster rollout of security updates to secure your devices;
+- Lowered update validation costs by hosting the OS changes and application in the same environment;
+- World-class intelligence report from Microsoft about your apps (code coverage, API impact analysis, and so on);
+- Microsoft's expertise in shifting test content and harnesses to Azure.
-### Guide to navigating the Test Base portal
+## Guide to navigating the Test Base portal
This guide is divided into four (4) parts to ensure a hitch free experience while using our service:
-1. The **Overview** which provides detailed, step-by-step guidelines on how to upload your application via our self-serve onboarding portal.
+1. The **Overview** which provides detailed, step-by-step guidelines on how to upload your application via our self-serve onboarding portal.
2. The **Quickstarts** section, which provides information on the format for the zipped folder structure and what you need to know when preparing your test scripts.
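Review bot: the "Advantages Test Base offers..." heading is demoted to a bold paragraph (`**...**:`) while every other `###` heading in the file is promoted to `##`, so this section loses its anchor and its table-of-contents entry. Keeping it as a `##` heading, without the trailing "include:", would be consistent with the rest of the change. In the numbered list, item 1 reads "The **Overview** which provides", without the "section," that item 2 uses; align the wording while the line is being touched.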
This guide is divided into four (4) parts to ensure a hitch free experience whil
4. The **Reference** section that provides answers to the typical questions we receive from our customers.
-### Test Base is in public preview!
+## Test Base is in public preview!
-Test Base has officially been declared ```Public Preview``` during the Microsoft Inspire conference in July 2021.
+Test Base has officially been declared `Public Preview` during the Microsoft Inspire conference in July 2021.
This means anyone with a valid enterprise Azure account is able to onboard their test collateral and quickly start testing their applications on the service.
-### Who should onboard?
+## Who should onboard?
We're encouraging all Software Vendors (SVs), System Integrators (SIs) to onboard their applications, binaries, and test scripts onto the service.
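Review bot: In the added line, "Public Preview" is still wrapped in inline code, but it is a release status, not a literal value or command. Plain text or bold would read better and would match how the Review article emphasizes UI terms such as **Create**. The unchanged sentence "all Software Vendors (SVs), System Integrators (SIs)" is also missing an "and" between its two items.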
We're encouraging all Software Vendors (SVs), System Integrators (SIs) to onboar
Follow the link to get started > [!div class="nextstepaction"] > [Next step](createaccount.md)-
test-base Review https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/review.md
f1.keywords: NOCSH + # Step 6: Review your selections to create your package.
-1. On this tab, the service displays your test details and runs a quick completeness check.
+1. On this tab, the service displays your test details and runs a quick completeness check.
A **Validation passed** or **Validation failed** message shows whether you can proceed to next steps or not.
-2. Review your test details and if satisfied, click on the **Create** button.
+2. Review your test details and if satisfied, click on the **Create** button.
:::image type="content" alt-text="View validation." source="Media/validation.png" lightbox="Media/validation.png":::
-3. This will onboard your package to the Test Base environment. If your package is successfully created, an automated test which verifys whether your package can be successfully executed on Azure will be triggered.
+3. This will onboard your package to the Test Base environment. If your package is successfully created, an automated test which verifys whether your package can be successfully executed on Azure will be triggered.
![Successful result](Media/successful.png)
-
- > [!Note]
- > You will get a notification from the Azure portal to notify you on the success or failure of the package verification.
+
+ > [!NOTE]
+ > You will get a notification from the Azure portal to notify you on the success or failure of the package verification.
>
- > Please note that the process can take up to 24 hours, so it is likely your webpage will timeout if you are not active on it and hence, the notification will not inform you of the completion of this on-demand run.
+ > Please note that the process can take up to 24 hours, so it is likely your webpage will timeout if you are not active on it and hence, the notification will not inform you of the completion of this on-demand run.
- Peradventure this happens, you can view the status of your package on the **Manage packages** tab. :::image type="content" alt-text="Image for managing packages." source="Media/managepackages.png" lightbox="Media/managepackages.png"::: - For succesful tests, their results can be seen via the **Test Summary**, **Security Updates Results** and **Feature Updates Results** pages at scheduled intervals, often starting a few days after your upload.
-
- - While failed tests, require you to upload a new package.
-
+
+ - While failed tests, require you to upload a new package.
+ You can download the **test logs** for further analysis from the **Security update results** and **Feature updates results** pages.
- - If you experience repeated test failures, please reach out to testbasepreview@microsoft.com with details of your error.
+ - If you experience repeated test failures, please reach out to testbasepreview@microsoft.com with details of your error.
## Next steps
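Review bot: Step 3 is re-added with the misspelling "verifys" intact ("an automated test which verifys whether your package can be successfully executed"). Since the line is being touched anyway, correct it to "verifies". The re-added bullet "While failed tests, require you to upload a new package." is a fragment with a stray comma and would read better as "Failed tests require you to upload a new package." The unchanged bullet above it still has "succesful" and "Peradventure this happens", and "timeout" in the note is used as a verb where "time out" is meant.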
test-base Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/server.md
f1.keywords: NOCSH
-# Windows Server Application Testing
+# Windows Server Application Testing
With Test Base for Microsoft 365, you can now validate your applications against Windows Server 2016 and 2019, including Server Core! To get started with validating your uploaded applications against pre-release updates for Windows Server 2016 and 2019 operating systems on Test Base for Microsoft 365, kindly adhere to the following steps:
-1. Log on to our self-service onboarding portal. From the left-side navigation menu, select ```Upload new package``` under ```Package catalogue``` and fill out the Test details.
+1. Log on to our self-service onboarding portal. From the left-side navigation menu, select `Upload new package` under `Package catalogue` and fill out the Test details.
-2. Select ```Security updates``` as the OS update type:
+2. Select `Security updates` as the OS update type:
-![Select security updates](Media/selecting-security-updates.png)
+ ![Select security updates](Media/selecting-security-updates.png)
3. Under OS versions to test, select the applicable OS versions. You can select Windows Server OS versions or a combination of server and client OS versions.
-![Select OS version](Media/selecting-OS-versions.png)
+ ![Select OS version](Media/selecting-OS-versions.png)
4. Provide other required information, review the details provided, and upload your application package. After uploading, you can view package status on the Manage packages menu tab. - 5. To view test results and insights from the validation of your application against pre-release security updates for Windows Server 2016 and 2019, go to the Test summary page or the Security update results page.
-![View test results](Media/access-test-results.png)
+ ![View test results](Media/access-test-results.png)
Advance to the next article to get started with **Functional testing** > [!div class="nextstepaction"] > [Next step](functional.md)-
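Review bot: The UI labels in steps 1 and 2 are still formatted as code after this change (`Upload new package`, `Package catalogue`, `Security updates`), although they are portal labels rather than literals, and steps 4 and 5 leave "Manage packages", "Test summary" and "Security update results" unformatted. Using bold for every UI label would make the steps consistent with each other and with the Review article's **Create** and **Manage packages**.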
test-base Uploadapplication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/uploadApplication.md
Once there, follow the steps below to upload a new package.
## Enter details for your package
-On the Test details tab, type in your package's name, version, and other details as requested.
+On the Test details tab, type in your package's name, version, and other details as requested.
**Out-of-Box** and **Functional testing** can be done via this dashboard. The steps below provides a guide on how to fill out your package details:
-1. Enter the name to be given your package in the `Package name` field.
+1. Enter the name to be given your package in the `Package name` field.
- > [!Note]
+ > [!NOTE]
> The package name and version combination entered must be unique within your organization. This is validated by the checkmark as shown below.
-
+ - If you choose to reuse a package's name, then the version number must be unique (that is, never been used with a package bearing that particular name).
- - If the combination of the package name + version doesn't pass the uniqueness check, you'll see an error message that reads, *ΓÇ£Package with this package version already existsΓÇ¥*.
+ - If the combination of the package name + version doesn't pass the uniqueness check, you'll see an error message that reads, *"Package with this package version already exists"*.
:::image type="content" alt-text="Image for uploading package instructions." source="Media/Instructions.png":::
-2. Enter a version in the ΓÇ£Package versionΓÇ¥ field.
+2. Enter a version in the "Package version" field.
:::image type="content" alt-text="Package version." source="Media/ApplicationVersion.png":::
-3. Select the type of test you want to run on this package.
+3. Select the type of test you want to run on this package.
+
+ An **Out-of-Box (OOB)** test performs an *install*, *launch*, *close*, and *uninstall* of your package. After the install, the launch-close routine is repeated 30 times before a single uninstall is run.
- An **Out-of-Box (OOB)** test performs an *install*, *launch*, *close*, and *uninstall* of your package. After the install, the launch-close routine is repeated 30 times before a single uninstall is run.
-
This OOB test provides you with standardized telemetry on your package to compare across Windows builds. A **Functional test** would execute your uploaded test script(s) on your package. The scripts are run in upload sequence and a failure in a particular script will stop subsequent scripts from executing.
- > [!Note]
- > **All** scripts run for 80 minutes at the most.
-
-4. Select the OS update type.
+ > [!NOTE]
+ > **All** scripts run for 80 minutes at the most.
+
+4. Select the OS update type.
- - The ΓÇÿSecurity updatesΓÇÖ enables your package to be tested against incremental churns of Windows pre-release monthly security updates.
+ - The ΓÇÿSecurity updatesΓÇÖ enables your package to be tested against incremental churns of Windows pre-release monthly security updates.
- The ΓÇÿFeature updatesΓÇÖ enables your package to be tested against Windows pre-release bi-annual feature updates builds from the Windows Insider Program. <! Change to the correct picture --> :::image type="content" alt-text="OS update type." source="Media/OSUpdateType.png":::
-5. Select the OS version(s) for Security update tests.
+5. Select the OS version(s) for Security update tests.
- In the multi-select dropdown, select the OS version(s) of Windows your package will be installed on.
+ In the multi-select dropdown, select the OS version(s) of Windows your package will be installed on.
- To test your package only against Windows client operating systems, select the applicable Windows 11 OS versions from the menu list. - To test your package only against Windows Server operating systems, select the applicable Windows Server OS versions from the menu list.
- - To test your package only against Windows client and Windows Server operating systems, select all applicable operating systems from the menu list.
+ - To test your package only against Windows client and Windows Server operating systems, select all applicable operating systems from the menu list.
- > [!Note]
+ > [!NOTE]
> If you select to test your package against both Server and Client OSes, please make sure that the package is compatible and can run on both OSes :::image type="content" alt-text="Selecting an OS version." source="Media/OSVersion.png":::
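Review bot: The re-added bullet under step 4 still contains the mis-encoded quotes ("ΓÇÿSecurity updatesΓÇÖ"), and the unchanged "ΓÇÿFeature updatesΓÇÖ" bullet next to it has the same damage, even though this change repairs the identical encoding problem in the error message and in the "Package version" step. Replace both with straight quotes or bold. In step 5, the re-added third bullet reads "To test your package only against Windows client and Windows Server operating systems", where "only" contradicts the two preceding bullets; "against both" would say what is meant.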
The steps below provides a guide on how to fill out your package details:
Change to the correct picture -->
-6. Select options for Feature update tests:
+6. Select options for Feature update tests:
+
+ - On the option to "Select Insider Channel", select the `Windows Insider Program Channel` as the build that your packages should be tested against.
- - On the option to ΓÇ£Select Insider ChannelΓÇ¥, select the `Windows Insider Program Channel` as the build that your packages should be tested against.
-
We currently use builds flighted in the Insider Beta Channel.
- - On the option to ΓÇ£Select OS baseline for InsightΓÇ¥, select the Windows OS version to be used as a baseline in comparing your test results.
+ - On the option to "Select OS baseline for Insight", select the Windows OS version to be used as a baseline in comparing your test results.
- > [!Note]
+ > [!NOTE]
> We DO NOT support Feature update testing for Server OSes at this time <! Note to actual note format for markdown
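Review bot: The HTML comment that follows the step 6 note opens with "<!" rather than "<!--" as shown here ("<! Note to actual note format for markdown"), so it is not a well-formed comment and may render as visible text directly after the [!NOTE] body. Fix the delimiters or remove the leftover TODO now that the marker has been normalized, and end the note sentence with a period.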
The steps below provides a guide on how to fill out your package details:
--> :::image type="content" alt-text="Feature update testing." source="Media/FeatureUpdate.png":::
-7. A completed Test details page should look like this:
+7. A completed Test details page should look like this:
:::image type="content" alt-text="Viewing test details." source="Media/TestDetails.png":::
Our next article covers Uploading your Binaries to our service.
<! Add button for next page -->-