Updates from: 07/29/2023 03:58:57
Category Microsoft Docs article Related commit history on GitHub Change details
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
+
+ Title: Identify Defender for Endpoint architecture and deployment method
+description: Select the best Microsoft Defender for Endpoint deployment strategy for your environment
+keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem, intune
+search.product: eADQiWindows 10XVcnh
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security
+ - tier1
++
+search.appverid: met150
Last updated : 12/18/2020++
+# Identify Defender for Endpoint architecture and deployment method
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
+
+You've already completed steps to set up your Microsoft Defender for Endpoint deployment and assigned roles and permissions for Defender for Endpoint. Next, plan for onboarding your devices by identifying your architecture and choosing your deployment method.
+
+We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service. Deciding how to onboard endpoints to the Defender for Endpoint service comes down to two important steps:
++
+## Step 1: Identify your architecture
+
+Depending on your environment, some tools are better suited for certain architectures. Use the table below to decide which Defender for Endpoint architecture best suits your organization.
+
+|Architecture |Description |
+|||
+|**Cloud-native**| We recommend using Microsoft Intune to onboard, configure, and remediate endpoints from the cloud for enterprises that don't have an on-premises configuration management solution or are looking to reduce their on-premises infrastructure. |
+|**Co-management**| For organizations that host both on-premises and cloud-based workloads we recommend using Microsoft's ConfigMgr and Intune for their management needs. These tools provide a comprehensive suite of cloud-powered management features, as well as unique co-management options to provision, deploy, manage, and secure endpoints and applications across an organization. |
+|**On-premise**|For enterprises that want to take advantage of the cloud-based capabilities of Microsoft Defender for Endpoint while also maximizing their investments in Configuration Manager or Active Directory Domain Services, we recommend this architecture.|
+|**Evaluation and local onboarding**|We recommend this architecture for SOCs (Security Operations Centers) that are looking to evaluate or run a Microsoft Defender for Endpoint pilot, but don't have existing management or deployment tools. This architecture can also be used to onboard devices in small environments without management infrastructure, such as a DMZ (Demilitarized Zone).|
+
+## Step 2: Select deployment method
+
+Once you have determined the architecture of your environment and have created an inventory as outlined in the [requirements section](../defender-endpoint/mde-planning-guide.md#requirements), use the table below to select the appropriate deployment tools for the endpoints in your environment. This will help you plan the deployment effectively.
+
+|Endpoint|Deployment tool|
+|||
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Intune/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md)|
+|**Windows servers<br>Linux servers** | [Integration with Microsoft Defender for Cloud](azure-server-integration.md)
+|**macOS**|[Local script](mac-install-manually.md) <br> [Microsoft Intune](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|**Linux servers**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md) <br> [Chef](linux-deploy-defender-for-endpoint-with-chef.md)<br> [Saltstack](linux-install-with-saltack.md)|
+|**Android**|[Microsoft Intune](android-intune.md)|
+|**iOS**|[Microsoft Intune](ios-install.md) <br> [Mobile Application Manager](ios-install-unmanaged.md) |
+
+>[!Note]
+> For devices that aren't managed by Microsoft Intune or Microsoft Configuration Manager, you can use the Security Management for Microsoft Defender for Endpoint to receive security configurations for Microsoft Defender directly from Intune.
+
+## Next step
+
+After choosing your Defender for Endpoint architecture and deployment method continue to [Step 4 - Onboard devices](onboarding.md).
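Review bot: In the Step 2 table, the `**Windows servers<br>Linux servers**` row is missing its closing `|`, unlike every other row, and Linux servers then gets a second row of its own two lines later, so the same endpoint type has two different answers. Close the row, and either merge the Defender for Cloud link into the Linux servers row or label the first row so the split is clearly intentional. The Saltstack link target is spelled `linux-install-with-saltack.md` and should be checked against the actual file name. The intro promises "two important steps" and the page defines Step 1 and Step 2, but the closing line sends the reader to "Step 4 - Onboard devices", so add a sentence tying this page's numbering to the wider guide. "On-premise" in the architecture table should match the "on-premises" used in the two rows above it.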
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 07/28/2023 # Partner applications in Microsoft Defender for Endpoint
Microsoft Defender for Endpoint seamlessly integrates with existing security sol
Logo|Partner name|Description :|:|:
-![Image of AttackIQ logo.](images/attackiq-logo.png)|[AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502)|AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets
-![Image of Microsoft Sentinel logo.](images/sentinel-logo.png)|[AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705)|Stream alerts from Microsoft Defender for Endpoint into Microsoft Sentinel
-![Image of Cymulate logo.](images/cymulate-logo.png)|[Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)|Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions
-![Image of Elastic security logo.](images/elastic-security-logo.png)|[Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303)|Elastic Security is a free and open solution for preventing, detecting, and responding to threats
-![Image of IBM QRadar logo.](images/ibm-qradar-logo.png)|[IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903)|Configure IBM QRadar to collect detections from Defender for Endpoint
-![Image of Micro Focus ArcSight logo.](images/arcsight-logo.png)|[Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548)|Use Micro Focus ArcSight to pull Defender for Endpoint detections
-![Image of RSA NetWitness logo.](images/rsa-netwitness-logo.png)|[RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566)|Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API
-![Image of SafeBreach logo.](images/safebreach-logo.png)|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)|Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations
-![Image of Skybox Vulnerability Control logo.](images/skybox-logo.png)|[Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467)|Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities
-![Image of Splunk logo.](images/splunk-logo.png)|[Splunk](https://go.microsoft.com/fwlink/?linkid=2129805)|The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
-![Image of XM Cyber logo.](images/xmcyber-logo.png)|[XM Cyber](/microsoft-365/compliance/insider-risk-management-configure)|Prioritize your response to an alert based on risk factors and high value assets
+![Logo for AttackIQ.](images/attackiq-logo.png)|[AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502)|AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets
+![Logo for Microsoft Sentinel.](images/sentinel-logo.png)|[AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705)|Stream alerts from Microsoft Defender for Endpoint into Microsoft Sentinel
+![Logo for Cymulate.](images/cymulate-logo.png)|[Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)|Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions
+![Logo for Elastic security.](images/elastic-security-logo.png)|[Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303)|Elastic Security is a free and open solution for preventing, detecting, and responding to threats
+![Logo for IBM QRadar.](images/ibm-qradar-logo.png)|[IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903)|Configure IBM QRadar to collect detections from Defender for Endpoint
+![Logo for Micro Focus ArcSight.](images/arcsight-logo.png)|[Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548)|Use Micro Focus ArcSight to pull Defender for Endpoint detections
+![Logo for RSA NetWitness.](images/rsa-netwitness-logo.png)|[RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566)|Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API
+![Logo for SafeBreach.](images/safebreach-logo.png)|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)|Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations
+![Logo for Skybox Vulnerability Control.](images/skybox-logo.png)|[Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467)|Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities
+![Logo for Splunk.](images/splunk-logo.png)|[Splunk](https://go.microsoft.com/fwlink/?linkid=2129805)|The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
+![Logo for XM Cyber.](images/xmcyber-logo.png)|[XM Cyber](/microsoft-365/compliance/insider-risk-management-configure)|Prioritize your response to an alert based on risk factors and high value assets
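Review bot: The XM Cyber row (last `+` line) still links to `/microsoft-365/compliance/insider-risk-management-configure`, an insider risk management article rather than a partner page; since the line is being rewritten anyway, replace the target with the partner link. In the Sentinel row the link text is still `AzureSentinel` while the alt text and description on the same line both say Microsoft Sentinel.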
### Orchestration and automation Logo|Partner name|Description :|:|:
-![Image of CyberSponse CyOps logo.](images/cybersponse-logo.png)|[CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943)|CyOps integrates with Defender for Endpoint to automate customers' high-speed incident response playbooks
-![Image of Delta Risk ActiveEye logo.](images/delta-risk-activeeye-logo.png)|[Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468)|Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye.
-![Image of Demisto, a Palo Alto Networks Company logo.](images/demisto-logo.png)|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414)|Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
-![Image of Microsoft Flow & Azure Functions logo.](images/ms-flow-logo.png)|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
-![Image of Rapid7 InsightConnect logo.](images/rapid7-logo.png)|[Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040)|InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes
-![Image of ServiceNow logo.](images/servicenow-logo.png)|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621)|Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration
-![Image of Swimlane logo.](images/swimlane-logo.png)|[Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902)|Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together
+![Logo for Fortinet.](images/fortinet-logo.jpg)|[Fortinet FortiSOAR](https://www.fortinet.com/products/fortisoar)|Fortinet FortiSOAR is a holistic Security Orchestration, Automation and Response (SOAR) workbench, designed for SOC teams to efficiently respond to the ever-increasing influx of alerts, repetitive manual processes, and shortage of resources. It pulls together all of organization's tools, helps unify operations and reduces alert fatigue, context switching, and the mean time to respond to incidents.
+![Logo for Delta Risk ActiveEye.](images/delta-risk-activeeye-logo.png)|[Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468)|Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye.
+![Logo for Demisto, a Palo Alto Networks Company.](images/demisto-logo.png)|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414)|Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
+![Logo for Microsoft Flow & Azure Functions.](images/ms-flow-logo.png)|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
+![Logo for Rapid7 InsightConnect.](images/rapid7-logo.png)|[Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040)|InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes
+![Logo for ServiceNow.](images/servicenow-logo.png)|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621)|Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration
+![Logo for Swimlane.](images/swimlane-logo.png)|[Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902)|Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together
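Review bot: The first row of this hunk is a content change, not an alt-text rewording: the CyberSponse CyOps entry is dropped and a Fortinet FortiSOAR entry takes its place, which deserves its own mention in the change description. The new row also departs from the table's conventions: it links straight to `https://www.fortinet.com/products/fortisoar` where the other rows go through `go.microsoft.com/fwlink`, uses a `.jpg` logo where the others are `.png`, and reads "all of organization's tools" with no article. In the Microsoft Flow row, "to automating security procedures" should be "to automate security procedures".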
### Threat intelligence Logo|Partner name|Description :|:|:
-![Image of MISP Malware Information Sharing Platform)logo.](images/misp-logo.png)|[MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543)|Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Defender for Endpoint environment
-![Image of Palo Alto Networks logo.](images/paloalto-logo.png)|[Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582)|Enrich your endpoint protection by extending Autofocus and other threat feeds to Defender for Endpoint using MineMeld
-![Image of ThreatConnect logo.](images/threatconnect-logo.png)|[ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115)|Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators
+![Logo for MISP Malware Information Sharing Platform)logo.](images/misp-logo.png)|[MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543)|Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Defender for Endpoint environment
+![Logo for Palo Alto Networks.](images/paloalto-logo.png)|[Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582)|Enrich your endpoint protection by extending Autofocus and other threat feeds to Defender for Endpoint using MineMeld
+![Logo for ThreatConnect.](images/threatconnect-logo.png)|[ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115)|Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators
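Review bot: The MISP alt text was only half converted: `Logo for MISP Malware Information Sharing Platform)logo.` keeps the old trailing "logo." and has a closing parenthesis with no opening one. Suggest `Logo for MISP (Malware Information Sharing Platform).` so it matches the link text on the same row.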
### Network security Logo|Partner name|Description :|:|:
-![Image of Aruba ClearPass Policy Manager logo.](images/aruba-logo.png)|[Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544)|Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network
-![Image of Blue Hexagon for Network logo.](images/bluehexagon-logo.png)|[Blue Hexagon for Network](/training/modules/explore-malware-threat-protection/)|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
-![Image of Corelight logo.](images/logo-corelight.png)| [Corelight](https://corelight.com/integrations/iot-security)| Using data, sent from Corelight network appliances, Microsoft 365 Defender gains increased visibility into the network activities of unmanaged devices, including communication with other unmanaged devices or external networks.
-![Image of CyberMDX logo.](images/cybermdx-logo.png)|[CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620)|Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment
-![Image of HYAS Protect logo.](images/hyas-logo.png)|[HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763)|HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks
-![Image of Vectra Network Detection and Response (NDR) logo.](images/vectra-logo.png)|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)|Vectra applies AI & security research to detect and respond to cyber-attacks in real time
+![Logo for Aruba ClearPass Policy Manager.](images/aruba-logo.png)|[Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544)|Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network
+![Logo for Blue Hexagon for Network.](images/bluehexagon-logo.png)|[Blue Hexagon for Network](/training/modules/explore-malware-threat-protection/)|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
+![Logo for Corelight.](images/logo-corelight.png)| [Corelight](https://corelight.com/integrations/iot-security)| Using data, sent from Corelight network appliances, Microsoft 365 Defender gains increased visibility into the network activities of unmanaged devices, including communication with other unmanaged devices or external networks.
+![Logo for CyberMDX.](images/cybermdx-logo.png)|[CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620)|Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment
+![Logo for HYAS Protect.](images/hyas-logo.png)|[HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763)|HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks
+![Logo for Vectra Network Detection and Response (NDR).](images/vectra-logo.png)|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)|Vectra applies AI & security research to detect and respond to cyber-attacks in real time
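Review bot: The Blue Hexagon row links to `/training/modules/explore-malware-threat-protection/`, a training module path rather than a partner page like the neighbouring rows; replace it with the partner's link, or drop the row if no valid target exists. In the CyberMDX row, "threat prevention and repose" should read "response", and the description says "Cyber MDX" where the link text says "CyberMDX".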
### Cross platform Logo|Partner name|Description :|:|:
-![Image of Bitdefender logo.](images/bitdefender-logo.png)|[Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)|Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
-![Image of Better Mobile logo.](images/bettermobile-logo.png)|[Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)|AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
-![Image of Corrata logo.](images/corrata-logo.png)|[Corrata](https://go.microsoft.com/fwlink/?linkid=2081148)|Mobile solution - Protect your mobile devices with granular visibility and control from Corrata
-![Image of Lookout logo.](images/lookout-logo.png)|[Lookout](https://go.microsoft.com/fwlink/?linkid=866935)|Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
-![Image of Symantec Endpoint Protection Mobile logo.](images/symantec-logo.png)|[Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)|SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices
-![Image of Zimperium logo.](images/zimperium-logo.png)|[Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense
+![Logo for Bitdefender.](images/bitdefender-logo.png)|[Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)|Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
+![Logo for Better Mobile.](images/bettermobile-logo.png)|[Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)|AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
+![Logo for Corrata.](images/corrata-logo.png)|[Corrata](https://go.microsoft.com/fwlink/?linkid=2081148)|Mobile solution - Protect your mobile devices with granular visibility and control from Corrata
+![Logo for Lookout.](images/lookout-logo.png)|[Lookout](https://go.microsoft.com/fwlink/?linkid=866935)|Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
+![Logo for Symantec Endpoint Protection Mobile.](images/symantec-logo.png)|[Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)|SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices
+![Logo for Zimperium.](images/zimperium-logo.png)|[Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense
## Other integrations Logo|Partner name|Description :|:|:
-![Image of Cyren Web Filter logo.](images/cyren-logo.png)|[Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)|Enhance your Defender for Endpoint with advanced Web Filtering
-![Image of Morphisec logo.](images/morphisec-logo.png)|[Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)|Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Defender for Cloud dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information
-![Image of THOR Cloud logo.](images/nextron-thor-logo.png)|[THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)|Provides on-demand live forensics scans using a signature base with focus on persistent threats
+![Logo for Cyren Web Filter.](images/cyren-logo.png)|[Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)|Enhance your Defender for Endpoint with advanced Web Filtering
+![Logo for Morphisec.](images/morphisec-logo.png)|[Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)|Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Defender for Cloud dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information
+![Logo for THOR Cloud.](images/nextron-thor-logo.png)|[THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)|Provides on-demand live forensics scans using a signature base with focus on persistent threats
## SIEM integration
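Review bot: In the Morphisec row, "WD Defender for Cloud dashboards" still carries a "WD" prefix in front of "Defender", which reads like a leftover from an earlier product rename; write the intended product name out in full while this line is being edited.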
security Troubleshoot Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr.md
ms.localizationpriority: medium
audience: ITPro Previously updated : 03/27/2019 Last updated : 07/28/2023
There are four steps to troubleshooting these problems:
Attack surface reduction rules only work on devices with the following conditions: -- Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
+- Endpoints are running Windows 10 Enterprise or later.
- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender Antivirus to disable itself](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
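Review bot: "Windows 10 Enterprise or later" does not say what "later" refers to. The removed line gave a concrete minimum (Windows 10 Enterprise, version 1709), while the new wording can be read as a later edition, a later version, or a later Windows release. This list states the conditions under which the rules work at all, so keep an explicit floor, for example "Windows 10 Enterprise, version 1709 or later".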
If a rule isn't blocking a file or process that you're expecting it should block
Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
-If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
+If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on preconfigured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
To add an exclusion, see [Customize Attack surface reduction](attack-surface-red
## Report a false positive or false negative
-Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/support/report-exploit-guard) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md).
+Use the [Microsoft Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/support/report-exploit-guard) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md).
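Review bot: The rewritten sentence still says the form is for reporting a false negative or false positive "for network protection", but this article and the text around it are about attack surface reduction rules. While the product name is being updated, correct the feature name as well, or state that the same form serves both features.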
## Collect diagnostic data for file submissions
When you report a problem with attack surface reduction rules, you're asked to c
1. Open an elevated command prompt and change to the Windows Defender directory: ```console
- cd "c:\program files\windows defender"
+ cd "c:\program files\Windows Defender"
``` 2. Run this command to generate the diagnostic logs:
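Review bot: Only half of the path casing is corrected: `"c:\program files\Windows Defender"` still has a lowercase drive letter and a lowercase `program files`. If the aim is to match the on-disk name, write `"C:\Program Files\Windows Defender"`; otherwise the change has no effect on a case-insensitive file system and can be dropped.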
security Developer Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/developer-resources.md
- Title: Software developer resources-
-description: This page provides information for developers such as detection criteria, developer questions, and how to check your software against Security intelligence.
-keywords: wdsi, software, developer, resources, detection, criteria, questions, scan, software, definitions, cloud, protection, security intelligence
-search.product: eADQiWindows 10XVcnh
--
-ms.sitesec: library
-ms.pagetype: security
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Software developer resources
-
-Concerned about the detection of your software?
-If you believe that your application or program has been incorrectly detected by Microsoft security software, submit the relevant files for analysis.
-
-Check out the following resources for information on how to submit and view submissions:
--- [Submit files](https://www.microsoft.com/wdsi/filesubmission)--- [View your submissions](https://www.microsoft.com/wdsi/submissionhistory)-
-## Additional resources
-
-### Detection criteria
-
-To objectively identify malware and unidentified software, Microsoft applies a [set of criteria](criteria.md) for evaluating malicious or potentially harmful code.
-
-### Developer questions
-
-Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.yml).
-
-### Scan your software
-
-Use [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.
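Review bot: No redirect or replacement page is visible for the removed `developer-resources.md`, which was the entry point to the file submission form, the submission history page, `criteria.md` and `developer-faq.yml`. Confirm that a redirect exists and that pages linking to this article are updated, so a developer disputing a detection still has somewhere to start.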
solutions Groups Naming Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-naming-policy.md
Title: "Microsoft 365 groups naming policy"-
+ Title: Microsoft 365 Groups and Microsoft Teams naming policy
+ Last updated 02/18/2020 f1.keywords: NOCSH
audience: Admin - ms.localizationpriority: medium - highpri
search.appverid:
- MET150 ms.assetid: 6ceca4d3-cad1-4532-9f0f-d469dfbbb552 recommendations: false
-description: "Learn how to create a naming policy for Microsoft 365 groups."
+description: "Learn how to create a naming policy for Microsoft 365 Groups and Microsoft Teams."
-# Microsoft 365 groups naming policy
+# Microsoft 365 Groups and Microsoft Teams naming policy
-You can use a group naming policy to enforce a consistent naming strategy for groups created by users in your organization. A naming policy can help you and your users identify the function of the group, membership, geographic region, or who created the group. The naming policy can also help categorize groups in the address book. You can use the policy to block specific words from being used in group names and aliases.
+You can use a naming policy to enforce a consistent naming strategy for Microsoft 365 groups and teams created by users in your organization. A naming policy can help you and your users identify the function of the group, membership, geographic region, or who created the group. The naming policy can also help categorize groups in the address book. You can use the policy to block specific words from being used in group names and aliases.
The naming policy is applied to groups that are created across all groups workloads (like Outlook, Microsoft Teams, SharePoint, Planner, Viva Engage, etc.). It gets applied to both the group name and group alias. It also gets applied when a user creates a group and when the group name, alias, description, or avatar is edited for an existing group.
The naming policy is applied to groups that are created across all groups worklo
The group naming policy consists of the following features: -- **Prefix-Suffix naming policy**: You can use prefixes or suffixes to define the naming convention of groups (for example: "US\_My Group\_Engineering"). The prefixes/suffixes can either be fixed strings or user attributes like [Department] that will get substituted based on the user who is creating the group.
+- **Prefix-Suffix naming policy**: You can use prefixes or suffixes to define the naming convention of groups (for example: "US\_My Group\_Engineering"). The prefixes/suffixes can either be fixed strings or user attributes like [Department] that are substituted based on the user who is creating the group.
- **Custom Blocked Words**: You can upload a set of blocked words specific to your organization that would be blocked in groups created by users. (For example: "CEO, Payroll, HR").
Prefixes and suffixes can either be fixed strings or user attributes.
### Fixed strings
-You can use short strings that can help you differentiate groups in the GAL and left navigation of the group workloads. Some of the common prefixes suffixes are keywords like 'Grp\_Name' , '\#Name', '\_Name'
+You can use short strings that can help you differentiate groups in the global address list and left navigation of the group workloads. Some of the common prefixes suffixes are keywords like 'Grp\_Name' , '\#Name', '\_Name'
### Attributes
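Review bot: The added "Fixed strings" sentence is being touched anyway, so fix the defects it carries over: "common prefixes suffixes" is missing a conjunction ("prefixes or suffixes"), there is a stray space before the comma after 'Grp\_Name', and the sentence has no closing period. Expanding GAL to "global address list" is fine, but write "the left navigation" so the two nouns read in parallel.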
It's recommended that you use attributes that have values filled in for all user
- During policy creation, the total prefixes and suffixes string length is restricted to 53 characters. -- Prefixes and suffixes can contain special characters supported in group name and group alias. When the prefixes and suffixes contain special characters that are not allowed in the group alias, they are only applied to the group name. So in this case, the prefixes and suffixes applied to group name would be different from the ones applied to the group alias.
+- Prefixes and suffixes can contain special characters supported in group name and group alias. When the prefixes and suffixes contain special characters that aren't allowed in the group alias, they're only applied to the group name. So in this case, the prefixes and suffixes applied to group name would be different from the ones applied to the group alias.
> [!NOTE] > A period (.) or a hyphen (-) is permitted anywhere in the group name, except at the beginning or end of the name. An underscore (_) is permitted anywhere in the group name, including at the beginning or end of the name. -- If you are using Viva Engage Office 365 connected groups, avoid using the following characters in your naming policy: @, \#, \[, \], \<, and \>. If these characters are in the naming policy, regular Viva Engage users will not be able to create groups.
+- If you are using Viva Engage Office 365 connected groups, avoid using the following characters in your naming policy: @, \#, \[, \], \<, and \>. If these characters are in the naming policy, regular Viva Engage users can't create groups.
> [!Tip] > - Use short strings as suffix.
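Review bot: The contraction pass is applied unevenly in this hunk. The first added bullet moves to "aren't" and "they're", but the second added bullet still opens with "If you are using" while its last sentence changes to "can't". Also consider whether "Viva Engage Office 365 connected groups" should read "Microsoft 365", since the rest of the article uses "Microsoft 365 groups".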
It's recommended that you use attributes that have values filled in for all user
## Custom blocked words
-You can enter a comma separated list of blocked words that will be blocked in group names and aliases.
+You can enter a comma separated list of blocked words to be blocked in group names and aliases.
-No sub-string searches are carried out; specifically, an exact match between the user entered name and the custom blocked words is required to trigger a failure.
+No substring searches are carried out; specifically, an exact match between the user entered name and the custom blocked words is required to trigger a failure.
**Things to look out for**: - The blocked words are case-insensitive. -- When a user enters a blocked word, the group client will show an error message with the blocked word.
+- When a user enters a blocked word, the group client shows an error message with the blocked word.
- There are no character restrictions in the blocked words used. -- There is a limit of 5000 words that can be set as blocked words.
+- There's a limit of 5000 words that can be set as blocked words.
## Admin override
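Review bot: The added line "a comma separated list of blocked words to be blocked" is redundant and needs a hyphen; suggest "a comma-separated list of words to block in group names and aliases", and likewise "user-entered name" in the exact-match sentence. More importantly, that sentence says only an exact match triggers a failure and no substring search is done, but gives no example of what still gets through. Add one, using the article's own sample words (for instance, a name that merely contains "Payroll"), so admins don't treat the blocked-words list as protection against look-alike or impersonating group names.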
solutions Groups Services Interactions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-services-interactions.md
- Title: "Groups services interactions"- Previously updated : 08/12/2020-------- highpri-- M365-collaboration-- m365solution-collabgovernance--- M365solutions
-recommendations: false
-description: "Groups services interactions"
--
-# Groups services interactions
-
-Microsoft 365 Groups provides a common fabric for several services and workloads within the Microsoft 365 platform to deliver a connected experience for end users. At its core, a Microsoft 365 group exists to provide:
--- A way to manage the membership (Azure AD)-- A place for messaging and conversations to take place (Exchange mailbox, Microsoft Teams, Viva Engage)-- A place for files to be stored (SharePoint)-- A calendar for scheduling (Exchange)-- A notebook for capturing notes (OneNote)-
-At the point of group creation, several other resources are also provisioned, however they aren't visible until accessed for the first time from the service:
--- A board for managing group tasks (Planner)-- A workspace for reporting (Power BI)-- An area for shared videos (Microsoft Stream)-- An area for shared forms (Forms)-
-Across Microsoft 365, other services are able to interact with Microsoft 365 groups to deliver additional functionality and capabilities to group members.
-Examples of this include:
--- Power Apps for apps-- Power Automate for workflows-- Project on the web and Roadmap for waterfall-based project management-- Teams for channel-based conversations-- Viva Engage for communities of interest-
-## User interactions with groups
-
-Microsoft 365 Groups can be created and managed from various interfaces, both by administrators and end users.
-
-### Administrative experiences
-
-Administrators can create and manage Microsoft 365 groups from several of the workload admin centers, command-line interfaces that support scripting, as well as custom-built apps interacting with the Graph API. The only exception to this is Viva Engage groups ΓÇô which must be created from within the Viva Engage web interface.
-
-**Related settings**
-
-Across the various administrative interfaces that can manage group settings exists several overlaps that you should be aware of.
-
-**Microsoft 365 admin center**
-
-In the Microsoft 365 admin center, guest access to Groups is enabled by default, as is the ability to allow owners to add guests. There are no further organization-level controls available for Groups from this admin center.
-
-**Azure AD admin center**
-
-The Azure AD admin center offers controls around whether users can create Groups or assign owners in Azure portals, as well as expiration and naming policy settings.
-
-The admin center also provides several guest invitation control measures that go beyond that of the Microsoft 365 admin center, such as the ability to limit whether non-owners can also invite guests
-
-**SharePoint**
-
-SharePoint sites are created with Owner, Member, and Visitor security groups, with the first two matching up to their Microsoft 365 group counterparts. While membership for SharePoint Online sites is generally managed by the associated Microsoft 365 group, it isn't a bidirectional relationship. Any changes to membership at the Microsoft 365 group level are reflected in SharePoint, however if membership is changed in the SharePoint group, this isn't reflected in the Microsoft 365 group.
-
-### User experiences
-
-End users can create groups from several of the services within Microsoft 365, and in others they can only share with a group.
-
-The following services allow creation of groups by end users:
--- Outlook-- Planner-- Project for the web-- SharePoint-- Stream-- Microsoft Teams-- Viva Engage-
-#### Restriction of group creation
-
-A common approach to control sprawl of teams is to limit which users can create them. This can only be done by limiting the creation of groups. Doing this impacts the ability to create groups from other services where that may be necessary for end user. Microsoft 365 Groups doesn't support the ability to restrict the creation of groups from some apps or services while allowing it from others.
-
-The experience of group creation restriction varies between apps and
-
-|App or service|Experience|
-|||
-|Outlook|**New group** option is removed from New menu in people page|
-|Planner|**New plan** explains that group creation has been turned off and offers to add the plan to an existing group|
-|Project for the web and Roadmap|**Create group** menu explains that group creation is restricted and suggests using an existing group.|
-|SharePoint|Still able to create a team site that isn't connected to a group.|
-|Stream|**Group** option doesn't appear under the **Create menu**.|
-|Teams|User can't create a team with a new group but can still create a team that utilizes an existing group.<br><br>**Create a team** button is replaced with **Create team from a group**.|
-|Viva Engage|**Create a group** option is removed from main Groups/Communities navigation.|
-
-## Services interactions with groups
-
-See the Groups in Microsoft 365 poster for information about different types of groups, how these are created and managed, and a few governance recommendations.
-
-[![Thumb image for groups infographic.](../downloads/msft-m365-groups-architecture-thumb.png)](https://download.microsoft.com/download/6/3/0/6309218f-a169-4f2d-af4c-2fe49e30ba17/msft-m365-groups.pdf)
-
-[PDF](https://download.microsoft.com/download/6/3/0/6309218f-a169-4f2d-af4c-2fe49e30ba17/msft-m365-groups.pdf) \| [Visio](https://download.microsoft.com/download/6/3/0/6309218f-a169-4f2d-af4c-2fe49e30ba17/msft-m365-groups.vsdx)
-
-The following table provides an overview of Microsoft 365 Groups interactions with various
-
-|Product|Features|Does the service exist without a group?|Can the service create a group?|Does deleting the instance delete the group?|
-||||||
-|Azure AD|Membership, Group controls, Guests|Yes|Yes|Yes|
-|Exchange|Calendar, mailbox|Yes|Yes|Yes|
-|Forms|Form|Yes|No|No|
-|OneNote|Notebook|Yes|No|No|
-|Planner|Task board|No|Yes|Yes|
-|Power Apps app|App|Yes|No|No|
-|Power Automate|Workflow|Yes|No|No|
-|Power BI (classic)|Workspace|No|Yes|Yes|
-|Power BI (new)|Workspace|Yes|No|Yes|
-|Project for the web|Project plan|Yes|Yes|No|
-|Roadmap|Roadmap|Yes|Yes|No|
-|SharePoint|Site|Yes|Yes|Yes|
-|Stream|Channel, video|Yes|Yes|Yes|
-|Teams|Team|No|Yes|Yes|
-|Viva Engage|Group|Yes|Yes|Yes|
-
-While the table above provides a high-level overview of group interactions with Microsoft 365 services, there are several nuances and intricacies that you should understand. The following sections take a more in-depth look at the specific workloads and their interactions with groups.
-
-## Azure AD
-
-Azure AD provides the underlying identity management capabilities across Microsoft 365.
-
-**Key features provided to Groups**
--- Group membership-- Naming policy-- Expiration policy-- Guests-- Restriction of Group creation-
-**Can Azure AD create a Group?**
-
-Yes, Microsoft 365 Groups can be created from Azure AD either through the administration web portal, through PowerShell, or Graph API.
-
-**Does Azure AD exist without a group?**
-
-Yes, Azure AD performs a great number of services that have no relation to Microsoft 365 Groups. Each Microsoft 365 group is represented as an object in Azure AD.
-
-**Can there be multiple instances of Azure AD per Group?**
-
-No, there is only one instance of Azure AD.
-
-**Can Azure AD be associated with multiple Groups?**
-
-Yes, because Azure AD is the underlying platform that provides the group membership service.
-
-**Can Azure ADΓÇÖs association with a group change?**
-
-No, Azure AD is the underlying platform where groups exist.
-
-**Does deleting the instance delete the Group?**
-
-Deleting the group in Azure AD will delete relevant group-associated services and content.
-
-## Teams
-
-Teams is a chat-centered workspace aimed at enhancing collaboration by providing a singular interface to interact with various Microsoft and third-party services.
-
-By default, when a team is created, the mailbox and calendar associated with the Microsoft 365 group are hidden from both the Global Address List in Exchange, as well as Outlook. This can be manually overridden by an administrator if the user would like to use both Outlook and Teams on the same Microsoft 365 group.
-
-**Key features provided to Groups**
--- Conversations-- Channels & tabs-- Meetings-
-**Can Teams create a group?**
-
-Yes, creating a new team will create a new Microsoft 365 group. It's also possible to create a team for an existing group that doesn't currently have one.
-
-**Do teams exist without a group?**
-
-No, it isn't possible for a team to exist without a Group.
-
-**Can there be multiple teams per group?**
-
-No, the relationship between a team and a group is 1:1.
-
-**Can a team be associated with multiple groups?**
-
-No, the team itself can only be associated with a single group.
-
-**Can a teamΓÇÖs association with a group change?**
-
-No, the team can only ever be associated with the group to which it was originally associated.
-
-**Does deleting the team delete the group?**
-
-Yes, deleting the team in Microsoft Teams will delete the group, group-associated services, and content.
-
-## Exchange
-
-Exchange Online provides messaging, calendar, contact, and associated functionality. In the context of a Group, only a single resource is associated ΓÇô as opposed to an entire service instance.
-
-**Key features provided to Groups**
--- Mailbox and calendar-- Ability to email all Group members-- Storage of Teams channel conversations for eDiscovery purposes, Planner comments-
-**Can Exchange create a group?**
-
-Yes, it's possible to create a group from the Exchange Online admin center, as well as from Outlook. You can also convert Exchange distribution lists to Microsoft 365 groups.
-
-**Does Exchange exist without a Group?**
-
-Yes, Exchange Online provides several services, including shared mailboxes and calendars, without any group association.
-
-**Can there be multiple instances of Exchange mailboxes or calendars per group?**
-
-No, there can only be a single Exchange Online mailbox and calendar for a group.
-
-**Can Exchange mailboxes and calendars be associated with multiple groups?**
-
-No, the mailbox and calendar have a 1:1 relationship with the group. It's possible to share the mailbox with other users or groups, however this doesn't establish any form of service association.
-
-**Can the Exchange mailbox or calendarΓÇÖs association with a group change?**
-
-No, the mailbox and calendar can't be changed to a different group. However, the content can be moved from one mailbox to another within Outlook or by using a third-party tool.
-
-**Does deleting the mailbox delete the group?**
-
-Yes, deleting the mailbox in Exchange will delete the group as well as group-associated services and content.
-
-## Forms
-
-Forms provides web-based surveys and quizzes.
-
-**Key features provided to groups**
--- Ownership of forms-
-**Can Forms create a group?**
-
-No, Forms can't create a group.
-
-**Do forms exist without a group?**
-
-Yes, surveys and quizzes can be created directly in an end userΓÇÖs account.
-
-**Can there be multiple forms per group?**
-
-Yes, there can be multiple forms associated with a group.
-
-**Can forms be associated with multiple groups?**
-
-No, a form can only be associated with a single group.
-
-**Can a formΓÇÖs association with a group change?**
-
-No, once a form is associated with a group (either created directly within, or ownership transferred from an individual) it can't be moved to another group.
-
-**Does deleting the form delete the group?**
-
-No, it isn't possible to delete a group from the Forms interface, only individual forms.
-
-## OneNote
-
-OneNote is a digital notebook application. The OneNote notebook created with a group is a file in the associated SharePoint site rather than a group-connected service.
-
-**Key features provided to groups**
--- Shared notebook (stored in the Group-associated SharePoint library)-
-**Can OneNote create a group?**
-
-No, the OneNote application can't create a group.
-
-**Do OneNote notebooks exist without a group?**
-
-Yes, notebooks can be created directly in OneDrive or in other shared locations.
-
-**Can there be multiple OneNote notebooks per group?**
-
-Yes, a notebook is created by default and others can be added, however any link to OneNote from group-associated services will always go to the default notebook.
-
-**Can a OneNote notebook be associated with multiple groups?**
-
-No, the notebook is stored in the group-associated SharePoint site library and linked from various interfaces. It can however be shared with other Groups in the same way it can be shared with individuals.
-
-**Can the notebookΓÇÖs association with a group change?**
-
-No, the notebook itself is associated with the group and can be directly accessed from other group-connected services, however the content can be moved from one notebook to another within the OneNote application.
-
-**Does deleting the notebook delete the group?**
-
-No, however if the OneNote notebook is deleted there may be broken links in some of the group-associated services.
-
-## Planner
-
-Planner is a lightweight group task management service.
-
-**Key features provided to groups**
--- Board for managing group tasks-
-**Can Planner create a group?**
-
-Yes, creation of a plan will create a new group.
-
-**Does a Planner board exist without a group?**
-
-No, a plan must be associated with a group.
-
-**Can there be multiple plans per group?**
-
-Yes, there can be multiple plans per group.
-
-**Can a plan be associated with multiple groups?**
-
-No, a plan relies solely on the group membership to determine access.
-
-**Can a planΓÇÖs association with a group change?**
-
-No, however copying a plan creates a new group.
-
-> [!NOTE]
-> A Group created by any other application will not show up in Planner automatically for a user. To access the board initially they will need to open it from another Group-based interface such as Outlook.
-
-**Does deleting the plan delete the group?**
-
-Yes, deleting the plan will delete the group and group-associated services and content.
-
-## Power Apps
-
-Power Apps provides a canvas for app development without code.
-
-**Key features provided to Groups**
--- Apps can be shared with a group to be run and modified-
-**Can Power Apps create a group?**
-
-No, Power Apps can't create a Microsoft 365 group.
-
-**Do Power Apps exist without a group?**
-
-Yes, apps can be created within Power Apps and reside within the creators account until shared or published.
-
-**Can there be multiple apps per group?**
-
-Yes, there can be multiple apps shared with a group.
-
-**Can apps be associated with multiple groups?**
-
-Yes, an app can be shared with multiple groups.
-
-**Can an appΓÇÖs association with a group change?**
-
-Yes, as the association between Power Apps and a Microsoft 365 group is sharing only ΓÇô the app still resides with the creator.
-
-> [!IMPORTANT]
-> [Groups must be security enabled before apps can be shared with them](/powerapps/maker/canvas-apps/share-app#share-an-app-with-office-365-groups).
-
-**Does deleting the app delete the group?**
-
-No, the apps are not connected to the group other than being shared with them.
-
-## Power Automate
-
-Power Automate (formerly known as Microsoft Flow) provides workflows and automation services.
-
-**Key features provided to groups**
--- Workflows can be shared with a group to be run and modified.-
-**Can Power Automate create a group?**
-
-No, Power Automate can't create a Microsoft 365 group in the context of being associated with one.
-
-It's possible however to create a flow that performs various operations such as creating an Azure AD security group or updating membership of a Microsoft 365 group.
-
-**Do flows exist without a group?**
-
-Yes, flows can be created within Power Automate and reside within the creators account until shared or published.
-
-**Can there be multiple flows per group?**
-
-Yes, there can be multiple flows shared with a group.
-
-**Can a flow be associated with multiple groups?**
-
-Yes, a flow can be shared with multiple groups.
-
-**Can a flowΓÇÖs association with a group change?**
-
-Yes, as the association between Power Automate and a Microsoft 365 group is sharing only ΓÇô the flow still resides with the creator.
-
-**Does deleting a flow delete the group?**
-
-No, like Power Apps, the flows are not connected to the group other than being shared with them.
-
-## Power BI (classic)
-
-Power BI provides interactive data-driven dashboards and reports.
-
-**Key features provided to groups**
--- Data reporting-
-**Can Power BI create a group?**
-
-Yes, creating a classic workspace will create a Microsoft 365 group.
-
-**Does a Power BI classic workspace exist without a group?**
-
-No, [a classic workspace in Power BI must be associated with a group](/power-bi/collaborate-share/service-collaborate-power-bi-workspace).
-
-**Can there be multiple Power BI workspaces per group?**
-
-No, the relationship between a classic workspace and a group is 1:1.
-
-**Can a workspace be associated with multiple groups?**
-
-Technically no, while the classic workspace is created with the group, the content can be shared outside of the Group with users and security groups.
-
-**Can the workspace's association with a group change?**
-
-No, the classic workspace itself is associated with the Group, however the content can be moved from one workspace to another within the Power BI interface or by exporting contents locally.
-
-**Does deleting the workspace delete the group?**
-
-Yes, deleting the workspace in Power BI will delete group and group-associated services and content.
-
-## Power BI (new)
-
-Power BI provides interactive data-driven dashboards and reports.
-
-While creating a new workspace in Power BI doesn't create a Microsoft 365 group, creating a group by any other means creates a new (not classic) workspace in Power BI.
-
-**Key features provided to groups**
--- Data reporting-
-**Can Power BI create a group?**
-
-No, it isn't possible to create a Microsoft 365 group from the new Power BI interface.
-
-**Does the new Power BI workspace exist without a group?**
-
-Yes, it's possible to have reports and workspaces created in Power BI that are not associated with Microsoft 365 groups.
-
-**Can there be multiple workspaces per group?**
-
-Yes, [multiple workspaces created by Power BI can be shared with a single group](/power-bi/collaborate-share/service-create-the-new-workspaces#give-access-to-your-workspace).
-
-**Can a workspace be associated with multiple groups?**
-
-No, a workspace created by Power BI can only be associated with a single group.
-
-**Can a workspace's association with a group change?**
-
-Yes and no. A workspace created by Power BI can only be associated with a single group at a time but can change the association at any time. A workspace created in Power BI by a group is permanently associated to that group.
-
-**Does deleting the workspace delete the group?**
-
-Yes, deleting the workspace in Power BI will delete the group and group-associated services and content.
-
-## Project for the web
-
-Project for the web offers the ability to create project plans, Gantt charts, and roadmaps.
-Key features provided to groups.
--- Project plans-
-**Can Project for the web create a group?**
-
-Yes, it's possible to create a new Microsoft 365 group directly from Project for the web.
-
-**Do projects exist without a group?**
-
-Yes, projects can exist without being associated with a Microsoft 365 group, however assignment of tasks requires group association.
-
-**Can there be multiple projects per group?**
-
-Yes, it is possible to connect multiple projects in a single group.
-
-**Can project be associated with multiple groups?**
-
-No, a project can only be associated with a single group.
-
-**Can a projectΓÇÖs association with a group change?**
-
-No, once the association with a group is established, it cannot change.
-
-**Does deleting the project delete the group?**
-
-No, deleting the project in Project for the web will not delete the group.
-
-## Roadmap
-
-Roadmap provides the ability to create project roadmaps with Project for the web and Project Online.
-
-**Key features provided to Groups**
--- Project roadmaps-
-**Can Roadmap create a group?**
-
-Yes, it is possible to create a new Microsoft 365 group directly from roadmap.
-
-**Does Roadmap exist without a group?**
-
-Yes, roadmaps can exist without being associated with a Microsoft 365 group, however sharing the roadmap requires group association.
-
-**Can there be multiple roadmaps per group?**
-
-Yes, it is possible to connect multiple roadmaps to a single group.
-
-**Can a roadmap be associated with multiple groups?**
-
-No, a roadmap can only be associated with a single group.
-
-**Can a roadmap's association with a group change?**
-
-No, once the association with a group is established, it cannot change.
-
-**Does deleting the roadmap delete the group?**
-
-No, deleting the roadmap will not delete the group.
-
-## SharePoint
-
-SharePoint is a web-based content management platform that provides among other things, storage services for several Microsoft 365 services.
-
-**Key features provided to Groups**
--- Document library-- Library for storage of OneNote notebook-- Storage of Teams wiki files-
-**Can SharePoint create a group?**
-
-Yes, creating a team site in SharePoint will create a Microsoft 365 group by default. It is also possible to create a group and, optionally, a team for an existing site.
-
-**Do SharePoint sites exist without a group?**
-
-Yes, SharePoint offers several non-group-associated services and sites such as communication and hub sites.
-
-**Can there be multiple sites per group?**
-
-No, there can only be a single site per group. Private and shared channels in Teams use additional sites that are not connected to the group.
-
-**Can sites be associated with multiple groups?**
-
-Technically no, but while a site is created with a group, the content can be shared with other groups.
-
-**Can a siteΓÇÖs association with a group change?**
-
-No, the site itself is associated with the group, however the content can be moved from one site to another within the SharePoint interface, by exporting content locally, or by using a third-party tool.
-
-**Does deleting the site delete the group?**
-
-Yes, deleting the site in SharePoint will delete group and group-associated services and content.
-
-## Stream
-
-Microsoft Stream is a video hosting and sharing platform.
-
-**Key features provided to Groups**
--- Video storage-- Teams meeting recording-- Video channels-
-**Can Stream create a group?**
-
-Yes, it is possible to create a new Microsoft 365 group directly from Stream.
-
-**Does Stream exist without a group?**
-
-Yes, video channels and videos can exist in Stream without being associated with a group.
-
-**Can there be multiple videos and channels per Group?**
-
-Yes, there can be multiple videos and channels in each group.
-
-**Can a video or channel be associated with multiple groups?**
-
-Yes, while a video or channel is created with a group, it can be shared with other groups.
-
-**Can its association with a Group change?**
-
-Yes and no; videos in Stream are owned by the original uploader or meeting recorder and so can be associated with any group, however video channels can only be associated with the group they were originally created in.
-
-**Does deleting videos or channels delete the group?**
-
-No, deleting videos or channels doesnΓÇÖt delete the group. However, deleting the group itself in Stream will delete group-associated services and content, except for the actual videos.
-
-## Viva Engage
-
-Viva Engage is an enterprise social platform designed to foster community engagement within and between organizations.
-
-Creating a community (formerly known as ΓÇ£groupΓÇ¥) in Viva Engage creates a mailbox, but at present this is not used.
-
-A Microsoft 365 group that is associated with Viva Engage cannot be used with a team in Microsoft Teams.
-
-A Viva Engage group cannot be used with a PowerBI Pro Workspace.
-
-**Key features provided to Groups**
--- Conversation area-
-**Can Viva Engage create a Microsoft 365 group?**
-
-Yes, creating a new group in Viva Engage will create a new Microsoft 365 group, if the platforms are connected and the user has the ability to create a group.
-
-A Viva Engage group with associated Microsoft 365 group cannot be created in any interface or service other than Viva Engage itself.
-
-**Does a Viva Engage group exist without a Microsoft 365 group?**
-
-Yes, it is possible to create a Viva Engage group without a Microsoft 365 group.
-
-If the Viva Engage platform is not connected to Microsoft 365 groups, or users do not have the ability to create a Microsoft 365 group, Viva Engage groups are created without a Microsoft 365 group association.
-
-**Can there be multiple Viva Engage groups per Microsoft 365 group?**
-
-No, the relationship between a Viva Engage group and a Microsoft 365 group is 1:1.
-
-**Can a Viva Engage group be associated with multiple Microsoft 365 groups?**
-
-No, the Viva Engage group can only be associated with a single Microsoft 365 group. It is possible for posts to be shared with or moved to other Viva Engage groups.
-
-**Can a Viva Engage groupΓÇÖs association with a Microsoft 365 group change?**
-
-No, the Viva Engage group can only ever be associated with the Microsoft 365 group to which it was originally associated.
-
-**Does deleting the Viva Engage group delete the Microsoft 365 group?**
-
-Yes, deleting the group in Viva Engage will delete related Microsoft group and group-associated services and content.
-
-## Related topics
-
-[Collaboration governance planning recommendations](collaboration-governance-overview.md#collaboration-governance-planning-recommendations)
-
-[Create your collaboration governance plan](collaboration-governance-first.md)
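Review bot: This removes the whole article, and nothing in the changes shown here indicates where its content goes or that a redirect is in place. Several statements in it matter for governance and access control and should be confirmed as preserved elsewhere before the deletion lands: the note that SharePoint membership sync is one-way ("if membership is changed in the SharePoint group, this isn't reflected in the Microsoft 365 group"), the table column "Does deleting the instance delete the group?", and the statement that group creation can't be restricted per app or service. Also check inbound links, since the "Related topics" targets being removed here suggest other governance articles link back to this one.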
solutions Groups Sharepoint Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-sharepoint-governance.md
Some settings for Microsoft 365 Groups and SharePoint in Microsoft 365, particul
|SharePoint setting|Description|Effect on Microsoft 365 groups|Recommendation| |:--|:-|:--|:-| |External sharing for organization and site|Determines if sites, files, and folders can be shared with people outside the organization.|If SharePoint and Microsoft 365 Groups settings don't match, guests in the group may be blocked from accessing the site, or external access may be available in the site but not the group.|When changing sharing settings, check both Microsoft 365 Groups settings and SharePoint site settings for group-connected team sites.<br><br>See [Collaborate with guests in a site](./collaborate-in-site.md).|
-|Domain allow/block|Allows or prevents content being shared with specified domains.|Microsoft 365 Groups doesn't recognize SharePoint allowlists or blocklists. Users from domains disallowed in SharePoint could gain access to SharePoint through a group.|Manage domain allowlists or blocklists for Azure AD and SharePoint together. Create an org-wide governance process for allowing and blocking domains.<br><br>See [SharePoint domain settings](/sharepoint/restricted-domains-sharing) and [Azure AD domain settings](/azure/active-directory/b2b/allow-deny-list)|
+|Domain allow/block|Allows or prevents content being shared with specified domains.|Microsoft 365 Groups doesn't recognize SharePoint allowlists or blocklists. Users from domains disallowed in SharePoint could gain access to SharePoint through a group.|Manage domain allowlists or blocklists for Azure AD and SharePoint together, along with external access for meetings. Create an org-wide governance process for allowing and blocking domains.<br><br>See [SharePoint domain settings](/sharepoint/restricted-domains-sharing), [Azure AD domain settings](/azure/active-directory/b2b/allow-deny-list), and [External access](/microsoftteams/trusted-organizations-external-meetings-chat).|
|Allow only users in specific security groups to share externally|Specifies security groups who can share sites, folders, and files externally.|This setting doesn't affect group owners sharing Microsoft 365 groups externally. Group guests have access to the associated SharePoint site.||
-|SharePoint site sharing settings|Determines who can share the site directly outside of group membership. (The group or site owner configures this setting.)|This setting doesn't affect the group directly, but it can allow users to be added to a site and not have access to other group resources|Consider using this setting to limit sharing of the site directly and manage site access through the group.|
+|SharePoint site sharing settings|Determines who can share the site directly, outside of group membership. (The group or site owner configures this setting.)|This setting doesn't affect the group directly, but it can allow users to be added to a site and not have access to other group resources|Consider using this setting to limit sharing of the site directly and manage site access through the group.|
|Let users create sites from the SharePoint start page and OneDrive|Specifies if users can create new SharePoint sites.|If this setting is turned off, users can still create group-connected team sites by creating a group.|| ## The effects of Microsoft 365 Groups settings on SharePoint
solutions Groups Sharepoint Teams Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-sharepoint-teams-governance.md
Title: "Settings interactions between Microsoft 365 Groups, Teams and SharePoint"- Previously updated : 08/12/2020
+ Title: Microsoft Teams, SharePoint, and Microsoft 365 Groups integration (IT Admins)
+ Last updated : 07/28/2023
recommendations: false
description: "Learn about settings interactions between Microsoft 365 Groups, Teams and SharePoint"
-# Settings interactions between Microsoft 365 Groups, Teams and SharePoint
+# Microsoft Teams, SharePoint, and Microsoft 365 Groups integration (IT Admins)
Some settings for Microsoft 365 Groups, Microsoft Teams, and SharePoint in Microsoft 365, particularly related to sharing and group/team and SharePoint site creation, overlap with each other. This article provides descriptions of these interactions and best practices for how to work with these settings.
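Review bot: The title and H1 change to "Microsoft Teams, SharePoint, and Microsoft 365 Groups integration (IT Admins)", but the description metadata and the opening paragraph still present the article as "settings interactions". Suggest updating the description line in the same change so the page header and the search snippet agree.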
Some settings for Microsoft 365 Groups, Microsoft Teams, and SharePoint in Micro
|SharePoint setting|Description|Effect on Microsoft 365 groups and Teams|Recommendation| |:--|:-|:|:-|
-|External sharing for organization and site|Determines if sites, files, and folders can be shared with people outside the organization.|If SharePoint, groups, and Teams settings don't match, guests in the team may be blocked from accessing the site, or unexpected external access may occur.|When changing sharing settings, check Groups settings, Teams settings, and SharePoint site settings for group-connected team sites.<br><br> See [Collaborate with guests in a team](./collaborate-as-team.md)|
-|Domain allow/block|Allows or prevents content being shared with specified domains.|Groups and Teams do not recognize SharePoint allowlists or blocklists. Users from domains disallowed in SharePoint could gain access to SharePoint sites or content through a team.|Manage domain allowlists or blocklists for Azure AD and SharePoint together. Create an org-wide governance process for allowing and blocking domains.<br><br>See [SharePoint domain settings](/sharepoint/restricted-domains-sharing) and [Azure AD domain settings](/azure/active-directory/b2b/allow-deny-list)|
-|Allow only users in specific security groups to share externally|Specifies security groups who can share SharePoint sites, folders, and files externally.|This setting does not prevent team owners from sharing teams externally. Team guests have access to the associated SharePoint site.||
-|SharePoint site sharing settings|Determines who can share the site directly outside of team membership. This is configured by the team or site owner.|This setting does not affect the team directly, but it can allow users to be added to a site and not have access to the team itself or other Teams resources|Consider using this setting to limit sharing of the site directly and manage site access through the team.|
+|External sharing for organization and site|Determines if sites, files, and folders can be shared with people outside the organization.|If SharePoint, Microsoft 365 Groups, and Teams settings don't match, guests in the team may be blocked from accessing the site, or unexpected external access may occur.|When changing sharing settings, check Microsoft 365 Groups settings, Teams settings, and SharePoint site settings for group-connected team sites.<br><br> See [Collaborate with guests in a team](/microsoft-365/solutions/collaborate-as-team)|
+|Domain allow/block|Allows or prevents content being shared with specified domains.|Microsoft 365 Groups and Teams don't recognize SharePoint allowlists or blocklists. Users from domains disallowed in SharePoint could gain access to SharePoint sites or content through a team.|Manage domain allowlists or blocklists for Azure AD and SharePoint together, along with external access for meetings. Create an org-wide governance process for allowing and blocking domains.<br><br>See [SharePoint domain settings](/sharepoint/restricted-domains-sharing), [Azure AD domain settings](/azure/active-directory/b2b/allow-deny-list), and [External access](/microsoftteams/trusted-organizations-external-meetings-chat).|
+|Allow only users in specific security groups to share externally|Specifies security groups who can share SharePoint sites, folders, and files externally.|This setting doesn't prevent team owners from sharing teams externally. Team guests have access to the associated SharePoint site.||
+|SharePoint site sharing settings|Determines who can share the site directly, outside of team membership. The team or site owner configures this setting.|This setting doesn't affect the team directly, but it can allow users to be added to a site and not have access to the team itself or other Teams resources|Consider using this setting to limit sharing of the site directly and manage site access through the team.|
|Let users create sites from the SharePoint start page and OneDrive|Specifies if users can create new SharePoint sites.|If this setting is turned off, users can still create group-connected team sites by creating a team.|| ## The effects of groups settings on teams |Microsoft 365 groups setting|Description|Effect on Teams|Recommendation| |:|:-|:--|:-|
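Review bot: The "Allow only users in specific security groups to share externally" row is reworded, but its Recommendation cell is still empty, although the Effect cell says the setting doesn't prevent team owners from sharing teams externally and that team guests have access to the associated SharePoint site. This is the row where an admin is most likely to assume a restriction that isn't enforced, so suggest a recommendation that points to the Microsoft 365 Groups and Teams guest access settings described in the table that follows. The "SharePoint site sharing settings" Effect cell also still ends without a period.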
-|Naming policies|Specifies group name prefixes and suffixes, and blocked words for group creation|Policies are enforced for users creating teams.||
-|Group guest access|Specifies if people outside the organization can be added to groups.|If either the groups or Teams guest sharing settings are off, the team cannot be shared with guests.|When changing guest sharing settings, check the settings for Teams, Groups, and the SharePoint site associated with the team.<br><br> See [Collaborate with guests in a team](./collaborate-as-team.md)|
-|Group creation by security group|Groups can only be created by members of a specific security group.|Users who are not members of the security group will not be able to create a team.|Be sure your process for requesting a group includes instructions for requesting a team or a SharePoint site.|
-|Group expiration policy|Specifies a time period after which groups that are not actively used will be automatically deleted.|When the group is deleted, the team and associated SharePoint site are also deleted. Content protected by retention policies is retained.|Use expiration policies to avoid sprawl of unused teams, groups and sites.|
+|Naming policies|Specifies Microsoft 365 group name prefixes and suffixes, and blocked words for group creation|Policies are enforced for users creating teams.||
+|Microsoft 365 Groups guest access|Specifies if people outside the organization can be added to Microsoft 365 groups.|If either the Microsoft 365 Groups or Teams guest sharing settings are off, the team can't be shared with guests.|When changing guest sharing settings, check the settings for Teams, Microsoft 365 Groups, and the SharePoint site associated with the team.<br><br> See [Collaborate with guests in a team](/microsoft-365/solutions/collaborate-as-team)|
+|Microsoft 365 group creation by security group|Only members of a specific security group can create Microsoft 365 groups.|Users who aren't members of the security group can't create a team.|Be sure your process for requesting a Microsoft 365 group includes instructions for requesting a team or a SharePoint site.|
+|Microsoft 365 group expiration policy|Specifies a time period after which Microsoft 365 groups that aren't actively used are automatically deleted.|When the group is deleted, the team and associated SharePoint site are also deleted. Content protected by retention policies is retained.|Use expiration policies to avoid sprawl of unused teams, Microsoft 365 groups, and sites.|
## Related topics
solutions Groups Teams Access Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-access-governance.md
Title: "Governing access in Microsoft 365 groups, Teams, and SharePoint"- Previously updated : 08/12/2020+ Last updated : 07/28/2023
The following table provides a quick reference for the access controls available
||Control device access based on group, team, or site sensitivity.|[Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md)| ||Limit site access for unmanaged devices.|[Control SharePoint access from unmanaged devices](/sharepoint/control-access-from-unmanaged-devices)| ||Control site access based on location|[Control access to SharePoint and OneDrive data based on network location](/sharepoint/control-access-based-on-network-location)|
+||Enforce more stringent access conditions when users access SharePoint sites.|[Conditional access policy for SharePoint sites and OneDrive](/sharepoint/authentication-context-example)|
|Guest access||| ||Allow or block SharePoint sharing from specified domains.|[Restrict sharing of SharePoint and OneDrive content by domain](/sharepoint/restricted-domains-sharing)| ||Allow or block team or group membership from specified domains.|[Allow or block invitations to B2B users from specific organizations](/azure/active-directory/b2b/allow-deny-list)|
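Review bot: The new "Enforce more stringent access conditions when users access SharePoint sites" row has no matching paragraph in the body text this change adds, while the other new rows (OneDrive access by security group, restricted site access) each get one. Suggest adding a short paragraph for it as well. "More stringent access conditions" is also vague; the link target is authentication-context-example, so the description could name authentication context directly.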
The following table provides a quick reference for the access controls available
||Control guest access to a group, team, or site based on information sensitivity.|[Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md)| ||Turn off sharing options.|[Limit sharing in Microsoft 365](./microsoft-365-limit-sharing.md)| |User management|||
-||Review team and group membership on a regular basis.|[What are Azure AD access reviews?](/azure/active-directory/governance/access-reviews-overview)|
+||Review team and group membership regularly.|[What are Azure AD access reviews?](/azure/active-directory/governance/access-reviews-overview)|
||Automate access management to groups and teams.|[What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview)|
+||Limit OneDrive access to members of a specific security group.|[Restrict OneDrive access by security group](/sharepoint/limit-access)|
+||Restrict teams or site access to members of a group.|[Restrict SharePoint site access to members of a group](/sharepoint/restricted-access-control)|
+|Information classification|||
+||Classify groups and teams|[Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md)|
+||Automatically classify sensitive content|[Apply a sensitivity label to content automatically](../compliance/apply-sensitivity-label-automatically.md)|
+||Encrypt sensitive content|[Restrict access to content by using sensitivity labels to apply encryption](../compliance/encryption-sensitivity-labels.md)|
+|User segmentation|||
+||Restrict communication between user segments|[Information barriers](../compliance/information-barriers.md)|
+|Data residency|||
+||Store data in specific geo-locations|[Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo)|
## Membership
-Membership of teams and groups is controlled by owners. Members can invite others, but the invitations are sent to owners for approval. While public teams and groups are discoverable by anyone in the organization, you can control whether private teams and groups are discoverable:
--- [Manage discovery of private teams in Microsoft Teams](/microsoftteams/manage-discovery-of-private-teams)-
-You can manage membership of a group or team dynamically based on some criteria, such as department. In this case, members and owners cannot invite people to the team. Dynamic groups uses metadata that you define in Azure Active Directory to control who is a member of the group. Be sure the metadata that you're using is complete and up to date as incorrect metadata can lead to users being left out of groups or incorrect users being added.
+You can manage membership of a group or team dynamically based on some criteria, such as department. In this case, members and owners can't invite people to the team. Dynamic groups use metadata that you define in Azure Active Directory to control who is a member of the group. Be sure the metadata that you're using is complete and up to date as incorrect metadata can lead to users being left out of groups or incorrect users being added.
- [Create or update a dynamic group in Azure Active Directory](/azure/active-directory/users-groups-roles/groups-create-rule)
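Review bot: Deleting the first paragraph of the Membership section removes the only statement that owners control membership and that member invitations go to owners for approval, along with the link for managing discovery of private teams. The section now opens directly with dynamic membership and says "members and owners can't invite people" without having said what they can do otherwise. If the removed text was inaccurate, replace it with a corrected sentence instead of dropping it; if discovery of private teams is still configurable, keep that link.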
Additional resources:
- [Limit accidental exposure to files when sharing with people outside your organization](./share-limit-accidental-exposure.md) -- [Create a secure guest sharing environment](./create-secure-guest-sharing-environment.md)
+- [Create a more secure guest sharing environment](./create-secure-guest-sharing-environment.md)
- [Enable B2B external collaboration and manage who can invite guests](/azure/active-directory/b2b/delegate-invitations)
Private channels in Teams allow for scoped conversations and file sharing betwee
Shared channels allow you to invite people who are outside the team or outside the organization. Depending on your specific business needs and external sharing policies, you may want to allow or block this capability. -- [Shared channels](/MicrosoftTeams/shared-channels)
+- [Shared channels in Microsoft Teams](/MicrosoftTeams/shared-channels)
+
+OneDrive provides an easy way for users to store and share content that they're working on. Depending on your business needs, you may want to restrict access to this content to full-time company employees or other groups within the company. If so, you can limit access to OneDrive content to members of a security group.
+
+- [Restrict OneDrive access by security group](/sharepoint/limit-access)
+
+For some more sensitive teams or sites, you might want to limit access to team or site content to members of the team or to members of a security group.
+
+- [Restrict SharePoint site access to members of a group](/sharepoint/restricted-access-control)
Additional resources: - [Azure Active Directory Identity Governance](/azure/active-directory/governance)
+## Information classification
+
+You can use sensitivity labels to govern guest access, group and team privacy, and access by unmanaged devices for groups and teams. When a user applies the label, these settings are automatically configured as specified by the label settings.
+
+- [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md)
+
+You can configure Microsoft 365 to auto-apply sensitivity labels to files and emails based on the criteria that you specify, including detecting sensitive information types or pattern matching with trainable classifiers.
+
+- [Apply a sensitivity label to content automatically](../compliance/apply-sensitivity-label-automatically.md)
+
+You can use sensitivity labels to encrypt files, allowing only those with permissions to decrypt and read them.
+
+- [Restrict access to content by using sensitivity labels to apply encryption](../compliance/encryption-sensitivity-labels.md)
+
+Additional resources:
+
+- [Learn about sensitivity labels](../compliance/sensitivity-labels.md)
+
+## User segmentation
+
+With information barriers, you can segment your data and users to restrict unwanted communication and collaboration between groups and avoid conflicts of interest in your organization. Information barriers let you create policies to allow or prevent file collaboration, chatting, calling, or meeting invitations between groups of people in your organization.
+
+- [Information barriers](../compliance/information-barriers.md)
+
+- [Information barriers in Microsoft Teams](/microsoftteams/information-barriers-in-teams)
+
+- [Use information barriers with SharePoint](/sharepoint/information-barriers)
+
+## Data residency
+
+With Microsoft 365 Multi-Geo, you can provision and store data at rest in the geo locations that you've chosen to meet data residency requirements. In a Multi-Geo environment, your Microsoft 365 tenant consists of a central location (where your Microsoft 365 subscription was originally provisioned) and one or more satellite locations where you can store data.
+
+- [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo)
+
+- [Plan for Microsoft 365 Multi-Geo](/microsoft-365/enterprise/plan-for-multi-geo)
+ ## Related topics [Collaboration governance planning recommendations](collaboration-governance-overview.md#collaboration-governance-planning-recommendations)
Additional resources:
[Manage sharing settings in SharePoint](/sharepoint/turn-external-sharing-on-or-off)
-[Create and manage an external network in Viva Engage](/viva/engage/work-with-external-users/create-and-manage-an-external-network)
- [Configure Teams with three tiers of protection](./configure-teams-three-tiers-protection.md)
solutions Groups Teams Communication Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-communication-governance.md
- Title: Communications governance for collaboration scenarios- Previously updated : 08/12/2020-------- highpri-- M365-collaboration-- m365solution-collabgovernance--- M365solutions
-recommendations: false
-description: "Learn about Communications governance collaboration scenarios."
--
-# Communications governance for collaboration scenarios
-
-Microsoft 365 offers a number of controls to help you govern communication in your organization, including messaging and meetings settings. Review these options and consider how they map to your business needs, the sensitivity of your data, and the scope of people that your users need to collaborate with.
-
-The following table provides a quick reference for the communications controls available in Microsoft 365. Further information is provided in the following sections.
-
-|Category|Description|Reference|
-|:-|:-|:--|
-|Messaging|||
-||Manage what users can do while messaging in Teams.|[Manage messaging policies in Teams](/microsoftteams/messaging-policies-in-teams)|
-||Control who can start and reply to posts in a channel.|[Set up and manage channel moderation in Microsoft Teams](/microsoftteams/manage-channel-moderation-in-teams)|
-|Meetings|||
-||Manage what meeting participants can do.|[Manage meeting policies in Teams](/microsoftteams/meeting-policies-in-teams)|
-||Allow or prevent anonymous users joining meetings.|[Allow anonymous users to join meetings](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings)|
-|Communication compliance|||
-||Surface and respond to careless and negligent communication|[Communication compliance](../compliance/communication-compliance.md)|
-
-## Messaging
-
-You can control which chat and channel messaging features - such as editing or deleting messages - are available to users in Microsoft Teams by using messaging policies. You can create different policies for different users and groups.
-
-[Manage messaging policies in Teams](/microsoftteams/messaging-policies-in-teams)
-
-You can control who can start new posts and reply to posts in a Teams channel by configuring channel moderation.
-
-[Set up and manage channel moderation in Microsoft Teams](/microsoftteams/manage-channel-moderation-in-teams)
-
-## Meetings
-
-You can control the features that are available to Teams meeting participants, including scheduling, content sharing, participants, and audio and video policies.
-
-[Manage meeting policies in Teams](/microsoftteams/meeting-policies-in-teams)
-
-You can control anonymous join for Teams meetings which allows anyone with a link to the meeting to join.
-
-[Allow anonymous users to join meetings](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings)
--
-## Communication compliance
-
-Communication compliance allows you to examine communications for offensive language, sensitive information, and information related to internal and regulatory standards. Chat communications, mailboxes, and Viva Engage messages can all be monitored, generating alerts. With administration tools, you can quickly identify and take action on messages with policy matches.
-
-[Learn about communication compliance](../compliance/communication-compliance.md)
-
-## Related topics
-
-[Collaboration governance planning recommendations](collaboration-governance-overview.md#collaboration-governance-planning-recommendations)
-
-[Create your collaboration governance plan](collaboration-governance-first.md)
-
-[Manage Microsoft Teams settings for your organization](/microsoftteams/enable-features-office-365)
-
-[Manage Viva Engage data compliance](/viva/engage/manage-security-and-compliance/manage-data-compliance)
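Review bot: This deletes the whole communications governance article, including the guidance on anonymous join for Teams meetings and on channel moderation, and none of the additions visible in this change set move that guidance elsewhere (the access article gains classification, segmentation and data residency only). Suggest either adding the anonymous-join and moderation references to the access governance table or confirming that a redirect for this path is part of the same change, so existing links to the article don't go dead.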
solutions Groups Teams Compliance Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-compliance-governance.md
- Title: "Compliance options for Microsoft 365 groups, Teams, and SharePoint collaboration"- Previously updated : 08/12/2020-------- highpri-- M365-collaboration-- m365solution-collabgovernance--- M365solutions
-recommendations: false
-description: "Learn about compliance options for Microsoft 365 groups, Teams, and SharePoint collaboration."
--
-# Compliance options for Microsoft 365 groups, Teams, and SharePoint collaboration
-
-Microsoft 365 offers a full suite of tools to maintain compliance as your users collaborate. Review these options and consider how they map to your business needs, the sensitivity of your data, and the scope of people that your users need to collaborate with.
-
-The following table provides a quick reference for the compliance controls available in Microsoft 365. Further information is provided in the following sections.
-
-|Category|Description|Reference|
-|:-|:-|:--|
-|Information retention|||
-||Retain groups mail and SharePoint content|[Learn about retention policies for SharePoint and OneDrive](../compliance/retention-policies-sharepoint.md)|
-||Retain chat and messages|[Learn about retention policies for Microsoft Teams](../compliance/retention-policies-teams.md)|
-|Information classification|||
-||Classify groups and teams|[Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md)|
-||Automatically classify sensitive content|[Apply a sensitivity label to content automatically](../compliance/apply-sensitivity-label-automatically.md)|
-||Encrypt sensitive content|[Restrict access to content by using sensitivity labels to apply encryption](../compliance/encryption-sensitivity-labels.md)|
-|Information protection|||
-||Prevent the loss of sensitive information|[Learn about Microsoft Purview Data Loss Prevention](../compliance/dlp-learn-about-dlp.md)|
-||Protect sensitive information in chat.|[Microsoft Purview Data Loss Prevention and Microsoft Teams](../compliance/dlp-microsoft-teams.md)|
-||Define your organization's sensitive information|[Custom sensitive information types](../compliance/sensitive-information-type-learn-about.md)|
-|User segmentation|||
-||Restrict communication between user segments|[Information barriers](../compliance/information-barriers.md)|
-|Data residency|||
-||Store data in specific geo-locations|[Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo)|
-
-## Information retention
-
-Retention policies are available to retain or delete items used for collaboration in groups and teams, including files, messages, and mail. Policies can be set to retain and delete, to retain only, or delete only. Information covered by a retention policy is protected in the event that the group or team expires or is otherwise deleted.
-
-Configuring a retention policy for Microsoft 365 Groups covers the group mailbox and the associated SharePoint site and files.
--- [Learn about retention policies for SharePoint and OneDrive](../compliance/retention-policies-sharepoint.md)-
-Retention policies for Teams retain chat and channel messages. While chat and channel messages are stored in Exchange mailboxes, they are not affected by Exchange retention policies. You must set your retention policies to apply to Teams chats and Teams channel messages.
-
-User chats are retained indefinitely even if a user account is deleted. If you don't want to retain this data indefinitely, consider using a retention policy to delete user chats after a specified time or include this deletion in your user deletion process.
--- [Learn about retention policies for Microsoft Teams](../compliance/retention-policies-teams.md)--- [Retention policies in Microsoft Teams](/microsoftteams/retention-policies)-
-A single retention policy can be set to apply to Teams chat and Teams channel messages (including shared channel messages). Teams private channel messages must be contained in their own retention policy.
-
-Additional resources:
--- [Learn about retention policies](../compliance/retention.md)--- [Retention tags and retention policies](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies) in Exchange-
-## Information classification
-
-You can use sensitivity labels to govern guest access, group and team privacy, and access by unmanaged devices for groups and teams. By applying the label, these settings are automatically configured as specified by the label settings.
--- [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md)-
-You can configure Microsoft 365 to auto-apply sensitivity labels to files and emails based on the criteria that you specify, including detecting sensitive information types or pattern matching with trainable classifiers.
--- [Apply a sensitivity label to content automatically](../compliance/apply-sensitivity-label-automatically.md)-
-You can use sensitivity labels to encrypt files, allowing only those with permissions to decrypt and read them.
--- [Restrict access to content by using sensitivity labels to apply encryption](../compliance/encryption-sensitivity-labels.md)--- [Configure a team with security isolation](./secure-teams-security-isolation.md)-
-Additional resources:
--- [Learn about sensitivity labels](../compliance/sensitivity-labels.md)--
-## Information protection
-
-DLP policies can prevent the accidental sharing of sensitive information across SharePoint, Exchange, and Teams. You can create policies that specify actions to take (such as blocking access) based on a set of rules.
--- [Learn about data loss prevention](../compliance/dlp-learn-about-dlp.md)-
-DLP in Teams can help protect sensitive information in Teams chat and channel messages by deleting messages that contain sensitive information.
--- [Data loss prevention and Microsoft Teams](../compliance/dlp-microsoft-teams.md)-
-If you have sensitive information that is unique to your organization, such as project code names, you can create your own sensitive information types and apply them to DLP policies to protect content in groups, teams, and SharePoint.
--- [Custom sensitive information types](../compliance/sensitive-information-type-learn-about.md)-
-## User segmentation
-
-With information barriers, you can segment your data and users to restrict unwanted communication and collaboration between groups and avoid conflicts of interest in your organization. Information barriers let you create policies to allow or prevent file collaboration, chatting, calling, or meeting invitations between groups of people in your organization.
--- [Information barriers](../compliance/information-barriers.md)--- [Information barriers in Microsoft Teams](/microsoftteams/information-barriers-in-teams)--- [Use information barriers with SharePoint](/sharepoint/information-barriers)-
-## Data residency
-
-With Microsoft 365 Multi-Geo, you can provision and store data at rest in the geo locations that you've chosen to meet data residency requirements. In a Multi-Geo environment, your Microsoft 365 tenant consists of a central location (where your Microsoft 365 subscription was originally provisioned) and one or more satellite locations where you can store data.
--- [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo)--- [Plan for Microsoft 365 Multi-Geo](/microsoft-365/enterprise/plan-for-multi-geo)-
-## Related topics
-
-[Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)
-
-[Collaboration governance planning recommendations](collaboration-governance-overview.md#collaboration-governance-planning-recommendations)
-
-[Create your collaboration governance plan](collaboration-governance-first.md)
-
-[Security and compliance for Exchange Online](/exchange/security-and-compliance/security-and-compliance)
-
-[Protect information](../compliance/information-protection.md)
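Review bot: Only three of the five sections of this deleted article reappear in the access governance article (Information classification, User segmentation, Data residency). Information retention and Information protection are dropped without a replacement in the visible changes, which loses the notes that Teams messages aren't covered by Exchange retention policies, that private channel messages need their own retention policy, and the DLP references. The "Configure a team with security isolation" link under encryption is also not carried over. Suggest adding at least a reference row for retention and DLP where the content moved, since the expiration policy row in the integration article still says "Content protected by retention policies is retained" with nothing to link to.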
solutions Manage Creation Of Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-creation-of-groups.md
Title: "Manage who can create Microsoft 365 Groups"
+ Title: Manage who can create Microsoft 365 Groups
f1.keywords: NOCSH - Previously updated : 02/18/2020+ Last updated : 07/28/2023 audience: Admin
search.appverid:
- MET150 ms.assetid: 4c46c8cb-17d0-44b5-9776-005fced8e618 recommendations: false
-description: "Learn how to control which users can create Microsoft 365 Groups."
+description: Learn how to control which users can create Microsoft 365 Groups.
# Manage who can create Microsoft 365 Groups
When you limit who can create a group, it affects all services that rely on grou
- SharePoint - Viva Engage - Microsoft Teams-- Microsoft Stream - Planner - Power BI (classic) - Project for the web / Roadmap
solutions Plan Organization Lifecycle Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/plan-organization-lifecycle-governance.md
Title: "Plan organization and lifecycle governance for Microsoft 365 groups and Microsoft Teams"- Previously updated : 08/12/2020
+ Title: Plan organization and lifecycle governance for Microsoft 365 groups and Microsoft Teams
+ Last updated : 07/28/2023
- M365solutions f1.keywords: NOCSH recommendations: false
-description: "Lean about lifecycle governance options for collaboration tools in Microsoft 365"
+description: Lean about lifecycle governance options for collaboration tools in Microsoft 365
# Plan organization and lifecycle governance for Microsoft 365 groups and Microsoft Teams
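Review bot: The description line is touched only to remove the quotation marks, and the typo "Lean about lifecycle governance options" is carried into the new line. Suggest fixing it to "Learn about lifecycle governance options" in the same edit.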
-Microsoft 365 groups has a rich set of tools to implement the governance capabilities your organization requires.
+Microsoft 365 Groups has a rich set of tools to implement the governance capabilities your organization requires.
The following section describes the capabilities, recommends best practices, and provides guidance to ask the right questions to determine the requirements for governance, and how to meet them. ## Control who can create Microsoft 365 groups
-Groups can be created by end-users from multiple end-points including Outlook, SharePoint, Teams, and other environments.
+Microsoft 365 groups can be created by end users from multiple end-points including Outlook, SharePoint, Teams, and other environments. Creating a team always creates a Microsoft 365 group, so governing the Microsoft 365 Groups lifecycle also governs the lifecycle of teams in Microsoft Teams.
![image desc.](../media/04.png)
We highly recommend self-service to empower group owners and help users get thei
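Review bot: The added sentence changes "end-users" to "end users" but keeps "end-points", so the hyphenation is inconsistent within one sentence. Use "endpoints", or better "apps and services", since the list that follows (Outlook, SharePoint, Teams) names applications and not devices. The new statement that creating a team always creates a Microsoft 365 group is a useful addition here, because it tells readers that the creation restrictions in this section also apply to Teams.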
Consider the following governance options for groups creation: -- To limit group sprawl, use [groups expiration policies](microsoft-365-groups-expiration-policy.md) to automatically delete groups that are not being used.
+- To limit group sprawl, use [groups expiration policies](microsoft-365-groups-expiration-policy.md) to automatically delete groups that aren't being used.
- Limit group creation to members of a [security groups with dynamic membership](/azure/active-directory/users-groups-roles/groups-create-rule) containing, for example, all full-time employees. - Limit group creation to a security group and require users to complete training in your organization's group usage policies in order to become members of the security group.
If you want to limit who can create groups, see [Manage who can create Microsoft
## Group delete, restore, and archiving
-When a Microsoft 365 group is deleted, by default it's retained for 30 days. This 30-day period is called "soft-delete" because you can still restore the group. After 30 days, the group and associated content is permanently deleted and cannot be restored.
+When a Microsoft 365 group is deleted, by default it's retained for 30 days. This 30-day period is called "soft-delete" because you can still restore the group. After 30 days, the group and associated content are permanently deleted and can't be restored.
If you have retention policies in place to retain chat, files, or mail, those items will be preserved after the group is deleted. See [Learn about retention policies](../compliance/retention.md) for details.
If you want to delete a group but preserve the content from one or more of the g
A groups naming policy can help you govern groups in two ways: - A prefix/suffix naming policy can be used to enforce fixed strings or Azure AD attributes at the beginning or end of a group name and its associated email address. By doing this, you can ensure the inclusion of, for example, department names or regions in group names.-- A blocked words policy can ensure that certain words, such as the names of executives, are not used in group names.
+- A blocked words policy can ensure that certain words, such as the names of executives, aren't used in group names.
Naming policies are applied when groups are created from any of the group-connected services.
-If you decide to use naming policies for groups, see [Microsoft 365 Groups naming policy](groups-naming-policy.md).
+If you want to use naming policies for groups, see [Microsoft 365 Groups naming policy](groups-naming-policy.md).
## Group expiration policy
-You can specify an expiration period and any group that reaches the end of that period, and is not renewed, will be deleted. The expiration period begins when the group is created, or on the date it was last renewed.
+You can specify an expiration period and any group that reaches the end of that period, and isn't renewed, will be deleted. The expiration period begins when the group is created, or on the date it was last renewed.
Once you set groups to expire: - Owners of the group are notified to renew the group as the expiration nears. - Active groups are renewed automatically.-- Any group that is not renewed is deleted.-- Any group that is deleted can be restored within 30 days by the group owners or the admin.
+- Any group that isn't renewed is deleted.
+- Any group that is deleted can be restored within 30 days by the group owners or a global administrator.
Expiration policies are a good way to limit group sprawl by ensuring that groups that are no longer in use are deleted. If you want to create a group expiration policy, see [Microsoft 365 Groups Expiration Policy](microsoft-365-groups-expiration-policy.md).
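Review bot: The last added bullet replaces "the admin" with "a global administrator" as the role that can restore a deleted group, which narrows the statement and is more than a rewording. Confirm that restore really requires that role; if a less privileged admin role can also restore groups, name it here so readers aren't steered toward using a global administrator account for routine restores. The "Group delete, restore, and archiving" section says only "you can still restore the group", so the two sections should agree on who can perform the restore.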
syntex Syntex Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-overview.md
You can dive deeper into your content to truly understand it, and you can turn t
:::row::: :::column span="3":::
- With Syntex, you can automatically generate standard repetitive business documents, such as contracts, statements of work, service agreements, letters of consent, and correspondence.
-
- You can do all these tasks quicker, more consistently, and with fewer errors in Syntex.
+ With Syntex, you can automatically generate standard repetitive business documents, such as contracts, statements of work, service agreements, letters of consent, and correspondence. You can do all these tasks quicker, more consistently, and with fewer errors in Syntex.
:::column-end::: :::column span=""::: ![Image of generic document icon.](../media/content-understanding/document-assembly-image.png)
Both structured and freeform models use Microsoft Power Apps AI Builder to creat
### Optical character recognition :::row:::
- :::column span="3":::
- The optical character recognition (OCR) service in Syntex lets you extract printed or handwritten text from images. Syntex automatically scans the image files, extracts the relevant text, and makes the text from the images available for search and indexing. This lets you quickly and accurately find the keywords and phrases you're looking for.
- :::column-end:::
:::column span=""::: ![Image of generic OCR icon.](../media/content-understanding/ocr-image.png) :::column-end:::
+ :::column span="3":::
+ The optical character recognition (OCR) service in Syntex lets you extract printed or handwritten text from images. Syntex automatically scans the image files, extracts the relevant text, and makes the text from the images available for search and indexing. This lets you quickly and accurately find the keywords and phrases you're looking for.
+ :::column-end:::
:::row-end:::
-[Learn more about using the OCR service in Microsoft Syntex.](ocr.md)
+[Learn more about using the OCR service in Microsoft Syntex.](ocr-overview.md)
## Other features ### Annotations :::row:::
- :::column span="":::
- ![Image of generic annotations icon.](../media/content-understanding/annotation-image.png)
- :::column-end:::
:::column span="3"::: Use the annotations feature in Syntex to add notes, comment, and collaborate with others on your content in document libraries. You can use annotations without modifying the original files, so the original records are preserved. :::column-end:::
+ :::column span="":::
+ ![Image of generic annotations icon.](../media/content-understanding/annotation-image.png)
+ :::column-end:::
:::row-end::: [Learn more about using annotations in Microsoft Syntex.](annotations.md)
Both structured and freeform models use Microsoft Power Apps AI Builder to creat
### Content query :::row:::
+ :::column span="":::
+ ![Image of generic search icon.](../media/content-understanding/search-generic-image.png)
+ :::column-end:::
:::column span="3"::: The content query feature in Syntex lets you perform specific metadata-based queries on SharePoint document libraries. You can make faster, more precise queries based on specific metadata column values, rather than just searching for keywords. :::column-end:::
- :::column span="":::
- ![Image of generic search icon.](../media/content-understanding/search-generic-image.png)
- :::column-end:::
:::row-end::: This feature is useful when you have a specific piece of information you want to search for, such as when a document was last modified, a specific person associated with a file, or a specific file type. [Learn more about how to search for metadata in document libraries in Microsoft Syntex.](metadata-search.md)
-### Content compliance
-
- :::column span="":::
- ![Image of generic compliance icon.](../media/content-understanding/compliance-image.png)
- :::column-end:::
- :::column span="3":::
- Understanding your content allows for better compliance control and increases management and governance options for all your data. When content is properly tagged and labeled, you have better control over your data and can follow regulations more easily. Syntex helps you ensure compliance by using retention labels and sensitivity labels to manage your documents.
- :::column-end:::
-
-Learn more about how to apply [retention labels](apply-a-retention-label-to-a-model.md) and [sensitivity labels](apply-a-sensitivity-label-to-a-model.md) to models in Microsoft Syntex.
- ### Content processing :::row:::
Learn more about how to apply [retention labels](apply-a-retention-label-to-a-mo
[Learn more about content processing rules in Microsoft Syntex.](content-processing-overview.md)
-### Premium taxonomy services
+### Content compliance
:::row::: :::column span="":::
- ![Image of generic taxonomy icon.](../media/content-understanding/taxonomy-image.png)
+ ![Image of generic compliance icon.](../media/content-understanding/compliance-image.png)
:::column-end:::
+ :::column span="3":::
+ Understanding your content allows for better compliance control and increases management and governance options for all your data. When content is properly tagged and labeled, you have better control over your data and can follow regulations more easily. Syntex helps you ensure compliance by using retention labels and sensitivity labels to manage your documents.
+ :::column-end:::
+
+Learn more about how to apply [retention labels](apply-a-retention-label-to-a-model.md) and [sensitivity labels](apply-a-sensitivity-label-to-a-model.md) to models in Microsoft Syntex.
+
+### Premium taxonomy services
+ :::column span="3"::: Having one or more Syntex licenses in your organization enables the following additional term store features for admins:<br><br>
-
+ :::column-end:::
+ :::column span="":::
+ ![Image of generic taxonomy icon.](../media/content-understanding/taxonomy-image.png)
:::column-end::: :::row-end:::
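Review bot: The row and column markers in the relocated blocks don't balance in the lines shown. Under "### Content compliance" a row is opened with ":::row:::", but no ":::row-end:::" appears between the added ":::column-end:::" and the "Learn more about how to apply" paragraph. Under "### Premium taxonomy services" the added ':::column span="3":::' has no ":::row:::" before it. Verify that each section opens and closes its own row, and build the page to check that the icon and text columns render in the intended order after the swap.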