Updates from: 07/09/2021 03:10:33
Category Microsoft Docs article Related commit history on GitHub Change details
admin Change A User Name And Email Address https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/change-a-user-name-and-email-address.md
You may need to change someone's email address and display name if, for example,
If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../../business-video/index.yml).
-You must be a [global admin](about-admin-roles.md) to do these steps.
+You must be a [global admin](about-admin-roles.md) to complete these steps.
## Change a user's email address
You must be a [global admin](about-admin-roles.md) to do these steps.
1. Select the user's name, and then on the **Account** tab select **Manage username**.
-1. In the first box, type the first part of the new email address. If you added your own domain to Microsoft 365, choose the domain for the new email alias by using the drop-down list.
+1. In the first box, type the first part of the new email address. If you added your own domain to Microsoft 365, choose the domain for the new email alias by using the drop-down list. [Learn how to add a domain](../setup/add-domain.md).
1. Select **Save changes**.
You must be a [global admin](about-admin-roles.md) to do these steps.
::: moniker range="o365-worldwide"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
::: moniker-end
To learn how to change someone's username in Active Directory, in Windows Server
## Related content
-[Admins: Reset a password for one or more users](reset-passwords.md) (article)\
-[Add another email address to a user](../email/add-another-email-alias-for-a-user.md) (article)\
-[Create a shared mailbox](../email/create-a-shared-mailbox.md) (article)
+[Add a domain](../setup/add-domain.md)
+[Admins: Reset a password for one or more users](reset-passwords.md)
+[Add another email address to a user](../email/add-another-email-alias-for-a-user.md)
+[Create a shared mailbox](../email/create-a-shared-mailbox.md)
admin Change Email Address https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/change-email-address.md
When you change your domain's email to come to Microsoft 365, by updating your d
## Change your email address to use your custom domain using the Microsoft 365 admin center
-You must have a global admin account to perform these steps.
+You must be a global admin to perform these steps.
::: moniker range="o365-worldwide"
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.
::: moniker-end
-
+ ::: moniker range="o365-germany"
-
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">https://portal.office.de/adminportal</a>.
-
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">https://portal.office.de/adminportal</a>.
+ ::: moniker-end ::: moniker range="o365-21vianet"
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank"> https://portal.partner.microsoftonline.cn</a>.
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank"> https://portal.partner.microsoftonline.cn</a>.
-2. Go to the **Setup** > **Domains** page.
+2. Go to the **Setup** > **Domains** page.
3. On the **Domains** page, select **Add domain**.
-
-4. Follow the steps to confirm that you own your domain and to change your email address.
-
-You'll be guided to get everything set up correctly with your domain in Microsoft 365.
+
+4. Follow the steps to confirm that you own your domain. You'll be guided to get everything set up correctly with your domain in Microsoft 365.
+
+5. Go to **Users** > **Active users**.
+
+6. Select a user to edit their username and change it to the domain you just added.
> [!NOTE] > If you are not using an Exchange license, you cannot use the domain to send or receive emails from the Microsoft 365 tenant.
admin Business Assist https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/business-assist.md
Get the most out of your subscription with expert advice from small business spe
**Business Assist for Microsoft 365** is designed for businesses with fewer than 5 users to give you and your employees around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.
+### Watch: Business Assist for Microsoft 365
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWFTQl]
+ ## Business Assist services |&nbsp;|&nbsp;|&nbsp;|
admin Mailbox Not Found Error https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/mailbox-not-found-error.md
If you're using Outlook on the web and you get a **Mailbox couldn't be found fo
Your admin can assign a license to your account by following these steps:
-1. Open the [Microsoft 365 admin center](https://portal.office.com/adminportal/home#/homepage) and go to **Active users** under the **Users** section, and select the user who is seeing the error.
+1. Open the [Microsoft 365 admin center](https://admin.microsoft.com/adminportal/home#/homepage) and go to **Active users** under the **Users** section, and select the user who is seeing the error.
1. In the user page that opens, go to the **Licenses and Apps** section, select the appropriate **Location** value, and assign a license that contains Exchange Online (expand the license to see its details). 1. When you're finished, click **Save changes**.
admin Set Up File Storage And Sharing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/set-up-file-storage-and-sharing.md
Employees can also share OneDrive files and folders. If an employee is away or l
Here's how each person on your team can set up OneDrive and share files.
-1. Go to the <a href="https://portal.office.com/ " target="_blank">Microsoft 365 Portal</a>, and sign in with your user name and password.
+1. Go to the <a href="https://admin.mirosoft.com/ " target="_blank">Microsoft 365 admin center</a>, and sign in with your user name and password.
2. From the App launcher, select **OneDrive**.
business-video Set Up A New Business Email Address https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/set-up-a-new-business-email-address.md
Buy a new domain name for your email address and set up the email addresses with
Use a domain name you already own whether you're using it for a website address or an email address at another provider.
-## Try it!
+## Give it a try!
1. Sign into the website that hosts your domain. Click a button to verify automatically or update the domain manually. 1. Customize the email address or leave it as is.
business Microsoft 365 Business Start https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/microsoft-365-business-start.md
If you found this video helpful, check out the [complete training series for sma
### 1: Set up Microsoft 365 for business (Admin)
-Sign in to [Microsoft 365 admin center](https://portal.office.com/adminportal/home) with your global admin credentials, and complete the following steps to set up Microsoft 365 for business.
+Sign in to [Microsoft 365 admin center](https://admin.microsoft.com/adminportal/home) with your global admin credentials, and complete the following steps to set up Microsoft 365 for business.
1. [Prerequisites for protecting data on devices with Microsoft 365 for business](pre-requisites-for-data-protection.md)
business Move Files To Onedrive https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/move-files-to-onedrive.md
If you found this video helpful, check out the [complete training series for sma
If a user has a computer that includes many personal files, you should first move those files to OneDrive for Business:
-1. Go to portal.office.com and sign in with the user's Microsoft 365 for business credentials.
+1. Go to admin.microsoft.com and sign in with the user's Microsoft 365 for business credentials.
2. Click the app launcher ![The app launcher icon in Office 365](../media/7502f4ec-3c9a-435d-a7b4-b9cda85189a7.png) and go to OneDrive.
business Validate Settings On Android Or Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/validate-settings-on-android-or-ios.md
After you [set app configurations for Android devices](app-protection-settings-f
First, make sure that the policy applies to the app in which you're going to validate it.
-1. In the Microsoft 365 Business Premium [admin center](https://portal.office.com), go to **Policies** \> **Edit policy**.
+1. In the Microsoft 365 Business Premium [admin center](https://admin.microsoft.com), go to **Policies** \> **Edit policy**.
2. Choose **Application policy for Android** for the settings you created at setup, or another policy you created, and verify that it's enforced for Outlook, for example.
After you [set app configurations for iOS devices](app-protection-settings-for-a
First, make sure that the policy applies to the app in which you're going to validate it.
-1. In the Microsoft 365 Business Premium [admin center](https://portal.office.com), go to **Policies** \> **Edit policy**.
+1. In the Microsoft 365 Business Premium [admin center](https://admin.microsoft.com), go to **Policies** \> **Edit policy**.
2. Choose **Application policy for iOS** for the settings you created at setup, or another policy you created, and verify that it's enforced for Outlook for example.
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
The table also indicates the Office 365 Enterprise and Office 365 US Government
| Default alert policy | Description | Category | Enterprise subscription | |:--|:--|:--|:--| |**A potentially malicious URL click was detected**|Generates an alert when a user protected by [Safe Links](../security/office-365-security/safe-links.md) in your organization clicks a malicious link. This event is triggered when URL verdict changes are identified by Microsoft Defender for Office 365 or when users override the Safe Links pages (based on your organization's Microsoft 365 for business Safe Links policy). This alert policy has a **High** severity setting. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on events that trigger this alert, see [Set up Safe Links policies](../security/office-365-security/set-up-safe-links-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Admin Submission result completed**|Generates an alert when an [Admin Submission](../security/office-365-security/admin-submission.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. These alerts are meant to remind you to [review the results of previous submissions](https://protection.office.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact. This policy has a **Informational** severity setting.|Threat management|E1/F1, E3/F3, or E5|
+|**Admin Submission result completed**|Generates an alert when an [Admin Submission](../security/office-365-security/admin-submission.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. These alerts are meant to remind you to [review the results of previous submissions](https://compliance.microsoft.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact. This policy has a **Informational** severity setting.|Threat management|E1/F1, E3/F3, or E5|
|**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has an **Informational** severity setting.|Threat management| E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription| |**Creation of forwarding/redirect rule**|Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules that are created using Outlook on the web (formerly known as Outlook Web App) or Exchange Online PowerShell. This policy has a **Informational** severity setting. For more information about using inbox rules to forward and redirect email in Outlook on the web, see [Use rules in Outlook on the web to automatically forward messages to another account](https://support.office.com/article/1433e3a0-7fb0-4999-b536-50e05cb67fed).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5| |**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Security and compliance center. An alert is triggered when the following content search activities are performed: <br/><br/>* A content search is started<br/>* The results of a content search are exported<br/>* A content search report is exported<br/><br/>Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. This policy has a **Informational** severity setting. For more information about content search activities, see [Search for eDiscovery activities in the audit log](search-for-ediscovery-activities-in-the-audit-log.md#ediscovery-activities).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
compliance Archive Signal Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-signal-archiver-data.md
description: "Admins can set up a TeleMessage connector to import and archive Signal communications data in Microsoft 365. This lets you archive data from third-party data sources in Microsoft 365 so you can use compliance features such as legal hold, content search, and retention policies to manage your organization's third-party data."
-# Set up a connector to archive Signal communications data (preview)
+# Set up a connector to archive Signal communications data
Use the TeleMessage connector in the Microsoft 365 compliance center to import and archive Signal chats, attachments, files, and deleted messages and calls. After you set up and configure a connector, it connects to your organization's TeleMessage account, and imports the mobile communication of employees using the TeleMessage Signal Archiver to mailboxes in Microsoft 365.
compliance Archive Skypeforbusiness Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-skypeforbusiness-data.md
description: "Learn how to set up and use a connector in the Microsoft 365 compliance center to import and archive data from Skype for Business to Microsoft 365."
-# Set up a connector to archive Skype for Business data (preview)
+# Set up a connector to archive Skype for Business data
Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Skype for Business platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Skype for Business](https://www.veritas.com/en/au/insights/merge1/skype-for-business) connector that is configured to capture items from the third-party data source (on a regular basis) and import those items to Microsoft 365. The connector converts the content such as messages between users, persistent chats, and conference messages from Skype for Business to an email message format and then imports those items to the userΓÇÖs mailbox in Microsoft 365.
compliance Archive Telegram Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-telegram-archiver-data.md
description: "Admins can set up a TeleMessage connector to import and archive Telegram communications data in Microsoft 365. This lets you archive data from third-party data sources in Microsoft 365 so you can use compliance features such as legal hold, content search, and retention policies to manage your organization's third-party data."
-# Set up a connector to archive Telegram communications data (preview)
+# Set up a connector to archive Telegram communications data
Use the TeleMessage connector in the Microsoft 365 compliance center to import and archive Telegram chats, attachments, files, and deleted messages and calls. After you set up and configure a connector, it connects to your organization's TeleMessage account, and imports the mobile communication of employees using the Telegram Archiver to mailboxes in Microsoft 365.
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
Before you can archive third-party data in Microsoft 365, you have to work with
|[RingCentral](archive-ringcentral-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||| |[Salesforce Chatter](archive-salesforcechatter-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||| |[ServiceNow](archive-servicenow-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[Skype for Business](archive-skypeforbusiness-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
|[Slack eDiscovery](archive-slack-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Symphony](archive-symphony-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Text-delimited](archive-text-delimited-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
TeleMessage data connectors are also available in GCC environments in the Micros
|[Bell Network](archive-bell-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Enterprise Number](archive-enterprise-number-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[O2 Network](archive-o2-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Signal](archive-signal-archiver-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Telegram](archive-telegram-archiver-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[TELUS Network](archive-telus-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Verizon Network](archive-verizon-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[WeChat](archive-wechat-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
compliance Audit Log Search Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-search-script.md
When there are situations where you need to manually retrieve auditing data for
The value of `True` for the **UnifiedAuditLogIngestionEnabled** property indicates that audit log search is turned on. -- You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to run successfully the script. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. For more information, see the "Requirements to search the audit log" section in [Search the audit log in the compliance center](search-the-audit-log-in-security-and-compliance.md#requirements-to-search-the-audit-log).
+- You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to run successfully the script. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. For more information, see the "Requirements to search the audit log" section in [Search the audit log in the compliance center](search-the-audit-log-in-security-and-compliance.md#before-you-search-the-audit-log).
- It may take a long time for the script to complete. How long it takes to run depends on the date range and the size of the interval that you configure the script to retrieve audit records for. Larger date ranges and smaller intervals will result in a long running time. See the table in Step 2 for more information about the date range and intervals.
compliance Auditing Troubleshooting Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/auditing-troubleshooting-scenarios.md
You must be assigned the View-Only Audit Logs or Audit Logs role in Exchange Onl
This section describes the basics for creating and running audit log searches. Use these instructions as a starting point for each troubleshooting scenario in this article. For more detailed step-by-step instructions, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md#step-1-run-an-audit-log-search).
-1. Go to [https://protection.office.com/unifiedauditlog](https://protection.office.com/unifiedauditlog) and sign in using your work or school account.
+1. Go to <https://compliance.microsoft.com/auditlogsearch> and sign in using your work or school account.
- The **Audit log search** page is displayed.
+ The **Audit** page is displayed.
- ![Configure criteria and then select Search to run the search](../media/8639d09c-2843-44e4-8b4b-9f45974ff7f1.png)
+ ![Configure criteria and then select Search to run the search](../media/AuditLogSearchPage1.png)
4. You can configure the following search criteria. Each troubleshooting scenario in this article recommends specific guidance for configuring these fields.
- a. **Activities:** Select the drop-down list to display the activities that you can search for. After you run the search, only the audit records for the selected activities are displayed. Selecting **Show results for all activities** displays results for all activities that meet the other search criteria. You'll also have to leave this field blank in some of the troubleshooting scenarios.
-
- b. **Start date** and **End date:** Select a date and time range to display the events that occurred within that period. The last seven days are selected by default. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days.
+ a. **Start date** and **End date:** Select a date and time range to display the events that occurred within that period. The last seven days are selected by default. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days.
+ b. **Activities:** Select the drop-down list to display the activities that you can search for. After you run the search, only the audit records for the selected activities are displayed. Selecting **Show results for all activities** displays results for all activities that meet the other search criteria. You'll also have to leave this field blank in some of the troubleshooting scenarios.
+
c. **Users:** Click in this box and then select one or more users to display search results for. Audit records for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization. d. **File, folder, or site:** Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure the type the full URL path or if you only type a portion of the URL, don't include any special characters or spaces. Leave this box blank to return entries for all files and folders in your organization. This field is left blank in all the troubleshooting scenarios in this article.
compliance Bulk Edit Content Searches https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/bulk-edit-content-searches.md
For more information about using the Search Statistics tool, see [View keyword s
## Use the Bulk Search Editor to change queries
-1. Go to <https://protection.office.com>, and then select **Search** \> **Content search**.
+1. Go to <https://compliance.microsoft.com>, and then select **Content search**.
2. In the list of searches, select one or more searches, and then select **Bulk Search Editor** ![Bulk Search Editor button](../media/1ddb3d18-2f00-4a7b-98a6-817ca5ec7014.png).
compliance Create Activity Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-activity-alerts.md
You can create an activity alert that will send you an email notification when u
## Create an activity alert
-1. Go to [https://protection.office.com/managealerts](https://protection.office.com/managealerts).
+1. Go to <https://compliance.microsoft.com/managealerts>.
2. Sign in using your work or school account.
You can create an activity alert that will send you an email notification when u
You can turn off an activity alert so that an email notification isn't sent. After you turn off the activity alert, it's still displayed in the list of activity alerts for your organization, and you can still view its properties.
-1. Go to Go to [https://protection.office.com/managealerts](https://protection.office.com/managealerts).
+1. Go to <https://compliance.microsoft.com/managealerts>.
2. Sign in using your work or school account.
compliance Dlp Configure Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-endpoints.md
Title: Onboarding tools and methods for Windows 10 devices
+ Title: Onboarding methods and tools for Windows 10 devices
f1.keywords: NOCSH
compliance Ediscovery Diagnostic Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-diagnostic-info.md
Get-CaseHoldPolicy "<Case hold policy name>" | %{"--CaseHoldPolicy--";$_|FL;"--C
Sometimes, it's not apparent what information is required by Microsoft Support to investigate your issue. In this situation, you can collect all of the diagnostics information for a Core eDiscovery case. The *Core eDiscovery case name* in the following command is the same as the name of a case that's displayed on the **Core eDiscovery** page in the Microsoft 365 compliance center. ```powershell
-Get-ComplianceCase "<Core eDiscovery case name>"| %{"$($_.Name)";"`t==Searches==";Get-ComplianceSearch -Case $_.Name | FL;"`t==Search Actions==";Get-ComplianceSearchAction -Case $_.Name |FL;"`t==Holds==";Get-CaseHoldPolicy -Case $_.Name | %{$_|FL;"`t`t ==$($_.Name) Rules==";Get-CaseHoldRule -Policy $_.Name | FL}} > "eDiscoveryCase.txt"
+Get-ComplianceCase "<Core eDiscovery case name>"| %{$_|fl;"`t==Searches==";Get-ComplianceSearch -Case $_.Name | FL;"`t==Search Actions==";Get-ComplianceSearchAction -Case $_.Name |FL;"`t==Holds==";Get-CaseHoldPolicy -Case $_.Name | %{$_|FL;"`t`t ==$($_.Name) Rules==";Get-CaseHoldRule -Policy $_.Name | FL}} > "eDiscoveryCase.txt"
``` ## Collect diagnostic information for Advanced eDiscovery
The **Settings** tab in an Advanced eDiscovery case lets you quickly copy the di
6. Save the text file and name it something like `AeD Diagnostic Info YYYY.MM.DD` (for example, `AeD Diagnostic Info 2020.11.03`).
-After reviewing the file and redacting sensitive information, send it to the Microsoft Support engineer working on your case.
+After reviewing the file and redacting sensitive information, send it to the Microsoft Support engineer working on your case.
compliance Ediscovery Troubleshooting Common Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-troubleshooting-common-issues.md
When running an eDiscovery search that includes SharePoint Online and One Drive
## Error/issue: This file wasn't exported because it doesn't exist anymore. The file was included in the count of estimated search results because it's still listed in the index. The file will eventually be removed from the index, and won't cause an error in the future.
-You may see that error when running an eDiscovery search that includes SharePoint Online and One Drive For Business locations. eDiscovery relies on teh SPO index to identify the file locations. If the file was deleted but the SPO index was not yet updated this error may occur.
+You may see that error when running an eDiscovery search that includes SharePoint Online and One Drive For Business locations. eDiscovery relies on the SPO index to identify the file locations. If the file was deleted but the SPO index was not yet updated this error may occur.
### Resolution Open the SPO location and verify that this file indeed is not there. Suggested solution is to manually reindex the site, or wait till the site reindexes by the automatic background process.
-## Error/issue: This search result was not downloaded as it is a folder or other artefact that can't be downloaded by itself, any items inside the folder or library will be downloaded.
+## Error/issue: This search result was not downloaded as it is a folder or other artifact that can't be downloaded by itself, any items inside the folder or library will be downloaded.
You may see that error when running an eDiscovery search that includes SharePoint Online and One Drive For Business locations. It means that we were going to try and export the item reported in the index, but it turned out to be a folder so we did not export it. As mentioned in the error, we don't export folder items but we do export their contents.
An eDiscovery search fails with error the `recipient not found`. This error may
## Error/issue: Exporting search results is slow
-When exporting search results from eDiscovery or Content Search in the Security and Compliance center, the download takes longer than expected. You can check to see the amount of data to be download and possibly increase the export speed.
+When exporting search results from Core eDiscovery or Content search in the Microsoft 365 compliance center, the download takes longer than expected. You can check to see the amount of data to be download and possibly increase the export speed.
### Resolution
When exporting search results from eDiscovery or Content Search in the Security
6. If you still have issues, consider dividing searches that return a large set of results into smaller searches. For example, you can use date ranges in search queries to return a smaller set of results that can be downloaded faster.
+## Error/issue: Export process not progressing or is stuck
+
+When exporting search results from Core eDiscovery or Content search in the Microsoft 365 compliance center, the export process is not progressing or appears to be stuck.
+
+### Resolution
+
+1. If necessary, rerun the search. If the search was last ran more than 7 days ago, you have to rerun the search.
+
+2. Restart the export.
+ ## Error/issue: "Internal server error (500) occurred" When running an eDiscovery search, if the search continually fails with error similar to "Internal server error (500) occurred", you may need rerun the search only on specific mailbox locations.
After a successful export, the completed download via the export tool shows zero
### Resolution
-This is a client-side issue and in order to remediate it, please attempt the following steps:
+This is a client-side issue. To remediate it, follow these steps:
1. Try using another client/machine to download.
This is a client-side issue and in order to remediate it, please attempt the fol
5. Make sure that no other export is downloading to the same folder or any parent folder.
-6. If the previous steps did not work, disable zipping and de-duplication.
+6. If the previous steps don't work, disable zipping and de-duplication.
7. If this works then the issue is due to a local virus scanner or a disk issue.
compliance Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery.md
- m365-security-compliance-- m365solution-aed
+- m365solution-ediscovery
- m365initiative-compliance - m365solution-overview localization_priority: Normal
compliance Enable Archive Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-archive-mailboxes.md
You have to be assigned the Mail Recipients role in Exchange Online to enable or
## Enable an archive mailbox
-1. Go to <https://protection.office.com>.
+1. Go to <https://compliance.microsoft.com> and sign in.
-2. Sign in using your work or school account.
-
-3. In the left pane of the Security & Compliance Center, click **Information governance** \> **Archive**.
+2. In the left pane of the Microsoft 365 compliance center, click **Information governance**, and then click the **Archive** tab.
The **Archive** page is displayed. The **Archive mailbox** column indicates whether an archive mailbox is enabled or disabled for each user.
The default archive policy assigned to users' mailboxes moves items to the archi
To disable an archive mailbox:
-1. Go to <https://protection.office.com>.
-
-2. Sign in using your work or school account.
+1. Go to <https://compliance.microsoft.com> and sign in.
-3. In the left pane of the Security & Compliance Center, click **Information governance** \> **Archive**.
+2. In the left pane of the Microsoft 365 compliance center, click **Information governance**, and then click the **Archive** tab.
The **Archive** page is displayed. The **Archive mailbox** column indicates whether an archive mailbox is enabled or disabled for each user. > [!NOTE] > The **Archive** page shows a maximum of 500 users.
-4. In the list of mailboxes, select the user that you want to disable the archive mailbox for.
+3. In the list of mailboxes, select the user that you want to disable the archive mailbox for.
-5. In the details pane, click **Disable**.
+4. In the details pane, click **Disable**.
A warning message is displayed saying that you'll have 30 days to re-enable the archive mailbox, and that after 30 days, all information in the archive will be permanently deleted.
-6. Click **Yes** to disable the archive mailbox.
+5. Click **Yes** to disable the archive mailbox.
It might take a few moments to disable the archive mailbox. When it's disabled, **Archive mailbox: disabled** is displayed in the details pane for the selected user. You might have to click **Refresh** ![Refresh icon](../mediM-Policy-RefreshIcon.gif) to update the information in the details pane.
compliance Get Started Core Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-core-ediscovery.md
To access Core eDiscovery or be added as a member of a Core eDiscovery case, a u
Complete the following steps to add users to the eDiscovery Manager role group:
-1. Go to [https://protection.office.com/permissions](https://protection.office.com/permissions) and sign in using the credentials for an admin account in your Microsoft 365 or Office 365 organization.
+1. Go to <https://compliance.microsoft.com/permissions> and sign in using the credentials for an admin account in your Microsoft 365 or Office 365 organization.
2. On the **Permissions** page, select the **eDiscovery Manager** role group.
compliance Get Started With Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-advanced-ediscovery.md
To access Advanced eDiscovery or added as a member of an Advanced eDiscovery cas
Complete the following steps to add users to the eDiscovery Manager role group:
-1. Go to <https://protection.office.com/permissions> and sign in using the credentials for an admin account in your Microsoft 365 organization.
+1. Go to <https://compliance.microsoft.com/permissions> and sign in using the credentials for an admin account in your Microsoft 365 organization.
2. On the **Permissions** page, select the **eDiscovery Manager** role group.
compliance Legacy Ediscovery Retirement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/legacy-ediscovery-retirement.md
Advanced eDiscovery v1.0, which is the version of Advanced eDiscovery available
To determine if your organization is using Advanced eDiscovery v1.0:
-1. Go to the [Office 365 Security & Compliance Center](https://protection.office.com).
+1. Go to the [Microsoft 365 compliance center](https://compliance.microsoft.com).
-2. In the left navigation pane of the Security & Compliance Center, click **eDiscovery > eDiscovery**, and open a Core eDiscovery case.
+2. In the left navigation pane of the compliance center, click **eDiscovery > Core**, and open a Core eDiscovery case.
3. If you see the **Switch to Advanced eDiscovery** button, then clicking it will take you to the 1.0 version of Advanced eDiscovery, which is being retired. The ability to create and manage cases in Core eDiscovery won't be affected. Only the ability to add and analyze case data in Advanced eDiscovery v1.0 (by clicking **Switch to Advanced eDiscovery**) is being retired.
compliance Microsoft 365 Compliance Center Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center-redirection.md
Automatic redirection is enabled by default for all users accessing the followin
Users are automatically routed to the same compliance solutions in the Microsoft 365 compliance center (compliance.microsoft.com). > [!NOTE]
-> For other compliance solutions included in the Office 365 Security and Compliance Center, users will continue to manage these solutions in either the Microsoft 365 compliance center or the Office 365 Security and Compliance Center. The automatic redirection for these compliance solutions will be available soon.*
+> For other compliance solutions included in the Office 365 Security and Compliance Center, users will continue to manage these solutions in either the Microsoft 365 compliance center or the Office 365 Security and Compliance Center. The automatic redirection for these compliance solutions will be available soon.
This feature and associated controls does not enable the automatic redirection of Security features for Microsoft Defender for Office 365. To enable the redirection for security features, see [Redirecting accounts from Microsoft Defender for Office 365 to the Microsoft 365 security center](/microsoft-365/security/defender/microsoft-365-security-mdo-redirection) for details.
This feature and associated controls does not enable the automatic redirection o
If something isn't working for you or if there's anything you're unable to complete through the Microsoft 365 compliance center portal, you can temporarily disable the automatic redirection for all users. > [!IMPORTANT]
-> The Microsoft 365 compliance center is the replacement management portal for compliance solutions currently managed in the Office 365 Security and Compliance center. All Microsoft 365 compliance solutions will be managed solely in the Microsoft 365 compliance center. Disabling redirection to the Microsoft 365 compliance center should be a short-term solution.*
+> The Microsoft 365 compliance center is the replacement management portal for compliance solutions currently managed in the Office 365 Security and Compliance center. All Microsoft 365 compliance solutions will be managed solely in the Microsoft 365 compliance center. Disabling redirection to the Microsoft 365 compliance center should be a short-term solution.
To switch back to the Office 365 Security and Compliance center (protection.microsoft.com) for all users, complete the following steps:
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
Title: "Search the audit log in the Security & Compliance Center"
+ Title: "Search the audit log in the Microsoft 365 compliance center"
f1.keywords: - NOCSH
Need to find if a user viewed a specific document or purged an item from their m
- User and admin activity for sensitivity labels for sites that use SharePoint Online or Microsoft Teams - Admin activity in Briefing email and MyAnalytics
-## Requirements to search the audit log
+## Before you search the audit log
Be sure to read the following items before you start searching the audit log. -- Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organizations. This includes organizations with E3/G3 or E5/G5 subscriptions. To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell:
+- Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell:
```powershell Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
Be sure to read the following items before you start searching the audit log.
The value of `True` for the *UnifiedAuditLogIngestionEnabled* property indicates that audit log search is turned on. For more information, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md). -- You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. Note global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online. To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see [Manage role groups in Exchange Online](/Exchange/permissions-exo/role-groups).
+- You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. Global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online. To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see [Manage role groups in Exchange Online](/Exchange/permissions-exo/role-groups).
> [!IMPORTANT]
- > If you assign a user the View-Only Audit Logs or Audit Logs role on the **Permissions** page in the Security & Compliance Center, they won't be able to search the audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.
+ > If you assign a user the View-Only Audit Logs or Audit Logs role on the **Permissions** page in the Microsoft 365 compliance center, they won't be able to search the audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.
- When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for your organization. The length of time that an audit record is retained (and searchable in the audit log) depends on your Office 365 or Microsoft 365 Enterprise subscription, and specifically the type of the license that is assigned to specific users.
Be sure to read the following items before you start searching the audit log.
- For users assigned any other (non-E5) Office 365 or Microsoft 365 license, audit records are retained for 90 days. For a list of Office 365 and Microsoft 365 subscriptions that support unified audit logging, see [the security and compliance center service description](/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center). > [!NOTE]
- > Even when mailbox auditing on by default is turned on, you might notice that mailbox audit events for some users aren't found in audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API. For more information, see [More information about mailbox audit logging](enable-mailbox-auditing.md#more-information).
+ > Even when mailbox auditing on by default is turned on, you might notice that mailbox audit events for some users aren't found in audit log searches in the Microsoft 365 compliance center or via the Office 365 Management Activity API. For more information, see [More information about mailbox audit logging](enable-mailbox-auditing.md#more-information).
- If you want to turn off audit log search for your organization, you can run the following command in remote PowerShell connected to your Exchange Online organization:
Be sure to read the following items before you start searching the audit log.
For more information, see [Turn off audit log search](turn-audit-log-search-on-or-off.md). -- As previously stated, the underlying cmdlet used to search the audit log is an Exchange Online cmdlet, which is **Search-UnifiedAuditLog**. That means you can use this cmdlet to search the audit log instead of using the **Audit log search** page in the Security & Compliance Center. You have to run this cmdlet in remote PowerShell connected to your Exchange Online organization. For more information, see [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog).
+- As previously stated, the underlying cmdlet used to search the audit log is an Exchange Online cmdlet, which is **Search-UnifiedAuditLog**. That means you can use this cmdlet to search the audit log instead of using the **Audit log search** page in the Microsoft 365 compliance center. You have to run this cmdlet in remote PowerShell connected to your Exchange Online organization. For more information, see [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog).
For information about exporting the search results returned by the **Search-UnifiedAuditLog** cmdlet to a CSV file, see the "Tips for exporting and viewing the audit log" section in [Export, configure, and view audit log records](export-view-audit-log-records.md#tips-for-exporting-and-viewing-the-audit-log).
Be sure to read the following items before you start searching the audit log.
|Microsoft Teams|![Check mark](../media/checkmark.png)|| |Power Apps||![Check mark](../media/checkmark.png)| |Power BI|![Check mark](../media/checkmark.png)||
- |Security & Compliance Center|![Check mark](../media/checkmark.png)||
+ |Microsoft 365 compliance center|![Check mark](../media/checkmark.png)||
|Sensitivity labels||![Check mark](../media/checkmark.png)| |SharePoint Online and OneDrive for Business|![Check mark](../media/checkmark.png)|| |Workplace Analytics|![Check mark](../media/checkmark.png)||
Be sure to read the following items before you start searching the audit log.
## Search the audit log
-Here's the process for searching the audit log in Office 365.
+Here's the process for searching the audit log in Microsoft 365.
[Step 1: Run an audit log search](#step-1-run-an-audit-log-search)
Here's the process for searching the audit log in Office 365.
### Step 1: Run an audit log search
-1. Go to [https://protection.office.com](https://protection.office.com).
+1. Go to <https://compliance.microsoft.com> and sign in.
> [!TIP]
- > Use a private browsing session (not a regular session) to access the Security & Compliance Center because this will prevent the credential that you are currently logged on with from being used. To open an InPrivate Browsing session in Internet Explorer or Microsoft Edge, just press CTRL+SHIFT+P. To open a private browsing session in Google Chrome (called an incognito window), press CTRL+SHIFT+N.
+ > Use a private browsing session (not a regular session) to access the Microsoft 365 compliance center because this will prevent the credential that you are currently logged on with from being used. To open an InPrivate Browsing session in Internet Explorer or Microsoft Edge, just press CTRL+SHIFT+P. To open a private browsing session in Google Chrome (called an incognito window), press CTRL+SHIFT+N.
-2. Sign in using your work or school account.
+2. In the left pane of the Microsoft 365 compliance center, click **Audit**.
-3. In the left pane of the Security & Compliance Center, click **Search**, and then click **Audit log search**.
+ The **Audit** page is displayed.
- The **Audit log search** page is displayed.
-
- ![Configure criteria and then click Search to run report](../media/8639d09c-2843-44e4-8b4b-9f45974ff7f1.png)
+ ![Configure criteria and then click Search to run report](../media/AuditLogSearchPage1.png)
> [!NOTE]
- > You have to first turn on audit logging before you can run an audit log search. If the **Start recording user and admin activity** link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization.
-
-4. Configure the following search criteria:
-
- 1. **Activities**: Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can click the activity group name to select all activities in the group. You can also click a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting **Show results for all activities** displays results for all activities performed by the selected user or group of users.
+ > If the **Start recording user and admin activity** link is displayed, click it to turn on auditing. If you don't see this link, auditing is turned on for your organization.
- Over 100 user and admin activities are logged in the audit log. Click the **Audited activities** tab at the topic of this article to see the descriptions of every activity in each of the different services.
+3. On the **Search** tab, configure the following search criteria:
1. **Start date** and **End date**: The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. The date and time are presented in local time. The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.
- > [!TIP]
- > If you're using the maximum date range of 90 days, select the current time for the **Start date**. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
+ > [!TIP]
+ > If you're using the maximum date range of 90 days, select the current time for the **Start date**. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
- 1. **Users**: Click in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
+ 2. **Activities**: Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can click the activity group name to select all activities in the group. You can also click a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting **Show results for all activities** displays results for all activities performed by the selected user or group of users.<br/><br/>Over 100 user and admin activities are logged in the audit log. Click the **Audited activities** tab at the topic of this article to see the descriptions of every activity in each of the different services.
- 1. **File, folder, or site**: Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure the type the full URL path or if you type a portion of the URL, don't include any special characters or spaces.
+ 3. **Users**: Click in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
- Leave this box blank to return entries for all files and folders in your organization.
+ 4. **File, folder, or site**: Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure the type the full URL path or if you type a portion of the URL, don't include any special characters or spaces.<br/><br/>Leave this box blank to return entries for all files and folders in your organization.
- > [!TIP]
- >
- > - If you're looking for all activities related to a **site**, add the wildcard symbol (\*) after the URL to return all entries for that site; for example, `"https://contoso-my.sharepoint.com/personal*"`.
- >
- > - If you're looking for all activities related to a **file**, add the wildcard symbol (\*) before the file name to return all entries for that file; for example, `"*Customer_Profitability_Sample.csv"`.
+ > [!TIP]
+ >
+ > - If you're looking for all activities related to a **site**, add the wildcard symbol (\*) after the URL to return all entries for that site; for example, `"https://contoso-my.sharepoint.com/personal*"`.
+ >
+ > - If you're looking for all activities related to a **file**, add the wildcard symbol (\*) before the file name to return all entries for that file; for example, `"*Customer_Profitability_Sample.csv"`.
-5. Click **Search** to run the search using your search criteria.
+4. Click **Search** to run the search using your search criteria.
- The search results are loaded, and after a few moments they are displayed under **Results**. When the search is finished, the number of results found is displayed. A maximum of 5,000 events will be displayed in the **Results** pane in increments of 150 events. If more than 5,000 events meet the search criteria, the most recent 5,000 events are displayed.
+ The search results are loaded, and after a few moments they are displayed on a new page. When the search is finished, the number of results found is displayed. A maximum of 5,000 events will be displayed in increments of 150 events. If more than 5,000 events meet the search criteria, the most recent 5,000 events are displayed.
![The number of results are displayed after the search is finished](../media/986216f1-ca2f-4747-9480-e232b5bf094c.png)
The following table lists the user and admin activities in Yammer that are logge
### Microsoft Power Automate activities
-You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog [Microsoft Flow audit events now available in Security & Compliance Center](https://flow.microsoft.com/blog/security-and-compliance-center).
+You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog [Microsoft Flow audit events now available in Microsoft 365 compliance center](https://flow.microsoft.com/blog/security-and-compliance-center).
### Microsoft Power Apps activities
See the [Audited activities](#audited-activities) section in this article for a
**How long does it take for an auditing record to be available after an event has occurred?**
-Most auditing data is available within 30 minutes but it may take up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. See the table in the [Requirements to search the audit log](#requirements-to-search-the-audit-log) section of this article that shows the time it takes for events in the different services to be available.
+Most auditing data is available within 30 minutes but it may take up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. See the table in the [Before you search the audit log](#before-you-search-the-audit-log) section of this article that shows the time it takes for events in the different services to be available.
**How long are the audit records retained for?**
No. These are the only two ways to get data from the auditing service.
**Do I need to individually enable auditing in each service that I want to capture audit logs for?**
-In most services, auditing is enabled by default after you initially turn on auditing for your organization (as described in the [Requirements to search the audit log](#requirements-to-search-the-audit-log) section in this article).
+In most services, auditing is enabled by default after you initially turn on auditing for your organization (as described in the [Before you search the audit log](#before-you-search-the-audit-log) section in this article).
**Does the auditing service support de-duplication of records?**
compliance Set Up Advanced Audit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-advanced-audit.md
If your organization has a subscription and end user licensing that supports Adv
![Workflow to set up Advanced Audit](../media/AdvancedAuditWorkflow.png)
-## Step1: Set up Advanced Audit for users
+## Step 1: Set up Advanced Audit for users
Advanced Audit features such as the ability to log crucial events such as MailItemsAccessed and Send require an appropriate E5 license assigned to users. Additionally, the Advanced Auditing app/service plan must be enabled for those users. To verify that the Advanced Auditing app is assigned to users, perform the following steps for each user:
compliance Set Up An Archive And Deletion Policy For Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes.md
The first step is to enable the archive mailbox for each user in your organizati
> [!NOTE] > You can enable archive mailboxes any time during this process, just as long as they're enabled at some point before you complete the process. If an archive mailbox isn't enabled, no action is taken on any items that have an archive or deletion policy assigned to it.
-1. Go to [https://protection.office.com](https://protection.office.com).
+1. Go to <https://compliance.microsoft.com>.
2. Sign in using your global administrator account.
-3. In the Security & Compliance Center, go to **Information governance** \> **Archive**.
+3. In the Microsoft 365 compliance center, click **Information governance**, and then click the **Archive** tab.
A list of the mailboxes in your organization is displayed and whether the corresponding archive mailbox is enabled or disabled.
compliance Sit Edm Notifications Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-edm-notifications-activities.md
# Create notifications for exact data match activities
-When you [create custom sensitive information types with exact data match (EDM)](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) there are a number of activities that are created in the [audit log](search-the-audit-log-in-security-and-compliance.md#requirements-to-search-the-audit-log). You can use the [New-ProtectionAlert](/powershell/module/exchange/new-protectionalert) PowerShell cmdlet to create notifications that let you know when these activities occur:
+When you [create custom sensitive information types with exact data match (EDM)](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) there are a number of activities that are created in the [audit log](search-the-audit-log-in-security-and-compliance.md#before-you-search-the-audit-log). You can use the [New-ProtectionAlert](/powershell/module/exchange/new-protectionalert) PowerShell cmdlet to create notifications that let you know when these activities occur:
- CreateSchema - EditSchema
The account you use must be one of the following:
To learn more about DLP permissions, see [Permissions](data-loss-prevention-policies.md#permissions).
-EDM-based classification is included in these subscriptions
+EDM-based classification is included in these subscriptions:
- Office 365 E5 - Microsoft 365 E5 - Microsoft 365 E5 Compliance - Microsoft E5/A5 Information Protection and Governance
-To learn more about DLP licensing, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection)
+To learn more about DLP licensing, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection).
## Configure notifications for EDM activities
-1. Connect to the [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell)
+1. Connect to the [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
-2. Run the `New-ProtectionAlert` cmdlet using the activity that you want to create the notification for. For example, if you want to be notified when the **UploadDataCompleted** action occured, run
+2. Run the `New-ProtectionAlert` cmdlet using the activity that you want to create the notification for. For example, if you want to be notified when the **UploadDataCompleted** action occurred, run:
-```powershell
-New-ProtectionAlert -Name "EdmUploadCompleteAlertPolicy" -Category Others -NotifyUser <***address to send notification to***> -ThreatType Activity -Operation UploadDataCompleted -Description "Custom alert policy to track when EDM upload Completed" -AggregationType None
-```
-
-for the **UploadDataFailed** you can run
-
-```powershell
-New-ProtectionAlert -Name "EdmUploadFailAlertPolicy" -Category Others -NotifyUser <***SMTP address to send notification to***> -ThreatType Activity -Operation UploadDataFailed -Description "Custom alert policy to track when EDM upload Failed" -AggregationType None -Severity High
-```
+ ```powershell
+ New-ProtectionAlert -Name "EdmUploadCompleteAlertPolicy" -Category Others -NotifyUser <address to send notification to> -ThreatType Activity -Operation UploadDataCompleted -Description "Custom alert policy to track when EDM upload Completed" -AggregationType None
+ ```
+
+ for the **UploadDataFailed** you can run:
+
+ ```powershell
+ New-ProtectionAlert -Name "EdmUploadFailAlertPolicy" -Category Others -NotifyUser <SMTP address to send notification to> -ThreatType Activity -Operation UploadDataFailed -Description "Custom alert policy to track when EDM upload Failed" -AggregationType None -Severity High
+ ```
## Related articles
compliance Turn Audit Log Search On Or Off https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/turn-audit-log-search-on-or-off.md
description: How to turn on or off the Audit log search feature in the Microsoft
# Turn auditing on or off
-Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. This includes organizations with E3/G3 or E5/G5 subscriptions. When auditing in the compliance center is turned on, user and admin activity from your organization is recorded in the audit log and retained for 90 days, and up to one year depending on the license assigned to users. However, your organization may have reasons for not wanting to record and retain audit log data. In those cases, a global admin may decide to turn off auditing in Microsoft 365.
+Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. When auditing in the Microsoft 365 compliance center is turned on, user and admin activity from your organization is recorded in the audit log and retained for 90 days, and up to one year depending on the license assigned to users. However, your organization may have reasons for not wanting to record and retain audit log data. In those cases, a global admin may decide to turn off auditing in Microsoft 365.
+
+When setting up a new Microsoft 365 or Office 365 organization, you can verify the auditing status for your organization. For instructions, see the [Verify the auditing status for your organization](#verify-the-auditing-status-for-your-organization) section in this article.
> [!IMPORTANT]
-> If you turn off auditing in Microsoft 365, you can't use the Office 365 Management Activity API or Azure Sentinel to access auditing data for your organization. Turning off auditing by following the steps in this article means that no results will be returned when you search the audit log using the Security & Compliance Center or when you run the **Search-UnifiedAuditLog** cmdlet in Exchange Online PowerShell. This also means that audit logs won't be available through the Office 365 Management Activity API or Azure Sentinel.
+> If you turn off auditing in Microsoft 365, you can't use the Office 365 Management Activity API or Azure Sentinel to access auditing data for your organization. Turning off auditing by following the steps in this article means that no results will be returned when you search the audit log using the Microsoft 365 compliance center or when you run the **Search-UnifiedAuditLog** cmdlet in Exchange Online PowerShell. This also means that audit logs won't be available through the Office 365 Management Activity API or Azure Sentinel.
## Before you turn auditing on or off -- You have to be assigned the Audit Logs role in Exchange Online to turn auditing on or off in your Microsoft 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online.
+- You have to be assigned the Audit Logs role in Exchange Online to turn auditing on or off in your Microsoft 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online.
> [!NOTE]
- > Users have to be assigned permissions in Exchange Online to turn auditing on or off. If you assign users the Audit Logs role on the **Permissions** page in the Security & Compliance Center, they won't be able to turn auditing on or off. This is because the underlying cmdlet is an Exchange Online PowerShell cmdlet.
+ > Users have to be assigned permissions in Exchange Online to turn auditing on or off. If you assign users the Audit Logs role on the **Permissions** page in the Microsoft 365 compliance center, they won't be able to turn auditing on or off. This is because the underlying cmdlet is an Exchange Online PowerShell cmdlet.
-- For step-by-step instructions on searching the audit log, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md). For more information about the Microsoft 365 Management Activity API, see [Get started with Microsoft 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis).
+- For step-by-step instructions on searching the audit log, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md). For more information about the Microsoft 365 Management Activity API, see [Get started with Microsoft 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis).
-- To verify that auditing is turned on, you can run the following command in Exchange Online PowerShell:
+## Verify the auditing status for your organization
- ```powershell
- Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
- ```
+To verify that auditing is turned on for your organization, you can run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
+
+```powershell
+Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
+```
- The value of `True` for the _UnifiedAuditLogIngestionEnabled_ property indicates that auditing is turned on.
+A value of `True` for the _UnifiedAuditLogIngestionEnabled_ property indicates that auditing is turned on. A value of `False` indicates that auditing is not turned on.
## Turn on auditing
-If auditing is not turned on for your organization, you can turn it on in the compliance center or by using Exchange Online PowerShell. It may take several hours after you turn on auditing before you can return results when you search the audit log.
+If auditing is not turned on for your organization, you can turn it on in the Microsoft 365 compliance center or by using Exchange Online PowerShell. It may take several hours after you turn on auditing before you can return results when you search the audit log.
### Use the compliance center to turn on auditing 1. Go to <https://compliance.microsoft.com> and sign in.
-2. In the left navigation pane of the Microsoft 365 compliance center, click **Show all**, and then click **Audit**.
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Audit**.
If auditing is not turned on for your organization, a banner is displayed prompting you start recording user and admin activity.
If auditing is not turned on for your organization, you can turn it on in the co
### Use PowerShell to turn on auditing
-1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
-2. Run the following PowerShell command to turn on auditing in Office 365.
+2. Run the following PowerShell command to turn on auditing.
```powershell Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
If auditing is not turned on for your organization, you can turn it on in the co
You have to use Exchange Online PowerShell to turn off auditing.
-1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the following PowerShell command to turn off auditing.
compliance Use Sharing Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-sharing-auditing.md
A common requirement for administrators is creating a list of all resources that
The first step is to search the audit log for sharing events. For more information (including the required permissions) about searching the audit log, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md).
-1. Go to [https://protection.office.com](https://protection.office.com).
-
+1. Go to <https://compliance.microsoft.com>.
+ 2. Sign in using your work or school account.
-
-3. In the left pane of the Security & Compliance Center, click **Search** > **Audit log search**.
-
- The **Audit log search** page is displayed.
-
+
+3. In the left pane of the Microsoft 365 compliance center, click **Audit**.
+
+ The **Audit** page is displayed.
+ 4. Under **Activities**, click **Sharing and access request activities** to search for sharing-related events.
-
+ ![Under Activities, select Sharing and access request activities](../media/46bb25b7-1eb2-4adf-903a-cc9ab58639f9.png)
-5. Select a date and time range to find the sharing events that occurred within that period.
-
+5. Select a date and time range to find the sharing events that occurred within that period.
+ 6. Click **Search** to run the search.
-
+ 7. When the search is finished running and the results are displayed, click **Export results** \> **Download all results**.
-
+ After you select the export option, a message at the bottom of the window prompts you to open or save the CSV file.
-
+ 8. Click **Save** \> **Save as** and save the CSV file to a folder on your local computer. ### Step 2: Use the PowerQuery Editor to format the exported audit log
enterprise Ms Cloud Germany Transition Add Adfs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-adfs.md
description: "Summary: Active Directory Federation Services (AD FS) migration st
# AD FS migration steps for the migration from Microsoft Cloud Deutschland This configuration change needs to be applied any time before phase 2 is starting.
-Once phase 2 is completed the configuration change will work and you are able to sign in via Office 365 Global endpoints such as `https://portal.office.com`. If you are implementing the configuration change before phase 2, the Office 365 Global endpoints will _not yet work_ but the new relying party trust is still part of your Active Directory Federation Services (AD FS) configuration.
+Once phase 2 is completed the configuration change will work and you are able to sign in via Office 365 Global endpoints such as `https://admin.microsoft.com`. If you are implementing the configuration change before phase 2, the Office 365 Global endpoints will _not yet work_ but the new relying party trust is still part of your Active Directory Federation Services (AD FS) configuration.
Customers who use federated authentication with Active Directory Federation Services (AD FS) shouldn't make changes to issuer URIs that are used for all authentications with on-premises Active Directory Domain Services (AD DS) during migration. Changing issuer URIs will lead to authentication failures for users in the domain. Issuer URIs can be changed directly in AD FS or when a domain is converted from _managed_ to _federated_ and vice-versa. We recommend that you do not add, remove, or convert a federated domain in the Azure AD tenant that has been migrated. Issuer URIs can be changed after the migration is fully complete.
enterprise Password Reset M365 Ent Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/password-reset-m365-ent-test-environment.md
Next, test password reset for the User 3 account.
1. Enter the User 3 account name, enter the characters from the CAPTCHA, and then select **Next**. 1. For **verification step 1**, select **Email my alternate email**, and then select **Email**. When you receive the email, enter the verification code, and then select **Next**. 1. In **Get back into your account**, enter a new password for the User 3 account, and then select **Finish**. Note the changed password of the User 3 account and store it in a safe location.
-1. In a separate tab of the same browser, go to [https://portal.office.com](https://portal.office.com), and then sign in with the User 3 account name and its new password. You should see the **Microsoft Office Home** page.
+1. In a separate tab of the same browser, go to [https://admin.microsoft.com](https://admin.microsoft.com), and then sign in with the User 3 account name and its new password. You should see the **Microsoft Office Home** page.
## Next step
enterprise Performance Tuning Using Baselines And History https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/performance-tuning-using-baselines-and-history.md
Title: "Office 365 performance tuning using baselines and performance history"
Previously updated : 8/31/2017 Last updated : 07/08/2021 audience: Admin
description: Learn how to check the history of your client computer connections
There are some simple ways to check the connection performance between Office 365 and your business that will let you establish a rough baseline of your connectivity. Knowing the performance history of your client computer connections can help you detect emerging issues early, identify, and predict problems.
-If you're not used to working on performance issues, this article is designed to help you consider some common questions, like How do you know the problem you're seeing is a performance issue and not an Office 365 service incident? How can you plan for good performance, long term? How can you keep an eye on performance? If your team or clients are seeing slow performance while using Office 365, and you wonder about any of these questions, read on.
+If you're not used to working on performance issues, this article is designed to help you consider some common questions. How do you know the problem you're seeing is a performance issue and not an Office 365 service incident? How can you plan for good performance, long term? How can you keep an eye on performance? If your team or clients are seeing slow performance while using Office 365, and you wonder about any of these questions, read on.
> [!IMPORTANT] > **Have a performance issue between your client and Office 365 right now?** Follow the steps outlined in the [Performance troubleshooting plan for Office 365](performance-troubleshooting-plan.md). ## Something you should know about Office 365 performance
-Office 365 lives inside a high-capacity, dedicated Microsoft network that is steadily monitored not just by automation, but by real people. Part of the role of maintaining the Office 365 cloud is building-in performance tuning and streamlining where it's possible. Since clients of the Office 365 cloud have to connect across the Internet, there is a continuous effort to fine-tune the performance across Office 365 services too. Performance improvements never really stop in the cloud, and there is a lot of accumulated experience with keeping the cloud healthy and quick. Should you experience a performance issue connecting from your location to Office 365, it's best not to start with, and wait on, a Support case. Instead, you should begin investigating the problem from 'the inside out'. That is, start inside of your network, and work your way out to Office 365. Before you open a case with Office 365 Support, you can gather data and take actions that will explore, and may resolve, your problem.
+Office 365 lives inside a high-capacity, dedicated Microsoft network that is monitored by automation and real people. Part of maintaining the Office 365 cloud is performance tuning and streamlining where possible. Since clients of the Office 365 cloud have to connect across the Internet, there's ongoing effort to fine-tune the performance across Office 365 services too.
+
+Performance improvements never really stop in the cloud, so neither does experience with keeping the cloud healthy and quick. Should you have a performance issue connecting from your location to Office 365, it's best not to start with or wait on a Support case. Instead, you should begin investigating the problem from 'the inside out'. That is, start inside of your network, and work your way out to Office 365. Before you open a case with Support, you can gather data and take actions that will explore, and may resolve, the problem.
> [!IMPORTANT]
-> Be aware of capacity planning and limits in Office 365. That information will put you ahead of the curve when trying to resolve a performance issue. Here's a link to the [Microsoft 365 and Office 365 service descriptions](/office365/servicedescriptions/office-365-service-descriptions-technet-library). This is a central hub, and all the services offered by Office 365 have a link that goes to their own Service Descriptions from here. That means, should you need to see the standard limits for SharePoint Online, for example, you would click [SharePoint Online Service Description](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-service-description) and locate its [SharePoint Online Limits section](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits).
+> Be aware of capacity planning and limits in Office 365. That information will put you ahead of the curve when trying to resolve a performance issue. Here's a link to the [Microsoft 365 and Office 365 service descriptions](/office365/servicedescriptions/office-365-service-descriptions-technet-library). This is a central hub, and all the services offered by Office 365 have a link that goes to their own Service Descriptions from here. That means, should you need to see the standard limits for SharePoint Online, for example, you would click [SharePoint Online Service Description](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-service-description) and locate its [SharePoint Online Limits section](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits).
-Make sure you go into your troubleshooting with the understanding that performance is a sliding scale, it's not about achieving an idealized value and maintaining it permanently (if you believe this is so, then occasional high-bandwidth tasks like on-boarding a large number of users, or doing large data migrations will be very stressful -- so do plan for performance impacts then). You can, and should, have a rough idea of your performance targets, but a lot of variables play into performance, therefore, performance varies. That's the nature of performance.
+Make sure you go into your troubleshooting with the understanding that performance is a sliding scale. It's not about achieving an idealized value and maintaining it permanently. Occasional high-bandwidth tasks like on-boarding a large number of users, or doing large data migrations will be stressful, so *plan* for performance impacts then. You should have a rough idea of your performance targets, but many variables play into performance, so performance varies.
Performance troubleshooting isn't about meeting specific goals and maintaining those numbers indefinitely, it's about improving existing activities, given all the variables.
Performance troubleshooting isn't about meeting specific goals and maintaining t
First, you need to make sure that what you are experiencing is indeed a performance issue and not a service incident. A performance problem is different from a service incident in Office 365. Here's how to tell them apart.
-If the Office 365 service is having issues, that's a service incident. You will see red or yellow icons under **Current health** in the Microsoft 365 admin center, you may also notice slow performance on client computers connecting to Office 365. For example, if Current health reports a red icon and you see **Investigating** beside Exchange, you might then also receive a bunch of calls from people in your organization who complain that client mailboxes that use Exchange Online are performing badly. In that case, it's reasonable to assume that your Exchange Online performance just became a victim of issues within the Service.
+Service Incidents happen when the Office 365 service itself is having issues. You may see red or yellow icons under **Current health** in the Microsoft 365 admin center. You may notice performance on client computers connecting to Office 365 is slow. For example, if Current health reports a red icon and you see **Investigating** beside Exchange, you might then also get calls from people in your organization who complain that client mailboxes using Exchange Online are slow. In that case, it's reasonable to assume that your Exchange Online performance was a victim of Service issues.
![The Office 365 Health dashboard with all workloads showing green, except Exchange, which shows Service Restored.](../media/ec7f0325-9e61-4e1a-bec0-64b87f4469be.PNG)
-At this point, you, the Office 365 admin, should check **Current health** and then **View details and history**, frequently, to keep up to date on maintenance we perform on the system. The **Current health** dashboard was made to update you about changes to, and problems in, the service. The notes and explanations written to health history, admin to admin, are there to help you gauge your impact, and to keep you posted about ongoing work.
+At this point, you, the Office 365 admin, should check **Current health** and then **View details and history**, often, to keep up to date on maintenance on the system. The **Current health** dashboard was made to update you about changes to, and problems in, the service. The notes and explanations written to health history, admin to admin, are there to help you gauge, and to keep you posted about ongoing work.
![A picture of the Office 365 health dashboard explaining that the Exchange Online service has been restored, and why.](../media/66609554-426a-4448-8be6-ea09817f41ba.PNG) A performance issue isn't a service incident, even though incidents can cause slow performance. A performance issue looks like this: -- A performance issue occurs no matter what the admin center **Current health** is reporting for the service.
+- A performance issue occurs no matter what the admin center **Current health** is reporting for the service.
-- A behavior that used to be relatively seamless takes a long time to complete or never completes.
+- A behavior that used to flow takes a long time to complete or never completes.
-- You can replicate the problem too, or, at least, you know it will happen if you do the right series of steps.
+- You can replicate the problem too, or know it will happen if you do the right series of steps.
-- If the problem is intermittent, there is still a pattern, for example, you know that by 10:00 AM you will have calls from users who can't reliably access Office 365, and that the calls will die down around noon.
+- If the problem is intermittent, there can still be a pattern. For example, you know that by 10:00 AM you'll have calls from users who can't always access Office 365. The calls will end around noon.
-This probably sounds familiar; maybe too familiar. Once you know it's a performance problem, the question becomes, "What do you do next?" The rest of this article helps you determine exactly that.
+This list probably sounds familiar; maybe too familiar. Once you're aware it's a performance problem, the question becomes, "What do you do next?" The rest of this article helps you determine exactly that.
## How to define and test the performance problem
-Performance issues often emerge over time, so it can be challenging to define the actual problem. You need to create a good problem statement and a good idea of issue context, and then you need to repeatable testing steps to win the day. Otherwise, through no fault of your own, you may be lost. Why? Well, here are some examples of problems statements that don't provide enough information:
+Performance issues often emerge over time, so it can be challenging to define the actual problem. Create a good problem statement with a good idea of issue context, and then you need to repeatable testing steps. Here are some examples of problems statements that don't provide enough information:
- Switching from my Inbox to my Calendar used to be something I didn't notice, and now it's a coffee-break. Can you make it act like it used to? - Uploading my files to SharePoint Online is taking forever. Why is it slow in the afternoon, but any other time, it's fast? Can't it just be fast?
-There are several large challenges posed by the problem statements above. Specifically, there are a lot of ambiguities to deal with. for example:
+There are several large challenges posed by the problem statements above. Specifically, too many ambiguities to deal with. for example:
- It's unclear how switching between Inbox and Calendar used to act on the laptop. - When the user says, "Can't it just be fast", what's "fast"? -- How long is "forever"? Is that several seconds, or minutes, or could the user go to lunch and it would finish up ten minutes after the user got back?
+- How long is "forever"? Is that several seconds? Or many minutes? Or could the user take lunch and the action would finish up 10 minutes after they got back?
-All of this is without considering that the admin and troubleshooter can't be aware of many details from problem statements like these. For example, when the problem started happening; That the user works from home and only ever sees slow switching while on a home network; That the user must run several other RAM intensive applications on the local client, or the user is running an older operating system or hasn't run recent updates.
+The admin and troubleshooter can't be aware of the *details* of the problem from general statements like these. For example, they don't know when the problem started happening. The troubleshooter might not know the user works from home and only ever sees slow switching while on their home network. Or that the user runs other RAM intensive applications on the local client. Admins may not know the user is running an older operating system or hasn't run recent updates.
-When users report a performance problem, there's a lot of information to collect. Collecting this information is part of a process called scoping the issue, or investigating it. The following is a basic scoping list you can use to collect information about your performance issue. This list is not exhaustive, but it's a place to start one of your own:
+When users report a performance problem, there's a lot of information to collect. Getting and recording information is called scoping the issue. Here is a basic scoping list you can use to collect information about performance issues. This list is not exhaustive, but it's a place to start:
- On what date did the issue happen, and around what time of day or night?
You have to use [PSPing](/sysinternals/downloads/psping) or another tool that do
2. Navigate to the folder where the tool (in this case PsPing) is installed and test these Office 365 URLs:
- - psping portal.office.com:443
+ - psping admin.microsoft.com:443
- psping microsoft-my.sharepoint.com:443
managed-desktop Network https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/network.md
Microsoft service | URLs required on allow list | Documentation source
Windows Update for Business (WUfB) | update.microsoft.com<br>\*.update.microsoft.com<br>download.windowsupdate.com<br>\*.download.windowsupdate.com<br>download.microsoft.com<br>\*.download.microsoft.com<br>windowsupdate.com<br>\*.windowsupdate.com<br>ntservicepack.microsoft.com<br>wustat.windows.com<br>login.live.com <br>mp.microsoft.com<br>\*.mp.microsoft.com | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) Delivery Optimization | \*.do.dsp.mp.microsoft.com<br>\*.dl.delivery.mp.microsoft.com <br>\*.emdl.ws.microsoft.com<br>\*.download.windowsupdate.com <br>\*.windowsupdate.com | [Windows Update proxy requirements](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) Microsoft Store for Business | login.live.com <br>account.live.com <br>clientconfig.passport.net <br>wustat.windows.com <br>\*.windowsupdate.com <br>\*.wns.windows.com <br>\*.hotmail.com <br>\*.outlook.com <br>\*.microsoft.com <br>\*.msftncsi.com/ncsi.txt | [Microsoft Store allow list](https://support.microsoft.com/help/2778122/using-authenticated-proxy-servers-together-with-windows-8)
-Microsoft 365 | \*.office365.com<br>\*.office.com<br>\*.office.net<br>\*.live.com<br>\*.portal.cloudappsecurity.com<br>\*.portal.cloudappsecurity.com<br>\*.us.portal.cloudappsecurity.com<br>\*.eu.portal.cloudappsecurity.com<br>\*.us2.portal.cloudappsecurity.com<br><tenant>.onmicrosoft.com<br>account.office.net<br>agent.office.net<br>apc.delve.office.com<br>aus.delve.office.com<br>can.delve.office.com<br>delve.office.com<br>eur.delve.office.com<br>gbr.delve.office.com<br>home.office.com<br>ind.delve.office.com<br>jpn.delve.office.com<br>kor.delve.office.com<br>lam.delve.office.com<br>nam.delve.office.com<br>portal.office.com<br>outlook.office365.com<br>suite.office.net<br>webshell.suite.office.com<br>www.office.com<br>\*.aria.microsoft.com<br>browser.pipe.aria.microsoft.com<br>mobile.pipe.aria.microsoft.com<br>portal.microsoftonline.com<br>clientlog.portal.office.com<br>nexus.officeapps.live.com<br>nexusrules.officeapps.live.com<br>amp.azure.net<br>\*.o365weve.com<br>auth.gfx.ms<br>appsforoffice.microsoft.com<br>assets.onestore.ms<br>az826701.vo.msecnd.net<br>c.microsoft.com<br>c1.microsoft.com<br>client.hip.live.com<br>contentstorage.osi.office.net<br>dgps.support.microsoft.com<br>docs.microsoft.com<br>groupsapi-<br>rod.outlookgroups.ms<br>groupsapi2-prod.outlookgroups.ms<br>groupsapi3-prod.outlookgroups.ms<br>groupsapi4-prod.outlookgroups.ms<br>msdn.microsoft.com<br>platform.linkedin.com<br>products.office.com<br>prod.msocdn.com<br>r1.res.office365.com<br>r4.res.office365.com<br>res.delve.office.com<br>shellprod.msocdn.com<br>support.content.office.net<br>support.microsoft.com<br>support.office.com<br>technet.microsoft.com<br>templates.office.com<br>video.osi.office.net<br>videocontent.osi.office.net<br>videoplayercdn.osi.office.net<br>\*.manage.office.com<br>\*.protection.office.com<br>manage.office.com<br>Protection.office.com<br>diagnostics.office.com | [Microsoft 365 URL and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md)
+Microsoft 365 | \*.office365.com<br>\*.office.com<br>\*.office.net<br>\*.live.com<br>\*.portal.cloudappsecurity.com<br>\*.portal.cloudappsecurity.com<br>\*.us.portal.cloudappsecurity.com<br>\*.eu.portal.cloudappsecurity.com<br>\*.us2.portal.cloudappsecurity.com<br><tenant>.onmicrosoft.com<br>account.office.net<br>agent.office.net<br>apc.delve.office.com<br>aus.delve.office.com<br>can.delve.office.com<br>delve.office.com<br>eur.delve.office.com<br>gbr.delve.office.com<br>home.office.com<br>ind.delve.office.com<br>jpn.delve.office.com<br>kor.delve.office.com<br>lam.delve.office.com<br>nam.delve.office.com<br>admin.microsoft.com<br>outlook.office365.com<br>suite.office.net<br>webshell.suite.office.com<br>www.office.com<br>\*.aria.microsoft.com<br>browser.pipe.aria.microsoft.com<br>mobile.pipe.aria.microsoft.com<br>portal.microsoftonline.com<br>clientlog.admin.microsoft.com<br>nexus.officeapps.live.com<br>nexusrules.officeapps.live.com<br>amp.azure.net<br>\*.o365weve.com<br>auth.gfx.ms<br>appsforoffice.microsoft.com<br>assets.onestore.ms<br>az826701.vo.msecnd.net<br>c.microsoft.com<br>c1.microsoft.com<br>client.hip.live.com<br>contentstorage.osi.office.net<br>dgps.support.microsoft.com<br>docs.microsoft.com<br>groupsapi-<br>rod.outlookgroups.ms<br>groupsapi2-prod.outlookgroups.ms<br>groupsapi3-prod.outlookgroups.ms<br>groupsapi4-prod.outlookgroups.ms<br>msdn.microsoft.com<br>platform.linkedin.com<br>products.office.com<br>prod.msocdn.com<br>r1.res.office365.com<br>r4.res.office365.com<br>res.delve.office.com<br>shellprod.msocdn.com<br>support.content.office.net<br>support.microsoft.com<br>support.office.com<br>technet.microsoft.com<br>templates.office.com<br>video.osi.office.net<br>videocontent.osi.office.net<br>videoplayercdn.osi.office.net<br>\*.manage.office.com<br>\*.protection.office.com<br>manage.office.com<br>Protection.office.com<br>diagnostics.office.com | [Microsoft 365 URL and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md)
Azure Active Directory | api.login.microsoftonline.com<br>api.passwordreset.microsoftonline.com<br>autologon.microsoftazuread-sso.com<br>becws.microsoftonline.com<br>clientconfig.microsoftonline-p.net <br>companymanager.microsoftonline.com <br>device.login.microsoftonline.com <br>hip.microsoftonline-p.net <br>hipservice.microsoftonline.com <br>login.microsoft.com<br>login.microsoftonline.com <br>logincert.microsoftonline.com <br>loginex.microsoftonline.com<br>login-us.microsoftonline.com <br>login.microsoftonline-p.com <br>login.windows.net <br>nexus.microsoftonline-p.com <br>passwordreset.microsoftonline.com <br>provisioningapi.microsoftonline.com<br>stamp2.login.microsoftonline.com<br>\*.msappproxy.net<br>ccs.login.microsoftonline.com<br>ccs-sdf.login.microsoftonline.com<br>accounts.accesscontrol.windows.net<br>secure.aadcdn.microsoftonline-p.com<br>\*.phonefactor.net<br>account.activedirectory.windowsazure.com<br>secure.aadcdn.microsoftonline-p.com<br>graph.microsoft.com | [Hybrid identity required ports and protocols](/azure/active-directory/connect/active-directory-aadconnect-ports) and [Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)) Microsoft Intune | login.microsoftonline.com<br>portal.manage.microsoft.com<br>m.manage.microsoft.com<br>sts.manage.microsoft.com<br>Manage.microsoft.com <br>i.manage.microsoft.com <br>r.manage.microsoft.com <br>a.manage.microsoft.com <br>p.manage.microsoft.com <br>EnterpriseEnrollment.manage.microsoft.com <br>EnterpriseEnrollment-s.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com<br>m.fei.msua01.manage.microsoft.com<br>fei.msua01.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com <br>m.fei.msua01.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com <br>m.fei.amsua0602.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com <br>m.fei.amsua0602.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com <br>m.fei.msuc05.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com <br>m.fei.msuc05.manage.microsoft.com<br>fef.msua01.manage.microsoft.com<br>fef.msua02.manage.microsoft.com<br>fef.msua04.manage.microsoft.com<br>fef.msua05.manage.microsoft.com<br>fef.msua06.manage.microsoft.com<br>fef.msua07.manage.microsoft.com<br>fef.msub01.manage.microsoft.com<br>fef.msub02.manage.microsoft.com<br>fef.msub03.manage.microsoft.com<br>fef.msub05.manage.microsoft.com<br>fef.msuc01.manage.microsoft.com<br>fef.msuc02.manage.microsoft.com<br>fef.msuc03.manage.microsoft.com<br>fef.msuc05.manage.microsoft.com | [Intune network configuration requirements](/intune/network-bandwidth-use) OneDrive for Business | onedrive.com <br> <br>\*.onedrive.com <br>onedrive.live.com <br>login.live.com <br>spoprod-a.akamaihd.net <br>\*.mesh.com <br>p.sfx.ms <br>\*.microsoft.com <br>fabric.io <br>\*.crashlytics.com <br>vortex.data.microsoft.com <br>https://posarprodcssservice.accesscontrol.windows.net <br>redemptionservices.accesscontrol.windows.net <br>token.cp.microsoft.com/ <br>tokensit.cp.microsoft-tst.com/ <br>\*.office.com <br>\*.officeapps.live.com <br>\*.aria.microsoft.com <br>\*.mobileengagement.windows.net <br>\*.branch.io <br>\*.adjust.com <br>\*.servicebus.windows.net <br>vas.samsungapps.com <br>odc.officeapps.live.com <br>login.windows.net <br>login.microsoftonline.com <br>\*.files.1drv.com <br>\*.onedrive.live.com <br>\*.\*.onedrive.live.com <br>storage.live.com <br>\*.storage.live.com <br>\*.\*.storage.live.com <br>\*.groups.office.live.com <br>\*.groups.photos.live.com <br>\*.groups.skydrive.live.com <br>favorites.live.com <br>oauth.live.com <br>photos.live.com <br>skydrive.live.com <br>api.live.net <br>apis.live.net <br>docs.live.net <br>\*.docs.live.net <br>policies.live.net <br>\*.policies.live.net <br>settings.live.net <br>\*.settings.live.net <br>skyapi.live.net <br>snapi.live.net <br>\*.livefilestore.com <br>\*.\*.livefilestore.com <br>storage.msn.com <br>\*.storage.msn.com <br>\*.*.storage.msn.com | [Required URLs and ports for OneDrive](/onedrive/required-urls-and-ports)
security Onboard Windows 10 Multi Session Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Onboard-Windows-10-multi-session-device.md
There are several ways to onboard a WVD host machine:
#### *Scenario 1: Using local group policy* This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process.
-Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](configure-endpoints-vdi.md#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1).
+Use the instructions in [Onboard the non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md#onboard-the-non-persistent-virtual-desktop-infrastructure-vdi-devices).
Follow the instructions for a single entry for each device.
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [General]() ##### [Verify data storage location and update data retention settings](data-retention-settings.md) ##### [Configure alert notifications](configure-email-notifications.md)
+##### [Configure vulnerability email notifications](configure-vulnerability-email-notifications.md)
##### [Configure advanced features](advanced-features.md) #### [Permissions]()
security Access Mssp Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/access-mssp-portal.md
Title: Access the Microsoft Defender Security Center MSSP customer portal
-description: Access the Microsoft Defender Security Center MSSP customer portal
+ Title: Access the Microsoft 365 Defender MSSP customer portal
+description: Access the Microsoft 365 Defender MSSP customer portal
keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Access the Microsoft Defender Security Center MSSP customer portal
+# Access the Microsoft 365 Defender MSSP customer portal
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
This feature enables you to block potentially malicious files in your network. B
To turn **Allow or block** files on:
-1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**.
1. Toggle the setting between **On** and **Off**.
The integration with Microsoft Defender for Identity allows you to pivot directl
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
-When you turn this feature on, you'll be able to incorporate data from Microsoft Defender for Office 365 into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
+When you turn this feature on, you'll be able to incorporate data from Microsoft Defender for Office 365 into Microsoft 365 Defender to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
> [!NOTE] > You'll need to have the appropriate license to enable this feature.
security Alerts Queue Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response.md
Title: Alerts queue in Microsoft Defender Security Center
+ Title: Alerts queue in Microsoft 365 Defender
-description: View and manage the alerts surfaced in Microsoft Defender Security Center
+description: View and manage the alerts surfaced in Microsoft 365 Defender
keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150
Last updated 09/03/2018
ms.technology: mde
-# Alerts queue in Microsoft Defender Security Center
+# Alerts queue in Microsoft 365 Defender
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Api Portal Mapping https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-portal-mapping.md
Title: Microsoft Defender for Endpoint detections API fields
-description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center
+description: Understand how the Detections API fields map to the values in Microsoft 365 Defender
keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
-Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
+Understand what data fields are exposed as part of the detections API and how they map to Microsoft 365 Defender.
>[!Note] >- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
security Attack Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-simulations.md
Read the walkthrough document provided with each attack scenario. Each document
## Run a simulation
-1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate:
+1. In **Endpoints** > **Evaluation & tutorials** > **Tutorials & simulations**, select which of the available attack scenarios you would like to simulate:
- **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
security Configure Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-conditional-access.md
Title: Configure Conditional Access in Microsoft Defender for Endpoint
-description: Learn about steps that you need to do in Intune, Microsoft Defender Security Center, and Azure to implement Conditional access
+description: Learn about steps that you need to do in Intune, Microsoft 365 Defender, and Azure to implement Conditional access
keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration search.product: eADQiWindows 10XVcnh search.appverid: met150
You need to make sure that all your devices are enrolled in Intune. You can use
-There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
+There are steps you'll need to take in Microsoft 365 Defender, the Intune portal, and Azure AD portal.
It's important to note the required roles to access these portals and implement Conditional access:-- **Microsoft Defender Security Center** - You'll need to sign into the portal with a global administrator role to turn on the integration.
+- **Microsoft 365 Defender** - You'll need to sign into the portal with a global administrator role to turn on the integration.
- **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions. - **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator.
It's important to note the required roles to access these portals and implement
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. Take the following steps to enable Conditional Access:-- Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center
+- Step 1: Turn on the Microsoft Intune connection from Microsoft 365 Defender
- Step 2: Turn on the Defender for Endpoint integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy
Take the following steps to enable Conditional Access:
### Step 1: Turn on the Microsoft Intune connection
-1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **General** > **Advanced features** > **Microsoft Intune connection**.
2. Toggle the Microsoft Intune setting to **On**. 3. Click **Save preferences**.
security Configure Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-discovery.md
Discovery can be configured to be on standard or basic mode. Use the standard op
You can customize the list of devices that are used to perform standard discovery. You can either enable standard discovery on all the onboarded devices that also support this capability (currently - Windows 10 devices only) or select a subset or subsets of your devices by specifying their device tags. > [!IMPORTANT]
-> For preview, you'll first need to turn on the Preview features in Microsoft Defender Security Center.
-> You can then access the device discovery configuration in Microsoft 365 security center. The list of unmanaged devices and security recommendations will be available in both Microsoft Defender Security Center and Microsoft 365 security center, while the dashboard tiles will only be available in Microsoft 365 security center.
+> For preview, you'll first need to turn on the Preview features in Microsoft 365 Defender.
+> You can then access the device discovery configuration in Microsoft 365 security center. The list of unmanaged devices and security recommendations will be available in both Microsoft 365 Defender and Microsoft 365 security center, while the dashboard tiles will only be available in Microsoft 365 security center.
Take the following configuration steps in Microsoft 365 security center:
security Configure Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-email-notifications.md
The email notification includes basic information about the alert and a link to
You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
-1. In the navigation pane, select **Settings** > **Email notifications**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **General** > **Email notifications**.
2. Click **Add item**.
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
Title: Onboard Windows 10 devices to Microsoft Defender for Endpoint via Group Policy
-description: Use Group Policy to deploy the configuration package on Windows 10 devices so that they are onboarded to the service.
+description: Use Group Policy to deploy the configuration package on the Windows 10 devices so that they are onboarded to the service.
keywords: configure devices using group policy, device management, configure Microsoft Defender for Endpoint devices, onboard Microsoft Defender for Endpoint devices, group policy search.product: eADQiWindows 10XVcnh search.appverid: met150
Last updated 04/24/2018
ms.technology: mde
-# Onboard Windows 10 devices using Group Policy
+# Onboard the Windows 10 devices using Group Policy
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Onboarding**.
+ 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
1. Select Windows 10 as the operating system.
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
-8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
+8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the NetBIOS path of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
9. Click **OK** and close any open GPMC windows.
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). ## Additional Defender for Endpoint configuration settings
-For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
+For each device, you can state whether samples can be collected from the device when a request is made through Microsoft 365 Defender to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
For security reasons, the package used to Offboard devices will expire 30 days a
> [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
-1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Offboarding**.
+ 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
1. Select Windows 10 as the operating system.
With Group Policy there isnΓÇÖt an option to monitor deployment of policies on t
## Monitor devices using the portal
-1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
-2. Click **Devices list**.
+1. Go to [Microsoft 365 Defender portal](https://security.microsoft.com/).
+2. Click **Devices inventory**.
3. Verify that devices are appearing. > [!NOTE]
security Configure Endpoints Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md
Title: Onboard Windows 10 devices using Mobile Device Management tools
-description: Use Mobile Device Management tools to deploy the configuration package on devices so that they are onboarded to the service.
+description: Use Mobile Device Management tools to deploy the configuration package on devices so that the devices are onboarded to the service.
keywords: onboard devices using mdm, device management, onboard Microsoft Defender for Endpoint devices, mdm search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Onboard Windows 10 devices using Mobile Device Management tools
+# Onboard the Windows 10 devices using Mobile Device Management tools
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
For security reasons, the package used to Offboard devices will expire 30 days a
> [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
-1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Offboarding**.
+ 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
1. Select Windows 10 as the operating system.
security Configure Endpoints Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md
ms.technology: mde
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
-Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
+Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft 365 Defender and better protect your organization's network.
You'll need to know the exact Linux distros and macOS versions that are compatible with Defender for Endpoint for the integration to work. For more information, see: - [Microsoft Defender for Endpoint on Linux system requirements](microsoft-defender-endpoint-linux.md#system-requirements)
security Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md
Title: Onboard Windows 10 devices using Configuration Manager
-description: Use Configuration Manager to deploy the configuration package on devices so that they are onboarded to the service.
+description: Use Configuration Manager to deploy the configuration package on devices so that devices are onboarded to the service.
keywords: onboard devices using sccm, device management, configure Microsoft Defender for Endpoint devices search.product: eADQiWindows 10XVcnh search.appverid: met150
Last updated 02/07/2020
ms.technology: mde
-# Onboard Windows 10 devices using Configuration Manager
+# Onboard the Windows 10 devices using Configuration Manager
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
-1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Onboarding**.
+ 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
1. Select Windows 10 as the operating system.
For more information, see [Configure Detection Methods in System Center 2012 R2
### Configure sample collection settings
-For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
+For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft 365 Defender to submit a file for deep analysis.
>[!NOTE]
->These configuration settings are typically done through Configuration Manager.
+>These configuration settings are typically done through Configuration Manager.
You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device.
If you use Microsoft Endpoint Manager current branch, see [Create an offboarding
### Offboard devices using System Center 2012 R2 Configuration Manager
-1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Offboarding**.
+ 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
1. Select Windows 10 as the operating system.
security Configure Endpoints Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md
Title: Onboard Windows 10 devices using a local script
-description: Use a local script to deploy the configuration package on devices so that they are onboarded to the service.
+description: Use a local script to deploy the configuration package on devices to enable onboarding of the devices to the service.
keywords: configure devices using a local script, device management, configure Microsoft Defender for Endpoint devices search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Onboard Windows 10 devices using a local script
+# Onboard the Windows 10 devices using a local script
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
You can also manually onboard individual devices to Defender for Endpoint. You m
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint.
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Onboarding**.
+ 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
1. Select Windows 10 as the operating system.
For information on how you can manually validate that the device is compliant an
> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint](run-detection-test.md). ## Configure sample collection settings
-For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
+For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft 365 Defender to submit a file for deep analysis.
You can manually configure the sample sharing setting on the device by using *regedit* or creating and running a *.reg* file.
For security reasons, the package used to Offboard devices will expire 30 days a
> [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
-1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Offboarding**.
+ 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** >**Offboarding**.
1. Select Windows 10 as the operating system.
You can follow the different verification steps in the [Troubleshoot onboarding
Monitoring can also be done directly on the portal, or by using the different deployment tools. ### Monitor devices using the portal
-1. Go to Microsoft Defender Security Center.
+1. Go to Microsoft 365 Defender portal.
-2. Click **Devices list**.
+2. Click **Devices inventory**.
3. Verify that devices are appearing.
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
Last updated 04/16/2020
ms.technology: mde
-# Onboard non-persistent virtual desktop infrastructure (VDI) devices
+# Onboard the non-persistent virtual desktop infrastructure (VDI) devices
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
The following steps will guide you through onboarding VDI devices and will highl
### For Windows 10 or Windows Server 2019
-1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft 365 Defender portal](https://security.microsoft.com/):
- 1. In the navigation pane, select **Settings** > **Onboarding**.
+ 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
1. Select Windows 10 as the operating system.
The following steps will guide you through onboarding VDI devices and will highl
- For single entry for each device:
- Check only one entry in Microsoft Defender Security Center.
+ Check only one entry in Microsoft 365 Defender portal.
- For multiple entries for each device:
- Check multiple entries in Microsoft Defender Security Center.
+ Check multiple entries in Microsoft 365 Defender portal.
6. Click **Devices list** on the Navigation pane.
security Configure Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-support.md
You'll need to take the following configuration steps to enable the managed secu
The integration will allow MSSPs to take the following actions: -- Get access to MSSP customer's Microsoft Defender Security Center portal
+- Get access to MSSP customer's Microsoft 365 Defender portal
- Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools
Typically, MSSP customers take the initial configuration steps to grant MSSPs ac
In general, the following configuration steps need to be taken: -- **Grant the MSSP access to Microsoft Defender Security Center** <br>
+- **Grant the MSSP access to Microsoft 365 Defender** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant.
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
Please see the following guidance to eliminate the wildcard (*) requirement for
1. Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see [Onboard previous versions of Windows on Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2010326) and [Onboard Windows servers](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016).
-2. Ensure the machine is successfully reporting into the Microsoft Defender Security Center portal.
+2. Ensure the machine is successfully reporting into the Microsoft 365 Defender portal.
3. Run the TestCloudConnection.exe tool from ΓÇ£C:\Program Files\Microsoft Monitoring Agent\AgentΓÇ¥ to validate the connectivity and to see the required URLs for your specific workspace.
Please see the following guidance to eliminate the wildcard (*) requirement for
![Image of administrator in Windows PowerShell](images/admin-powershell.png)
-The wildcards (\*) used in \*.ods.opinsights.azure.com, \*.oms.opinsights.azure.com, and \*.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft Defender Security Center portal.
+The wildcards (\*) used in \*.ods.opinsights.azure.com, \*.oms.opinsights.azure.com, and \*.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft 365 Defender portal.
The \*.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the "Firewall Rule: \*.blob.core.windows.net" section of the test results.
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
-Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
+Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft 365 Defender console.
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Defender for Endpoint](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
If you're already using System Center Operations Manager (SCOM) or Azure Monitor
In general, you'll need to take the following steps: 1. Fulfill the onboarding requirements outlined in **Before you begin** section.
-2. Turn on server monitoring from Microsoft Defender Security center.
+2. Turn on server monitoring from Microsoft 365 Defender portal.
3. Install and configure MMA for the server to report sensor data to Defender for Endpoint. 4. Configure and update System Center Endpoint Protection clients.
Once completed, you should see onboarded Windows servers in the portal within an
### Option 2: Onboard Windows servers through Azure Security Center
-1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**.
+1. In the Microsoft 365 Defender navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
The following capabilities are included in this integration:
> The integration between Azure Defender for Servers and Microsoft Defender for Endpoint has been expanded to support [Windows Server 2019 and Windows Virtual Desktop (WVD)](/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview). - Windows servers monitored by Azure Defender will also be available in Defender for Endpoint - Azure Defender seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Defender console.-- Server investigation - Azure Defender customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
+- Server investigation - Azure Defender customers can access Microsoft 365 Defender portal to perform detailed investigation to uncover the scope of a potential breach.
> [!IMPORTANT] > - When you use Azure Defender to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).<br>
To offboard the Windows server, you can use either of the following methods:
1. Get your Workspace ID:
- 1. In the navigation pane, select **Settings** > **Onboarding**.
+ 1. In the Microsoft 365 Defender navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system and get your Workspace ID:
security Configure Vulnerability Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications.md
Create a notification rule to send an email when there are certain exploit or vu
3. Name the email notification rule and include a description.
-4. Check **Notification enabled** to activate the notification. Select **Next**
+4. Check **Activate notification rule**. Select **Next**
5. Fill in the notification settings. Then select **Next** - Choose device groups to get notifications for.
- - Choose the vulnerability event(s) that you want to be notified about when they affect your organization.
- - Options: new vulnerability found (including severity threshold), new public exploit, exploit added to an exploit kit, exploit was verified.
- - Include organization name if you want the organization name in the email
+ - Choose the vulnerability event(s) that you want to be notified about when they affect your organization:
+ - New vulnerability found (including severity threshold)
+
+ > [!NOTE]
+ > This includes newly detected [zero-day vulnerabilities](tvm-zero-day-vulnerabilities.md) and patches released for existing zero-day vulnerabilities. For more information, see [patching zero-day vulnerabilities](tvm-zero-day-vulnerabilities.md#patching-zero-day-vulnerabilities).
+
+ - Exploit was verified
+ - New public exploit
+ - Exploit added to an exploit kit
+
+ - Include organization name if you want the organization name in the email.
6. Enter the recipient email address then select **Add**. You can add multiple email addresses.
security Connected Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md
Applications use standard OAuth 2.0 protocol to authenticate and provide tokens
You'll need to follow [these steps](/microsoft-365/security/defender-endpoint/apis-intro) to use the APIs with the connected application. ## Access the connected application page
-From the left navigation menu, select **Partners & APIs** > **Connected AAD applications**.
+From the left navigation menu, select **Endpoints** > **Partners and APIs** > **Connected applications**.
## View connected application details
security Contact Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md
Accessing the new support widget can be done in one of two ways:
![Image of widget when question mark is selected](images/support-widget.png)
-2. Clicking on the **Need help?** button in the bottom right of the Microsoft Defender Security Center:
+2. Clicking on the **Need help?** button in the bottom right of the Microsoft 365 Defender portal:
- ![Image of the need help button](images/need-help.png)
+ ![Image of the need help button](images/need-help-option.png)
In the widget you will be offered two options:
In the widget you will be offered two options:
## Find solutions to common problems This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced.
-![Image of need help widget](images/Support3.png)
+![Image of need help widget](images/information-on-help-screen.png)
In case the suggested articles are not sufficient, you can open a service request.
Learn how to open support tickets by contacting Defender for Endpoint support.
This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case:
-![Image of the open a service request widget](images/Support4.png)
+![Image of the open a service request widget](images/contact-support-screen.png)
1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you.
security Data Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-retention-settings.md
After completing the onboarding, you can verify your selection in the data reten
## Verify data storage location During the [Set up phase](production-deployment.md), you would have selected the location to store your data.
-You can verify the data location by navigating to **Settings** > **Data retention**.
+You can verify the data location by navigating to **Settings** > **Endpoints** > **Data retention**.
## Update data retention settings You can update the data retention settings. By default, the retention period is 180 days.
-1. In the navigation pane, select **Settings** > **Data retention**.
+1. In the navigation pane, select **Settings** > **Endpoints** > **Data retention**.
2. Select the data retention duration from the drop-down list.
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
When you're done reviewing and undoing actions that were taken as a result of fa
### Review completed actions
-1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
+1. In the left navigation pane of the Microsoft 365 Defender portal, click **Action center**.
2. Select the **History** tab to view a list of actions that were taken.
When you're done reviewing and undoing actions that were taken as a result of fa
### Restore a quarantined file from the Action Center
-1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
+1. In the left navigation pane of the Microsoft 365 Defender portal, click **Action center**.
2. On the **History** tab, select an action that you want to undo.
When you're done reviewing and undoing actions that were taken as a result of fa
### Undo multiple actions at one time
-1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
+1. In the left navigation pane of the Microsoft 365 Defender portal, click **Action center**.
2. On the **History** tab, select the actions that you want to undo.
When you're done reviewing and undoing actions that were taken as a result of fa
> [!div class="mx-imgBorder"] > ![Quarantine file](images/autoir-quarantine-file-1.png)
-1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
+1. In the left navigation pane of the Microsoft 365 Defender portal, click **Action center**.
2. On the **History** tab, select a file that has the Action type **Quarantine file**.
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
ms.technology: mde
EDR in block mode is also integrated with [threat & vulnerability management](next-gen-threat-and-vuln-mgt.md). Your organization's security team will get a [security recommendation](tvm-security-recommendation.md) to turn EDR in block mode on if it isn't already enabled. > [!NOTE] > To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](configure-machines-security-baseline.md)**.
The following image shows an instance of unwanted software that was detected and
3. Turn on **EDR in block mode**. > [!NOTE]
-> EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.
+> EDR in block mode can be turned on only in the Microsoft 365 Defender portal. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.
## Requirements for EDR in block mode
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md
When working with features in public preview, these features:
- Are fully supported by Microsoft. - May only be available in selected geographic regions or cloud environments. For example, the feature may not exist in the government cloud. - Individual features in preview may have more usage and support restrictions. If so, this information is typically noted in the feature documentation.-- The preview versions are provided with a standard support level, and it is recommended for production workloads.
+- The preview versions are provided with a standard support level, and can be used for production environments.
security Advanced Hunting Aadsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadsignineventsbeta-table.md
reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-h
|`NetworkLocationDetails`|string|Network location details of the authentication processor of the sign-in event| |`RequestId`|string|Unique identifier of the request| |`ReportId`|string|Unique identifier for the event|
-|
## Related articles
security Advanced Hunting Aadspnsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadspnsignineventsbeta-table.md
reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-h
-| Column name | Data type | Description |
-| -- | -- | - |
-| `Timestamp` | datetime | Date and time when the record was generated |
-| `Application` | string | Application that performed the recorded action |
-| `ApplicationId` | string | Unique identifier for the application |
-| `IsManagedIdentity` | boolean | Indicates whether the sign-in was initiated by a managed identity |
-| `ErrorCode` | int | Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit <https://aka.ms/AADsigninsErrorCodes>. |
-| `CorrelationId` | string | Unique identifier of the sign-in event |
-| `ServicePrincipalName` | string | Name of the service principal that initiated the sign-in |
-| `ServicePrincipalId` | string | Unique identifier of the service principal that initiated the sign-in |
-| `ResourceDisplayName` | string | Display name of the resource accessed |
-| `ResourceId` | string | Unique identifier of the resource accessed |
-| `ResourceTenantId` | string | Unique identifier of the tenant of the resource accessed |
-| `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
-| `Country` | string | Two-letter code indicating the country where the client IP address is geolocated |
-| `State` | string | State where the sign-in occurred, if available |
-| `City` | string | City where the account user is located |
-| `Latitude` | string | The north to south coordinates of the sign-in location |
-| `Longitude` | string | The east to west coordinates of the sign-in location |
-| `RequestId` | string | Unique identifier of the request |
-|`ReportId` | string | Unique identifier for the event | 
+| Column name | Data type | Description |
+|--|--|--|
+| `Timestamp` | datetime | Date and time when the record was generated |
+| `Application` | string | Application that performed the recorded action |
+| `ApplicationId` | string | Unique identifier for the application |
+| `IsManagedIdentity` | boolean | Indicates whether the sign-in was initiated by a managed identity |
+| `ErrorCode` | int | Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit <https://aka.ms/AADsigninsErrorCodes>. |
+| `CorrelationId` | string | Unique identifier of the sign-in event |
+| `ServicePrincipalName` | string | Name of the service principal that initiated the sign-in |
+| `ServicePrincipalId` | string | Unique identifier of the service principal that initiated the sign-in |
+| `ResourceDisplayName` | string | Display name of the resource accessed |
+| `ResourceId` | string | Unique identifier of the resource accessed |
+| `ResourceTenantId` | string | Unique identifier of the tenant of the resource accessed |
+| `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
+| `Country` | string | Two-letter code indicating the country where the client IP address is geolocated |
+| `State` | string | State where the sign-in occurred, if available |
+| `City` | string | City where the account user is located |
+| `Latitude` | string | The north to south coordinates of the sign-in location |
+| `Longitude` | string | The east to west coordinates of the sign-in location |
+| `RequestId` | string | Unique identifier of the request |
+|`ReportId` | string | Unique identifier for the event |
 
reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-h
- [Learn the query language](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language) - [Understand the
- schema](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
+ schema](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
security Microsoft Secure Score Whats Coming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-whats-coming.md
We're making some changes in the near future to make [Microsoft Secure Score](mi
- Set 'Enforce password history' to '24 or more password(s)' in macOS - Set 'Maximum password age' to '90 or fewer days, but not 0' in macOS - Set account lockout threshold to 5 or lower in macOS-- Turn on Firewall on macOs
+- Turn on Firewall on macOS
- Enable Gatekeeper - Enable System Integrity Protection (SIP) - Enable FileVault Disk Encryption
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
RSS feed: Get notified when this page is updated by copying and pasting the foll
/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+365+defender%22&locale=en-us ```
+## July 2021
+- [Professional services catalog](https://sip.security.microsoft.com/interoperability/professional_services)<br>Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.
+
+ ## May 2021 - [New alert page in the Microsoft 365 Defender portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender/easily-find-anomalies-in-incidents-and-alerts/ba-p/2339243) <br> Provides enhanced information for the context into an attack. You can see which other triggered alert caused the current alert and all the affected entities and activities involved in the attack, including files, users and mailboxes. See [Investigate alerts](/microsoft-365/security/defender/investigate-alerts) for more information.
security Recover From Ransomware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recover-from-ransomware.md
If your country isn't listed, ask your local or federal law enforcement agencies
You can report phishing messages that contain ransomware by using one of several methods. For more information, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
-## See also
+## Additional ransomware resources
-- [Ransomware](/windows/security/threat-protection/intelligence/ransomware-malware)
+[Human-operated ransomware overview](/security/compass/human-operated-ransomware)
-- [Ransomware responseΓÇöto pay or not to pay?](https://www.microsoft.com/security/blog/2019/12/16/ransomware-response-to-pay-or-not-to-pay/)
+[Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware)
-- [Norsk Hydro responds to ransomware attack with transparency](https://www.microsoft.com/security/blog/2019/12/17/norsk-hydro-ransomware-attack-transparency/)
+[The latest Microsoft Security Intelligence Report PDF)](https://www.microsoft.com/securityinsights/) (search for "ransomware")
-- [Ransomware detection and recovering your files in OneDrive](https://support.microsoft.com/office/0d90ec50-6bfd-40f4-acc7-b8c12c73637f)
+**Ransomware: A pervasive and ongoing threat** report in the **Threat analytics node** of the Microsoft 365 Defender portal
-- [Microsoft Security Intelligence Report](https://www.microsoft.com/securityinsights/)
+Microsoft 365 protection:
+- [Ransomware detection and recovering your files in OneDrive](https://support.microsoft.com/office/0d90ec50-6bfd-40f4-acc7-b8c12c73637f)
- [Enable or disable macros in Office files](https://support.microsoft.com/office/12b036fd-d140-4e74-b45e-16fed1a7e5c6)- - [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md) -- [A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017](https://www.microsoft.com/security/blog/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/)--- [No mas, Samas: What's in this ransomware's modus operandi?](https://www.microsoft.com/security/blog/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/)
+Microsoft Security team blog posts:
-- [Locky malware, lucky to avoid it](https://www.microsoft.com/security/blog/2016/02/24/locky-malware-lucky-to-avoid-it/)
+- [Becoming resilient by understanding cybersecurity risks: Part 4ΓÇönavigating current threats (May 2021)](https://www.microsoft.com/security/blog/2021/05/26/becoming-resilient-by-understanding-cybersecurity-risks-part-4-navigating-current-threats/)
-- [MSRT July 2016: Cerber ransomware](https://www.microsoft.com/security/blog/2016/07/12/msrt-july-2016-cerber-ransomware/)
+ See the **Ransomware** section.
-- [The three heads of the Cerberus-like Cerber ransomware](https://www.microsoft.com/security/blog/2016/03/09/the-three-heads-of-the-cerberus-like-cerber-ransomware/)
+- [Human-operated ransomware attacks: A preventable disaster (March 2020)](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/)
+- [Ransomware responseΓÇöto pay or not to pay? (December 2019)](https://www.microsoft.com/security/blog/2019/12/16/ransomware-response-to-pay-or-not-to-pay/)
+- [Norsk Hydro responds to ransomware attack with transparency (December 2019)](https://www.microsoft.com/security/blog/2019/12/17/norsk-hydro-ransomware-attack-transparency/)
+- [A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017 (January 2018)](https://www.microsoft.com/security/blog/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/)
-- [Troldesh ransomware influenced by (the) Da Vinci code](https://www.microsoft.com/security/blog/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/)
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
After you've verified that your mailbox meets all applicable prerequisites, you
- To modify the configuration for User submissions, you need to be a member of one of the following role groups: - **Organization Management** or **Security Administrator** in the [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
- - **Organization Management** in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups).
-
+
- You need access to Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that looks like this when specify the submissions mailbox: > Specify an email address in your domain
solutions Cloud Architecture Models https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/cloud-architecture-models.md
IT decision makers and architects can use these resources to determine the ideal
What IT architects need to know about designing identity for organizations using Microsoft cloud services and platforms.
-|**Item**|**Description**|
+| Item | Description |
|:--|:--|
-|[![Thumb image for Microsoft cloud identity model](../media/solutions-architecture-center/msft-cloud-identity-model-thumb.png)](../downloads/MSFT_cloud_architecture_identity.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_identity.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity.vsdx) <br/>Updated September 2020 | This model contains: <ul> <li> Introduction to identity with Microsoft's cloud </li><li> Azure AD IDaaS capabilities </li><li> Integrating on-premises Active Directory Domain Services (AD DS) accounts with Azure AD </li><li> Putting directory components in Azure IaaS </li><li> AD DS options for workloads in Azure IaaS </li></ul><br/> <br/>|
+|[![Thumb image for Microsoft cloud identity model](../media/solutions-architecture-center/msft-cloud-identity-model-thumb.png)](../downloads/MSFT_cloud_architecture_identity.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_identity.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity.pdf) <br/>Updated September 2020 | This model contains: <ul> <li> Introduction to identity with Microsoft's cloud </li><li> Azure AD IDaaS capabilities </li><li> Integrating on-premises Active Directory Domain Services (AD DS) accounts with Azure AD </li><li> Putting directory components in Azure IaaS </li><li> AD DS options for workloads in Azure IaaS </li></ul><br/> <br/>|
<a name="security"></a> ### Microsoft cloud security for IT architects What IT architects need to know about security in Microsoft cloud services and platforms.
-|**Item**|**Description**|
+| Item | Description |
|:--|:--| |[![Microsoft cloud security for enterprise architects model thumbnail](../media/solutions-architecture-center/msft-cloud-security-model-thumb.png)](https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security%20(1).pdf) <br/> [PDF](https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security%20(1).pdf) \| <br/>Updated April 2021 | This model contains: <ul><li>Microsoft and customer security responsibilities</li><li>Identity and device access</li><li>Threat protection</li><li>Information protection </ul><br/>|
What IT architects need to know about security in Microsoft cloud services and p
What IT architects need to know about networking for Microsoft cloud services and platforms.
-|**Item**|**Description**|
+| Item | Description |
|:--|:--| |[![Thumb image for Microsoft cloud networking model](../media/solutions-architecture-center/msft-cloud-networking-model-thumb.png)](../downloads/MSFT_cloud_architecture_networking.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_networking.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_networking.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_networking.vsdx) <br/>Updated August 2020 | This model contains: <ul><li> Evolving your network for cloud connectivity </li><li> Common elements of Microsoft cloud connectivity </li><li> ExpressRoute for Microsoft cloud connectivity </li><li> Designing networking for Microsoft SaaS, Azure PaaS, and Azure IaaS </li></ul><br/> <br/>|
What IT architects need to know about networking for Microsoft cloud services an
What IT architects need to know about hybrid cloud for Microsoft services and platforms.
-|**Item**|**Description**|
+| Item | Description |
|:--|:--| |[![Thumb image for the Microsoft hybrid cloud model](../media/solutions-architecture-center/msft-hybrid-cloud-model-thumb.png)](../downloads/MSFT_cloud_architecture_hybrid.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_hybrid.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_hybrid.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_hybrid.vsdx) <br>Updated August 2020 | This model contains: <ul><li> Microsoft's cloud offerings (SaaS, Azure PaaS, and Azure IaaS) and their common elements </li><li> Hybrid cloud architecture for Microsoft's cloud offerings </li><li> Hybrid cloud scenarios for Microsoft SaaS (Office 365), Azure PaaS, and Azure IaaS </li></ul><br/>| ### Architecture approaches for Microsoft cloud tenant-to-tenant migrations This series of topics illustrates several architecture approaches for mergers, acquisitions, divestitures, and other scenarios that might lead you to migrate to a new cloud tenant. These topics provide starting-point guidance for enterprise resource planning.
-|**Item**|**Description**|
+| Item | Description |
|:--|:--| |[![Thumb image for Microsoft cloud tenant-to-tenant migrations](../media/solutions-architecture-center/msft-tenant-to-tenant-migration-thumb.png)](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf) <br/> [PDF](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf) \| Updated February 2021 |This model contains: <ul><li>A mapping of business scenarios to architecture approaches</li><li>Design considerations</li><li>Single event migration flow example</li><li>Phased migration flow example</li><li>Tenant move or split flow example</li></ul>|
This series of topics illustrates several architecture approaches for mergers, a
### Common attacks and Microsoft capabilities that protect your organization Learn about the most common cyber attacks and how Microsoft can help your organization at every stage of an attack.
-|**Item**|**Description**|
+| Item | Description |
|:--|:--| |[![Illustration of the Common attacks poster.](../media/solutions-architecture-center/common-attacks-model-thumb.png) ](https://download.microsoft.com/download/F/A/C/FACFC1E9-FA35-4DF1-943C-8D4237B4275B/MSFT_Cloud_architecture_security_commonattacks.pdf) <br/> [PDF](https://download.microsoft.com/download/F/A/C/FACFC1E9-FA35-4DF1-943C-8D4237B4275B/MSFT_Cloud_architecture_security_commonattacks.pdf) \| [Visio](https://download.microsoft.com/download/F/A/C/FACFC1E9-FA35-4DF1-943C-8D4237B4275B/MSFT_Cloud_architecture_security_commonattacks.vsdx) <br/> Updated August 2017 | This poster illustrates the path of common attacks and describes which capabilities help stop attackers at each stage of an attack. <br/>|
solutions Identity Design Principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/identity-design-principles.md
As stated earlier, many customers are looking to achieve a more granular delegat
- **Stream** - (/stream/assign-administrator-user-role) - **Information barriers** - (../compliance/information-barriers.md)
-For the rest, search in Docs has been really good lately - <https://docs.microsoft.com/>.
- ### Activity Logs Office 365 has a [unified audit log](../compliance/search-the-audit-log-in-security-and-compliance.md). ItΓÇÖs a very [detailed log](/office/office-365-management-api/office-365-management-activity-api-schema), but donΓÇÖt read too much into the name. It may not contain everything you want or need for your security and compliance needs. Also, some customers are really interested in [Advanced Audit](../compliance/advanced-audit.md).