Updates from: 08/10/2023 06:40:38
Category Microsoft Docs article Related commit history on GitHub Change details
admin Microsoft Teams Usage Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-usage-activity.md
Data for following metrics are available for individual teams.
|Channel messages|The number of unique messages that the user posted in a team chat during the specified time period.| |Last activity date|The latest date that any member of the team has committed an action.|
+> [!NOTE]
+> Metric counts include Teams client built-in features, but don't include changes to chat and channel through service integration, such as Teams app posts or replies and emails in the channel.
+ ## Make the user-specific data anonymous To make the data in Teams user activity report anonymous, you have to be a global administrator. This will hide identifiable information (using MD5 hashes) such as display name, email, and Azure Active Directory Object ID in report and their export.
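Review bot: The added NOTE says counts "don't include changes to chat and channel through service integration", which does not name what is left out of which metric. Say directly that messages posted or replied to by Teams apps, and emails sent to a channel, are not counted in the message metrics. The same NOTE is added word for word to the user activity article in this batch, so a shared include would keep the two from drifting.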
admin Microsoft Teams User Activity Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-user-activity-preview.md
description: "Learn how to get the Microsoft Teams user activity report and gain
# Microsoft 365 Reports in the admin center - Microsoft Teams user activity The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the Microsoft Teams user activity report, you can gain insights into the Microsoft Teams activity in your organization.
-
+ ## How to get to the Microsoft Teams user activity report 1. In the admin center, go to the **Reports**, then select **Usage**.
The Microsoft 365 Reports dashboard shows you the activity overview across the p
## Interpret the Microsoft Teams user activity report
-You can view the user activity in the Teams report by choosing the **User activity** tab. <br/>![Microsoft 365 reports - Microsoft Teams user activity.](../../media/user-activity-charts.png)
+You can view the user activity in the Teams report by choosing the **User activity** tab.
+
+![Microsoft 365 reports - Microsoft Teams user activity.](../../media/user-activity-charts.png)
Select **Choose columns** to add or remove columns from the report.
-![Teams user activity report - choose columns.](../../media/user-activity-columns.png)
You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. The exported format for **audio time**, **video time**, and **screen share time** follows ISO8601 duration format.
The **Microsoft Teams user activity** report can be viewed for trends over the l
To ensure data quality, we perform daily data validation checks for the past three days and will be filling any gaps detected. You may notice differences in historical data during the process.
-|Item|Description|
-|:--|:--|
-|**Metric**|**Definition**|
-|User name <br/> |The email address of the user. You can display the actual email address or make this field anonymous. <br/> |
-|Tenant name <br/> |The name of an internal or external tenant where a user belongs. <br/> <br/> If a user belongs to an external tenant, corresponding data metrics (for example, post messages, reply messages, etc.) are calculated based on their interactions in shared channels of the adminΓÇÖs tenant. Interactions done by the user in their own tenant (outside of shared channels of the given tenant) are not considered for the admin usage report of given tenant. |
-|Is external <br/> |Indicates if the user is an external user or not. <br/> |
-|Shared channel tenant names <br/> |The names of internal or external tenants of shared channels where the user participated. <br/> |
-|Channel messages <br/> |The number of unique messages that the user posted in a team chat during the specified time period. This includes original posts and replies. <br/> |
-|Posts <br/> |The number of post messages in all channels during the specified time period. A post is the original message in a teams chat.<br/> |
-|Replies <br/> |The number of replied messages in all channels during the specified time period. <br/> |
-|Urgent messages <br/> |The number of urgent messages during the specified time period. <br/> |
-|Chat messages <br/> |The number of unique messages that the user posted in a private chat during the specified time period. <br/> |
-|Total meetings <br/> |The number of online meetings that the user participated in during the specified time period. <br/> |
-|1:1 calls <br/> | The number of 1:1 calls that the user participated in during the specified time period. <br/> |
-|Last activity date (UTC) <br/> |The last date that the user participated in a Microsoft Teams activity.<br/> |
-|Meetings participated ad hoc <br/> | The number of ad hoc meetings a user participated in during the specified time period. <br/> |
-|Meetings organized ad hoc <br/> |The number of ad hoc meetings a user organized during the specified time period. <br/>|
-|Total organized meetings <br/> |The sum of one-time scheduled, Recurring, ad hoc and unclassified meetings a user organized during the specified time period. <br/> |
-|Total participated meetings <br/> |The sum of the one-time scheduled, recurring, ad hoc and unclassified meetings a user participated in during the specified time period. <br/> |
-|Meetings organized scheduled one-time <br/> |The number of one-time scheduled meetings a user organized during the specified time period. <br/> |
-|Meetings organized scheduled recurring <br/> |The number of recurring meetings a user organized during the specified time period. <br/> |
-|Meetings participated scheduled one-time <br/> |The number of the one-time scheduled meetings a user participated in during the specified time period. <br/> |
-|Meetings participated scheduled recurring <br/> |The number of the recurring meetings a user participated in during the specified time period. <br/> |
-|Is licensed <br/> |Selected if the user is licensed to use Teams. <br/>|
-|Other activity <br/>|The User is active but has performed other activities than exposed action types offered in the report (sending or replying to channel messages and chat messages, scheduling or participating in 1:1 calls and meetings). Examples actions are when a user changes the Teams status or the Teams status message or opens a Channel Message post but does not reply. <br/>|
-
+|Metric|Mapped metric in Export|Definition|
+|:--|:--|:--|
+|User name <br/> |User Principal Name|The email address of the user. You can display the actual email address or make this field anonymous. <br/> |
+|Tenant name <br/> |Tenant Display Name|The name of an internal or external tenant where a user belongs. <br/> <br/> If a user belongs to an external tenant, corresponding data metrics (for example, post messages, reply messages, etc.) are calculated based on their interactions in shared channels of the adminΓÇÖs tenant. Interactions done by the user in their own tenant (outside of shared channels of the given tenant) are not considered for the admin usage report of given tenant. |
+|Is external <br/> |Is External|Indicates if the user is an external user or not. <br/> |
+|Shared channel tenant names <br/> |Shared Channel Tenant Display Names|The names of internal or external tenants of shared channels where the user participated. <br/> |
+|Channel messages <br/> |Team Chat Message Count|The number of unique messages that the user posted in a team chat during the specified time period. This includes original posts and replies. <br/> |
+|Posts <br/> |Post Messages|The number of post messages in all channels during the specified time period. A post is the original message in a teams chat.<br/> |
+|Replies <br/> |Reply Messages|The number of replied messages in all channels during the specified time period. <br/> |
+|Urgent messages <br/> |Urgent Messages|The number of urgent messages during the specified time period. <br/> |
+|Chat messages <br/> |Private Chat Message Count|The number of unique messages that the user posted in a private chat during the specified time period. <br/> |
+|Total meetings <br/> |Meeting Count|The number of online meetings that the user participated in during the specified time period. <br/> |
+|1:1 calls <br/> |Call Count|The number of 1:1 calls that the user participated in during the specified time period. <br/> |
+|Last activity date (UTC) <br/> |Last Activity Date|The last date that the user participated in a Microsoft Teams activity.<br/> |
+|Meetings participated ad hoc <br/> |Ad Hoc Meetings Attended Count|The number of ad hoc meetings a user participated in during the specified time period. <br/> |
+|Meetings organized ad hoc <br/> |Ad Hoc Meetings Organized Count|The number of ad hoc meetings a user organized during the specified time period. <br/>|
+|Total organized meetings <br/> |Meetings Organized Count|The sum of one-time scheduled, Recurring, ad hoc and unclassified meetings a user organized during the specified time period. <br/> |
+|Total participated meetings <br/> |Meetings Attended Count|The sum of the one-time scheduled, recurring, ad hoc and unclassified meetings a user participated in during the specified time period. <br/> |
+|Meetings organized scheduled one-time <br/> |Scheduled One-time Meetings Organized Count|The number of one-time scheduled meetings a user organized during the specified time period. <br/> |
+|Meetings organized scheduled recurring <br/> |Scheduled Recurring Meetings Organized Count|The number of recurring meetings a user organized during the specified time period. <br/> |
+|Meetings participated scheduled one-time <br/> |Scheduled One-time Meetings Attended Count|The number of the one-time scheduled meetings a user participated in during the specified time period. <br/> |
+|Meetings participated scheduled recurring <br/> |Scheduled Recurring Meetings Attended Count|The number of the recurring meetings a user participated in during the specified time period. <br/> |
+|Is licensed <br/> |Is Licensed|Selected if the user is licensed to use Teams. <br/>|
+|Other activity <br/>|Has Other Action|The User is active but has performed other activities than exposed action types offered in the report (sending or replying to channel messages and chat messages, scheduling or participating in 1:1 calls and meetings). Examples actions are when a user changes the Teams status or the Teams status message or opens a Channel Message post but does not reply. <br/>|
+|Audio Duration| - |The sum of the audio duration of a user used during the specified time period and formatted by ISO 8601 - Wikipedia |
+|Video Duration| - |The sum of the video duration of a user used during the specified time period and formatted by ISO 8601 - Wikipedia |
+|Screen Share Duration| - |The sum of the screen share duration of a user used during the specified time period and formatted by ISO 8601 - Wikipedia |
+|Audio Duration In Seconds|Audio Time (Min)|The sum of the audio duration of a user used during the specified time period |
+|Video Duration In Seconds|Video Time (Min)|The sum of the video duration of a user used during the specified time period |
+|Screen Share Duration In Seconds|Screen Share Time (Min)|The sum of the screen share duration of a user used during the specified time period |
+
+> [!NOTE]
+> Metric counts include Teams client built-in features, but don't include changes to chat and channel through service integration, such as Teams app posts or replies and emails in the channel.
## Make the user-specific data anonymous
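Review bot: The last three rows of the new table pair a metric named in seconds with an export column labelled in minutes ("Audio Duration In Seconds|Audio Time (Min)") and never say which unit the exported value uses. State the unit for each column. The three ISO 8601 rows above them give " - " as the export mapping, although the export paragraph earlier in this article says audio time, video time, and screen share time are exported in ISO8601 duration format, so the mapping looks like it belongs on those rows instead. The definition text "formatted by ISO 8601 - Wikipedia" reads like a pasted link title and should be a proper link on "ISO 8601".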
To make the data in Teams user activity report anonymous, you have to be a globa
[Microsoft Teams device usage report](../activity-reports/microsoft-teams-device-usage-preview.md)
-[Microsoft Teams usage activity report](../activity-reports/microsoft-teams-usage-activity.md)
+[Microsoft Teams usage activity report](../activity-reports/microsoft-teams-usage-activity.md)
admin Remove Former Employee Step 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-3.md
If your former employee had an organization phone, you can use the <a href="http
1. Go to the Exchange admin center > **Recipients** \> <a href="https://go.microsoft.com/fwlink/?linkid=2183135" target="_blank">Mailboxes</a>. 1. Select the user, and under **Mobile Devices**, select **View details**.
-1. On the **Mobile Device Details** page, under **Mobile devices**, select the mobile device, select **Wipe Data**![Wipe Device.](../../media/1c113a36-53cb-4974-884f-3ecd9535506e.png), and then select **Block**.
+1. On the **Mobile Device Details** page, under **Mobile devices**, select the mobile device, select **Wipe company data**![Wipe Device.](../../media/1c113a36-53cb-4974-884f-3ecd9535506e.png), and then select **Block access**.
1. Select **Save**. > [!TIP] > Be sure you remove or disable the user from your on-premises Blackberry Enterprise Service. You should also disable any Blackberry devices for the user. Refer to the Blackberry Business Cloud Services Administration Guide if you need specific steps on how to disable the user.
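Review bot: The image alt text in the changed step still reads "Wipe Device." after the button label becomes **Wipe company data**, so the alt text no longer matches the UI. Update it, and the screenshot too if it shows the old label. Because this step is part of offboarding a former employee, it would also help to say in one clause what **Wipe company data** removes from the phone, so the admin knows whether personal data is affected before selecting it.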
admin Set Password To Never Expire https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/set-password-to-never-expire.md
This guide applies to other providers, such as Intune and Microsoft 365, which a
Use the `Connect-MgGraph` command to sign in with the required scopes. You need to sign in with an admin account to consent to the required scopes. ```powershell
-Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"
+Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All"
``` The command prompts you to go to a web page to sign in using a device code. Once you've done that, the command indicates success with a `Welcome To Microsoft Graph!` message. You only need to sign in once per session.
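Review bot: The new `Connect-MgGraph` line requests `User.ReadWrite.All` and keeps `Group.ReadWrite.All`, but the surrounding text only says "required scopes" and does not say which step needs write access to users or any access to groups. Name the command in this article that needs `User.ReadWrite.All`, and drop `Group.ReadWrite.All` unless a step actually uses it, so the admin who consents is not granting more than the password-expiration task needs.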
admin Create Dns Records At Namecheap https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-namecheap.md
search.appverid:
- MET150 - MOE150 ms.assetid: 54ae2002-b38e-43a1-82fa-3e49d78fda56
-description: "Learn to verify your domain and set up DNS records for email, Skype for Business Online, and other services at Namecheap for Microsoft."
+description: "Learn to verify your domain and set up DNS records for email, Teams, and other services at Namecheap for Microsoft."
# Connect your DNS records at Namecheap to Microsoft 365
Only select this option if your organization uses Microsoft Teams. Teams needs 4
> [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-### Add the two required CNAME records for Skype for Business
+### Add the two required CNAME records for Teams
1. In the **HOST RECORDS** section, select **ADD NEW RECORD**.
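Review bot: Renaming the heading from "... for Skype for Business" to "... for Teams" changes the heading's generated anchor, so any link elsewhere in the docs that targets the old heading will stop resolving to this section. Check for inbound links to the old anchor and update them in the same change.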
admin Add Another Email Alias For A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/add-another-email-alias-for-a-user.md
If you get this error message it means that it's taking a bit longer to finish s
### Did you get "This user is synchronized with your local Active Directory. Some details can be edited only through your local Active Directory" message?
-If you get this error message it means that you need to add the alias in your on-premises Active Directory.
+If you get this error message it means that you need to add the alias in your on-premises Active Directory. Open Azure Active Directory and select the user account you would like to edit. Select **Properties** > **Attribute Editor** > **Proxyaddresses** and add the required alias, then wait for it to sync to Azure Active directory.
### Did you purchase your subscription from GoDaddy or another Partner?
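Review bot: The added sentences contradict the sentence they follow. The first sentence says the alias must be added in on-premises Active Directory, but the new steps begin with "Open Azure Active Directory" and end with waiting for a sync to Azure Active Directory. If the edit is made on-premises, name the on-premises tool in the first step. Also fix the casing of "Azure Active directory" and write the attribute name the way the editor shows it, instead of "Proxyaddresses".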
admin Manage Addins In The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-addins-in-the-admin-center.md
As an organization you may wish to prevent the download of new Office Add-ins fr
- Add-ins within Microsoft 365
- A user who tries to access the store will see the following message: **Sorry, Microsoft 365 has been configured to prevent individual acquisition of Office Store add-ins.**
+ A user who tries to access the store will see the following message: **Office store not available. Unfortunately, your organization has disabled access to the Office Store. Please contact your administrator to get access to the store.**
Support for turning off the Office Store is available in the following versions:
admin Manage Feedback Ms Org https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-feedback-ms-org.md
Your devices must be on a minimum build number to use these policies. See the ta
|Allow users to access feedback portal|On|Manage user access to the feedback portal where users can follow-up on their feedback and participate in community feedback.| |Allow users to submit feedback to Microsoft|On|Controls feedback entry points across applications.| |Allow users to receive and respond to in-product surveys from Microsoft|On|Controls survey prompts within product.|
-|Allow users to include screenshots and attachments when they submit feedback to Microsoft|Off|Allows users to choose relevant files, screen recordings and screenshots to help Microsoft better understand and troubleshoot their feedback.|
-|Allow Microsoft to follow up on feedback submitted by users|Off|Determines if user can share contact info with feedback/survey for followup by Microsoft. Also allows users to get notified of feedback status changes. Users can manage communications settings in the feedback portal.|
-|Allow users to include log files and content samples when feedback is submitted to Microsoft|Off|Allows users to include Microsoft generated files such as additional log files and content samples when relevant to feedback they are submitting. Examples may include [Microsoft 365 Copilot](https://blogs.microsoft.com/blog/2023/03/16/introducing-microsoft-365-copilot-your-copilot-for-work/) prompt and response interactions.|
+|Allow users to include screenshots and attachments when they submit feedback to Microsoft|On|Allows users to choose relevant files, screen recordings and screenshots to help Microsoft better understand and troubleshoot their feedback.|
+|Allow Microsoft to follow up on feedback submitted by users|On|Determines if user can share contact info with feedback/survey for followup by Microsoft. Also allows users to get notified of feedback status changes. Users can manage communications settings in the feedback portal.|
+|Allow users to include log files and content samples when feedback is submitted to Microsoft|On|Allows users to include Microsoft generated files such as additional log files and content samples when relevant to feedback they are submitting. Examples may include [Microsoft 365 Copilot](https://blogs.microsoft.com/blog/2023/03/16/introducing-microsoft-365-copilot-your-copilot-for-work/) prompt and response interactions.|
> [!NOTE] > The **Allow users to access the feedback portal** policy is a cloud policy. This policy isn't defined in ADMX and doesn't have a corresponding registry key available to set the policy. You should create a cloud policy to enforce it. This is a cloud policy because the feedback portal is a web application that makes a call to the cloud policy service, which is also a web application, requesting the policies for the person who signs in. If this policy is configured, the feedback portal will receive the configured policy value in the response from the cloud policy service.
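Review bot: The three changed rows flip the second column from Off to On for screenshots and attachments, Microsoft follow-up, and log files and content samples. The description of the last one says it may include Microsoft 365 Copilot prompt and response interactions. If that column is the default state, this changes what can leave the tenant by default. Add a dated note saying when the default changed and that organizations that need these settings off must configure the policies explicitly.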
admin Manage Feedback Product Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-feedback-product-insights.md
Verbatim Recall- 94%
Charts are filtered by the NPS rating as follows: -- Detractors are unhappy customers who are unlikely to recommend your product or service.-- Passives are customers that are satisfied with the service but not enough to recommend your product or service.-- Promoters- Happy customers that are loyal, enthusiastic and are likely to recommend your product or service.
+- Detractors are unhappy customers who are unlikely to recommend your product or service. For example, 1-3 on the 5 point scale.
+- Passives are customers that are satisfied with the service but not enough to recommend your product or service. For example, 4 on the 5 point scale.
+- Promoters- Happy customers that are loyal, enthusiastic and are likely to recommend your product or service. For example, 5 on the 5 point scale.
:::image type="content" source="../../media/how-likely-recommend.png" alt-text="Screenshot: Chart showing how likely are you to recommend an app to a friend or colleague" lightbox="../../media/how-likely-recommend.png":::
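Review bot: The third added bullet, "Promoters- Happy customers that are loyal ...", has a stray hyphen and does not follow the "X are ..." pattern of the other two bullets. Make it "Promoters are happy customers that are loyal ...". In all three bullets, hyphenate "5-point scale".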
admin Servicenow Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/servicenow-overview.md
For the Microsoft 365 support integration app, go to the [ServiceNow Store](http
> [!NOTE] > This app is not supported in regulated or restricted environments.
+>
+> This app is only supported in English.
## Key features
admin Download Software Licenses Csp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/download-software-licenses-csp.md
f1.keywords:
-+ audience: Admin
bookings Add Staff https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/add-staff.md
Although Bookings is a feature of Microsoft 365, not all of your staff members a
7. Select **Events on Microsoft 365 calendar affect availability** if you want the free/busy information from staff membersΓÇÖ calendars to impact availability for bookings services through Bookings.
- For example, if a staff member has a team meeting or a personal appointment scheduled for 3pm on a Wednesday, Bookings will show that staff member as unavailable to be booked in that time slot. That time will appear as busy or tentative in the Bookings calendar view, as shown in the below example.
+ For example, if a staff member has a team meeting or a personal appointment scheduled for 3pm on a Wednesday, Bookings will show that staff member as unavailable to be booked in that time slot. That time will appear as busy or tentative in the Bookings Page view, as shown in the below example.
- :::image type="content" source="media/bookings-busy-tentative-view-2.png" alt-text="A view of a Bookings calendar.":::
+ :::image type="content" source="media/bookings-busy-tentative-view-2.png" alt-text="A view of a Bookings Page.":::
-> [!IMPORTANT]
-> We highly recommend leaving this setting on (it is turned on by default) to avoid double-bookings and to optimize the availability of your staff members.
+ > [!IMPORTANT]
+ > We highly recommend leaving this setting on (it is turned on by default) to avoid double-bookings and to optimize the availability of your staff members.
8. Select **Use business hours** to set all bookable times for your staff members to be only within the business hours that you set in the **Business hours** section on the Business Information page. By deselecting this box, staff can be given custom hours that further limit when they can be booked. This is helpful for scenarios where a staff member may only be on site Tuesdays and Wednesdays, or they dedicate their mornings for one type of appointments, and their afternoons for other types. > [!NOTE]
- > Bookings supports up to 100 staff members in a Bookings Calendar.
+ > Bookings supports up to 100 staff members in a Bookings Page.
## Make a Bookings user a super user without adding them as Staff in Bookings
bookings Bookings In Outlook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-in-outlook.md
Bookings with me is an ideal solution for enterprise, small business, and users
For more information on how your users can work with Bookings with me, see the following topics: -- [Set up Bookings with me](https://support.microsoft.comoffice/bookings-with-me-setup-and-sharing-ad2e28c4-4abd-45c7-9439-27a789d254a2)
+- [Set up Bookings with me](https://support.microsoft.com/office/bookings-with-me-setup-and-sharing-ad2e28c4-4abd-45c7-9439-27a789d254a2)
- [Bookings with me articles](https://support.microsoft.com/office/bookings-with-me-articles-c69c4703-e812-435c-9fc2-d194e10fd205) ## Before you begin
bookings Enter Business Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/enter-business-information.md
The information you provide here will be displayed on the page customers and cli
1. In the navigation pane, select **Your calendar** > **Business information** in the left pane.
-1. On the **Basic details** section, enter your business name, address, and phone number you would like to use for your Bookings calendar.
+1. On the **Basic details** section, enter your business name, address, and phone number you would like to use for your booking page.
:::image type="content" source="../media/bookings-business-basic-details.png" alt-text="Screenshot: Page to enter your basic business information":::
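Review bot: The changed step uses "booking page" (lowercase, singular "booking"), while the add-staff article changed in the same batch uses "Bookings Page" for the same thing. Pick one form and use it in both articles. The step above it still sends the reader to **Your calendar**, so confirm that navigation label is unchanged in the product.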
commerce Change Payment Frequency https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-payment-frequency.md
f1.keywords:
-+ audience: Admin
commerce Pay For Subscription Billing Profile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-subscription-billing-profile.md
f1.keywords:
-+ audience: Admin
commerce Pay For Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription.md
f1.keywords:
-+ audience: Admin
commerce Understand Your Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice.md
Title: Understand your bill or invoice
+ Title: "Understand your invoice for your Microsoft MCA billing account"
+f1.keywords:
+- 'MACBillingAccountsAddBillingProfileInvoices'
audience: Admin -- 'MACBillingBillsPaymentsInvoices' ms.localizationpriority: medium
- AdminSurgePortfolio - AdminTemplateSet search.appverid: MET150
-description: "Learn how to read and understand your bill or invoice for Microsoft business products."
Previously updated : 03/31/2023
+description: "Learn how to interpret the charges on your invoice for your Microsoft business subscription with an MCA billing account."
Last updated : 08/08/2023
-# Understand your bill or invoice
+# Understand your invoice for your Microsoft MCA billing account
Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).
-The invoice provides a summary of your charges and instructions for payment. You can [view your online invoice](#view-your-online-invoice) in the Microsoft 365 admin center. You can also download it in the Portable Document Format (.pdf) to send via email.
+This article only applies to customers with a Microsoft Customer Agreement (MCA) billing account type. If you have a Microsoft Online Services Agreement (MOSA) billing account type, see [Understand your invoice for your Microsoft MOSA billing account](understand-your-invoice2.md). [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).
+
+The invoice for your Microsoft business subscription provides a summary of the charges and instructions for how to pay your bill. You can [view your online invoice](view-your-bill-or-invoice.md) in the Microsoft 365 admin center. You can also download a copy of your invoice in the Portable Document Format (.PDF) to send via email. If you want to receive the invoice .PDF as an attachment in the email notification, see [Receive your organization's invoices as email attachments](manage-billing-notifications.md#receive-your-organizations-invoices-as-email-attachments).
> [!IMPORTANT] > As of April 1, 2023, we no longer accept checks as a payment method for subscriptions paid by invoice. Pay by check is no longer available as a payment option, and check payment instructions have been removed from invoices. You can still pay for your invoice by wire transfer. See your invoice for wire transfer payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by wire transfer, and avoid possible service disruption.
-To view and print your invoice:
-
-1. On the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page, select an invoice date range.
-2. To print or save a PDF copy of the bill, select **Download invoice PDF**, and then print the PDF.
+## Before you begin
-To learn more, see [View your bill or invoice](view-your-bill-or-invoice.md).
+- [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).
+- You must have an MCA billing account type and have the billing account owner or contributor role, or the billing profile owner or contributor role to do the tasks in this article.
-If you only have a Microsoft 365 subscription, see [Understand your bill or invoice for Microsoft 365 for business](understand-your-invoice2.md).
+> [!NOTE]
+> If you're the person who signed up for the subscription, youΓÇÖre automatically a billing account owner.
## How often and when am I billed?
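Review bot: The "Find out what type of billing account you have" link in the new **Before you begin** list repeats the link already added to the opening paragraph a few lines earlier, so keep one of them. The added NOTE under the list uses a typographic apostrophe in "you're" (it shows up garbled in this view), while the IMPORTANT note and the later "who's" use a straight apostrophe. Use the straight one throughout.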
-Depending on the billing frequency you chose when you bought your subscription, you receive an invoice monthly, every 3 months, every 6 months, or annually. The amount of time since the last invoice date is called the Billing Period and is shown on page one of the invoice, above the Billing Summary section. This time represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.
+Depending on the billing frequency that you chose when you bought your subscription, you receive an invoice monthly, every three months, every six months, or annually. The amount of time since the last invoice date is called the *Billing Period* and is shown on page one of the invoice, above the Billing Summary section. This time period represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.
+
+> [!NOTE]
+> You can only change the billing frequency for a subscription when you buy, upgrade, or renew a subscription.
Starting on page two of the invoice, you see the charges grouped by product order. For Azure customers, the charges might be organized by invoice section.
-At the end of each billing period, you receive an email that says your new invoice is ready to view or download in the Microsoft 365 admin center. If you have more than one billing profile, you receive an invoice for each billing profile. Learn how to [find and view your bill or invoice](view-your-bill-or-invoice.md).
+At the end of each billing period, you receive an email that says your new invoice is ready to view or download in the Microsoft 365 admin center. If you have more than one billing profile, you receive an invoice for each billing profile. For more information, see [View your invoice in the Microsoft 365 admin center](view-your-bill-or-invoice.md).
+
+## Overview of the invoice .PDF
+
+Your invoice is a .PDF that contains at least three pages. Page one contains general information about the invoice. An invoice summary section indicates the billing profile that is used to pay for the products and services contained in the invoice, the invoice number, and the invoice date. A billing summary section contains the totals for all charges on the invoice, any credits or sales tax, the invoice total, and payment instructions, if applicable. For details about what this information looks like in your invoice, see [Understand page one of your invoice](#understand-page-one-of-your-invoice).
+
-## Understand the invoice header
+Page two of the invoice contains a section summary, and details by section. If you have multiple products or services that are paid for with the same billing profile, the section details might continue for several pages. For details about what this information looks like in your invoice, see [Understand page two of your invoice](#understand-page-two-of-your-invoice).
-The top of the first page identifies who is accountable for payment, where the bill is sent to, and a summary of charges.
+
+The last page of the invoice contains payment instructions. For details about what this information looks like in your invoice, see [Understand the last invoice page](#understand-the-last-invoice-page).
++
+## Understand page one of your invoice
+
+The top of the first page of your invoice identifies who's accountable for payment, where the bill is sent to, and a summary of charges. The following table explains the fields shown at the top of page one.
| Term | Description | | | |
-| Sold to |The billing account that identifies the name and address of the legal entity responsible for payment. This information can be managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page, where you can find the account agreement and manage roles and permissions. |
-| Bill to |Identifies who receives the invoice. This information can be managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page. The billing profile is also shown on the online invoice page, in the **Invoice summary** section. To learn more about billing profiles and how you can use them to build more flexible billing options for your organization, see [Manage billing profiles](manage-billing-profiles.md). |
-| Billing Profile |The name of the billing profile used to define invoice properties like **Bill to**, **PO number**, and payment terms. This information can be managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page. For more information about billing profiles and how you can use them to build more flexible billing options for your organization, see [Manage billing profiles](manage-billing-profiles.md). |
+| Sold to |The billing account that identifies the name and address of the legal entity responsible for payment. This information is managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page, where you can find the account agreement and manage roles and permissions. |
+| Bill to |Identifies who receives the invoice. This information is managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page. The billing profile is also shown on the online invoice page, in the **Invoice summary** section. To learn more about billing profiles, see [Understand your Microsoft business billing profile](manage-billing-profiles.md). |
+| Billing Profile |The name of the billing profile used to define invoice properties like **Bill to**, **PO number**, and payment terms. This information is managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page. For more information about billing profiles, see [Understand your Microsoft business billing profile](manage-billing-profiles.md). |
| Invoice number |A unique, Microsoft-generated invoice number used for tracking purposes. | | Invoice date |Date that the invoice is generated, typically five to 12 days after the end of the billing cycle. You can check your invoice date on the billing profile details page. Charges that occur between the end of the billing period and the invoice date are included in the invoice for the next month, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**.| | Payment terms |How you pay for your Microsoft bill. *Net 30 days* means that you pay by following instructions on your invoice, within 30 days of the invoice date. |
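Review bot: The new "Overview of the invoice .PDF" heading and the sentence "Your invoice is a .PDF that contains at least three pages" write the format as ".PDF", while the unchanged Invoice date row just above says "invoice PDF" and the FAQ answer on payment says "invoice PDF" too. Pick one form for the article; "PDF" without the leading dot is what the untouched text already uses.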
-## Understand the billing summary
+### Billing Summary
-The **Billing Summary** shows the summary of charges since the previous billing period, any credits that were applied, tax, and the total amount due.
+The **Billing Summary** shows the summary of charges since the previous billing period, any credits that were applied, tax, and the total amount due. The following table explains the fields shown in the Billing Summary of your invoice.
| Term | Description | | | |
The **Billing Summary** shows the summary of charges since the previous billing
| Subtotal |The pre-tax amount due | | Tax |The type and amount of tax that you pay, depending on the country/region of your billing profile. If you don't have to pay tax, no tax is shown on your invoice. |
-### Understand your charges
+### Understand page two of your invoice
-The charges pages show the cost broken down by product. For Azure customers, the charges might be organized by invoice section. For more information about how invoice sections are used with Azure products, see
-[Invoice sections](/azure/billing/billing-mca-overview#invoice-sections) in [Get started with your Microsoft Customer Agreement billing account](/azure/billing/billing-mca-overview). Within each product order, cost is broken down by service family.
+The charges for your invoice start on page two and show the cost broken down by product or service. If you have multiple products or services that are paid for with the same billing profile, the section details might continue for several pages. For Azure customers, the charges might be organized by invoice section. For more information about how invoice sections are used with Azure products, see
+[Invoice sections](/azure/billing/billing-mca-overview#invoice-sections) in [Get started with your Microsoft Customer Agreement billing account](/azure/billing/billing-mca-overview). Within each product order, cost is itemized by service family. The following table explains the fields shown on the charges pages in your invoice.
| Term |Description | | | |
The charges pages show the cost broken down by product. For Azure customers, the
| Tax amount | Amount of tax applied to the purchase based on tax rate | | Total | The total amount due for the purchase |
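Review bot: "### Understand page two of your invoice" is added at heading level 3, which nests it under "## Understand page one of your invoice" as a sibling of "### Billing Summary", while "## Understand the last invoice page" stays at level 2. Make page two a level 2 heading so the three page sections sit side by side; the in-page link `#understand-page-two-of-your-invoice` added in the overview does not depend on the level.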
-Line items details vary depending on the type of product you're charged for. For example, for Azure products, the amount of Azure credits applied is shown. Seat-based products show a unit price and quantity. The invoice details show the products purchased, discount or credits that were applied, tax rate and amount, and the line item totals.
+Line item details vary depending on the type of product you're charged for. For example, for Azure products, the amount of Azure credits applied is shown. Seat-based products show a unit price and quantity. The invoice details show the products purchased, discount or credits that were applied, tax rate and amount, and the line item totals.
> Total = Charges - Azure Credit + Tax
If there are Azure charges on your invoice that you would like more details on,
## Understand the last invoice page
-### Payment instructions
+- **Payment instructions**&mdash;The bottom of the invoice contains instructions for how to pay your bill.
-At the bottom of the invoice are instructions on how to pay your bill. You can pay online or by wire transfer.
+- **Publisher information**&mdash;If you have third-party services in your bill, the name and address of each publisher is listed at the bottom of your invoice.
-### Publisher information
+## View or download your invoice
-If you have third-party services in your bill, the name and address of each publisher is listed at the bottom of your invoice.
+Invoices are available online in the Microsoft 365 admin center. A link to your online invoice is available from your PDF invoice, and from the email notification you receive. [Learn how to view or download your invoice from the Microsoft 365 admin center](view-your-bill-or-invoice.md).
-## View your online invoice
-
-Invoices are available online. A link to your online invoice is available from your PDF invoice, and from an email notification. The online invoice is expandable so you can view the charges on your invoice and see more details for each item. The online invoice includes:
+The online invoice is expandable so that you can view the charges on your invoice and see more details about each item. The online invoice includes:
- **Pricing details**&mdash;Additional information including details about discounts and product pricing. - **Online payment**&mdash;You can choose to make a payment online from the invoice. - **Azure cost management**&mdash;For Azure customers, online invoices include a link to Azure cost management.
-### To view your online invoice
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.
-2. To download the .pdf version of your invoice, choose **Download invoice PDF** in the row for the invoice you want to see.
-3. To view your online invoice, choose an invoice from the list. You can also download the .pdf from the invoice details page.
- ## Invoice FAQ
-### When is my Invoice available?
+### When is my invoice available?
Some invoices are generated within 24 hours of the purchase. Other invoices are generated at the end of the billing period and include all items from that period.
-### How do I pay the amount due on my Invoice?
+### How do I pay the amount due on my invoice?
-Payment instructions depend on your payment method and are provided at the bottom of the invoice PDF. If your payment method is a credit card, it's automatically charged within 10 days of the invoice date. If your payment method is by wire transfer, see the information under **Payment Instructions** in the PDF.
+Payment instructions depend on your payment method and are provided at the bottom of the invoice PDF. If your payment method is a credit or debit card, it's automatically charged within 10 days of the invoice date. If your payment method is by wire transfer, see the information under **Payment Instructions** in the PDF.
### What's the difference between "Sold to" and "Bill to" addresses?
Payment instructions depend on your payment method and are provided at the botto
### Why don't I see Azure prepayment as a payment method?
-Azure prepayment is available as a payment method only for eligible Azure product and services
+Azure prepayment is available as a payment method only for eligible Azure products and services.
## Need help? Contact support
If you have questions or need help with your invoice in Microsoft 365 admin cent
## Related content
-[Understand your bill or invoice for Microsoft 365 for business](understand-your-invoice2.md) (article)\
-[Track Microsoft Customer Agreement Azure credit balance](/azure/billing/billing-mca-check-azure-credits-balance) (article)\
-[Review your Microsoft Customer Agreement invoice](/azure/cost-management-billing/understand/review-customer-agreement-bill) (article)\
-[Get started with your Microsoft Customer Agreement billing account](/azure/billing/billing-mca-overview) (article)
+[View your invoice in the Microsoft 365 admin center](view-your-bill-or-invoice.md) (article)\
+[Understand your invoice for your Microsoft MOSA billing account](understand-your-invoice2.md) (article)\
+[Payment options for your Microsoft business subscription](pay-for-your-subscription.md) (article)\
+[How to pay for your Microsoft business subscription with a billing profile](pay-for-subscription-billing-profile.md)\
+[Manage payment methods for Microsoft business accounts](manage-payment-methods.md) (article)\
+[Billing information for Microsoft 365 for business in Mexico](mexico-billing-info.md) (article)\
+[Minecraft: Education Edition payment options](/education/windows/school-get-minecraft) (article)
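Review bot: In the new Related content list, the entry for pay-for-subscription-billing-profile.md is the only one without the "(article)" suffix. Add it so the list is uniform.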
commerce Understand Your Invoice2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice2.md
Title: "Understand your bill or invoice for Microsoft 365 for business"
+ Title: "Understand your invoice for your Microsoft MOSA billing account"
f1.keywords:-- NOCSH
+- 'UnderstandBillInvoiceM365'
-+ audience: Admin
- AdminSurgePortfolio - AdminTemplateSet search.appverid: MET150
-description: "Learn how to interpret charges, billing, and payment info on your Microsoft 365 for business bill or invoice."
Previously updated : 03/31/2023
+description: "Learn how to interpret the charges on your invoice for your Microsoft business subscription with an MOSA billing account."
Last updated : 08/08/2023
-# Understand your bill or invoice for Microsoft 365 for business
+# Understand your invoice for your Microsoft MOSA billing account
Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).
-Your bill or invoice provides a summary of charges for your subscription and includes instructions for how to make a payment.
+This article only applies to customers with a Microsoft Online Services Agreement (MOSA) billing account type. If you have a Microsoft Customer Agreement (MCA) billing account type, see [Understand your invoice for your MCA account](understand-your-invoice.md). [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).
+
+The invoice for your Microsoft business subscription provides a summary of the charges and instructions for how to pay your bill. You can [view your online invoice](view-your-bill-or-invoice.md) in the Microsoft 365 admin center. You can also download a copy of your invoice in the Portable Document Format (.PDF) to send via email. If you want to receive the invoice .PDF as an attachment in the email notification, see [Receive your organization's invoices as email attachments](manage-billing-notifications.md#receive-your-organizations-invoices-as-email-attachments).
> [!IMPORTANT] > As of April 1, 2023, we no longer accept checks as a payment method for subscriptions paid by invoice. Pay by check is no longer available as a payment option, and check payment instructions have been removed from invoices. You can still pay for your invoice by wire transfer. See your invoice for wire transfer payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by wire transfer, and avoid possible service disruption.
-> [!NOTE]
-> If you have other subscriptions instead of or in addition to Microsoft 365, see [Understand your bill or invoice](understand-your-invoice.md).
+## Before you begin
+
+You must be a Global or Billing admin to do the steps described in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md).
-## Watch: Understand your bill or invoice
+## Watch: Understand your invoice
Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2209539).
Check out this video and others on our [YouTube channel](https://go.microsoft.co
## How often and when am I billed?
-Depending on the billing frequency you chose when you bought your subscription, you receive an invoice either monthly or annually. The amount of time since the last invoice date is called the *Billing Period* and is on page one of the invoice. This time represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.
+Depending on the billing frequency that you chose when you bought your subscription, you receive an invoice either monthly or annually. The amount of time since the last invoice date is called the *Billing Period* and shown on page one of the invoice. This time period represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.
+
+> [!NOTE]
+> You can change the billing frequency for a subscription by following the steps in [Change the billing frequency for your Microsoft business subscription](change-payment-frequency.md).
Starting on page two of the invoice, you see the charges grouped by their *Service Period*. The service period is the date range during which you're charged to use the service.
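Review bot: In the rewritten first paragraph, "is called the *Billing Period* and shown on page one of the invoice" has lost its second verb; the line it replaces read "and is on page one". Suggest "and is shown on page one of the invoice".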
-At the end of each billing period, you receive an email that says your new invoice is ready to view or download in the Microsoft 365 admin center. If you have more than one order, you receive an invoice for each order. Learn how to [find and view your bill or invoice](view-your-bill-or-invoice.md).
+At the end of each billing period, you receive an email that says your new invoice is ready to view or download in the Microsoft 365 admin center. If you have more than one order, you receive an invoice for each order. For more information, see [View your invoice in the Microsoft 365 admin center](view-your-bill-or-invoice.md).
## Why is my total due different from last month?
The amount billed for your subscription reflects the license price multiplied by
If the amount billed is different than expected, that can happen for few reasons: -- You added or removed licenses from your subscription. Licenses changed mid-term are reflected on the next invoice. You might see a credit and rebill for the previous service period to account for this change. For details about what this looks like in your invoice, see [Page two](#page-two) below.
+- You added or removed licenses from your subscription. Licenses changed mid-term are reflected on the next invoice. You might see a credit and rebill for the previous service period to account for this change. For details about what the information looks like in your invoice, see [Understand page two of your invoice](#understand-page-two-of-your-invoice).
- The subscription was canceled. You receive an invoice after cancellation with any outstanding balance minus any credits. - Your subscription renewed for a new term and the license price changed. ## Overview of the invoice .PDF
-Your invoice is a .PDF that contains at least two pages. [Page one](#page-one) is the billing summary, and contains general information about the invoice, order, amount due, and payment instructions, if applicable.
+Your invoice is a .PDF that contains at least two pages. Page one of your invoice contains the billing summary, which includes general information about the invoice, order, amount due, and payment instructions, if applicable. For details about what this information looks like in your invoice, see [Understand page one of your invoice](#understand-page-one-of-your-invoice).
:::image type="content" source="../../media/understand-your-invoice2/invoice-page-1.png" alt-text="Page one of the invoice .PDF that shows the high-level information about your order.":::
-[Page two](#page-two) contains details about the billing activity for each subscription during the service period.
+Page two of your invoice contains details about the billing activity for each subscription during the service period. For details about what this information looks like in your invoice, see [Understand page two of your invoice](#understand-page-two-of-your-invoice).
:::image type="content" source="../../media/understand-your-invoice2/invoice-page-2.png" alt-text="Page two of the invoice .PDF that shows billing activity for each subscription.":::
-## Header
+## Understand the invoice header
The header appears at the top of every invoice page, and includes the month of service, and the **Invoice Date**, which is the date Microsoft created the invoice. The invoice is created the day after the end of your billing period. For example, if your billing period is January 15ΓÇöFebruary 14, your invoice date is February 15. The header also includes an **Invoice Number**, the unique number assigned to your invoice. If you pay by wire transfer, include the invoice number with your payment.
-Finally, the header includes the **Due Date** for payment of the invoice, and shows the total amount due. If you pay for your subscription with a credit card or bank account, we charge your card or account the day after the invoice date.
+Finally, the header includes the **Due Date** for payment of the invoice, and shows the total amount due. If you pay for your subscription with a credit or debit card, we charge your card the day after the invoice date.
-## Footer
+## Understand the invoice footer
-The footer appears at the bottom of every invoice page and includes Microsoft business center address. Based on your country or region, it might include other information like the phone number to call for billing or technical support, a link to online self-help articles, and the address and tax ID for Microsoft in your country or region.
+The footer appears at the bottom of every invoice page and includes Microsoft business center address. Based on your country/region, the footer might include other information like the phone number to call for billing or technical support, a link to online self-help articles, and the address and tax ID for Microsoft in your country/region.
-## Page one
+## Understand page one of your invoice
Page one of your invoice contains address information for your organization, high-level details about your order, a summary of invoice totals, and instructions about how to pay your invoice.
Page one of your invoice contains address information for your organization, hig
### Addresses
-Three addresses appear at the top of the first page. The **Sold-To** address is the name and address of the organization that bought the subscription. The **Bill-To** address is the address of your billing department. **Service Usage Address** is the address where the service is used. Usually, these addresses are the same. Depending on the size and configuration of your organization, these addresses might be different.
+Three addresses appear at the top of the first page of your invoice. The **Sold-To** address is the name and address of the organization that bought the subscription. The **Bill-To** address is the address of your billing department. **Service Usage Address** is the address where the service is used. Usually, these addresses are the same. However, depending on the size and configuration of your organization, these addresses might be different.
To update the **Sold-To** address, see [Change your organization's address, technical contact, and more](../../admin/manage/change-address-contact-and-more.md)**. To update your Bill-To** or **Service Usage Address**, see [Change your billing addresses](change-your-billing-addresses.md).
On page one of your invoice, the **Product** is "Online Services," the generic t
**Payment Terms** is the number of days from the invoice date when payment is due.
-**Due Date** is the date when the invoice payment is due. If your subscription is paid with a credit card or bank account, we charge your card or account the day after the Invoice Date.
+**Due Date** is the date when the invoice payment is due. If your subscription is paid with a credit or debit card, we charge your card the day after the Invoice Date.
### Billing Summary
If you pay by credit card, you see "Please DO NOT PAY. You will be charged the a
### Wire transfer
-If you chose "invoice" as your subscription payment method, page one contains the **Electronic Funds Transfer** section that shows the Microsoft bank account information for electronic payments (wire transfer, ACH, SEPA, and so on). Usually, your bank has a reference field you complete when you send a payment. Make sure you reference the invoice number in that field.
+If you chose "invoice" as your subscription payment method, page one contains the **Electronic Funds Transfer** section that shows the Microsoft bank account information for electronic payments (wire transfer, ACH, SEPA, and so on). Usually, your bank has a reference field that you complete when you send a payment. Make sure that you reference the invoice number in that field.
### Support
-In some countries or regions, the invoice has a **Support** section that includes instructions on how to view past invoices in the Microsoft 365 admin center. It also includes a link to self-help articles, and for some countries and regions, the support phone number.
+In some countries/regions, the invoice has a **Support** section that includes instructions on how to view past invoices in the Microsoft 365 admin center. It also includes a link to self-help articles, and for some countries/regions, the support phone number.
-## Page two
+## Understand page two of your invoice
-The product name for your subscription is at the top of page two. Below it is the formula that explains how the charges are calculated. If you have more than one product in your order, you see a separate section for each product and the associated charges.
+The product name for your subscription is at the top of page two of your invoice. Below the product name is the formula that explains how the charges are calculated. If you have more than one product in your order, you see a separate section for each product and the associated charges.
### New charges
If you pay by invoice, you can add or change the purchase order (PO) number for
> [!NOTE] > You can't add a PO number to an existing invoice. The PO number will appear on all future invoices.
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the **Products** tab, select the subscription that you want to change.
-3. On the subscription details page, in the **Subscription and payment settings** section, select **Edit invoice**.
-4. At the bottom of the **Edit details for paying by invoice** pane, enter your PO number, and then select **Save**.
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank>Microsoft 365 admin center</a>.
+ - If youΓÇÖre using the **Simplified view**, select **Subscriptions**.
+ - If youΓÇÖre using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
+2. Select the subscription that you want to change.
+3. On the subscription details page, in the **Subscription and payment settings** section, under **Payment method**, select **Edit invoice**.
+4. At the bottom of the **Edit details for paying by invoice** pane, enter your PO number, then select **Save**.
## Run the Unknown Charge Diagnostic
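Review bot: Step 1 of the PO number procedure has an unterminated attribute: `target="_blank>Microsoft 365 admin center</a>` is missing the closing quote after `_blank`, so the tag is malformed and the step is unlikely to render as a link. Change it to `target="_blank">`. The two sub-bullets under that step also use typographic apostrophes in "you're", where the other added lines use straight ones.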
-As a Microsoft 365 Global admin, you can use a diagnostic tool that runs within the Microsoft 365 admin center to research unexpected charges from Microsoft that appear on your bank or credit card statement.
+If you're a Microsoft 365 global admin, you can use a diagnostic tool that runs within the Microsoft 365 admin center to research unexpected charges from Microsoft that appear on your credit or debit card statement.
> [!NOTE] > The Unknown Charge Diagnostic is only available for customers who bought their products and services from Microsoft.com, including Microsoft 365 Enterprise, Education, and Non-profit.
-Select the **Run Tests** link below to open the diagnostic tool in the Microsoft 365 admin center.
+Select the following **Run Tests: Unknown Charge** link to open the diagnostic tool in the Microsoft 365 admin center.
>[!div class="nextstepaction"] >[Run Tests: Unknown Charge](https://aka.ms/PillarUnknownCharge) ## Related content
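Review bot: The rewritten sentence lowercases the role as "global admin", but the "Before you begin" section added earlier in this same change says "Global or Billing admin". Use one capitalization for role names across the article.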
-[View your bill or invoice](view-your-bill-or-invoice.md) (article)\
-[Pay for your Microsoft 365 for business subscription](pay-for-your-subscription.md) (article)\
-[Manage payment methods](manage-payment-methods.md) (article)\
+[View your invoice in the Microsoft 365 admin center](view-your-bill-or-invoice.md) (article)\
+[Understand your invoice for your Microsoft MCA billing account](understand-your-invoice.md) (article) \
+[Payment options for your Microsoft business subscription](pay-for-your-subscription.md) (article) \
+[How to pay for your Microsoft business subscription with a billing profile](pay-for-subscription-billing-profile.md) \
+[Manage payment methods for Microsoft business accounts](manage-payment-methods.md) (article) \
[Billing information for Microsoft 365 for business in Mexico](mexico-billing-info.md) (article) \ [Minecraft: Education Edition payment options](/education/windows/school-get-minecraft) (article)
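Review bot: The billing-profile entry in the new list (pay-for-subscription-billing-profile.md) is missing the "(article)" suffix that every other entry carries. The line-break backslash is also inconsistent: the first added entry ends in `(article)\` with no space, the rest in `(article) \`.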
commerce View Your Bill Or Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/view-your-bill-or-invoice.md
Title: "View your bill or invoice"
+ Title: "View your invoice in the Microsoft 365 admin center"
f1.keywords: - NOCSH -+ audience: Admin ms.localizationpriority: medium - Tier1 - scotvorg
- AdminSurgePortfolio - AdminTemplateSet - adminvideo
-description: "Find your invoice or billing statement in the Microsoft 365 admin center. You can also save and print a copy of your bill."
Previously updated : 01/25/2022
+search.appverid: MET150, GEA150
+description: "Learn how to find your invoice or billing statement for a Microsoft business subscription in the Microsoft 365 admin center."
Last updated : 08/08/2023
-# View your Microsoft 365 for business subscription bill or invoice
+# View your invoice in the Microsoft 365 admin center
Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585). Check out [Microsoft 365 small business help](https://go.microsoft.com/fwlink/?linkid=2197659) on YouTube.
-This article is for people who have a Microsoft 365 for business subscription.
-
-If you need help with interpreting the charges you see on your bill, see [Understand your bill or invoice](understand-your-invoice2.md) for a detailed walkthrough.
-
+You can view your invoice for your Microsoft business subscription in the Microsoft 365 admin center. If you need help with interpreting the charges that you see on your invoice, [find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts), then see either [Understand your invoice for your Microsoft MCA billing account](understand-your-invoice.md) or [Understand your invoice for your Microsoft MOSA billing account](understand-your-invoice2.md) for a detailed walkthrough of the billing statement.
+
+> [!IMPORTANT]
+> Microsoft 365 services doesnΓÇÖt provide payment receipts. For credit or debit card payments, use the invoice and your credit or debit card billing statement to match your payment.
+ **Have a problem with your bill?** [Contact support for business products](../../admin/get-help-support.md). ## Before you begin
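Review bot: In the added [!IMPORTANT] note, "Microsoft 365 services doesn't provide payment receipts" has a subject-verb mismatch. The note it replaces, removed further down, read "services do not provide", so use "don't" here. The apostrophe in this sentence and in step 2 of the new procedure is a typographic one that does not survive every encoding; a plain ASCII apostrophe is safer in the source.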
-You must be a Global or Billing admin to do the steps described in this article.
+You must be a Global or Billing admin to do the steps described in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md).
-## Watch: View, download, or print your bill
-
-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2209539).
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FGmo?autoplay=false]
-
-1. In the Microsoft 365 admin center, select **Billing** in the left navigation pane, and then select the <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">**Invoices** tab</a>.
-1. Select an invoice to view it. If you don't see an invoice, select **Filter by: Last 6 months** from the drop-down list.
-1. To view the invoice details, select **Download PDF** in the top-right corner of the invoice.
-
-## View a bill or invoice
--
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.
--
+## View your bill or invoice
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2127421" target="_blank">Bills & payments</a> page.
+1. Go to the Microsoft 365 admin center.
+ - If you're using the **Simplified view**, select **Subscriptions**, then select **View invoices**.
+ - If you're using the **Dashboard view**, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.
+2. Select an invoice from the list to view the details online. If you donΓÇÖt see any invoices, change the date range.
+3. To download the .PDF version of your invoice, select **Download PDF**.
-
-2. On the **Invoices** tab, choose the invoice that you want to view. If you don't see an invoice, use the date filter and select **Past 3 months**, **Past 6 months**, or **Specify date range**.
-3. On the **Invoice summary** page, you see invoice details including the list of items, the price for each item, and the total cost for all items in the invoice.
-4. To print or save a PDF copy of the invoice, select **Download PDF**.
+> [!NOTE]
+> The online version of your invoice looks different from the .PDF version that you download.
-If you want to receive a copy of your billing statement in email, see [Manage billing notifications and invoice attachments](manage-billing-notifications.md).
+If you want to receive a copy of your invoice in email, see [Manage billing notifications and invoice attachments](manage-billing-notifications.md).
::: moniker range="o365-21vianet"
You can submit your Fapiao request to our [Fapiao management system](https://go.
::: moniker-end
-> [!NOTE]
->
-> Microsoft 365 services do not provide payment receipts.
-> For credit card payments, please use the invoice and credit card billing statement to match your payment.
- ## Run the Unknown Charge Diagnostic
-As a Microsoft 365 Global admin, you can use a diagnostic tool that runs within the Microsoft 365 admin center to research unexpected charges from Microsoft that appear on your bank or credit card statement.
+If you're a Microsoft 365 global admin and you have a Microsoft Online Services Agreement (MOSA) billing account type, you can use a diagnostic tool to research unexpected charges in your invoice. The tool runs within the Microsoft 365 admin center, and lets you investigate charges from Microsoft that appear on your credit or debit card statement. [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).
> [!NOTE] > The Unknown Charge Diagnostic is only available for customers who bought their products and services from Microsoft.com, including Microsoft 365 Enterprise, Education, and Non-profit.
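Review bot: The rewritten opening sentence adds a second eligibility condition (a MOSA billing account type), but the [!NOTE] directly after it still lists only the purchase-channel condition, so the requirements are split across two places. Fold both conditions into one statement ahead of the link. Also, "global admin" is lowercase here while the "Before you begin" section of the same article writes "Global or Billing admin"; pick one casing.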
-Select the **Run Tests** link below to open the diagnostic tool in the Microsoft 365 admin center.
+Select the following **Run Tests: Unknown Charge** link to open the diagnostic tool in the Microsoft 365 admin center.
>[!div class="nextstepaction"] >[Run Tests: Unknown Charge](https://aka.ms/PillarUnknownCharge)
-## Next steps
-
-If you have a balance and would like to pay it, you can do that online. To learn how, see [Pay for your subscription](pay-for-your-subscription.md).
- ## Related content
-[Pay by invoice, credit card, or bank account](pay-for-your-subscription.md) (article) \
-[Manage payment methods](manage-payment-methods.md) (article) \
-[Billing information for Microsoft 365 for business in Mexico](mexico-billing-info.md) (article) \
+[Understand your invoice for your Microsoft MCA billing account](understand-your-invoice.md) (article)\
+[Understand your invoice for your Microsoft MOSA billing account](understand-your-invoice2.md) (article)\
+[Payment options for your Microsoft business subscription](pay-for-your-subscription.md) (article)\
+[How to pay for your Microsoft business subscription with a billing profile](pay-for-subscription-billing-profile.md)\
+[Manage payment methods](manage-payment-methods.md) (article)\
+[Billing information for Microsoft 365 for business in Mexico](mexico-billing-info.md) (article)\
[Minecraft: Education Edition payment options](/education/windows/school-get-minecraft) (article)
commerce Buy Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/buy-licenses.md
f1.keywords:
-+ audience: Admin
commerce Manage Third Party App Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-third-party-app-licenses.md
f1.keywords:
-+ audience: Admin
commerce Manage Saas Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-saas-apps.md
f1.keywords:
-+ audience: Admin
commerce No Billing Account Found https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/no-billing-account-found.md
f1.keywords: CSH
-+ audience: Admin
commerce Review Partner Admin Privileges https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/review-partner-admin-privileges.md
f1.keywords:
-+ audience: Admin
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
f1.keywords:
-+ audience: Admin
Last updated 08/07/2023
Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).
-This article only applies to canceling **Dynamics 365**, **Intune**, **Power Platform**, **Windows 365**, and **Microsoft 365 for business** subscriptions. If you have an Azure subscription, see [Cancel your Azure subscription](/azure/cost-management-billing/manage/cancel-azure-subscription). If you have Microsoft 365 Family or Personal, see [Cancel a Microsoft 365 subscription](https://support.microsoft.com/office/cancel-a-microsoft-365-subscription-46e2634c-c64b-4c65-94b9-2cc9c960e91b?OCID=M365_DocsCancel_Link).
+This article only applies to canceling **Dynamics 365**, **Intune**, **Power Platform**, **Windows 365**, **Microsoft Defender for Business**, and **Microsoft 365 for business** subscriptions. If you have an Azure subscription, see [Cancel your Azure subscription](/azure/cost-management-billing/manage/cancel-azure-subscription). If you have Microsoft 365 Family or Personal, see [Cancel a Microsoft 365 subscription](https://support.microsoft.com/office/cancel-a-microsoft-365-subscription-46e2634c-c64b-4c65-94b9-2cc9c960e91b?OCID=M365_DocsCancel_Link).
> [!WARNING] > Before you cancel a subscription, make sure your users [save their data](#save-your-data).
commerce Manage Pay As You Go Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-pay-as-you-go-services.md
f1.keywords:
-+ audience: Admin
commerce Upgrade From Teams Free https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/upgrade-from-teams-free.md
f1.keywords:
-+ audience: Admin
commerce Upgrade To Different Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/upgrade-to-different-plan.md
f1.keywords:
-+ audience: Admin
enterprise Microsoft 365 Teams Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-teams-monitoring.md
Microsoft Teams monitoring supports the following organizational scenarios with
- **Join Meeting**. The number of times users joined Teams meetings without errors. Data is sampled and retrieved every 30 minutes.
+- **Quality of Experience**. The percentage of audio streams for which Quality of Experience (QoE) telemetry was received by the Teams service. Data can be received up to 3 days after call completion. If the rate drops, investigate your network configuration to ensure that the Microsoft Teams telemetry URLs are not being blocked.
+
+- **UDP Stream Establishment**. The percentage of audio streams established over UDP (User Datagram Protocol). Real-time media established over UDP is more efficient and provides better call quality. If the rate drops, investigate your network configuration to ensure that the ports and protocols required by Microsoft Teams are not being blocked.
+ Admins can use the information to correlate any Microsoft-reported issues with the usage data to confirm any actual impact to their organization. Also, admins can view any usage from the last two weeks of usage data to identify any anomalies. ![Example of Teams Monitoring.](../media/microsoft-365-exchange-monitoring/TeamsMonitoring2.png)
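Review bot: Both added bullets tell the admin to check that the "Microsoft Teams telemetry URLs" and the "ports and protocols required by Microsoft Teams" are not being blocked, but neither links to where those URLs and ports are listed. Add a link to the endpoints reference so the check can actually be carried out. The Quality of Experience bullet says data can be received up to 3 days after call completion; it should also state whether the most recent days in the chart are therefore expected to read low, so a normal lag is not mistaken for blocking.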
enterprise Urls And Ip Address Ranges 21Vianet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet.md
Title: "URLs and IP address ranges for Office 365 operated by 21Vianet"
Previously updated : 07/31/2023 Last updated : 08/08/2023 audience: ITPro
Data columns shown are:
- **ER**: This is **Yes** if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is **No**, this means that ExpressRoute isn't supported for this endpoint set. However, it shouldn't be assumed that no routes are advertised for an endpoint set where ER is **No**. - **Addresses**: Lists the FQDNs or wildcard domain names and IP Address ranges for the endpoint set. Note that an IP Address range is in CIDR format and may include many individual IP Addresses in the specified network.
-
+ - **Ports**: Lists the TCP or UDP ports that are combined with the Addresses to form the network endpoint. You may notice some duplication in IP Address ranges where there are different ports listed. [!INCLUDE [Office 365 operated by 21Vianet endpoints](../includes/office-365-operated-by-21vianet-endpoints.md)]
lighthouse M365 Lighthouse Deploy Task Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-task-manually.md
Additionally, each partner tenant user must meet the following requirements:
## Deploy a task manually
-1. In the left navigation pane in Lighthouse, select **Tenant**.
+1. In the left navigation pane in Lighthouse, select **Tenants**.
2. From the tenant list, select the tenant you want to view.
The task status will be updated to **Compliant**, and the Task Details pane will
If the task status changes and is no longer compliant, you can reset the status to **Not compliant**. To do this:
-1. In the left navigation pane in Lighthouse, select **Tenant**.
+1. In the left navigation pane in Lighthouse, select **Tenants**.
2. From the tenant list, select the tenant you want to view.
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
ms.localizationpriority: medium Previously updated : 07/19/2023- Last updated : 08/08/2023+ f1.keywords: NOCSH - SMB
Onboard your business devices to protect them right away. You can choose from se
> > For more information, see [Microsoft Defender for Business requirements](mdb-requirements.md). > + Choose one of the following options to onboard Windows client devices to Defender for Business: - [Local script](#local-script-for-windows-10-and-11) (for onboarding devices manually in the Microsoft 365 Defender portal)
Choose one of the following options to onboard Windows client devices to Defende
### Local script for Windows 10 and 11
-You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory, if that trust doesn't already exist; enrolls the device in Microsoft Intune, if it isn't already enrolled; and then onboards the device to Defender for Business. If you're not currently using Intune, the local script method is the recommended onboarding method for Defender for Business customers.
+You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Intune (if it isn't already enrolled), and then onboards the device to Defender for Business. If you're not currently using Intune, the local script method is the recommended onboarding method for Defender for Business customers.
> [!TIP] > We recommend that you onboard up to 10 devices at a time when you use the local script method.
Choose one of the following options to onboard Mac:
### Local script for Mac
-When you run the local script on Mac, it creates a trust with Azure Active Directory if that trust doesn't already exist. It enrolls the Mac in Microsoft Intune if it isn't already enrolled, and then onboards the Mac to Defender for Business. We recommend that you onboard up to 10 devices at a time using this method.
+When you run the local script on Mac, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the Mac in Microsoft Intune (if it isn't already enrolled), and then onboards the Mac to Defender for Business. We recommend that you onboard up to 10 devices at a time using this method.
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
When you run the local script on Mac, it creates a trust with Azure Active Direc
8. Select **Continue**, agree with the license terms, and then enter your password when prompted.
-9. You're prompted to allow installation of a driver from Microsoft (either "System Extension Blocked" or "Installation is on hold", or both). You must allow the driver installation: Select **Open Security Preferences** or **Open System Preferences** > **Security & Privacy**, and then select **Allow**.
+9. You're prompted to allow installation of a driver from Microsoft (either *System Extension Blocked* or *Installation is on hold*, or both). You must allow the driver installation. Select **Open Security Preferences** or **Open System Preferences** > **Security & Privacy**, and then select **Allow**.
10. Use the following Bash command to run the onboarding package:
You can use the following methods to onboard mobile devices, such as Android and
> [!IMPORTANT] > Make sure that all of the following requirements are met before onboarding mobile devices:
-> 1. Defender for Business has finished provisioning. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Assets** > **Devices**.<br/>- If you see a message that says, "Hang on! We're preparing new spaces for your data and connecting them," it means that Defender for Business hasn't finished provisioning. This process is happening now, and can take up to 24 hours to complete. <br/>- If you see a list of devices, or you're prompted to onboard devices, it means Defender for Business provisioning has completed.
+> 1. Defender for Business has finished provisioning. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Assets** > **Devices**.<br/>- If you see a message that says, "Hang on! We're preparing new spaces for your data and connecting them," then Defender for Business hasn't finished provisioning. This process is happening now, and it can take up to 24 hours to complete. <br/>- If you see a list of devices, or you're prompted to onboard devices, it means Defender for Business provisioning has completed.
> 2. Users have downloaded the Microsoft Authenticator app on their device, and have registered their device using their work or school account for Microsoft 365. | Device | Procedure | |:|:|
-| Android | 1. On the device, go to the Google Play store.<br/><br/>2. If you haven't already done so, download and install the Microsoft Authenticator app. Sign in, and register your device in the Microsoft Authenticator app. <br/><br/>3. In the Google Play store, search for the Microsoft Defender app. <br/><br/>4. On the app page, scroll down and select **Join the beta** > **Join**.<br/><br/>5. Wait for the process to complete. It might take a few hours for the process of joining the beta program to complete. You'll see text that says, "Joining the beta..."<br/><br/>6. After you've enrolled into the beta, verify that the beta version of the app looks like `1.0.xxxx.0201`, and then install the app.<br/><br/>7. Open the app, sign in, and complete the onboarding process. |
+| Android | 1. On the device, go to the Google Play store.<br/><br/>2. If you haven't already done so, download and install the Microsoft Authenticator app. Sign in, and register your device in the Microsoft Authenticator app. <br/><br/>3. In the Google Play store, search for the Microsoft Defender app, and install it. <br/><br/>4. Open the Microsoft Defender app, sign in, and complete the onboarding process. |
| iOS | 1. On the device, go to the Apple App Store. <br/><br/>2. If you haven't already done so, download and install the Microsoft Authenticator app. Sign in, and register your device in the Microsoft Authenticator app.<br/><br/>3. In the Apple App Store, search for the Microsoft Defender app.<br/><br/>4. Sign in and install the app. <br/><br/>5. Agree to the terms of use to continue. <br/><br/>6. Allow the Microsoft Defender app to set up a VPN connection and add VPN configurations. <br/><br/>7. Choose whether to allow notifications (such as alerts). | > [!TIP]
If your subscription includes Microsoft Intune, you can use it to onboard mobile
After a device is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md). + ## [**Servers**](#tab/Servers) ## Servers
You can use the following methods to onboard an instance of Linux Server to Defe
> [!NOTE] > Onboarding an instance of Linux Server to Defender for Business is the same as onboarding to [Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md). + ## View a list of onboarded devices
After you've onboarded a device, you can run a quick phishing test to make sure
- If you have other devices to onboard, select the tab for those devices ([Windows 10 and 11, Mac, Servers, or Mobile devices](#what-to-do)), and follow the guidance on that tab. - If you're done onboarding devices, proceed to [Step 6: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md).+
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
Use the following advanced features to get better protected from potentially mal
## Live response
-> [!NOTE]
-> Live response requires **Automated investigation** to be turned on before you can enable it in the advanced settings section in the Microsoft Defender for Endpoint portal.
- Turn on this feature so that users with the appropriate permissions can start a live response session on devices. For more information about role assignments, see [Create and manage roles](user-roles.md).
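Review bot: This deletes the only statement in the Live response section that Automated investigation must be turned on before live response can be enabled, and nothing added in its place says the dependency is gone. If the prerequisite still applies, keep the note. If it was lifted, say so in the section or in the commit message, because the remaining paragraph now reads as if the toggle and role permissions are the only requirements.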
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
For a more detailed overview of exclusions, see [Manage exclusions for Microsoft
- Appropriate exclusions must be set for software that isn't included with the operating system. - Windows Server 2012 R2 doesn't have Microsoft Defender Antivirus as an installable feature. When you onboard those servers to Defender for Endpoint, you'll install Microsoft Defender Antivirus, and default exclusions for operating system files are applied. However, exclusions for server roles (as specified below) don't apply automatically, and you should configure these exclusions as appropriate. To learn more, see [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md). - Built-in exclusions and automatic server role exclusions don't appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).-- The list of built-in exclusions changes frequently with [security intelligence updates](microsoft-defender-antivirus-updates.md#security-intelligence-updates) and product updates. This article lists some, but not all, of the built-in and automatic exclusions.
+- The list of built-in exclusions in Windows is kept up-to-date as the threat landscape changes. This article lists some, but not all, of the built-in and automatic exclusions.
## Automatic server role exclusions
Built-in exclusions include:
- [File Replication Service (FRS) exclusions](#file-replication-service-frs-exclusions) - [Process exclusions for built-in operating system files](#process-exclusions-for-built-in-operating-system-files)
+The list of built-in exclusions in Windows is kept up-to-date as the threat landscape changes.
+ ### Windows "temp.edb" files - `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
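Review bot: The sentence added just before the "Windows temp.edb files" heading repeats word for word the bullet added earlier in this same change. Both replace text that named how the built-in exclusion list changes (security intelligence updates and product updates, with a link) with "as the threat landscape changes". Keep one copy and keep the mechanism: an admin auditing what is excluded from scanning needs to know which update channel can alter that list.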
security Defender Endpoint Antivirus Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions.md
Examples include:
- Windows Security files - ... and more.
-Built-in exclusions are updated through security intelligence updates and product updates. To learn more about these exclusions, see [Microsoft Defender Antivirus exclusions on Windows Server: Built-in exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#built-in-exclusions).
+The list of built-in exclusions in Windows is kept up-to-date as the threat landscape changes. To learn more about these exclusions, see [Microsoft Defender Antivirus exclusions on Windows Server: Built-in exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#built-in-exclusions).
### Custom exclusions
security Microsoft Defender Antivirus Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md
Title: Microsoft Defender Antivirus security intelligence and product updates
description: Manage how Microsoft Defender Antivirus receives protection and product updates. ms.localizationpriority: high Previously updated : 07/24/2023 Last updated : 08/07/2023 audience: ITPro
All our updates contain
- Serviceability improvements - Integration improvements (Cloud, [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender))
+### July-2023 (Platform: 4.18.23070.1004 | Engine: 1.1.23070.1005)
+
+- Security intelligence update version: **1.395.30.0**
+- Released: **August 9, 2023 (Engine and Platform)**
+- Platform: **4.18.23070.1004**
+- Engine: **1.1.23070.1005**
+- Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Improved output for [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) if scan results fail to retrieve
+- Extended management options for configuring security intelligence updates with Intune, Group Policy, and PowerShell
+- Extended management options for disabling IOAV scans over the network using Intune, Group Policy, and PowerShell. The new setting is `ApplyDisableNetworkScanningToIOAV` for [Set-MpPreference](/powershell/module/defender/set-mppreference).
+- Improved the Unified agent installation process to handle [MsMpEng.exe](troubleshooting-mode-scenarios.md#scenario-2-high-cpu-usage-due-to-windows-defender-msmpengexe) debugger extensions, if present
+- Fixed an issue pertaining to showing the exclusions list with PowerShell [Get-MpPreference](/powershell/module/defender/get-mppreference) on systems managed by Intune
+- Fixed warn notifications for two attack surface reduction (ASR) rules ([Block Office applications from injecting code into other processes](attack-surface-reduction-rules-reference.md#block-office-applications-from-injecting-code-into-other-processes) and [Block credential stealing from the Windows local security authority subsystem](attack-surface-reduction-rules-reference.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem))
+- Fixed an issue with running `Update-MpSignature -UpdateSource:MMPC` when using a nonelevated PowerShell console (see [Update-MpSignature](/powershell/module/defender/update-mpsignature))
+- Fixed an issue with [ASR rules deployed via Intune](enable-attack-surface-reduction.md#intune) to display accurately in the Microsoft 365 Defender portal
+- Fixed [tamper protection management](prevent-changes-to-security-settings-with-tamper-protection.md) for customers who have Microsoft 365 E3 or [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md)
+- Improved installation and uninstallation logic on Server SKUs using the modern, unified agent (see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md))
+- Fixed an issue where `AntivirusSignatureLastUpdated` was incorrect when executing [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus)
+- Addressed a deadlock caused by Microsoft Defender Antivirus in rare cases
+- Added `ProcessId` to ASR Warn exclusion events (see [ASR rules configuration summary card](attack-surface-reduction-rules-report.md#asr-rules-configuration-summary-card))
+- Fixed an issue where values specified in [ThreatSeverityDefaultAction](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction) weren't honored intermittently
+- Improved error reporting in the [modern, unified agent installer](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution)
+- Fixed the overriding logic in the ASR rule [Block all Office applications from creating child processes](attack-surface-reduction-rules-reference.md#block-all-office-applications-from-creating-child-processes) configured in warn mode
+- Added support for scanning Zstandard (Zstd) containers/archives
+
+### Known issues
+
+- None
+ ### May-2023 *UPDATE* (Platform: 4.18.23050.9)
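Review bot: The new "### What's new" and "### Known issues" headings sit at the same level as the "### July-2023" release heading, whereas the May-2023 sections below use "#### What's new" and "#### Known Issues". Demote the two new headings to "####" so they nest under the release and do not produce duplicate top-level anchors. Separately, the entry states "Released: August 9, 2023" while the article metadata shows "Last updated : 08/07/2023"; confirm which date is correct.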
-*Microsoft has released an additional platform update (**4.18.23050.9**) for the May 2023 release.*
+*Microsoft has released a platform update (**4.18.23050.9**) for the May 2023 release.*
- Security intelligence update version: **1.393.1315.0** - Released: **July 24, 2023 (Platform only)**
All our updates contain
#### What's new - Fixed an issue with [ASR rules deployed via Intune](/mem/intune/protect/endpoint-security-asr-policy) to display accurately in the Microsoft 365 Defender portal-- Fixed a performance issue when building and validating Defender cache
+- Fixed a performance issue when building and validating the Microsoft Defender Antivirus cache
- Improved performance by removing redundant exclusion checks #### Known Issues
All our updates contain
### May-2023 *UPDATE* (Platform: 4.18.23050.5 | Engine: 1.1.23050.2)
-*Microsoft has released a platform update (**4.18.23050.5**) for the May 2023 release. Note that an [additional update](#may-2023-update-platform-418230509) has been released.*
+*Microsoft released a platform update (**4.18.23050.5**) for the May 2023 release, followed by [an additional update](#may-2023-update-platform-418230509).*
- Security intelligence update version: **1.391.860.0** - Released: **June 12, 2023**
All our updates contain
- Fixed sense offboarding on Windows Server 2016 when [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled - Fixed inconsistent results of caching files with the internal Defender file cache - Augmented attack surface reduction (ASR) telemetry with more data related to an ASR detection -- Removed Image File Execution Options (IFEO) debugger value during installation which can be used to prevent service starts
+- Removed Image File Execution Options (IFEO) debugger value during installation, which can be used to prevent service starts
- Fixed memory leaked in ASR logic - Improved validation guard-rail for Malicious Software Removal Tool (MSRT) releases
All our updates contain
- Potential issue that could lead to resolution of incorrect service endpoint
-### April-2023 (Platform: 4.18.2304.8 | Engine: 1.1.20300.3)
--- Security intelligence update version: **1.387.2997.0**-- Release date: **May 2, 2023 (Engine) / May 2, 2023 (Platform)**-- Platform: **4.18.2304.8** -- Engine: **1.1.20300.3**-- Support phase: **Security and Critical Updates**-
-#### What's new
--- **Beginning in May 2023, the Platform and Engine version schema have a new format**. Here's what the new version format looks like:
- - Platform: `4.18.23050.1`
- - Engine: `1.1.23050.63000`
-- Fixed memory leak in behavior monitoring-- Improved resiliency of signature loading and platform updates-- Quarantine and restore support for [WMI](use-wmi-microsoft-defender-antivirus.md)-- Fixed attack surface reduction (ASR) rule output with [Get-MpPreference](/powershell/module/defender/get-mppreference)-- Fixed MSERT to only use release engine version-- Improved the enforcement of exclusions-- Added support for enabling real-time protection and signature updates during OOBE-- Fixed localization for Defender events-- Deprecated real-time signature delivery setting-- Updated missing setting (ValidateMapsConnection) in [MpCmdRun.exe](command-line-arguments-microsoft-defender-antivirus.md)-- Fixed abandoned threats in the Windows Security app-- Fixed a service-hang issue that caused invalid outputs to display in [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus)-
-#### Known issues
--- None- ### Previous version updates: Technical upgrade support only After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).
security Msda Updates Previous Versions Technical Upgrade Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
ms.localizationpriority: medium Previously updated : 07/06/2023 Last updated : 08/07/2023 audience: ITPro
search.appverid: met150
Microsoft regularly releases [security intelligence updates and product updates for Microsoft Defender Antivirus](microsoft-defender-antivirus-updates.md). It's important to keep Microsoft Defender Antivirus up to date. When a new package version is released, support for the previous two versions is reduced to technical support only. Versions that are older than the previous two versions are listed in this article and are provided for technical upgrade support only.
+## April-2023 (Platform: 4.18.2304.8 | Engine: 1.1.20300.3)
+
+- Security intelligence update version: **1.387.2997.0**
+- Release date: **May 2, 2023 (Engine) / May 2, 2023 (Platform)**
+- Platform: **4.18.2304.8**
+- Engine: **1.1.20300.3**
+- Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+- **Beginning in May 2023, the Platform and Engine version schema have a new format**. Here's what the new version format looks like:
+ - Platform: `4.18.23050.1`
+ - Engine: `1.1.23050.63000`
+- Fixed memory leak in behavior monitoring
+- Improved resiliency of signature loading and platform updates
+- Quarantine and restore support for [WMI](use-wmi-microsoft-defender-antivirus.md)
+- Fixed attack surface reduction (ASR) rule output with [Get-MpPreference](/powershell/module/defender/get-mppreference)
+- Fixed MSERT to only use release engine version
+- Improved the enforcement of exclusions
+- Added support for enabling real-time protection and signature updates during OOBE
+- Fixed localization for Defender events
+- Deprecated real-time signature delivery setting
+- Updated missing setting (ValidateMapsConnection) in [MpCmdRun.exe](command-line-arguments-microsoft-defender-antivirus.md)
+- Fixed abandoned threats in the Windows Security app
+- Fixed a service-hang issue that caused invalid outputs to display in [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus)
+
+### Known issues
+
+- None
++ ## March-2023 (Platform: 4.18.2303.8 | Engine: 1.1.20200.4) - Security intelligence update version: **1.387.695.0**
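Review bot: the first "What's new" bullet announces a format change "Beginning in May 2023" inside the April-2023 entry, whose own versions (Platform `4.18.2304.8`, Engine `1.1.20300.3`) are still in the old format. State in the bullet that this release keeps the old format and that `4.18.23050.1` / `1.1.23050.63000` illustrate later releases, so anyone comparing version strings in scripts knows which pattern applies to this entry. Also fix the agreement in "schema have" (use "schemas have" or "schema has").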
security Rbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/rbac.md
Last updated 12/18/2020
# Manage portal access using role-based access control > [!NOTE]
-> If you are running the Microsoft 365 Defender preview program you can now experience the new Microsoft Defender 365 role-based access control (RBAC) model. For more information, see [Microsoft Defender 365 role-based access control (RBAC)](../defender/manage-rbac.md).
+> If you are running the Microsoft 365 Defender preview program you can now experience the new Microsoft Defender 365 Unified role-based access control (RBAC) model. For more information, see [Microsoft Defender 365 Unified role-based access control (RBAC)](../defender/manage-rbac.md).
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
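Review bot: the product name is transposed in the new note text and link label, "Microsoft Defender 365 Unified role-based access control (RBAC)", while the same sentence refers to the "Microsoft 365 Defender preview program" and the include below it is the Microsoft 365 Defender rebranding. Use "Microsoft 365 Defender Unified role-based access control (RBAC)" in both places so the note matches the naming used in the other articles touched by this change set.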
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
Title: Take response actions on a file in Microsoft Defender for Endpoint description: Take response actions on file-related alerts by stopping and quarantining a file or blocking a file and checking activity details.
-keywords: respond, stop and quarantine, block file, deep analysis
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
search.appverid: met150 Previously updated : 07/10/2023 Last updated : 08/07/2023 # Take response actions on a file
The **Download file** button can have the following states:
- **Disabled** - If the button is grayed out or disabled during an active collection attempt, you may not have appropriate RBAC permissions to collect files.
- The following permissions are required:
+ The following permissions are required:
+
+ For Microsoft 365 Defender Unified role-based access control (RBAC):
+
+ - Add file collection permission in Microsoft 365 Defender Unified (RBAC)
+
+ For Microsoft Defender for Endpoint role-based access control (RBAC):
For Portable Executable file (.exe, .sys, .dll, and others) - Global admin or Advanced live response or Alerts
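Review bot: the new bullet "Add file collection permission in Microsoft 365 Defender Unified (RBAC)" sits under "The following permissions are required" but reads as an instruction and does not name the permission as it appears in the product. The mapping table in compare-rbac-roles.md lists it as "Security operations \ Security data \ File collection (manage)"; quote that path here. The parentheses are also misplaced: the line above writes "Unified role-based access control (RBAC)", this one writes "Unified (RBAC)".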
security User Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user-roles.md
The following steps guide you on how to create roles in Microsoft 365 Defender.
- **View data** - **Security operations** - View all security operations data in the portal
- - **Threat and vulnerability management** - View Defender Vulnerability Management data in the portal
+ - **Defender Vulnerability Management** - View Defender Vulnerability Management data in the portal
- **Active remediation actions** - **Security operations** - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators
- - **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions
- - **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities
- - **Threat and vulnerability management - Application handling** - Apply immediate mitigation actions by blocking vulnerable applications, as part of the remediation activity and manage the blocked apps and perform unblock actions
+ - **Defender Vulnerability Management - Exception handling** - Create new exceptions and manage active exceptions
+ - **Defender Vulnerability Management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities
+ - **Defender Vulnerability Management - Application handling** - Apply immediate mitigation actions by blocking vulnerable applications, as part of the remediation activity and manage the blocked apps and perform unblock actions
- **Security baselines**
- - **Threat and vulnerability management ΓÇô Manage security baselines assessment profiles** - Create and manage profiles so you can assess if your devices comply to security industry baselines.
-
- > [!NOTE]
- > For the Defender Vulnerability Management public preview trial this permission is not required. Users with "Threat and vulnerability management - View data" permissions can manage security baselines. However, when the trial ends and a license is purchased, this permission is required.
+ - **Defender Vulnerability Management ΓÇô Manage security baselines assessment profiles** - Create and manage profiles so you can assess if your devices comply to security industry baselines.
- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files
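Review bot: in the renamed entries the separator is inconsistent: "Defender Vulnerability Management - Exception handling" and its two siblings use a hyphen, while the "Manage security baselines assessment profiles" entry uses a different dash character (it shows up garbled in this rendering). Use the same hyphen in all four permission names so the names can be searched and matched against the portal. While touching that line, "comply to security industry baselines" should read "comply with".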
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 07/19/2023 Last updated : 08/08/2023 audience: ITPro
For more information on Microsoft Defender for Endpoint on specific operating sy
- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) - [What's new in Defender for Endpoint on Linux](linux-whatsnew.md)
-## August 2023
--- **Data completeness**-
- - Extended file attributes and registry monitoring capabilities to enhance investigation and detection experience. 
-
- - Conditional Access - Expanding integration between Microsoft Defender for Endpoint and Intune to support additional Azure Active Directory (AAD) joined scenarios to deploy conditional access policies in your environment and enable Zero Trust policies to better protect your network against adversaries. 
-
- - Engine bugfixes and improvements. 
----- **Platform**-
- - Enabled safer deployment of features through rings and containment mechanism enhancements. 
-
- - Consolidate the billing and alert experiences of customers that are onboarded to both Microsoft Defender for Endpoint and Microsoft Defender for Cloud in cloud environments by collecting machine identifiers that allow de-duplication on cloud side. 
----- **Hardening**-
- - General hardening improvements. 
---- **Response** -
- - Device Isolation improvements. For more information, see [Take response actions on a device](respond-machine-alerts.md) 
-
- - Strengthen the resilience of device isolation permit and block rules.  
-
- - Allow a device that is disconnected from a Command and Control channel using offline signed command to be removed from isolation.  
-
- - Improved performance for [Live Response](live-response.md) commands when executed concurrently with automatic investigation.  
-
- - Send command status events for isolate and IR commands through Command and Control channel to improve performance, support future design changes, and easier monitoring. 
-
- - Custom Exclusion for Isolation - exclusion of apps, allow list of IP addresses and ports, and users.
-
- - Isolation hardening is a measure taken against a technique known as process hollowing. Implementing this hardening approach, a system can establish stronger isolation rules that significantly enhance security when dealing with code injection tactics.  
-
-
- - Reduce device disconnections for isolated device caused by third-party inspection drivers. For more information, see [Take response actions on a device](respond-machine-alerts.md).
----- **Vulnerability management** 
-
- - Replaces some of the current threat vulnerability collections and adds new much requested user installed packages collector. 
-
- - New and higher-performing (both CPU and memory) vulnerabilities collector. 
-
- - Changes on devices will be reflected in a timelier manner to the portal, enabling them to take action against threats faster. 
-
- - Bugfix in Vulnerability Management client management component - race condition. 
----- **Threat Prevention/Protection** -
- - Lateral Movement Firewall - Addressing advanced attacks inflicting customers (Human Operated Ransomware) by expanding identity-oriented response capabilities known to be gaps in our current protection story.
-
- - Supporting force close active SMB sessions for incriminated users as part of Lateral Movement Firewall to disrupt and terminate active malicious sessions. 
--
- - Device Contain - Introducing new Windows Filtering Platform (WFP) network filter to allow telemetry & audit-mode capabilities to network connections enforcements. For more information, see - [Take response actions on a device in Microsoft Defender for Endpoint](respond-machine-alerts.md#contain-devices-from-the-network).
--
- - Anti-tampering - Addressing tampering gaps in Defender for Endpoint authentication flow by hardening protection of the cryptographic key used to register clients with Defender for Endpoint's authentication service. This is done by storing the key in an AV-protected registry key. 
----- **MITRE**-
- - Introducing a new sensor for MITRE. 
- - Alternative data streams support. 
- - Extended Registry monitoring capabilities. 
- ## July 2023
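Review bot: the whole "## August 2023" section is deleted with nothing added in its place, in the same change that moves "Last updated" to 08/08/2023, so the article now shows a fresh date with July 2023 as its newest entry. If the removal is intentional, say why in the commit message, and check that no other article links to the removed August items (several of them pointed readers to respond-machine-alerts.md for details).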
security Tvm Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-prerequisites.md
Ensure that your devices:
## Relevant permission options
+> [!NOTE]
+> You can now control access and grant granular permissions for Microsoft Defender Vulnerability Management as part of the Microsoft 365 Defender Unified RBAC model. For more information, see [Microsoft Defender 365 Unified role-based access control (RBAC)](../defender/manage-rbac.md).
+ To view the permissions options for vulnerability management: 1. Log in to Microsoft 365 Defender portal using account with a Security administrator or Global administrator role assigned.
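Review bot: the added note names the model "Microsoft 365 Defender Unified RBAC" in its first sentence and "Microsoft Defender 365 Unified role-based access control (RBAC)" in the link label of the second. Pick the first form for both so the note is internally consistent.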
For more information, see [Create and manage roles for role-based access control
### View data - **Security operations** - View all security operations data in the portal-- **Threat and vulnerability management** - View Defender Vulnerability Management data in the portal
+- **Defender Vulnerability Management** - View Defender Vulnerability Management data in the portal
### Active remediation actions - **Security operations** - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators-- **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions-- **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities-- **Threat and vulnerability management - Application handling** - Apply immediate mitigation actions by blocking vulnerable applications, as part of the remediation activity and manage the blocked apps and perform unblock actions
+- **Defender Vulnerability Management - Exception handling** - Create new exceptions and manage active exceptions
+- **Defender Vulnerability Management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities
+- **Defender Vulnerability Management - Application handling** - Apply immediate mitigation actions by blocking vulnerable applications, as part of the remediation activity and manage the blocked apps and perform unblock actions
### Defender Vulnerability Management - security baselines
-**Threat and vulnerability management ΓÇô Manage security baselines assessment profiles** - Create and manage profiles so you can assess if your devices comply to security industry baselines.
+**Defender Vulnerability Management ΓÇô Manage security baselines assessment profiles** - Create and manage profiles so you can assess if your devices comply to security industry baselines.
## Related articles
security Whats New In Microsoft Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md
This article provides information about new features and important product updat
## August 2023
-Microsoft Defender Vulnerability Management Standalone is now Generally Available. To learn more about what's included in Microsoft Defender Vulnerability Management plans, see [Compare Microsoft Defender Vulnerability Management plans and capabilities](defender-vulnerability-management-capabilities.md).
+### Microsoft Defender Vulnerability Management permissions are now integrated with Microsoft 365 Defender Unified role-based access control (RBAC)
+
+You can now control access and grant granular permissions for Microsoft Defender Vulnerability Management as part of the Microsoft 365 Defender Unified RBAC model. For more information, see [Microsoft Defender 365 Unified role-based access control (RBAC)](../defender/manage-rbac.md). You can add the new permissions to a custom role by selecting them from the **Security posture** permissions group when creating the role. For more information, see [Create custom roles with Microsoft 365 Defender Unified RBAC](../defender/create-custom-rbac-roles.md).
+
+### Microsoft Defender Vulnerability Management Standalone is now Generally Available
+
+To learn more about what's included in Microsoft Defender Vulnerability Management plans, see [Compare Microsoft Defender Vulnerability Management plans and capabilities](defender-vulnerability-management-capabilities.md).
## March 2023
security Activate Defender Rbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/activate-defender-rbac.md
search.appverid: met150
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Identity](https://go.microsoft.com/fwlink/?LinkID=2198108) - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
[!include[Prerelease information](../../includes/prerelease.md)]
security Before You Begin Defender Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-defender-experts.md
- tier1 search.appverid: met150 Previously updated : 07/26/2022 Last updated : 08/08/2023 # Before you begin using Defender Experts for Hunting
Defender Experts for Hunting customers are assigned two Ask Defender Experts (Ex
For more information about Microsoft's commercial licensing terms, visit [this page](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).
+### Server coverage
+
+Defender Experts for XDR also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesnΓÇÖt cover Microsoft Defender for Cloud.
+[Learn more about specific hardware and software requirements](/microsoft-365/security/defender-endpoint/minimum-requirements).
+ ### Access requirements Anyone from your organization can complete the customer interest form for Microsoft Defender Experts for Hunting service, however, you need to work with your Commercial Executive to transact the SKU. You might need certain roles and permissions to fully access the service capabilities. Refer to [Custom roles in role-based access control for Microsoft 365 Defender](custom-roles.md) for details.
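Review bot: the new "Server coverage" section in this article, titled "Before you begin using Defender Experts for Hunting", opens with "Defender Experts for XDR also covers servers", which is the same text added to before-you-begin-xdr.md. Confirm whether the Hunting service has the same server coverage and name the correct service here. The "Learn more about specific hardware and software requirements" link is also added on the line directly after the paragraph with no blank line between them, so it will render as part of that paragraph; add a blank line or fold it into a sentence.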
security Before You Begin Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-xdr.md
- tier1 search.appverid: met150 Previously updated : 11/17/2022 Last updated : 08/08/2023 # Before you begin
Aside from the requirements stated previously, to get Defender Experts for XDR c
Defender Experts for XDR is a managed extended detection and response (XDR) service. To get native XDR coverage, we recommend deploying the full Microsoft 365 Defender suite.
+### Server coverage
+
+Defender Experts for XDR also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesnΓÇÖt cover Microsoft Defender for Cloud.
+[Learn more about specific hardware and software requirements](/microsoft-365/security/defender-endpoint/minimum-requirements).
+
+### Ask Defender Experts
+ As part of the service's built-in [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md), you're also assigned two **Ask Defender Experts** credits on the first of each month, which you may use to submit questions. You can still submit inquiries beyond the initial number of allocated credits. Unused credits expire 90 days from date of assignment or at the end of the subscription term, whichever is shortest. [Learn more about Microsoft's commercial licensing terms](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).
security Compare Rbac Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/compare-rbac-roles.md
search.appverid: met150
All permissions listed within the Microsoft 365 Defender Unified RBAC model align to existing permissions in the individual RBAC models. Once you activate the Microsoft 365 Defender Unified RBAC model the permissions and assignments configured in your imported roles will replace the existing roles in the individual RBAC models.
-This article describes how existing roles and permissions in Microsoft Defender for Endpoint, Microsoft Defender for Office 365 (Exchange Online Protection), Microsoft Defender for Identity, and Azure Active Directory roles map to the roles and permission in the Microsoft 365 Defender Unified RBAC model.
+This article describes how existing roles and permissions in Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management and Microsoft Defender for Office 365 (Exchange Online Protection), Microsoft Defender for Identity, and Azure Active Directory roles map to the roles and permission in the Microsoft 365 Defender Unified RBAC model.
[!INCLUDE[Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
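Review bot: inserting "Microsoft Defender Vulnerability Management and" in the middle of the product list leaves the sentence with two conjunctions: "Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management and Microsoft Defender for Office 365 (Exchange Online Protection), Microsoft Defender for Identity, and Azure Active Directory roles". Replace the first "and" with a comma so the list reads as five parallel items.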
This article describes how existing roles and permissions in Microsoft Defender
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Identity](https://go.microsoft.com/fwlink/?LinkID=2198108) - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
[!include[Prerelease information](../../includes/prerelease.md)]
This article describes how existing roles and permissions in Microsoft Defender
Use the tables in the following sections to learn more about how your existing individual RBAC role definitions map to your new Microsoft 365 Defender Unified RBAC roles:
-1. [Map Defender for Endpoint permissions](#map-defender-for-endpoint-permissions-to-the-microsoft-365-defender-unified-rbac-permissions)
+1. [Map Defender for Endpoint and Defender Vulnerability Management permissions](#map-defender-for-endpoint-and-defender-vulnerability-management-permissions-to-the-microsoft-365-defender-rbac-permissions)
2. [Map Defender for Office 365 (Exchange Online Protection) roles](#map-defender-for-office-365-exchange-online-protection-roles-to-the-microsoft-365-defender-unified-rbac-permissions) 3. [Map Microsoft Defender for Identity permissions](#map-microsoft-defender-for-identity-permissions-to-the-microsoft-365-defender-unified-rbac-permissions) 4. [Azure Active Directory Global roles access](#azure-active-directory-global-roles-access)
-### Map Defender for Endpoint permissions to the Microsoft 365 Defender Unified RBAC permissions
+### Map Defender for Endpoint and Defender Vulnerability Management permissions to the Microsoft 365 Defender RBAC permissions
-|Defender for Endpoint permission|Microsoft 365 Defender Unified RBAC permission|
+|Defender for Endpoint and Defender Vulnerability Management permissions|Microsoft 365 Defender Unified RBAC permission|
|||| |View data - Security operations|Security operations \ Security data \ Security data basics (read)|
-|View data - Threat and vulnerability management|Security posture \ Posture management \ Vulnerability management (read)|
+|View data - Defender Vulnerability Management|Security posture \ Posture management \ Vulnerability management (read)|
|Alerts investigation|Security operations \ Security data \ Alerts (manage)| |Active remediation actions - Security operations|Security operations \ Security data \ Response (manage)|
-|Active remediation actions - Threat and vulnerability management - Exception handling|Security posture \ Posture management \ Exception handling (manage)|
-|Active remediation actions - Threat and vulnerability management - Remediation handling|Security posture \ posture management \ Remediation handling (manage)|
-|Active remediation actions - Threat and vulnerability management - Application handling|Security posture \ Posture management \ Application handling (manage)|
-|Vulnerability management ΓÇô Manage security baselines assessment profiles|Security posture \ posture management \ Security baselines assessment (manage)|
+|Active remediation actions - Defender Vulnerability Management - Exception handling|Security posture \ Posture management \ Exception handling (manage)|
+|Active remediation actions - Defender Vulnerability Management - Remediation handling|Security posture \ posture management \ Remediation handling (manage)|
+|Active remediation actions - Defender Vulnerability Management - Application handling|Security posture \ Posture management \ Application handling (manage)|
+|Defender Vulnerability management ΓÇô Manage security baselines assessment profiles|Security posture \ posture management \ Security baselines assessment (manage)|
|Live response capabilities|Security operations \ Basic live response (manage)| |Live response capabilities - advanced|Security operations \ Advanced live response (manage) </br> Security operations \ Security data \ File collection (manage)| |Manage security settings in the Security Center|Authorization and settings \ Security setting (All permissions)|
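Review bot: the renamed heading and its anchor drop the word "Unified" ("... to the Microsoft 365 Defender RBAC permissions"), while the sibling headings for Defender for Office 365 and Defender for Identity keep "... Microsoft 365 Defender Unified RBAC permissions". The in-page link was updated to the new slug, but any external link to the old anchor now breaks; keeping "Unified" in the heading would limit the slug change to the added product name. In the table, the last renamed row writes "Defender Vulnerability management" with a lowercase "m", unlike the rows above it.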
Use the tables in the following sections to learn more about how your existing i
Users assigned with Azure Active Directory global roles may also have access to the [Microsoft 365 Defender portal](https://security.microsoft.com).
-Use this table to learn about the permissions assigned by default for each workload (Defender for Endpoint, Defender for Office and Defender for Identity) in Microsoft 365 Defender Unified RBAC to each global Azure Active Directory role.
+Use this table to learn about the permissions assigned by default for each workload (Defender for Endpoint, Defender Vulnerability Management, Defender for Office and Defender for Identity) in Microsoft 365 Defender Unified RBAC to each global Azure Active Directory role.
|AAD role|Microsoft 365 Defender Unified RBAC assigned permissions for all workloads|Microsoft 365 Defender Unified RBAC assigned permissions ΓÇô workload specific| |||||
-|Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Security posture \ Posture management \ Secure Score (read) </br> Security posture \ Posture management \ Secure Score (manage)</br>Authorization and settings \ Authorization \ (All permissions)</br>Authorization and settings \ Security settings \ (All permissions)</br>Authorization and settings \ System settings \ (All permissions) |_**Defender for Endpoint only permissions**_ </br>Security operations \ Basic live response (manage)</br>Security operations \ Advanced live response (manage) </br> Security operations \ Security data \ File collection (manage) </br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br>Security posture \ Posture management \ Application handling (manage)</br>Security posture \ Posture management \ Security baseline assessment (manage)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Email quarantine (manage)</br>Security operations \ Security data \ Email advanced actions (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)|
+|Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Security posture \ Posture management \ Secure Score (read) </br> Security posture \ Posture management \ Secure Score (manage)</br>Authorization and settings \ Authorization \ (All permissions)</br>Authorization and settings \ Security settings \ (All permissions)</br>Authorization and settings \ System settings \ (All permissions) |_**Defender for Endpoint and Defender Vulnerability Management permissions only permissions**_ </br>Security operations \ Basic live response (manage)</br>Security operations \ Advanced live response (manage) </br> Security operations \ Security data \ File collection (manage) </br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br>Security posture \ Posture management \ Application handling (manage)</br>Security posture \ Posture management \ Security baseline assessment (manage)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Email quarantine (manage)</br>Security operations \ Security data \ Email advanced actions (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)|
|Security administrator|Same as Global administrator|Same as Global administrator|
-|Global reader|Security operations \ Security data \ Security data basics (read)</br>Security posture \ Posture management \ Secure Score (read) </br>|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ Authorization \ (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)|
-|Security reader|Security operations \ Security data \ Security data basics (read)</br>Security posture \ Posture management \ Secure Score (read) </br>|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)|
-|Security operator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Security posture \ Posture management \ Secure Score (read)</br>Authorization and settings \ Security settings \ (All permissions)|_**Defender for Endpoint only permissions**_</br>Security operations \ Security data \ Basic live response (manage)</br>Security operations \ Security data \ Advanced live response (manage)</br> Security operations \ Security data \ File collection (manage) </br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br></br>_**Defender for Office only permissions**_ </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ System settings \ (All permissions)</br></br>_**Defender for Identity only permissions**_ </br>Authorization and settings \ System settings \ (read)|
+|Global reader|Security operations \ Security data \ Security data basics (read)</br>Security posture \ Posture management \ Secure Score (read) </br>|_**Defender for Endpoint and Defender Vulnerability Management permissions only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ Authorization \ (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)|
+|Security reader|Security operations \ Security data \ Security data basics (read)</br>Security posture \ Posture management \ Secure Score (read) </br>|_**Defender for Endpoint and Defender Vulnerability Management permissions only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)|
+|Security operator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Security posture \ Posture management \ Secure Score (read)</br>Authorization and settings \ Security settings \ (All permissions)|_**Defender for Endpoint and Defender Vulnerability Management permissions only permissions**_</br>Security operations \ Security data \ Basic live response (manage)</br>Security operations \ Security data \ Advanced live response (manage)</br> Security operations \ Security data \ File collection (manage) </br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br></br>_**Defender for Office only permissions**_ </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ System settings \ (All permissions)</br></br>_**Defender for Identity only permissions**_ </br>Authorization and settings \ System settings \ (read)|
|Exchange Administrator|Security posture \ Posture management \ Secure Score (read) </br> Security posture \ Posture management \ Secure Score (manage)|not applicable| |SharePoint Administrator|Security posture \ Posture management \ Secure Score (read) </br> Security posture \ Posture management \ Secure Score (manage)|not applicable| |Service Support Administrator|Security posture \ Posture management \ Secure Score (read) |not applicable|
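Review bot: In the added Global reader and Security reader rows, the "Defender for Office only permissions" group lists `Security operations \ Security data \ Response (manage)`, a manage-level permission mapped from read-only roles, while every other entry in those two rows is read-level; please confirm this mapping is intended and, if it is, say why a reader role needs it. Separately, the new group label in all three added rows reads "Defender for Endpoint and Defender Vulnerability Management permissions only permissions", which repeats "permissions"; "Defender for Endpoint and Defender Vulnerability Management only permissions" would match the other labels in the table.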
security Create Custom Rbac Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/create-custom-rbac-roles.md
search.appverid: met150
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Identity](https://go.microsoft.com/fwlink/?LinkID=2198108) - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
[!include[Prerelease information](../../includes/prerelease.md)]
security Custom Permissions Details https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-permissions-details.md
In Microsoft 365 Defender Unified role-based access control (RBAC) you can selec
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Identity](https://go.microsoft.com/fwlink/?LinkID=2198108) - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
[!include[Prerelease information](../../includes/prerelease.md)]
Permissions for managing day-to-day operations and responding to incidents and a
### Security posture – Posture management
-Permissions for managing the organization's security posture and performing threat and vulnerability management.
+Permissions for managing the organization's security posture and performing vulnerability management.
|Permission name|Level|Description| ||||
-|Vulnerability management|Read|View threat and vulnerability management data for the following: software and software inventory, weaknesses, missing KBs, advanced hunting, security baselines assessment, and devices.|
-|Exception handling|Manage|Create security recommendation exceptions and manage active exceptions in threat and vulnerability management.|
-|Remediation handling|Manage|Create remediation tickets, submit new requests, and manage remediation activities in threat and vulnerability management.|
-|Application handling|Manage|Manage vulnerable applications and software, including blocking and unblocking them in threat and vulnerability management.|
+|Vulnerability management|Read|View Defender Vulnerability Management data for the following: software and software inventory, weaknesses, missing KBs, advanced hunting, security baselines assessment, and devices.|
+|Exception handling|Manage|Create security recommendation exceptions and manage active exceptions in Defender Vulnerability Management.|
+|Remediation handling|Manage|Create remediation tickets, submit new requests, and manage remediation activities in Defender Vulnerability Management.|
+|Application handling|Manage|Manage vulnerable applications and software, including blocking and unblocking them in Defender Vulnerability Management.|
|Security baseline assessment|Manage|Create and manage profiles so you can assess if your devices comply to security industry baselines.| |Secure Score|Read / Manage|Manage permissions to Secure Score data including which users have access to the data and the products for which they will see Secure Score data.|
security Defender Experts For Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-experts-for-hunting.md
- tier1 search.appverid: met150 Previously updated : 05/05/2022 Last updated : 08/08/2023 # Microsoft Defender Experts for Hunting
security Dex Xdr Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/dex-xdr-overview.md
- tier1 search.appverid: met150 Previously updated : 05/29/2023 Last updated : 08/08/2023 # Microsoft Defender Experts for XDR
security Edit Delete Rbac Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/edit-delete-rbac-roles.md
search.appverid: met150
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Identity](https://go.microsoft.com/fwlink/?LinkID=2198108) - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
[!include[Prerelease information](../../includes/prerelease.md)]
security Import Rbac Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/import-rbac-roles.md
search.appverid: met150
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Identity](https://go.microsoft.com/fwlink/?LinkID=2198108) - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
[!include[Prerelease information](../../includes/prerelease.md)]
security Manage Rbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-rbac.md
- tier3 -+ Last updated 05/31/2023 search.appverid: met150
search.appverid: met150
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Identity](https://go.microsoft.com/fwlink/?LinkID=2198108) - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
[!include[Prerelease information](../../includes/prerelease.md)]
Centralized permissions management is supported for the following solutions:
|||| |Microsoft 365 Defender|Centralized permissions management for Microsoft 365 Defender experiences.| |Microsoft Defender for Endpoint|Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the device groups page.|
-|Microsoft Defender for Office 365|Support for all scenarios that were controlled by **Exchange Online Protection roles** (EOP), configured in the Microsoft 365 Defender portal under **Permissions** \> **Email & collaboration roles**. </br></br> **Note:** Scenarios that adhere to Exchange Online roles are not impacted by this new model and will still be managed by Exchange Online. The Microsoft 365 Defender Unified RBAC model will initially be available for organizations with Microsoft Defender for Office Plan 2 licenses only. This capability is not available to users on trial licenses.|
+|Microsoft Defender Vulnerability Management | Centralized permissions management for all Defender Vulnerability Management capabilities.|
+|Microsoft Defender for Office 365|Support for all scenarios that were controlled by **Exchange Online Protection roles** (EOP), configured in the Microsoft 365 Defender portal under **Permissions** \> **Email & collaboration roles**. </br></br> **Note:** Scenarios that adhere to Exchange Online roles are not impacted by this new model and will still be managed by Exchange Online. The Microsoft 365 Defender RBAC model will initially be available for organizations with Microsoft Defender for Office Plan 2 licenses only. This capability is not available to users on trial licenses.|
|Microsoft for Identity|Full support for all identity data and actions. </br></br> **Note:** Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).| |Microsoft Secure Score|Full support for all Secure Score data from the [Products included in Secure Score](../defender/microsoft-secure-score.md#products-included-in-secure-score).| + > [!NOTE] > Scenarios and experiences controlled by Compliance permissions are still managed in the Microsoft Purview compliance portal. >
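Review bot: The rewritten Defender for Office 365 row drops "Unified" from the model name ("The Microsoft 365 Defender RBAC model will initially be available ..."), whereas the removed row and the other pages in this change say "Microsoft 365 Defender Unified RBAC model"; restore the full name unless the rename is deliberate. While this table is being edited, the unchanged row below it still reads "Microsoft for Identity" where "Microsoft Defender for Identity" is meant.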
security Whats New In Microsoft Defender Urbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new-in-microsoft-defender-urbac.md
This article provides information about new features and important product updat
## August 2023
-### Microsoft Secure Score permissions integration with Microsoft 365 Defender Unified role-based access control (RBAC) is now in Public Preview </br>
+### Microsoft Defender Vulnerability Management permissions are now integrated with Microsoft 365 Defender Unified role-based access control (RBAC)
-You can control access and grant granular permissions for the Microsoft Secure Score experience as part of the Microsoft 365 Defender Unified RBAC model. For more information, see [Manage permissions with Microsoft 365 Defender Unified role-based access control(RBAC)](./microsoft-secure-score.md#manage-permissions-with-microsoft-365-defender-unified-role-based-access-controlrbac). </br>
+You can now control access and grant granular permissions for Microsoft Defender Vulnerability Management as part of the Microsoft 365 Defender Unified RBAC model. For more information, see [Microsoft Defender 365 Unified role-based access control (RBAC)](../defender/manage-rbac.md). You can add the new permissions to a custom role by selecting them from the **Security posture** permissions group when creating the role. For more information, see [Create custom roles with Microsoft 365 Defender Unified RBAC](./create-custom-rbac-roles.md).
-### A new file collection permission in Microsoft 365 Defender Unified RBAC is now in Public Preview </br>
+### Microsoft Secure Score permissions integration with Microsoft 365 Defender Unified role-based access control (RBAC) is now in Public Preview
-You can now assign a new granular permission in Microsoft 365 Defender Unified RBAC that allows users to collect or download files for analysis. This permission enables Microsoft Defender for Endpoint users download files directly from the file page and during a live response investigation in the live response console.
+You can control access and grant granular permissions for the Microsoft Secure Score experience as part of the Microsoft 365 Defender Unified RBAC model. For more information, see [Manage permissions with Microsoft 365 Defender Unified role-based access control(RBAC)](./microsoft-secure-score.md#manage-permissions-with-microsoft-365-defender-unified-role-based-access-controlrbac).
-You can add the new permission to a custom role by selecting it from the **Security operations** permissions group when creating the role. For more information, see [Create custom roles with Microsoft 365 Defender Unified RBAC](./create-custom-rbac-roles.md).
+### A new file collection permission in Microsoft 365 Defender Unified RBAC is now in Public Preview
+
+You can now assign a new granular permission in Microsoft 365 Defender Unified RBAC that allows users to collect or download files for analysis. This permission enables Microsoft Defender for Endpoint users download files directly from the file page and during a live response investigation in the live response console. You can add the new permission to a custom role by selecting it from the **Security operations** permissions group when creating the role. For more information, see [Create custom roles with Microsoft 365 Defender Unified RBAC](./create-custom-rbac-roles.md).
For more information on what's new with other Microsoft Defender security products, see:
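Review bot: The link text in the new Defender Vulnerability Management paragraph reads "Microsoft Defender 365 Unified role-based access control (RBAC)"; the product is called "Microsoft 365 Defender" everywhere else in this change, so the words are transposed. In the file collection paragraph that this change merges into one block, "enables Microsoft Defender for Endpoint users download files" is missing "to" before "download", and the Secure Score link text still lacks a space in "control(RBAC)"; both are worth fixing while the lines are being touched.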
security Anti Phishing Policies About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-about.md
description: Admins can learn about the anti-phishing policies that are availabl
search.appverid: met150 Previously updated : 7/11/2023 Last updated : 8/9/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
security Anti Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md
You can configure anti-spam policies in the Microsoft 365 Defender portal or in
⁵ Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages. - **Intra-Organizational messages to take action on**: Controls whether spam filtering and the corresponding verdict actions are applied to internal messages (messages sent between users within the organization). The action that's configured in the policy for the specified spam filter verdicts is taken on messages sent between internal users. The available values are:
- - **Default**: This is the default value. Currently, this value is the same as selecting **None**. The behavior for the value **Default** will eventually change to apply the action for high confidence phishing detections in the policy as if you selected **High confidence phishing messages**. Check the Message Center for announcements to changes in this setting.
+ - **Default**: This is the default value. This value is the same as selecting **High confidence phishing messages**.
+
+ > [!NOTE]
+ > Currently, in U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), the value **Default** is the same as selecting **None**.
+ - **None** - **High confidence phishing messages** - **Phishing and high confidence phishing messages**
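Review bot: The new **Default** description states only the present behaviour, so an admin who left the setting at **Default** gets no cue that internal messages detected as high confidence phishing are now actioned, where the removed text said **Default** was the same as **None**. Suggest adding one sentence that the meaning of **Default** changed, and replacing "Currently" in the U.S. Government note with wording that will not go stale, or restoring a pointer to where the change will be announced (the removed text referred readers to the Message Center).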
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
description: Admins can learn how the order of protection settings and the prior
search.appverid: met150 Previously updated : 6/20/2023 Last updated : 8/8/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
There are two major factors that determine which policy is applied to a message:
<sup>\*</sup> Defender for Office 365 only.
- The priority order matters if you have the same recipient intentionally or unintentionally defined in multiple policies, because *only* the first policy of that type (anti-spam, anti-malware, anti-phishing, etc.) is applied to that recipient, regardless of how many other policies that the recipient is specified in. There's never a merging or combining of the settings in multiple policies for the recipient. The recipient is unaffected by the settings of the remaining policies of that type.
+ The priority order matters if you have the same recipient intentionally or unintentionally included in multiple policies, because *only* the first policy of that type (anti-spam, anti-malware, anti-phishing, etc.) is applied to that recipient, regardless of how many other policies that the recipient is included in. There's never a merging or combining of the settings in multiple policies for the recipient. The recipient is unaffected by the settings of the remaining policies of that type.
-For example, the group named "Contoso Executives" is specified in the following policies:
+For example, the group named "Contoso Executives" is included in the following policies:
- The Strict preset security policy - A custom anti-spam policy with the priority value 0 (highest priority)
To make sure that recipients get the protection settings that you want, use the
- Assign a smaller number of users to higher priority policies, and a larger number of users to lower priority policies. Remember, default policies are always applied last. - Configure higher priority policies to have stricter or more specialized settings than lower priority policies. You have complete control over the settings in custom policies and the default policies, but no control over most settings in preset security policies. - Consider using fewer custom policies (only use custom policies for users who require more specialized settings than the Standard or Strict preset security policies, or the default policies).+
+## Appendix
+
+It's important to understand how user allows and blocks, tenant allows and blocks, and filtering stack verdicts in EOP and Defender for Office 365 compliment or contradict each other.
+
+- For information about filtering stacks and how they're combined, see [Step-by-step threat protection in Microsoft Defender for Office 365](protection-stack-microsoft-defender-for-office365.md).
+- After the filtering stack determines a verdict, only then are tenant policies and their configured actions evaluated.
+- If the same email address or domain exists in a user's Safe Senders list and Blocked Senders list, the Safe Senders list takes precedence.
+- If the same entity (email address, domain, spoofed sending infrastructure, file, or URL) exists in an allow entry and a block entry in the Tenant Allow/Block List, the block entry takes precedence.
+
+### User allows and blocks
+
+Entries in a user's _safelist collection_ (the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox) are able to override some filtering stack verdicts as described in the following table:
+
+|Filtering stack verdict|User's Safe Senders/Recipients list|User's Blocked Senders list|
+||||
+|Malware|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined|
+|High confidence phishing|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined|
+|Phishing|**User wins**: Email delivered to user's Inbox|**Tenant wins**: The applicable anti-spam policy determines the action|
+|High confidence spam|**User wins**: Email delivered to user's Inbox|**User wins**: Email delivered to user's Junk Email folder|
+|Spam|**User wins**: Email delivered to user's Inbox|**User wins**: Email delivered to user's Junk Email folder|
+|Bulk|**User wins**: Email delivered to user's Inbox|**User wins**: Email delivered to user's Junk Email folder|
+|Not spam|**User wins**: Email delivered to user's Inbox|**User wins**: Email delivered to user's Junk Email folder|
+
+For more information about the safelist collection and anti-spam settings on user mailboxes, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).
+
+### Tenant allows and blocks
+
+Tenant allows and blocks are able to override some filtering stack verdicts as described in the following tables:
+
+- [Advanced delivery policy](skip-filtering-phishing-simulations-sec-ops-mailboxes.md) (skip filtering for designated SecOps mailboxes and phishing simulation URLs):
+
+ |Filtering stack verdict|Advanced delivery policy allow|
+ |||
+ |Malware|**Tenant wins**: Email delivered to mailbox|
+ |High confidence phishing|**Tenant wins**: Email delivered to mailbox|
+ |Phishing|**Tenant wins**: Email delivered to mailbox|
+ |High confidence spam|**Tenant wins**: Email delivered to mailbox|
+ |Spam|**Tenant wins**: Email delivered to mailbox|
+ |Bulk|**Tenant wins**: Email delivered to mailbox|
+ |Not spam|**Tenant wins**: Email delivered to mailbox|
+
+- [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (skip listing):
+
+ |Filtering stack verdict|Enhanced Filtering|
+ |||
+ |Malware|**Filter wins**: Email quarantined|
+ |High confidence phishing|**Tenant wins**: Email delivered to mailbox|
+ |Phishing|**Tenant wins**: Email delivered to mailbox|
+ |High confidence spam|**Tenant wins**: Email delivered to mailbox|
+ |Spam|**Tenant wins**: Email delivered to mailbox|
+ |Bulk|**Tenant wins**: Email delivered to mailbox|
+ |Not spam|**Tenant wins**: Email delivered to mailbox|
+
+- IP Allow List and IP Block List in [connection filter policies](connection-filter-policies-configure.md):
+
+ |Filtering stack verdict|IP Allow List|IP Block List|
+ ||||
+ |Malware|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined|
+ |High confidence phishing|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined|
+ |Phishing|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email silently dropped|
+ |High confidence spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email silently dropped|
+ |Spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email silently dropped|
+ |Bulk|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email silently dropped|
+ |Not spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email silently dropped|
+
+- [Exchange mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules):
+
+ |Filtering stack verdict|Mail flow rule allows|Mail flow rule blocks|
+ ||||
+ |Malware|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined|
+ |High confidence phishing|**Filter wins**: Email quarantined except in complex routing|**Filter wins**: Email quarantined|
+ |Phishing|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Phishing action in the applicable anti-spam policy|
+ |High confidence spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to user's Junk Email folder|
+ |Spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to user's Junk Email folder|
+ |Bulk|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to user's Junk Email folder|
+ |Not spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to user's Junk Email folder|
+
+- Allow and block settings in [anti-spam policies](anti-spam-policies-configure.md):
+ - Allowed sender and domain list.
+ - Blocked sender and domain list.
+ - Block messages from specific countries or in specific languages.
+ - Block messages based on [Advanced Spam Filter (ASF) settings](anti-spam-policies-asf-settings-about.md).
+
+ |Filtering stack verdict|Anti-spam policy allows|Anti-spam policy blocks|
+ ||||
+ |Malware|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined|
+ |High confidence phishing|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined|
+ |Phishing|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Phishing action in the applicable anti-spam policy|
+ |High confidence spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to user's Junk Email folder|
+ |Spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to user's Junk Email folder|
+ |Bulk|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to user's Junk Email folder|
+ |Not spam|**Tenant wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to user's Junk Email folder|
+
+- [Allow entries in the Tenant Allow/Block List](tenant-allow-block-list-about.md#allow-entries-in-the-tenant-allowblock-list):
+
+ |Filtering stack verdict|Email address/domain|
+ |||
+ |Malware|**Filter wins**: Email quarantined|
+ |High confidence phishing|**Filter wins**: Email quarantined|
+ |Phishing|**Tenant wins**: Email delivered to mailbox|
+ |High confidence spam|**Tenant wins**: Email delivered to mailbox|
+ |Spam|**Tenant wins**: Email delivered to mailbox|
+ |Bulk|**Tenant wins**: Email delivered to mailbox|
+ |Not spam|**Tenant wins**: Email delivered to mailbox|
+
+- [Block entries in the Tenant Allow/Block List](tenant-allow-block-list-about.md#block-entries-in-the-tenant-allowblock-list):
+
+ |Filtering stack verdict|Email address/domain|Spoof|File|URL|
+ ||||||
+ |Malware|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined|**Tenant wins**: Email quarantined|**Filter wins**: Email quarantined|
+ |High confidence phishing|**Tenant wins**: Email quarantined|**Filter wins**: Email quarantined|**Tenant wins**: Email quarantined|**Tenant wins**: Email quarantined|
+ |Phishing|**Tenant wins**: Email quarantined|**Tenant wins**: Spoof action in the applicable anti-phishing policy|**Tenant wins**: Email quarantined|**Tenant wins**: Email quarantined|
+ |High confidence spam|**Tenant wins**: Email quarantined|**Tenant wins**: Spoof action in the applicable anti-phishing policy|**Tenant wins**: Email quarantined|**Tenant wins**: Email quarantined|
+ |Spam|**Tenant wins**: Email quarantined|**Tenant wins**: Spoof action in the applicable anti-phishing policy|**Tenant wins**: Email quarantined|**Tenant wins**: Email quarantined|
+ |Bulk|**Tenant wins**: Email quarantined|**Tenant wins**: Spoof action in the applicable anti-phishing policy|**Tenant wins**: Email quarantined|**Tenant wins**: Email quarantined|
+ |Not spam|**Tenant wins**: Email quarantined|**Tenant wins**: Spoof action in the applicable anti-phishing policy|**Tenant wins**: Email quarantined|**Tenant wins**: Email quarantined|
+
+### User and tenant settings conflict
+
+The following table describes how conflicts are resolved if an email is affected by both user allow/block settings and tenant allow/block settings:
+
+|Type of tenant allow/block|User's Safe Senders/Recipients list|User's Blocked Senders list|
+||||
+|Block entries in the Tenant Allow/Block List for: <ul><li>Email addresses and domains</li><li>Files</li><li>URLs</li></ul>|**Tenant wins**: Email quarantined|**Tenant wins**: Email quarantined|
+|Block entries for spoofed senders in the Tenant Allow/Block List|**Tenant wins**: Spoof intelligence action in the applicable anti-phishing policy|**Tenant wins**: Spoof intelligence action in the applicable anti-phishing policy|
+|Advanced delivery policy|**User wins**: Email delivered to mailbox|**Tenant wins**: Email delivered to mailbox|
+|Block settings in anti-spam policies|**User wins**: Email delivered to mailbox|**User wins**: Email delivered to user's Junk Email folder|
+|Allows by: <ul><li>Mail flow rules</li><li>IP Allow List (connection filter policy)</li><li>Allowed sender and domain list (anti-spam policies)</li><li>Tenant Allow/Block List</li></ul>|**User wins**: Email delivered to mailbox|**User wins**: Email delivered to user's Junk Email folder|
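Review bot: In the Appendix intro, "compliment or contradict each other" should be "complement or contradict each other". In the mail flow rules table, the High confidence phishing cell under "Mail flow rule allows" says "Email quarantined except in complex routing" without defining or linking what counts as complex routing, which leaves the one documented case where an allow rule can deliver a high confidence phishing message unexplained; add a link or a one-line definition. In the conflict table, the Advanced delivery policy row reads "User wins: Email delivered to mailbox" and "Tenant wins: Email delivered to mailbox" with the same outcome in both columns; a short note on why the winner differs would help readers who use the table to predict delivery.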
security Mdo Support Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-support-teams-about.md
Title: Microsoft Defender for Office 365 support for Microsoft Teams (Preview)
+ Title: Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams
f1.keywords: - NOCSH--++ audience: Admin
search.appverid:
- m365-security - tier1
-description: Admins can learn about Microsoft Teams features in Microsoft Defender for Office 365.
+description: Admins can learn about Microsoft Teams features in Microsoft Defender for Office 365 Plan 2.
Previously updated : 6/15/2023 Last updated : 8/4/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview" target="_blank">Microsoft Defender for Office 365 plan 2</a>
-# Microsoft Defender for Office 365 support for Microsoft Teams (Preview)
+# Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams
[!include[Prerelease information](../../includes/prerelease.md)] [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-> [!NOTE]
-> This article lists new features in the latest release of Microsoft Defender for Office 365. These features are currently in preview. Once you run the cmdlet, please be aware that it will take a few days for the features to to be available.
+With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using chat messages has also increased. Microsoft Defender for Office 365 already provides time of click protection for URLs and files in Teams messages through [Safe Links for Microsoft Teams](safe-links-about.md#safe-links-settings-for-microsoft-teams) and [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).
-With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using URLs and messages has increased as well. Microsoft Defender for Office 365 already provides protection against malicious URLs in Teams through [Safe Links](safe-links-about.md), and now Microsoft is extending this protection with a new set of capabilities designed to disrupt the attack chain.
+In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams protection with a set of capabilities that are designed to disrupt the attack chain:
-- **Reporting suspicious messages and files to admins and Microsoft (optional)**: Users have the ability to report potential malicious messages to their admins. The admins can review these messages and report them to Microsoft. For more information, see [User reported settings in Teams](submissions-teams.md).
+- **Report suspicious Teams messages**: Users can report malicious Teams messages. Depending on the reported message settings in the organization, the reported messages go to the specified reporting mailbox, to Microsoft, or both. For more information, see [User reported settings in Teams](submissions-teams.md).
-- **Zero-Hour Auto Purge (ZAP)**: ZAP is an existing email protection feature that proactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered. For read or unread messages that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. Currently, ZAP for Teams takes action on malware or high confidence phishing messages, not spam. For more information, see [Zero-hour auto purge in Microsoft Defender for Office 365](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams).
+- **Zero-hour auto protection (ZAP) for Teams**: ZAP is an existing email protection feature that detects and neutralizes spam, phishing, and malware messages after delivery by moving the messages to the Junk Email folder or quarantine.
-- **Quarantine**: Admins are able to review quarantined messages that are identified as malicious by ZAP. Admins can also release messages that are determined to be safe. For more information, see [Manage quarantined Teams messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages).
+ ZAP for Teams quarantines messages in Teams chats or channels that are found to be malware or high confidence phishing. For more information, see [Zero-hour auto purge (ZAP) in Microsoft Teams](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams).
-- The **Teams Message Entity Panel** is one single place to store all of Teams message metadata that allows for immediate SecOps review. Any threat coming from chats, group or meeting chats, and other channels can be found in one place as soon as it's assessed. For more information, see [Teams Message Entity Panel for Microsoft Teams](teams-message-entity-panel.md).
+ Instructions to configure ZAP for Teams protection are in the next section.
-- **Attack simulation training**: In order to ensure your users are resilient to phishing attacks in Microsoft Teams, admins can configure phishing simulations in Teams similar to how they do so in email. For more information, see [Microsoft Teams in Attack simulation training](attack-simulation-training-teams.md).
+- **Teams messages in quarantine**: As with email messages that are identified as malware or high confidence phishing, only admins are able to manage Teams messages that are quarantined by ZAP for Teams by default. For more information, see [Manage quarantined Teams messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages).
-## Enable Microsoft Defender for Teams
+- The **Teams Message Entity Panel** is a single place to store all Teams message metadata for immediate SecOps review. Any threats coming from Teams chats, group chats, meeting chats, and other channels can be found in one place as soon as they're assessed. For more information, see [Teams Message Entity Panel for Microsoft Teams](teams-message-entity-panel.md).
-If you're interested in previewing the previously described features for ALL users in your tenant, you can use an Exchange Online PowerShell cmdlet to enable them. Make sure you have the latest version of the PowerShell module.
+- **Attack simulation training using Teams messages**: To ensure users are resilient to phishing attacks in Microsoft Teams, admins can configure phishing simulations using Teams messages instead of email messages. For more information, see [Microsoft Teams in Attack simulation training](attack-simulation-training-teams.md).
-After you [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), run the following command to join the Teams preview:
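Review bot: The new ZAP bullet expands the acronym as "Zero-hour auto protection (ZAP) for Teams", while the sentence that follows it, its link text, and the portal section named in step 2 all say "Zero-hour auto purge (ZAP)". Use "Zero-hour auto purge" in the bullet heading so the term matches what admins see in the portal and in the linked article. The same bullet now describes email ZAP as covering spam and moving messages to the Junk Email folder. The removed text said outright that ZAP for Teams acts on malware or high confidence phishing, not spam, and keeping that one sentence would make the narrower Teams scope explicit.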
+## Configure ZAP for Teams protection in Defender for Office 365 Plan 2
+
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **Microsoft Teams protection**. Or, to go directly to the **Microsoft Teams protection** page, use <https://security.microsoft.com/securitysettings/teamsProtectionPolicy>.
+
+2. On the **Microsoft Teams protection** page, verify the toggle in the **Zero-hour auto purge (ZAP)** section:
+ - **Turn on ZAP for Teams**: Verify the toggle is **On** :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
+ - **Turn off ZAP for Teams**: Slide the toggle to **Off** :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::.
+
+ > [!NOTE]
+ > Before August 22, 2023, even if the toggle is **On**, do the following steps to activate ZAP for Teams protection:
+ >
+ > 1. Slide the toggle to **Off** :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::, select **Save** at the bottom of the page, and then select **OK** in the confirmation dialog that opens.
+ > 2. Slide the toggle to **On** :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::, select **Save** at the bottom of the page, and then select **OK** in the confirmation dialog that opens.
+ >
+ > Before August 22, 2023, run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to verify that ZAP for Teams protection is turned on: `Get-TeamsProtectionPolicy | Format-List ZapEnabled`. The value True means ZAP for Teams is turned on. The value False means ZAP for Teams is turned off.
+ >
+ > After August 22, 2023, ZAP for Teams protection is turned on and functional by default (**On** on the **Microsoft Teams protection** page means ZAP for Teams is turned on, so there's no need to confirm in PowerShell).
+
+3. When the toggle is **On** :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::, use the remaining settings on the page to customize ZAP for Teams protection:
+
+ - **Quarantine policies** section: You can select the existing quarantine policy to use for messages that are quarantined by ZAP for Teams protection as **Malware** or **High confidence phishing**. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+
+ > [!NOTE]
+ > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware or high confidence phishing, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+
+ - **Exclude these participants** section: Specify the **Users**, **Groups**, or **Domains** to exclude from ZAP for Teams protection. Exclusions matter for message _recipients_, not message _senders_. For more information, see [Zero-hour auto purge (ZAP) in Microsoft Teams](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams).
+
+ > [!IMPORTANT]
+ > Unlike all other security policies in Exchange Online Protection and Defender for Office 365, multiple different types of exceptions for ZAP for Teams protection use OR logic instead of AND. The message is excluded from ZAP for Teams protection for recipients that match _any_ of the specified filters. For example, you configure exclusions with the following values:
+ >
+ > - Users: romain@contoso.com
+ > - Groups: Executives
+ >
+ > The user romain@contoso.com and members of the Executives group are excluded from ZAP for Teams protection.
+
+4. When you're finished on the **Microsoft Teams protection** page, select **Save**.
++
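Review bot: The added line that contains only "+", just before the "### Use Exchange Online PowerShell to configure ZAP for Teams protection" heading, looks like a stray character that will render as a literal plus sign after step 4; it should be a blank line. Separately, the note under step 2 is tied to August 22, 2023 in three places. It needs a follow-up change to drop the toggle Off/On workaround and the `Get-TeamsProtectionPolicy | Format-List ZapEnabled` check once that date has passed, because the workaround turns the protection off, if only briefly, every time an admin follows it.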
+### Use Exchange Online PowerShell to configure ZAP for Teams protection
+
+If you'd rather use [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to configure ZAP for Microsoft Teams, the following cmdlets are involved:
+
+- The Teams protection policy (**\*-TeamsProtectionPolicy** cmdlets) turns ZAP for Teams on and off and specifies the quarantine policies to use for malware and high confidence phishing detections.
+- The Teams protection policy rule (**\*-TeamsProtectionPolicyRule** cmdlets) identifies the Teams protection policy and specifies any exceptions for ZAP for Teams protection (users, groups, or domains).
+
+**Notes**:
+
+- There's only one Teams protection policy in an organization. By default, that policy is named Teams Protection Policy.
+- Using the **New-TeamsProtectionPolicy** cmdlet is meaningful only if there's no Teams protection policy in the organization (the **Get-TeamsProtectionPolicy** cmdlet returns nothing). You can run the cmdlet without error, but no new Teams protection policies are created if one already exists.
+- You can't remove an existing Teams protection policy or Teams protection policy rule (there's no **Remove-TeamsProtectionPolicy** or **Remove-TeamsProtectionPolicyRule** cmdlet).
+- By default, there's no Teams protection policy rule (the **Get-TeamsProtectionPolicyRule** cmdlet returns nothing). Specifying quarantine policies or exceptions for ZAP for Teams in the Defender portal creates the rule automatically. Or, you can use the **New-TeamsProtectionPolicyRule** cmdlet to create the rule in PowerShell if it doesn't already exist.
+
+#### Use PowerShell to view the Teams protection policy and Teams protection policy rule
+
+To view the important values in Teams protection policy and Teams protection policy rule, run the following commands:
+
+```powershell
+Get-TeamsProtectionPolicy | Format-List Name,ZapEnabled,HighConfidencePhishQuarantineTag,MalwareQuarantineTag
+
+Get-TeamsProtectionPolicyRule | Format-List Name,TeamsProtectionPolicy,ExceptIfSentTo,ExceptIfSentToMemberOf,ExceptIfRecipientDomainIs
+```
+
+For detailed syntax and parameter information, see [Get-TeamsProtectionPolicy](/powershell/module/exchange/get-teamsprotectionpolicy) and [Get-TeamsProtectionPolicyRule](/powershell/module/exchange/get-teamsprotectionpolicyrule).
+
+#### Use PowerShell to modify the Teams protection policy
+
+To modify the Teams protection policy, use the following syntax:
```powershell
-Set-TeamsSecurityPreview -Enable $true
+Set-TeamsProtectionPolicy -Identity "Teams Protection Policy" [-ZapEnabled <$true | $false>] [-HighConfidencePhishQuarantineTag "<QuarantinePolicyName>"] [-MalwareQuarantineTag "<QuarantinePolicyName>"]
```
-> [!NOTE]
-> This cmdlet informs Microsoft that you want to join the Teams preview. By running this cmdlet, your tenant will be added to the rollout schedule. The features will be enabled over time during the preview period.
+This example enables ZAP for Teams and changes the quarantine policy that's used for high confidence phishing detections:
-To check the status for your tenant, run the following command:
+```powershell
+Set-TeamsProtectionPolicy -Identity "Teams Protection Policy" -ZapEnabled $true -HighConfidencePhishQuarantineTag AdminOnlyWithNotifications
+```
+
+For detailed syntax and parameter information, see [Set-TeamsProtectionPolicy](/powershell/module/exchange/set-teamsprotectionpolicy).
+
+#### Use PowerShell to create the Teams protection policy rule
+
+By default, there's no Teams protection policy rule, because there are no default exceptions for ZAP for Teams.
+
+To create a new Teams protection policy rule, use the following syntax:
+
+```powershell
+New-TeamsProtectionPolicyRule -Name "Teams Protection Policy Rule" -TeamsProtectionPolicy "Teams Protection Policy" [-ExceptIfSentTo <UserEmail1,UserEmail2,...UserEmailN>] [-ExceptIfSentToMemberOf <GroupEmail1,GroupEmail2,...GroupEmailN>] [-ExceptIfRecipientDomainIs <Domain1,Domain2,...DomainN>]
+```
+
+> [!IMPORTANT]
+> As explained previously in this article, multiple exception types (users, groups, and domains) use OR logic, not AND.
+
+This example creates the Teams protection policy rule with members of the group named Research excluded from ZAP for Teams protection.
+
+```powershell
+New-TeamsProtectionPolicyRule -Name "Teams Protection Policy Rule" -TeamsProtectionPolicy "Teams Protection Policy" -ExceptIfSentToMemberOf research@contoso.onmicrosoft.com
+```
+
+For detailed syntax and parameter information, see [New-TeamsProtectionPolicyRule](/powershell/module/exchange/new-teamsprotectionpolicyrule).
+
+#### Use PowerShell to modify the Teams protection policy rule
+
+If the Teams protection policy rule already exists (the **Get-TeamsProtectionPolicyRule** cmdlet returns output), use the following syntax to modify the rule:
+
+```powershell
+Set-TeamsProtectionPolicyRule -Identity "Teams Protection Policy Rule" [-ExceptIfSentTo <UserEmailAddresses | $null>] [-ExceptIfSentToMemberOf <GroupEmailAddresses | $null>] [-ExceptIfRecipientDomainIs <Domains | $null>]
+```
+
+**Notes**:
+
+- For information about the syntax for adding, removing, and replacing all values for the _ExceptIfSentTo_, _ExceptIfSentToMemberOf_, and _ExceptIfRecipientDomainIs_ parameters, see the parameter descriptions in [Set-TeamsProtectionPolicyRule](/powershell/module/exchange/set-teamsprotectionpolicyrule).
+- To empty the _ExceptIfSentTo_, _ExceptIfSentToMemberOf_, or _ExceptIfRecipientDomainIs_ parameters, use the value `$null`.
+
+This example modifies the existing Teams protection policy rule by excluding recipients in the domains research.contoso.com and research.contoso.net from ZAP for Teams protection.
```powershell
-Get-TeamsSecurityPreview
+Set-TeamsProtectionPolicyRule -Identity "Teams Protection Policy Rule" -ExceptIfRecipientDomainIs research.contoso.com,research.contoso.net
```
+For detailed syntax and parameter information, see [Set-TeamsProtectionPolicyRule](/powershell/module/exchange/set-teamsprotectionpolicyrule).
+ ## See also - [Microsoft Teams](/microsoftteams/teams-overview)
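Review bot: The Set-TeamsProtectionPolicyRule example passes a plain comma-separated list to -ExceptIfRecipientDomainIs, and its lead-in sentence does not say whether that adds to or replaces the exclusions already on the rule. The notes just above it point to separate syntax for adding, removing, and replacing all values, so the lead-in should state which of those this example is; an admin who copies it onto a rule with existing exclusions needs to know whether the earlier entries survive. Every exclusion takes recipients out of ZAP for Teams and the exception types combine with OR, so the example could also end by pointing back to the Get-TeamsProtectionPolicyRule command from the view section to confirm the resulting lists. Minor: this code fence and the "For detailed syntax" paragraph after it lack the blank lines that the other added blocks have.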
security Microsoft Defender For Office 365 Product Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview.md
description: Security in Office 365, from EOP to Defender for Office 365 Plans 1
adobe-target: true Previously updated : 06/09/2023 Last updated : 8/7/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
appliesto:
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-This article will introduce you to your new Microsoft Defender for Office 365 security properties in the Cloud. Whether you're part of a Security Operations Center, you're a Security Administrator new to the space, or you want a refresher, let's get started.
+This article introduces you to your new Microsoft Defender for Office 365 security properties in the Cloud. Whether you're part of a Security Operations Center, you're a Security Administrator new to the space, or you want a refresher, let's get started.
> [!CAUTION] > If you're using **Outlook.com**, **Microsoft 365 Family**, or **Microsoft 365 Personal**, and need *Safe Links* or *Safe Attachments* info, ***click this link***: [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-office-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2). ## What is Defender for Office 365 security
-Every Office 365 subscription comes with security capabilities. The goals and actions that you can take depend on the focus of these different subscriptions. In Office 365 security, there are three main security services (or products) tied to your subscription type:
+Every Office 365 subscription comes with security capabilities. The goals and available actions depend on the focus of these different subscriptions. In Office 365 security, there are three main security services (or products) tied to your subscription type:
-1. Exchange Online Protection (EOP)
-1. Microsoft Defender for Office 365 Plan 1 (Defender for Office P1)
-1. Microsoft Defender for Office 365 Plan 2 (Defender for Office P2)
+1. Exchange Online Protection (EOP).
+1. Microsoft Defender for Office 365 Plan 1 (Defender for Office P1).
+1. Microsoft Defender for Office 365 Plan 2 (Defender for Office P2).
> [!NOTE] > If you bought your subscription and need to roll out security features *right now*, skip to the steps in the [Protect Against Threats](protect-against-threats.md) article. If you're new to your subscription and would like to know your license before you begin, browse Billing > Your Products in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/#/homepage).
But in terms of architecture, let's start by thinking of each piece as cumulativ
Though each of these services emphasizes a goal from among Protect, Detect, Investigate, and Respond, ***all*** the services can carry out ***any*** of the goals of protecting, detecting, investigating, and responding.
-The core of Office 365 security is EOP protection. Microsoft Defender for Office 365 P1 contains EOP in it. Defender for Office 365 P2 contains P1 and EOP. The structure is cumulative. That's why, when configuring this product, you should start with EOP and work to Defender for Office 365.
+The core of Office 365 security is EOP protection. Microsoft Defender for Office 365 P1 contains EOP. Defender for Office 365 P2 contains P1 and EOP. The structure is cumulative. That's why, when configuring this product, you should start with EOP and work up to Defender for Office 365.
Though email authentication configuration takes place in public DNS, it's important to configure this feature to help defend against spoofing. *If you have EOP,* ***you should [configure email authentication](email-authentication-about.md)***.
-If you have an Office 365 E3, or below, you have EOP, but with the option to buy standalone Defender for Office 365 P1 through upgrade. If you have Office 365 E5, you already have Defender for Office 365 P2.
+If you have an Office 365 E3 or virtually any subscription with Exchange Online mailboxes, you definitely have EOP. You can most likely purchase Defender for Office 365 as an add-on subscription. If you have Office 365 E5, you already have Defender for Office 365 P2.
> [!TIP]
-> If your subscription is neither Office 365 E3 or E5, you can still check to see if you have the option to upgrade to Microsoft Defender for Office 365 P1. If you're interested, [this webpage](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection#coreui-contentrichblock-x07wids) lists subscriptions eligible for the Microsoft Defender for Office 365 P1 upgrade (check the end of the page for the fine-print).
+> If your subscription is neither Office 365 E3 or E5, you can use [this page](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection#coreui-contentrichblock-x07wids) to see if you can upgrade to Microsoft Defender for Office 365 (check the end of the page for the fine-print).
## The Office 365 security ladder from EOP to Microsoft Defender for Office 365 > [!IMPORTANT] > Learn the details on these pages: [Exchange Online Protection](eop-about.md), and [Defender for Office 365](defender-for-office-365.md).
-What makes adding Microsoft Defender for Office 365 plans an advantage to pure EOP threat management can be difficult to tell at first glance. To help sort out if an upgrade path is right for your organization, let's look at the capabilities of each product when it comes to:
+What makes adding Microsoft Defender for Office 365 plans an advantage to pure EOP threat management can be difficult to tell at first glance. To determine if an upgrade path is right for your organization, let's look at the capabilities of each product when it comes to:
-- preventing and detecting threats-- investigating-- responding
+- Preventing and detecting threats
+- Investigating
+- Responding
-starting with **Exchange Online Protection**:
-<p>
+The capabilities of **Exchange Online Protection** are summarized in the following table:
|Prevent/Detect|Investigate|Respond| ||||
-|Technologies include:<ul><li>spam</li><li>phish</li><li>malware</li><li>bulk mail</li><li>spoof intelligence</li><li>impersonation detection</li><li>Admin Quarantine</li><li>False positives and false negative reporting by admin submissions and user reported messages</li><li>Allow and block entries for URLs and files in the Tenant Allow/Block List</li><li>Reports</li></ul>|<li>Audit log search</li><li>Message Trace</li>|<li>Zero-hour auto purge (ZAP)</li><li>Refinement and testing of entries in the Tenant Allow/Block List</li>|
+|Technologies include:<ul><li>Spam</li><li>Phishing</li><li>Malware</li><li>Bulk mail</li><li>Spoof intelligence</li><li>Quarantine</li><li>False positives and false negative reporting by admin submissions and user reported messages</li><li>Allow and block entries in the Tenant Allow/Block List for: <ul><li>Domains and email addresses</li><li>Spoof</li><li>URLs</li><li>Files</li></ul></li></ul>|<ul><li>Audit log search</li><li>Message Trace</li><li>Email security reports</li></ul>|<ul><li>Zero-hour auto purge (ZAP)</li><li>Refinement and testing of entries in the Tenant Allow/Block List</li></ul>|
If you want to dig in to EOP, **[jump to this article](eop-about.md)**.
-Because these products are cumulative, if you evaluate Microsoft Defender for Office 365 P1 and decide to subscribe to it, you'll add these abilities.
-
-Gains with **Defender for Office 365, Plan 1** (to date):
-<p>
+If you evaluate and ultimately purchase **Microsoft Defender for Office 365 P1**, you get these additional capabilities over EOP:
|Prevent/Detect|Investigate|Respond| ||||
-|Technologies include everything in EOP plus:<ul><li>Safe attachments</li><li>Safe links<li>Microsoft Defender for Office 365 protection for workloads (ex. SharePoint Online, Teams, OneDrive for Business)</li><li>Time-of-click protection in email, Office clients, and Teams</li><li>anti-phishing in Defender for Office 365</li><li>User and domain impersonation protection</li><li>Alerts, and SIEM integration API for alerts</li>|<li>SIEM integration API for detections</li><li>**Real-time detections tool**</li><li>URL trace</li>|<li>Same</li></ul>
+|<ul><li>Safe Attachments in email</li><li>Safe Attachments for SharePoint, OneDrive, and Microsoft Teams</li><li>Safe Links in email, Office clients, and Teams</li><li>Advanced anti-phishing thresholds in anti-phishing policies</li><li>User, domain, and mailbox intelligence impersonation protection in anti-phishing policies</li><li>Alerts, and SIEM integration API for alerts</li></ul>|<ul><li>SIEM integration API for detections</li><li>**Real-time detections**</li><li>URL trace</li><li>Specific Defender for Office 365 reports</li></ul>|<li>Same</li></ul>
So, Microsoft Defender for Office 365 P1 expands on the ***prevention*** side of the house, and adds extra forms of ***detection***.
-Microsoft Defender for Office 365 P1 also adds **Real-time detections** for investigations. This threat hunting tool's name is in bold because having it is clear means of *knowing* you have Defender for Office 365 P1. It doesn't appear in Defender for Office 365 P2.
+Microsoft Defender for Office 365 P1 also adds **Real-time detections** for investigations. The presence of **Real-time detections** as a selection in the Microsoft 365 Defender portal means you have Defender for Office 365 P1.
-Gains with **Defender for Office 365, Plan 2** (to date):
-<p>
+If you evaluate and ultimately purchase **Microsoft Defender for Office 365 P2**, you get these additional capabilities over EOP and Defender for Office 365 P1:
|Prevent/Detect|Investigate|Respond| ||||
-|Technologies include everything in EOP, and Microsoft Defender for Office 365 P1 plus:<ul><li>Same</li>|<li>**Threat Explorer**</li><li>Threat Trackers</li><li>Campaign views</li>|<li>Automated Investigation and Response (AIR)</li><li>AIR from Threat Explorer</li><li>AIR for compromised users</li><li>SIEM Integration API for Automated Investigations</li>
+|<ul><li>Attack simulation training</li>|<li>**Threat Explorer**</li><li>Threat Trackers</li><li>Campaign views</li>|<li>Automated Investigation and Response (AIR)</li><li>AIR from Threat Explorer</li><li>AIR for compromised users</li><li>SIEM Integration API for Automated Investigations</li>
-So, Microsoft Defender for Office 365 P2 expands on the ***investigation and response*** side of the house, and adds a new hunting strength. Automation.
+So, Microsoft Defender for Office 365 P2 expands on the ***investigation and response*** side of the house, and adds a new hunting strength: Automation.
In Microsoft Defender for Office 365 P2, the primary hunting tool is called **Threat Explorer** rather than Real-time detections. If you see Threat Explorer when you navigate to the Microsoft 365 Defender portal, you're in Microsoft Defender for Office 365 P2. To get into the details of Microsoft Defender for Office 365 P1 and P2, **[jump to this article](defender-for-office-365.md)**. > [!TIP]
-> EOP and Microsoft Defender for Office 365 are also different when it comes to end-users. In EOP and Defender for Office 365 P1, the focus is *awareness*, and so those two services include the *Report message Outlook add-in* so users can report emails they find suspicious, for further analysis. <p> In Defender for Office 365 P2 (which contains everything in EOP and P1), the focus shifts to *further training* for end-users, and so the Security Operations Center has access to a powerful *Threat Simulator* tool, and the end-user metrics it provides.
+> EOP and Microsoft Defender for Office 365 are also different when it comes to end-users. In EOP and Defender for Office 365 P1, the focus is *awareness*. The [Microsoft Report Message and Report Phishing add-ins](submissions-users-report-message-add-in-configure.md) are available for users to report messages that they find suspicious.
+>
+> In Defender for Office 365 P2 (which contains everything in EOP and P1), the focus shifts to *further training* for end-users. The Security Operations Center has access to a powerful *Threat Simulator* tool, and the end-user metrics it provides.
## Microsoft Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet
-This quick-reference will help you understand what capabilities come with each Microsoft Defender for Office 365 subscription. When combined with your knowledge of EOP features, it can help business decision makers determine what Microsoft Defender for Office 365 is best for their needs.
+This quick-reference helps you understand what capabilities come with each Microsoft Defender for Office 365 subscription. When combined with your knowledge of EOP features, it can help business decision makers determine what Microsoft Defender for Office 365 is best for their needs.
|Defender for Office 365 Plan 1|Defender for Office 365 Plan 2| |||
-|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments-about.md)</li><li>[Safe Links](safe-links-about.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Anti-phishing protection in Defender for Office 365](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer-about.md)</li></ul>|Defender for Office 365 Plan 1 capabilities <p> plus <p> Automation, investigation, remediation, and education capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer-about.md)</li><li>[Automated investigation and response](air-about.md)</li><li>[Attack simulation training](attack-simulation-training-simulations.md)</li><li>[Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](../defender/advanced-hunting-overview.md)</li><li>[Investigate incidents in Microsoft 365 Defender](../defender/investigate-incidents.md)</li><li>[Investigate alerts in Microsoft 365 Defender](../defender/investigate-alerts.md)</li></ul>|
+|Prevent and detect capabilities: <ul><li>[Safe Attachments](safe-attachments-about.md), including [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links](safe-links-about.md)</li><li>[Advanced phishing thresholds and impersonation protection](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer-about.md)</li></ul>|Everything in Defender for Office 365 Plan 1 capabilities <br/><br/> plus <br/><br/> Prevent and detect capabilities: <ul><li>[Attack simulation training](attack-simulation-training-simulations.md)</li></ul> <br/> Automate, investigate, and respond capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer-about.md)</li><li>[Automated investigation and response](air-about.md)</li><li>[Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](../defender/advanced-hunting-overview.md)</li><li>[Investigate incidents in Microsoft 365 Defender](../defender/investigate-incidents.md)</li><li>[Investigate alerts in Microsoft 365 Defender](../defender/investigate-alerts.md)</li></ul>|
- Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365 A5, and Microsoft 365 E5.- - Microsoft Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium.--- Microsoft Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2 are each available as an add-on for certain subscriptions. To learn more, here's another link [Feature availability across Microsoft Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability-across-advanced-threat-protection-atp-plans).--- The [Safe Documents](safe-documents-in-e5-plus-security-about.md) feature is only available to users with the Microsoft 365 A5 or Microsoft 365 E5 Security licenses (not included in Microsoft Defender for Office 365 plans).--- If your current subscription doesn't include Microsoft Defender for Office 365 and you want it, [contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html), and find out how Microsoft Defender for Office 365 can work for in your organization.-
+- Microsoft Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2 are each available as an add-on for certain subscriptions. To learn more, see [Feature availability across Microsoft Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability-across-advanced-threat-protection-atp-plans).
+- [Safe Documents](safe-documents-in-e5-plus-security-about.md) is available to users with the Microsoft 365 A5 or Microsoft 365 E5 Security licenses (not included in Microsoft Defender for Office 365 plans).
+- If your current subscription doesn't include Microsoft Defender for Office 365 Plan 2, you can [try Microsoft Defender for Office 365](try-microsoft-defender-for-office-365.md) free for 90 days. Or, [contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html).
- Microsoft Defender for Office 365 P2 customers have access to **Microsoft 365 Defender integration** to efficiently detect, review, and respond to incidents and alerts. > [!TIP]
-> ***Insider tip***. You can use the Microsoft Learn table of contents to learn about EOP and Microsoft Defender for Office 365. Navigate back to this page, [Office 365 Security overview](index.yml), and you'll notice that table of contents organization in the side-bar. It begins with Deployment (including migration) and then continues into prevention, detection, investigation, and response. <p> This structure is divided so that **Security Administration** topics are followed by **Security Operations** topics. If you're a new member of either job role, use the link in this tip, and your knowledge of the table of contents, to help learn the space. Remember to use *feedback links* and *rate articles* as you go. Feedback helps us improve what we offer you.
+> ***Insider tip***. You can use the Microsoft Learn table of contents to learn about EOP and Microsoft Defender for Office 365. Navigate back to this page, [Office 365 Security overview](index.yml), and you'll notice that table of contents organization in the side-bar. It begins with Deployment (including migration) and then continues into prevention, detection, investigation, and response.
+>
+> This structure is divided so that **Security Administration** topics are followed by **Security Operations** topics. If you're a new member of either job role, use the link in this tip, and your knowledge of the table of contents, to help learn the space. Remember to use *feedback links* and *rate articles* as you go. Feedback helps us improve what we offer you.
## Where to go next
-If you're a Security Admin, you may need to configure DKIM or DMARC for your mail. You may want to roll out 'Strict' security presets for your priority users, or look for what's new in the product. Or if you're with Security Ops, you may want to leverage Real-time detections or Threat Explorer to investigate and respond, or train end-user detection with Attack Simulator. Either way, here are some additional recommendations for what to look at next.
+If you're a Security Admin, you may need to configure DKIM or DMARC for your mail. You may want to roll out 'Strict' security presets for your priority users, or look for what's new in the product. Or if you're with Security Ops, you may want to use Real-time detections or Threat Explorer to investigate and respond, or train end-user detection with Attack Simulator. Either way, here are some additional recommendations for what to look at next:
[Email Authentication, including SPF, DKIM, and DMARC (with links to setup of all three)](email-authentication-about.md)
security Quarantine About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-about.md
description: Admins can learn about quarantine in Exchange Online Protection (EOP) that holds potentially dangerous or unwanted messages. Previously updated : 7/24/2023 Last updated : 8/4/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
How long quarantined messages or files are held in quarantine before they expire
|Messages quarantined by anti-spam policies: spam, high confidence spam, phishing, high confidence phishing, or bulk.|15 days: <ul><li>In the default anti-spam policy.</li><li>In anti-spam policies that you create in PowerShell.</li></ul> <br/> 30 days in anti-spam policies that you create in the Microsoft 365 Defender portal.|Yes|You can configure (lower) this value in anti-spam policies. For more information, see the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) setting in [Configure anti-spam policies](anti-spam-policies-configure.md).| |Messages quarantined by anti-phishing policies: spoof intelligence in EOP; user impersonation, domain impersonation, or mailbox intelligence in Defender for Office 365.|30 days|Yes|This retention period is also controlled by the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) setting in **anti-spam** policies. The retention period that's used is the value from the first matching **anti-spam** policy that the recipient is defined in.| |Messages quarantined by anti-malware policies (malware messages).|30 days|No|If you turn on the *common attachments filter* in anti-malware policies (in the default policy or in custom policies), file attachments in email messages to the affected recipients are treated as malware based solely on the file extension. A predefined list of mostly executable file types is used by default, but you can customize the list. For more information, see [Common attachments filter in anti-malware policies](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies).|
-|Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware messages).|30 days|No||
|Messages quarantined by mail flow rules: the action is **Deliver the message to the hosted quarantine** (_Quarantine_).|30 days|No||
+|Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware messages).|30 days|No||
|Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files).|30 days|No|Files quarantined in SharePoint or OneDrive are removed fom quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state.|
+|Messages in chats and channels quarantined by zero-hour auto protection (ZAP) for Microsoft Teams in Defender for Office 365|30 days|No|
When a message expires from quarantine, you can't recover it.
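Review bot: The added row for Teams messages quarantined by ZAP ends at `|No|`, so it has three cells where every other row in this table has four (the neighbouring rows close with `|No||`); add the empty fourth cell so the row renders consistently. The same row expands ZAP as "zero-hour auto protection", while the rest of this update expands it as "zero-hour auto purge", and its description lacks the closing period that the other rows have.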
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
Admins can create or use quarantine policies with more restrictive or less restr
|**Quarantine policy** for **High confidence phishing** (_HighConfidencePhishQuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|| |**Bulk compliant level (BCL) met or exceeded** (_BulkSpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)|| |**Quarantine policy** for **Bulk compliant level (BCL) met or exceeded** (_BulkQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if bulk detections are quarantined.|
-|**Intra-Organizational messages to take action on** (_IntraOrgFilterState_)|**Default** (Default)|**Default** (Default)|**Default** (Default)|Currently, the value **Default** is the same as selecting **None**. The behavior for the value **Default** will eventually change to apply the action for high confidence phishing detections in the policy as if you selected **High confidence phishing messages**. Check the Message Center for announcements to changes in this setting.|
+|**Intra-Organizational messages to take action on** (_IntraOrgFilterState_)|**Default** (Default)|**Default** (Default)|**Default** (Default)|The value **Default** is the same as selecting **High confidence phishing messages**. Currently, in U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), the value **Default** is the same as selecting **None**.|
|**Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_)|15 days|30 days|30 days|This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-about.md).| |**Enable spam safety tips** (_InlineSafetyTipsEnabled_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|| |Enable zero-hour auto purge (ZAP) for phishing messages (_PhishZapEnabled_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||
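Review bot: The new comment on _IntraOrgFilterState_ says that **Default** is the same as **None** in Microsoft 365 GCC, GCC High, and DoD, yet the Default, Standard and Strict columns all still list **Default**, so for those organizations the Standard and Strict recommendation is equivalent to **None**. Consider saying in the comment whether government organizations should select an explicit value such as **High confidence phishing messages** instead of relying on **Default**.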
security Zero Hour Auto Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md
description: Zero-hour auto purge (ZAP) moves delivered messages in Microsoft 365 mailboxes to the Junk Email folder or quarantine if those messages are retroactively found to be spam, phishing, or contain malware. Previously updated : 7/31/2023 Last updated : 8/4/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
To determine if ZAP moved your message, you have the following options:
> [!NOTE] > ZAP is not logged in the Exchange mailbox audit logs as a system action.
-### Zero-hour auto purge (ZAP) considerations for Microsoft Defender for Office 365
+### Zero-hour auto purge (ZAP) considerations for Safe Attachments in Microsoft Defender for Office 365
ZAP doesn't quarantine messages that are in the process of [Dynamic Delivery](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies) in Safe Attachments policy scanning. If a phishing or spam signal is received for messages in this state, and the filtering verdict in the anti-spam policy is set to take some action on the message (Move to Junk, Redirect, Delete, or Quarantine), ZAP reverts to the 'Move to Junk' action. ## Zero-hour auto purge (ZAP) in Microsoft Teams > [!NOTE]
-> ZAP for Microsoft Teams is available only to customers with Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 subscriptions.
+> ZAP for Microsoft Teams is available only to customers with Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 subscriptions. To configure ZAP for Teams protection, see [Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams](mdo-support-teams-about.md).
>
-> Currently, ZAP is available for internal messages that are identified as malware or high confidence phishing.
+> ZAP for Teams is available for internal Teams messages that are identified as malware or high confidence phishing. Currently, external messages aren't supported.
>
-> Currently, blocking potentially malicious messages by ZAP is supported only for Teams Chats. Channels and external messages aren't supported.
+> Currently, ZAP for Teams is supported only for Teams chats, shared channels, and standard channels.
-When a chat message is identified as potentially phishing or malicious in Microsoft Teams, ZAP blocks the message and quarantines it. This message is blocked for both the recipient and the sender. This protection feature applies only to messages in a chat or in a meeting within the organization.
+Teams is different than email, because everyone in a Teams chat receives the same copy of the message at the same time (there's no message bifurcation). When ZAP for Teams protection blocks a message, the message is blocked for everyone in the chat. The initial block happens right after delivery, but ZAP occurs up to 48 hours after delivery.
+
+Exclusions for ZAP for Teams protection matter for message _recipients_, not message _senders_.
+
+ZAP for Teams protection is able to take action on messages for _all_ recipients in a chat if _any_ recipients in the chat aren't excluded from ZAP for Teams protection. Only when _all_ recipients in a chat are excluded from ZAP for Teams protection will ZAP not take action on a message. These scenarios are illustrated in the following table:
+
+|Scenario|Result|
+|||
+|Group chat with Recipients A, B, C, and D. <br/><br/> Recipients A, B, C, and D are excluded from ZAP for Teams protection.|ZAP won't block messages sent to the group chat.|
+|Group chat with Recipients A, B, C, and D. <br/><br/> Only recipients A, B, and C are excluded from ZAP for Teams protection.|ZAP is able to block messages sent to the group chat for all recipients.|
+|Group chat with Recipients A, B, C, and D. <br/><br/> Recipients A, B, C, and D aren't excluded from ZAP for Teams protection. <br/><br/> Sender X is excluded from ZAP for Teams protection and sends a message to the group chat.|ZAP is able to block messages sent to the group chat for all recipients.|
**Sender view**: **Recipient view**: -
-Admins can view and manage these quarantined messages in the Quarantine view. For more information, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages). Currently, you can't view or manage quarantined Teams messages unless you're an admin.
### Zero-hour auto purge (ZAP) for high confidence phishing messages in Teams
-For Teams messages that are identified as high confidence phishing after delivery, ZAP blocks and quarantines the message. By default, only admins can view and manage quarantined high confidence phishing messages.
+For messages that are identified as high confidence phishing after delivery, ZAP for Teams protection blocks and quarantines the message. To set the quarantine policy that's used for high confidence phishing detections in ZAP for Teams, see [Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams](mdo-support-teams-about.md).
### Zero-hour auto purge (ZAP) for malware in Teams messages
-For Teams messages that are identified as malware, ZAP blocks and quarantines the message. By default, only admins can view and manage quarantined malware messages.
-
-### How to see if ZAP blocked your Teams message
-
-To find out if ZAP blocked your Teams message, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages).
-
-### Zero-hour auto purge (ZAP) quarantine policies for Teams
-
-To protect your Teams chats and channels, go to the Microsoft 365 Defender portal at <https://security.microsoft.com/>, go to **Settings** > **Email & collaboration** > **Microsoft Teams protection**. The Zero-hour auto purge protection is turned on by default. Note that for this release, protection for Teams chats and shared and standard channels are supported.
--
-Admins can configure quarantine policy options for malware and high-confidence phishing. **AdminOnlyAccessPolicy** is the only quarantine policy available for both malware and high-confidence phishing for this release of the product.
-
-You can also configure exceptions to the ZAP policy.
--- User exceptions: -
- - You can select one or multiple users.
+For messages that are identified as malware, ZAP for Teams protection blocks and quarantines the message. To set the quarantine policy that's used for malware detections in ZAP for Teams, see [Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams](mdo-support-teams-about.md).
- - Once you save the policy, the users in the exception list are exempt from the policy setting.
+### How to see if ZAP blocked a Teams message
- - Exceptions are only honored when all users in the chat are on the exception list.
--- Group exceptions:-
- - You can select one or multiple groups selected.
-
- - Once you save the policy, the groups in the exception list are exempt from the policy setting.
--- Domain exceptions: -
- - You can select one or multiple domains.
-
- - Once you save the policy, the domain exception list is exempt from the policy setting.
-
-For more information on creating policies, see [Quarantine policies](quarantine-policies.md). Note that creating custom policies is currently not supported in this release.
-
-#### Create ZAP quarantine policies in PowerShell
-
-You can also use PowerShell to create quarantine policies. Connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) or [standalone Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell) and use the `TeamsProtectionPolicy` cmdlet.
-
-All parameters and values are defined in the following table.
-
-|Parameter|Description|Value|
-||||
-|MalwareQuarantinePolicy|The quarantine policy to be applied for malware.|`AdminOnlyAccessPolicy`|
-|HighConfidencePhishQuarantinePolicy|The quarantine policy applied for High-confidence phish verdicts.|`AdminOnlyAccessPolicy`|
-|ExemptUsers|List of users exempt from ZAP.|`ExceptIfSentTo`|
-|ExemptGroups|List of groups exempt from ZAP.|`ExceptIfSentToMemberOf`|
-|ExemptDomains|List of domains exempt from ZAP.|`ExceptIfRecipientDomainIs`|
+Currently, only admins can view and manage messages that were quarantined by ZAP for Teams protection. For more information, see [Use the Microsoft 365 Defender portal to manage Microsoft Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages).
## Zero-hour auto purge (ZAP) FAQ
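Review bot: In the new paragraph that begins "Teams is different than email", the sentence "The initial block happens right after delivery, but ZAP occurs up to 48 hours after delivery" treats the initial block and ZAP as two separate things without saying what performs the initial block; reword it so the reader can tell which mechanism acts at delivery and which acts within the 48-hour window. The removed text also covered group and domain exceptions and the portal location of the setting, while the new exclusion paragraphs and table speak only of individual recipients, so confirm that the linked mdo-support-teams-about.md covers those cases, or state here that the all-recipients rule applies to group and domain exclusions as well.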
ZAP takes action on a message based on the configuration of anti-spam policies a
### What are the licensing requirements for ZAP?
-There are no special licensing requirements for ZAP. ZAP works on all mailboxes hosted in Exchange Online. ZAP doesn't work in on-premises mailboxes that are protected by standalone EOP.
+There are no special licensing requirements for ZAP for malware, spam, and phishing. ZAP works on all mailboxes hosted in Exchange Online. ZAP doesn't work in on-premises mailboxes that are protected by standalone EOP.
+
+ZAP for Teams protection requires Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 licenses.
### Does ZAP work on messages in other folders in the mailbox (for example, messages moved by Inbox rules)?
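Review bot: "There are no special licensing requirements for ZAP for malware, spam, and phishing" does not say that it refers to ZAP for email, and ZAP for Teams also acts on malware and high confidence phishing, so the two licensing paragraphs read as overlapping. Naming the scope explicitly, for example "ZAP for email messages (malware, spam, and phishing)", would make the contrast with the Teams sentence that follows clear.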
syntex Esignature Send Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-send-requests.md
+
+ Title: Create, review, and sign signature requests using Microsoft Syntex eSignature (Preview)
++++ Last updated : 08/01/2023
+audience: enabler
++
+search.appverid:
+
+ - enabler-strategic
+ - m365initiative-syntex
+ms.localizationpriority: medium
+
+description: Learn how to use Microsoft Syntex eSignature to send electronic signature requests to people inside and outside of your organization.
++
+# Create, review, and sign signature requests using Microsoft Syntex eSignature (Preview)
+
+> [!NOTE]
+> This feature is currently in limited preview and subject to change.
+
+Microsoft Syntex eSignature simplifies the process of signing and sharing documents, while providing the security and compliance of Microsoft 365.
+
+With Syntex eSignature, you can quickly and securely send documents for signature to people both inside and outside of your organization. You'll also have a digital audit trail, which can be used to verify the authenticity of documents and transactions.
+
+## Before you begin
+
+Before you can use Syntex eSignature, an admin must [set up the Syntex eSignature service](esignature-setup.md) in the Microsoft 365 admin center.
+
+You must be signed in to SharePoint Online by using your work email address.
+
+> [!NOTE]
+> For this preview, Syntex eSignature is available for PDF documents only at this time.
+
+## Create a signature request
+
+1. From a SharePoint document library, open the document for which you want to start the Syntex eSignature process.
+
+2. In the document viewer, select **More options** (...), and then select **Get signatures**.
+
+ ![Screenshot of a document showing the Get signatures option.](../media/content-understanding/esignature-get-signatures-option.png)
+
+3. On the **Syntex eSignature** panel, add up to 10 internal or external recipients you want to sign the document, and then select **Next**.
+
+ ![Screenshot of the Add recipients panel.](../media/content-understanding/esignature-add-recipients-panel.png)
+
+4. On the **Add form fields** panel, drag and drop the **Signature**, **Initials**, and **Date** fields to the appropriate locations in the document for each recipient. Each form field can be marked either as required or not required.
+
+ ![Screenshot of the Add form fields panel.](../media/content-understanding/esignature-add-form-fields-panel.png)
+
+5. Select **Next** to progress to the next stage. At least one required signature field is needed for each recipient. Up to 50 fields (total) can be added to the document.
+
+6. On the **Review request** panel, enter a title for the request, add an optional message, and review the details on the panel to make sure it's correct. Then select **Send**.
+
+ ![Screenshot of the Review request panel.](../media/content-understanding/esignature-review-request-panel.png)
+
+ Once sent, the status of the request is set to **In progress** and recipients are able to add their signatures.
+
+### Unable to create a request
+
+If you aren't able to create a signature request, check the PDF viewer settings or the collaboration settings.
+
+#### PDF settings from the PDF viewer
+
+The PDF viewer is opened by selecting a PDF file from SharePoint Online. The ability to request signatures won't be available if the PDF is viewed in any other way (for example, in Microsoft Edge). If PDF files are opened in any other way, the **Get signatures** option isn't available.
+
+#### Collaboration settings
+
+Syntex eSignature is an extension of SharePoint document storage and management service. Therefore, all existing access, sharing, and data loss prevention policies that are already applied at the tenant level, SharePoint site and library level, or folder and file level might affect whether a request can be started from a document in SharePoint and who it can be sent to. Some of the scenarios that might affect the signature request process are:
+
+- The document has a sensitivity label applied that restricts access or sharing. This event limits who can start signature request with that document or the recipients that it can be sent to, depending on the label settings and the user's role.
+
+- The document is stored in a library or folder that has unique permissions or sharing settings. This event might override the default settings of the SharePoint site or tenant and either allow or block certain users from initiating or accessing an eSignature request with that document.
+
+- Azure Active Directory collaboration settings restrict document sharing to specific individuals. This event limits who the requests can be sent to.
+
+### Cancel a signature request
+
+If you create a signature request and want to cancel it, follow these steps.
+
+1. From one of your email notifications, select **View Request**.
+
+2. When the document is open in the document viewer, select **More options** (...), and then select **Cancel request**.
+
+ ![Screenshot of a document showing the Cancel signature request option.](../media/content-understanding/esignature-cancel-signature-request-option.png)
+
+3. On the **Cancel signature request** confirmation screen, enter a message detailing why the request is canceled if needed, and then select **Yes, cancel**.
+
+ ![Screenshot of the Cancel signature request confirmation screen.](../media/content-understanding/esignature-cancel-signature-request-confirmation.png)
+
+ Once canceled, the status of the request is set to **Canceled** and recipients receive an email notification telling them that the request was canceled and that no further action is possible on this request.
+
+## Review and sign a signature request
+
+When a signature request is created, an email notification is sent to the recipients. The notification contains details of the request, including all recipients who are required to sign, and any signing instructions. A recipient doesn't need to have a Syntex license or a Microsoft account to sign the request.
+
+### Access the document to be signed
+
+When you receive the email notification, select **View signed document** in the email to begin the signing process.
+
+![Screenshot of an email notification showing the View request button.](../media/content-understanding/esignature-notification-view-request.png)
+
+### Consent to use your electronic signature
+
+To continue the electronic signing process, you must consent to the terms and conditions and agree to use your electronic signature for signing. On the **Electronic Record and Signature Disclosure** screen:
+
+- Select **Agree** to use your electronic signature and continue with the signing process.
+- Or select **Decline** if you'd prefer [not to use your digital signature](#decline-to-sign-the-document), and contact the person who requested your signature to complete the signature by using a different method.
+- If you close the **Electronic Record and Signature Disclosure** without selecting the **Agree** button, you can reopen the dialog by selecting the **View disclosure** button on the top-left area of the document.
+
+ ![Screenshot of the Electronic Record and Signature Disclosure screen.](../media/content-understanding/esignature-signature-disclosure-screen.png)
+
+### Sign the document
+
+Once you give your consent, the document viewer opens in a new browser tab. Here you can navigate and read the document, and review the content. When youΓÇÖre ready to sign, select **Start**. This action brings you to the first location where your input is needed.
+
+![Screenshot of the document to be signed showing the Start button.](../media/content-understanding/esignature-start-signing.png)
+
+There are three different types of input you can be asked for:
+
+- [Signature](#signature)
+- [Initials](#initials)
+- [Date](#date)
+
+#### Signature
+
+Electronic signatures let you digitally sign a document by enabling you to add a representation of your physical signature.
+
+1. To add your signature, type your name. If you want to choose a different font style for your signature, select **Change font** and choose the font you want to use.
+
+ ![Screenshot of setting up your name and font for your signature.](../media/content-understanding/esignature-name-and-font.png)
+
+2. Select **Done** to add your signature to the document.
+
+3. Select **Next** to go to the next location in the document that requires your input.
+
+ ![Screenshot showing an electronic signature added to a document.](../media/content-understanding/esignature-signature-added.png)
+
+#### Initials
+
+In some locations within the document, you might be asked to add your initials to acknowledge a particular clause.
+
+1. Select **Initial here**, and enter your initials. This action is prepopulated if you've already entered your signature.
+
+ ![Screenshot showing the Initial here field for adding your electronic initials to a document.](../media/content-understanding/esignature-initial-here.png)
+
+2. Select **Next** to go to the next location in the document that requires your input.
+
+#### Date
+
+The date is prepopulated with the current dayΓÇÖs date.
+
+### Submit the signed document
+
+When you have entered all of the required input, select **Submit** to complete the signing process.
+
+![Screenshot of the completed document showing the Submit button.](../media/content-understanding/esignature-submit.png)
+
+The status of the request changes from **In progress** to **Completed**. The document becomes read-only. You'll receive an email notification saying that your signature has been received and the requester will be notified.
+
+Once everyone has signed the document, you'll receive an email notification saying where you can view the document and request details. The document is available via the **View request** button in the email for 30 days, so make sure you download it for your own records.
+
+### Decline to sign the document
+
+If you review the document and donΓÇÖt want to sign it, you can decline to sign.
+
+1. In the document viewer, select **More options** (...), and then select **Decline to sign**.
+
+ ![Screenshot of the document viewer showing the Decline to sign button.](../media/content-understanding/esignature-decline-to-sign.png)
+
+2. On the **You are declining to sign this document** screen, enter a reason for not signing document, and then select **Decline**. Or if you change your mind, select **Go back**.
+
+ ![Screenshot of the You are declining to sign this document screen.](../media/content-understanding/esignature-decline-to-sign-screen.png)
+
+Once you decline, you won't be able to add your signature, but you'll be able to see the document in read-only mode.
+
+Once you decline, an email notification is sent to the requester saying that you donΓÇÖt want to sign the document. Declining to sign will complete the signing process and change the status of the request from **In progress** to **Declined**.
+
+If there are more recipients, they'll also receive a notification saying that the request has been declined.
+
+### View request history and details
+
+Whether you're a requester or a recipient, you can select **View request** from any of your email notifications to view the document and find out more about the request.
+
+1. In the document viewer, select the **View history** tab to see the status of the request. On the **Request history** panel, you can see the recipients who haven't signed yet and the activities that have happened so far, such as when the request was created and who the recipients are.
+
+ ![Screenshot of the View history tab and the Request history panel.](../media/content-understanding/esignature-view-history.png)
+
+2. Select the **View details** tab to see the details of the request. On the **Request details** panel, you can see the title of the request, any instructions the requester added when sending the request, and who the request was sent to.
+
+ ![Screenshot of the View details tab and the Request details panel.](../media/content-understanding/esignature-view-details.png)
+
+## Monitor the status of a request
+
+When you create a signature request with Syntex eSignature, it goes through different stages that are reflected in the request statuses. You can view the status of a request by selecting **View request** in any of the email notifications you received about the signature request. The following table shows the request statuses and their meaning.
+
+|Status |Description |
+|||
+|**In&nbsp;progress** |The request is in progress as soon as it's created. The status remains at this state until the request has been reviewed by all recipients or canceled by the sender of the request.|
+|**Completed** |The request is completed when all recipients have signed the document. |
+|**Canceled** |The request has been canceled by the sender. |
+|**Declined** |One of the recipients has declined to sign.|
+
+When the status of a request is **Completed**, **Canceled**, or **Declined**, the request can no longer be acted on by either the sender or the recipients. As an example, if a recipient declines a request, the sender would need to send a new request after the reason for declining has been addressed. The original declined request can't be edited.
+
+## Access the signed document
+
+All parties involved in the request receive an email notification saying that the request has been completed and the status of the request is **Completed**. In the email, you can select **View request** to access the signed document and the request history. Access to the document via the email notification will be available for 30 days after the request is completed.
+
+Additionally, the signed document also is saved to the folder where the original PDF is located (originating folder). It will be a read-only document with the permissions of the originating folder. The document can be accessed by the requester and anyone who has access to the originating folder.
+
+> [!NOTE]
+> When you open a PDF document on a SharePoint site, you won't see the details of the request if your default PDF viewer is set to Adobe. You'll need to set PDF viewer as your default viewer.
+
+### Unable to access the signed document
+
+Before a signature request is sent and at the completion of the request, certain checks are done to ensure that the sender has the permission to write to the document and the originating folder. If the permission changes when the signature request is in progress, the service might not be able to save a copy of the signed document in the originating folder. This event can happen when:
+
+- The sender of the request no longer has access to the originating folder. For example, the senderΓÇÖs access has been revoked by the owner of the originating folder or a SharePoint admin.
+
+- Initial write permission of the sender to the originating folder was downgraded to view only.
+
+- The originating folder was deleted.
+
+To avoid potential issues, you should check the status and settings of their documents before starting a signature request. Ensure that there are sufficient permissions and roles to access and share the documents with their intended recipients.
+
+- Data loss prevention (DLP) policies
+- Azure Active Directory collaboration settings
+- SharePoint sharing settings and policies
+- User permissions and document access
+
+## Security of the signed document
+
+After all recipients have signed the document, the signatures are added and an audit trail is appended to the signed PDF. Details of the request, including activities and timestamps of when they occurred throughout the signing process, are included. The details include the date and time the request created, date and time when the recipients signed, and so on. These details provide evidence of the integrity of the signing process. The signed document is then digitally signed by a Microsoft certificate to ensure that it can't be tampered with.
+
+For setup and technical information for admins, see [Set up Microsoft Syntex eSignature (Preview)](esignature-setup.md).
+
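Review bot: In "Security of the signed document", the sentence "digitally signed by a Microsoft certificate to ensure that it can't be tampered with" overstates what a signature does: it makes later modification detectable, it doesn't prevent it. Suggest wording such as "so that any later change to the document can be detected", plus a sentence on how a recipient checks the signature in their PDF viewer. Separately, in "Unable to access the signed document", the paragraph "you should check the status and settings of their documents" mixes "you" and "their", and the four-item list after it (DLP policies, Azure Active Directory collaboration settings, and so on) has no lead-in saying these are the settings to check.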
syntex Esignature Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-setup.md
+
+ Title: Set up Microsoft Syntex eSignature (Preview)
++++ Last updated : 08/01/2023
+audience: admin
++
+search.appverid:
+
+ - enabler-strategic
+ - m365initiative-syntex
+ms.localizationpriority: medium
+
+description: Learn how to set up Microsoft Syntex eSignature to send electronic signature requests to people inside and outside of your organization.
++
+# Set up Microsoft Syntex eSignature (Preview)
+
+> [!NOTE]
+> This feature is currently in limited preview and subject to change.
+
+The Microsoft Syntex eSignature service is set up in the Microsoft 365 admin center.
+
+## Prerequisites
+
+### Licensing
+
+Before you can use Syntex eSignature, you must first link your Azure subscription in [Syntex pay-as-you-go](syntex-azure-billing.md). Syntex eSignature is billed based on the [type and number of transactions](syntex-pay-as-you-go-services.md). (Billing and pricing aren't activated during this preview.)
+
+### Permissions
+
+You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up Syntex eSignature.
+
+## Set up Syntex eSignature
+
+1. In the Microsoft 365 admin center, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2171997" target="_blank">**Setup**</a>, and then select **Use content AI with Microsoft Syntex**.
+
+2. On the **Use content AI with Microsoft Syntex** page, select **Manage Microsoft Syntex**.
+
+3. On the **Manage Microsoft Syntex** page, select **Syntex eSignature**.
+
+4. On the **Syntex eSignature** page, select **Turn on**.
+
+### Manage sites
+
+By default, Syntex eSignature is turned on for libraries in all SharePoint sites. Follow these steps to manage which SharePoint sites users can use Syntex eSignature.
+
+1. On the **Manage Microsoft Syntex** page, select **Syntex eSignature**.
+
+2. On the **Syntex eSignature** page, under **SharePoint libraries where Syntex eSignature is turned on**, select **Select sites**.
+
+ a. Choose which site or sites this service should be enabled for.
+
+ b. To restrict user access to this service, select **No SharePoint libraries** or **Libraries in selected SharePoint sites** and follow the instructions to either select the sites or upload a CSV listing a maximum of 100 sites. Be sure to add your content center site if you want it to be included. You can then manage site access permissions for the sites you selected.
+
+ c. Select **Save**.
+
+### Turn off Syntex eSignature
+
+1. On the **Manage Microsoft Syntex** page, select **Syntex eSignature**.
+
+2. On the **Turn off Syntex eSignature** page, select **Turn off**.
+
+## Document storage and retention
+
+### Document storage
+
+Syntex eSignature lets a requester start a signature request from a PDF document that is saved in a SharePoint library for which Syntex eSignature has been enabled. After all required parties have signed, the Syntex eSignature service saves a copy of the signed document to the folder of the original document (originating folder). The sender is notified in an email that includes a link to view the document and a separate link to the SharePoint folder where the signed document was saved.
+
+Before a signature request is sent and at the completion of the request, certain checks are done to ensure that the sender has the permission to write to the document and the originating folder. If the permission changes when the signature request is in progress, the service might not be able to save a copy of the signed document in the originating folder. This event can happen when:
+
+- The sender of the request no longer has access to the originating folder. For example, the senderΓÇÖs access has been revoked by the owner of the originating folder or a SharePoint admin.
+
+- Initial write permission of the sender to the originating folder was downgraded to view only.
+
+- The originating folder was deleted.
+
+### Document retention
+
+When a signature request is created for a document in SharePoint, the Syntex eSignature service creates a working copy of the document. It's this working copy that is sent out to all recipients for signing, and it's how the sender can track the status of their requests. The working copy of the request is stored in a hidden document library in SharePoint. The signature will only be added to the working copy of the request document after all parties have signed; otherwise, it will appear as unsigned even if one of the parties has added their signature.
+
+The working copy of the request is stored and retained for five years or in accordance with the document retention policy set up by the SharePoint or tenant admin. Learn more about [retention policies](/purview/retention-policies-sharepoint).
+
+### Expiration of URL links in email
+
+Every email notification sent in relation to a signature request contains a URL link that allows the recipient to view, review, and sign the document. When a request reaches a terminal state (when the status is **Completed**, **Canceled**, or **Declined**), the recipient has 30 days to view, download, and store the document in a preferred location. After the link expires, it can no longer be used to access the document.
+
+For more protection, when a sender cancels a request, recipients immediately lose access to the request document. The email notification received by recipients won't contain a URL link to view the request.
+
+For user instructions about how to use Syntex eSignature, see [Create, review, and sign signature requests using Microsoft Syntex eSignature (Preview)](esignature-send-requests.md).
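Review bot: "Expiration of URL links in email" contradicts itself on canceled requests: the first paragraph gives the recipient 30 days to view and download once the status is **Completed**, **Canceled**, or **Declined**, while the next paragraph says recipients immediately lose access when the sender cancels. Suggest limiting the 30-day statement to the states it applies to and saying who keeps access after a cancel. Also, under "Turn off Syntex eSignature", step 2 names a **Turn off Syntex eSignature** page although step 1 opens **Syntex eSignature**, and "Document retention" should say which applies when a tenant retention policy differs from the five-year default.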
syntex Ocr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/ocr.md
Manage which SharePoint sites have OCR enabled for Syntex in the Microsoft 365 a
a. Choose which site or sites this service should be enabled for.
- b. To restrict user access to this service, select **No sites** or **Selected sites** and follow the instructions to either select the sites or upload a CSV listing a maximum of 100 sites. You can then manage site access permissions for the sites you selected.
+ b. To restrict user access to this service, select **No sites** or **Selected sites** and follow the instructions to either select the sites or upload a CSV listing a maximum of 100 sites. Be sure to add your content center site if you want it to be included. You can then manage site access permissions for the sites you selected.
c. Select **Save**.
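Review bot: The changed step b still uses the labels **No sites** and **Selected sites**, while the same step in the prebuilt and unstructured setup articles in this update was changed to **No SharePoint libraries** and **Libraries in selected SharePoint sites**. Confirm the OCR page really shows the old labels; if not, update them in this edit too. The added sentence "Be sure to add your content center site if you want it to be included" should also say whether that site counts toward the 100-site maximum.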
syntex Prebuilt Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/prebuilt-setup.md
By default, prebuilt document processing is turned on for libraries in all Share
> [!NOTE] > Disabling a site after a model is made available to process files on that site will not disable the model. Models can still be used to process files and incur charges. A model can be made available to process files by being created on that site or in a content center.
- b. To restrict user access to this service, select **No sites** or **Selected sites** and follow the instructions to either select the sites or upload a CSV listing a maximum of 100 sites. You can then manage site access permissions for the sites you selected.
+ b. To restrict user access to this service, select **No SharePoint libraries** or **Libraries in selected SharePoint sites** and follow the instructions to either select the sites or upload a CSV listing a maximum of 100 sites. Be sure to add your content center site if you want it to be included. You can then manage site access permissions for the sites you selected.
c. Select **Save**.
syntex Set Up Content Understanding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/set-up-content-understanding.md
Title: Set up Microsoft Syntex per-user licensing
Previously updated : 07/08/2022 Last updated : 08/08/2023 audience: admin
Prior to setup, make sure to plan for the best way to set up and configure conte
- The SharePoint sites in which you want to enable document processing - all of them, some, or selected sites - The name and admins for your content center
-## Requirements
+## Requirements
> [!NOTE] > You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up Syntex. As an admin, you can also make changes to your selected settings anytime after setup, and throughout the content understanding management settings in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
+<!
### Custom Power Platform environments If you plan to use a custom Power Platform environment, you must install the *AI Builder for Project Cortex* app in this environment. See [Manage Dynamics 365 apps](/power-platform/admin/manage-apps#install-an-app-in-the-environment-view) for details and look for the *AI Builder for Project Cortex* app in the list of Dynamics 365 apps. The environment must not be of the Sandbox type.
You also need to [allocate AI Builder credits](/power-platform/admin/capacity-ad
When using a custom environment, model creators must be assigned the Environment Maker security role and model users must be assigned the Basic User security role. See [Assign a security role to a user](/power-platform/admin/assign-security-roles) for more information. Users creating models in a [content center site](/microsoft-365/contentunderstanding/create-a-content-center) must be site members. Users creating models locally outside the content center must be site owners of those sites.-
+>
## Assign licenses You must assign licenses for the users who will be using per-user Microsoft Syntex features.
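Review bot: The lines added around "Custom Power Platform environments" appear here as `<!` and `>`, which is not a valid HTML comment; check that the source has `<!--` and `-->`, otherwise the section still renders, with stray characters around it. Since the same text now lives in the new structured and freeform setup article, deleting the section and linking to that article would be cleaner than leaving commented-out content behind. The "## Requirements" removal and re-add shows no visible difference and could be dropped from the commit.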
syntex Set Up Microsoft Syntex https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/set-up-microsoft-syntex.md
The following table provides links to the specific setup instructions for each s
|Service |Instructions to set up service | |:-|:-| |Prebuilt document processing | [Set up prebuilt document processing](prebuilt-setup.md) |
+|Structured and freeform document processing | [Set up structured and freeform document processing](structured-freeform-setup.md) |
|Unstructured document processing | [Set up unstructured document processing](unstructured-setup.md) | |Content assembly | [Set up content assembly](content-assembly-setup.md) | |Image tagging | [Set up image tagging](image-tagging-setup.md) |
syntex Structured Freeform Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/structured-freeform-setup.md
+
+ Title: Set up and manage structured and freeform document processing in Microsoft Syntex
++++ Last updated : 08/08/2023
+audience: admin
+++
+search.appverid:
+
+ - enabler-strategic
+ - m365initiative-syntex
+ms.localizationpriority: medium
+description: Learn how to set up and manage structured and freeform document processing in Microsoft Syntex.
++
+# Set up and manage structured and freeform document processing in Microsoft Syntex
+
+The structured and freeform document processing service for Microsoft Syntex is set up in the Microsoft 365 admin center.
+
+## Prerequisites
+
+### Permissions
+
+You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up structured and freeform document processing in Syntex.
+
+### Licensing
+
+> [!NOTE]
+> As of July 1, 2023, per-user licenses are no longer available for purchase. You will need to [set up pay-as-you-go billing](syntex-azure-billing.md).<br><br>
+> Per-user licenses purchased before July 1 can still be assigned to new users. After existing per-user licenses expire, you will need to opt-in to Syntex [pay-as-you-go billing](syntex-azure-billing.md).
+
+For an overview of licensing options for Microsoft Syntex, see [Licensing for Microsoft Syntex](syntex-licensing.md).
+
+Each user for structured and freeform document processing must have a license assigned. To assign licenses, see [Set up Microsoft Syntex per-user licensing](set-up-content-understanding.md#assign-licenses).
+
+## Set up structured and freeform document processing
+
+### Get AI Builder credits
+
+To use structured or freeform document processing models, you also need AI Builder credits. For each licensed user of Syntex, an allocation of AI Builder credits is provided each month in your default Power Platform environment.
+
+### Enable sites
+
+By default, structured and freeform document processing is turned off for all sites.
+
+1. In the Microsoft 365 admin center, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2171997" target="_blank">**Setup**</a>, and then select **Use content AI with Microsoft Syntex**.
+
+2. On the **Use content AI with Microsoft Syntex** page, select **Manage Microsoft Syntex**.
+
+3. On the **Manage Microsoft Syntex** page, select **Structured and freeform document processing**.
+
+4. On the **Structured and freeform document processing** page:
+
+ a. Choose which site or sites this service should be enabled for.
+
+ > [!NOTE]
+ > Disabling a site after a model is made available to process files on that site will not disable the model. Models can still be used to process files and incur charges. A model can be made available to process files by being created either on that site or in a content center.
+
+ b. To restrict user access to this service, select **No SharePoint libraries** or **Libraries in selected SharePoint sites** and follow the instructions to either select the sites or upload a CSV listing a maximum of 100 sites. Be sure to add your content center site if you want it to be included. You can then manage site access permissions for the sites you selected.
+
+ c. Select **Save**.
+
+## Using a custom Power Platform environment
+
+Your tenant will come with a default Power Platform environment. If you plan to use a custom Power Platform environment, you must install the *AI Builder for Project Cortex* app in this environment. See [Manage Dynamics 365 apps](/power-platform/admin/manage-apps#install-an-app-in-the-environment-view) for details and look for the *AI Builder for Project Cortex* app in the list of Dynamics 365 apps. The environment must not be of the Sandbox type.
+
+You also need to [allocate AI Builder credits](/power-platform/admin/capacity-add-on) to the custom environment before you can create document processing models.
+
+When using a custom environment, model creators must be assigned the Environment Maker security role and model users must be assigned the Basic User security role. For more information, see [Assign a security role to a user](/power-platform/admin/assign-security-roles). You don't need to assign users this role if you're using the default Power Platform environment.
+
+Users creating models in a [content center site](create-a-content-center.md) must be site members. Users creating models locally outside the content center must be site owners of those sites.
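Review bot: In "Using a custom Power Platform environment", "You don't need to assign users this role" follows a sentence that names two roles (Environment Maker for model creators, Basic User for model users), so it is unclear which assignment can be skipped in the default environment. Suggest "these roles", or name the one that is meant. In "Enable sites", the service is stated to be off for all sites by default, yet step 4b is worded as a restriction ("To restrict user access to this service, select **No SharePoint libraries** ..."); reword it for the enable case. The Licensing section also requires a per-user license for every user right after the note that per-user licenses can no longer be purchased, so say what a tenant without existing licenses should do.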
syntex Syntex Azure Billing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-azure-billing.md
description: Learn about how to set up pay-as-you-go Azure billing for Microsoft
# Configure Microsoft Syntex for pay-as-you-go billing
-Some Microsoft Syntex features are billed on a pay-as-you-go basis. These features use an Azure subscription for billing and track usage and cost with a Syntex meter. Read the [Microsoft Syntex pay-as-you-go terms of service](/legal/microsoft-365/microsoft-syntex-pay-as-you-go-terms) before you configure pay-as-you-go.
+Microsoft Syntex services are billed on a pay-as-you-go basis. These services use an Azure subscription for billing and track usage and cost with a Syntex meter. Read the [Microsoft Syntex pay-as-you-go terms of service](/legal/microsoft-365/microsoft-syntex-pay-as-you-go-terms) before you configure pay-as-you-go.
-For a list of Microsoft Syntex features that use pay-as-you-go, see [Licensing for Microsoft Syntex](syntex-licensing.md)
-
-Note that if you use [Microsoft Syntex per-user licensing](set-up-content-understanding.md) you can't sign up for pay-as-you-go.
+For a list of Microsoft Syntex services that use pay-as-you-go, see [Licensing for Microsoft Syntex](syntex-licensing.md).
## Prerequisites
For information about how to create an Azure resource group, see [Manage Azure r
## Set up Microsoft Syntex billing in Azure
-When you set up Microsoft Syntex billing in Azure, events will be sent to the Azure meter in your account and you will be able to view the pages processed for unstructured and prebuilt document processing models.
+When you set up Microsoft Syntex billing in Azure, events will be sent to the Azure meter in your account, and you'll be able to view the pages processed for unstructured and prebuilt document processing models.
The following permissions are required to set up Microsoft Syntex billing:
To configure Microsoft Syntex billing
1. In the Microsoft 365 admin center, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2171997" target="_blank">**Setup**</a>, and then view the **Files and content** section.
-1. In the **Files and content** section, select **Use content AI with Microsoft Syntex**.
+2. In the **Files and content** section, select **Use content AI with Microsoft Syntex**.
-1. On the **Microsoft Syntex** page, select **Configure billing** to walk through the setup process.
-1. On the **Enter your Azure subscription** panel, choose an Azure subscription from the **Azure subscription** dropdown.
-1. Choose a resource group and region. (The region determines where your tenant ID and usage information such as site names will be stored.)
-1. Read and accept the [Microsoft Syntex pay-as-you-go terms of service](/legal/microsoft-365/microsoft-syntex-pay-as-you-go-terms).
-1. Select **Save**.
+3. On the **Microsoft Syntex** page, select **Configure billing** to walk through the setup process.
+4. On the **Enter your Azure subscription** panel, choose an Azure subscription from the **Azure subscription** dropdown.
+5. Choose a resource group and region. (The region determines where your tenant ID and usage information such as site names will be stored.)
+6. Read and accept the [Microsoft Syntex pay-as-you-go terms of service](/legal/microsoft-365/microsoft-syntex-pay-as-you-go-terms).
+7. Select **Save**.
If you need to change or disconnect your Azure subscription, you can select **Manage billing** on the **Use content AI with Microsoft Syntex**. ## Monitor your Microsoft Syntex pay-as-you-go usage
-You can monitor your Microsoft Syntex pay-as-you-go usage in Azure Cost Management. You must have at least *read* access to the resource group that you specified for Microsoft Syntex. Note that usage information may take up to 24 hours to appear in Cost Management.
+You can monitor your Microsoft Syntex pay-as-you-go usage in Microsoft Cost Management for Azure. You must have at least *read* access to the resource group that you specified for Microsoft Syntex. Note that usage information might take up to 24 hours to appear in Cost Management.
To see the charges applied to the Syntex meters
-1. Sign in to [Azure Cost Management](https://portal.azure.com/#view/Microsoft_Azure_CostManagement/Menu/~/overview).
+1. Sign in to [Microsoft Cost Management for Azure](https://portal.azure.com/#view/Microsoft_Azure_CostManagement/Menu/~/overview).
1. Under **Cost Management**, select **Cost analysis**. 1. Select **Add filter**, choose **Product** from the list, and then choose the product (listed below) that you want to filter on. 1. Select **Add filter**, choose **Tag** from the list, and then choose the tag (listed below) that you want to filter on.
-The following Microsoft Syntex products are available:
-- Syntex Unstructured Document Processing-- Syntex Prebuilt Document Processing
+The following Microsoft Syntex products are currently available:
+
+- Prebuilt document processing
+- Unstructured document processing
+- Content assembly
+- Image tagging
+- Optical character recognition
The following tags are available: - Site
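Review bot: The rewritten sentence under "Set up Microsoft Syntex billing in Azure" still says you can view pages processed "for unstructured and prebuilt document processing models", but the product list in this same change now has five entries, including content assembly, image tagging, and optical character recognition; update the sentence or make it generic. The line "if you use Microsoft Syntex per-user licensing you can't sign up for pay-as-you-go" is removed without a replacement, so state whether that restriction no longer applies. In the numbered steps, "To configure Microsoft Syntex billing" switches to explicit 2 to 7 numbering while "To see the charges applied to the Syntex meters" keeps `1.` for every step; pick one style.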
syntex Unstructured Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/unstructured-setup.md
By default, unstructured document processing is turned on for libraries in all S
> [!NOTE] > Disabling a site after a model is made available to process files on that site will not disable the model. Models can still be used to process files and incur charges. A model can be made available to process files by being created either on that site or in a content center.
- b. To restrict user access to this service, select **No sites** or **Selected sites** and follow the instructions to either select the sites or upload a CSV listing a maximum of 100 sites. You can then manage site access permissions for the sites you selected.
+ b. To restrict user access to this service, select **No SharePoint libraries** or **Libraries in selected SharePoint sites** and follow the instructions to either select the sites or upload a CSV listing a maximum of 100 sites. Be sure to add your content center site if you want it to be included. You can then manage site access permissions for the sites you selected.
c. Select **Save**.
test-base Createpackagefromappgallery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/createpackagefromappgallery.md
+
+ Title: 'Create Package from App Gallery'
+description: How to create package from App Gallery
+search.appverid: MET150
+++
+audience: Software-Vendor
+ Last updated : 08/09/2023+
+ms.localizationpriority: medium
+++
+f1.keywords: NOCSH
++
+# Create Package from App Gallery #
+This section provides the steps necessary to onboard a package from App Gallery onto Test Base.
+> [!IMPORTANT]
+> If you do not have a Test Base account, you will need to create one before proceeding, as described in Creating a Test Base Account.
+
+In the [Azure portal](https://portal.azure.com/), go to the **Test
+Base** account for which you will be creating and uploading your package
+and perform the steps that follow.
+
+In the left-hand menu under **Package catalog**, select the **New
+package**. Then click the card '**Create package from App Gallery**'.
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of create package from app gallery](Media/create_package_from_gallery_1.png)](Media/create_package_from_gallery_1.png#lightbox)
+
+**Step 1. Define content**
+
+1. In the **Package source** section, click on 'Select app from App Gallery - Winget' then there will be a slide bar pop-up on the right hand side.
+
+ > [!div class="mx-imgBorder"]
+ > [![Screenshot of search from winget app gallery](Media/create_package_from_gallery_2.png)](Media/create_package_from_gallery_2.png#lightbox)
++
+2. Then you can either scroll down or search for the applications which you'd like to test. You can also select the version of specific app in the Version drop down.
+
+3. Once you select the app by checking the box and clicking on the select button, there's a pop-up notification displaying the app license and disclaimer.
+
+ > [!div class="mx-imgBorder"]
+ > [![Screenshot of accept the license](Media/create_package_from_gallery_3.png)](Media/create_package_from_gallery_3.png#lightbox)
++
+4. By clicking on the 'Accept' button, the app will be auto uploaded while the package name and package version will be auto-populated.
+ You can also modify the package name and version as needed.
+
+ > [!div class="mx-imgBorder"]
+ > [![Screenshot of basic information](Media/create_package_from_gallery_4.png)](Media/create_package_from_gallery_4.png#lightbox)
+
+ > [!Note]
+ > The combination of package name and version must be unique within your Test Base account.
+
+5. After all the requested information is specified, you can proceed to the next phase by clicking the **Next: Configure test** button.
+
+ > [!div class="mx-imgBorder"]
+ > [![Screenshot of the button of configure test](Media/create_package_from_gallery_5.png)](Media/create_package_from_gallery_5.png#lightbox)
++
+**Step 2. Configure test**
+
+1. For now, only **Out of Box (OOB)** **test** is supported for the Winget package:
+
+ > An **Out of Box (OOB)** **test** performs an install, launch, close,
+ > and uninstall of your package. After the install, the launch-close
+ > routine is repeated 30 times before a single uninstall is run. The OOB
+ > test provides you with standardized telemetry on your package to
+ > compare across Windows builds.
+ >
+ > [!div class="mx-imgBorder"]
+ > [![Screenshot of configure test for new package](Media/create_package_from_gallery_6.png)](Media/create_package_from_gallery_6.png#lightbox)
+
+2. Once all required information is filled out, you can proceed to step 3 by
+ clicking the Next button at the bottom.
+
+For next steps, please refer to the [Creating and Testing Binary Files on Test Base \| Microsoft Learn](testapplication.md).
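Review bot: The IMPORTANT note refers to "Creating a Test Base Account" as plain text with no link, so a reader without an account has nowhere to go; link the article. Style points: the H1 has a trailing `#`, "Step 1. Define content" and "Step 2. Configure test" are bold paragraphs rather than headings so they won't appear in the page outline, `[!Note]` should be `[!NOTE]` to match the other alerts, and the final link text carries the page-title suffix "\| Microsoft Learn". Step 3 of "Define content" mentions a pop-up with the app license and disclaimer but doesn't say what the user is agreeing to by selecting Accept; one sentence on that would help.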