Updates from: 08/11/2021 03:17:51
Category Microsoft Docs article Related commit history on GitHub Change details
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
If you added your own domain name to use with your subscription, you must remove
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. Find the subscription that you want to cancel. Select the three dots (more actions), then select **Cancel subscription**.
-3. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback.
-4. Select **Save**.
-
-Your subscription now appears in a **Disabled** state, and has reduced functionality until it's deleted. For more information about what you can expect when a paid Microsoft 365 for business subscription is canceled, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md)
-
-> [!NOTE]
-> If you explicitly delete a subscription, then it skips the Expired and Disabled stages and the SharePoint Online data and content, including OneDrive, is deleted immediately.
::: moniker-end
Your subscription now appears in a **Disabled** state, and has reduced functiona
::: moniker range="o365-21vianet" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.+ ::: moniker-end
-2. Select the **Products** tab.
-3. Find the subscription that you want to cancel. Select the three dots (more actions), then select **Cancel subscription**.
-4. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback.
-5. Select **Save**.
+2. Find the subscription that you want to cancel. Select the three dots (more actions), then select **Cancel subscription**.
+3. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback.
+4. Select **Save**.
+
+Your subscription now appears in a **Disabled** state, and has reduced functionality until it's deleted. For more information about what you can expect when a paid Microsoft 365 for business subscription is canceled, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md)
+
+> [!NOTE]
+> If you explicitly delete a subscription, then it skips the Expired and Disabled stages and the SharePoint Online data and content, including OneDrive, is deleted immediately.
Your subscription now appears in a **Disabled** state, and has reduced functionality until it's deleted. For more information about what you can expect when a paid Microsoft 365 for business subscription is canceled, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md).
compliance Communication Compliance Case Study https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-case-study.md
Contoso decides to use the *Communication Compliance* role group assign all the
| **Communication Compliance Investigator** | Use this group to assign permissions to users that will act as communication compliance investigators. Users assigned to this role group can view message metadata and content, escalate to additional reviewers, escalate to an Advanced eDiscovery case, send notifications to users, and resolve the alert. | | **Communication Compliance Viewer** | Use this group to assign permissions to users that will manage communication reports. Users assigned to this role group can access all reporting widgets on the communication compliance home page and can view all communication compliance reports. |
-1. Contoso IT administrators sign into the **Office 365 Security & Compliance center** permissions page [(https://compliance.microsoft.com/permissions)](https://compliance.microsoft.com/permissions) using credentials for a global administrator account and select the link to view and manage roles in Microsoft 365.
-2. In the **Security & Compliance Center**, they go to **Permissions** and select the link to view and manage roles in Office 365.
+1. Contoso IT administrators sign into the [Microsoft 365 compliance center](https://compliance.microsoft.com/permissions) permissions page using credentials for a global administrator account and select the link to view and manage roles in Microsoft 365.
+2. In the **Microsoft 365 compliance center**, they go to **Permissions** and select the link to view and manage roles in Office 365.
3. The administrators select the *Communication Compliance* role group, then select **Edit role group**. 4. The administrators select **Choose members** from the left navigation pane, then select **Edit**. 5. They select **Add** and then select the checkbox for all Contoso users that will manage communication compliance, investigate, and review alerts.
compliance Communication Compliance Feature Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-feature-reference.md
Communication compliance filters allow you to filter and sort alert messages for
## Alert policies
-After you configure a policy, a corresponding alert policy is automatically created and alerts are generated for messages that match conditions defined in the policy. By default, all policy matches alert triggers are assigned a severity level of medium in the associated alert policy. Alerts are generated for a communication compliance policy once the aggregation trigger threshold level is met in the associated alert policy.
+After you configure a policy, a corresponding alert policy is automatically created and alerts are generated for messages that match conditions defined in the policy. It may take up to 24 hours after creating a policy start to receive alerts from activity indicators. By default, all policy matches alert triggers are assigned a severity level of medium in the associated alert policy. Alerts are generated for a communication compliance policy once the aggregation trigger threshold level is met in the associated alert policy.
For communication compliance policies, the following alert policy values are configured by default: |**Alert policy trigger**|**Default value**| |:--|:--| | Aggregation | Simple aggregation |
-| Threshold | 4 activities |
-| Window | 60 minutes |
+| Threshold | Minimum: 3 activities <br> Maximum: 2,147,483,647 activities |
+| Window | Minimum: 60 minutes <br> Maximum: 10,000 minutes |
> [!NOTE] > The alert policy threshold trigger settings for activities supports a minimum value of 3 or higher for communication compliance policies.
-You can change the default settings for triggers on number of activities, period for the activities, and for specific users in alert policies on the **Alert policies** page in the Security & Compliance Center.
+You can change the default settings for triggers on number of activities, period for the activities, and for specific users in alert policies on the **Alert policies** page in the Microsoft 365 compliance center.
### Change the severity level for an alert policy If you'd like to change the severity level assigned in an alert policy for a specific communication compliance policy, complete the following steps:
-1. Sign into [https://compliance.microsoft.com](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization.
+1. Sign into [Microsoft 365 compliance center](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization.
2. In the Microsoft 365 compliance center, go to **Policies**.
-3. Select **Office 365 alert** on the **Policies** page to open the **Alerts policies** page in the **Office 365 Security & Compliance center**.
+3. Select **Office 365 alert** on the **Policies** page to open the **Alerts policies** page.
4. Select the checkbox for the communication compliance policy you want to update, then select **Edit policy**.
compliance Compliance Manager Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-setup.md
To set permissions and assign roles in the Microsoft 365 compliance center, foll
1. Go to the [Microsoft 365 compliance center](https://compliance.microsoft.com/compliancemanager) and select **Permissions** on the left navigation.
-2. Under the **Compliance center** dropdown, select **Roles**.
+2. Under the **Compliance center** dropdown, select **Roles**.
3. Find the role group to which you want to add one or more users, and check the box to the left of the group name. (See the [list of roles and related functions below](#role-types). The role group names mimic the role name.)
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
If you don't have an existing Microsoft 365 Enterprise E5 plan and want to try i
There are four roles groups used to configure permissions to manage insider risk management features. To continue with these configuration steps, your tenant administrators must first assign you to the **Insider Risk Management** or **Insider Risk Management Admin** role group. To access and manage insider risk management features after initial configuration, users must be a member of at least one insider risk management role group.
-Depending on the structure of your compliance management team, you have options to assign users to specific role groups to manage different sets of insider risk management features. To view the **Permissions** tab in the Office 365 Security & Compliance Center and manage role groups, you need to be assigned to the *Organization Management* role group or need to be assigned the *Role Management* role. Choose from these role group options when configuring insider risk management:
+>[!IMPORTANT]
+>Make sure you always have at least one user in the **Insider Risk Management** or **Insider Risk Management Admin** role groups (depending on the option you choose) so that your insider risk management configuration doesn't get in to a 'zero administrator' scenario if specific users leave your organization.
+
+Depending on the structure of your compliance management team, you have options to assign users to specific role groups to manage different sets of insider risk management features. To view the **Permissions** tab in the Microsoft 365 compliance center and manage role groups, you need to be assigned to the *Organization Management* role group or need to be assigned the *Role Management* role. Choose from these role group options when configuring insider risk management:
| **Role group** | **Role permissions** | | :- | :- |
-| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings.|
-| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to separate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings. |
+| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. ***When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings***.|
+| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to separate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. ***When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings***. |
| **Insider Risk Management Analysts** | Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access and view all insider risk management alerts, cases, analytics insights, and notices templates. They cannot access the insider risk Content explorer. | | **Insider Risk Management Investigators** | Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access to all insider risk management alerts, cases, notices templates, and the Content explorer for all cases. | | **Insider Risk Management Auditors** | Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log. |
compliance Insider Risk Management Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-content-explorer.md
The insider risk management **Content explorer** allows users assigned the *Insider Risk Management Investigators* role to examine the context and details of content associated with activity in alerts. The case data in Content explorer is refreshed daily to include new activity. For all alerts that are confirmed to a case, copies of data and message files are archived as a snapshot in time of the items, while maintaining the original files and messages in the storage sources. If needed, case data files may be exported as a portable document file (PDF) or in the original file format.
-The copying of data and messages is transparent to the user associated with the alert and to the owner of the content. For new cases, it usually takes about an hour for content to populate in Content explorer. For cases with large amounts of content, it may take longer to create a snapshot. If content is still loading in Content explorer, you will see a progress indicator that displays the completion percentage.
+For new cases, it usually takes about an hour for content to populate in Content explorer. For cases with large amounts of content, it may take longer to create a snapshot. If content is still loading in Content explorer, you will see a progress indicator that displays the completion percentage.
In some cases, data associated with a case may not be available as a snapshot for review in Content explorer. This situation may occur when case data has been deleted or moved, or when a temporary error occurs when processing case data. If this situation occurs, select **View files** in the warning bar to view the file names, file path, and reason for the failure for each file. If needed, this information can be exported to a .csv (comma-separated values) file. If the content includes Information Rights Management permissions, these permissions are maintained for the copied content and users assigned the *Insider Risk Management Investigators* role will need these permissions and rights if they need to open and view the files. Each file and message are automatically assigned a unique file ID in the insider risk management case for management purposes. Documents associated with device indicator activities are not included in Content explorer. > [!NOTE]
-> Content explorer includes activities related to Microsoft Office files. Site-level activities, such as when a SharePoint site is deleted or if site permissions are changed, aren't included in Content explorer.
+> Content explorer includes user activities related to Microsoft 365 service files, such as user activity on SharePoint, Exchange, Microsoft Teams, and OneDrive for Business.
## Column options
compliance Insider Risk Management Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-plan.md
If you have requirements for specific stakeholders to be involved in case invest
Select dedicated stakeholders to monitor and review the alerts and cases on a regular cadence in the [Microsoft 365 compliance center](https://compliance.microsoft.com/). Make sure understand how you will assign different stakeholders to the different role groups available in insider risk management.
-Depending on the structure of your compliance management team, you have options to assign users to specific role groups to manage different sets of insider risk management features. To view the **Permissions** tab in the Office 365 Security & Compliance Center and manage role groups, you need to be assigned to the *Organization Management* role group or need to be assigned the *Role Management* role. Choose from these role group options when configuring insider risk management:
+>[!IMPORTANT]
+>Make sure you always have at least one user in the **Insider Risk Management** or **Insider Risk Management Admin** role groups (depending on the option you choose) so that your insider risk management configuration doesn't get in to a 'zero administrator' scenario if specific users leave your organization.
+
+Depending on the structure of your compliance management team, you have options to assign users to specific role groups to manage different sets of insider risk management features. To view the **Permissions** tab in the Microsoft 365 compliance center and manage role groups, you need to be assigned to the *Organization Management* role group or need to be assigned the *Role Management* role. Choose from these role group options when configuring insider risk management:
| **Role group** | **Role permissions** | | :- | :- |
-| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings. |
-| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to separate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings. |
+| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. ***When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings***.|
+| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to separate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. ***When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings***. |
| **Insider Risk Management Analysts** | Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access and view all insider risk management alerts, cases, analytics insights, and notices templates. They cannot access the insider risk Content explorer. | | **Insider Risk Management Investigators** | Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access to all insider risk management alerts, cases, notices templates, and the Content explorer for all cases. | | **Insider Risk Management Auditors** | Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log. |
compliance Privacy Management Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-permissions.md
+
+ Title: "Set user permissions and assign roles in privacy management (preview)"
+f1.keywords:
+- CSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-security-compliance
+- M365-privacy-management
+search.appverid:
+- MOE150
+- MET150
+description: "Learn how to set up privacy management permissions and assign users to role groups."
++
+# Set user permissions and assign roles in privacy management (preview)
+
+In this article: learn how to set **permissions** and assign users to **role groups** and **roles**.
+
+To give members of your organization permissions to use privacy management, assign them to the appropriate role groups in the Microsoft 365 compliance center. Note that roles specific to privacy management will not appear in Azure Active Directory.
+
+## Sign in and set permissions
+
+1. Go to the [Microsoft 365 compliance center](https://compliance.microsoft.com/) and select **Permissions** in the left navigation.
+2. Under the **Compliance center** dropdown, select **Roles**. The full list of role groups will appear.
+3. Find the role group to which you want to add one or more users, and check the box to the left of the group name. See below for a list of privacy management roles.
+4. On the flyout pane for that group, select **Edit** under the **Members** header.
+5. Select **Choose members**. Another flyout window will appear.
+6. Select **+ Add** to choose one or more users to add to the group.
+7. Select the checkbox next to the names you want to add, then select the **Add** button at the bottom.
+8. When youΓÇÖre done assigning users, select **Done**, then **Save**, then **Close**.
+
+## Role groups and roles
+
+Members should be assigned to role groups depending on what tasks they need to accomplish and what level of file access is appropriate. Each role group includes one or more roles. These roles may pertain to specific privacy management tasks or key functions that are enabled or restricted for that groupΓÇÖs members.
+
+Role groups can be customized if needed. To avoid accidental loss of access, we recommend creating a copy of the existing role group you wish to customize, giving the copy an identifiable name, making and verifying your changes to the new group, and assigning people to it as appropriate.
+
+## Privacy Management role group
+
+This group contains all the privacy management permission roles in a single group. This role group may be a good fit for organizations where the same individual may perform all duties within the privacy management solution. Providing membership in this role group will grant that account full access to all features of the privacy management solution.
+
+Roles include:
+
+- Case Management
+- Data Classification Content Viewer
+- Data Classification List Viewer
+- Privacy Management Admin
+- Privacy Management Analysis
+- Privacy Management Investigation
+- Privacy Management Permanent Contribution
+- Privacy Management Temporary Contribution
+- Privacy Management Viewer
+- Subject Rights Request Admin
+- View-Only Case
+
+## Privacy Management Administrators role group
+
+Members of this role group focus on configuration and administration tasks, and have broad access to privacy management functions, including creating, reading, updating, and deleting privacy management policies, subject rights requests, privacy management permissions, and privacy management settings.
+
+Roles include:
+
+- Case Management
+- Privacy Management Admin
+- View-Only Case
+
+## Privacy Management Analysts role group
+
+Members of this role group act as privacy management case analysts. They can investigate policy matches, view file metadata, and take remediation actions. This group cannot access full files through the Content Explorer.
+
+Roles include:
+
+- Case Management
+- Data Classification List Viewer
+- Privacy Management Analysis
+- View-Only Case
+
+### Privacy Management Investigators role group
+
+Members of this group act as privacy management data investigators. They can investigate policy matches, view the associated file content, and take remediation actions. This group can access files through the Content Explorer.
+
+Roles include:
+
+- Case Management
+- Data Classification Content Viewer
+- Data Classification List Viewer
+- Privacy Management Investigation
+- View-Only Case
+
+## Privacy Management Viewer role group
+
+Members of this group can view analytical information in privacy management, like the overview, data profile, and subject request reports.
+
+Roles include:
+
+- Privacy Management Viewer
+
+## Subject Rights Request Administrators role group
+
+Members of this group have full access to administer and create subject rights requests.
+
+Roles include:
+
+- Subject Rights Request Admin
+
+## Privacy Management Contributors role group
+
+Members of this group have contributor access to subject rights requests.
+
+Roles include:
+
+- Privacy Management Temporary Contribution
+- Privacy Management Permanent Contribution
compliance Privacy Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-policies.md
With email notifications, users receive direct notifications about policy matche
Notifications can be enabled for individual policies during custom policy creation or when editing any policy. Use the Outcomes section to define what happens when a policy match is detected, including the option to enable these notifications, and set how often you want these digests to be delivered.
-Email notification capability is controlled at a global level within Settings. It is enabled by default. Turning this setting off will stop all emails even if specific notifications have been configured at an individual policy level. For more information, see Configure settings under [Get started with privacy management](privacy-management-setup.md#configure-settings).
+Email notification capability is controlled at a global level within Settings. It is enabled by default. Turning this setting off will stop all emails even if specific notifications have been configured at an individual policy level. For more information, see [Manage privacy management settings](privacy-management-settings.md).
## View policy details
compliance Privacy Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-settings.md
+
+ Title: "Manage privacy management settings (preview)"
+f1.keywords:
+- CSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-security-compliance
+- M365-privacy-management
+search.appverid:
+- MOE150
+- MET150
+description: "Learn about the global settings options for privacy management."
++
+# Manage privacy management settings (preview)
+
+In this article: learn about **settings** options for privacy management.
+
+The global settings options for privacy management can be found under the gear icon in the upper right corner of the main pages. These options allow you to set high-level preferences and customize key properties. This page provides an overview of the main Settings categories.
+
+## Anonymization
+
+This feature enables you to show anonymized versions of usernames within privacy management features to users in certain roles. It will replace identifiable display names with a generic label in order to help mask your usersΓÇÖ identities while reviewing sensitive data. This option does not apply to the subject rights request module.
+
+## User notification emails
+
+Policies in privacy management allow you to set parameters for evaluating potential privacy risks in your environment. When we detect a policy match, privacy management can send an email to your users with corrective actions to take and a link to privacy training. In Settings, you can enable or disable the email notification capability of privacy management as a whole. You can activate individual notifications, set email frequency, and specify a training URL when you create or edit a policy. If notification capability is turned off in Settings, any policy-level configuration for specific notification mails will be disabled. To learn more about policies, see [Create and manage policies](privacy-management-policies.md).
+
+## Teams collaboration
+
+Integrate Microsoft Teams capabilities with privacy management to enhance collaboration with stakeholders. Every time a subject rights request is created, an associated team will be created. Users can be added to a team from the requestΓÇÖs Collaborators tab. To learn more about subject rights requests, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
+
+## Power Automate flows
+
+Use Power Automate flows to automatically manage privacy-related processes and tasks. You can create flows in the Settings section using built-in privacy management templates, or use the Power Automate console to create custom flows. To learn more about Power Automate, see the [Power Automate](/power-automate/) documentation.
+
+## Data matching
+
+Use this section to upload data schemas that describe attributes of your data subjects, which will help identify the correct data subject when searching for personal data within your Microsoft 365 environment. Schemas and rule packages are created and uploaded in XML format. Under Personal data upload, you can also submit personal data that matches a provided schema. You can create and upload your own file or choose to upload personal data from Azure. To learn more about subject rights requests, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
+
+## Data retention periods
+
+For subject rights requests, choose how long you want to retain the collected data and the reports you have generated. You can select between 30 or 90 days after the request is closed. To learn more about subject rights requests, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
+
+## Data review tags
+
+Manage the tags youΓÇÖll use to mark files retrieved in a subject rights request. In this section, you can edit the names and descriptions for custom tags. You can also edit tag descriptions for the built-in tags provided by the system. Names for system tags cannot be changed. To learn more about subject rights requests, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
compliance Privacy Management Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-setup.md
description: "Learn how to set up privacy management for your organization, set
In this article: learn how to set up **access to privacy management** for your organization, how to **get started** with evaluating your data, and how to handle important **settings**.
-## Sign up
+## Who can access privacy management
-Privacy management is available within the Microsoft 365 compliance center. The public preview of privacy management is available to organizations with E1, E3, and E5 Office 365 and Microsoft 365 enterprise licenses. Upon general availability of privacy management, organizations will need to obtain a new license.
+The public preview of privacy management is available within the Microsoft 365 compliance center and is available to organizations with E1, E3, and E5 enterprise licenses in Office 365 and Microsoft 365. When privacy management moves to general availability, organizations that used the public preview will need to obtain a new license.
-Note that the public preview of privacy management will not be available to US Government Community (GCC) Moderate, GCC High, or Department of Defense (DoD) customers.
+For detailed licensing guidance, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection).
-To get started with the public preview, obtain the preview subscription from the admin center. If you do not yet have a subscription when you first select privacy management in the compliance center, you will be directed to the admin center to get started. We recommend that the global admin sign in and set user permissions as outlined below when visiting privacy management for the first time. If you donΓÇÖt hold the required role to obtain the subscription or consent to the terms of using privacy management, youΓÇÖll be prompted to contact your global admin for assistance.
+> [!Note]
+> The public preview of privacy management will not be available to US Government Community (GCC) Moderate, GCC High, or Department of Defense (DoD) customers.
-Confirming that you would like to start using privacy management signals that you agree to the terms and the personal data evaluation process. You can review the provided links in full before proceeding.
+## Set up privacy management
-## Set user permissions and assign roles
+To get started with privacy management, first get your trial license and sign in. Then you can assign permissions for your users and review settings.
-Privacy management uses a role-based access control (RBAC) permission model. Only users who are assigned a role may access privacy management, and the actions allowed by each user are restricted by role type.
-
-Permissions and role assignments for privacy management can be handled within the Microsoft 365 compliance center, as follows. Note that roles specific to privacy management will not appear in Azure Active Directory.
-
-### In the Microsoft 365 compliance center
--- Select Permissions in the left navigation.-- Expand Compliance Center and select Roles. The full list of role groups will appear. -- Scroll to find the privacy management groups, or search by keyword, for example ΓÇ£privacy.ΓÇ¥-- Select the relevant role group to see a description, the assigned roles, and a list of members.-- Use the Edit link beside these sections to add or change users or edit the settings.-
-### Learn about role groups and roles
-
-This section outlines the role groups and roles relevant to privacy management. Members should be assigned to role groups by the top-level admin depending on what tasks they need to accomplish and what level of file access is appropriate. Each role group includes one or more roles. These roles may pertain to specific privacy management tasks or may correspond to key functions that are enabled or restricted for that groupΓÇÖs members.
-
-Role groups can be customized if needed. To avoid accidental loss of access, we recommend creating a copy of the existing role group you wish to customize, giving the copy an identifiable name, making and verifying your changes to the new group, and assigning people to it as appropriate.
-
-**Privacy Management**: This group contains all the privacy management permission roles in a single group. This is the easiest way to quickly get started with privacy management and manage access control for other groups that will use privacy management. It is also a good fit for organizations that do not need separate permissions defined for separate groups of users.
-
-**Privacy Management Administrators**: Members of this role group focus on configuration and administration tasks, and have broad access to privacy management functions, including creating, reading, updating, and deleting privacy management policies, subject rights requests, privacy management permissions, and privacy management settings.
-
-**Privacy Management Analysts**: Members of this role group act as privacy management case analysts. They can investigate policy matches, view file metadata, and take remediation actions. This group cannot access full files through the Content Explorer.
-
-**Privacy Management Investigators**: Members of this group act as privacy management data investigators. They can investigate policy matches, view the associated file content, and take remediation actions. This group can access files through the Content Explorer.
-
-**Privacy Management Viewer**: Members of this group can view analytical information in privacy management, like the overview, data profile, and subject request reports.
-
-**Subject Rights Request Administrators**: Members of this group have full access to administer and create subject rights requests.
+### Get trial license
-**Privacy Management Contributors**: Members of this group have contributor access to subject rights requests.
+To get started with the public preview, your global admin can obtain the free privacy management trial license from the [admin center](https://aka.ms/purchasem365privacy). Select ΓÇ£Start trialΓÇ¥ to begin. Your license lasts for one month and you can renew it at no cost as needed during the public preview.
-To see the specific roles included in each role group, see the following table.
+After obtaining your subscription, allow up to 30 minutes for it to activate. Then return to privacy management to get started. You will be asked to confirm that you agree to the terms and the personal data evaluation process ([learn more](privacy-management.md#how-we-evaluate-your-data)). You can review the provided links in full before proceeding. Once you agree, it may take up to 24 hours before privacy management starts providing insights about your organizationΓÇÖs data.
-| Role group | Roles included |
-|:-- |:--|
-| Privacy Management | Case Management |
-| | Data Classification Content Viewer |
-| | Data Classification List Viewer |
-| | Privacy Management Admin |
-| | Privacy Management Analysis |
-| | Privacy Management Investigation |
-| | Privacy Management Permanent Contribution |
-| | Privacy Management Temporary Contribution |
-| | Privacy Management Viewer |
-| | Subject Rights Request Admin |
-| | View-Only Case |
-| Privacy Management Admin | Case Management |
-| | Privacy Management Admin |
-| | View-Only Case |
-| Privacy Management Analysts | Case Management |
-| | Data Classification List Viewer |
-| | Privacy Management Analysis |
-| | View-Only Case |
-| Privacy Management Investigators | Case Management |
-| | Data Classification Content Viewer |
-| | Data Classification List Viewer |
-| | Privacy Management Investigation |
-| | View-Only Case |
-| Privacy Management Viewer | Privacy Management Viewer |
-| Subject Rights Request Administrator | Subject Rights Request Admin |
-|Privacy Management Contributors | Privacy Management Temporary Contribution |
-| | Privacy Management Permanent Contribution |
+If you donΓÇÖt hold the required role to obtain the subscription or consent to the terms of using privacy management, youΓÇÖll be prompted to contact your global admin for assistance.
-## Configure settings
+### Set user permissions and assign roles
-The Settings page is accessible via the gear wheel in the upper right corner of privacy managementΓÇÖs main pages. It allows privacy management administrators to configure essential properties across privacy management. Options include the following.
-
-### Anonymization
-
-This feature enables you to show anonymized versions of usernames within privacy management features to users in certain roles. This will replace identifiable display names like ΓÇ£Grace TaylorΓÇ¥ with a generic label like ΓÇ£AnonyIS8-988ΓÇ¥ in order to help mask your usersΓÇÖ identities while reviewing sensitive data. This option does not apply to the subject rights request module.
-
-### User notification emails
-
-When we detect a match for your data handling policies, privacy management can send an email to your users with corrective actions to take and a link to privacy training. In Settings, you can enable or disable the email notification capability of privacy management as a whole. You can activate individual notifications, set email frequency, and specify a training URL when you create or edit a policy. If notification capability is turned off in Settings, any policy-level configuration for specific notification mails will be disabled. To learn more about policies, see [Create and manage policies](privacy-management-policies.md).
-
-### Teams collaboration
-
-Integrate Microsoft Teams capabilities with privacy management to enhance collaboration with stakeholders. Every time a subject rights request is created, an associated team will be created. Users can be added to a team from the requestΓÇÖs Collaborators tab. To learn more about subject rights requests, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
-
-### Power Automate flows
-
-Use Power Automate flows to automatically manage privacy-related processes and tasks. You can create flows in the Settings section using built-in privacy management templates, or use the Power Automate console to create custom flows. To learn more about Power Automate, see the [Power Automate](/power-automate/) documentation.
-
-### Data matching
+Privacy management uses a role-based access control (RBAC) permission model. Only users who are assigned a role may access privacy management, and the actions allowed by each user are restricted by role type.
-Use this section to upload data schemas that describe attributes of your data subjects, which will help identify the correct data subject when searching for personal data within your Microsoft 365 environment. Schemas and rule packages are created and uploaded in XML format. Under Personal data upload, you can also submit personal data that matches a provided schema. You can create and upload your own file or choose to upload personal data from Azure. To learn more about subject rights requests, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
+We recommend that the global admin sign in and set user permissions in the Compliance Center when using privacy management for the first time. For a quick start, the Privacy Management role group has permissions to access all features of privacy management. This group may be a good fit for organizations where the same individual may perform all duties within the privacy management solution. Other privacy roles allow you to take more granular control and assign users to selected features or functions.
-### Data retention periods
+To learn more about role groups and how to grant access, see [Set user permissions and assign roles](privacy-management-permissions.md).
-For subject rights requests, choose how long you want to retain the final data collected and report after a request is closed. You can select between 30 or 90 days. To learn more about subject rights requests, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
+### Manage settings
-### Data review tags
+The Settings page is accessible via the gear wheel in the upper right corner of privacy managementΓÇÖs main pages. It allows privacy management administrators to configure essential properties across privacy management.
-Manage the tags youΓÇÖll use to mark files retrieved in a subject rights request. In this section, you can edit the names and descriptions for custom tags. You can also edit tag descriptions for the built-in tags provided by the system. Names for system tags cannot be changed. To learn more about subject rights requests, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
+You may wish to review the default configuration and make any desired adjustments before you begin. To learn more about your options, see [Manage privacy management settings](privacy-management-settings.md).
## Get initial data insights
-After signing into privacy management, youΓÇÖll arrive at the **Overview** page. This page provides dynamic insights about the personal data stored in your Microsoft 365 environment in order to help you quickly spot issues, identify risk indicators, and take action to fix issues. Your Overview should populate with initial insights within the first 24 hours of signing up. As you continue to use privacy management, the overview page will refresh to continue to provide current information.
+After signing into privacy management, youΓÇÖll arrive at the **Overview** page. This page provides insights about the personal data stored in your Microsoft 365 environment in order to help you quickly spot issues, identify risk indicators, and take action to fix issues. Your Overview should populate with initial insights within the first 24 hours of signing up. As you continue to use privacy management, the overview page will refresh to continue to provide current information.
-For further insights into your data over time, your **Data profile** page will provide more visualizations and analytics and give you a high-level view of your organizationΓÇÖs data by geographic location and by Microsoft 365 service.
+For further insights into your data over time, your **Data profile** page will provide more visualizations and analytics and give you a high-level view of your organization's data by geographic location and by Microsoft 365 service.
To learn more about these pages, see [Find and visualize your data](privacy-management-data-profile.md).+
+## Get started with default policies
+
+Privacy management will help kickstart your data evaluation process by creating three policies with default settings, using the templates for data minimization, data overexposure, and data transfers. These policies will be on by default, but will not automatically trigger notification mails or remediation prompts. After your initial setup, you can proceed to create and customize your own policies. To learn more, see [Create and manage policies](privacy-management-policies.md).
compliance Privacy Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management.md
description: "Microsoft privacy management offers solutions for evaluating perso
# Microsoft privacy management (preview)
-## What is privacy management
+## What is privacy management?
As your companyΓÇÖs cloud data grows in size and complexity, so does your need to understand and safeguard the personal data held in your environment. Privacy management in Microsoft 365 empowers your employees to make smart data handling decisions and address critical privacy risks by providing efficient ways to find and manage personal data, automate privacy operations, and fulfill subject rights requests. These solutions will enable you to build a privacy resilient workplace and handle issues at scale.
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
This preview version of co-authoring for files encrypted with sensitivity labels
- Users won't be able to apply any labels in Office for the web for Word, Excel, and PowerPoint files that are bigger than 300 MB. For these files, you can use the Office desktop apps to apply a label but you must be the only person who has the file open. -- Currently rolling out: Support for [DLP policies that use sensitivity labels as conditions](dlp-sensitivity-label-as-condition.md) and unencrypted attachments for emails.- - Some documents are incompatible with sensitivity labels because of features such as [password-protection](https://support.microsoft.com/office/require-a-password-to-open-or-modify-a-workbook-10579f0e-b2d9-4c05-b9f8-4109a6bce643), [shared workbooks](https://support.microsoft.com/office/about-the-shared-workbook-feature-49b833c0-873b-48d8-8bf2-c1c59a628534), or content that includes ActiveX controls. Other reasons are documented in [Troubleshoot co-authoring in Office](https://support.microsoft.com/office/troubleshoot-co-authoring-in-office-bd481512-3f3a-4b6d-b7eb-ebf9d3626ae7). For these documents, you see a message **UPLOAD FAILED** and should select the **Discard Changes** option. Until this issue is addressed, do not label these documents that are identified with this failure message. - Office apps for iOS and Android are not supported.
enterprise Office 365 Network Mac Perf Cpe https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-cpe.md
Informed network routing provides a bi-directional data sharing channel between
Quality of service degradations in the path of a particular Internet circuit such as increased latency or high packet loss are difficult to detect on a continuous basis. These degradations may be detrimental to user experiences for applications such as Exchange Online, SharePoint, OneDrive, and Microsoft Teams. Common symptoms include slow search of Exchange content, high transfer times when interacting with SharePoint or OneDrive document libraries, or poor call or meeting quality in Microsoft Teams.
-The feedback and recovery mechanism within network informed routing seeks to dynamically detect such issues in near real time and informs the deployed SD-WAN solution to take automatic recovery actions.
+The feedback and recovery mechanism within informed network routing seeks to dynamically detect such issues in near real time and informs the deployed SD-WAN solution to take automatic recovery actions.
The data sharing channel is also used to periodically receive network-level optics data from the SD-WAN solution, including configuration information and usage statistics associated with the device and attached circuits. No personal information is collected or stored. All collected information is aggregated to office locations and connected Internet circuits. This information can help Microsoft more efficiently and effectively resolve reported issues with your use of Microsoft 365 services and applications.
Microsoft is working with various partners to enable integration with Microsoft
Informed network routing currently identifies traffic associated with a specific office location and Internet circuit based on the public IP address used to send network traffic to Microsoft.
-In the case where there is not at least one network circuit providing direct Internet access at a branch location, network informed routing may not provide significant value.
+In the case where there is not at least one network circuit providing direct Internet access at a branch location, informed network routing may not provide significant value.
### Application usage
Application experience data (reflected through network quality metrics) is colle
## Enabling informed network routing
-Enabling informed network routing requires multiple steps, some of which will need to be performed within the configuration interface of your SD-WAN solution. Consult your SD-WAN solution vendor for guidance on how to initiate the process of enabling network informed routing within the SD-WAN solution before proceeding with configuration in the Microsoft 365 admin center.
+Enabling informed network routing requires multiple steps, some of which will need to be performed within the configuration interface of your SD-WAN solution. Consult your SD-WAN solution vendor for guidance on how to initiate the process of enabling informed network routing within the SD-WAN solution before proceeding with configuration in the Microsoft 365 admin center.
Once you are ready to enable informed network routing in the Microsoft 365 admin center, ensure you have the necessary global administrator permissions.
In the configuration pane, select **Add your SD-WAN solution (Preview)**.
### Step 2: Select your SD-WAN solution and data storage location
-In the drop-down boxes, select the SD-WAN solution you have deployed and the location where you wish to have the data associated with network informed routing stored. See the [data storage](#data-storage) section for additional information.
+In the drop-down boxes, select the SD-WAN solution you have deployed and the location where you wish to have the data associated with informed network routing stored. See the [data storage](#data-storage) section for additional information.
Select **Next**.
Once you have completed the permissions grant, select **Next**.
### Step 5: Confirm your configuration settings
-The final step in enabling network informed routing for your tenant is a confirmation page that displays the settings you've provided.
+The final step in enabling informed network routing for your tenant is a confirmation page that displays the settings you've provided.
Informed network routing is now enabled for your tenant. Select **Done** and then close the SD-WAN solution configuration pane.
-## Configuring network informed routing
+## Configuring informed network routing
You will perform much of the configuration for informed network routing within your SD-WAN solution, such as configuring how your traffic should be routed under normal circumstances and the alternate paths that should be used if issues are detected. Consult your SD-WAN solution provider for details on these configuration steps.
Ensure that each office location where you wish to enable informed network routi
4. Select **Save** to save your changes.
-## Disabling network informed routing
+## Disabling informed network routing
-The informed network routing feature may be disabled for the entire tenant by resetting your SD-WAN solution settings. While this will stop all processing of data within Microsoft 365, you should also disable network informed routing within the admin center.
+The informed network routing feature may be disabled for the entire tenant by resetting your SD-WAN solution settings. While this will stop all processing of data within Microsoft 365, you should also disable informed network routing within the admin center.
### Step 1: Open SD-WAN solution configuration options
Your settings have now been reset and informed network routing has been disabled
## Data storage
-Data exchanged between Microsoft and the SD-WAN solution provider is stored in the data storage location selected during the initial enablement of network informed routing. The data storage location options represent geographical areas containing Microsoft Azure regions where the data is stored.
+Data exchanged between Microsoft and the SD-WAN solution provider is stored in the data storage location selected during the initial enablement of informed network routing. The data storage location options represent geographical areas containing Microsoft Azure regions where the data is stored.
>[!NOTE] >During the Preview phase, the only available data storage location is **North America**. Additional data storage locations will become available prior to the general availability of informed network routing. Data is retained in this location for up to 30 days. When disabled, all remaining data is removed within this 30-day retention window.
+Data in this location is exchanged with the selected SD-WAN solution, and the location of the configured SD-WAN solution may not be within the same region. Customers should work with their SD-WAN solution provider to evaluate any data storage location requirements prior to production deployment.
+ ## Related topics [Network connectivity in the Microsoft 365 admin center (preview)](office-365-network-mac-perf-overview.md)
enterprise View Service Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-service-health.md
If you are unable to sign in to the admin center, you can use the [service statu
3. On the **Service health** page, the health state of each cloud service is shown in a table format.
- ![View of current issues in service health](../media/service-health-all-services.png)
+ ![View of current issues in service health](../media/shd-landing-page.png)
The **All services** tab (the default view) shows all services, their current health state, and any active incidents or advisories. An icon and status in the **Health** column indicate the state of each service.
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
We are working with OEM to find a solution to enable this permission from the ap
Users can follow these steps to enable the same permissions from the device settings: 1. Go to **Settings** on your device.
+
2. Search for and select **Battery Optimization**.
+
+ ![Search for and select "Battery Optimisation".](images/search-battery-optimisation.png)
+ 3. In **Special app access**, select **Battery Optimization**.
+
+ ![In Special app access, select "Battery Optimisation".](images/special-app-access.png)
+ 4. Change the Dropdown to show **All Apps**.+
+ ![Change dropdown to show "All Apps".](images/show-all-apps-2.png)
+
+ ![Change dropdown to show "All Apps".](images/show-all-apps-1.png)
+ 5. Locate ΓÇ£Microsoft Defender EndpointΓÇ¥ and select **DonΓÇÖt Optimize**.
+ ![Locate "Microsoft Defender Endpoint" and select "Don't Optimise".](images/select-dont-optimise.png)
++ Return to the Microsoft Defender Endpoint onboarding screen, select **Allow**, and you will be redirected to the dashboard screen.
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
10. Select **OK** and close any open GPMC windows.
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md).
+ ## Additional Defender for Endpoint configuration settings For each device, you can state whether samples can be collected from the device when a request is made through Microsoft 365 Defender to submit a file for deep analysis.
Policy | Setting
:|: Configure Controlled folder access| Enabled, Audit Mode
+## Run a detection test to verify onboarding
+After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
++ ## Offboard devices using Group Policy For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you'll be notified of the packages expiry date and it will also be included in the package name.
security Configure Endpoints Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md
For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThr
> - The **Health Status for onboarded devices** policy uses read-only properties and can't be remediated. > - Configuration of diagnostic data reporting frequency is only available for devices on Windows 10, version 1703.
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint.
+## Run a detection test to verify onboarding
+After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
++ ## Offboard and monitor devices using Mobile Device Management tools For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you'll be notified of the packages expiry date and it will also be included in the package name.
security Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md
Check out the [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/publ
> [!NOTE] > Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.-
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md).
> > Note that it's possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. > If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change.
Enable the feature in audit mode for at least 30 days. After this period, review
For more information, see [Evaluate controlled folder access](evaluate-controlled-folder-access.md).
+## Run a detection test to verify onboarding
+After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
++ ## Offboard devices using Configuration Manager For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
security Configure Endpoints Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md
Possible values are:
The default value in case the registry key doesn't exist is 1.
+## Run a detection test to verify onboarding
+After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
## Offboard devices using a local script For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
security Configure Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints.md
Devices in your organization must be configured so that the Defender for Endpoin
The following deployment tools and methods are supported: -- Group Policy-- Microsoft Endpoint Configuration Manager-- Mobile Device Management (including Microsoft Intune)-- Local script-
-## In this section
Topic|Description :|:
-[Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)|Use Group Policy to deploy the configuration package on devices.
-[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)|You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
-[Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)|Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
-[Onboard Windows 10 devices using a local script](configure-endpoints-script.md)|Learn how to use the local script to deploy the configuration package on endpoints.
+[Onboard devices using Group Policy](configure-endpoints-gp.md)|Use Group Policy to deploy the configuration package on devices.
+[Onboard devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)|You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
+[Onboard devices using Mobile Device Management tools](configure-endpoints-mdm.md)|Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
+[Onboard devices using a local script](configure-endpoints-script.md)|Learn how to use the local script to deploy the configuration package on endpoints.
[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)|Learn how to use the configuration package to configure VDI devices. > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-configureendpoints-belowfoldlink)++
+After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
In general, you'll need to take the following steps:
3. Install and configure MMA for the server to report sensor data to Defender for Endpoint. 4. Configure and update System Center Endpoint Protection clients.
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md).
#### Before you begin
The following steps are required to enable this integration:
- [Configure the SCEP client Cloud Protection Service membership](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to the **Advanced** setting.
+## Run a detection test to verify onboarding
+After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
++ ## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
ms.technology: mde Previously updated : 08/05/2021 Last updated : 08/10/2021
-# Microsoft Defender Antivirus compatibility
+# Microsoft Defender Antivirus compatibility with other security products
**Applies to:**
Microsoft Defender Antivirus is automatically installed on endpoints running the
- Windows Server, version 1803 or later - Windows Server 2019
-But what happens when another (non-Microsoft) antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as your operating system and whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint) together with your antivirus protection.
+What happens when another non-Microsoft antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as your operating system and whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint) together with your antivirus protection.
This article describes what happens with Microsoft Defender Antivirus and a non-Microsoft antivirus/antimalware solution, with or without Defender for Endpoint.
This section describes what happens with Microsoft Defender Antivirus and non-Mi
| Windows Server 2016 <br/><br/> Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | Microsoft Defender Antivirus | Active mode | | Windows Server 2016 <br/><br/> Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) <sup>[[1](#fn1)]<sup></sup> |
-(<a id="fn1">1</a>) On Windows Server, if you are running a non-Microsoft antivirus product, you can disable Microsoft Defender Antivirus by using Group Policy to turn Microsoft Defender Antivirus off, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to true.)
+(<a id="fn1">1</a>) On Windows Server, if you are running a non-Microsoft antivirus product, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Microsoft Defender Antivirus, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base.
> [!TIP] > See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) for key differences and management options for Windows Server installations. On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
If your organization is using a non-Microsoft antivirus/antimalware solution tog
| Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Passive mode (set manually) <sup>[[2](#fn2)]<sup></sup> | | Windows Server 2016 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) <sup>[[3](#fn3)]<sup> |
-(<a id="fn2">2</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, when you install a non-Microsoft antivirus product, you can set Microsoft Defender Antivirus to passive mode manually. You can use the **ForceDefenderPassiveMode** registry key to perform this task. To use the registry key, navigate to `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, and set or create a DWORD entry called `ForceDefenderPassiveMode`. Set its value to `1` (which sets the registry key's value to *true*). For more information, see [Passive mode and Windows Server](microsoft-defender-antivirus-on-windows-server.md#passive-mode-and-windows-server).
+(<a id="fn2">2</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, when you install a non-Microsoft antivirus product, set Microsoft Defender Antivirus to passive mode manually. You can use the **ForceDefenderPassiveMode** registry key to perform this task. To use the registry key, navigate to `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, and set or create a DWORD entry called `ForceDefenderPassiveMode`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base. For more information, see [Passive mode and Windows Server](microsoft-defender-antivirus-on-windows-server.md#passive-mode-and-windows-server).
-(<a id="fn3">3</a>) On Windows Server 2016, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Windows Defender Antivirus, or use the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*).
+(<a id="fn3">3</a>) On Windows Server 2016, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Windows Defender Antivirus, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*), and select **Hexadecimal** for its base.
> [!TIP] > See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) for key differences and management options for Windows Server installations. On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
The table in this section summarizes the features and capabilities that are acti
(<a id="fn6">6</a>) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans. > [!NOTE]
-> [Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode.
+> [Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode.
## Important notes
The table in this section summarizes the features and capabilities that are acti
- In Defender for Endpoint, turn EDR in block mode on, even if Microsoft Defender Antivirus is not your primary antivirus solution. EDR in block mode detects and remediate malicious items that are found on the device (post breach). To learn more, see [EDR in block mode](edr-in-block-mode.md).
+## How to confirm the state of Microsoft Defender Antivirus
+
+To check the state of Microsoft Defender Antivirus, you can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).
+
+1. On a Windows device, open Windows PowerShell.
+
+2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`.
+
+3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint.
+ ## More details about Microsoft Defender Antivirus states The table in this section describes various states you might see with Microsoft Defender Antivirus. <br/><br/>
The table in this section describes various states you might see with Microsoft
||| | Active mode | In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself). | | Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however.<br/><br/> Files are scanned, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <br/><br/>When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <br/><br/>For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <br/><br/>**NOTE**: Passive mode is not supported on Windows Server 2016. |
-| Disabled <br/>or<br/>Uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.<br/><br/> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. <br/><br/>In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints.<br/><br/>You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app. |
+| Disabled <br/>or<br/>Uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.<br/><br/> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. <br/><br/>In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints.<br/><br/>You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app. |
## See also
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
For more details on how to get started, visit the Defender for Endpoint on macOS
>The following capabilities are not currently supported on macOS endpoints: >- Data loss prevention >- Live response
->- SIEM
## Microsoft Defender for Endpoint on Linux
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
Once completed, you should see onboarded endpoints in the portal within an hour.
- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](/azure/log-analytics/log-analytics-oms-gateway). - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Defender for Endpoint service URLs](/microsoft-365/security/defender-endpoint/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+## Run a detection test to verify onboarding
+After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
+ ## Offboard client endpoints To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the endpoint will no longer send sensor data to Defender for Endpoint.
security Run Detection Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-detection-test.md
Title: Run a detection test on a newly onboarded Microsoft Defender for Endpoint device
-description: Run the detection script on a newly onboarded device to verify that it is properly onboarded to the Microsoft Defender for Endpoint service.
+ Title: Run a detection test after adding a device to Microsoft Defender for Endpoint device
+description: Run the detection script on a device that has recently been added to the Microsoft Defender for Endpoint service to verify that it is properly onboarded
keywords: detection test, detection, powershell, script, verify, onboarding, microsoft defender for endpoint onboarding, clients, servers, test search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+Onboarding devices is the method of adding devices to the Microsoft Defender for Endpoint service. It allows devices to report signals to the service.
+
+Verifying that a device has been successfully added to the service is an important step in the entire deployment process.
+
+## Verify onboarding using a detection test
Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service. 1. Create a folder: 'C:\test-MDATP-test'.
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
- m365solution-symantecmigrate Previously updated : 06/14/2021 Last updated : 08/10/2021
Now that your endpoints have been onboarded to Defender for Endpoint, your next
| Method | What to do | |:-|:-| |Command Prompt | 1. On a Windows device, open Command Prompt as an administrator.<p>2. Type `sc query windefend`, and then press Enter.<p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-| PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
+| PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`. <p>Review the results. You should see **Passive mode**. [Learn more about Microsoft Defender Antivirus states](microsoft-defender-antivirus-compatibility.md#more-details-about-microsoft-defender-antivirus-states). |
> [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1
### Start Microsoft Defender Antivirus on Windows Server 2016
-If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
+If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can perform this task by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
## Get updates for Microsoft Defender Antivirus
To get help with this task, reach out to your solution provider's technical supp
## Make sure Defender for Endpoint is working correctly
-Now that you have onboarded to Defender for Endpoint, and you have uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint working correctly. One good way to do this is by visiting the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+Now that you have onboarded to Defender for Endpoint, and you have uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint working correctly. One good way to perform this task is by visiting the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
- Cloud-delivered protection - Potentially Unwanted Applications (PUA)
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
- m365solution-symantecmigrate Previously updated : 07/19/2021 Last updated : 08/10/2021
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
`c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<p> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
-3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/>
- `Get-Service -Name windefend`
-
- Look for a status of *Running*.
- ### Set Microsoft Defender Antivirus to passive mode on Windows Server 1. Open Registry Editor, and then navigate to <br/>
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
- Under **Base**, select **Hexadecimal**. > [!NOTE]
-> After onboarding to Defender for Endpoint, you might have to set Microsoft Defender Antivirus to passive mode on Windows Server. To validate that passive mode was set as expected, search for *event 5007* in the **Microsoft-Windows-Windows Defender Operational** log (located at `C:\Windows\System32\winevt\Logs`) and confirm either **ForcePassiveMode** or **PassiveMode** registry keys were set by to **0x1**.
+> After onboarding to Defender for Endpoint, you might have to set Microsoft Defender Antivirus to passive mode on Windows Server. To validate that passive mode was set as expected, search for *event 5007* in the **Microsoft-Windows-Windows Defender Operational** log (located at `C:\Windows\System32\winevt\Logs`), and confirm that either the **ForceDefenderPassiveMode** or **PassiveMode** registry keys were set by to **0x1**.
### Are you using Windows Server 2016?
-If you have endpoints running Windows Server 2016, you cannot run Microsoft Defender Antivirus alongside a non-Microsoft antivirus/antimalware solution. Microsoft Defender Antivirus cannot run in passive mode on Windows Server 2016. In this case, you'll need to uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus instead. To learn more, see [Antivirus solution compatibility with Defender for Endpoint](microsoft-defender-antivirus-compatibility.md).
-
-If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, follow these steps:
+Currently, you cannot run Microsoft Defender Antivirus in passive mode on Windows Server 2016. Uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus. If you're having trouble enabling Microsoft Defender Antivirus on Windows Server 2016, follow these steps:
1. On the device, open PowerShell as an administrator. 2. Type the following PowerShell cmdlet: `mpcmdrun -wdenable` > [!TIP]
-> For more information, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
+> For more information, see the following articles:
+> - [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md)
+> - [Microsoft Defender Antivirus compatibility with other security products](microsoft-defender-antivirus-compatibility.md)
+
+### Confirm that Microsoft Defender Antivirus is enabled
+
+To check the state of Microsoft Defender Antivirus, you can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).
+
+1. On a Windows device, open Windows PowerShell.
+
+2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`.
+
+3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint. [Learn more about Microsoft Defender Antivirus states](microsoft-defender-antivirus-compatibility.md#more-details-about-microsoft-defender-antivirus-states).
## Configure Defender for Endpoint
security Web Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-threat-protection.md
To turn on network protection on your devices:
> [!NOTE] > If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
+## Configure web threat protection
+
+The following procedure describes how to configure web threat protection using the Microsoft Endpoint Manager admin center.
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), and sign in.
+
+2. Choose **Endpoint security** > **Attack surface reduction**, and then choose **+ Create policy**.
+
+3. Select a platform, such as **Windows 10 and later**, select the **Web protection** profile, and then choose **Create**.
+
+4. On the **Basics** tab, specify a name and description, and then choose **Next**.
+
+5. On the **Configuration settings** tab, expand **Web Protection**, specify your settings, and then choose **Next**.
+
+ - Set **Enable network protection** to **Enabled** so web protection is turned on. Alternately, you can set network protection to **Audit mode** to see how it will work in your environment. In audit mode, network protection does not prevent users from visiting sites or domains, but it does track detections as events.
+ - To protect users from potential phishing scams and malicious software, turn **Require SmartScreen for Microsoft Edge Legacy** to **Yes**.
+ - To prevent users from bypassing warnings about potentially malicious sites, set **Block malicious site access** to **Yes**.
+ - To prevent users from bypassing the warnings and downloading unverified files, set **Block unverified file download** tl **Yes**.
+
+6. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then choose **Next**. (If you are not using scope tags, choose **Next**.) To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
+
+7. On the **Assignments** tab, specify the users and devices to receive the web protection policy, and then choose **Next**.
+
+8. On the **Review + create** tab, review your policy settings, and then choose **Create**.
+ ## Related topics - [Web protection overview](web-protection-overview.md)
security Advanced Hunting Query Language https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-language.md
Advanced hunting is based on the [Kusto query language](/azure/kusto/query/). Yo
## Try your first query
-In Microsoft 365 security center, go to **Hunting** to run your first query. Use the following example:
+In the Microsoft 365 Defender portal, go to **Hunting** to run your first query. Use the following example:
```kusto // Finds PowerShell execution events that could involve a download
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md
Custom detection rules are rules you can design and tweak using [advanced huntin
To manage custom detections, you need to be assigned one of these roles: -- **Security administrator**ΓÇöUsers with this [Azure Active Directory role](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator) can manage security settings in Microsoft 365 security center and other portals and services.
+- **Security administrator**ΓÇöUsers with this [Azure Active Directory role](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator) can manage security settings in the Microsoft 365 Defender portal and other portals and services.
-- **Security operator**ΓÇöUsers with this [Azure Active Directory role](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator) can manage alerts and have global read-only access to security-related features, including all information in Microsoft 365 security center. This role is sufficient for managing custom detections only if role-based access control (RBAC) is turned off in Microsoft Defender for Endpoint. If you have RBAC configured, you also need the **manage security settings** permission for Defender for Endpoint.
+- **Security operator**ΓÇöUsers with this [Azure Active Directory role](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator) can manage alerts and have global read-only access to security-related features, including all information in the Microsoft 365 Defender portal. This role is sufficient for managing custom detections only if role-based access control (RBAC) is turned off in Microsoft Defender for Endpoint. If you have RBAC configured, you also need the **manage security settings** permission for Defender for Endpoint.
You can also manage custom detections that apply to data from specific Microsoft 365 Defender solutions if you have permissions for them. If you only have manage permissions for Microsoft 365 Defender for Office, for instance, you can create custom detections using `Email` tables but not `Identity` tables.
To manage required permissions, a **global administrator** can:
## Create a custom detection rule ### 1. Prepare the query.
-In Microsoft 365 security center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
+In the Microsoft 365 Defender portal, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
>[!IMPORTANT] >To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
security Custom Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-roles.md
Title: Custom roles for role-based access control
-description: Learn how to manage custom roles in Microsoft 365 security center
+description: Learn how to manage custom roles in the Microsoft 365 Defender portal
keywords: access, permissions, Microsoft 365 Defender, M365, security, MCAS, Cloud App Security, Microsoft Defender for Endpoint, scope, scoping, RBAC, roles-based access, custom roles-based access, roles-based auth, RBAC in MDO, roles, rolegroups, permissions inheritance, fine-grained permissions search.product: eADQiWindows 10XVcnh ms.prod: m365-security
Access to Microsoft 365 Defender can be managed collectively by using [Global ro
If you need greater flexibility and control over access to specific product data, Microsoft 365 Defender access can also be managed with the creation of Custom roles through each respective security portal.
-For example, a Custom role created through Microsoft Defender for Endpoint would allow access to the relevant product data, including Endpoint data within the Microsoft 365 security center. Similarly, a Custom role created through Microsoft Defender for Office 365 would allow access to the relevant product data, including Email & collaboration data within the Microsoft 365 security center.
+For example, a Custom role created through Microsoft Defender for Endpoint would allow access to the relevant product data, including Endpoint data within the Microsoft 365 Defender portal. Similarly, a Custom role created through Microsoft Defender for Office 365 would allow access to the relevant product data, including Email & collaboration data within the Microsoft 365 Defender portal.
-Users with existing Custom roles may access data in the Microsoft 365 security center according to their existing workload permissions with no additional configuration required.
+Users with existing Custom roles may access data in the Microsoft 365 Defender portal according to their existing workload permissions with no additional configuration required.
## Create and manage custom roles Custom roles and permissions can be created and individually managed through each of the following security portals:
Custom roles and permissions can be created and individually managed through eac
Each custom role created through an individual portal allows access to the data of the relevant product portal. For example, a custom role created through Microsoft Defender for Endpoint will only allow access to Defender for Endpoint data. > [!TIP]
-> Permissions and roles can also be accessed through the Microsoft 365 security center by selecting Permissions & roles from the navigation pane. Access to Microsoft Cloud App Security (MCAS) is managed through the MCAS portal and controls access to Microsoft Defender for Identity as well. See [Microsoft Cloud App Security](/cloud-app-security/manage-admins)
+> Permissions and roles can also be accessed through the Microsoft 365 Defender portal by selecting Permissions & roles from the navigation pane. Access to Microsoft Cloud App Security (MCAS) is managed through the MCAS portal and controls access to Microsoft Defender for Identity as well. See [Microsoft Cloud App Security](/cloud-app-security/manage-admins)
> [!NOTE]
-> Custom roles created in Microsoft Cloud App Security have access to Microsoft Defender for Identity data as well. Users with User group admin, or App/instance admin Microsoft Cloud App Security roles are not able to access Microsoft Cloud App Security data through the Microsoft 365 security center.
+> Custom roles created in Microsoft Cloud App Security have access to Microsoft Defender for Identity data as well. Users with User group admin, or App/instance admin Microsoft Cloud App Security roles are not able to access Microsoft Cloud App Security data through the Microsoft 365 Defender portal.
-## Manage permissions and roles in the Microsoft 365 security center
-Permissions and roles can also be managed in the Microsoft 365 security center:
+## Manage permissions and roles in the Microsoft 365 Defender portal
+Permissions and roles can also be managed in the Microsoft 365 Defender portal:
-1. Sign in to the Microsoft 365 security center at security.microsoft.com.
+1. Sign in to the Microsoft 365 Defender portal at security.microsoft.com.
2. In the navigation pane, select **Permissions & roles**. 3. Under the **Permissions** header, select **Roles**.
security Deploy Supported Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/deploy-supported-services.md
ms.technology: m365d
[Microsoft 365 Defender](microsoft-365-defender.md) integrates various Microsoft security services to provide centralized detection, prevention, and investigation capabilities against sophisticated attacks. This article describes the supported services, their licensing requirements, the advantages and limitations associated with deploying one or more services, and links to how you can fully deploy them individually. ## Supported services
-A Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses provides access to the following supported services and entitles you to use Microsoft 365 Defender in Microsoft 365 security center. [See licensing requirements](prerequisites.md#licensing-requirements)
+A Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses provides access to the following supported services and entitles you to use Microsoft 365 Defender. [See licensing requirements](prerequisites.md#licensing-requirements)
| Supported service | Description | | | |
security Eval Defender Identity Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-architecture.md
The following table identified key concepts that are important to understand whe
| Network Name Resolution | Network Name Resolution (NNR) is a component of MDI functionality which captures activities based on network traffic, Windows events, ETW, etc. and correlates this raw data to the relevant computers involved in each activity. | [What is Network Name Resolution?](/defender-for-identity/nnr-policy) | | Reports | Defender for Identity reports allow you to schedule or immediately generate and download reports that provide system and entity status information. You can create reports about system health, security alerts, and potential lateral movement paths detected in your environment. | [Microsoft Defender for Identity Reports ](/defender-for-identity/reports) | | Role groups | Defender for Identity offers role-based groups and delegated access to safeguard data according to your organization's specific security and compliance needs which includes Administrators, Users and Viewers. | [Microsoft Defender for Identity role groups](/defender-for-identity/role-groups) |
-| Administrative portal | In addition to the Microsoft 365 Security Center, the Defender for Identity portal cab be used to monitor and respond to suspicious activity. | [Working with the Microsoft Defender for Identity portal](/defender-for-identity/workspace-portal) |
+| Administrative portal | In addition to the Microsoft 365 Defender portal, the Defender for Identity portal cab be used to monitor and respond to suspicious activity. | [Working with the Microsoft Defender for Identity portal](/defender-for-identity/workspace-portal) |
| Microsoft Cloud App Security integration | Microsoft Cloud App Security integrates with Microsoft Defender for Identity to provide user entity behavioral analytics (UEBA) across a hybrid environment - both cloud app and on-premises | Microsoft Defender for Identity integration | | | | |
security First Incident Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-prepare.md
Components of Microsoft 365 Defender can display violations of rules that have b
Device risk directly influences what resources will be accessible by the user of that device. The denial of access to resources based on certain criteria is the main theme of Zero Trust and Microsoft 365 Defender provides information needed to determine the trust level criteria. For example, Microsoft 365 Defender can provide the software version level of a device through the Threat and Vulnerability Management page while Conditional Access policies restrict devices that have outdated or vulnerable versions.
-Automation is a crucial part of implementing and maintaining a Zero Trust environment while also reducing the number of alerts that would potentially lead to incident response (IR) events. Components of Microsoft 365 Defender can be automated such as [remediation actions](m365d-autoir.md) (known as investigations for an incident in the Microsoft 365 security center), notification actions, and even the creation of support tickets such as in [ServiceNow](https://microsoft.service-now.com/sp/).
+Automation is a crucial part of implementing and maintaining a Zero Trust environment while also reducing the number of alerts that would potentially lead to incident response (IR) events. Components of Microsoft 365 Defender can be automated such as [remediation actions](m365d-autoir.md) (known as investigations for an incident in the Microsoft 365 Defender portal), notification actions, and even the creation of support tickets such as in [ServiceNow](https://microsoft.service-now.com/sp/).
## Step 2. Determine your organizationΓÇÖs security posture
To check your software patching progress, visit the [Threat and Vulnerability Ma
## 4. Understand emerging threats
-Use [threat analytics](threat-analytics.md) in the Microsoft 365 security center to keep up-to-date with the current security threat landscape. Expert Microsoft security researchers create reports that describe the latest cyber-threats in detail so you can understand how they might affect your Microsoft 365 subscription, devices, and users. These reports can include:
+Use [threat analytics](threat-analytics.md) in the Microsoft 365 Defender portal to keep up-to-date with the current security threat landscape. Expert Microsoft security researchers create reports that describe the latest cyber-threats in detail so you can understand how they might affect your Microsoft 365 subscription, devices, and users. These reports can include:
- Active threat actors and their campaigns - Popular and new attack techniques
Threat analytics also looks at your configuration and alerts to determine how at
You can implement the recommendations of an emerging threat to strengthen your security posture and minimize your attack surface area.
-Make time in your schedule to regularly check the [Threat Analytics](threat-analytics.md) section of the Microsoft 365 security center.
+Make time in your schedule to regularly check the [Threat Analytics](threat-analytics.md) section of the Microsoft 365 Defender portal.
## Next step
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
Title: Investigate users in Microsoft 365 Defender
-description: Investigate users for an incident in the Microsoft 365 security center.
+description: Investigate users for an incident in the Microsoft 365 Defender portal.
keywords: security, malware, Microsoft 365, M365, security center, monitor, report, identities, data, devices, apps, incident, analyze, response ms.prod: m365-security ms.mktglfcycl: deploy
Part of your incident investigation can include user accounts. Start with the **
To get a quick summary of a user account for the incident, select the check mark next to the user account name. Here's an example. > [!NOTE] > The User page shows Azure Active Directory (Azure AD) organization as well as groups, helping you understand the groups and permissions associated with a user. In this fly-out page, you can review user threat information, including any current incidents, active alerts, and risk level as well as user exposure, accounts, devices, and more.
-In addition, you can take action directly in the Microsoft 365 security center to address a compromised user, confirming the user is compromised or requiring them to sign in again.
+In addition, you can take action directly in the Microsoft 365 Defender portal to address a compromised user, confirming the user is compromised or requiring them to sign in again.
From here, you can select **Go to user page** to see the details of a user account. Here's an example. You can also see this page by selecting the name of the user account from the list on the **Users** page.
-The Microsoft 365 security center user page combines information from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security (depending on what licenses you have).
+the Microsoft 365 Defender portal user page combines information from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security (depending on what licenses you have).
This page shows information specific to the security risk of a user account. This includes a score that helps assess risk and recent events and alerts that contributed to the overall risk of the user.
From this page, you can do these additional actions:
Here's an example. <!--
-You can access this page from multiple areas in the Microsoft 365 security center. You can access this page from a specific incident in the **Users** tab. Some alerts might include users as a specific affected asset. You can also search for users.
+You can access this page from multiple areas in the Microsoft 365 Defender portal. You can access this page from a specific incident in the **Users** tab. Some alerts might include users as a specific affected asset. You can also search for users.
Learn more about how to investigate users and potential risk [in this Cloud App Security tutorial](/cloud-app-security/tutorial-ueba#:~:text=To%20identify%20who%20your%20riskiest,user%20page%20to%20investigate%20them).
security M365d Autoir https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-If your organization is using [Microsoft 365 Defender](microsoft-365-defender.md), your security operations team receives an alert within the Microsoft 365 security center whenever a malicious or suspicious activity or artifact is detected. Given the seemingly never-ending flow of threats that can come in, security teams often face the challenge of addressing the high volume of alerts. Fortunately, Microsoft 365 Defender includes automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.
+If your organization is using [Microsoft 365 Defender](microsoft-365-defender.md), your security operations team receives an alert within the Microsoft 365 Defender portal whenever a malicious or suspicious activity or artifact is detected. Given the seemingly never-ending flow of threats that can come in, security teams often face the challenge of addressing the high volume of alerts. Fortunately, Microsoft 365 Defender includes automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.
This article provides an overview of AIR and includes links to next steps and additional resources.
security M365d Enable Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable-faq.md
Microsoft 365 Defender automatically selects an optimal location for the data ce
>[!NOTE] >Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Azure Defender. Microsoft 365 Defender will automatically provision in the same EU data center for customers who have provisioned Microsoft Defender for Endpoint in this manner.
-The data center location is shown before and after the service is provisioned in the settings page for Microsoft 365 Defender (**Settings > Microsoft 365 Defender**). If you prefer to use another data center location, select **Need help?** in the Microsoft 365 security center to contact Microsoft support.
+The data center location is shown before and after the service is provisioned in the settings page for Microsoft 365 Defender (**Settings > Microsoft 365 Defender**). If you prefer to use another data center location, select **Need help?** in the Microsoft 365 Defender portal to contact Microsoft support.
## Where can I access Microsoft 365 Defender?
-Microsoft 365 Defender is available in Microsoft 365 security center. To go to the security center, browse to the URL <https://security.microsoft.com>.
+Microsoft 365 Defender is available at: <https://security.microsoft.com>.
-## What permissions do I need to access Microsoft 365 Defender in Microsoft 365 security center?
+## What permissions do I need to access Microsoft 365 Defender?
Accounts assigned the following Azure Active Directory (Azure AD) roles can access Microsoft 365 Defender functionality and data:
security M365d Enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable.md
Title: Turn on Microsoft 365 Defender in the Microsoft 365 security center
+ Title: Turn on Microsoft 365 Defender
description: Learn how to enable Microsoft 365 Defender and start integrating your security incident and response. keywords: get started, enable Microsoft 365 Defender, Microsoft 365 Defender, M365, security, data location, required permissions, license eligibility, settings page search.product: eADQiWindows 10XVcnh
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-[Microsoft 365 Defender](microsoft-365-defender.md) unifies your incident response process by integrating key capabilities across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. This unified experience adds powerful features you can access in the Microsoft 365 security center.
+[Microsoft 365 Defender](microsoft-365-defender.md) unifies your incident response process by integrating key capabilities across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. This unified experience adds powerful features you can access in the Microsoft 365 Defender portal.
-Microsoft 365 Defender automatically turns on when eligible customers with the required permissions visit Microsoft 365 security center. Read this article to understand various prerequisites and how Microsoft 365 Defender is provisioned.
+Microsoft 365 Defender automatically turns on when eligible customers with the required permissions visit Microsoft 365 Defender portal. Read this article to understand various prerequisites and how Microsoft 365 Defender is provisioned.
## Check license eligibility and required permissions
-A license to a Microsoft 365 security product generally entitles you to use Microsoft 365 Defender in Microsoft 365 security center without additional licensing cost. We do recommend getting a Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses that provides access to all supported services.
+A license to a Microsoft 365 security product generally entitles you to use Microsoft 365 Defender without additional licensing cost. We do recommend getting a Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses that provides access to all supported services.
For detailed licensing information, [read the licensing requirements](prerequisites.md#licensing-requirements).
Onboarding to Microsoft 365 Defender is simple. From the navigation menu, select
Microsoft 365 Defender will store and process data in the [same location used by Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). If you don't have Microsoft Defender for Endpoint, a new data center location is automatically selected based on the location of active Microsoft 365 security services. The selected data center location is shown in the screen.
-Select **Need help?** in the Microsoft 365 security center to contact Microsoft support about provisioning Microsoft 365 Defender in a different data center location.
+Select **Need help?** in the Microsoft 365 Defender portal to contact Microsoft support about provisioning Microsoft 365 Defender in a different data center location.
> [!NOTE] > In the past, Microsoft Defender for Endpoint automatically provisioned in European Union (EU) data centers when turned on through Azure Defender. Microsoft 365 Defender will automatically provision in the same EU data center for customers who have provisioned Defender for Endpoint in this manner in the past.
Once the service is provisioned, it adds:
- [Advanced hunting](advanced-hunting-overview.md) capabilities - Threat analytics
-![Image of Microsoft 365 security center navigation pane with Microsoft 365 Defender features](../../media/overview-incident.png)
-*Microsoft 365 security center with incidents management and other Microsoft 365 Defender capabilities*
+![Image of Microsoft 365 Defender portal navigation pane with Microsoft 365 Defender features](../../media/overview-incident.png)
+*Microsoft 365 Defender portal with incidents management and other capabilities*
### Getting Microsoft Defender for Identity data To enable the integration with Microsoft Cloud App Security, you'll need to login to the Microsoft Cloud App Security at least once.
To enable the integration with Microsoft Cloud App Security, you'll need to logi
To get answers to the most commonly asked questions about turning on Microsoft 365 Defender, [read the FAQ](m365d-enable-faq.md).
-Microsoft support staff can help provision or deprovision the service and related resources on your tenant. For assistance, select **Need help?** in the Microsoft 365 security center. When contacting support, mention Microsoft 365 Defender.
+Microsoft support staff can help provision or deprovision the service and related resources on your tenant. For assistance, select **Need help?** in the Microsoft 365 Defender portal. When contacting support, mention Microsoft 365 Defender.
## Related topics
security M365d Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-permissions.md
Title: Manage access to Microsoft 365 Defender data in the Microsoft 365 security center
+ Title: Manage access to Microsoft 365 Defender data in the Microsoft 365 Defender portal
description: Learn how to manage permissions to data in Microsoft 365 Defender keywords: access, permissions, Microsoft 365 Defender, M365, security, MCAS, Cloud App Security, Microsoft Defender for Endpoint, scope, scoping, RBAC search.product: eADQiWindows 10XVcnh
Accounts assigned the following **Global Azure Active Directory (AD) roles** can
- Global Reader - Security Reader
-To review accounts with these roles, [view Permissions in the Microsoft 365 security center](https://security.microsoft.com/permissions).
+To review accounts with these roles, [view Permissions in the Microsoft 365 Defender portal](https://security.microsoft.com/permissions).
**Custom role** access is a new capability in Microsoft 365 Defender and allows you to manage access to specific data, tasks, and capabilities in Microsoft Defender 365. Custom roles offer more control than global Azure AD roles, providing users only the access they need with the least-permissive roles necessary. Custom roles can be created in addition to global Azure AD roles. [Learn more about custom roles](custom-roles.md).
security M365d Time Zone https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-time-zone.md
ms.technology: m365d
-Microsoft 365 Defender can display date and time information using either your local time zone or UTC. The selected time zone will apply to all date and time information shown in the following features in the Microsoft 365 security center:
+Microsoft 365 Defender can display date and time information using either your local time zone or UTC. The selected time zone will apply to all date and time information shown in the following features in the Microsoft 365 Defender portal:
- Incidents - Automated investigation and remediation, including the action center - Advanced hunting
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
ms.technology: m365d
Incident management is critical in ensuring that threats are contained and addressed.
-You manage incidents from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
+You manage incidents from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
:::image type="content" source="../../media/incidents-queue/incidents-ss-incidents.png" alt-text="Example of the incident queue":::
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
Microsoft 365 Defender cross-product features include:
## Get started
-Microsoft 365 Defender licensing requirements must be met before you can enable the service in the Microsoft 365 security center at [security.microsoft.com](https://security.microsoft.com). For more information, read:
+Microsoft 365 Defender licensing requirements must be met before you can enable the service in the Microsoft 365 Defender portal at [security.microsoft.com](https://security.microsoft.com). For more information, read:
- [Licensing requirements](prerequisites.md#licensing-requirements) - [Turn on Microsoft 365 Defender](m365d-enable.md)
security Microsoft Secure Score History Metrics Trends https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-history-metrics-trends.md
Title: Track your Microsoft Secure Score history and meet goals description: Gain insights into activity that has affected your Microsoft Secure Score. Discover trends and set goals.
-keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, microsoft 365 security center, improvement actions
+keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, Microsoft 365 Defender portal, improvement actions
ms.prod: m365-security ms.mktglfcycl: deploy localization_priority: Normal
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
-[Microsoft Secure Score](microsoft-secure-score.md) is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the [Microsoft 365 security center](overview-security-center.md).
+[Microsoft Secure Score](microsoft-secure-score.md) is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the [Microsoft 365 Defender portal](overview-security-center.md).
## Gain insights into activity that has affected your score
security Microsoft Secure Score Improvement Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-improvement-actions.md
Title: Assess your security posture through Microsoft Secure Score
-description: Describes how to take action to improve your Microsoft Secure Score in the Microsoft 365 security center.
-keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, microsoft 365 security center, improvement actions
+description: Describes how to take action to improve your Microsoft Secure Score in the Microsoft 365 Defender portal.
+keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, Microsoft 365 Defender portal, improvement actions
ms.prod: m365-security ms.mktglfcycl: deploy localization_priority: Normal
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
-Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the [Microsoft 365 security center](overview-security-center.md).
+Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the [Microsoft 365 Defender portal](overview-security-center.md).
To help you find the information you need more quickly, Microsoft improvement actions are organized into groups:
security Microsoft Secure Score Whats Coming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-whats-coming.md
Title: What's coming to Microsoft Secure Score
-description: Describes what new changes are coming to Microsoft Secure Score in the Microsoft 365 security center.
-keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, microsoft 365 security center, improvement actions
+description: Describes what new changes are coming to Microsoft Secure Score in the Microsoft 365 Defender portal.
+keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, Microsoft 365 Defender portal, improvement actions
ms.prod: m365-security ms.mktglfcycl: deploy localization_priority: Normal
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
-Microsoft Secure Score can be found at https://security.microsoft.com/securescore in the [Microsoft 365 security center](overview-security-center.md).
+Microsoft Secure Score can be found at https://security.microsoft.com/securescore in the [Microsoft 365 Defender portal](overview-security-center.md).
## Proposed changes
security Microsoft Secure Score Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-whats-new.md
Title: What's new in Microsoft Secure Score
-description: Describes what new changes have happened to Microsoft Secure Score in the Microsoft 365 security center.
-keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, microsoft 365 security center
+description: Describes what new changes have happened to Microsoft Secure Score in the Microsoft 365 Defender portal.
+keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, Microsoft 365 Defender portal
ms.prod: m365-security ms.mktglfcycl: deploy localization_priority: Normal
ms.technology: m365d
To make Microsoft Secure Score a better representative of your security posture, we have made some changes. To learn about planned changes, see [What's coming in Microsoft Secure Score?](microsoft-secure-score-whats-coming.md)
-Microsoft Secure Score can be found at https://security.microsoft.com/securescore in the [Microsoft 365 security center](overview-security-center.md).
+Microsoft Secure Score can be found at https://security.microsoft.com/securescore in the [Microsoft 365 Defender portal](overview-security-center.md).
## July 2021
Microsoft Secure Score can be found at https://security.microsoft.com/securescor
### Compatibility with Graph API
-Microsoft Secure Score recommendations delivered via Graph API will look and be weighted the same as the recommendations you currently see in the Microsoft 365 security center.
+Microsoft Secure Score recommendations delivered via Graph API will look and be weighted the same as the recommendations you currently see in the Microsoft 365 Defender portal.
## January 2021
security Microsoft Secure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score.md
Title: Microsoft Secure Score
-description: Describes Microsoft Secure Score in the Microsoft 365 security center, how to improve your security posture, and what security admins can expect.
-keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, microsoft 365 security center, improvement actions
+description: Describes Microsoft Secure Score in the Microsoft 365 Defender portal, how to improve your security posture, and what security admins can expect.
+keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, Microsoft 365 Defender portal, improvement actions
ms.prod: m365-security ms.mktglfcycl: deploy localization_priority: Normal
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
-Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the [Microsoft 365 security center](overview-security-center.md).
+Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the [Microsoft 365 Defender portal](overview-security-center.md).
-Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 security center, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices.
+Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices.
Secure Score helps organizations:
security Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mssp-access.md
Title: Provide managed security service provider (MSSP) access
-description: Learn about changes from the Microsoft Defender Security Center to the Microsoft 365 security center
-keywords: Getting started with the Microsoft 365 security center, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, MDO, MDE, single pane of glass, converged portal, security portal, defender security portal
+description: Learn about changes from the Microsoft Defender Security Center to the Microsoft 365 Defender portal
+keywords: Getting started with the Microsoft 365 Defender portal, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, MDO, MDE, single pane of glass, converged portal, security portal, defender security portal
ms.prod: microsoft-365-enterprise ms.mktglfcycl: deploy localization_priority: Normal
To implement a multi-tenant delegated access solution, take the following steps:
-1. Enable [role-based access control](/windows/security/threat-protection/microsoft-defender-atp/rbac) in Defender for Endpoint in Microsoft 365 security center and connect with Azure Active Directory (Azure AD) groups.
+1. Enable [role-based access control](/windows/security/threat-protection/microsoft-defender-atp/rbac) in Defender for Endpoint in Microsoft 365 Defender portal and connect with Azure Active Directory (Azure AD) groups.
2. Configure [Governance Access Packages](/azure/active-directory/governance/identity-governance-overview) for access request and provisioning. 3. Manage access requests and audits in [Microsoft Myaccess](/azure/active-directory/governance/entitlement-management-request-approve).
-## Enable role-based access controls in Microsoft Defender for Endpoint in Microsoft 365 security center
+## Enable role-based access controls in Microsoft Defender for Endpoint in Microsoft 365 Defender portal
1. **Create access groups for MSSP resources in Customer AAD: Groups**
- These groups will be linked to the Roles you create in Defender for Endpoint in Microsoft 365 security center. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
+ These groups will be linked to the Roles you create in Defender for Endpoint in Microsoft 365 Defender portal. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
- Tier 1 Analyst - Tier 2 Analyst - MSSP Analyst Approvers
-2. Create Defender for Endpoint roles for appropriate access levels in Customer Defender for Endpoint in Microsoft 365 security center roles and groups.
+2. Create Defender for Endpoint roles for appropriate access levels in Customer Defender for Endpoint in Microsoft 365 Defender portal roles and groups.
- To enable RBAC in the customer Microsoft 365 security center, access **Permissions > Endpoints roles & groups > Roles** with a user account with Global Administrator or Security Administrator rights.
+ To enable RBAC in the customer Microsoft 365 Defender portal, access **Permissions > Endpoints roles & groups > Roles** with a user account with Global Administrator or Security Administrator rights.
![Image of MSSP access](../../media/mssp-access.png)
To implement a multi-tenant delegated access solution, take the following steps:
2. Approve or deny requests in the **Approvals** section of the UI.
- At this point, analyst access has been provisioned, and each analyst should be able to access the customer's Microsoft 365 Security Center:
+ At this point, analyst access has been provisioned, and each analyst should be able to access the customer's Microsoft 365 Defender portal:
`https://security.microsoft.com/?tid=<CustomerTenantId>` with the permissions and roles they were assigned. > [!IMPORTANT]
-> Delegated access to Microsoft Defender for Endpoint in the Microsoft 365 security center currently allows access to a single tenant per browser window.
+> Delegated access to Microsoft Defender for Endpoint in the Microsoft 365 Defender portal currently allows access to a single tenant per browser window.
security Overview Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/overview-security-center.md
Reports are also unified in Microsoft 365 Defender. Admins can start with a gene
### Quickly view your Microsoft 365 environment
-The **Home** page shows many of the common cards that security teams need. The composition of cards and data is dependent on the user role. Because Microsoft 365 security center uses role-based access control, different roles will see cards that are more meaningful to their day to day jobs.
+The **Home** page shows many of the common cards that security teams need. The composition of cards and data is dependent on the user role. Because Microsoft 365 Defender portal uses role-based access control, different roles will see cards that are more meaningful to their day to day jobs.
This at-a-glance information helps you keep up with the latest activities in your organization. Microsoft 365 Defender brings together signals from different sources to present a holistic view of your Microsoft 365 environment.
Track and respond to emerging threats with the following Microsoft 365 Defender
## A centralized Learning Hub
-Microsoft 365 security center includes a learning hub that bubbles up official guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation at docs.microsoft.com.
+Microsoft 365 Defender portal includes a learning hub that bubbles up official guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation at docs.microsoft.com.
Inside the learning hub, Email & Collaboration (Microsoft Defender for Office 365) guidance is side-by-side with Endpoint (Microsoft Defender for Endpoint) and Microsoft 365 Defender learning resources.
security Portals https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/portals.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
-While [Microsoft 365 security center](overview-security-center.md) is the new home for monitoring and managing security across your identities, data, devices, and apps, you will need to access various portals for certain specialized tasks.
+While [Microsoft 365 Defender portal](overview-security-center.md) is the new home for monitoring and managing security across your identities, data, devices, and apps, you will need to access various portals for certain specialized tasks.
> [!TIP]
-> To access various relevant portals from Microsoft 365 security center, select **More resources** in the navigation pane.
+> To access various relevant portals from Microsoft 365 Defender portal, select **More resources** in the navigation pane.
## Security portals
Security operators and admins can go to the following portals to manage security
| Portal name | Description | Link | ||||
-| Microsoft 365 security center | Monitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with [Microsoft 365 Defender](microsoft-365-defender.md) | [security.microsoft.com](https://security.microsoft.com/) |
+| Microsoft 365 Defender portal | Monitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with [Microsoft 365 Defender](microsoft-365-defender.md) | [security.microsoft.com](https://security.microsoft.com/) |
| Microsoft Defender Security Center | Monitor and respond to threat activity on your endpoints using capabilities provided with [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) | [securitycenter.windows.com](https://securitycenter.microsoft.com/) | | Security & Compliance Center | Manage [Exchange Online Protection](../office-365-security/exchange-online-protection-overview.md) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) to protect your email and collaboration services, and ensure compliance to various data-handling regulations | [protection.office.com](https://protection.office.com) | | Azure Defender portal | Use [Azure Defender](/azure/security-center/security-center-intro) to strengthen the security posture of your data centers and your hybrid workloads in the cloud | [portal.azure.com/#blade/Microsoft_Azure_Security](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0) |
security Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/prerequisites.md
ms.technology: m365d
Learn about licensing and other requirements for provisioning and using [Microsoft 365 Defender](microsoft-365-defender.md). ## Licensing requirements
-Any of these licenses gives you access to Microsoft 365 Defender features in Microsoft 365 security center without additional cost:
+Any of these licenses gives you access to Microsoft 365 Defender features in Microsoft 365 Defender portal without additional cost:
- Microsoft 365 E5 or A5 - Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
Go to Microsoft 365 admin center ([admin.microsoft.com](https://admin.microsoft.
You must be a **global administrator** or a **security administrator** in Azure Active Directory to turn on Microsoft 365 Defender. For the list of roles required to use Microsoft 365 Defender and information on how access to data is regulated, read about [managing access to Microsoft 365 Defender](m365d-permissions.md). ## Browser requirements
-Access Microsoft 365 Defender in the Microsoft 365 security center using Microsoft Edge, Internet Explorer 11, or any HTML 5 compliant web browser.
+Access Microsoft 365 Defender in the Microsoft 365 Defender portal using Microsoft Edge, Internet Explorer 11, or any HTML 5 compliant web browser.
## Availability to US GCC, GCC High, and other US government institutions Currently, Microsoft 365 Defender is *not* available to:
security Setup M365deval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/setup-m365deval.md
Title: Set up your Microsoft 365 Defender trial lab or pilot environment
-description: Access Microsoft 365 Security Center then set up your Microsoft 365 Defender trial lab environment
+description: Access Microsoft 365 Defender portal then set up your Microsoft 365 Defender trial lab environment
keywords: Microsoft 365 Defender trial setup, Microsoft 365 Defender pilot setup, try Microsoft 365 Defender, Microsoft 365 Defender evaluation lab setup search.product: eADQiWindows 10XVcnh search.appverid: met150
security Streaming Api Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-event-hub.md
Once the Event Hub namespace is created you will need to:
To get the data types for event properties do the following:
-1. Log in to [Microsoft 365 security center](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
+1. Log in to [Microsoft 365 Defender portal](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
2. Run the following query to get the data types mapping for each event:
security Tickets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/tickets.md
Title: Integrate ServiceNow tickets into the Microsoft 365 security center and compliance center
-description: Learn how to create and track tickets in ServiceNow from the Microsoft 365 security center and compliance center.
+ Title: Integrate ServiceNow tickets into the Microsoft 365 Defender portal and compliance center
+description: Learn how to create and track tickets in ServiceNow from the Microsoft 365 Defender portal and compliance center.
keywords: security, Microsoft 365, M365, compliance, compliance center, security center, ServiceNow, tickets, tasks, SNOW, connection ms.prod: m365-security ms.mktglfcycl: deploy
- seo-marvel-apr2020 ms.technology: m365d
-# Integrate ServiceNow tickets into the Microsoft 365 security center and compliance center
+# Integrate ServiceNow tickets into the Microsoft 365 Defender portal and compliance center
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/troubleshoot.md
For more information, see [Microsoft Defender for Identity integration](/cloud-a
## Where is the settings page for turning on the service?
-To turn on Microsoft 365 Defender, access **Settings** from the navigation pane in the Microsoft 365 security center. This navigation item is visible only if you have the [prerequisite permissions and licenses](m365d-enable.md#check-license-eligibility-and-required-permissions).
+To turn on Microsoft 365 Defender, access **Settings** from the navigation pane in the Microsoft 365 Defender portal. This navigation item is visible only if you have the [prerequisite permissions and licenses](m365d-enable.md#check-license-eligibility-and-required-permissions).
## How do I create an exception for my file/URL?
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+f
## March 2021 - [CloudAppEvents table](advanced-hunting-cloudappevents-table.md) <br>Find information about events in various cloud apps and services covered by Microsoft Cloud App Security. This table also includes information previously available in `AppFileEvents`. ## February 2021-- (Preview) The enhanced [Microsoft 365 security center (https://security.microsoft.com)](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint and Defender for Office 365 to the center. [Learn more about what's changed](./overview-security-center.md).
+- (Preview) The enhanced [Microsoft 365 Defender portal (https://security.microsoft.com)](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint and Defender for Office 365 to the center. [Learn more about what's changed](./overview-security-center.md).
## September 2020 - [IdentityDirectoryEvents table](advanced-hunting-identitydirectoryevents-table.md) <br> Find events involving an on-premises domain controller running Active Directory (AD). This [advanced hunting](advanced-hunting-overview.md) schema table covers a range of identity-related events and system events on the domain controller.
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
For other ways to submit email messages, URLs, and attachments to Microsoft, see
- **Reason for submitting**<sup>\*</sup> - **Rescan status**<sup>\*</sup> - **Rescan result**<sup>\*</sup>
+ - **Tags**<sup>\*</sup>
- **Filter verdict** - **Delivery/Block reason** - **Submission ID**
For other ways to submit email messages, URLs, and attachments to Microsoft, see
- **Submission ID**: A GUID value that's assigned to every submission. - **Network Message ID** - **Sender**
+ - **Tags**
When you're finished, click **Apply**.
If you've deployed the [Report Message add-in](enable-the-report-message-add-in.
- **Sender**<sup>\*</sup> - **Reported reason**<sup>\*</sup> - **Rescan result**<sup>\*</sup>
+ - **Tags**<sup>\*</sup>
- **Message reported ID** - **Network Message ID** - **Sender IP**
If you've deployed the [Report Message add-in](enable-the-report-message-add-in.
- **Sender** - **Reported reason**: **Not junk**, **Phish**, or **Spam**. - **Phish simulation**: **Yes** or **No**
+ - **Tags**
When you're finished, click **Apply**.
security Removing User From Restricted Users Portal After Spam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md
Admins can remove users from the Restricted users page in the Microsoft 365 Defe
6. Click **Yes** to confirm the change. > [!NOTE]
- > It might take up to 24 hours for all restrictions to be removed from the user.
+ > It might take up to 1 hour for all restrictions to be removed from the user.
## Verify the alert settings for restricted users