+Welcome to the Microsoft Purview solutions trial playbook. This playbook will help you make the most of your free trial by helping you discover robust and comprehensive capabilities of Microsoft Purview and security products.

+## Compliance actions with Microsoft Purview

+Easily and quickly start trying MicrosoftΓÇÖs compliance solutions without changing your organizationΓÇÖs metadata.

+Depending on your priorities, you can start with any of these solution areas to see immediate value. Here are four top organizational concerns as communicated by our customers and recommended solutions to start with.

+**LetΓÇÖs get started!**

+## Microsoft Purview Compliance Manager

+We recommend that you become familiar with Compliance Manager and improve your organizationΓÇÖs compliance posture. What can Compliance Manager do for your organization?

+- It can help you get compliant ΓÇô with easy onboarding and step-by-step guidance

+- It can help you stay compliant ΓÇô with customizable and multi-cloud assessments

+- It can help you scale compliance ΓÇô with built-in collaboration and workflow capabilities

+### Step 1: Get to know Compliance Manager

+Our Compliance Manager overview page is the best first stop for a comprehensive review of what Compliance Manager is and how it works.

+- Start with the [Microsoft Purview Compliance Manager Setup Guide](https://go.microsoft.com/fwlink/?linkid=2197452).

+You may also want to jump right to key sections of our documentation using the links below:

+- [Understand your compliance score](compliance-manager.md#understanding-your-compliance-score)

+- [Overview of key elements](compliance-manager.md#key-elements-controls-assessments-templates-improvement-actions): controls, assessments, templates, and improvement actions

+- [Understand the Compliance Manager dashboard](compliance-manager-setup.md#understand-the-compliance-manager-dashboard)

+- [Filter your dashboard view](compliance-manager-setup.md#filtering-your-dashboard-view)

+- [Learn about improvement actions](compliance-manager-setup.md#improvement-actions-page)

+- [Understand assessments](compliance-manager.md#assessments)

+- [Do a quick scan of your environment using the Microsoft Compliance Configuration Analyzer for Compliance Manager (preview)](compliance-manager-mcca.md)

+### Step 2: Configure Compliance Manager to manage your compliance activities

+Start working with assessments and taking improvement actions to implement controls and improve your compliance score.

+1. [Choose a pre-built template to create and manage your first assessment](compliance-manager-assessments.md).

+1. [Understand how to use templates for building assessments](compliance-manager-templates.md).

+1. [Perform implementation and testing work on improvement actions to complete controls in your assessments](compliance-manager-improvement-actions.md).

+1. [Better understand how different actions impact your compliance score](compliance-score-calculation.md).

+> [!NOTE]

+> Microsoft 365 or Office 365 E1/E3 subscription includes Microsoft Data Protection Baseline template. Microsoft 365 or Office 365 E5, E5 Compliance includes templates for:

+>

+> - Microsoft Data Protection Baseline

+> - European Union GDPR

+> - ISO/IEC 27001,

+> - NIST 800-53

+Compliance Manager includes 300+ regulatory or premium templates that can be purchased as an add-on with [Compliance Manager premium assessments add-on](compliance-easy-trials-compliance-manager-assessments.md). With any [premium templates](compliance-manager-templates-list.md) (included with your subscription or purchased as add-on) you will receive the universal version of those templates, allowing you to manage your compliance with any product or service

+### Step 3: Scaling up: use advanced functionality to meet your custom needs

+Custom assessments are helpful for:

+- Managing compliance for non-Microsoft 365 products such as third-party apps and services, on-premises applications, and other assets

+- Managing your own custom or business-specific compliance controls:

+ 1. [Extend a Compliance Manager template by adding your own controls and improvement actions](compliance-manager-templates-extend.md)

+ 1. [Create your own custom template](compliance-manager-templates-create.md)

+ 1. [Modify an existing template to add or remove controls and actions](compliance-manager-templates-modify.md)

+ 1. [Set up automated testing of improvement actions](compliance-manager-setup.md#set-up-automated-testing)

+ 1. [Reassign improvement actions to another user](compliance-manager-setup.md#reassign-improvement-actions-to-another-user)

+**Organizational Concerns**

+## Information protection

+The first organizational concern raised by customers is understanding what, where and how sensitive, business-critical data is being used and how to protect sensitive and confidential data from unauthorized access or leakage.

+Get data visibility and protection starting with Information Protection and Data Loss Prevention.

+- Detect ΓÇô discover sensitive data across your entire digital estate and understand how itΓÇÖs being used.

+- Protect ΓÇô classify information and apply sensitivity labels with a unified approach.

+- Prevent ΓÇô prevent accidental, malicious, and unauthorized oversharing of sensitive data.

+## Information Protection and Data Loss Prevention

+**Discover, classify and protect your sensitive data**

+One of the main concerns for most organizations, regarding compliance regulations, is how to classify their sensitive data, how to protect it, and prevent data loss. Purview Information Protection and Data Loss Prevention solutions allow customers to discover and classify their sensitive data, to protect their sensitive data using sensitivity labels, and finally to setup data loss prevention policies to prevent unauthorized sharing, use, or transfer of sensitive data through multiple egress points. The classification, labeling, and DLP capabilities are natively built-in Microsoft 365 workloads such as SharePoint Online, Exchange Online, OneDrive for Business, and Teams. You can extend these to non-Microsoft workloads.

+### Set up your information protection and data loss prevention trial

+Eligible customers can activate default labels and default DLP policies for Information Protection and Data Loss Prevention. When you enable the default configuration in the trial, it will take about 2 minutes to configure all policies for your tenant and up to 24 hours to see the results of these default policies.

+Choosing the default configuration, with 1-click, the following is automatically configured:

+- Sensitivity labels and a sensitivity label policy

+- Client-side auto-labeling

+- Service-side auto-labeling

+- Data loss prevention (DLP) policies for Teams and devices

+[Activate the default labels and policies](mip-easy-trials.md#activate-the-default-labels-and-policies). If necessary, you can edit it manually after the configuration is complete. If necessary, you can edit it manually after the configuration is complete.

+You can follow the actions below or alternatively, use the [Microsoft Purview Information Protection Setup Guide](https://go.microsoft.com/fwlink/?linkid=2197428) to set up your Information Protection and Data Loss Protection.

+**Actions to try:**

+## Microsoft Purview Information Protection

+### Step 1: Automatically apply sensitivity labels to documents

+When you create a sensitivity label, you can automatically assign that label to files and emails when it matches conditions that you specify.

+1. [Create and configure sensitivity labels](create-sensitivity-labels.md#create-and-configure-sensitivity-labels)

+1. [Publish sensitivity label policy to all users](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy)

+1. Create an [auto-labeling policy](apply-sensitivity-label-automatically.md)

+ - Choose info you want label applied to

+ - Define locations to apply label

+ - Select label to apply

+ - Run policy in simulation mode

+### Step 2: Review and turn on auto-labeling policy

+Now on the Information protection > Auto-labeling page, you see your auto-labeling policy in the Simulation section.

+1. Select your policy to see the details of the configuration and status. When the simulation is complete, select the Items to review tab to see which emails or documents matched the rules that are specified.

+1. When youΓÇÖre ready to run the policy without simulation, select the Turn on policy option.

+## Microsoft Purview Data Loss Prevention

+### Step 1: Prevent data loss on Microsoft Teams locations

+If your organization has data loss prevention (DLP), you can define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session.

+1. [Learn about DLP Licensing for Microsoft Teams and the scope of DLP protection](dlp-microsoft-teams.md#dlp-licensing-for-microsoft-teams)

+1. [Add Microsoft Teams as a location to existing DLP policies](dlp-microsoft-teams.md#add-microsoft-teams-as-a-location-to-existing-dlp-policies)

+1. [Configure our default DLP policy for Teams or define a new DLP policy for Microsoft Teams](mip-easy-trials.md)

+### Step 2: Prevent data loss on devices

+Microsoft Purview DLP for endpoints allows you to detect and prevent when sensitive items are used or shared on Windows 10, Windows 11 and macOS devices.

+1. Prepare your endpoints - make sure that the Windows 10 and macOS devices that you plan on deploying Endpoint DLP [meet these requirements](endpoint-dlp-getting-started.md#skusubscriptions-licensing).

+1. [Onboard devices into device management](endpoint-dlp-getting-started.md#windows-10-and-windows-11-onboarding-procedures) - You must onboard your endpoints before you can detect and protect sensitive items on a device. Both of these actions are done in the Microsoft Purview compliance portal.

+ - Scenario 1 ΓÇô Onboarding devices that have not been onboarded yet.

+ - Scenario 2 - Microsoft Defender for Endpoint is already deployed and there are endpoints reporting in. All these endpoints will appear in the managed devices list.

+1. [Configure our default DLP policy for devices or define a new DLP policy for devices](mip-easy-trials.md#dlp-for-devices).

+1. [View Endpoint DLP alerts](dlp-configure-view-alerts-policies.md) in DLP Alerts Management dashboard.

+1. [View Endpoint DLP data](data-classification-activity-explorer.md) in activity explorer.

+### Step 3: Expand policies in scope or protection

+You have flexibility in how you configure your DLP policies. You can start with our default DLP policy for Teams and devices and expand those policies to protect additional locations, sensitive information types, or labels. Note customers can run a DLP policy in test mode to understand or fine tune how the policy is working before it is turned on. In addition, you can expand upon the policy actions and customize alerting.

+1. Add locations

+1. Add sensitive information types or labels to protect

+1. Add actions

+ - Teams:

+ i. [Prevent external access to sensitive documents](dlp-microsoft-teams.md#prevent-external-access-to-sensitive-documents)

+ i. [Get policy tips to help educate users and instructions for customizing policy tips](dlp-microsoft-teams.md#policy-tips-help-educate-users)

+ - Devices: switch from audit only to block

+1. [Configure and view alerts for data loss prevention policies](dlp-configure-view-alerts-policies.md)

+## Microsoft Purview data governance

+The second organizational concern customers convey is how to reduce risk and meet regulations by classifying data to keep what they need and delete what they don't need. Customers want compliant lifecycle management of sensitive data, to meet record keeping obligations, and to reduce the risk from over-retained data.

+Microsoft Purview Data Lifecycle Management and Records Management help you to:

+- Apply retention and deletion policies to data where users collaborate to manage risk and prevent productivity loss.

+- Ensure the correct policies are enforced by auto-classifying content.

+- Comply with record keeping obligations with immutability options, defensible disposal, and advanced policy targeting.

+## Microsoft Purview Data Lifecycle Management

+### Govern at scale with automation

+Start with the [Data Lifecycle Management Setup Guide](https://go.microsoft.com/fwlink/?linkid=2197335). Additionally, you may want to consider implementing these common scenarios:

+1. Auto-apply retention or deletion settings to sensitive data

+1. Auto-apply retention or deletion settings to everything in a SharePoint document library

+1. Target a retention or deletion policy to only specific users or mailboxes

+### Step 1: Auto-apply retention or deletion settings to sensitive data

+Start by managing the lifecycle of sensitive data by managing it automatically using retention and deletion settings. First, decide on the type of sensitive data that you want to protect. You may want to use one of our pre-built [sensitive information types](sensitive-information-type-learn-about.md). Next, [create a retention label](retention.md#retention-labels) with your desired retention or deletion settings. Finally, [automatically apply the retention label](apply-retention-labels-automatically.md#auto-apply-labels-to-content-with-specific-types-of-sensitive-information) that contains the sensitive information type you selected.

+### Step 2: Auto-apply retention or deletion settings to everything in a SharePoint document library, folder, or document set

+You can set a default retention label in SharePoint to automatically apply it to all items within a specific document library, folder, or document set in SharePoint. This option is useful when users store a specific type of document in one of these locations.

+First, identify the content you would like to manage and the location of the content in SharePoint. Next, [create a retention label](retention.md#retention-labels) with your desired retention or deletion settings. Finally, [publish the retention to the document library, folder, or document set](create-apply-retention-labels.md#applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set).

+### Step 3: Dynamically target retention policies with Adaptive Policy Scopes

+Many customers want to target a retention policy to specific users or mailboxes. For example, they may want to apply a longer retention period to the mailboxes of people in leadership roles or apply shorter retention to shared mailboxes. Adaptive policy scopes allow you to do this by using their AD attributes to target the policy. If one of the attribute values changes then the retention policy will automatically update its membership.

+First, [decide what attributes you will use to target](retention-settings.md#configuration-information-for-adaptive-scopes) the users or mailboxes that you want to include or exclude from your policy. Next, [Create an Adaptive Policy Scope and use it with a retention policy](retention.md#adaptive-or-static-policy-scopes-for-retention).

+## Microsoft Purview Records Management

+**Manage high-value items for business, legal, or regulatory record-keeping requirements**

+Records Management helps you to comply with more granular retention and deletion requirements. As an example, you can track your retention schedule or use flexible automation options. Additionally, you can make content immutable, trigger retention using an event, or require approval before items are disposed.

+Here are our most popular records management scenarios:

+1. Automatically apply a retention label based on SharePoint file metadata

+1. Conduct a disposition review at the end of a retention period

+1. Make content immutable to prevent users from editing it

+### Step 1: Automatically apply a retention label based on SharePoint file metadata

+Auto-applying labels removes the need for your users to manually perform the labeling activities. As an example, you can auto-apply retention labels to content that has specific metadata properties in SharePoint.

+First, decide the metadata properties you would like to use, the locations where you want to look for matches, and the retention or deletion settings you want to apply. Next, [create a retention label](retention.md#retention-labels). Then, [follow the steps](auto-apply-retention-labels-scenario.md) to auto-apply the label based on SharePoint metadata.

+### Step 2: Review content to approve before it's permanently deleted

+Some organizations have a requirement to review content at the end of its retention period before it is permanently deleted. Using Records Management, users you specify ("reviewers") can be notified to review the content and approve the permanent disposal action. Reviewers can also choose to assign a different retention period to the content or postpone deletion. Learn more here: Disposition of content.

+### Step 3: Make content immutable to prevent users from editing it

+Some content has a lifecycle phase where both the file and the metadata should not be available for editing, often called declaring the content as an immutable record. Learn how to configure this option in Records Management: [Create a retention label that declares content as a record or a regulatory record](declare-records.md).

+## Manage insider risks

+The third organizational concern we hear is how to protect your data and respond to potential insider data security incident risks, which may include data theft and inappropriate sharing of confidential information across all platforms like email and IM (e.g. Microsoft Teams).

+

+Using Insider Risk Management and Communication Compliance you can quickly identify and act on insider data security incidents and regulatory requirement risks, empowering you to collaborate with your Security, HR, Legal and other teams, depending on your organization.

+- Get rich insights ΓÇô identifying hidden risks with customizable ML templates requiring no endpoint agents.

+- Investigate ΓÇô integrated investigation workflows enable end-to-end collaboration across Security, HR and Legal.

+- Know privacy is built-in ΓÇô protect user privacy and prevent bias by removing identifiable user details, like name or email, while mitigating organizational risk.

+## Microsoft Purview Insider Risk Management

+**Detect and remediate insider risks**

+Leverage end-to-end workflows to help you quickly identify, triage, and remediate. Using logs from Microsoft 365 and Azure services, you can define policies to identify potential data security incidents and take remediation actions such as promoting user education or initiating an investigation.

+### Step 1 (required): Enable permissions for Insider Risk Management

+There are four role groups used to configure permissions to manage Insider Risk Management features, which have different roles and level of access. Setting up permissions to Insider Risk Management is key before proceeding.

+[Add users to an insider risk management role group](insider-risk-management-configure.md#add-users-to-an-insider-risk-management-role-group)

+If you are not able to see permissions, please talk to your tenant admin to assign the correct roles.

+### Step 2 (required): Enable the Microsoft 365 audit log

+Auditing is enabled for Microsoft 365 organizations by default. Some organizations may have disabled auditing for specific reasons. If auditing is disabled for your organization, it might be because another administrator has turned it off. We recommend confirming that itΓÇÖs OK to turn auditing back on when completing this step.

+For step-by-step instructions to turn on auditing, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md). After you turn on auditing, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. You only have to do this action once. For more information about using the Microsoft 365 audit log, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md).

+### Step 3 (recommended): Enable and view Insider Risk Management analytics insights

+Analytics within Insider Risk Management enables you to conduct an evaluation of potential insider risks that may lead to a data security incident in your organization without configuring any insider risk policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. These assessment results are aggregated and anonymized, and offer organization-wide insights, like the percentage of users performing potential sensitive data exfiltration activities.

+To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics) and check out the [Insider risk management analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help you understand your insider risk posture and help you take action by setting up appropriate policies to identify risky users.

+> [!NOTE]

+> To enable insider risk analytics, you must be a member of the Insider Risk Management or Insider Risk Management Admin.

+### Step 4: Start with Recommended actions

+Quickly get started and get the most out of Insider Risk Management capabilities with Recommended actions. Included on the Overview page, recommended actions will help guide you through the steps to configure and deploy policies and to take investigation actions for user actions that generate alerts from policy matches.

+[Select a recommendation from the list](insider-risk-management-configure.md#recommended-actions-preview) to get started with configuring insider risk management.

+Each recommended action guides you through the required activities for the recommendation, including any requirements, what to expect, and the impact of configuring the feature in your organization.

+Note that the recommended steps in the playbook (above) may also be included in the Recommended actions shown in the portal.

+Set up recommendations are also available on the Microsoft docs page, via the [Microsoft Purview Insider Risk Management Setup Guide](https://go.microsoft.com/fwlink/?linkid=2197153).

+To fully leverage the functionality of Insider Risk Management, we recommend setting up policies for your organization to better identify potential risky actions that may lead to a security incident, leveraging templates for Data leaks or Data theft.

+## Microsoft Purview Communication Compliance

+**Identify regulatory compliance policy violations**

+Microsoft Purview Communication Compliance helps organizations detect explicit regulatory compliance violations such as SEC or FINRA obligations, including inappropriate sharing of sensitive or confidential information. With built in workflows, the solution can help you investigate and remediate possible regulatory compliance violations. Built with privacy by design, this solution has usernames pseudonymized by default, role-based access controls are built-in, investigators must be explicitly added by an administrator to a policy, and audit logs are in place to help ensure user-level privacy.

+### Step 1: Enable permissions for communication compliance

+Assign users communication compliance roles to be able to use the product. The "Communication Compliance" role group gives you all the permissions to use the product. Learn about other communication compliance role groups here: [Get started with communication compliance](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance).

+### Step 2: Enable the audit log

+To use this feature, turn on auditing. When you turn this on actions will be available in the audit log and view in a report. To learn more, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md).

+### Step 3: Review recommended actions insights

+Included on the Policies page, recommended actions helps you discover risks you may not be aware of, like inappropriate sharing of sensitive or confidential information that are already occurring in your organization. This view includes only the aggregate number of matches per classification type, with none of the insights containing any personally identifiable information, and helps you determine the type and scope of communication compliance policies to configure.

+### Step 4: Create a communication compliance policy

+Create a communication compliance policy using the existing templates: 1- Sensitive information; 2- Regulatory compliance; 3- Conflict of interest. Learn more about our out of the box policy templates and how to create a custom policy here: [Communication compliance policies](communication-compliance-policies.md).

+### Step 5: Investigate and remediate alerts

+[Investigate and remediate communication compliance alerts](communication-compliance-investigate-remediate.md).

+### Step 6: Review reports for insights

+[Review reports for insights on your overall communication compliance posture](communication-compliance-reports-audits.md).

+## Discover & respond

+The fourth organizational concern from customers is how to find relevant data when needed for investigations, regulatory requests, or litigations and for meeting regulatory requirements.

+With eDiscovery and Audit, you can discover data efficiently.

+- Discover and collect data in-place ΓÇô collect, filter, and gain data insights faster, with greater visibility.

+- Manage workflows ΓÇô reduce the friction of identifying and collecting potential sources of relevant information by automatically mapping unique and shared data sources.

+- Accelerate the discovery process ΓÇô manage the increase of data volume by searching and processing highly relevant content in-place.

+## Microsoft Purview eDiscovery (Premium)

+Discover more efficiently with an end-to-end workflow

+Take advantage of an end-to-end workflow for preserving, collecting, analyzing, and exporting content thatΓÇÖs responsive to your organizationΓÇÖs internal and external investigations. Legal teams can also manage the entire legal hold notification process by communicating with custodians involved in a case.

+### Step 1 (required): Permissions

+To access eDiscovery (Premium) or be added as a member of an eDiscovery (Premium) case, a user must be assigned the appropriate permissions.

+1. [Set up eDiscovery (Premium) ΓÇô Assign eDiscovery permissions](get-started-with-advanced-ediscovery.md#step-2-assign-ediscovery-permissions)

+1. [Add or remove members from a case](add-or-remove-members-from-a-case-in-advanced-ediscovery.md)

+### Step 2 (required): Create a Case

+More organizations use the eDiscovery (Premium) solution in Microsoft 365 for critical eDiscovery processes. This includes responding to regulatory requests, investigations, and litigation.

+1. Manage eDiscovery (Premium) ΓÇô [learn how to configure eDiscovery (Premium), manage cases by using the Security & Compliance Center, manage a workflow in Advanced eDiscovery, and analyze Advanced eDiscovery search results](/learn/modules/manage-advanced-ediscovery).

+1. [Create an eDiscovery case](advanced-ediscovery-new-case-format.md) using eDiscovery PremiumΓÇÖs new case format

+1. [Close or delete a case](close-or-delete-case.md) - When the legal case or investigation is completed, you can close or delete. You can also reopen a closed case.

+### Step 3 (optional): Settings

+To allow people in your organization start to create and use cases, you must configure global settings that apply to all cases in your organization. You can manage settings such as attorney-client privilege detection, historical versions and many more.

+1. [Configure global settings for eDiscovery (Premium)](get-started-with-advanced-ediscovery.md#step-3-configure-global-settings-for-ediscovery-premium)

+1. [Configure search and analytics settings](configure-search-and-analytics-settings-in-advanced-ediscovery.md)

+1. [Manage jobs in eDiscovery (Premium)](managing-jobs-ediscovery20.md)

+### Step 4 (optional): Compliance Boundaries

+Compliance boundaries create logical boundaries within an organization that control the user content locations (such as mailboxes, OneDrive accounts, and SharePoint sites) that eDiscovery managers can search. They also control who can access eDiscovery cases used to manage the legal, human resources, or other investigations within your organization.

+Set up compliance boundaries for eDiscovery investigations:

+1. [Identify a user attribute to define your agencies](set-up-compliance-boundaries.md#step-1-identify-a-user-attribute-to-define-your-agencies)

+1. [Create a role group for each agency](set-up-compliance-boundaries.md#step-2-create-a-role-group-for-each-agency)

+1. [Create a search permissions filter to enforce the compliance boundary](set-up-compliance-boundaries.md#step-3-create-a-search-permissions-filter-to-enforce-the-compliance-boundary)

+1. [Create an eDiscovery case for an intra-agency investigations](set-up-compliance-boundaries.md#step-4-create-an-ediscovery-case-for-intra-agency-investigations)

+### Step 5 (optional): eDiscovery PremiumΓÇÖs collection tool

+Use the [eDiscovery (Premium) collection workflow](create-draft-collection.md#create-a-draft-collection) to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Teams. Collections in eDiscovery (Premium) help eDiscovery managers quickly scope a search for content across email, documents, Teams reactions, and other content in Microsoft 365. Collections provide managers with an estimate of the content that may be relevant to the case.

+[Learn more about collection queries and estimates.](building-search-queries.md)

+## Microsoft Purview Audit (Premium)

+**Conduct investigations**

+Advanced Audit helps organizations to conduct forensic and compliance investigations by increasing audit log retention required to conduct an investigation, providing access to crucial events that help determine scope of compromise, and providing faster access to the Office 365 Management Activity API.

+### Step 1: Apply the E5 license to each user for which youΓÇÖd like to generate E5 events

+Audit (Premium) features such as the ability to log crucial events such as MailItemsAccessed and Send require an appropriate E5 license assigned to users. Additionally, the Advanced Auditing app/service plan must be enabled for those users.

+Set up Audit (Premium) for users - to verify that the Advanced Auditing app is assigned to users, [perform the following steps for each user](set-up-advanced-audit.md#step-1-set-up-audit-premium-for-users).

+1. Enable Audit (Premium) events - [enable SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint](set-up-advanced-audit.md#step-2-enable-audit-premium-events) to be audited for each user in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

+1. Set up audit retention policies - [create additional audit log retention policies](set-up-advanced-audit.md#step-3-set-up-audit-retention-policies) to meet the requirements of your organizationΓÇÖs security operations, IT, and compliance teams.

+1. Search for Audit (Premium) events - [search for crucial Audit (Premium) events](set-up-advanced-audit.md#step-4-search-for-audit-premium-events) and other activities when conducting forensic investigations.

+### Step 2: Create new Audit Log policies to specify how long to retain audit logs in your org for activities performed by users and define priority levels for your policies

+Audit log retention policies are part of the new Advanced Audit capabilities in Microsoft 365. An audit log retention policy lets you specify how long to retain audit logs in your organization.

+1. Before you create an audit log retention policy ΓÇô [key things to know](audit-log-retention-policies.md#before-you-create-an-audit-log-retention-policy) before creating your policy.

+1. [Create an audit log retention policy](audit-log-retention-policies.md#create-an-audit-log-retention-policy).

+1. [Manage audit log retention policies in the Microsoft Purview compliance portal](audit-log-retention-policies.md#manage-audit-log-retention-policies-in-the-compliance-portal) - Audit log retention policies are listed on the Audit retention policies tab (also called the dashboard). You can use the dashboard to view, edit, and delete audit retention policies.

+1. [Create and manage audit log retention policies on PowerShell](audit-log-retention-policies.md#create-and-manage-audit-log-retention-policies-in-powershell) - You can also use Security & Compliance Center PowerShell to create and manage audit log retention policies. One reason to use PowerShell is to create a policy for a record type or activity that isnΓÇÖt available in the UI.

+### Roles and Role Groups

+There are roles and role groups that you can use to fine-tune your access controls.

+### Update existing system configuration profiles

+1. A Full Disk Access configuration profile should have been previously created and deployed for MDE. See, [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-intune#full-disk-access). Endpoint DLP requires an additional Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`.

+ 1. Update the existing Fullfull Disk Access configuration profile with the fulldisk.mobileconfig file.

+1. Find the existing MDE Preferences configuration profile. See, [Set preferences for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-preferences#intune-full-profile)

+ 1. Add a new key to the profile using these values:

+```xml

+<key>features</key>

+<dict>

+ <key>systemExtensions</key>

+ <string>enabled</string>

+ <key>dataLossPrevention</key>

+ <string>enabled</string>

+</dict>

+```

+Here's an [example mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/com.microsoft.wdav.mobileconfig)

+

+1. [Publish application](#publish-application)

+### Publish application

+Microsoft Endpoint DLP is installed as a component of Microsoft Defender for Endpoint (MDE) on macOS

+1. Follow the procedures in [Intune-based deployment for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-install-with-intune#publish-application) to deploy MDE to enrolled macOS devices.

+> [!IMPORTANT]

+> Another organization's cross-tenant access settings can be responsible for either their users being unable to open content that your users have encrypted, or your users being unable to open content encrypted by the other organization.

+>

+> The message that users see indicates which organization blocked access. You might need to direct the Azure AD admin from another organization to this section.

+For example, another organization might have settings configured that prevent their users from opening content encrypted by your organization. In this scenario, until their Azure AD admin reconfigures their cross-tenant settings, an external user attempting to open that content will see a message that informs them **Access is blocked by your organization** with a reference to **Your tenant administrator**. In that message, the external users see their own organization domain name that identifies it's their Azure AD tenant, rather than yours, that's responsible for blocking the access.

+Your users will see a similar message but with your own organization name when it's your Azure AD configuration that blocks access. From the perspective of the signed in user, if it's another Azure AD organization that's responsible for blocking access, the message changes to **Access is blocked by the organization** and the domain name of that other organization.

+SharePoint uses Azure Blob Storage for its content, while the metadata associated with sites and its files is stored within SharePoint. After the site is moved from its source geo location to its destination geo location, the service will also move its associated Blob Storage. Blob Storage moves complete in approximately 40 days. This will not have any impact to users interaction with the data.

+You can check the Blob Storage move status using the [Get-SPOCrossGeoMoveReport](/powershell/module/sharepoint-online/get-spocrossgeomovereport) cmdlet.

+##### [Network protection for Linux](network-protection-linux.md)

+##### [Network protection for MacOS](network-protection-macos.md)

+ Title: Use network protection to help prevent Linux connections to bad sites

+description: Protect your network by preventing Linux users from accessing known malicious and suspicious network addresses

+keywords: Network protection, Linux exploits, malicious website, ip, domain, domains, command and control, SmartScreen, toast notification

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mde

+- m365initiative-m365-defender

+- M365-security-compliance

+# Network protection for Linux

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+> [!IMPORTANT]

+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+## Overview

+Microsoft is bringing Network Protection functionality to Linux.

+Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host:

+- phishing scams

+- exploits

+- other malicious content on the Internet

+Network protection expands the scope of Microsoft Defender [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources. The blocks on outbound HTTP(s) traffic is based on the domain or hostname.

+## Web content filtering for Linux

+You can use web content filtering for testing with Network protection for Linux. See [Web content filtering](web-content-filtering.md).

+### Known issues

+- Network Protection is implemented as a virtual private network (VPN) tunnel. Advanced packet routing options using custom nftables/iptables scripts are available.

+- Block/Warn UX isn't available

+ - Customer feedback is being collected to drive further design improvements

+> [!NOTE]

+> To evaluate the effectiveness of Linux Web Threat Protection, we recommend using the Firefox browser which is the default for all the distributions.

+### Prerequisites

+- Licensing: Microsoft Defender for Endpoint tenant (can be trial) and platform specific requirements found in [Microsoft Defender for Endpoint for non-Windows platforms](non-windows.md#licensing-requirements)

+- Onboarded Machines:

+ - **Minimum Linux version**: For a list of supported distributions, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).

+ - **Microsoft Defender for Endpoint Linux client version**: 101.78.13 -insiderFast(Beta)

+## Instructions

+Deploy Linux manually, see [Deploy Microsoft Defender for Endpoint on Linux manually](linux-install-manually.md)

+The following example shows the sequence of commands needed to the mdatp package on ubuntu 20.04 for insiders-Fast channel.

+```bash

+curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/20.04/insiders-fast.list

+sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list

+sudo apt-get install gpg

+curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -

+sudo apt-get install apt-transport-https

+sudo apt-get update

+sudo apt install -y mdatp

+```

+### Device Onboarding

+To onboard the device, you must download the Python onboarding package for Linux server from Microsoft 365 Defender -> Settings -> Device Management -> Onboarding and run:

+```bash

+sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py

+```

+### Manually enable network protection

+1. Turn on the ΓÇ£networkProtectionΓÇ¥ feature, edit the ΓÇ£/etc/opt/microsoft/mdatp/wdacfgΓÇ¥ and set **networkProtection** to **enabled**.

+2. Restart the mdatp service by running the following command:

+```bash

+sudo systemctl restart mdatp

+```

+> :::image type="content" source="images/network-protection-linux-mdatp-restart.png" alt-text="Shows Linux mdatp restart." lightbox="images/network-protection-linux-mdatp-restart.png":::

+### Configure the enforcement level

+Network protection is disabled by default, but it can be configured to run in one of the following modes (also called enforcement levels):

+- **Audit**: useful to make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur

+- **Block**: network protection prevents connection to malicious websites

+- **Disabled**: all components associated with Network Protection are disabled

+```bash

+sudo mdatp config network-protection enforcement-level --value block

+```

+or

+```bash

+sudo mdatp config network-protection enforcement-level --value audit

+```

+To confirm Network Protection has successfully started, run the following command from the Terminal; verify that it prints ΓÇ£startedΓÇ¥:

+```bash

+mdatp health --field network_protection_status

+```

+### Validation

+A. Check Network Protection has effect on always blocked sites:

+- [http://www.smartscreentestratings2.net](http://www.smartscreentestratings2.net)

+- [https://www.smartscreentestratings2.net](https://www.smartscreentestratings2.net)

+- [http://malw-090-0-1.phsh-005-0-1.smartscreentestratings.com/](http://malw-090-0-1.phsh-005-0-1.smartscreentestratings.com/)

+B. Inspect diagnostic logs

+```bash

+$ sudo mdatp log level set --level debug

+$ sudo tail -f /var/log/microsoft/mdatp/microsoft_defender_np_ext.logΓÇ»

+```

+#### To exit the validation mode

+Disable network protection and restart the network connection:

+```bash

+$ sudo mdatp config network-protection enforcement-level --value disabled

+```

+## Advanced configuration

+By default, Linux network protection is active on the default gateway; routing and tunneling are internally configured.

+To customize the network interfaces, change the **networkSetupMode** parameter from the **/opt/microsoft/mdatp/conf/** configuration file and restart the service:

+```bash

+sudo systemctl restart mdatp

+```

+The configuration file also enables the user to customize:

+- proxy setting

+- SSL certificate stores

+- tunneling device name

+- IP

+- and more

+The default values were tested for all distributions as described in [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+### Microsoft Defender portal

+Also, make sure that in **Microsoft Defender** > **Settings** > **Endpoints** > **Advanced features** that **ΓÇÿCustom network indicatorsΓÇÖ** toggle is set _enabled_.

+> [!IMPORTANT]

+> The above **ΓÇÿCustom network indicatorsΓÇÖ** toggle controls **Custom Indicators** enablement **for ALL platforms with Network Protection support, including Windows. Reminder that - on Windows - for indicators to be enforced you also must have Network Protection explicitly enabled.

+>:::image type="content" source="images/network-protection-linux-defender-security-center-advanced-features-settings.png" alt-text="MEM Create Profile" lightbox="images/network-protection-linux-defender-security-center-advanced-features-settings.png":::

+## How to explore the features

+1. Learn how to [Protect your organization against web threats](web-threat-protection.md) using web threat protection.

+ - Web threat protection is part of web protection in Microsoft Defender for Endpoint. It uses network protection to secure your devices against web threats.

+2. Run through the [Custom Indicators of Compromise](indicator-ip-domain.md) flow to get blocks on the Custom Indicator type.

+3. Explore [Web content filtering](web-content-filtering.md).

+ > [!NOTE]

+ > If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.

+ > Pro tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.

+4. [Integrate Microsoft Defender for Endpoint with Cloud App Security](/defender-cloud-apps/mde-integration.md) and your network protection-enabled macOS devices will have endpoint policy enforcement capabilities.

+ > [!NOTE]

+ > Discovery and other features are currently not supported on these platforms.

+## Scenarios

+The following scenarios are supported during public preview:

+### Web threat protection

+Web threat protection is part of Web protection in Microsoft Defender for Endpoint. It uses network protection to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy. Web threat protection can protect devices while they're on premises or away. Web threat protection stops access to the following types of sites:

+- phishing sites

+- malware vectors

+- exploit sites

+- untrusted or low-reputation sites

+- sites you've blocked in your custom indicator list

+>:::image type="content" source="images/network-protection-reports-web-protection.png" alt-text="Web Protection reports web threat detections." lightbox="images/network-protection-reports-web-protection.png":::

+For more information, see [Protect your organization against web threat](web-threat-protection.md)

+#### Custom Indicators of Compromise

+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).

+Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action and the scope of the device group to apply it to.

+Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender Antivirus).

+>:::image type="content" source ="images/network-protection-add-url-domain-indicator.png" alt-text="Shows network protection add URL or domain indicator." lightbox="images/network-protection-add-url-domain-indicator.png":::

+For more information, see: [Create indicators for IPs and URLs/domains](indicator-ip-domain.md).

+### Web content filtering

+Web content filtering is part of the [Web protection](web-protection-overview.md) capabilities in Microsoft Defender for Endpoint and Microsoft Defender for Business. Web content filtering enables your organization to track and regulate access to websites based on their content categories. Many of these websites (even if they're not malicious) might be problematic because of compliance regulations, bandwidth usage, or other concerns.

+Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.

+Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave, and Opera). For more information about browser support, see [Prerequisites](#prerequisites).

+> :::image type="content" source="images/network-protection-wcf-add-policy.png" alt-text="Shows network protection web content filtering add policy." lightbox="images/network-protection-wcf-add-policy.png":::

+For more information about reporting, see [Web content filtering](web-content-filtering.md).

+### Microsoft Defender for Cloud Applications

+The Microsoft Defender for Cloud Applications / Cloud App Catalog identifies apps you would want end users to be warned upon accessing with Microsoft 365 Defender for Endpoint, and mark them as _Monitored_. The domains listed under monitored apps would be later synced to Microsoft 365 Defender for Endpoint:

+> :::image type="content" source="images/network-protection-macos-mcas-monitored-apps.png" alt-text="Shows network protection mcas monitored apps." lightbox="images/network-protection-macos-mcas-monitored-apps.png":::

+Within 10-15 minutes, these domains will be listed in Microsoft 365 Defender for Endpoint Security Center under Indicators > URLs/Domains with Action=Warn. Within the enforcement SLA (see details at the end of this article).

+> :::image type="content" source="images/network-protection-macos-mcas-cloud-app-security.png" alt-text="Shows network protection mcas cloud app security." lightbox="images/network-protection-macos-mcas-cloud-app-security.png":::

+## See also

+- [Protect your network](network-protection.md)

+- [Turn on network protection](enable-network-protection.md)

+- [Web protection](web-protection-overview.md)

+- [Create indicators](manage-indicators.md)

+- [Web content filtering](web-content-filtering.md)

+ Title: Use network protection to help prevent macOS connections to bad sites

+description: Protect your network by preventing macOS users from accessing known malicious and suspicious network addresses

+keywords: Network protection, MacOS exploits, malicious website, ip, domain, domains, command and control, SmartScreen, toast notification

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mde

+- m365initiative-m365-defender

+- M365-security-compliance

+# Network protection for macOS

+**Applies to:**

+- [Microsoft Microsoft 365 Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft Microsoft 365 Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+> [!IMPORTANT]

+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+## Overview

+Microsoft is bringing Network protection functionality to macOS (min. macOS 11).

+Microsoft Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host:

+- phishing scams

+- exploits

+- other malicious content on the Internet

+Network protection expands the scope of Microsoft 365 Defender [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources. The blocks on outbound HTTP(s) traffic are based on the domain or hostname.

+## New and updated capabilities

+- You can run your corporate VPN in tandem or ΓÇ£side by sideΓÇ¥ with network protection. Currently, no VPN conflicts are identified. If you do experience conflicts, you can provide feedback through the feedback channel listed at the bottom of this page.

+ - Web content filtering is supported with network protection for macOS.

+ - If network protection is configured and active on the device, web content filtering (WCF) policies created in the MDEP Portal are respected in browsers, including Chromium Microsoft Edge for macOS. Web content filtering in Microsoft Edge on Mac currently requires network protection; other E5 feature, such as Microsoft Defender for Cloud Applications or Custom Indicators currently also require network protection.

+### Known issues

+- Block/Warn UX isn't customizable and might require other look and feel changes

+ - Customer feedback is being collected to drive further design improvements

+### Important notes

+- We donΓÇÖt recommend controlling network protection from System Preferences by using the Disconnect button. Instead, use the mdatp command-line tool or JAMF / Intune to control network protection for macOS.

+- To evaluate effectiveness of macOS web threat protection, we recommend trying it in browsers other than Microsoft Edge for macOS (for example, Safari). Microsoft Edge for macOS has built-in web threat protection that is enabled regardless of whether the Mac network protection feature you're evaluating, is turned on or not.

+> [!NOTE]

+>

+> Microsoft Edge for macOS does not currently support web content filtering, custom indicators, or other enterprise features. However, network protection will provide this protection to Microsoft Edge for macOS as well if network protection is enabled.

+## Prerequisites

+- Licensing: Microsoft 365 Defender for Endpoint tenant (can be trial)

+- Onboarded Machines:

+ - Minimum macOS version: 11

+ - Product version 101.78.13 or later

+ - Your device must be in either the InsiderSlow (Preview) or InsiderFast (Beta) Microsoft AutoUpdate update channel. You can check the update channel using the following command:

+```bash

+mdatp --health releaseRing

+```

+If your device isn't already in the InsiderSlow(Preview) update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).

+```bash

+defaults write com.microsoft.autoupdate2 ChannelName -string InsiderSlow

+```

+Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the device group remotely. For more information, see [Set preferences for Microsoft 365 Defender for Endpoint on macOS](mac-preferences.md).

+## Deployment instructions

+### Microsoft 365 Defender for Endpoint

+After youΓÇÖve configured your device to be in the InsiderSlow(preview) update channel, install the most recent product version through Microsoft AutoUpdate. To open Microsoft AutoUpdate, run the following command from the Terminal:

+```bash

+open /Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app

+```

+Configure the product with your organization information using the instructions in our public documentation.

+Network protection is disabled by default, but it can be configured to run in one of the following modes (also called enforcement levels):

+- **Audit**: useful to make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur

+- **Block**: network protection prevents connection to malicious websites

+- **Disabled**: all components associated with network protection are disabled

+You can deploy this feature in one of the following ways: manually, through JAMF, or through Intune. The following sections describe each of these methods in detail.

+#### Manual deployment

+To configure the enforcement level, run the following command from the Terminal:

+```bash

+mdatp config network-protection enforcement-level --value [enforcement-level]

+```

+For example, to configure network protection to run in blocking mode, execute the following command:

+```bash

+mdatp config network-protection enforcement-level --value block

+```

+To confirm that network protection has been started successfully, run the following command from the Terminal, and verify that it prints ΓÇ£startedΓÇ¥:

+```bash

+mdatp health --field network_protection_status

+```

+#### JAMF deployment

+A successful JAMF deployment requires a configuration profile to set the enforcement level of network protection.

+After you create this configuration profile, assign it to the devices where you want to enable network protection.

+##### Configure the enforcement level

+Note: If youΓÇÖve already configured Microsoft 365 Defender for Endpoint on Mac using the instructions listed here, then update the plist file you previously deployed with the content listed below and redeploy it from JAMF.

+1. In **Computers** > **Configuration Profiles**, select **Options** > **Applications & Custom Settings**

+2. Select **Upload File** (PLIST file)

+3. Set preference domain to _com.microsoft.wdav_

+4. Upload the following plist file

+```xml

+<?xml version="1.0" encoding="UTF-8"?>

+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

+<plist version="1.0">

+<dict>

+ <key>networkProtection</key>

+ <dict>

+ <key>enforcementLevel</key>

+ <string>block</string>

+ </dict>

+</dict>

+</plist>

+```

+#### Intune deployment

+A successful Intune deployment requires a configuration profile to set the enforcement level of network protection.

+After you create this configuration profile, assign it to the devices where you want to enable network protection.

+##### Configure the enforcement level using Intune

+> [!NOTE]

+> If youΓÇÖve already configured Microsoft Defender for Endpoint on Mac using the instructions listed here, then update the plist file you previously deployed with the content listed below and re-deploy it from Intune.

+1. OpenΓÇ»**Manage**ΓÇ»>ΓÇ»**Device configuration**. SelectΓÇ»**Manage**ΓÇ»>ΓÇ»**Profiles**ΓÇ»>ΓÇ»**Create Profile**.

+2. Specify a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.

+3. Save the following payload as _com.microsoft.wdav.xml_

+```xml

+<?xml version="1.0" encoding="utf-8"?>

+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

+<plist version="1">

+ <dict>

+ <key>PayloadUUID</key>

+ <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>

+ <key>PayloadType</key>

+ <string>Configuration</string>

+ <key>PayloadOrganization</key>

+ <string>Microsoft</string>

+ <key>PayloadIdentifier</key>

+ <string>com.microsoft.wdav</string>

+ <key>PayloadDisplayName</key>

+ <string>Microsoft Defender ATP settings</string>

+ <key>PayloadDescription</key>

+ <string>Microsoft Defender ATP configuration settings</string>

+ <key>PayloadVersion</key>

+ <integer>1</integer>

+ <key>PayloadEnabled</key>

+ <true/>

+ <key>PayloadRemovalDisallowed</key>

+ <true/>

+ <key>PayloadScope</key>

+ <string>System</string>

+ <key>PayloadContent</key>

+ <array>

+ <dict>

+ <key>PayloadUUID</key>

+ <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>

+ <key>PayloadType</key>

+ <string>com.microsoft.wdav</string>

+ <key>PayloadOrganization</key>

+ <string>Microsoft</string>

+ <key>PayloadIdentifier</key>

+ <string>com.microsoft.wdav</string>

+ <key>PayloadDisplayName</key>

+ <string>Microsoft Defender ATP configuration settings</string>

+ <key>PayloadDescription</key>

+ <string/>

+ <key>PayloadVersion</key>

+ <integer>1</integer>

+ <key>PayloadEnabled</key>

+ <true/>

+ <key>networkProtection</key>

+ <dict>

+ <key>enforcementLevel</key>

+ <string>block</string>

+ </dict>

+ </dict>

+ </array>

+ </dict>

+</plist>

+```

+4. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs OK:

+```bash

+plutil -lint com.microsoft.wdav.xml

+```

+5. Enter _com.microsoft.wdav_ as the custom configuration profile name.

+6. Open the configuration profile and upload the com.microsoft.wdav.xml file. (This file was created in step 3.)

+7. SelectΓÇ»**OK**

+8. Select **Manage** > **Assignments**. In the **Include** tab, select the devices for which you want to enable network protection.

+## How to explore the features

+1. Learn how to [Protect your organization against web threats](web-threat-protection.md) using web threat protection.

+ - Web threat protection is part of web protection in Microsoft Defender for Endpoint. It uses network protection to secure your devices against web threats.

+2. Run through the [Custom Indicators of Compromise](indicator-ip-domain.md) flow to get blocks on the Custom Indicator type.

+3. Explore [Web content filtering](web-content-filtering.md).

+ > [!NOTE]

+ > If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.

+ > Pro tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.

+4. [Integrate Microsoft Defender for Endpoint with Cloud App Security](/defender-cloud-apps/mde-integration) and your network protection-enabled macOS devices will have endpoint policy enforcement capabilities.

+ > [!NOTE]

+ > Discovery and other features are currently not supported on these platforms.

+## Scenarios

+The following scenarios are supported during public preview:

+### Web threat protection

+Web threat protection is part of web protection in Microsoft 365 Defender for Endpoint. It uses network protection to secure your devices against web threats. By integrating with Microsoft Edge for macOS and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy. Web threat protection can protect devices while they're on premises or away. Web threat protection stops access to the following types of sites:

+- phishing sites

+- malware vectors

+- exploit sites

+- untrusted or low-reputation sites

+- sites you've blocked in your custom indicator list

+For more information, see [Protect your organization against web threat](web-threat-protection.md)

+### Custom Indicators of Compromise

+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).

+Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action and the scope of the device group to apply it to.

+Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender Antivirus).

+For more information, see: [Create indicators for IPs and URLs/domains](indicator-ip-domain.md).

+### Web content filtering

+Web content filtering is part of the [Web protection](web-protection-overview.md) capabilities in Microsoft Defender for Endpoint and Microsoft Defender for Business. Web content filtering enables your organization to track and regulate access to websites based on their content categories. Many of these websites (even if they're not malicious) might be problematic because of compliance regulations, bandwidth usage, or other concerns.

+Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.

+Web content filtering is available on the major web browsers, with blocks performed by Network Protection (Safari, Chrome, Firefox, Brave, and Opera). For more information about browser support, see [Prerequisites](#prerequisites).

+For more information about reporting, see [Web content filtering](web-content-filtering.md).

+### Microsoft Defender for Cloud Applications

+The Microsoft Defender for Cloud Applications / Cloud App Catalog identifies apps you would want end users to be warned upon accessing with Microsoft 365 Defender for Endpoint, and mark them as _Monitored_. The domains listed under monitored apps would be later synced to Microsoft 365 Defender for Endpoint:

+Within 10-15 minutes, these domains will be listed in Microsoft 365 Defender for Endpoint Security Center under Indicators > URLs/Domains with Action=Warn. Within the enforcement SLA (see details at the end of this article), end users will be getting warn messages when attempting to access these domains:

+When the end user will be attempting to access monitored domains, they'll be warned by Microsoft 365 Defender for Endpoint.

+- The user will get a plain block experience accompanied by the following toast message, which will be displayed by the operating system including the name of the blocked application (e.g Blogger.com)

+ :::image type="content" source="images/network-protection-macos-content-blocked.png" alt-text="Shows end-user network protection content blocked toast notification.":::

+If the end user encounters a _block_, the user will have two possible resolutions:

+#### User bypass

+- **For toast message experience**: Press the Unblock button. By reloading the webpage, the user will be able to proceed and use the cloud app. (This action is applicable for the next 24 hours, after which the user will have to unblock once again)

+#### User education

+- **For toast message experience**: Press the toast message itself. End user will be redirected to a custom redirect URL set globally in Microsoft Defender for Cloud Applications (More information at the bottom of this page)

+> [!NOTE]

+> Tracking bypasses per app** ΓÇô You can track how many users have bypassed the warning in the _Application_ page in Microsoft Defender for Cloud Applications.

+ :::image type="content" source="images/network-protection-macos-mcas-cloud-app-security.png" alt-text="Shows network protection cloud app security overview.":::

+## Appendix

+### End user education center SharePoint site template

+For many organizations, it's important to take the cloud controls provided by Microsoft Defender for Cloud Applications, and to not only set limitations on end users when needed, but to also educate and coach them about:

+- the specific incident

+- why it has happened

+- what is the thinking behind this decision

+- how encountering block sites can be mitigated

+Upon facing an unexpected behavior, usersΓÇÖ confusion may be reduced by providing them as much information as possible, not only to explain about what has happened but to also educate them to be more aware the next time they choose a cloud app to complete their job. For example, this information can include:

+- Organization security and compliance policies and guidelines for internet and cloud use

+- Approved/recommended cloud apps for use

+- Restricted/blocked cloud apps for use

+For this page, we recommend that your organization uses a basic SharePoint site.

+### Important things to know

+1. It can take up to two hours (typically less) for app domains to propagate and to be update in the endpoint devices, after it's marked as _Monitored_.

+2. By default, action will be taken for all apps and domains that were marked as Monitored in Microsoft Defender for Cloud Applications portal for all the onboarded endpoints in the organization.

+3. Full URLs are currently not supported and won't be sent from Microsoft Defender for Cloud Applications to Microsoft 365 Defender for Endpoint, if any full URLs are listed under Microsoft Defender for Cloud Applications monitored apps, hence, user wonΓÇÖt get warned on access attempt (for example, google.com/drive isn't supported, while drive.google.com is supported).

+No End-user notification on third party browsers? Check your toast message settings

+## See also

+- [Microsoft 365 Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+- [Microsoft 365 Defender for Endpoint integration with Microsoft Microsoft 365 Defender for Cloud Applications](/defender-cloud-apps/mde-integration.md)

+- [Get to know the innovative features in Microsoft Edge](https://www.microsoft.com/edge/features)

+- [Protect your network](network-protection.md)

+- [Turn on network protection](enable-network-protection.md)

+- [Web protection](web-protection-overview.md)

+- [Create indicators](manage-indicators.md)

+- [Web content filtering](web-content-filtering.md)

+ :::image type="content" source="images/network-protection-phishing-warn-2.png" alt-text="Shows a network protection phishing content warn notification.":::

+ > [!NOTE]

+ :::image type="content" source="images/network-protection-phishing-blocked.png" alt-text="Shows a network protection known phishing content blocked notification." lightbox="images/network-protection-phishing-blocked.png":::

+Microsoft Defender for Endpoint Administrators can configure SmartScreen Unblock functionality at [Microsoft 365 Defender](https://security.microsoft.com/), using the following configuration tool. From the Microsoft 365 Defender portal, navigate to the path to the ConfigToolName.

+- [Network protection for Linux](network-protection-linux.md) | To learn about using Microsoft Network protection for Linux devices.

+- [Network protection for MacOS](network-protection-macos.md) | To learn more about Microsoft Network protection for MacOS

+1. Microsoft Defender for Endpoint Plan 2 customers can seamlessly enhance their existing generally available vulnerability management capabilities with the Microsoft Defender Vulnerability Management add-on. This service provides consolidated inventories, expanded asset coverage, cross-platform support, and new assessment and mitigation tools. To sign up for the free 120-day public preview trial, see [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers).

+2. For non-Defender for Endpoint Plan 1 or Plan 2 customers, or non-Microsoft 365 E3 customers looking for a risk-based vulnerability management solution, Microsoft Defender Vulnerability Management standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. To sign up for the free 120-day public preview trial, see [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone).

+If you have any questions related to the trial sign-up and onboarding process, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).

+### Is Defender Vulnerability Management available as part of Defender for Endpoint Plan 2?

+If the customer has Defender for Endpoint Plan 2 they have the core vulnerability management capabilities. Defender Vulnerability Management is a separate solution from Defender for Endpoint (not included in Defender for Endpoint Plan 2) and is available as an add-on.

+For existing Defender for Endpoint Plan 2 customers who want to evaluate the experience first-hand, we encourage directly onboarding onto the Microsoft Defender Vulnerability Management add-on free 120-day public preview trial. For more information, see [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers).

+For new customers (non-Defender for Endpoint Plan 1 or Plan 2 customers, or non-Microsoft 365 E3 customers), see [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone) to sign up for the free 120-day public preview trial.

+Currently, there's no need to assign the new Defender Vulnerability Management license to users. Licenses will be applied automatically after a customer signs up for the free public preview trial.

+After your trial ends, you'll have a 30 day grace period of active trial before the license becomes suspended. When the trial is suspended, you'll retain your security baselines, but you may lose access to your portal and your blocked applications may become unblocked.

+Examples of recommendations where you might not see a mitigation action (such as block) includes:

+- Recommendations related to applications where Microsoft doesn't have sufficient information to block

+- Recommendations related to operating systems

+- Recommendations related to apps for macOS and Linux

+It's also possible that your organization has reached the maximum indicator capacity of 15,000. If this is the case, you will need to free up space by deleting old indicators. To learn more, see [Manage indicators](../defender-endpoint/indicator-manage.md).

+There's currently support for:

+Currently Windows is supported, but coverage will be expanded to cover more operating systems such as Mac and Linux.

+- If you don't have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3, sign up to try the [Defender Vulnerability Management Standalone trial.](#try-defender-vulnerability-management-standalone)

+- If you already have Defender for Endpoint Plan 2, sign up to try the [Defender Vulnerability Management Add-on trial.](#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers)

+If you don't have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3, you will sign up to trial the **Defender Vulnerability Management Standalone trial**.

+If you already have Defender for Endpoint Plan 2, sign up to trial the **Defender Vulnerability Management Add-on trial** to get access to the additional capabilities. To sign up:

+## August 2022

+New Microsoft Information Protection recommendations are now available as Secure Score improvement actions:

+- **Labeling**

+ - Extend M365 sensitivity labeling to assets in Azure Purview data map

+ - Ensure Auto-labeling data classification policies are setup and used

+ - Publish M365 sensitivity label data classification policies

+ - Create Data Loss Prevention (DLP) policies

+New Microsoft Defender for Office 365 recommendations are now available as Secure Score improvement actions:

+- **Anti-spam - Inbound policy**

+ - Set the email bulk complaint level (BCL) threshold to be 6 or lower

+ - Set action to take on spam detection

+ - Set action to take on high confidence spam detection

+ - Set action to take on phishing detection

+ - Set action to take on high confidence phishing detection

+ - Set action to take on bulk spam detection

+ - Retain spam in quarantine for 30 days

+ - Ensure spam safety tips are enabled

+ - Ensure that no sender domains are allowed for anti-spam policies (will replace ΓÇ£Ensure that there are no sender domains allowed for Anti-spam policiesΓÇ¥ to extend functionality also for specific senders)

+- **Anti-spam - Outbound policy**

+ - Set maximum number of external recipients that a user can email per hour

+ - Set maximum number of internal recipients that a user can send to within an hour

+ - Set a daily message limit

+ - Block users who reached the message limit

+ - Set Automatic email forwarding rules to be system controlled

+- **Anti-spam - Connection filter**

+ - Don't add allowed IP addresses in the connection filter policy

+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list.md).

+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list.md).

+ > [!NOTE]

+ > If Microsoft 365 system messages from the following senders are identified as impersonation attempts, you can add the senders to the trusted senders list:

+ >

+ > - `Γüánoreply@email.teams.microsoft.com`

+ > - `noreply@emeaemail.teams.microsoft.com`

+ > - `no-reply@sharepointonline.com`

+> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list.md).

+> - The spoof intelligence insight and the **Spoofed senders** tab in the Tenant Allow/Block list replace the functionality of the spoof intelligence policy that was available on the anti-spam policy page in the Security & Compliance Center.

+> Remember, only spoofed senders that were detected by spoof intelligence appear on this page. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List.

+ When spoof intelligence is enabled, the **spoof intelligence insight** shows spoofed senders that were automatically detected and allowed or blocked by spoof intelligence. You can manually override the spoof intelligence verdict to allow or block the detected spoofed senders from within the insight. But when you do, the spoofed sender disappears from the spoof intelligence insight, and is now visible only on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders in the Tenant Allow/Block List. For more information, see the following articles:

+ > [!NOTE]

+ > If Microsoft 365 system messages from the following senders are identified as impersonation attempts, you can add the senders to the trusted senders list:

+ >

+ > - `Γüánoreply@email.teams.microsoft.com`

+ > - `noreply@emeaemail.teams.microsoft.com`

+ > - `no-reply@sharepointonline.com`

+- Spoofed senders to allow or block. If you override the allow or block verdict in the [spoof intelligence insight](learn-about-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence.

+- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as phishing in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](learn-about-spoof-intelligence.md), the **Spoofed senders** tab in the [Tenant Allow/Block List](tenant-allow-block-list.md), and the [Spoof detections report](view-email-security-reports.md#spoof-detections-report). Once you have reviewed allowed and blocked spoofed senders and made any necessary overrides, you can be confident to [configure spoof intelligence in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder.

+You can use [data loss prevention (DLP)](../compliance/dlp-learn-about-dlp.md) in Microsoft Purview to detect, warn, and block risky, inadvertent, or inappropriate sharing, such as sharing of data containing personal information, both internally and externally.

+See, [Plan for data loss prevention (DLP)](../compliance/dlp-overview-plan-for-dlp.md) for complete guidance on planning your DLP implementation

+<!-- Plan your DLP policies for:

+ - DLP policies can be applied to Teams chat and channel messages. Sensitivity labels can only be applied to documents and email. -->

+DLP policies are configured in the Microsoft Purview compliance portal and specify the level of protection, the information the policy is looking for, and the target workloads. Every DLP policy requires you to:

+1. Choose what you want to monitor.

+1. Choose where to monitor.

+1. Choose the conditions that must be matched for a policy to be applied to an item.

+1. Choose the action to take when the policy conditions are met.

+To learn more about DLP policies, and how to design them, see:

+- [Learn about data loss prevention](../compliance/dlp-learn-about-dlp.md)

+- [Design a data loss prevention policy](../compliance/dlp-policy-design.md)

+- [Data Loss Prevention policy reference](../compliance/dlp-policy-reference.md)

+<!--

+See [this article](../compliance/create-test-tune-dlp-policy.md) for more information about creating and applying DLP policies.-->

+If you're the Microsoft Whiteboard administrator for your organization, you can control the following settings:

+In addition to **Required** or **Optional**, there's also a choice of **Neither**. If you choose that option, no diagnostic data about Whiteboard client software running on the userΓÇÖs device is sent to Microsoft. This option, however, significantly limits MicrosoftΓÇÖs ability to detect, diagnose, and remediate problems that your users may encounter while using Whiteboard.

+Your users wonΓÇÖt be able to change the diagnostic data level for their devices if they're signed in to Whiteboard with their organizational credentials (sometimes referred to as a work or school account). But if they're signed in to Whiteboard with a Microsoft account, such as a personal outlook.com email address, then they can change the diagnostic data level on their devices by going to **Settings > Privacy and security**.

+These connected experiences are different because they aren't covered by your organizationΓÇÖs commercial agreement with Microsoft. Optional connected experiences are offered by Microsoft directly to your users and are governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) instead of the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products).

+Even if you choose to make these optional connected experiences available to your users, your users can turn them off as a group by going to **Settings > Privacy and security**. Your users only have this choice if they're signed into Whiteboard with their organizational credentials, also known as a work or school account. Users can't change privacy settings if they're signed in with a Microsoft account, such as a personal outlook.com email address.

+Collected every time when Microsoft Whiteboard is launched by a call from another application or process. This information is critical to catch if Whiteboard doesn't launch when properly invoked by another application or process. Microsoft is using this data to diagnose the issue in order to guarantee Microsoft Whiteboard is running as expected.

+- **Kind** ΓÇô application or process that is launching Whiteboard

+Collected the first time Microsoft Whiteboard is displayed on a client per a session. This information is critical to catch launching issues. Microsoft is using this data to diagnose the issue in order to guarantee Microsoft Whiteboard is running as expected.

+- **CollectFullTelemetryWithoutSignIn** ΓÇô full telemetry collection without sign-in enablement

+In order to deploy Whiteboard, you must first ensure that Whiteboard is enabled for your organization. For more information, see [Manage access to Whiteboard](manage-whiteboard-access-organizations.md).

+In order to manage personal information, you must first ensure that Whiteboard is enabled for your organization. For more information, see [Manage access to Whiteboard](manage-whiteboard-access-organizations.md).

+3. Do one of the following steps:

+In order to manage data, you must first ensure that Whiteboard is enabled for your organization. For more information, see [Manage access to Whiteboard in GCC High environments](manage-whiteboard-access-gcc-high.md).

+In order to manage data, you must first ensure that Whiteboard is enabled for your organization. For more information, see [Manage access to Whiteboard](manage-whiteboard-access-organizations.md).

+Microsoft Whiteboard is a visual collaboration canvas where people, content, and ideas come together. Microsoft Whiteboard on OneDrive for Business is enabled by default for applicable Microsoft 365 tenants. It can be enabled or disabled at a tenant-wide level. You should also ensure that **Microsoft Whiteboard Services** is enabled in the **Azure Active Directory admin center** > **Enterprise applications**.