Updates from: 08/21/2021 03:17:09
Category Microsoft Docs article Related commit history on GitHub Change details
admin Find And Fix Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/find-and-fix-issues.md
Getting your domain set up to work with Microsoft 365 can be challenging. The DN
- [Accessing your website isn't working?](#accessing-your-website-isnt-working) ## Can't verify your domain?
-<a name="BKMK_verify"> </a>
There are a couple of common reasons that domain verification doesn't work as it should:
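Review bot: removing the `<a name="BKMK_verify"> </a>` anchor drops the old bookmark target, so any link that still points at `#BKMK_verify` will no longer land on the "Can't verify your domain?" heading; either confirm no inbound links use the old id or keep the anchor beside the heading. The same applies to the other `BKMK_` anchors removed further down in this file.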
There are a couple of common reasons that domain verification doesn't work as it
3. **The record hasn't updated across the Internet.** It typically only takes a few minutes for us to be able to see the new record, but occasionally it can take as long as a few hours. ## Outlook isn't working?
-<a name="BKMK_OutlookBroken"> </a>
If you've set up your MX record and other DNS records correctly for your domain, but mail doesn't work, let us help you [fix your Outlook problems](/exchange/troubleshoot/outlook-connectivity/outlook-connection-issues).
There are a couple of scenarios when you just need to verify your organization's
Check out the guidance in [Verify your Microsoft 365 domain to prove ownership, nonprofit or education status, or to activate Yammer](../setup/domains-faq.yml) to make sure you've completed all the required steps. It's a little different for each situation. ## Services not working with your domain?
-<a name="BKMK_Test"> </a>
We can help you track down issues with your domain's DNS setup. The domains troubleshooter in Microsoft 365 will show you any records that need fixing, and exactly what the records need to be set to.
We can help you track down issues with your domain's DNS setup. The domains trou
> Got your DNS set up correctly, but mail doesn't work in Outlook on your desktop? Check out the [different mail flow scenarios you can have with Microsoft 365](/exchange/mail-flow-best-practices/mail-flow-best-practices) to make sure you've got things set up correctly for your business. Or get more troubleshooting help with email here: [Fix Outlook problems](/exchange/troubleshoot/outlook-connectivity/outlook-connection-issues). ## Accessing your website isn't working?
-<a name="BKMK_Website"> </a>
If you've fixed any DNS issues and you're still having trouble, try one of the following. -- People can't get to your website at www.mydomain.com: [Track down website issues](../setup/add-domain.md)
+- People can't get to your website at *contoso.com*: [Track down website issues](../setup/add-domain.md)
- You can't update your A record or CNAME record to point to your website: [Update custom DNS records in Microsoft 365](../setup/add-domain.md)
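Review bot: the `+` bullet replaces `www.mydomain.com` with `*contoso.com*`, which switches to a fictional Microsoft example domain but drops the `www` host; since the following bullet is about pointing an A or CNAME record at the website, `www.contoso.com` would match that scenario more closely. Both bullets also link to the same target, `../setup/add-domain.md`, so "Track down website issues" and "Update custom DNS records" likely need distinct destinations.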
admin Use Qr Code Download Outlook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/use-qr-code-download-outlook.md
description: "Learn how to use a QR code to authenticate and download Outlook mo
# Use a QR code to sign-in to the Outlook mobile apps
-> [!IMPORTANT]
-> This feature is only available to organizations that have turned on Targeted Release in the Microsoft 365 admin center. To turn on Targeted release and learn more about how it works, see [Set up the Standard or Targeted release options](release-options-in-office-365.md). WeΓÇÖll be expanding to more organizations in the coming weeks through public preview. Public preview provides early access to Microsoft 365 features.
- As the Microsoft 365 administrator, you can enable your users to sign in to Outlook for Android or iOS app on their mobile devices without having to enter their username and password. By scanning a QR code, users can securely authenticate and sign in to Outlook mobile. In Outlook on the web or other desktop Outlook applications, users may see notifications informing them that they can use Outlook on their mobile device. These notifications can be managed by the administrator using Exchange PowerShell. If users choose to send themselves an SMS text message to download the app on their mobile device, a QR code will appear on their computer. They will be able to scan the QR code to log into Outlook on their phone or tablet. This QR code is a short lived token that can only be redeemed once.
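Review bot: the deleted paragraph is the only text in this hunk that explains what the QR code is (a short-lived token that can be redeemed once) and that the Outlook notifications are managed through Exchange PowerShell; nothing replaces it, so if the article keeps its title "Use a QR code to sign-in to the Outlook mobile apps", the one-time, short-lived property of the code should still be stated somewhere in the page. While here, the heading uses "sign-in" as a verb; "sign in" is the verb form. The removed IMPORTANT block also contains mojibake (`WeΓÇÖll`), which is worth checking for elsewhere in the file.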
compliance Data Classification Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-content-explorer.md
The account you use to access content explorer must be in one or both of the rol
You can also assign either or both of the roles to a custom role group to tailor access to content explorer.
-A Global admin, Compliance admin, or Data admin can assign the necessary Content Explorer List Viewer, and Content Explorer Content Viewer role group membership.
+A Global admin, can assign the necessary Content Explorer List Viewer, and Content Explorer Content Viewer role group membership.
## Content explorer
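Review bot: the `+` line has a stray comma ("A Global admin, can assign"). The change also narrows who can assign the two Content Explorer role groups from three roles to Global admin only; if Compliance admin and Data admin genuinely can no longer do this, say so explicitly, because readers who relied on the less privileged option will otherwise assume it still works, and if they still can, the original wording should stay.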
compliance Data Classification Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-overview.md
Data classification will scan your sensitive content and labeled content before
## Prerequisites
-A number of different subscriptions support Endpoint DLP. To see licensing options for Endpoint DLP see [Information Protection licensing for guidance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection).
- ### Permissions In order to get access to the data classification page, an account must be assigned membership in any one of these roles or role groups.
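Review bot: the removed sentence at the top of Prerequisites is about Endpoint DLP licensing, which does not fit a data classification overview, so deleting it is reasonable; however the same sentence reappears unchanged as context further down this file, so check that it is not still present there. The line `- ### Permissions In order to get access ...` also shows the Permissions heading and its introductory sentence flattened together; confirm the heading survives on its own line above the role list.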
A number of different subscriptions support Endpoint DLP. To see licensing optio
- Compliance data administrator > [!NOTE]
-> As a best practice, always use the role with least privilege to grant access to Microsoft 365 Data Classification.
+> As a best practice, always use the role with least privilege to grant access to Microsoft 365 data classification.
## Sensitive information types used most in your content
To find out how many items are in any given classification category, hover over
![top sensitive information types hover detail](../media/data-classification-sens-info-types-hover.png) > [!NOTE]
-> If the card displays the message "No data found with sensitive information". It means that there are no items in your organization that have been classified as being a sensitive information type or no items that have been crawled. To get started with labels, see:
+> If the card displays the message "No data found with sensitive information", it means that there are no items in your organization that have been classified as being a sensitive information type or no items that have been crawled. To get started with labels, see:
>- [Get started with sensitivity labels](get-started-with-sensitivity-labels.md) >- [Get started with retention policies and retention labels](get-started-with-retention.md) >- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
To find out how many items are in any given classification category, hover over
When you apply a sensitivity label to an item either through Microsoft 365 or Azure Information Protection (AIP), two things happen: -- a tag that indicates the value of the item to your org is embedded in the document and will follow it everywhere it goes-- the presence of the tag enables various protective behaviors, such as mandatory watermarking or encryption. With end point protection enabled you can even prevent an item from leaving your organizational control.
+- A tag that indicates the value of the item to your org is embedded in the document and will follow it everywhere it goes.
+- The presence of the tag enables various protective behaviors, such as mandatory watermarking or encryption. With end point protection enabled you can even prevent an item from leaving your organizational control.
For more information on sensitivity labels, see: [Learn about sensitivity labels](sensitivity-labels.md)
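Review bot: only `+` lines appear for the two new bullets while the unchanged context line still carries the old run-together text ("-- a tag that indicates ... -- the presence of the tag ..."); confirm the inline version was removed so the list is not duplicated. In the added bullets, "end point protection" should be "endpoint protection", and "org" is better spelled out as "organization" in documentation.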
The sensitivity label card shows the number of items (email or document) by sens
## Top retention labels applied to content
-Retention labels are used to manage the retention and disposition of content in your organization. When applied, they can be used to control how an item will be kept before deletion, whether it should be reviewed prior to deletion, when its retention period expires, and whether it should be marked as a record. For more information, see [Learn about retention policies and retention labels](retention.md).
+Retention labels are used to manage the retention and disposition of content in your organization. When applied, they can be used to control how long an item will be kept before deletion, whether it should be reviewed prior to deletion, when its retention period expires, and whether it should be marked as a record. For more information, see [Learn about retention policies and retention labels](retention.md).
The top applied retention labels card shows you how many items have a given retention label.
The point of the data classification reporting is to provide visibility into the
> If this card displays the message, "No locations detected, it means you haven't created or published any sensitivity labels or no content has had a retention label applied. To get started with sensitivity labels, see: >- [Sensitivity labels](sensitivity-labels.md)
+## Public preview release notes
+
+> [!NOTE]
+> **Exchange mailbox count**:
+>You will notice a small tool tip appear when you drill into Exchange mailboxes. This is to call out the fact that the aggregate count displayed for sensitive information type, sensitivity label and retention label may not exactly match the number of items that you will find inside the mailbox. This is because the drill-down into the folder fetches the live view of content, which is classified, while the aggregated count is calculated.Information the user should notice even if skimming
+
+> [!NOTE]
+> **Rendering of encrypted documents**:
+>SharePoint, Exchange, and OneDrive files that are encrypted don't render in the content explorer. This is a sensitive issue that requires a balance between the need to see file contents in content explorer and the need to keep the contents encrypted. With the permissions granted by **Content Explorer List Viewer**, and **Content Explorer Content Viewer** role groups, you will see a list view of the files, the file metadata, and a link you can use to access the content via the web client.Information the user should notice even if skimming
+
+> [!NOTE]
+> **Supported characters in retention label names in SharePoint search**:
+>SharePoint search doesn't support retention label names with `-`, or `_` in them. For example, `Label-MIP` and `Label_MIP` aren't supported. SharePoint search does support those characters in sensitivity label names and sensitive information type names.
+
+> [!NOTE]
+> **OneDrive remains in preview**:
+>Thanks for your valuable feedback on OneDrive integration during our preview program. As we work through the specifics, you may run into inconsistent data / flows. We'll continue to showcase OneDrive in preview until all fixes are in place. We appreciate your continued support.
+ ## See also - [View label activity](data-classification-activity-explorer.md)
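Review bot: the first two added notes end with the leftover template text "Information the user should notice even if skimming" fused onto the paragraph (after "is calculated." and after "via the web client."); delete it. The `>You will notice`, `>SharePoint, Exchange`, `>SharePoint search` and `>Thanks` lines are missing the space after `>` that the other note lines use. The unchanged note just above this hunk opens a quotation at "No locations detected that is never closed, and the `## See also` heading and its first bullet are run together on one line.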
compliance Data Classification Pub Preview Relnotes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-pub-preview-relnotes.md
- Title: "Data classification release notes"--- Previously updated : --
-localization_priority: normal
-recommendations: false
--- M365-security-compliance-- MOE150-- MET150
-description: "Release notes for data classification."
--
-# Data classification release notes
--
-## Exchange mailbox count
-
-You will notice a small tool tip appear when you drill into Exchange mailboxes. This is to call out the fact that the aggregate count displayed for sensitive information type, sensitivity label and retention label may not exactly match the number of items that you will find inside the mailbox. This is because the drill-down into the folder fetches the live view of content, which is classified, while the aggregated count is calculated.
--
-## Rendering of encrypted documents
-
-SharePoint, Exchange, and OneDrive files that are encrypted don't render in the content explorer. This is a sensitive issue that requires a balance between the need to see file contents in content explorer and the need to keep the contents encrypted. With the permissions granted by **Content Explorer List Viewer**, and **Content Explorer Content Viewer** role groups, you will see a list view of the files, the file metadata, and a link you can use to access the content via the web client.
-
-## Supported characters in retention label names in SharePoint search
-
-SharePoint search doesn't support retention label names with `-`, or `_` in them. For example, `Label-MIP` and `Label_MIP` aren't supported. SharePoint search does support those characters in sensitivity label names and sensitive information type names.
-
-## OneDrive remains in preview
-
-Thanks for your valuable feedback on OneDrive integration during our preview program. As we work through the specifics, you may run into inconsistent data / flows. We'll continue to showcase OneDrive in preview until all fixes are in place. We appreciate your continued support.
--
-## See also
--- [Get started with data classification (preview)](data-classification-overview.md)-- [View label activity (preview)](data-classification-activity-explorer.md)-- [View labeled content (preview)](data-classification-content-explorer.md)-- [Learn about sensitivity labels](sensitivity-labels.md)-- [Learn about retention policies and retention labels](retention.md)-- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
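Review bot: this deletes data-classification-pub-preview-relnotes.md outright, while whats-new.md in this same update still links to `/microsoft-365/compliance/data-classification-pub-preview-relnotes`; add a redirect to data-classification-overview.md, where the four notes were moved, or update that link, otherwise the What's new page ends up with a broken link.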
compliance Dlp Microsoft Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-microsoft-teams.md
If your organization has data loss prevention (DLP), you can define policies tha
[Data loss prevention](dlp-learn-about-dlp.md) capabilities were extended to include Microsoft Teams chat and channel messages, **including private channel messages** for: -- Office 365 E5/A5-- Microsoft 365 E5/A5-- Microsoft 365 Information Protection and Governance-- Office 365 Advanced Compliance
+- Office 365 E5/A5/G5
+- Microsoft 365 E5/A5/G5
+- Microsoft 365 E5/A5/G5 Information Protection and Governance
+- Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
Office 365 and Microsoft 365 E3 include DLP protection for SharePoint Online, OneDrive, and Exchange Online. This also includes files that are shared through Teams because Teams uses SharePoint Online and OneDrive to share files.
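Review bot: the new list drops "Office 365 Advanced Compliance" without a replacement and renames "Microsoft 365 Information Protection and Governance" to "Microsoft 365 E5/A5/G5 Information Protection and Governance"; since this is a licensing statement readers use to decide whether Teams DLP applies to them, confirm Advanced Compliance was intentionally removed rather than folded into one of the new entries.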
compliance Dlp Use Policies Non Microsoft Cloud Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-use-policies-non-microsoft-cloud-apps.md
To use DLP policy to a specific non-Microsoft cloud app, the app must be connect
- [Connect Box](/cloud-app-security/connect-box-to-microsoft-cloud-app-security) - [Connect Dropbox](/cloud-app-security/connect-dropbox-to-microsoft-cloud-app-security)-- [Connect G-Suite](/cloud-app-security/connect-google-apps-to-microsoft-cloud-app-security)
+- [Connect G-Workspace](/cloud-app-security/connect-google-apps-to-microsoft-cloud-app-security)
- [Connect Salesforce](/cloud-app-security/connect-salesforce-to-microsoft-cloud-app-security) - [Connect Cisco Webex](/cloud-app-security/connect-webex-to-microsoft-cloud-app-security)
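Review bot: "G-Workspace" is not the product name; Google renamed G Suite to Google Workspace, so the link text should read "Connect Google Workspace" (the URL path still saying google-apps is fine if that is the target page's slug). The lead sentence "To use DLP policy to a specific non-Microsoft cloud app" also reads awkwardly; "To apply a DLP policy to a specific non-Microsoft cloud app" is clearer.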
compliance Endpoint Dlp Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md
You can use Microsoft 365 data loss prevention (DLP) to monitor the actions that
Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items that are physically stored Windows 10 devices.
-|Activity |Description | Auditable/restictable|
+|Activity |Description | Auditable/restrictable|
|||| |upload to cloud service, or access by unallowed browsers | Detects when a user attempts to upload an item to a restricted service domain or access an item through a browser. If they are using a browser that is listed in DLP as an being an unallowed browser, the upload activity will be blocked and the user is redirected to use Edge Chromium. Edge Chromium will then either allow or block the upload or access based on the DLP policy configuration |auditable and restrictable| |copy to other app |Detects when a user attempts to copy information from a protected item and then paste it into another app, process or item. Copying and pasting information within the same app, process, or item is not detected by this activity. | auditable and restrictable|
compliance Endpoint Dlp Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-using.md
description: "Learn how to configure data loss prevention (DLP) policies to use
# Using Endpoint data loss prevention
-This article walks you through three scenarios where you create and modify a DLP policy that uses devices as a location.
+This article walks you through four scenarios where you create and modify a DLP policy that uses devices as a location.
## DLP settings
You can use this logic to construct your exclusion paths:
### Unallowed apps
-When a policy's **Access by unallowed apps and browsers** setting is turned on and users attempt to use these apps to access a protected file, the activity will be allowed, blocked, or blocked but users can override the restriction. All activity is audited and available to review in activity explorer.
+Unallowed apps is a list of applications that you create which will not be allowed to access a DLP protected file.
+When a policy's **Access by unallowed apps** setting is turned on, and an app that is on the unallowed list attempts to access a protected file, the activity will be allowed, blocked, or blocked but users can override the restriction. All activity is audited and available to review in activity explorer.
> [!IMPORTANT] > Do not include the path to the executable, but only the executable name (such as browser.exe).
+#### Protect sensitive data from cloud synchronization apps
+
+To prevent sensitive items from being synced to the cloud by cloud sync apps, like *onedrive.exe*, add the cloud sync app to the **Unallowed apps** list. When an unallowed cloud-sync app tries to accesses an item that is protected by a blocking DLP policy, DLP may generate repeated notifications. You can avoid these repeated notifications by enabling the **Auto-quarantine** option under **Unallowed apps**.
+
+##### Auto-quarantine (preview)
+
+When enabled, Auto-quarantine kicks in when an unallowed app attempts to access a DLP protected sensitive item. Auto-quarantine moves the sensitive item to an admin configured folder and can leave a placeholder **.txt** file in the place of the original. You can configure the text in the placeholder file to tell users where the item was moved to and other pertinent information.
+
+You can use auto-quarantine to prevent an endless chain of DLP notifications for the user and admins. See, [Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with auto-quarantine (preview)](#scenario-4-avoid-looping-dlp-notifications-from-cloud-synchronization-apps-with-auto-quarantine-preview).
+ ### Unallowed Bluetooth apps Prevent people from transferring files protected by your policies via specific Bluetooth apps. ### Browser and domain restrictions+ Restrict sensitive files that match your policies from being shared with unrestricted cloud service domains. #### Service domains
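Review bot: "tries to accesses an item" should be "tries to access an item", and the last `+` line runs three headings and their intro sentences together with a stray `+` after "Browser and domain restrictions"; each heading needs its own line. The Auto-quarantine paragraph says it "can leave a placeholder **.txt** file", but the scenario later in the file treats the placeholder as always present; make clear that the placeholder is optional and depends on the "Replace the files with a .txt file" setting.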
These scenarios require that you already have devices onboarded and reporting in
10. Check Activity explorer for the event.
+### Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with auto-quarantine (preview)
+
+#### Before you begin
+
+In this scenario, synchronizing files with the **Highly Confidential** sensitivity label to OneDrive is blocked. This is a complex scenario with multiple components and procedures. You will need:
+
+- An AAD user account to target and an onboarded Windows 10 computer that is already synchronizing a local OneDrive folder with OneDrive cloud storage.
+- Microsoft Word installed on the target Windows 10 computer
+- Sensitivity labels configured and published. See, [Get started with sensitivity labels](get-started-with-sensitivity-labels.md#get-started-with-sensitivity-labels) and [Create and configure sensitivity labels and their policies](create-sensitivity-labels.md#create-and-configure-sensitivity-labels-and-their-policies)
+
+There are three procedures.
+
+1. Configure the Endpoint DLP Auto-quarantine settings.
+2. Create a policy that blocks sensitive items that have the **Highly Confidential** sensitivity label.
+3. Create a Word document on the Windows 10 device that the policy is targeted to, apply the label, and copy it to the user accounts local OneDrive folder that is being synchronized.
+
+#### Configure Endpoint DLP unallowed app and Auto-quarantine settings
+
+1. Open [Endpoint DLP settings](https://compliance.microsoft.com/datalossprevention?viewid=globalsettings)
+
+2. Expand **Unallowed apps**.
+
+3. Choose **Add or edit unallowed apps** and add *OneDrive* as a display name and the executable name *onedrive.exe* to disallow onedrive.exe from accessing items the the **Highly Confidential** label.
+
+4. Select **Auto-quarantine** and **Save**.
+
+5. Under **Auto-quarantine settings** choose **Edit auto-quarantine settings**.
+
+6. Enable **Auto-quarantine for unallowed apps**.
+
+7. Enter the path to the folder on local machines where you want the original sensitive files to be moved to. For example:
+
+**'%homedrive%%homepath%\Microsoft DLP\Quarantine'** for the username *Isaiah langer* will place the moved items in a
+
+*C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive* folder and append a date and time stamp to the original file name.
+
+> [!NOTE]
+> DLP Auto-quarantine will create sub-folders for the files for each unallowed app. So if you have both *Notepad* and *OneDrive* in your unallowed apps list, a sub-folder will be created for **\OneDrive** and another sub-folder for **\Notepad**.
+
+8. Choose **Replace the files with a .txt file that contains the following text** and enter the text you want in the placeholder file. For example for a file named *auto quar 1.docx*:
+
+**%%FileName%% contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy %%PolicyName%% and was moved to the quarantine folder: %%QuarantinePath%%.**
+
+will leave a .txt file that contains this message
+
+*auto quar 1.docx contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy and was moved to the quarantine folder: C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive\auto quar 1_20210728_151541.docx.*
+
+9. Choose **Save**
+
+#### Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential
+
+1. Open the [Data loss prevention page](https://compliance.microsoft.com/datalossprevention?viewid=policies).
+
+2. Choose **Create policy**.
+
+3. For this scenario, choose **Custom**, then **Custom policy** and choose **Next**.
+
+4. Fill in the **Name** and **Description** fields, choose **Next**.
+
+5. Toggle the **Status** field to off for all locations except **Devices**. If you have a specific end user account that you want to test this from, be sure to select it in the scope. Choose **Next**.
+
+6. Accept the default **Create or customize advanced DLP rules** selection and choose **Next**.
+
+7. Create a rule with these values:
+ 1. **Name** > *Scenario 4 Auto-quarantine*
+ 1. **Conditions** > **Content contains** > **Sensitivity labels** > **Highly Confidential**
+ 1. **Actions** > **Audit or restrict activities on Windows devices** > **Access by unallowed apps** > **Block**. For the purposes of this scenario, clear all the other activities.
+ 1. **User notifications** > **On**
+ 1. **Endpoint devices** > Choose **Show users a policy tip notification when an activity** if not already enabled.
+
+8. Choose **Save** and **Next**.
+
+9. Choose **Turn it on right away**. Choose **Next**.
+
+10. Review your settings and choose **Submit**.
+
+> [!NOTE]
+> Allow at least an hour for the new policy to be replicated and applied to the target Windows 10 computer.
+
+11. The new DLP policy will appear in the policy list.
+
+#### Test Auto-quarantine on the Windows 10 device
+
+1. Login to the Windows 10 computer with the user account you specified in [Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential](#configure-a-policy-to-block-onedrive-synchronization-of-files-with-the-sensitivity-label-highly-confidential) step 5.
+
+2. Create a folder whose contents will not be synchronized to OneDrive. For example:
+
+ *C:\auto-quarantine source folder*
+
+3. Open Microsoft Word and create a file in the auto-quarantine source folder. Apply the **Highly confidential** sensitivity label. See, [Apply sensitivity labels to your files and email in Office](https://support.microsoft.com/topic/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9).
+
+4. Copy the file you just created to your OneDrive synchronization folder. A user notification toast should appear telling you that the action is not allowed and that the file will be quarantined. For example, for user name *Isaiah Langer*, and a document titled *auto-quarantine doc 1.docx* you would see this message:
+
+![Data loss prevention user notification popup stating that the OneDrive synchronization action is not allowed for the specified file and that the file will be quarantined](../media/auto-quarantine-user-notification-toast.png)
+
+The message reads:
+
+"Opening autoquarantine doc 1.docx with this app is not allowed. The file will be quarantined to 'C:\Users\IsaiahLanger\Microsoft DLP\OneDrive'"
+
+5. Choose **Dismiss**
+
+6. Open the place holder .txt file. It will be named **auto-quarantine doc 1.docx_*date_time*.txt**.
+
+7. Open the quarantine folder and confirm that the original file is there.
+
+8. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy. See, [Get started with activity explorer](data-classification-activity-explorer.md) if needed.
+
+9. Check Activity explorer for the event.
+ ## See also - [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)
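Review bot: the quarantine path shown in the toast message (`C:\Users\IsaiahLanger\Microsoft DLP\OneDrive`) does not match the folder configured earlier in the same scenario (`C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive`), and the example placeholder text omits the policy name where `%%PolicyName%%` would be substituted ("policy and was moved"); one of the two paths is wrong and the example should show a substituted policy name. Smaller points: "items the the **Highly Confidential** label" should be "items with the"; "user accounts local OneDrive folder" needs the possessive; the user name is "Isaiah langer" in one place and "Isaiah Langer" elsewhere; the label is "Highly confidential" in the test step but "Highly Confidential" elsewhere; the placeholder file name in step 6 of the test (`auto-quarantine doc 1.docx_date_time.txt`) does not follow the `name_date_time.docx` pattern shown in the settings step; steps 8 and 9 of the test both say to check Activity explorer; step 11 of the policy procedure follows a NOTE block, which can restart list numbering; and the `## See also` heading is run together with its first bullet.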
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Here are a few of the changes to Microsoft 365 compliance solutions and content
Content was added or updated in the following topics: - [Get started with content explorer](/microsoft-365/compliance/data-classification-content-explorer)-- [Data classification release notes](/microsoft-365/compliance/data-classification-pub-preview-relnotes) ### Data loss prevention
enterprise Portallaunchscheduler https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md
Site permissions must be set up separately from waves as part of the launch. For
> [!NOTE] >
-> - This feature will be accessible from the **Settings** panel on the home page of SharePoint communication sites for Targeted release customers starting in May 2021 and will become available to all customers by July 2021
-> - The PowerShell version of this tool is available today
-> - This feature can only be used on modern SharePoint communication sites
-> - You must have site owner permissions for the site to customize and schedule the launch of a portal
-> - Launches must be scheduled at least seven days in advance and each wave can last one to seven days
-> - The number of waves required is automatically determined by the expected number of users
-> - Before scheduling a portal launch, the [Page Diagnostics for SharePoint tool](https://aka.ms/perftool) must be run to verify that the home page of the site is healthy
-> - At the end of the launch, all users with permissions to the site will be able to access the new site
-> - If your organization is using [Viva Connections](/SharePoint/viva-connections), users may see your organization's icon in the Microsoft Teams app bar, however when the icon is selected users will not be able to access the portal until their wave has launched
-> - This feature is not available for Office 365 Germany, Office 365 operated by 21Vianet (China), or Microsoft 365 US Government plans
+> - This feature will be accessible from the **Settings** panel on the home page of SharePoint communication sites for Targeted release customers starting in May 2021 and will become available to all customers by July 2021.
+> - The PowerShell version of this tool is available today.
+> - This feature can only be used on modern SharePoint communication sites.
+> - You must have site owner permissions for the site to customize and schedule the launch of a portal.
+> - Launches must be scheduled at least seven days in advance and each wave can last one to seven days.
+> - The number of waves required is automatically determined by the expected number of users.
+> - Before scheduling a portal launch, the [Page Diagnostics for SharePoint tool](https://aka.ms/perftool) must be run to verify that the home page of the site is healthy.
+> - At the end of the launch, all users with permissions to the site will be able to access the new site.
+> - If your organization is using [Viva Connections](/SharePoint/viva-connections), users may see your organization's icon in the Microsoft Teams app bar, however when the icon is selected users will not be able to access the portal until their wave has launched.
+> - This feature is not available for Office 365 Germany, Office 365 operated by 21Vianet (China), or Microsoft 365 US Government plans.
## Understand the differences between Portal launch scheduler options:
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
7. Determine who needs to view the site right away and enter their information into the **Users exempt from waves** field. These users are excluded from waves and will not be redirected before, during, or after the launch.
- > [!NOTE]
- > Up to 50 distinct users or security groups max can be used for the entire launch. Each launch is independent of each other, so if you schedule a launch on another portal, then you could use up to 50 users/security groups for that launch. Additionally, you can use up to 20 distinct users or security groups per wave.
- >
- > The portal launch scheduler supports security groups and mail enabled security groups.
-8. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.
+ >[!NOTE]
+ > Up to 50 distinct users or security groups max can be added. Use security groups when you need more than 50 individuals to get access to the portal before the waves start launching.
+
+8. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.
+ ### Launch a portal with over 100k users
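Review bot: the rewritten note silently drops two statements the old note made, the per-wave limit ("up to 20 distinct users or security groups per wave") and support for mail enabled security groups; if both still apply they should be carried over, and if the per-wave limit no longer exists say so, because admins size their exemption groups against it. Two smaller points: `>[!NOTE]` is missing the space after `>` that every other callout in this file uses, and the new `### Launch a portal with over 100k users` heading is indented by one space and has no blank line before it.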
The SharePoint Portal launch scheduler tool was originally only available via [S
1. [Download the latest SharePoint Online Management Shell](https://go.microsoft.com/fwlink/p/?LinkId=255251). > [!NOTE]
- > If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell." <br>On the Download Center page, select your language and then click the Download button. You'll be asked to choose between downloading a x64 and x86 .msi file. Download the x64 file if you're running the 64-bit version of Windows or the x86 file if you're running the 32-bit version. If you don't know, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-operating-system). After the file downloads, run it and follow the steps in the Setup Wizard.
+ > If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell."
+ >
+ > On the Download Center page, select your language and then click the Download button. You'll be asked to choose between downloading a x64 and x86 .msi file. Download the x64 file if you're running the 64-bit version of Windows or the x86 file if you're running the 32-bit version. If you don't know, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-operating-system). After the file downloads, run it and follow the steps in the Setup Wizard.
2. Connect to SharePoint as a [global admin or SharePoint admin](/sharepoint/sharepoint-admin-role) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
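Review bot: replacing `<br>` with a blank quoted line is the right way to split the callout; while the line is being touched, "choose between downloading a x64 and x86 .msi file" should read "an x64 and x86 .msi file".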
enterprise Assign Licenses To User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell.md
Next, list the license plans for your tenant with this command.
Get-AzureADSubscribedSku | Select SkuPartNumber ```
-Next, get the sign-in name of the account to which you want add a license, also known as the user principal name (UPN).
+Next, get the sign-in name of the account to which you want to add a license, also known as the user principal name (UPN).
Next, ensure that the user account has a usage location assigned.
enterprise Assign Per User Skype For Business Online Policies With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-per-user-skype-for-business-online-policies-with-microsoft-365-powershell.md
This command sets the name of the external access policy assigned to Alex to a n
To manage large numbers of users (1000 or more), you need to batch the commands via a script block using the [Invoke-Command](/powershell/module/microsoft.powershell.core/invoke-command) cmdlet. In previous examples, each time a cmdlet is executed, it must set up the call and then wait for the result before sending it back. When using a script block, this allows the cmdlets to be executed remotely, and once completed, send the data back. ```powershell
+$s = Get-PSSession | Where-Object { ($.ComputerName -like '*.online.lync.com' -or $.Computername -eq 'api.interfaces.records.teams.microsoft.com') -and $.State -eq 'Opened' -and $.Availability -eq 'Available' }
+ $users = Get-CsOnlineUser -Filter { ClientPolicy -eq $null } -ResultSize 500 $batch = 50
This will find 500 users at a time who do not have a client policy. It will gran
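Review bot: the `Where-Object` filter in the added `$s = Get-PSSession | ...` line uses `$.ComputerName`, `$.Computername`, `$.State` and `$.Availability`; the pipeline variable is `$_`, so as written the script block does not parse (the underscore has most likely been eaten as Markdown emphasis, so it must be escaped or the block kept inside a proper fence). The next added line also runs two statements together (`... -ResultSize 500 $batch = 50`); `$batch = 50` needs its own line or a `;` before it. Checking for `State -eq 'Opened'` and `Availability -eq 'Available'` is the right guard before handing the session to `Invoke-Command`.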
[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)
-[Getting started with PowerShell for Microsoft 365](getting-started-with-microsoft-365-powershell.md)
+[Getting started with PowerShell for Microsoft 365](getting-started-with-microsoft-365-powershell.md)
knowledge Set Up Topic Experiences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/set-up-topic-experiences.md
It is important to plan the best way to set up and configure topics in your envi
You must be [subscribed to Viva Topics](https://www.microsoft.com/microsoft-viva/topics) and be a global administrator or SharePoint administrator to access the Microsoft 365 admin center and set up Topics.
-If you have configured SharePoint to [require managed devices](/sharepoint/control-access-from-unmanaged-devices), be sure to set up Topics from a managed device.
+> [!IMPORTANT]
+> If you have configured SharePoint to [require managed devices](/sharepoint/control-access-from-unmanaged-devices), you must set up Topics from a managed device.
## Video demonstration
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Customize controlled folder access](customize-controlled-folders.md) #### [Device Control]()
+##### [Control USB devices and other removable media](control-usb-devices-using-intune.md)
##### [Removable Storage Protection](device-control-removable-storage-protection.md) ##### [Removable Storage Access Control](device-control-removable-storage-access-control.md) ##### [Device Control Printer Protection](printer-protection.md)
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
run:
1. Open a terminal or SSH into the relevant machine. 2. Run `wget --quiet -O XMDEClientAnalyzer.zip*
- <http://aka.ms/XMDEClientAnalyzer> *&& unzip -q XMDEClientAnalyzer.zip && cd
+ <https://aka.ms/XMDEClientAnalyzer> *&& unzip -q XMDEClientAnalyzer.zip && cd
XMDEClientAnalyzer && chmod +x mde_support_tool.sh"` 3. Run ` ./mde_support_tool.sh -d ` to generate the result archive file.
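Review bot: moving the aka.ms download to `https://` is the right fix, since what is fetched is immediately made executable with `chmod +x` and run. To go with it, the command as rendered around the changed line is broken for copy and paste: the URL is wrapped in `*` and angle brackets and the closing `"` after `mde_support_tool.sh` has no opening quote, so the whole `wget ... && unzip -q XMDEClientAnalyzer.zip && cd XMDEClientAnalyzer && chmod +x mde_support_tool.sh` command belongs in one fenced code block instead of inline backticks. Publishing the expected checksum of XMDEClientAnalyzer.zip beside the command would let admins verify the archive before running the tool.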
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
You view and manage your quarantined messages in the Microsoft 365 Defender port
When you're finished, click **Apply**.
-3. To filter the results, click **Filter**. The available filters are:
-
- - Message
-
- - **Expires time**: Filter messages by when they will expire from quarantine:
- - **Today**
- - **Next 2 days**
- - **Next 7 days**
- - **Custom**: Enter a **Start date** and **End date**.
-
- - **Received time**: Enter a **Start date** and **End date**.
-
- - **Quarantine reason**:
- - **Bulk**
- - **Spam**
- - **Phish**
-
- - **Policy Type**: Filter messages by policy type:
- - **Anti-malware policy**
- - **Safe Attachments policy** (Defender for Office 365)
- - **Anti-phish policy**
- - **Anti-spam policy**
- - **Transport rule** (mail flow rule)
-
- To clear the filter, click **Clear**. To hide the filter flyout, click **Filter** again.
-
-4. To filter the results, click **Filter**. The following filters are available in the **Filters** flyout that appears:
+3. To filter the results, click **Filter**. The following filters are available in the **Filters** flyout that appears:
- **Message ID**: The globally unique identifier of the message. - **Sender address** - **Recipient address**
You view and manage your quarantined messages in the Microsoft 365 Defender port
- **Today** - **Next 2 days** - **Next 7 days**
- - **Custom**: Enter a **Start date** and **End date**.
+ - **Custom**: Enter a **Start time** and **End time** (date).
- **Quarantine reason**: - **Bulk** - **Spam**
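Review bot: the trailing "(date)" in "Enter a **Start time** and **End time** (date)" is ambiguous; if the controls take a date, name them that way in the sentence, and if they take a time, drop the parenthetical. The old wording, "Enter a **Start date** and **End date**", was at least unambiguous.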
You view and manage your quarantined messages in the Microsoft 365 Defender port
- **Safe Attachments policy** - **Anti-phishing policy** - **Anti-spam policy**
- - **Transport rule** (mail flow rule)
When you're finished, click **Apply**. To clear the filters, click ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
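Review bot: removing **Transport rule** (mail flow rule) from the policy-type filter leaves this user-facing page out of step with the admin page, which in this same update still lists **Transport rule** (mail flow rule) under **Quarantine reason**. If end users can no longer see messages that a mail flow rule sent to quarantine, say that explicitly; otherwise the entry should stay.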
-5. Use **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
+4. Use **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
- Message ID - Sender email address - Recipient email address
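Review bot: in the renumbered step, "Use **Search** box and a corresponding value" is missing "the": "Use the **Search** box and a corresponding value to find specific messages."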
security Manage Quarantined Messages And Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files.md
You view and manage quarantined messages in the Microsoft 365 Defender portal or
- **Today** - **Next 2 days** - **Next 7 days**
- - **Custom**: Enter a **Start date** and **End date**.
+ - **Custom**: Enter a **Start time** and **End time** (date).
- **Recipient tag** - **Quarantine reason**: - **Transport rule** (mail flow rule)
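Review bot: same ambiguity as on the end-user page: "Enter a **Start time** and **End time** (date)" should either name the controls as dates or drop "(date)"; the two quarantine pages should use identical wording for this filter.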
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
search.appverid:
ms.assetid: - M365-security-compliance-+ description: Admins can learn how to use quarantine policies to control what users are able to do to their quarantined messages. ms.technology: mdo ms.prod: m365-security
ms.prod: m365-security
> [!NOTE] > The features that are described in this article are currently in Preview, aren't available to everyone, and are subject to change.
-Quarantine policies (formerly known as _quarantine tags_) in Exchange Online Protection (EOP) allow admins to control what users are able to do to their quarantined messages based on how the message arrived in quarantine.
+Quarantine policies (formerly known as _quarantine tags_) in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 allow admins to control what users are able to do to their quarantined messages based on why the message was quarantined.
-EOP has traditionally allowed or prevented certain levels of interactivity for messages in [quarantine](find-and-release-quarantined-messages-as-a-user.md) and in [end-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md). For example, users can view and release messages that were quarantined by anti-spam filtering as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing (only admins can do that).
+Traditionally, users have been allowed or denied levels of interactivity for messages in [quarantine](find-and-release-quarantined-messages-as-a-user.md) and in [end-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md). For example, users can view and release messages that were quarantined by anti-spam filtering as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing (only admins can do that).
-For [supported protection features](#step-2-assign-a-quarantine-policy-to-supported-features), quarantine policies specify what users are allowed to do in end-user spam notification messages and in their quarantined messages in quarantine (messages where the user is a recipient). Default quarantine policies are automatically assigned to enforce the historical capabilities for users on quarantined messages. Or, you can create and assign custom quarantine policies to allow or prevent end users from performing specific actions on quarantined messages.
+For [supported protection features](#step-2-assign-a-quarantine-policy-to-supported-features), quarantine policies specify what users are allowed to do in end-user spam notification messages and in quarantine (messages where the user is a recipient). Default quarantine policies are automatically assigned to enforce the historical capabilities for users on quarantined messages. Or, you can create and assign custom quarantine policies to allow or prevent end users from performing specific actions on quarantined messages.
The individual permissions are combined into the following preset permission groups: -- Admin only access
+- No access
- Limited access - Full access
The available individual permissions and what's included or not included in the
****
-|Permission|Admin only access|Limited access|Full access|
+|Permission|No access|Limited access|Full access|
||::|::|::| |**Block sender** (_PermissionToBlockSender_)||![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)| |**Delete** (_PermissionToDelete_)||![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
The available individual permissions and what's included or not included in the
|**Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_)||![Check mark](../../media/checkmark.png)|| |
+The default quarantine policies and their associated permission groups are described in the following table:
+
+<br>
+
+|Default quarantine policy|Permission group used|
+|||
+|AdminOnlyAccessPolicy|No access|
+|DefaultFullAccessPolicy|Full access|
+|
+ If you don't like the default permissions in the preset permission groups, you can use custom permissions when you create or modify custom quarantine policies. For more information about what each permission does, see the [Quarantine policy permission details](#quarantine-policy-permission-details) section later in this article. You create and assign quarantine policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with Exchange Online Mailboxes; standalone EOP PowerShell in EOP organizations without Exchange Online mailboxes). ## What do you need to know before you begin? -- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. Or to go directly to the **Quarantine policies** page, open <https://security.microsoft.com/quarantineTags>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. Or to go directly to the **Quarantine policies** page, open <https://security.microsoft.com/quarantinePolicies>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). -- To view, create, modify, or remove quarantine policies, you need to be a member of the **Organization Management** or **Security Administrator** roles in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
+- To view, create, modify, or remove quarantine policies, you need to be a member of the **Organization Management**, **Security Administrator**, or **Quarantine Administrator** roles in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
## Step 1: Create quarantine policies in the Microsoft 365 Defender portal
You create and assign quarantine policies in the Microsoft 365 Defender portal o
3. The **New policy** wizard opens. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. You'll need to identify and select the quarantine policy by name in upcoming steps. When you're finished, click **Next**. 4. On the **Recipient message access** page, select one of the following values:
- - **Limited access**
-
- The individual permissions that are included in these permission groups are described earlier in this article.
-
- To specify custom permissions, select **Set specific access (Advanced)** and the configure the following settings that appear:
-
- - **Select release action preference**: Select one of the following values:
- - **No release action**: This is the default value.
- - **Allow recipients to release a message from quarantine**
- - **Allow recipients to request a message to be released from quarantine**
- - **Select additional actions recipients can take on quarantined messages**: Select some, all, or none of the following values:
- - **Delete**
- - **Preview**
- - **Block sender**
+ - **Limited access**: The individual permissions that are included in this permission group are described earlier in this article.
+ - **Set specific access (Advanced)**: Use this value to specify custom permissions. Configure the following settings that appear:
+ - **Select release action preference**: Select one of the following values:
+ - **No release action**: This is the default value.
+ - **Allow recipients to release a message from quarantine**
+ - **Allow recipients to request a message to be released from quarantine**
+ - **Select additional actions recipients can take on quarantined messages**: Select some, all, or none of the following values:
+ - **Delete**
+ - **Preview**
+ - **Block sender**
These permissions and their effect on quarantined messages and in end-user spam notifications are described in the [Quarantine policy permission details](#quarantine-policy-permission-details) section later in this article. When you're finished, click **Next**.
-5. On the **End user spam notification** page, enable the notification if needed.
+5. On the **End user spam notification** page, you can check the box to enable notification.
6. On the **Review policy** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
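Review bot: "you can check the box to enable notification" does not say which box or what is enabled; the other wizard steps name each control in bold (**Policy name**, **Recipient message access**), so this step should name the checkbox and state that it controls whether recipients get end-user spam notifications for messages quarantined under this policy.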
Now you're ready to assign the quarantine policy to a quarantine feature as desc
If you'd rather use PowerShell to create quarantine policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the **New-QuarantineTag** cmdlet. You have two different methods to choose from: -- Use the _EndUserQuarantinePermissionsValue_ parameter.-- Use the _EndUserQuarantinePermissions_ parameter.
+- [Use the _EndUserQuarantinePermissionsValue_ parameter](#use-the-enduserquarantinepermissionsvalue-parameter).
+- [Use the _EndUserQuarantinePermissions_ parameter](#use-the-enduserquarantinepermissions-parameter).
These methods are described in the following sections.
Use the following syntax:
$<VariableName> = New-QuarantinePermissions [-PermissionToBlockSender <$true | $False>] [-PermissionToDelete <$true | $False>] [-PermissionToPreview <$true | $False>] [-PermissionToRelease <$true | $False>] [-PermissionToRequestRelease <$true | $False>] ```
-The default value for any unused parameters is `$false`, so you only need to use the parameters where you want to set value to `$true`.
+The default value for unused parameters is `$false`, so you only need to use the parameters where you want to set value to `$true`.
The following example shows how to create permission objects that correspond to the **Limited access** preset permissions group:
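Review bot: "where you want to set value to `$true`" is missing "the" in both the old and new sentence: "where you want to set the value to `$true`".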
In _supported_ protection features that quarantine messages or files (automatica
|Feature|Quarantine policies supported?|Default quarantine policies used| ||::|| |[Anti-spam policies](configure-your-spam-filter-policies.md): <ul><li>**Spam** (_SpamAction_)</li><li>**High confidence spam** (_HighConfidenceSpamAction_)</li><li>**Phishing** (_PhishSpamAction_)</li><li>**High confidence phishing** (_HighConfidencePhishAction_)</li><li>**Bulk** (_BulkSpamAction_)</li></ul>|Yes|<ul><li>DefaultFullAccessPolicy (Full access)</li><li>DefaultFullAccessPolicy (Full access)</li><li>DefaultFullAccessPolicy (Full access)</li><li>AdminOnlyAccessPolicy (No access)</li><li>DefaultFullAccessPolicy (Full access)</li></ul>|
-|Anti-phishing policies: <ul><li>[Spoof intelligence protection](set-up-anti-phishing-policies.md#spoof-settings) (_AuthenticationFailAction_)</li><li>[Impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) (Defender for Office 365): <ul><li>**If message is detected as an impersonated user** (_TargetedUserProtectionAction_)</li><li>**If message is detected as an impersonated domain** (_TargetedDomainProtectionAction_)</li><li>**If mailbox intelligence detects and impersonated user** (_MailboxIntelligenceProtectionAction_)</li></ul></li></ul></ul>|Yes|<ul><li>DefaultFullAccessPolicy (Full access)</li><li>DefaultFullAccessPolicy (Full access)</li></ul>|
-|[Anti-malware policies](configure-anti-malware-policies.md): All detected messages are always quarantined.|Yes|AdminOnlyAccessPolicy (Admin only access)|
-|[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) (Defender for Office 365)|Yes|AdminOnlyAccessPolicy (Admin only access)|
+|Anti-phishing policies: <ul><li>[Spoof intelligence protection](set-up-anti-phishing-policies.md#spoof-settings) (_AuthenticationFailAction_)</li><li>[Impersonation protection in Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365):<ul><li>**If message is detected as an impersonated user** (_TargetedUserProtectionAction_)</li><li>**If message is detected as an impersonated domain** (_TargetedDomainProtectionAction_)</li><li>**If mailbox intelligence detects and impersonated user** (_MailboxIntelligenceProtectionAction_)</li></ul></li></ul>|Yes|<ul><li>DefaultFullAccessPolicy (Full access)</li><li>Impersonation protection:<ul><li>DefaultFullAccessPolicy (Full access)</li><li>DefaultFullAccessPolicy (Full access)</li><li>DefaultFullAccessPolicy (Full access)</li></ul></li></ul>|
+|[Anti-malware policies](configure-anti-malware-policies.md): All detected messages are always quarantined.|Yes|AdminOnlyAccessPolicy (No access)|
+|[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) (Defender for Office 365)|Yes|AdminOnlyAccessPolicy (No access)|
|[Mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) with the action: **Deliver the message to the hosted quarantine** (_Quarantine_).|No|n/a| | If you're happy with the default end-user permissions that are provided by the default quarantine policies, you don't need to do anything. If you want to add or remove end-user capabilities (available buttons) in end-user spam notifications or in quarantined message details, you can assign a custom quarantine policy.
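Review bot: the rewritten anti-phishing row still carries the typo "If mailbox intelligence detects and impersonated user"; it should be "an impersonated user". The row now closes its nested `<ul>` elements correctly and lists three DefaultFullAccessPolicy entries under "Impersonation protection" to match the three impersonation verdicts, which fixes the mismatch in the old row.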
-### Assign quarantine policies in anti-spam policies in the Microsoft 365 Defender portal
+## Assign quarantine policies in supported polices in the Microsoft 365 Defender portal
-Full instructions for creating and modifying anti-spam policies are described in [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+### Anti-spam policies
1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-spam** in the **Rules** section.
Full instructions for creating and modifying anti-spam policies are described in
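Review bot: the new H2 "Assign quarantine policies in supported polices in the Microsoft 365 Defender portal" has "polices" for "policies".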
- Create a new **inbound** anti-spam policy. 3. Do one of the following steps:
- - **Edit existing anti-spam policy**: In the policy details flyout, go to the **Actions** section and then click **Edit actions**.
- - **Create new anti-spam policy**: In the new policy wizard, get to the **Actions** page.
+ - **Edit existing**: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the **Actions** section and then click **Edit actions**.
+ - **Create new**: In the new policy wizard, get to the **Actions** page.
-4. On the **Actions** page, every verdict that has the **Quarantine message** action will also have the **Select quarantine policy** box for you to select a corresponding quarantine policy.
+4. On the **Actions** page, every verdict that has the **Quarantine message** action will also have the **Apply quarantine policy** box for you to select a corresponding quarantine policy.
**Note**: When you create a new policy, a blank **Select quarantine policy** value indicates the default quarantine policy for that verdict is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table. ![Quarantine policy selections in an anti-spam policy](../../media/quarantine-tags-in-anti-spam-policies.png)
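Review bot: the step now calls the control **Apply quarantine policy**, but the note directly under it still says "a blank **Select quarantine policy** value indicates the default quarantine policy for that verdict is used"; the note needs the same rename or readers will look for a box that no longer exists.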
-5. When you're finished, click **Save**.
+Full instructions for creating and modifying anti-spam policies are described in [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
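Review bot: dropping "5. When you're finished, click **Save**." leaves the procedure without a closing step; for the **Edit existing** path the changes made in the **Edit actions** flyout are not applied until they are saved. Either keep the Save step or have the new closing sentence say explicitly that the remaining steps are in the linked configuration article.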
-#### Assign quarantine policies in anti-spam policies in PowerShell
+#### Anti-spam policies in PowerShell
If you'd rather use PowerShell to assign quarantine policies in anti-spam policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax: ```powershell
-<New-HostedContentFilterPolicy -Name "<Unique name>" | Set-HostedContentFilterPolicy -Identity "<Policy name>"> [-SpamAction Quarantine] [-SpamQuarantineTag <QuarantineTagName>] [-HighConfidenceSpamAction Quarantine] [-HighConfidenceSpamQuarantineTag <QuarantineTagName>] [-PhishSpamAction Quarantine] [-PhishQuarantineTag <QuarantineTagName>] [-HighConfidencePhishQuarantineTag <QuarantineTagName>] [-BulkSpamAction Quarantine] [-BulkQuarantineTag <QuarantineTagName>] ...
+<New-HostedContentFilterPolicy -Name "<Unique name>" | Set-HostedContentFilterPolicy -Identity "<Policy name>"> [-SpamAction Quarantine] [-SpamQuarantineTag <QuarantineTagName>] [-HighConfidenceSpamAction Quarantine] [-HighConfidenceSpamQuarantineTag <QuarantineTagName>] [-PhishSpamAction Quarantine] [-PhishQuarantineTag <QuarantineTagName>] [-HighConfidencePhishQuarantineTag <QuarantineTagName>] [-BulkSpamAction Quarantine] [-BulkQuarantineTag <QuarantineTagName>] ...
``` **Notes**: -- The default value for the _HighConfidencePhishAction_ parameter is Quarantine, so you don't need to set the Quarantine action for high confidence phishing detections in new anti-spam policies. For all other spam filtering verdicts in new or existing anti-spam policies, the quarantine policy is only effective if the action value is Quarantine. To see the action values in existing anti-spam policies, run the following command:
+- The default value for the _PhishSpamAction_ and _HighConfidencePhishAction_ parameters is Quarantine, so you don't need to use these parameters when you create new spam filter polices in PowerShell. For the _SpamAction_, _HighConfidenceSpamAction_, and _BulkSpamAction_ parameters in new or existing anti-spam policies, the quarantine policy is effective only if the value is Quarantine.
+
+ To see the important parameter values in existing anti-spam policies, run the following command:
```powershell
- Get-HostedContentFilterPolicy | Format-Table Name,*SpamAction,HighConfidencePhishAction
+ Get-HostedContentFilterPolicy | Format-List Name,*SpamAction,HighConfidencePhishAction,*QuarantineTag
``` For information about the default action values and the recommended action values for Standard and Strict, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings). - A spam filtering verdict without a corresponding quarantine policy parameter means the [default quarantine policy](#step-2-assign-a-quarantine-policy-to-supported-features) for that verdict is used.
- You only need to replace a default quarantine policy with a custom quarantine policy if you want to change the default end-user capabilities on quarantined messages for that particular verdict.
+ You need to replace a default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on quarantined messages for that particular verdict.
-- A new anti-spam policy in PowerShell requires a spam filter policy (settings) using the **New-HostedContentFilterPolicy** cmdlet and a new spam filter rule (recipient filters) using the **New-HostedContentFilterRule** cmdlet. For instructions, see [Use PowerShell to create anti-spam policies](configure-your-spam-filter-policies.md#use-powershell-to-create-anti-spam-policies).
+- A new anti-spam policy in PowerShell requires a spam filter policy (settings) using the **New-HostedContentFilterPolicy** cmdlet and an exclusive spam filter rule (recipient filters) using the **New-HostedContentFilterRule** cmdlet. For instructions, see [Use PowerShell to create anti-spam policies](configure-your-spam-filter-policies.md#use-powershell-to-create-anti-spam-policies).
This example creates a new spam filter policy named Research Department with the following settings:
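Review bot: "when you create new spam filter polices in PowerShell" has "polices" for "policies". In the last bullet, "an exclusive spam filter rule" needs a word on what exclusive means here (one rule bound to one policy), since the old text just said "a new spam filter rule". The change from `Format-Table` to `Format-List` with `*QuarantineTag` added is useful, because the `*SpamAction` wildcard plus the explicit `HighConfidencePhishAction` now shows every action and its quarantine policy in one pass.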
This example creates a new spam filter policy named Research Department with the
- The custom quarantine policy named NoAccess that assigns **No access** permissions replaces any default quarantine policies that don't already assign **No access** permissions by default. ```powershell
-New-HostedContentFilterPolicy -Name Research Department -SpamAction Quarantine -SpamQuarantineTag NoAccess -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag NoAction -PhishSpamAction Quarantine -PhishQuarantineTag NoAction -BulkSpamAction Quarantine -BulkQuarantineTag NoAccess
+New-HostedContentFilterPolicy -Name "Research Department" -SpamAction Quarantine -SpamQuarantineTag NoAccess -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag NoAction -PhishSpamAction Quarantine -PhishQuarantineTag NoAction -BulkSpamAction Quarantine -BulkQuarantineTag NoAccess
``` For detailed syntax and parameter information, see [New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy).
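Review bot: quoting `"Research Department"` fixes the name, but the example still passes `-HighConfidenceSpamQuarantineTag NoAction` and `-PhishQuarantineTag NoAction` while the description above says the custom policy is named NoAccess and the other two verdicts use `NoAccess`; either those two values are typos for `NoAccess` or a second policy named NoAction exists and the description should mention it.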
Set-HostedContentFilterPolicy -Identity "Human Resources" -SpamAction Quarantine
For detailed syntax and parameter information, see [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy).
+### Anti-phishing policies
+
+Spoof intelligence is available in EOP and Defender for Office 365. User impersonation protection, domain impersonation protection, and mailbox intelligence are available only in Defender for Office 365. For more information, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-phishing** in the **Rules** section.
+
+ Or, to go directly to the **Ant-spam policies** page, use <https://security.microsoft.com/antiphishing>.
+
+2. On the **Anti-phishing** page, do one of the following steps:
+ - Find and select an existing anti-phishing policy.
+ - Create a new anti-phishing policy.
+
+3. Do one of the following steps:
+ - **Edit existing**: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the **Protection settings** section and then click **Edit protection settings**.
+ - **Create new**: In the new policy wizard, get to the **Actions** page.
+
+4. On the **Protection settings** page, verify that the following settings are turned on and configured as required:
+ - **Enabled users to protect**: Specify users.
+ - **Enabled domains to protect**: Select **Include domains I own** and/or **Include custom domains** and specify the domains.
+ - **Enable mailbox intelligence**
+ - **Enable intelligence for impersonation protection**
+ - **Enable spoof intelligence**
+
+5. Do one of the following steps:
+ - **Edit existing**: In the policy details flyout, go to the **Actions** section and then click **Edit actions**.
+ - **Create new**: In the new policy wizard, get to the **Actions** page.
+
+6. On the **Actions** page, every verdict that has the **Quarantine the message** action will also have the **Apply quarantine policy** box for you to select a corresponding quarantine policy.
+
+ **Note**: When you create a new policy, a blank **Apply quarantine policy** value indicates the default quarantine policy for that action is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table.
+
+ ![Quarantine policy selections in an anti-spam policy](../../media/quarantine-tags-in-anti-phishing-policies.png)
+
+Full instructions for creating and modifying anti-phishing polices are available in the following topics:
+
+- [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md)
+- [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md)
+
+#### Anti-phishing policies in PowerShell
+
+If you'd rather use PowerShell to assign quarantine policies in anti-phishing policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
+
+```powershell
+<New-AntiPhishPolicy -Name "<Unique name>" | Set-AntiPhishPolicy -Identity "<Policy name>"> [-EnableSpoofIntelligence $true] [-AuthenticationFailAction Quarantine] [-SpoofQuarantineTag <QuarantineTagName>] [-EnableMailboxIntelligence $true] [-EnableMailboxIntelligenceProtection $true] [-MailboxIntelligenceProtectionAction Quarantine] [-MailboxIntelligenceQuarantineTag <QuarantineTagName>] [-EnableOrganizationDomainsProtection $true] [-EnableTargetedDomainsProtection $true] [-TargetedDomainProtectionAction Quarantine] [-TargetedDomainQuarantineTag <QuarantineTagName>] [-EnableTargetedUserProtection $true] [-TargetedUserProtectionAction Quarantine] [-TargetedUserQuarantineTag <QuarantineTagName>] ...
+```
+
+**Notes**:
+
+- The _Enable\*_ parameters are required to turn on the specific protection features. The default value for the _EnableMailboxIntelligence_ and _EnableSpoofIntelligence_ parameters is $true, so you don't need to use these parameters when you create new anti-phish policies in PowerShell. All other _Enable\*_ parameters need to have the value $true so you can set the value Quarantine in the corresponding _\*Action_ parameters to then assign a quarantine policy. None of the _*\Action_ parameters have the default value Quarantine.
+
+ To see the important parameter values in existing anti-phish policies, run the following command:
+
+ ```powershell
+ Get-AntiPhishPolicy | Format-List Name,Enable*Intelligence,Enable*Protection,*Action,*QuarantineTag
+ ```
+
+ For information about the default action values and the recommended action values for Standard and Strict, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings) and [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+
+- An anti-phishing action without a corresponding quarantine policy parameter means the [default quarantine policy](#step-2-assign-a-quarantine-policy-to-supported-features) for that verdict is used.
+
+ You need to replace a default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on quarantined messages for that particular verdict.
+
+- A new anti-phishing policy in PowerShell requires an anti-phish policy (settings) using the **New-AntiPhishPolicy** cmdlet and an exclusive anti-phish rule (recipient filters) using the **New-AntiPhishRule** cmdlet. For instructions, see the following topics:
+ - [Use PowerShell to configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md#use-exchange-online-powershell-to-configure-anti-phishing-policies)
+ - [Use Exchange Online PowerShell to configure anti-phishing policies](configure-mdo-anti-phishing-policies.md#use-exchange-online-powershell-to-configure-anti-phishing-policies)
+
+This example creates a new anti-phish policy named Research Department with the following settings:
+
+- The action for all spam filtering verdicts is set to Quarantine.
+- The custom quarantine policy named NoAccess that assigns **No access** permissions replaces any default quarantine policies that don't already assign **No access** permissions by default.
+
+```powershell
+New-AntiPhishPolicy -Name "Research Department" -AuthenticationFailAction Quarantine -SpoofQuarantineTag NoAccess -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine -MailboxIntelligenceQuarantineTag NoAccess -EnableOrganizationDomainsProtection $true -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag NoAccess -EnableTargetedUserProtection $true -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag NoAccess
+```
+
+For detailed syntax and parameter information, see [New-AntiPhishPolicy](/powershell/module/exchange/new-antiphishpolicy).
+
+This example modifies the existing anti-phish policy named Human Resources. The action for messages detected by user impersonation and domain impersonation is set to Quarantine, and the custom quarantine policy named NoAccess is assigned.
+
+```powershell
+Set-AntiPhishPolicy -Identity "Human Resources" -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag NoAccess -EnableTargetedUserProtection $true -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag NoAccess
+```
+
+For detailed syntax and parameter information, see [Set-AntiPhishPolicy](/powershell/module/exchange/set-antiphishpolicy).
+
+### Anti-malware policies
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-malware** in the **Rules** section.
+
+ Or, to go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
+
+2. On the **Anti-malware** page, do one of the following steps:
+ - Find and select an existing anti-malware policy.
+ - Create a new anti-malware policy.
+
+3. Do one of the following steps:
+ - **Edit existing**: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the **Protection settings** section and then click **Edit protection settings**.
+ - **Create new**: In the new policy wizard, get to the **Actions** page.
+
+4. On the **Protection settings** page, select a quarantine policy in the **Quarantine policy** box.
+
+ **Note**: When you create a new policy, a blank **Quarantine policy** value indicates the default quarantine policy for that is used. When you later edit the policy, the blank value is replaced by the actual default quarantine policy name as described in the previous table.
+
+#### Anti-malware policies in PowerShell
+
+If you'd rather use PowerShell to assign quarantine policies in anti-malware policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
+
+```powershell
+<New-AntiMalwarePolicy -Name "<Unique name>" | Set-AntiMalwarePolicy -Identity "<Policy name>"> [-QuarantineTag <QuarantineTagName>]
+```
+
+**Notes**:
+
+- You need to replace the default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on messages that were quarantined for malware.
+
+ To see the important parameter values in existing anti-phish policies, run the following command:
+
+ ```powershell
+ Get-MalwareFilterPolicy | Format-Table Name,QuarantineTag
+ ```
+
+- A new anti-malware policy in PowerShell requires a malware filter policy (settings) using the **New-MalwareFilterPolicy** cmdlet and an exclusive malware filter rule (recipient filters) using the **New-MalwareFilterRule** cmdlet. For instructions, see [Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-malware policies](configure-anti-malware-policies.md#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-anti-malware-policies).
+
+This example creates a malware filter policy named Research Department that uses the custom quarantine policy named NoAccess that assigns **No access** permissions.
+
+```powershell
+New-MalwareFilterPolicy -Name "Research Department" -QuarantineTag NoAccess
+```
+
+For detailed syntax and parameter information, see [New-MalwareFilterPolicy](/powershell/module/exchange/new-malwarefilterpolicy).
+
+This example modifies the existing malware filter policy named Human Resources by assigning the custom quarantine policy named NoAccess that assigns **No access** permissions.
+
+```powershell
+New-MalwareFilterPolicy -Identity "Human Resources" -QuarantineTag NoAccess
+```
+
+For detailed syntax and parameter information, see [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy).
+
+### Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
+
+Typically, protection by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams does not require membership in a Safe Attachments polices (you turn the protection on or off in the **Global settings** of Safe Attachments policies). However, to assign a quarantine policy for messages that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the affected users need to be assigned in a quarantine policy.
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Safe Attachments** in the **Rules** section.
+
+ Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+
+2. On the **Safe Attachments** page, do one of the following steps:
+ - Find and select an existing Safe Attachments policy.
+ - Create a new Safe Attachments policy.
+
+3. Do one of the following steps:
+ - **Edit existing**: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the **Settings** section and then click **Edit settings**.
+ - **Create new**: In the new policy wizard, get to the **Settings** page.
+
+4. On the **Settings** page, select a quarantine policy in the **Quarantine policy** box.
+
+ **Note**: When you create a new policy, a blank **Quarantine policy** value indicates the default quarantine policy is used. When you later edit the policy, the blank value is replaced by the actual default quarantine policy name as described in the previous table.
+
+Full instructions for creating and modifying Safe Attachments policies are described in [Set up Safe Attachments policies in Microsoft Defender for Office 365](set-up-safe-attachments-policies.md).
+
+#### Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in PowerShell
+
+If you'd rather use PowerShell to assign quarantine policies for Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
+
+```powershell
+Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
+<New-SafeAttachmentPolicy -Name "<Unique name>" | Set-SafeAttachmentPolicy -Identity "<Policy name>"> [-QuarantineTag <QuarantineTagName>]
+```
+
+**Notes**:
+
+- You need to replace the default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on files that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
+
+ To see the important parameter values, run the following command:
+
+ ```powershell
+ Get-AtpPolicyForO365 | Format-Table EnableATPForSPOTeamsODB; Get-SafeAttachmentPolicy | Format-Table Name,QuarantineTag
+ ```
+
+- To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](turn-on-mdo-for-spo-odb-and-teams.md).
+
+- A new Safe Attachments policy in PowerShell requires a safe attachment policy (settings) using the **New-SafeAttachmentPolicy** cmdlet and an exclusive safe attachment rule (recipient filters) using the **New-SafeAttachmentRule** cmdlet. For instructions, see [Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Attachments policies](set-up-safe-attachments-policies.md#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-safe-attachments-policies).
+
+This example turns on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and then creates a safe attachment policy named Research Department that uses the custom quarantine policy named NoAccess that assigns **No access** permissions.
+
+```powershell
+Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
+New-SafeAttachmentPolicy -Name "Research Department" -QuarantineTag NoAccess
+```
+
+For detailed syntax and parameter information, see [New-MalwareFilterPolicy](/powershell/module/exchange/new-malwarefilterpolicy).
+
+This example modifies the existing safe attachment policy named Human Resources by assigning the custom quarantine policy named NoAccess that assigns **No access** permissions.
+
+```powershell
+New-SafeAttachmentPolicy -Identity "Human Resources" -QuarantineTag NoAccess
+```
+
+For detailed syntax and parameter information, see [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy).
+ ## Configure global quarantine notification settings in the Microsoft 365 Defender portal The global settings for quarantine policies allow you to customize the end-user spam notifications that are sent to recipients of messages that were quarantined. For more information about these notifications, see [End-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md).
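Review bot: The two "modifies the existing ... policy" examples use the New- cmdlet with -Identity, which is wrong: `New-MalwareFilterPolicy -Identity "Human Resources" -QuarantineTag NoAccess` should be `Set-MalwareFilterPolicy -Identity "Human Resources" -QuarantineTag NoAccess`, and `New-SafeAttachmentPolicy -Identity "Human Resources" -QuarantineTag NoAccess` should use Set-SafeAttachmentPolicy; the New-* cmdlets take -Name, not -Identity, so the examples as written would not run. In the Safe Attachments PowerShell section the two "detailed syntax" links still point at New-MalwareFilterPolicy and Set-MalwareFilterPolicy instead of New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy. Several copy-paste leftovers from the anti-spam and anti-phishing sections also need fixing: the direct-link sentence says "Ant-spam policies" page but the URL is the anti-phishing page; the image alt text "Quarantine policy selections in an anti-spam policy" sits in the anti-phishing section; the first example's bullet says "all spam filtering verdicts" although the cmdlet sets spoof and impersonation actions; and the anti-malware note says "existing anti-phish policies" directly above Get-MalwareFilterPolicy. In both the anti-phishing and anti-malware steps, the "Create new" item in step 3 sends the reader to the Actions page while step 4 describes the Protection settings page. Smaller wording points: "_*\Action_" has the backslash on the wrong side of the asterisk (compare "_\*Action_" earlier in the same bullet), the anti-malware note reads "the default quarantine policy for that is used" (missing "action"), "Safe Attachments polices" is misspelled, and the heading "## Configure global quarantine notification settings in the Microsoft 365 Defender portal" is run together on one line with the paragraph that follows it.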
The following sections describe the effects of preset permission groups and indi
The individual permissions that are included in preset permission groups are listed in the table at the beginning of this article.
-#### Admin Only access
+#### No access
-If the quarantine policy assigns the **Admin Only access** permissions (no permissions), users will not able to see those messages that are quarantined:
+If the quarantine policy assigns the **No access** permissions (admin only access), users will not able to see those messages that are quarantined:
-- **Quarantined message details**: No message will show in the end user view.-- **End-user spam notifications**: No notification will be sent for those message
+- **Quarantined message details**: No messages will show in the end user view.
+- **End-user spam notifications**: No notifications will be sent for those messages.
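Review bot: Grammar in the rewritten sentence: "users will not able to see those messages that are quarantined" is missing "be" ("will not be able to see"); since the line is being touched anyway, this is the place to fix it. "end user view" should also be hyphenated as "end-user view" to match "End-user spam notifications" in the next bullet.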
#### Limited access
If the quarantine policy assigns the **Limited access** permissions, users get t
- **Quarantined message details**: The following buttons are available: - **Request release**
- - **View message header**
+ - **View message headers**
- **Preview message**
- - **Block sender**
- **Remove from quarantine**
+ - **Block sender**
![Available buttons in the quarantined message details if the quarantine policy gives the user Limited access permissions](../../media/quarantine-tags-quarantined-message-details-limited-access.png) - **End-user spam notifications**: The following buttons are available: - **Block sender**
+ - **Request release**
- **Review** ![Available buttons in the end-user spam notification if the quarantine policy gives the user Limited access permissions](../../media/quarantine-tags-esn-limited-access.png)
If the quarantine policy assigns the **Full access** permissions (all available
- **Quarantined message details**: The following buttons are available: - **Release message**
- - **View message header**
+ - **View message headers**
- **Preview message**
- - **Block sender**
- **Remove from quarantine**
+ - **Block sender**
![Available buttons in the quarantined message details if the quarantine policy gives the user Full access permissions](../../media/quarantine-tags-quarantined-message-details-full-access.png)
The **Block sender** permission (_PermissionToBlockSender_) controls access to t
- **Block sender** permission disabled: The **Block sender** button is not available. - **End-user spam notifications**:
- - **Block sender** permission disabled: The **Block sender** button is not available.
- **Block sender** permission enabled: The **Block sender** button is available.
+ - **Block sender** permission disabled: The **Block sender** button is not available.
For more information about the Blocked Senders list, see [Block messages from someone](https://support.microsoft.com/office/274ae301-5db2-4aad-be21-25413cede077#__toc304379667) and [Use Exchange Online PowerShell to configure the safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox).
The **Allow recipients to request a message to be released from quarantine** per
- Permission enabled: The **Request release** button is available. - Permission disabled: The **Request release** button is not available. -- **End-user spam notifications**: The **Release** button is not available.
+- **End-user spam notifications**:
+ - Permission enabled: The **Request release** button is available.
+ - Permission disabled: The **Request release** button is not available.
security Security Roadmap https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-roadmap.md
f1.keywords:
Previously updated : 10/08/2018 Last updated : 08/20/2021 audience: Admin - localization_priority: Normal - Ent_O365
These tasks can be accomplished quickly and have low impact to users.
|Area|Tasks| |||
-|Security management|<ul><li>Check Secure Score and take note of your current score (<https://securescore.office.com>).</li><li>Turn on audit logging for Office 365. See [Search the audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md).</li><li>[Configure Microsoft 365 for increased security](tenant-wide-setup-for-increased-security.md).</li><li>Regularly review dashboards and reports in the Microsoft 365 Defender portal and Cloud App Security.</li></ul>|
+|Security management|<ul><li>Check Secure Score and take note of your current score (<https://security.microsoft.com/securescore>).</li><li>Turn on audit logging for Office 365. See [Search the audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md).</li><li>[Configure Microsoft 365 for increased security](tenant-wide-setup-for-increased-security.md).</li><li>Regularly review dashboards and reports in the Microsoft 365 Defender portal and Cloud App Security.</li></ul>|
|Threat protection|[Connect Microsoft 365 to Microsoft Cloud App Security](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security) to start monitoring using the default threat detection policies for anomalous behaviors. It takes seven days to build a baseline for anomaly detection. <p> Implement protection for admin accounts:<ul><li>Use dedicated admin accounts for admin activity.</li><li>Enforce multi-factor authentication (MFA) for admin accounts.</li><li>Use a [highly secure Windows 10 device](/windows-hardware/design/device-experiences/oem-highly-secure) for admin activity.</li></ul>| |Identity and access management|<ul><li>[Enable Azure Active Directory Identity Protection](/azure/active-directory/active-directory-identityprotection-enable).</li><li>For federated identity environments, enforce account security (password length, age, complexity, etc.).</li></ul>| |Information protection|Review example information protection recommendations. Information protection requires coordination across your organization. Get started with these resources:<ul><li>[Office 365 Information Protection for GDPR](/compliance/regulatory/gdpr)</li><li>[Configure Teams with three tiers of protection](../../solutions/configure-teams-three-tiers-protection.md) (includes sharing, classification, data loss prevention, and Azure Information Protection)</li></ul>|
These tasks take a bit more time to plan and implement but greatly increase your
|Area|Task| |||
-|Security management|<ul><li>Check Secure Score for recommended actions for your environment (<https://securescore.office.com>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Cloud App Security, and SIEM tools.</li><li>Look for and implement software updates.</li><li>Conduct attack simulations for spear-phishing, password-spray, and brute-force password attacks using [Attack simulation training](attack-simulation-training.md) (included with [Office 365 Threat Intelligence](office-365-ti.md)).</li><li>Look for sharing risk by reviewing the built-in reports in Cloud App Security (on the Investigate tab).</li><li>Check [Compliance Manager](../../compliance/compliance-manager.md) to review status for regulations that apply to your organization (such as GDPR, NIST 800-171).</li></ul>|
+|Security management|<ul><li>Check Secure Score for recommended actions for your environment (<https://security.microsoft.com/securescore>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Cloud App Security, and SIEM tools.</li><li>Look for and implement software updates.</li><li>Conduct attack simulations for spear-phishing, password-spray, and brute-force password attacks using [Attack simulation training](attack-simulation-training.md) (included with [Office 365 Threat Intelligence](office-365-ti.md)).</li><li>Look for sharing risk by reviewing the built-in reports in Cloud App Security (on the Investigate tab).</li><li>Check [Compliance Manager](../../compliance/compliance-manager.md) to review status for regulations that apply to your organization (such as GDPR, NIST 800-171).</li></ul>|
|Threat protection|Implement enhanced protections for admin accounts: <ul><li>Configure [Privileged Access Workstations](/security/compass/privileged-access-devices) (PAWs) for admin activity.</li><li>Configure [Azure AD Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure).</li><li>Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Cloud App Security, and other services, including AD FS. The audit log stores data for only 90 days. Capturing this data in SIEM tool allows you to store data for a longer period.</li></ul>| |Identity and access management|<ul><li>Enable and enforce MFA for all users.</li><li>Implement a set of [conditional access and related policies](microsoft-365-policies-configurations.md).</li></ul>| |Information protection| Adapt and implement information protection policies. These resources include examples: <ul><li>[Office 365 Information Protection for GDPR](/compliance/regulatory/gdpr)</li><li>[Configure Teams with three tiers of protection](../../solutions/configure-teams-three-tiers-protection.md)</li></ul> <p> Use data loss prevention policies and monitoring tools in Microsoft 365 for data stored in Microsoft 365 (instead of Cloud App Security). <p> Use Cloud App Security with Microsoft 365 for advanced alerting features (other than data loss prevention).|
These are important security measures that build on previous work.
|Area|Task| |||
-|Security management|<ul><li>Continue planning next actions by using Secure Score (<https://securescore.office.com>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Cloud App Security, and SIEM tools.</li><li>Continue to look for and implement software updates.</li><li>Integrate eDiscovery into your legal and threat response processes.</li></ul>|
+|Security management|<ul><li>Continue planning next actions by using Secure Score (<https://security.microsoft.com/securescore>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Cloud App Security, and SIEM tools.</li><li>Continue to look for and implement software updates.</li><li>Integrate eDiscovery into your legal and threat response processes.</li></ul>|
|Threat protection|<ul><li>Implement [Secure Privileged Access](/windows-server/identity/securing-privileged-access/securing-privileged-access) (SPA) for identity components on premises (AD, AD FS).</li><li>Use Cloud App Security to monitor for insider threats.</li><li>Discover shadow IT SaaS usage by using Cloud App Security.</li></ul>| |Identity and access management|<ul><li>Refine policies and operational processes.</li><li>Use Azure AD Identity Protection to identify insider threats.</li></ul>| |Information protection|Refine information protection policies: <ul><li>Microsoft 365 and Office 365 sensitivity labels and data loss prevention (DLP), or Azure Information Protection.</li><li>Cloud App Security policies and alerts.</li></ul>|
solutions Identity Design Principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/identity-design-principles.md
It is important to understand relationships between various services in the same
3. After all components are approved, assemble these into a unified deliverable(s) (Azure) [Microsoft Graph API](/azure/active-directory/develop/microsoft-graph-intro) is your best friend for these. Not impossible, but significantly more complex to design a solution spanning [multiple tenants](/azure/active-directory/develop/single-and-multi-tenant-apps).
-Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. Details are out of scope for this document, but for more information on RBAC, see [What is role-based access control (RBAC) in Azure?](/azure/role-based-access-control/overview) RBAC is important but only part of the governance considerations for Azure. [Cloud Adoption Framework](/azure/cloud-adoption-framework/govern/) is a great starting point to learn more. I like how my friend, Andres Ravinet walks customers step by step though various components to decide on the approach. High-level view for various elements (not as good as the process to get to actual customer model) is something like this:
+Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. Details are out of scope for this document, but for more information on RBAC, see [What is role-based access control (RBAC) in Azure?](/azure/role-based-access-control/overview) RBAC is important but only part of the governance considerations for Azure. [Cloud Adoption Framework](/azure/cloud-adoption-framework/govern/) is a great starting point to learn more. I like how my friend, [Andres Ravinet](https://www.linkedin.com/in/andres-ravinet/), walks customers step by step though various components to decide on the approach. High-level view for various elements (not as good as the process to get to actual customer model) is something like this:
![High-level view of Azure components for delegated administration](../media/solutions-architecture-center/identity-beyond-illustration-5.png)
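Review bot: The rewritten line keeps the typo "walks customers step by step though various components"; "though" should be "through". While here, "High-level view for various elements ... is something like this:" would read better as "A high-level view of the various elements".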
solutions Microsoft 365 Guest Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/microsoft-365-guest-settings.md
Because OneDrive is a hierarchy of sites within SharePoint, the organization-lev
**Navigation:** SharePoint admin center > Sharing
-![Screenshot of SharePoint organization-level sharing settings](../media/sharepoint-organization-external-sharing-controls.png)
+![Screenshot of SharePoint organization-level sharing settings](../media/external-sharing.png)
| Setting | Default | Description | |:--|:--|:--|
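Review bot: The screenshot path is changed from ../media/sharepoint-organization-external-sharing-controls.png to ../media/external-sharing.png, and the "additional sharing settings" screenshot in the hunk below is switched to the same file; two different settings panes now reference one image. Please confirm ../media/external-sharing.png actually shows the organization-level sharing controls, and that the old file is not referenced elsewhere before it is removed.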
Because OneDrive is a hierarchy of sites within SharePoint, the organization-lev
**Navigation:** SharePoint admin center > Sharing
-![Screenshot of SharePoint organization-level additional sharing settings](../media/sharepoint-organization-advanced-sharing-settings.png)
+![Screenshot of SharePoint organization-level additional sharing settings](../media/external-sharing.png)
| Setting | Default | Description | |:--|:--|:--|
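Review bot: This path now duplicates the image used for the organization-level sharing screenshot in the hunk above (../media/external-sharing.png) while the alt text still says "additional sharing settings". If the additional-settings pane is a separate screen it needs its own image; if one combined screenshot is intended, the two alt texts should be reconciled so they do not promise different content.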
solutions Networking Design Principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/networking-design-principles.md
In this article, [Ed Fisher](https://www.linkedin.com/in/edfisher/), Security &
![Ed Fisher photo](../media/solutions-architecture-center/ed-fisher-networking.jpg)
-I'm currently a Principal Technical Specialist in the South East region focusing on Security & Compliance. I've worked with customers moving to Office 365 for the past 10 years. IΓÇÖve worked with smaller shops with a handful of locations to government agencies and enterprises with millions of users distributed around the world, and many other customers in between, with the majority having tens of thousands of users, multiple locations in various parts of the world, the need for a higher degree of security, and a multitude of compliance requirements. I've helped hundreds of enterprises and millions of users move to the cloud safely and securely.
+I am currently a Principal Technical Specialist in our Retail and Consumer Goods team, focusing on Security & Compliance. I have worked with customers moving to Office 365 for the past ten years. IΓÇÖve worked with smaller shops with a handful of locations to government agencies and enterprises with millions of users distributed around the world, and many other customers in between, with the majority having tens of thousands of users, multiple locations in various parts of the world, the need for a higher degree of security, and a multitude of compliance requirements. I have helped hundreds of enterprises and millions of users move to the cloud safely and securely.
With a background over the past 25 years that includes security, infrastructure, and network engineering, and having moved two of my previous employers to Office 365 before joining Microsoft, IΓÇÖve been on your side of the table plenty of times, and do remember what thatΓÇÖs like. While no two customers are ever the same, most have similar needs, and when consuming a standardized service such as any SaaS or PaaS platform, the best approaches tend to be the same.
With a background over the past 25 years that includes security, infrastructure,
No matter how many times it happens, it never fails to amaze me how *creative* security teams and networking teams try to get with how they think they should connect to Microsoft cloud services. ThereΓÇÖs always some security policy, compliance standard, or better way they insist on using, without being willing to engage in a conversation about what it is they're trying to accomplish, or *how* they're better, easier, more cost-effective, and more performant ways of doing so.
-When this sort of thing is escalated to me, IΓÇÖm usually willing to take the challenge and walk them through the how's and the why's and get them to where they need to be. But if I'm being completely frank, I have to share that sometimes I want to just let them do what they will, and come back to say I told you so when they finally concede it doesnΓÇÖt work. I may want to do that sometimes, but I *donΓÇÖt*. What I do is try to explain all of what I'm going to include in this post. Regardless of your role, if your organization wants to use Microsoft cloud services, thereΓÇÖs probably some wisdom in what follows that can help you out.
+## ItΓÇÖs not the network ΓÇö itΓÇÖs how youΓÇÖre (mis)using it!
+
+No matter how many times it happens, it never fails to amaze me how *creative* security teams and networking teams try to get with how they think they should connect to Microsoft cloud services. ThereΓÇÖs always some security policy, compliance standard, or better way they insist on using, without being willing to engage in a conversation about what it is they are trying to accomplish, or *how* there are better, easier, more cost-effective, and more performant ways of doing so.
+
+When this sort of thing is escalated to me, IΓÇÖm usually willing to take the challenge and walk them through the hows and the whys and get them to where they need to be. But if I am being completely frank, I have to share that sometimes I want to just let them do what they will, and come back to say I told you so when they finally concede it doesnΓÇÖt work. I may want to do that sometimes, but I *donΓÇÖt*. What I do is try to explain all of what I am going to include in this post. Regardless of your role, if your organization wants to use Microsoft cloud services, thereΓÇÖs probably some wisdom in what follows that can help you out.
## Guiding principles
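Review bot: The added paragraph beginning "No matter how many times it happens" is a near-duplicate of the unchanged paragraph just above the removed "When this sort of thing is escalated to me" line; only that one line carries a "-" marker, so unless the marker was lost in rendering, the post will contain the "No matter how many times" paragraph twice with slightly different wording ("they're" versus "they are", and the corrected "there are better, easier, more cost-effective, and more performant ways"). Remove the older copy so only the corrected version remains. Also, the rewritten intro paragraph now mixes expanded forms ("I am currently", "I have worked", "I have helped") with the contraction "I've" in its third sentence, which reads unevenly; pick one style for the paragraph.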