Updates from: 08/24/2021 03:23:56
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
description: Create retention labels and auto-labeling policies so you can autom
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).* > [!NOTE]
-> This scenario is not supported for [regulatory records](records-management.md#records).
+> This scenario is not supported for [regulatory records](records-management.md#records) or default labels for an organizing structure such as a document set or library in SharePoint, or a folder in Exchange. These scenarios require a [published retention label policy](create-apply-retention-labels.md#step-2-publish-retention-labels).
One of the most powerful features of [retention labels](retention.md) is the ability to apply them automatically to content that matches specified conditions. In this case, people in your organization don't need to apply the retention labels. Microsoft 365 does the work for them.
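Review bot: The added note line uses "This scenario" and then "These scenarios" in consecutive sentences, and the two refer to different things: the first is auto-apply, the second is regulatory records and default labels for a document set, library or folder. Suggest naming the subject in the second sentence, for example "Regulatory records and default labels require a published retention label policy", so it is not read as auto-apply itself requiring a published policy.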
The processes to automatically apply a retention label based on these conditions
Use the following instructions for the two admin steps. > [!NOTE]
-> Auto-policies use service-side labeling with conditions to automatically apply retention labels. You can also automatically apply a retention label with a label policy when you do the following:
+> Auto-policies use service-side labeling with conditions to automatically apply retention labels to items. You can also automatically apply a retention label with a label policy when you do the following:
> > - Apply a retention label to a document understanding model in SharePoint Syntex > - Apply a default retention label for SharePoint and Outlook
All three conditions can automatically apply retention labels to emails as they
|Specific keywords or searchable properties| Yes |Yes | |Trainable classifiers| Yes | Yes (last six months only) |
+Additionally, SharePoint items that are in draft or that have never been published aren't supported for this scenario.
#### Auto-apply labels to content with specific types of sensitive information
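Review bot: The added sentence after the conditions table says SharePoint items in draft or never published "aren't supported for this scenario", but at that position "this scenario" has no clear antecedent. The table above lists several conditions, and its last row carries its own limit ("last six months only"). State explicitly whether the exclusion applies to every condition in the table, and consider placing it in a note so it is not lost between the table and the next heading.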
Some things to consider when using keywords or searchable properties to auto-app
- Use the *DocumentLink* property instead of *Path* to match an item based on its URL. -- Suffix wildcard searches ( such as `*cat`) or substring wildcard searches (such as `*cat*`) aren't supported. However, prefix wildcard searches (such as `cat*`) are supported.
+- Suffix wildcard searches (such as `*cat`) or substring wildcard searches (such as `*cat*`) aren't supported. However, prefix wildcard searches (such as `cat*`) are supported.
- Be aware that partially indexed items can be responsible for not labeling items that you're expecting, or labeling items that you're expecting to be excluded from labeling when you use the NOT operator. For more information, see [Partially indexed items in Content Search](partially-indexed-items-in-content-search.md).
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
For more information on parent labels and sublabels, see [Sublabels (grouping la
## How to configure auto-labeling for Office apps
-Automatic labeling in Office apps for Windows is supported by the Azure Information Protection unified labeling client. For built-in labeling in Office apps, this capability is in [different stages of availability for different apps](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps).
+For built-in labeling in Office apps, check the [minimum versions required](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps) for automatic labeling in Office apps.
+
+The Azure Information Protection unified labeling client supports automatic labeling for built-in and custom sensitive info types, but not for trainable classifiers or sensitive info types that use Exact Data Match (EDM).
The auto-labeling settings for Office apps are available when you [create or edit a sensitivity label](create-sensitivity-labels.md). Make sure **Files & emails** is selected for the label's scope:
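Review bot: The rewritten paragraph loses the platform qualifier from the removed line ("Automatic labeling in Office apps for Windows is supported by the Azure Information Protection unified labeling client"); the added sentence about the client no longer says it concerns Office apps for Windows. Suggest keeping "for Windows" in that sentence. The first added sentence also says "in Office apps" twice and could be shortened to "For built-in labeling, check the minimum versions required for automatic labeling in Office apps".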
compliance Permissions Filtering For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
Title: "Configure permissions filtering for Content Search"
+ Title: "Configure permissions filtering for Content search"
f1.keywords: - NOCSH
search.appverid:
- MOE150 - MET150 ms.assetid: 1adffc35-38e5-4f7d-8495-8e0e8721f377
-description: "Use Content Search permissions filtering to let an eDiscovery manager search only a subset of mailboxes and sites in your organization."
+description: "Use Content search permissions filtering to let an eDiscovery manager search only a subset of mailboxes and sites in your organization."
-# Configure permissions filtering for Content Search
+# Configure permissions filtering for Content search
You can use search permissions filtering to let an eDiscovery manager search only a subset of mailboxes and sites in your organization. You can also use permissions filtering to let that same eDiscovery manager search only for mailbox or site content that meets a specific search criteria. For example, you might let an eDiscovery manager search only the mailboxes of users in a specific location or department. You do this by creating a filter that uses a supported recipient filter to limit which mailboxes a specific user or group of users can search. You can also create a filter that specifies what mailbox content a user can search for. This is done by creating a filter that uses a searchable message property. Similarly, you can let an eDiscovery manager search only specific SharePoint sites in your organization. You do this by creating a filter that limits which site can be searched. You can also create a filter that specifies what site content can be searched. This is done by creating a filter that uses a searchable site property. You can also use search permissions filtering to create logical boundaries (called *compliance boundaries*) within an organization that control the user content locations (such as mailboxes, SharePoint sites, and OneDrive accounts) that specific eDiscovery managers can search. For more information, see [Set up compliance boundaries for eDiscovery investigations in Office 365](tagging-and-assessment-in-advanced-ediscovery.md).
-Search permissions filtering is supported by the Content Search feature in the Security & Compliance Center. These four cmdlets let you configure and manage search permissions filters:
+Search permissions filtering is supported by the Content search feature in the Security & Compliance Center. These four cmdlets let you configure and manage search permissions filters:
[New-ComplianceSecurityFilter](#new-compliancesecurityfilter)
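Review bot: The added metadata line reads "+ Title:" with a space before the key, while the neighbouring keys (f1.keywords, search.appverid) start at the first column; if that space is in the file rather than in the rendering, align it with the other keys so the front matter parses consistently. Separately, the unchanged paragraph in this region links "Set up compliance boundaries for eDiscovery investigations in Office 365" to tagging-and-assessment-in-advanced-ediscovery.md, which looks like a mismatched target worth checking while the file is being touched.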
The **New-ComplianceSecurityFilter** is used to create a search permissions filt
| Parameter | Description | |:--|:--|
-| _Action_ <br/> | The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content Search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> |
+| _Action_ <br/> | The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> |
| _FilterName_ <br/> |The _FilterName_ parameter specifies the name of the permissions filter. This name is used to identity a filter when using the **Get-ComplianceSecurityFilter**, **Set-ComplianceSecurityFilter,** and **Remove-ComplianceSecurityFilter** cmdlets. <br/> |
-| _Filters_ <br/> | The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create three different types of filters: <br/><br/> **Mailbox or OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes and OneDrive accounts that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes and OneDrive accounts that have the value "OttawaUsers" in the CustomAttribute10 property. <br/> Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/> **Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName: value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content Search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. <br/> For a list of searchable message properties, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md). <br/> <br/> **Important:** A single search filter can't contain a mailbox filter and a mailbox content filter. 
To combine these in a single filter, you have to use a [filters list](#using-a-filters-list-to-combine-filter-types). But a filter can contain a more complex query of the same type. For example, `"Mailbox_CustomAttribute10 -eq 'FTE' -and Mailbox_MemberOfGroup -eq '$($DG.DistinguishedName)'"` <br/><br/> **Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/> - **Site_** _SearchableSiteProperty_ <br/> - **SiteContent_** _SearchableSiteProperty_ <br/><br/> These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` return the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.sharepoint.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/> For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> **Important:** <br/><br/> - Setting up a site filter with one of the supported properties does not mean the site property in the filter will propagate to all files on that site. 
This means the user is still responsible for populating the specific property fields associated with the files on that site in order for the site filter to work and capture the right content. For example, if the user has a security filter "Site_RefineableString00 -eq 'abc'" applied and then the user runs a compliance search using keyword query "xyz". The security filter gets appended to the query and the actual query running would be "xyz **AND RefineableString0:'abc'**". The user needs to ensure the files on the site indeed have values in the RefineableString00 field as abc. If not, this search query will not return any results. <br/><br/>- You have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites. |
-| _Users_ <br/> |The _Users_ parameter specifies the users who get this filter applied to their Content Searches. Identify users by their alias or primary SMTP address. You can specify multiple values separated by commas, or you can assign the filter to all users by using the value **All**. <br/> You can also use the _Users_ parameter to specify a Security & Compliance Center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/> You can't specify distribution groups with this parameter. <br/> |
+| _Filters_ <br/> | The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create three different types of filters: <br/><br/> **Mailbox or OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes and OneDrive accounts that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes and OneDrive accounts that have the value "OttawaUsers" in the CustomAttribute10 property. <br/> Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/> **Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName: value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. <br/> For a list of searchable message properties, see [Keyword queries and search conditions for Content search](keyword-queries-and-search-conditions.md). <br/> <br/> **Important:** A single search filter can't contain a mailbox filter and a mailbox content filter. 
To combine these in a single filter, you have to use a [filters list](#using-a-filters-list-to-combine-filter-types). But a filter can contain a more complex query of the same type. For example, `"Mailbox_CustomAttribute10 -eq 'FTE' -and Mailbox_MemberOfGroup -eq '$($DG.DistinguishedName)'"` <br/><br/> **Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/> - **Site_** _SearchableSiteProperty_ <br/> - **SiteContent_** _SearchableSiteProperty_ <br/><br/> These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` return the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.sharepoint.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/> For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> **Important:** <br/><br/> - Setting up a site filter with one of the supported properties does not mean the site property in the filter will propagate to all files on that site. 
This means the user is still responsible for populating the specific property fields associated with the files on that site in order for the site filter to work and capture the right content. For example, if the user has a security filter "Site_RefineableString00 -eq 'abc'" applied and then the user runs a search using keyword query "xyz". The security filter gets appended to the query and the actual query running would be "xyz **AND RefineableString0:'abc'**". The user needs to ensure the files on the site indeed have values in the RefineableString00 field as abc. If not, this search query will not return any results. <br/><br/>- You have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites. |
+| _Users_ <br/> |The _Users_ parameter specifies the users who get this filter applied to their Content searches. Identify users by their alias or primary SMTP address. You can specify multiple values separated by commas, or you can assign the filter to all users by using the value **All**. <br/> You can also use the _Users_ parameter to specify a Security & Compliance Center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/> You can't specify distribution groups with this parameter. <br/> |
### Using a filters list to combine filter types
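Review bot: In the added _Filters_ row the worked example is internally inconsistent: the filter is "Site_RefineableString00 -eq 'abc'" and the next sentence names the RefineableString00 field, but the appended query is shown as "xyz AND RefineableString0:'abc'". The row is already being rewritten here (casing, and "runs a compliance search" to "runs a search"), so correct the property name in the same pass. Smaller carry-overs in the added rows: "(such as document types." never closes its parenthesis, the _Action_ row says "specifies that type" where "the type" is meant, and the _Users_ row refers to the "_Filter_ parameter" although the parameter is _Filters_.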
Keep the following things in mind about using a filters list:
Here are examples of using the **New-ComplianceSecurityFilter** cmdlet to create a search permissions filter.
-This example allows the user annb@contoso.com to perform all Content Search actions only for mailboxes in Canada. This filter contains the three-digit numeric country code for Canada from ISO 3166-1.
+This example allows the user annb@contoso.com to perform all Content search actions only for mailboxes in Canada. This filter contains the three-digit numeric country code for Canada from ISO 3166-1.
```powershell New-ComplianceSecurityFilter -FilterName CountryFilter -Users annb@contoso.com -Filters "Mailbox_CountryCode -eq '124'" -Action All
This example allows the users donh and suzanf to search only the mailboxes that
New-ComplianceSecurityFilter -FilterName MarketingFilter -Users donh,suzanf -Filters "Mailbox_CustomAttribute1 -eq 'Marketing'" -Action Search ```
-This example allows members of the "US Discovery Managers" role group to perform all Content Search actions only on mailboxes in the United States. This filter contains the three-digit numeric country code for the United States from ISO 3166-1.
+This example allows members of the "US Discovery Managers" role group to perform all Content search actions only on mailboxes in the United States. This filter contains the three-digit numeric country code for the United States from ISO 3166-1.
```powershell New-ComplianceSecurityFilter -FilterName USDiscoveryManagers -Users "US Discovery Managers" -Filters "Mailbox_CountryCode -eq '840'" -Action All
New-ComplianceSecurityFilter -FilterName OneDriveOnly -Users "OneDrive eDiscove
> [!NOTE] > To restrict users to searching specific sites, use the filter `Site_Path`, as shown in the previous example. Using `Site_Site` will not work.
-This example restricts the user to performing all Content Search actions only on email messages sent during the calendar year 2015.
+This example restricts the user to performing all Content search actions only on email messages sent during the calendar year 2015.
```powershell New-ComplianceSecurityFilter -FilterName EmailDateRestrictionFilter -Users donh@contoso.com -Filters "MailboxContent_Received -ge '01-01-2015' -and MailboxContent_Received -le '12-31-2015'" -Action All ```
-Similar to the previous example, this example restricts the user to performing all Content Search actions on documents that were last changed sometime in the calendar year 2015.
+Similar to the previous example, this example restricts the user to performing all Content search actions on documents that were last changed sometime in the calendar year 2015.
```powershell New-ComplianceSecurityFilter -FilterName DocumentDateRestrictionFilter -Users donh@contoso.com -Filters "SiteContent_LastModifiedTime -ge '01-01-2015' -and SiteContent_LastModifiedTime -le '12-31-2015'" -Action All
The **Set-ComplianceSecurityFilter** is used to modify an existing search permis
| Parameter | Description | |:--|:--|
-| _Action_| The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content Search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> |
+| _Action_| The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> |
| _FilterName_|The _FilterName_ parameter specifies the name of the permissions filter. |
-| _Filters_| The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create two different types of filters: <br/><br/>**Mailbox and OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes that have the value "OttawaUsers" in the CustomAttribute10 property. Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/>**Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName:value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content Search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. For a list of searchable message properties, see [Keyword queries for Content Search](keyword-queries-and-search-conditions.md). 
<br/><br/>**Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/>- **Site_** *SearchableSiteProperty* <br/>- **SiteContent**_*SearchableSiteProperty*<br/><br/>These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` returns the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.spoppe.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/>For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> |
-| _Users_|The _Users_ parameter specifies the users who get this filter applied to their Content Searches. Because this is a multi-value property, specifying a user or group of users with this parameter overwrite the existing list of users. See the following examples for the syntax to add and remove selected users. <br/><br/>You can also use the _Users_ parameter to specify a Security & Compliance Center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/><br/>You can't specify distribution groups with this parameter. |
+| _Filters_| The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create two different types of filters: <br/><br/>**Mailbox and OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes that have the value "OttawaUsers" in the CustomAttribute10 property. Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/>**Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName:value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. For a list of searchable message properties, see [Keyword queries for Content search](keyword-queries-and-search-conditions.md). 
<br/><br/>**Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/>- **Site_** *SearchableSiteProperty* <br/>- **SiteContent**_*SearchableSiteProperty*<br/><br/>These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` returns the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.spoppe.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/>For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> |
+| _Users_|The _Users_ parameter specifies the users who get this filter applied to their Content searches. Because this is a multi-value property, specifying a user or group of users with this parameter overwrite the existing list of users. See the following examples for the syntax to add and remove selected users. <br/><br/>You can also use the _Users_ parameter to specify a Security & Compliance Center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/><br/>You can't specify distribution groups with this parameter. |
## Examples of changing search permissions filters
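Review bot: In the added _Users_ row, "specifying a user or group of users with this parameter overwrite the existing list of users" needs "overwrites". Because the parameter decides who gets the filter applied, the row should also state the consequence up front: anyone dropped from the list by an overwrite no longer has this filter applied to their searches. The role-group sentence says to use "the Name property of the role group" but never shows the value format; a short inline example would remove the guesswork.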
The **Remove-ComplianceSecurityFilter** is used to delete a search filter. Use t
## More information -- **How does search permissions filtering work?** The permissions filter is added to the search query when a Content Search is run. The permissions filter is joined to the search query by the **AND** Boolean operator. For example, you have a permissions filter that allows Bob to perform all search actions on the mailboxes of members of the Workers distribution group. Then Bob runs a Content Search on all mailboxes in the organization with the search query `sender:jerry@adatum.com`. Because the permissions filter and the search query are logically combined by an **AND** operator, the search returns any message sent by jerry@adatum.com to any member of the Workers distribution group.
-
-- **What happens if you have multiple search permissions filters?** In a Content Search query, multiple permissions filters are combined by **OR** Boolean operators. So results will be returned if any of the filters are true. In a Content Search, all filters (combined by **OR** operators) are then combined with the search query by the **AND** operator. Let's take the previous example, where a search filter allows Bob to search only the mailboxes of the members of the Workers distribution group. Then we create another filter that prevents Bob from searching Phil's mailbox ("Mailbox_Alias -ne 'Phil'"). And let's also assume that Phil is a member of the Workers group. When Bob runs a Content Search (from the previous example) on all mailboxes in the organization, search results are returned for Phil's mailbox even though you applied filter to prevent Bob from searching Phil's mailbox. This is because the first filter, which allows Bob to search the Workers group, is true. And because Phil is a member of the Workers group, Bob can search Phil's mailbox.
-
+- **How does search permissions filtering work?** The permissions filter is appended to the search query when a Content search is run. The permissions filter is joined to the search query by the **AND** Boolean operator. The query logic for the search query and the permissions filter would look like this:
+
+ ```text
+ <SearchQuery> AND <PermissionsFilter>
+ ```
+
+ For example, you have a permissions filter that allows Bob to perform all search actions on the mailboxes of members of the Workers distribution group. Then Bob runs a Content search on all mailboxes in the organization with the search query `sender:jerry@adatum.com`. Because the permissions filter and the search query are logically combined by an **AND** operator, the search returns any message sent by jerry@adatum.com to any member of the Workers distribution group.
+
+- **What happens if you have multiple search permissions filters?** In a Content search query, multiple permissions filters are combined by **OR** Boolean operators. So results will be returned if any of the filters are true. In a Content search, all filters (combined by **OR** operators) are then combined with the search query by the **AND** operator.
+
+ ```text
+ <SearchQuery> AND (<PermissionsFilter1> OR <PermissionsFilter2> OR <PermissionsFilter3>)
+ ```
+
+ Let's take the previous example, where a search filter allows Bob to search only the mailboxes of the members of the Workers distribution group. Then we create another filter that prevents Bob from searching Phil's mailbox ("Mailbox_Alias -ne 'Phil'"). And let's also assume that Phil is a member of the Workers group. When Bob runs a Content search (from the previous example) on all mailboxes in the organization, search results are returned for Phil's mailbox even though you applied filter to prevent Bob from searching Phil's mailbox. This is because the first filter, which allows Bob to search the Workers group, is true. And because Phil is a member of the Workers group, Bob can search Phil's mailbox.
+ - **Does search permissions filtering work for inactive mailboxes?** Yes, you can use mailbox and mailbox content filters to limit who can search inactive mailboxes in your organization. Like a regular mailbox, an inactive mailbox has to be configured with the recipient property that's used to create a permissions filter. If necessary, you can use the **Get-Mailbox -InactiveMailboxOnly** command to display the properties of inactive mailboxes. For more information, see [Create and manage inactive mailboxes in Office 365](create-and-manage-inactive-mailboxes.md). - **Does search permissions filtering work for public folders?** No. As previously explained, search permissions filtering can't be used to limit who can search public folders in Exchange. For example, items in public folder locations can't be excluded from the search results by a permissions filter.
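Review bot: The rewritten "multiple search permissions filters" answer stops at the failure case (Bob can still search Phil's mailbox) and never tells the reader how to get the restriction they wanted. Given the OR logic shown in the text block, an exclusion written as its own filter cannot narrow what another filter allows; suggest adding a sentence that the exclusion has to be combined into the same filter as the allow condition. Also, "even though you applied filter" is missing "a", and the filter string "Mailbox_Alias -ne 'Phil'" should be in code formatting like `sender:jerry@adatum.com`.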
The **Remove-ComplianceSecurityFilter** is used to delete a search filter. Use t
- **Does allowing a user to search all content locations in a specific service also prevent them from searching content locations in a different service?** No. As previously explained, you have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites. - **Do search permissions filters count against search query character limits?** Yes. Search permissions filters count against the character limit for search queries. For more information, see [Limits in Advanced eDiscovery](limits-ediscovery20.md).-
compliance Set Up Compliance Boundaries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-compliance-boundaries.md
We use the example in the following illustration to explain how compliance bound
![Compliance boundaries consist of search permissions filters that control access to agencies and admin role groups that control access to eDiscovery cases](../media/M365_ComplianceBoundary_OrgChart_v2.png)
-In this example, Contoso LTD is an organization that consists of two subsidiaries, Fourth Coffee and Coho Winery. The business requires that eDiscovery mangers and investigators can only search the Exchange mailboxes, OneDrive accounts, and SharePoint sites in their agency. Also, eDiscovery managers and investigators can only see eDiscovery cases in their agency, and they can only access the cases that they're a member of. Additionally in this scenario, investigators cannot place content locations on hold or export content from a case. Here's how compliance boundaries meet these requirements.
+In this example, Contoso LTD is an organization that consists of two subsidiaries, Fourth Coffee and Coho Winery. The business requires that eDiscovery managers and investigators can only search the Exchange mailboxes, OneDrive accounts, and SharePoint sites in their agency. Also, eDiscovery managers and investigators can only see eDiscovery cases in their agency, and they can only access the cases that they're a member of. Additionally in this scenario, investigators cannot place content locations on hold or export content from a case. Here's how compliance boundaries meet these requirements.
- The search permissions filtering functionality in Content search controls the content locations that eDiscovery managers and investigators can search. This means eDiscovery managers and investigators in the Fourth Coffee agency can only search content locations in the Fourth Coffee subsidiary. The same restriction applies to the Coho Winery subsidiary.
If the region specified in the search permissions filter doesn't exist in your o
**What is the maximum number of search permissions filters that can be created in an organization?**
-There is no limit to the number of search permissions filters that can be created in an organization. However, search performance will be impacted when there are more than 100 search permissions filters. To keep the number of search permissions filters in your organization as small as possible, create filters that combine rules for Exchange, SharePoint, and OneDrive into a single search permissions filter whenever possible.
+There is no limit to the number of search permissions filters that can be created in an organization. However, a search query can have a maximum of 100 conditions. In this case, a condition is defined as something that's connected to the query by a Boolean operator (such as **AND**, **OR**, and **NEAR**). The limit of the number of conditions includes the search query itself plus all search permissions filters that are applied to the user who runs the search. Therefore, the more search permissions filters you have (especially if these filters are applied to the same user or group of users), the better the chance of exceeding the maximum number of conditions for a search.
+
+To understand how this limit works, you need to understand that a search permissions filter is appended to the search query when a search is run. A search permissions filter is joined to the search query by the **AND** Boolean operator. The query logic for the search query and a single search permissions filter would look like this:
+
+```text
+<SearchQuery> AND <PermissionsFilter>
+```
+
+Multiple search permissions filters are combined together by the **OR** Boolean operator, and then those conditions are connected to the search query by the **AND** operator.
+
+The query logic for the search query and multiple search permissions filters would look like this:
+
+```text
+<SearchQuery> AND (<PermissionsFilter1> OR <PermissionsFilter2> OR <PermissionsFilter3>...)
+```
+
+It's possible the search query itself may consist of multiple conditions connected by Boolean operators. Each condition in the search query would also count against the 100-condition limit.
+
+Also, the number of search permissions filters appended to a query depends on the user who is running the search. When a specific user runs a search, the search permissions filters that are applied to the user (which is defined by the *Users* parameter in the filter) are appended to the query. Your organization could have hundreds of search permissions filters, but if more than 100 filters are applied to the same users, then it's likely the 100-condition limit will be exceeded when those users run searches.
+
+There's one more thing to keep in mind about the condition limit. The number of specific SharePoint sites that are included in the search query or search permissions filters also count against this limit.
+
+To prevent your organization from reaching the conditions limit, keep the number of search permissions filters in your organization to few as possible to meet your business requirements.
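Review bot: The per-user paragraph says that with more than 100 filters applied to the same users "it's likely the 100-condition limit will be exceeded", but by the definition given earlier in this hunk (the query itself plus every applied filter counts) that case always exceeds the limit. The limit can also be reached with far fewer filters when the query has several conditions or specific SharePoint sites are named. Suggest rewording to say so, and stating what the user sees when the limit is exceeded, which the text never does. Small fixes: "also count against this limit" should be "counts", and "to few as possible" should be "as few as possible".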
enterprise Multi Geo User Experience https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-user-experience.md
The SharePoint Mobile Client is multi-geo aware and will display pertinent conte
## Sharing
-The People Picker experience shows all users regardless of their geo location. This allows a user to share with another user in their same geo or in any other of your tenant's geo locations. Content from different geo locations will show up in the **Shared with Me** view in the user's OneDrive and can be accessed with Single Sign-On experience regardless of which geo location it is hosted in.
+The People Picker experience shows all users regardless of their geo location. This allows a user to share with another user in their same geo or in any other of your tenant's geo locations. Content from different geo locations will show up in the **Shared with Me** view in the user's OneDrive, Word, Excel, PowerPoint and Office.com and can be accessed with Single Sign-On experience regardless of which geo location it is hosted in.
## Teams Experience
learning Content Sources 365 Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/learning/content-sources-365-admin-center.md
Title: "Configure learning content sources for Microsoft Viva Learning (Preview) in the Microsoft 365 admin center"
+ Title: Configure learning content sources for Microsoft Viva Learning (Preview) in the Microsoft 365 admin center
Previously updated : 05/12/2021 Last updated : audience: admin
- enabler-strategic - m365initiative-viva-learning localization_priority: None
-description: "Learn how to configure learning content sources for Microsoft Viva Learning (Preview) in the Microsoft 365 admin center."
+description: Learn how to configure learning content sources for Microsoft Viva Learning (Preview) in the Microsoft 365 admin center.
# Configure learning content sources for Microsoft Viva Learning (Preview) in the Microsoft 365 admin center
learning Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/learning/index.md
Title: "Introduction to Microsoft Viva Learning (Preview)"
+ Title: Introduction to Microsoft Viva Learning (Preview)
Previously updated : 05/12/2021 Last updated : audience: enabler ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-viva-learning localization_priority: None
-description: "Learn how to find resources for Microsoft Viva Learning (Preview)."
+description: Learn how to find resources for Microsoft Viva Learning (Preview).
# Introduction to Microsoft Viva Learning (Preview)
learning Overview Viva Learning https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/learning/overview-viva-learning.md
Title: "Overview of Microsoft Viva Learning (Preview)"
+ Title: Overview of Microsoft Viva Learning (Preview)
Previously updated : 05/12/2021 Last updated : audience: admin
- enabler-strategic - m365initiative-viva-learning localization_priority: None
-description: "Learn about Microsoft Viva Learning (Preview) in your Microsoft 365 environment."
+description: Learn about Microsoft Viva Learning (Preview) in your Microsoft 365 environment.
# Overview of Microsoft Viva Learning (Preview)
learning Set Up Teams Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/learning/set-up-teams-admin-center.md
Title: "Set up Microsoft Viva Learning (Preview) in the Teams admin center"
+ Title: Set up Microsoft Viva Learning (Preview) in the Teams admin center
- enabler-strategic - m365initiative-viva-learning localization_priority: None
-description: "Learn how to configure Microsoft Viva Learning (Preview) in the Teams admin center."
+description: Learn how to configure Microsoft Viva Learning (Preview) in the Teams admin center.
# Set up Microsoft Viva Learning (Preview) in the Teams admin center
scheduler Scheduler Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-setup.md
Tenant admins need to setup a Scheduler assistant mailbox and obtain Scheduler l
## Licensing
-Learn more: [Scheduler for Microsoft 365 licensing](https://wwww.microsoft.com/microsoft-365/meeting-scheduler-pricing)
+Learn more: [Scheduler for Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/meeting-scheduler-pricing)
>[Note] >Meeting attendees do not need a Scheduler or Microsoft 365 license. <br>The Scheduler assistant mailbox does not require a Microsoft 365 or a Scheduler license.
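Review bot: The callout directly below the corrected link is written ">[Note]", which is not the "> [!NOTE]" alert form used elsewhere in these docs, so it is unlikely to render as a note; worth fixing in the same change. In the line above the Licensing heading, "need to setup" should be "set up".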
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Helpful resources](helpful-resources.md)
-### [Troubleshoot Microsoft Defender for Endpoint]()
-#### [Troubleshoot sensor state]()
-##### [Check sensor state](check-sensor-status.md)
-##### [Fix unhealthy sensors](fix-unhealthy-sensors.md)
-##### [Inactive devices](fix-unhealthy-sensors.md#inactive-devices)
-##### [Misconfigured devices](fix-unhealthy-sensors.md#misconfigured-devices)
-##### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md)
-
-#### [Troubleshoot sensor health issues using Client Analyzer]()
-##### [Client analyzer overview](overview-client-analyzer.md)
-##### [Download and run the client analyzer](download-client-analyzer.md)
-##### [Run the client analyzer on Windows](run-analyzer-windows.md)
-##### [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md)
-##### [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
-##### [Understand the analyzer HTML report](analyzer-report.md)
-##### [Provide feedback on the client analyzer tool](analyzer-feedback.md)
-
-
-
-#### [Troubleshoot Microsoft Defender for Endpoint service issues]()
-##### [Troubleshoot service issues](troubleshoot-mdatp.md)
-##### [Check service health](service-status.md)
-##### [Contact Microsoft Defender for Endpoint support](contact-support.md)
-
-#### [Troubleshoot live response issues](troubleshoot-live-response.md)
-
-#### [Collect support logs using LiveAnalyzer](troubleshoot-collect-support-log.md)
-
-#### [Troubleshoot attack surface reduction issues]()
-##### [Network protection](troubleshoot-np.md)
-##### [Attack surface reduction rules](troubleshoot-asr.md)
-##### [Migrate to Attack surface reduction rules](migrating-asr-rules.md)
+## [Troubleshoot]()
+### [Troubleshoot sensor state]()
+#### [Check sensor state](check-sensor-status.md)
+#### [Fix unhealthy sensors](fix-unhealthy-sensors.md)
+#### [Inactive devices](fix-unhealthy-sensors.md#inactive-devices)
+#### [Misconfigured devices](fix-unhealthy-sensors.md#misconfigured-devices)
+#### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md)
+
+### [Troubleshoot sensor health issues using Client Analyzer]()
+#### [Client analyzer overview](overview-client-analyzer.md)
+#### [Download and run the client analyzer](download-client-analyzer.md)
+#### [Run the client analyzer on Windows](run-analyzer-windows.md)
+#### [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md)
+#### [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
+#### [Understand the analyzer HTML report](analyzer-report.md)
+#### [Provide feedback on the client analyzer tool](analyzer-feedback.md)
+
+
+
+### [Troubleshoot Microsoft Defender for Endpoint service issues]()
+#### [Troubleshoot service issues](troubleshoot-mdatp.md)
+#### [Check service health](service-status.md)
+#### [Contact Microsoft Defender for Endpoint support](contact-support.md)
+
+### [Troubleshoot live response issues](troubleshoot-live-response.md)
+
+### [Collect support logs using LiveAnalyzer](troubleshoot-collect-support-log.md)
+
+### [Troubleshoot attack surface reduction issues]()
+#### [Network protection](troubleshoot-np.md)
+#### [Attack surface reduction rules](troubleshoot-asr.md)
+#### [Migrate to Attack surface reduction rules](migrating-asr-rules.md)
# [Microsoft 365 Defender](../defender/index.yml) # [Defender for Office 365](../office-365-security/index.yml)
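Review bot: The new top node "## [Troubleshoot]()" is at level 2 while the entry just above it, "### [Helpful resources](helpful-resources.md)", stays at level 3, so the troubleshooting tree no longer sits under the same parent as its former sibling. Confirm that promotion is intended and not a side effect of stripping one "#" from every line. The three consecutive blank lines before "Troubleshoot Microsoft Defender for Endpoint service issues" were carried over and can be collapsed to one. "Migrate to Attack surface reduction rules" is still filed under troubleshooting even though its title describes a migration task.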
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
Export secure configuration assessment **(via files)**|Secure configuration by d
Property (ID)|Data type|Description :|:|:
-ConfigurationCategory|string|Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls
-ConfigurationId|string|Unique identifier for a specific configuration
-ConfigurationImpact|string|Rated impact of the configuration to the overall configuration score (1-10)
-ConfigurationName|string|Display name of the configuration
-ConfigurationSubcategory|string|Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features.
-DeviceId|string|Unique identifier for the device in the service.
-DeviceName|string|Fully qualified domain name (FQDN) of the device.
-IsApplicable|bool|Indicates whether the configuration or policy is applicable
-IsCompliant|bool|Indicates whether the configuration or policy is properly configured
-IsExpectedUserImpact|bool|Indicates whether there will be user impact if the configuration will be applied
-OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
-RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
-RecommendationReference|string|A reference to the recommendation ID related to this software.
-Timestamp|string|Last time the configuration was seen on the device
+configurationCategory|string|Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls.
+configurationId|string|Unique identifier for a specific configuration.
+configurationImpact|string|Rated impact of the configuration to the overall configuration score (1-10).
+configurationName|string|Display name of the configuration.
+configurationSubcategory|string|Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features.
+deviceId|string|Unique identifier for the device in the service.
+deviceName|string|Fully qualified domain name (FQDN) of the device.
+isApplicable|bool|Indicates whether the configuration or policy is applicable.
+isCompliant|bool|Indicates whether the configuration or policy is properly configured.
+isExpectedUserImpact|bool|Indicates whether there will be user impact if the configuration will be applied.
+osPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See TVM supported operating systems and platforms for details.
+osVersion|string|Specific version of the operating system running on the device.
+rbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+rbacGroupId|string|The role-based access control (RBAC) group ID.
+recommendationReference|string|A reference to the recommendation ID related to this software.
+timestamp|string|Last time the configuration was seen on the device.
### 1.3 Properties (via files)
DeviceName|string|Fully qualified domain name (FQDN) of the device.
DiskPaths|Array[string]|Disk evidence that the product is installed on the device. EndOfSupportDate|string|The date in which support for this software has or will end. EndOfSupportStatus|string|End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software.
-Id|string|Unique identifier for the record.
-NumberOfWeaknesses|int|Number of weaknesses on this software on this device
+NumberOfWeaknesses|int|Number of weaknesses on this software on this device.
OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+rbacGroupId|string|The role-based access control (RBAC) group ID.
RegistryPaths|Array[string]|Registry evidence that the product is installed in the device. SoftwareFirstSeenTimestamp|string|The first time this software was seen on the device. SoftwareName|string|Name of the software product.
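Review bot: The added row "rbacGroupId" is camelCase while every other row in this table (DeviceName, DiskPaths, RbacGroupName, RegistryPaths) is PascalCase, whereas the earlier properties table in this file was converted to camelCase wholesale. Column names in an exported file are what consumers key on, so state which casing the export actually emits and use it for the whole table. The hunk also drops the "Id" row without replacement; if the field was removed from the export, that deserves a sentence in the text.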
Id|string|Unique identifier for the record.
LastSeenTimestamp|string|Last time the CVE was seen on the device. OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+rbacGroupId|string|The role-based access control (RBAC) group ID.
RecommendationReference|string|A reference to the recommendation ID related to this software. RecommendedSecurityUpdate|string|Name or description of the security update provided by the software vendor to address the vulnerability.
-RecommendedSecurityUpdateId|string|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
+RecommendedSecurityUpdateId|string|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles.
Registry Paths Array\[string\]|Registry evidence that the product is installed in the device. SoftwareName|string|Name of the software product. SoftwareVendor|string|Name of the software vendor.
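Review bot: The context row "Registry Paths Array\[string\]|Registry evidence that the product is installed in the device." has a space in the property name and no "|" between name and type, so it does not form a three-column row like the others; fix it while touching this table. The added "rbacGroupId" row is also camelCase in an otherwise PascalCase table, so pick the casing the export emits and apply it to every row.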
security Get Remediation One Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-one-activity.md
One of the following permissions is required to call this API. To learn more, in
Permission type|Permission|Permission display name :|:|:
-Application|RemediationTask.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Application|RemediationTasks.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
Delegated (work or school account)|RemediationTask.Read.Read|\'Read Threat and Vulnerability Management vulnerability information\' ## Properties
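Review bot: After this change the Application row reads "RemediationTasks.Read.All" but the Delegated row still reads "RemediationTask.Read.Read", singular and ending in ".Read.Read", so the two rows now disagree on the permission name. A wrong scope name in this table leads admins to request or consent to a permission that does not match; verify the delegated name against the actual scope and correct it in the same change. The display name is wrapped in escaped quotes (\'...\') in both rows, which looks like leftover escaping.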
security Machineaction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machineaction.md
ms.technology: mde
|Property|Type|Description| |||| |ID|Guid|Identity of the [Machine Action](machineaction.md) entity.|
-|type|Enum|Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"|
+|type|Enum|Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "Live Response", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution", and "UnrestrictCodeExecution".|
|scope|string|Scope of the action. "Full" or "Selective" for Isolation, "Quick" or "Full" for Anti-Virus scan.| |requestor|String|Identity of the person that executed the action.|
+|externalID|String|Id the customer can submit in the request for custom correlation.|
+|requestSource|string|The name of the user/application that submitted the action.|
+|commands|array|Commands to run. Allowed values are PutFile, RunScript, GetFile.|
+|cancellationRequestor|String|Identity of the person that canceled the action.|
|requestorComment|String|Comment that was written when issuing the action.|
-|status|Enum|Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Canceled".|
+|cancellationComment|String|Comment that was written when canceling the action.|
+|status|Enum|Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut", and "Cancelled".|
|machineId|String|ID of the [machine](machine.md) on which the action was executed.| |machineId|String|Name of the [machine](machine.md) on which the action was executed.| |creationDateTimeUtc|DateTimeOffset|The date and time when the action was created.|
-|lastUpdateTimeUtc|DateTimeOffset|The last date and time when the action status was updated.|
-|relatedFileInfo|Class|Contains two Properties. string `fileIdentifier`, Enum `fileIdentifierType` with the possible values: "Sha1", "Sha256" and "Md5".|
+|cancellationDateTimeUtc|DateTimeOffset|The date and time when the action was canceled.|
+|lastUpdateDateTimeUtc|DateTimeOffset|The last date and time when the action status was updated.|
+|title|String|Machine action title.|
+|relatedFileInfo|Class|Contains two Properties. string `fileIdentifier`, Enum `fileIdentifierType` with the possible values: "Sha1", "Sha256", and "Md5".|
## Json representation
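Review bot: The new "type" value "Live Response" contains a space while every other value in the list is a single token ("RunAntiVirusScan", "CollectInvestigationPackage"); confirm the literal the API returns, since callers filter on it. The "status" list changes "Canceled" to "Cancelled" while the new cancellation rows use "canceled" throughout, so state explicitly which spelling the enum uses. The "commands" row lists PutFile, RunScript, and GetFile without a link to the live response documentation or a note on the permissions involved, which matters for an action type that runs scripts on a device. In the context rows, "machineId" appears twice, the second time described as the machine name.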
security Use Power Automate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/use-power-automate.md
+
+ Title: Use Power Automate
+description: Learn about power automate in Microsoft 365 Defender and how to use them.
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, custom detections, schema, secops
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Use Power Automate in Microsoft 365 Defender
+++
+**Applies to:**
+- Microsoft 365 Defender
+
+> Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) or [run your pilot project in production](m365d-pilot.md?ocid=cx-evalpilot).
+>
+
+Modern security operations (SecOps) teams need automation to work effectively. To focus on hunting and investigating real threats, SecOps teams use Power Automate to triage through the list of alerts and eliminate the ones that aren't threats.
+
+## Criteria for resolving alerts
+
+- User has Out-of-office message turned on
+
+- User isn't tagged as high risk
+
+If both are true, SecOps marks the alert as legitimate travel and resolves it. A notification is posted in Microsoft Teams after the alert is resolved.
+
+## Connect Power Automate to Microsoft Cloud App Security
+
+To create the automation, you'll need an API token before you can connect Power Automate to Microsoft Cloud App Security (MCAS).
+
+1. Click **Settings**, select **Security extensions**, and then click **Add token** in the **API tokens** tab.
+
+2. Provide a name for your token, and then click **Generate**. Save the token as you'll need it later.
+
+## Create an automated flow
+
+For the detailed step-by-step process, see the video [here](https://www.microsoft.com/en-us/videoplayer/embed/RWFIRn).
+
+This video also describes how to connect power automate to MCAS.
+
+## Related information
+
+- [Integrate Power Automate with Microsoft Cloud App Security](https://aka.ms/flow-integration)
+
+- [Microsoft Power Automate documentation](https://aka.ms/power-automate-docs)
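Review bot: Step 2 under "Connect Power Automate to Microsoft Cloud App Security" says only "Save the token as you'll need it later"; for an API token used by an alert-resolving automation, the step should say where to keep it (a secret store, not a shared document) and how to revoke it. "Criteria for resolving alerts" lists the two conditions before saying which alert they apply to; the "legitimate travel" sentence implies a travel-related alert, so name it up front. The description line "Learn about power automate in Microsoft 365 Defender and how to use them" has a number mismatch and a lowercase product name, the keywords are about advanced hunting and not automation, and "Create an automated flow" contains no steps, only a link to a video.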
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
The SecOps mailbox entries that you configured are displayed on the **SecOps mai
- Single IP: For example, 192.168.1.1. - IP range: For example, 192.168.0.1-192.168.0.254. - CIDR IP: For example, 192.168.0.1/25.
- - **Simulation URLs to allow**: Expand this setting and optionally enter specific URLs that are part of your phishing simulation campaign that should not be blocked or detonated by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. You can add up to 10 entries. For the URL syntax format, see [URL syntax for the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list#url-syntax-for-the-tenant-allowblock-list).
+ - **Simulation URLs to allow**: Expand this setting and optionally enter specific URLs that are part of your phishing simulation campaign that should not be blocked or detonated by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. You can add up to 10 entries. For the URL syntax format, see [URL syntax for the Tenant Allow/Block List](tenant-allow-block-list.md#url-syntax-for-the-tenant-allowblock-list).
To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
In Security & Compliance Center PowerShell, the basic elements of third-party ph
- **The phishing simulation override policy**: Controlled by the **\*-PhishSimOverridePolicy** cmdlets. - **The phishing simulation override rule**: Controlled by the **\*-PhishSimOverrideRule** cmdlets.
+- **The allowed (unblocked) phishing simulation URLs**: Controlled by the **\*-TenantAllowBlockListItems** cmdlets.
This behavior has the following results:
This behavior has the following results:
### Use PowerShell to configure third-party phishing simulations
-Configuring a third-party phishing simulation in the advanced delivery policy in PowerShell is a two-step process:
+Configuring a third-party phishing simulation in PowerShell is a multi-step process:
1. Create the phishing simulation override policy.
-2. Create the phishing simulation override rule that specifies the policy that the rule applies to.
+2. Create the phishing simulation override rule that specifies:
+ - The policy that the rule applies to.
+ - The source IP address of the phishing simulation messages.
+3. Optionally, identity the phishing simulation URLs that should be allowed (that is, not blocked or scanned).
#### Step 1: Use PowerShell to create the phishing simulation override policy
New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePoli
For detailed syntax and parameter information, see [New-PhishSimOverrideRule](/powershell/module/exchange/new-phishsimoverriderule).
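Review bot: Typo in the new step 3 of the numbered list: "identity the phishing simulation URLs" should read "identify the phishing simulation URLs". The Step 3 heading added below already uses "identify", so the list item should match it.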
+#### Step 3: (Optional) Use PowerShell to identify the phishing simulation URLs to allow
+
+Use the following syntax:
+
+```powershell
+New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries "<URL1>","<URL2>",..."<URLN>" <[-NoExpiration] | [-ExpirationDate <DateTime>]>
+```
+
+For details about the URL syntax, see [URL syntax for the Tenant Allow/Block List](tenant-allow-block-list.md#url-syntax-for-the-tenant-allowblock-list).
+
+This example adds a URL allow entry for the specified third-party phishing simulation URL with no expiration.
+
+```powershell
+New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries *.fabrikam.com -NoExpiration
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
+ ### Use PowerShell to view the phishing simulation override policy This example returns detailed information about the one and only phishing simulation override policy.
After you identify the invalid rules, you can remove them by using the **Remove-
For detailed syntax and parameter information, see [Get-PhishSimOverrideRule](/powershell/module/exchange/get-phishsimoverriderule).
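Review bot: The only example under Step 3 pairs a wildcard entry with -NoExpiration ("-Entries *.fabrikam.com -NoExpiration"), so the one pattern readers will copy is a permanent allow entry for URLs that, per the step list, are "not blocked or scanned". Suggest adding a second example that uses -ExpirationDate, or a sentence pointing to the removal section for when a simulation campaign ends. Also quote the entry ("*.fabrikam.com") so it matches the syntax line and the Set and Remove examples later in the article.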
-### Use PowerShell to modify the phishing simulation override policy
+### Use PowerShell to view the allowed phishing simulation URL entries
-To modify the phishing simulation override policy, use the following syntax:
+To view the allowed phishing simulation URLs, run the following command:
```powershell
-Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy [-Comment "<DescriptiveText>"] [-Enabled <$true | $false>]
+Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery
```
-This example disables the phishing simulation override policy.
-
-```powershell
-Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy -Enabled $false
-```
+For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
-For detailed syntax and parameter information, see [Set-PhishSimOverridePolicy](/powershell/module/exchange/set-phishsimoverridepolicy).
-
-### Use PowerShell to modify the simulation url settings
+### Use PowerShell to modify the phishing simulation override policy
To modify the phishing simulation override policy, use the following syntax: ```powershell
-New-TenantAllowBlockListItems -ListType URL -ListSubType AdvancedDelivery -Entries "<url>"
+Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy [-Comment "<DescriptiveText>"] [-Enabled <$true | $false>]
```
-For the URL syntax format, see [URL syntax for the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list#url-syntax-for-the-tenant-allowblock-list).
-This example adds a simulation URL for sub-domains of contoso.com.
+This example disables the phishing simulation override policy.
```powershell
-New-TenantAllowBlockListItems -ListType URL -ListSubType AdvancedDelivery -Entries "*.contoso.com"
+Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy -Enabled $false
```
-For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
+For detailed syntax and parameter information, see [Set-PhishSimOverridePolicy](/powershell/module/exchange/set-phishsimoverridepolicy).
-### Use PowerShell to modify a phishing simulation override rule
+### Use PowerShell to modify phishing simulation override rules
To modify the phishing simulation override rule, use the following syntax:
Set-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b
For detailed syntax and parameter information, see [Set-PhishSimOverrideRule](/powershell/module/exchange/set-phishsimoverriderule).
+### Use PowerShell to modify the allowed phishing simulation URL entries
+
+You can't modify the URL values directly. You can [remove existing URL entries](#use-powershell-to-remove-the-allowed-phishing-simulation-url-entries) and [add new URL entries](#step-3-optional-use-powershell-to-identify-the-phishing-simulation-urls-to-allow) as described in this article.
+
+To modify other properties of an allowed phishing simulation URL entry (for example, the expiration date or comments), use the following syntax:
+
+```powershell
+Set-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery <[-NoExpiration] | [-ExpirationDate <DateTime>]> [-Notes <String>]
+```
+
+You identify the entry to modify by its URL values (the _Entries_ parameter) or the Identity value from the output of the **Get-TenantAllowBlockListItems** cmdlet (the _Ids_ parameter).
+
+This example modified the expiration date of the specified entry.
+
+```powershell
+Set-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery ΓÇôEntries "*.fabrikam.com" -ExpirationDate 9/11/2021
+```
+
+For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
+ ### Use PowerShell to remove a phishing simulation override policy This example removes the phishing simulation override policy and the corresponding rule.
Remove-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-932
``` For detailed syntax and parameter information, see [Remove-PhishSimOverrideRule](/powershell/module/exchange/remove-phishsimoverriderule).+
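Review bot: In the Set-TenantAllowBlockListItems example, the Entries parameter is preceded by a non-ASCII dash (it shows up as "ΓÇôEntries") instead of a plain hyphen, so the command does not copy cleanly as published; replace it with "-Entries". The sentence introducing the example should read "This example modifies the expiration date" rather than "modified", to match the tense used by the other examples. The date "9/11/2021" can be read as either 11 September or 9 November; a month name or a note on the expected format would remove the ambiguity.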
+### Use PowerShell to remove the allowed phishing simulation URL entries
+
+To remove an existing phishing simulation URL entry, use the following syntax:
+
+```powershell
+Remove-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery
+```
+
+You identify the entry to modify by its URL values (the _Entries_ parameter) or the Identity value from the output of the **Get-TenantAllowBlockListItems** cmdlet (the _Ids_ parameter).
+
+This example modified the expiration date of the specified entry.
+
+```powershell
+Remove-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery ΓÇôEntries "*.fabrikam.com" -ExpirationDate 9/11/2021
+```
+
+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).
+
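Review bot: The Remove-TenantAllowBlockListItems section was copied from the Set section and not adjusted. The example passes "-ExpirationDate 9/11/2021", which is not in the Remove syntax shown just above it, and its description still says "This example modified the expiration date of the specified entry". Suggest dropping -ExpirationDate from the example, describing it as removing the specified URL entry, and changing "You identify the entry to modify" to "You identify the entry to remove". The same non-ASCII dash before Entries ("ΓÇôEntries") appears here and needs to be a plain hyphen.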
security Use Privileged Identity Management In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-privileged-identity-management-in-defender-for-office-365.md
+
+ Title: Use Privileged Identity Management (PIM) in Defender for Office 365.
+f1.keywords:
+ - NOCSH
+++ Last updated : 08/09/2021
+audience: ITPro
++
+localization_priority: Priority
+search.appverid:
+ - MET150
+ms.assetid: 56fee1c7-dc37-470e-9b09-33fff6d94617
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+
+ - seo-marvel-apr2020
+description: Learn to integrate PIM in order to grant just-in-time, time limited access to users to do elevated privilege tasks in Microsoft Defender for Office 365, lowering risk to your data.
+ms.technology: mdo
++
+# Privileged Identity Management (PIM) and why to use it with Microsoft Defender for Office 365
+
+Privileged Identity Management (PIM) is an Azure feature that, once set up, gives users access to data for a limited period of time (sometimes called time-boxed period of time) so that a specific task can be done. This access is given 'just-in-time' to do the action that's required, and then revoked. PIM limits the access and time that user has to sensitive data, reducing exposure risk when compared to privileged administration accounts that have long-term access to data and other settings. So how can we use this feature (PIM) in conjunction with Microsoft Defender for Office 365?
+
+> [!TIP]
+> PIM access is scoped to the role and identity level and allows completion of multiple tasks. It's not to be confused with Privileged Access Management (PAM) which is scoped at a Task level.
+
+## Steps to use PIM to grant just-in-time access to Defender for Office 365 related tasks
+
+By setting up PIM to work with Defender for Office 365, admins create a process for a user to request access to take the actions they need. The user must *justify* the need for the elevation of their privileges.
+
+In this example we will configure "Alex", a member of our security team who will have zero standing access within Office 365, but can elevate to both a role required for normal day to day operations, and then also to a higher level of privilege when less frequent but sensitive operations, such as purging email is required.
+
+> [!NOTE]
+> This will walk you through the steps required to setup PIM for a Security Analyst who requires the ability to purge emails using Threat Explorer in Microsoft Defender for Office 365, but the same steps can be used for other RBAC roles within the Security, and Compliance portal. For example this process could be used for a information worker who requires day to day access in eDiscovery to perform searches and case work, but only occasionally needs the elevated right to export data from the tenant.
++
+***Step 1***. In the Azure PIM console for your subscription, add the user (Alex) to the Azure Security Reader role and configure the security settings related to activation.
+
+1. Sign into the [Azure AD Admin Center](https://aad.portal.azure.com/) and select **Azure Active Directory** > **Roles and administrators**.
+2. Select **Security Reader** in the list of roles and then **Settings** > **Edit**
+3. Set the '**Activation maximum duration (hours)**' to a normal working day and 'On activiation' to require **Azure MFA**.
+4. As this is Alex's normal privilege level for day to day operations, we will Uncheck **Require justification on activation**' > **Update**.
+5. Select **Add Assignments** > **No member selected** > select or type the name to search for the correct member.
+6. Click the **Select** button to choose the member you need to add for PIM privileges > click **Next** > make no changes on the Add Assignment page (both assignment type *Eligible* and duration *Permenantly Eligible* will be defaults ) and **Assign**.
+
+The name of your user (here 'Alex') will appear under Eligible assignments on the next page, this means they are able to PIM into the role with the settings configured earlier.
+
+> [!NOTE]
+> For a quick review of Privileged Identity Management see [this video](https://www.youtube.com/watch?v=VQMAg0sa_lE).
++
+***Step 2***. Create the required second (elevated) permission group for additional tasks and assign eligibility.
+
+Using [Privileged Access groups])https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features) we can now create our own custom groups and combine permissions or increase granularity where required to meet your organisational practices and needs.
+
+### Create a role group requiring the permissions we need.
+
+In the Security Portal, create a custom role group that contains the permissions that we want.
+
+1. Browse to Microsoft 365 Defender portal (https://security.microsoft.com) > **Permissions & Roles** > select **Roles** under Email and Collaboration > **Create**.
+2. Name your group to reflect its purpose such as 'Search and Purge PIM'.
+3. Don't add members, simply save the group and move on to the next part!
+
+### Create the security group in Azure AD for elevated permissions
+
+1. Browse back to the [Azure AD Admin Center](https://aad.portal.azure.com/) and navigate to **Azure AD** > **Groups** > **New Group**.
+2. Name your AAD group to reflect its purpose, **no owners or members are required** right now.
+3. Turn **Azure AD roles can be assigned to the group** to **Yes**.
+4. Don't add any roles, members or owners, create the group.
+5. Go back into the group you've just created, and select **Privileged Access** > **Enable Privileged Access**.
+6. Within the group select **Eligible assignments** > **Add assignments** > Add the user who needs Search & Purge as a role of **Member**.
+7. Configure the **Settings** within the group's Privileged Access pane. Choose to **Edit** the settings for the role of **Member**.
+8. Change the activation time to suit your organization. In this example require *Azure MFA*, *justification*, and *ticket information* before selecting **Update**.
+
+### Nest the newly created security group into the role group.
+
+1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following:
+
+ `Add-RoleGroupMember "<<Role Group Name>>" -Member "<<Azure Security Group>>"`
++
+## How do you know this worked?
+
+1. Login with the test user, who will have zero administrative access.
+2. Navigate to PIM, where the user can activate their day to day security reader role.
+3. If you try to purge an email using Threat Explorer, you get an error stating you need additional permissions.
+4. PIM a second time into the more elevated role, after a short delay you should now be able to purge emails without issue.
+
+Permanent assignment of the Search and Purge Role doesn't hold with the Zero Trust security initiative, but PIM can be used to grant just-in-time access to the toolset required.
++
+Permanent assignment of the Search and Purge Role doesn't hold with the Zero Trust security initiative, but PIM can be used to grant just-in-time access here too.
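Review bot: In Step 2 the "Privileged Access groups" link is malformed: it is written as "[Privileged Access groups])https://..." with a closing parenthesis where the opening one belongs, so it will not render as a link. The closing paragraph is also duplicated: the sentence beginning "Permanent assignment of the Search and Purge Role doesn't hold with the Zero Trust security initiative" appears twice with only its ending changed; keep one. Spelling to fix in Step 1: "On activiation" and "Permenantly Eligible". Step 1 item 4 has an unbalanced quote and bold marker in "Uncheck **Require justification on activation**'". The Add-RoleGroupMember command is given as inline code, whereas the other articles in this update put commands in powershell code fences.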
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
Title: User reported message settings
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: ITPro localization_priority: Normal
+search.appverid:
- MET150-+ - M365-security-compliance - m365initiative-defender-office365 description: Admins can learn how to configure a mailbox to collect spam and phishing email that are reported by users.
After you've verified that your mailbox meets all applicable prerequisites, you
- To modify the configuration for User submissions, you need to be a member of one of the following role groups: - **Organization Management** or **Security Administrator** in the [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
-
+ - You need access to Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that looks like this when specify the submissions mailbox: > Specify an email address in your domain For more information about enabling or disabling access to Exchange Online PowerShell, see the following topics:
- - [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell)
+ - [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell)
- [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) ## Use the Microsoft 365 Defender portal to configure the user submissions mailbox
-1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat policies** \> **Others** section \> **User reported message settings** \> **User submissions**.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat policies** \> **User reported message settings** in the **Others** \> **User submissions**.
2. On the **User submissions** page, what you see is determined by whether the **Microsoft Outlook Report Message button** setting is **Off** or **On**:
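Review bot: The rewritten navigation step 1 now reads "**User reported message settings** in the **Others** \> **User submissions**", which lost the word "section" when the path was reordered. Suggest "**User reported message settings** in the **Others** section \> **User submissions**". In the Exchange Online PowerShell prerequisite above it, "when specify the submissions mailbox" is missing "you".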
After you've verified that your mailbox meets all applicable prerequisites, you
- **My organization's mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. Use this option if you want the message to only go to an admin or the security operations team for analysis first. Messages will not go to Microsoft unless the admin forwards it themselves. > [!IMPORTANT]
- >
> U.S. Government organizations (GCC, GCC High, and DoD) can only configure **My organization's mailbox**. The other two options are disabled. > > If organizations are configured to send to custom mailbox only, reported messages will not be sent for rescan and results in the User reported messages portal will always be empty.
After you've verified that your mailbox meets all applicable prerequisites, you
> [!CAUTION] > If you have [disabled junk email reporting in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md#disable-or-enable-junk-email-reporting-in-outlook-on-the-web) using Outlook on the web mailbox policies, but you configured any of the previous settings to report messages to Microsoft, users will be able to report messages to Microsoft in Outlook on the web using the Report Message add-in or the Report Phishing add-in.
+ Leave the **Microsoft Outlook Report Message button** setting ![Toggle on](../../media/scc-toggle-on.png) **On** to allow end-users to report false positive messages from the quarantine portal.
+ - **User reporting experience section** - **Before reporting** tab: In the **Title** and **Message body** boxes, enter the descriptive text that users see before they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type (junk, not junk, phish, etc.). - **After reporting** tab: In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see after they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type.