+ Title: "Monitor and maintain Microsoft 365 Business Premium and Defender for Business"

+- BCS160[Email and calendars](#email-and-calendars)

+description: "Keep your systems, devices, user accounts, and security policies up to date to help protect against cyberattacks."

+# Monitor and maintain Microsoft 365 Business Premium and Defender for Business

+After you have set up and configured [Microsoft 365 Business Premium](index.md) or [Microsoft Defender for Business](../security/defender-business/mdb-overview.md) (standalone), your next step is to prepare a plan for maintenance and operations. It's important to keep your systems, devices, user accounts, and security policies up to date to help protect against cyberattacks. You can use this article as a guide to prepare your plan.

+There are two main categories of tasks to perform, as listed in the following table:

+| Task type | Sections |

+|||

+| **[Security tasks](#security-tasks)** | [Daily security tasks](#daily-security-tasks) <br/>[Weekly security tasks](#weekly-security-tasks)<br/>[Monthly security tasks](#monthly-security-tasks)<br/>[Security tasks to perform as needed](#security-tasks-to-perform-as-needed) |

+| **[General admin tasks](#general-admin-tasks)** | [Admin center tasks](#admin-center-tasks)<br/>[Users, groups, and passwords](#users-groups-and-passwords)<br/>[Email and calendars](#email-and-calendars)<br/>[Devices](#devices)<br/>[Devices](#devices)<br/>[Subscriptions and billing](#subscriptions-and-billing) |

+## Security tasks

+Security tasks are typically performed by security administrators and security operators. [Learn more about admin roles](../admin/add-users/about-admin-roles.md) and [assign security roles and permissions](../security/defender-business/mdb-roles-permissions.md).

+### Daily security tasks

+### [**Microsoft 365 Business Premium**](#tab/M365BP)

+| Task | Description |

+|||

+| Check your threat vulnerability management dashboard | Get a snapshot of threat vulnerability by looking at your vulnerability management dashboard, which reflects how vulnerable your organization is to cybersecurity threats. A high exposure score means your devices are more vulnerable to exploitation. <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Vulnerability management > Dashboard**.<br/><br/>2. Take a look at your **Organization exposure score**. If it's in the acceptable or "High" range, you can move on. If it isn't, select **Improve score** to see more details and security recommendations to improve this score. <br/><br/>Being aware of your exposure score helps you to:<br/>- Quickly understand and identify high-level takeaways about the state of security in your organization<br/>- Detect and respond to areas that require investigation or action to improve the current state<br/>- Communicate with peers and management about the impact of security efforts |

+| Review pending actions in the Action center | As threats are detected, [remediation actions](#remediation-actions-for-devices) come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval, which is why these should be monitored regularly. Remediation actions are tracked in the Action center.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Action center**.<br/><br/>2. Select the **Pending** tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus or antimalware protection, automated investigations, manual response activities, or live response sessions.<br/><br/>3. Select the **History** tab to view a list of completed actions.|

+| Review devices with threat detections | When threats are detected on devices, your security team needs to know so that any needed actions, such as isolating a device, can be taken promptly. <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Reports > General > Security report**.<br/><br/>2. Scroll down to the **Vulnerable devices** row. If threats were detected on devices, you can see that information in this row.|

+| Learn about new incidents or alerts | As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft 365 Defender portal.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation menu, select **Incidents**. Incidents are displayed on the page with associated alerts.<br/><br/>2. Select an alert to open its flyout pane, where you can learn more about the alert.<br/><br/>3. In the flyout, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert. |

+| Run a scan or automated investigation | Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, [remediation actions](#remediation-actions-for-devices) can occur automatically or upon approval.<br/><br/>1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose **Assets** > **Devices**.<br/><br/>2. Select a device to open its flyout panel, and review the information that is displayed.<br/>- Select the ellipsis (...) to open the actions menu.<br/>- Select an action, such as **Run antivirus scan** or **Initiate Automated Investigation**. |

+### [**Defender for Business**](#tab/MDB)

+| Task | Description |

+|||

+| **Check your threat vulnerability management dashboard** | Get a snapshot of threat vulnerability by looking at your vulnerability management dashboard, which reflects how vulnerable your organization is to cybersecurity threats. A high exposure score means your devices are more vulnerable to exploitation. <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Vulnerability management > Dashboard**.<br/><br/>2. Take a look at your **Organization exposure score**. If it's in the acceptable or "High" range, you can move on. If it isn't, select **Improve score** to see more details and security recommendations to improve this score. <br/><br/>Being aware of your exposure score helps you to:<br/>- Quickly understand and identify high-level takeaways about the state of security in your organization<br/>- Detect and respond to areas that require investigation or action to improve the current state<br/>- Communicate with peers and management about the impact of security efforts |

+| **Review pending actions in the Action center** | As threats are detected, [remediation actions](#remediation-actions-for-devices) come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval, which is why these should be monitored regularly. Remediation actions are tracked in the Action center.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Action center**.<br/><br/>2. Select the **Pending** tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus or antimalware protection, automated investigations, manual response activities, or live response sessions.<br/><br/>3. Select the **History** tab to view a list of completed actions.|

+| **Review devices with threat detections** | When threats are detected on devices, your security team needs to know so that any needed actions, such as isolating a device, can be taken promptly. <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Reports > General > Security report**.<br/><br/>2. Scroll down to the **Vulnerable devices** row. If threats were detected on devices, you can see that information in this row.|

+| **Learn about new incidents or alerts** | As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft 365 Defender portal.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation menu, select **Incidents**. Incidents are displayed on the page with associated alerts.<br/><br/>2. Select an alert to open its flyout pane, where you can learn more about the alert.<br/><br/>3. In the flyout, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert. |

+| **Run a scan or automated investigation** | Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, [remediation actions](#remediation-actions-for-devices) can occur automatically or upon approval.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Assets** > **Devices**.<br/><br/>2. Select a device to open its flyout panel, and review the information that is displayed.<br/>- Select the ellipsis (...) to open the actions menu.<br/>- Select an action, such as **Run antivirus scan** or **Initiate Automated Investigation**. |

+### Weekly security tasks

+### [**Microsoft 365 Business Premium**](#tab/M365BP)

+| Task | Description |

+|||

+| **Monitor and improve your Microsoft Secure Score** | Microsoft Secure Score is a measurement of your organization's security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can: <br/>- Report on the current state of your organization's security posture.<br/>- Improve your security posture by providing discoverability, visibility, guidance, and control.<br/>- Compare with benchmarks and establish key performance indicators (KPIs).<br/><br/>To check your score, follow these steps:<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane choose **Secure score**. <br/><br/>2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft secure score. |

+| **Improve your Secure Score for devices** | Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It's always worth the time it takes to review and improve your score.<br/><br/>To check your secure score, follow these steps: <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane select **Secure score**.<br/><br/>2. From the **Microsoft Secure Score for Devices** card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays, along with recommendations.<br/><br/>3.Select an item on the list to display details related to the recommendation.<br/><br/>4. Select **Remediation options**.<br/><br/>5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created.<br/><br/>6. Send a follow-up email to your IT Administrator and allow for the time that you've allotted for the remediation to propagate in the system.<br/><br/>7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions.<br/><br/>8. Select **Security controls** to go back to the Security recommendations page. The item that you addressed isn't listed there anymore, which results in your Microsoft secure score improving. |

+### [**Defender for Business**](#tab/MDB)

+| Task | Description |

+|||

+| **Monitor and improve your Secure Score** | Microsoft Secure Score is a measurement of your organization's security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can: <br/>- Report on the current state of your organization's security posture.<br/>- Improve your security posture by providing discoverability, visibility, guidance, and control.<br/>- Compare with benchmarks and establish key performance indicators (KPIs).<br/><br/>To check your score, follow these steps:<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane choose **Secure score**. <br/><br/>2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft secure score. |

+| **Improve your Secure Score for devices** | Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It's always worth the time it takes to review and improve your score.<br/><br/>To check your secure score, follow these steps: <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane select **Secure score**.<br/><br/>2. From the **Microsoft Secure Score for Devices** card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays, along with recommendations.<br/><br/>3.Select an item on the list to display details related to the recommendation.<br/><br/>4. Select **Remediation options**.<br/><br/>5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created.<br/><br/>6. Send a follow-up email to your IT Administrator and allow for the time that you've allotted for the remediation to propagate in the system.<br/><br/>7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions.<br/><br/>8. Select **Security controls** to go back to the Security recommendations page. The item that you addressed isn't listed there anymore, which results in your Microsoft secure score improving. |

+### Monthly security tasks

+### [**Microsoft 365 Business Premium**](#tab/M365BP)

+| Task | Description |

+|||

+| **Run reports** | Several reports are available in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Reports**.<br/><br/>2. Choose a report to review. Each report displays many pertinent categories for that report.<br/><br/>3. Select **View details** to see deeper information for each category.<br/><br/>4. Select the title of a particular threat to see details specific to it.|

+| **Run a simulation tutorial** | It's always a good idea to increase the security preparedness for you and your team through training. You can access simulation tutorials in the Microsoft 365 Defender portal. The tutorials cover several types of cyber threats. To get started, follow these steps:<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Tutorials**.<<br/><br/>2. Read the walk-through for a tutorial you're interested in running, and then download the file, or copy the script needed to run the simulation according to the instructions. |

+| **Explore the Learning hub** | Use the Learning hub to increase your knowledge of cybersecurity threats and how to address them. We recommend exploring the resources that are offered, especially in the Microsoft 365 Defender and Endpoints sections.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Learning hub**.<br/><br/>2. Select an area, such as **Microsoft 365 Defender** or **Endpoints**.<br/><br/>3. Select an item to learn more about each concept. <br/><br/>Some resources in the Learning hub might cover functionality that isn't included in Microsoft 365 Business Premium. For example, advanced hunting capabilities are included in enterprise subscriptions, such as Defender for Endpoint Plan 2 or Microsoft 365 Defender, but not in Microsoft 365 Business Premium. [Compare security features in Microsoft 365 plans for small and medium-sized businesses](../security/defender-business/compare-mdb-m365-plans.md). |

+### [**Defender for Business**](#tab/MDB)

+| Task | Description |

+|||

+| **Run security reports** | Several reports are available in the Microsoft 365 Defender portal.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Reports**.<br/><br/>2. Choose a report to review. Each report displays many pertinent categories for that report.<br/><br/>3. Select **View details** to see deeper information for each category.<br/><br/>4. Select the title of a particular threat to see details specific to it.|

+| **Run a simulation tutorial** | It's always a good idea to increase the security preparedness for you and your team through training. You can access simulation tutorials in the Microsoft 365 Defender portal. The tutorials cover several types of cyber threats. To get started, follow these steps:<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Tutorials**.<<br/><br/>2. Read the walk-through for a tutorial you're interested in running, and then download the file, or copy the script needed to run the simulation according to the instructions. |

+| **Explore the Learning hub** | Use the Learning hub to increase your knowledge of cybersecurity threats and how to address them. We recommend exploring the resources that are offered, especially in the Microsoft 365 Defender and Endpoints sections.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Learning hub**.<br/><br/>2. Select an area, such as **Microsoft 365 Defender** or **Endpoints**.<br/><br/>3. Select an item to learn more about each concept. <br/><br/>Some resources in the Learning hub might cover functionality that isn't included in Defender for Business. For example, advanced hunting capabilities are included in enterprise subscriptions, such as Defender for Endpoint Plan 2 or Microsoft 365 Defender, but not in Defender for Business. [Compare security features in Microsoft 365 plans for small and medium-sized businesses](../security/defender-business/compare-mdb-m365-plans.md). |

+### Security tasks to perform as needed

+### [**Microsoft 365 Business Premium**](#tab/M365BP)

+| Task | Description |

+|||

+| **Manage false positives/negatives** | A false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Microsoft Defender for Office 365 and Microsoft Defender for Business, which are both included in Microsoft 365 Business Premium. Fortunately, steps can be taken to address and reduce these kinds of issues. <br/><br/>For false positives/negatives on devices, see [Address false positives/negatives in Microsoft Defender for Endpoint](../security/defender-endpoint/defender-endpoint-false-positives-negatives.md).<br/><br/>For false positives/negatives in email, see the following articles: <br/>- [How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365)<br/>- [How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365) |

+| **Strengthen your security posture** | Defender for Business includes a vulnerability management dashboard that provides you with exposure score and enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and improve your organization's security posture. <br/><br/>See the following articles:<br/>- [Use your vulnerability management dashboard in Microsoft Defender for Business](../security/defender-business/mdb-view-tvm-dashboard.md)<br/>- [Dashboard insights](../security/defender-vulnerability-management/tvm-dashboard-insights.md) |

+| **Adjust security policies** | [Reports](../security/defender-business/mdb-reports.md) are available so that you can view information about detected threats, device status, and more. Sometimes it's necessary to adjust your security policies. For example, you might apply strict protection to some user accounts or devices, and standard protection to others. <br/><br/>See the following articles: <br/>- For device protection: [View or edit policies in Microsoft Defender for Business](../security/defender-business/mdb-view-edit-create-policies.md) <br/>- For email protection: [Recommended settings for EOP and Microsoft Defender for Office 365 security](../security/office-365-security/recommended-settings-for-eop-and-office365.md) |

+| **Analyze admin submissions** | Sometimes it's necessary to submit entities, such as email messages, URLs, or attachments to Microsoft for further analysis. Reporting items can help reduce the occurrence of false positives/negatives and improve threat detection accuracy. <br/><br/>See the following articles: <br/>- [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](../security/office-365-security/submissions-admin.md)<br/>- [Admin review for user reported messages](../security/office-365-security/submissions-admin-review-user-reported-messages.md) |

+| **Protect priority user accounts** | Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts priority accounts. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.<br/><br/>See the following articles: <br/>- [Protect your administrator accounts](m365bp-protect-admin-accounts.md) <br/>- [Security recommendations for priority accounts in Microsoft 365](../security/office-365-security/priority-accounts-security-recommendations.md) |

+| **Protect high-risk devices** | The overall risk assessment of a device is based on a combination of factors, such as the types and severity of active alerts on the device. As your security team resolves active alerts, approves remediation activities, and suppresses subsequent alerts, the risk level decreases. <br/><br/>See [Manage devices in Microsoft Defender for Business](../security/defender-business/mdb-manage-devices.md). |

+| **Onboard or offboard devices** | As devices are replaced or retired, new devices are purchased, or your business needs change, you can onboard or offboard devices from Defender for Business. <br/><br/>See the following articles: <br/>- [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md) <br/>- [Offboard a device from Microsoft Defender for Business](../security/defender-business/mdb-offboard-devices.md) |

+| **Remediate an item** | Microsoft 365 Business Premium includes several [remediation actions](#remediation-actions-for-devices). Some actions are taken automatically, and others await approval by your security team.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Assets** > **Devices**.<br/><br/>2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item.<br/><br/>3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions.<br/><br/>4. Select an available action. For example, you might choose **Run antivirus scan**, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select **Initiate Automated Investigation** to trigger an automated investigation on the device. |

+### [**Defender for Business**](#tab/MDB)

+| Task | Description |

+|||

+| **Manage false positives/negatives** | A false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Microsoft Defender for Office 365 and Microsoft Defender for Business, which are both included in Microsoft 365 Business Premium. Fortunately, steps can be taken to address and reduce these kinds of issues. <br/><br/>For false positives/negatives on devices, see [Address false positives/negatives in Microsoft Defender for Endpoint](../security/defender-endpoint/defender-endpoint-false-positives-negatives.md).<br/><br/>For false positives/negatives in email, see the following articles: <br/>- [How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365)<br/>- [How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365) |

+| **Strengthen your security posture** | Defender for Business includes a vulnerability management dashboard that provides you with exposure score and enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and improve your organization's security posture. <br/><br/>See the following articles:<br/>- [Use your vulnerability management dashboard in Microsoft Defender for Business](../security/defender-business/mdb-view-tvm-dashboard.md)<br/>- [Dashboard insights](../security/defender-vulnerability-management/tvm-dashboard-insights.md) |

+| **Adjust security policies** | [Reports](../security/defender-business/mdb-reports.md) are available so that you can view information about detected threats, device status, and more. Sometimes it's necessary to adjust your security policies. For example, you might apply strict protection to some user accounts or devices, and standard protection to others. <br/><br/>See the following articles: <br/>- For device protection: [View or edit policies in Microsoft Defender for Business](../security/defender-business/mdb-view-edit-create-policies.md) <br/>- For email protection: [Recommended settings for EOP and Microsoft Defender for Office 365 security](../security/office-365-security/recommended-settings-for-eop-and-office365.md) |

+| **Analyze admin submissions** | Sometimes it's necessary to submit entities, such as email messages, URLs, or attachments to Microsoft for further analysis. Reporting items can help reduce the occurrence of false positives/negatives and improve threat detection accuracy. <br/><br/>See the following articles: <br/>- [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](../security/office-365-security/submissions-admin.md)<br/>- [Admin review for user reported messages](../security/office-365-security/submissions-admin-review-user-reported-messages.md) |

+| **Protect priority user accounts** | Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts priority accounts. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.<br/><br/>See the following articles: <br/>- [Protect your administrator accounts](m365bp-protect-admin-accounts.md) <br/>- [Security recommendations for priority accounts in Microsoft 365](../security/office-365-security/priority-accounts-security-recommendations.md) |

+| **Protect high-risk devices** | The overall risk assessment of a device is based on a combination of factors, such as the types and severity of active alerts on the device. As your security team resolves active alerts, approves remediation activities, and suppresses subsequent alerts, the risk level decreases. <br/><br/>See [Manage devices in Microsoft Defender for Business](../security/defender-business/mdb-manage-devices.md). |

+| **Onboard or offboard devices** | As devices are replaced or retired, new devices are purchased, or your business needs change, you can onboard or offboard devices from Defender for Business. <br/><br/>See the following articles: <br/>- [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md) <br/>- [Offboard a device from Microsoft Defender for Business](../security/defender-business/mdb-offboard-devices.md) |

+| **Remediate an item** | Defender for Business includes several [remediation actions](#remediation-actions-for-devices). Some actions are taken automatically, and others await approval by your security team.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Assets** > **Devices**.<br/><br/>2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item.<br/><br/>3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions.<br/><br/>4. Select an available action. For example, you might choose **Run antivirus scan**, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select **Initiate Automated Investigation** to trigger an automated investigation on the device. |

+### Remediation actions for devices

+The following table summarizes remediation actions that are available for devices in Microsoft 365 Business Premium and Defender for Business:

+| Source | Actions |

+|||

+| **Automated investigations** | Quarantine a file<br/>Remove a registry key<br/>Kill a process<br/>Stop a service<br/>Disable a driver<br/>Remove a scheduled task |

+| **Manual response actions** | Run antivirus scan<br/>Isolate device<br/>Add an indicator to block or allow a file |

+| **Live response** | Collect forensic data<br/>Analyze a file<br/>Run a script<br/>Send a suspicious entity to Microsoft for analysis<br/>Remediate a file<br/>Proactively hunt for threats |

+## General admin tasks

+Maintaining your environment includes managing user accounts, managing devices, and keeping things up to date and working correctly. Admin tasks are typically performed by global admins and tenant admins. [Learn more about admin roles](../admin/add-users/about-admin-roles.md).

+### Admin center tasks

+| Determine whether to allow guest access to groups for their whole organization or for individual groups<br/>(*applies to Microsoft 365 Business Premium*) | [Guest users in Microsoft 365 admin center](../admin/add-users/about-guest-users.md) |

+| Use Windows Autopilot to set up and preconfigure new devices or to reset, repurpose, and recover devices<br/>(*applies to Microsoft 365 Business Premium*) | [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) |

+ Title: "About registration numbers and under-review notifications in the Microsoft 365 admin center"

+description: "Learn about registration numbers and under-review notifications when you buy Microsoft business products or services."

+# About registration numbers and under-review notifications in the Microsoft 365 admin center

+This article only applies to commercial customers who buy or activate business products or services directly from Microsoft.

+A registration number, sometimes referred to as a Tax Identification Number (TIN), is a number issued by the tax authority in your country/region to identify your organization for tax purposes. We use the registration number to review the details of your account. The review lets us determine if Microsoft can provide you with products and services. For information about what registration numbers are needed for a country/region, see [Tax Identification Numbers](https://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/).

+For countries/regions where the registration number is mandatory, the label above the text box indicates what type of number is required. For example, in the following screenshot, the label indicates that a CNPJ (Brazilian) registration number is needed.

+For countries/regions where the registration number is optional, you can choose to provide a company legal registration number. Don't enter a personal ID in this field. The following screenshot shows an example of when the registration number is optional.

+To find out the format and type of registration number issued by your country/region, see [Tax Identification Numbers](https://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/).

+## How do I know if my account is under review?

+When you complete a purchase, you might receive a notification that your account is under review. The review process normally takes about one day to complete but can take longer.

+We send an email notification about the review to all global and billing admins on your account. In some cases, the notification is sent to users who have the Billing Account Owner or Billing Account Contributor role on the account. The notification says that a review is currently in process. A confirmation email notification is sent after the review process is complete.

+## How do I check the review status of my account?

+You can check the status of your account in the Microsoft 365 admin center during the review period. To check the status of your review, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page and select the account that you used to complete your purchase.

+ - If youΓÇÖre using the **Simplified view**, select **Billing**, then select **View payment methods**.

+ - If youΓÇÖre using the **Simplified view**, select **Billing**, then select **View payment methods**.

+ - If youΓÇÖre using the **Simplified view**, select **Billing**.

+ - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

+ - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

+ - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

+When you buy Microsoft business products or services, you can use an existing payment method to pay for then, or add a new one. You can use a credit or debit card to pay for the things you buy.

+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to dp the tasks in this article. For more information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Understand your Microsoft business billing profile](manage-billing-profiles.md).

+- If you have a Microsoft Online Subscription Agreement (MOSA), you must be a global or billing admin to do the tasks in this article. For more information, see [[About admin roles]](../../admin/add-users/about-admin-roles.md).

+- If you have an MCA billing account type and youΓÇÖre a billing profile owner or contributor, you can use the billing profile that's backed by a credit or debit card or invoice payment to make purchases or pay bills. If you're a billing invoice manager, you can only use a billing profile to pay bills. To learn more about billing profiles and roles, see [Understand your Microsoft business billing profile](manage-billing-profiles.md).

+> [!NOTE]

+> If you're the person who signed up for the subscription, you're automatically a billing account owner or global admin.

+If you have an MOSA billing account type, you can replace the payment method for all subscriptions that use another payment method as part of adding a new one. You can also [replace a payment method](#replace-a-payment-method) later on. To assign a single subscription to the payment method, see [Replace the payment method for a single subscription](#replace-the-payment-method-for-a-single-subscription).

+ - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

+ - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

+2. Select the payment method to update. In the edit pane, select **Edit**.

+When you replace an existing payment method, you can add a new one, or use a payment method thatΓÇÖs already in your account. You can replace the payment method in the Microsoft 365 admin center. However, the steps to replace a payment method depend on the type of billing account that you have. [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).

+> Replacing a payment method doesn't delete the existing payment method. The old payment method is still available for you to select and use for other subscriptions and billing profiles. Learn how to delete a payment method.

+If you have an MCA billing account type, you can replace the payment method that's linked with a billing profile.

+ - If you're using the **Simplified view**, select **Billing** > **View payment methods**.

+ - If you're using the **Simplified view**, select **Billing**.

+5. In the Replace payment method pane, select a different payment method from the drop-down list, then select **Replace**.

+If you have an MOSA billing account type, you can change the payment method used to pay for all your subscriptions at once. If you only want to change the payment method for one subscription, see [Replace the payment method for a single subscription](#replace-the-payment-method-for-a-single-subscription).

+ - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

+5. To use a different payment method already on file, select **Use another payment method**. To add a new payment method, select **Add a payment method**.

+8. Review the list of subscriptions or billing profiles that are about move to the new payment method, then select **Next**.

+ - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

+2. Select the payment method to delete.

+3. In the edit pane, select **Delete**.

+4. Review the payment method details, then select **Next**.

+5. On the next page, select **Delete**, then select **Close**.

+ - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

+2. Select the payment method to delete.

+3. In the edit pane, select **Delete**. The **Delete a payment method** pane lists existing subscriptions and billing profiles that use that payment method.

+4. Select **Next**.

+5. To use a different payment method already on file, select **Use another payment method**. To add a new payment method, select **Add a payment method**.

+6. Select **Next**.

+7. To use an existing payment method, choose one from the drop-down list, then select **Next**. To add a new payment method, enter the information, then select **Next**.

+8. Review the subscriptions or billing profiles to move, then select **Move subscriptions**.

+9. Review the details of the payment method you want to delete, select **Delete**, then select **Close**.

+[Payment options for your Microsoft business subscription](pay-for-your-subscription.md) (article) \

+[Understand your Microsoft business billing profile](manage-billing-profiles.md) (article) \

+ - If you're using the **Simplified view**, select **Billing**.

+ - If youΓÇÖre using the **Simplified view**, select **Billing**.

+ - If you're using the **Simplified view**, select **Billing**, then select **View invoices**.

+ - If youΓÇÖre using the **Simplified view**, select **Billing**.

+| Visio Plan 1* | CFQ7TTC0HD33 | Yes |

+ - If youΓÇÖre using the **Simplified view**, select **Billing**.

+ - If youΓÇÖre using the **Simplified view**, select **Billing**.

+ - If youΓÇÖre using the **Simplified view**, select **Billing**.

+ - If you're using the **Simplified view**, select **Billing**, then select your trial subscription.

+ - If you're using the **Simplified view**, select **Billing**, then select your trial subscription.

+ - If you're using the **Simplified view**, select **Billing**, then select your trial subscription.

+ - If you're using the **Simplified view**, select **Billing**, then select your trial subscription.

+ - If you're using the **Simplified view**, select **Billing**, then select **Add more products**.

+ - If you're using the **Simplified view**, select **Billing**, then select **Add more products**.

+ - If you're using the **Simplified view**, select **Billing**, then select **Add more products**.

+ - If you're using the **Simplified view**, select **Billing**, then select **Add more products**.

+ Example **source** Mailbox object:

+While you configure Microsoft 365 multi-tenant organizations in the Microsoft 365 admin center, much of the supporting infrastructure is in Azure Active Directory (Azure AD). For details about how multi-tenant organizations work in Azure AD, see [What is a multi-tenant organization in Azure Active Directory?](/azure/active-directory/multi-tenant-organizations/multi-tenant-organization-overview) and [Topologies for cross-tenant synchronization](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-topology).

+- Support for a guest UserType of member in Power BI is currently in preview. For more information, see [Distribute Power BI content to external guest users with Azure AD B2B](/power-bi/enterprise/service-admin-azure-ad-b2b#who-can-you-invite).

+## August 2023

+### Microsoft Secure Score

+Microsoft Secure Score, which is a representation of an organization's security posture, is now integrated into Microsoft 365 Lighthouse. Lighthouse provides an aggregate view of the Secure Score across all your managed tenants, as well as Secure Score details for each individual tenant. You can access Secure Score via a new card on the **Home** page or by selecting a tenant on the **Tenants** page. Once you select a tenant, select the **Scores** tab to see historical Secure Score data for the tenant.

+To learn more, see [Microsoft Secure Score](../security/defender/microsoft-secure-score.md).

+### Alerts in Microsoft 365 Lighthouse

+Microsoft 365 Lighthouse now provides a consolidated view of prioritized alerts so you can quickly view the top alerts you should act on across your managed tenants. You can also configure alert rules based on the data within Lighthouse, which allows you to prioritize items that need immediate attention.

+Lighthouse also now supports the ability to configure customized push-alerts to allow integration with your existing ticketing and support systems.

+To access this functionality, in the left navigation pane in Lighthouse, select **Alerts**.

+To learn more, see [Overview of the Alerts page in Microsoft 365 Lighthouse](m365-lighthouse-alerts-overview.md).

+- Graph API to convert Loop content into HTML for export

+A graph export API solution is also available for Loop pages and components that supports both raw export and an HTML offline format.

+- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see [Microsoft 365 data locations](../../enterprise/o365-data-locations.md). Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, FRA, GBR, IND, JPN, KOR, LAM, NOR, POL, QAT, SGP, SWE, and ZAF.

+> [!NOTE]

+> Try the [Defender for Office 365 setup guide](https://go.microsoft.com/fwlink/?linkid=2224785) for step-by-step instructions that are tenant-aware and customized to your organization's needs. This setup guide helps you implement anti-malware policies, anti-phishing policies, safe attachments, and more.

+> [!NOTE]

+> For Government Community Cloud (GCC) organizations, pay-as-you-go licensing is not yet available. GCC organizations can continue to purchase and use per-user licenses until pay-as-you-go becomes available.