+|**Message center** <br/> |Learn about official service announcements and feature changes. You can read these messages in the Microsoft 365 admin center, the admin mobile app, or receive a weekly digest in email. Share these messages with others in your organization when you see a message someone else should act on. You can also use the Service Communications API to retrieve messages. <br/> |Sign in to the [admin center](../admin-overview/admin-center-overview.md) or [admin mobile app](../admin-overview/admin-mobile-app.md). Select **Health** \> **Message center**. Select a message to read or share. <br/> Change the services you see messages about or opt in to the weekly digest by choosing **Edit preferences** in the admin center. This is also where you can opt out of the weekly digest. <br/> [Overview of the Microsoft 365 Message center](message-center.md) <br/> |

+|**Targeted release** <br/> |Sign up for Targeted release for yourself and a select group of individuals at your organization. Get the latest Microsoft 365 updates before everyone else and then inform or train your users on the new experience. <br/> |Sign in to the [admin center](../admin-overview/admin-center-overview.md) or [admin mobile app](../admin-overview/admin-mobile-app.md). Select **Settings** \> **Organization profile** \> **Release preferences**. Learn more about [Targeted release](release-options-in-office-365.md). <br/> |

+|**Roadmap** <br/> |Visit the Microsoft 365 Roadmap to learn about features that have been launched, are rolling out, are in development, have been canceled, or previously released. The roadmap is the official site for Microsoft 365 updates and changes. <br/> |Visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap) frequently and learn about planned updates and releases. <br/> |

+Using features in this catalog requires either Microsoft Entra ID Governance or Microsoft Azure AD Premium P2 license. To find the right license for your requirements, see [Compare generally available features of Microsoft Azure AD](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+This catalog is designed to help customers with Microsoft Entra ID Governance or Azure AD P2 functionality, including access reviews, PIM, entitlement management (ELM), Access Reviews, HR-driven user provisioning, and life cycle workflows.

+> A Microsoft Entra ID Governance or Azure Active Directory P2 license is required to utilize the security features in this catalog.

+- Microsoft Entra ID Governance

+For customers with Entra ID Governance,Azure P1, or Azure P2, we provide customizable Conditional Access templates that include the most common and least intrusive security standards. When Azure licensing isnΓÇÖt available, we provide a one-click solution to enable Security Defaults, a baseline protection policy for all users, or we provide steps to enable legacy (per-user) MFA.

+Conditional Access requires Microsoft Entra ID Governance or an Azure Active Directory P1 or P2 license. Security defaults and per-user MFA are included with all Microsoft 365 subscriptions.

+| Teams Premium Introductory Pricing | CFQ7TTC0RM8K | Yes |

+You download this model in [PDF](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf) format and print it on letter, legal, or tabloid (11 x 17 inches) size paper.

+### Privileged Identity Management

+Rather than having your privileged accounts be permanently assigned an administrator role, you can use PIM to enable on-demand, just-in-time assignment of the administrator role when it's needed.

+Using this feature requires either Microsoft Entra ID Governance or Microsoft Azure AD Premium P2 subscriptions. To find the right license for your requirements, see [Compare generally available features of Microsoft Azure AD](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+For information about licenses for users, see [License requirements to use Privileged Identity Management](/azure/active-directory/privileged-identity-management/subscription-requirements).

+- [Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure).

+In the setup process, you define the following information with Azure AD attributes:

+You also determine team structure and team owners.

+Then, you can choose which locations you want to create dynamic frontline teams for.

+- Users must have a Microsoft 365 F3, F1, E1, E3, or E5 license. If a user doesn't have one of these licenses, they'll need an Azure AD P1 add-on license to use dynamic teams. [Learn more about frontline licensing](flw-licensing-options.md).

+ 1. Plan your frontline deployment.

+ 1. Test the deploy tools (dynamic or static team creation).

+ 1. Deploy to a pilot location.

+ 1. Deploy to a broader set of locations using a phased approach.

+1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Teams** > **Manage frontline teams**.

+2. In the table, choose **Setup**.

+ :::image type="content" source="media/dtas-manage-setup.png" alt-text="Screenshot of the manage frontline teams table in the Teams admin center." lightbox="media/dtas-manage-setup.png":::

+3. Review the prerequisites information.

+4. Select the Azure AD attribute that defines your frontline workers. You can only choose one Azure AD attribute, but you can define multiple values by separating them with commas.

+ :::image type="content" source="media/dtas-frontline-attribute.png" alt-text="Screenshot of where to enter your Azure AD attribute and values for frontline workers." lightbox="media/dtas-frontline-attribute.png":::

+5. Select the Azure AD attribute that defines the location your frontline employees work in. You can only choose one location attribute.

+ :::image type="content" source="media/dtas-location-attribute.png" alt-text="Screenshot of where to enter your Azure AD attribute for frontline locations." lightbox="media/dtas-location-attribute.png":::

+6. Define your team structure by choosing a prefix. The prefix is applied using the "prefix-location" format for all your teams.

+ :::image type="content" source="media/dtas-prefix.png" alt-text="Screenshot of the prefix, team template, and team owner account fields." lightbox="media/dtas-prefix.png":::

+7. Optionally, choose a team template. The team template you choose defines the channel structure for all your frontline teams. [Learn more about Teams templates](/microsoftteams/get-started-with-teams-templates-in-the-admin-console).

+8. Enter a user account object ID to be the team owner. This account will be the owner for all frontline teams. It's recommended to choose a shared account rather than an individual person.

+ 1. To get a user's object ID, go to the [Azure portal](https://portal.azure.com).

+ 1. Select **Users**, and then choose your user.

+9. Review the settings, and then choose **Finish setup.**

+ >Setup can take several hours to run. You can refresh the **Manage frontline teams** page to get the latest status of your setup.

+ :::image type="content" source="media/dtas-setup-submitted.png" alt-text="Screenshot of the Manage frontline teams page with a banner showing that setup was submitted." lightbox="media/dtas-setup-submitted.png":::

+1. After setup is completed, go to the **Manage frontline teams** page, and then select the **Deploy** button.

+ :::image type="content" source="media/dtas-deploy.png" alt-text="Screenshot of the Deploy button." lightbox="media/dtas-deploy.png":::

+2. From here, you can review your settings and view the list of locations that don't yet have a frontline dynamic team created.

+3. In the table, select the locations that you want to create teams for.

+ :::image type="content" source="media/dtas-deploy-locations.png" alt-text="Screenshot of the table of locations." lightbox="media/dtas-deploy-locations.png":::

+4. Select **Deploy**. This process can take several hours depending on how many teams you're creating. After deployment is completed, you'll see the number updated in the **Frontline teams** tile. On this tile, you can download a CSV file with a list of your frontline teams. If any errors occurred, you can download the error CSV file on the **Last deployment health** tile.

+ :::image type="content" source="media/dtas-view-errors.png" alt-text="Screenshot of where you can get the CSV file on the Manage frontline teams page." lightbox="media/dtas-view-errors.png":::

+1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Teams** > **Manage frontline teams**.

+2. In the table, choose **Deploy**.

+3. Select the **Refresh location** button, and proceed when prompted by the dialog box. This process can take several hours depending on your number of new locations.

+ :::image type="content" source="media/dtas-refresh-locations.png" alt-text="Screenshot of the Refresh location button." lightbox="media/dtas-refresh-locations.png":::

+4. After your refresh completes, your setup status shows as **Complete**. You can proceed to [deploy your new teams](#deploy-your-frontline-dynamic-teams). Deployment can take several hours depending on how many new teams you're deploying.

+1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Teams** > **Manage frontline teams**.

+2. In the **Deploy settings** column, choose **Deploy frontline teams** .

+3. Edit your settings on this page, and then select **Save**. Your settings may take several hours to update. See the following table for the effects of updating your settings.

+|Define your frontline Azure AD attribute. |All existing frontline teams will be members that have the new Azure AD attribute defined. |All new frontline teams members will have the new Azure AD attribute defined. |

+|Choose the values applicable to your frontline Azure AD attribute. |All existing frontline team membership will reflect your updated values. |All new teams will be populated with members who have the updated Azure AD attributes that you defined. |

+|Define your frontline locations. | Existing teams will continue to persist. If a team is no longer tied to a location, there will be no users in that team, and users will be put in their respective location teams. |You can create new frontline teams based on the locations defined by your new Azure AD attribute. |

+|Set your team name prefix. |All existing team names will be updated to reflect the prefix and location name if that was changed. |All new teams will have the updated naming convention. |

+> Lighthouse GDAP templates use role-assignable security groups. An Azure AD P1 license is required to add users to these groups. To enable Just-in-Time (JIT) roles, Microsoft Entra IDE Governance or an Azure AD P2 license is required.

+> Features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, you should see it soon.

+## July 2023

+### Sales Advisor is now part of Microsoft 365 Lighthouse

+Sales Advisor, formerly known as Project Orland in Partner Center Insights, is now integrated into Microsoft 365 Lighthouse.

+Sales Advisor helps you harness the power of AI-driven insights to fuel business growth and deliver scalable managed services to your customers. With Sales Advisor, you can discover proactive, actionable, and personalized recommendations for acquiring new customers, boosting customer retention, and expanding your business with premium offers.

+To view Sales Advisor in Lighthouse, in the left navigation pane, select **Sales Advisor** > **Opportunities**. To learn more, see [Overview of Sales Advisor in Microsoft 365 Lighthouse](m365-lighthouse-sales-advisor-overview.md).

+5. Select **Next** and assign this profile to targeted devices and users.

+> [!IMPORTANT]

+> This feature is in Public Preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+## Device Tagging

+Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

+Use the following steps to configure the Device tags:

+1. In the Microsoft Intune admin center, go to **Apps > App configuration policies > Add > Managed apps**.

+2. Provide the policy a **name**.

+3. Under **Select Public Apps**, choose **Microsoft Defender for Endpoint** as the target app.

+4. In Settings page, select Use configuration designer and add **DefenderDeviceTag** as the key and value type as **String**.

+ - Admin can assign a new tag by adding the key **DefenderDeviceTag** and setting a value for device tag.

+ - Admin can edit an existing tag by modifying the value of the key **DefenderDeviceTag**.

+ - Admin can delete an existing tag by removing the key **DefenderDeviceTag**.

+5. Click Next and assign this policy to targeted devices and users.

+> [!NOTE]

+> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take upto 18 hours for tags to reflect in the portal.

+> [!IMPORTANT]

+> This feature is in Public Preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+## Device Tagging

+Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

+Use the following steps to configure the Device tags:

+1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **App configuration policies** > **Add** > **Managed devices**.

+2. Give the policy a name, select **Platform > Android Enterprise**, and select the profile type.

+3. Select **Microsoft Defender for Endpoint** as the target app.

+4. In Settings page, select Use configuration designer and add **DefenderDeviceTag** as the key and value type as **String**.

+ - Admin can assign a new tag by adding the key **DefenderDeviceTag** and setting a value for device tag.

+ - Admin can edit an existing tag by modifying the value of the key **DefenderDeviceTag**.

+ - Admin can delete an existing tag by removing the key **DefenderDeviceTag**.

+5. Click Next and assign this policy to targeted devices and users.

+> [!NOTE]

+> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take upto 18 hours for tags to reflect in the portal.

+- [Windows 11](/windows/whats-new/whats-new-windows-11-version-22h2)

+- [Windows Server 2022](/windows-server/get-started/whats-new-in-windows-server-2022)

+1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies > Add > Managed apps.

+## Device Tagging

+Defender for Endpoint on iOS enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

+This configuration is available for both the enrolled (MDM) devices as well as unenrolled (MAM) devices. Admins can use the following steps to configure the Device tags.

+### Configure Device tags

+**For enrolled devices(MDM)**

+1. In the Microsoft Intune admin center, navigate to Apps \> App configuration policies \> Add \> Managed devices.

+1. Give the policy a name, select Platform \> iOS/iPadOS

+1. Select Microsoft Defender for Endpoint as the target app.

+1. In Settings page, select Use configuration designer and add **DefenderDeviceTag** as the key and value type as **String**.

+ - Admin can assign a new tag by adding the key **DefenderDeviceTag** and setting a value for device tag.

+ - Admin can edit an existing tag by modifying the value of the key **DefenderDeviceTag**.

+ - Admin can delete an existing tag by removing the key **DefenderDeviceTag**.

+1. Click Next and assign this policy to targeted devices/users.

+**For unenrolled devices(MAM)**

+1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies > Add > Managed apps.

+1. Give the policy a name.

+1. Under the Select Public Apps, choose Microsoft Defender for Endpoint as the target app.

+1. In Settings page, add **DefenderDeviceTag** as the key under the General Configuration Settings.

+ - Admin can assign a new tag by adding the key **DefenderDeviceTag** and setting a value for device tag.

+ - Admin can edit an existing tag by modifying the value of the key **DefenderDeviceTag**.

+ - Admin can delete an existing tag by removing the key **DefenderDeviceTag**.

+1. Click Next and assign this policy to targeted devices/users.

+> [!NOTE]

+> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take upto 18 hours for tags to reflect in the portal.

+> After this rule change is performed, a full synchronization of your Active Directory is required. For large environments, it is recommended to schedule this rule change and full sync during on-premises Active Directory quiet periods.

+2. In the navigation pane under **Actions and submissions**, choose **Action center**. Or, in the Automated investigation & response card, select **Approve in Action Center**.

+2. In the navigation pane under Actions and submissions, choose **Action center**.

+Recommended actions have a "completed" status once all possible points for the recommended action have been achieved. Completed recommended actions are confirmed through Microsoft data, and you can't change the status.

+|**Attack Simulator Administrators**|Don't use this role group in these portals. Use the corresponding role in Azure AD.|Attack Simulator Admin|

+|**Attack Simulator Payload Authors**|Don't use this role group in these portals. Use the corresponding role in Azure AD.|Attack Simulator Payload Author|

+|**Audit Manager**|Manage Audit log settings and Search, View, and Export Audit logs.|Audit Logs <br/><br/> View-Only Audit Logs|

+|**Audit Reader**|Search, View, and Export Audit logs.|View-Only Audit Logs|

+|**Billing Administrator**|Configure Billing features.|Billing Admin|

+|**Compliance Administrator**¹|Members can manage settings for device management, data loss prevention, reports, and preservation.|Case Management <br/><br/> Communication Compliance Admin <br/><br/> Communication Compliance Case Management <br/><br/> Compliance Administrator <br/><br/> Compliance Manager Administration <br/><br/> Compliance Search <br/><br/> Data Classification Feedback Provider <br/><br/> Data Classification Feedback Reviewer <br/><br/> Data Connector Admin <br/><br/> Data Investigation Management <br/><br/> Device Management <br/><br/> Disposition Management <br/><br/> DLP Compliance Management <br/><br/> Hold <br/><br/> IB Compliance Management <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Reader <br/><br/> Insider Risk Management Admin <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> Scope Manager <br/><br/> View-Only Audit Logs <br/><br/> View-Only Case <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|

+|**Compliance Data Administrator**|Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.|Compliance Administrator <br/><br/> Compliance Manager Administration <br/><br/> Compliance Search <br/><br/> Device Management <br/><br/> Disposition Management <br/><br/> DLP Compliance Management <br/><br/> IB Compliance Management <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Reader <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> Scope Manager <br/><br/> Sensitivity Label Administrator <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|

+|**Data Catalog Curators**|Perform create, read, modify, and delete actions on catalog data objects and establish relationships between objects.|Data Map Reader <br/><br/> Data Map Writer|

+|**Data Estate Insights Readers**|Provides read-only access to all insights reports across platforms and providers.|Data Map Reader <br/><br/> Insights Reader|

+|**Data Source Administrators**|Manage data sources and data scans.|Credential Reader <br/><br/> Credential Writer <br/><br/> Scan Reader <br/><br/> Scan Writer <br/><br/> Source Reader <br/><br/> Source Writer|

+|**Information Protection**|Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.|Data Classification Content Viewer <br/><br/> Data Classification List Viewer <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator <br/><br/> Information Protection Reader <br/><br/> Purview Evaluation Administrator|

+|**Information Protection Admins**|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.|Information Protection Admin <br/><br/> Purview Evaluation Administrator|

+|**Information Protection Analysts**|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification List Viewer <br/><br/> Information Protection Analyst <br/><br/> Purview Evaluation Administrator|

+|**Information Protection Investigators**|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification Content Viewer <br/><br/> Data Classification List Viewer <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator <br/><br/> Purview Evaluation Administrator|

+|**Insider Risk Management**|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This role group is the easiest way to quickly get started with insider risk management and is a good fit for organizations that don't need separate permissions defined for separate groups of users.|Case Management <br/><br/> Custodian <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> Insider Risk Management Analysis <br/><br/> Insider Risk Management Approval <br/><br/> Insider Risk Management Audit <br/><br/> Insider Risk Management Investigation <br/><br/> Insider Risk Management Sessions <br/><br/> Review <br/><br/> View-Only Case|

+|**Insider Risk Management Admins**|Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.|Case Management <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> View-Only Case|

+|**Organization Management**¹|Members can control permissions for accessing features in these portals, and also manage settings for device management, data loss prevention, reports, and preservation. <br/><br/> Users who aren't global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <br/><br/> Global admins are automatically added as members of this role group, but you don't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance PowerShell](/powershell/module/exchange/get-rolegroupmember).|Audit Logs <br/><br/> Case Management <br/><br/> Communication Compliance Admin <br/><br/> Communication Compliance Case Management <br/><br/> Compliance Administrator <br/><br/> Compliance Manager Administration <br/><br/> Compliance Search <br/><br/> Data Connector Admin <br/><br/> Device Management <br/><br/> DLP Compliance Management <br/><br/> Hold <br/><br/> IB Compliance Management <br/><br/> Insider Risk Management Admin <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> Quarantine <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> Role Management <br/><br/> Scope Manager <br/><br/> Search And Purge <br/><br/> Security Administrator <br/><br/> Security Reader <br/><br/> Sensitivity Label Administrator <br/><br/> Sensitivity Label Reader <br/><br/> Service Assurance View <br/><br/> Tag Contributor <br/><br/> Tag Manager <br/><br/> Tag Reader <br/><br/> View-Only Audit Logs <br/><br/> View-Only Case <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|

+|**Privacy Management**|Manage access control for Privacy Management solution in the Microsoft Purview compliance portal.|Case Management <br/><br/> Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Data Classification Content Viewer <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Admin <br/><br/> Privacy Management Analysis <br/><br/> Privacy Management Investigation <br/><br/> Privacy Management Permanent contribution <br/><br/> Privacy Management Temporary contribution <br/><br/> Privacy Management Viewer <br/><br/> Subject Rights Request Admin <br/><br/> View-Only Case|

+|**Privacy Management Administrators**|Administrators of privacy management solution that can create/edit policies and define global settings.|Case Management <br/><br/> Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Privacy Management Admin <br/><br/> View-Only Case|

+|**Privacy Management Analysts**|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.|Case Management <br/><br/> Compliance Manager Reader <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Analysis <br/><br/> View-Only Case|

+|**Privacy Management Contributors**|Manage contributor access for privacy management cases.|Compliance Manager Reader <br/><br/> Privacy Management Permanent contribution <br/><br/> Privacy Management Temporary contribution|

+|**Privacy Management Investigators**|Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions.|Case Management <br/><br/> Compliance Manager Reader <br/><br/> Data Classification Content Viewer <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Investigation <br/><br/> View-Only Case|

+|**Privacy Management Viewers**|Viewer of privacy management solution that can access the available dashboards and widgets.|Compliance Manager Reader <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Viewer|

+|**Security Administrator**|Members have access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. <br/><br/> By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. <br/><br/> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in these portals (membership or roles), those changes apply only to the security and compliance areas and not to any other services. <br/><br/> This role group includes all of the read-only permissions of the Security reader role, plus many additional administrative permissions for the same

+|**Security Operator**|Members can manage security alerts, and also view reports and settings of security features.|Compliance Search <br/><br/> Manage Alerts <br/><br/> Security Reader <br/><br/> Tag Contributor <br/><br/> Tag Reader <br/><br/> Tenant AllowBlockList Manager <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts|

+|**Subject Rights Request Administrators**|Create subject rights requests.|Case Management <br/><br/> Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Subject Rights Request Admin <br/><br/> View-Only Case|

+|**Subject Rights Request Approvers**|Approvers who are able to approve subject rights requests.|Compliance Manager Reader <br/><br/> Subject Rights Request Approver|

+Roles that aren't assigned to the Organization Management role group by default are marked with ^\*

+|**Attack Simulator Admin**^\*|Don't use this role in the portals. Use the corresponding role in Azure AD.|Attack Simulator Administrators|

+|**Attack Simulator Payload Author**^\*|Don't use this role in the portals. Use the corresponding role in Azure AD.|Attack Simulator Payload Authors|

+|**Audit Logs**|Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file.|Audit Manager <br/><br/> Organization Management <br/><br/> Security Administrator|

+|**Billing Admin**^\*|Allows billing admin for selected feature.|Billing Administrator|

+|**Communication**^\*|Manage all communications with the custodians identified in an eDiscovery (Premium) case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that's used by each custodian in a case to track communications for the cases where they were identified as a custodian.|Data Investigator <br/><br/> eDiscovery Manager|

+|**Communication Compliance Analysis**^\*|Used to perform investigation, remediation of the message violations in the Communication Compliance feature. Can only view message meta data.|Communication Compliance <br/><br/> Communication Compliance Analysts <br/><br/> Communication Compliance Investigators|

+|**Communication Compliance Investigation**^\*|Used to perform investigation, remediation, and review message violations in the Communication Compliance feature. Can view message meta data and message.|Communication Compliance <br/><br/> Communication Compliance Investigators|

+|**Communication Compliance Viewer**^\*|Used to access reports and widgets in the Communication Compliance feature.|Communication Compliance <br/><br/> Communication Compliance Viewers|

+|**Compliance Manager Assessment**^\*|Create assessments, implement improvement actions, and update test status for improvement actions.|Compliance Manager Administrators <br/><br/> Compliance Manager Assessors|

+|**Compliance Manager Contribution**^\*|Create assessments and perform work to implement improvement actions.|Compliance Manager Administrators <br/><br/> Compliance Manager Assessors <br/><br/> Compliance Manager Contributors <br/><br/> Privacy Management <br/><br/> Privacy Management Administrators <br/><br/> Subject Rights Request Administrators|

+|**Compliance Manager Reader**^\*|View all Compliance Manager content except for administrator functions.|Compliance Manager Administrators <br/><br/> Compliance Manager Assessors <br/><br/> Compliance Manager Contributors <br/><br/> Compliance Manager Readers <br/><br/> Global Reader <br/><br/> Privacy Management <br/><br/> Privacy Management Administrators <br/><br/> Privacy Management Analysts <br/><br/> Privacy Management Contributors <br/><br/> Privacy Management Investigators <br/><br/> Privacy Management Viewers <br/><br/> Security Reader <br/><br/> Subject Rights Request Administrators <br/><br/> Subject Rights Request Approvers|

+|**Credential Reader**^\*|Read the different credentials created in the tenant.|Data Source Administrators|

+|**Credential Writer**^\*|Create and edit credentials.|Data Source Administrators|

+|**Custodian**^\*|Identify and manage custodians for eDiscovery (Premium) cases and use the information from Azure Active Directory and other sources to find data sources associated with custodians. Associate other data sources such as mailboxes, SharePoint sites, and Teams with custodians in a case. Place a legal hold on the data sources associated with custodians to preserve content in the context of a case.|Data Investigator <br/><br/> eDiscovery Manager <br/><br/> Insider Risk Management <br/><br/> Insider Risk Management Investigators|

+|**Data Classification Content Viewer**^\*|View in-place rendering of files in Content explorer.|Content Explorer Content Viewer <br/><br/> Information Protection <br/><br/> Information Protection Investigators <br/><br/> Privacy Management <br/><br/> Privacy Management Investigators|

+|**Data Classification Feedback Provider**^\*|Allows providing feedback to classifiers in content explorer.|Communication Compliance <br/><br/> Communication Compliance Investigators <br/><br/> Compliance Administrator|

+|**Data Classification Feedback Reviewer**^\*|Allows reviewing feedback from classifiers in feedback explorer.|Compliance Administrator|

+|**Data Classification List Viewer**^\*|View the list of files in content explorer.|Content Explorer List Viewer <br/><br/> Information Protection <br/><br/> Information Protection Analysts <br/><br/> Information Protection Investigators <br/><br/> Privacy Management <br/><br/> Privacy Management Analysts <br/><br/> Privacy Management Investigators <br/><br/> Privacy Management Viewers|

+|**Data Investigation Management**^\*|Create, edit, delete, and control access to data investigation.|Compliance Administrator <br/><br/> Data Investigator|

+|**Data Map Reader**^\*|Read actions on data map objects.|Data Catalog Curators <br/><br/> Data Estate Insights Readers|

+|**Data Map Writer**^\*|Create, read, modify, and delete actions on data map objects and establish relationships between objects.|Data Catalog Curators|

+|**Disposition Management**^\*|Control permissions for accessing Manual Disposition in the Defender and compliance portals.|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Records Management|

+|**Export**^\*|Export mailbox and site content that's returned from searches.|Data Investigator <br/><br/> eDiscovery Manager|

+|**Information Protection Admin**^\*|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Information Protection <br/><br/> Information Protection Admins|

+|**Information Protection Analyst**^\*|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Information Protection <br/><br/> Information Protection Analysts <br/><br/> Information Protection Investigators|

+|**Information Protection Investigator**^\*|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Information Protection <br/><br/> Information Protection Investigators|

+|**Information Protection Reader**^\*|View-only access to reports for DLP policies and sensitivity labels and their policies.|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Information Protection <br/><br/> Information Protection Readers|

+|**Insider Risk Management Analysis**^\*|Access all insider risk management alerts, cases, and notices templates.|Insider Risk Management <br/><br/> Insider Risk Management Analysts|

+|**Insider Risk Management Approval**^\*|Perform investigation, remediation, and review message violations in Privacy Management solution. Can view message metadata and full messages.|Insider Risk Management <br/><br/> Insider Risk Management Approvers|

+|**Insider Risk Management Audit**^\*|Allow viewing Insider Risk audit trails.|Insider Risk Management <br/><br/> Insider Risk Management Auditors|

+|**Insider Risk Management Investigation**^\*|Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.|Insider Risk Management <br/><br/> Insider Risk Management Investigators|

+|**Insider Risk Management Permanent contribution**^\*|This role group is visible, but is used by background services only.|IRM Contributors|

+|**Insider Risk Management Sessions**^\*|Perform investigation and remediation of message violations in Privacy Management solution. Can view only message metadata.|Insider Risk Management <br/><br/> Insider Risk Management Session Approvers|

+|**Insider Risk Management Temporary contribution**^\*|This role group is visible, but is used by background services only.|IRM Contributors|

+|**Insights Reader**^\*|Provides read-only access to all Insights reports in the Data Estate Insights app. Insights readers need to have at least data reader role access to a collection to view reports about that specific collection.|Data Estate Insights Readers|

+|**Knowledge Admin**^\*|Configure knowledge, learning, assign trainings and other intelligent features.|Knowledge Administrators|

+|**Manage Review Set Tags**^\*|Decrypt RMS-protected content when exporting search results.|eDiscovery Manager|

+|**Preview**^\*|View a list of items that are returned from content searches, and open each item from the list to view its contents.|Data Investigator <br/><br/> eDiscovery Manager|

+|**Privacy Management Admin**^\*|Manage policies in Privacy Management and has access to all functionality of the solution.|Privacy Management <br/><br/> Privacy Management Administrators|

+|**Privacy Management Analysis**^\*|Perform investigation and remediation of the message violations in Privacy Management. Can only view messages metadata.|Privacy Management <br/><br/> Privacy Management Analysts|

+|**Privacy Management Investigation**^\*|Perform investigation, remediation, and review message violations in Privacy Management. Can view message metadata and the full message.|Privacy Management <br/><br/> Privacy Management Investigators|

+|**Privacy Management Permanent contribution**^\*|Access Privacy Management cases as a permanent contributor.|Privacy Management <br/><br/> Privacy Management Contributors|

+|**Privacy Management Temporary contribution**^\*|Access Privacy Management cases as a temporary contributor.|Privacy Management <br/><br/> Privacy Management Contributors|

+|**Privacy Management Viewer**^\*|Access dashboards and widgets in Privacy Management.|Privacy Management <br/><br/> Privacy Management Viewers|

+|**Purview Evaluation Administrator**^\*|Create and manage the Microsoft 365 Purview Evaluation lab.|Information Protection <br/><br/> Information Protection Admins <br/><br/> Information Protection Analysts <br/><br/> Information Protection Investigators|

+|**Review**^\*|This role lets users access review sets in eDiscovery (Premium) cases. Users who are assigned this role can see and open the list of cases on the **eDiscovery \> Advanced** page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set.|Data Investigator <br/><br/> eDiscovery Manager <br/><br/> Insider Risk Management <br/><br/> Insider Risk Management Investigators <br/><br/> Reviewer|

+|**RMS Decrypt**^\*|Decrypt RMS-protected content when exporting search results.|Data Investigator <br/><br/> eDiscovery Manager|

+|**Scan Reader**^\*|Read the different scans created in the tenant.|Data Source Administrators|

+|**Scan Writer**^\*|Create, update and delete scans in the tenant.|Data Source Administrators|

+|**Source Reader**^\*|Read the different sources created in the tenant.|Data Source Administrators|

+|**Source Writer**^\*|Create, update and delete sources in the tenant.|Data Source Administrators|

+|**Subject Rights Request Admin**^\*|Manage supervisory review policies, including which communications to review and who should perform the review.|Privacy Management <br/><br/> Subject Rights Request Administrators|

+|**Subject Rights Request Approver**^\*|Create, edit, delete, and control access to custodian.|Subject Rights Request Approvers|

+|**Supervisory Review Administrator**^\*|Manage supervisory review policies, including which communications to review and who should do the review.|Supervisory Review|

+|**Tag Contributor**|Enables viewing and updating of existing tags.|Organization Management <br/><br/> Security Administrator <br/><br/> Security Operator|

+|**Tenant AllowBlockList Manager**^\*|Manage Tenant Allow/Block List settings.|Security Operator|

+|**View-Only Audit Logs**|View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information.|Audit Manager <br/><br/> Audit Reader <br/><br/> Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Global Reader <br/><br/> Organization Management <br/><br/> Security Administrator <br/><br/> Security Operator|

+|**View-Only Retention Management**|View the configuration of retention policies, retention labels, and retention label policies.|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Global Reader <br/><br/> Organization Management|

+You can use [Entitlement Management](/azure/active-directory/governance/entitlement-management-overview) to create a B2B extranet to collaborate with a partner organization that uses Azure Active Directory. This allows users to self-enroll in the extranet site or team and receive access via an approval workflow.

+This article walks through the steps to create a package of resources (in this case, a site or team) that you can share with a partner organization through a self-service access registration model.

+Using this feature requires Microsoft Entra ID Governance licenses. To find the right license for your requirements, see [Compare generally available features of Microsoft Azure AD](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+Specialized clouds, such as Azure Germany and Azure China 21Vianet, aren't currently available for use.

+1. In the [Microsoft Entra admin center](https://aad.portal.azure.com), select **Identity Governance**.

+2. Select **Connected organizations**.

+4. Select **Add connected organization**.

+5. Type a name and description for the organization, and then select **Next: Directory + domain**.

+6. Select **Add directory + domain**.

+7. Type the domain for the organization that you want to connect, and then select **Add**.

+8. Select **Connect**, and then Select **Next: Sponsors**.

+10. Select **Next: Review + Create**.

+11. Review the settings that you've chosen and then select **Create**.

+ 

+1. In the [Microsoft Entra admin center](https://aad.portal.azure.com), select **Identity Governance**.

+2. Select **Catalogs**.

+3. Select **New catalog**.

+5. Select **Create**.

+ 

+1. In the Microsoft Entra Admin Center, select **Catalogs**, and then select the catalog where you want to add resources.

+2. Select **Resources** and then select **Add resources**.

+3. Select the teams or SharePoint sites that you want to include in your extranet, and then select **Add**.

+ 

+1. In the Microsoft Entra Admin Center, select **Catalogs**, and then select the catalog where you want to create an access package.

+2. Select **Access packages**, and then select **New access package**.

+3. Type a name and description for the access package, and then select **Next: Resource roles**.

+6. Select **Next: Requests**.

+8. Ensure that the **Specific connected organizations** option is selected, and then select **Add directories**.

+9. Choose the connected organization that you add earlier, and then select **Select**

+12. CliSelectck **Add fallback** and select a fallback approver.

+14. Select **Next: Lifecycle**.

+15. Choose the expiration and access review settings that you want to use, and then select **Next: Review + Create**.

+16. Review your settings, and then select **Create**.

+ 

+If you're partnering with a large organization, you may want to hide the access package. If the package is hidden, then users in the partner organization won't see the package on their *My Access* portal. Instead, they must be sent a direct link to sign up for the package. Hiding the access package can reduce the number of inappropriate access requests and can also help keep available access packages organized in the partner organization's portal.

+1. In the Microsoft Entra admin center, select **Access packages**, and then select your access package.

+2. On the **Overview** page, select **Edit**.

+3. Under **Properties**, choose **Yes** for **Hidden**, and then select **Save**.

+1. In the Microsoft Entra Admin Center, select **Access packages**, and then select your access package.

+2. On the **Overview** page, select **Copy to clipboard** link for the **My Access portal link**.

+Once you have copied the link, you can share it with your contact at the partner organization, and they can send it to the users on their collaboration team.

+ Title: 'Test against Windows new features'

+description: This section shows you how to set up your own scheduled tests against preview features in Windows insider channel

+search.appverid: MET150

+audience: Software-Vendor

+ms.localizationpriority: medium

+f1.keywords: NOCSH

+# Test against Windows new features

+If youΓÇÖre seeking further validation of your eco-system solution(s) against Windows new features, or hesitating whether to deploy the latest Windows feature or the next version of security solution to your organization, Test Base provides you a way to automatically test your applications against preview builds in Windows Insider program (More about [Windows Insider](https://www.microsoft.com/windowsinsider/about-windows-insider-program)).

+This section shows you how to set up your own scheduled tests against preview features in Windows insider channel.

+## Prepare your package

+1. **Define content:** Depending on your package type, you may select below instructions:

+- [Creating and Testing Binary Files on Test Base](testapplication.md)

+- [Test your Intune application on Test Base](testintuneapplication.md)

+- [Uploading a pre-built zip package](uploadapplication.md)

+2. **Configure test:** Both *Out-of-Box* test and *Functional* test are supported. Selecting *Out-of-Box* will leverage the officially suggested test flow and automatically generate install / uninstall / launch / close test scripts for you; *Functional* tests will allow you more flexibility to set up your own test flow. You may also select both.

+3. **Edit package:** Edit test scripts and test flow as you need.

+ > [!Note]

+ > All your tests would be directly launched against the latest Windows OS with new features. No need to add any additional test script for system feature enablement. Thus, feature update testing would be more economical for you if you only want to validate potential compatibility issues against Windows new features since you wonΓÇÖt spend time in update/upgrade validation.

+## Sign-up for scheduled tests against preview Windows builds

+Scheduled tests against preview Windows builds are set in the **Test matrix** step. By selecting **Feature update**, your package would be tested against preview builds flight to your indicated insider channel.

+> [!div class="mx-imgBorder"]

+> [](Media/test-against-windows-new-features-1.png#lightbox)

+To set up for feature updates, you must specify the target product and its preview channel from ΓÇ£*Insider Channel*ΓÇ¥ dropdown list.

+> [!div class="mx-imgBorder"]

+> [](Media/test-against-windows-new-features-2.png#lightbox)

+Your selection will register your application for automatic test runs against the latest feature updates of your selected product channel and all future new updates in the latest Windows Insider Preview Builds of your selection.

+> [!Note]

+> - Check in [Flight Hub](/windows-insider/flight-hub/) for more details on the Windows Insider Preview builds.

+> - Windows 11, version 23H2 shares the same servicing branch as Windows 11, version 22H2. New features are firstly flight to insider audience via a simple update with enablement package(eKB) (See in [Windows client roadmap update](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-client-roadmap-update-july-2023/ba-p/3871736)). Testing against these new features will soon be supported also in Test Base Feature Update.

+You may also set your current OS in ΓÇ£*OS baseline for Insight*ΓÇ¥. We would provide you with more test insights by regression analysis of your as-is OS environment and the latest target OS.

+> [!div class="mx-imgBorder"]

+> [](Media/test-against-windows-new-features-3.png#lightbox)

+- If the OS youΓÇÖre looking for didnΓÇÖt show up in our current supported product list, feel free to [Let us know your request](https://forms.office.com/r/ZeGihXBXHk), or contact us via [testbasepreview@microsoft.com](mailto:testbasepreview@microsoft.com).

+## Check Feature update test results

+A test run will be executed after the package passes the validation. For all new feature updates in your selected insider channel, an automated run will be scheduled.

+You can view the results of the test run under the **Test summary** page by clicking the link on the package name.

+> [!div class="mx-imgBorder"]

+> [](Media/test-against-windows-new-features-4.png#lightbox)

+You may use the release number / release version / KB number to map with the update version pushed to your organization. You will not only get the detailed script execution results with test logs but also compare regressively with previous monthΓÇÖs execution result to deep dive into any further performance risks. In case you might need to reproduce the failure and see in detail the execution process in video, you may click on **Re-run test**.

+> [!div class="mx-imgBorder"]

+> [](Media/test-against-windows-new-features-5.png#lightbox)