Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
enterprise | Azure Expressroute | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/azure-expressroute.md | The services that aren't included with ExpressRoute for Microsoft 365 are Micros ## Implementing ExpressRoute for Microsoft 365 -Implementing ExpressRoute requires the involvement of network and application owners and requires careful planning to determine the new [network routing architecture](https://support.office.com/article/e1da26c6-2d39-4379-af6f-4da213218408), bandwidth requirements, where security will be implemented, high availability, and so on. To implement ExpressRoute, you'll need to: +Implementing ExpressRoute requires the involvement of network and application owners and requires careful planning to determine the new [network routing architecture](/azure/architecture/guide/networking/networking-start-here), bandwidth requirements, where security will be implemented, high availability, and so on. To implement ExpressRoute, you'll need to: 1. Fully understand the need ExpressRoute satisfies in your Microsoft 365 connectivity planning. Understand what applications will use the internet or ExpressRoute and fully plan your network capacity, security, and high availability needs in the context of using both the internet and ExpressRoute for Microsoft 365 traffic. |
enterprise | Fix Problems With Directory Synchronization | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/fix-problems-with-directory-synchronization.md | Title: "Fixing problems with directory synchronization for Microsoft 365" Previously updated : 08/10/2020 Last updated : 09/14/2023 audience: Admin With directory synchronization, you can continue to manage users and groups on-p ## How do I know if something is wrong? -The first indication that something is wrong is when the DirSync Status tile in the Microsoft 365 admin center indicates there is a problem. +The first indication that something is wrong is when the DirSync Status tile in the Microsoft 365 admin center indicates there's a problem. -You will also receive a mail (to the alternate email and to your admin email) from Microsoft 365 that indicates your tenant has encountered directory synchronization errors. For details see [Identify directory synchronization errors in Microsoft 365](identify-directory-synchronization-errors.md). +You'll also receive a mail (to the alternate email and to your admin email) from Microsoft 365 that indicates your tenant has encountered directory synchronization errors. For details see [Identify directory synchronization errors in Microsoft 365](identify-directory-synchronization-errors.md). ## How do I get Azure Active Directory Connect tool? -In the [Microsoft 365 admin center](https://admin.microsoft.com), navigate to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">**Active users**</a>. Click the **More** menu (three dots) and select **Directory synchronization**. +In the [Microsoft 365 admin center](https://admin.microsoft.com), navigate to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">**Active users**</a>. Click the **More** menu (three dots) and select **Directory synchronization**. 
Follow the [instructions in the wizard](set-up-directory-synchronization.md) to download Azure AD Connect. -If you are still using Azure Active Directory (Azure AD) Sync (DirSync), take a look at [How to troubleshoot Azure Active Directory Sync Tool installation and Configuration Wizard error messages in Microsoft 365](/troubleshoot/azure/active-directory/installation-configuration-wizard-errors) for information about the system requirements to install dirsync, the permissions you need, and how to troubleshoot common errors. +If you're still using Azure Active Directory (Azure AD) Sync (DirSync), take a look at [How to troubleshoot Azure Active Directory Sync Tool installation and Configuration Wizard error messages in Microsoft 365](/troubleshoot/azure/active-directory/installation-configuration-wizard-errors) for information about the system requirements to install dirsync, the permissions you need, and how to troubleshoot common errors. To update from Azure AD Sync to Azure AD Connect, see [the upgrade instructions](/azure/active-directory/hybrid/how-to-dirsync-upgrade-get-started). To update from Azure AD Sync to Azure AD Connect, see [the upgrade instructions] - [Implementing password hash synchronization with Azure AD Connect sync](/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization) ### I'm seeing an alert that Object quota exceeded-- We have a built-in object quota to help protect the service. If you have too many objects in your directory that need to sync to Microsoft 365, you'll have to [Contact support for business products](https://support.office.com/article/32a17ca7-6fa0-4870-8a8d-e25ba4ccfd4b) to increase your quota.+- We have a built-in object quota to help protect the service. If you have too many objects in your directory that need to sync to Microsoft 365, you have to [Contact support for business products](https://support.office.com/article/32a17ca7-6fa0-4870-8a8d-e25ba4ccfd4b) to increase your quota. 
### I need to know which attributes are synchronized - You can find a list of all the attributes that are synced between on-premises and the cloud [right here](https://go.microsoft.com/fwlink/p/?LinkId=396719). To update from Azure AD Sync to Azure AD Connect, see [the upgrade instructions] - [Script to fix duplicate user principal names](/samples/browse/?redirectedfrom=TechNet-Gallery) -- [How to prepare a non-routable domain (such as .local domain) for directory synchronization](prepare-a-non-routable-domain-for-directory-synchronization.md)+- [How to prepare a nonroutable domain (such as .local domain) for directory synchronization](prepare-a-non-routable-domain-for-directory-synchronization.md) - [Script to count total synchronized objects](/samples/browse/?redirectedfrom=TechNet-Gallery) |
enterprise | M365 Dr Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-dr-overview.md | In order to promote clarity in the capability descriptions on data residency fun | **Term** | **Definition** | |:--|:--|-|Macro Region Geography <br/> |Macro Region Geography 1 ΓÇô EMEA, Macro Region Geography ΓÇô Asia Pacific, Macro Region Geography - Americas <br/> | +|Macro Region Geography <br/> |Macro Region Geography 1 ΓÇô EMEA, Macro Region Geography 2 ΓÇô Asia Pacific, Macro Region Geography 3 - Americas <br/> | |Macro Region Geography 1 - EMEA <br/> |Data centers in Austria, Finland, France, Ireland, Netherlands, Poland, Sweden <br/> | |Macro Region Geography 2 - Asia Pacific <br/> |Data centers in Hong Kong Special Administrative Region, Japan, Malaysia, Singapore, South Korea <br/> | |Macro Region Geography 3 - Americas <br/> |Data centers in Brazil, Chile, United States <br/> | |Local Region Geography <br/> |Australia, Brazil, Canada, France, Germany, India, Japan, Poland, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, United Kingdom <br/> |-|Expanded Local Region Geography <br/> | Future planned data center regions: Italy, Indonesia, Israel, Spain, Mexico, Malaysia, Austria, Chile, New Zealand, Denmark, Greece, Taiwan <br/> | +|Expanded Local Region Geography <br/> | Future planned data center regions: Italy, Indonesia, Israel, Spain, Mexico, Malaysia, Austria, Chile, New Zealand, Denmark, Greece, Taiwan, Saudi Arabia <br/> | |Geography <br/> |_Local Region Geography, Expanded Local Region Geography_, or _Macro Region Geography_ <br/> | |Satellite Geography <br/> |If a customer subscribes to the Multi Geo service, then they can cause defined user customer data to be stored in other Geographies outside of the _Tenant_ _Primary Provisioned Geography_ <br/> | |AAD <br/> |Azure Active Directory <br/> | |
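Review bot: The added Macro Region Geography definition row mixes separators: entries 1 (EMEA) and 2 (Asia Pacific) use one dash character and entry 3 (Americas) uses a plain hyphen, while the three term rows below it all use the hyphen. Use one form throughout so the names in the definition match the terms they point to exactly.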
loop | Loop Compliance Summary | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-compliance-summary.md | Title: "Summary of compliance capabilities for Loop experiences" -+ recommendations: true audience: Admin f1.keywords: Because Loop components are stored as files in OneDrive, there are many capabili - [Sensitivity Labeling](/microsoft-365/compliance/information-protection) (Microsoft Information Protection) at the File-level - End-user ability to see [Data Loss Prevention (DLP)](/microsoft-365/compliance/dlp-learn-about-dlp) policy tips-- [Conditional Access](/azure/active-directory/conditional-access/overview) +- [Conditional Access](/azure/active-directory/conditional-access/overview) ++To configure Loop components in your organization, see [Manage Loop components in OneDrive and SharePoint](/microsoft-365/loop/loop-components-configuration). ## Summary of compliance capabilities for content created in Loop workspaces -Content created in a Loop workspace is stored in Syntex repository services. You can learn more about it here: [Introducing Syntex repository +Content created in a Loop workspace is stored in Microsoft Syntex repository services. For more information, see [Introducing Microsoft Syntex repository -Syntex repository services has many of the same compliance capabilities as the rest of SharePoint and OneDrive. However, the capabilities below are **not available** yet for content created in Loop workspaces. While we continue to improve rapidly in this area, if you require any of these capabilities, Microsoft recommends proactively disabling Loop workspaces using the instructions here: [Manage Loop workspaces in Syntex repository services](/microsoft-365/loop/loop-workspaces-configuration): +Microsoft Syntex repository services has many of the same compliance capabilities as the rest of SharePoint and OneDrive. However, the capabilities below are **not available** yet for content created in Loop workspaces. 
While we continue to improve rapidly in this area, if you require any of these capabilities, Microsoft recommends proactively disabling Loop workspaces using the instructions in [Manage Loop workspaces in Microsoft Syntex repository services](/microsoft-365/loop/loop-workspaces-configuration): - [Intune Device Management Support](/mem/intune/remote-actions/device-management) - Tenant admin experience: Restoring a deleted workspace Syntex repository services has many of the same compliance capabilities as the r - [Sensitivity Labeling](/microsoft-365/compliance/information-protection) (Microsoft Information Protection) at the File-level and Container-level - End-user ability to see [Data Loss Prevention (DLP)](/microsoft-365/compliance/dlp-learn-about-dlp) policy tips - Multiple owners on a workspace-- [Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo) account move support+- [Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo) support - [Conditional Access](/azure/active-directory/conditional-access/overview) *This list of capabilities is not exhaustive* > [!NOTE]-> The list of capabilities in this section applies to content created in Loop workspaces (Syntex repository services). It does not apply to Loop components created in either Teams, Outlook, Whiteboard or Word for the web (which are created in OneDrive). +> The list of capabilities in this section applies to content created in Loop workspaces (Microsoft Syntex repository services). It does not apply to Loop components created in either Teams, Outlook, Whiteboard or Word for the web (which are created in OneDrive). ++To configure Loop workspaces in your organization, see [Manage Loop workspaces in Microsoft Syntex repository services](/microsoft-365/loop/loop-workspaces-configuration) ## Related topics |
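Review bot: The added closing sentence "To configure Loop workspaces in your organization, see [Manage Loop workspaces in Microsoft Syntex repository services]" ends without a period, unlike the matching sentence added for Loop components earlier in the file. The same link is already given in the paragraph that recommends disabling Loop workspaces, so the second pointer may be redundant. In the rewritten paragraph, "Microsoft Syntex repository services has" would read better with a plural verb.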
security | Configure Endpoints Vdi | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md | The following configuration settings are recommended: #### Exclusions -Please review the FXLogix antivirus exclusion recommendations here: [Prerequisites for FSLogix](/fslogix/overview-prerequisites#file--folder-exclusions). +- Please review the FXLogix antivirus exclusion recommendations here: [Prerequisites for FSLogix](/fslogix/overview-prerequisites#file--folder-exclusions). #### Real-time Protection Please review the FXLogix antivirus exclusion recommendations here: [Prerequisit [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] + |
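Review bot: The added bullet under Exclusions still reads "FXLogix antivirus exclusion recommendations", while the link text and target on the same line say FSLogix. Since this line is being touched anyway, correct the product name to FSLogix so the exclusion guidance can be found by search.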
security | Configure Remediation Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md | If you're using Configuration Manager, see the following articles: |Scan <br/>Create a system restore point.|A system restore point is created each day before cleaning or scanning is attempted. |Disabled| |Scan<br/>Turn on removal of items from scan history folder.|Specify how many days items should be kept in the scan history.|30 days| |Root<br/>Turn off routine remediation.|Specify whether Microsoft Defender Antivirus automatically remediates threats, or whether to prompt the user.|Disabled. Threats are remediated automatically.|- |Quarantine<br/>Configure removal of items from Quarantine folder.|Specify how many days items should be kept in quarantine before being removed.|Items are kept in the quarantine folder indefinitely and aren't automatically removed. | + |Quarantine<br/>Configure removal of items from Quarantine folder.|Specify how many days items should be kept in quarantine before being removed.|90 days| |Threats<br/>Specify threat alert levels at which default action shouldn't be taken when detected.|Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored). |Not applicable| |Threats<br/>Specify threats upon which default action shouldn't be taken when detected.|Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored.|Not applicable| |
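Review bot: The Quarantine row's default changes from "kept in the quarantine folder indefinitely" to "90 days" with no indication of when or where the new default applies. Retention of quarantined items matters for later investigation, so state whether 90 days is the default for all supported versions or only from a given platform release, and whether an unconfigured existing deployment keeps its old behaviour.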
security | Get Machines | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines.md | Title: List machines API description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender for Endpoint cloud. -keywords: apis, graph api, supported apis, get, devices -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium Retrieves a collection of [Machines](machine.md) that have communicated with Mi Supports [OData V4 queries](https://www.odata.org/documentation/). The OData's `$filter` query is supported on: `computerDnsName`, `id`, `version`, `deviceValue`, `aadDeviceId`, `machineTags`, `lastSeen`,`exposureLevel`, `onboardingStatus`, `lastIpAddress`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.-<br>```$stop``` with max value of 10,000 +<br>```$top``` with max value of 10,000 <br>```$skip``` See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md) ## Limitations -1. You can get devices last seen according to your configured retention period. -2. Maximum page size is 10,000. -3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. +- You can get devices last seen according to your configured retention period. +- Maximum page size is 10,000. +- Rate limitations for this API are 100 calls per minute and 1500 calls per hour. ## Permissions Content-type: application/json ## Related articles - [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
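Review bot: In the Limitations list the numbers are formatted inconsistently: "10,000" for the page size and "1500 calls per hour" for the rate limit; write "1,500" to match. The corrected `$top` line still uses triple backticks and a raw `<br>` for what is inline code, and the `$filter` field list in the context line is missing a space between `lastSeen` and `exposureLevel`; both are worth tidying in the same change.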
security | Tvm Dashboard Insights | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-dashboard-insights.md | Title: Dashboard insights + Title: Microsoft Defender Vulnerability Management dashboard description: The Microsoft Defender Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. search.appverid: met150 Last updated 03/04/2022 -# Dashboard insights +# Microsoft Defender Vulnerability Management dashboard **Applies to:** Defender vulnerability management provides both security administrators and secu - Invaluable device vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager -You can use the vulnerability management capability in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> to: +You can use Defender Vulnerability Management dashboard in the Microsoft 365 Defender portal to: - View your exposure score and Microsoft Secure Score for Devices, along with top security recommendations, software vulnerability, remediation activities, and exposed devices - Correlate EDR insights with endpoint vulnerabilities and process them Watch this video for a quick overview of what is in the Defender Vulnerability M > [!TIP] > Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md). -## Vulnerability management dashboard +## Defender Vulnerability Management dashboard :::image type="content" source="../../mediashboard.png" alt-text="Defender Vulnerability Management dashboard "::: |
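Review bot: The rewritten lead-in "You can use Defender Vulnerability Management dashboard in the Microsoft 365 Defender portal to:" is missing "the" before the dashboard name, and it drops the portal link that the previous sentence carried. Suggest "You can use the Defender Vulnerability Management dashboard in the Microsoft 365 Defender portal to:" and keeping a link to the portal somewhere in the section.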
security | Before You Begin Defender Experts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-defender-experts.md | Microsoft Defender Experts for Hunting is a separate service from your existing ### Eligibility and licensing -Defender Experts for Hunting customers are assigned two Ask Defender Experts (Experts on Demand) credits on the first of each month, which you can use to submit questions. You can still submit inquiries beyond your initial number of allocated credits. Unused credits expire 90 days from date of assignment or at the end of the subscription term, whichever is shortest. +Defender Experts for Hunting customers are assigned 10 **Ask Defender Experts** credits, which you can use to submit questions, at the start of each calendar quarter. Unused credits from the current quarter roll up to the next one. You can use up to 20 credits only per quarter. All unused credits expire by the end of the calendar year or at the end of your subscription term, whichever is shortest. For more information about Microsoft's commercial licensing terms, visit [this page](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA). |
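Review bot: The added credits paragraph is hard to parse in two places. "You can use up to 20 credits only per quarter" should read "You can use only up to 20 credits per quarter", and "roll up to the next one" would normally be "roll over". With exactly two expiry conditions listed, "whichever is shortest" should be "whichever is shorter".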
security | Before You Begin Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-xdr.md | Defender Experts for XDR also covers serversΓÇöwhether on premises or on a hyper ### Ask Defender Experts -As part of the service's built-in [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md), you're also assigned two **Ask Defender Experts** credits on the first of each month, which you may use to submit questions. You can still submit inquiries beyond the initial number of allocated credits. Unused credits expire 90 days from date of assignment or at the end of the subscription term, whichever is shortest. +As part of the service's built-in [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md), you're also assigned 10 **Ask Defender Experts** credits, which you can use to submit questions, at the start of each calendar quarter. Unused credits from the current quarter roll up to the next one. You can use up to 20 credits only per quarter. All unused credits expire by the end of the calendar year or at the end of your subscription term, whichever is shortest. [Learn more about Microsoft's commercial licensing terms](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA). |
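Review bot: The removed text said "You can still submit inquiries beyond the initial number of allocated credits", and the replacement paragraph no longer says what happens once the quarterly credits are used up. If inquiries are now refused at the 20-credit limit, say so explicitly; if they are still accepted, keep a sentence to that effect.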
security | Mto Advanced Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-advanced-hunting.md | + + Title: Advanced hunting in multi-tenant management in Microsoft 365 Defender +description: Learn about advanced hunting in multi-tenant management in Microsoft 365 Defender +search.appverid: met150 +++++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - highpri + - tier1 + Last updated : 09/01/2023+++# Advanced hunting in multi-tenant management in Microsoft 365 Defender ++**Applies to:** ++- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +++## Advanced hunting ++Advanced hunting in multi-tenant management in Microsoft 365 Defender allows you to proactively hunt for intrusion attempts and breach activity affecting your email, data, devices, and accounts over multiple tenants at the same time. ++## Run cross-tenant queries ++In multi-tenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the **Queries** tab. Select a tenant to view the queries available under each one. ++Once you have loaded the query in the query editor, you can then specify the scope of the query by tenant by selecting **Tenant scope**: ++ :::image type="content" source="../../media/defender/mto-cross-tenants-query.png" alt-text="Screenshot of the Microsoft 365 Defender cross tenants advanced hunting query page" lightbox="../../media/defender/mto-cross-tenants-query.png"::: ++This opens a side pane from which you can specify the tenants to include in the query: ++ :::image type="content" source="../../media/defender/mto-cross-tenants-sidepane.png" alt-text="Screenshot of the Microsoft 365 Defender cross tenants advanced hunting query side pane scope" lightbox="../../media/defender/mto-cross-tenants-sidepane.png"::: ++Select the tenants you want to include in your query. Select **Apply**, then **Run query**. 
++>[!NOTE] +> Queries that use the `join` operator are currently not supported in multi-tenant management advanced hunting. ++The query results contain the tenant ID: ++ :::image type="content" source="../../media/defender/mto-cross-tenants-query-tenant-id.png" alt-text="Screenshot of the Microsoft 365 Defender ross tenants advanced hunting query scope column" lightbox="../../media/defender/mto-cross-tenants-query-tenant-id.png"::: ++To learn more about advanced hunting in Microsoft 365 Defender, read [Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](advanced-hunting-overview.md). ++## Custom detection rules ++Likewise, you can manage custom detection rules from multiple tenants in the custom detection rules page. ++### View custom detection rules by tenant ++1. To view custom detection rules, go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in multi-tenant management in Microsoft 365 Defender. +2. View the **Tenant name** column to see which tenant the detection rule comes from: ++ :::image type="content" source="../../media/defender/mto-custom-detection-tenant-name.png" alt-text="Screenshot of the Microsoft 365 Defender multi-tenant custom detection page" lightbox="../../media/defender/mto-custom-detection-tenant-name.png"::: ++To view only a specific tenantΓÇÖs custom detection rules, select **Filter**, choose the tenant or tenants and select **Apply**. ++To read more about custom detection rules, read [Custom detections overview](custom-detections-overview.md). ++### Manage custom detection rules ++You can **Run**, **Turn off**, and **Delete** detection rules from multi-tenant management in Microsoft 365 Defender. ++To manage detection rules: ++1. Go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in multi-tenant management in Microsoft 365 Defender +2. 
Choose the detection rule you want to manage ++When you select a single detection rule, a flyout panel opens with the detection rule details: ++ :::image type="content" source="../../media/defender/custom-detection-rule-details.png" alt-text="Screenshot of the Microsoft 365 Defender custom detection rule details page" lightbox="../../media/defender/custom-detection-rule-details.png"::: ++Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft 365 Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](./custom-detection-rules.md). |
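Review bot: The alt-text for mto-cross-tenants-query-tenant-id.png reads "Microsoft 365 Defender ross tenants advanced hunting query scope column"; "ross" should be "cross". The note that queries using the `join` operator are not supported comes after the instruction to select **Run query**; moving it above the run step would let readers see the limitation before they hit it. Step 1 under "To manage detection rules" also lacks the terminal period that the other numbered steps have.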
security | Mto Dashboard | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-dashboard.md | + + Title: Vulnerability management in multi-tenant management +description: Learn about the capabilities of the vulnerability management dashboard in multi-tenant management in Microsoft 365 Defender +search.appverid: met150 +++++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - highpri + - tier1 + Last updated : 09/01/2023+++# Vulnerability management in multi-tenant management ++**Applies to:** ++- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +++## Microsoft Defender Vulnerability Management dashboard ++You can use the Defender Vulnerability Management dashboard in multi-tenant management to view aggregated and summarized information across all tenants, such as: ++- Your exposure score and exposure level for devices across all tenants. +- Your most exposed tenants along with details of the number of weaknesses, exposed devices, and available recommendations for each tenant. ++ :::image type="content" source="../../medivm-dashboard.png"::: ++The Defender Vulnerability Management dashboard in multi-tenant management provides the following information across all the tenants you have access to: ++|Area|Description| +||| +|**Organization Exposure score**|See the current state of your organization's device exposure to threats and vulnerabilities across all tenants.| +|**Most exposed tenants**|Real time visibility into the tenants with the highest current exposure level.| +|**Tenants with the largest increase in exposure**|Identify tenants with the largest increase in exposure over the last 30 days.| +|**Device exposure distribution**|See how many devices are exposed based on their exposure level, across all tenants. 
Select a section in the doughnut chart to see the number of exposed devices at each level.| +|**Tenant exposure distribution**|View a summary of exposed tenants aggregated by exposure level.| ++## Tenant vulnerability details ++The **Tenants page** under **Vulnerability management** includes vulnerability information for all tenants, and at a tenant-specific level, such as exposed devices, security recommendations, weaknesses, and critical CVEs. ++ :::image type="content" source="../../media/defender/mto-multi-tenant-view.png" alt-text="Screenshot of multi-tenant vulnerability management in Microsoft 365 Defender" lightbox="../../media/defender/mto-multi-tenant-view.png"::: ++At the top of the page, you can view the number of tenants and the aggregate number of: ++- Exposed devices +- Critical CVEs +- High severity CVEs +- Security recommendations ++Select a tenant name to navigate to the Defender Vulnerability Management dashboard for that tenant in the [Microsoft 365 Defender](https://security.microsoft.com/machines) portal. ++For more information, see [Microsoft Defender Vulnerability Management dashboard](../defender-vulnerability-management/tvm-dashboard-insights.md). ++## Related articles ++- [Exposure score](../defender-vulnerability-management/tvm-exposure-score.md) +- [Security recommendations](../defender-vulnerability-management/tvm-security-recommendation.md) |
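Review bot: In "Tenant vulnerability details", the sentence "Select a tenant name to navigate to the Defender Vulnerability Management dashboard for that tenant" links to https://security.microsoft.com/machines, whose path does not match the dashboard the sentence describes. Point the link at the dashboard, or change the sentence to name the page the link actually opens. In the same section, "The **Tenants page**" bolds the word "page" along with the UI label; bold only **Tenants**.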
security | Mto Incidents Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-incidents-alerts.md | + + Title: View and manage incidents and alerts in multi-tenant management in Microsoft 365 Defender +description: Learn about incidents and alerts in multi-tenant management in Microsoft 365 Defender +search.appverid: met150 +++++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - highpri + - tier1 + Last updated : 09/01/2023+++# View and manage incidents and alerts ++**Applies to:** ++- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +++Multi-tenant management in Microsoft 365 Defender enables security operation center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats. ++You can manage incidents & alerts originating from multiple tenants under **Incidents & alerts**. ++## View and investigate incidents ++1. To View or investigate an incident, go to the [Incidents page](https://mto.security.microsoft.com/incidents) in multi-tenant management in Microsoft 365 Defender. The **Tenant name** column shows which tenant the incident originates from: ++ :::image type="content" source="../../media/defender/mto-incidents.png" alt-text="Screenshot of the Microsoft 365 Defender multi-tenant incidents page" lightbox="../../media/defender/mto-incidents.png"::: ++2. Select the incident you want to view. A flyout panel opens with the incident details page: ++ :::image type="content" source="../../media/defender/mto-incident-details.png" alt-text="Screenshot of the Microsoft 365 Defender incidents details page" lightbox="../../media/defender/mto-incident-details.png"::: ++3. From the incident details page you can: ++- Select **Open incident page** to view this incident in a new tab for the specific tenant in the [Microsoft 365 Defender portal](https://security.microsoft.com). 
+- Select **Manage incident** to assign the incident, set incident tags, set the incident status, and classify the incident. ++To learn more, see [Investigate incidents](../defender-endpoint/investigate-incidents.md). ++## Manage multiple incidents ++To manage incidents across multiple tenants: ++1. Go to the [Incidents page](https://mto.security.microsoft.com/incidents) in multi-tenant management. +2. Choose the incidents you want to manage from the incidents list and select **Manage incidents**. ++ :::image type="content" source="../../media/defender/mto-manage-incidents.png" alt-text="Screenshot of the Microsoft 365 Defender incidents page" lightbox="../../media/defender/mto-manage-incidents.png"::: ++On the incidents fly-out you can assign incidents, assign incidents tags, set the incident status, and classify multiple incidents for multiple tenants simultaneously. ++>[!Note] +> Currently, you can only assign multiple incidents from same tenant. ++To learn more about incidents in the Microsoft 365 Defender portal, see [Manage incidents](../defender-endpoint/manage-incidents.md). ++## View and investigate alerts ++1. To view or investigate an alert, go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multi-tenant management and select the alert you want to view. A flyout panel opens with the alert details page: ++ :::image type="content" source="../../media/defender/mto-alerts-details.png" alt-text="Screenshot of the Microsoft 365 Defender alert details page" lightbox="../../media/defender/mto-alerts-details.png"::: ++2. From the alert details page you can: ++- Select actions such as **Open alerts page**, **See in timeline**, and **Tune alert** to view this alert in a new tab for the specific tenant in the [Microsoft 365 Defender portal](https://security.microsoft.com). +- Select **Manage alert** to assign the alert, set the alert status, and classify the alert. 
++To learn more, see [Investigate alerts](../defender-endpoint/investigate-alerts.md). ++## Manage multiple alerts ++To manage alerts across multiple tenants: ++1. Go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multi-tenant management. +2. Choose the alerts you want to manage from the alerts list and select **Manage alerts**. ++ :::image type="content" source="../../media/defender/mto-manage-alerts.png" alt-text="Screenshot of the Microsoft 365 Defender alerts page" lightbox="../../media/defender/mto-manage-alerts.png"::: ++On the alert fly-out you can assign alerts, set the alert status, and classify the alerts for multiple tenants simultaneously. ++> [!Note] +> Currently, you can only assign multiple alerts from same tenant. +To learn more about alerts in the Microsoft 365 Defender portal, see [Manage alerts](../defender-endpoint/manage-alerts.md). + |
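Review bot: At the end of "Manage multiple alerts", the `[!Note]` block is followed directly by "To learn more about alerts in the Microsoft 365 Defender portal..." with no blank line, so that paragraph will render as part of the note; add an empty line as the incidents section does. In both "Manage multiple" sections, the note "you can only assign multiple incidents from same tenant" follows a sentence saying you can assign "for multiple tenants simultaneously"; state the assignment limit in that sentence so the two don't contradict each other. The alert details bullet says **See in timeline** and **Tune alert** "view this alert in a new tab", which reads as copied from the incident bullet and should be confirmed. Smaller points: "To View" should be lower-case, "assign incidents tags" should be "assign incident tags", "from same tenant" needs "the", and the bullets under step 3 (incidents) and step 2 (alerts) should be indented so they stay inside the numbered step.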
security | Mto Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-overview.md | + + Title: Multi-tenant management in Microsoft 365 Defender +description: Overview of multi-tenant management in Microsoft 365 Defender. +++++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - highpri + - tier1 + Last updated : 09/01/2023+++# Overview of multi-tenant management in Microsoft 365 Defender ++**Applies to:** ++- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +++>[!Tip] +>To learn how to turn on preview features, see [Microsoft 365 Defender preview features](preview.md). ++Managing multi-tenant environments can add an additional layer of complexity when it comes to keeping up with the ever-evolving security threats facing your enterprise. Navigating across multiple tenants can be time consuming and reduce the overall efficiency of security operation center (SOC) teams. ++Multi-tenant management in Microsoft 365 Defender was designed to provide security operation teams with a single, unified view of all the tenants they manage. This view enables teams to quickly investigate incidents and perform advanced hunting across data from multiple tenants, improving their security operations. ++>[!Tip] +>To learn more about multi-tenant organizations, see [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations/). ++Some of the key benefits you get with multi-tenant management in Microsoft 365 Defender include: ++- **A centralized place to manage incidents across tenants**: A unified view provides SOC analysts with all the information they need for incident investigation across multiple tenants, eliminating the need to sign in and out of each one. 
++- **Streamlined threat hunting**: Multi-tenancy support enables SOC teams use Microsoft 365 Defender advanced hunting capabilities to create KQL queries that will proactively hunt for threats across multiple tenants. ++- **Multi-customer management for partners**: Managed Security Service Provider (MSSP) partners can now gain visibility into security incidents, alerts, and threat hunting across multiple customers through a single pane of glass. ++## What's included in multi-tenant management in Microsoft 365 Defender ++The following key capabilities are available for each tenant you have access to in multi-tenant management in Microsoft 365 Defender: ++| Capability | Description | +| | | +|**Incidents & alerts** > **Incidents** | Manage incidents originating from multiple tenants.| +|**Incidents & alerts** > **Alerts** | Manage alerts originating from multiple tenants. | +|**Hunting** > **Advanced hunting**| Proactively hunt for intrusion attempts and breach activity across multiple tenants at the same time.| +|**Hunting** > **Custom detection rules**|View and manage custom detection rules across multiple tenants.| +|**Assets** > **Devices** > **Tenants**| For all tenants and at a tenant-specific level, explore the device counts across different values such as device type, device value, onboarding status, and risk status.| +|**Endpoints** >**Vulnerability Management** > **Dashboard** |The Microsoft Defender Vulnerability Management dashboard provides both security administrators and security operations teams with aggregated vulnerability management information across multiple tenants. | +|**Endpoints** > **Vulnerability management** > **Tenants** |For all tenants and at a tenant-specific level, explore vulnerability management information across different values such as exposed devices, security recommendations, weaknesses, and critical CVEs. | +|**Configuration** > **Settings**|Lists the tenants you have access to. 
Use this page to view and manage your tenants.| ++## Next steps ++- [Set up multi-tenant management in Microsoft 365 Defender](mto-requirements.md) |
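Review bot: In the capability table, the dashboard row uses **Vulnerability Management** while the next row uses **Vulnerability management**, and the dashboard row is missing the space after `>`; match the label used in the portal in both rows. The opening tip points to preview features, but nothing in the article says multi-tenant management is in preview; say so explicitly or drop the tip. In the benefits list, "enables SOC teams use" needs "to", and "add an additional layer" in the introduction is redundant.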
security | Mto Requirements | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-requirements.md | + + Title: Set up multi-tenant management in Microsoft 365 Defender +description: Learn what steps you need to take to get started with multi-tenant management in Microsoft 365 Defender +++++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - highpri + - tier1 + Last updated : 09/01/2023+++# Set up multi-tenant management in Microsoft 365 Defender ++**Applies to:** ++- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +++This article describes the steps you need to take to start using multi-tenant management in Microsoft 365 Defender. ++1. [Review the requirements](#review-the-requirements) +2. [Verify your tenant access](#verify-your-tenant-access) +3. [Set up multi-tenant management in Microsoft 365 Defender](#set-up-multi-tenant-management) ++>[!Note] +> [Data privacy](data-privacy.md), [role-based access control (RBAC)](m365d-permissions.md) and [Licensing](prerequisites.md#licensing-requirements) are respected by multi-tenant management in Microsoft 365 Defender. ++## Review the requirements ++The following table lists the basic requirements you need to use multi-tenant management in Microsoft 365 Defender. ++| Requirement | Description | +|:|:| +| Microsoft 365 Defender prerequisites | Verify you meet the [Microsoft 365 Defender prerequisites](prerequisites.md)| +| Multi-tenant access | To view and manage the data you have access to in multi-tenant management, you need to ensure you have the necessary access. 
For each tenant you want to view and manage, you need to have either: <br/> <br/> - [Granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction) <br/> - [Azure Active Directory B2B authentication](/azure/active-directory/external-identities/what-is-b2b) <br/> <br/> To learn more about how to synchronize multiple B2B users across tenants, see [Configure cross-tenant synchronization](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure).| +| Permissions | Users must be assigned the correct roles and permission,s at the individual tenant level, in order to view and manage the associated data in multi-tenant management. To learn more, see: <br/><br/> - [Manage access to Microsoft 365 Defender with Azure Active Directory global roles](./m365d-permissions.md) <br/> - [Custom roles in role-based access control for Microsoft 365 Defender](./custom-roles.md)<br/><br/> To learn how to grant permissions for multiple users at scale, see [What is entitlement management](/azure/active-directory/governance/entitlement-management-overview).| ++>[!Note] +> Setting up [multi-factor authentication trust](/azure/active-directory/external-identities/authentication-conditional-access) is highly recommended for each tenant to avoid missing data in multi-tenant management Microsoft 365 Defender. ++## Verify your tenant access ++In order to view and manage the data you have access to in multi-tenant management, you need to ensure you have the necessary permissions. For each tenant you want to view and manage, you need to either: ++- [Verify your tenant access with Azure Active Directory B2B](#verify-your-tenant-access-with-azure-active-directory-b2b) +- [Verify your tenant access with GDAP](#verify-your-tenant-access-with-gdap) ++### Verify your tenant access with Azure Active Directory B2B ++1. Go to [My account](https://myaccount.microsoft.com/organizations) +2. 
Under **Organizations > Other organizations you collaborate with** see the list of organizations you have guest access to. ++ :::image type="content" source="../../media/defender/mto-myaccount.png" alt-text="Screenshot of organizations in the myaccount portal" lightbox="../../media/defender/mto-myaccount.png"::: ++3. Verify all the tenants you plan to manage appear in the list. +4. For each tenant, go to the [Microsoft 365 Defender portal](https://security.microsoft.com/?tid=tenant_id) and sign in to validate you can successfully access the tenant. ++### Verify your tenant access with GDAP ++1. Go to the [Microsoft Partner Center](https://partner.microsoft.com/commerce/granularadminaccess/list). +2. Under **Customers** you can find the list of organizations you have guest access to. +3. Verify all the tenants you plan to manage appear in the list. +4. For each tenant, go to the [Microsoft 365 Defender portal](https://security.microsoft.com/?tid=tenant_id) and sign in to validate you can successfully access the tenant. ++## Set up multi-tenant management ++The first time you use multi-tenant management in Microsoft 365 Defender, you need setup the tenants you want to view and manage. To get started: ++1. Sign in to [Multi-tenant management in Microsoft 365 Defender](https://mto.security.microsoft.com/). +2. Select **Add tenants**. ++ :::image type="content" source="../../media/defender/mto-add-tenants.png" alt-text="Screenshot of the Microsoft 365 Defender multi-tenant portal setup screen" lightbox="../../media/defender/mto-add-tenants.png"::: ++3. Choose the tenants you want to manage and select **Add**. ++The features available in multi-tenant management now appear on the navigation bar and you're ready to view and manage security data across all your tenants. 
++ :::image type="content" source="../../media/defender/mto-tenant-selection.png" alt-text="Screenshot of multi-tenant management in Microsoft 365 Defender" lightbox="../../media/defender/mto-tenant-selection.png"::: ++## Next step ++Use these articles to get started with multi-tenant management in Microsoft 365 Defender: ++- [View and manage incidents and alerts](./mto-incidents-alerts.md) +- [Advanced hunting](./mto-advanced-hunting.md) +- [Multi-tenant devices](./mto-tenant-devices.md) +- [Vulnerability management](./mto-dashboard.md) +- [Manage tenants](./mto-tenants.md) |
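Review bot: Step 4 of both "Verify your tenant access" procedures links to `https://security.microsoft.com/?tid=tenant_id` with the literal placeholder `tenant_id`; tell the reader to replace it with the ID of the tenant being checked, or show the URL as code instead of a clickable link. In the GDAP procedure, step 2 repeats "organizations you have guest access to" from the B2B procedure; confirm that wording applies to GDAP customers. Typos in the requirements table and below: "permission,s", "you need setup" (should be "you need to set up"), and "multi-tenant management Microsoft 365 Defender" in the MFA note is missing "in". The closing heading is "Next step" but lists five articles; the overview article uses "Next steps".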
security | Mto Tenant Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-tenant-devices.md | + + Title: Devices in multi-tenant management +description: Learn about multi-tenant device view in multi-tenant management of the Microsoft 365 Defender +search.appverid: met150 +++++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - highpri + - tier1 + Last updated : 09/01/2023+++# Multi-tenant devices ++**Applies to:** ++- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +++## Tenant device list ++The Tenants page in multi-tenant management lists each tenant you have access to. For each tenant, the page includes details such as the number of devices and device types, the number of high value and high exposure devices, and the number of devices available to onboard: ++ :::image type="content" source="../../media/defender/mto-tenant-page.png" alt-text="Screenshot of the Microsoft 365 Defender multi-tenant device list" lightbox="../../media/defender/mto-tenant-page.png"::: ++At the top of the page, you can view the number of tenants and the number of devices onboarded or discovered, across all tenants. You can also see the aggregate number of devices identified as: ++- High risk +- High exposure +- Internet facing +- Can be onboarded +- Newly discovered +- High value ++Select a tenant name to navigate to the device inventory for that tenant in the [Microsoft 365 Defender](https://security.microsoft.com/machines) portal where all data and inventory-related actions are available. ++For more information, see [Device inventory](../defender-endpoint/machines-view-overview.md). + |
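Review bot: The front-matter description "multi-tenant management of the Microsoft 365 Defender" should read "multi-tenant management in Microsoft 365 Defender", as in the other new articles. The body refers to "The Tenants page" without a link or bold label, while the sibling articles link the page they describe; add the link so readers can reach it from here.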
security | Mto Tenants | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-tenants.md | + + Title: Manage tenants with multi-tenant management in Microsoft 365 Defender +description: Learn about the tenant list in multi-tenant management in Microsoft 365 Defender +search.appverid: met150 +++++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - highpri + - tier1 + Last updated : 09/01/2023+++# Manage tenants ++**Applies to:** ++- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +++## View the tenants page ++To view the list of tenants that appear in multi-tenant management, go to [Settings page](https://mto.security.microsoft.com/mtosettings) in multi-tenant management in Microsoft 365 Defender: ++ :::image type="content" source="../../media/defender/mto-tenant-settings.png" alt-text="Screenshot of multi-tenant management in Microsoft 365 Defender" lightbox="../../media/defender/mto-tenant-settings.png"::: ++From the **Settings** page you can: ++- **Add a tenant**: Select **Add tenants** > Choose the tenants to want to add > Select **Add tenant**. +- Select a tenant from the list to open the [Microsoft 365 Defender portal](https://security.microsoft.com) for that tenant. +- **Remove a tenant**: Select the tenant you'd like to remove > select **Remove**. ++## Multi-tenant management status indicator ++The multi-tenant management status indicator provides information on whether data issues exist for the page you're viewing, such as data loading issues or permissions issues. The indicator appears in the bottom right corner of the page: ++When no issue exists, the status indicator is a green tick: ++-  ++When an issue exists, the status indicator shows a red warning sign: ++-  ++Hovering over the red warning sign displays the issues that have occurred and the tenant information. By expanding each section, you see all the tenants with this issue. ++-  + |
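Review bot: In the "From the **Settings** page you can" list, "Choose the tenants to want to add" should read "you want to add", and the button is named **Add tenant** here but **Add** in the set-up article; use the portal's label in both. The middle bullet has no bold action label, unlike the other two. In the status indicator section, the three bullets that follow the green tick, red warning sign and hover descriptions are empty in this diff, and "The indicator appears in the bottom right corner of the page:" ends in a colon with nothing after it; check that the image references are present and have alt text.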
security | Opt Out Of Preview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/opt-out-of-preview.md | - Title: How to opt out of Microsoft Defender Experts for XDR preview- -description: Consult your Service Delivery Manager (SDM) to opt out of the preview. -keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, real-time visibility with XDR experts, threat hunting and analysis -search.product: Windows 10 ---ms.sitesec: library -ms.pagetype: security ----- - m365-security - - tier1 - Previously updated : 11/17/2022---# Opt out of Microsoft Defender Experts for XDR preview --Consult your service delivery manager (SDM) to opt out of the preview. |
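Review bot: This removes the whole opt-out article; confirm that a redirect is in place and that no remaining article still links to opt-out-of-preview.md, since the diff shows only the deletion.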
security | Anti Phishing Policies About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-about.md | The relationship between spoof intelligence and whether sender DMARC policies ar | |Honor DMARC policy On|Honor DMARC policy Off| ||||-|**Spoof intelligence On**|Separate actions for implicit and explicit email authentication failures: <ul><li>Implicit failures use the **If the message is detected as spoof by spoof intelligence** action the anti-phishing policy.</li><li>Explicit failures for `p=quarantine` and `p=reject` DMARC policies use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** and **If the message is detected as spoof and DMARC policy is set as p=reject** actions in the anti-phishing policy.</li></ul>|The **If the message is detected as spoof by spoof intelligence** action in the anti-phishing policy is used for both implicit and explicit email authentication failures. In other words, explicit email authentication failures ignore `p=quarantine` and `p=reject` in the DMARC policy.| -|**Spoof intelligence Off**|Implicit email authentication checks aren't used. Explicit email authentication failures for `p=quarantine` and `p=reject` DMARC policies use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** and **If the message is detected as spoof and DMARC policy is set as p=reject** actions in anti-phishing policies.|Implicit email authentication checks aren't used. 
Explicit email authentication failures for `p=quarantine` DMARC policies are quarantined, and failures for `p=reject` DMARC policies are quarantined.| +|**Spoof intelligence On**|Separate actions for implicit and explicit email authentication failures: <ul><li><u>Implicit failures</u>: Use the **If the message is detected as spoof by spoof intelligence** action in the anti-phishing policy.</li><li><u>Explicit failures</u>: <ul><li>DMARC policy `p=quarantine`: Use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** action in the anti-phishing policy.</li><li>DMARC policy `p=reject`: Use the **If the message is detected as spoof and DMARC policy is set as p=reject** action in the anti-phishing policy.</li><li>DMARC policy `p=none` or other values: Use the **If the message is detected as spoof by spoof intelligence** action in the anti-phishing policy.</li></ul></li></ul>|The **If the message is detected as spoof by spoof intelligence** action in the anti-phishing policy is used for both implicit and explicit email authentication failures. Explicit email authentication failures ignore `p=quarantine`, `p=reject`, `p=none`, or other values in the DMARC policy.| +|**Spoof intelligence Off**|Implicit email authentication checks aren't used. <br/><br/> Explicit email authentication failures: <ul><li>DMARC policy `p=quarantine`: Use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** action in the anti-phishing policy.</li><li>DMARC policy `p=reject`: Use the **If the message is detected as spoof and DMARC policy is set as p=reject** action in the anti-phishing policy.</li><li>DMARC policy `p=none`: The message isn't identified as spoofing by Microsoft 365, but other protection features in the filtering stack are still able to act on the message.</li></ul>|Implicit email authentication checks aren't used. 
<br/><br/> Explicit email authentication failures: <ul><li>DMARC policy `p=quarantine`: Messages are quarantined.</li><li>DMARC policy `p=reject`: Messages are quarantined.</li><li>DMARC policy `p=none`: The message isn't identified as spoofing by Microsoft 365, but other protection features in the filtering stack are still able to act on the message.| > [!NOTE] > If the MX record for the domain points to a third-party service or device that sits in front of Microsoft 365, the **Honor DMARC policy** setting is applied only if [Enhanced Filtering for Connectors](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) is enabled for the connector that receives inbound messages. |
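Review bot: The last cell of the **Spoof intelligence Off** row (Honor DMARC policy Off) opens `<ul>` with three `<li>` items but ends at "still able to act on the message.|" without `</li></ul>`, while the neighbouring cell closes its list; add the closing tags so the table row renders correctly. The **Spoof intelligence On** row covers "`p=none` or other values", but both **Spoof intelligence Off** cells list only `p=none`; either state what happens for other values there or use the same wording in all cells.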