+ Title: "Compliance capabilities for SharePoint data in Microsoft 365"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: high

+search.appverid:

+- MOE150

+- MET150

+recommendations: false

+description: "Learn about information governance, information protection, eDiscovery, and auditing capabilities in SharePoint in Microsoft 365."

+# Learn about compliance for SharePoint

+Microsoft 365 offers a full suite of tools and capabilities to maintain compliance for data stored in SharePoint and as your users collaborate in SharePoint. Review these capabilities and consider how they map to your business needs, the sensitivity of your data, and the scope of people that your users need to collaborate with.

+This article provides a quick reference (and links to more information) for the compliance capabilities for SharePoint that are available in Microsoft 365.

+## Information barriers

+Use information barriers to create policies that allow or prevent file collaboration between groups of people in your organization. The following table describes user segmentation capabilities of information barriers.

+|Capability|What problems does it solve?|Get started|

+|:|:|:-|

+|[Information barriers](/microsoft-365/compliance/information-barriers) | Segment your SharePoint data and users to restrict unwanted communication and collaboration between groups and avoid conflicts of interest in your organization | [Use information barriers with SharePoint](/sharepoint/information-barriers)|

+## Information protection

+Microsoft Information Protection (MIP) capabilities included with Microsoft Purview help you discover, classify, and protect sensitive information in SharePoint. The follow sections describe the MIP capabilities included with Microsoft Purview and give you the tools to [know your data](#know-your-data), [protect your data](#protect-your-data), and [prevent data loss](#prevent-data-loss).

+### Know your data

+The following table describes capabilities to help you your SharePoint data landscape and identify sensitive data across your hybrid environment.

+|Capability|What problems does it solve?|Get started|

+|:|:|:--|

+|[Sensitive information types](/microsoft-365/compliance/sensitive-information-type-learn-about)| Identifies sensitive data by using built-in or custom regular expressions or a function. Corroborative evidence includes keywords, confidence levels, and proximity.| [Customize a built-in sensitive information type](/microsoft-365/compliance/customize-a-built-in-sensitive-information-type)|

+|[Trainable classifiers](/microsoft-365/compliance/classifier-learn-about)| Identifies sensitive data by using examples of the data you're interested in rather than identifying elements in the item (pattern matching). You can use built-in classifiers or train a classifier with your own content.| [Get started with trainable classifiers](/microsoft-365/compliance/classifier-get-started-with) |

+|[Data classification](/microsoft-365/compliance/data-classification-overview) | A graphical identification of items in your organization that have a sensitivity label, a retention label, or have been classified. You can also use this information to gain insights into the actions that your users are taking on these items. | [Get started with content explorer](/microsoft-365/compliance/data-classification-content-explorer) <p> [Get started with activity explorer](/microsoft-365/compliance/data-classification-activity-explorer) |

+### Protect your data

+The following table describes protection actions that include encryption, access restrictions, and visual markings to documents stored in SharePoint.

+|Capability|What problems does it solve?|Get started|

+|:|:||

+|[Sensitivity labels](/microsoft-365/compliance/sensitivity-labels)| A single solution across apps, services, and devices to label and protect your data as it travels inside and outside your organization. <br /><br /> Example scenarios: <br />- [Manage sensitivity labels for Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps) <br />- [Encrypt documents](/microsoft-365/compliance/encryption-sensitivity-labels) <br />|[Get started with sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels) |

+|[Double Key Encryption](/microsoft-365/compliance/double-key-encryption)| Under all circumstances, only your organization can ever decrypt protected content or for regulatory requirements, you must hold encryption keys within a geographical boundary. | [Deploy Double Key Encryption](/microsoft-365/compliance/double-key-encryption#deploy-dke)|

+|[Service encryption with Microsoft Purview Customer Key](/microsoft-365/compliance/customer-key-overview) | Protects against viewing of data by unauthorized systems or personnel, and complements BitLocker disk encryption in Microsoft datacenters. | [Set up Customer Key for Office 365](/microsoft-365/compliance/customer-key-set-up)|

+|[SharePoint Information Rights Management (IRM)](/microsoft-365/compliance/set-up-irm-in-sp-admin-center#irm-enable-sharepoint-document-libraries-and-lists)|Protects SharePoint lists and libraries so that when a user checks out a document, the downloaded file is protected so that only authorized people can view and use the file according to policies that you specify. | [Set up Information Rights Management (IRM) in SharePoint admin center](/microsoft-365/compliance/set-up-irm-in-sp-admin-center)|

+[Rights Management connector](/azure/information-protection/deploy-rms-connector) |Protection-only for existing on-premises deployments that use SharePoint Server, or file servers that run Windows Server and File Classification Infrastructure (FCI). | [Steps to deploy the RMS connector](/azure/information-protection/deploy-rms-connector#steps-to-deploy-the-rms-connector)

+|[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)| Discovers, labels, and protects sensitive information that resides in data stores that are in the cloud. | [Discover, classify, label, and protect regulated and sensitive data stored in the cloud](/cloud-app-security/best-practices#discover-classify-label-and-protect-regulated-and-sensitive-data-stored-in-the-cloud)|

+### Prevent data loss

+The following table describes data loss prevention capabilities that help you prevent accidental oversharing of sensitive information in SharePoint.

+|Capability|What problems does it solve?|Get started|

+|:|:|:|

+|[Data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp)| Helps prevent unintentional sharing of sensitive items. | [Get started with the default DLP policy](/microsoft-365/compliance/get-started-with-the-default-dlp-policy)|

+|[Microsoft 365 data loss prevention on-premises scanner](/microsoft-365/compliance/dlp-on-premises-scanner-learn)|Extends DLP monitoring of file activities and protective actions for those files to on-premises file shares and SharePoint folders and document libraries.|[Get started with Microsoft 365 data loss prevention on-premises scanner (preview)](/microsoft-365/compliance/dlp-on-premises-scanner-get-started)|

+## Information governance

+Use Microsoft Information Governance capabilities in Microsoft 365 to govern your SharePoint content for compliance or regulatory requirements. The following table describes the capabilities to help you keep the content you need you and delete what you don't need.

+|Capability|What problems does it solve?|Get started|

+|:|:|:-|

+|[Retention policies and retention labels](/microsoft-365/compliance/retention)<br /><br />[Learn about retention for SharePoint and OneDrive](/microsoft-365/compliance/retention-policies-sharepoint) | Retain or delete content with policy management for SharePoint documents | [Create and configure retention policies](/microsoft-365/compliance/create-retention-policies) <br /><br /> [Create retention labels for exceptions to your retention policies](/microsoft-365/compliance/create-retention-labels-information-governance)|

+## Records management

+The following table describes the lifecycle management capabilities to manage high-value SharePoint items for legal, business, or regulatory obligations.

+|Capability|What problems does it solve?|Get started|

+|:|:|:-|

+|[Records management](/microsoft-365/compliance/records-management)| A single solution for documents that incorporates flexible retention and deletion schedules and requirements to support the full lifecycle of your content with records declaration and defensible disposition when needed |[Get started with records management](/microsoft-365/compliance/get-started-with-records-management) |

+## eDiscovery

+Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used in internal and external investigations, and as evidence in legal cases. You can use eDiscovery tools in Microsoft Purview to search for content in SharePoint and OneDrive (as well as other Microsoft 365 services such as Exchange Online and Microsoft Teams). For more information, see [eDiscovery solutions in Microsoft Purview](/microsoft-365/compliance/ediscovery).

+The following table describes the eDiscovery tools to search for, preserve, review, and export content stored in SharePoint.

+|Capability|What problems does it solve?|Get started|

+|:|:|:-|

+|[Content search](/microsoft-365/compliance/content-search)| Best used as a search tool to discover content in internal investigations and for responding to security incidents.|[Search for content using the Content search tool](/microsoft-365/compliance/search-for-content) |

+|[eDiscovery (Standard)](/microsoft-365/compliance/get-started-core-ediscovery)|Lets you create eDiscovery cases and assign eDiscovery managers to specific cases. eDiscovery (Standard) also lets you associate searches and exports with a case and lets you preserve content that's relevant to the case.| [Create an eDiscovery hold](/microsoft-365/compliance/create-ediscovery-holds)<br /><br /> [Search for content in an case](/microsoft-365/compliance/search-for-content-in-core-ediscovery)<br /><br />[Export content from a case](/microsoft-365/compliance/export-content-in-core-ediscovery)|

+|[eDiscovery (Premium)](/microsoft-365/compliance/overview-ediscovery-20)| Provides an end-to-end workflow to identify, preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. |[Set up eDiscovery (Premium)](/microsoft-365/compliance/get-started-with-advanced-ediscovery) |

+## Auditing

+Microsoft 365 auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Hundreds of user and admin operations performed in SharePoint and OneDrive (as well as thousands of operations for other Microsoft 365 services) are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by IT admins, compliance, and legal investigators in your organization. This capability provides visibility into SharePoint activities performed across your Microsoft 365 organization. For more information, see [Auditing solutions in Microsoft Purview](/microsoft-365/compliance/auditing-solutions-overview).

+The following table describes auditing capabilities in Microsoft Purview.

+|Capability|What problems does it solve?|Get started|

+|:|:|:-|

+|[Audit (Standard)](/microsoft-365/compliance/set-up-basic-audit)|Provides the ability to log and search for audited activities in SharePoint and OneDrive.|[Search the audit log](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance)<br /><br /> [Audited activities](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#audited-activities) <br /><br /> [Use sharing auditing in the audit log](/microsoft-365/compliance/use-sharing-auditing)|

+|[Audit (Premium)](/microsoft-365/compliance/advanced-audit)|Builds on the capabilities of Audit (Standard) by providing audit log retention policies, longer retention of audit records, and high-value crucial events, such as when a person searches for items in SharePoint. |[Set up Audit (Premium)](/microsoft-365/compliance/set-up-advanced-audit)|

+ The **eDiscovery (Standard)** page is displayed.

+**Purchase and assign licenses**. SharePoint comes with Microsoft 365 plans and Office 365 plans. It also comes as a standalone plan. For more info about the features available in each plan, see the [SharePoint service description](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-service-description). Some security features, such as Azure Information Protection, require an E3 or E5 plan. Cloud App Security, Advanced Threat Protection, Customer Lockbox, Customer Key, eDiscovery (Premium). For info, [see Office 365 platform service description](/office365/servicedescriptions/office-365-platform-service-description/office-365-platform-service-description).

+Loop components, Whiteboard on OneDrive, and OneNote collaborative Meeting Notes are discoverable but have limited eDiscovery workflow support. Currently, these files are stored in the creatorΓÇÖs OneDrive for Business and are available for search and collection in both eDiscovery (Standard) and eDiscovery (Premium). However, they do not render in preview and the export format for review is not consumable by existing tools. To view the exported content, upload them to any OneDrive for Business.

+### Which option to select

+**Link expiration** - You can require all "Anyone" links to expire, and specify the maximum number of days allowed. If you change the expiration time, existing links will keep their current expiration time if the new setting is longer, or be updated to the new setting if the new setting is shorter.

+ Title: "Accessibility guidelines for SharePoint Server"

+# Accessibility guidelines for SharePoint Server

+Administrators and other users who have administrative responsibilities typically use the SharePoint Central Administration website and the SharePoint Management Shell to manage deployments. The mouse and keyboard are typical devices that administrators use to interact with Central Administration.

+Because SharePoint Server runs as web sites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint Server supports the accessibility features of supported browsers. For more information, see [Plan browser support in SharePoint Server 2016 and 2019](install/browser-support-planning-2016-2019.md) and [Plan browser support in SharePoint Server Subscription Edition](install/browser-support-planning-subscription-edition.md).

+## SharePoint Server conformance statement

+The following SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition conformance statement, VPAT, and EN 301 549 reports are available at [Microsoft Accessibility Conformance Reports](https://cloudblogs.microsoft.com/industry-blog/government/2018/09/11/accessibility-conformance-reports/) You can download the WCAG Conformance Statement and the Section 508 VPAT for SharePoint Server 2016, click the provided link and search for SharePoint Server 2016, SharePoint Server 2019, or SharePoint Server Subscription Edition.

+Many of the accessibility features in SharePoint in Microsoft 365 also apply to SharePoint 2013, SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. For more information about these accessibility features, see the following articles:

+- [Plan browser support in SharePoint Server 2016 and 2019](install/browser-support-planning-2016-2019.md)

+- [Plan browser support in SharePoint Server Subscription Edition](install/browser-support-planning-subscription-edition.md)

+[Accessibility support for enterprise](https://support.microsoft.com/accessibility/enterprise-answer-desk)

+Learn about [eDiscovery (Standard) for SharePoint](/microsoft-365/compliance/get-started-core-ediscovery).

+ Title: "Plan browser support in SharePoint Server Subscription Edition"

+audience: ITPro

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+- IT_Sharepoint_Server

+- IT_Sharepoint_Server_Top

+ms.assetid: ff6c5b8c-59bd-4079-8f0b-de4f8b4e0a86

+description: "Learn about how SharePoint Server Subscription Edition supports Internet Explorer, Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge."

+# Plan browser support in SharePoint Server Subscription Edition

+

+SharePoint Server Subscription Edition supports several commonly used web browsers, such as  Microsoft Edge,  Google Chrome,  Mozilla Firefox,  Apple Safari, and  Internet Explorer. However, certain web browsers can cause SharePoint Server Subscription Edition functionality to be downgraded, limited, or available only through alternative steps.

+> [!NOTE]

+> Internet Explorer 11 is supported only in the SharePoint Central Administration site. Internet Explorer 11 is not supported in Team sites, OneDrive personal sites, or any other types of SharePoint content sites. Microsoft recommends exploring Microsoft Edge as the replacement for Internet Explorer 11.

+As you plan your deployment of SharePoint Server Subscription Edition, we recommend that you review the browsers used in your organization to guarantee optimal performance with SharePoint Server Subscription Edition.

+

+## Key planning phase of browser support

+<a name="section2"> </a>

+Browser support is an important part of your SharePoint Server Subscription Edition implementation. Before you install SharePoint Server, make sure that you know the browsers that SharePoint Server supports. The information in this article describes browser support in the following sections:

+

+- Browser support levels

+

+- Browser details

+

+### Browser support levels in SharePoint Server Subscription Edition

+<a name="supportmatrix"> </a>

+The following table summarizes the support levels of typically used web browsers.

+

+|**Browser**|**Supported**|**Not supported**|

+|:--|:--|:--|

+|Microsoft Edge (Chromium) <br/> |X <br/> ||

+|Microsoft Edge (EdgeHTML - Legacy) <br/> ||X <br/>|

+|Internet Explorer 11 <br/> |X <br/> ||

+|Internet Explorer 10 <br/> ||X <br/> |

+|Internet Explorer 9 <br/> ||X <br/> |

+|Internet Explorer 8 <br/> ||X <br/> |

+|Internet Explorer 7 <br/> ||X <br/> |

+|Internet Explorer 6 <br/> ||X <br/> |

+|Google Chrome (latest released version) <br/> |X <br/> ||

+|Mozilla Firefox (latest released version plus immediate previous version) <br/> |X <br/> ||

+|Apple Safari (latest released version) <br/> |X <br/> ||

+

+### Browser details

+<a name="browserdetail"> </a>

+Review the details of the web browser that you have or plan to use in your organization to ensure that the web browser works with SharePoint Server Subscription Edition, and according to your business needs.

+ **Internet Explorer and older functionalities**

+

+> [!NOTE]

+> Some older SharePoint functionalities that rely on NPAPI or ActiveX will not work on browsers other than Internet Explorer. Since Internet Explorer 11 is no longer supported in all types of SharePoint Sites except Central Administration site, these old functionalities are deprecated as well. Although these functionalities still exist in SharePoint Server Subscription Edition, we recommend not to rely on them anymore.

+

+

+#### Using ActiveX controls in SharePoint Server

+<a name="activex"> </a>

+Some functionalities in SharePoint Server require ActiveX controls. This imposes limitations on browsers that don't support ActiveX. Currently only 32-bit versions of Internet Explorer support this functionality. Since Internet Explorer 11 isn't supported in all types of SharePoint sites except Central Administration site, all supported browsers (including Microsoft Edge) have the following limitations.

+

+|Plugin name |DLL file name |What it does | &nbsp; |Known limitations |

+|:--|:--|:--|:--|:--|

+|Digital Signature <br/> |`Dsigctrl.dll`, `dsigres.dll` <br/> | Digital signing takes place in both the InfoPath client and on the InfoPath Forms Services server. Ensure that the following conditions exist: <br/> Forms that are signed on the client can be verified on the server. <br/> Forms that are signed on the server can be verified on the client. <br/> | <br/> |An inability to verify a form produces an error that states that the form can't be signed. <br/> |

+|NameCtrl <br/> |`Name.dll` <br/> |Enables a webpage to display a contact card and presence status for people. Integrates through client-side APIs with Office client and Skype for Business client. <br/> |

+|TaskLauncher <br/> |`Nameext.dll` <br/> |Used to export items in a task list to Project Server if Project client is installed on the client computer. <br/> | |If software requirements aren't met, an error message states that you need to install Project client. <br/> |

+|SpreadSheetLauncher <br/> |`Owssupp.dll` <br/> |Used to verify whether Excel is installed for Export to Excel feature. <br/> | |If Excel isn't installed, the user may be prompted to download the file `query.iqy` which can then be opened in Excel. <br/> |

+|StssyncHandler <br/> |`Owssupp.dll` <br/> |Enables synchronization of lists of events and lists of contacts in SharePoint with a messaging application such as Outlook. Non-IE clients may have an additional prompt to open the calendar in Outlook. <br/> |

+|ExportDatabase <br/> |`Owssupp.dll` <br/> |Enables a user to use an application such as Access to create or open a database that contains SharePoint list data. <br/> | |To export a list, the client computer must have a SharePoint compatible application. <br/> |

+|OpenDocuments <br/> |`Owssupp.dll` <br/> |Starts Office client applications so that a user can create or edit a document. Enables users to create documents that are based on a specified template, open documents as read-only, or open documents as read/write. <br/> | |If a compatible Office application or browser isn't installed on a client, an error message states that the feature requires a SharePoint compatible application and web browser. <br/> |

+|CopyCtl <br/> |`Stsupld.dll` <br/> |Enables a user to copy a document on a SharePoint site to one or more locations on a server. <br/> | |In Firefox, Google Chrome, and immersive mode of Internet Explorer version 10, the copy progress dialog isn't displayed. <br/> |

+|PPActiveX <br/> |`PPSLAX.dll` <br/> |Starts PowerPoint to open presentations from a slide library or publish individual slides to a slide library. <br/> | |Doesn't work on Click-to-Run installations of Office and version of Office that run on Windows for ARM. <br/> |

+|BCSLauncher <br/> |`BCSLaunch.dll` <br/> |Starts the Visual Studio Tools for Office installer to install a Visual Studio Tools for Office package that has been generated on the server. <br/> |

+Other functionality, such as **Form settings** in **List settings** only function with Internet Explorer.

+

+## Mobile browser support

+<a name="mobile"> </a>

+SharePoint Server Subscription Edition supports the following versions:

+

+- Internet Explorer and Microsoft Edge on Windows Phone 8.1 or later.

+

+- Latest version of Microsoft Edge or Chrome on Android 4.4 or later.

+- Microsoft Edge, Chrome or Safari on iOS10 or later

+> [!NOTE]

+> In SharePoint Server Subscription Edition, we now support OIDC 1.0 authentication. For more information on how to work with this new authentication type, see [OpenID Connect 1.0 authentication](/sharepoint/security-for-sharepoint-server/oidc-1-0-authentication).

+SharePoint Server supports Windows, forms-based, Security Assertion Markup Language(SAML) and Open ID Connect (OIDC)-based claims authentication. For information about how Windows, forms-based and SAML based authentication methods work, see the following videos. For information about how OIDC authentication works, check OIDC setup guide.

+> This information in the videos applies to SharePoint Server 2013, SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition.

+If the SharePoint app doesn't require a SharePoint secured resource to render the page for the user, app authentication isn't needed. For example, a SharePoint app that provides weather forecast information and only has to access a weather information server on the Internet doesn't have to use app authentication.

+To perform app authentication, the application obtains an access token either from the Microsoft Azure Access Control Service (ACS) or by self-signing an access token using a certificate that SharePoint Server trusts. The access token asserts a request for access to a specific SharePoint resource and contains information that identifies the app and the associated user, instead of the validation of the user's credentials. The access token isn't a sign in token.

+For more information, see [Plan for app authentication in SharePoint Server](./plan-for-app-authentication-in-sharepoint-server.md).

+For example, a server running Exchange Server 2016 can request resources of a server running SharePoint Server for a specific user account. This provision contrasts with app authentication, in which the app doesn't have access to user account credential information. The user can be currently signed in to the server making the resource request or not, depending on the service and the request.

+When a server running SharePoint Server attempts to access a resource on a server or a server attempts to access a resource on a server running SharePoint Server, the incoming access request must be authenticated so that the server accepts the incoming access request and subsequent data. Server-to-server authentication verifies that the server running SharePoint Server and the user whom it's representing are trusted.

+The token that is used for a server-to-server authentication is a server-to-server token, not a sign in token. The server-to-server token contains information about the server that requests access and the user account on whose behalf the server is acting.

+2. Start SharePoint Central Administration.

+In federated authentication, SharePoint processes SAML tokens issued by a trusted, external Security Token Service (STS). A user who attempts to sign in is redirected to that STS, which authenticates the user and generates a SAML token upon successful authentication. Then SharePoint processes this token, and uses it to create its own and authorize the user to access the site.

+- SharePoint URL that will use AD FS federation must be configured with HTTPS.

+There are two possible configurations:

+

+ :::image type="content" source="../media/SharePointTrustedAuthN_AAM1ZoneWebapp.png" alt-text="Alternate Access Mappings of web application" lightbox="../media/SharePointTrustedAuthN_AAM1ZoneWebapp.png":::

+

+ :::image type="content" source="../media/SharePointTrustedAuthN_AAMExtendedWebapp.png" alt-text="Alternate Access Mappings of extended application" lightbox="../media/SharePointTrustedAuthN_AAMExtendedWebapp.png":::

+## Set an HTTPS certificate in IIS

+1. In the **Primary Site Collection Administrator** section, click the book icon to open the people picker dialog.

+1. On the left, filter the list by clicking **Organizations**. You should see an output like this:

+

+ :::image type="content" source="../media/SharePointTrustedAuthN_ppicker_winadmin.png" alt-text="People picker Windows administrator" lightbox="../media/SharePointTrustedAuthN_ppicker_winadmin.png":::

+1. In the **Secondary Site Collection Administrator** section, click the book icon to open the people picker dialog.

+1. On the left, filter the list by clicking **Contoso.local**. You should see an output like this:

+

+ :::image type="content" source="../media/SharePointTrustedAuthN_ppicker_trustedadmin.png" alt-text="People picker FS administrator email" lightbox="../media/SharePointTrustedAuthN_ppicker_trustedadmin.png":::

+Once the site collection is created, you should be able to sign in to it using either the Windows or the federated site collection administrator account.

+In federated authentication, the people picker doesn't validate the input, which can lead to misspellings or users accidentally choosing the wrong claim type. This can be addressed using a custom claims provider; for example, [LDAPCP](https://ldapcp.com/).

+In SharePoint Server Subscription Edition, native people picker can search and resolve people by using user profile service application for federated authentication. [Learn how to configure people picker to work with federated authentication](../administration/enhanced-people-picker-for-trusted-authentication-method.md).

+> Excel Services and User Profile Synchronization Service only apply to SharePoint 2013.<p>

+> Access Services and PerformancePoint Service do not apply to Subscription Edition.

+

+> [!NOTE]

+> The user authentication methods mentioned here applies to SharePoint Server 2013, SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

+> [!NOTE]

+> In SharePoint Server Subscription Edition, we now support OIDC 1.0 authentication. For more information on how to work with this new authentication type, see [OpenID Connect 1.0 authentication](/sharepoint/security-for-sharepoint-server/oidc-1-0-authentication).

+ > Windows classic mode authentication is no longer supported in SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

+User identity in AD DS is based on a user account. For successful authentication, the user provides the account name and proof of knowledge of the password. To determine access to resources, applications might have to query AD DS for account attributes and other information, such as group membership or role on the network. While this functionality works well for Windows environments, it doesn't scale out to third-party authentication providers and multi-vendor environments that support Internet, partner, or cloud-based computing models.

+You don't have to be a claims architect to use claims-based authentication in SharePoint Server. However, implementing SAML token-based authentication requires coordination with administrators of your claims-based environment, as described in [Plan for SAML token-based authentication](#plansaml).

+A SharePoint 2013 farm can include a mix of web applications that use both modes. Some services don't differentiate between user accounts that are traditional Windows accounts and Windows claims accounts.

+For information about how to create web applications that use classic mode authentication in SharePoint 2013, see [Create web applications that use classic mode authentication in SharePoint Server](/previous-versions/office/sharepoint-server-2010/gg276326(v=office.14)). You can't migrate a web application that uses claims-based authentication to use classic mode authentication.

+Although not a Windows authentication type, SharePoint Server also supports anonymous authentication. Users can access SharePoint content without validating their credentials. Anonymous authentication is disabled by default. You typically use anonymous authentication when you use SharePoint Server to publish content that doesn't require security and is available for all users, such as a public Internet website.

+Forms-based authentication validates users based on credentials that users type in a logon form (typically a web page). Unauthenticated requests are redirected to a sign in page, where a user must provide valid credentials and submit the form. The system issues a cookie for authenticated requests that contains a key for reestablishing the identity for subsequent requests.

+Forms-based authentication or SAML token-based authentication can use LDAP environments. Use the authentication type that matches your current LDAP environment. If you don't already have an LDAP environment, we recommend that you use forms-based authentication because it's less complex. However, if your authentication environment already supports WS-Federation 1.1 and SAML 1.1, then we recommend SAML. SharePoint Server has a built-in LDAP provider.

+The process of planning and implementing Windows authentication methods is similar for claims-based authentication. Claims-based authentication for a web application doesn't increase the complexity of implementing Windows authentication methods. This section summarizes the planning for the Windows authentication methods.

+- Users who access SharePoint sites from Internet Explorer use the credentials under which the Internet Explorer process is running to authenticate. By default, these credentials are the credentials that the user used to sign in the computer.

+With the Digest authentication method, the user account credentials are sent as an MD5 message digest to the Internet Information Services (IIS) service on the web server that hosts the web application or zone. With the Basic authentication method, the user account credentials are sent as plaintext. Therefore, you shouldn't use the Basic authentication method unless you're also using SSL to encrypt the website traffic.

+If you're using claims-based authentication, see:

+To use forms-based authentication to authenticate users against an identity management system that isn't based on Windows or that is external, you must register the membership provider and role manager in the Web.config file. SharePoint Server uses the standard ASP.NET role manager interface to collect group information about the current user. Each ASP.NET role is treated as a domain group by the authorization process in SharePoint Server. You register role managers in the Web.config file exactly as you register membership providers for authentication.

+- **Token-signing certificate (ImportTrustCertificate)** This certificate is the one you export from an IP-STS and then copy to one server in the farm and add it to the farm's Trusted Root Authority list. Once you use this certificate to create an SPTrustedIdentityTokenIssuer, you can't use it to create another one. To use the certificate to create a different SPTrustedIdentityTokenIssuer, you must delete the existing one first. Before you delete an existing one, you must disassociate it from all web applications that may be using it.

+ Some IP-STS servers require the _Wreply_ parameter, which is set to either true or false. False is the default. Use the _Wreply_ parameter only if it's required by the IP-STS.

+3. Define extra claims mappings. Define the extra claims from the incoming token that the SharePoint Server farm will use. User roles are an example of a claim that can be used to assign permissions to resources in the SharePoint Server farm. All claims from an incoming token that don't have a mapping will be discarded.

+4. Use PowerShell to create a new authentication provider to import the token-signing certificate. This process creates the **SPTrustedIdentityTokenIssuer**. During this process, you specify the identity claim and extra claims that you've mapped. Create and specify a realm that is associated with the first SharePoint web applications that you're configuring for SAML token-based authentication. After you create the **SPTrustedIdentityTokenIssuer**, you can create and add more realms for extra SharePoint web applications. This procedure enables you to configure multiple web applications to use the same **SPTrustedIdentityTokenIssuer**.

+You can configure multiple SAML token-based authentication providers. However, you can only use a token-signing certificate once in a farm. All configured providers are displayed as options in Central Administration. Claims from different trusted STS environments won't conflict.

+If you implement SAML token-based authentication with a partner company and your own environment includes an IP-STS, we recommend that you and the administrator of your internal claims environment establish a one-way trust relationship from your internal IP-STS to the partner STS. This approach doesn't require you to add an authentication provider to your SharePoint Server farm. It also enables your claims administrators to manage the whole claims environment.

+- Central Administration allows you to use both an Integrated Windows method and Basic at the same time. Otherwise, you can't implement more than one type of Windows authentication on a zone.

+The crawl component requires NTLM to access content. At least one zone must be configured to use NTLM authentication. If NTLM authentication isn't configured on the default zone, the crawl component can use a different zone that is configured to use NTLM authentication.

+- Use the default zone to implement your most secure authentication settings. If a request can't be associated with a specific zone, the authentication settings and other security policies of the default zone are applied. The default zone is the zone that is created when you create a web application. Typically, the most secure authentication settings are designed for end-user access. So, end users are likely to access the default zone.

+- Use the minimum number of zones that are required to provide access to users. Each zone is associated with a new IIS site and domain for accessing the web application. Only add new access points when they're required.

+- Ensure that at least one zone is configured to use NTLM authentication for the crawl component. Don't create a dedicated zone for the index component unless it's necessary.

+In the diagram, the default zone is used for remote employees. Each zone has a different URL associated with it. Employees use a different zone depending on whether they're working in the office or are working remotely.

+- SSL 3.0

+ > [!NOTE]

+ > SharePoint Server 2016 does not fully support SSL 3.0. This is because SharePoint Server 2016 disables SSL 3.0 connection encryption by default for some, but not all features.

+> We recommend completely disabling the SSL 3.0 protocol due to its security vulnerability. For additional information on how to completely disable SSL 3.0, see the "Disabled SSL 3.0 in Windows For Server Software" and "Disabled SSL 3.0 in Windows For Client Software" sections in [Microsoft Security Advisory 3009008](/security-updates/SecurityAdvisories/2015/3009008).

+- [Strong Transport Layer Security (TLS) Encryption in Sharepoint Server Subscription Edition](strong-tls-encryption.md)

+- [Enable TLS 1.1 and TLS 1.2 support in SharePoint Server 2019](enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019.md)

+- [Enable TLS 1.1 and TLS 1.2 support in SharePoint Server 2016](enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2016.md)

+## See also

+[Transport Layer Security (TLS) in SharePoint Server Subscription Edition](strong-tls-encryption.md)

+| <br/> |Describes the versions of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols that SharePoint Server supports. <br/> |

+| |Describes strong Transport Layer Security (TLS) encryption in SharePoint Server Subscription Edition with Windows Server 2022 or higher. <br/> |

+| <br/> |Describes how to enable Transport Layer Security (TLS) protocol versions 1.1 and 1.2 in a SharePoint Server 2019 environment. SharePoint Server 2019 fully supports TLS 1.1 and TLS 1.2. <br/> |

+Learn about [How SharePoint and OneDrive safeguard your data in the cloud for SharePoint in Microsoft 365](../../SharePointOnline/safeguarding-your-data.md).

+

+ - Internet Explorer 11

+### Internet Explorer 11

+Internet Explorer 11 is only supported in the SharePoint Central Administration site. Internet Explorer 11 is not supported in Team sites, OneDrive personal sites, or any other types of SharePoint content sites. Microsoft recommends exploring Microsoft Edge as the replacement for Internet Explorer 11.

+PerformancePoint Services had a significant dependency on Microsoft Silverlight, which is a technology that is no longer be supported as of October 12, 2021. PerformancePoint Services has been removed from SharePoint Server Subscription Edition. We recommend exploring Microsoft [Power BI](https://powerbi.microsoft.com/) as an alternative to PerformancePoint Services as we're making many new business intelligence investments in Power BI.

+[About SharePoint](/sharepoint)