How To Sign Up - Admin Help
How To Sign Up - Admin Help
Sign up for Microsoft 365 for business so that your team can begin using the latest versions of Word, Excel,
PowerPoint, and other Office programs.
If you're in China, Office 365 operated by 21Vianet is designed to meet the needs for secure, reliable, and
scalable cloud services in China. This service is powered by technology that Microsoft has licensed to 21Vianet.
Microsoft does not operate the service itself. 21Vianet operates, provides, and manages delivery of the service.
21Vianet is the largest carrier-neutral Internet data center services provider in China, providing hosting,
managed network services, and cloud computing infrastructure services. By licensing Microsoft technologies,
21Vianet operates local Microsoft datacenters to provide you the ability to use Microsoft services while keeping
your data within China. 21Vianet also provides your subscription and billing services, as well as support.
NOTE
These services are subject to Chinese laws.
Sign up for Office 365 operated by 21Vianet so that your team can begin using the latest versions of Word,
Excel, PowerPoint, and other Office programs.
Ready to sign up? Select a Plan.
Choose a plan
Before you buy, put some thought into the plan you sign up for. This will help prevent growing pains later.
NOTE
The email address you enter here is different from your Microsoft 365 email address (your logon name,
below). Because this is where we also send your billing information, we recommend you use an e-mail
address that's appropriate for receiving business email.
A sign-in name (user ID): This user ID becomes your initial Microsoft 365 email address, just to get
you started quickly.
This user ID is the email address that you use to sign in. For example, if your business name is Fourth
Coffee, you might choose [email protected] for your user ID.
Most people add their own custom domain shortly after they sign up so they can start getting email to it.
For example, if you have a custom domain named fourthcoffee.com, you can set up your email address
as [email protected].
Payment information:
You can pay for your subscription with a credit card. If the cost reaches a certain amount, you may also
have the option to pay by invoice.
IMPORTANT
When you sign up, be sure to choose the best payment option for your organization. Changing payment options
involves calling billing support.
Related content
Microsoft 365 for business training videos (link page)
Try or buy a Microsoft 365 for business subscription
2/9/2022 • 6 minutes to read • Edit Online
Microsoft 365 for business is a subscription service that lets you run your organization in the cloud while
Microsoft takes care of the IT for you. Microsoft manages devices, protects against real-world threats, and
provides your organization with the latest in business software. You can sign up for a free trial subscription for
Microsoft 365 Business Standard, Microsoft 365 Business Premium, or Microsoft 365 Apps for business and try
it out for 30 days.
NOTE
You must use a credit card when you sign up for a free trial. At the end of your free trial period, your trial subscription is
automatically converted to a paid subscription. Your credit card isn't billed until the end of the trial period.
IMPORTANT
Payment options for Office 365 operated by 21Vianet in China International credit cards are not accepted. You
can pay for your subscription by:
Invoice
Online payment using Alipay or China UnionPay Proof of payment will be provided in the form of Fapiaos. You can
submit your Fapiao request to our Fapiao system about three (3) days after you have paid. For more information, see
Apply for a Fapiao for Office 365 operated by 21Vianet.
As your users change roles, they may need features that aren't available in their current Microsoft 365 Business
Premium subscription. When this happens, you can add a new subscription that includes those features, and
assign licenses to the people who need them.
NOTE
For some subscriptions, you can only cancel during a limited window of time after you buy or renew your subscription. If
the cancellation window has passed, turn off recurring billing to cancel the subscription at the end of its term.
When you buy another subscription through the Microsoft 365 admin center, the new subscription is associated
with the same organization (domain name space) as your existing subscription. This makes it easier to move
users in your organization between subscriptions or assign them a license for the additional subscription they
need.
1. In the admin center, go to the Billing > Purchase services page.
2. On the Purchase ser vices page, select the plan that you want to buy, select Details , then select Buy .
3. Enter the number of licenses that you need and choose whether to pay each month or for the whole year.
Choose whether you want to automatically assign licenses to everyone who does not currently have a
license. Then select Check out now .
4. Review the pricing information and select Next .
5. Provide your payment information, and then select Place order > Go to Admin Home .
NOTE
You must move users from your free trial subscription to the new subscription before your 90-day grace period ends after
your trial subscription expires. By doing this, you keep your data, accounts, and configuration. Otherwise, that information
is deleted.
Payment options
You can pay for your subscription by:
Invoice
Online payment using Alipay or China UnionPay
Proof of payment will be provided in the form of Fapiaos. You can submit your Fapiao request to our Fapiao
system about three (3) days after you have paid. For more information, see Apply for a Fapiao for Office 365
operated by 21Vianet.
NOTE
International credit cards are not accepted.
Next steps
If you have a new account and are setting up your first subscription, you can use the guided setup articles to
help you get started.
Set up Microsoft 365 Business Basic
Set up Microsoft 365 Business Standard
Set up Microsoft 365 Business Premium
Set up Microsoft 365 Apps for business
If you already have a subscription and are adding a new subscription, you can move users to it. To learn how, see
Move users to a different subscription.
Related content
Microsoft 365 for business training videos (video)
Add users and assign licenses at the same time (article)
Assign licenses to users (article)
Upgrade to a different plan (article)
Buy or edit an add-on for Microsoft 365 for business (article)
Add storage space for your subscription (article)
Plan your setup of Microsoft 365 for business
2/9/2022 • 7 minutes to read • Edit Online
This article is for people who have subscribed to a Microsoft 365 for business plan.
Before moving your organization to Microsoft 365, there are requirements you need to meet, info you need to
have on hand, and decisions you have to make.
What happens when you run the Microsoft 365 setup wizard
The setup wizard walks you through installing the Microsoft 365 apps on your computer, adding and verifying
your domain, adding users and assigning licenses to them, and connecting your domain.
NOTE
If you need to Assign admin roles in Microsoft 365 for business to the users you add in the wizard, you can do that later
on the Users page.
If you don't complete the setup wizard, you can complete setup tasks at any time from admin center > Setup .
From here you can migrate email and contacts from another email service, change the domain of your admin
account, manage your billing information, add or remove users, reset passwords, and do other business
functions. For more information about the differences between the setup wizard and the Setup page, see
Differences between the Microsoft 365 setup wizard and the Setup page.
If you get stuck at any point, call us. We're here to help!.
Just a few If you don't want to use the Setup page to migrate the
mailboxes, you can let mailbox owners migrate their own
email and contacts. See Migrate email and contacts to
Microsoft 365 for business.
Protect against threats Microsoft 365 Business Premium helps protect you against
threats with advanced threat protection capabilities. These
capabilities include safe attachments and safe links
protection.
Secure business data Your personal data is protected on personal devices with PIN
access, and restricted copy and saving. You can also add
information protection to make sure that only authorized
people can access sensitive information.
Secure your devices You can protect your work files on devices by restricting
mobile access, such as copy and paste. You can also
selectively wipe business data from enrolled mobile devices if
they are lost or stolen.
Additional security features Advanced features in Microsoft 365 Business Premium are
available to help you protect your business against cyber-
threats and safeguard sensitive information. The capabilities
include Microsoft Defender for Office 365 Plan 1, Data loss
prevention policies (DLP), Exchange Online archiving, Azure
Information Protection, and Intune.
If you have Microsoft Business Premium, the quickest way to setup security and begin collaborating safely is to
follow the guidance in this library: Microsoft 365 for smaller businesses and campaigns. This guidance was
developed in partnership with the Microsoft Defending Democracy team to protect all small business customers
against cyber threats launched by sophisticated hackers.
For full details, see Microsoft 365 Business content.
Sign up for a Microsoft 365 Business Standard
subscription
2/9/2022 • 9 minutes to read • Edit Online
IMPORTANT
Microsoft 365 Business Standard subscriptions are for commercial use and are intended for business and enterprise
customers.
Sign up steps
To sign up and purchase Microsoft 365 Business Standard, complete the following steps.
IMPORTANT
The person who signs up for Microsoft 365 for business (usually the business owner) automatically becomes the technical
administrator of the organization. You can add other people as admins if you want help managing your Microsoft 365
services. Check out Assign admin roles for more info.
1. On the Microsoft 365 for business page, select See plans & pricing .
2. On the next page, find out the monthly cost, and then scroll down the page to find out more about what's
included in Microsoft 365. Under Microsoft 365 Business Standard, select Buy now .
3. On the Thank you for choosing Microsoft 365 Business Standard page, enter your information to get
started. Select Next .
4. Enter an email address that you already use. This can be any address you want Microsoft to use to
communicate with you during setup. It is also the address where we'll send you information about your bill
and renewals. Then select, Set up account .
5. Enter your name, business phone number, business size, company name, and location. Select Next .
NOTE
We display your company name in the admin center. This is where you manage Microsoft 365 users, licenses and other
features and services. We also include it in any internal SharePoint site URLs.
6. Help us make sure this is you. Enter a number that we can use to reach you and select Send Verification
Code . You'll receive a text. Enter your code and select Verify .
7. Decide how you'll sign in to Microsoft 365. You can create a new business email account by adding a
domain or sign in with your current personal email.
O P T IO N 1 – SIGN IN W IT H O UT LO O K ,
H OT M A IL , YA H O O, GM A IL O R OT H ER O P T IO N 2 – A DD A B USIN ESS DO M A IN
EM A IL A C C O UN T ( SIM P L IF IED SIGN - A N D C REAT E A N EW B USIN ESS EM A IL
UP ) A C C O UN T
Available apps and services Use Word, Excel, PowerPoint, Use Word, Excel, PowerPoint,
OneDrive, Teams, Access. This set of OneDrive, Teams, Access. Microsoft
apps is best for very small businesses 365 Business Standard with Option 2
who don't need branded email also lets you access a wide range of
immediately, or who already use additional services: New, branded
branded email from a different business email accounts with Outlook,
provider and do not intend to switch shared calendars within your business,
to use Microsoft Exchange. You’ll use Bookings appointment scheduling and
Outlook with your existing email Meeting recordings. Shared document
account (be it outlook.com, Hotmail, storage and SharePoint sites, Microsoft
Yahoo, Gmail or other). Planner and Microsoft Lists, Microsoft
365 Business Standard and Microsoft
365 Apps for business offer additional
services with Option 2. Easier
document sharing within your
business, support for the compliance
needs for your industry, Access and
control over your employees’ use of
services and the widest range of
integrations of non-Microsoft apps
(e.g. Salesforce, Adobe) that work
within Teams and Office.
Required knowledge Let’s you get started without technical Requires you to buy a domain, or to
know-how. own a domain. You may need technical
knowledge to prove ownership of the
domain.
O P T IO N 1 – SIGN IN W IT H O UT LO O K ,
H OT M A IL , YA H O O, GM A IL O R OT H ER O P T IO N 2 – A DD A B USIN ESS DO M A IN
EM A IL A C C O UN T ( SIM P L IF IED SIGN - A N D C REAT E A N EW B USIN ESS EM A IL
UP ) A C C O UN T
Data handling Available under the Supplement to the Available under the Microsoft Online
Microsoft Services Agreement and is Subscription Agreement and is best for
best for businesses that want some businesses that need Microsoft to act
remote work and collaboration tools as a processor for their data under
and are comfortable with Microsoft Microsoft's Data Protection Addendum
acting as controller for your data and need our full suite of remote work
under the Microsoft Privacy Statement. and collaboration tools. Subscribers
Subscribers to services using this who are in regulated industries or seek
option will not have access to an more control, both over the use of the
individual’s user content or data until a services by your employees and over
domain is attached. Subscribers should processing of related data by
evaluate data ownership and Microsoft, should choose Option 2 and
intellectual property rights attach a domain and sign up under the
considerations based on their needs. Domain Account enterprise-level
For example, if you are working agreement.
collaboratively with other users on a
document stored in their account, they
may choose to make those documents
inaccessible to you. As such, you
should evaluate data ownership and
intellectual property rights
considerations accordingly. Separately,
users may choose not to transfer
documents in their Simplified Sign-Up
account to your Domain Account
subscription, even after you invite
them to do so. This means their
documents may also not be accessible
to you even if you add a domain
account later
Use these three factors to determine which of the two options is best for your business needs.
Option 1: Sign in with your Outlook, Hotmail, Yahoo, Gmail or other email account
You'll sign in to Microsoft 365 with this email address. For example, [email protected].
1. Create a password on the next page, and select Create account to continue. On the next page, read
about how we handle your data and select whether you want Microsoft Partners to contact you. Select
Next .
2. Select how many Microsoft 365 Business Standard licenses you want for your organization and select
Add payment method and continue with checkout to Place order .
3. On the Confirmation details page, we'll give you some more info about your subscription. You can now
go to the Microsoft 365 admin center to add users, install Office apps, invite your team to use Microsoft
365 and more. We'll also send you an email with set up steps for Microsoft 365 Business Standard.
Remember this option doesn't provide branded email, admin control for use of the services by other users, or
industry specific compliance support. Subscribers don't have any access or control over other users’
(employees) usage or documents under this option Users may choose not to transfer data created in storage
such as OneDrive/Teams to your upgraded, enterprise-level domain account should you not choose option 2
immediately.
Option 2: Create a new business email account and attach a domain
With this option, you’ll be able to use Microsoft 365 Exchange as your professional, branded email provider. All
your users will have a shared domain email address. For example, their username, followed by @contoso.com.
You and your users sign into Microsoft 365 with this new email address. When you follow this process (add a
domain and create new business email accounts), you’ll get access to all the features provided in Microsoft 365
Business Standard. For steps on how to buy or add a domain, see Set up Microsoft 365 Business Standard.
This option provides immediate access to the full suite of features in your Microsoft 365 Business subscription
but may require technical steps to be completed up front.
If you would like to add a domain and create a business email account, you can follow the steps in the articles
below:
Add a domain to Microsoft 365
Finish setting up
Related articles
Set up Microsoft 365 Business Standard with a new or existing domain
Invite users to Microsoft 365 Business Standard
Set up Microsoft 365 Business Standard with a new
or existing domain
2/9/2022 • 5 minutes to read • Edit Online
When you purchase Microsoft 365 Business Standard, you have the option of adding a domain you own, or
buying one. Check out Sign up for a Microsoft 365 Business Standard subscription.
In this article, we'll walk you through the steps of adding an existing domain your already own or buying a new
one. If you purchased a new domain when you signed up, your domain is all set up and you can move to Add
users and assign licenses.
IMPORTANT
The person who signs up for Microsoft 365 for business (usually the business owner) automatically becomes the technical
administrator of the organization. You can add other people as admins if you want help managing your Microsoft 365
services. Check out Assign admin roles for more info.
IMPORTANT
If you purchased a domain during the sign-up, you will not see Add a domain step here. Go to Add users
instead.
4. Follow the steps to Create DNS records at any DNS hosting provider for Office 365 that verifies you own
the domain. If you know your domain host, see also Add a domain to Microsoft 365.
If your hosting provider is GoDaddy or another host enabled with domain connect, the process is easy
and you'll be automatically asked to sign in and let Microsoft authenticate on your behalf.
Add users and assign licenses
You can add users now, but you can also add users later in the admin center.
Any users you add get automatically assigned a Microsoft 365 Business Standard license.
1. If your Microsoft 365 Business Standard subscription has existing users you get an option to assign
licenses to them now. Go ahead and add licenses to them as well.
2. After you've added the users, you'll also get an option to share credentials with the new users you added.
You can choose to print them out, email them, or download them.
Finish setting up
Follow the steps below to set up Outlook, Teams, OneDrive and your website.
Step: Set up Outlook for email
1. On the Windows Start menu, search for Outlook, and select it.
(If you're using a Mac, open Outlook from the toolbar or locate it using the Finder.)
If you've just installed Outlook, on the Welcome page, select Next .
2. Choose File > Info > Add Account .
3. Enter your Microsoft email address and select Connect .
Related topics
Migrate data to my Microsoft 365 Business Standard subscription
Invite users to Microsoft 365 Business Standard
(Admin)
2/9/2022 • 3 minutes to read • Edit Online
IMPORTANT
These steps apply to Microsoft 365 Business Standard and Microsoft 365 Apps for business.
As the admin of a Microsoft 365 Business Standard subscription, you can invite your colleagues and coworkers
to share and use your Microsoft 365 for business subscription. When you invite your colleagues and coworkers
to your subscription, you share all the following features and services:
Get desktop versions of Office apps, including Outlook, Word, Excel, PowerPoint, and OneNote (plus Access
and Publisher for PC only).
Create a hub for teamwork to connect people using Microsoft Teams.
Store and share files with 1 TB of OneDrive cloud storage per user.
Use one license to cover fully installed Office apps on five mobile devices, five tablets, and five PCs or Macs
per user.
Get help anytime with around-the-clock phone and web support from Microsoft.
NOTE
The person who signs up for Microsoft 365 for business (usually the business owner) automatically becomes the technical
administrator of the organization. You can add other people as admins if you want help managing your Microsoft 365
services. Check out Assign admin roles for more info.
Next steps
Follow up with your users and make sure they got the email invite you sent about sharing your Microsoft 365
Business Standard subscription.
NOTE
Once you attach a domain, and you and your users use business accounts to save data into the Microsoft cloud, you can
conduct data subject requests on behalf of all users by following guidance in the Office 365 Data Subject Requests for the
GDPR and CCPA topic.
Related content
Set up Microsoft 365 Business Standard
Accept invite to Microsoft 365 Business Standard (User)
Accept an email invitation to a Microsoft 365
Business Standard subscription (User)
2/9/2022 • 3 minutes to read • Edit Online
When you’re already using Microsoft 365 Business with a Gmail, Outlook, Yahoo (or similar) email address,
someone (for example your administrator or business owner) may invite you to upgrade Microsoft 365 to start
using professional branded email. In this scenario, you’ll be switching email address and learning how to
upgrade.
If you’re an admin of an organization where users are still using Gmail, Outlook, Yahoo or similar email
addresses, and you’re looking how to set up branded email, check out these steps instead: Add a domain to
Microsoft 365 and Set up your organization with email and cloud storage.
IMPORTANT
If you’re an admin and you’re looking for steps on how to send a user an invite to your Microsoft 365 Business Standard
subscription, check out Invite users to Microsoft 365 Business Standard (Admin).
When someone adds you to a Microsoft 365 for business organization, you'll get an email invitation with steps
on how to join. In this scenario, you're joining an organization that doesn't have a different professional email
for users. You'll sign in with your regular email account.
IMPORTANT
If you’re an admin and you’re looking for steps on how to send a user an invite to your Microsoft 365 Business Standard
subscription, check out Invite users to Microsoft 365 Business Standard (Admin).
Follow the steps in this article to move your OneDrive, Outlook and Teams data to your Microsoft 365 Business
Standard subscription.
IMPORTANT
You can still keep your data in your personal account. The data in your personal account won’t expire once you create a
new business email account and migrate your data. You can move all your data to your new business account or you can
move some of your data. For example, you can move your work documents to your business account, but keep your
personal family photos in your personal account.
NOTE
You might need to select the Show hidden icons arrow next to the notification area to see the OneDrive icon. If
the icon doesn't appear in the notification area, OneDrive might not be running. Select Star t , type OneDrive in
the search box, and then select OneDrive in the search results.
2. To add your new business account, select Help & Settings > Settings .
3. In Settings , select Account > Add an account .
4. When OneDrive Setup starts, enter your new business account, and then select Sign in .
NOTE
If you haven't set up OneDrive with your current Microsoft 365 personal account before, follow the steps above
to set up your personal account on your device and sync your files before moving to the next steps.
Notes about moving files from OneDrive personal to OneDrive for work
If you’re moving a large number of files, we recommend that you move files in batches of no more than
100 files each.
Files you move from OneDrive personal to OneDrive for work are recognized as new files, and as a result,
these files don’t retain metadata details such as Modified and Modified By.
If you shared files in OneDrive before, you'll need to share these files again in your new OneDrive for
work after you move them. Also, once you share these files, we recommend that you delete the original
files from OneDrive. This way, people won’t be able to refer to out-of-date copies of files you’d shared
with them earlier.
Move data from your personal Microsoft Teams account to new Teams
for work account
1. Open Microsoft Teams, select your profile icon, and then Add work or school account .
2. Follow the steps to add your new account to Teams for work. Check out Sign in and get started with
Teams for more info.
Access Teams chats
When you start using Teams with your new work account your data won’t be migrated over. The best way to see
your old chats is to open your old Teams account and new work account side by side. You can do this by
selecting the ME icon on the top right of Teams and choosing the account’s you’d like to open. You can start
using Teams with your new work account with your colleagues. Make sure to tell other users you chat with to
start contacting you using your new Teams for work account.
Microsoft Teams meetings
Once you have your new Microsoft Teams account for work set up, you can recreate your meetings in the Teams
calendar. Remember to delete the original meetings in your old Teams account. This will allow you to access
richer functionality - for example, calendar availability when scheduling, and the ability to record meetings. You
can only delete meetings from your own Teams calendar, so make sure you let people who you have meetings
with know that you’ll be recreating your meetings. As you transition to use your new Teams account for your
meetings, if people who should be in your meetings are missing, contact them to make sure they haven’t joined
old meeting link.
Migrating contacts
To migrate your contacts from your personal Teams account, find the contact's email address and add the user to
your new Teams account for work.
Related content
Import or migrate email from Gmail or another email provider to Microsoft 365
Sign up for a Microsoft 365 Apps for business
subscription
2/9/2022 • 7 minutes to read • Edit Online
IMPORTANT
Microsoft 365 Apps for Business subscription is for commercial use and is intended for business and enterprise customers.
Sign up steps
To sign up and purchase Microsoft 365 Apps for business, complete the following steps.
IMPORTANT
The person who signs up for Microsoft 365 for business (usually the business owner) automatically becomes the technical
administrator of the organization. You can add other people as admins if you want help managing your Microsoft 365
services. Check out Assign admin roles for more info.
1. On the For business page, see what's included in Microsoft 365. Under Microsoft 365 Apps for business,
select Buy now .
2. On the You've selected Microsoft 365 Apps for business page, enter an email address that you already
use. This can be any address you want Microsoft to use to communicate with you during setup. It is also the
address where we'll send you information about your bill and renewals. Then select, Set up account .
3. Enter your name, business phone number, business size, company name, and location. Select Next .
NOTE
We display your company name in the admin center. This is where you manage Microsoft 365 users, licenses and other
features and services. We also include it in any internal SharePoint site URLs.
4. Help us make sure this is you. Enter a number that we can use to reach you and select Send Verification
Code . You'll receive a text. Enter your code and select Verify .
5. Decide how you'll sign in to Microsoft 365. You can sign in with your current personal email or create a
new account by adding a domain.
Choosing the right business subscription
When signing up for Microsoft 365 Apps for Business, you have 2 options for how to get started. Evaluate three
key factors to choose which best meets your needs:
Which apps and services do you want to use straight away?
How much technical skill do you have?
Do you need Microsoft to act as a processor for your data?
The table below outlines each choice.
O P T IO N 1 – SIGN IN W IT H O UT LO O K ,
H OT M A IL , YA H O O, GM A IL O R OT H ER
EM A IL A C C O UN T O P T IO N 2 – A DD A B USIN ESS DO M A IN
Available apps and services Use Word, Excel, PowerPoint, Use Word, Excel, PowerPoint,
OneDrive, Teams, Access. This set of OneDrive, Teams, Access. Option 2 also
apps is best for very small businesses lets you access a wide range of
who don't need branded email additional services: Bookings
immediately, or who already use appointment scheduling and Meeting
branded email from a different recordings.
provider and do not intend to switch
to use Microsoft Exchange. You’ll use
Outlook with your existing email
account (be it outlook.com, Hotmail,
Yahoo, Gmail or other).
Required knowledge Let’s you get started without technical Requires you to buy a domain, or to
know-how. own a domain. You may need technical
knowledge to prove ownership of the
domain.
O P T IO N 1 – SIGN IN W IT H O UT LO O K ,
H OT M A IL , YA H O O, GM A IL O R OT H ER
EM A IL A C C O UN T O P T IO N 2 – A DD A B USIN ESS DO M A IN
Data handling Available under the Supplement to the Available under the Microsoft Online
Microsoft Services Agreement and is Subscription Agreement and is best for
best for businesses that want some businesses that need Microsoft to act
remote work and collaboration tools as a processor for their data under
and are comfortable with Microsoft Microsoft's Data Protection Addendum
acting as controller for your data and need our full suite of remote work
under the Microsoft Privacy Statement. and collaboration tools. Subscribers
Subscribers to services using this who are in regulated industries or seek
option will not have access to an more control, both over the use of the
individual’s user content or data until a services by your employees and over
domain is attached. Subscribers should processing of related data by
evaluate data ownership and Microsoft, should choose Option 2 and
intellectual property rights attach a domain and sign up under the
considerations based on their needs. Domain Account enterprise-level
For example, if you are working agreement.
collaboratively with other users on a
document stored in their account, they
may choose to make those documents
inaccessible to you. As such, you
should evaluate data ownership and
intellectual property rights
considerations accordingly. Separately,
users may choose not to transfer
documents in their Simplified Sign-Up
account to your Domain Account
subscription, even after you invite
them to do so. This means their
documents may also not be accessible
to you even if you add a domain
account later
Use these three factors to determine which of the two options is best for your business needs.
Option 1: Sign in with your Outlook, Hotmail, Yahoo, Gmail or other email account
This applies to Microsoft 365 Business Standard and Microsoft 365 Apps for Business. You'll sign in to Microsoft
365 with this email address. For example, [email protected].
1. Create a password on the next page, and select Create account to continue. On the next page, read
about how we handle your data and select whether you want Microsoft Partners to contact you. Select
Next .
2. Select how many Microsoft 365 Apps for business licenses you want for your organization and select
Add payment method and continue with checkout to Place order .
3. On the Confirmation details page, we'll give you some more info about your subscription. You can now
go to the Microsoft 365 admin center to add users, install Office apps, invite your team to use Microsoft
365 and more. We'll also send you an email with set up steps for Microsoft 365 Business Standard.
Remember this option doesn't provide branded email, admin control for use of the services by other users, or
industry specific compliance support. Subscribers don't have any access or control over other users’
(employees) usage or documents under this option. Users may choose not to transfer data created in storage
such as OneDrive to your upgraded, enterprise-level domain account should you not choose Option 2 .
You can add a business domain at any point to access the rest of the functionality of your Apps for business
subscription, including:
Bookings appointment scheduling and Meeting recordings
Shared document storage with OneDrive
Follow these steps to finish setting up your Microsoft 365 Apps for business subscription. You can also add a
domain when you're ready.
Option 2: Add a domain
For steps on how to buy or add a domain, see Set up Microsoft 365 Business Standard.
Next steps
Related articles
Set up Microsoft 365 Apps for business
Set up Microsoft 365 Apps for business
2/9/2022 • 3 minutes to read • Edit Online
Install Office
Once you've created accounts for other people in your business, you and your team members will be able to
install the full desktop version of Office (Word, Excel, Outlook, etc.). Each person can install Office on up to 5 PCs
or Macs.
Go to https://admin.microsoft.com/OLS/MySoftware.aspx.
If you're using Office 365 operated by 21Vianet, go to
https://portal.partner.microsoftonline.cn/OLS/MySoftware.aspx.
1. Sign in with your work or school account.
2. Select Install .
Need more detailed steps or want to install the 64-bit version of Office? See Step-by-step installation
instructions.
Set up mobile
Install Office on your mobile device, and set up Outlook to work with your new Microsoft mailbox. Everyone on
your team will need to do this step. Each person can install the Office mobile apps on up to 5 phones and 5
tablets.
Get the steps for your device: Android | iOS | Windows Phone
Finish setting up
Follow the steps below to set up Outlook and OneDrive.
Step: Set up Outlook for email
1. On the Windows Start menu, search for Outlook, and select it.
(If you're using a Mac, open Outlook from the toolbar or locate it using the Finder.)
If you've just installed Outlook, on the Welcome page, select Next .
2. Choose File > Info > Add Account .
3. Enter your Microsoft email address and select Connect .
IMPORTANT
If you purchased a domain during the sign-up, you will not see Add a domain step here. Go to Add users
instead.
4. Follow the steps in the wizard to Create DNS records at any DNS hosting provider for Office 365 that
verifies you own the domain. If you know your domain host, see also Add a domain to Microsoft 365.
If your hosting provider is GoDaddy or another host enabled with domain connect, the process is easy
and you'll be automatically asked to sign in and let Microsoft authenticate on your behalf.
Add users and assign licenses
You can add users in the wizard, but you can also add users later in the admin center. Additionally, if you have a
local domain controller, you can add users with Azure AD Connect.
To set up services, you have to update some records at your DNS host or domain registrar.
1. The setup wizard typically detects your registrar and gives you a link to step-by-step instructions for
updating your NS records at the registrar website. If it doesn't, Change nameservers to set up Office 365
with any domain registrar.
If you have existing DNS records, for example an existing web site, but your DNS host is enabled for
domain connect, choose Add records for me . On the Choose your online ser vices page, accept
all the defaults, and choose Next , and choose Authorize on your DNS host's page.
If you have existing DNS records with other DNS hosts (not enabled for domain connect), you'll want
to manage your own DNS records to make sure the existing services stay connected. See domain
basics for more info.
2. Follow the steps in the wizard and email and other services will be set up for you.
When the signup process is complete, you'll be directed to the admin center, where you can add users,
and assign licenses. After you complete the initial setup, you can use the Setup page in the admin center
to continue setting up and configuring the services that come with your subscriptions.
For more information about the setup wizard and the admin center Setup page, see Difference between
the setup wizard and the Setup page.
Difference between the setup wizard and the Setup
page
2/9/2022 • 2 minutes to read • Edit Online
This article explains how to download software and product license keys for perpetual software bought through
the Cloud Solution Provider (CSP) program.
Now that you've set up Microsoft 365, you can install individual Office applications on your Mac, PC, or mobile
devices.
Next steps
Follow these links for information on how to:
Install Office applications: Install Office on your PC or Mac
Install other apps: Project, Visio, or Skype for Business
Set up mobile devices: Microsoft 365 mobile setup - Help
Set up email in Outlook: Windows or Mac
Upgrade users to the latest apps
If you purchased Azure Active Directory Premium (AADP) Plan 1 or Plan 2, you're eligible for Microsoft Identity
Manager (MIM). To download MIM, go to the Download Center.
Related content
Troubleshoot installing Office and Microsoft 365 (article)
Set up Windows devices for Microsoft 365 Business
Premium users
2/9/2022 • 3 minutes to read • Edit Online
2. In Settings , go to Accounts .
3. On Your info page, click Access work or school > Connect .
4. On the Set up a work or school account dialog, under Alternate actions , choose Join this device
to Azure Active Director y .
5. On the Let's get you signed in page, enter your work or school account > Next .
On the Enter password page, enter your password > Sign in .
6. On the Make sure this is your organization page, verify that the information is correct, and choose
Join .
On the You're all set! page, choose Done .
If you uploaded files to OneDrive for Business, sync them back down. If you used a third-party tool to migrate
profile and files, also sync those to the new profile.
Next steps
To set up your mobile devices, see Set up mobile devices for Microsoft 365 Business Premium users, To set
device protection or app protection policies, see Manage Microsoft 365 for business.
Related content
Microsoft 365 for business training videos (link page)
Set up mobile devices for Microsoft 365 for business
users
2/9/2022 • 2 minutes to read • Edit Online
Follow the instructions in the tabs to install Office on an iPhone or an Android phone. After you follow these
steps, your work files created in Office apps will be protected by Microsoft 365 for business.
The example is for Outlook, but applies for any other Office apps you want to install also.
Watch a short video on how to set up Office apps on iOS devices with Microsoft 365 for business.
If you found this video helpful, check out the complete training series for small businesses and those new to
Microsoft 365.
Go to App store , and in the search field type in Microsoft Outlook.
Enter your work email address on the Add Email Account screen > Add Account , and then enter your
Microsoft 365 for business credentials > Sign in .
If your organization is protecting files in apps, you'll see a dialog stating that your organization is now protecting
the data in the app and you need to restart the app to continue to use it. Tap OK and close Outlook.
Locate Outlook on the iPhone, and restart it. When prompted, enter a PIN and verify it. Outlook on your iPhone
is now ready to be used.
Set up Outlook for Microsoft 365 for business email
2/9/2022 • 2 minutes to read • Edit Online
Try it!
After installing the Office apps, you'll want set up Outlook to start using email, calendar, and contacts. Here's
how.
1. Open the Start menu. Search for Outlook, and choose it.
2. Enter your Microsoft 365 email address, and select Connect .
3. Enter any additional email addresses that you want to use, such as your previous or personal email address.
Select Next .
4. If prompted, enter a password, and then select Sign in .
5. After all of your accounts have been added, choose if you want to set up Outlook mobile or wait until later.
6. Select Done . It may take several minutes for Outlook to download your email and other data.
Now you can view email for the accounts you added. You can also view your calendar, contacts, and tasks.
Move files to OneDrive
2/9/2022 • 2 minutes to read • Edit Online
Try it!
1. From Windows, select the Star t button.
2. Search for OneDrive, and select it.
3. Enter your work email address.
4. Select Sign in , and then select Next .
5. Go through the short tutorial, and then select Open my OneDrive folder . If you also use the personal
version of OneDrive, you'll see it here.
6. In File Explorer, go to the files you want to copy.
7. Select the files, and then drag and drop them into your OneDrive folder. Blue circular arrows beside your files
mean that they're syncing to the cloud. When they're done syncing, green check marks are displayed.
In addition to working on your OneDrive files locally, you can access them from your web browser:
1. In your web browser, sign in to office.com with your work email.
2. Choose OneDrive . All of your files are listed, and you can work on them in the browser from any computer.
Move files to SharePoint
2/9/2022 • 2 minutes to read • Edit Online
After you sign up for Microsoft 365 Business Premium, you'll want to copy your company work files to
SharePoint. SharePoint is a good place to store shared company files that everyone needs access to. This
typically replaces the use of a file share or network drive.
Try it!
1. Open Microsoft Teams, and then open a team that everyone in your business has access to.
2. Select Files , and then select Open in SharePoint .
3. Select Documents to go to the location where everything is stored on the site.
4. Select Sync , and then select Yes . This synchronizes the files of the SharePoint site to your computer.
5. In File Explorer, you'll now see the synced documents folder from your company's SharePoint site. If you
synchronize additional SharePoint sites, they will show up above or below this one. Right-click the synced
documents folder, and open it in a new window to see it side by side with the company files you want to
move.
6. Select all the files you want to move, and then drag them to your synced SharePoint folder. Blue circular
arrows beside your files mean that they're syncing to the SharePoint site. When they're done syncing, green
check marks are displayed.
7. Return to your SharePoint site to see the files that have synced to the cloud.
In addition to working on your files directly from your computer, you can access them in a web browser on any
computer.
You can now access your files from your SharePoint site or Teams.
Migrate email and contacts to Microsoft 365
2/9/2022 • 2 minutes to read • Edit Online
Import or migrate email from Gmail or another email provider to Microsoft 365.
Want help with this? Contact Microsoft 365 for business support.
You need to use a version of Outlook that is installed on your desktop for this task. Outlook is included in most
Microsoft 365 plans.
Related content
Plan your setup of Microsoft 365 for business (article)
Install Office applications (link page)
[Overview of the Microsoft 365 admin center](Overview of the Microsoft 365 admin center](../admin-
overview/admin-center-overview.md) (video)
What subscription do I have?
2/9/2022 • 2 minutes to read • Edit Online
If you're an admin, you can verify which subscriptions your organization has by going to the admin center.
Not an admin? See What Microsoft 365 for business product or license do I have?
1. In the admin center, go to the Billing > Your products page.
2. On the Products tab, you see all your subscriptions. Each subscription line includes information about
licenses, subscription status, and billing.
3. If you want to change the columns that appear in the list, select Choose columns . Change the selection of
columns, then select Save .
4. To see more details for a single subscription, select that subscription.
Related content
Subscriptions and billing (link page)
View your bill or invoice (article)
Paying for your subscription (article)
Change your billing addresses (article)
Add your company branding to the Sign In page
2/9/2022 • 2 minutes to read • Edit Online
You can now use the Azure Active Directory (AD) subscription that is included with your Microsoft 365
subscription to customize the sign-in page your users see.
Add company branding to your sign in page and Access Panel pages
If you have a paid subscription to Microsoft 365 for business, Microsoft Dynamics CRM Online, Enterprise
Mobility Suite, or other Microsoft services, you have a free subscription to Azure Active Directory. You can use
Azure Active Directory to create and manage user and group accounts, and add company branding to your
pages. To activate this subscription and access the Microsoft Azure Management Portal, you have to complete a
one-time registration process. Afterward, you can access Azure Active Directory from your Microsoft service
that uses it. For instructions on how to register your Microsoft 365 subscription see Register your free Azure
Active Directory subscription, and see Manage the directory for your Microsoft 365 subscription in Azure for
general management instructions.
The following figure shows which parts of the sign-in page can be modified in Azure.
Next steps
If you are ready to add branding, explore the customization options in the Azure content set: Add company
branding to your Sign-in and Access Panel pages.
Related content
Customize the Microsoft 365 theme for your organization (article)
Difference between the setup wizard and the Setup page (article)
Set up mobile devices for Microsoft 365 for business users (video)
Customize the Microsoft 365 theme for your
organization
2/9/2022 • 5 minutes to read • Edit Online
As the admin of your organization, you can create multiple themes for the people in your organization, and
select which themes apply to different members of your organization. The organization theme is what appears
in the top navigation bar for people in your organization.
You can add or update a default theme that applies to everyone within your org. You can also create up to four
additional group themes that can be assigned to multiple Microsoft 365 groups.
TA B W H AT C A N Y O U DO ?
Logos Add your organization logo, including alternate logo for dark
theme.
IMPORTANT
The default theme is unique, it can't be renamed and applies to everyone within your organization. To delete the default
theme, you have to delete all other themes first.
Create a group theme
You can create up to four additional group themes.
1. On the General page, enter a name for your new theme.
2. Under Groups , you can select up to 5 Microsoft 365 Groups that can see your group theme, instead of
using the default theme. You can also prevent users from overriding their theme and show the user's
display name.
3. Select Save .
You can remove your logos at any time. Just return to the Logos page and select Remove .
NOTE
You can convert distribution groups to Microsoft 365 groups in Outlook.
Related content
Add custom tiles to the My apps page and app launcher (article)
Overview of Microsoft 365 Groups for administrators (article)
Synchronize domain users to Microsoft 365
2/9/2022 • 2 minutes to read • Edit Online
NOTE
There are some additional steps for password writeback beyond the check box in Azure AD Connect. For more
information, see How-to: configure password writeback.
If you also want to manage domain-joined Windows 10 devices, see Enable domain-joined Windows 10 devices
to be managed by Microsoft 365 Business Premium to set up a hybrid Azure AD Join.
Enable domain-joined Windows 10 devices to be
managed by Microsoft 365 Business Premium
2/9/2022 • 4 minutes to read • Edit Online
If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business
Premium to protect your Windows 10 devices, while still maintaining access to on-premises resources that
require local authentication. To set up this protection, you can implement Hybrid Azure AD joined devices .
These devices are joined to both your on-premises Active Directory and your Azure Active Directory.
Install-Module SecMgmt
IMPORTANT
It is recommended that you install this module on the Windows Server running Azure AD Connect.
To create the required service connection point and group policy, you will invoke the Initialize-
SecMgmtHybirdDeviceEnrollment cmdlet. You will need your Microsoft 365 Business Premium global admin
credentials when performing this task. When you are ready to create the resources, invoke the following:
PS C:\> Connect-SecMgmtAccount
PS C:\> Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName 'Device Management'
The first command will establish a connection with the Microsoft cloud, and when you are prompted, specify
your Microsoft 365 Business Premium global admin credentials.
Related content
Synchronize domain users to Microsoft 365 (article)
Create a group in the admin center (article)
Tutorial: Configure hybrid Azure Active Directory join for managed domains (article)
Access on-premises resources from an Azure AD-
joined device in Microsoft 365 Business Premium
2/9/2022 • 2 minutes to read • Edit Online
Who is an admin?
By default, the person who signs up for and buys an Microsoft 365 for business subscription gets admin
permissions. That person can assign admin permissions to other people to help them manage Microsoft 365 for
their organization.
If you get the message "You don't have permission to access this page or perform this action ," you
aren't an admin.
Who has admin permissions in my business?
When looking for your admin to reset your password, delete an account, or do other tasks, here's who you
should contact:
Universities and schools : Contact your technical support team. Usually you can find a link on your
university site. At smaller schools, there may be just a few individuals who have admin permissions.
Large businesses : Contact your internal help desk / technical support.
Small businesses : Contact the business owner / co-owner. Often they give admin permissions to their
IT consultant who does all the computer maintenance work for their business.
If you have no idea who to contact at your work or school for help, try asking the person who gave you your
user account and password.
NOTE
Targeted release admins have first access to new features. New features later roll out to all admins. This means that you
might not see the admin center, or it might look different than what is described in help articles. To be among the first to
see new features, see Participate in the admin center, below.
Arabic ar
Bulgarian bg
Catalan ca
Czech cs
Danish da
German de
Greek el
Spanish es
English en
Estonian et
Basque eu
Finnish fi
French fr
Galician gl
Hebrew he
Croatian hr
Hungarian hu
Indonesian id
Italian it
Japanese ja
Korean ko
Lithuanian lt
Latvian lv
Dutch nl
Norwegian no
L A N GUA GE LO C A L E
Polish pl
Portuguese (Brazil) pt
Romanian ro
Russian ru
Slovak sk
Slovenian sl
Serbian Latin sr
Swedish sv
Thai th
Turkish tr
Ukrainian uk
Vietnamese vi
Related content
What is a Microsoft 365 admin? (video)
Assign admin roles (video)
Customize the Microsoft 365 theme for your organization (article)
About admin roles
2/9/2022 • 8 minutes to read • Edit Online
Microsoft 365 or Office 365 subscription comes with a set of admin roles that you can assign to users in your
organization using the Microsoft 365 admin center. Each admin role maps to common business functions and
gives people in your organization permissions to do specific tasks in the admin centers.
The Microsoft 365 admin center lets you manage Azure AD roles and Microsoft Intune roles. However, these
roles are a subset of the roles available in the Azure AD portal and the Intune admin center.
Have 2 to 4 global admins Because only another global admin can reset a global
admin's password, we recommend that you have at least 2
global admins in your organization in case of account
lockout. But the global admin has almost unlimited access to
your org's settings and most of the data, so we also
recommend that you don't have more than 4 global admins
because that's a security threat.
Assign the least permissive role Assigning the least permissive role means giving admins
only the access they need to get the job done. For example,
if you want someone to reset employee passwords you
shouldn't assign the unlimited global admin role, you should
assign a limited admin role, like Password admin or Helpdesk
admin. This will help keep your data secure.
REC O M M EN DAT IO N W H Y IS T H IS IM P O RTA N T ?
Require multi-factor authentication for admins It's actually a good idea to require MFA for all of your users,
but admins should definitely be required to use MFA to sign
in. MFA makes users enter a second method of identification
to verify they are who they say they are. Admins can have
access to a lot of customer and employee data and if you
require MFA, even if the admin's password gets
compromised, the password is useless without the second
form of identification.
When you turn on MFA, the next time the user signs in,
they'll need to provide an alternate email address and phone
number for account recovery.
Set up multi-factor authentication
If you get a message in the admin center telling you that you don't have permissions to edit a setting or page,
it's because you are assigned a role that doesn't have that permission.
A DM IN RO L E W H O SH O UL D B E A SSIGN ED T H IS RO L E?
Billing admin Assign the Billing admin role to users who make purchases,
manage subscriptions and service requests, and monitor
service health.
Exchange admin Assign the Exchange admin role to users who need to view
and manage your user's email mailboxes, Microsoft 365
groups, and Exchange Online.
Global admin Assign the Global admin role to users who need global
access to most management features and data across
Microsoft online services.
Global reader Assign the global reader role to users who need to view
admin features and settings in admin centers that the global
admin can view. The global reader admin can't edit any
settings.
Groups admin Assign the groups admin role to users who need to manage
all groups settings across admin centers, including the
Microsoft 365 admin center and Azure Active Directory
portal.
Helpdesk admin Assign the Helpdesk admin role to users who need to do the
following:
- Reset passwords
- Force users to sign out
- Manage service requests
- Monitor service health
License admin Assign the License admin role to users who need to assign
and remove licenses from users and edit their usage
location.
Office Apps admin Assign the Office Apps admin role to users who need to do
the following:
- Use the Office cloud policy service to create and manage
cloud-based policies for Office
- Create and manage service requests
- Manage the What's New content that users see in their
Office apps
- Monitor service health
Password admin Assign the Password admin role to a user who needs to
reset passwords for non-administrators and Password
Administrators.
Message center reader Assign the Message center reader role to users who need to
do the following:
- Monitor message center notifications
- Get weekly email digests of message center posts and
updates
- Share message center posts
- Have read-only access to Azure AD services, such as users
and groups
Power Platform admin Assign the Power Platform admin role to users who need to
do the following:
- Manage all admin features for Power Apps, Power
Automate, and data loss prevention
- Create and manage service requests
- Monitor service health
Reports reader Assign the Reports reader role to users who need to do the
following:
- View usage data and the activity reports in the Microsoft
365 admin center
- Get access to the Power BI adoption content pack
- Get access to sign-in reports and activity in Azure AD
- View data returned by Microsoft Graph reporting API
Service Support admin Assign the Service Support admin role as an additional role
to admins or users who need to do the following in addition
to their usual admin role:
- Open and manage service requests
- View and share message center posts
- Monitor service health
SharePoint admin Assign the SharePoint admin role to users who need to
access and manage the SharePoint Online admin center.
Teams administrator Assign the Teams administrator role to users who need to
access and manage the Teams admin center.
User admin Assign the User admin role to users who need to do the
following for all users:
- Add users and groups
- Assign licenses
- Manage most users properties
- Create and manage user views
- Update password expiration policies
- Manage service requests
- Monitor service health
The user admin can also do the following actions for users
who aren't admins and for users assigned the following roles:
Directory reader, Guest inviter, Helpdesk admin, Message
center reader, Reports reader:
- Manage usernames
- Delete and restore users
- Reset passwords
- Force users to sign out
- Update (FIDO) device keys
Related content
Assign admin roles (article)
Azure AD roles in the Microsoft 365 admin center (article)
Activity reports in the Microsoft 365 admin center (article)
Exchange Online admin role (article)
About the Microsoft 365 admin mobile app
2/9/2022 • 4 minutes to read • Edit Online
Are you an admin who’s usually on the go? Even if you aren’t, there may be times when you need to manage
Microsoft 365 from your phone or tablet. Check out the free Microsoft 365 Admin app, the perfect companion
to the web-based Microsoft 365 admin center. You can download the app from the Apple App Store, and from
the Google Play Store.
The admin app has a lot of capabilities which will enable you to manage Microsoft 365 from your mobile or
tablet device, when you can’t get to a computer. Here's a list of a few of the tasks you can do from the app:
Manage users and devices Add or edit a user, reset a user’s password, assign a role, block user, delete
user, manage alias, assign licenses, wipe device data and more.
Manage groups Add a group, add or remove users from groups.
License management and billing View a list of purchased and assigned licenses, assign licenses to users,
purchase or remove licenses and view and download invoices.
Suppor t Create a new service request and keep track of all the updates related to the service requests while
you are on the go.
Message Center Stay on top of all the upcoming changes, planned maintenance, or other important
announcements related to Microsoft 365
Ser vice Health Monitor the health of all the services by viewing the current status of the service and details
about service disruption and outages.
Notifications Stay on top of all the important information and updates related to message center posts,
service health and billing through push notifications. You can even customize what you want to be notified of.
If you're an admin and you're responsible for more than one Microsoft 365 organization, you can sign in to
multiple organizations and quickly switch between them. The app supports dark theme and is available in 39
languages.
IMPORTANT
If you're having issues using the Admin mobile app on iOS or Android, email us at [email protected] to let us
know.
Next steps
Once you've downloaded the admin mobile, you can add users to get you started.
Related content
Microsoft 365 for business training videos
What's new in the Microsoft 365 admin center
2/9/2022 • 25 minutes to read • Edit Online
NOTE
Some of the information in this article might not apply to Office 365 operated by 21Vianet.
We're continuously adding new features to [the Microsoft 365 admin center](Overview of the Microsoft 365
admin center](admin-overview/admin-center-overview.md), fixing issues we learn about, and making changes
based on your feedback. Take a look below to see what's available for you today. Some features get rolled out at
different speeds to our customers. If you aren't seeing a feature yet, try adding yourself to targeted release.
And if you'd like to know what's new with other Microsoft cloud services:
What's new in Azure Active Directory
What's new in the Exchange admin center
What's new in Microsoft Intune
What's new in the Microsoft 365 compliance center
What's new in Microsoft 365 Defender
What's new in the SharePoint admin center
Office updates
How to check Windows release health
February 2022
Net promoter score (NPS ) survey insights
You can now view NPS survey data and insights from your users in the Microsoft 365 admin center. With this
new feature you can obtain actionable insights from NPS survey responses from your end users, and achieve
higher end user delight by addressing any issues and concerns.
In the admin center, go to Health > Product feedback > NPS sur vey insights .
We've identified the common themes from user feedback. Then we used machine learning models techniques to
train the data sets and automatically organize the feedback into Top Topics.
There are nine topics available. Look out for more topics in future updates.
The NPS survey insight dashboard also contains these three new reports and pivots:
NPS monthly NPS trend volume for the last 12 months
Able to identify passives, promoters, and detractors
NPS volume per platform and app
To provide you with a better experience using the NPS survey insight dashboard:
Encourage your end users to submit feedback
Confirm in-product surveys policies are enabled
Improve diagnosis by turning on Windows Error Reporting
Learn more at Microsoft product NPS feedback and insights for your organization.
NOTE
If you're interested in joining our design sessions, send us an email at: [email protected]
The Volume trend by product graph shows the top 3 products of each month with the highest support cases.
We've enabled filtering in the table and you can now filter the results by Product , Severity , and Date .
We've also added 2 new fields, Severity and Closed Date in the View Ser vice Request table to give you
more insights about your tickets.
To check out these updates in Microsoft 365 admin center, go to Suppor t > View Ser vice requests in left
navigation pane.
June 2021
Microsoft 365 admin center search
We've added a couple of new categories to Search functionality.
You can now search for Microsoft 365 admin roles in global search and quickly view and manage role
assignments from any page. For example, search for Intune administrator .
You can now find simplified setup experiences through global search. This can help you and your team
quickly get started with how to use new features. For example, search for set password to never
expire .
To learn more about search in the admin center, see Search in the Microsoft 365 admin center.
May 2021
Admin mobile app
Keep track of support ticket updates using the Admin mobile app
For all the service requests created in your tenant you can now keep track of the ticket status, view ticket details
and provide / request additional information by adding notes & attachments.
Stay on top of all the major updates to the app and your Microsoft 365 subscription
Stay on top of all the major updates to your Microsoft 365 subscription through Message Center push
notifications (now enabled by default).
Keep track of the latest features available in the app using the What's New section. Go to Settings >
What’s new?
April 2021
Admin mobile app
Manage licenses and bills from the Admin mobile app
You can now view all available and assigned licenses for your subscriptions. You can also assign or un-assign
licenses to users, and add or remove licenses.
You can now view detailed invoices in the app.
These updates are available on both Android and iOS devices.
NOTE
Not all features are going to be available to everyone right away. If you aren't seeing the new features, join Targeted
Release.
Message center
We’ve revamped the Message center to help you discover relevant messages and added a more flexible reading
experience. We've added a new Ser vice column to help you scan which Service a message applies to and filter
messages by Service and other metadata. You can favorite a message to mark it for follow up, choose which
columns appear in the message list, and navigate between messages with the back and next buttons. We've also
improved the process to make it easier to give feedback on Message center posts.
To learn more about the new features, check out Message center.
What's new features
We've made improvements to how you view the "What's new" features for users in the Office apps. You can now
see the rich content in the What's new pane that your users can see. You can also learn more about the feature
before you decide to let your users know about the feature. For more info, check out Manage which Office
features appear in What's New.
NOTE
Not all features are going to be available to everyone right away. If you aren't seeing the new features, join Targeted
Release.
Multi-tenant management
We've developed a set of features for multi-tenant admins like you to get your job done faster and more
efficiently. For more information, see Manage multiple tenants.
Your tenants : Quickly switch between the tenants you manage.
All tenants : A new page where you can quickly see the health of all your tenants' services, any open service
requests, your products and billing, recommended setup tasks, and the number of users in that tenant.
Setup : The multi-tenant Setup page gives you a list view of the Setup page, but organized for many tenants.
You can see which features aren't turned on, which tasks are complete for all tenants, tasks that tenants still
need to complete. This view will help you keep track of feature adoption and to make sure the recommended
security setup tasks are always done.
Ser vice health : The service health view shows you if any incidents or advisories are affecting the tenants. It
will even tell you how many of your managed tenants are affected. Just select an incident to get more
information on the overview tab, then switch over to the Tenants affected tab to drill down and support that
tenant.
Cross-tenant mailbox migrations is a new service, now in public preview, that lets you move mailboxes
between tenants without the need to offboard and then onboard mailboxes.
Cross-tenant domain sharing : Soon, you can join a private preview for capabilities that allow you to share
a domain across multiple tenants. For example, if Contoso acquires Wingtip Toys, Contoso can share the
domain with Wingtip Toys so that people in both tenants can use "contoso.com" as their email addresses.
The Search box moved to the header area where it says "Microsoft 365 admin center" so you now search
from any page, not just the Home page. We've even got a shortcut: Alt+S .
Search is smarter and will give you better results, even faster. Try typing "2fa" to get started.
Search results are organized by the type of item or action you can take.
Users : Select the user's name and you can edit that user right there. If you select the three dots (more
actions) menu next to their name, you can reset their password. You can search by display name, last
name, first name, username or primary email address, and email aliases. But to get an exact match,
search by primary email address or username.
Groups : Edit the group from any page, add members, assign owners.
Actions : Similar to how you can search for a user and then reset their password, you can also search
"reset password" from any page and then reset one or more passwords for users.
Navigation : Results under Navigation can quickly help you get to a page in the admin center quickly.
For example, searching "roles" will take you to the Roles page for Azure AD roles.
Settings : Search for any setting related to your organization, the services you subscribe to, and
security and privacy settings.
Domains : You can find quick links to your domains, and then the link will take you to that domain's
Overview and health page.
Documentation : If we can't find a result for you, we'll try to find some documentation to help. It takes
a little longer for the curated list of articles to find a match, so wait a second to let Search find the
results.
Feedback : Didn't find what you were looking for? Send us feedback from Search. We will add
searching functionality for more pages and more features across the admin center.
Microsoft 365 admin mobile app
The Microsoft 365 admin mobile app, which is included with your subscription, lets you manage Microsoft 365
from your mobile device so you can get away from your desk to do every day tasks. In fact, there are over 90
features in the app--and we just added a few more:
Suppor t for Microsoft Intune's Mobile Application Management and Conditional Access policies :
You can now use your personal device to manage Microsoft 365 even if your org has turned on Intune's
Mobile Application Management and conditional access policies.
Message center notifications : Turn on message center notifications at Settings > Notifications if you
wish to be alerted about new message center posts. Through notifications, we want to ensure you stay
informed about important information and events across your tenant.
Billing aler ts : You can also turn on billing notifications at Settings > Notifications if you want to get
billing notifications on your device if a subscription is about to expire.
Dark mode : Welcome to the dark side of the mobile app. This was one of our most requested features. Go
to Settings > Themes to turn it on.
Repor t an issue : You can now report an issue in the app or view issues reported by other admins. Visit
Ser vice health to check it out.
Usage recommendations for small and medium businesses
Small and medium businesses might get a recommendation on the Home page if some of the people in the org
aren't actively using Teams, OneDrive, or Office apps. When you view the recommendation, you can quickly
email Microsoft training to inactive users to help them get started with the app and to make sure you are
getting the full value from your subscriptions.
Remote work collection
In October, we'll be adding a remote work collection to help small business owners and their staff get online and
working remotely. Remote work essentials setup is a curated list of all features Microsoft recommends to
securely enable remote work and to collaborate effectively. In a couple of weeks, you can try it out in Setup >
Remote work essentials .
For more information about how to securely allow remote work and a handy web address that's easy to
remember and share, go to aka.ms/remote-business.
Need help? moving to more admin centers
We're continuously looking at and updating the content and tools to keep up with changes in the product. We
now have many more self-serve diagnostic tools to help you resolve issues quickly and efficiently. Here are a
few that were recently added:
Change your Exchange Web Service throttling policy
Checking status of Teams provisioning and validation to specific users
Fix DKIM setup issues
Diagnose Intune user enrollment errors
And we are rolling out the new and improved support experience you already see in the Microsoft 365 admin
center to some of the other admin centers. Teams admin center and Security and Compliance admin centers
already have this new experience. And soon, Exchange admin center , SharePoint admin center , and
Office.com will be updated along with this new help experience for admins.
Manage changes with Microsoft Planner
In May, we announced that you'll soon be able to sync Message center posts to Microsoft Planner and now it's
available for everyone to use. You can now create tasks from messages, assign them, and track them to
completion. The first time, you select Planner syncing you'll need to connect to the appropriate plan.
To learn more about it, check out this article and video to see how it works: Track your message center posts in
Planner
Documentation, Training, and Videos
Brand new and just in time for Microsoft Ignite--The Virtual Hub. Deep dive into technical training for IT pros
and developers. Quickly find around 20 new videos as part of #SIDETRACKED, the name of the Ignite admin
track this year.
What's new with Microsoft 365 video series: This month, we cover new features available in Whiteboard for
Teams and on the web, how to automate user provisioning to Azure AD, new Power Automate triggers and
actions in Teams, and more. And stay tuned for next month, where we'll have a recap of all the great things
happening at Ignite!
We did a redesign of the Microsoft 365 documentation page that focuses on solutions first. We'll highlight
new solutions as they become available on this page, so keep an eye out.
July 2020
Getting ready for Ignite 2020
As we're moving into Ignite season at Microsoft, we're not releasing as many features so that we have a lot to
talk about during our sessions.
The next update to this article will be on opening day of our first online-only Ignite. And this year, it is free to
attend! Check it out, get signed up: Microsoft Ignite 2020.
Your products
There has been a lot of work done in the subscriptions management to make the page faster to load, faster to
find what you're looking for, and to meet the web accessibility standards (WCAG 2.1 guidelines).
Table redesign : The table was redesigned so that you can group similar subscriptions. Go to Billing > Your
products .
Product details : Get more details than ever about your subscriptions by selecting the product in the list.
Do it all from here : And you don't have to go to jump around several pages to manage one product. For
example, if you need to cancel a subscription, the panel will open to do the action right there.
Domains
Domain management can be complicated, and we've released a new feature to make that easier. Go to Settings
> Domains and then select a domain to get more information about your domain and the domain's health.
June 2020
Keeping up with Office What's New management
A few months ago, we added a setting that lets you manage the What's New messages that show up in a user's
Office apps. This month, we released a new Home page card that will help you act quickly and keep track of the
What's New messages that you want shown to the users in your organization.
Docs, training, and videos (June )
Getting started with Teams
May 2020
New update channel for Office
On May 12, we announced the availability of a new update channel for Office: Monthly Enterprise Channel. This
update channel provides your users with new Office features once a month, on the second Tuesday of the
month.
If you allow your users to self-install Office from the portal, you can select Monthly Enterprise Channel for them.
To do this, sign in to the Microsoft 365 admin center and go to Show all >Settings > Org settings >
Ser vices > Office software download settings . If you select Once a month (Monthly Enterprise
Channel) , then any new self-installs of Office are configured to use Monthly Enterprise Channel.
In conjunction with the release of Monthly Enterprise Channel, we’re also revising the names of the existing
update channels. For example, Monthly Channel is being renamed to Current Channel. The new names take
effect on June 9, 2020.
For more information, see Changes to update channels for Microsoft 365 Apps.
New admin roles
We've added some new Azure Active Directory admin roles to the Microsoft 365 admin center.
Hybrid identity admin role gives users permission to manage cloud provisioning and authentication services.
Network admin role lets users manage network locations and review network insights for Microsoft 365
Software as a Service app.
Printer admin role grants permission to manage all aspects of printers and printer connections.
Printer technician is a subset of the Printer admin role where those users can register and unregister printers,
and update printer status. To find out more about these roles, see About admin roles.
Export groups list
We've heard from a lot of admins that they need to share information about groups and their usage to people
who don't have access to the admin centers. You can now export the Groups list to a CSV file for auditing
purposes, which means you can throw out that old PowerShell script. To try it out, go to Groups > Groups , and
then select Expor t groups from the command bar.
Microsoft 365 solution and architecture center
Just this month, we released a new site on docs.microsoft.com called the Microsoft 365 solution and architecture
center, which brings together the technical guidance you need to understand, plan, and implement integrated
Microsoft 365 solutions for secure and compliant collaboration. In this center, you'll find:
Foundational solution guidance
Workload solutions and scenario guidance
Solution and architecture illustrations (The posters!!!)
Industry specific guidance
Enterprise architecture design principals
Docs, training, and videos (May)
What's new in Microsoft 365 video series : This month, we cover the new support experience in the
Teams admin and Security and Compliance Centers, Planner integration with the Message Center, and the
new 3x3 video layout in Microsoft Teams.
The Microsoft 365 admin center help hub page was updated to help you find what you need more quickly.
And if you go look at that page right now, we've added a card to inform you of important updates and
changes.
April 2020
Intune roles management
April 2020
Well, we did it! We've taken the second step towards a unified roles experience and you can now manage Intune
roles in the Microsoft 365 admin center. You can also leverage features such as the ability to search for roles and
view role permissions. This means you don’t need two separate tools to manage roles for Microsoft 365 and
Intune. When you sign into the Microsoft 365 admin center, you’ll see that there are two pivots on the Roles
page, one for Azure AD and one for Intune.
C URREN T N A M E N EW N A M E
February 2020
Featured Feedback Fix: Multi-organization switcher
We received a lot of feedback from partners and admins about the challenges of managing multiple Microsoft
cloud orgs. One of our first multi-org management features is the Organization switcher , which lets you
change between the orgs that you manage in just 2 clicks.
TIP
You don't have to do anything to make the organization switcher appear as long as you are the Partner of record for at
least one organization.
As the administrator of a Microsoft 365 organization, you can use search to find users, perform actions, navigate
to different settings, and read documentation. With new search functionality, search speed has improved, and
you can now search from every page in the admin center. The search box has moved to the banner area at the
top of the admin center. You can use the Alt+S shor tcut to use search from any page.
Search results are organized into different categories. Most of the categories are items in the admin center. For
example, users, groups, shared mailboxes or domains. Other categories show you places you can navigate to,
actions you can take or app level settings that you can change. And there's also a category related to
documentation.
The following sections describe the different areas and categories in the admin center that are searchable.
Users
Users can be found by display name, last name, first name, username, primary email address, or email aliases.
Select the user's name edit to edit the user’s details.
If you select the three dots (more actions) menu next to their name, you can reset their password.
Groups
You can search for Groups by group name or group email address. You can select the Group and edit the group
from any page.
Actions
You can search for Actions category contains frequently used actions in M365 Admin Center. Think of actions as
verb in the system. For example, you can also search "reset password" from any page and then reset one or
more passwords for users. You can search for “delete a user” and delete the user from the Delete user page.
Navigation
Results provides a way to quickly navigate to a specific page in the admin center. For example, searching for
RBAC will take you to the Roles page for Azure AD roles.
Settings
Search for supported app level settings related to your organization, the services you subscribe to, and security
and privacy settings.
Domain
You can find quick links to your domains, and then the link will take you to that domain's overview page.
Documentation
A documentation search provides relevant help documentation based on your search phrase. Click on the topic
to learn more.
Send us feedback
Use this section to submit feedback on the search experience. We can't respond to all feedback, but we read all
of it, and use your feedback to improve the search experience. Make sure to provide as much detail as you can in
your feedback.
Stay on top of changes
2/9/2022 • 2 minutes to read • Edit Online
With Microsoft 365, you receive new product updates and features as they become available instead of
scheduled updates that are months or years apart. As a result, you and your users will routinely experience new
and improved ways to do your job rather than a costly and time-consuming company-wide upgrade. The
challenge with such a model is keeping up with the changes and updates. Here are a few ways that you can stay
on top of the Microsoft 365 updates in your organization.
Message center Learn about official service Sign in to the admin center or admin
announcements and feature changes. mobile app. Select Health > Message
You can read these messages in the center . Select a message to read or
Microsoft 365 admin center, the admin share.
mobile app, or receive a weekly digest Change the services you see messages
in email. Share these messages with about or opt-in to the weekly digest
others in your organization when you by choosing Edit preferences in the
see a message someone else should admin center. This is also where you
act on. You can also use the Service can opt-out of the weekly digest.
Communications API to retrieve Overview of the Microsoft 365
messages. Message center
Targeted release Sign up for Targeted release for Sign in to the admin center or admin
yourself and a select group of mobile app. Selece Settings >
individuals at your organization. Get Organization profile > Release
the latest Microsoft 365 updates preferences . Learn more about
before everyone else and then inform Targeted release.
or train your users on the new
experience.
Roadmap Visit the Microsoft 365 Roadmap to Visit the Microsoft 365 Roadmap
learn about features that have been frequently and learn about planned
launched, are rolling out, are in updates and releases.
development, have been cancelled, or
previously released. The roadmap is
the official site for Microsoft 365
updates and changes.
Blogs and Community Visit Office Blogs, Microsoft Visit Office Blogs. Visit Microsoft
Community, and Microsoft Tech Community. Visit Microsoft Tech
Community to learn more details Community.
about changes in Microsoft 365 and
share experiences with other users.
NOTE
You need to be a global administrator to make changes to release preferences.
Multi-tenant management
2/9/2022 • 2 minutes to read • Edit Online
Multi-tenant management offers a unified form of management that allows Microsoft 365 partner admins the
ability to administer all the tenants they manage from a single location. If you're a partner who manages
multiple tenants, you can:
Move quickly between tenants you manage.
Assess service health, products, and billing across multiple tenants.
On the All tenants page, you can quickly see the health of all your tenants' services, any open service
requests, your products and billing, and the number of users in that tenant.
From the Tenant switcher , you can move quickly between tenants you manage.
3. Select an incident on the All ser vices or All issues tab to get more information about any incident on
the Over view tab. Select the Tenants affected tab to get a list of the affected tenants.
The list of affected tenants can be exported to CSV format so that admins can share it with support teams.
View a single tenant in the Microsoft 365 admin center
You can return to the Microsoft 365 admin center for any of the tenants from the All tenants page.
1. On the All tenants page, select the tenant name for which you want to view the admin center.
2. You are directed to the admin center for that tenant.
Office 365 operated by 21Vianet
2/9/2022 • 13 minutes to read • Edit Online
Office 365 operated by 21Vianet is designed to meet the needs for secure, reliable and scalable cloud services in
China. This service is powered by technology that Microsoft has licensed to 21Vianet.
Microsoft does not operate the service itself. 21Vianet operates, provides, and manages delivery of the service.
21Vianet is the largest carrier-neutral Internet data center services provider in China, providing hosting,
managed network services, and cloud computing infrastructure services. By licensing Microsoft technologies,
21Vianet operates local Office 365 datacenters to provide you the ability to use Office 365 services while
keeping your data within China. 21Vianet also provides your subscription and billing services, as well as
support.
NOTE
These services are subject to Chinese laws.
Follow us on WeChat
Scan this QR code to follow us on WeChat and get the latest updates for Office 365 operated by 21Vianet.
Subscriptions, billing, and technical support Provided by 21Vianet. For information on how to contact
support, see Contact Office 365 for business support.
Self-service password reset Available for admins only. For more information, see Change
or reset your password in Office 365 operated by 21Vianet.
Office Desktop Setup Office desktop setup is not available for Office 2010 and
Office 2007. However, administrators can Configure current
Office desktop applications to work with Office 365.
Mobile and device support* Coming soon are the following mobile features:
Mobile Device Management (MDM)
Blackberry Business Cloud Services (BBCS) is not available,
but you can use Exchange ActiveSync devices or an offering
from Research in Motion (RIM, the BlackBerry wireless email
solution) to run Blackberry Enterprise Server (BES).
For more information on mobile support, see Set up and
manage mobile access for your users.
Help in multiple languages Help is available in Simplified Chinese and English only.
Community-provided help Community-provided help is not available yet, but you can
select the Help button ( ? ) in the upper right corner of your
portal to see help articles.
*Optional services provided directly by Microsoft, and subject to Microsoft's Terms of Service and privacy
statements.
SharePoint Online
F UN C T IO N AVA IL A B IL IT Y
Sharing a document, library, or site by email with someone This feature is available, but off by default as using it could
outside of your organization make files shared accessible outside of your country.
Administrators do have the ability to turn it on, but will get a
warning message indicating that it could make files shared
accessible outside of your country. Users who attempt to
share with someone outside of the organization will also
receive a warning. For more information, see Share
SharePoint files or folders in Office 365.
Access Services Access 2013 is supported, but adding new Access apps may
not be available as this feature will be retired from Office 365
and SharePoint Online. Creation of new Access-based web
apps and Access web databases in Office 365 and SharePoint
Online will stop starting in June 2017 and any remaining
web apps and web databases by April 2018. Additionally,
Access 2010 functionality is not supported, and attempting
to use an Access 2010 database will result in errors and
possible data loss.
Microsoft Power Apps Microsoft Power Apps and Microsoft Power Automate are
now available to customers in regulated industries and
commercial organizations that do business with tables in
China and require local data residency.
Information Rights Management (IRM) The ability to set IRM capabilities to SharePoint for your
organization is coming soon.
Ability to translate text or pages Available, but off by default. Tenant admins can turn this
ability on, but the translation cloud service may be located
outside your country. If you do not want users to send
content to a translation cloud service, you may keep these
features disabled.
Public website ICP registration China Internet compliance policy requires that you get an
Internet Content Provider (ICP) number for your public
website.
Public website features Public websites are available only if you purchased Office
365 before March 9, 2015. However, Bing maps, external
sharing, and comments are not available in a public web site
as these features may send data outside of your country.
Newsfeed and Yammer (enterprise social networks) Newsfeed (the social hub where you'll see updates from the
people, documents, sites, and tags you're following) is
available. Yammer is unavailable.
Autohosted apps You can deploy a provider-hosted app that uses SharePoint
and SQL Azure. For more information, see Create a basic
provider hosted app for SharePoint. Coming soon is the
ability for developers to deploy an app that uses an
autohosted web site.
SharePoint Store The Office and SharePoint App Stores are optional services
operated by Microsoft Corporation or its affiliate from any of
Microsoft's worldwide facilities. The apps available in the
Store are provided by various app publishers, and are subject
to the app publisher's terms and conditions and privacy
statement. Your use of any of these apps may result in your
data being transferred to, stored, or processed in any
country where the app publisher, its affiliates or service
providers maintain facilities. Please carefully review the app
publisher's terms and conditions and privacy statements
before downloading and using such apps.
Office 365 Developer Site: Publish to SharePoint Store using Learn about the requirements for submitting apps for
the Seller Dashboard* SharePoint for distribution to users of Office 365 operated
by 21Vianet.
*Optional services provided directly by Microsoft, and subject to Microsoft's Terms of Service and privacy
statements.
Blackberry Business Cloud Services (BBCS) Not available, but you can use Exchange ActiveSync devices
or an offering from Research in Motion (RIM, the BlackBerry
wireless email solution) to run Blackberry Enterprise Server
(BES).
Sharing your calendar Calendar sharing between on-premises and Exchange Online
mailboxes is available.
Exchange
New with Exchange 2013 Cumulative Update 5 (CU5), full-featured hybrid deployments between on-premises
Exchange 2013 organizations and Office 365 services are now supported. Leveraging new improvements in the
Hybrid Configuration wizard, Exchange 2013 CU5 supports the following hybrid features between your on-
premises and Exchange Online organizations:
Secure mail routing between on-premises and Exchange Online organizations.
Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online
organizations use the @contoso.com SMTP domain.
A unified global address list (GAL), also called a "shared address book."
Free/busy and calendar sharing between on-premises and Exchange Online organizations.
Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound
Exchange Online messages to be routed through the on-premises Exchange organization.
A single Office Outlook Web App URL for both the on-premises and Exchange Online organizations.
The ability to move existing on-premises mailboxes to the Exchange Online organization. Exchange Online
mailboxes can also be moved back to the on-premises organization if needed.
Centralized mailbox management using the on-premises Exchange admin center (EAC).
MailTips, HD photo support for Outlook contacts, and multi-mailbox search between on-premises and
Exchange Online organizations.
Cloud-based message archiving for on-premises Exchange mailboxes.
For organizations running older or mixed versions of Exchange Server, some hybrid features aren't fully
supported for Office 365 tenants hosted by 21Vianet. Use the following table to learn more about hybrid feature
support in different Exchange deployment scenarios:
O N - P REM ISES EXC H A N GE EXC H A N GE H Y B RID SERVER H Y B RID C O N F IGURAT IO N SUP P O RT ED H Y B RID
VERSIO N VERSIO N W IZ A RD SUP P O RT ED? F EAT URES
Mixed 2013 SP1/2010 SP3 2013 CU5 Yes All, except In-place
eDiscovery/Archiving, OWA
access (see table below)
Mixed 2013 SP1/2010 SP3 2013 SP1 Yes Only manually configured
free/busy
IMPORTANT
Delegate calendar access, when a user or set of users is provided access to another user's calendar, isn't supported in
hybrid deployments with Office 365 tenants hosted by 21Vianet.
Additionally, some Exchange messaging policy and compliance features aren't fully supported in hybrid
deployments with Office 365 tenants hosted by 21Vianet. These features include:
Messaging Records Management (MRM)
In-Place eDiscovery
In-Place Hold
In-Place Archiving
Mailbox auditing
Accessing online archives with Outlook Web App (OWA)
Use the following table to learn more about feature support in different Exchange deployment scenarios:
O N - P REM ISES IN - P L A C E
EXC H A N GE M RM ( SP L IT O WA A C C ESS IN - P L A C E M A IL B O X H O L D/ A RC H IVIN
VERSIO N A RC H IVE) ( SP L IT A RC H IVE) EDISC O VERY A UDIT IN G G
All 2010 SP3 Not supported Not supported Supported1 Supported Supported
At least one pre- Supported2 Not supported Not supported Supported Supported
2013 CU5 server
1 Separate searches are required for on-premises and Exchange Online mailboxes.
2 MRM move-to-archive policies can be used for mailboxes located on an Exchange 2013 CU5 or greater server.
To learn more about configuring a hybrid deployment with Office 365 tenants hosted by 21Vianet, see the
following topics:
Hybrid Deployment Prerequisites
Certificate Requirements for Hybrid Deployments
Create a Hybrid Deployment with the Hybrid Configuration Wizard
IMPORTANT
The Exchange Server Deployment Assistant is a free web-based tool that helps you configure a hybrid deployment
between your on-premises organization and Office 365, or to migrate completely to Office 365. The tool asks you a small
set of simple questions and then, based on your answers, creates a customized checklist with instructions to configure
your hybrid deployment. We strongly recommend using the Deployment Assistant to configure a hybrid deployment. >
For organizations not wishing to upgrade to or add Exchange 2013 CU5 servers, Exchange 2013 SP1 organizations can
configure shared calendar free/busy sharing between their on-premises and Exchange Online organizations. To configure
this hybrid deployment feature, see Configuring Exchange hybrid deployment features with Office 365 operated by
21Vianet.
F UN C T IO N AVA IL A B IL IT Y
Coexistence and Free/Busy Sharing Sharing calendar free/busy information between two or
more on-premises Exchange organizations or sharing
between two 21Vianet Office 365 tenants isn't supported.
This feature is coming soon!
F UN C T IO N AVA IL A B IL IT Y
Sharing Exchange contact data on Apple mobile devices to This setting/feature is enabled by default. Administrators
the Apple iCloud. should turn this feature off to help prevent users from
sharing Exchange data outside of your organization.
Office
F UN C T IO N AVA IL A B IL IT Y
Open an Office application from the File > Open in … Available. The ability to do so while roaming is coming soon.
button
Save to OneDrive for Business while signed in with a To keep your data within your country, you cannot save a
Microsoft account document to your organization site (OneDrive for Business)
when you are signed in to Office with a Microsoft account.
Ability to translate text or pages This feature is available, but off by default. Administrators do
have the ability to turn it on, but will get a warning message
indicating that it could make data accessible outside of your
country.
Office client
F UN C T IO N AVA IL A B IL IT Y
Manage account (from within the Office client) This feature, and others like it that are intended to go to
your Office 365 portal, currently point to the worldwide
Office 365 portal, and you cannot sign in with your Office
365 operated by 21Vianet account. This is a known issue
that is being fixed. In the meantime, you can use the URL
https://portal.partner.microsoftonline.cn/ to sign into your
account and manage settings from there. For more
information, see Manage your Microsoft 365 Apps for
enterprise account for Office 365 operated by 21Vianet.
OneNote
F UN C T IO N AVA IL A B IL IT Y
Live Search (ability to search in online notebooks that are Not available.
not opened in the client)
Integration with Mac and iOS platform smart look up service Not available.
Domain providers to support Skype for Business You will need to register your domain with a Chinese-specific
domain provider that supports SRV records. For more
information on how to register domains, see Find your
domain registrar or DNS hosting provider.
Dial-in conferencing (the ability to add telephone access to You may see options in Skype for Business and in the Skype
meetings for users who can't get to a computer) for Business Admin Center for Dial-in conferencing and
providers, but these features are not yet available. They are
coming soon.
Skype for Business desktop help You can find help for Skype for Business desktop here.
However, desktop help is not available from the product
unless you are using Office Click-To-Run.
Ability to join a meeting from your calendar when you're Coming soon. In the meantime, you can open Skype for
using a Samsung-based device with Google Chrome Business, go to the Meetings view, and join the meeting
from there.
Desk Phone Devices like Polycom, Ares, and Tanjay Not available.
Voice features, such as voice mail, ability to make and receive Not available. These features require syndication partners.
calls from PSTN numbers, call transferring, call forwarding
Archiving, or ability to tag a user and archive that user's Not available.
emails and IMs in Exchange
Skype for Business Web client (LWA) browser support for Not available, but you can use an older version of Firefox.
Firefox 29
Unified Contact Store (UCS) The ability for users to keep all of their Skype for Business
contact information in Microsoft Exchange Server 2013 is
disabled.
Related content
Try or buy a Microsoft 365 for business subscription (article)
Azure Information Protection support for Office 365 operated by 21Vianet (article)
View your bill or get a Fapiao (article)
Office app for Android for Office 365 operated by
21Vianet
2/9/2022 • 2 minutes to read • Edit Online
The Microsoft Office app for Android combines Word, Excel, and PowerPoint mobile apps into a single app
available for download for Android phones. With the Office app for Android, you can connect to Office 365 just
as you would with the Word, Excel, and PowerPoint mobile apps. The Office app for Android download won't
affect any existing installations of Word, Excel, and PowerPoint.
A few Office app for Android features aren't available for Office 365 operated by 21Vianet customers:
Image to text and Image to table
Converting photos to Word documents from Lens
Transfer files action
Notes remain local and don't sync to server
Link preview within Scan QR
Live persona cards in the Me section
Classification, labeling, and protection (CLP)
NOTE
The Office app for Android is currently available for phones only. Support for tablets will be added at a later time.
Security considerations
If your organization pushes apps to employee mobile devices, we suggest replacing the Word, Excel, and
PowerPoint apps with the Office app for Android.
Office app for iOS for Office 365 operated by
21Vianet
2/9/2022 • 2 minutes to read • Edit Online
The Microsoft Office app for iOS combines Word, Excel, and PowerPoint mobile apps into a single app available
for download for iOS phones. With the Office app for iOS, you can connect to Office 365 just as you would with
the Word, Excel, and PowerPoint mobile apps. The Office app for iOS download won't affect any existing
installations of Word, Excel, and PowerPoint.
A few Office app for iOS features isn't available for Office 365 operated by 21Vianet customers:
Image to text and Image to table
Converting photos to Word documents from Lens
Transfer files action
Notes remain local and don't sync to server
Link preview within Scan QR
Live persona cards in the Me section
Classification, labeling, and protection (CLP)
NOTE
The Office app for iOS is currently available for iPhone only. Support for iPad will be added at a later time.
Security considerations
If your organization pushes apps to employee mobile devices, we suggest replacing the Word, Excel, and
PowerPoint apps with the Office app for iOS.
Apply for a Fapiao for Office 365 operated by
21Vianet
2/9/2022 • 3 minutes to read • Edit Online
You can submit your Fapiao request to the 21Vianet Fapiao management system about three days after you
have paid. After you submit your Fapiao request, it will be processed in two days.
3. After your registration is complete, the system will send an activation email message to your email
address. Open the email message and select the link to activate your account.
NOTE
The payment system is on a third-party platform and takes three days to synchronize the order and payment
record.
3. Select the Fapiao type, enter the required information, then select Next .
NOTE
For a normal VAT Fapiao, you only need to enter the buyer's name.
If necessary, you can apply for a Fapiao with different a title. However, you can only apply one Fapiao title for
one bill in the system. If you want to split the Fapiao into different amounts or titles, please submit your
request in the admin center.
The next time you apply for a Fapiao, the system automatically presents the previous Fapiao information.
If you need a purchase certificate or a refund, the payer name and the Fapiao title must match.
4. Select a shipping method and enter the mailing information. You can choose Yunda or SF (freight collect).
You can also go to the 21Vianet Shanghai branch to get the Fapiao. select Next .
When Fapiao is out of use, the system will display a notice, and will indicate the expected time to issue the
Fapiao.
FAQs
What services can I get from online support?
You can check the progress of your Fapiao request, and find out why you haven't received the Fapiao.
If you want to change the Fapiao title, please send the Fapiao back to us and we will reissue the Fapiao. You can
submit the request through the admin center.
3. If you forgot your login email address, please contact 21Vianet customer service at (86) 400-089-0365.
How do I find my order ID?
1. In the admin center, go to the Billing > Bills & payments page.
2. Find the invoice you want, select to view, or choose to download the PDF.
What if I enter the wrong email address when I register?
If you enter the wrong email address when you register, you won't receive the activation email. The registration
link in the email will automatically expire after 24 hours. You can return to the registration page and register
again with the correct email address.
What if I don't receive an activation email?
If you don't receive an account activation email within 24 hours after you register, go to the 21Vianet Fapiao
information management system, enter your email address, then select Resend the activation email . The
system will resend the account activation email to your registered email address.
If you still don't receive an activation email, please contact 21Vianet customer service at (86) 400-089-0365.
Azure Information Protection support for Office 365
operated by 21Vianet
2/9/2022 • 10 minutes to read • Edit Online
This article covers the differences between Azure Information Protection (AIP) support for Office 365 operated
by 21Vianet and commercial offerings, as well as specific instructions for configuring AIP for customers in China
—including how to install the AIP on-premises scanner and manage content scan jobs.
3. Create the Microsoft Information Protection Sync Ser vice service principal manually using the
New-AzADServicePrincipal cmdlet and the 870c4f2e-85b6-4d43-bdda-6ed9a579b725 application ID for the
Microsoft Information Protection Sync Service:
4. After adding the service principal, add the relevant permissions required to the service.
Step 3: Configure DNS encryption
For encryption to work correctly, Office client applications must connect to the China instance of the service and
bootstrap from there. To redirect client applications to the right service instance, the tenant admin must
configure a DNS SRV record with information about the Azure RMS URL. Without the DNS SRV record, the
client application will attempt to connect to the public cloud instance by default and will fail.
Also, the assumption is that users will log in with a username based off the tenant-owned domain (for example,
[email protected] ), and not the onmschina username (for example, [email protected] ). The domain name
from the username is used for DNS redirection to the correct service instance.
Configure DNS encryption - Windows
1. Get the RMS ID:
a. Launch PowerShell as an administrator.
b. If the AIPService module isn't installed, run Install-Module AipService .
c. Connect to the service using Connect-AipService -environmentname azurechinacloud .
d. Run (Get-AipServiceConfiguration).RightsManagementServiceId to get the RMS ID.
2. Log in to your DNS provider, navigate to the DNS settings for the domain, and then add a new SRV
record.
Service = _rmsredir
Protocol = _http
Name = _tcp
Target = [GUID].rms.aadrm.cn (where GUID is the RMS ID)
Priority, Weight, Seconds, TTL = default values
3. Associate the custom domain with the tenant in the Azure portal. This will add an entry in DNS, which
might take several minutes to get verified after you add the value to the DNS settings.
4. Log in to the Microsoft 365 admin center with the corresponding global admin credentials and add the
domain (for example, contoso.cn ) for user creation. In the verification process, additional DNS changes
might be required. Once verification is done, users can be created.
Configure DNS encryption - Mac, iOS, Android
Log in to your DNS provider, navigate to the DNS settings for the domain, and then add a new SRV record.
Service = _rmsdisco
Protocol = _http
Name = _tcp
Target = api.aadrm.cn
Port = 80
Priority, Weight, Seconds, TTL = default values
Step 4: Install and configure the AIP unified labeling client
Download and install the AIP unified labeling client from the Microsoft Download Center.
For more information, see:
AIP documentation
AIP version history and support policy
AIP system requirements
AIP quickstart: Deploy the AIP client
AIP administrator guide
AIP user guide
Learn about Microsoft 365 sensitivity labels
Step 5: Configure AIP apps on Windows
AIP apps on Windows need the following registry key to point them to the correct sovereign cloud for Azure
China:
Registry node = HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP
Name = CloudEnvType
Value = 6 (default = 0)
Type = REG_DWORD
IMPORTANT
Make sure you don't delete the registry key after an uninstall. If the key is empty, incorrect, or non-existent, the
functionality will behave as the default value (default value = 0 for the commercial cloud). If the key is empty or incorrect,
a print error is also added to the log.
Step 6: Install the AIP on-premises scanner and manage content scan jobs
Install the AIP on-premises scanner to scan your network and content shares for sensitive data, and apply
classification and protection labels as configured in your organization's policy.
When configuring and managing your content scan jobs, use the following procedure instead of the Azure
portal interface that's used by the commercial offerings.
For more information, see What is the Azure Information Protection unified labeling scanner? and Manage your
content scan jobs using PowerShell only.
To install and configure your scanner :
1. Sign in to the Windows Server computer that will run the scanner. Use an account that has local
administrator rights and that has permissions to write to the SQL Server master database.
2. Start with PowerShell closed. If you've previously installed the AIP client and scanner, make sure that the
AIPScanner service is stopped.
3. Open a Windows PowerShell session with the Run as an administrator option.
4. Run the Install-AIPScanner cmdlet, specifying your SQL Server instance on which to create a database for
the Azure Information Protection scanner, and a meaningful name for your scanner cluster.
TIP
You can use the same cluster name in the Install-AIPScanner command to associate multiple scanner nodes to the
same cluster. Using the same cluster for multiple scanner nodes enables multiple scanners to work together to
perform your scans.
5. Verify that the service is now installed by using Administrative Tools > Ser vices .
The installed service is named Azure Information Protection Scanner and is configured to run by
using the scanner service account that you created.
6. Get an Azure token to use with your scanner. An Azure AD token allows the scanner to authenticate to the
Azure Information Protection service, enabling the scanner to run non-interactively.
a. Open the Azure portal and create an Azure AD application to specify an access token for
authentication. For more information, see How to label files non-interactively for Azure
Information Protection.
TIP
When creating and configuring Azure AD applications for the Set-AIPAuthentication command, the
Request API permissions pane shows the APIs my organization uses tab instead of the Microsoft
APIs tab. Select the APIs my organization uses to then select Azure Rights Management
Ser vices .
b. From the Windows Server computer, if your scanner service account has been granted the Log on
locally right for the installation, sign in with this account and start a PowerShell session.
If your scanner service account cannot be granted the Log on locally right for the installation,
use the OnBehalfOf parameter with Set-AIPAuthentication, as described in How to label files non-
interactively for Azure Information Protection.
c. Run Set-AIPAuthentication, specifying values copied from your Azure AD application:
Set-AIPAuthentication -AppId <ID of the registered app> -AppSecret <client secret sting> -TenantId
<your tenant ID> -DelegatedUser <Azure AD account>
For example:
The scanner now has a token to authenticate to Azure AD. This token is valid for one year, two years, or
never, according to your configuration of the Web app /API client secret in Azure AD. When the token
expires, you must repeat this procedure.
7. Run the Set-AIPScannerConfiguration cmdlet to set the scanner to function in offline mode. Run:
The syntax above configures the following settings while you continue the configuration:
Keeps the scanner run scheduling to manual
Sets the information types to be discovered based on the sensitivity labeling policy
Does not enforce a sensitivity labeling policy
Automatically labels files based on content, using the default label defined for the sensitivity labeling
policy
Does not allow for relabeling files
Preserves file details while scanning and auto-labeling, including date modified, last modified, and
modified by values
Sets the scanner to exclude .msg and .tmp files when running
Sets the default owner to the account you want to use when running the scanner
9. Use the Add-AIPScannerRepository cmdlet to define the repositories you want to scan in your content
scan job. For example, run:
Use one of the following syntaxes, depending on the type of repository you're adding:
For a network share, use \\Server\Folder .
For a SharePoint library, use http://sharepoint.contoso.com/Shared%20Documents/Folder .
For a local path: C:\Folder
For a UNC path: \\Server\Folder
NOTE
Wildcards are not supported and WebDav locations are not supported.
To modify the repository later on, use the Set-AIPScannerRepository cmdlet instead.
C M DL ET DESC RIP T IO N
Get-AIPScannerRepository Gets details about repositories defined for your content scan
job.
The people on your team each need a user account before they can sign in and access Microsoft 365 for
business. The easiest way to add user accounts is to add them one at a time in the Microsoft 365 admin center.
After you do this step, your users have Microsoft 365 licenses, sign in credentials, and Microsoft 365 mailboxes.
NOTE
The steps used in the video show a different starting point for adding users, but the remaining steps are the same as the
following procedure.
Related content
Add a new employee to Microsoft 365 (article)
Add several users at the same time to Microsoft 365 (article)
Restore a user in Microsoft 365 (article)
Assign licenses to users (article)
Delete a user from your organization (article)
Add a new employee to Microsoft 365
2/9/2022 • 4 minutes to read • Edit Online
This article helps you onboard a new employee to Microsoft 365 for business. We assume you're an Admin and
you've already completed Microsoft 365 set up, and now you have someone new joining your company.
You're in the right place if your new employee needs Microsoft 365, and you're using a Microsoft 365 plan that
lets you install Office apps like Word and Excel on a computer.
Not an admin? Learn your way around Microsoft 365 helps business and home users with set up.
No Office apps in your plan? Follow the steps below, but skip the sections for installing apps. Use the Online
versions of Office instead.
Here's a quick overview:
ST EP W H Y DO T H IS?
Step 1: Create a Microsoft 365 account for the employee Each time a new employee joins your business, create an
account for them so they can start using Microsoft 365.
Step 2: Give the employee their user ID and password When you create an account, you'll get an ID and password
that you can pass to your employee so they can sign in.
Step 4: Help your employee get started Let your employee know how to use OneDrive or any team
sites in your organization.
TA SK F IN D T H E DETA IL S
Install Office apps onto your computer. When you sign in, the home page has a link to download
and install apps like Word and Outlook. Select Install
Office . For instructions, see How to install Office.
Set up your email in Outlook 2016 . Once Office apps are installed on your computer, set up your
email. For instructions, see How to set up Outlook.
Set up Skype for Business so you can connect with co- Install Skype for Business on your computer.
workers or business partners in your company or around
the world. You can start conversations with IM, voice, or To learn how to use Skype for Business, watch a video.
video calls.
Have you set up Skype for Business so your employees can
contact people external to your business who are using the
free Skype app? If not, tell your new employee so they know
what to expect when using Skype for Business.
Install apps on your mobile device if you want to get email If you want to set up the Outlook mobile app so you can get
or use Skype for Business on your phone. email via your phone. For instructions, see iOS, Android,
Windows Phone
Complete the OneDrive for Business training to help you Keep your business-related documents in the cloud by using
learn how to store and organize your documents, OneDrive for Business. You can always get to your content,
presentations, and spreadsheets in the cloud. even if you're signed in to Microsoft 365 on a different
computer. Watch a video to learn how to use your OneDrive
for Business
Complete the SharePoint Online training to help you The best place to keep documents that your coworkers will
collaborate with coworkers and share content. also access is in SharePoint Online.
Related content
Remove a former employee from Microsoft 365 (article)
Add users and assign licenses at the same time65 (article)
Assign licenses to users
2/9/2022 • 4 minutes to read • Edit Online
You can assign licenses to users on either the Active users page, or on the Licenses page. The method you use
depends on whether you want to assign product licenses to specific users or assign users licenses to a specific
product.
NOTE
As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your
organization. You can take over a self-service purchase subscription, and then assign or unassign licenses.
For some subscriptions, you can only cancel during a limited window of time after you buy or renew your subscription.
If the cancellation window has passed, turn off recurring billing to cancel the subscription at the end of its term.
Learn how to add a user and assign a license at the same time.
NOTE
If you want to assign licenses for a large number of users, use Assign licenses to users by group membership in Azure
Active Directory
Next steps
If your users don't yet have the Office apps installed, you can share the Employee quick start guide with your
users to set up things, like how to download and install Microsoft 365 or Office 2019 on a PC or Mac and how to
set up Office apps and email on a mobile device.
Related content
Understand subscriptions and licenses (article)
Unassign licenses from users (article)
Buy or remove licenses for your subscription (article)
Assign admin roles
2/9/2022 • 2 minutes to read • Edit Online
If you're the person who purchased your Microsoft business subscription, you are the global admin. This means
you have unlimited control over the products in your subscriptions and you can access most data.
For more information, see About admin roles.
When you add new users, if you don't assign them an admin role then they are in the user role and don't have
admin privileges to any of the Microsoft admin centers. But if you need help getting things done, you can assign
an admin role to a user. For example, if you need someone to help reset passwords, you shouldn't assign them
the global admin role, you should assign them the password admin role. Having too many global admins, with
unlimited access to your data and online business, is a security risk.
Related content
About Microsoft 365 admin roles (article)
Azure AD built-in roles (article)
Assign roles to user accounts with PowerShell (article)
Authorize or remove partner relationships (article)
Unassign licenses from users
2/9/2022 • 3 minutes to read • Edit Online
You can unassign licenses from users on either the Active users page, or on the Licenses page. The method
you use depends on whether you want to unassign product licenses from specific users or unassign users
licenses from a specific product.
NOTE
As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in
your organization. You can take over a self-service purchase subscription, and then assign or unassign licenses.
For some subscriptions, you can only cancel during a limited window of time after you buy or renew your
subscription. If the cancellation window has passed, turn off recurring billing to cancel the subscription at the end
of its term.
Next steps
If you’re not going to reassign the unused licenses to other users, consider removing the licenses from your
subscription so that you’re not paying for more licenses than you need.
Related content
Remove licenses from your subscription (article)
Assign licenses to users (article)
Understand subscriptions and licenses in Microsoft 365 for business (article)
Guest users in Microsoft 365 admin center
2/9/2022 • 2 minutes to read • Edit Online
Any guests you add to your Microsoft Teams, SharePoint, or Azure Active Directory are also added to the Guest
users list in the Microsoft 365 admin center. Guests can attend meetings, view documents and chat in Teams
they're invited to. Once a user shows up in the Guest users list, you can remove their access there.
To view guest users, in the Microsoft 365 admin center, in the left nav, expand Users , and then choose Guest
users .
Related content
guest users in microsoft 365 admin center
prevent guests from being added to a specific microsoft 365 group or microsoft teams team
Manage guest access in Microsoft 365 groups
2/9/2022 • 2 minutes to read • Edit Online
By default, guest access for Microsoft 365 groups is turned on for your organization. Admins can control
whether to allow guest access to groups for their whole organization or for individual groups.
When it's turned on, group members can invite guest users to a Microsoft 365 group through Outlook on Web.
Invitations are sent to the group owner for approval.
Once approved, the guest user is added to the directory and the group.
NOTE
Yammer Enterprise networks that are in Native Mode or the EU Geo do not support network guests. Microsoft 365
Connected Yammer groups do not currently support guest access, but you can create non-connected, external groups in
your Yammer network. See Create and manage external groups in Yammer for instructions.
Guest access in groups is often used as part of a broader scenario that includes SharePoint or Teams. These
services have their own guest sharing settings. For complete instructions for setting up guest sharing across
groups, SharePoint, and Teams, see:
Collaborate with guests in a site
Collaborate with guests in a team
You may need to change someone's email address and display name if, for example, they get married and their
last name changes.
IMPORTANT
If you get an error message, see Resolve error messages.
4. You'll see a big yellow warning that you're about to change the person's sign-in information. Select Save ,
then Close .
5. Give the person the following information:
This change could take a while.
Their new username. They'll need it to sign in to Microsoft 365.
If they are using Skype for Business Online, they must reschedule any Skype for Business Online
meetings that they organized, and tell their external contacts to update their contact information.
If they are using OneDrive, the URL to this location has changed. If they have OneNote notebooks
in their OneDrive, they might need to close and reopen them in OneNote. If they have shared files
from their OneDrive, the links to the files might not work and the user can reshare.
If their password changed too, they are prompted to enter the new password on their mobile
device, or it won't sync.
What if the person's offline address book won't sync with the Global
Address List?
If they are using Exchange Online or if their account is linked with your organization's on-premises Exchange
environment, you might see this error when you try to change a username and email address: "This user is
synchronized with your local Active Directory. Some details can be edited only through your local Active
Directory."
This is due to the Microsoft Online Email Routing Address (MOERA). The MOERA is constructed from the
person's userPrincipalName attribute in Active Directory and is automatically assigned to the cloud account
during the initial sync and once created, it cannot be modified or removed in Microsoft 365. You can
subsequently change the username in the Active Directory, but it doesn't change the MOERA and you may run
into issues displaying the newly changed name in the Global Address List.
To fix this, log in to the Azure Active Directory Module for PowerShell with your Microsoft 365 administrator
credentials. and use the following syntax:
TIP
This changes the person's userPrincipalName attribute and has no bearing on their Microsoft Online Email Routing
Address (MOERA) email address. It is best practice, however, to have the person's logon UPN match their primary SMTP
address.
To learn how to change someone's username in Active Directory, in Windows Server 2003 and earlier, see
Rename a user account.
Related content
Add a domain Admins: Reset a password for one or more users Add another email address to a user Create a
shared mailbox
Restore a user
2/9/2022 • 2 minutes to read • Edit Online
When you restore a user account within 30 days after deleting it, the account and all associated data are
restored. The user can sign in with the same work or school account. Their mailbox will be fully restored. To find
out how much time remains before a specific user account can no longer be restored, contact us.
Here are a couple of tips:
Make sure licenses are available to assign to the account.
If your business uses Active Directory, for instructions on restoring a user account, see How to
troubleshoot deleted user accounts in Office 365.
NOTE
If two or more users fail to be restored, an error message advises you that the restore operation failed for some
users. View the log to see which users were not restored, and then restore the failed accounts one at a time.
Related content
Delete a user (article)
Assign admin roles (video)
Assign licenses to users (article)
Create and use a template to add users
2/9/2022 • 2 minutes to read • Edit Online
You can create and use a template to save time and standardize settings when you are adding multiple users.
Templates are particularly useful if you have users who share many common properties, like those who have
the same role and work at the same location and those who require the same software. For example, you might
have a team of support engineers who work in the same office.
Create a template
Templates are easy to create—you can select Users > Active users > User templates , and then select Add a
template from the drop-down list, or you can add a new user and when you are finished, you will have the
option of saving the entry as a template.
When you create a template after adding a user, the values you choose for the following settings are saved in
the template:
Domain name
Password settings choice: you can choose to create passwords or have them auto-generated
One-time password choice: you can require the user to create a new password after first sign in
License location
License choices
Application choices
Role
Most profile information, such as Job profile , Depar tment , Office , Office phone , and Street address
The following information is user-specific and isn't saved in the template:
First and last name
Display name
User name
Choice to send the password in email and who the password email is sent to
Mobile phone number
If you choose not to enter information for a setting within a section, that value will be blank and that setting will
not display in the template. For example, if you leave Job title blank, when you review your template and when
you use your template, Job title will not appear at all. If you leave all the Profile section settings blank, the
Profile section will display None provided in your final template.
When you create a template by selecting the Add a template option, you can choose which values to complete.
Anything that is left blank will appear as None provided in the template.
3. Follow the steps to create a user from the template you selected.
NOTE
If you have insufficient licenses available for a user that you add, and your payment information is available, we
will attempt to purchase another license using your existing payment information. If your payment information is
unavailable, the user will be created as an unlicensed user.
Manage templates
You can only delete templates you no longer need and add new ones. To delete a template:
1. In the admin center, select Users > Active users .
2. Select Templates , and then select Manage templates from the drop-down list.
3. A list of templates will appear. You can delete a template by doing any of the following:
Select one or more templates, and then select Delete .
Select the three dots to the right of the template name, and then select Delete .
Select the template name. When the template details appear on the right side of your screen, select
Delete template .
Related articles
Add users and assign licenses at the same time
Remove a former employee from Microsoft 365
Upgrade your Microsoft 365 for business users to
the latest Office client
2/9/2022 • 4 minutes to read • Edit Online
Upgrade steps
The steps below will guide you through the process of upgrading your users to the latest Office desktop client.
We recommend you read through these steps before beginning the upgrade process.
TIP
If you have users in your organization running older versions of Windows on their PCs or laptops, we recommend
upgrading to Windows 10. Windows 7 has reached end of support. Read Support for Windows 7 ends in January 2020
for more info.
Check out the Windows 10 system requirements to see if you can upgrade their operating systems.
Check application compatibility
To ensure a successful upgrade, we recommend identifying your Office applications--including VBA scripts,
macros, third-party add-ins, and complex documents and spreadsheets--and assessing their compatibility with
the latest version of Office.
For example, if you're using third-party add-ins with your current Office install, contact the manufacture to make
sure they're compatible with the latest version of Office.
TIP
If you run into issues while uninstalling Office, you can use the Microsoft Support and Recovery Assistant tool to help you
remove Office: Download and run the Microsoft Support and Recovery Assistant.
TIP
If you don't want your users installing Office themselves, see Manage software download settings in Office 365. You can
use the Office Deployment Tool to download the Office software to your local network and then deploy Office by using
the software deployment method you typically use.
Overview: Remove a former employee and secure
data
2/9/2022 • 3 minutes to read • Edit Online
A question we often get is, "What should I do to secure data and protect access when an employee leaves my
organization?" This article series explains how to block access to Microsoft 365 so these user's can't sign in to
Microsoft 365, the steps you should take to secure organization data, and how to allow other employees to
access email and OneDrive data.
Microsoft 365 admin center Convert mailbox, forward email, revoke access, remove user
Exchange admin center Block user, block access to email, wipe device
ST EP W H Y DO T H IS
Step 1 - Prevent a former employee from logging in and This blocks your former employee from logging in to
block access to Microsoft 365 services Microsoft 365 and prevents the person from accessing
Microsoft 365 services.
Step 2 - Save the contents of a former employee's mailbox This is useful for the person who is going to take over the
employee's work, or if there is litigation.
Step 3 - Forward a former employee's email to another This lets you keep the former employee's email address
employee or convert to a shared mailbox active. If you have customers or partners still sending email
to the former employee's address, this gets them to the
person taking over the work.
Step 4 - Give another employee access to OneDrive and If you only remove a user's license but don't delete the
Outlook data account, the content in the user's OneDrive will remain
accessible to you even after 30 days.
Before you delete the account, you should give access of
their OneDrive and Outlook to another user. After you
delete an employee's account, the content in their
OneDrive and Outlook is retained for 30 days. During
that 30 days, however, you can restore the user's
account, and gain access to their content. If you restore
the user's account, the OneDrive and Outlook content
will remain accessible to you even after 30 days.
Step 5 - Wipe and block a former employee's mobile device Removes your business data from the phone or tablet.
Step 6 - Remove and delete the Microsoft 365 license from a When you remove a license, you can assign it to someone
former employee else. Or, you can delete the license so you don't pay for it
until you hire another person.
When you remove or delete a license, the user's old
email, contacts, and calendar are retained for 30 days ,
then permanently deleted. If you remove or delete a
license but don't delete the account, the content in the
user's OneDrive will remain accessible to you even after
30 days.
Step 7 - Delete a former employee's user account This removes the account from your admin center. Keeps
things clean.
ST EP W H Y DO T H IS
Related content
Restore a user (article)
Add a new employee to Microsoft 365 (article)
Assign licenses to users (article)
Unassign licenses from users (article)
Step 1 - Prevent a former employee from logging in
and block access to Microsoft 365 services
2/9/2022 • 2 minutes to read • Edit Online
If you need to immediately prevent a user's sign-in access, you should reset their password. In this step, force a
sign out of the user from Microsoft 365.
NOTE
You need to be a global administrator to initiate sign-out for other administrators. For non administrator users, you can
use a User Administrator or a Helpdesk Administrator user to perform this action. Learn more about the Admin Roles
IMPORTANT
If the user is in Outlook on the web, just clicking around in their mailbox, they may not be kicked out immediately. As
soon as they select a different tile, such as OneDrive, or refresh their browser, the sign-out is initiated.
To use PowerShell to sign out a user immediately, see the Revoke-AzureADUserAllRefreshToken cmdlet.
For more information about how long it takes to get someone out of email, see What you need to know about
terminating an employee's email session.
Related content
Exchange admin center in Exchange Online (article)\
Restore a user (article)
Step 2 - Save the contents of a former employee's
mailbox
2/9/2022 • 2 minutes to read • Edit Online
In this step, place a Litigation Hold or In-place Hold on the user or export their Outlook data to a .pst file.
Related content
Exchange admin center in Exchange Online
Restore a user
Step 3 - Forward a former employee's email to
another employee or convert to a shared mailbox
2/9/2022 • 2 minutes to read • Edit Online
In this step, you assign the former employee's email address to another employee, or convert the user's mailbox
to a shared mailbox.
Related content
Open and use a shared mailbox in Outlook
Access another person's mailbox
Exchange admin center in Exchange Online
Manager another person's mail and calendar items
Step 4 - Give another employee access to OneDrive
and Outlook data
2/9/2022 • 5 minutes to read • Edit Online
When an employee leaves your organization, you'll want to access their OneDrive and Outlook data, back it up,
and choose whether to give it to another employee.
NOTE
You can move or copy up to 500 MB of files and folders at a time.
When you move or copy documents that have version history, only the latest version is moved.
You can also grant access to another user to access a former employee's OneDrive.
1. Sign in to the admin center as a global admin or SharePoint admin.
If you get a message that you don't have permission to access the admin center, then you don't have
administrator permissions in your organization.
2. In the left pane, select Admin centers > SharePoint . (You might need to select Show all to see the list
of admin centers.)
3. If the classic SharePoint admin center appears, select Open it now at the top of the page to open the
SharePoint admin center.
4. In the left pane, select More features .
5. Under User profiles , select Open .
6. Under People , select Manage User Profiles .
7. Enter the former employee's name and select Find .
8. Right-click the user, and then choose Manage site collection owners .
9. Add the user to Site collection administrators and select Ok .
10. The user will now be able to access the former employee's OneDrive using the OneDrive URL.
Revoke admin access to a user's OneDrive
You can give yourself access to the content in a user's OneDrive, but you may want to remove your access when
you no longer need it.
1. Sign in to the admin center as a global admin or SharePoint admin.
If you get a message that you don't have permission to access the admin center, then you don't have
administrator permissions in your organization.
2. In the left pane, select Admin centers > SharePoint . (You might need to select Show all to see the list
of admin centers.)
3. If the classic SharePoint admin center appears, select Open it now at the top of the page to open the
SharePoint admin center.
4. In the left pane, select More features .
5. Under User profiles , select Open .
6. Under People , select Manage User Profiles .
7. Enter the user's name and select Find .
8. Right-click the user, and then choose Manage site collection owners .
9. Remove the person who no longer needs access to the user's data, and then select OK .
NOTE
You can export one account at a time. If you want to export multiple accounts, after one account is exported,
repeat these steps.
7. Select Next .
8. Select Browse to select where to save the Outlook Data File (.pst). Type a file name, and then select OK to
continue.
NOTE
If you've used export before, the previous folder location and file name appear. Type a different file name before
selecting OK .
9. If you are exporting to an existing Outlook Data File (.pst), under Options , specify what to do when
exporting items that already exist in the file.
10. Select Finish .
Outlook begins the export immediately unless a new Outlook Data File (.pst) is created or a password-protected
file is used.
If you're creating an Outlook Data File (.pst), an optional password can help protect the file. When the
Create Outlook Data File dialog box appears, type the password in the Password and Verify
Password boxes, and then select OK . In the Outlook Data File Password dialog box, type the
password, and then select OK .
If you're exporting to an existing Outlook Data File (.pst) that is password protected, in the Outlook Data
File Password dialog box, type the password, and then select OK .
See how to Export or backup email, contacts, and calendar to an Outlook .pst file in Outlook 2010.
NOTE
By default, your email is available offline for a period of 12 months. If required, see how to increase the data available
offline.
NOTE
You can also convert the former user's mailbox to a shared mailbox or forward a former employee's email to another
employee.
NOTE
The steps remain the same for accessing an existing user's OneDrive and email data.
TIP
If you want to import or restore only a few items from an Outlook Data File (.pst), you can open the Outlook Data File.
Then, in the navigation pane, drag the items from Outlook Data File folders to your existing Outlook folders.
Related content
Add and remove admins on a OneDrive account (article)
Restore a deleted OneDrive (article)
OneDrive retention and deletion (article)
Share OneDrive files and folders
Step 5 - Wipe and block a former employee's
mobile device
2/9/2022 • 2 minutes to read • Edit Online
If your former employee had an organization phone, you can use the Exchange admin center to wipe and block
that device so that all organization data is removed from the device and it can no longer connect to Office 365. If
your organization uses Basic Mobility and Security to manage mobile devices, you can wipe and block those
devices using Basic Mobility and Security.
TIP
Be sure you remove or disable the user from your on-premises Blackberry Enterprise Service. You should also
disable any Blackberry devices for the user. Refer to the Blackberry Business Cloud Services Administration Guide if
you need specific steps on how to disable the user.
Related content
Exchange admin center in Exchange Online
Step 6 - Remove the Microsoft 365 license from a
former employee
2/9/2022 • 2 minutes to read • Edit Online
If you don't want to pay for a license after someone leaves your organization, you need to remove their
Microsoft 365 license and then delete it from your subscription. You can assign a license to another user if you
don't delete it.
When you remove the license, all that user's data is held for 30 days. You can access the data, or restore the
account if the user comes back. After 30 days, all the user's data (except for documents stored on SharePoint
Online) is permanently deleted from Microsoft 365 and can't be recovered.
1. In the admin center, go to the Users > Active users page.
2. Select the name of the employee that you want to block, and then select the Licenses and Apps tab.
3. Clear the check boxes for the license(s) you want to remove, and then select Save changes .
To reduce the number of licenses you're paying for until you hire another person, do the following steps:
1. In the admin center, go to the Billing > Your products page, and select the Products tab.
2. Select the subscription from which you want to remove licenses.
3. On the details page, select Remove licenses .
4. In the Remove licenses pane, under New quantity, in the Total licenses box, enter the total number of
licenses that you want for this subscription. For example, if you have 25 licenses and you want to remove one
of them, enter 24.
5. Select Save .
When you add another person to your business, you'll be prompted to buy a license at the same time, with just
one step!
For more information about managing user licenses for Microsoft 365 for business, see Assign licenses to users
in Microsoft 365 for business, and Unassign licenses from users in Microsoft 365 for business.
After you've saved and accessed all the former employee's user data, you can delete the former employee's
account.
IMPORTANT
Don't delete the account if you've set up email forwarding or converted it to a shared mailbox. Both need the account to
anchor the forwarding or shared mailbox.
W H AT Y O U C A N DO H O W Y O U DO IT
Terminate a session and block access to future sessions (for Disable the account. For example, (in the Exchange admin
all protocols) center or using PowerShell):
Set-Mailbox [email protected] -
AccountDisabled:$true
Terminate the session for a particular protocol (such as Disable the protocol. For example, (in the Exchange admin
ActiveSync) center or using PowerShell):
Set-CASMailbox [email protected] -
ActiveSyncEnabled:$false
In the Exchange admin center or using PowerShell Expected delay is within 30 min
Related content
Restore a user (article)
Reset passwords (article)
Overview of Microsoft 365 Groups for
administrators
2/9/2022 • 5 minutes to read • Edit Online
Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365.
With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. These
resources include:
A shared Outlook inbox
A shared calendar
A SharePoint document library
A Planner
A OneNote notebook
Power BI
Yammer (if the group was created from Yammer)
A Team (if the group was created from Teams)
Roadmap (if you have Project for the web)
Stream
With a Microsoft 365 group, you don't have to manually assign permissions to each of these resources. Adding
people to the group automatically gives them the permissions they need.
Any user can create a group unless you limit group creation to a specific set of people. If you limit group
creation, users who cannot create groups will not be able to create SharePoint sites, Planners, teams, Outlook
group calendars, Stream groups, Yammer groups, Shared libraries in OneDrive, or shared Power BI workspaces.
These services require the people creating them to be able to create a group. Users can still participate in group
activities, such as creating tasks in Planner or using Teams chat, provided they are a member of the group.
Groups have the following roles:
Owners - Group owners can add or remove members and have unique permissions like the ability to delete
conversations from the shared inbox or change different settings about the group. Group owners can
rename the group, update the description or picture and more.
Members - Members can access everything in the group, but can't change group settings. By default group
members can invite guests to join your group, though you can control that setting.
Guests - Group guests are members who are from outside your organization.
Only global admins, user admins, and groups admins can create and manage groups in the Microsoft 365
admin center. You can't be a delegated admin (for example, a consultant who is an admin on behalf of).
As an administrator, you can:
Specify who can create groups
Create a naming policy for groups in your organization
Choose which domain to use when creating a group
Manage guest access to groups
Recover a deleted group (within 30 days of deletion)
If you prefer a more automated way to manage the lifecycle of your Microsoft 365 groups, you can use
expiration policies to expire groups at a specific time interval. The group's owners will get an email 30, 15, and 1
day before the group expiration that allows them to renew the group if it's still needed. See: Microsoft 365
group Expiration Policy.
You can administer your groups from the Microsoft 365 admin center or by using PowerShell.
If you have many users, such as in a large corporation or enterprise, you may have many users who create
groups for various purposes. We highly recommend that you review Plan for governance in Microsoft 365
groups for best practices.
Group limits
The following limits apply to Microsoft 365 Groups:
M A XIM UM . . . VA L UE
Number of members More than 1,000, though only 1,000 can access the Group
conversations concurrently.
Users might notice delays when accessing the calendar and
conversations in large groups in Outlook.
The default maximum number of Microsoft 365 groups that an organization can have is 500,000. To go beyond
the default limit, you must contact Microsoft Support. For more information on Microsoft 365 Groups limits, see
Microsoft 365 Groups - Admin help.
Managing your Microsoft 365 groups is more effective when you have actionable information about groups
usage. The Microsoft 365 admin center has a reporting tool that lets you see storage use, how many active
groups you have, and how users are using the groups. See: Microsoft 365 Reports in the admin center for more
information.
Sensitivity labels
You can create sensitivity labels that the users in your organization can set when they create a Microsoft 365
group. With sensitivity labels, you can configure:
Privacy (public or private)
External users access
Unmanaged device access
For example, you can create a label called Highly Confidential and specify that any group created with this label
will be private and not allow external users. When users in your organization select this label during group
creation, the group will be set to private and group members will not be allowed to add external users to the
group.
IMPORTANT
If you are currently using classification labels, they will no longer be available to users who create groups once sensitivity
labels are enabled.
For information about creating, managing, and using sensitivity labels, see Use sensitivity labels to protect
content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites.
NOTE
For more details about Microsoft 365 service families and plans, see Microsoft 365 plan options.
If you have an Exchange-only plan you can still get the shared inbox and shared calendar features of groups in
Outlook but you won't get the document library, Planner or any of the other capabilities.
Microsoft 365 groups work with Azure Active Directory. The groups features you get depends on which Azure
Active Directory subscription you have, and what licenses are assigned to the organizer of the group.
IMPORTANT
For all the groups features, if you have an Azure AD Premium subscription, users can join the group whether or not they
have an AAD P1 license assigned to them. Licensing isn't enforced. Periodically we will generate usage reports that tell you
which users are missing a license, and need one assigned to them to be compliant with the licensing requirements. For
example, let's say a user doesn't have a license and they are added to a group where the naming policy is enforced. The
report will flag for you that they need a license.
Related content
Learn about Microsoft 365 Groups (article)
Upgrade distribution lists to Microsoft 365 Groups (article)
Manage Microsoft 365 Groups with PowerShell (article)
SharePoint Online Limits (article)
Organize groups and channels in Microsoft Stream (article)
Compare groups
2/9/2022 • 4 minutes to read • Edit Online
In the Groups section of the Microsoft 365 admin center, you can create and manage these types of groups:
Microsoft 365 Groups are used for collaboration between users, both inside and outside your company.
They include collaboration services such as SharePoint and Planner.
Distribution groups are used for sending email notifications to a group of people.
Security groups are used for granting access to resources such as SharePoint sites.
Mail-enabled security groups are used for granting access to resources such as SharePoint, and emailing
notifications to those users.
Shared mailboxes are used when multiple people need access to the same mailbox, such as a company
information or support email address.
Dynamic distribution groups are created to expedite the mass sending of email messages and other
information within an organization.
Some groups allow dynamic membership or email.
M A IL -
EN A B L ED DY N A M IC
M IC RO SO F T DIST RIB UT IO SEC URIT Y SEC URIT Y SH A RED DIST RIB UT IO
365 GRO UP S N GRO UP S GRO UP S GRO UP S M A IL B O XES N GRO UP S
Security groups
Security groups are used for granting access to Microsoft 365 resources, such as SharePoint. They can make
administration easier because you need only administer the group rather than adding users to each resource
individually.
Security groups can contain users or devices. Creating a security group for devices can be used with mobile
device management services, such as Intune.
Security groups can be configured for dynamic membership in Azure Active Directory, allowing group members
or devices to be added or removed automatically based on user attributes such as department, location, or title;
or device attributes such as operating system version.
Security groups can be added to a team.
Microsoft 365 Groups can't be members of security groups.
Shared mailboxes
Shared mailboxes are used when multiple people need access to the same mailbox, such as a company
information or support email address, reception desk, or other function that might be shared by multiple
people.
Shared mailboxes can receive external emails if the administrator has enabled this.
Shared mailboxes include a calendar that can be used for collaboration.
Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the
administrator has given that user permissions to do that. This is particularly useful for help and support
mailboxes because users can send emails from "Contoso Support" or "Building A Reception Desk."
It's not possible to migrate a shared mailbox to a Microsoft 365 Group.
Related content
Learn about Microsoft 365 Groups
Upgrade distribution lists to Microsoft 365 Groups in Outlook
Why you should upgrade your distribution lists to groups in Outlook
Create a group in the Microsoft 365 admin center
2/9/2022 • 2 minutes to read • Edit Online
While users can create a Microsoft 365 group from Outlook or other apps, as an admin, you may need to create
or delete groups, add or remove members, and customize how they work. The Microsoft 365 admin center is
the place to do this.
TIP
Microsoft 365 connected Yammer groups must be created in Yammer, but can be managed in the Microsoft 365 admin
center like other Microsoft 365 groups. To learn more, see Yammer and Microsoft 365 groups.
Next steps
After creating a new group and adding members, you can further configure your group, such as editing the
group name or description, changing owners or members, and specifying whether external senders can email
the group and whether to send copies of group conversations to members. See Manage a Microsoft 365 group
for information.
Related content
Manage guest access to Microsoft 365 groups (article)
Choose the domain to use when creating Microsoft 365 groups (article)
Upgrade distribution lists to Microsoft 365 groups (article)
Explaining Microsoft 365 Groups to your users
2/9/2022 • 2 minutes to read • Edit Online
Microsoft 365 Groups allow you to set up a collection of resources to share, including a shared mailbox and
calendar, a SharePoint site with a OneNote notebook, and a Microsoft Planner among others. Microsoft Teams
can also be included when you create a group, or it can be added later. Permissions groups resources are
managed via the group.
Groups can be created by creating any of the shared resources. Creating a group in Outlook yields the same
result as creating a group-connected SharePoint team site or a plan in Planner. If your users are new to
Microsoft 365 Groups, they may not realize this. This can lead to confusion for your users and the possibility of
creating duplicate resources. (For examples, someone might create a SharePoint site for document collaboration
and later create a separate instance of Planner, not realizing Planner was already available as part of the group.)
Because groups can be created in several ways, we recommend training your users to use the method that fits
your organization the best:
If your organization does most of its communication using email, instruct your users to create groups in
Outlook.
If your organization heavily uses SharePoint or is migrating from SharePoint on-premises, instruct your users
to create SharePoint team sites for collaboration.
If your organization has deployed Teams, instruct your users to create a team when they need a collaboration
space.
If you train your users to always use the group creation method that most aligns with their way of working
when they need a space to collaborate with others, you can help avoid confusion and duplication of resources.
As users become more experienced, they will understand better the collection of services that come with a
group and that different creation methods lead to the same result.
You can use the Microsoft 365 Groups for Business User - PowerPoint template as a starting point for training
presentations for your users.
Related topics
Learn about Microsoft 365 Groups
Manage a group in the Microsoft 365 admin center
2/9/2022 • 3 minutes to read • Edit Online
After you have created a Microsoft 365 group and added group members, you can configure your group. You
can edit the group name or description, manage owners or members, and specify whether external senders can
email the group and whether to send copies of group conversations to members.
Go to the Microsoft 365 admin center at https://admin.microsoft.com.
NOTE
It may take up to 30 minutes before users outside the organization can email the group.
Get-AzureADMSDeletedGroup
Take note of the object ID of the group, or groups, that you want to permanently delete.
Cau t i on
Purging the group removes the group and its data forever.
To purge the group run this command in PowerShell:
To confirm that the group has been successfully purged, run the Get-AzureADMSDeletedGroup cmdlet again to
confirm that the group no longer appears on the list of soft-deleted groups. In some cases it may take as long as
24 hours for the group and all of its data to be permanently deleted.
Related articles
Create a Microsoft 365 group
Manage guest access to Microsoft 365 Groups
Choose the domain to use when creating Microsoft 365 Groups
Allow members to send as or send on behalf of a Microsoft 365 group
Upgrade distribution lists to Microsoft 365 Groups
Manage Microsoft 365 Groups with PowerShell
Add or remove members from Microsoft 365
groups using the admin center
2/9/2022 • 2 minutes to read • Edit Online
In Microsoft 365, group members typically create their own groups, add themselves to groups they want to join,
or are invited by group owners. If group ownership changes, or if you determine that a member should be
added or removed, as the admin you can also make that change. Only a global administrator, Exchange
administrator, Groups administrator, or user administrator can make these changes. What is a Microsoft 365
group?
TIP
If you're not an admin, you can add or remove members using Outlook.
Next steps
Manage groups dynamically in Azure Active Directory: see the section "How can I manage the
membership of a group dynamically?"
To add hundreds or thousands of users to groups, use the Add-UnifiedGroupLinks.
Assign a new owner to an orphaned group
Related content
Upgrade distribution lists to Microsoft 365 groups in Outlook (article)
Why you should upgrade your distribution lists to groups in Outlook (article)
Manage guest access in Microsoft 365 groups (article)
Manage Microsoft 365 groups with PowerShell: this article introduces you to key cmdlets and provides
examples (article)
Microsoft 365 groups naming policy (article)
Restore a deleted Microsoft 365 group
2/9/2022 • 2 minutes to read • Edit Online
If you've deleted a group, it will be retained for 30 days by default. This 30-day period is considered a "soft-
delete" because you can still restore the group. After 30 days, the group and its associated contents are
permanently deleted and cannot be restored.
When a group is restored, the following content is restored:
Azure Active Directory (AD) Microsoft 365 Groups object, properties, and members.
Group's e-mail addresses.
Exchange Online shared Inbox and calendar.
SharePoint Online team site and files.
OneNote notebook
Planner
Teams
Yammer group and group content (If the Microsoft 365 group was created from Yammer)
Power BI Classic workspace
NOTE
This article describes restoring only Microsoft 365 groups. All other groups cannot be restored once deleted.
Restore a group
Outlook
Admin center
If you are the owner of a Microsoft 365 group, you can restore the group yourself in Outlook on the web by
following these steps:
1. On the deleted groups page, select the Manage groups option under the Groups node, and then
choose Deleted .
2. Click on the Restore tab next to the group you want to restore.
If the deleted group doesn't appear here, contact an administrator.
Related content
Manage Microsoft 365 Groups with PowerShell (article)
Delete groups using the Remove-UnifiedGroup cmdlet (article)
Manage your group-connected team site settings (article)
Delete a group in Outlook (article)
Manage guest access in Microsoft 365 groups
2/9/2022 • 2 minutes to read • Edit Online
By default, guest access for Microsoft 365 groups is turned on for your organization. Admins can control
whether to allow guest access to groups for their whole organization or for individual groups.
When it's turned on, group members can invite guest users to a Microsoft 365 group through Outlook on Web.
Invitations are sent to the group owner for approval.
Once approved, the guest user is added to the directory and the group.
NOTE
Yammer Enterprise networks that are in Native Mode or the EU Geo do not support network guests. Microsoft 365
Connected Yammer groups do not currently support guest access, but you can create non-connected, external groups in
your Yammer network. See Create and manage external groups in Yammer for instructions.
Guest access in groups is often used as part of a broader scenario that includes SharePoint or Teams. These
services have their own guest sharing settings. For complete instructions for setting up guest sharing across
groups, SharePoint, and Teams, see:
Collaborate with guests in a site
Collaborate with guests in a team
This article explains how to reset passwords for yourself and for your users when you have a Microsoft 365 for
business subscription.
NOTE
You can also set up self-service password reset for your users so they can reset their own passwords. To learn more, see
Let users reset their own passwords.
1. When a user requests a new password, you'll receive a password reset request in email. To reset the
password, open the app launcher and select Admin .
2. In the Microsoft 365 admin center, select Users , Active users , and then select the key icon next to the user
who requested the reset.
3. Select Auto-generate password to have a random password automatically created.
4. Select Reset .
If you found this video helpful, check out the complete training series for small businesses and those new to
Microsoft 365.
Related content
Let users reset their own passwords (article)
Reset passwords (article)
Set an individual user's password to never expire (article)
Set the password expiration policy for your organization (article)
Microsoft 365 for business training videos (link page)
Let users reset their own passwords
2/9/2022 • 2 minutes to read • Edit Online
As the Microsoft 365 admin, you can let people use the self-service password reset tool so you don't have to
reset passwords for them. Less work for you!
This article explains how to set a password for an individual user to not expire. You have to complete these steps
using PowerShell.
Example:
To see the Password never expires setting for all users, run the following cmdlet:
To get a report of all the users with PasswordNeverExpires in Html on the desktop of the current user
with name Repor tPasswordNeverExpires.html
Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
} | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html
To get a report of all the users with PasswordNeverExpires in CSV on the desktop of the current user with
name Repor tPasswordNeverExpires.csv
To set the passwords of all the users in an organization to never expire, run the following cmdlet:
WARNING
User accounts configured with the -PasswordPolicies DisablePasswordExpiration parameter still age based on the
pwdLastSet attribute. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None ,
all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This
change can affect a large number of users.
To set the passwords of all users in the organization so that they expire, use the following cmdlet:
Related content
Let users reset their own passwords (article)
Reset passwords (article)
Set the password expiration policy for your organization (article)
Resend a user's password - Admin Help
2/9/2022 • 2 minutes to read • Edit Online
This article explains how to resend the notification email to a new user in Office 365. This can happen when you
create a new user and they don't get an email with their new password. You do this by resetting the user's
password.
Related content
Let users reset their own passwords
Reset passwords
Turn off strong password requirements for users
2/9/2022 • 2 minutes to read • Edit Online
This article explains how to turn off strong password requirements for your users. Strong password
requirements are turned on by default in your Microsoft 365 for business organization. Your organization might
have requirements to disable strong passwords. Follow the steps below to turn off strong password
requirements. You have to complete these steps using PowerShell.
3. You can turn OFF strong password requirements for specific users with this command:
NOTE
The userPrincipalName must be in the Internet-style sign-in format where the user name is followed by the at sign (@)
and a domain name. For example: [email protected].
Related content
How to connect to Microsoft 365 with PowerShell
More information on PowerShell MsolUser commands
More information on password policy
Set the password expiration policy for your
organization
2/9/2022 • 3 minutes to read • Edit Online
IMPORTANT
Password expiration notifications are no longer supported in the Microsoft 365 admin center or any Office apps.
Related content
Let users reset their own passwords (article)/
Reset passwords (article)
User email settings
2/9/2022 • 2 minutes to read • Edit Online
As the admin of an organization, there are email settings you can manage on your users. This article gives you
information on managing these settings.
Mailbox permissions Read and manage allows you to set whether people can
read and manage other people's mailboxes. You can also set
Send as and Send on behalf permissions for a person.
Check out Give mailbox permissions to another user in
Microsoft 365 - Admin Help for more details.
Email apps Email apps allows you to choose the apps a user can use to
access their Microsoft email.
Show in global address list Show in global address list allows you to enable or disable
the visibility of the user's mailbox in the organization's
address list.
Automatic replies Automatic replies allows you to set an automatic reply when
someone sends an email to the person's email address. You
might want to do this if an employee leaves your company
and you want to let the email sender know.
NOTE
1You can only manage email apps for mailboxes that are hosted fully in Microsoft 365. You cannot use this feature to
manage email apps for mailboxes that are hosted on-premises.
Add another email alias for a user
2/9/2022 • 4 minutes to read • Edit Online
This article is for Microsoft 365 administrators who have business subscriptions. It's not for home users.
A primary email address in Microsoft 365 is usually the email address a user was assigned when their account
was created. When the user sends email to someone else, their primary email address is what typically appears
in the From field in email apps. They can also have more than one email address associated with their Microsoft
365 for business account. These additional addresses are called aliases.
For example, let's say Jenna has the email address [email protected], but she also wants to receive email at
[email protected] because some people refer to her by that name. You can create aliases for her so that both
email addresses go to Jenna's inbox.
You can create up to 400 aliases for a user. No additional fees or licenses are required.
TIP
If you want multiple people to manage email sent to a single email address like [email protected] or
[email protected], create a shared mailbox. To learn more, see Create a shared mailbox.
IMPORTANT
If you get the error message "A parameter cannot be found that matches parameter name
'EmailAddresses ," it means that it's taking a bit longer to finish setting up your tenant, or your custom domain if
you recently added one. The setup process can take up to 4 hours to complete. Wait a while so the set up process
has time to finish, and then try again. If the problem persists, call Support and they will do a full sync for you.
IMPORTANT
If you purchased your subscription from GoDaddy or another Partner, to set the new alias as the primary, you
must go to the GoDaddy/partner management console.
IMPORTANT
If you get the error message This user is synchronized with your local Active Director y . Some details
can be edited only through your local Active Director y , It means that the Active Directory is authoritative
for attributes on synchronized users, you need to modify the attributes in your on-premises Active Directory.
TIP
The email alias must end with a domain from the drop-down list. To add another domain name to the list, see Add
a domain to Microsoft 365.
Did you get "A parameter cannot be found that matches parameter
name EmailAddresses"?
If you get the error message "A parameter cannot be found that matches parameter name
EmailAddresses " it means that it's taking a bit longer to finish setting up your tenant, or your custom domain
if you recently added one. The setup process can take up to 4 hours to complete. Wait a while so the set up
process has time to finish, and then try again. If the problem persists, call Support and they will do a full sync for
you.
Related content
Send email from a different address (article)
Change a user name and email address (article)
Configure email forwarding in Microsoft 365 (article)
Change your email address to use your custom
domain
2/9/2022 • 2 minutes to read • Edit Online
Check the Domains FAQ if you don't find what you're looking for.
Your initial email address in Microsoft 365 includes .onmicrosoft.com, like [email protected].
You can change it to a friendlier address like [email protected]. You'll need your own domain name, like
fourthcoffee.com first. If you already have one, great! If not, you can learn how to buy one from a domain
registrar.
Your initial email address in Office 365 operated by 21Vianet includes partner.onmschina.cn, like
[email protected]. You can change it to a friendlier address like [email protected].
You'll need your own domain name, like fourthcoffee.cn first. If you already have one, great! If not, you can learn
how to buy one from a domain registrar.
When you change your domain's email to come to Microsoft 365, by updating your domain's MX record during
setup, ALL email sent to that domain will start coming to Microsoft 365. Make sure you've added users and
created mailboxes in Microsoft 365 for everyone who has email on your domain BEFORE you change the MX
record. Don't want to move email for everyone on your domain to Microsoft 365? You can take steps to pilot
Microsoft 365 with just a few email addresses instead.
Change your email address to use your custom domain using the
Microsoft 365 admin center
You must be a global admin to perform these steps.
1. Go to the admin center at https://admin.microsoft.com.
1. Go to the admin center at https://portal.partner.microsoftonline.cn.
2. Go to the Setup > Domains page.
3. On the Domains page, select Add domain .
4. Follow the steps to confirm that you own your domain. You'll be guided to get everything set up correctly
with your domain in Microsoft 365.
5. Go to Users > Active users .
6. Select a user to edit their username and change it to the domain you just added.
NOTE
If you are not using an Exchange license, you cannot use the domain to send or receive emails from the Microsoft 365
tenant.
Related content
Buy a custom domain using Microsoft 365 (article)
Manage domains (link page)
Domains FAQ (article)
Migrate email and contacts to Microsoft 365
2/9/2022 • 2 minutes to read • Edit Online
Import or migrate email from Gmail or another email provider to Microsoft 365.
Want help with this? Contact Microsoft 365 for business support.
You need to use a version of Outlook that is installed on your desktop for this task. Outlook is included in most
Microsoft 365 plans.
Related content
Plan your setup of Microsoft 365 for business (article)
Install Office applications (link page)
[Overview of the Microsoft 365 admin center](Overview of the Microsoft 365 admin center](../admin-
overview/admin-center-overview.md) (video)
Create organization-wide signatures and disclaimers
2/9/2022 • 2 minutes to read • Edit Online
You can manage email signatures by adding an email signature, legal disclaimer, or disclosure statement to the
email messages that enter or leave your organization. You can set it up to apply to all incoming and outgoing
messages as shown below. Or you can apply it to certain messages like those containing specific words or text
patterns.
TIP
Learn more about applying conditions if you don't want the disclaimer applied to all messages. (This scoping
article is for Exchange Server, but it also applies to Microsoft 365.)
TIP
Learn more about formatting disclaimers. (This formatting article is for Exchange Server, but it also applies to
Microsoft 365.)
9. Select Select one and choose Wrap as a fallback option. Then OK . This means that if the disclaimer can't
be added because of encryption or another mail setting, it will be wrapped in a message envelope.
10. Leave Audit this rule with severity level selected. Then choose Low , Medium , or High to be used in
the message log.
11. Choose Enforce to turn on the disclaimer immediately, unless you want to test it first.
12. Choose More options to include additional conditions or exceptions.
13. Choose Save when finished.
More resources
For information about using PowerShell, see Organization-wide message disclaimers, signatures, footers, or
headers in Exchange Online.
Related content
Migrate email and contacts to Microsoft 365 (video)
User email settings (article)
[Overview of the Microsoft 365 admin center](Overview of the Microsoft 365 admin center](../admin-
overview/admin-center-overview.md) (video)
Create, edit, or delete a security group in the
Microsoft 365 admin center
2/9/2022 • 3 minutes to read • Edit Online
On the Microsoft 365 Groups page, you can create groups of user accounts that you can use to assign the same
permissions to in SharePoint Online and CRM Online. For example, an administrator can create a security group
to grant a certain group of people access to a SharePoint site. Only global and user management administrators
have permissions to create, edit, or delete security groups; for more information about administrator roles, see
Assigning admin roles.
There are also Groups in Exchange Online and SharePoint Online that you can use to send email or assign
permissions to a group of users, and Groups in Exchange Online and SharePoint Online that grant users rights
and access to sites and site collections.
IMPORTANT
Planning on using site mailboxes? All the users that are added to a SharePoint site via a security group rather than being
added individually can use only the site mailbox from SharePoint. These users won't be able to access the site mailbox
from Outlook. For more information, see Use Microsoft 365 Groups instead of Site Mailboxes.
Related content
Create a group in the Microsoft 365 admin center (article)
Explaining Microsoft 365 Groups to your users (article)
Manage a group in the Microsoft 365 admin center (article)
Configure email forwarding in Microsoft 365
2/9/2022 • 3 minutes to read • Edit Online
As the admin of an organization, you might have company requirements to set up email forwarding for a user's
mailbox. Email forwarding lets you forward email messages sent to a user's mailbox to another user's mailbox
inside or outside of your organization.
IMPORTANT
You can use outbound spam filter policies to control automatic forwarding to external recipients. For more information,
see Control automatic external email forwarding in Microsoft 365.
Related content
Create a shared mailbox (article)
Send email from a different address (article)
Change a user name and email address (article)
Control automatic external email forwarding in Microsoft 365 (article)
About shared mailboxes
2/9/2022 • 4 minutes to read • Edit Online
Shared mailboxes are used when multiple people need access to the same mailbox, such as a company
information or support email address, reception desk, or other function that might be shared by multiple
people.
Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the
administrator has given that user permissions to do that. This is particularly useful for help and support
mailboxes because users can send emails from "Contoso Support" or "Building A Reception Desk."
NOTE
To access a shared mailbox, a user must have an Exchange Online license, but the shared mailbox doesn't require a
separate license. Every shared mailbox has a corresponding user account. Notice how you weren't asked to provide a
password when you created the shared mailbox? The account has a password, but it's system-generated (unknown). You
shouldn't use the account to log in to the shared mailbox. Without a license, shared mailboxes are limited to 50 GB. To
increase the size limit to 100 GB, the shared mailbox must be assigned an Exchange Online Plan 2 license. The Exchange
Online Plan 1 license with an Exchange Online Archiving add-on license will only increase the size of the archive mailbox.
This will also let you enable auto-expanding archiving for additional archive storage capacity. Similarly, if you want to place
a shared mailbox on litigation hold, the shared mailbox must have an Exchange Online Plan 2 license or an Exchange
Online Plan 1 license with an Exchange Online Archiving add-on license. If you want to apply advanced features such as
Microsoft Defender for Office 365, Advanced eDiscovery, or automatic retention policies, the shared mailbox must be
licensed for those features.
Related content
Create a shared mailbox (article)
Configure a shared mailbox (article)
Convert a user mailbox to a shared mailbox (article)
Remove a license from a shared mailbox (article)
Resolve issues with shared mailboxes (article)
Create a shared mailbox
2/9/2022 • 6 minutes to read • Edit Online
NOTE
If your organization uses a hybrid Exchange environment, you should use the on-premises Exchange admin center to
create and manage shared mailboxes. See Create shared mailboxes in the Exchange admin center
If you're not sure if you should create a shared mailbox or a Microsoft 365 group for Outlook, see Compare groups for
some guidance. Note that currently, it's not possible to migrate a shared mailbox to a Microsoft 365 group. If this is
something you want, let us know by voting here.
It's easy to create shared mailboxes so a group of people can monitor and send email from a common email
addresses, like [email protected]. When a person in the group replies to a message sent to the shared mailbox,
the email appears to be from the shared mailbox, not from the individual user.
Shared mailboxes include a shared calendar. A lot of small businesses like to use the shared calendar as a place
for everyone to enter their appointments. For example, if you have 3 people who do customer visits, all can use
the shared calendar to enter the appointments. This is an easy way to keep everyone informed where people
are.
Before creating a shared mailbox, be sure to read About shared mailboxes for more information.
4. Select Save changes . It may take a few minutes before you can add members.
5. Under Next steps , select Add members to this mailbox . Members are the people who will be able to
view the incoming mail to this shared mailbox, and the outgoing replies.
6. Select the +Add members button. Put a check mark next to the people who you want to use this shared
mailbox, and then select Save .
7. Select Close .
You have a shared mailbox and it includes a shared calendar. Go on to the next step: Block sign-in for the shared
mailbox account.
NOTE
The Full Access permission allows a user to open the mailbox as well as create and modify items in it. The Send As
permission allows anyone other than the mailbox owner to send email from this shared mailbox. Both permissions
are required for successful shared mailbox operation.
3. Select the user to open their properties pane, and then select the Block this user icon .
NOTE
If the account is already blocked, Sign in blocked will appear at the top and the icon will read Unblock this
user .
4. In the Block this user? pane, select Block the user from signing in , and then select Save changes .
For instructions on how to block sign-in for accounts using Azure AD PowerShell (including many accounts at
the same time), see Block user accounts with Office 365 PowerShell.
NOTE
Shared mailbox can only be added to Outlook for iOS app or the Outlook for Android mobile app
Related content
About shared mailboxes (article)
Configure a shared mailbox (article)
Convert a user mailbox to a shared mailbox (article)
Remove a license from a shared mailbox (article)
Resolve issues with shared mailboxes (article)
Configure shared mailbox settings
2/9/2022 • 4 minutes to read • Edit Online
After you have created a shared mailbox, you'll want to configure some settings for the mailbox users, such as
email forwarding and automatic replies. Later, you might want to change other settings, such as the mailbox
name, members, or member permissions.
Choose the apps that a shared mailbox can use to access Microsoft
email
1. In the admin center, go to the Groups > Shared mailboxes page.
2. Select the shared mailbox you want to edit, then select Email apps > Edit .
3. Set the toggle to On for all of the apps you want members to be able to use to access the shared mailbox.
Set the toggle to Off for any apps you don't want them to use.
4. Select Save .
NOTE
Hiding a shared mailbox from address list will make it impossible for new shared mailbox members to add the hidden
mailbox to their Outlook profile until the shared mailbox is again shown in the address list.
Related content
About shared mailboxes (article)
Create a shared mailbox (article)
Convert a user mailbox to a shared mailbox (article)
Remove a license from a shared mailbox (article)
Resolve issues with shared mailboxes (article)
Convert a user mailbox to a shared mailbox
2/9/2022 • 4 minutes to read • Edit Online
When you convert a user's mailbox to a shared mailbox, all of the existing email and calendar is retained. Only
now it's in a shared mailbox where several people will be able to access it instead of one person. At a later date,
you can convert a shared mailbox back to a user (private) mailbox.
NOTE
It's not required to reset the user's password during mailbox conversion. However, if the password is not reset, the
original username and password continue to work after the mailbox conversion is finished.
For everything else you need to know about shared mailboxes, see About shared mailboxes and Create a shared
mailbox.
NOTE
Shared mailboxes don’t require a separate license. However, if you want to enable In-Place Archive or put an In-Place Hold
or a Litigation Hold on a shared mailbox, you must assign an Exchange Online Plan 1 with Exchange Online Archiving or
Exchange Online Plan 2 license to the mailbox.
Use the New Exchange admin center to convert a mailbox
1. Go to the Exchange admin center.
2. Select Recipients > Mailboxes .
3. Select the user mailbox. In the Mailbox tab, under More Actions , select Conver t to shared mailbox .
4. If the mailbox is smaller than 50 GB, you can remove the license from the user, and stop paying for it.
Don't delete the user's account. The shared mailbox needs it there as an anchor. If you are converting the
mailbox of an employee that is leaving your organization, you should take additional steps to make sure
that they cannot log in anymore. Please see Remove a former employee from Microsoft 365.
NOTE
It's not required to reset the user's password during mailbox conversion. However, if the password is not reset, the
original username and password continue to work after the mailbox conversion is finished.
For everything else you need to know about shared mailboxes, see About shared mailboxes and Create a shared
mailbox.
NOTE
Shared mailboxes don’t require a separate license. However, if you want to enable In-Place Archive or put an In-Place Hold
or a Litigation Hold on a shared mailbox, you must assign an Exchange Online Plan 1 with Exchange Online Archiving or
Exchange Online Plan 2 license to the mailbox.
NOTE
If you're a member of the Organization Management or Recipient Management role group, you can use the Exchange
Management Shell to change a user mailbox to a shared mailbox on-premises. For example,
Set-Mailbox -Identity [email protected] -Type Shared .
Related content
About shared mailboxes (article)
Create a shared mailbox (article)
Configure a shared mailbox (article)
Remove a license from a shared mailbox (article)
Resolve issues with shared mailboxes (article)
Remove a license from a shared mailbox
2/9/2022 • 2 minutes to read • Edit Online
Shared mailboxes usually don't require a license. Follow these instructions to remove a license from a shared
mailbox so that you can either assign it to a user or return the license so that you aren't paying for a license you
don't need.
NOTE
An Exchange Online Plan 2 license is required in the following scenarios:
The shared mailbox has more than 50 GB of storage in use.
The shared mailbox uses in-place archiving.
The shared mailbox is placed in litigation hold.
The shared mailbox has a Microsoft 365 Defender license assigned.
For step-by-step instructions on how to assign licenses, see Assign licenses to users.
NOTE
You need to remove the license from the Active users page. You can't remove the license from the Shared mailbox page
because licenses are user settings.
Related content
About shared mailboxes (article)
Create a shared mailbox (article)
Configure a shared mailbox (article)
Convert a user mailbox to a shared mailbox (article)
Resolve issues with shared mailboxes (article)
Resolve issues with shared mailboxes
2/9/2022 • 2 minutes to read • Edit Online
If you see error messages when creating or using a shared mailbox, try these possible solutions.
Related content
About shared mailboxes (article)
Create a shared mailbox (article)
Configure a shared mailbox (article)
Convert a user mailbox to a shared mailbox (article)
Remove a license from a shared mailbox (article)
Configure Focused Inbox for everyone in your
organization
2/9/2022 • 7 minutes to read • Edit Online
If you're responsible for configuring how email works for EVERYONE in a business this article is for you! It
explains how to customize it or turn it off for your business, and answers frequently asked questions.
If you would like to turn off Focused Inbox for just yourself, please see Turn off Focused Inbox.
If you want to be sure that your users receive business-specific email messages, for example, from HR or payroll,
you can configure Focused Inbox so these messages reach the Focused view. You can also control whether users
in your organization see the Focused Inbox in their mailbox.
Get-OrganizationConfig
6. Run the Get-OrganizationConfig cmdlet again and you'll see that FocusedInboxOn is set to $false,
which means it's been turned off.
To turn on Focused Inbox:
In Step 5 above, run the following cmdlet to turn Focused Inbox on.
If you're switching from Clutter to Focused Inbox, they can decide to enable it ("Try it") or dismiss the feature. If
the user has multiple (supported) clients, they can enable/disable Focused Inbox individually on each one. The
tip looks like this:
When a user decides to start using Focused Inbox, Clutter gets disabled automatically. The Clutter folder gets
converted into a standard folder, that allows the user to rename or delete it.
NOTE
The message header value text in this example is, X-MS-Exchange-Organization-BypassFocusedInbox.
Related content
Configure Clutter for your organization (article)
Configure shared mailbox settings (article)
Create signatures and disclaimers (video)
Add a user or contact to a distribution group
2/9/2022 • 2 minutes to read • Edit Online
As the admin of an organization, you may need to add one of your users or contacts to a distribution group (see
Create distribution groups in Microsoft 365. For example, you can add employees or external partners or
vendors to an email distribution group.
Next steps
Learn to send email as a distribution group in Microsoft 365.
Related content
Manage clutter for your organization (article)
Create a shared mailbox (article)
Configure Clutter for your organization
2/9/2022 • 2 minutes to read • Edit Online
TIP
Focused Inbox is going to replace Clutter. Learn more: Update on Focused Inbox and our plans for Clutter
As an admin, you may have to manage the Clutter feature in Microsoft 365. To turn the Clutter feature on/off for
users in your organization, you must use Exchange PowerShell. (Individuals can turn it on/off using these
instructions: Turn off/on Clutter in Outlook.
Check out Using PowerShell with Exchange Online and Connect to Exchange Online PowerShell for details on
using Exchange PowerShell. You need to have an account that has at least the Exchange Service administrator
role and the ability to connect to Exchange Online with PowerShell.
If you use PowerShell to bulk create your users, then you'll need to run Set-Clutter against each user's mailbox to
manage Clutter.
Related content
Use Clutter to sort low priority messages in Outlook (article)
Use Clutter to sort low priority messages in OWA (article)
Turn off Clutter in Outlook (article)
Add a domain to Microsoft 365
2/9/2022 • 4 minutes to read • Edit Online
Check the Domains FAQ if you don't find what you're looking for.
Add a domain
Follow these steps to add, set up, or continue setting up a domain.
1. Go to the admin center at https://admin.microsoft.com.
1. Go to the admin center at https://portal.partner.microsoftonline.cn.
2. Go to the Settings > Domains page.
3. Select Add domain .
4. Enter the name of the domain you want to add, then select Next .
5. Choose how you want to verify that you own the domain.
a. If your domain registrar uses Domain Connect, Microsoft will set up your records automatically by
having you sign in to your registrar and confirm the connection to Microsoft 365. You'll be returned to
the admin center and Microsoft will then automatically verify your domain.
b. You can use a TXT record to verify your domain. Select this and select Next to see instructions for how
to add this DNS record to your registrar's website. This can take up to 30 minutes to verify after you've
added the record.
c. You can add a text file to your domain's website. Select and download the .txt file from the setup
wizard, then upload the file to your website's top level folder. The path to the file should look similar to:
http://mydomain.com/ms39978200.txt . We'll confirm you own the domain by finding the file on your
website.
6. Choose how you want to make the DNS changes required for Microsoft to use your domain.
a. Choose Add the DNS records for me if your registrar supports Domain Connect, and Microsoft
will set up your records automatically by having you sign in to your registrar and confirm the
connection to Microsoft 365.
b. Choose I'll add the DNS records myself if you want to attach only specific Microsoft 365 services
to your domain or if you want to skip this for now and do this later. Choose this option if you
know exactly what you're doing.
7. If you chose to add DNS records yourself , select Next and you'll see a page with all the records that you
need to add to your registrars website to set up your domain.
If the portal doesn't recognize your registrar, you can follow these general instructions.
If you don't know the DNS hosting provider or domain registrar for your domain, see Find your domain
registrar or DNS hosting provider.
If you want to wait for later, either unselect all the services and click Continue , or in the previous domain
connection step choose More Options and select Skip this for now .
8. Select Finish - you're done!
NOTE
Make sure you disable any popup blockers in your browser before you start the setup wizard.
NOTE
You must be a Global admin or a Domain Name admin to add a domain. Creating an additional .onmicrosoft domain and
using it as your default will not do a rename for SharePoint Online. To make changes to your .onmicrosoft SharePoint
domain you would need to use the SharePoint domain rename preview (currently available to any tenant with less than
1,000 sites). If you're using Microsoft 365 mail services, removal of your initial .onmicrosoft domain is not supported.
Related content
Domains FAQ (article)
What is a domain? (article)
Buy a domain name in Microsoft 365 (article)
Add DNS records to connect your domain (article)
Change nameservers to set up Microsoft 365 with any domain registrar (article)
Buy a domain name
2/9/2022 • 2 minutes to read • Edit Online
NOTE
If your organization uses Office 365 operated by 21Vianet in China, see How to buy a domain for Office 365 operated by
21Vianet in China.
To Add, modify or remove domains you must be a Global Administrator of a business or enterprise plan.
These changes affect the whole tenant, Customized administrators or regular users won't be able to make these
changes.
Check the Domains FAQ if you don't find what you're looking for.
NOTE
When you select Buy domain , you may be redirected to your Microsoft partner's website if the tenant is
purchased/managed through a Microsoft partner.
Domain Privacy
We offer a free Domain Privacy Subscription with the purchase of a domain. This keeps your contact
information attached to the registration of your domain with ICANN private. Learn more.
Some domain registrars or DNS hosting providers do not allow creating all the DNS records required by
Microsoft 365. The following list of hosting providers supports all the needed records. If you're thinking of using
a different hosting provider, Service limitations when your hosting provider does not support SRV, CNAME, TXT,
or redirection.
After you register your domain (at a domain registrar), you sign in to Microsoft 365 as an admin and set up your
domain so you can use it with your email address and other services..
NOTE
The SharePoint Online Public Website information in this article only applies if your organization purchased Microsoft 365
prior to March 9, 2015.
Domain registrars that support all DNS records required for Microsoft 365
Oray
HiChina
east.net
BIZCN
Related content
Add a domain to Microsoft 365 (article)
Domains FAQ (article)
Update DNS records to keep your website with your current hosting provider (article)
Remove a domain
2/9/2022 • 3 minutes to read • Edit Online
Check the Domains FAQ if you don't find what you're looking for.
Are you removing your domain because you want to add it to a different Microsoft 365 subscription plan? Or do
you just want to cancel your subscription? You can change your plan or subscription or cancel your subscription.
Step 1: Move users to another domain
Move users
1. Go to the admin center.
1. Go to the admin center.
2. Select Users > Active users .
3. Select the boxes next to the names of all the users you want to move.
4. At the top of the page, and then choose Change domains .
5. In the Change domains pane, select a different domain.
You'll need to do this for yourself, too, if you're on the domain that you want to remove. When you edit the
domain for your account, you'll have to log out and log back in using the new domain you chose to continue.
Move yourself
1. Go to the admin center.
1. Go to the admin center.
2. Go to Users > Active Users , and select your account from the list.
3. On the Account tab, select Manage username , and then choose a different domain.
4. At the top, select your account name, then select Sign Out .
5. Sign in with the new domain and your same password.
You can also use PowerShell to move users to another domain. See Set-MsolUserPrincipalName for more
information. To set the default domain, use Set-MsolDomain.
Step 2: Move groups to another domain
1. In the admin center, go to the Groups > Groups page.
1. In the admin center, go to the Groups > Groups page.
2. Select the group name, and then on the General tab under Email address, Primar y , select Edit .
3. Use the drop-down list to choose another domain.
4. Select Save , then Close . Repeat this process for any groups or distribution lists associated with the
domain that you want to remove.
Step 3: Remove the old domain
1. In the admin center, go to the Settings > Domains page.
1. In the admin center, go to the Setup > Domains page.
2. On the Domains page, select the domain that you want to remove.
3. In the right pane, select Remove .
4. Follow any additional prompts, and then select Close .
Still not working? Your domain might need to be manually removed. Give us a call and we'll help you take care
of it!
NOTE
You can't remove the ".partner.onmschina.cn" domain from your account. When you remove a domain, user accounts will
revert back to the ".partner.onmschina.cn" address as the Primary SMTP/UserprincipalName.
Still not working? Your domain might need to be manually removed. Give us a call and we'll help you take care
of it!
Related content
Domains FAQ (article)
Switch to a different Microsoft 365 for business plan (article)
Cancel your subscription (article)
Transfer a domain from Microsoft to another host
2/9/2022 • 2 minutes to read • Edit Online
You can't transfer a Microsoft 365 domain to another registrar for 60 days after you purchase the domain from
Microsoft.
NOTE
A Whoisquery shows a Microsoft purchased domain registrar as Wild West Domains LLC. However, only Microsoft should
be contacted regarding your Microsoft 365 purchased domain.
Follow these steps to get a code at Microsoft 365, and then go to the other domain registrar website to set up
transferring your domain name to the new registrar.
Transfer a domain
1. In the admin center, go to Settings > Domains .
2. On the Domains page, select the Microsoft 365 domain that you want to transfer to another domain
registrar, and then select Check health .
3. At the top of the page, select Transfer domain .
4. On the Choose where to transfer your domain page, select A different registrar , and then click
Next .
5. On the Unlock domain transfer page, select Unlock transfer for < your domain > , and then select
Next .
6. Check your domain transfer contact information, and then select Next .
7. Copy the authorization code and wait about 30 minutes for your domain transfer status to change to
Unlocked for transfer on the Registration tab before you proceed with next steps.
8. Go to the website of the domain registrar you want to manage your domain name going forward. Follow
directions for transferring a domain (search for help on their website). This usually means paying transfer
fees and giving the Authcode to the new registrar so they can initiate the transfer. Microsoft will email
you to confirm we’ve received the transfer request, and the domain will transfer within 5 days.
You can find the authorization code Registration tab on the Domains page in Microsoft 365.
TIP
.uk domains require a different procedure. Contact Microsoft Support and request an IPS Tag change to match
the registrar you want to manage your domain going forward. Once the tag changes, the domain immediately
transfers to the new registrar. You will then need to work with the new registrar to complete the transfer, likely
paying transfer fees and adding the transferred domain to your account with your new registrar.
9. After the transfer is complete, you'll renew your domain at the new domain registrar.
10. To finish the process, go back to the Domains page in the admin center, and then select Complete
domain transfer . This will mark the domain as no longer purchased from Microsoft 365, and will
disable the domain subscription. It will not remove the domain from the tenant, and will not affect
existing users and mailboxes on the domain.
NOTE
Microsoft 365 purchased domains are not eligible for nameserver changes or transferring the domain between Microsoft
365 organizations. If either of these are required, the domain registration must be transferred to another registrar.
Pilot Microsoft 365 from my custom domain
2/9/2022 • 7 minutes to read • Edit Online
You can pilot Microsoft 365 with these requirements and limitations:
Your current email provider must provide email forwarding.
You must manage your Microsoft 365 DNS records at your DNS hosting provider, rather than have
Microsoft 365 manage these records for you.
To learn more, see Add DNS records to connect your domain.
Free/busy information for users on the other email server is not available.
Admins can't administer all user accounts from a single location.
Users might not be able to use Microsoft 365 spam filtering.
This is recommended for a very small number of users and only applies to the use of email for a pilot.
1. In the Exchange admin center navigation pane, select Protection , and then select Connection filter .
2. In the IP Allow list , select + , and add the mail server IP address for your current email provider.
Step 5: Create user accounts and set the primary reply-to address
1. In the Microsoft 365 admin center left navigation, select Users > Active users .
2. Create two test accounts by adding two existing users.
For each account, select + Add a user , and fill out the required information, including the password
method you want to test.
To ensure a user's email stays the same, the User name field must match the user's current email
address.
3. Choose the appropriate license, click Next , and then click Finish adding .
4. Next to User name , select your custom domain name from the drop-down list.
5. Select Create > Close .
Step 6: **Configure mail to flow from Microsoft 365 or Office 365 to Email server
There are two steps for this:
1. Configure your Microsoft 365 or Office 365 environment.
2. Set up a connector from Microsoft 365 or Office 365 to your email server.
1. Configure your Microsoft 365 or Office 365 environment
Make sure you have completed the following in Microsoft 365 or Office 365:
1. To set up connectors, you need permissions assigned before you can begin. To check what permissions
you need, see the Microsoft 365 and Office 365 connectors entry in the Feature permissions in Exchange
Online topic.
2. If you want EOP or Exchange Online to relay email from your email servers to the Internet, either:
Use a certificate configured with a subject name that matches an accepted domain in Microsoft 365 or
Office 365. We recommend that your certificate's common name or subject alternative name matches
the primary SMTP domain for your organization. For details, see Prerequisites for your on-premises
email environment.
-OR-
Make sure that all your organization sender domains and subdomains are configured as accepted
domains in Microsoft 365 or Office 365.
For more information about defining accepted domains, see Manage accepted domains in Exchange
Online and Enable mail flow for subdomains in Exchange Online.
3. Decide whether you want to use mail flow rules (also known as transport rules) or domain names to
deliver mail from Microsoft 365 or Office 365 to your email servers. Most businesses choose to deliver
mail for all accepted domains. For more information, see Scenario: Conditional mail routing in Exchange
Online.
NOTE
You can set up mail flow rules as described in Mail flow rule actions in Exchange Online. For example, you might want to
use mail flow rules with connectors if your mail is currently directed via distribution lists to multiple sites.
2. Set up a connector from Microsoft 365 or Office 365 to your email server
To create a connector in Microsoft 365 or Office 365, select Admin > Exchange to go to the Exchange admin
center. Next, select mail flow > Connectors .
Set up connectors using the wizard.
To start the wizard, click the plus symbol + . On the first screen, choose From Office 365 and To Your
Organization Mail server.
Click Next , and follow the instructions in the wizard. Click the Help or Learn More links if you need more
information. The wizard will guide you through setup. At the end, make sure your connector validates. If the
connector does not validate, double-click the message displayed to get more information, and see Validate
connectors for help resolving issues.
Step 7: Update DNS records at your DNS hosting provider
Sign in to your DNS hosting provider's website, and follow the instructions at Add DNS records to connect your
domain.
Make the following two exceptions:
Do not create a new MX record or change your existing MX record.
If you already have a Sender Policy Framework (SPF) record for your previous email provider, instead of
creating a new SPF (TXT) record for Exchange Online, add "include:spf.protection.outlook.com" to the
current TXT record.
For example, "v=spf1 mx include:adatum.com include:spf.protection.outlook.com ~all".
If you don't have an SPF record, modify the one recommended by Microsoft 365 to include the domain
for your current email provider, and add spf.protection.outlook.com. This authorizes outgoing messages
from both email systems.
Step 8: Set up email forwarding at your current provider
At your current email provider, set up forwarding for your users email accounts to your onmicrosoft.com
domain:
Forward User A mailbox to [email protected]
Forward User B mailbox to [email protected]
When you complete this step, all email sent to [email protected] and [email protected] is
available in Microsoft 365.
NOTE
Contact your current email provider for the exact steps to set up email forwarding.
You don't need to keep a copy of messages at the current email provider.
Most providers forward email by leaving the Reply-to address of the sender intact so that replies go to the original
sender.
Check the Domains FAQ if you don't find what you're looking for.
Follow these instructions to add and set up your domain in Microsoft 365 so your services like email and Teams
will use your own domain name. To do this, you'll verify your domain, and then change your domain's
nameservers to Microsoft 365 so the correct DNS records can be set up for you. Follow these steps if the
following statements describe your situation:
You have your own domain and want to set it up to work with Microsoft 365.
You want Microsoft 365 to manage your DNS records for you. (If you prefer, you can manage your own
DNS records.)
Before you use your domain with Microsoft 365, we have to make sure that you own it. Your ability to log in to
your account at your domain registrar and create the DNS record proves to Microsoft 365 that you own the
domain.
NOTE
This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you
like.
Find the area on your DNS hosting provider's website where you can create a new record
1. Sign in to your DNS hosting provider's website.
2. Choose your domain.
3. Find the page where you can edit DNS records for your domain.
Create the record
Depending on whether you are creating a TXT record or an MX record, do one of the following:
If you create a TXT record, use these values:
REC O RD T Y P E A L IA S O R H O ST N A M E VA L UE TTL
REC O RD T Y P E A L IA S O R H O ST N A M E VA L UE TTL
TXT Do one of the following: MS=ms XXXXXXXX Set this value to 1 hour or
Type @ or leave the field Note: This is an to the equivalent in minutes
empty or type your domain example. Use your ( 60 ), seconds ( 3600 ),
name. specific Destination etc.
Note : Different DNS or Points to Address
hosts have different value here, from the
requirements for this table in Microsoft 365.
field. How do I find this?
A L IA S O R H O ST
REC O RD T Y P E NAME VA L UE P RIO RIT Y TTL
NOTE
Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change
you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after
adding DNS records, see Troubleshoot issues after changing your domain name or DNS records.
TIP
It's best to add all four records, but if your registrar only supports two, add ns1.bdm.microsoftonline.com and
ns2.bdm.microsoftonline.com .
When you change your domain's NS records to point to the Microsoft 365 nameservers, all the services that are
currently associated with your domain are affected. If you skipped any steps of the wizard, such as adding email
addresses, or if you're using your domain for blogs, shopping carts, or other services, there are additional steps
that are required. Otherwise this change could result in service downtime, such as lack of email access or your
current website being inaccessible.
1. Find the area on the domain registrar's website where you can edit the nameservers for your domain.
2. Create two nameserver records, or edit the existing nameserver records to match the following values:
First nameserver: ns1.dns.partner.microsoftonline.cn
Second nameserver: ns2.dns.partner.microsoftonline.cn
TIP
You should use at least two nameserver records. If there are any other nameservers listed, you can either delete
them, or change them to ns3.dns.par tner.microsoftonline.cn and ns4.dns.par tner.microsoftonline.cn .
When you change your domain's NS records to point to the Office 365 operated by 21Vianet nameservers, all
the services that are currently associated with your domain are affected. If you skipped any steps of the wizard,
such as adding email addresses, or if you're using your domain for blogs, shopping carts, or other services,
there are additional steps that are required. Otherwise this change could result in service downtime, such as lack
of email access or your current website being inaccessible.
For example, here are some additional steps that might be required for email and website hosting:
Move all email addresses that use your domain to Microsoft 365 before you change your NS records.
Want to add a domain that's currently used with a website address, like https://www.fourthcoffee.com ?
You can take below steps while you add the domain to keep its website hosted where the site is hosted
now so people can still get to the website after you change the domain's NS records to point to Microsoft
365.
1. In the admin center, go to the Settings > Domains page.
2. On the Domains page, select a domain.
3. On the domain details page, select the DNS records tab.
4. Select Add record .
5. In the Add a custom DNS record pane, from the Type dropdown list, select A (Address) .
6. In the Host name or Alias box, type @ .
7. In the IP Address box, type the static IP address for the website where it's currently hosted. For example,
172.16.140.1.
IMPORTANT
This must be a static IP address for the website, not a dynamic IP address. To make sure you can get a static IP
address for your public website, check with the site that hosts your website.
8. If you want to change the TTL setting for the record, select a new length of time from the TTL dropdown
list. Otherwise, continue to step 9.
9. Select Save .
In addition, you can create a CNAME record to help customers find your website.
1. Select Add record .
2. In the Add a custom DNS record pane, from the Type dropdown list, select CNAME (Alias) .
3. In the Host name or Alias box, type www .
4. In the Points to address box, type the fully qualified domain name (FQDN) for your website. For example,
contoso.5om .
5. If you want to change the TTL setting for the record, select a new length of time from the TTL dropdown list.
Otherwise, continue to step 6.
6. Select Save .
After the nameserver records are updated to point to Microsoft, your domain setup is complete. Email is routed
to Microsoft, and traffic to your website address continues to go to your current website host.`
NOTE
Your nameserver record updates may take up to several hours to update across the Internet's DNS system. Then your
Microsoft email and other services will be all set to work with your domain.
Related content
Add DNS records to connect your domain (article)
Find and fix issues after adding your domain or DNS records (article)
Manage domains (link page)
Add DNS records to connect your domain
2/9/2022 • 6 minutes to read • Edit Online
If you purchased a domain from a third-party hosting provider, you can connect it to Microsoft 365 by updating
the DNS records in your registrar’s account.
At the end of these steps, your domain will stay registered with the host that you purchased the domain from,
but Microsoft 365 can use it for your email addresses (like [email protected]) and other services.
If you don't add a domain, people in your organization will use the onmicrosoft.com domain for their email
addresses until you do. It's important to add your domain before you add users, so you don't have to set them
up twice.
Check the Domains FAQ if you don't find what you're looking for below.
If your hosting provider doesn't allow setting this field to @ , leave it blank. Use this approach only when your
hosting provider has separate fields for the Service and Protocol values. Otherwise, see the Service and Protocol
notes below.
Se r v i c e a n d P r o t o c o l
If your hosting provider doesn't provide these fields for SRV records, you must specify the Ser vice and
Protocol values in the record's Name field. (Note: Depending on your hosting provider, the Name field might
be called something else, like: Host , Hostname , or Subdomain .) To add these values, you create a single string,
separating the values with a dot.
Example: _sip._tls
P r i o r i t y, W e i g h t , a n d P o r t
If your hosting provider doesn't provide these fields for SRV records, you must specify them in the record's
Target field. (Note: Depending on your hosting provider, the Target field might be called something else, like:
Content , IP Address , or Target Host .)
To add these values, create a single string, separating the values with spaces and sometimes ending with a dot
(check with your provider if you are unsure). The values must be included in this order: Priority, Weight, Port,
Target.
Example 1: 100 1 443 sipdir.online.lync.com.
Example 2: 100 1 443 sipdir.online.lync.com
Related content
Change nameservers to set up Microsoft 365 with any domain registrar (article)
Find and fix issues after adding your domain or DNS records (article)
Manage domains (link page)
Find and fix issues after adding your domain or
DNS records
2/9/2022 • 3 minutes to read • Edit Online
Check the Domains FAQ if you don't find what you're looking for.
Getting your domain set up to work with Microsoft 365 can be challenging. The DNS system is nitpicky to work
with, and the DNS setup for your domain affects important business activities, like email!
NOTE
You can check for problems with your domain by checking its status. Go to Setup > Domains and view the notifications
in the Status column. If you see an issue, select the three dots (more actions), and then choose Check health . The pane
that opens will describe any issues occurring with your domain.
Everyone's email got switched to Microsoft 365 and you only wanted
YOUR email to switch?
When you add your domain to Microsoft 365, typically your domain's MX record is updated (by you or
Microsoft 365) to point to Microsoft 365, and ALL email sent to that domain will start coming to Microsoft 365.
Make sure you've created mailboxes in Microsoft 365 for everyone who has email on your domain BEFORE you
change the MX record.
What if you don't want to move email for everyone on your domain to Microsoft 365? You can take steps to
pilot Microsoft 365 with just a few email addresses instead.
TIP
Got your DNS set up correctly, but mail doesn't work in Outlook on your desktop? Check out the different mail flow
scenarios you can have with Microsoft 365 to make sure you've got things set up correctly for your business. Or get more
troubleshooting help with email here: Fix Outlook problems.
Related content
Troubleshoot: Audit data on verified domain change (article)
Domains FAQ (article)
Microsoft 365 Reports in the admin center
2/9/2022 • 4 minutes to read • Edit Online
You can easily see how people in your business are using Microsoft 365 services. For example, you can identify
who is using a service a lot and reaching quotas, or who may not need a Microsoft 365 license at all. Perpetual
license model will not be included in the reports.
Reports are available for the last 7 days, 30 days, 90 days, and 180 days. Data won't exist for all reporting
periods right away. The reports become available within 48 hours.
O F F IC E 365
O P ERAT ED B Y
REP O RT P UB L IC GC C GC C - H IGH DO D 21VIA N ET
[^1]: The report is in plan to be released in the future. The Microsoft 365 Roadmap will be updated before the
release. [^2]: The service is not available in the environment so no plan to release the report.
If you want to unhide user-level information when you're generating your reports, a global administrator can
quickly make that change in the admin center.
Reports provide information about your organization’s usage data. By default, reports display information with
identifiable names for users, groups, and sites. Starting September 1, 2021, we are hiding user information by
default for all reports as part of our ongoing commitment to help companies support their local privacy laws.
Global administrators can revert this change for their tenant and show identifiable user information if their
organization's privacy practices allow it. It can be achieved in the Microsoft 365 admin center by following these
steps:
1. In the admin center, go to the Settings > Org Settings > Ser vices page.
2. Select Repor ts .
3. Uncheck the statement Display concealed user, group, and site names in all repor ts , and then
save your changes.
It'll take a few minutes for these changes to take effect on the reports in the reports dashboard. This setting also
applies to the Microsoft 365 usage reports in Microsoft Graph and Power BI and the usage reports in Microsoft
Teams Admin center. Showing identifiable user information is a logged event in the Microsoft 365 compliance
center audit log.
Productivity Score supports the journey to digital transformation with insights about how your organization
uses Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and
technology experience measurements and can be compared to benchmarks from organizations similar in size to
yours.
It provides:
Metrics to help you see where you are on your digital transformation journey.
Insights about the data to help you identify opportunities to improve productivity and satisfaction in your
organization.
Recommended actions you can take to help your organization use Microsoft 365 products efficiently.
We provide metrics, insights, and recommendations in two areas:
People experiences: Quantifies how the organization works using Microsoft 365 categories like content
collaboration, mobility, communication, meetings, and teamwork.
For each of the mentioned categories, we look at public research to identify some best practices and
associated benefits in the form of organizational effectiveness. For example, Forrester research has
shown that when people collaborate and share content in the cloud (instead of emailing attachments),
they can save up to 100 minutes a week. Furthermore, we quantify the use of these best practices in your
organization to help you see where you are on your digital transformation journey.
Technology experiences: Your organization depends on reliable and well-performing technology, as
well as the efficient use of Microsoft 365. Endpoint analytics helps you understand how your organization
can be impacted by performance and health issues with your hardware and software. Microsoft 365 apps
health helps you understand whether the devices in your organization are running Microsoft 365 apps on
recommended channels.
NOTE
A license to Workplace Analytics is not required to get the Productivity Score features.
Productivity Score is only available in the Microsoft 365 admin center and can only be accessed by IT
professionals who have one of the following roles:
Global admin
Exchange admins
SharePoint admin
Skype for Business admin
Teams admin
Global Reader
Reports Reader
Usage Summary Reports Reader
NOTE
Only an IT professional with the Global Administrator role can sign up or opt in a tenant for Productivity Score.
The role-based access control model for Productivity Score helps organizations further digital transformation
efforts with Microsoft 365 by providing the flexibility to assign roles to IT professionals within an organization.
Microsoft is committed to protecting individual privacy. This privacy document explains the controls we provide
you, as your organization's IT administrator, to ensure that the information is actionable while not compromising
the trust you place in Microsoft.
You can access the experience from Microsoft 365 Admin home under Repor ts > Productivity Score .
NOTE
Microsoft uses internal data to determine the industry that an organization maps to. Tenants under a parent organization
get mapped to the same industry as the parent organization. Organizations cannot view or modify industry mappings.
The endpoint analytics peer benchmark includes targets for device startup performance and recommended
software configuration based on aggregated median values across all tenants.
For network connectivity, the recommended benchmark is 80 points.
The Score breakdown section provides a breakdown of your Productivity Score with benchmarks by people
and technology experience areas.
Score history displays how your score in each category has changed in the past six months.
The People experiences and Technology experiences areas contain the primary insights for the categories
in those areas. You can select each category to see deeper insights.
NOTE
Users also have the option to get productivity insights from the MyAnalytics dashboard.
Related content
Monitor Microsoft 365 activity by using reports (article)
Enable Microsoft 365 usage analytics (article)
[Overview of the Microsoft 365 admin center](Overview of the Microsoft 365 admin center](../admin-
overview/admin-center-overview.md) (video)
Content collaboration – People experiences
2/9/2022 • 10 minutes to read • Edit Online
Productivity Score provides insights into your organization's digital transformation journey through its use of
Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and
technology experience measurements and can be compared to benchmarks from organizations similar to yours.
The content collaboration category is part of the people experiences measurements. To learn more, check out
the Productivity Score overview and read Microsoft's Privacy Statement.
Prerequisites
To get started with Content collaboration insights, people in your organization need to be licensed for:
OneDrive for Business
SharePoint
Exchange Online
For more information, see assign licenses to users.
After people have been active in the above products at least once in the last 28 days, you will start to see the
insights.
NOTE
On April 22, 2021, we changed how the collaborators metric is calculated. This affects the primary insight, the file
collaboration insight, and the way the content collaboration score is measured. This change helps reduce noise in the data
from non-human agents (or bots) from Microsoft and other third-party applications, resulting in a more accurate and
actionable score.
Primary insight
Microsoft OneDrive for Business and SharePoint help people to easily create, read, and discover their individual
and shared content in Microsoft 365 from across devices and applications. They also allow people to securely
share and collaborate on content. The primary insight contains information from everyone who can use
OneDrive for Business and SharePoint. Additionally it breaks down the details about how many people read,
create, and collaborate on content stored in OneDrive for Business and SharePoint.
Types considered for this information include Word, Excel, PowerPoint, OneNote, and PDF files.
1. Header : Shows the percentage of people in your org who have access to OneDrive or SharePoint who
are collaborating on content.
2. Body: Provides more information on how the behaviors of reading and creating files online are linked to
collaborating on files.
3. Visualization (current state):
Horizontal bars where the blue-colored portions represent the percentage of people enabled for
file collaboration through OneDrive or SharePoint who have been readers, creators, or
collaborators on online files in the last 28 days.
They're defined as follows:
Readers: People who access or download online files in OneDrive or SharePoint.
Creators: People who create, modify, upload, sync, check in, copy, or move online OneDrive or
SharePoint files.
Collaborators: People who collaborate with online files by using OneDrive or SharePoint. Two
people are collaborators if one of them reads or edits an online Office app or PDF after the other
person has created or modified it, within a 28-day window.
NOTE
The files considered in the visualization are Word, Excel, PowerPoint, OneNote, or PDF files that are online
and saved to OneDrive or SharePoint.
Scoring framework
The content collaboration score for your organization measures at an aggregate (organization) level whether
people are consistently reading, creating, or collaborating on online Office files such as Word, Excel, PowerPoint,
OneNote, or PDFs, or in OneDrive or SharePoint.
Scores are not provided at the individual user level.
Related content
Microsoft 365 apps health – Technology experiences (article)
Communication – People experiences (article)
Meetings – People experiences (article)
Mobility – People experiences (article)
Privacy controls for Productivity Score (article)
Teamwork – People experiences (article)
Communication – People experiences
2/9/2022 • 7 minutes to read • Edit Online
Productivity Score supports the journey to digital transformation with insights about how your organization
uses Microsoft 365 and the technology experiences that support it. Your organization’s score reflects people and
technology experience measurements and can be compared to benchmarks from organizations similar in size to
yours. The communication category is part of the people experiences measures. To learn more, check out the
Productivity Score overview and read Microsoft's Privacy Statement.
Prerequisites
To get started with Communication insights, people in your organization need to be licensed for:
Microsoft Teams
Yammer
Exchange Online
For more information, see assign licenses to users.
After people have been active in the above products at least once in the last 28 days, you will start to see the
insights.
Scoring model
The communication score for your organization measures at an aggregate (organization) level whether people
are consistently communicating using multiple modes among email, chat, and community posts over a 28-day
window.
Scores are not provided at the individual user level.
Related content
Microsoft 365 apps health – Technology experiences (article)
Content collaboration – People experiences (article)
Meetings – People experiences (article)
Mobility – People experiences (article)
Privacy controls for Productivity Score (article)
Teamwork – People experiences (article)
Mobility – People experiences
2/9/2022 • 6 minutes to read • Edit Online
Productivity Score provides insights into your organization's digital transformation journey through its use of
Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and
technology experience measurements and can be compared to benchmarks from organizations similar to yours.
The mobility category is part of the people experiences measures. To learn more, check out the Productivity
Score overview and read Microsoft's Privacy Statement.
Prerequisites
To get started with Mobility insights, people in your organization need to be licensed for:
Microsoft Teams
Exchange Online
Word
Excel
PowerPoint
OneNote
For more information, see assign licenses to users.
After people have been active in the above products at least once in the last 28 days, you will start to see the
insights.
This chart shows the trend-line, where the numerator is the number of people who have used apps, over the last
180 days. Each data point on the line chart is an aggregate of activity for the last 28 days. Each data point
provides a count of all people in your org using an application across at least two platforms in the last 28 days
for each date on the x-axis.
Scoring framework
The mobility score for your organization measures at an organization (aggregate) level whether people are
using Microsoft 365 Apps - Outlook, Teams, Word, Excel, PowerPoint, OneNote, Yammer, and Skype - across the
different platforms - desktop, web, and mobile.
The scores are not provided at the individual user level.
Explore how your org works across platforms and locations
We also provide you with information that helps you gain visibility into how people in your organization work
across platforms. These additional metrics do not directly contribute to your Productivity Score, but help you
create an action plan as part of your digital transformation.
Use of Outlook across platforms
1. Header : Shows the percentage of people active on Outlook who are using Outlook on multiple platforms.
2. Body: Provides information about the value of using Outlook on mobile devices to help stay connected from
anywhere on email.
3. Visualization: Shows the percentage of people who are active on Outlook and are using either one or more
than one platform:
Multiple platforms:
Numerator: The number of people who have used Outlook on at least two platforms from
desktop, mobile, or web in the last 28 days.
Denominator: The number of people who have used Outlook at least once in the last 28 days.
Desktop only:
Numerator: The number of people who have used Outlook on only a desktop platform in the
last 28 days.
Denominator: The number of people who have used Outlook at least once in the last 28 days
Web only:
Numerator: The number of people who have used Outlook on only a web platform in the last
28 days.
Denominator: The number of people who have used Outlook at least once in the last 28 days.
Mobile only:
Numerator: Number of people who have used Outlook on only a mobile platform in the last 28
days.
*Denominator: Number of people who have used Outlook at least once in the last 28 days.
Use of Teams across platforms
1. Header : Shows what percentage of people who are active on Microsoft Teams are using it on multiple
platforms.
2. Body: Provides information about the value of using Teams on mobile devices to help people stay up to date
on messages while working from any location.
3. Visualization: Shows the percentage of people active on Microsoft Teams who are using it on either a single
platform, or multiple ones:
Multiple platforms:
Numerator: The number of people who have used Teams in the last 28 days on 2 or more of
the following platforms: desktop, mobile, or web.
Denominator: The number of people who have used Microsoft Teams at least once in the last
28 days.
Desktop only:
Numerator: The number of people who have used Microsoft Teams only on a desktop platform
in the last 28 days
Denominator: The number of people who have used Teams at least once in the last 28 days
Web only:
Numerator: The number of people who have used Microsoft Teams only on a web platform in
the last 28 days
Denominator: The number of people who have used Microsoft Teams at least once in the last
28 days
Mobile only:
Numerator: The number of people who have used Microsoft Teams only on a mobile platform
in the last 28 days
Denominator: The number of people who have used Teams at least once in the last 28 days
Use of Microsoft 365 Apps across platforms
1. Header : Shows the percentage of people active on Microsoft 365 Apps (Word, Excel, PowerPoint, and
OneNote) on multiple platforms.
2. Body: Provides information about the value of providing people in your organization the flexibility to access
their files from anywhere.
3. Visualization: The grouped vertical is meant to represent the number of people who are using each of the
apps considered–Word, Excel, PowerPoint, and OneNote — across single or multiple platforms. For each of
these applications, bars represent the following:
Multiple platforms: The number of users active on an app across at least two platforms in the last
28 days.
Desktop only: The number of users active on app on only the desktop platform in the last 28 days.
Web only: The number of users active on app on only the web platform in the last 28 days.
Mobile only: The number of users active on app on only mobile platform in the last 28 days.
Remote work
1. Header : Shows the percentage of people working only from home or location outside of their company's
network.
2. Body: Highlights the importance of facilitating remote work for people without access to your organization's
physical offices.
3. Visualization: Shows trend-line for daily percentage of people who only work remotely as well as daily
percentage of people who also work onsite. Users are considered onsite if they perform at least three hours
of activity in Microsoft 365 Apps in a day.
Related content
Microsoft 365 apps health – Technology experiences (article)
Communication – People experiences (article)
Content collaboration – People experiences (article)
Meetings – People experiences (article)
Privacy controls for Productivity Score (article)
Teamwork – People experiences (article)
Teamwork – People experiences
2/9/2022 • 8 minutes to read • Edit Online
Productivity Score provides insights into your organization's digital transformation journey through its use of
Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and
technology experience measurements and can be compared to benchmarks from organizations similar to yours.
The teamwork category is part of the measurements that falls under people experiences. To learn more, check
out the Productivity Score overview and read Microsoft's Privacy Statement.
Prerequisites
To get started with teamwork insights, people in your organization need to be licensed for:
Microsoft Teams
SharePoint
Exchange Online
For more information, see assign licenses to users.
After people have been active in the above products at least once in the last 28 days, you will start to see the
insights.
1. Header : Shows a detailed breakdown across the different types of teamwork being measured.
2. Body: Provides information on the value of working in shared workspaces to help teams be more effective.
3. Visualization: The visualization shows the extent to which people who are communicating or interacting
with content are doing so in shared workspaces, as follows:
Sending email : The colored portion and the fraction represent the percentage of people sending
email to group mailboxes. The fraction is comprised of:
Numerator: People sending emails to group mailboxes in the last 28 days.
Denominator: People sending emails in the last 28 days. This is the same group of people who
are marked as sending email in the primary insight of communication productivity score.
Sending messages : The colored portion and the fraction represent the percentage of people
sending messages in channels in Microsoft Teams. The fraction is comprised of:
Numerator: People sending channel messages within the last 28 days.
Denominator: People sending chat or channel messages in the last 28 days. This is the same
group of people who are marked as sending messages in Microsoft Teams in the primary
insight of the communication category in Productivity Score.
Creating content : The colored portion and the fraction represent the percentage of people reading
or creating content on Microsoft 365 SharePoint team sites.
Numerator: Number of people reading or creating content on Microsoft 365 group connected
team sites.
Denominator: Number of people with access to SharePoint, who read or created content of any
kind in OneDrive or SharePoint sites in the last 28 days.
4. View related content: Select this link to view help content.
Breakdown of workspace engagement by size and age
1. Header : Shows the categorization of engagement in workspaces, broken out by size for the number of
members in the workspace, and the workspace age in months.
2. Body: Provides information about the value of encouraging people in your organization to keep only the
workspaces that are needed to promote more effective teamwork.
3. Visualization: The engagement breakdown is shown in the form of a heat-map across two dimensions.
Size of workspace: Workspaces are broken down into three categories based on the number of
members: 2-10 people, 11-100 people, and over 100 people. The "All" category includes all size
categories.
Age of workspace: Workspaces are categorized by the number of months since the workspace
was first created. The "All" category includes all age categories.
Each cell in the chart has a number and color based on the percentage of engaged workspaces
that belong in that category. The workspace categories are based on the age and size shown in the
intersection of that cell. For example, if the cell at the intersection of 11-100 people and 4-12
months has a value of 52%, it means that 52% of the workspaces with 11-100 members that are
between 4-12 months old, have some form of engagement. The percentage is calculated as:
Numerator : Workspaces that have engagement in the form of communication (email and
channel messages) or content interaction in the last 28 days
Denominator : all workspaces that are available in your org for the last 28 days
4. View related content: Select this link to view help content.
Breakdown of workspaces by level of engagement
1. Header : Provides a breakdown of workspaces broken out by level of engagement, using group email,
channel messages, and content interaction.
2. Body: Provides information on the value of consistent engagement in the shared workspaces to help make
them more effective at teamwork.
3. Visualization: Provides a view of the workspaces in your organization based on the intensity of
engagement per week. The view includes distributions for different activity types measured within
teamwork, in addition to any engagement, which covers the following categories:
Group email: Percent of workspaces that have no days/1 day/2-3 days/4+ days of group email
activity per week over the last 28 days.
Channel messages: Percent of workspaces that have no days/1 day/2-3 days/4+ days of channel
messages per week over the last 28 days.
Content reading or creation: Percent of workspaces that have no days/1 day/2-3 days/4+ days of
reading or creating content per week over the last 28 days.
4. View related content: Select this link to view help content.
Use of teams within Microsoft Teams
1. Header : Shows the number of shared workspaces that have a Microsoft Teams team associated with
them.
2. Body: Provides information about the value of having a Microsoft Teams team attached to the shared
workspaces, to help make people associated with them more effective at teamwork.
3. Visualization: The colored part of the donut chart reflects the percentage of workspaces that have a
Microsoft Teams team attached to them. The percentage is calculated as follows:
Numerator: The number of shared workspaces in your organization that had a Microsoft Teams
team associated with them in the last 28 days
Denominator: The number of shared workspaces in your org in the last 28 days
The number in the center of the donut chart represents the total number of shared workspaces
that have a Microsoft Teams team associated with them.
4. View related content: Select this link to view help content.
Related content
Microsoft 365 apps health – Technology experiences (article)
Communication – People experiences (article)
Content collaboration – People experiences (article)
Meetings – People experiences (article)
Mobility – People experiences (article)
Privacy controls for Productivity Score (article)
Meetings – People experiences
2/9/2022 • 7 minutes to read • Edit Online
Productivity Score provides insights into your organization's digital transformation journey through its use of
Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and
technology experience measurements and can be compared to benchmarks from organizations similar to yours.
The meetings category is part of the people experiences measures. To learn more, check out the Productivity
Score overview and read Microsoft's Privacy Statement.
Prerequisites
To get started with Meetings insights, people in your organization need to be licensed for:
Microsoft Teams
For more information, see assign licenses to users.
After people have been active in Teams at least once in the last 28 days, you will start to see the insights.
1. Header : Shows the percentage of online meetings on Microsoft Teams held in the past 28 days that had
video or screen sharing during the meeting.
2. Body: Provides more information on how following best practices for engagement during a meeting,
such as use of video or screen sharing, can make meetings more effective.
3. Visualization (current state):
In this horizontal bar chart, the blue (colored) portion represents the percentage shown in the header
The fraction (numerator/denominator) is used for calculating the percentage shown in the header
Numerator: The number of online Microsoft Teams meetings including people from your
organization who have used video or screen sharing.
Denominator: The number of online Microsoft Teams meetings including people from your
organization that were held in the last 28 days.
The peer benchmark value of the key metric is also shown as a percentage.
4. Link to resources: Select this link to view help content.
Trend visualization of the primary insight
The following chart shows the trend-lines of both the numerator and the denominator of the key metric from
the primary insight. In other words, it shows the number of online Microsoft Teams meetings with best practices,
such as video or screen sharing, and the total number of online Microsoft Teams meetings held over the last 180
days. Each data point on the line chart is an aggregate of activity for the last 28 days.
Scoring framework
The meetings score for your organization measures the degree to which online Microsoft Teams meetings in
your organization followed best practices in the last 28 days. It is weighted based on the number of people in
your org attending the meetings and the meetings' duration.
NOTE
the scheduled meetings include all meetings that appeared on people's calendars. The instant meetings include
calls, including both 1:1 and group calls, as well as meetings started using the "Meet now" feature in Microsoft
Teams channels.
Related content
Microsoft 365 apps health – Technology experiences (article)
Communication – People experiences (article)
Content collaboration – People experiences (article)
Mobility – People experiences (article)
Privacy controls for Productivity Score (article)
Teamwork – People experiences (article)
Microsoft 365 Apps health – technology experiences
2/9/2022 • 4 minutes to read • Edit Online
Productivity Score provides insights into your organization's digital transformation journey through its use of
Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and
technology experience measurements and can be compared to benchmarks from organizations similar to yours.
The apps health category is part of the measurements that falls under technology experiences. To learn more,
check out the Productivity Score overview and read Microsoft's Privacy Statement.
Information considered for this include Microsoft 365 apps channel, build, and version that is running on the
device.
1. Header : Shows percentage of devices on recommended update channel
2. Body: Provides more information on how running the devices on recommended update channel will help
getting latest update and running current versions on devices.
3. Visualization (current state):
Horizontal bars where the blue-colored portions represent the percentage of devices running
recommended updated channel.
Highlight the (numerator/denominator) of the fraction used to calculate the percentage expressed in
horizontal bars.
Peer Benchmark value for devices running on recommended updated channel is also shown as a
percentage.
Trend visualization of the primary insight
The following chart shows the number of devices in the recommended update channel over the last 180 days.
The data point on the line chart is an aggregate of activity for the last 28 days.
Scoring framework
The Microsoft 365 apps health score measures whether devices are running Microsoft 365 apps on
recommended channel and on latest versions.
1. Header : Highlights the percentage of devices on the Current Channel are running supported versions of
Microsoft 365 Apps
2. Body: Provides information about the value of devices running Microsoft 365 apps on recommended
channel.
3. Visualization: The breakdown in the visualization represents the extent to what percentage of devices on
latest and supported versions of Microsoft 365 apps across different channel), as follows:
Suppor ted versions: The blue bar represents the percentage of devices running on supported
version of Microsoft 365 apps.
Latest releases: The teal color bar represents percentage of devices on latest releases.
4. Learn more: Select this link to view help content.
Devices running latest and supported versions
1. Header : Highlights the percentage of devices running supported versions and devices running the most
recent versions.
2. Body: Provides information about the value running devices on recommended channels and
supported/latest versions.
3. Visualization: The breakdown in the visualization is meant to represent the extent to show how many
devices running supported versions and most recent versions of Microsoft 365 apps):
Suppor ted versions: The blue (colored) portion of the bar and the fraction
(numerator/denominator) on the bar represents the percentage of devices running supported version
of Microsoft 365 apps.
Numerator: The number of devices on supported versions of Microsoft 365 apps within the last
28 days
Denominator: The number of devices using Microsoft 365 apps within the last 28 days
Most recent versions: The teal (colored) portion of the bar and the fraction
(numerator/denominator) on the bar represents the percentage of devices running recent versions of
Microsoft 365 apps.
Numerator: The number of devices on recent versions of Microsoft 365 apps within the last 28
days
Denominator: The number of devices using Microsoft 365 apps within the last 28 days
4. Learn more: Select this link to view help content.
Trend visualization of the devices
This chart shows the trend-line of the devices running supported versions and latest versions of Microsoft 365
apps over the last 180 days.
Related content
Communication – People experiences (article)
Content collaboration – People experiences (article)
Meetings – People experiences (article)
Mobility – People experiences (article)
Privacy controls for Productivity Score (article)
Teamwork – People experiences (article)
Change your organization's address, technical
contact, and more
2/9/2022 • 3 minutes to read • Edit Online
You can make changes to your organization profile, such as your organization name, address, phone, and
technical contact. You must be a global admin to update this information.
To change the address associated with your bill or subscription, see Change your billing addresses for Microsoft
365 for business.
Name The name entered here is what users will see on the
following pages:
Sign-in page: If your users have set up other Microsoft
accounts with their business or school email address, they
may see the organization name on the sign-in page. This
helps them distinguish between their work or school account
and their other accounts, so they can identify which one to
use when they sign in.
Organization profile link and page: The link to your
organization's profile displays the organization name.
Yammer navigation: In Yammer, the left navigation uses the
organization name as the name of the home Yammer
network.
OneDrive sync client: The organization name is shown in File
Explorer on Windows and Finder on Mac, the file paths, the
OneDrive activity center, the tooltip of the OneDrive cloud
icon, and the OneDrive settings window. Currently, updating
the organization name does not update it for configured
clients.
MS Teams: Organization Switcher in Teams displays the
organization Name
Address, City, State/Province, Postal code The address entered here is what you will see on your bill,
under Sold To: The Sold To address on your bill is the same
as your organization address on your profile page (see
Understand your bill or invoice for Microsoft 365 for
business.
Phone This is the primary number for your company. It's usually the
number of your company headquarters.
Technical contact This is the email address for the primary technical person
who administers your Microsoft 365 subscription. This is the
person who will receive communications about Microsoft
365 service status.
Preferred language The preferred language determines the language for all
communications that are sent from Microsoft to your
organization. When you sign up, this setting determines the
language used by SharePoint Online, which your users see
on your team site. If you change the language preference
setting after you sign up, all future communications are sent
in the most recent language selected.
NOTE: The language used by SharePoint Online can't be
changed.
Related content
Send email from a different address (article)
Change a user name and email address (article)
Configure email forwarding in Microsoft 365 (article)
Update your admin phone number and email
address
2/9/2022 • 2 minutes to read • Edit Online
This article explains how you, the admin, can change your business phone and email address in Microsoft 365.
If you're looking for how to change your company's profile information, such as company name and address,
company phone number, and technical contact information, see Change your organization's address, technical
contact email, and other information.
For more information about changing user contact information or removing former employees, see Related
content.
IMPORTANT
The alternate email address and the mobile phone number are needed for resetting your admin password (not
your computer admin password).
Related content
Change a user name and email address (video)
Add a new employee (video)
Remove a former employee (video)
Access and back up a former user's data (article)
Add custom tiles to the app launcher
2/9/2022 • 2 minutes to read • Edit Online
In Microsoft 365, you can quickly and easily get to your email, calendars, documents, and apps using the App
launcher (learn more). These are apps you get with Microsoft 365 as well as custom apps that you add from the
SharePoint Store or Azure AD.
You can add your own custom tiles to the app launcher that point to SharePoint sites, external sites, legacy apps,
and more. The custom tile appears under the app launcher's All apps, but you can pin it to the Home apps and
instruct your users to do the same. This makes it easy to find the relevant sites, apps, and resources to do your
job. In the below example, a custom tile called "Contoso Portal" is used to access an organization's SharePoint
intranet site.
TIP
If you're creating a tile for a SharePoint site, navigate to that site, copy the URL, and paste it here. The URL of your
default team site looks like this: https://<company_name>.sharepoint.com
6. Enter a URL of the image for the tile. The image appears on the My apps page and app launcher.
TIP
The image should be 60x60 pixels and be available to everyone in your organization without requiring
authentication.
7. Enter a Description for the tile. You see this when you select the tile on the My apps page and select App
details .
8. Select Save changes to create the custom tile.
Your custom tile will appear within the next 24 hours in the app launcher on the All tab for you and your
users.
NOTE
If you don't see the custom tile created in the previous steps, make sure you have an Exchange Online mailbox
assigned to you and you've signed into your mailbox at least once. These steps are required for custom tiles in
Microsoft 365.
Next steps
To customize the look and feel of Microsoft 365 to match your organization's brand, see Customize the
Microsoft 365 theme.
Related content
Pin apps to your users' app launcher (article)
Upgrade your Microsoft 365 for business users to the latest Office client (article)
Manage add-ins in the admin center (article)
Pin apps to your users' app launcher
2/9/2022 • 2 minutes to read • Edit Online
You can use controls in the Azure Active Directory portal to pin up to three apps to Office.com and the app
launcher for all the users in your organization. You can also organize groups of applications. Any app you add
can later be unpinned by the user at any time. To pin an app for your users, you must be a Cloud application
administrator, or Application administrator in Azure Active Directory, or a Global administrator in Office 365. For
more information about admin roles, see Azure AD built-in roles and admin roles in Microsoft 365.
For more information about the app launcher and Office.com, see meet the app launcher and updates to
office.com and the-Office 365 app launcher blog article.
NOTE
The user interface will indicate if you need need to purchase additional Azure AD licenses to use this feature. For more
information see Azure Active Directory pricing.
1. In Azure Active Director y , choose Enterprise applications > New application on the top of the All
applications page.
2. On the Add an application page, choose Non-galler y application or Create your own application if
you are in the preview version of Azure Active Directory.
3. Type a name for the application and then assign user in the Users and groups tab.
4. Use the Proper ties tab to upload an icon for the app.
5. To assign a URL to the app, in the Single sign-on tab, choose Linked and then enter a URL.
6. Choose Save .
Upgrade steps
The steps below will guide you through the process of upgrading your users to the latest Office desktop client.
We recommend you read through these steps before beginning the upgrade process.
TIP
If you have users in your organization running older versions of Windows on their PCs or laptops, we recommend
upgrading to Windows 10. Windows 7 has reached end of support. Read Support for Windows 7 ends in January 2020
for more info.
Check out the Windows 10 system requirements to see if you can upgrade their operating systems.
Check application compatibility
To ensure a successful upgrade, we recommend identifying your Office applications--including VBA scripts,
macros, third-party add-ins, and complex documents and spreadsheets--and assessing their compatibility with
the latest version of Office.
For example, if you're using third-party add-ins with your current Office install, contact the manufacture to make
sure they're compatible with the latest version of Office.
TIP
If you run into issues while uninstalling Office, you can use the Microsoft Support and Recovery Assistant tool to help you
remove Office: Download and run the Microsoft Support and Recovery Assistant.
TIP
If you don't want your users installing Office themselves, see Manage software download settings in Office 365. You can
use the Office Deployment Tool to download the Office software to your local network and then deploy Office by using
the software deployment method you typically use.
Test and deploy Microsoft 365 Apps by partners in
the Integrated apps portal
2/9/2022 • 18 minutes to read • Edit Online
The Microsoft 365 admin center gives you the flexibility to deploy single store apps, custom business line of
apps and Microsoft 365 partner apps from a single location. The location can be accessed in the Microsoft
Admin center settings, in Integrated apps. The ability to find, test, and fully deploy purchased and licensed apps
by Microsoft partners from the Integrated apps portal provides the convenience and benefits your organization
requires to keep business services updated regularly and running efficiently.
For additional information about purchasing and licensing Microsoft 365 apps from partners for your
organization, see Manage and deploy Microsoft 365 Apps from the Microsoft 365 admin center.
For more info on how partners create these apps, see How to plan a SaaS offer for the commercial marketplace
The Integrated apps portal is only accessible to global admins and available to world-wide customers only. This
feature is not available in sovereign and government clouds.
The Integrated apps portal displays a list of apps, which includes single apps and Microsoft 365 apps from
partners which are deployed your organization. Only web apps, SPFx apps, Office add-ins and Teams apps are
listed. For web apps, you can see two kinds of apps.
SaaS apps that are available in appsource.microsoft.com, and can be deployed by admins giving consent on
behalf of the organization.
SAML gallery apps that are linked with office add-ins.
NOTE
If an app was previously deployed from somewhere other than the Integrated Apps portal, the Deployment Type is
Custom.
Unsupported scenarios
You won't be able to deploy a single store app or Microsoft 365 Apps by partner from Integrated apps portal for
the following scenarios.
The same add-in is linked to more than one SaaS offer.
The SaaS offer is linked to add-ins, but it does not integrate with Microsoft Graph and no AAD App ID is
provided.
The SaaS offer is linked to add-ins, but AAD App ID provided for Microsoft Graph integration is shared across
multiple SaaS offers.
NOTE
MSI versions of Outlook show admin-installed add-ins in the appropriate Outlook ribbon, not the "My add-ins"
section.
Version 15.0.4937.1000 or later of Office Professional Plus 2013 (MSI) or Office Standard 2013 (MSI).
Version 16.0.9318.1000 or later of Office 2016 for Mac.
Version 2.75.0 or later of Outlook mobile for iOS.
Version 2.2.145 or later of Outlook mobile for Android.
Exchange Online requirements
Microsoft Exchange stores the add-in manifests within your organization's tenant. The admin deploying add-ins
and the users receiving those add-ins must be on a version of Exchange Online that supports OAuth
authentication.
Check with your organization's Exchange admin to find out which configuration is in use. OAuth connectivity per
user can be verified by using theTest-OAuthConnectivityPowerShell cmdlet.
User and group assignments
The deployment of add-in is currently supported to the majority of groups supported by Azure Active Directory,
including Microsoft 365 groups, distribution lists, and security groups. Deployment supports users in top-level
groups or groups without parent groups, but not users in nested groups or groups that have parent groups.
NOTE
Non-mail enabled security groups are not currently supported.
In the following example, Sandra, Sheila, and the Sales Department group are assigned to an add-in. Because
the West Coast Sales Department is a nested group, Bert and Fred aren't assigned to an add-in.
Find out if a group contains nested groups
The easiest way to detect if a group contains nested groups is to view the group contact card within Outlook. If
you enter the group name within theTo field of an email and then select the group name when it resolves, it will
show you if it contains users or nested groups. In the example below, theMembers tab of the Outlook contact
card for the Test Group shows no users and only two sub groups.
You can do the opposite query by resolving the group to see if it's a member of any group. In the example
below, you can see under theMembership tab of the Outlook contact card that Sub Group 1 is a member of the
Test Group.
Note that you can use the Azure Active Directory Graph API to run queries to find the list of groups within a
group. For more information, seeOperations on groups | Graph API reference.
NOTE
Users might need to relaunch Office to view the add-in icon on the app ribbon. Outlook add-ins can take up to 24 hours
to appear on app ribbons.
It's good practice to inform users and groups that the deployed add-in is available. Consider sending an email
that describes when and how to use the add-in. Include or link to help content or FAQs that might help users if
they have problems with the add-in.
NOTE
For Word, Excel and PowerPoint use aSharePoint App Catalogto deploy add-ins to users in an on-premises environment
with no connection to Microsoft 365 and/or support for SharePoint add-ins required. For Outlook use Exchange control
panel to deploy in an on-premises environment without a connection to Microsoft 365.
Add-in states
An add-in can be in either theOn orOff state.
Active Admin uploaded the add-in and Users and groups assigned to the add-
assigned it to users or groups. in see it in the relevant clients.
Turned off Admin turned off the add-in. Users and groups assigned to the add-
in no longer have access to it.
If the add-in state is changed to
Active, the users and groups will have
access to it again.
Deleted Admin deleted the add-in. Users and groups assigned the add-in
no longer have access to it.
Consider deleting an add-in if no one is using it anymore. For example, turning off an add-in might make sense
if an add-in is used only during specific times of the year.
Delete an add-in
You can also delete an add-in that was deployed.
1. In the admin center, select Settings , then select Integrated apps .
2. Select any row to display the management pane.
3. Select the Configuration tab.
4. Select the add-in that you want to delete and then select Remove .
NOTE
If the add-in has been deployed by another admin, then the Remove button will be disabled. Only the admin who has
deployed the app or a global admin can delete the add-in.
Centralized Deployment is the recommended and most feature-rich way for most customers to deploy Office
add-ins to users and groups within your organization. If you're an admin, use this guidance to determine if your
organization and users meet the requirements so that you can use Centralized Deployment.
Centralized Deployment provides the following benefits:
An admin can deploy and assign an add-in directly to a user, to multiple users via a group, or to everyone
in the organization (see Admin requirement section for information).
When the relevant Office application starts, the add-in automatically downloads. If the add-in supports
add-in commands, the add-in automatically appears in the ribbon within the Office application.
Add-ins no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed
from Azure Active Directory or from a group that the add-in is assigned to.
Centralized Deployment supports three desktop platforms Windows, Mac and Online Office apps. Centralized
Deployment also supports iOS and Android (Outlook Mobile Add-ins Only).
It can take up to 24 hours for an add-in to show up for client for all users.
NOTE
An Exchange admin can deploy an add-in only if the App Registrations property is set to true in Azure Active Directory
admin center as shown in the following image:
Import-Module O365CompatibilityChecker
Invoke-CompatibilityCheck
NOTE
Depending on the number of users in your tenant, the checker could complete in minutes or hours.
When the tool finishes running, it produces an output file in comma-separated (.csv) format. The file is saved to
the current working director y by default. The output file contains the following information:
User Name
User ID (User's email address)
Centralized Deployment ready - If the remaining items are true
Office plan - The plan of Office they are licensed for
Office Activated - If they have activated Office
Supported Mailbox - If they are on an OAuth-enabled mailbox
NOTE
Multifactor authentication is not supported when using the Central Deployment PowerShell module. The module only
works with Basic authentication.
NOTE
Non-mail enabled security groups are not currently supported.
Centralized Deployment supports assignments to individual users, groups, and everyone in the tenant.
Centralized Deployment supports users in top-level groups or groups without parent groups, but not users in
nested groups or groups that have parent groups.
Take a look at the following example where Sandra, Sheila, and the Sales Department group are assigned to an
add-in. Because the West Coast Sales Department is a nested group, Bert and Fred aren't assigned to an add-in.
Find out if a group contains nested groups
The easiest way to detect if a group contains nested groups is to view the group contact card within Outlook. If
you enter the group name within the To field of an email and then select the group name when it resolves, it will
show you if it contains users or nested groups. In the example below, the Members tab of the Outlook contact
card for the Test Group shows no users and only two sub groups.
You can do the opposite query by resolving the group to see if it's a member of any group. In the example
below, you can see under the Membership tab of the Outlook contact card that Sub Group 1 is a member of
the Test Group.
Alternately, you can use the Azure Active Directory Graph API to run queries to find the list of groups within a
group. For more information, see Operations on groups | Graph API reference.
Contacting Microsoft for support
If you or your users encounter problems loading the add-in while using Office apps for the web (Word, Excel,
etc.), which were centrally deployed, you may need to contact Microsoft support (learn how. Provide the
following information about your Microsoft 365 environment in the support ticket.
P L AT F O RM DEB UG IN F O RM AT IO N
Related content
Deploy add-ins in the admin center (article)
Manage add-ins in the admin center (article)
Centralized Deployment FAQ (article)
Upgrade your Microsoft 365 for business users to the latest Office client (article)
Deploy add-ins in the admin center
2/9/2022 • 6 minutes to read • Edit Online
Office add-ins help you personalize your documents and streamline the way you access information on the web
(see Start using your Office Add-in). As an admin, you can deploy Office add-ins for the users in your
organization by using the Centralized Deployment feature in the Microsoft 365 admin center. Centralized
Deployment is the recommended and most feature-rich way for most admins to deploy add-ins to users and
groups within an organization.
For more information on how to determine if your organization can support Centralized Deployment, see
Determine if Centralized Deployment of add-ins works for your organization.
To learn more about managing add-ins after deployment, see Manage add-ins in the admin center
NOTE
For Word, Excel and PowerPoint use a SharePoint App Catalog to deploy add-ins to users in an on-premises environment
with no connection to Microsoft 365 and/or support for SharePoint add-ins required. For Outlook use Exchange control
panel to deploy in an on-premises environment without a connection to Microsoft 365.
NOTE
You can also deploy add-ins in the admin center through Integrated Apps. Integrated Apps is visible to Global and
Exchange administrators. If you don't see the above steps, go to the Centralized Deployment section by going to
Settings > Integrated apps . On the top of the Integrated apps page, choose Add-ins .
NOTE
With the Office Store option, updates and enhancements are automatically deployed to users.
5. On the next page, select Ever yone , Specific users/groups , or Just me to specify who the add-in is
deployed to. Use the Search box to find specific users or groups.
NOTE
To learn about other states that apply to an add-in, see Add-in states.
6. Select Deploy .
7. A green tick appears when the add-in is deployed. Follow the on-page instructions to test the add-in.
NOTE
Users might need to relaunch Office to view the add-in icon on the app ribbon. Outlook add-ins can take up to
24 hours to appear on app ribbons.
8. When finished, select Next . If you've deployed to just yourself, you can select Change who has access
to add-in to deploy to more users.
If you've deployed the add-in to other members of your organization, follow the instructions to announce
the deployment of the add-in.
It's good practice to inform users and groups that the deployed add-in is available. Consider sending an
email that describes when and how to use the add-in. Include or link to Help content or FAQs that might
help users if they have problems with the add-in.
Considerations when assigning an add-in to users and groups
Global admins and Exchange admins can assign an add-in to everyone or to specific users and groups. Each
option has implications:
Ever yone This option assigns the add-in to every user in the organization. Use this option sparingly and
only for add-ins that are truly universal to your organization.
Users If you assign an add-in to an individual user, and then deploy the add-in to a new user, you must
first add the new user.
Groups If you assign an add-in to a group, users who are added to the group are automatically assigned
the add-in. When a user is removed from a group, the user loses access to the add-in. In either case, no
additional action is required from the admin.
Just me If you assign an add-in to just yourself, the add-in is assigned to only your account, which is
ideal for testing the add-in.
The right option for your organization depends on your configuration. However, we recommend making
assignments by using groups. As an admin, you might find it easier to manage add-ins by using groups and
controlling the membership of those groups rather than assigning individual users each time. In some
situations, you might want to restrict access to a small set of users by making assignments to specific users by
assigning users manually.
NOTE
Admin does not need to remove a LOB Add-in for doing an update. In the Add-ins section, Admin can simply click
on the LOB Add-in and choose the Update Button in the bottom right corner. Update will work only if the
version of the new add-in is greater than that of the existing add-in.
Office Store add-in: When an admin selected an add-in from the Office Store, if an add-in updates in
the Office Store, the add-in will update later in Centralized Deployment. The next time the relevant Office
applications start, the add-in will update. The web application can change at any time.
Related content
Manage add-ins in the admin center (article)
Build your first Word task pane add-in (article
Minors and acquiring add-ins from the store (article)
Use Centralized Deployment PowerShell cmdlets to manage add-ins (article)
Troubleshoot: User not seeing add-ins (article)
Manage add-ins in the admin center
2/9/2022 • 3 minutes to read • Edit Online
Office add-ins help you personalize your documents and streamline the way you access information on the web.
See Start using your Office add-in.
After an admin deploys add-ins for users in an organization, the admin can turn add-ins off or on, edit, delete,
and manage access to the add-ins.
For more information about installing add-ins from the admin center, see Deploy add-ins in the admin center.
Add-in states
An add-in can be in either the On or Off state.
Active Admin uploaded the add-in and Users and groups assigned to the add-
assigned it to users or groups. in see it in the relevant clients.
Turned off Admin turned off the add-in. Users and groups assigned to the add-
in no longer have access to it.
If the add-in state is changed to
Active, the users and groups will have
access to it again.
Deleted Admin deleted the add-in. Users and groups assigned the add-in
no longer have access to it.
Consider deleting an add-in if no one is using it anymore. For example, turning off an add-in might make sense
if an add-in is used only during specific times of the year.
Delete an add-in
You can also delete an add-in that was deployed.
1. In the admin center, go to the Settings > Integrated apps page.
2. Select the deployed add-in and then select the Configuration tab.
3. In the Configuration pane, go to Advanced Settings > Add-ins .
4. Select the add-in from the list again.
5. Choose Remove Add-In . Remove the Add-in button on the bottom right corner.
6. Validate your selections, and choose Remove .
Prevent add-in downloads by turning off the Office Store across all
clients (Except Outlook)
NOTE
Outlook add-in installation is managed by a different process.
As an organization you may wish to prevent the download of new Office add-ins from the Office Store. This can
be used in conjunction with Centralized Deployment to ensure that only organization-approved add-ins are
deployed to users within your organization.
To turn off add-in acquisition
1. In the admin center, go to the Settings > Org settings page.
2. Select User owned apps and ser vices .
3. Clear the option to let users access the Office store.
This will prevent all users from acquiring the following add-ins from the store.
Add-ins for Word, Excel, and PowerPoint 2016 from:
Windows
Mac
Office
Acquisitions starting within AppSource
Add-ins within Microsoft 365
A user who tries to access the store will see the following message: Sorr y, Microsoft 365 has been
configured to prevent individual acquisition of Office Store add-ins.
Support for turning off the Office Store is available in the following versions:
Windows: 16.0.9001 - Currently available.
Mac: 16.10.18011401 - Currently available.
iOS: 2.9.18010804 - Currently available.
The web - Currently available.
This does not prevent an administrator from using Centralized Deployment to assign an add-in from the Office
Store.
NOTE
Add-ins such as Visio Data Visualizer, Bing Maps, and People Graph will still show up in the ribbon, even if an admin has
disabled the Store. To remove these links, administrators must disable the Store through Group Policy Object (GPO).
To prevent a user from signing in with a Microsoft account, you can restrict logon to use only the organizational
account. For more information, see Identity, authentication, and authorization in Office 2016.
NOTE
Preventing users from accessing the office store will also prevent them from Sideloading Office Add-ins for testing from a
network share.
If the deployed add-in doesn't support add-in commands or if you want to view all deployed add-ins, you can
view them via My Add-ins .
In Word 2016, Excel 2016, or PowerPoint 2016
1. Select Inser t > My Add-ins .
2. Select the Admin Managed tab in the Office Add-ins window.
3. Double-click the add-in you deployed earlier (in this example, Citations ).
In Outlook
1. On the Home ribbon, select Get Add-ins .
Related content
Minors and acquiring add-ins from the Microsoft Store
Manage Industry news
2/9/2022 • 3 minutes to read • Edit Online
NOTE
Bing news & Industry updates are available only for en-US at this time.
To provide your users with up-to-date news headlines about your industry and info from your organization, use
the News service to enable a customized news feed for your organization. You can also enable a daily Industry
Updates email, and manage settings for the Bing homepage and Microsoft Edge new tab page.
They can also see company, industry, and internal news or personalized work information on their Microsoft
Edge new tab page.
News settings
As an admin, you control the News feed settings for your organization, including the selected industry and the
Bing homepage, the Microsoft Edge new tab page (Starting with the release of Edge 87), and the email
experiences.
1. In the Microsoft 365 admin center, go to Settings > Org settings > Ser vices > News .
2. In the News panel, click the General tab.
3. In the Industr y list, select your organization's industries. This determines the general news that appears
in your organization news feed. Microsoft may pre-select an industry using information from your
account. You can remove or add industries by updating the Industr y list.
4. In the Topics field, enter topics that you want see news articles about. Your users can't change these
topics.
5. You can block articles containing keywords in the Exclude content field. For example, to avoid articles
containing the keyword “bake” from showing up in the news feed, add the keyword “bake” in the
Exclude content field. Avoid including general terms (the, it, and, etc.); they can block relevant content
from appearing in your enterprise news feeds.
6. Select Save . It may take up to 24 hours for changes to appear.
Related content
Microsoft Search
Manage your data and service
Manage Office Scripts settings
2/9/2022 • 3 minutes to read • Edit Online
Office Scripts allows users to automate tasks by recording, editing, and running scripts in Excel on the web.
Office Scripts works with Power Automate, and users run scripts on workbooks by using the Excel Online
(Business) connector. Microsoft 365 admins can manage Office Scripts settings from the Microsoft 365 admin
center.
NOTE
If you later turn off script sharing for your organization, users will still be able to run previously-shared scripts.
6. Specify which users with access to Office Scripts can share their scripts:
To allow all users with access to Office Scripts to share their scripts, leave Ever yone (the default)
selected.
To allow only members of a specific group with access to Office Scripts to share their scripts, select
Specific group , and then enter the name or email alias of the group to add it to the allow list. You
may add only one group to the allow list, and it must be one of the following types:
Microsoft 365 group
Distribution group
Security group
Mail-enabled security group
To learn more about the different types of groups, see Compare groups.
7. To allow users to run their Office Scripts inside Power Automate flows, select Let users with access to
Office Scripts run their scripts with Power Automate . This allows users to add flow steps with the
Excel Online (Business) Connector's Run script option.
To allow all users with access to Office Scripts to use their scripts in flows, leave Ever yone (the
default) selected.
To allow only members of a specific group with access to Office Scripts to use their scripts in flows,
select Specific group , and then enter the name or email alias of the group to add it to the allow
list. You may add only one group to the allow list, and it must be one of the following types:
Microsoft 365 group
Distribution group
Security group
Mail-enabled security group
To learn more about the different types of groups, see Compare groups.
To learn more about using Office Scripts with Power Automate, see Run Office Scripts with Power
Automate.
8. Select Save .
It can take up to 48 hours for changes to Office Scripts settings to take effect.
Next steps
Because Office Scripts works with Power Automate, we recommend that you review your existing data loss
prevention (DLP) policies to ensure your organization's data remains protected while users use Office Scripts.
For more information, see Data loss prevention (DLP) policies.
Related content
Office Scripts technical documentation (link page)
Introduction to Office Scripts in Excel (article)
Sharing Office Scripts in Excel for the Web (article)
Record, edit, and create Office Scripts in Excel on the web (article)
Find your partner or reseller
2/9/2022 • 2 minutes to read • Edit Online
As an admin, you can work with a partner to purchase, activate, and renew Microsoft 365 subscriptions through
a Microsoft Open Volume Licensing program.
Not sure if Open Volume Licensing is for you? Check out the Microsoft Open Programs overview.
Find contact information for a partner you've worked with in the past
NOTE
In some cases, you can find information in the Microsoft 365 admin center for partners you've worked with in the past.
Keep in mind that this information may be out of date. As a best practice, we recommend contacting the person or
department responsible for purchasing in your organization to find out which partner you should work with.
More resources
Microsoft Volume Licensing Service Center training and resources
For Microsoft par tners
Help for partners
Set up the Standard or Targeted release options
2/9/2022 • 4 minutes to read • Edit Online
IMPORTANT
The Microsoft 365 updates described in this article apply to Microsoft 365, SharePoint Online, and Exchange Online.
These release options are targeted, best effort ways to release changes to Microsoft 365 but cannot be guaranteed at all
times or for all updates. They do not apply to Microsoft 365 Apps, Skype for Business, Microsoft Teams, and related
services. For information about release options for Microsoft 365 Apps, see Overview of update channels for Microsoft
365 Apps.
With Microsoft 365, you receive new product updates and features as they become available instead of doing
costly updates every few years. You can manage how your organization receives these updates. For example,
you can sign up for an early release so that your organization receives updates first. You can designate that only
certain individuals receive the updates. Or, you can remain on the default release schedule and receive the
updates later. This article explains the different release options and how you can use them for your organization.
For significant updates, customers are initially notified by the Microsoft 365 Roadmap. As an update gets closer
to rolling out, it is communicated through your Microsoft 365 Message center.
NOTE
You need a Microsoft 365 or Azure AD account to access your Message center through the admin center. Microsoft 365
home plan users do not have an admin center.
Standard release
This is the default option where you and your users receive the latest updates when they're released broadly to
all customers.
A good practice is to leave the majority of users in Standard release and IT Pros and power users in Targeted
release to evaluate new features and prepare teams to support business users and executives.
NOTE
If you switch from targeted release back to standard release track, your users may lose access to features that haven't
reached standard release yet.
Targeted release
With this option, you and your users can be the first to see the latest updates and help shape the product by
providing early feedback. You can choose to have individuals or the entire organization receive updates early.
IMPORTANT
Large or complex updates may take longer than others so that no users are adversely affected. There is no guarantee
on the exact timeline of a release.
Targeted release is not currently available for customers with either the Office 365 GCC plan or the Office 365 GCC
High and DoD plan.
IMPORTANT
It can take up to 24 hours for the below changes to take effect in Microsoft 365. If you opt out of targeted release after
enabling it, your users may lose access to features that haven't reached the scheduled release yet.
1. In the admin center, go to the Settings > Org Setting , and under the Organization profile tab, choose
Release preferences .
2. To disable targeted release, select Standard release , then select Save changes .
3. To enable targeted release for all users in your organization, select Targeted release for ever yone ,
then select Save changes .
4. To enable targeted release for some people in your organization, select Targeted release for selected
users , then select Save changes .
5. Choose Select users to add users one at a time, or Upload users to add them in bulk.
6. When you're done adding users, select Save changes .
Next steps
Discover how to manage messages in your Microsoft 365 Message center to get notifications about upcoming
Microsoft 365 updates and releases.
Related content
Join the Office Insider Program (article)
Manage which Office features appear in What's
New
2/9/2022 • 2 minutes to read • Edit Online
When an important Office feature is released, users will get a message about it when they choose Help >
What's New in their Office app on Windows.
You can control which of these feature messages your users are shown by using the What's new in Office
feature in the Microsoft 365 admin center. If you decide to hide a feature message to your users, you can always
come back later and decide to show it to them.
NOTE
Hiding a feature message from your users doesn't disable the feature in the Office app.
You must be assigned either the Global admin role or the Office apps admin role to use the What's new in Office
feature.
NOTE
If a feature is available in multiple Office apps, setting the feature to Hidden hides the feature message in all of those
Office apps.
All feature messages are shown to users by default. This is the default status for all features, and the status only
changes if you have chosen to hide or show a feature message.
You can also get to the What's new in Office feature from the Microsoft 365 Apps admin center
(https://config.office.com). The feature is found under Customization > What's New Management .
List of features
You can filter which features appear on the Manage which Office features appear in What's New page.
You can filter by channel, application, or status, or by some combination of them.
New features appear on the page based on the following schedule:
C H A N N EL DAT E TA K E A C T IO N
Monthly Enterprise First of the month Two weeks before the major release
that brings new features
Semi-Annual Enterprise (Preview) Sept 1 and March 1 2 weeks before the major release that
brings new features
Semi-Annual Enterprise Jan 1 and July 1 2 weeks before the major release that
brings new features
For more information about when new versions are released to each update channel, see Update history for
Microsoft 365 Apps (listed by date).
Add the "What's new in Office" card to the admin center home page
1. On the Microsoft 365 admin page, choose Add card on top of the page
2. Locate Manage which Office features appear in What's New in the list and choose it.
3. Once the card is on your home page, you can choose What's new in Office to show or hide the features for
your organization.
Related articles
Office What's New management is now generally available
Microsoft 365 usage analytics
2/9/2022 • 11 minutes to read • Edit Online
Use Microsoft 365 usage analytics within Power BI to gain insights on how your organization is adopting the
various services within Microsoft 365. You can visualize and analyze Microsoft 365 usage data, create custom
reports and share the insights within your organization. You can also gain insights into how specific regions or
departments are using Microsoft 365.
Microsoft 365 usage analytics gives you access to a pre-built dashboard that provides a cross-product view of
the last 12 months and contains a number of pre-built reports. Each report provides you with specific usage
insights. User-specific information is available for the last full calendar month.
The data model that powers the template app includes user attributes from Active Directory, enabling the ability
to pivot in certain reports. The following Active Directory attributes are included: location, department, and
organization.
See Enable Microsoft 365 usage analytics to start collecting data.
Microsoft 365 usage analytics contains a number of reports detailed in the following sections.
You can access detailed reports for each area by selecting the data tables. You can view all pre-built reports by
selecting the tabs at the bottom of the site. For more detailed instructions, read Navigating and utilizing the
reports and Customizing the reports.
Executive summary
The executive summary is a high-level, at-a-glance view of Microsoft 365 for Business adoption, usage, mobility,
communication, collaboration, and storage reports, and is meant for business decision makers. It provides a
view into how some individual services are being used, based on all the users who have been enabled and those
who are active. All values of the month shown on the report refer to the latest complete month.
This summary lets you quickly understand usage patterns in Office and how and where your employees are
collaborating.
Overview
The Microsoft 365 overview report contains the following reports. You can view them by choosing the tab on
top of the report page. All values of the month shown on the top section of the report refer to the latest
complete month.
Adoption – Offers an all-up summary of adoption trends. Use the reports in this section to learn how
your users have adopted Microsoft 365, as well as how overall usage of the individual services has
changed month over month. You can see how may users are enabled, how many people in your
organization are actively using Microsoft 365, how many are returning users, and how many are using
the product for the first time.
Usage – Offers a drill-down view into the volume of active users and the key activities for each product
for the last 12 months. Use the reports in this section to learn how people in your organization are using
Microsoft 365.
Communication – You can see at a glance whether people in your organization prefer to stay in touch
by using Teams, Yammer, email, or Skype calls. You can observe if there are shifts in patterns in the use of
communication tools among your employees.
Collaboration – See how people in your organization use OneDrive and SharePoint to store documents
and collaborate with each other, and how these trends evolve month over month. You can also see how
many users shared documents internally or externally and how many users used SharePoint sites or
OneDrive accounts, broken out by owners and other collaborators.
Storage – Use this report to track cloud storage for mailboxes, OneDrive, and SharePoint sites.
Mobility – Track which clients and devices people use to connect to email, Teams, Skype, or Yammer.
Product usage
This report contains a separate report for each Microsoft 365 service, including Exchange, Microsoft 365 groups,
OneDrive, SharePoint, Skype, Teams, and Yammer. Each report contains total enabled vs. total active user reports,
counts of entities such as mailboxes, sites, groups, and accounts, as well as activity type reports where
appropriate. All values of the month shown on the top section of the report refer to the latest complete month.
User activity
User activity reports are available for certain individual services. These reports provide user-level detail usage
data joined with Active Directory attributes. In addition, the Department Adoption report lets you slice by Active
Directory attributes so that you can see active users across all individual services. All metrics are aggregated for
the latest complete month. To view the content date, navigate to the table page and select UserActivity table
where the value under TimeFrame provides the reporting period.
NOTE
Global Reader and Usage Summary Reports Reader don't have the permission to view the user activity reports.
FAQ
Is this template app going to be available through purchase or will it be free?
It is not free, you will need a Power BI Pro license. For details see prerequisites for installing, customizing, and
distributing a template app.
To share the dashboards with others, please see more at Share dashboards and reports.
Who can connect to Microsoft 365 usage analytics?
You have to be either a Global admin , Exchange admin , Skype for Business admin , SharePoint admin ,
Global reader , Repor t reader , Usage Summar y Repor ts Reader in order to establish the connection to
the template app. See About admin roles for more information. Note: Global Reader and Usage Summar y
Repor ts Reader only allow access to tenant level aggregates in Microsoft 365 usage analytics and they don't
have the permission to view the user activity reports.
Who can customize the usage analytics reports?
Only the user who made the initial connection to the template app can customize the reports or create new
reports in the Power BI web interface. See Customizing the reports in Microsoft 365 usage analytics for
instructions.
Can I only customize the reports from the Power BI web interface?
In addition to customizing the reports from the Power BI web interface, users can also use Power BI Desktop to
connect directly to the Microsoft 365 reporting service to build their own reports.
How can I get the pbit file that this dashboard is associated with?
You can access to the pbit file from the Microsoft Download center.
Who can view the dashboards and reports?
If you connected to the template app, you can share it with anybody by using the sharing functionality. Power BI
licensing requires that both the user sharing and the user with whom a dashboard is shared have Power BI Pro
or Power BI Premium.
Can anyone share the dashboard, or does it have to be the person who connected to the dashboard?
When sharing the dashboard, you can either allow users to re-share the dashboard with others or not. You can
set this option at the time of sharing.
Is it possible to work on and customize the same template app with a group of people?
Yes. To enable a group of admins to work together on the same template app, you can leverage the app
workspace functionality of Power BI, for more information, see How should I collaborate and share dashboards
and reports?
For which timeframe is data available?
The majority of the reports display data for the previous 12 months. However, some of the charts may show less
history since the data collection for different products and reports were started at different times and thus data
for the full 12 months might not be available. All the reports will eventually build up to 12 months of history.
Reports that show user level details show data for the previous complete month.
What data is included in the template app?
The data in the template app currently covers the same set of activity metrics available in the Activity Reports. As
reports are added to the activity reports, they will be added to the template app in a future release.
How does the data in the template app differ from the data in the usage reports?
The underlying data you see in the template app matches the data you see in the activity reports in the
Microsoft 365 admin center. The key differences are that in the admin center data is available for the last
7/30/90/180 days while the template app presents data on a monthly basis for up to 12 months.
In addition, user level details in the template app are only available for the last complete month for users who
were assigned a product license and performed an activity.
When should I use the template app and when the usage reports?
The Activity Reports are a good starting point to understand usage and adoption of Microsoft 365. The template
app combines the Microsoft 365 usage data and your organization’s Active Directory information and enables
admins to analyze the data set using the visual analytics capabilities of Power BI. This enables admins to not just
visualize and analyze Microsoft 365 usage data, but also slice it by Active Directory properties such as
departments, location etc. They can also create custom reports and share the insights within their organization.
How often is the data refreshed?
When you connect to the template app for the first time, it will automatically populate with your data for the
previous 12 months. After that, the template app data will refresh weekly. Customers can choose to modify the
refresh schedule if their use of this data demands a different update rhythm.
The back-end Microsoft 365 service will refresh data on a daily basis and provides data that is between 5-8 days
latent from the current date.
The Content date column in each dataset represents the freshness date of the data in the template app.
How is an active user defined?
The definition of active user is the same as the definition of active user in the activity reports.
What SharePoint site collections are included in the SharePoint reports?
The current version of the template app includes file activity from SharePoint team sites and SharePoint group
sites.
Which groups are included in the Microsoft 365 Groups usage report?
The current version of the template app includes usage from Outlook groups, Yammer groups, and SharePoint
groups. It does not include groups related to Microsoft Teams or Planner.
When will an updated version of the template app become available?
Major changes to the template app will be released twice a year which may include new reports or new data.
Minor changes to the reports may be released on a more frequent basis.
Is it possible to integrate the data from the template app into existing solutions?
The data in the template app can be retrieved through the Microsoft 365 APIs (in preview). When they ship to
production they will be merged within the Microsoft Graph reporting APIs.
Are there plans to expand the template app to show usage data from other Microsoft products?
This is considered for future improvements. Check the Microsoft 365 Roadmap for updates.
How can I pivot by company information in Active Directory?
Company information is included one of the Active Directory fields in the template app and you can see it as a
pre-built filter in the Product User activity reports. It is available as column in the UserState table.
Is it possible to bring in additional fields from Active Directory?
Additional customization on this data is possible by connecting to the Microsoft Graph reporting APIs to pull
additional fields from Azure Active Directory and join to the dataset.
Is it possible to aggregate the information in the template app across multiple subscriptions?
At this time, the template app is for a single subscription, as it is associated with the credentials that was used to
initially connect to it.
Is it possible to see usage by plan (i.e. E1, E3)?
In the template app, usage is represented at the per product level. Data about the various subscriptions that are
assigned to users are provided, however it is not possible to correlate user activity to the subscription assigned
to user.
Is it possible to integrate other data sets into the template app?
You can use Power BI Desktop to connect to the Microsoft 365 APIs (in preview) to bring additional data sources
to combine with the template app data.
For more information see the Customize document.
Is it possible to see the "Top Users" reports for a specific timeframe?
All user level reports present aggregated data for the previous month.
Will the template app be localized?
This is currently not on the roadmap.
I have a specific question about the data I'm seeing for my organization. Who can I reach out to?
You can use the feedback button in the admin center activity overview page, or you can open a support case(Get
support to get help with the template app.
How can partners access the data?
If a partner has delegated admin rights, he or she can connect to the template app on behalf of their customer.
Can I hide identifiable information such as user, group, and site names in reports?
Yes, see Make the collected data anonymous.
Related content
Enable Microsoft 365 usage analytics (article)
Navigate and utilize the reports in Microsoft 365 usage analytics (article)
Microsoft 365 Reports in the admin center (video)
Enable Microsoft 365 usage analytics
2/9/2022 • 3 minutes to read • Edit Online
To enable Microsoft 365 usage analytics in a Microsoft 365 US Government Community Cloud (GCC) tenant, see
Connect to Microsoft 365 Government Community Cloud (GCC) data with Usage Analytics.
Get Power BI
If you don't already have Power BI, you can sign up for Power BI Pro. Select Tr y free to sign up for a trial, or Buy
now to get Power BI Pro.
You can also expand Products to buy a version of Power BI.
NOTE
You need a Power BI Pro license to install, customize, and distribute a template app. For more information, please see
Prerequisites.
To share your data, both you and the people who you share the data with, need a Power BI Pro license, or the
content needs to be in a workspace in a Power BI premium service.
NOTE
The data for the "User Activity" tab is only refreshed after the fifteenth day of the current month and the first day of
the next month, so it will remain empty initially until the first refresh is completed.
8. After the template app is instantiated the Microsoft 365 usage analytics dashboard will be available in
Power BI on the web. The initial loading of the dashboard will take between 2 to 30 minutes.
Tenant level aggregates will be available in all reports after opting in. User-level details will only become
available around the 5th of the next calendar month after opting in . This will impact all reports under
User Activity (See Navigate and utilize the reports in Microsoft 365 usage analytics for tips on how to view and
use these reports).
Make the collected data anonymous
Reports provide information about your organization’s usage data. By default, reports display information with
identifiable names for users, groups, and sites. Starting September 1, 2021, we are hiding user information by
default for all reports as part of our ongoing commitment to help companies support their local privacy laws.
Global administrators can revert this change for their tenant and show identifiable user information if their
organization's privacy practices allow it. It can be achieved in the Microsoft 365 admin center by following these
steps:
1. In the admin center, go to the Settings > Org Settings > Ser vices page.
2. Select Repor ts .
3. Uncheck the statement In all repor ts, display de-identified names for users, groups, and sites ,
and then save your changes.
It'll take a few minutes for these changes to take effect. Showing identifiable user information is a logged event
in the Microsoft 365 compliance center audit log.
Related content
About usage analytics (article)
Get the latest version of usage analytics (article)
Navigate and utilize the reports in Microsoft 365 usage analytics (article)
Get the latest version of Microsoft 365 usage
analytics
2/9/2022 • 2 minutes to read • Edit Online
The template app may be refreshed with new data or new visualizations several times per year. Your existing
instance will continue to work, but if you would like to get the latest version, a new instance must be created and
any customizations must be applied to the new instance. See Enable Microsoft 365 usage analytics.
Navigate and utilize the reports in Microsoft 365
usage analytics
2/9/2022 • 2 minutes to read • Edit Online
The dashboard provides you with a quick overview of the main usage and adoption metrics. By selecting the
top-level metrics, you can access reports that provide more details and insights. Each report tab contains data
visualizations specific to an aspect of usage and adoption for your organization. The data collected is explained
in the title of each report and a tile appears that contains further information about the visualizations on the
report tab that you are viewing.
To get started with your reports, here are some tips:
Use the navigation tabs on the left or on a related metric on the Executive Summar y page to navigate
to each top-level report.
Use the navigation tabs at the top of each top-level report to navigate to different reports within that
level.
Many reports contain a slicer where you can filter on the product, AAD attribute, or activity that you want
to view. These can be either single-select or multi-select.
Hover over data points to view a callout that contains details.
The user who has instantiated the template app will have the ability to customize the report to their needs. To
customize the template app:
Select Edit repor t at the top of the report.
To share your reports, just select the share button at the top of the page.
To learn how to customize the reports, see Customizing the reports in Microsoft 365 usage analytics.
You can find lots of additional information in the Power BI help documentation:
Power BI basic concepts
Learn about dashboard, datasets, reports, and other Power BI concepts.
Get started with Power BI
Learn the basic functionality in Power BI. Find links to how to use Power BI Desktop.
Share dashboards and reports
Learn how to share reports with your colleagues or people outside your organization. You can also share
the report or a filtered version of the report.
Active user in Microsoft 365 usage reports
2/9/2022 • 2 minutes to read • Edit Online
Exchange Online Any user who has performed any of No calendar information is
the following actions: Mark as read, represented, this will be added in an
send messages, create appointments, upcoming update.
send meeting requests, accept (as
tentative) or decline meeting requests,
cancel meetings.
SharePoint Online Any user who has interacted with a file The active user metric for SharePoint
by creating, modifying, viewing, Online in the Microsoft 365 Usage
deleting, sharing internally or Analytics template app only reflect
externally, or synchronizing to clients users who did file activity against a
on any site or viewed a page on any SharePoint Team site or a Group site.
site. The template app will be updated to
synchronize the definition to the same
as that on the usage reports in the
admin center.
OneDrive for Business Any user who has interacted with a file
by creating, modifying, viewing,
deleting, sharing internally or
externally, or synchronizing to clients.
Microsoft 365 Groups Any group member that has mailbox This definition will be enhanced with
activity (if a message has been sent to group site file activity and Yammer
the group) group activity (file activity on group
site and message posted to Yammer
group associated with the group.) This
data is currently not available in the
Microsoft 365 Usage Analytics
template app
P RO DUC T DEF IN IT IO N O F A N A C T IVE USER N OT ES
Adoption Metrics
Microsoft 365 usage analytics contains additional adoption metrics related to active users to show adoption of
the products over time. These metrics are valid for the month, year, and product selected and are defined as
follows.
MoMReturningUsers Number of users active in the month that were also active in
the preceding month.
FirstTimeUsers Number of users active in the month that had never used
the service before.
MoMReturningUsers, FirstTimeUsers, & CumulativeActiveUsers were reset starting January 1st 2018 with the
inclusion of Microsoft Teams.
Customize the reports in Microsoft 365 usage
analytics
2/9/2022 • 4 minutes to read • Edit Online
Microsoft 365 usage analytics provides a dashboard in Power BI that offers insights into how users adopt and
use Microsoft 365. The dashboard is just a starting point to interact with the usage data. The reports can be
customized for more personalized insights.
You can also use the Power BI desktop to further customize your reports by connecting them to other data
sources to gain richer insights about your business.
2. Enter the edit mode by choosing the Edit button on the top through the button.
4. In the bottom right, choose any of the bar-charts showing the count of users activating based on the OS
such as Android, iOS, Mac, etc.
5. In the Visualizations area to the right, in order to remove Mac Count from the visual, select the X next
to it.
Create a new visual
The following example shows how to create a new visual to track new Yammer users on monthly basis.
1. Go to the Product Usage report using the left nav and select the Yammer tab.
5. Select the bottom right of that visualization and drag to make it larger.
6. In the Fields area to the right, expand the Calendar table.
7. Drag MonthName to the fields area, directly below the Axis heading in the Visualizations area.
12. Just below the list of visualizations, choose the Format icon .
13. Expand Title and change the Title Text value to First-Time Yammer Users by Month .
14. Change the Text Size value to 12 .
15. Change the title of the new page by editing the name of the page on bottom right.
16. Save out the report by Clicking on Reading View on top and then Save .
3. Enter your Microsoft 365 (organization or school) admin credentials to authenticate to Microsoft 365
when prompted.
See the FAQ for more information about who is allowed to access the Microsoft 365 Adoption template
app reports.
4. Once the connection is authorized, you will see the Navigator window that shows the datasets available
to connect to.
Select all and choose Load .
This will download the data into your Power BI Desktop. Save this file and then you can start creating the
reports you need.
Use the following procedures to connect to your data with the Microsoft 365 Usage Analytics report in a
Microsoft 365 Government Community Cloud (GCC) tenant.
NOTE
These instructions are specifically for Microsoft 365 GCC tenants.
Step 1: Make you organization’s data available for the Microsoft 365
Usage Analytics report
1. In the Microsoft 365 admin center, expand the navigation menu, select Repor ts , then select Usage .
2. On the Usage Repor ts page, in the Microsoft 365 Usage Analytics section, select Get Star ted .
3. Under Enable Power BI for usage analytics , select Make organizational usage data available to
Microsoft usage analytics for Power BI , and then select Save .
This will start a process to make your organizations data accessible for this report, and you will see a
message stating that We’re getting your data ready for Microsoft 365 usage analytics . Note that
this process can take 24 hours to complete.
4. When your organizations data is ready, refreshing the page will show a message stating that your data is
now available, and will also provide your tenant ID number. You will need to use the tenant ID in a later
step when you attempt to connect to your tenant data.
IMPORTANT
When your data is available, do not select Go to Power BI , which will take you to the Power BI Marketplace. The
template app for this report required by GCC tenants is not available in the Power BI Marketplace.
NOTE
Currently, a template app for the Microsoft 365 Usage Analytics report is not available for GCC tenants in the Power BI
Marketplace.
3. When loading completes, your report will display, and you will see an executive summary of your data.
4. Save your changes to the report.
5. Select Publish in the Power BI Desktop menu to publish the report to the Power BI Online service where
it can be viewed. This requires either a Power BI Pro license or Power BI Premium capacity. As part of the
publish process, you will need to select a destination to publish to an available workspace in the Power BI
Online Service.
Related content
About usage analytics
Get the latest version of usage analytics
Navigate and utilize the reports in Microsoft 365 usage analytics
Microsoft 365 usage analytics data model
2/9/2022 • 19 minutes to read • Edit Online
NOTE
For more information, see Working with Microsoft 365 usage reports in Microsoft Graph.
This API provides information about the monthly trend of usage of the various Microsoft 365 services. For the
exact data returned by the API refer to the table in the following section.
Tenant Product Usage Contains monthly totals of enabled, Contains monthly aggregated data for
active users, month-over-month a rolling 12-month period including
retained users, first-time users, and the the current partial month.
cumulative active users.
Tenant Product Activity Contains monthly totals of activities Contains monthly aggregated data for
and active user count for various a rolling 12-month period including
activities within the products. the current partial month.
See active user definition for
information about the activities within
a product that are returned in this
data table.
Tenant Office Licenses Contains data about number of Contains end-of-month state data for
Microsoft Office subscriptions assigned a rolling 12-month period including
to users the current partial month.
Tenant Mailbox Usage Contains data about the user's Contains end-of-month state data for
mailbox, for total mailbox count and a rolling 12-month period including
how storage is used. the current partial month.
Tenant Client Usage Contains data about the number of Contains monthly aggregated data for
users actively using specific a rolling 12-month period including
client/devices to connect to Exchange the current partial month.
Online, Skype for Business and
Yammer.
Tenant SharePoint Online Usage Contains data about the SharePoint Contains end-of-month state data for
sites, covering Team or Groups sites a rolling 12-month period including
such as total number of sites, number the current partial month.
of documents on site, file count by
activity type and storage used.
TA B L E N A M E IN F O RM AT IO N IN T H E TA B L E DAT E RA N GE
Tenant OneDrive for Business Usage Contains data about the OneDrive Contains end-of-month state data for
accounts such as number of accounts, a rolling 12-month period including
number of documents across the current partial month.
OneDrives, storage used, file count by
activity type.
Tenant Microsoft 365 Groups Usage Contains data about Microsoft 365 Contains end-of-month state data for
Groups usage including Mailbox, a rolling 12-month period including
SharePoint, and Yammer. the current partial month.
Tenant Office Activation Contains data about number of Office Contains end-of-month state data for
subscription activations, count of a rolling 12-month period including
activation per device the current partial month.
(Android/iOS/Mac/PC), activations by
service plan, for example, Microsoft
365 Apps for enterprise, Visio, Project.
User State Contains metadata about users, This data is about users that had a
including user display name, products license assigned during the last
assigned, location, department, title, complete month.
company. This data is about users who
were assigned a license during the last
complete month. Every user is
uniquely represented by a user ID.
User Activity Contains per-user level information This data is about users that
about activity performed by licensed performed an activity in any of the
users. services during the last complete
See active user definition for month.
information about the activities within
a product that are returned in this
data table.
Expand the following sections to see the detailed information for each data table.
Data table - User State
This table provides user level details for all users that have a license assigned to them during the last complete
month. It brings in data from the Azure Active Directory.
C O L UM N N A M E C O L UM N DESC RIP T IO N
Timeframe Month value for which this table has data for.
LocationCity City data represented in Azure Active Directory for this user.
LocationState State data represented in Azure Active Directory for this user.
Title Title data represented in Azure Active Directory for this user.
Deleted True if the user has been deleted from Microsoft 365 in that
last complete month.
DeletedDate Date when the user was deleted from Microsoft 365.
YAM_ActivationDate Date the user entered the state of being active in Yammer.
YAM_DeletionDate Date the user entered the state of being deleted in Yammer.
Timeframe Month value for which this table represents data for.
ODB_AccessedByOwner Number of sites the user interacted with that reside on their
own OneDrive for Business.
SPO_GroupFileViewedModified Number of files this user interacted with on any group site.
SPO_GroupFileSharedInternally The count of files that have been shared with users within
the organization, or with users within groups (that might
include external users).
SPO_GroupFileSharedExternally Number of files this user shared externally from any group
site.
SPO_OtherFileViewedModified Number of files with which this user interacted on any other
site.
SPO_OtherFileSynched Number of files this user synchronized from any other site.
SPO_OtherFileSharedInternally Number of files this user shared internally from any other
site, or with users within groups (that might include external
users).
SPO_OtherFileSharedExternally Number of files this user shared externally from any other
site.
SPO_OtherAccessedByOwner Number of sites the user interacted with that reside on other
site that they own.
SPO_OtherAccessedByOthers Number of sites the user interacted with that reside on other
site that another user owns.
SPO_TeamFileViewedModified Number of files with which this user interacted on any team
site.
SPO_TeamFileSynched Number of files this user synchronized from any team site.
SPO_TeamFileSharedInternally Number of files this user shared internally from any team
site, or with users within groups (that might include external
users).
SPO_TeamFileSharedExternally Number of files this user shared externally from any team
site.
NOTE
Teams_HasOtherAction means user is considered active but has a zero value for the Chat Messages, 1:1 calls, Channel
Messages, Total Meetings, and Meetings organized.
C O L UM N N A M E C O L UM N DESC RIP T IO N
Timeframe Month value. There will be one row per product per month
for the last 12 months including the current partial month.
EnabledUsers Number of users enabled to use the product for the time-
frame value, if a user was enabled for portion of the month,
they are still counted.
CumulativeActiveUsers Number of users who are enabled to use a product and have
used the product up to the timeframe month at least once
since data collection started in the new usage system.
C O L UM N N A M E C O L UM N DESC RIP T IO N
MoMReturningUsers Number of users who are active in the timeframe month and
also were active in the previous month.
FirstTimeUsers Number of users who became active in the timeframe for the
first time since data collection in the new usage system.
A user is counted as a first-time user in a particular month, if
we detect their activity for the first time since the beginning
of data collection in this new reporting system. Once
counted as a first-time user, even if this user has a large gap
in their activity they will never be counted again as a first-
time user
Content Date If timeframe shows current month, this value will represent
the latest date of the current month for which data is
available.
If Timeframe shows previous month, this value will represent
the last date of the timeframe month.
C O L UM N N A M E C O L UM N DESC RIP T IO N
Timeframe Month value. There will be one row per product per month
for the last 12 months including the current partial month.
Product Name of the product within Microsoft 365 for which usage
data is available.
ActivityCount This is the total number of actions counted for each activity
performed within the product across all active users.
Note: For SharePoint Online and OneDrive for Business
activities, this value represents the number of distinct
documents with which users interacted with.
Content Date If timeframe shows current month, this value will represent
the latest date of the current month for which data is
available.
If Timeframe shows previous month, this value will represent
the last date of the timeframe month.
IssueWarningQuota Total quota for issuing warning across all users' mailboxes.
ProhibitSendQuota Total quota for prohibit send across all user mailboxes.
ProhibitSendReceiveQuota Total quota for prohibit send receive quota across all user
mailboxes.
Content Date If timeframe shows current month, this value will represent
the latest date of the current month for which data is
available.
If Timeframe shows previous month, this value will represent
the last date of the timeframe month.
C O L UM N N A M E C O L UM N DESC RIP T IO N
Product Name of the product within Microsoft 365 for which client
usage data is available.
UserCount Number of users that used each of the clients for each
product.
Content Date If timeframe shows current month, this value will represent
the latest date of the current month for which data is
available.
If Timeframe shows previous month, this value will represent
the last date of the timeframe month.
C O L UM N N A M E C O L UM N DESC RIP T IO N
Diplansed Total storage used summed across all sites at the end of the
timeframe.
SitesWithNonOwnerActivities Number of active sites summed up for the month, where the
users other than the site owner performed a particular file
activity on sites. You can get the site owner from the
PowerShell command get-sposite . This is the person who is
responsible for the site.
Timeframe This column has the date value. Used as Many to one
relationship for Calendar table.
C O L UM N N A M E C O L UM N DESC RIP T IO N
Content Date If timeframe shows current month, this value will represent
the latest date of the current month for which data is
available.
If Timeframe shows previous month, this value will represent
the last date of the timeframe month.
C O L UM N N A M E C O L UM N DESC RIP T IO N
Timeframe This column has the date value. Used as Many to one
relationship for Calendar table.
Content Date If timeframe shows current month, this value will represent
the latest date of the current month for which data is
available.
If Timeframe shows previous month, this value will represent
the last date of the timeframe month.
C O L UM N N A M E C O L UM N DESC RIP T IO N
TimeFrame Month value. There will be one row per product per month
for the last 12 months including the current partial month.
C O L UM N N A M E C O L UM N DESC RIP T IO N
C O L UM N N A M E C O L UM N DESC RIP T IO N
TotalEnabled Number of users enabled per service plan name by the end
of the timeframe.
iOSCount Number of activations per service plan for iOS device by the
end of the timeframe.
Timeframe This column has the date value. Used as Many to one
relationship for Calendar table.
Content Date If timeframe shows current month, this value will represent
the latest date of the current month for which data is
available.
If Timeframe shows previous month, this value will represent
the last date of the timeframe month.
Troubleshooting Microsoft 365 usage analytics
2/9/2022 • 4 minutes to read • Edit Online
Explore the following list of error messages to get help with the most common issues with Microsoft 365 usage
analytics.
Refresh failed
Where you will see this message: Email from Power BI or failed status in the refresh history.
Cause: Sometimes the credentials of the user who connected to the template app are reset, and not updated in
the connection settings of the template app causing the user to see refresh failure errors.
To fix this error : In Power BI, find the dataset corresponding to the Microsoft 365 Usage Analytics template
app, select schedule refresh and provide your admin credentials.
If that doesn't work, clear the cache, and re-create the template app.
Microsoft 365 support integration with ServiceNow
configuration overview
2/9/2022 • 2 minutes to read • Edit Online
Microsoft 365 suppor t integration enables you to integrate Microsoft 365 help, support, and service health
with your ServiceNow instances. You can research Microsoft known and reported issues, resolve incidents,
complete tasks by using Microsoft recommended solutions, and, if necessary, escalate to Microsoft human-
assisted support.
For the Microsoft 365 suppor t integration app from the ServiceNow store, go to the ServiceNow Store.
Key features
These are the key features you'll get with the Microsoft 365 support integration app in your ServiceNow
instance:
Service Health Incidents: Information about known Microsoft service health incidents, including user
impact, scope, current status, and next expected update. Using machine learning, ServiceNow incidents
are matched to Microsoft service health incidents based on the short description field.
Recommended solutions: Descriptions of tasks and incidents are used to recommend precise targeted
solutions and relevant articles from Microsoft powered by machine learning. You can also use Search to
find other solutions, if needed.
Microsoft service request: Escalate issues to Microsoft support agents and receive status updates for your
case.
Prerequisites
Permissions requirements
To proceed with this guide, make sure that the following permissions are available and configured for your
environments during the whole process:
Azure Active Directory (AAD) admin who can create Azure AD Applications
ServiceNow admin
Microsoft 365 tenant admin
Configuration highlights
To set up Microsoft 365 suppor t integration :
Register applications in Microsoft Azure Active Directory (AAD) for authentication of both outbound and
inbound API calls.
Create ServiceNow entities with Microsoft Azure AD Application for both outbound and inbound data
flow.
Integrate ServiceNow instance with Microsoft support through the Microsoft 365 admin portal.
W H AT F EAT URES A RE
Q UEST IO N #1 A N SW ER Q UEST IO N #2 A N SW ER AVA IL A B L E? C O N F IGURAT IO N ST EP S
2. Go to Authentication and select Add a platform . Select the Web option and enter the redirect URL:
https://{your-servicenow-instance``}.service-now.com/oauth_redirect.do
3. Get the Application Client ID and create a Client secret and get that value.
4. [ServiceNow Admin] Set up the Outbound OAuth Provider in ServiceNow.
If the scope is not set to Global , go to Settings > Developer > Applications and switch to Global .
NOTE
This terminal command lists all active IPs of the service for Microsoft 365 support integration:
nslookup`` connector.rave.microsoft.com
NOTE
If you see the error "Read operation against 'oauth_entity' from scope 'x_mioms_m365_assis' has been refused
due to the table’s cross-scope access policy," it was caused by your table access policy. You must make sure All
application scopes > Can read is checked for the table oauth_entity.
8. [Microsoft 365 Tenant Admin] Complete the integration in the Microsoft 365 Admin Portal.
Verify the information below is correct. DO NOT select Next at this time.
9. Go to Microsoft 365 Admin Por tal > Settings > Org settings > Organization profiles .
10. Configure the support integration settings:
Select the Basic information tab > Internal suppor t tool > Ser viceNow , and enter the Outbound
App ID value in the Application ID to issue Auth Token field. This Outbound App ID is on Step 6 –
Complete the Integration, which was created in Prerequisite (Basic Authentication) step #1.
11. On the Repositories tab, select New repositor y and update it with the following settings:
Repository: The Repositor y ID value from Step 6 – Complete the Integration.
Endpoint: The Endpoint value from Step 6 – Complete the Integration.
Authentication type: Select Basic Auth .
Client ID: The Client ID value from Step 6 – Complete the Integration.
Client secret: The secret of the inbound OAuth provider that was created in Prerequisites (Basic
Authentication) step #3.
Refresh token expiry: 864000
Rest username: The User Name value from Step 6 – Complete the Integration.
Rest user password: The password of the integration user that was created in Prerequisites (Basic
Authentication) step #4.
14. [ServiceNow Admin] Test the connection After completing the previous step, click Test connection .
The Microsoft
365 support integration app will execute tests to ensure the integration is working. If there is a problem
with the configuration, an error message will explain what needs to be fixed. Otherwise, the application is
ready.
15. [OPTIONAL] [The user with role x_mioms_m365_assis.administrator link] Link Microsoft 365 Admin
account. If any user has the role x_mioms_m365_assis.administrator and is using different Microsoft 365
accounts to manage a Microsoft 365 support case, they must go to Microsoft 365 support > Link
Account to set up their Microsoft 365 admin email.
Configure Microsoft 365 support integration with
Azure AD Auth Token
2/9/2022 • 7 minutes to read • Edit Online
2. Go to Authentication and select Add a platform . Select the Web option and enter the redirect URL:
https://{your-servicenow-instance``}.service-now.com/auth_redirect.do
3. Get the Application Client ID and create a Client secret and get that value.
4. [AAD Admin] Create an Azure AD Application for Rest API under your Microsoft 365 tenant.
a. Log on to the Azure Portal with your Microsoft 365 tenant credentials and go to the App
registrations page to create a new application.
b. Select Accounts in this organizational director y only {(Microsoft-365-tenant-name}
only – Single tenant) .
5. Get the Application Client ID and create a Client secret and get that value.
6. [AAD Admin] Create an Azure AD Application for Rest User under your Microsoft 365 tenant.
a. Log on to the Azure Portal with your Microsoft 365 tenant credentials and go to the App
registrations page to create a new application.
b. Select Accounts in this organizational director y only {(Microsoft-365-tenant-name}
only – Single tenant) .
7. Get the Application Client ID and create a Client secret and get that value.
8. [ServiceNow Admin] Set up the Outbound OAuth Provider in ServiceNow.
If the scope is not set to Global , do so by navigating to Settings > Developer > Applications and
switching to Global .
11. [ServiceNow Admin] To configure the OIDC provider in ServiceNow, see the online documentation.
If the scope is not set to Global , go to Settings > Developer > Applications and switch to Global .
UserClaim: appId
UserField: User ID
15. Create a new application by selecting Configure an OIDC provider to verify ID tokens with these
values:
Name: {Tenant_Name}_application_inbound_api (example: contoso_applicaiton_inbound_api)
Client ID: The Client ID of the application created in Prerequisites (Azure AD Auth Token) step #2.
Client Secret: The App Secret of the application created in Prerequisites (Azure AD Auth Token) step
#2.
OAuth OIDC Provider Configuration: The OIDC provider created in the previous step
Redirect URL: https://{service-now-instance-name}.service-now.com/oauth\_redirect.do
NOTE
This terminal command lists all active IPs of the service for Microsoft 365 support integration:
nslookup`` connector.rave.microsoft.com
NOTE
If you see the error "Read operation against 'oauth_entity' from scope 'x_mioms_m365_assis' has been refused
due to the table’s cross-scope access policy," it was caused by your table access policy. You must make sure All
application scopes > Can read is checked for the table oauth_entity.
4. [ServiceNow Admin] Configure the environment and setup type. If this installation is on a test
environment, select the option This is a test environment. You will be able to quickly disable this option
after the setup and all of your tests are completed later. If your instance allows Basic Authentication for
inbound connections, select Yes and refer to the Basic Auth setup process. Otherwise, select No and click
Star t setup .
5. [ServiceNow Admin] Enter your Microsoft 365 tenant domain.
entity.
8. [Microsoft 365 Tenant Admin] Complete the integration.
Verify the information below is correct. DO NOT select Next at this time.
a. Go to Microsoft 365 Admin Por tal > Settings > Org settings > Organization profiles .
b. Configure the support integration settings:
Select the Basic information tab > Internal suppor t tool > Ser viceNow , and enter the Outbound
App ID value in the Application ID to issue Auth Token field. This Outbound App ID is on Step 6 –
Complete the Integration, which was created in Prerequisites (Azure AD Auth Token).
a. On the Repositories tab, select New repositor y and update it with the following settings:
Repository: The Repositor y ID value from "Step 6 – Complete the Integration".
Endpoint: The Endpoint value from "Step 6 – Complete the Integration".
Authentication type: Select AAD Auth .
Client ID: The Client ID value from Step 6 – Complete the Integration.
Client secret: The secret of the inbound OAuth provider that was created in Prerequisites (Azure
AD Auth Token) step #2.
Rest username: The User Name value from Step 6 – Complete the Integration, which is the Client
ID of the application created in Prerequisites (Azure AD Auth Token) step #3.
Rest user password: The App Secret of the application that was created in Prerequisites (Azure AD
Auth Token) step #3.
a. Go back to ServiceNow.
b. Select Next to complete the integration.
The Microsoft
365 support integration app will execute tests to ensure the integration is working. If there is a problem
with the configuration, an error message will explain what needs to be fixed. Otherwise, the application is
ready.
9. [ServiceNow Admin] Enable Microsoft support integration for an existing user.
Microsoft 365 support integration is enabled for the user with one of these roles:
x_mioms_m365_assis.insights_user
x_mioms_m365_assis.administrator
10. [OPTIONAL] [The user with role x_mioms_m365_assis.administrator link] Link Microsoft 365 admin
account.
If any user has the role x_mioms_m365_assis.administrator and is using different Microsoft 365 accounts
to manage a Microsoft 365 support case, they must go to Microsoft 365 support > Link Account to set up
their Microsoft 365 admin email.
Microsoft 365 support integration for service health
incidents and recommended solutions only
2/9/2022 • 3 minutes to read • Edit Online
This configuration doesn't allow you to create a case with Microsoft support through your ServiceNow instance.
This option provides you only with the Service Health Incident information and Recommend Solutions available
through your ServiceNow instance.
2. Go to Authentication and select Add a platform . Select the Web option and enter the redirect URL:
https://{your-servicenow-instance``}.service-now.com/auth_redirect.do
3. Get the Application Client ID and create a Client secret and get that value.
4. [ServiceNow Admin] Set up the Outbound OAuth Provider in ServiceNow.
If the scope is not set to Global , go to Settings > Developer > Applications and switch to Global .
2. [ServiceNow Admin] Go to Microsoft 365 Suppor t > Setup to open the integration workflow.
NOTE
If you see the error "Read operation against 'oauth_entity' from scope 'x_mioms_m365_assis' has been refused
due to the table’s cross-scope access policy," it was caused by your table access policy. You must make sure All
application scopes > Can read is checked for the table oauth_entity.
3. [ServiceNow Admin] Select Agree to continue.
12. On the Repositories tab, select New repositor y and update it with the following settings:
Repository: The Repositor y ID value from Step 6 – Complete the Integration.
Endpoint: The Endpoint value from Step 6 – Complete the Integration.
Authentication type: Select AAD Auth .
Client ID: A random value (example: ignored).
Rest username: A random value (example: ignored).
Rest user password: A random value (example: ignored).
13. Go back to ServiceNow.
14. Select Next to complete the integration.
15. [ServiceNow Admin] Enable Microsoft support integration for an existing user.
Microsoft 365 support integration is enabled for the user with one of these roles:
x_mioms_m365_assis.insights_user
x_mioms_m365_assis.administrator
NOTE
The user with the role x_mioms_m365_assis.insights_user can see Service Health Incidents, Recommended
Solutions. The user with the role x_mioms_m365_assis.administrator also can open a case with Microsoft 365
support. With Insights ONLY, no one should be assigned the role x_mioms_m365_assis.administrator.
Testing the ServiceNow configuration
2/9/2022 • 2 minutes to read • Edit Online
If your application requires successful communication with external systems, outline how to test the connection
to ensure a successful configuration.
Follow these steps to test the configuration of Microsoft 365 support integration:
1. Log into your ServiceNow portal as admin.
2. Open any incident.
3. Focus on the Microsoft 365 Suppor t tab and select Microsoft 365 Insights to determine if the
recommended solutions were returned successfully.
Troubleshooting Microsoft 365 support integration
with ServiceNow
2/9/2022 • 2 minutes to read • Edit Online
# P RO B L EM DIA GN O ST IC S A C T IO N
1 Can’t see Microsoft 365 suppor t Verify the current view and System
tab Logs > All with filter
x_mioms_m365_assit
4 Type the problem in search box and Check the error message on top of the
select Microsoft recommended form and System Logs > All with
solutions but get error "Please filter x_mioms_m365_assit
contact your ServiceNow admin and
ask them to complete the setup steps
for the app."
5 Type problem in search box and select Check the error message on top of the
Microsoft recommended form and System Logs > All with
solutions but get error "Please filter x_mioms_m365_assit
contact your ServiceNow admin and
ask them to complete the final set up
step for the app."
6 Select Contact Microsoft suppor t , Check the error message on top of the
but get the error "Please contact your form and System Logs > All with
ServiceNow admin and ask them to filter x_mioms_m365_assit
complete the setup steps for the app."
7 Select Contact Microsoft suppor t , Check the error message on top of the
but get the error "Please contact your form and System Logs > All with
ServiceNow admin and ask them to filter x_mioms_m365_assit
complete the final set up step for the
app."
8 Select Contact Microsoft suppor t Check the error message on top of the
but get the error "{EmailAddress} is not form and System Logs > All with
a valid Microsoft 365 admin account. filter x_mioms_m365_assit
You need Microsoft 365 admin
privileges to open a service request. In
the app, link the admin account."
# P RO B L EM DIA GN O ST IC S A C T IO N
11 Type problem in search box and select Check System Logs – Outbound
Microsoft recommended HTTP logs with filter
solutions but nothing shows up login.microsoftonline.com and
connector.rave.microsoft.com
12 Type problem in search box and select Check the error message on top of the
Microsoft recommended form and System Logs > All with
solutions but get error "Please filter x_mioms_m365_assit
contact app support."
14 Can’t see Microsoft recommended Check System Logs > All with filter
solution after reopening the incident x_mioms_m365_assit
15 Can’t see Microsoft cases when Check System Logs > All with filter
reopening the incident that was x_mioms_m365_assit
transferred to Microsoft support
16 Can’t save ticket details, get error Check the error message on top of
"Unable to save ticket details. Please form
contact App support."
Top 10 ways to secure Microsoft 365 for business
plans
2/9/2022 • 14 minutes to read • Edit Online
If you are a small or medium-size organization using one of Microsoft's business plans and your type of
organization is targeted by cybercriminals and hackers, use the guidance in this article to increase the security of
your organization. This guidance helps your organization achieve the goals described in the Harvard Kennedy
School Cybersecurity Campaign Handbook.
1 Set up multi-factor
authentication
If you have Microsoft Business Premium, the quickest way to setup security and begin collaborating safely is to
follow the guidance in this library: Microsoft 365 for smaller businesses and campaigns. This guidance was
developed in partnership with the Microsoft Defending Democracy team to protect all small business customers
against cyberthreats launched by sophisticated hackers.
Before you begin, check your Microsoft 365 Secure Score in the Microsoft 365 Defender portal. From a
centralized dashboard, you can monitor and improve the security for your Microsoft 365 identities, data, apps,
devices, and infrastructure. You are given points for configuring recommended security features, performing
security-related tasks (such as viewing reports), or addressing recommendations with a third-party application
or software. With added insights and more visibility into a broader set of Microsoft products and services, you
can feel confident reporting about your organization's security health.
B LO C K F IL E T Y P ES T H AT C O UL D
WA RN USERS B EF O RE O P EN IN G C O N TA IN RA N SO M WA RE O R OT H ER
SET T IN G AT TA C H M EN T S O F O F F IC E F IL ES M A L IC IO US C O DE
Name Anti-ransomware rule: warn users Anti-ransomware rule: block file types
Apply this rule if . . . Any attachment . . . file extension Any attachment . . . file extension
matches . . . matches . . .
Specify words or phrases Add these file types: Add these file types:
dotm, docm, xlsm, sltm, xla, xlam, xll, ade, adp, ani, bas, bat, chm, cmd, com,
pptm, potm, ppam, ppsm, sldm cpl, crt, hlp, ht, hta, inf, ins, isp, job, js,
jse, lnk, mda, mdb, mde, mdz, msc,
msi, msp, mst, pcd, reg, scr, sct, shs,
url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
B LO C K F IL E T Y P ES T H AT C O UL D
WA RN USERS B EF O RE O P EN IN G C O N TA IN RA N SO M WA RE O R OT H ER
SET T IN G AT TA C H M EN T S O F O F F IC E F IL ES M A L IC IO US C O DE
TIP
You can also add the files you want to block to the Anti-malware list in step 4.
Apply this rule if ... The sender . . . is external/internal . . . Inside the organization
Do the following ... Block the message . . . reject the message and include an
explanation.
In Outlook.com, select Protect in the email. The default protection is Do not for ward . To change this to
encrypt, select Change Permissions > Encr ypt .
To receive encrypted email
If the recipient has Outlook 2013 or Outlook 2016 and a Microsoft email account, they'll see an alert about the
item's restricted permissions in the Reading pane. After opening the message, the recipient can view the
message just like any other.
If the recipient is using another email client or email account, such as Gmail or Yahoo, they'll see a link that lets
them either sign in to read the email message or request a one-time passcode to view the message in a web
browser. If users aren't receiving the email, have them check their Spam or Junk folder.
For more information, see Send, view, and reply to encrypted messages in Outlook for PC.
Description Ensure most important staff and our domain are not being
impersonated.
Add users to protect Select + Add a condition, The recipient is . Type user
names or enter the email address of the candidate,
campaign manager, and other important staff members. You
can add up to 20 internal and external addresses that you
want to protect from impersonation.
Add trusted senders and domains For this example, don't define any overrides.
For more information, see Set up anti-phishing policies in Defender for Office 365.
Save attachments unknown malware response Select Block - Block the current and future emails
and attachments with detected malware .
SET T IN G O R O P T IO N REC O M M EN DED SET T IN G
For more information, see Set up anti-phishing policies in Defender for Office 365.
Select the action for unknown potentially malicious URLs in Select On - URLs will be rewritten and checked
messages against a list of known malicious links when user
clicks on the link .
Apply real-time URL scanning for suspicious links and links Select this box.
that point to files
For more information, see Safe Links in Microsoft Defender for Office 365.
Related content
Multi-factor authentication for Microsoft 365 (article)
Manage and monitor priority accounts (article)
Microsoft 365 Reports in the admin center (video)
Multifactor authentication for Microsoft 365
2/9/2022 • 5 minutes to read • Edit Online
Passwords are the most common method of authenticating a sign-in to a computer or online service, but they
are also the most vulnerable. People can choose easy passwords and use the same passwords for multiple sign-
ins to different computers and services.
To provide an additional level of security for sign-ins, you must use multifactor authentication (MFA), which uses
both a password, which should be strong, and an additional verification method based on:
Something you have with you that is not easily duplicated, such as a smart phone.
Something you uniquely and biologically have, such as your fingerprints, face, or other biometric attribute.
The additional verification method is not employed until after the user's password has been verified. With MFA,
even if a strong user password is compromised, the attacker does not have your smart phone or your
fingerprint to complete the sign-in.
All Microsoft 365 plans Use security defaults, which require Small business
MFA for all user accounts.
You can also configure per-user
MFA on individual user accounts,
but this is not recommended.
Microsoft 365 Business Premium Use Conditional Access policies to Small business to enterprise
Microsoft 365 E3 require MFA for user accounts based
on group membership, apps, or other
Azure Active Directory (Azure AD) criteria.
Premium P1 licenses
Security defaults
Security defaults is a new feature for Microsoft 365 and Office 365 paid or trial subscriptions created after
October 21, 2019. These subscriptions have security defaults turned on, which:
Requires all of your users to use MFA with the Microsoft Authenticator app.
Blocks legacy authentication.
Users have 14 days to register for MFA with the Microsoft Authenticator app from their smart phones, which
begins from the first time they sign in after security defaults has been enabled. After 14 days have passed, the
user won't be able to sign in until MFA registration is completed.
Security defaults ensure that all organizations have a basic level of security for user sign-in that is enabled by
default. You can disable security defaults in favor of MFA with Conditional Access policies.
You enable or disable security defaults from the Proper ties pane for Azure AD in the Azure portal.
You can use security defaults with any Microsoft 365 plan.
For more information, see this overview of security defaults.
Conditional Access policies
Conditional Access policies are a set of rules that specify the conditions under which sign-ins are evaluated and
allowed. For example, you can create a Conditional Access policy that states:
If the user account name is a member of a group for users that are assigned the Exchange, user, password,
security, SharePoint, or global administrator roles, require MFA before allowing access.
This policy allows you to require MFA based on group membership, rather than trying to configure individual
user accounts for MFA when they are assigned or unassigned from these administrator roles.
You can also use Conditional Access policies for more advanced capabilities, such as requiring MFA for specific
apps or that the sign-in is done from a compliant device, such as your laptop running Windows 10.
You configure Conditional Access policies from the Security pane for Azure AD in the Azure portal.
After being enabled, the next time the user signs in, they will be prompted to register for MFA and to choose and
test the additional verification method.
Using these methods together
This table shows the results of enabling MFA with security defaults, Conditional Access policies, and per-user
account settings.
SEC O N DA RY
A UT H EN T IC AT IO N
IT EM EN A B L ED DISA B L ED M ET H O D
Security defaults Can't use Conditional Can use Conditional Access Microsoft Authenticator
Access policies policies app
Conditional Access If any are enabled, you can't If all are disabled, you can User-specified during MFA
policies enable security defaults enable security defaults registration
Legacy per-user MFA Overrides security defaults Overridden by security User-specified during MFA
(not recommended) and Conditional Access defaults and Conditional registration
policies requiring MFA at Access policies
each sign in
If security defaults are enabled, all new users are prompted for MFA registration and the use of the Microsoft
Authenticator app at their next sign-in.
Next steps
Set up MFA for Microsoft 365
Related content
Turn on multifactor authentication (video)
Turn on multifactor authentication for your phone (video)
Set up multifactor authentication
2/9/2022 • 3 minutes to read • Edit Online
Multifactor authentication means you and your employees must provide more than one way to sign in to
Microsoft 365 is one of the easiest ways to secure your business. Based on your understanding of multifactor
authentication (MFA) and its support in Microsoft 365, it's time to set it up and roll it out to your organization.
IMPORTANT
If you purchased your subscription or trial after October 21, 2019, and you're prompted for MFA when you sign in,
security defaults have been automatically enabled for your subscription.
IMPORTANT
Turn off both per-user MFA and Security defaults before you enable Conditional Access policies.
Conditional Access is available for customers who have purchased Azure AD Premium P1, or licenses that
include this, such as Microsoft 365 Business Premium, and Microsoft 365 E3. For more information, see create a
Conditional Access policy.
Risk-based conditional access is available through Azure AD Premium P2 license, or licenses that include this,
such as Microsoft 365 E5. For more information, see risk-based Conditional Access.
For more information about the Azure AD P1 and P2, see Azure Active Directory pricing.
Turn on Modern authentication for your organization
For most subscriptions modern authentication is automatically turned on, but if you purchased your
subscription before August 2017, it is likely that you will need to turn on Modern Authentication in order to get
features like Multifactor Authentication to work in Windows clients like Outlook.
1. In the Microsoft 365 admin center, in the left nav choose Settings > Org settings .
2. Under the Ser vices tab, choose Modern authentication , and in the Modern authentication pane, make
sure Enable Modern authentication is selected. Choose Save changes .
Next steps
How to register for their additional verification method
What is: Multifactor Authentication
How to sign-in after registration
How to change their additional verification method
Related content
Set up multifactor authentication (video)
Turn on multi-factor authentication for your phone
Manage and monitor priority accounts
2/9/2022 • 3 minutes to read • Edit Online
In every Microsoft 365 organization, there are people that are essential, like executives, leaders, managers, or
other users who have access to sensitive, proprietary, or high priority information.
To help your organization protect these accounts, you can now designate specific users as priority accounts and
leverage app-specific features that provide them with extra protection. In the future, more apps and features will
support priority accounts, and to start with, we've announced two capabilities: priority account protection
and premium mail flow monitoring .
Priority account protection - Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat
Protection) supports priority accounts as tags that can be used in filters in alerts, reports, and
investigations. For more information, check out User tags in Microsoft Defender for Office 365.
A natural question is, "Aren't all users a priority? Why not designate all users as priority accounts?" Yes, all
users are a priority, but priority account protection offers the following additional benefits:
Additional heuristics : Our analysis of mail flow in the Microsoft datacenters indicates that mail flow
patterns for company executives are different than the average employee. Priority account protection
offers additional heuristics that are specifically tailored to company executives that wouldn't benefit a
regular employee.
Additional visibility in repor ting : In effect, information for all users (or all affected users) is
already available in alerts, reports, and investigations. The priority accounts tag as a filter allows you
to specifically target your investigations.
Premium Mail Flow Monitoring - Healthy mail flow can be critical to business success, and delivery
delays or failures can have a negative impact on the business. You can choose a threshold for failed or
delayed emails, receive alerts when that threshold is exceeded, and view a report of email issues for
priority accounts. For more information, check out Email issues for priority accounts report in the modern
EAC
For security best practices for priority accounts, see Security recommendations for priority accounts.
When you apply priority account protection to a mailbox, you should also apply priority account protection to
users who have access to the mailbox (for example, the CEO and the CEO's executive assistant who manages the
CEO's calendar).
Add priority accounts from the Setup page
Add priority accounts from the Setup page .
1. Go to the Microsoft 365 admin center at https://admin.microsoft.com.
2. Go to Setup > Organizational knowledge , and choose View under Monitor your most impor tant
accounts .
3. Select Get Star ted or Manage .
4. On the Add Priority accounts page, in the search field, type the name or email address of the person
you want to add to the priority accounts list. You can also set your email threshold for failed or delayed
emails and get a weekly report of issues for priority accounts.
5. Select the user and choose Save .
You can also add priority accounts from the Active users page.
Add priority accounts from Active users page
Add priority accounts from the Active users page.
1. Go to the admin center at https://admin.microsoft.com.
2. Go to Users > Active users and select the three dots (more actions) at the top of the page. Select
Manage priority accounts .
3. Select Add accounts , and on the Add Priority accounts page, in the search field, type the name of the
person you want to add to the priority accounts list.
4. Select the user and choose Save .
Related topics
Using Priority Accounts in Microsoft 365
Enable Modern Authentication for Office 2013 on
Windows devices
2/9/2022 • 2 minutes to read • Edit Online
To enable modern authentication for any Windows devices that have Office 2013 installed, you need to set
specific registry keys.
To enable modern authentication for any devices running Windows (for example on laptops and tablets), that
have Microsoft Office 2013 installed, you need to set the following registry keys. The keys need to be set on
each device that you want to enable for modern authentication:
REGIST RY K EY TYPE VA L UE
HKCU\SOFTWARE\Microsoft\Office\15. REG_DWORD 1
0\Common\Identity\EnableADAL
HKCU\SOFTWARE\Microsoft\Office\15. REG_DWORD 1
0\Common\Identity\Version
Once you've set the registry keys, you can set Office 2013 devices apps to use multifactor authentication (MFA)
with Microsoft 365.
If you're currently signed-in with any of the client apps, you need to sign out and sign back in for the change to
take effect. Otherwise, the MRU and roaming settings will be unavailable until the identity is established.
REGIST RY K EY TYPE VA L UE
HKCU\SOFTWARE\Microsoft\Office\15. REG_DWORD 0
0\Common\Identity\EnableADAL
Related content
Sign in to Office 2013 with a second verification method (article)
Outlook prompts for password and doesn't use Modern Authentication to connect to Office 365 (article)
Prerequisites for protecting data on devices with
Microsoft 365 for business
2/9/2022 • 2 minutes to read • Edit Online
If you are a small or medium-size organization using one of Microsoft's business plans and your type of
organization is targeted by cybercriminals and hackers, use the guidance in this article to increase the security of
your organization. This guidance helps your organization achieve the goals described in the Harvard Kennedy
School Cybersecurity Campaign Handbook.
1 Set up multi-factor
authentication
If you have Microsoft Business Premium, the quickest way to setup security and begin collaborating safely is to
follow the guidance in this library: Microsoft 365 for smaller businesses and campaigns. This guidance was
developed in partnership with the Microsoft Defending Democracy team to protect all small business customers
against cyberthreats launched by sophisticated hackers.
Before you begin, check your Microsoft 365 Secure Score in the Microsoft 365 Defender portal. From a
centralized dashboard, you can monitor and improve the security for your Microsoft 365 identities, data, apps,
devices, and infrastructure. You are given points for configuring recommended security features, performing
security-related tasks (such as viewing reports), or addressing recommendations with a third-party application
or software. With added insights and more visibility into a broader set of Microsoft products and services, you
can feel confident reporting about your organization's security health.
B LO C K F IL E T Y P ES T H AT C O UL D
WA RN USERS B EF O RE O P EN IN G C O N TA IN RA N SO M WA RE O R OT H ER
SET T IN G AT TA C H M EN T S O F O F F IC E F IL ES M A L IC IO US C O DE
Name Anti-ransomware rule: warn users Anti-ransomware rule: block file types
Apply this rule if . . . Any attachment . . . file extension Any attachment . . . file extension
matches . . . matches . . .
Specify words or phrases Add these file types: Add these file types:
dotm, docm, xlsm, sltm, xla, xlam, xll, ade, adp, ani, bas, bat, chm, cmd, com,
pptm, potm, ppam, ppsm, sldm cpl, crt, hlp, ht, hta, inf, ins, isp, job, js,
jse, lnk, mda, mdb, mde, mdz, msc,
msi, msp, mst, pcd, reg, scr, sct, shs,
url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
B LO C K F IL E T Y P ES T H AT C O UL D
WA RN USERS B EF O RE O P EN IN G C O N TA IN RA N SO M WA RE O R OT H ER
SET T IN G AT TA C H M EN T S O F O F F IC E F IL ES M A L IC IO US C O DE
TIP
You can also add the files you want to block to the Anti-malware list in step 4.
Apply this rule if ... The sender . . . is external/internal . . . Inside the organization
Do the following ... Block the message . . . reject the message and include an
explanation.
In Outlook.com, select Protect in the email. The default protection is Do not for ward . To change this to
encrypt, select Change Permissions > Encr ypt .
To receive encrypted email
If the recipient has Outlook 2013 or Outlook 2016 and a Microsoft email account, they'll see an alert about the
item's restricted permissions in the Reading pane. After opening the message, the recipient can view the
message just like any other.
If the recipient is using another email client or email account, such as Gmail or Yahoo, they'll see a link that lets
them either sign in to read the email message or request a one-time passcode to view the message in a web
browser. If users aren't receiving the email, have them check their Spam or Junk folder.
For more information, see Send, view, and reply to encrypted messages in Outlook for PC.
Description Ensure most important staff and our domain are not being
impersonated.
Add users to protect Select + Add a condition, The recipient is . Type user
names or enter the email address of the candidate,
campaign manager, and other important staff members. You
can add up to 20 internal and external addresses that you
want to protect from impersonation.
Add trusted senders and domains For this example, don't define any overrides.
For more information, see Set up anti-phishing policies in Defender for Office 365.
Save attachments unknown malware response Select Block - Block the current and future emails
and attachments with detected malware .
SET T IN G O R O P T IO N REC O M M EN DED SET T IN G
For more information, see Set up anti-phishing policies in Defender for Office 365.
Select the action for unknown potentially malicious URLs in Select On - URLs will be rewritten and checked
messages against a list of known malicious links when user
clicks on the link .
Apply real-time URL scanning for suspicious links and links Select this box.
that point to files
For more information, see Safe Links in Microsoft Defender for Office 365.
Related content
Multi-factor authentication for Microsoft 365 (article)
Manage and monitor priority accounts (article)
Microsoft 365 Reports in the admin center (video)
Increase threat protection
2/9/2022 • 10 minutes to read • Edit Online
This article helps you increase the protection in your Microsoft 365 subscription to protect against phishing,
malware, and other threats. These recommendations are appropriate for organizations with an increased need
for security, like law offices and health care clinics.
Before you begin, check your Office 365 Secure Score. Office 365 Secure Score analyzes your organization's
security based on your regular activities and security settings, and assigns a score. Begin by taking note of your
current score. To increase your score, complete the actions recommended in this article. The goal isn't to achieve
the maximum score, but to be aware of opportunities to protect your environment that don't negatively affect
productivity for your users.
For more information, see Microsoft Secure Score.
1. From the Microsoft 365 admin center, choose Show more , Admin centers , and then Security .
2. Go to Email & collaboration > Policies & rules > Threat policies .
3. From the policies available, choose Anti-malware .
To increase malware protection in email:
1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat
policies > Anti-malware in the Policies section.
2. On the Anti-malware page, double-click on Default (Default) . A flyout appears.
3. Select Edit protection settings at the bottom of the flyout.
4. under Protection settings , select the checkbox next to Enable the common attachments filter . The
file types that are blocked are listed directly below this control. Make sure that you add these file types:
ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda,
mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
To add or delete file types, select Customize file types at the end of the list.
5. Select Save.
For more information, see Anti-malware protection in EOP.
1. From the admin center at https://admin.microsoft.com, choose Exchange under Admin centers .
2. From the menu on the left, choose mail flow .
3. On the rules tab, choose the arrow next to the plus (+) symbol, and then choose Create a new rule .
4. On the new rule page, enter a name for your rule, scroll to the bottom, and then choose More options .
To create a mail transport rule:
1. Go to the admin center at https://admin.microsoft.com, and choose Admin centers > Exchange .
2. In the mail flow category, select rules .
3. Select + , and then select Create a new rule .
4. Select More options at the bottom of the dialog box to see the full set of options.
5. Apply the settings in the following table for the rule. Use the default values for the rest of the settings,
unless you want to change them.
6. Select Save .
WA RN USERS B EF O RE O P EN IN G AT TA C H M EN T S O F O F F IC E
SET T IN G F IL ES
Provide message text Do not open these types of files from people you do not
know because they might contain macros with malicious
code.
WA RN USERS B EF O RE O P EN IN G AT TA C H M EN T S O F O F F IC E
SET T IN G F IL ES
Apply this rule if ... The sender . . . is external/internal . . . Inside the organization
Do the following ... Block the message . . . reject the message and include an
explanation.
Description Ensure most important staff and our domain are not being
impersonated.
Add users to protect Select + Add a condition, The recipient is . Type user
names or enter the email address of the candidate,
campaign manager, and other important staff members. You
can add up to 20 internal and external addresses that you
want to protect from impersonation.
Add trusted senders and domains Here you can add your own domain, or any other trusted
domains.
Save attachments unknown malware response Select Block - Block the current and future emails
and attachments with detected malware .
Redirect attachment on detection Enable redirection (select this box) Enter the admin account
or a mailbox setup for quarantine. Apply the above selection
if malware scanning for attachments times out or error
occurs (select this box).
For more information, see Set up anti-phishing policies in Microsoft Defender for Office 365.
Microsoft Defender for Office 365, formerly called Microsoft 365 ATP, or Advanced Threat Protection, helps
protect your business against malicious sites when people click links in Office apps.
1. Go to the admin center, and select Setup .
2. Scroll down to Increase protection from advanced threats . Select Manage ,and then Safe Links .
3. Select Global Settings and in Block the following URLs , enter the URL that you want to block.
We recommend that you do the following:
Modify the default policy to increase protection.
Add a new policy targeted to all recipients in your domain.
To set up Safe Links, complete the following steps:
1. Go to Microsoft 365 Defender portal, and sign in with your admin account.
2. o to Email & collaboration > Policies & rules > Threat policies > Anti-malware in the Policies
section.
3. Select + Create to create a new policy, or modify the default policy.
To modify the default policy:
1. Double-click the Default policy. A flyout appears.
2. Select Edit protection settings at the bottom of the flyout.
3. After modifying the default policy, select Save .
Select the action for unknown potentially malicious URLs in Select On - URLs will be rewritten and checked
messages against a list of known malicious links when user
clicks on the link .
Microsoft Defender Antivirus protects your Windows devices from software threats, such as viruses, malware,
and spyware.
Viruses typically spread by attaching their code to other files on your device or network and can cause
infected programs to work incorrectly.
Malware includes malicious files, applications, and code that can cause damage and disrupt normal use of
devices. Also, malware can allow unauthorized access, use system resources, steal passwords and account
information, lock you out of your computer and ask for ransom, and more.
Spyware collects data, such as web-browsing activity, and sends the data to remote servers.
To provide threat protection, Microsoft Defender Antivirus uses several methods. These methods include cloud-
delivered protection, real-time protection, and dedicated protection updates.
Cloud-delivered protection helps provide near-instant detection and blocking of new and emerging threats.
Always-on scanning uses file- and process-behavior monitoring and other techniques (also known as real-
time protection).
Dedicated protection updates are based on machine learning, human and automated big-data analysis, and
in-depth threat resistance research.
To learn more about malware and Microsoft Defender Antivirus, see the following articles:
Understanding malware & other threats
How Microsoft identifies malware and potentially unwanted applications
Next-generation protection in Windows 10
TIP
If you're using Microsoft 365, consider using Microsoft Defender Antivirus as your primary antivirus solution.
Integration can provide better protection. See Better together: Microsoft Defender Antivirus and Office 365.
Make sure to keep Microsoft Defender Antivirus up to date, even if you're using a non-Microsoft antivirus solution.
What to expect when threats are detected
When threats are detected by Microsoft Defender Antivirus, the following things happen:
Users receive notifications in Windows.
Detections are listed in the Windows Security app on the Protection histor y page.
If you've secured your Windows 10 devices and enrolled them in Intune, and your organization has 800
or fewer devices enrolled, you'll see threat detections and insights in the Microsoft 365 admin center on
the Threats and antivirus page, which you can access from the Microsoft Defender Antivirus card
on the Home page (or from the navigation pane by selecting Health > Threats & antivirus ).
If your organization has more than 800 devices enrolled in Intune, you'll be prompted to view threat
detections and insights from Microsoft Endpoint Manager instead of from the Threats and antivirus
page.
NOTE
The Microsoft Defender Antivirus card and Threats and antivirus page are being rolled out in phases, so
you may not have immediate access to them.
In most cases, users don't need to take any further action. As soon as a malicious file or program is detected on
a device, Microsoft Defender Antivirus blocks it and prevents it from running. Plus, newly detected threats are
added to the antivirus and antimalware engine so that other devices and users are protected, as well.
If there's an action a user needs to take, such as approving the removal of a malicious file, they'll see that in the
notification they receive. To learn more about actions that Microsoft Defender Antivirus takes on a user's behalf,
or actions users might need to take, see Protection History. To learn how to manage threat detections as an IT
professional/admin, see Review detected threats and take action.
To learn more about different threats, visit the Microsoft Security Intelligence Threats site, where you can
perform the following actions:
View current information about top threats.
View the latest threats for a specific region.
Search the threat encyclopedia for details about a specific threat.
Related content
Secure Windows 10 devices (article)
Evaluate Microsoft Defender Antivirus (article)
How to turn on real-time and cloud-delivered antivirus protection (article)
How to turn on and use Microsoft Defender Antivirus from the Windows Security app (article)
How to turn on Microsoft Defender Antivirus by using Group Policy (article)
How to update your antivirus definitions (article)
How to submit malware and non-malware to Microsoft for analysis (article)
Review detected threats and take action
2/9/2022 • 5 minutes to read • Edit Online
As soon as a malicious file or software is detected, Microsoft Defender Antivirus blocks it and prevents it from
running. And with cloud-delivered protection turned on, newly detected threats are added to the antivirus and
antimalware engine so that your other devices and users are protected, as well.
Microsoft Defender Antivirus detects and protects against the following kinds of threats:
Viruses, malware, and web-based threats on devices
Phishing attempts
Data theft attempts
As an IT professional/admin, you can view information about threat detections across Windows 10 devices that
are enrolled in Intune in the Microsoft 365 admin center. You'll see summary information, such as:
How many devices need antivirus protection
How many devices are not in compliance with security policies
How many threats are currently active, mitigated, or resolved
You have several options to view specific information about threat detections and devices:
The Active devices page in the Microsoft 365 admin center. See Manage threat detections on the Active
devices page in this article.
The Active threats page in the Microsoft 365 admin center. See Manage threat detections on the Active
threats page in this article.
The Antivirus page in Microsoft Endpoint Manager. See Manage threat detections in Microsoft Endpoint
Manager in this article.
To learn more, see Threats detected by Microsoft Defender Antivirus.
A C T IO N DESC RIP T IO N
Run quick scan Starts a quick antivirus scan on the device, focusing on
common locations where malware might be registered, such
as registry keys and known Windows startup folders.
Run full scan Starts a full antivirus scan on the device, focusing on
common locations where malware might be registered, and
including every file and folder on the device. Results are sent
to Microsoft Endpoint Manager.
Update antivirus Requires the device to get security intelligence updates for
antivirus and antimalware protection.
A C T IO N DESC RIP T IO N
Update signatures Requires the device to get security intelligence updates for
antivirus and antimalware protection.
TIP
For more information, see Remote actions for devices.
Your Microsoft 365 Business Premium comes with features to protect your data and devices, and help you keep
your and your customers' sensitive information secure.
Using Microsoft 365 for business to help you to mitigate and manage GDPR compliance
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an
organization should handle personal data. If your business sells to, provides services to, or employs citizens of
the European Union, then the GDPR will affect you.
As a small business admin, you are probably asking yourself "how do I get started"? This may be especially true
if your business does not handle personal data as a core business activity, or if GDPR is totally new to you.
You can get started by reviewing this article, which is aimed at helping you understand what the GDPR is, why it
came about, and how Microsoft 365 for business can help your organization comply with the GDPR.
It also includes answers to common questions about GDPR that small businesses may have, and highlights steps
a small business can take to prepare for GDPR.
IMPORTANT
The Microsoft 365 solutions and recommendations in this article are tools and resources that can help you manage and
protect your data, but are not a guarantee of GDPR compliance. It is up to you to assess your own compliance status.
Consult with your own legal and/or professional advisors when needed.
GDPR terms
You'll see some terms referred to frequently in the GDPR. It's important to understand these terms.
Consent
The GDPR states: "The processing of personal data should be designed to serve mankind." The GDPR hopes to
achieve this goal by using consent when processing personal data. That could be the simple act of asking your
customers if they want to receive email messages from your company. It also means no more opt-out check
boxes on your website when you want to use data for marketing. You must take explicit consent using a "clear
affirmative act". And, you will need to also keep records of when a consent is taken or revoked.
Data subject rights
The GDPR establishes data subject rights, which means that, with respect to their personal data, customers,
employees, business partners, clients, contractors, students, suppliers, and so forth have the right to:
Be informed about their data: You must inform individuals about your use of their data.
Have access to their data: You must give individuals access to any of their data that you hold (for
example, by using account access or in some manual manner).
Ask for data rectification: Individuals can ask you to correct inaccurate data.
Ask for data to be deleted: Also known as the 'right to erasure', this right allows an individual to
request that any of their personal data a company has collected is deleted across all systems that use it or
share it.
Request restricted processing: An individual can ask that you suppress or restrict their data. However,
it is only applicable under certain circumstances.
Have data por tability: An individual can ask for their data to be transferred to another company.
Object: An individual can object to their data being used for various uses including direct marketing.
Ask not to be subject to automated decision-making, including profiling: The GDPR has strict
rules about using data to profile people and automate decisions based on that profiling.
NOTE
The GDPR does not prescribe the use of any specific IT system, but make that the system has the appropriate level of
security. See GDRP Article 32: Security of Processing for more information.
If you store physical documents with personal data, make sure that they are not accessible by unauthorized
persons.
If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such
as the ability to help you to manage permissions to files and folders, centralized secure locations to save your
files (OneDrive or SharePoint document libraries), and data encryption when sending or retrieving your files.
Microsoft 365 features that can help
You can use Set up DLP features to help to protect your business's sensitive information. You can set up a DLP
policy that uses the GDPR template.
Step 5: Keep documentation on your data processing activities
Prepare a short document explaining what personal data you hold and for what reasons. You might be required
to make the documentation available to your national data protection authority if needed.
Such documents should include the information listed below.
IN F O RM AT IO N EXA M P L ES
IN F O RM AT IO N EXA M P L ES
The purpose of data processing Alerting customers about special offers such as providing
home delivery; paying suppliers; salary and social security
coverage for employees
The types of personal data Contact details of customers; contact details of suppliers;
employee data
The storage periods Employees’ personal data until the end of the employment
contract (and related legal obligations); customers’ personal
data until the end of the client/contractual relationship
The technical and organizational security measures to IT system solutions regularly updated; secured location;
protect the personal data access control; data encryption; data backup
Whether personal data is transferred to recipients outside Use of a processor outside the EU (for example, storage in
the EU the cloud); data location of the processor; contractual
commitments
You can find Microsoft’s contractual commitments with regard to the GDPR in the Microsoft Online Services
Data Protection Addendum, which provides Microsoft’s privacy and security commitments, data processing
terms and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing
agreement.
Step 6: Make sure your subcontractors respect the rules
If you sub-contract processing of personal data to another company, only use a service provider who
guarantees the processing in compliance with the requirements of the GDPR (for instance, security measures).
Step 7: Assign someone to oversee personal data protection
To better protect personal data, organizations might have to appoint a Data Protection Officer (DPO) .
However, you may not need to designate a Data Protection Officer if processing of personal data isn’t a core part
of your business, or if your are a small business. For example, if your business only collects data on your
customers for home delivery, you should not need to appoint a DPO. Even if you need to make use of a DPO,
these duties might be assigned to an existing employee in addition to his/her other tasks. Or you could chose to
hire an external consultant for this duty as needed.
You normally don’t need to carry out a Data Protection Impact Assessment. This is reserved for businesses that
pose more risk to personal data (for example, if they do a large-scale monitoring of a publicly accessible area,
such as video-surveillance).
If you are a small business managing employee wages and a list of clients, you typically do not need to do a
Data Protection Impact Assessment.
Next steps
To get ready for the GDPR, here are some suggestions for next steps to take:
Evaluate your GDPR program with Accountability Readiness Checklists.
Investigate Microsoft 365 for business as a solution for achieving and maintaining compliance with
GDPR.
IMPORTANT
Get legal advice appropriate for your company or organization.
Additional resources
Microsoft Trust Center overview of the GDPR
The Official Microsoft Blog: Microsoft commitment to GDPR
European Commission sites:
Data protection
2018 reform of EU data protection rules
Options for protecting your devices and app data
2/9/2022 • 2 minutes to read • Edit Online
You have several ways to secure your organizations devices and data on them with Microsoft 365 for business
and enterprise. You can use the following stand-alone plans:
Intune (a part of Microsoft Endpoint Management)
Azure Active Directory Premium plans.
Basic Mobility and Security (included in most Microsoft 365 for business and enterprise plans) Or use the
subscriptions that include some, or all of the previous standalone plans.
A Microsoft 365 Business Premium subscription, which includes security and threat protection for small
business under 300 users.
Microsoft 365 Enterprise plans that include advanced security and threat protection.
IMPORTANT
A Microsoft 365 Business Premium subscription gives you a license to modify all the Intune settings. See Introduction to
Intune to get started.
Select the Policy name you want — for example, Application policy for Android — and then choose Policy
settings .
Under Protect work files when devices are lost or stolen
Delete work files from an inactive device after Offline interval (days) before app data is wiped
Force users to save work files to OneDrive for Business Select which storage services corporate data can be saved to
Note that only OneDrive for Business is allowed
Delete work files from an inactive device after Offline interval (days) before app data is wiped
Force users to save work files to OneDrive for Business Select which storage services corporate data can be saved to
Note that only OneDrive for Business is allowed
Reset PIN when login fails this many times (this is disabled if Number of attempts before PIN reset
PIN isn't required)
Require users to sign in again after Office apps have been Recheck the access requirements after (minutes)
idle for (this is disabled if PIN isn't required) This also sets:
Timeout is set to minutes
This is same number of minutes you set in Microsoft 365
Business.
Offline grace period is set to 720 minutes by default
Deny access to work files on jailbroken or rooted devices Block managed apps from running on jailbroken or rooted
devices
Allow users to copy content from Office apps into personal Restrict cut, copy, and paste with other apps
apps If the Microsoft 365 Business Premium option is set to On ,
then these three options are also set to All Apps in Intune:
Allow app to transfer data to other apps
Allow app to receive data from other apps
Restrict cut, copy, and paste with other apps
If the Microsoft 365 Business option is set to On , then all
the Intune options are set to:
Allow app to transfer data to other apps is set to
Policy managed apps
Allow app to receive data from other apps is set to All
Apps
Restrict cut, copy, and paste with other apps is set to
Policy Managed apps with Paste-In
IMPORTANT
A Microsoft 365 Business Premium subscription gives you a license to modify only the Intune settings that map to the
settings available in Microsoft 365 Business Premium.
To explore the available settings, select the policy name you want, and then choose General, Assignments ,
Allowed apps , Exempt apps , Required settings , or Advanced settings from the left navigation pane.
W IN DO W S 10 A P P L IC AT IO N P O L IC Y SET T IN G IN T UN E SET T IN G( S)
Prevent users from copying company data to personal files. Required settings > Windows Information Protection
mode . On in Microsoft 365 Business Premium maps to:
Hide Overrides , Off in Microsoft 365 Business Premium
maps to: Off .
W IN DO W S 10 A P P L IC AT IO N P O L IC Y SET T IN G IN T UN E SET T IN G( S)
Office documents access control If this is set to On in Microsoft 365 Business Premium, then
Advanced settings > Access , Use Windows Hello for
Business as a method for signing into Windows is set
to On , with the following additional settings:
Set the minimum number of characters required for
the PIN is set to 4 .
Configure the use of uppercase letters in the
Windows Hello for Business PIN is set to Do not allow
use of upper case letters for PIN.
Configure the use of lowercase letters in the
Windows Hello for Business PIN is set to Do not allow
use of lower case letters for PIN.
Configure the use of special characters in the
Windows Hello for Business PIN is set to Do not allow
the use of special characters in PIN.
Specify the period of time (in days) that a PIN can
be used before the system requires the user to
change is set to 0 .
Specify the number of past PINs that can be
associated to a user account that can't be reused is
set to 0 .
Number of authentication failures allowed before
the device will be wiped is set to same as in Microsoft
365 Business (5 by default).
Maximum amount of time (in minutes) allowed after
the device is idle that will cause the device to
become PIN or password locked is set to same as in
Microsoft 365 Business.
Enable recovery of protected data Advanced settings > Data protection : Show the
enterprise data protection icon and Use Azure RMS
for WIP are set to On .
Protect additional company cloud locations Advanced settings > Protected domains and Cloud
resources show domains and SharePoint sites.
Files used by these apps are protected The list of protected apps is listed in Allowed apps .
Help protect PCs from viruses and other threats using Allow Real-time Monitoring = ON
Windows Defender Antivirus Allow Cloud Protection = ON
Prompt Users for Samples Submission = Send Safe samples
automatically (Default Non PII auto submit)
Help protect PCs from web-based threats in Microsoft Edge Smar tScreen in Edge Browser settings is set to
Required .
W IN DO W S 10 DEVIC E P O L IC Y SET T IN G IN T UN E SET T IN G( S)
Turn off device screen when idle for (minutes) Maximum minutes of inactivity until screen locks (minutes)
Allow users to download apps from Microsoft Store Custom URI policy
Allow users to access Cortana General > Cor tana is set to block in Intune when set to
off in Microsoft 365 Business Premium.
Allow users to receive Windows tips and advertisements Windows spotlight , all blocked if this is set to off in
from Microsoft Microsoft 365 Business Premium.
Keep Windows 10 devices up to date automatically This setting is in Microsoft Intune > Ser vice updates -
Windows 10 Update Rings , choose Update policy for
Windows 10 devices , and then Proper ties > Settings .
When the Microsoft 365 Business Premium setting is set to
On , all the following settings are set:
Ser vice branch is set to CB (CBB when this is turned off in
Microsoft 365 Business Premium).
Microsoft product updates is set to Allow .
Windows drivers is set to Allow .
Automatic update behavior is set to Auto install at
maintenance time with:
After hours star t is set to 6 AM .
Active hours end is set to 10 PM .
Quality update deferral period (days) is set to 0 .
Feature update deferral period (days) is set to 0 .
Deliver y optimization download mode is set to HTTP
blended with peering behind same NAT .
Device states
2/9/2022 • 2 minutes to read • Edit Online
9. Expand Protect additional network and cloud locations if you want to add additional domains or
SharePoint Online locations to make sure that files in all the listed apps are protected. If you need to enter
more than one item for either field, use a semicolon (;) between the items.
10. Next decide Who will get these settings? If you don't want to use the default All Users security
group, choose Change , choose the security groups who will get these settings > Select .
11. Finally, choose Add to save the policy, and assign it to devices.
Set app protection settings for Android or iOS
devices
2/9/2022 • 4 minutes to read • Edit Online
6. Next decide Who will get these settings? If you don't want to use the default All Users security
group, choose Change , choose the security groups that get these settings > Select .
7. Finally, choose Done to save the policy, and assign it to devices.
Available settings
The following tables give detailed information about settings available to protect work files on devices and the
settings that control how users access Office files from their mobile devices.
For more information, see How do protection features in Microsoft 365 Business Premium map to Intune
settings.
Settings that protect work files
The following settings are available to protect work files if a user's device is lost or stolen:
Delete work files from an inactive device after this many days If a device isn't used for the number of days that you specify
here, any work files stored on the device will be deleted
automatically.
Force users to save all work files to OneDrive for Business If this setting is On , the only available save location for work
files is OneDrive for Business.
Encrypt work files Keep this setting On so that work files are protected by
encryption. Even if the device is lost or stolen, no one can
read your company data.
Settings that control how users access Office files on mobile devices
The following settings are available to manage how users access Office work files:
Require a PIN or fingerprint to access Office apps If this setting is On users must provide another form of
authentication, in addition to their username and password,
before they can use Office apps on their mobile devices.
Reset PIN when login fails this many times To prevent an unauthorized user from randomly guessing a
PIN, the PIN will reset after the number of wrong entries
that you specify.
Require users to sign in again after Office apps have been This setting determines how long a user can be idle before
idle for they're prompted to sign in again.
Deny access to work files on jailbroken or rooted devices Clever users may have a device that is jailbroken or rooted.
This means that the user can modify the operating system,
which can make the device more subject to malware. These
devices are blocked when this setting is On .
Don't allow users to copy content from Office apps into We do allow this by default, but if the setting is On , the user
personal apps could copy information in a work file to a personal file. If the
setting is Off , the user will be unable to copy information
from a work account into a personal app or personal
account.
Validate app protection settings on Android or iOS
devices
2/9/2022 • 7 minutes to read • Edit Online
Follow the instructions in the following sections to validate app protection settings on Android or iOS devices.
Android
Check that the app protection settings are working on user devices
After you set app configurations for Android devices to protect the apps, you can follow these steps to validate
that the settings you chose work.
First, make sure that the policy applies to the app in which you're going to validate it.
1. In the Microsoft 365 Business Premium admin center, go to Policies > Edit policy .
2. Choose Application policy for Android for the settings you created at setup, or another policy you
created, and verify that it's enforced for Outlook, for example.
1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium
credentials, and enter a PIN if requested.
2. Open an email that contains an attachment and tap the down arrow icon next to the attachment's
information.
NOTE
Saving to OneDrive for Business is not enabled for Android at this time, so you can only see that saving locally is
blocked.
Validate Require user to sign in again if Office apps have been idle for a specified time
In the Edit policy pane, choose Edit next to Office documents access control , expand Manage how users
access Office files on mobile devices , and make sure that Require users to sign in again after Office
apps have been idle for is set to some number of minutes. This is 30 minutes by default.
1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium
credentials, and enter a PIN if requested.
2. You should now see Outlook's inbox. Let the Android device idle untouched for at least 30 minutes (or
some other amount of time, longer than what you specified in the policy). The device will likely dim.
3. Access Outlook on the Android device again.
4. You'll be prompted to enter your PIN before you can access Outlook again.
Validate Protect work files with encryption
In the Edit policy pane, choose Edit next to Protection against lost or stolen devices , expand Protect
work files when devices are lost or stolen , and make sure that Protect work files with encr yption is
set to On , and Force users to save all work files to OneDrive for Business is set to Off .
1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium
credentials, and enter a PIN if requested.
2. Open an email that contains a few image file attachments.
3. Tap the down arrow icon next to the attachment's info to save it.
4. You may be prompted to allow Outlook to access photos, media, and files on your device. Tap Allow .
5. At the bottom of the screen, choose to Save to Device and then open the Galler y app.
6. You should see an encrypted photo (or more, if you saved multiple image file attachments) in the list. It
may appear in the Pictures list as a gray square with a white exclamation point within a white circle in the
center of the gray square.
iOS
Check that the App protection settings are working on user devices
After you set app configurations for iOS devices to protect apps, you can follow these steps to validate that the
settings you chose work.
First, make sure that the policy applies to the app in which you're going to validate it.
1. In the Microsoft 365 Business Premium admin center, go to Policies > Edit policy .
2. Choose Application policy for iOS for the settings you created at setup, or another policy you created,
and verify that it's enforced for Outlook for example.
Validate Require a PIN to access Office apps
In the Edit policy pane, choose Edit next to Office documents access control , expand Manage how users
access Office files on mobile devices , and make sure that Require a PIN or fingerprint to access
Office apps is set to On .
1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium
credentials.
2. You'll also be prompted to enter a PIN or use a fingerprint.
Validate Reset PIN after number of failed attempts
In the Edit policy pane, choose Edit next to Office documents access control , expand Manage how users
access Office files on mobile devices , and make sure that Reset PIN after number of failed attempts is
set to some number. This is 5 by default.
1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium
credentials.
2. Enter an incorrect PIN as many times as specified by the policy. You'll see a prompt that states PIN
Attempt Limit Reached to reset the PIN.
3. Press OK . You'll be prompted to sign in with the user's Microsoft 365 Business Premium credentials, and
then required to set a new PIN.
Validate Force users to save all work files to OneDrive for Business
In the Edit policy pane, choose Edit next to Protection against lost or stolen devices , expand Protect
work files when devices are lost or stolen , and make sure that Force users to save all work files to
OneDrive for Business is set to On .
1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium
credentials, and enter a PIN if requested.
2. Open an email that contains an attachment, open the attachment and choose Save on the bottom of the
screen.
3. You should only see an option for OneDrive for Business. If not, tap Add Account and select OneDrive
for Business from the Add Storage Account screen. Provide the end user's Microsoft 365 Business
Premium to sign in when prompted.
Tap Save and select OneDrive for Business .
Validate Require user to sign in again if Office apps have been idle for a specified time
In the Edit policy pane, choose Edit next to Office documents access control , expand Manage how users
access Office files on mobile devices , and make sure that Require users to sign in again after Office
apps have been idle for is set to some number of minutes. This is 30 minutes by default.
1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium
credentials, and enter a PIN if requested.
2. You should now see Outlook's inbox. Let the iOS device untouched for at least 30 minutes (or some other
amount of time, longer than what you specified in the policy). The device will likely dim.
3. Access Outlook on the iOS device again.
4. You'll be prompted to enter your PIN before you can access Outlook again.
Validate Protect work files with encryption
In the Edit policy pane, choose Edit next to Protection against lost or stolen devices , expand Protect
work files when devices are lost or stolen , and make sure that Protect work files with encr yption is
set to On , and Force users to save all work files to OneDrive for Business is set to Off .
1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium
credentials, and enter a PIN if requested.
2. Open an email that contains a few image file attachments.
3. Tap the attachment and then tap the Save option under it.
4. Open Photos app from the home screen. You should see an encrypted photo (or more, if you saved
multiple image file attachments) saved, but encrypted.
Edit or create device protection settings for
Windows 10 PCs
2/9/2022 • 3 minutes to read • Edit Online
Available settings
By default all settings are On . The following settings are available.
For more information, see How do protection features in Microsoft 365 Premium map to Intune settings.
Help protect PCs from viruses and other threats using Requires that Windows Defender Antivirus is turned on to
Windows Defender Antivirus protect PCs from the dangers of being connected to the
internet.
Help protect PCs from web-based threats in Microsoft Edge Turns on settings in Edge that help protect users from
malicious sites and downloads.
Use rules that reduce the attack surface of devices When turned On, attack surface reduction helps block
actions and apps typically used by malware to infect devices.
This setting is only available if Windows Defender Antivirus is
set to On. See Reduce attack surfaces to learn more.
Protect folders from threats such as ransomware This setting uses controlled folder access to protect company
data from modification by suspicious or malicious apps, such
as ransomware. These types of apps are blocked from
making changes in protected folders. This setting is only
available if Windows Defender Antivirus is set to On. See
Protect folders with Controlled folder access to learn more.
Prevent network access to potentially malicious content on Use this setting to block outbound user connections to low-
the Internet reputation Internet locations that may host phishing scams,
exploits, or other malicious content. This setting is only
available if Windows Defender Antivirus is set to On . For
more information, see Protect your network.
Help protect files and folders on PCs from unauthorized Bitlocker protects data by encrypting the computer hard
access with BitLocker drives and protect against data exposure if a computer is
lost or stolen. For more information, see Bitlocker FAQ.
Allow users to download apps from Microsoft Store Lets users download and install apps from the Microsoft
Store. Apps include everything from games to productivity
tools, so we leave this setting On , but you can turn it off for
extra security.
Allow users to access Cortana Cortana can be very helpful! Cortana can turn settings on or
off for you, give directions, and make sure you're on time for
appointments, so we keep this setting On by default.
Allow users to receive Windows tips and advertisements Windows tips can be handy and help orient users when new
from Microsoft features are released.
Keep Windows 10 devices up to date automatically Makes sure that Windows 10 devices automatically receive
the latest updates.
Turn off device screen when idle for this amount of time Makes sure that company data is protected if a user is idle. A
user may be working in a public location, like a coffee shop,
and step away or be distracted for just a moment, leaving
their device vulnerable to random glances. This setting lets
you control how long the user can be idle before the screen
shuts off.
Validate device protection settings for Windows 10
PCs
2/9/2022 • 2 minutes to read • Edit Online
2. Go to Settings > Update & security > Windows Update > Advanced options and confirm that all
settings are grayed out.
3. Go to Settings > Update & security > Windows Update > Advanced options > Choose how
updates are delivered .
Confirm that you can see the message (in red) that some settings are hidden or managed by your
organization, and all the options are grayed out.
4. To open the Windows Defender Security Center, go to Settings > Update & security > Windows
Defender > click Open Windows Defender Security Center > Virus & thread protection > Virus
& threat protection settings .
5. Verify that all options are grayed out.
Related content
Microsoft 365 for business documentation and resources
Set device configurations for Windows 10 PCs
Use the step-by-step guide to add Autopilot
devices and profile
2/9/2022 • 2 minutes to read • Edit Online
You can use Windows AutoPilot to set up new Windows 10 devices for your business so they're ready for use
when you give them to your employees.
Device requirements
Devices must meet these requirements:
Windows 10, version 1703 or later
New devices that haven't been through Windows out-of-box experience
4. On the Upload .csv file with list of devices page, browse to a location where you have the prepared
.CSV file, then Open > Next . The file must have three headers:
Column A: Device Serial Number
Column B: Windows Product ID
Column C: Hardware Hash
You can get this information from your hardware vendor, or you can use the Get-WindowsAutoPilotInfo
PowerShell script to generate a CSV file.
For more information, see Device list CSV-file. You can also download a sample file on the Upload .csv
file with list of devices page.
NOTE
This script uses WMI to retrieve properties needed for a customer to register a device with Windows Autopilot. Note that
it is normal for the resulting CSV file to not collect a Windows Product ID (PKID) value since this is not required to register
a device and PKID being NULL in the output CSV is totally fine. Only the serial number and hardware hash will be
populated.
4. On the Assign a profile page, you can either pick an existing profile or create a new one. If you don't
have one yet, you'll be prompted to create one.
A profile is a collection of settings that can be applied to a single device or to a group of devices.
The default features are required and are set automatically. The default features are:
Skip Cortana, OneDrive, and OEM registration.
Create sign-in experience with your company brand.
Connect your devices to Azure Active Directory accounts, and automatically enroll them to be
managed by Microsoft 365 Business Premium.
For more information, see About AutoPilot Profile settings.
5. The other settings are Skip privacy settings and Don't allow user to become the local admin .
These are both set to Off by default.
Choose Next .
6. You're done indicates that the profile you created (or chose) will be applied to the device group you
created by uploading the list of devices. The settings will be in effect when the device users sign in next.
Choose Close .
Related content
About AutoPilot Profile settings (article)
Options for protecting your devices and app data (article)
Create and edit AutoPilot profiles
2/9/2022 • 2 minutes to read • Edit Online
Create a profile
A profile applies to a device, or a group of devices,
1. In the Microsoft 365 admin center, choose Devices > AutoPilot .
2. On the AutoPilot page, choose the Profiles tab > Create profile .
3. On the Create profile page, enter a name for the profile that helps you identify it, for example
Marketing. Turn on the setting you want, and then choose Save . For more information about AutoPilot
profile settings, see About AutoPilot Profile settings.
3. On the Add devices panel, browse to a Device list CSV file that you prepared > Save > Close .
You can get this information from your hardware vendor, or you can use the Get-WindowsAutoPilotInfo
PowerShell script to generate a CSV file.
Skip Cortana, OneDrive, and OEM registration Skips the installation of consumer apps like Cortana and
personal OneDrive. The device user can install these later as
long as the user is a local admin on the device. The original
manufacturer registration is skipped because the device will
be managed by Microsoft 365 Business Premium.
Sign in experience with your company brand If your company has a Add your company branding to
Microsoft 365 Sign In page, the device user will get that
experience when signing in.
MDM auto-enrollment with configured AAD accounts. The user identity will be managed by Azure Active Directory,
and users will sign in to Windows and Microsoft 365 with
their Microsoft 365 Business Premium credentials.
Optional settings:
Skip privacy settings (Off by default) If this option is set to On , the device user will not see the
license agreement for the device and Windows when he or
she first signs in.
Don't allow the user to become the local admin If this option is set to On , the device user will not be able to
install any personal apps, such as Cortana.
Overview of Basic Mobility and Security for
Microsoft 365
2/9/2022 • 2 minutes to read • Edit Online
You can manage and secure mobile devices when they're connected to your Microsoft 365 organization by
using Basic Mobility and Security. Mobile devices like smartphones and tablets that are used to access work
email, calendar, contacts, and documents play a big part in making sure that employees get their work done
anytime, from anywhere. So it’s critical that you help protect your organization's information when people use
devices. You can use Basic Mobility and Security to set device security policies and access rules, and to wipe
mobile devices if they’re lost or stolen.
Related content
Set up Basic Mobility and Security (article)
Enroll your mobile device using Basic Mobility and Security (article)
Manage devices enrolled in Mobile Device Management for Microsoft 365 (article)
Get details about devices managed by Basic Mobility and Security (article)
Choose between Basic Mobility and Security or
Intune
2/9/2022 • 3 minutes to read • Edit Online
Microsoft Intune is a standalone product included with certain Microsoft 365 plans, while Basic Mobility and
Security is part of the Microsoft 365 plans.
NOTE
You can't start using Basic Mobility and Security if you're already using Microsoft Intune.
For details, see Microsoft 365 and Office 365 platform service descriptions.
Differences in capabilities
Microsoft Intune and built-in Basic Mobility and Security both give you the ability to manage mobile devices in
your organization, but there are key differences in capability, described in the following table.
NOTE
You can manage users and their mobile devices using both Intune and Basic Mobility and Security in the same Microsoft
365 Business Standard organization by setting up Basic Mobility and Security first, and then adding Microsoft Intune. This
allows you to choose Basic Mobility and Security or the more feature-rich Intune solution. Assign an Intune license to
enable the Intune features.
B A SIC M O B IL IT Y A N D
F EAT URE A REA F EAT URE H IGH L IGH T S SEC URIT Y M IC RO SO F T IN T UN E
In addition to features listed in the preceding table, Basic Mobility and Security and Intune both include a set of
remote actions that send commands to devices over the internet. For example, you can remove Office data from
an employee’s device while leaving personal data in place (retire), remove Office apps from a employee's device
(wipe), or reset a device to its factory settings (full wipe).
Basic Mobility and Security remote actions include retire, wipe and full wipe. For more information on Basic
Mobility and Security actions, see capabilities of Basic Mobility and Security.
With Intune you have the following set of actions:
Autopilot reset (Windows only
Bitlocker key rotation(Windows only)
Use wipe, retire, or manually unenrolling the device
Disable activation loc(iOS only)
Fresh start(Windows only)
Full scan(Windows 10 only)
Locate device(iOS only)
Lost mode(iOS only)- Quick scan(Windows 10 only)
Remote control for Android
Remote lock
Rename device
Reset passcode Restart(Windows only)
Update Windows Defender Security Intelligence (Windows only)
Windows 10 PIN reset (Windows only)
Send custom notifications(Android, iOS, iPad OS)
Synchronize device
For more information on Intune actions, see Microsoft Intune documentation.
Capabilities of Basic Mobility and Security
2/9/2022 • 7 minutes to read • Edit Online
Basic Mobility and Security can help you secure and manage mobile devices like iPhones, iPads, Androids, and
Windows Phones used by licensed Microsoft 365 users in your organization. You can create mobile device
management policies with settings that can help control access to your organization’s Microsoft 365 email and
documents for supported mobile devices and apps. If a device is lost or stolen, you can remotely wipe the device
to remove sensitive organizational information.
NOTE
Devices already enrolled with earlier OS versions continue to function although the capabilities might change without
notice.
If people in your organization use mobile devices that aren't supported by Basic Mobility and Security, you
might want to block Exchange ActiveSync app access to Microsoft 365 email for those devices, to help make
your organization's data more secure. For steps to block Exchange ActiveSync, see Manage device access
settings in Basic Mobility and Security.
The following diagram shows what happens when a user with a new device signs in to an app that supports
access control with Basic Mobility and Security. The user is blocked from accessing Microsoft 365 resources in
the app until they enroll their device.
NOTE
Policies and access rules created in Basic Mobility and Security for Microsoft 365 Business Standard will override Exchange
ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is
enrolled in Basic Mobility and Security for Microsoft 365 Business Standard, any Exchange ActiveSync mobile device
mailbox policy or device access rule applied to the device will be ignored. To learn more about Exchange ActiveSync,
seeExchange ActiveSync in Exchange Online.
The following sections list the policy settings you can use to help secure and manage mobile devices that
connect to your Microsoft 365 organization resources.
Security settings
SET T IN G N A M E IO S 7. 1 A N D L AT ER A N DRO ID 5 A N D L AT ER SA M SUN G K N O X
Encryption settings
SET T IN G N A M E IO S 7. 1 A N D L AT ER A N DRO ID 5 A N D L AT ER SA M SUN G K N O X
1With Samsung Knox, you can also require encryption on storage cards.
Cloud settings
SET T IN G N A M E IO S 7. 1 A N D L AT ER A N DRO ID 5 A N D L AT ER SA M SUN G K N O X
System settings
SET T IN G N A M E IO S 7. 1 A N D L AT ER A N DRO ID 5 A N D L AT ER SA M SUN G K N O X
Application settings
SET T IN G N A M E IO S 7. 1 A N D L AT ER A N DRO ID 5 A N D L AT ER SA M SUN G K N O X
Additional settings
You can set the following additional policy settings by using Security & Compliance Center PowerShell cmdlets.
For more information, seeSecurity & Compliance Center PowerShell.
SET T IN G N A M E IO S 7. 1 A N D L AT ER A N DRO ID 5 A N D L AT ER
RegionRatings Yes No
SET T IN G N A M E IO S 7. 1 A N D L AT ER A N DRO ID 5 A N D L AT ER
MoviesRatings Yes No
TVShowsRating Yes No
AppsRatings Yes No
AllowVoiceDialing Yes No
AllowVoiceAssistant Yes No
AllowAssistantWhileLocked Yes No
AllowPassbookWhileLocked Yes No
MaxPasswordGracePeriod Yes No
PasswordQuality No Yes
SystemSecurityTLS Yes No
WLANEnabled No No
NOTE
The following settings regulating passwords only control local Windows accounts. Windows accounts provided through
join a domain or Azure Active Directory aren't affected by these settings.
System settings
Block sending diagnostic data from device.
Additional settings
You can set these additional policy settings by using PowerShell cmdlets:
AllowConvenienceLogon
UserAccountControlStatus
FirewallStatus
AutoUpdateStatus
AntiVirusStatus
AntiVirusSignatureStatus
SmartScreenEnabled
WorkFoldersSyncUrl
Related content
Overview of Basic Mobility and Security for Microsoft 365 (article)
Create device security policies in Basic Mobility and Security (article)
Set up Basic Mobility and Security
2/9/2022 • 5 minutes to read • Edit Online
The built-in Basic Mobility and Security for Microsoft 365 helps you secure and manage users' mobile devices
such as iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies,
remotely wipe a device, and view detailed device reports.
Have questions? Fora FAQ to help address common questions, see Basic Mobility and Security Frequently-asked
questions (FAQ). Be aware that you cannot use adelegated administrator account to manage Basic Mobility and
Security. For more info, see Partners: Offer delegated administration.
Device management is part of the Security & Compliance Center so you'll need to go there to kick off Basic
Mobility and Security setup.
IMPORTANT
Use a company Apple ID associated with an email account that will remain with your organization even if
the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's
time to renew the certificate.
TIP
If you're having trouble downloading the certificate, refresh your browser.
TIP
When you create a new policy, you might want to set the policy to allow access and report policy violation where a
user device isn't compliant with the policy. This allows you see how many mobile devices are impacted by the
policy without blocking access to Microsoft 365.
Before you deploy a new policy to everyone in your organization, we recommend you test it on the devices used
by a small number of users.
Also, before you deploy policies, let your organization know the potential impacts of enrolling a device in Basic
Mobility and Security. Depending on how you set up the policies, devices that don't comply with policies (non-
compliant devices) could be blocked from accessing Microsoft 365. Non-compliant devices might also have apps
installed, photos, and other personal information which, on an enrolled device, could be deleted if the device is
wiped. For more info, see Wipe a mobile device in Basic Mobility and Security.
IMPORTANT
If a user's preferred language isn't supported by the enrollment process, users might receive enrollment notification and
steps on their mobile devices in another language. Not all languages supported in Microsoft 365 are currently supported
for the enrollment process on mobile devices.
Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment
process.
Related content
Capabilities of Basic Mobility and Security (article)
Create device security policies in Basic Mobility and Security (article)
Create device security policies in Basic Mobility and
Security
2/9/2022 • 8 minutes to read • Edit Online
You can use Basic Mobility and Security to create device policies that help protect your organization information
on Microsoft 365 from unauthorized access. You can apply policies to any mobile device in your organization
where the user of the device has an applicable Microsoft 365 license and has enrolled the device in Basic
Mobility and Security.
Learn about the devices, mobile device apps, and security settings that Basic Mobility and Security supports.
See Capabilities of Basic Mobility and Security.
Create security groups that include Microsoft 365 users that you want to deploy policies to and for users that
you might want to exclude from being blocked access to Microsoft 365. We recommend that before you
deploy a new policy to your organization, you test the policy by deploying it to a small number of users. You
can create and use a security group that includes just yourself or a small number Microsoft 365 users that
can test the policy for you. To learn more about security groups, see Create, edit, or delete a security group.
To create and deploy Basic Mobility and Security policies in Microsoft 365, you need to be a Microsoft 365
global admin. For more info, see Permissions in the Security & Compliance Center.
Before you deploy policies, let your organization know the potential impacts of enrolling a device in Basic
Mobility and Security. Depending on how you set up the policies, noncompliant devices can be blocked from
accessing Microsoft 365 and data, including installed applications, photos, and personal information on an
enrolled device, and data can be deleted.
NOTE
Policies and access rules created in Basic Mobility and Security for Microsoft 365 Business Standard override Exchange
ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is
enrolled in Basic Mobility and Security for Microsoft 365 Business Standard, any Exchange ActiveSync mobile device
mailbox policy or device access rule applied to the device is ignored. To learn more about Exchange ActiveSync, see
Exchange ActiveSync in Exchange Online.
3. Select Add to add the security group that has users you want to exclude from having blocked access to
Microsoft 365. When a user has been added to this list, they can access Microsoft 365 email when they
are using an unsupported device.
4. Select the security group you want to use in the Select group panel.
5. Select the name, and then Add > Save .
6. On the Organization-wide device access settings panel, choose Save .
A N DRO ID 4 A N D
SEC URIT Y P O L IC Y L AT ER SA M SUN G K N O X IO S 6 A N D L AT ER N OT ES
What happens when you delete a policy or remove a user from the
policy?
When you delete a policy or remove a user from a group to which the policy was deployed, the policy settings,
Microsoft 365 email profile and cached emails might be removed from the user's device. See the following table
to see what is removed for the different device types.
A N DRO ID 4 A N D L AT ER ( IN C L UDIN G
W H AT 'S REM O VED IO S 6 A N D L AT ER SA M SUN G K N O X
1 If the policy was deployed with the option Email profile is managed selected, the managed email profile
and cached emails in that profile are deleted from the user device.
The policy is removed from the mobile device for each user the policy applies to the next time their device
checks in with Basic Mobility and Security. If you deploy a new policy that applies to these user devices, they are
prompted to re-enroll in Basic Mobility and Security.
You can also wipe a device either completely, or selectively wipe organizational information from the device. For
more info, see Wipe a mobile device in Basic Mobility and Security.
Related content
Overview of Basic Mobility and Security (article)
Capabilities of Basic Mobility and Security (article)
Create an APNs certificate for iOS devices
2/9/2022 • 2 minutes to read • Edit Online
To manage iOS devices such as iPads and iPhones in Basic Mobility and Security, create an APNs certificate.
1. Sign in to Microsoft 365 with your global admin account.
2. In your browser, typehttps://protection.office.com/.
3. Select Data loss prevention >Device management , and choose APNs Cer tificate for iOS devices .
4. On theApple Push Notification Certificate Settingspage, chooseNext .
5. SelectDownload your CSR fileand save the certificate signing request to somewhere on your computer
that you'll remember. Select Next .
6. On theCreate an APNs certificatepage:
a. Select Apple APNS Portal to open the Apple Push Certificates Portal.
b. Sign in with an Apple ID.
IMPORTANT
Use a company Apple ID associated with an email account that will remain with your organization even if
the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's
time to renew the certificate.
TIP
If you're having trouble downloading the certificate, refresh your browser.
7. Go back to Microsoft 365, and select Next to get to the Upload APNS cer tificate page.
8. Browse to the APN certificate you downloaded from the Apple Push Certificates Portal.
9. Select Finish .
To complete setup, go back to theSecurity & Compliance Center>Security policies >Device
management >Manage settings .
Manage device access settings in Basic Mobility and
Security
2/9/2022 • 2 minutes to read • Edit Online
If you're using Basic Mobility and Security, there might be devices that you can't manage with Basic Mobility and
Security. If so, you should block Exchange ActiveSync app access to Microsoft 365 email for mobile devices that
aren'tsupported by Basic Mobility and Security. This helps secure your organization information across more
devices.
Use these steps:
1. Sign in to Microsoft 365 with your global admin account.
2. In your browser, type:https://protection.office.com.
IMPORTANT
If this is the first time you're using Basic Mobility and Security for Microsoft 365 Business Standard, activate it
here: Activate Basic Security and Mobility. After you've activated it, manage your devices with Office 365 Security
& Compliance.
5. SelectSave .
To learn what devices Basic Mobility and Security supports, seeCapabilities of Basic Mobility and Security.
Get details about Basic Mobility and Security
managed devices
2/9/2022 • 4 minutes to read • Edit Online
This article shows you how to use Windows PowerShell to get details about the devices in your organization
that you set up for Basic Mobility and Security.
Here's a breakdown for the device details available to you.
DETA IL W H AT TO LO O K F O R IN P O W ERSH EL L
Device is enrolled in Basic Mobility and Security. For more The value of theisManagedparameter is:
info, see Enroll your mobile device using Basic Mobility and True = device is enrolled.
Security False = device is not enrolled.
Device is compliant with yourdevice security policies. For The value of theisCompliantparameter is:
more info, see Create device security policies True = device is compliant with policies.
False = device is not compliant with policies.
NOTE
The commands and scripts in this article also return details about any devices managed byMicrosoft Intune.
$UserCredential = Get-Credential
2. In theWindows PowerShell Credential Requestdialog box, type the user name and password for your
Microsoft 365 global admin account, and then select OK .
3. Run the following command.
NOTE
You can skip this step if you’re already set up to run PowerShell scripts.
Set-ExecutionPolicy RemoteSigned
2. Save it as a Windows PowerShell script file by using the file extension.ps1; for example,Get-
MsolUserDeviceComplianceStatus.ps1.
Run the script to get device information for a single user account
1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
2. Go to the folder where you saved the script. For example, if you saved it toC:\PS-Scripts, run the following
command.
cd C:\PS-Scripts
3. Run the following command to identify the user you want to get device details for. This example gets
details for [email protected].
The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to
specify the file name and path of the CSV.
cd C:\PS-Scripts
3. Run the following command to identify the group you want to get device details for. This example gets
details for users in the FinanceStaff group.
The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to
specify the file name and path of the CSV.
Related topics
Microsoft Connect Has Been Retired
Overview of Basic Mobility and Security
Get-MsolDevice
Manage devices enrolled in Mobile Device
Management in Microsoft 365
2/9/2022 • 2 minutes to read • Edit Online
The built-in mobile device management for Microsoft 365 helps you secure and manage your users' mobile
devices like iPhones, iPads, Androids, and Windows phones. The first step is to sign in to Microsoft 365 and set
up Basic Mobility and Security. For more info, see Set up Basic Mobility and Security.
After you've set it up, the people in your organization mustenroll their devices in the service. For more info, see
Enroll your mobile device using Basic Mobility and Security.Then you can use Basic Mobility and Security to help
manage devices in your organization. For example, you can use device security policies to help limit email access
or other services, view devices reports, and remotely wipe a device. You'll typically go to theSecurity &
Compliance Center to do these tasks. For more info, see Microsoft 365 compliance center.
TO DO T H IS DO T H IS
Block unsupported devices from accessing Exchange email In the Device Management panel, select Block .
using Exchange ActiveSync
Set up device policies like password requirements and In the Device Management panel, select Device security
security settings policies >Add + . For more info, seeCreate device security
policies in Basic Mobility and Security.
View list of blocked devices In the Device Management panel, under Select a view
select Blocked .
Unblock noncompliant or unsupported device for a user or Pick one of the following to unblock devices:
group of users - Remove the user or users from the security group the
policy has been applied to. Go toMicrosoft 365 admin
center> Groups , and then selectgroup name. Select Edit
members and admins .
- Remove the security group the users are a member of from
the device policy. Go toSecurity & Compliance Center
>Security policies >Device security policies .
Selectdevice policy name, and then select Edit >
Deployment .
- Unblock all noncompliant devices for a device policy. Go
toSecurity & Compliance Center >Security
policies >Device security policies . Selectdevice policy
nameand then select Edit >Access requirements . Select
Allow access and repor t violation .
- To unblock a noncompliant or unsupported device for a
user or a group of users, go toSecurity & Compliance Center
>Security policies >Device management >Manage
device access settings . Add a security group with the
members you want to exclude from being blocked access to
Microsoft 365. For more info, see Create, edit, or delete a
security group in the Microsoft 365 admin center.
Remove users so their devices are no longer managed by To remove the user, edit the security group that has device
Basic Mobility and Security management policies for Basic Mobility and Security. For
more info, see Create, edit, or delete a security group in the
Microsoft 365 admin center.
To remove Basic Mobility and Security from all your
Microsoft 365 users, see Turn off Basic Mobility and Security.
Live (v14)
Enroll your mobile device using Basic Mobility and
Security
2/9/2022 • 2 minutes to read • Edit Online
Using your phone, tablet, and other mobile devices for work is a great way to stay informed and work on
business projects while you’re away from the office. Before you can use Microsoft 365 services with your device,
you might need to first enroll it in Basic Mobility and Security for Microsoft 365 using Microsoft Intune
Company Portal.
Organizations choose Basic Mobility and Security so that employees can use their mobile devices to securely
access work email, calendars, and documents while the business secures important data and meets their
compliance requirements.To learn more, see Overview of Basic Mobility and Security for Microsoft 365. For
more info, seeWhat information can my organization see when I enroll my device?.
IMPORTANT
When you enroll your device in Basic Mobility and Security for Microsoft 365, you might be required to set up a
password, together with allowing the option for your work organization to wipe the device. A device wipe can be
performed from the Microsoft 365 admin center, for example, to remove all data from the device if the password is
entered incorrectly too many times or if usage terms are broken.
Supported devices
Basic Mobility and Security for Microsoft 365 hosted by the Intune service works with most, but not all, mobile
devices. The following are supported with Basic Mobility and Security:
iOS 10.0or later
Android 4.4 or later
Windows 8.1 and Windows 10 (Phone and PC)
If your device is not listed above, and you need to use it with Basic Mobility and Security, contact your work or
school administrator.
TIP
If you're having trouble enrolling your device, seeTroubleshoot Basic Mobility and Security.
Set up your mobile device with Intune and Basic Mobility and Security
The Intune Company Portal enables a device to be managed by Microsoft 365 and Basic Mobility and Security.
iPhone or iPad
TIP
You won’t be able to send and receive email until you complete this step.
Go to the Apple App Store, and download and install Intune Company Portal.
To connect and configure your iOS phone or tablet with the Company portal to Office 365, see Set up iOS device
access to your company resources.
Android phone or tablet
TIP
You won’t be able to send and receive email until you complete this step.
Go to the Google Play store, and download and install Intune Company Portal.
To connect and configure your Android phone or tablet with the Company portal to Microsoft 365, see Enroll
your device with Company Portal.
Windows 8.1 and Windows 10
Go to the Microsoft Store, and download and install Intune Company Portal
To connect and configure your Windows phoneor PC with the Company portal to Microsoft 365, see Windows
device enrollment in Intune Company Portal.
Next steps
After your device is enrolled in Basic Mobility and Security, you can start using Office apps on your device to
work with email, calendar, contacts, and documents.
Privacy and security in Basic Mobility and Security
2/9/2022 • 2 minutes to read • Edit Online
Basic Mobility and Security is a cloud-based service powered by Microsoft Intune that helps you manage and
secure mobile devices in your organization. After you activate Basic Mobility and Security, you can create mobile
device management policies. These policies can then be deployed to mobile devices that have been enrolled by
licensed Microsoft 365 users in your organization.
Microsoft Intune sends information to Microsoft 365 about the compliance status of each managed device, and
then you can generate reports that show whether managed devices in your organization are compliant based
upon the policies that were set. To learn more about Microsoft's commitment to the privacy and security, see
theMicrosoft Trust Center.
Wipe a mobile device in Basic Mobility and Security
2/9/2022 • 3 minutes to read • Edit Online
You can use built-in Basic Mobility and Security for Microsoft 365 to remove only organizational information, or
to perform a factory reset to delete all information from a mobile device and restore it to factory settings.
C O N T EN T IM PA C T IO S 10 A N D L AT ER A N DRO ID 5 A N D L AT ER
To effectively turn off Basic Mobility and Security, you remove groups of people defined by security groups from
the device management policies, or remove the policies themselves.
Remove groups of users by removing user security groups from the device policies you've created.
Disable Basic Mobility and Security for everyone by removing all Basic Mobility and Security device
policies.
These options remove Basic Mobility and Security enforcement for devices in your organization. Unfortunately,
you can't simply "unprovision" Basic Mobility and Security after you've set it up.
IMPORTANT
Be aware of the impact on users' devices when you remove user security groups from policies or remove the policies
themselves. For example, email profiles and cached emails might be removed, depending on the device. For more info, see
What happens when you delete a policy or remove a user from the policy?
Remove user security groups from Basic Mobility and Security device
policies
1. In your browser type:https://protection.office.com/devicev2.
2. Select a device policy, and select Edit policy .
3. On the Deployment page, select Remove .
4. Under Groups , select a security group.
5. Select Remove , and select Save .
NOTE
For more steps to unblock devices if your organization devices are still in a blocked state, seethe blog post Removing
Access Control from Mobile Device Management for Office 365.
Troubleshoot Basic Mobility and Security
2/9/2022 • 2 minutes to read • Edit Online
If you're running into issues when you try to enroll a device in Basic Mobility and Security, try the steps here to
track down the problem. If the general steps don't fix the issue, see one of the later sections with specific steps
for your device type.
Windows RT
Make sure that your domain isset up in Microsoft 365 to work with Basic Mobility and Security. For more
info, see Set up Basic Mobility and Security.
Make sure that the user is choosingTurn On rather than choosingJoin .
Windows 10 PC
Make sure that your domain isset up in Microsoft 365 to work with Basic Mobility and Security. For more
info, see Set up Basic Mobility and Security.
Unless you have Azure Active Directory Premium, make sure that the user is choosingEnroll in Device
Management only rather than choosingConnect .
It's sometimes necessary for your users to schedule meetings with people outside your organization. To simplify
the process of finding common meeting times, Microsoft 365 enables you to make calendars available to these
people. These are people who need to see free and busy times for users in your organization, but don't have
user accounts for your Microsoft 365 organization.
You can enable calendar sharing for all users in your organization in the Microsoft 365 admin center. Once
sharing is enabled, your users can use Outlook Web App to share their calendars with anyone inside or outside
the organization. People inside the organization can view the shared calendar along with their own calendar.
People outside the organization will be sent a URL that they can use to view the calendar. Users in your
organization decide when to share and how much to share.
NOTE
If you want to share calendars with an organization that uses Exchange Server 2013 (an on-premises solution), the
Exchange administrator will need to set up an authentication relationship with the cloud. This is known as federation, and
must meet minimum software requirements. See Sharing for more information.
IMPORTANT
You must be an admin for a business subscription to use these support methods. If you're not a business admin, please
use this support page.
Start by checking the current health of your services. You can view detailed information about current and past
issues on the Service health dashboard. If you're experiencing an issue that isn't listed, you can get support in
one of the following ways:
Online support
Save time by starting your service request online. We'll help you find a solution or connect you to technical
support.
1. Go to the admin center at https://admin.microsoft.com. If you get a message that says you don't have
permission to access this page or perform this action, you aren't an admin. For more information, see
Who has admin permissions in my business?.
2. On the bottom right side of the page, select Help & suppor t .
3. Type a question or keyword into the text box. If you get a drop-down list, select the one closest to your
question, or continue typing your question, then press Enter .
4. If the results don't help, at the bottom, select Contact Suppor t .
5. Enter a description of your issue, confirm your contact number and email address, select your preferred
contact method, and then select Contact me . The expected wait time is indicated in the Contact
suppor t pane.
NOTE
If you bought your subscription through a partner, you first see the contact information for that partner.
Alternatively, select New Microsoft ser vice request at the bottom of the pane.
Phone support
Billing support is provided in English from 9 AM-5 PM (9 AM-6 PM in Australia), Monday-Friday.
Technical support is provided in English 24 hours a day, 7 days a week.
Admins, have your account details ready when you call.
NOTE
To better protect your organization, we added a PIN-based verification step to our existing phone-based verification
process. If you contact us from a number that isn't registered with your organization profile, the Microsoft support
representative sends a verification code to the registered email or phone number in your Microsoft 365 admin center
profile. You must provide this code to the support representative to grant them access to your organization’s account.
Pre-sales support
Pre-sales support for Office 365 operated by 21Vianet provides assistance on subscription features and
benefits, plan comparisons, pricing and licensing, and helps to identify the right solution to meet your business
needs. In addition, pre-sales support can help you find a Partner, and purchase and sign up for a trial. You can
call during local business hours, Monday through Friday. Pre-sales support can be accessed using the same
phone number as with technical support. For instructions, see Contact support.
Technical support
Technical support for Office 365 operated by 21Vianet subscriptions provides assistance with basic installation,
setup, and general technical usage. Some examples of these issues are listed in the following table.
SharePoint Online
Permissions and user groups
Configuration of external users
NOTE
You can learn how to contact technical support here: Contact support. Technical support does not include
troubleshooting third-party services or add-ins. Learn about finding answers from other customers in the Community.
Sev A (Critical) One or more services aren't accessible Widespread problems sending
or are unusable. Production, or receiving mail.
operations, or deployment deadlines SharePoint site down.
are severely affected, or there will be a All users can't send instant
severe impact on production or messages, join or schedule
profitability. Multiple users or services Skype for Business Meetings, or
are affected. make Skype for Business calls.
Sev C (Non-critical) The situation has minimal business How to set user password that
impact. The issue is important but never expires.
does not have a significant current User can't delete contact
service or productivity impact for the information in Exchange Online.
customer. A single user is experiencing
partial disruption, but an acceptable
workaround exists.
Sev A 2 (Critical) Initial Response: 1 hour or less. Provide solid business impact
Follow up: continues effort until statement (see the severity A
problem resolution. description and examples above);
Allocate resource to ensure continues
collaboration with 21Vianet customer
support agent for the joint
investigation and necessary
communication; Provide accurate
contact information and ensure reliable
communication throughout the service
request lifecycle.
Sev B (High) Initial Response: 1 business day or less. Provide accurate contact information
and ensure reliable communication
throughout the service request
lifecycle.
Sev C (Medium) Initial Response: 3 business day or less. Provide accurate contact information
and ensure reliable communication
throughout the service request
lifecycle.
1 If the customer cannot provide required resource or make response for collaboration with 21Vianet customer
support agent investigation in reasonable time, 21Vianet support team may lower down the severity level of a
service request.
2 Severity A is only available to customers who had signed an advanced online service agreement with 21Vianet
through a sales account manager. Severity A is available only for technical support. For billing and subscription
management support, the highest severity level is B.
Contact support
NOTE
Assisted support options are for admins of Office 365 subscribed organizations only. If you use Office 365 but you're not
an admin, you can still get support in the community forums, or by contacting your admin.
Feature availability
To view feature availability across Office 365 plans, see Office 365 Service Description.
Follow us on WeChat
Scan this QR code to follow us on WeChat and get the latest updates for Office 365 operated by 21Vianet.
Related content
Find docs and training (link page)
Employee quick setup (article)
Overview of Microsoft 365 Business Premium setup (video)
Microsoft 365 docs navigation guide
2/9/2022 • 2 minutes to read • Edit Online
This topic provides some tips and tricks for navigating the Microsoft 365 technical documentation space.
Hub page
The Microsoft 365 hub page can be found at https://aka.ms/microsoft365docs and is the entry point for finding
relevant Microsoft 365 content.
You can always navigate back to this page by selecting Microsoft 365 from the header at the top of every page
within the Microsoft 365 technical documentation set:
TOC search
On docs.microsoft.com, you can search the content in the table of contents by using the filter search box at the
top:
Version filter
The Microsoft 365 technical documentation provides content for additional products, including Office 365
Germany and Office 365 operated by 21 Vianet (China). Features can vary between these versions, and as such,
sometimes the content itself can vary.
You can use the version filter to ensure that you are seeing content for the appropriate version of Microsoft 365:
Breadcrumbs
Breadcrumbs can be found below the header and above the table of contents, and indicate where the current
article is located in the table of contents. Not only does this help set the context to what type of content you're
reading, but it also allows you to navigate back up the table of contents tree: