Why choose Microsoft 365 Business Premium?

Productivity and
security

denisebmsft

Contents
Create a communications site 5
Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Infographic: Create a Communications site infographic . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Set it up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Admin settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Next mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Use Microsoft Teams for collaboration 6

Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Set it up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Admin settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Microsoft 365 Business Premium – productivity and cybersecurity for small business 8
Cybersecurity playbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Set up Microsoft 365 Business Premium 9

Sign up for Microsoft 365 Business Premium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Sign up on your own . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Work with a Microsoft partner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Set up Microsoft 365 Business Premium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Guided setup process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
The guided setup process, step by step . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Work with a Microsoft partner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Employee quick setup guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Set up Microsoft 365 for Campaigns 11

Get Microsoft 365 for Campaigns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
What does Microsoft 365 for Campaigns include? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
What does it cost, who needs it, and what is the commitment? . . . . . . . . . . . . . . . . . . . . . . 12
How do I qualify for special pricing? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Before you begin your setup process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Sign in to Microsoft 365 for Campaigns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
How your staff will sign in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Customize your sign-in page with a privacy and consent notice . . . . . . . . . . . . . . . . . . . . . . 13
Customize the text on your sign-in page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Visual guide: Help protect yourself and your campaign from digital threats . . . . . . . . . . . . . . . 13
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Protect yourself against phishing and other attacks 13

Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Reduce spam mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Report it . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Avoid phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1
 Make sure your emails look legitimate to others . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Share this infographic with your users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Collaborate and share securely 14

Device groups and categories in Microsoft 365 Business Premium 15

Working with device groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Create a device group in the Microsoft 365 Defender portal . . . . . . . . . . . . . . . . . . . . . . . . 15
Create a device category in Intune . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Create dynamic device groups in Azure Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 16
How categories are used when enrolling devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
View the categories of devices that you manage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Change the category of a device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

View device status in Microsoft Defender for Business 17

See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Admin roles for Intune in the Microsoft 365 admin center 17

About roles-based access control in Intune . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Microsoft Intune built-in roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Microsoft Intune custom roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
How to assign a role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Delegated administration for Microsoft Partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Related content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Secure managed and unmanaged devices 20

Managed devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Unmanaged devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Maintain your environment 21

Tenant administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Microsoft 365 Business Premium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
General tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Users, groups, and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Email and calendars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Subscriptions and billing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Defender for Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
General tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Users, groups, and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Subscriptions and billing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Security administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Microsoft 365 Business Premium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Defender for Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Security operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Microsoft 365 Business Premium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Daily tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Weekly tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Monthly tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Tasks to perform as needed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Remediation actions in Microsoft 365 Business Premium . . . . . . . . . . . . . . . . . . . . . . . 32
Defender for Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Daily tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Weekly tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Monthly tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Tasks to perform as needed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Remediation actions in Defender for Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

2
 See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

What’s new in Microsoft 365 Business Premium and Microsoft Defender for Business 37
July 2023 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
March 2023 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
January 2023 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
November 2022 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
July 2022 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
May 2022 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
March 2022 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

MFA for users 39

Use the Outlook app on your devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Onboard enrolled devices to Microsoft Defender for Business 39

Use automatic onboarding for Windows devices that are already enrolled in Intune . . . . . . . . . . . 40
Use a local script to onboard Windows and Mac devices to Defender for Business . . . . . . . . . . . . 40
Onboard mobile devices using the Microsoft Defender app . . . . . . . . . . . . . . . . . . . . . . . . . 40
Use Intune to enroll devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
What about servers? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Run a detection test on a Windows device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Onboard devices gradually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Offboard a device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Protect your administrator accounts 42

Create other admin accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Create an emergency admin account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Create a user account for yourself . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Protect admin accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Additional recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Protect against malware and other cyberthreats 43

1. Review and apply preset security policies for email and collaboration . . . . . . . . . . . . . . . . . 44
What are preset security policies? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Policy order of priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
How do I assign preset security policies to users? . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2. Turn on Microsoft Defender for Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3. Adjust sharing settings for SharePoint and OneDrive files and folders . . . . . . . . . . . . . . . . . 46
4. Set up and review your alert policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
View your alert policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
How to view alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5. Manage calendar sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
6. Create additional security policies for email and collaboration (if needed) . . . . . . . . . . . . . . . 47
Next objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Secure managed devices with Microsoft 365 Business Premium 48

Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Review remediation actions in the Microsoft 365 Defender portal 48

How to use your Action center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Types of remediation actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Review detected threats 49

Actions you can take . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
View and manage threat detections in the Microsoft 365 Defender portal . . . . . . . . . . . . . . . . . 50
Manage threat detections in Microsoft Intune . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
How to submit a file for malware analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

3
Security incident management 51

Boost your security protection 51

Set up information protection capabilities in Microsoft 365 Business Premium 51

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Use Compliance Manager to get started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Use sensitivity labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Set up your DLP policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Set up unmanaged (BYOD) devices 53

Fortify your environment with Microsoft 365 Business Premium 53

Overview of threat protection by Microsoft Defender Antivirus 53

What happens when a non-Microsoft antivirus solution is used? . . . . . . . . . . . . . . . . . . . . . . 54
What to expect when threats are detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Related content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Trial user guide: Microsoft 365 Business Premium 55

Set up the Microsoft 365 Business Premium trial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Add a domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Onboard and protect devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Use Microsoft 365 Apps on devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Start using the Microsoft 365 Defender portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Turn on multi-factor authentication 56

Security defaults 56
Security defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
To enable security defaults (or confirm they’re already enabled) . . . . . . . . . . . . . . . . . . . 57

Conditional Access 57
Conditional Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Upgrade Windows devices to Windows 10 or 11 Pro 58

Use Windows Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Upgrade your device using the Microsoft Software Download site . . . . . . . . . . . . . . . . . . . . . 58
Create installation media from the Microsoft Software Download site . . . . . . . . . . . . . . . . . . . 58
Purchase Windows 10 or 11 Pro to upgrade from Windows 10 or 11 Home . . . . . . . . . . . . . . . . 58
See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Use email securely 59

Encrypt or label your sensitive email in Microsoft 365 59

Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Set it up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Admin settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Automatically encrypt email messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Brand your encryption messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Next mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Install Microsoft 365 Apps on your devices 60

Watch: Install Microsoft 365 Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Set up mobile devices for Microsoft 365 Business Premium users . . . . . . . . . . . . . . . . . . . . . 60
iPhone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Android . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

4
Protect unmanaged computers with Microsoft 365 Business Premium 62
Windows 10 or 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Windows 10 or 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Turn on device encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Protect your device with Windows Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Turn on Windows Defender Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Next mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Use FileVault to encrypt your Mac disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Protect your Mac from malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Turn on firewall protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Next mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

View and edit device protection policies 63

About the default device protection policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Working with device policies in the Microsoft 365 Defender portal . . . . . . . . . . . . . . . . . . . . 64
View existing device protection policies in Microsoft 365 Defender . . . . . . . . . . . . . . . . . 64
Edit an existing device protection policy in Microsoft 365 Defender . . . . . . . . . . . . . . . . . 64
Create a new device protection policy in Microsoft 365 Defender . . . . . . . . . . . . . . . . . . 65
Working with device policies in the Microsoft Intune admin center . . . . . . . . . . . . . . . . . . . . 65
Create policies in Intune . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Duplicate a policy in Intune . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Edit a policy in Intune . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Manage conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
See also . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Microsoft 365 for business security best practices 67

Top 10 ways to secure your business data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
More information about Microsoft 365 for business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Set up meetings with Microsoft Teams 70

Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Schedule a meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Join a meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Share files and videos in a safe environment 71

Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Set up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Next objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Why should I choose Microsoft 365 Business Premium? 72

Video: Top 5 benefits of Microsoft 365 Business Premium . . . . . . . . . . . . . . . . . . . . . . . . . 72
Resources to train everyone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Download the digital threats guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Create a communications site

A great way to communicate priorities, share strategy documents, and highlight upcoming events is to use a
communications site in SharePoint, and that’s what this mission is all about. Communications sites are for
sharing things broadly across your whole business or campaign — it’s your internal strategy site and tactical
room.

Best practices
Include the following elements in a Communications site:
1. Add your logo and colors as a header image and theme.

5
Diagram of a SharePoint Communications page with space for common elements that a campaign would need.

Figure 1: Diagram of a SharePoint Communications page with space for common elements that a campaign
would need.

2. Lead with your strategy, message, important documents, a directory, and FAQ in a Hero web part.
3. Include a CEO or candidate statement to the team in a Text web part.
4. Add events to an Events web part so everyone can see what’s coming up.
5. Add photos that people can use or share to an Image gallery web part.

Infographic: Create a Communications site infographic

The following links for PowerPoint and PDF can be downloaded and printed in tabloid format (also known as
ledger, 11 x 17, or A3).
Image for communications site infographic.
PDF | PowerPoint

Set it up
1. Sign in to https://Office.com.
2. In the top-left corner of the page, select the app launcher icon and then select the SharePoint tile. If you
don’t see the SharePoint tile, click the Sites tile or All if SharePoint isn’t visible.
3. At the top of the SharePoint home page, click + Create site and choose the Communication site
option.
Learn all about Communications sites and how to create a communication site in SharePoint Online.

Admin settings
If you don’t see the + Create site link, self-service site creation might not be available in Microsoft 365. To
create a team site, contact the person administering Microsoft 365 in your organization. If you’re a Microsoft 365
admin, see Manage site creation in SharePoint Online to enable self-service site creation for your organization or
Manage sites in the new SharePoint admin center to create a site from the SharePoint admin center.

Next mission
Congratulations — you’ve completed the mission! Now, immediately turn your focus toward protecting the
managed devices for the entire org!

Use Microsoft Teams for collaboration

Microsoft Teams is a collaboration app that helps members of the org use any device to stay organized and have
conversations. You can use Microsoft Teams to have immediate conversations with members of your staff or
guests outside your organization. You can also make phone calls, host meetings, and share files.

Best practices
1. Create private teams for sensitive information.
2. Create an org-wide team for communication with everyone across your organization.
3. Create teams for specific projects and apply the right amount of protection based on who should be
included.
4. Create specific teams for communication with external partners to keep them separate from anything
sensitive for your business.
For example, a business, legal firm, or healthcare practice might create the following teams:

6
 Diagram of a Microsoft Teams window with three separate teams to allow for secure communication and
collaboration within a business.

Figure 2: Diagram of a Microsoft Teams window with three separate teams to allow for secure communication
and collaboration within a business.
Diagram of a Microsoft Teams window with three separate teams to allow for secure communication and
collaboration within a campaign.

Figure 3: Diagram of a Microsoft Teams window with three separate teams to allow for secure communication
and collaboration within a campaign.

1. A business-, firm-, or practice-wide team: This is for everyone to use for day-to-day communications
and work across your business. You can use this team to post announcements or share information of
interest for your whole firm or practice.
2. Individual teams: Set up teams for smaller groups to collaborate about their day to day work.
3. An external communications team or teams: Coordinate with your vendors, partners, or clients
without allowing them into anything sensitive. Set up different channels for specific groups.
And campaigns could create the following teams to communicate and collaborate securely:
1. A campaign Leads team: Set this up as a private team so that only your key campaign members can
access it and discuss potentially sensitive concerns.
2. A general campaign team: This is for everyone to use for day to day communications and work.
Individuals, groups, or committees can set up channels in this team to do their work. For example, the
event planning people can set up a channel to chat and coordinate logistics for campaign events.
3. A partners team: Coordinate with your vendors, partners, or volunteers without allowing them into
anything sensitive.
When you create a team, here’s what else gets created:
• A new Microsoft 365 group
• A SharePoint Online site and document library to store team files
• An Exchange Online shared mailbox and calendar
• A OneNote notebook
• Ties into other Office 365 apps such as Planner and Power BI
Inside Microsoft Teams, you can find:
1. Teams: Find channels to belong to or create your own. Inside channels you can hold on-the-spot meetings,
have conversations, and share files.
2. Meetings: See everything you’ve got lined up for the day or week. Or, schedule a meeting. This calendar
syncs with your Outlook calendar.
3. Calls: In some cases, if your organization has it set up, you can call anyone from Microsoft Teams, even if
they’re not using Microsoft Teams.
4. Activity: Catch up on all your unread messages, @mentions, replies, and more.
Use the command box at the top to search for specific items or people, take quick actions, and launch apps.

Set it up
Create a private team for just the business owner and managers, or campaign manager and candidate like this.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RWeqWA]
Create an organization-wide team that everyone in the business or campaign can use to communicate and share
files.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE2GCG9]
Create a team that you share with guests outside your organization, such as for advertising or finances.

7
 [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FQMp]
Learn more about Microsoft Teams at Microsoft Teams technical documentation

Admin settings
[!NOTE] You must be an admin to create an organization-wide team. For more information, see
What is an Admin in Microsoft 365?.

Next objective
Once you complete this objective, you need to securely set up meetings.

Microsoft 365 Business Premium – productivity and cybersecurity

for small business
Microsoft 365 Business Premium-—with its world class productivity and cybersecurity capabilities—-is a wise
choice for small and medium-sized businesses. Designed for small and medium-sized businesses (up to 300 users),
Microsoft 365 Business Premium helps safeguard your data, devices, and information.
You are your organization’s first and best defense against hackers and cyberattackers, including random
individuals, organized crime, or highly sophisticated nation states. The task before you is this: let Microsoft 365
Business Premium help secure your organization’s future! Approach this task by taking on the following six
missions:
:::image type=“content” source=“media/sixmissions.png” alt-text=“Diagram listing your six missions.”:::

What to do How to do it
Fortify your environment (Tasks your admin 1. Sign in and set up your environment.
completes.) Complete the basic setup process for Microsoft 365
Business Premium (or Microsoft 365 for Campaigns).
Add users, assign licenses, and configure your domain
to work with Microsoft 365. Get a quick setup guide
to share with employees.2. Boost your security
protection. Set up critical front-line security
measures to prevent cyberattacks. Set up multi-factor
authentication (MFA), protect your admin accounts,
and protect against malware and other threats. Get
an overview of how to secure unmanaged and managed
devices, and set up your information protection
capabilities.
Train your team.(Tasks everyone does.) 3. Set up unmanaged (BYOD) devices. Set up
all the unmanaged (“bring your own device,” also
referred to as BYOD) devices so they’re used more
safely as part of your ecosystem.4. Use email
securely. Know what to watch for in your email, and
train everyone on the necessary steps to protect
yourself and others from attacks.5. Collaborate and
share securely. Share files with others and
collaborate more securely by using Microsoft Teams,
SharePoint, and OneDrive.
Safeguard managed devices. (Tasks your admin or 6. Set up and secure managed devices. Enroll
security team does.) and secure computers, tablets, and phones so they can
protected from threats.

Completing all six missions is the most effective way to thwart hackers, protect against ransomware, and help
ensure your organization’s future is safeguarded with the best cybersecurity defenses.
Let’s get started!

8
Cybersecurity playbook
The guidance in these missions is based upon the Zero Trust security model, and is summarized in a downloadable
Cybersecurity playbook.
:::image type=“content” source=“media/m365bp-cyber-security-playbook.png” alt-text=“Cybersecurity play-
book. Download this guide.”:::

Next steps
Proceed to Fortify your environment.

Set up Microsoft 365 Business Premium

This article describes how to get Microsoft 365 Business Premium, complete the basic setup process, and proceed
to your next steps.
[!TIP] If you’re looking for Microsoft 365 for Campaigns, see How to get Microsoft 365 for Campaigns.

Sign up for Microsoft 365 Business Premium

When you’re ready to sign up for Microsoft 365 Business Premium, you have several options. You can:
• Try or buy Microsoft 365 Business Premium on your own; or
• Work with a Microsoft partner.

Sign up on your own

1. Visit the Microsoft 365 Business Premium product page.
2. Choose to try or buy your subscription. See Try or buy a Microsoft 365 for business subscription. On the
Microsoft 365 Products site, choose Microsoft 365 Business Premium.
3. After you have signed up for Microsoft 365 Business Premium, you’ll receive an email with a link to sign in
and get started. Proceed to Set up Microsoft 365 Business Premium.

Work with a Microsoft partner

Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft 365 Business
Premium. If you’re not already working with a solution provider, you can find one by following these steps:
1. Go to the Browse Partners.
2. In the Filters pane, specify search criteria, such as:
• Your location
• Your organization’s size
• Focus areas, such as Security and/or Threat Protection
• Services, such as Licensing or Managed Services (MSP)
As soon as you select one or more criteria, the list of partners updates.
3. Review the list of results. Select a provider to learn more about their expertise and the services they
provide.

Set up Microsoft 365 Business Premium

To complete the basic setup process, you can choose from several options available:
• Start with the guided setup experience for basic setup and configuration, and then proceed to set up your
security protection; or
• Work with a Microsoft partner who can help you get everything set up and configured.

9
Guided setup process
Microsoft 365 Business Premium includes a guided setup process, as shown in the following video:
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE471FJ]

The guided setup process, step by step

1. As a global administrator, go to the Microsoft 365 admin center and sign in. By default, you’ll see the
simplified view, as shown in the following image:
:::image type=“content” source=“media/m365bp-simplifiedview.png” alt-text=“Screenshot showing the
simplified view of the Microsoft 365 admin center.”lightbox=“media/m365bp-simplifiedview.png”:::
2. In the upper right corner, select Dashboard view so that your admin center resembles the following
image. Then select Go to guided setup.
:::image type=“content” source=“media/m365bp-dashboardview.png” alt-text=“Screenshot of the dash-
board view of the Microsoft 365 admin center.”lightbox=“media/m365bp-dashboardview.png”:::
3. To install your Microsoft 365 Apps (Office), select the download button, and then follow the prompts.
Alternately, you can skip this step for now and install your apps later. Then select Continue.
:::image type=“content” source=“media/m365bp-installoffice.png” alt-text=“Screenshot of the Install
Office download button.”lightbox=“media/m365bp-installoffice.png”:::
4. To add your organization’s domain (recommended) or to use your default .onmicrosoft.com domain,
select an option and then follow the prompts. Then select Use this domain.
:::image type=“content” source=“media/m365bp-adddomain.png” alt-text=“Screenshot showing the option
to add a domain.”lightbox=“media/m365bp-adddomain.png”:::
[!TIP] To get help with this task, see Add a domain to Microsoft 365.
5. To add a user, fill in the user’s first name, last name, and user name, and then select Add users and
assign licenses. Alternately, you can select View all users to go to your active users page, where you
can view, add, and manage users.
:::image type=“content” source=“media/m365bp-addusers.png” alt-text=“Screenshot showing the Add
Users and Assign Licenses page.”lightbox=“media/m365bp-addusers.png”:::
[!TIP] We recommend adding your administrators and members of your security team now. To
get help with this task, see Add users and assign licenses at the same time.
6. If you added your domain in step 4, you can now connect your domain to Microsoft 365. To get help with
this task, see Change nameservers to set up Microsoft 365 with any domain registrar.
When you’re finished with the basic setup process, you’ll see Setup is complete, where you can tell us how
setup went and then go to your Microsoft 365 admin center.
:::image type=“content” source=“media/m365bp-setupcomplete.png” alt-text=“Screenshot of the Setup is
Complete confirmation screen.”lightbox=“media/m365bp-setupcomplete.png”:::
[!IMPORTANT] At this point, basic setup is complete, but you still need to set up and configure
your security settings.

Work with a Microsoft partner

If you’d prefer to have a Microsoft partner help you get and set up Microsoft 365 Business Premium, follow
these steps:
1. Go to the Browse Partners page.
2. In the Filters pane, specify search criteria, such as:
• Your location
• Your organization’s size (Microsoft Customer Size)
• Focus areas, such as Security and/or Threat Protection
• Services, such as Licensing or Managed Services (MSP)
As soon as you select one or more criteria, the list of partners updates.

10
 3. Review the list of results. Select a provider to learn more about their expertise and the services they
provide.

Employee quick setup guide

:::image type=“content” source=“media/employee-setup-guide.png” alt-text=“Screenshot of employee setup
guide steps.”:::
After you have added users to your Microsoft 365 subscription, give them a link to the Employee quick setup
guide. The guide walks them through signing in, getting Microsoft 365 Apps, and saving, copying, and sharing
files.

Next objective
Proceed to Boost your security protection.

See also
• Overview of the Microsoft 365 admin center
• Business subscriptions and billing documentation
• Find a Microsoft partner or reseller

Set up Microsoft 365 for Campaigns

This article describes how to get Microsoft 365 for Campaigns (a special offering for campaigns and political
parties in the USA), and how to complete the basic setup process and proceed to next steps.

Get Microsoft 365 for Campaigns

Campaigns and political parties in the USA are eligible for special pricing for Microsoft 365 Business Premium.
Currently this special pricing is available to:
• National-level political parties in the United States, Canada, and New Zealand
• National or federal political campaigns in the United States and New Zealand
• State-level political parties in the United States
• U.S. State-wide political campaigns (eg: campaigns seeking office for governor, state legislature, or attorney
general)
[!IMPORTANT] Due to local regulations, we are unable to offer Microsoft 365 for Campaigns in
the following states at this time: CO, DE, IL, OK, WI & WY. We encourage campaigns in those
states to explore additional offerings at Microsoft 365 for business.
If your campaign or political party qualifies, Microsoft 365 for Campaigns is the least expensive plan available
through Microsoft. See Microsoft 365 for Campaigns.
[!TIP] If you’re not eligible for special pricing, Microsoft 365 Business Premium is still the most
cost-effective way obtain comprehensive security for a collaboration environment. See How to get
Microsoft 365 Business Premium.

What does Microsoft 365 for Campaigns include?

Microsoft 365 for Campaigns includes simple controls that help you and your staff work together securely:
• Protect user identity: Make sure that users are who they say they are when they sign in to send email
or to access files (multifactor authentication).
• Protect sensitive information: Protect sensitive information to monitor information that gets shared
outside your organization (data loss prevention).
• Protect mobile devices: Protect data on mobile devices (mobile app protection policy).
• Guard against malicious content: Prevent access to malicious content by scanning email attachments
(Defender for Office 365).

11
 • Protect passwords: Set passwords to never expire which is more secure and helps prevent work stoppages
(password policy).
• AccountGuard Program Access: Microsoft AccountGuard is a security service offered at no additional
cost to customers in the political space. The service is designed to inform and help these highly targeted
customers protect themselves from cybersecurity threats across their organizational and personal Microsoft
email accounts. View more information at Microsoft AccountGuard.

What does it cost, who needs it, and what is the commitment?
If your campaign qualifies for special pricing, Microsoft 365 for Campaigns costs $5 per user per month.
To protect your campaign, we recommend a license for the candidate, the campaign manager, all senior staff
who are part of the campaign or party, and usually all full-time staff. Certain volunteer employees might also
need a license. In general, assign a license to anyone in your campaign who needs protected email and devices.
There’s no minimum time commitment when you sign up for Microsoft 365 for Campaigns. You can pay monthly
for the licenses you need and stop using the service anytime.

How do I qualify for special pricing?

1. Go to aka.ms/m365forcampaigns and provide a few details about your organization. The details you
provide help us to verify that you represent a national-level political campaign or party in the United
States. There’s no commitment when you complete this form.
2. After you’ve completed the form, it takes us a few days to review your information.
3. After we’ve verified that you represent a national-level political campaign or party, you’ll receive an email
invitation from Microsoft. Your invite includes a sign-up link specific to your organization.
After you have subscribed to Microsoft 365 for Campaigns, your next step is to get everything set up.

Before you begin your setup process

Make sure that you meet the following requirements before you begin your setup process:

Requirement Description
Subscription Microsoft 365 Business Premium or Microsoft 365 for
Campaigns To start a trial or purchase your
subscription, see the following resources: - Get
Microsoft 365 Business Premium- Get Microsoft 365
for Campaigns
Permissions To complete the initial setup process, you must be a
Global Admin. Learn more about admin roles.
Browser requirements Microsoft Edge, Safari, Chrome or Firefox. Learn
more about browser requirements.
Operating systems (client) Windows: Windows 10 or 11 PromacOS: One of the
three most recent versions of macOS
Operating systems (servers) Windows Server or Linux Server (Requires an
additional license, such as Microsoft Defender for
Business servers.)

[!TIP] For more detailed information about Microsoft 365, Office, and system requirements, see
Microsoft 365 and Office Resources.

Sign in to Microsoft 365 for Campaigns

If you signed up for Microsoft 365 for Campaigns, you’re designated as the Microsoft 365 admin (also referred to
as the Global Administrator). This allows you to sign in and initiate the system.
Here’s how to sign in:
1. Find the username and password we sent to the email address you used when you signed up for Microsoft
365 for Campaigns.

12
 2. In the browser, go to the Microsoft 365 admin center.
3. Type your username and password. Select Sign in.
4. In the top right of the page, find the Preview on control. Select Preview on so you can use all the
controls described in Boost your security protection for your campaign.

How your staff will sign in

Users who have been added to your Microsoft 365 for Campaigns (or Microsoft 365 Business Premium) subscription
can sign in using the following steps:
1. Go to https://office.com.
2. Sign in using the username and password for the account. Users will have this information in the email
they receive when they are added as users. If they can’t find the email, see user didn’t receive invite email.
[!TIP] Provide your staff a link to the Employee quick setup guide for help signing in, getting
Microsoft 365 Apps, and saving, copying, and sharing files.

Customize your sign-in page with a privacy and consent notice

Your business or campaign can make it easier for law enforcement agencies to file legal charges against online
criminals by adding a privacy and consent notice to your sign-in page.
You can customize your sign-in page with your branding. You can also add text to help your users sign in, or to
point out legal requirements or restrictions for getting access to Microsoft 365 resources.

Customize the text on your sign-in page

To update the customizable elements on the sign-in page, you have to be a global admin. For specific instructions,
see add company branding article.
The elements you can update are:
• Sign-in page text (an easy place to add the privacy and consent statement)
• Sign-in page background image
• Banner logo
• Username hint
For examples of privacy and consent notices, see Appendix A in Searching and Seizing Computers and Obtaining
Electronic Evidence in Criminal Investigations.

Visual guide: Help protect yourself and your campaign from digital threats
To help your staff learn about steps to protect your campaign from cyber threats, use this downloadable guide:
Image for secure your help protect your campaign info graphic.
PDF | PowerPoint

Next objective
Proceed to set up your security protection.

Protect yourself against phishing and other attacks

In addition to the protection Microsoft 365 Business Premium offers against attacks, there are other measures
all members must take to defend the organization. Make sure everyone understands the following concepts:
• Spam or junk mail. There are many reasons you might receive junk e-mail and not all junk mail is the
same. However, you can reduce what gets through to you, and thus reduce the risks of attacks, by filtering
out junk mail.
• Phishing. A phishing scam is an email that seems legitimate but is an attempt to get your personal
information or steal your money.
• Spoofing. Scammers can also use a technique called spoofing to make it appear as if you’ve received an
email from yourself.

13
 • Malware is malicious software that can be installed on your computer, usually installed after you’ve
clicked a link or opened a document from an email. There are various types of malware (for example,
ransomware, when your computer is taken over), but you don’t want to have any of them.

Best practices
Use the following best practices to help users fend off cyberattacks through email.

Reduce spam mail

Follow these 10 tips on how to help reduce spam.

Report it
Report any phishing or other scam emails you receive. Select the message, and choose Report message on the
ribbon.
For more information, see reporting junk and phishing emails.

Avoid phishing
• Never reply to an email that asks you to send personal or account information.
• If you receive an email that looks suspicious or asks you for this type of information, never click links that
supposedly take you to a company website
• Never open any file attached to a suspicious-looking email.
• If the email appears to come from a company, contact the company’s customer service via phone or web
browser to see if the email is legitimate.
• Search the web for the email subject line followed by the word hoax to see if anyone else has reported this
scam.
Read about five common types of scams in Deal with abuse, phishing, or spoofing.

Make sure your emails look legitimate to others

Help your customers trust your communications by adding a digital signature to prove that it’s coming from
you. See Secure messages by using a digital signature.

Share this infographic with your users

Download this infographic with tips for you and the members of your campaign team or business:
:::image type=“content” source=“media/m365bp-whatuserscandotosecure.png” alt-text=“Thumbnail of down-
loadable guide.”:::
PDF | PowerPoint
Learn more about how to:
• Keep your files and communications safe with Office.
• Stay secure and private at work.

Next objective
Once you’ve completed this mission objective, learn about how to send encrypted email.

Collaborate and share securely

:::image type=“content” source=“media/mission5.png” alt-text=“Diagram with Collaborate And Share Securely
highlighted.”:::
The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files
and communications are in a protected environment and aren’t being stored in unsafe ways outside of it. Your
organization depends on protecting your data and information, which means that you want to protect your files
by all means possible. Your next mission is to set up secure file sharing and communication.
Your objectives are to:

14
 • Create Teams for collaboration.
• Set up meetings.
• Share files and videos.
• Create a communication site.
Once you’ve achieved these objectives, proceed to Set up and secure managed devices.

Device groups and categories in Microsoft 365 Business Premium

Microsoft 365 Business Premium includes endpoint protection through Microsoft Defender for Business and
Microsoft Intune. Device protection policies are applied to devices through certain collections that are called
device groups. In Intune, devices are grouped into device categories as a different way of organizing them.
This article includes the following sections:
• Working with device groups
• How to create a new device group in the Microsoft 365 Defender portal
• How to create a new device category in Intune
• How to create dynamic device groups in Azure Active Directory
• How categories are used when enrolling devices
• How to view the categories of devices that you manage
• How to change the category of a device

Working with device groups

A device group is a collection of devices that are grouped together because of certain specified criteria, such
as the operating system version. Devices that meet the criteria are included in that device group, unless you
exclude them.
With Microsoft 365 Business Premium, you have default device groups that you can use. The default device
groups include all the devices that are onboarded to Defender for Business. However, you can also create new
device groups to assign device protection policies with specific settings to certain devices.
All device groups, including your default device groups and any custom device groups that you define, are stored
in Azure Active Directory (Azure AD).

Create a device group in the Microsoft 365 Defender portal

You can create a new device group while you are in the process of creating or editing a device protection policy.
1. Go to the Microsoft 365 Defender portal and sign in.
2. In the navigation pane, choose Device configuration.
3. Take one of the following actions:
1. Select an existing policy, and then choose Edit.
2. Choose + Add to create a new policy.
[!TIP] To get help creating or editing a policy, see View or edit policies in Microsoft Defender
for Business.
4. On the General information step, review the information, edit if necessary, and then choose Next.
5. Choose Create new group.
6. Specify a name and description for the device group, and then choose Next.
7. Select the devices to include in the group, and then choose Create group.
8. On the Device groups step, review the list of device groups for the policy. If needed, remove a group
from the list. Then choose Next.
9. On the Configuration settings page, review and edit settings as needed, and then choose Next. For
more information about these settings, see Understand next-generation configuration settings in Microsoft
Defender for Business.

15
 10. On the Review your policy step, review all the settings, make any needed edits, and then choose Create
policy or Update policy.

Create a device category in Intune

Create device categories in Intune from which users must choose when they enroll a device.
1. Sign in to the Microsoft Intune admin center.
2. Choose Devices > Device categories > Create device category to add a new category.
3. On the Create device category pane, enter a name for the new category, and an optional description.
4. When you’re done, select Create. You can see the new category in the list.
Use the device category name when you create the Azure Active Directory (Azure AD) security groups. When
users enroll their devices, they are presented with a list of the categories you configured in Intune. After they
choose a category and finish enrollment, their device is added to the Active Directory security group that is
associated with it.

Create dynamic device groups in Azure Active Directory

You can also enter the Azure Active Directory (Azure AD) portal (https://portal.azure.com) from the Microsoft
365 admin center. In the Microsoft 365 admin center (https://admin.microsoft.com), choose All admin centers,
and then choose Azure Active Directory.
In the Azure AD portal, you can create dynamic groups based on the device category and device category name.
Use dynamic group rules to automatically add and remove devices. If a device’s attributes change, the system
looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added) or
no longer meets the rules requirements (is removed).
You can create a dynamic group for either devices or users, but not for both. You also can’t create a device
group based on the device owners’ attributes. Device membership rules can only reference device attributions.

How categories are used when enrolling devices

After categories and device groups are established, people who have iOS and Android devices can enroll their
devices in Intune. When they enroll their devices, they’ll choose a category from the list of categories that were
configured. People who have Windows devices can use either the Company Portal website or the Company
Portal app to select a category.
1. After enrolling the device go to the company portal and choose My Devices.
2. Select the enrolled device from the list, and then select a category.
After choosing a category, the device is automatically added to the corresponding group. If a device is already
enrolled before you configure categories, the user sees a notification about the device on the Company Portal
website. This lets the user know to select a category the next time they access the Company Portal app on
iOS/iPadOS or Android.
[!NOTE] - You can edit a device category in the Azure portal, but you must manually update any
Azure AD security groups that reference this category. - If you delete a category, devices assigned to
it display the category name Unassigned.

View the categories of devices that you manage

1. Sign in to the Microsoft Intune admin center, choose Devices > All devices.
2. In the list of devices, examine the Device category column.
3. If the Device category column isn’t shown, select Columns > Category > Apply.

Change the category of a device

1. Sign in to the Microsoft Intune admin center, choose Devices > All devices.
2. Select the category you want from the list, to see its properties.

16
Next steps
Now that you’ve completed your primary missions, take time to set up your response teams and maintain your
environment.

View device status in Microsoft Defender for Business

Microsoft Defender for Business is included with Microsoft 365 Business Premium, as of March 1, 2022. This
offering provides additional security features for devices. Learn more about Defender for Business.
You can view and monitor device health state by using Defender for Business capabilities.
:::image type=“content” source=“../media/defender-business/mdb-deviceinventory.png” alt-text=“Screenshot of
device inventory in Defender for Business”:::
1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
2. In the navigation pane, go to Assets > Devices. A list of devices that were onboarded to Defender for
Business displays.
3. Select a device to view more information and available actions.
:::image type=“content” source=“../media/defender-business/mdb-selected-device.png” alt-text=“Screenshot
showing a selected device with details and actions available”:::

See also
• View and edit device protection policies
• What is Microsoft Defender for Business?
• Best practices for securing Microsoft 365 for business plans

Admin roles for Intune in the Microsoft 365 admin center

Your Microsoft 365 or Office 365 subscription comes with a set of admin roles that you can assign to any users
in your organization using the Microsoft 365 admin center. Each admin role maps to common business functions
and gives people in your organization permissions to do specific tasks in the admin centers. Given this, these
roles are only a subset of all the roles available in the Intune admin center, which includes additional roles
specific to Intune itself.
Before adding specific Intune roles, roles must be assigned in Azure AD. To see these roles, sign in to the
Microsoft Intune admin center > Tenant administration > Roles > All roles >**. You can manage the role on
the following pages:
• Properties: The name, description, permissions, and scope tags for the role.
• Assignments: A list of role assignments defining which users have access to which users or devices. A role
can have multiple assignments, and a user can be in multiple assignments.

About roles-based access control in Intune

Roles-based access control (RBAC) helps you manage who has access to your organization’s resources and what
they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and
change. There are both built-in and custom roles, and each role has a set of permissions that determine what
users with that role can access, or change within your organization. The following information will cover both
types of roles in Intune.
To create, edit, or assign roles, your account must have one of the following permissions in Azure AD:
• Global Administrator
• Intune Service Administrator (also known as Intune Administrator but not to be confused with
the built-in Intune Role Administrator role.)
Find more information on Azure Active Directory roles and RBAC.

17
Microsoft Intune built-in roles
Built-in roles use pre-defined rules based on common Intune scenarios. Alternatively, custom roles are built upon
rules that are strictly defined by you.
Here are the built-in roles that you can assign:

Admin role Who should be assigned this role?

Application manager Assign the Application manager role to users who
manage the application lifecycle for mobile apps,
configure policy-managed apps, and view device info
and configuration profiles.
Help desk operator Assign the help desk operator role to users who assign
apps and policies to users and devices.
Intune role administrator Assign the Intune role administrator to users who can
assign Intune permissions to other admins and can
manage custom and built in Intune roles.
Policy and profile manager Assign the policy and profile manager role to users
manage compliance policy, configuration profiles and
Apple enrollment.
Read only operator Assign the read only operator role to users who can
only view users, devices, enrollment details and
configurations.
School administrator Assign the school administrator role to users for full
access to manage Windows 10-11 and iOS devices,
apps, and configurations in Intune for Education.
Cloud PC Administrator A Cloud PC Administrator has read and write access
to all Cloud PC features located within the Cloud PC
blade.
Cloud PC Reader A Cloud PC Reader has read access to all Cloud PC
features located within the Cloud PC blade.

Microsoft Intune custom roles

You can create custom roles in Intune that include any permissions required for a specific job function. For
example, if an IT department group manages applications, policies, and configuration profiles, you can add all
those permissions together in one custom role. After creating a custom role, you can assign it to any users that
need those permissions.
As with built-in roles, in order to create, edit, or assign roles, your account must have one of the following
permissions in Azure AD:
• Global Administrator
• Intune Service Administrator (also known as Intune Administrator but not to be confused with
the built-in Intune Role Administrator role.)
To create a custom role:
1. In the Microsoft Intune admin center, choose Tenant administration > Roles > All roles > Create.
2. On the Basics page, enter a name and description for the new role, then choose Next.
3. On the Permissions page, choose the permissions you want to use with this role.
4. On the Scope (Tags) page, choose the tags for this role. When this role is assigned to a user, that user
can access resources that also have these tags. Choose Next.
5. On the Review + create page, when you’re done, choose Create. The new role is displayed in the list
on the Intune roles - All roles blade.
To copy a role:
1. In the Microsoft Intune admin center, choose Tenant administration > Roles > All roles > select
the checkbox for a role in the list > Duplicate.
2. On the Basics page, enter a name. Make sure to use a unique name.

18
 3. All the permissions and scope tags from the original role will already be selected. You can subsequently
change the duplicate role’s Name, Description, Permissions, and Scope (Tags).
4. After you’ve made all the changes that you want, choose Next to get to the Review + create page. Select
Create.
[!Note] To be able to administer Intune you must have an Intune license assigned. Alternatively, you
can allow non-licensed users to administer Intune by setting Allow access to unlicensed admins
to Yes.

How to assign a role

You can assign a built-in or custom role to an Intune user. To create, edit, or assign roles, your account must
have one of the following permissions in Azure AD:
• Global Administrator
• Intune Service Administrator (also known as Intune Administrator but not to be confused with
the built-in Intune Role Administrator role.)
1. In the Microsoft Intune admin center, choose Tenant administration > Roles > All roles.
2. Choose the built-in role you want to assign > Assignments > + Assign.
3. On the Basics page, enter an Assignment name and optional Assignment description, and then choose
Next.
4. On the Admin Groups page, select the group that contains the user you want to give the permissions to.
Choose Next.
5. On the Scope (Groups) page, choose a group containing the users and devices that the member above
will be allowed to manage. You also have the option to choose all users or all devices. Choose Next.
[!Note] The All users and All devices are Intune virtual groups and not Azure Active Directory
(Azure AD) security groups. As a result, for Scope (Groups) assignment purposes you cannot use
them as parents of Azure AD security groups. If you need both All users and All devices and
specific Azure AD security groups for Scope (Groups) assignments, you must add them separately
with separate assignments. Otherwise, even if the Scope (Groups) assignment for a role is set to All
Users the admin in this role won’t have access to specific Azure AD user groups. For Azure AD
security groups, nesting is supported.
6. On the Scope (Tags) page, choose tags where this role assignment will be applied. Choose Next.
7. On the Review + Create page, when you’re done, choose Create. The new assignment is displayed in
the list of assignments.
[!Note] When you create scope groups and assign a scope tag, you can only target groups that are
listed in the Scope (Groups) of your role assignment.

Delegated administration for Microsoft Partners

If you’re working with a Microsoft partner, you can assign them admin roles. They, in turn, can assign users in
your company - or their company - admin roles. You might want them to do this, for example, if they’re setting
up and managing your online organization for you.
A partner can assign these roles:
• Full administration, which has privileges equivalent to a global admin, except for managing multi-factor
authentication through the Partner Center.
• Limited administration, which has privileges equivalent to a helpdesk admin.
Before the partner can assign these roles to users, you must add the partner as a delegated admin to your
account. This process is initiated by an authorized partner. The partner sends you an email to ask you if you
want to give them permission to act as a delegated admin. For instructions, see Authorize or remove partner
relationships.

19
Related content
About Microsoft 365 admin roles (article)
Assign admin roles (article)
Activity reports in the Microsoft 365 admin center (article)

Secure managed and unmanaged devices

An important part of your security strategy is protecting the devices your employees use to access company
data. Such devices include computers, tablets, and phones. Your organization’s IT or security team, along with
device users, can take steps to protect data and managed or unmanaged devices.
• Managed devices are typically company-owned devices that are usually set up and configured by your
company’s IT or security team.
• Unmanaged devices, also referred to as bring-your-own devices, or BYOD, tend to be personally owned
devices that employees set up and use. Unmanaged devices can be onboarded and protected just like
managed devices. Or, if you prefer, users can take steps to protect their BYOD devices themselves.

Managed devices
To protect managed devices, your organization’s IT or security team can:
• Use Windows Autopilot to get a user’s Windows device ready for first use. With Autopilot you
can install business critical apps, apply policies, and enable features like BitLocker before the device is
given to a user. You can also use Autopilot to reset reset, repurpose, and recover Windows devices. To
learn more, see Windows Autopilot.
• Upgrade Windows devices from previous versions of Windows to Windows 10 Pro or
Windows 11 Pro. Before onboarding, Windows client devices should be running Windows 10 Pro or
Enterprise, or Windows 11 Pro or Enterprise. If your organization has Windows devices running Windows
7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles
you to upgrade those devices at no additional cost. To learn more, see Upgrade Windows devices to
Windows 10 or 11 Pro.

• Onboard devices and protect them with mobile threat defense capabilities. Microsoft Defender
for Business is included with Microsoft 365 Business Premium. It includes advanced protection from
ransomware, malware, phishing, and other threats. If you prefer to use Microsoft Intune instead, you can
use Intune to enroll and manage devices. To learn more, see Onboard devices to Microsoft Defender for
Business.
• View and monitor device health in the Microsoft 365 Defender portal (https://security.microso
ft.com). You can view details, such as health state and exposure level for all onboarded devices. You can
also take actions, such as running an antivirus scan or starting an automated investigation on a device
that has detected threats or vulnerabilities. To learn more, see Monitor onboarded devices and Review
detected threats.
For their part in protecting managed devices, users can:
• Use the Microsoft Authenticator app to sign in. The Microsoft Authenticator app works with
all accounts that use multi-factor authentication (MFA). To learn more, see Download and install the
Microsoft Authenticator app.
• Join their devices to your organization’s network. Users can follow a process to register their device,
set up MFA, and complete the sign-in process using their account. To learn more, see Join your work
device to your work or school network.
• Make sure antivirus/antimalware software is installed and up to date on all devices. Once
devices are onboarded, antivirus, antimalware, and other threat protection capabilities are configured for
those devices. Users are prompted to install updates as they come in. To learn more, see See Keep your
PC up to date.
To learn more about protecting managed devices, see Set up and secure managed devices.

Unmanaged devices
To protect unmanaged devices, such as BYOD devices, your organization’s IT or security team can:

20
 • Encourage users to keep their antivirus protection turned on and up to date. Devices should
have the latest technology and features needed to protect against new malware and attack techniques.
Microsoft regularly releases security intelligence updates and product updates. To learn more, see Microsoft
Defender Antivirus security intelligence and product updates.
• Consider onboarding unmanaged devices and protecting them with mobile threat defense
capabilities. Or, if you prefer to use Microsoft Intune, you can use Intune to enroll and manage devices.
To learn more, see Onboard devices to Microsoft Defender for Business.
• View and monitor device health in the Microsoft 365 Defender portal (https://security.micro
soft.com). After devices are onboarded to Defender for Business (or Intune), you can view details, such
as health state and exposure level for onboarded devices. You can also take actions, such as running an
antivirus scan or starting an automated investigation on a device that has detected threats or vulnerabilities.
To learn more, see Monitor onboarded devices and Review detected threats.
For their part in protecting unmanaged devices, users can:
• Turn on encryption and firewall protection. Disk encryption protects data when devices are lost or
stolen. Firewall protection helps protect devices from unwanted contact initiated by other computers when
you’re connected to the Internet or a network. To learn more, see Protect unmanaged Windows PCs and
Macs in Microsoft 365 Business Premium.
• Make sure antivirus/antimalware software is installed and up to date on all devices. To learn
more, see Stay protected with Windows Security.
• Keep their devices up to date with operating system and application updates. To learn more,
see Keep your PC up to date.
• Consider allowing their devices to be managed by your security team. Microsoft 365 Business
Premium includes advanced protection from ransomware, malware, phishing, and other threats. To learn
more, select the Managed devices tab (in this article).
To learn more about protecting unmanaged devices, see Set up unmanaged (BYOD) devices.

Next steps
• Set up information protection capabilities
• Set up BYOD devices or Set up and secure managed devices
• Use email securely
• Collaborate and share securely

Maintain your environment

After you have set up and configured Microsoft 365 Business Premium or Microsoft Defender for Business
(standalone), your next step is to prepare a plan for maintenance and operations. You can use this article as a
guide to prepare your plan.
• Microsoft 365 administration (also referred to as tenant administration) includes tasks that your
administrators (also referred to as admins) perform, such as adding or removing users, resetting passwords,
resetting devices to factory settings, and more. These kinds of tasks (and more!) are listed in Tenant
administration.
• Security administration includes tasks that your security administrators (also referred to as security
admins) perform, such as defining or editing security policies, onboarding or offboarding devices, and more.
These kinds of tasks are listed in Security administration.
• Security operations (also referred to as SecOps) includes tasks that your security team performs, such
as reviewing and addressing detected threats, running antivirus scans on devices, starting automated
investigations, and more. These kinds of tasks are listed in Security operations.
In each section, select the tab that corresponds to your subscription.

Tenant administration
Microsoft 365 Business Premium
Maintaining your Microsoft 365 Business Premium environment includes managing user accounts, managing
devices, and keeping things up to date and working correctly. Use this article as an admin guide for your

21
organization.
Many admin tasks can be performed in the Microsoft 365 admin center (https://admin.microsoft.com), although
some tasks, such as adding/removing devices, can be performed in other portals (such as the Microsoft 365
Defender portal or the Microsoft Intune admin center).
If you’re new to Microsoft 365, take a moment to get an Overview of the Microsoft 365 admin center.

General tasks

Task Resources to learn more

Get started using the Microsoft 365 admin center
Learn about new features in the Microsoft 365 admin
center
Find out about new product updates and features so
you can help prepare users
View usage reports to see how people are using
Microsoft 365
Open a technical support ticket
Overview of the Microsoft 365 admin center
What’s new in the Microsoft 365 admin center
Stay on top of Microsoft 365 product and feature
changes
Microsoft 365 Reports in the admin center
Get support for Microsoft 365 for business

Users, groups, and passwords

Task Resources to learn more

Add a new user Add a new employee to Microsoft 365
Assign licenses to users Assign Microsoft 365 licenses to users in the Microsoft
365 admin center Assign Microsoft 365 licenses to user
accounts by using PowerShell
Assign admin roles to people who need admin Assign admin roles in the Microsoft 365 admin center
permissions Assign admin roles to Microsoft 365 user accounts
with PowerShell
Remove licenses from users Unassign Microsoft 365 licenses from users in the
Microsoft 365 admin centerRemove Microsoft 365
licenses from user accounts with PowerShell
Turn pronouns on or off Turn pronouns on or off for your organization in the
Microsoft 365 admin center
Determine whether to allow guest access to groups for Guest users in Microsoft 365 admin center
their whole organization or for individual groups
Remove a user account when someone leaves your Overview: Remove a former employee and secure data
organization
Reset passwords for user accounts Reset passwords in Microsoft 365 for business

Email and calendars

Task Resources to learn more

Migrate email and contacts from Gmail or another
email provider to Microsoft 365
Add an email signature, legal disclaimer, or disclosure
statement to email messages that come in or go out
Set up, edit, or delete a security group
Add users to a distribution group
Set up a shared mailbox so people can monitor and
send email from a common email addresses, like
info@contoso.com
Migrate email and contacts to Microsoft 365
Create organization-wide signatures and disclaimers
Create, edit, or delete a security group in the
Microsoft 365 admin center
Add a user or contact to a Microsoft 365 distribution
group
Create a shared mailbox

22
Devices

Task Resources to learn more

Use Windows Autopilot to set up and pre-configure
new devices or to to reset, repurpose, and recover
devices
View current status of and manage devices
Onboard devices to Defender for Business
Offboard devices from Defender for Business
Manage devices with Intune
Overview of Windows Autopilot
Manage devices in Microsoft Defender for Business
Onboard devices to Defender for Business
Offboard a device from Defender for Business
What does device management with Intune
mean?Manage your devices and control device features
in Microsoft Intune

Domains

Task Resources to learn more

Add a domain (like contoso.com) to your Microsoft Add a domain to Microsoft 365
365 subscription
Buy a domain Buy a domain name
Remove a domain Remove a domain

Subscriptions and billing

Task Resources to learn more

View your bill or invoice View your Microsoft 365 for business subscription bill
or invoice
Manage your payment methods Manage payment methods
Change the frequency of your payments Change your Microsoft 365 subscription billing
frequency
Change your billing address Change your Microsoft 365 for business billing
addresses

Defender for Business

Maintaining your Defender for Business environment includes managing user accounts, managing devices, and
keeping things up to date and working correctly. Use this article as an admin guide for your organization.
Many admin tasks can be performed in the Microsoft 365 admin center (https://admin.microsoft.com), although
some tasks, such as adding/removing devices, can be performed in other portals (such as the Microsoft 365
Defender portal or the Microsoft Intune admin center).
If you’re new to Microsoft 365, take a moment to get an Overview of the Microsoft 365 admin center.

General tasks

Task Resources to learn more

Get started using the Microsoft 365 admin center
Learn about new features in the Microsoft 365 admin
center
Find out about new product updates and features so
you can help prepare users
View usage reports to see how people are using
Microsoft 365
Open a technical support ticket
Overview of the Microsoft 365 admin center
What’s new in the Microsoft 365 admin center
Stay on top of Microsoft 365 product and feature
changes
Microsoft 365 Reports in the admin center
Get support for Microsoft 365 for business

23
Users, groups, and passwords

Task Resources to learn more

Add a new user Add a new employee to Microsoft 365
Assign licenses to users Assign Microsoft 365 licenses to users in the Microsoft
365 admin center Assign Microsoft 365 licenses to user
accounts by using PowerShell
Assign admin roles to people who need admin Assign admin roles in the Microsoft 365 admin center
permissions Assign admin roles to Microsoft 365 user accounts
with PowerShell
Remove licenses from users Unassign Microsoft 365 licenses from users in the
Microsoft 365 admin centerRemove Microsoft 365
licenses from user accounts with PowerShell
Remove a user account when someone leaves your Overview: Remove a former employee and secure data
organization
Reset passwords for user accounts Reset passwords in Microsoft 365 for business

Devices

Task Resources to learn more

View current status of and manage devices
Onboard devices to Defender for Business
Offboard devices from Defender for Business
Manage devices with Intune
Manage devices in Defender for Business
Onboard devices to Defender for Business
Offboard a device from Defender for Business
What does device management with Intune
mean?Manage your devices and control device features
in Microsoft Intune

Subscriptions and billing

Task Resources to learn more

View your bill or invoice View your Microsoft 365 for business subscription bill
or invoice
Manage your payment methods Manage payment methods
Change the frequency of your payments Change your Microsoft 365 subscription billing
frequency
Change your billing address Change your Microsoft 365 for business billing
addresses
Upgrade your subscription Try or buy Microsoft 365 Business Premium
Add Microsoft Intune to your subscription(for Get an overview of Intune Microsoft Intune Plans and
additional security capabilities) Pricing
Try Defender for Office 365 (to protect email and Try Microsoft Defender for Office 365
collaboration content)

Security administration
Microsoft 365 Business Premium
Security administrators (also referred to as security admins) perform various tasks, such as:
• Defining or editing security policies
• Onboarding or offboarding devices
• Taking steps to protect high-risk user accounts or devices
The following table lists common tasks that security admins typically perform, with links to more detailed
information.

24
Task
Manage false positives/negatives
Strengthen your security posture
Adjust security policies
Analyze admin submissions
25
Description
A false positive is an entity, such as a file or a process
that was detected and identified as malicious even
though the entity isn’t actually a threat. A false
negative is an entity that wasn’t detected as a threat,
even though it actually is malicious. False
positives/negatives can occur with any threat
protection solution, including Microsoft Defender for
Office 365 and Microsoft Defender for Business, which
are both included in Microsoft 365 Business Premium.
Fortunately, steps can be taken to address and reduce
these kinds of issues. For false positives/negatives on
devices, see Address false positives/negatives in
Microsoft Defender for Endpoint.For false
positives/negatives in email, see the following articles:
- How to handle malicious emails that are delivered to
recipients (False Negatives), using Microsoft Defender
for Office 365- How to handle Legitimate emails
getting blocked (False Positive), using Microsoft
Defender for Office 365
Defender for Business includes a vulnerability
management dashboard that provides you with
exposure score and enables you to view information
about exposed devices and see relevant security
recommendations. You can use your Defender
Vulnerability Management dashboard to reduce
exposure and improve your organization’s security
posture. See the following articles:- Use your
vulnerability management dashboard in Microsoft
Defender for Business- Dashboard insights
Reports are available so that you can view information
about detected threats, device status, and more.
Sometimes it’s necessary to adjust your security
policies. For example, you might apply strict
protection to some user accounts or devices, and
standard protection to others. See the following
articles: - For device protection: View or edit policies
in Microsoft Defender for Business - For email
protection: Recommended settings for EOP and
Microsoft Defender for Office 365 security
Sometimes it’s necessary to submit entities, such as
email messages, URLs, or attachments to Microsoft for
further analysis. Reporting items can help reduce the
occurrence of false positives/negatives and improve
threat detection accuracy. See the following articles: -
Use the Submissions page to submit suspected spam,
phish, URLs, legitimate email getting blocked, and
email attachments to Microsoft- Admin review for user
reported messages
Task Description
Protect priority user accounts Not all user accounts have access to the same company
information. Some accounts have access to sensitive
information, such as financial data, product
development information, partner access to critical
build systems, and more. If compromised, accounts
that have access to highly confidential information
pose a serious threat. We call these types of accounts
priority accounts. Priority accounts include (but aren’t
limited to) CEOs, CISOs, CFOs, infrastructure admin
accounts, build system accounts, and more.See the
following articles: - Protect your administrator
accounts - Security recommendations for priority
accounts in Microsoft 365
Protect high-risk devices The overall risk assessment of a device is based on a
combination of factors, such as the types and severity
of active alerts on the device. As your security team
resolves active alerts, approves remediation activities,
and suppresses subsequent alerts, the risk level
decreases. See Manage devices in Microsoft Defender
for Business.
Onboard or offboard devices As devices are replaced or retired, new devices are
purchased, or your business needs change, you can
onboard or offboard devices from Defender for
Business. See the following articles: - Onboard devices
to Microsoft Defender for Business - Offboard a device
from Microsoft Defender for Business

Defender for Business

Security administrators (also referred to as security admins) perform various tasks, such as:
• Defining or editing security policies
• Onboarding or offboarding devices
• Taking steps to protect high-risk user accounts or devices
The following table lists common tasks that security admins typically perform, with links to more detailed
information.

Task Description
Manage false positives/negatives A false positive is an entity, such as a file or a process
that was detected and identified as malicious even
though the entity isn’t actually a threat. A false
negative is an entity that wasn’t detected as a threat,
even though it actually is malicious. False
positives/negatives can occur with any threat
protection solution, including Defender for Business.
Fortunately, steps can be taken to address and reduce
these kinds of issues. See Address false
positives/negatives in Microsoft Defender for
Endpoint.

26
Task Description
Strengthen your security posture Defender for Business includes a vulnerability
management dashboard that provides you with
exposure score and enables you to view information
about exposed devices and see relevant security
recommendations. You can use your Defender
Vulnerability Management dashboard to reduce
exposure and improve your organization’s security
posture. See the following articles:- Use your
vulnerability management dashboard in Defender for
Business- Dashboard insights
Adjust security policies Reports are available so that you can view information
about detected threats, device status, and more.
Sometimes it’s necessary to adjust your security
policies. For example, you might apply strict
protection to some user accounts or devices, and
standard protection to others. See View or edit
policies in Defender for Business.
Protect high-risk devices The overall risk assessment of a device is based on a
combination of factors, such as the types and severity
of active alerts on the device. As your security team
resolves active alerts, approves remediation activities,
and suppresses subsequent alerts, the risk level
decreases. See Manage devices in Defender for
Business.
Onboard or offboard devices As devices are replaced or retired, new devices are
purchased, or your business needs change, you can
onboard or offboard devices from Defender for
Business. See the following articles: - Onboard devices
to Defender for Business - Offboard a device from
Defender for Business

Security operations
Microsoft 365 Business Premium
If you’re new to Microsoft 365 Business Premium, or if your business doesn’t have a security operations guide
in place yet, use this article as a starting point. If you do already have a security operations guide, review it
against the recommendations in this article.
You can use this guidance to make decisions about security incident priorities and tasks your security team will
perform in the Microsoft Defender portal (https://security.microsoft.com).

Daily tasks

27
Task
Check your threat vulnerability management
dashboard
Review pending actions in the Action center
Review devices with threat detections
Learn about new incidents or alerts
28
Description
Get a snapshot of threat vulnerability by looking at
your vulnerability management dashboard, which
reflects how vulnerable your organization is to
cybersecurity threats. A high exposure score means
your devices are more vulnerable to exploitation. 1. In
the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, select Vulnerability management >
Dashboard.2. Take a look at your Organization
exposure score. If it’s in the acceptable or “High”
range, you can move on. If it isn’t, select Improve
score to see more details and security
recommendations to improve this score. Being aware
of your exposure score helps you to:- Quickly
understand and identify high-level takeaways about
the state of security in your organization- Detect and
respond to areas that require investigation or action to
improve the current state- Communicate with peers
and management about the impact of security efforts
As threats are detected, remediation actions come into
play. Depending on the particular threat and how
your security settings are configured, remediation
actions might be taken automatically or only upon
approval, which is why these should be monitored
regularly. Remediation actions are tracked in the
Action center.1. In the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, choose Action center.2. Select the Pending
tab to view and approve (or reject) any pending
actions. Such actions can arise from antivirus or
antimalware protection, automated investigations,
manual response activities, or live response sessions.3.
Select the History tab to view a list of completed
actions.
When threats are detected on devices, your security
team needs to know so that any needed actions, such
as isolating a device, can be taken promptly. 1. In the
Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, choose Reports > General > Security
report.2. Scroll down to the Vulnerable devices
row. If threats were detected on devices, you’ll see
that information in this row.
As threats are detected and alerts are triggered,
incidents are created. Your company’s security team
can view and manage incidents in the Microsoft 365
Defender portal.1. In the Microsoft 365 Defender
portal (https://security.microsoft.com), in the
navigation menu, select Incidents. Incidents are
displayed on the page with associated alerts.2. Select
an alert to open its flyout pane, where you can learn
more about the alert.3. In the flyout, you can see the
alert title, view a list of assets (such as endpoints or
user accounts) that were affected, take available
actions, and use links to view more information and
even open the details page for the selected alert.
Task Description
Run a scan or automated investigation Your security team can initiate a scan or an
automated investigation on a device that has a high
risk level or detected threats. Depending on the
results of the scan or automated investigation,
remediation actions can occur automatically or upon
approval.1. In the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, choose Assets > Devices.2. Select a device to
open its flyout panel, and review the information that
is displayed.- Select the ellipsis (. . . ) to open the
actions menu.- Select an action, such as Run
antivirus scan or Initiate Automated
Investigation.

Weekly tasks

Task Description
Monitor and improve your Microsoft Secure score Microsoft Secure Score is a measurement of your
organization’s security posture. Higher numbers
indicate that fewer improvement actions are needed.
By using Secure Score, you can: - Report on the
current state of your organization’s security posture.-
Improve your security posture by providing
discoverability, visibility, guidance, and control.-
Compare with benchmarks and establish key
performance indicators (KPIs).To check your score,
follow these steps:1. In the Microsoft 365 Defender
portal (https://security.microsoft.com), in the
navigation pane choose Secure score. 2. Review and
make decisions about the remediations and actions in
order to improve your overall Microsoft secure score.

29
Task Description
Improve your secure score for devices Improve your security configuration by remediating
issues using the security recommendations list. As you
do so, your Microsoft Secure Score for Devices
improves and your organization becomes more resilient
against cybersecurity threats and vulnerabilities going
forward. It’s always worth the time it takes to review
and improve your score.To check your secure score,
follow these steps: 1. In the Microsoft 365 Defender
portal (https://security.microsoft.com), in the
navigation pane select Secure score.2. From the
Microsoft Secure Score for Devices card in the
Defender Vulnerability Management dashboard, select
one of the categories. A list of recommendations
related to that category displays, along with
recommendations.3.Select an item on the list to
display details related to the recommendation.4. Select
Remediation options.5. Read the description to
understand the context of the issue and what to do
next. Choose a due date, add notes, and select
Export all remediation activity data to CSV so
you can attach it to an email for follow-up. A
confirmation message tells you the remediation task
has been created.6. Send a follow-up email to your IT
Administrator and allow for the time that you’ve
allotted for the remediation to propagate in the
system.7. Return to the Microsoft Secure Score for
Devices card on the dashboard. The number of
security controls recommendations has decreased as a
result of your actions.8. Select Security controls to
go back to the Security recommendations page. The
item that you addressed isn’t listed there anymore,
which results in your Microsoft secure score improving.

Monthly tasks

Task Description
Run reports Several reports are available in the Microsoft 365
Defender portal (https://security.microsoft.com).1. In
the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, select Reports.2. Choose a report to review.
Each report displays many pertinent categories for
that report.3. Select View details to see deeper
information for each category.4. Select the title of a
particular threat to see details specific to it.
Run a simulation tutorial It’s always a good idea to increase the security
preparedness for you and your team through training.
You can access simulation tutorials in the Microsoft
365 Defender portal. The tutorials cover several types
of cyber threats. To get started, follow these steps:1.
In the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, choose Tutorials.<2. Read the walk-through
for a tutorial you’re interested in running, and then
download the file, or copy the script needed to run the
simulation according to the instructions.

30
Task
Explore the Learning hub
Tasks to perform as needed
Task
Use the Threat analytics dashboard
31
Description
Use the Learning hub to increase your knowledge of
cybersecurity threats and how to address them. We
recommend exploring the resources that are offered,
especially in the Microsoft 365 Defender and
Endpoints sections.1. In the Microsoft 365 Defender
portal (https://security.microsoft.com), in the
navigation pane, choose Learning hub.2. Select an
area, such as Microsoft 365 Defender or
Endpoints.3. Select an item to learn more about
each concept. Note that some resources in the
Learning hub might cover functionality that isn’t
actually included in Microsoft 365 Business Premium.
For example, advanced hunting capabilities are
included in enterprise subscriptions, such as Defender
for Endpoint Plan 2 or Microsoft 365 Defender, but
not in Microsoft 365 Business Premium. Compare
security features in Microsoft 365 plans for small and
medium-sized businesses.
Description
Use the threat analytics dashboard to get an overview
of the current threat landscape by highlighting reports
that are most relevant to your organization. 1. In the
Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, select Threat analytics to display the Threat
analytics dashboard. The dashboard summarizes the
threats into the following sections:- Latest threats
lists the most recently published or updated threat
reports, along with the number of active and resolved
alerts.- High-impact threats lists the threats that
have the highest impact to your organization. This
section lists threats with the highest number of active
and resolved alerts first.- Highest exposure lists
threats with the highest exposure levels first. The
exposure level of a threat is calculated using two
pieces of information: how severe the vulnerabilities
associated with the threat are, and how many devices
in your organization could be exploited by those
vulnerabilities.3. Select the title of the one you want
to investigate, and read the associated report.4. You
can also review the full Analyst report for more details,
or select other headings to view the related incidents,
impacted assets, and exposure and mitigations.
Task Description
Remediate an item Microsoft 365 Business Premium includes several
remediation actions. Some actions are taken
automatically, and others await approval by your
security team.1. In the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, go to Assets > Devices.2. Select a device, such
as one with a high risk level or exposure level. A
flyout pane opens and displays more information
about alerts and incidents generated for that item.3.
On the flyout, view the information that is displayed.
Select the ellipsis (. . . ) to open a menu that lists
available actions.4. Select an available action. For
example, you might choose Run antivirus scan,
which will cause Microsoft Defender Antivirus to start
a quick scan on the device. Or, you could select
Initiate Automated Investigation to trigger an
automated investigation on the device.

Remediation actions in Microsoft 365 Business Premium

The following table summarizes remediation actions that are available in Microsoft 365 Business Premium:

Source Actions
Automated investigations Quarantine a fileRemove a registry keyKill a
processStop a serviceDisable a driverRemove a
scheduled task
Manual response actions Run antivirus scanIsolate deviceAdd an indicator to
block or allow a file
Live response Collect forensic dataAnalyze a fileRun a scriptSend a
suspicious entity to Microsoft for analysisRemediate a
fileProactively hunt for threats

Defender for Business

If you’re new to Defender for Business, or if your business doesn’t have a security operations guide in place yet,
use this article as a starting point. If you do already have a security operations guide, review it against the
recommendations in this article.
You can use this guidance to make decisions about security incident priorities and tasks your security team will
perform in the Microsoft Defender portal (https://security.microsoft.com).

Daily tasks

32
Task
Check your threat vulnerability management
dashboard
Review pending actions in the Action center
Review devices with threat detections
Learn about new incidents or alerts
33
Description
Get a snapshot of threat vulnerability by looking at
your vulnerability management dashboard, which
reflects how vulnerable your organization is to
cybersecurity threats. A high exposure score means
your devices are more vulnerable to exploitation. 1. In
the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, select Vulnerability management >
Dashboard.2. Take a look at your Organization
exposure score. If it’s in the acceptable or “High”
range, you can move on. If it isn’t, select Improve
score to see more details and security
recommendations to improve this score. Being aware
of your exposure score helps you to:- Quickly
understand and identify high-level takeaways about
the state of security in your organization- Detect and
respond to areas that require investigation or action to
improve the current state- Communicate with peers
and management about the impact of security efforts
As threats are detected, remediation actions come into
play. Depending on the particular threat and how
your security settings are configured, remediation
actions might be taken automatically or only upon
approval, which is why these should be monitored
regularly. Remediation actions are tracked in the
Action center.1. In the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, choose Action center.2. Select the Pending
tab to view and approve (or reject) any pending
actions. Such actions can arise from antivirus or
antimalware protection, automated investigations,
manual response activities, or live response sessions.3.
Select the History tab to view a list of completed
actions.
When threats are detected on devices, your security
team needs to know so that any needed actions, such
as isolating a device, can be taken promptly. 1. In the
Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, choose Reports > General > Security
report.2. Scroll down to the Vulnerable devices
row. If threats were detected on devices, you’ll see
that information in this row.
As threats are detected and alerts are triggered,
incidents are created. Your company’s security team
can view and manage incidents in the Microsoft 365
Defender portal.1. In the Microsoft 365 Defender
portal (https://security.microsoft.com), in the
navigation menu, select Incidents. Incidents are
displayed on the page with associated alerts.2. Select
an alert to open its flyout pane, where you can learn
more about the alert.3. In the flyout, you can see the
alert title, view a list of assets (such as endpoints or
user accounts) that were affected, take available
actions, and use links to view more information and
even open the details page for the selected alert.
Task Description
Run a scan or automated investigation Your security team can initiate a scan or an
automated investigation on a device that has a high
risk level or detected threats. Depending on the
results of the scan or automated investigation,
remediation actions can occur automatically or upon
approval.1. In the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, choose Assets > Devices.2. Select a device to
open its flyout panel, and review the information that
is displayed.- Select the ellipsis (. . . ) to open the
actions menu.- Select an action, such as Run
antivirus scan or Initiate Automated
Investigation.

Weekly tasks

Task Description
Monitor and improve your security score Microsoft Secure Score is a measurement of your
organization’s security posture. Higher numbers
indicate that fewer improvement actions are needed.
By using Secure Score, you can: - Report on the
current state of your organization’s security posture.-
Improve your security posture by providing
discoverability, visibility, guidance, and control.-
Compare with benchmarks and establish key
performance indicators (KPIs).To check your score,
follow these steps:1. In the Microsoft 365 Defender
portal (https://security.microsoft.com), in the
navigation pane choose Secure score. 2. Review and
make decisions about the remediations and actions in
order to improve your overall Microsoft secure score.

34
Task Description
Improve your secure score for devices Improve your security configuration by remediating
issues using the security recommendations list. As you
do so, your Microsoft Secure Score for Devices
improves and your organization becomes more resilient
against cybersecurity threats and vulnerabilities going
forward. It’s always worth the time it takes to review
and improve your score.To check your secure score,
follow these steps: 1. In the Microsoft 365 Defender
portal (https://security.microsoft.com), in the
navigation pane select Secure score.2. From the
Microsoft Secure Score for Devices card in the
Defender Vulnerability Management dashboard, select
one of the categories. A list of recommendations
related to that category displays, along with
recommendations.3.Select an item on the list to
display details related to the recommendation.4. Select
Remediation options.5. Read the description to
understand the context of the issue and what to do
next. Choose a due date, add notes, and select
Export all remediation activity data to CSV so
you can attach it to an email for follow-up. A
confirmation message tells you the remediation task
has been created.6. Send a follow-up email to your IT
Administrator and allow for the time that you’ve
allotted for the remediation to propagate in the
system.7. Return to the Microsoft Secure Score for
Devices card on the dashboard. The number of
security controls recommendations has decreased as a
result of your actions.8. Select Security controls to
go back to the Security recommendations page. The
item that you addressed isn’t listed there anymore,
which results in your Microsoft secure score improving.

Monthly tasks

Task Description
Run security reports Several reports are available in the Microsoft 365
Defender portal.1. In the Microsoft 365 Defender
portal (https://security.microsoft.com), in the
navigation pane, select Reports.2. Choose a report to
review. Each report displays many pertinent
categories for that report.3. Select View details to
see deeper information for each category.4. Select the
title of a particular threat to see details specific to it.
Run a simulation tutorial It’s always a good idea to increase the security
preparedness for you and your team through training.
You can access simulation tutorials in the Microsoft
365 Defender portal. The tutorials cover several types
of cyber threats. To get started, follow these steps:1.
In the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, choose Tutorials.<2. Read the walk-through
for a tutorial you’re interested in running, and then
download the file, or copy the script needed to run the
simulation according to the instructions.

35
Task
Explore the Learning hub
Tasks to perform as needed
Task
Use the Threat analytics dashboard
36
Description
Use the Learning hub to increase your knowledge of
cybersecurity threats and how to address them. We
recommend exploring the resources that are offered,
especially in the Microsoft 365 Defender and
Endpoints sections.1. In the Microsoft 365 Defender
portal (https://security.microsoft.com), in the
navigation pane, choose Learning hub.2. Select an
area, such as Microsoft 365 Defender or
Endpoints.3. Select an item to learn more about each
concept. Note that some resources in the Learning hub
might cover functionality that isn’t actually included
in Defender for Business. For example, advanced
hunting capabilities are included in enterprise
subscriptions, such as Defender for Endpoint Plan 2 or
Microsoft 365 Defender, but not in Defender for
Business. Compare security features in Microsoft 365
plans for small and medium-sized businesses.
Description
Use the threat analytics dashboard to get an overview
of the current threat landscape by highlighting reports
that are most relevant to your organization. 1. In the
Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, select Threat analytics to display the Threat
analytics dashboard. The dashboard summarizes the
threats into the following sections:- Latest threats
lists the most recently published or updated threat
reports, along with the number of active and resolved
alerts.- High-impact threats lists the threats that
have the highest impact to your organization. This
section lists threats with the highest number of active
and resolved alerts first.- Highest exposure lists
threats with the highest exposure levels first. The
exposure level of a threat is calculated using two
pieces of information: how severe the vulnerabilities
associated with the threat are, and how many devices
in your organization could be exploited by those
vulnerabilities.3. Select the title of the one you want
to investigate, and read the associated report.4. You
can also review the full Analyst report for more details,
or select other headings to view the related incidents,
impacted assets, and exposure and mitigations.
Task Description
Remediate an item Defender for Business includes several remediation
actions. Some actions are taken automatically, and
others await approval by your security team.1. In the
Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, go to Assets > Devices.2. Select a device, such
as one with a high risk level or exposure level. A
flyout pane opens and displays more information
about alerts and incidents generated for that item.3.
On the flyout, view the information that is displayed.
Select the ellipsis (. . . ) to open a menu that lists
available actions.4. Select an available action. For
example, you might choose Run antivirus scan,
which will cause Microsoft Defender Antivirus to start
a quick scan on the device. Or, you could select
Initiate Automated Investigation to trigger an
automated investigation on the device.

Remediation actions in Defender for Business

The following table summarizes remediation actions that are available in Defender for Business:

Source Actions
Automated investigations Quarantine a fileRemove a registry keyKill a
processStop a serviceDisable a driverRemove a
scheduled task
Manual response actions Run antivirus scanIsolate deviceAdd an indicator to
block or allow a file
Live response Collect forensic dataAnalyze a fileRun a scriptSend a
suspicious entity to Microsoft for analysisRemediate a
fileProactively hunt for threats

See also
• Security incident management

• Reports in Defender for Business

• Microsoft 365 for business security best practices

What’s new in Microsoft 365 Business Premium and Microsoft De-

fender for Business
Applies to: - Microsoft 365 Business Premium - Microsoft Defender for Business
This article lists new features in the latest release of Microsoft 365 Business Premium and Microsoft Defender
for Business. Features that are currently in preview are denoted with (preview).

July 2023
[!TIP] Read all about the exciting, new capabilities releasing in July 2023 in the Tech
Community blog: New SMB security innovations from Microsoft Inspire 2023.
• Mobile threat defense is rolling out. Mobile threat defense includes operating system-level threat and
vulnerability management, web protection, and app security. It’s not generally available in Defender for
Business and Microsoft 365 Business Premium. Learn more about mobile threat defense.

37
 • Automatic attack disruption is rolling out. During an ongoing attack, automatic attack disruption
capabilities swiftly contain compromised devices to help stop lateral movement within the network and
minimize the overall impact of the attack. Automatic attack disruption is included in Defender for Business
and Microsoft 365 Business Premium. Learn more about automatic attack disruption.
• Security summary reports are rolling out. Use these reports to view threats that were prevented by
Defender for Business, Microsoft Secure Score status, and recommendations for improving security. See
Reports in Microsoft Defender for Business.
• Streaming API (preview) is now available for Defender for Business. For partners or customers
looking to build their own security operations center, the Defender for Endpoint streaming API is now in
preview for Defender for Business and Microsoft 365 Business Premium. The API supports streaming of
device file, registry, network, sign-in events and more to Azure Event Hub, Azure Storage, and Microsoft
Sentinel to support advanced hunting and attack detection. See the Microsoft 365 streaming API guide.
• Managed detection and response integration with Blackpoint Cyber. This solution is ideal for
customers who don’t have the resources to invest in an in-house security operations center and for partners
who want to augment their IT team with security experts to investigate, triage, and remediate the alerts
generated by Defender for Business and Business Premium. Learn more bout Blackpoint Cyber.
• Customizable security baselines and configuration drift reports in Microsoft 365 Lighthouse.
For Microsoft Managed Service Providers (MSPs), Microsoft 365 Lighthouse includes security baselines
to deploy a standardized set of configurations to customers’ tenants. Microsoft 365 Lighthouse now lets
MSPs customize baselines based on expertise and tailor them to customers’ unique needs. Learn more
about Microsoft 365 Lighthouse.
• New training resources for Microsoft partners. To provide step-by-step guidance for partners on
how to build services based on critical CIS cybersecurity controls, a Security Managed services kit and a
three-part digital training series are now available. See IT partner resources to help build security
services in the Tech Community blog: New SMB security innovations from Microsoft Inspire 2023.

March 2023
• Mobile threat defense (preview) is added to Defender for Business. The ability to onboard
iOS and Android devices to the standalone version of Defender for Business is now in preview! These
capabilities provide OS-level threat and vulnerability management, web protection, and app security to
help you and employees stay more secure on the go. See Mobile threat defense capabilities in Microsoft
Defender for Business.
• Monthly security summary report (preview) is added to Defender for Business (preview).
The new monthly security summary report shows how secure your organization is across identity, devices,
information, and apps. You can view threats detected (and blocked) by Defender for Business together
with your current status from Microsoft Secure Score. Recommendations to improve your security are also
provided. See Reports in Microsoft Defender for Business.
• Device exposure score is now visible in Microsoft 365 Lighthouse (preview). Microsoft Cloud
Solution Providers (CSPs) who are using Microsoft 365 Lighthouse can now view and manage device
exposure scores across customer tenants. These capabilities enable partners to discover which customers’
devices are at risk because of vulnerabilities. See Overview of the Vulnerability management page in
Microsoft 365 Lighthouse.

January 2023
• Attack surface reduction capabilities are rolling out. Attack surface reduction capabilities in
Defender for Business include attack surface reduction rules and a new attack surface reduction rules
report. Attack surface reduction rules target certain behaviors that are considered risky because they’re
commonly abused by attackers through malware. In the Microsoft 365 Defender portal (https://security.m
icrosoft.com/), you can now view a report showing detections and configuration information for attack
surface reduction rules. In the navigation pane, choose Reports, and under Endpoints, choose Attack
surface reduction rules.
• Default experience for Defender for Business when an enterprise plan is added. Defender for
Business now retains its default experience (simplified configuration and setup) even if an enterprise plan,
such as Defender for Endpoint Plan 2 or Microsoft Defender for Servers Plan 1 or 2 is added. To learn
more, see What happens if I have a mix of Microsoft endpoint security subscriptions?

38
November 2022
• Microsoft Defender for Business servers, a new add-on for Defender for Business, is now generally
available. To learn more, see the following articles:
– How to get Microsoft Defender for Business servers
– Tech Community Blog: Server security made simple for small businesses
• License reporting (preview) in Defender for Business. A new report (rolling out in preview) enables
you to view your Defender for Business license usage. To learn more, see Reports in Microsoft Defender for
Business.

July 2022
• Microsoft Defender for Business servers (preview) is available to customers who have at least one
paid license of Microsoft 365 Business Premium or Defender for Business. See Tech Community blog:
Server protection for small business is now in preview within Microsoft Defender for Business.

May 2022
• Defender for Business (standalone) is now generally available. To learn more, see the following resources:
– Tech Community blog: Introducing Microsoft Defender for Business
– What is Microsoft Defender for Business?
– Get Microsoft Defender for Business

March 2022
• Microsoft 365 Business Premium now includes Defender for Business. To learn more, see Tech
Community blog: New security solutions to help secure small and medium businesses.

See also
What’s new in Microsoft 365 Lighthouse

MFA for users

Multi-factor authentication (MFA) provides increased security because instead of only using a password, or a
code through text, a separate app on your phone is used to verify access. This makes it difficult to hack. When
MFA is required, members of the organization can use the Microsoft Authenticator app to securely sign in on
their devices.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE2MmQR]
See more at Set up multi-factor authentication in Microsoft 365 Business Premium

Use the Outlook app on your devices

When MFA is enforced, the authenticator app serves as a second form of authentication. We also recommend
that everyone install and use the Outlook app to access their Microsoft 365 email on their devices. See Download
Microsoft Outlook for iOS and Android.

Next objective
Proceed to install Microsoft 365 Apps.

Onboard enrolled devices to Microsoft Defender for Business

Microsoft 365 Business Premium includes Microsoft Defender for Business, an endpoint security solution for small
and medium-sized businesses. Defender for Business provides next-generation protection (antivirus, antimalware,
and cloud-delivered protection), firewall protection, web content filtering, and more for your company’s devices.
Protection is applied when you onboard devices and apply security policies to those devices.
To onboard devices to Defender for Business, you can choose from several options:

39
 • Automatic onboarding for Windows devices that are already enrolled in Microsoft Intune
• A local script to onboard Windows and Mac devices to Defender for Business (for devices that are not
already enrolled in Intune)
• Onboard mobile devices using the Microsoft Defender app (Mobile threat defense capabilities are now
generally available!)
• Intune for enrolling new devices, including mobile devices (Windows, Mac, iOS, and Android) and then
apply Defender for Business policies to those devices
This article also includes:
• What about servers?
• How to run a detection test on a Windows device
• How to onboard devices gradually
• How to offboard a device if a device is replaced or someone leaves the organization
[!IMPORTANT] If something goes wrong and your onboarding process fails, see Microsoft Defender
for Business troubleshooting.

Use automatic onboarding for Windows devices that are already enrolled in Intune
You can onboard Windows client devices to Defender for Business automatically if those devices are already
enrolled in Intune. Defender for Business detects Windows client devices that are already enrolled in Intune,
and prompts you to choose whether to onboard those devices automatically. Security policies and settings in
Defender for Business are then applied to those devices. We call this process automatic onboarding.
Automatic onboarding helps get your devices protected almost immediately. Note that the automatic onboarding
option applies to Windows client devices only, if the following conditions are met:
• Your organization was already using Intune or Mobile Device Management (MDM) in Intune before you
got Defender for Business (Microsoft 365 Business Premium customers already have Microsoft Intune and
MDM).
• You already have Windows client devices enrolled in Intune.
[!TIP] If you’re prompted to use automatic onboarding, we recommend selecting the “all devices
enrolled” option. That way, when Windows devices are enrolled in Intune later on, they’ll be
onboarded to Defender for Business automatically.
To learn more about automatic onboarding, see Use the wizard to set up Microsoft Defender for Business.

Use a local script to onboard Windows and Mac devices to Defender for Business
You can use a local script to onboard Windows and Mac devices. When you run the onboarding script on a
device, it creates a trust with Azure Active Directory (if that trust doesn’t already exist), enrolls the device in
Intune (if it isn’t already enrolled), and then onboards the device to Defender for Business. You can onboard up
to 10 devices at a time using the local script.
See Onboard devices to Microsoft Defender for Business for detailed instructions.

Onboard mobile devices using the Microsoft Defender app

You can now onboard Android and iOS devices using the Microsoft Defender app. With mobile threat defense
capabilities in Defender for Business, users download the Microsoft Defender app from Google Play or the Apple
App Store, sign in, and complete onboarding steps.
For detailed instructions, see the Mobile devices tab in Onboard devices to Microsoft Defender for Business.
To learn more about mobile threat defense, see Mobile threat defense capabilities in Microsoft Defender for
Business.

Use Intune to enroll devices

To enroll a device, you can enroll it yourself, or have users sign in to the company portal app, enroll their devices,
and then install any apps that are needed.
If you were already using Intune or Mobile Device Management before you got Defender for Business, you can
continue to use Intune to onboard your organization’s devices. With Intune, you can onboard computers, tablets,
and phones, including iOS and Android devices.

40
See Device enrollment in Microsoft Intune.

What about servers?

To onboard servers, an additional license, such as Microsoft Defender for Business servers, is required. See How
to get Microsoft Defender for Business servers.

Run a detection test on a Windows device

After you’ve onboarded Windows devices to Defender for Business, you can run a detection test on a Windows
device to make sure that everything is working correctly.
1. On the Windows device, create a folder: C:\test-MDATP-test.
2. Open Command Prompt as an administrator.
3. In the Command Prompt window, run the following PowerShell command:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silent
After the command has run, the Command Prompt window closes automatically. If successful, the detection test
is marked as completed, and a new alert appears in the Microsoft 365 Defender portal (https://security.microso
ft.com) for the newly onboarded device in about ten minutes.

Onboard devices gradually

If you prefer to onboard devices in phases, which we call gradual device onboarding, follow these steps:
1. Identify a set of devices to onboard.
2. Go to the Microsoft 365 Defender portal (https://security.microsoft.com), and sign in.
3. In the navigation pane, choose Settings > Endpoints, and then under Device management, choose
Onboarding.
4. Select an operating system (such as Windows 10 and 11), and then choose an onboarding method (such
as Local script). Follow the guidance provided for the method you selected.
5. Repeat this process for each set of devices you want to onboard.
[!TIP] You don’t have to use the same onboarding package every time you onboard devices. For
example, you can use a local script to onboard some devices, and later on, you can choose another
method to onboard more devices.

Offboard a device
If you want to offboard a device, use one of the following procedures:
1. In the navigation pane, choose Settings, and then choose Endpoints.
2. Under Device management, choose Offboarding.
3. Select an operating system, such as Windows 10 and 11, and then, under Offboard a device, in the
Deployment method section, choose Local script.
4. In the confirmation screen, review the information, and then choose Download to proceed.
5. Select Download offboarding package. We recommend saving the offboarding package to a removable
drive.
6. Run the script on each device that you want to offboard. Need help with this task? See the following
resources:
• Windows devices: Offboard Windows devices using a local script
• Mac: Uninstalling on Mac
[!IMPORTANT] Offboarding a device causes the devices to stop sending data to Defender for Business.
However, data received prior to offboarding is retained for up to six (6) months.

41
 Choose Users and then Active users in the left nav.

Figure 4: Choose Users and then Active users in the left nav.

Next objective
Set up protection for your Windows devices.

Protect your administrator accounts

Because admin accounts come with elevated privileges, they’re valuable targets for cyberattackers. This article
describes:
• How to set up an another administrator account for emergencies.
• How to create an emergency admin account.
• How to create a user account for yourself.
• How to protect admin accounts.
• Additional recommendations and your next objective.
When you sign up for Microsoft 365 and enter your information, you automatically become the Global Ad-
ministrator (also referred to as the Global admin). A Global admin has the ultimate control of user accounts
and all the other settings in the Microsoft admin center (https://admin.microsoft.com), but there are many
different kinds of admin accounts with varying degrees of access. See about admin roles for information about
the different access levels for each kind of admin role.

Create other admin accounts

Use admin accounts only for Microsoft 365 administration. Admins should have a separate user account for
their regular use of Microsoft 365 Apps, and only use their administrative account when necessary to manage
accounts and devices, and while working on other admin functions. It’s also a good idea to remove the Microsoft
365 license from your admin accounts so you don’t have to pay for extra licenses.
You’ll want to set up at least one other Global admin account to give admin access to another trusted employee.
You can also create separate admin accounts for user management (this role is called User management
administrator). For more information, see about admin roles.
[!IMPORTANT] Although we recommend setting up a set of admin accounts, you’ll want to limit the
number of global admins for your organization. In addition, we recommend adhering to the concept
of least-privilege access, which means you grant access to only the data and operations needed to
perform their jobs. Learn more about the principle of least privilege.
To create more admin accounts:
1. In the Microsoft 365 admin center, choose Users > Active users in the left nav.
2. On the Active users page, select Add a user at the top of the page.
3. In the Add a user panel, enter basic information such as name and username information.
4. Enter and set up Product licenses information.
5. In Optional settings, define the role of the user, including adding Admin center access if appropriate.
:::image type=“content” source=“media/m365bp-global-admin.png” alt-text=“Define new user roles.”:::
6. Finish and review your settings and select Finish adding to confirm the details.

Create an emergency admin account

You should also create a backup account that isn’t set up with multi-factor authentication (MFA) so you
don’t accidentally lock yourself out (for example, if you lose your phone that you’re using as a second form
of verification). Make sure that the password for this account is a phrase or at least 16 characters long. This
emergency admin account is often referred to as a “break-glass account.”

42
Create a user account for yourself
If you’re an admin, you’ll need a user account for regular work tasks, such as checking mail. Name your accounts so
that you know which is which. For example, your admin credentials might be similar to Alice.Chavez@Contoso.org,
and your regular user account might be similar to Alice@Contoso.com.
To create a new user account:
1. Go to the Microsoft 365 admin center and then choose Users > Active users in the left nav.
2. On the Active users page, select Add a user at the top of the page, and on the Add a user panel,
enter the name and other information.
3. In the Product Licenses section, select the check box for Microsoft 365 Business Premium (no
administrative access).
4. In the Optional settings section, leave the default radio button selected for User (no admin center
access).
5. Finish and review your settings and select Finish adding to confirm the details.

Protect admin accounts

To protect all your admin accounts, make sure to follow these recommendations:
• Require all admin accounts to use passwordless authentication (such as Windows Hello or an authenticator
app), or MFA. To learn more about why passwordless authentication is important, see the Microsoft
Security whitepaper: Passwordless protection.
• Avoid using custom permissions for admins. Instead of granting permissions to specific users, assign
permissions through roles in Azure Active Directory (Azure AD). And, grant access to only the data and
operations needed to perform the task at hand. Learn about least-privileged roles in Azure AD.
• Use built-in roles for assigning permissions where possible. Azure role-based access control (RBAC) has
several built-in roles that you can use. Learn more about Azure AD built-in roles.

Additional recommendations
• Before using admin accounts, close out all unrelated browser sessions and apps, including personal email
accounts. You can also use in private, or incognito browser windows.
• After completing admin tasks, be sure to sign out of the browser session.

Next objective
Increase threat protection for Microsoft 365 Business Premium

Protect against malware and other cyberthreats

In this objective, you increase your threat protection with Microsoft 365 Business Premium. It’s critical to
protect your business against phishing, malware, and other threats. Use this article as a guide to walk through
the following steps:
1. Review and apply preset security policies for email and collaboration. Preset security policies can save a
lot of time in setup and configuration.
2. Turn on Microsoft Defender for Business now so that you’ll be ready to secure your organization’s managed
devices.
3. Adjust sharing settings for SharePoint and OneDrive files and folders to prevent accidental oversharing of
files.
4. Set up and review your alert policies to protect against data loss.
5. Manage calendar sharing to determine whether employees can share their calendars with external users or
manage the level of detail that can be shared.
6. Create additional security policies for email and collaboration (if needed). Preset security policies provide
strong protection; however, you can define your own custom policies to suit your company’s needs.

43
1. Review and apply preset security policies for email and collaboration
Your subscription includes preset security policies that use recommended settings for anti-spam, anti-malware,
and anti-phishing protection. By default, built-in protection is enabled; however, consider applying standard or
strict protection for increased security.
:::image type=“content” source=“media/m365bp-presetsecuritypolicies.png” alt-text=“Screenshot of preset
security policies.”:::
[!NOTE] Preset security policies are not the same thing as security defaults. Typically, you’ll be
using either security defaults or Conditional Access first, and then you’ll add your security policies.
Preset security policies simplify the process of adding your security policies. You can also create
optional custom security policies (if needed).

What are preset security policies?

Preset security policies provide protection for your email and collaboration content. These policies consist of:
• Profiles, which determine the level of protection
• Policies (such as anti-spam, anti-malware, anti-phishing, spoof settings, impersonation, Safe Attachments,
and Safe Links)
• Policy settings (such as groups, users, or domains to receive the policies and any exceptions)
The following table summarizes the levels of protection and preset policy types.

Level of protection Description

Standard protection (recommended for most Standard protection uses a baseline profile that’s
businesses) suitable for most users. Standard protection includes
anti-spam, anti-malware, anti-phishing, spoof settings,
impersonation settings, Safe Links, and Safe
Attachments policies.
Strict protection Strict protection includes the same kinds of policies as
standard protection, but with more stringent settings.
If your business must meet additional security
requirements or regulations, consider applying strict
protection to at least your priority users or high value
targets.
Built-in protection Protects against malicious links and attachments in
email. Built-in protection is enabled and applied to all
users by default.

[!TIP] You can specify the users, groups, and domains to receive preset policies, and you can define
certain exceptions, but you cannot change the preset policies themselves. If you want to use different
settings for your security policies, you can create your own custom policies to suit your company’s
needs.

Policy order of priority

If users are assigned multiple policies, an order of priority is used to apply the policies. The order of priority
works as follows:
1. Strict protection receives the highest priority and overrides all other policies.
2. Standard protection
3. Custom security policies
4. Built-in protection receives the lowest priority and is overridden by strict protection, standard protection,
and custom policies.
Strict protection overrides all other policies, and built-in protection is overridden by the other policies.
To learn more about preset security policies, see Preset security policies in EOP and Microsoft Defender for
Office 365.

44
How do I assign preset security policies to users?
[!IMPORTANT] Before you begin, make sure you have one of the following roles assigned in Exchange
Online (which is included in your subscription):
• Global Administrator
• Organization Management
• Security Administrator
To learn more, see Permissions in Exchange Online and About admin roles.
To assign preset security policies, follow these steps:
1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
2. Go to Email & Collaboration > Policies & Rules > Threat policies > Preset Security Policies
in the Templated policies section. (To go directly to the Preset security policies page, use https:
//security.microsoft.com/presetSecurityPolicies.)
3. On the Preset security policies page, in either the Standard protection or Strict protection section,
select Manage Protection Settings.
4. The Apply Standard protection or Apply Strict protection wizard starts in a flyout. On the
EOP protections apply to page, identify the internal recipients that the policies apply to (recipient
conditions):
• Users
• Groups
• Domains
Click in the appropriate box, start typing a value, and then select the value that you want from the results.
Repeat this process as many times as necessary. To remove an existing value, select the Remove icon
next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name,
etc.), but the corresponding display name is shown in the results. For users, type an asterisk (*) by itself
to see all available values.
To specify an exclusion, select the Exclude these users, groups, and domains checkbox, and then
specify users, groups, or domains to exclude.
When you’re finished, select Next.
5. On the Defender for Office 365 protections apply to page to identify the internal recipients that the
policies apply to (recipient conditions). Specify users, groups, and domains just like what you did in the
previous step.
When you’re finished, click Next.
6. On the Review and confirm your changes page, verify your selections, and then select Confirm.
[!TIP] To learn more about assigning preset security policies, see the following articles: - Use
the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users -
Recommended settings for email and collaboration content (Microsoft 365 Business Premium includes
Exchange Online Protection and Microsoft Defender for Office 365 Plan 1)

2. Turn on Microsoft Defender for Business

Microsoft 365 Business Premium includes Defender for Business, which provides advanced protection for your
organization’s devices, including client computers, tablets, and mobile phones. Server protection is also available
if you have Microsoft Defender for Business servers.
To turn on Defender for Business, you actually initiate the provisioning process.
1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
2. In the navigation bar, go to Assets > Devices. This action initiates the provisioning of Defender for
Business for your tenant. You’ll know this process has started when you see a message like what’s displayed
in the following screenshot:

45
 Default alert policies included with Microsoft 365.

Figure 5: Default alert policies included with Microsoft 365.

:::image type=“content” source=“../security/defender-business/media/mdb-hangon-provisioning.png” alt-

text=“Screenshot of the screen that indicates Defender for Business is provisioning.”:::
It might take a few hours for your tenant to finish provisioning before you can onboard devices or complete
the setup and configuration process.
3. Do one of the following steps:
• Proceed to 3. Adjust sharing settings for SharePoint and OneDrive files and folders (recommended)
and set up Defender for Business later, when you get to Mission 6: Secure managed devices with
Microsoft 365 Business Premium.
• Set up and configure Microsoft Defender for Business now, and then return to this article to complete
the remaining steps.

3. Adjust sharing settings for SharePoint and OneDrive files and folders
By default, sharing levels are set to the most permissive level for both SharePoint and OneDrive. We recommend
changing the default settings to better protect your business.
1. Go to Sharing in the SharePoint admin center, and sign in with an account that has admin permissions
for your organization.
2. Under External sharing, specify the level of sharing. (We recommend using Least permissive to
prevent external sharing.)
3. Under File and folder links, select an option (such as Specific people). Then choose whether to grant
View or Edit permissions by default for shared links (such as View).
4. Under Other settings, select the options you want to use.
5. Then choose Save.
[!TIP] To learn more about these settings, see Manage sharing settings.

4. Set up and review your alert policies

Alert policies are useful for tracking user and admin activities, potential malware threats, and data loss incidents
in your business. Your subscription includes a set of default policies, but you can also create custom ones. For
example, if you store an important file in SharePoint that you don’t want anyone to share externally, you can
create a notification that alerts you if someone does share it.
The following image shows some of the default policies that are included with Microsoft 365 Business Premium.

View your alert policies

1. Go to the Microsoft Purview compliance portal at https://compliance.microsoft.com and sign in.
2. In the navigation pane, choose Policies, and then choose Alert policies.
3. Select an individual policy to view more details or to edit the policy. The following image shows a list of
alert policies with one policy selected:
:::image type=“content” source=“media/selected-alert-policy.png” lightbox=“media/selected-alert-
policy.png” alt-text=“Screenshot of a selected alert policy.”:::
[!TIP] For more information, see alert policies.

How to view alerts

You can view your alerts in either the Microsoft 365 Defender portal or the Microsoft Purview compliance portal.

46
 Screenshot of showing external calendar sharing as not allowed.

Figure 6: Screenshot of showing external calendar sharing as not allowed.

Screenshot of calendar free/busy sharing with anyone.

Figure 7: Screenshot of calendar free/busy sharing with anyone.

Type of alert What to do

Security alert, such as when a user clicks a malicious
link, an email is reported as malware or phish, or a
device is detected as containing malware
Compliance alert, such as when a user shares sensitive
or confidential information (data loss prevention alert)
or there’s an unusual volume of external file sharing
(information governance alert)
Go to the Microsoft 365 Defender portal and under
Email & collaboration select Policies & rules >
Alert policy. Alternatively, you can go directly to
https://security.microsoft.com/alertpolicies.
Go to the Microsoft Purview compliance portal, and
then select Policies > Alert > Alert policies.

For more information, see View alerts.

5. Manage calendar sharing

You can help people in your organization share their calendars appropriately for better collaboration. You can
manage what level of detail they can share, such as by limiting the details that are shared to free/busy times
only.
1. Go to Org settings in the Microsoft 365 admin center and sign in.
2. Choose Calendar, and choose whether people in your organization can share their calendars with people
outside who have Office 365 or Exchange, or with anyone. We recommend clearing the External sharing
option. If you choose to share calendars with anyone option, you can choose to also share free/busy
information only.
3. Choose Save changes on the bottom of the page.
The following image shows that calendar sharing is not allowed.
The following image shows the settings when calendar sharing is allowed with an email link with only
free/busy information.
If your users are allowed to share their calendars, see these instructions for how to share from Outlook on the
web.

6. Create additional security policies for email and collaboration (if needed)
The preset security policies described earlier in this article provide strong protection for most businesses. However,
you’re not limited to using preset security policies only. You can define your own custom security policies to suit
your company’s needs.
Use our quick-start guide, Protect against threats, to get started creating your own custom policies. The guidance
not only walks you through how to set up your own security policies, it also provides recommended settings to
use as a starting point for:
• Antimalware protection
• Advanced antiphishing protection
• Antispam protection
• Safe Links and Safe Attachments

Next objectives
Proceed to:
• Secure managed and unmanaged devices
• Protect all email

47
 • Collaborate and share securely

Secure managed devices with Microsoft 365 Business Premium

:::image type=“content” source=“media/mission6.png” alt-text=“Diagram with Set Up and Secure Managed
Devices highlighted.”:::
Welcome to this critical mission! Here, you’ll onboard devices to Microsoft Defender for Business and
implement protection for all the managed devices in your organization. Defender for Business capabilities, now
included in Microsoft 365 Business Premium, can help ensure that your organization’s devices are protected
from ransomware, malware, phishing, and other threats. When you’re done completing your objectives, you can
rest assured, knowing you’ve done your part to protect your organization!
[!NOTE] This article applies primarily to managed devices. Guidance for protecting unmanaged
devices is available here: Set up unmanaged (BYOD) devices.
Learn more about managed and unmanaged devices.
Your objectives are to:
• Upgrade Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro to Windows 10
or 11 Pro.
• Onboard devices to Defender for Business and apply security policies.
• Use Windows Autopilot to set up and configure new devices, or to reset, repurpose, and recover devices.
• Manage Microsoft 365 installation options for devices
Once these objectives have been achieved, your overall mission to protect your organization against cyberattacks
and other cybersecurity threats is a success! Now, make sure to set up your response teams to deal with any
situation that may arise while defending the integrity of the system. See your next steps!

Next steps
• Manage devices in Microsoft Defender for Business
• Set up a security operations process.
• Learn about security incident management.
• Learn how to maintain your environment.

Review remediation actions in the Microsoft 365 Defender portal

Okay, you’ve discovered a security breach, but what do you do? It depends on the nature of it.
Microsoft 365 Business Premium includes remediation actions. Some actions are taken automatically when
threats are detected, and other actions can be taken manually by your security team.
Examples of remediation actions include sending a file to quarantine, stopping a process from running, or
completely removing a scheduled task. All remediation actions are tracked in the Action center, which is located
at https://security.microsoft.com/action-center.
:::image type=“content” source=“../media/defender-business/mdb-actioncenter.png” alt-text=“Screenshot of the
Action Center in M365.”:::
This article describes:
• How to use the Action center.
• Types of remediation actions.

How to use your Action center

1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com), and sign in.
2. In the navigation pane, choose Action center.
3. Select the Pending tab to view and approve (or reject) any pending actions. Such actions can arise from
antivirus/antimalware protection, automated investigations, manual response activities, or live response
sessions.
4. Select the History tab to view a list of completed actions.

48
Types of remediation actions
Your subscription includes several different types of remediation actions for detected threats. These actions
include manual response actions, actions following automated investigation, and live response actions.
The following table lists remediation actions that are available:

Source Actions
Automated investigations - Quarantine a file - Remove a registry key - Kill a
process - Stop a service - Disable a driver - Remove a
scheduled task
Manual response actions - Run antivirus scan - Isolate device - Add an
indicator to block or allow a file
Live response - Collect forensic data - Analyze a file - Run a script -
Send a suspicious entity to Microsoft for analysis -
Remediate a file - Proactively hunt for threats

Review detected threats

As soon as Microsoft Defender detects a malicious file or software, Microsoft Defender blocks it and prevents it
from running. And with cloud-delivered protection turned on, newly detected threats are added to the antivirus
and antimalware engine so that your other devices and users are protected, as well.
Microsoft Defender Antivirus detects and protects against the following kinds of threats:
• Viruses, malware, and web-based threats on devices
• Phishing attempts
• Data theft attempts
As an IT professional/admin, you can view information about threat detections across Windows devices enrolled
in Intune in the Microsoft 365 admin center. You’ll see summary information, such as:
• How many devices need antivirus protection
• How many devices aren’t in compliance with security policies
• How many threats are currently active, mitigated, or resolved

Actions you can take

When you view details about specific threats or devices, you’ll see recommendations and one or more actions
you can take. The following table describes actions that you might see.

Action Description
Configure protection Your threat protection policies need to be configured.
Select the link to go to your policy configuration
page.Need help? See Manage device security with
endpoint security policies in Microsoft Intune.
Update policy Your antivirus and real-time protection policies need
to be updated or configured. Select the link to go to
the policy configuration page.Need help? See Manage
device security with endpoint security policies in
Microsoft Intune.
Run quick scan Starts a quick antivirus scan on the device, focusing
on common locations where malware might be
registered, such as registry keys and known Windows
startup folders.
Run full scan Starts a full antivirus scan on the device, focusing on
common locations where malware might be registered,
and including every file and folder on the device.
Results are sent to Microsoft Intune.
Update antivirus Requires the device to get security intelligence updates
for antivirus and antimalware protection.

49
Action Description
Restart device Forces a Windows device to restart within five
minutes.IMPORTANT: The device owner or user
isn’t automatically notified of the restart and could
lose unsaved work.

View and manage threat detections in the Microsoft 365 Defender portal
1. Go to the (Microsoft 365 Defender portal) and sign in.
2. In the navigation pane, choose Threat Analytics to see all the current threats. Threads are categorized
by threat severity and type.
3. Click on a threat to see more details about the threat.
4. In the table, you can filter the alerts according to a number of criteria.

Manage threat detections in Microsoft Intune

You can use Microsoft Intune to manage threat detections as well. First, all devices whether Windows, iOS or
Android, must be enrolled in Intune.
1. Go to the Microsoft Intune admin center at https://endpoint.microsoft.com and sign in.
2. In the navigation pane, select Endpoint security.
3. Under Manage, select Antivirus. You’ll see tabs for Summary, Unhealthy endpoints, and Active
malware.
4. Review the information on the available tabs, and then take any needed action.
For example, suppose that devices are listed on the Active malware tab. When you select a device, you’ll have
certain actions available, such as Restart, Quick Scan, Full Scan, Sync, or Update signatures. Select an
action for that device.
The following table describes the actions you might see in Microsoft Intune.

Action Description
Restart Forces a Windows device to restart within five
minutes.IMPORTANT: The device owner or user
isn’t automatically notified of the restart and could
lose unsaved work.
Quick Scan Starts a quick antivirus scan on the device, focusing
on common locations where malware might be
registered, such as registry keys and known Windows
startup folders. Results are sent to Microsoft Intune.
Full Scan Starts a full antivirus scan on the device, focusing on
common locations where malware might be registered,
and including every file and folder on the device.
Results are sent to Microsoft Intune.
Sync Requires a device to check in with Intune. When the
device checks in, the device receives any pending
actions or policies assigned to the device.
Update signatures Requires the device to get security intelligence updates
for antivirus and antimalware protection.

[!TIP] For more information, see Remote actions for devices.

How to submit a file for malware analysis

If you have a file that you think was missed or wrongly classified as malware, you can submit that file to Microsoft
for malware analysis. Users and IT admins can submit a file for analysis. Visit https://www.microsoft.com/wdsi
/filesubmission.

50
See also
Best practices for securing Microsoft 365 for business plans
Overview of Microsoft Defender for Business (Defender for Business is rolling out to Microsoft 365 Business
Premium customers, beginning March 1, 2022)

Security incident management

After you have set up and configured your security capabilities in Microsoft 365 Business Premium, your security
team can monitor and address any detected threats. As threats are detected, alerts are generated and incidents
are created. Remediation actions can come into play to help mitigate threats.
Want to see how it works? Watch this short video on a typical incident response.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Zvew]
To learn more about incident responses, see the following articles:
• Review security recommendations.
• Review detected threats and take action.
• Review remediation actions.
• Respond to a compromised email account.

Boost your security protection

:::image type=“content” source=“media/mission2.png” alt-text=“Diagram with Boost Your Security Protection
highlighted.”:::
In this mission, you boost your security defenses. You begin by enforcing multifactor authentication (MFA)
requirements through either security defaults or Conditional Access. Next, you’ll set up the different admin roles
and specific levels of security for them. Admin account access is a high-value target for potential cyberattackers.
Protecting those accounts is critical because the access and control they provide can impact your entire system.
And, you’ll protect your email content and devices.
Stay vigilant - the safety and reliability of your system relies upon you.
Your objectives are to:
1. Turn on MFA.
2. Protect your admin accounts.
3. Protect against malware and other threats.
4. Secure managed and unmanaged devices.
5. Set up information protection capabilities.

Set up information protection capabilities in Microsoft 365 Business

Premium
Your Microsoft 365 Business Premium subscription includes information protection capabilities for compliance
and privacy. These capabilities include sensitivity labels, data loss prevention (DLP), and encryption. You
can use your information protection capabilities to help protect your company’s data, and keep your and your
customers’ sensitive information more secure.
Use this article to get started with your information protection capabilities.

Before you begin

Make sure you have one of the following roles assigned in Azure Active Directory:
• Global Administrator
• Compliance Administrator
To learn more, see Get started with the roles page.

51
Use Compliance Manager to get started
:::image type=“content” source=“./media/m365bp-compliancemanager.png” alt-text=“Screenshot of Compliance
Manager in Microsoft 365 Business Premium.”:::
Microsoft 365 Business Premium includes Compliance Manager, which can help you get started setting up your
compliance features. Such features include data loss prevention, data lifecycle management, and insider risk
management, to name a few. Compliance Manager can save you time by highlighting recommendations, a
compliance score, and ways to improve your score.
Here’s how to get started:
1. Go to https://compliance.microsoft.com and sign in.
2. In the navigation pane, choose Compliance Manager.
3. On the Overview tab, review the information. Select an item or link to view more information, or to take
actions, such as configuring a data loss prevention (DLP) policy. For example, in the Solutions that
affect your score section, you might select the link in the Remaining actions column.
:::image type=“content” source=“./media/m365bp-compliancesolutions.png” alt-text=“Screenshot of Solu-
tions That Affect Your Score pane.”:::
That action takes you to the Improvement actions tab, which is filtered for the item you selected. In
this example we’re looking at DLP policies to configure.
:::image type=“content” source=“./media/m365bp-dlppoliciestoconfigure.png” alt-text=“Screenshot of
DLP policies to configure.”:::
4. On the Improvement actions tab, select an item. In our example, we’ve selected Create customized
DLP policies or personally identifiable information. A page loads that provides more information
about the policy to configure.
:::image type=“content” source=“./media/m365bp-dlppolicyinfo.png” alt-text=“Screenshot of information
about DLP policy for customer content.”:::
Follow the information on the screen to set up your DLP policy.
For more information about compliance features in Microsoft 365 for business, see Microsoft Purview documen-
tation.

Use sensitivity labels

Sensitivity labels are available in Microsoft 365 Apps (such as Outlook, Word, Excel, and PowerPoint). Examples
of labels include:
• Normal
• Personal
• Private
• Confidential
However, you can define other labels for your company as well.
Use the following articles to get started with sensitivity labels:
1. Learn about sensitivity labels.
2. Get started with sensitivity labels.
3. Create and configure sensitivity labels and their policies.
4. Show people in your company how to use sensitivity labels

Set up your DLP policies

Data loss prevention (DLP) policies are designed to help protect sensitive information by preventing people from
inappropriately sharing it with others who shouldn’t have it. With a DLP policy, you can identify, monitor, and
automatically protect sensitive items across Microsoft 365 Apps (such as Word, Excel, and PowerPoint), and in
email.
Use the following articles to get started with DLP:

52
 1. Learn about data loss prevention.
2. Get started with the default DLP policy.

Next steps
• Set up BYOD devices or Set up and secure managed devices
• Use email securely
• Collaborate and share securely

Set up unmanaged (BYOD) devices

:::image type=“content” source=“media/mission3.png” alt-text=“Diagram with Set Up Unmanaged Devices
highlighted.”:::
Every device, whether managed or unmanaged, is a possible attack avenue into your network. Fortunately, there
are steps that everyone can take to protect their devices. In this critical mission, train everyone to protect
unmanaged devices (also referred to as bring-your-own devices, or BYODs). It’s important to help everyone get
their devices protected as soon as possible.
[!NOTE] This article applies primarily to unmanaged (or BYOD) devices. Guidance for protecting
managed devices is available here: Set up and secure managed devices.
Learn more about managed and unmanaged devices.
Your objectives are to:
• Get everyone to set up MFA.
• Get Microsoft 365 Apps installed on devices.
• Protected unmanaged Windows and Mac devices.
Once you’ve achieved these objectives, proceed to Use email securely.

Fortify your environment with Microsoft 365 Business Premium

Your first critical mission is to complete your initial setup process right away. Let’s get you going!
:::image type=“content” source=“media/mission1.png” alt-text=“Diagram showing the Sign in and set up phase
highlighted.”:::
Your objective is to:
• Set up Microsoft 365 Business Premium; or
• Set up Microsoft 365 for Campaigns (if this is your subscription).
After you’ve achieved this objective, proceed to boost your security protection.

Overview of threat protection by Microsoft Defender Antivirus

Microsoft Defender Antivirus protects your Windows devices from software threats, such as viruses, malware,
and spyware.
• Viruses typically spread by attaching their code to other files on your device or network and can cause
infected programs to work incorrectly.
• Malware includes malicious files, applications, and code that can cause damage and disrupt normal use of
devices. Also, malware can allow unauthorized access, use system resources, steal passwords and account
information, lock you out of your computer and ask for ransom, and more.
• Spyware collects data, such as web-browsing activity, and sends the data to remote servers.
To provide threat protection, Microsoft Defender Antivirus uses several methods. These methods include
cloud-delivered protection, real-time protection, and dedicated protection updates.
• Cloud-delivered protection helps provide near-instant detection and blocking of new and emerging threats.
• Always-on scanning uses file- and process-behavior monitoring and other techniques (also known as real-time
protection).

53
 • Dedicated protection updates are based on machine learning, human and automated big-data analysis, and
in-depth threat resistance research.
To learn more about malware and Microsoft Defender Antivirus, see the following articles:
• Understanding malware & other threats
• How Microsoft identifies malware and potentially unwanted applications
• Next-generation protection in Windows 10

What happens when a non-Microsoft antivirus solution is used?

Microsoft Defender Antivirus is part of the operating system and is enabled on devices that are running Windows
10. However, if you’re using a non-Microsoft antivirus solution and you aren’t using Microsoft Defender for
Endpoint, then Microsoft Defender Antivirus automatically goes into disabled mode.
When in disabled mode, users and customers can still use Microsoft Defender Antivirus for scheduled or
on-demand scans to identify threats; however, Microsoft Defender Antivirus will no longer:
• be used as the default antivirus app.
• actively scan files for threats.
• remediate, or resolve, threats.
If you uninstall the non-Microsoft antivirus solution, Microsoft Defender Antivirus will automatically go into
active mode to protect your Windows devices from threats.
[!TIP] - If you’re using Microsoft 365, consider using Microsoft Defender Antivirus as your primary
antivirus solution. Integration can provide better protection. See Better together: Microsoft Defender
Antivirus and Office 365. - Make sure to keep Microsoft Defender Antivirus up to date, even if you’re
using a non-Microsoft antivirus solution.

What to expect when threats are detected

When threats are detected by Microsoft Defender Antivirus, the following things happen:
• Users receive notifications in Windows.
• Detections are listed in the Windows Security app on the Protection history page.

• If you’ve secured your Windows 10 devices and enrolled them in Intune, and your organization has 800 or
fewer devices enrolled, you’ll see threat detections and insights in the Microsoft 365 admin center on the
Threats and antivirus page, which you can access from the Microsoft Defender Antivirus card on
the Home page (or from the navigation pane by selecting Health > Threats & antivirus).
If your organization has more than 800 devices enrolled in Intune, you’ll be prompted to view threat
detections and insights from Microsoft Intune instead of from the Threats and antivirus page.
[!NOTE] The Microsoft Defender Antivirus card and Threats and antivirus page are
being rolled out in phases, so you may not have immediate access to them.
In most cases, users don’t need to take any further action. As soon as a malicious file or program is detected on
a device, Microsoft Defender Antivirus blocks it and prevents it from running. Plus, newly detected threats are
added to the antivirus and antimalware engine so that other devices and users are protected, as well.
If there’s an action a user needs to take, such as approving the removal of a malicious file, they’ll see that in
the notification they receive. To learn more about actions that Microsoft Defender Antivirus takes on a user’s
behalf, or actions users might need to take, see Protection History. To learn how to manage threat detections as
an IT professional/admin, see Review detected threats and take action.
To learn more about different threats, visit the Microsoft Security Intelligence Threats site, where you can
perform the following actions:
• View current information about top threats.
• View the latest threats for a specific region.
• Search the threat encyclopedia for details about a specific threat.

54
Related content
Secure Windows devices (article)
Evaluate Microsoft Defender Antivirus (article)
How to turn on real-time and cloud-delivered antivirus protection (article)
How to turn on and use Microsoft Defender Antivirus from the Windows Security app (article)
How to turn on Microsoft Defender Antivirus by using Group Policy (article)
How to update your antivirus definitions (article)
How to submit malware and non-malware to Microsoft for analysis (article)

Trial user guide: Microsoft 365 Business Premium

Welcome to the Microsoft Business Premium trial user guide! This guide will help you make the most of your
free trial. You can see firsthand how Microsoft 365 Business Premium increases productivity and helps safeguard
your organization with advanced security capabilities. Use this guide to set up your threat protection features,
analyze detected threats, and respond to cyberattacks.

Set up the Microsoft 365 Business Premium trial

When you start a trial or purchase Microsoft 365 Business Premium, your first step is to get everything set up.
[!TIP] Save this trial user guide to your browser favorites. When links in the trial user guide take
you away from this location, it’ll be easier to return to this guide to continue.
1. Set up your trial!
After you’ve initiated the trial and completed the setup process, it can take up to two hours for changes to
take effect.
2. Turn on Multi-Factor Authentication (MFA). You can use security defaults to get set up right away, or use
Conditional Access policies to meet more stringent requirements.
3. Use your preset security policies. These policies represent a baseline protection profile that’s suitable for
most users. Standard protection includes:
• Safe Links, Safe Attachments and Anti-Phishing policies that are scoped to the entire tenant or the
subset of users you may have chosen during the trial setup process. (Your trial subscription is for up
to 25 users.)
• Protection for productivity apps, such as SharePoint, OneDrive, Microsoft 365 Apps, and Microsoft
Teams.

Add a domain
When you try or buy Microsoft 365 Business Premium, you have the option of using a domain you own, or
buying one during the sign-up process.
[!NOTE] If you purchased a new domain when you signed up, your domain is all set up and you can
move to Add users and assign licenses. Go to the admin center(https://admin.microsoft.com).
1. From the admin center menu, choose Setup to start the wizard.
2. Select Set up email with a custom domain and then, Use a domain you already own such as
contoso.com.
3. Follow the rest of the steps in the wizard to complete the process.
[!Important] If you purchased a domain during the sign-up, you will not see the Add a domain
step here. Go to Add users instead.
4. Follow the steps in the wizard to create DNS records at any DNS hosting provider for Office 365 that
verifies you own the domain. If you know your domain host, see Add a domain to Microsoft 365.
5. If your hosting provider is GoDaddy or another host enabled with domain connect, you’ll be asked to sign
in and let Microsoft authenticate on your behalf automatically.

55
Onboard and protect devices
Microsoft 365 Business Premium includes Defender for Business, a new security solution to protect devices. See
Onboard devices to Microsoft Defender for Business.
1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
2. Go to Assets > Devices. If Defender for Business isn’t already set up, you will be prompted to run the
setup wizard.
3. Onboard devices.
4. Review your security policies.

Use Microsoft 365 Apps on devices

1. First, you’ll need to install Microsoft 365 Apps.
2. Go to https://office.com and sign in. (See Getting Started at Office.com.)
3. Create an Office document, such as a Word document.
4. Share a document with a team member.

Start using the Microsoft 365 Defender portal

1. Access the Microsoft 365 Defender portal at https://security.microsoft.com.
2. Take some time to familiarize yourself with the portal.
3. Now, assess your security posture, and see how you can improve your score.
4. Learn how to respond to a security incident.
5. Lastly, review remediation actions.

See also
• Microsoft 365 Business Premium - cybersecurity for small business
• What is Microsoft Defender for Business?

Turn on multi-factor authentication

Multi-factor authentication (MFA) is a very important first step in securing your organization. Microsoft 365
Business Premium includes the option to use security defaults or Conditional Access policies to turn on MFA for
your admins and user accounts. For most organizations, security defaults offer a good level of sign-in security.
But if your organization must meet more stringent requirements, you can use Conditional Access policies instead.
This article provides information about:
• Security defaults (suitable for most businesses)
• Conditional Access (for businesses with more stringent security requirements)
[!NOTE] You can use either security defaults or Conditional Access policies, but you can’t use both
at the same time.

Security defaults
Security defaults
Security defaults were designed to help protect your company’s user accounts from the start. When turned on,
security defaults provide secure default settings that help keep your company safe by:
• Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party
application using OATH TOTP.
• Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical
roles and tasks.
• Disabling authentication from legacy authentication clients that can’t do MFA.

56
 • Protecting admins by requiring extra authentication every time they sign in.
MFA is an important first step in securing your company, and security defaults make enabling MFA easy to
implement. If your subscription was created on or after October 22, 2019, security defaults might have been
automatically enabled for you—you should check your settings to confirm.
[!TIP] For more information about security defaults and the policies they enforce, see Security defaults
in Azure AD.

To enable security defaults (or confirm they’re already enabled)

[!IMPORTANT] You must be a Security Administrator, Conditional Access administrator, or Global
Administrator to perform this task.
1. Go to the Azure portal (https://portal.azure.com/) and sign in.
2. Under Manage Azure Active Directory, select View.
:::image type=“content” source=“../security/defender-business/media/mdb-manage-azuread.png” alt-
text=“Screenshot showing the VIew button under Manage Azure Active Directory.” lightbox=“../security/defender-
business/media/mdb-manage-azuread.png”:::
3. In the navigation pane, select Properties, and then select Manage security defaults.
:::image type=“content” source=“../security/defender-business/media/mdb-azuread-properties.png”
alt-text=“Screenshot showing Properties and Manage Security Defaults for Azure Active Directory.”
lightbox=“../security/defender-business/media/mdb-azuread-properties.png”:::
4. On the right side of the screen, in the Security defaults pane, see whether security defaults are turned on
(Enabled) or off (Disabled). To turn security defaults on, use the drop-down menu to select Enabled.
5. Save your changes.

Conditional Access
Conditional Access
If your company or business has complex security requirements or you need more granular control over your
security policies, then you should consider using Conditional Access instead of security defaults to achieve a
similar or higher security posture.
Conditional Access lets you create and define policies that react to sign-in events and request additional actions
before a user is granted access to an application or service. Conditional Access policies can be granular and
specific, empowering users to be productive wherever and whenever, but also protecting your organization.
Security defaults are available to all customers, while Conditional Access requires one of the following plans:
• Azure Active Directory Premium P1 or P2
• Microsoft 365 Business Premium
• Microsoft 365 E3 or E5
• Enterprise Mobility & Security E3 or E5
If you want to use Conditional Access to configure policies, see the following step-by-step guides:
• Require MFA for administrators
• Require MFA for Azure management
• Block legacy authentication
• Require MFA for all users
• Require Azure AD MFA registration - Requires Azure AD Identity Protection, which is part of Azure
Active Directory Premium P2
To learn more about Conditional Access, see What is Conditional Access? For more information about creating
Conditional Access policies, see Create a Conditional Access policy.
[!NOTE] If you have a plan or license that provides Conditional Access but haven’t yet created any
Conditional Access policies, you’re welcome to use security defaults. However, you’ll need to turn off
security defaults before you can use Conditional Access policies.

57
Next objective
Protect your administrator accounts in Microsoft 365 Business Premium

Upgrade Windows devices to Windows 10 or 11 Pro

If you have Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365
Business Premium subscription entitles you to upgrade those devices to Windows 10 or 11 Pro.
You can choose from several methods to upgrade:
• Use Windows Update (recommended for most users)
• Upgrade your device using the Microsoft Software Download site
• Create installation media from the Microsoft Software Download site
• Purchase Windows 10 or 11 Pro to upgrade from Windows 10 Home

Use Windows Update

This option is recommended for most users, as it uses a digital license.
[!IMPORTANT] Make sure that users are assigned a Microsoft 365 Business Premium license before
they follow this procedure.
1. On a Windows device, sign in using your account for Microsoft 365 Business Premium.
2. Go to Windows Update, and check for updates.
3. If your device isn’t running Windows 10 Pro, you’ll be prompted to upgrade. Follow the prompts to
complete your upgrade.

Upgrade your device using the Microsoft Software Download site

The Windows Update method is preferred. However, you can select this option if the device that you’re using
right now is the same device that you want to update.
1. Go to the Microsoft Software Download site.
2. On the Download Windows 10 site, select Update now to start upgrading the device to Windows 10
Pro.

Create installation media from the Microsoft Software Download site

Select this option to create Windows 10 installation media (USB flash drive or ISO file) that you’ll use to install
Windows 10 on a different device than the one you’re using right now.
1. Go to the Microsoft Software Download site.
2. Follow the instructions on how to use the tool and create your installation media.
[!NOTE] If you have Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro,
your Microsoft 365 Business Premium subscription entitles you upgrade those devices to Windows
Pro 10.

Purchase Windows 10 or 11 Pro to upgrade from Windows 10 or 11 Home

Select this option for devices that are running Windows 10 or 11 Home. Note that Microsoft 365 Business
Premium does not include free upgrade rights from Windows 10 or 11 Home to Windows 10 or 11 Pro.
1. On a Windows device, open the Microsoft Store app.
2. In the Microsoft Store app, search for Windows 10 Pro.
3. Select the option to upgrade to Windows 10/11 Pro.
4. Choose either Learn more or Install, and then follow the prompts. Note that you might need to purchase
Windows 10 Pro.

58
 Diagram of an email with callouts for labels and encryption.

Figure 8: Diagram of an email with callouts for labels and encryption.

See also
Activate Windows
Microsoft 365 for business training videos

Use email securely

:::image type=“content” source=“media/mission4.png” alt-text=“Diagram with Use email securely highlighted.”:::
As you probably already know, email can contain malicious attacks cloaked as harmless communications. Email
systems are especially vulnerable, because email is handled by everyone in the organization, and safety relies on
people making consistently good decisions with those communications. In this mission, learn how everyone in
your organization can help to keep your information safe from attackers.
Your objectives are to:
• Protect against phishing and other attacks.
• Set up encrypted email.
Once you’ve achieved these objectives, proceed to Collaborate and share securely.

Encrypt or label your sensitive email in Microsoft 365

Your data and information is important, and often, confidential. The objective here is to help protect this
sensitive information by ensuring everyone is using sensitivity labels so that email recipients treat the information
with the utmost sensitivity.

Best practices
Before individuals send email with confidential or sensitive information, they should consider turning on:
• Encryption: You can encrypt your email to protect the privacy of the information in the email. When
you encrypt an email message, it’s converted from readable plain text into scrambled cypher text. Only the
recipient who has the private key that matches the public key used to encrypt the message can decipher
the message for reading. Any recipient without the corresponding private key, however, sees indecipherable
text. Your admin can define rules to automatically encrypt messages that meet certain criteria. For
instance, your admin can create a rule that encrypts all messages sent outside your organization or all
messages that mention specific words or phrases. Any encryption rules will be applied automatically.
• Sensitivity labels: If your organization requires it, you can set up sensitivity labels that you apply to
your files and email to keep them compliant with your organization’s information protection policies. When
you set a label, the label persists with your email, even when it’s sent — for example, by appearing as a
header to your message.

Set it up
If you want to encrypt a message that doesn’t meet a pre-defined rule or your admin hasn’t set up any rules,
you can apply a variety of different encryption rules before you send the message. To send an encrypted message
from Outlook 2013 or 2016, or Outlook 2016 for Mac, select Options > Permissions, then select the protection
option you need. You can also send an encrypted message by selecting the Protect button in Outlook on the
web. For more information, see Send, view, and reply to encrypted messages in Outlook for PC.

Admin settings
You can learn all about setting up email encryption at Email encryption in Microsoft 365.

59
Automatically encrypt email messages
Admins can create mail flow rules to automatically protect email messages that are sent and received from
a campaign or business. Set up rules to encrypt any outgoing email messages, and remove encryption from
encrypted messages coming from inside your organization or from replies to encrypted messages sent from your
organization.
You create mail flow rules to encrypt email messages with Microsoft Purview Message Encryption. Define mail
flow rules for triggering message encryption by using the Exchange admin center (EAC).
1. In a web browser, using a work or school account that has been granted global administrator permissions,
sign in.
2. Choose the Admin tile.
3. In the Admin center, choose Admin centers > Exchange.
For more information, see Define mail flow rules to encrypt email messages.

Brand your encryption messages

You can also apply branding to customize the look and the text in the email messages. For more information,
see Add your organization’s brand to your encrypted messages.

Next mission
If you’ve gotten this far, you’ve successfully completed another mission, so congratulations! There’s no time
to rest on our successes, so let’s get right to setting up a safe and secure environment in which the team can
collaborate safely.

Install Microsoft 365 Apps on your devices

It’s a good idea to install the Microsoft 365 Apps on your computers, tablets, and phones. You’ll get the latest
updates, including security updates, for your apps and you’ll have the most current features.
If you’re part of your organization’s security team, you can ask users to install the Microsoft 365 Apps on their
Mac, PC, or mobile devices. This is something your users should do to be part of the front lines and help protect
the org against attack.
[!NOTE] This article applies primarily to unmanaged (or BYOD) devices. Microsoft 365 admins
can manage Microsoft 365 installation options instead. To learn more, see the following articles: -
Managed and unmanaged devices. - Manage Microsoft 365 installation options in the Microsoft 365
admin center.

Watch: Install Microsoft 365 Apps

[!VIDEO https://www.microsoft.com/videoplayer/embed/acce002c-0756-4b64-ac5d-2198ee96a9b1?autoplay=false]
For all members of the organization, the Microsoft Microsoft 365 Apps can be found on the Start menu. If you
don’t see them, each user must install them.
Have them perform the following:
1. Go to https://office.com, and sign in using your work account.
2. Select Install Office > Microsoft 365 Apps > Run , and then select Yes.
3. The Microsoft 365 Apps are installed. The process might take several minutes. When it completes, select
Close.
4. To install Microsoft Teams, go to the office.com page, and then choose Teams.
5. Get the Windows app, and then select Run. Teams displays a prompt when installation is complete.

Set up mobile devices for Microsoft 365 Business Premium users

Use the following instructions to install Office on an iPhone or an Android phone. After you follow these steps,
your work files created in Microsoft 365 Apps will be protected by Microsoft 365 for business.
The example is for Outlook, but applies to any other Microsoft 365 Apps you want to install.

60
iPhone
Watch a short video on how to set up Microsoft 365 Apps on iOS devices with Microsoft 365 for business.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RWee2n]
If you found this video helpful, check out the complete training series for small businesses and those new to
Microsoft 365.
Go to App store, and in the search field type in Microsoft Outlook.
:::image type=“content” source=“media/ios-app-store.png” alt-text=“Go to the iPhone App Store.”:::
Tap the cloud icon to install Outlook.
:::image type=“content” source=“media/install-outlook.png” alt-text=“Tap the cloud icon to install Outlook.”:::
When the installation is done, tap the Open button to open Outlook and then tap Get Started.
:::image type=“content” source=“media/get-started-outlook.png” alt-text=“Screenshot of Outlook with Get
Started button.”:::
Enter your work email address on the Add Email Account screen > Add Account, and then enter your
Microsoft 365 for business credentials > Sign in.
:::image type=“content” source=“media/sign-in-m365account.png” alt-text=“Sign in to your work account.”:::
If your organization is protecting files in apps, you’ll see a dialog stating that your organization is now protecting
the data in the app and you need to restart the app to continue to use it. Tap OK and close Outlook.
:::image type=“content” source=“media/outlook-protected.png” alt-text=“Screenshot that shows your organiza-
tion is now protecting your Outlook app.”:::
Locate Outlook on the iPhone, and restart it. When prompted, enter a PIN and verify it. Outlook on your
iPhone is now ready to be used.
:::image type=“content” source=“media/set-pin.png” alt-text=“Set a PIN to access your organization’s data.”:::
Follow these links for additional information on how to:
• Install Microsoft 365 Apps: Install Office on your PC or Mac
• Install other apps: Project, Visio, or Skype for Business

Next objective
Set up protection for unmanaged devices.

Android
Watch a video about installing Outlook and Office on Android devices.
[!VIDEO https://www.microsoft.com/videoplayer/embed/ecc2e9c0-bc7e-4f26-8b14-91d84dbcfef0]
If you found this video helpful, check out the complete training series for small businesses and those new to
Microsoft 365.
To begin setup on your Android phone, go to the Play Store.
:::image type=“content” source=“media/aos-play-store.png” alt-text=“On the Android home screen, tap Play
Store.”:::
Enter Microsoft Outlook in the Google Play search box and tap Install. Once Outlook is done installing, tap
Open.
:::image type=“content” source=“media/aos-install-outlook.png” alt-text=“Tap Open to open Outlook app.”:::
In the Outlook app, tap Get Started, then add your Microsoft 365 for business email account > Continue,
and sign in with your organization credentials.
:::image type=“content” source=“media/aos-outlook-signin.png” alt-text=“Sign in using your account for
Microsoft 365.”:::
In the dialog that states you must install the Intune Company Portal app, tap Go to store.

61
:::image type=“content” source=“media/intune-portal-app.png” alt-text=“Get the Intune Company Portal
app.”:::
In Play Store, install Intune Company Portal.
:::image type=“content” source=“media/intune-app-google-play-store.png” alt-text=“Install button for Intune
Company Portal in Google Play Store.”:::
Open Outlook again, and enter and confirm a PIN. Your Outlook app is now ready for use.
:::image type=“content” source=“media/aos-outlook-pin.png” alt-text=“Set your PIN for Outlook on Android.”:::
For additional details and information:
• Set up mobile devices: Microsoft 365 mobile setup - Help
• Set up email in Outlook: Windows or Mac
• Upgrade users to the latest Microsoft 365 Apps
For additional details and information:
• Set up mobile devices: Microsoft 365 mobile setup - Help
• Set up email in Outlook: Windows or Mac
• Upgrade users to the latest Microsoft 365 Apps
Follow these links for additional information on how to:
• Install Microsoft 365 Apps: Install Office on your PC or Mac
• Install other apps: Project, Visio, or Skype for Business

Next objective
Set up protection for unmanaged devices.

Protect unmanaged computers with Microsoft 365 Business Premium

This objective is focused on protecting unmanaged computers, such as Windows 10 or 11 computers and Mac
computers that are neither enrolled in Microsoft Intune nor onboarded to Microsoft Defender for Business. If
your business or campaign has staff who bring their own devices, such as personally owned phones, tablets, and
PCs, ask users to take certain steps to protect business information that might be on their devices.
[!NOTE] This article applies primarily to unmanaged (or BYOD) devices. Guidance for protecting
managed devices is available here: Set up and secure managed devices.
Learn more about managed and unmanaged devices.
It’s critical that you ensure users follow these guidelines so that minimum security capabilities are configured on
all the bring-your-own devices (also referred to as BYOD devices).

Windows 10 or 11
Windows 10 or 11
Turn on device encryption
Device encryption is available on a wide range of Windows devices and helps protect your data by encrypting it.
If you turn on device encryption, only authorized individuals will be able to access your device and data. See
turn on device encryption for instructions.
If device encryption isn’t available on your device, you can turn on standard BitLocker encryption instead.
(BitLocker isn’t available on Windows 10 Home edition.)

62
Protect your device with Windows Security
If you have Windows 10 or 11, you’ll get the latest antivirus protection with Windows Security. When you start
up Windows 10 for the first time, Windows Security is on and actively helping to protect your PC by scanning
for malware (malicious software), viruses, and security threats. Windows Security uses real-time protection to
scan everything you download or run on your PC.
Windows Update downloads updates for Windows Security automatically to help keep your PC safe and protect
it from threats.
If you have an earlier version of Windows and are using Microsoft Security Essentials, it’s a good idea to move
to Windows Security. For more information, see help protect my device with Windows Security.

Turn on Windows Defender Firewall

You should always run Windows Defender Firewall even if you have another firewall turned on. Turning off
Windows Defender Firewall might make your device (and your network, if you have one) more vulnerable to
unauthorized access. See Turn Windows Firewall on or off for instructions.

Next mission
Okay, mission complete! Now, let’s work on securing the email system against phishing and other attacks.

Mac
Mac
Use FileVault to encrypt your Mac disk
Disk encryption protects data when devices are lost or stolen. FileVault full-disk encryption helps prevent
unauthorized access to the information on your startup disk. See use FileVault to encrypt the startup disk on
your Mac for instructions.

Protect your Mac from malware

Microsoft recommends that you install and use reliable antivirus software on your Mac. See the following article
for a list of choices: Best Mac antivirus 2019.
You can also reduce the risk of malware by using software only from reliable sources. The settings in Security &
Privacy preferences allow you to specify the sources of software installed on your Mac. For more information,
see protect your Mac from malware.

Turn on firewall protection

Use firewall settings to protect your Mac from unwanted contact initiated by other computers when you’re
connected to the Internet or a network. Without this protection, your Mac might be more vulnerable to
unauthorized access. See about the application firewall for instructions.

Next mission
Okay, mission complete! Now, let’s work on securing email usage against phishing and other attacks.

View and edit device protection policies

In Microsoft 365 Business Premium, security settings for managed devices are configured through device
protection policies in the Microsoft 365 Defender portal or in the Microsoft Intune admin center. To help simplify
setup and configuration, there are pre-configured policies that help protect your organization’s devices as soon
as they are onboarded. You can use the default policies, edit existing policies, or create your own policies.
This guidance describes how to:
• Get an overview of your default policies
• Work with device policies in either the Microsoft 365 Defender portal or the Microsoft Intune admin center.

63
About the default device protection policies
Microsoft 365 Business Premium includes two main types of policies to protect your organization’s devices:
• Next-generation protection policies, which determine how Microsoft Defender Antivirus and other
threat protection features are configured.
• Firewall policies, which determine what network traffic is permitted to flow to and from your organization’s
devices.
These policies are part of Microsoft Defender for Business, included in your Microsoft 365 Business Premium
subscription. Information is provided for working with policies in the Microsoft 365 Defender portal or in the
Microsoft Intune admin center.

Working with device policies in the Microsoft 365 Defender portal

The following details apply to working with your policies in the Microsoft 365 Defender portal (https://security
.microsoft.com).
:::image type=“content” source=“media/m365defender.png” alt-text=“Screenshot of the Microsoft 365 Defender
portal.” lightbox=“media/m365defender.png”:::

View existing device protection policies in Microsoft 365 Defender

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose
Device configuration. Policies are organized by operating system (such as Windows client) and policy
type (such as Next-generation protection and Firewall).
:::image type=“content” source=“../media/mdb-deviceconfiguration.png” lightbox=“../media/mdb-
deviceconfiguration.png” alt-text=“The Device configuration page.”:::
2. Select an operating system tab (for example, Windows clients), and then review the list of policies under
the Next-generation protection and Firewall categories.
3. To view more details about a policy, select its name. A side pane will open that provides more information
about that policy, such as which devices are protected by that policy.
:::image type=“content” source=“../media/mdb-deviceconfig-selectedpolicy.png” lightbox=“../media/mdb-
deviceconfig-selectedpolicy.png” alt-text=“Screenshot of a policy selected in the Device configuration
page..”:::

Edit an existing device protection policy in Microsoft 365 Defender

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose
Device configuration. Policies are organized by operating system (such as Windows client) and policy
type (such as Next-generation protection and Firewall).
2. Select an operating system tab (for example, Windows clients), and then review the list of policies under
the Next-generation protection and Firewall categories.
3. To edit a policy, select its name, and then choose Edit.
4. On the General information tab, review the information. If necessary, you can edit the description.
Then choose Next.
5. On the Device groups tab, determine which device groups should receive this policy.
• To keep the selected device group as it is, choose Next.
• To remove a device group from the policy, select Remove.
• To set up a new device group, select Create new group, and then set up your device group. (To get
help with this task, see Device groups in Microsoft 365 Business Premium.)
• To apply the policy to another device group, select Use existing group.
After you have specified which device groups should receive the policy, choose Next.
6. On the Configuration settings tab, review the settings. If necessary, you can edit the settings for your
policy. To get help with this task, see the following articles:
• Understand next-generation configuration settings

64
 • Firewall settings
After you have specified your next-generation protection settings, choose Next.
7. On the Review your policy tab, review the general information, targeted devices, and configuration
settings.
• Make any needed changes by selecting Edit.
• When you’re ready to proceed, choose Update policy.

Create a new device protection policy in Microsoft 365 Defender

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose
Device configuration. Policies are organized by operating system (such as Windows client) and policy
type (such as Next-generation protection and Firewall).
2. Select an operating system tab (for example, Windows clients), and then review the list of Next-
generation protection policies.
3. Under Next-generation protection or Firewall, select + Add.
4. On the General information tab, take the following steps:
1. Specify a name and description. This information will help you and your team identify the policy
later on.
2. Review the policy order, and edit it if necessary. (For more information, see Policy order.)
3. Choose Next.
5. On the Device groups tab, either create a new device group, or use an existing group. Policies are
assigned to devices through device groups. Here are some things to keep in mind:
• Initially, you might only have your default device group, which includes the devices people in your
organization are using to access organization data and email. You can keep and use your default
device group.
• Create a new device group to apply a policy with specific settings that are different from the default
policy.
• When you set up your device group, you specify certain criteria, such as the operating system version.
Devices that meet the criteria are included in that device group, unless you exclude them.
• All device groups, including the default and custom device groups that you define, are stored in Azure
Active Directory (Azure AD).
To learn more about device groups, see Device groups in Microsoft Defender for Business.
6. On the Configuration settings tab, specify the settings for your policy, and then choose Next. For
more information about the individual settings, see Understand next-generation configuration settings in
Microsoft Defender for Business.
7. On the Review your policy tab, review the general information, targeted devices, and configuration
settings.
• Make any needed changes by selecting Edit.
• When you’re ready to proceed, choose Create policy.

Working with device policies in the Microsoft Intune admin center

Use the following information to create and manage device policies in Intune, done through Endpoint security in
the Microsoft Intune admin center (https://intune.microsoft.com).
:::image type=“content” source=“media/intune-admin-center.png” alt-text=“Screenshot of the Intune admin
center.” lightbox=“media/intune-admin-center.png”:::

Create policies in Intune

1. In the Microsoft Intune admin center (https://intune.microsoft.com), select Endpoint security and the
type of policy you want to configure, and then select Create Policy.
2. Choose from the following policy types:
• Antivirus

65
 • Disk encryption
• Firewall
• Endpoint detection and response
• Attack surface reduction
• Account protection
3. Specify the following properties:
• Platform: Choose the platform for which you’re creating the policy. The available options depend
on the policy type you select.
• Profile: Choose from the available profiles for the platform you selected. For information about the
profiles, see the dedicated section in this article for your chosen policy type.
Then select Create.
4. On the Basics page, enter a name and description for the profile, then choose Next.
5. On the Configuration settings page, expand each group of settings, and configure the settings you want to
manage with this profile. Then select Next.
6. On the Assignments page, select the groups that will receive this profile. For more information on
assigning profiles, see Assign user and device profiles. Then select Next.
7. On the Review + create page, when you’re done, choose Create. The new profile is displayed in the list
when you select the policy type for the profile you created.

Duplicate a policy in Intune

1. In the Microsoft Intune admin center (https://intune.microsoft.com), select the policy that you want to
copy. Next, select Duplicate or select the ellipsis (. . . ) to the right of the policy and select Duplicate.
2. Provide a New name for the policy, and then select Save.

Edit a policy in Intune

1. In the Microsoft Intune admin center (https://intune.microsoft.com), select a policy, and then select
Properties.
2. Select Settings to expand a list of the configuration settings in the policy. You can’t modify the settings
from this view, but you can review how they’re configured.
3. To modify the policy, select Edit for each category where you want to make a change:
• Basics
• Assignments
• Scope tags
• Configuration settings
4. After you’ve made changes, select Save to save your edits. Edits to one category must be saved before you
can introduce edits to any additional categories.

Manage conflicts
Many of the device settings that you can manage with Endpoint security policies are also available through other
policy types in Intune. These other policy types include device configuration policies and security baselines.
Because settings can be managed through several different policy types or by multiple instances of the same
policy type, be prepared to identify and resolve policy conflicts for devices that don’t adhere to the configurations
you expect.
Security baselines can set a non-default value for a setting to comply with the recommended configuration that
baseline addresses.
Other policy types, including the endpoint security policies, set a value of Not configured by default. These
other policy types require you to explicitly configure settings in the policy.
Regardless of the policy method, managing the same setting on the same device through multiple policy types,
or through multiple instances of the same policy type can result in conflicts that should be avoided.
If you do run into policy conflicts, see Troubleshooting policies and profiles in Microsoft Intune.

66
See also
Manage endpoint security in Microsoft Intune
Best practices for securing Microsoft 365 for business plans

Next objective
Set up and manage device groups.

Microsoft 365 for business security best practices

[!TIP] This article is for small and medium-sized businesses who have up to 300 users.
If you’re looking for information for enterprise organizations, see Deploy ransomware protection
for your Microsoft 365 tenant. If you’re a Microsoft partner, see Resources for Microsoft partners
working with small and medium-sized businesses.
Microsoft 365 Business Basic, Standard, and Premium all include antiphishing, antispam, and antimalware
protection to protect your email online. Microsoft 365 Business Premium includes even more security capabilities,
such as advanced cybersecurity protection for:
• Devices, such as computers, tablets, and phones (also referred to as endpoints)
• Email & collaboration content (such as Office documents)
• Data (encryption, sensitivity labels, and Data Loss Prevention)
This article describes the top 10 ways to secure your business data with Microsoft 365 for business. For
more information about what each plan includes, see Microsoft 365 User Subscription Suites for Small and
Medium-sized Businesses.

Top 10 ways to secure your business data

:::image type=“content” source=“media/top-10-ways-to-secure-data.png” alt-text=“Diagram listing the top 10
ways to secure business data with Microsoft 365 for business” :::
The following table summarizes how to secure your data using Microsoft 365 for business.

Best practices and Microsoft 365 Business
capabilities Premium
1. Use multi-factor :::image type=“content”
authentication (MFA), source=“../media/d238e041-
also known as two-step 6854-4a78-9141-
verification. See Turn on 049224df0795.png”
multi-factor alt-text=“Included”:::
authentication.
- Security defaults :::image type=“content”
(suitable for most source=“../media/d238e041-
organizations) 6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
- Conditional Access (for :::image type=“content”
more stringent source=“../media/d238e041-
requirements) 6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
2. Set up and protect :::image type=“content”
your administrator source=“../media/d238e041-
accounts. See Protect 6854-4a78-9141-
your admin accounts. 049224df0795.png”
alt-text=“Included”:::
Microsoft 365 Business Microsoft 365 Business
Standard Basic
:::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”:::
:::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”:::
:::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”:::

67
Best practices and Microsoft 365 Business Microsoft 365 Business Microsoft 365 Business
capabilities Premium Standard Basic
3. Use preset security :::image type=“content” :::image type=“content” :::image type=“content”
policies to protect source=“../media/d238e041- source=“../media/d238e041- source=“../media/d238e041-
email and 6854-4a78-9141- 6854-4a78-9141- 6854-4a78-9141-
collaboration content. 049224df0795.png” 049224df0795.png” 049224df0795.png”
See Review and apply alt-text=“Included”::: alt-text=“Included”::: alt-text=“Included”:::
preset security policies.
- Anti-spam, :::image type=“content” :::image type=“content” :::image type=“content”
anti-malware, and source=“../media/d238e041- source=“../media/d238e041- source=“../media/d238e041-
anti-phishing protection 6854-4a78-9141- 6854-4a78-9141- 6854-4a78-9141-
for email 049224df0795.png” 049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”::: alt-text=“Included”:::
- Advanced anti-phishing, :::image type=“content”
spoof settings, source=“../media/d238e041-
impersonation settings, 6854-4a78-9141-
Safe Links, and Safe 049224df0795.png”
Attachments for email alt-text=“Included”:::
and Office documents
4. Protect all devices, :::image type=“content”
including personal and source=“../media/d238e041-
company devices. See 6854-4a78-9141-
Secure managed and 049224df0795.png”
unmanaged devices. alt-text=“Included”:::
- Microsoft 365 Apps :::image type=“content” :::image type=“content”
(Word, Excel, PowerPoint, source=“../media/d238e041- source=“../media/d238e041-
and more) installed on 6854-4a78-9141- 6854-4a78-9141-
users’ computers, phones, 049224df0795.png” 049224df0795.png”
and tablets alt-text=“Included”::: alt-text=“Included”:::
- Windows 10 or 11 Pro :::image type=“content”
Upgrade from Windows 7 source=“../media/d238e041-
Pro, Windows 8 Pro, or 6854-4a78-9141-
Windows 8.1 Pro 049224df0795.png”
alt-text=“Included”:::
- Advanced threat :::image type=“content”
protection for users’ source=“../media/d238e041-
computers, phones, and 6854-4a78-9141-
tablets 049224df0795.png”
alt-text=“Included”:::
5. Train everyone on :::image type=“content” :::image type=“content” :::image type=“content”
email best practices. source=“../media/d238e041- source=“../media/d238e041- source=“../media/d238e041-
See Protect yourself 6854-4a78-9141- 6854-4a78-9141- 6854-4a78-9141-
against phishing and 049224df0795.png” 049224df0795.png” 049224df0795.png”
other attacks. alt-text=“Included”::: alt-text=“Included”::: alt-text=“Included”:::
- Anti-spam, :::image type=“content” :::image type=“content” :::image type=“content”
anti-malware, and source=“../media/d238e041- source=“../media/d238e041- source=“../media/d238e041-
anti-phishing protection 6854-4a78-9141- 6854-4a78-9141- 6854-4a78-9141-
for email 049224df0795.png” 049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”::: alt-text=“Included”:::
- Advanced threat :::image type=“content”
protection for email and source=“../media/d238e041-
Office documents 6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
6. Use Microsoft :::image type=“content” :::image type=“content” :::image type=“content”
Teams for source=“../media/d238e041- source=“../media/d238e041- source=“../media/d238e041-
collaboration and 6854-4a78-9141- 6854-4a78-9141- 6854-4a78-9141-
sharing. 049224df0795.png” 049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”::: alt-text=“Included”:::

68
Best practices and
capabilities
- Microsoft Teams for
communication,
collaboration, and sharing
- Safe Links & Safe
Attachments with
Microsoft Teams
- Sensitivity labels for
meetings to protect
calendar items, Microsoft
Teams meetings, and chat
- Data Loss Prevention in
Microsoft Teams to
safeguard company data
7. Set sharing settings
for SharePoint and
OneDrive files and
folders.
- Safe Links and Safe
Attachments for
SharePoint and OneDrive
- Sensitivity labels to
mark items as sensitive,
confidential. etc.
- Data Loss Prevention to
safeguard company data
8. Use Microsoft 365
Apps on devices
- Outlook and
Web/mobile versions of
Microsoft 365 Apps for all
users
- Microsoft 365 Apps
installed on users’ devices
Microsoft 365 Business Microsoft 365 Business Microsoft 365 Business
Premium Standard Basic
:::image type=“content” :::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”::: alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content” :::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”::: alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”:::
:::image type=“content” :::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”::: alt-text=“Included”:::
:::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”:::
69
Best practices and
capabilities
- Employee quick setup
guide to help users get set
up and running
9. Manage calendar
sharing for your
business.
- Outlook for email and
calendars
- Data Loss Prevention to
safeguard company data
10. Maintain your
environment by
performing tasks, such asl
adding or removing users
and devices. See Maintain
your environment.
Microsoft 365 Business
Premium
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
:::image type=“content”
source=“../media/d238e041-
6854-4a78-9141-
049224df0795.png”
alt-text=“Included”:::
Microsoft 365 Business Microsoft 365 Business
Standard Basic
:::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”:::
:::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”:::
:::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”:::
:::image type=“content” :::image type=“content”
source=“../media/d238e041- source=“../media/d238e041-
6854-4a78-9141- 6854-4a78-9141-
049224df0795.png” 049224df0795.png”
alt-text=“Included”::: alt-text=“Included”:::

More information about Microsoft 365 for business

• For more information about what each plan includes, see:
– Reimagine productivity with Microsoft 365 and Microsoft Teams
– Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses.
• What is Defender for Business?
• Microsoft 365 Business Premium—cybersecurity for small business
• For more details about Defender for Business and Microsoft 365 Business Premium, see Compare security
features in Microsoft 365 plans for small and medium-sized businesses
• Compare Microsoft endpoint security plans (for securing and managing devices)

Set up meetings with Microsoft Teams

Make sure members of the organization use Microsoft Teams for all meetings. Teams meetings files include
audio, video, and sharing, and because they’re online, there is always a meeting space and there’s no need for a
room with a projector! Microsoft Teams meetings are a great way to come together with your staff both inside
and outside of your organization.
Using Teams, you don’t need to be a member of the organization or even have an account to join a meeting.
You can schedule and run online meetings where you can share your screen, share files, assign tasks, and more.
Political campaigns can include staff, volunteers, or guests that are outside your organization. You can easily
meet with clients, staff or partners over Microsoft Teams, and in a secure and worry-free environment.
An illustration of two users in a meeting.
Download an infographic in PDF or PowerPoint to get a quick overview of how to join or host an online meeting
with Microsoft Teams.

70
 Diagram of a Microsoft Teams window, showing Files tab and Get link on the menu.

Figure 9: Diagram of a Microsoft Teams window, showing Files tab and Get link on the menu.

Best practices
Follow these best practices for your online meetings:
• Schedule your online meetings right in Microsoft Teams. You can choose a team and channel, and Teams
will invite the participants in that team or channel automatically.
• Need an impromptu meeting? If you’re in a one-on-one chat, choose Meet now to start a video or audio
call with the person you’re chatting with.

Schedule a meeting
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FOhP]

Join a meeting
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FYWn]
Learn more about meeting in Microsoft Teams:
[!VIDEO https://www.microsoft.com/videoplayer/embed/RWeokQ]

Next objective
After this mission objective is accomplished, learn to securely share files and videos

Share files and videos in a safe environment

Another thing to pay attention to is ensuring all members of the organization control who can view and edit
files, and that they are stored in a secure location with the proper permissions applied. Microsoft 365 Business
Premium users can use Microsoft Teams to store files, and then share the files either inside or outside of the firm,
practice or campaign. You can also send a SharePoint link. Sending a link rather than an email attachment
means you know who is viewing and modifying the files, and they can’t be viewed or modified without permission.
With files in Microsoft Teams and SharePoint, files can also be worked on and reviewed together, even tracking
changes as needed. In Teams, files are shared inside of a firm, practice, or campaign. If you need to share them
externally with people outside your organization, you can add them as guests to a team or send them a secure
SharePoint link.

Best practices
Ensure your users use these methods to share files and videos securely:
1. Store files in Microsoft Teams or SharePoint, and make sure that only the people who need access to those
files have them.
2. When you want to share, don’t attach files to an email. Instead, choose Get link from Microsoft Teams or
SharePoint and send the link in email.
3. To share a file externally, add the user as a guest to your team, or use SharePoint to get a secure link to
share just that file.
4. Use Microsoft Stream to host videos you want your campaign to see.
5. Use Microsoft Teams or SharePoint to store video files you need your team to collaborate on or share.

Set up
Members of the organization can create a team, and add guests like advertisers or financing partners to it, with
the following steps.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FQMp]
To share a secure link with a guest, without using Microsoft Teams, follow these steps.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE22Yf0]

71
To create and share videos, follow these steps.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RWrv0F]
Download an infographic in PDF or PowerPoint to get a quick overview of ways to share your files.
An illustration of sharing files with different users.

Next objective
Upon completion of this objective, create a communication site for your team.

Why should I choose Microsoft 365 Business Premium?

Microsoft 365 Business Premium is a complete productivity and security solution for small and medium-sized
businesses. It provides comprehensive cloud productivity and security and is designed especially for small and
medium-sized businesses (1-300 employees). With Microsoft 365 Business Premium, you can:
• Enable your employees to be connected and productive, whether they’re working on site or
remotely, with best-in-class collaboration tools like Microsoft Teams.
• Provide your employees with secure access to their business data and apps, and help ensure
that only authorized personnel can access confidential work data.
• Defend against sophisticated cyberthreats and safeguard your business data with advanced
protection against phishing, ransomware, and data loss.
• Manage and secure devices (Windows, Mac, iOS, and Android) that connect to your data, and help
keep those devices up to date.
Microsoft 365 Business Premium offers you one comprehensive solution for productivity and security. As an
admin or IT Pro, you have everything you need in one place for administration, billing, and 24x7 support, while
reducing cost and complexity for your business.

Video: Top 5 benefits of Microsoft 365 Business Premium

Watch the following video to see how Microsoft 365 Business Premium helps your business be more productive
and secure:
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Pq0G]
[!TIP] For more detailed information about what’s included in Microsoft 365 Business Premium, see
the Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses.

Resources to train everyone

The security recommendations provided in this guidance make it much harder for cyberattackers to gain access
to your environment. An important part of your security strategy also includes training everyone in your
organization — the people in your company who use your systems regularly. Users can be your first line of
defense. Everyone needs to know how to work productively while maintaining a more secure environment.
Resources are available to help everyone in your organization to:
• Protect devices
• Use email more securely
• Collaborate and share information more securely
Use the recommendations in this library to help your users be productive and more secure in their work.

Download the digital threats guide

Our digital threats guide describes different kinds of threats and what you and your staff can do to protect
against these threats. Download this visual guide for you and your team:
:::image type=“content” source=“media/m365bp-whatuserscandotosecure.png” alt-text=“Thumbnail of down-
loadable guide.”:::
PDF | PowerPoint

72
Next steps
1. Get either Microsoft 365 Business Premium or Microsoft 365 for Campaigns, and start the setup process.
2. Set up your security capabilities.
3. Help everyone Set up unmanaged (BYOD) devices, Use email securely, and Collaborate and share securely.
4. Set up and secure managed devices

73