File: microsoft-365/backup/backup-overview.md
Lines changed: 45 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -71,9 +71,9 @@ To summarize, applications built on top of the Microsoft 365 Backup Storage plat
71
71
72
72
Microsoft 365 Backup provides ultra-fast backup and restore capabilities by creating backups within the protected services’ data boundaries.
73
73
74
-
Microsoft 365 Backup not only provides uniquely fast recovery from common business continuity and disaster recovery (BCDR) scenarios like ransomware or accidental/malicious employee content overwrite/deletion. More BCDR scenario protections are also built directly into the service. For example, OneDrive, SharePoint, and Exchange Online have a proprietary architecture design for resiliency with replicated copies of customer data to failover to live active copies seamlessly without the need for end customer intervention.
74
+
Microsoft 365 Backup not only provides uniquely fast recovery from common business continuity and disaster recovery (BCDR) scenarios like ransomware or accidental or malicious employee content overwrite or deletion. More BCDR scenario protections are also built directly into the service. For example, OneDrive, SharePoint, and Exchange Online have a proprietary architecture design for resiliency with replicated copies of customer data to failover to live active copies seamlessly without the need for end customer intervention.
75
75
76
-
Our backups are protected from malicious overwrites because OneDrive, SharePoint, and Exchange use Append-Only backup storage. This means that SharePoint can only add new content blobs and can never change old ones until they're permanently deleted. The Exchange items are backed up in an immutable manner and can't be accessed by a client process (such as Outlook, OWA, or MFCMAPI). This process ensures that items can't be changed after an initial save, protecting against attackers that try to corrupt old versions. For more information about the built-in service and data resiliency, see [SharePoint and OneDrive data resiliency in Microsoft 365](/compliance/assurance/assurance-sharepoint-onedrive-data-resiliency) and [Exchange Online data resiliency in Microsoft 365](/compliance/assurance/assurance-exchange-data-resiliency).
76
+
Our backups are protected from malicious overwrites because OneDrive, SharePoint, and Exchange use Append-Only backup storage. This means that SharePoint can only add new content blobs and can never change old ones until they're permanently deleted. The Exchange items are backed up in a similar append-only manner and can't be accessed by a client process (such as Outlook, OWA, or MFCMAPI). This process ensures that items can't be changed after an initial save, protecting against attackers that try to corrupt old versions. For more information about the built-in service and data resiliency, see [SharePoint and OneDrive data resiliency in Microsoft 365](/compliance/assurance/assurance-sharepoint-onedrive-data-resiliency) and [Exchange Online data resiliency in Microsoft 365](/compliance/assurance/assurance-exchange-data-resiliency).
77
77
78
78
Key architectural takeaways:
79
79
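Review bot: The rewritten sentence at line 74 still opens with "not only provides" and never supplies the matching "but also", and the same paragraph uses "failover" as a verb in "to failover to live active copies". Since the line is being touched anyway, consider "provides uniquely fast recovery from ..." and "to fail over to live active copies". At line 76 the change from "immutable" to "similar append-only manner" matches the new append-only section, but the next sentence still says items "can't be changed after an initial save" without noting that deletion remains possible; a short qualifier would keep the paragraph consistent with that section.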
@@ -96,6 +96,7 @@ Restore points are physically created in the service as soon as the policy is co
96
96
#### Restoration performance
97
97
98
98
Restoration performance correlates with your recovery time objective, or the time it takes for you to restore a healthy state of your data and recover from a data destruction event.
99
+
99
100
For full OneDrive account and SharePoint site restores, the fastest recovery happens when choosing in-place restore rather a new URL restore. Additionally, choosing one of the recommended express restore points presented in the restore workflow user interface yields the quickest recovery results.
100
101
101
102
All restore points and restores to new URLs are relatively fast, but same URL restores using a recommended express restore point will typically yield better results. The Exchange Online restore workflow doesn't have or require the "faster" restore points.
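Review bot: The paragraph at line 100, directly below the blank line added at line 99, reads "in-place restore rather a new URL restore", which is missing "than". Worth fixing in the same pass: "in-place restore rather than a new URL restore".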
@@ -110,22 +111,61 @@ The following table summarizes expected performance for a normally distributed t
110
111
|1,000+ |Up to 250 protection units per hour |4 hours |
111
112
|1,000+|Up to 250 protection units/hour<br>Up to 2 TB/hour*|250+ protection units/hour<br>Up to 2 TB/hour*|
<sup>*Single protection unit OneDrive and SharePoint restores using express restore points can take on average between 10 minutes and 120 minutes, depending on site size.</sup> <sup>For mailboxes, restore times typically fall in the 200 - 300 item/minute range.</sup>
116
117
117
-
<sup>*1,000+ protection unit restore speeds published here are based on internal benchmarking where SharePoint sites have an average of 12GB of stored content per site, Exchange Online mailboxes have an average of 26K items and an aggregate size of 10 GB. Those bulk recoveries use the in-place restore option, which is typical for large scale attack recovery scenarios. Actual times will depend on the number and size of the items in each site/mailbox.</sup>
118
+
<sup>*1,000+ protection unit restore speeds published here are based on internal benchmarking where SharePoint sites have an average of 12GB of stored content per site, Exchange Online mailboxes have an average of 26K items and an aggregate size of 10 GB. Those bulk recoveries use the in-place restore option, which is typical for large scale attack recovery scenarios. Actual times will depend on the number and size of the items in each site/mailbox.</sup>
118
119
119
120
## Pay-as-you-go billing
120
121
121
122
Microsoft 365 Backup is a pay-as-you-go offering that charges based on consumption, unlike traditional user-based licenses.
122
123
123
124
## Integrated partner solutions
124
125
125
-
We partner with many independent software vendors (ISVs) to provide differentiated versions of their applications integrated with the Microsoft 365 Backup Storage platform—all providing the same underlying performance value proposition for your Microsoft 365 data.
126
+
We partner with many independent software publishers to provide differentiated versions of their applications integrated with the Microsoft 365 Backup Storage platform—all providing the same underlying performance value proposition for your Microsoft 365 data.
126
127
127
128
For a partner application, operation of the Microsoft 365 Backup tool will be managed and paid for entirely through the partner's application. Those applications have the ability to provide a single pane of glass for all of your data estates that require backups, and they might provide more enhanced experiences or workflows.
128
129
129
130
## Multi-geo environments
130
131
131
132
Microsoft 365 Backup supports the backup of sites and user accounts from both the central and satellite locations.
133
+
134
+
## Append-only vs. immutable storage overview
135
+
136
+
### Key points
137
+
138
+
1. Immutability is formally defined as storage that can't be altered, deleted, or overwritten for a specified period of time.
139
+
140
+
2. Microsoft 365 Backup follows that definition except for disallowing deletion. Backup uses append-only storage to prevent nondeletion modifications or alterations of existing restore point data. This protects against service or malware overwrites of the backup data.
141
+
142
+
3. Deletion of the backups isn't blocked, giving customers the option to offboard if needed or desired. There are a couple of defenses against undesired deletions built into the tool to approximate full immutability without some of the related drawbacks (for example, lack of GDPR control). These additional features include:
143
+
144
+
a. A fixed 90-day existing backup recovery [grace period](/microsoft-365/backup/backup-offboarding), similar to a soft-delete recycle bin within the Backup tool, that allows the customer to recover their backups up to 90 days after offboarding.
145
+
146
+
b. Retention and deletion policies (for example, from Purview) don't affect the backup retention period, which remains fully isolated from those policies.
147
+
148
+
c. A multi-admin email notification feature (coming later this year) that will automatically notify a preset group of admins if a potentially harmful action is taken on the Backup tool.
149
+
150
+
### Deeper storage architectural Look
151
+
152
+
Microsoft 365 Backup Storage is built on top of standard OneDrive and SharePoint infrastructure; and on top of standard Exchange Online infrastructure. Given that, Microsoft 365 Backup Storage inherits some useful implementation benefits.
153
+
154
+
One of those benefits is built in append-only storage of the backups.
The service isn't capable of modifying existing copies of the backups because content backups are stored on append-only Azure blobs. Read more about [append-only resiliency](/compliance/assurance/assurance-sharepoint-onedrive-data-resiliency). As a result, our service can only create new copies of the primary data in the backups, aligning to a new restore point corresponding to a new point in time. This is at the core of our append-only functionality.
Metadata for OneDrive and SharePoint is stored in Azure SQL databases. The Microsoft 365 Backup tool uses a combination of the built-in Azure SQL point-in-time restore functionality and Azure Blob, to which serialized copies of the SQL DBs are periodically snapshotted.
163
+
164
+
In both cases, modifications to the database result in new and nonmodifiable point in time copies of the data. Once copied to blob, the immutability explanation from the prior section applies to those Blob-stored DB copies as well. Read more about [OneDrive and SharePoint metadata resiliency](/compliance/assurance/assurance-sharepoint-onedrive-data-resiliency).
165
+
166
+
#### Exchange Online item modification protection
167
+
168
+
Exchange Online Backup technology creates point-in-time copies of modified and deleted mailbox items. These backup copies, once created, aren't modifiable by the service. A new copy is taken based on changes to the primary data at scheduled restore point frequency targets.
169
+
170
+
Review the [Microsoft 365 service terms](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
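Review bot: The new metadata paragraph at line 164 says "the immutability explanation from the prior section applies", yet the Key points added above it state that Backup departs from the formal definition of immutability because deletion is allowed, and the prior section describes append-only blobs. Suggest "the append-only explanation from the prior section" so the page does not claim immutability in one place and disclaim it in another. Two smaller items: point 3c's "coming later this year" names no year and will go stale, and the heading "Deeper storage architectural Look" has a stray capital and would read better as "Deeper look at the storage architecture".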
File: microsoft-365/backup/backup-restore-data.md
Lines changed: 1 addition & 2 deletions
@@ -239,7 +239,6 @@ Microsoft 365 Backup supports the backup and restoration of any site and user ac
239
239
> After a multi-geo move, a OneDrive account and SharePoint site will only be able to restore to the weekly restore points until an enhancement is deployed (enhancement coming soon).
240
240
241
241
## Considerations when using restore
242
-
243
242
- OneDrive and Sharepoint
244
243
245
244
- Site search is case-sensitive and is a prefix-type search.
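Review bot: Removing the blank line at old line 242 leaves the "## Considerations when using restore" heading directly followed by the list item "- OneDrive and Sharepoint". Markdown linters generally expect a blank line after a heading (markdownlint MD022), so it would be safer to keep it. The list item also spells the product "Sharepoint"; it should be "SharePoint".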
@@ -273,7 +272,7 @@ Microsoft 365 Backup supports the backup and restoration of any site and user ac
273
272
- If the parent folder of an item has been deleted, the item will be restored to a newly created folder named *Recovered Items YYYY-MM-DD, HH:MM*.
274
273
275
274
- All
276
-
275
+
- Restore session history is retained for 366 days.
277
276
- Abusive restore actions aren't permitted. You should limit restores for testing purposes to no more than twice a month per protection unit. Restores for real recovery purposes aren't limited.
278
277
279
278
- The restore point frequency dictates the points in time from which you can recover a prior state of your data. Restore points start being generated when you create the backup policy for a given OneDrive account, SharePoint Site, or Exchange Online mailbox. For Exchange Online, restore points are available for 10 minutes for the entire year. For OneDrive and SharePoint, the available restore points are available for 10 minutes for up to 2 weeks prior, and weekly for 2 to 52 weeks prior. Based on the defined and currently invariable backup frequency setting previously described, the following example highlights what is possible.
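Review bot: In the context bullet at line 278, "restore points are available for 10 minutes for the entire year" and "available for 10 minutes for up to 2 weeks prior" read as a 10-minute lifetime rather than a 10-minute interval, which matters to anyone deriving a recovery point objective from this page. Consider "every 10 minutes" in both places while this list is being edited. The changed bullet itself ("Restore session history is retained for 366 days") shows the same text before and after, so it appears to be a whitespace-only change.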
File: microsoft-365/backup/backup-view-edit-policies.md
Lines changed: 7 additions & 0 deletions
@@ -26,6 +26,13 @@ A policy contains details of what data (SharePoint sites, Exchange mailboxes, an
26
26
27
27
You can create more than one backup policy for each product (SharePoint, Exchange, and OneDrive) with a limit of 100 policies per product. This allows you to segregate your data by logical partitions such as department, geography, and so on for ease of management and administration. Note that any SharePoint site, Exchange mailbox, or OneDrive account can be part of one backup policy only.
28
28
29
+
> [!NOTE]
30
+
> You can also use PowerShell cmdlets to perform these operations by following these steps:
31
+
> 1. Go to the [Microsoft 365 Backup Storage Graph APIs](/graph/api/backuprestoreroot-post-exchangeprotectionpolicies) documentation for the specific action you want to perform—for example, creating a SharePoint policy.
32
+
> 2. Scroll to the **Example request** section and select the **PowerShell** tab.
33
+
> 3. Install the Microsoft.Graph.BackupRestore module as shown in the example.
34
+
> 4. Run the provided PowerShell command in an Admin PowerShell session to execute the desired action.
35
+
29
36
Select the **SharePoint**, **Exchange**, or **OneDrive** tab for steps to create a backup policy for that product.
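Review bot: Step 1 of the new note (line 31) links the text "Microsoft 365 Backup Storage Graph APIs" to `/graph/api/backuprestoreroot-post-exchangeprotectionpolicies`, which by its path is the Exchange protection policy creation call, while the example named in the same sentence is creating a SharePoint policy. Link to a page that lists all the Backup Storage operations, or change the example to match the target. Step 4 (line 34) says to run the command in "an Admin PowerShell session" without saying which Microsoft Graph permissions the signed-in account needs; an elevated local shell is not what authorizes the call, so the step should point readers to the permissions listed on the API page and ask for the least-privileged one.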
File: microsoft-365/enterprise/advanced-data-residency.md
Lines changed: 1 addition & 1 deletion
@@ -55,7 +55,7 @@ The following workloads are included in ADR. For more information, see:
55
55
56
56
The Advanced Data Residency ("ADR") add-on is intended for Microsoft 365 enterprise customers who have comprehensive data residency requirements. To be eligible to purchase ADR, customers must meet the following prerequisites:
57
57
58
-
- The _Tenant__Default Geography_ must be one of the countries or regions included in the _Local Region Geography_: Australia, Brazil, Canada, France, Germany, India, Israel, Italy, Japan, Mexico, New Zealand, Norway, Poland, Qatar, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, United Arab Emirates, and United Kingdom.
58
+
- The _Tenant__Default Geography_ must be one of the countries or regions included in the _Local Region Geography_: Australia, Brazil, Canada, France, Germany, India, Indonesia, Israel, Italy, Japan, Malaysia, Mexico, New Zealand, Norway, Poland, Qatar, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, United Arab Emirates, and United Kingdom.
59
59
- Customers must have licenses for one or more of the following products:
60
60
- Microsoft 365 F1, F3, E3, or E5 (including SKUs without Microsoft Teams)
61
61
- Office 365 F3, E1, E3, or E5 (including SKUs without Microsoft Teams)
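Review bot: Both the removed and the added version of line 58 carry `_Tenant__Default Geography_`, which looks like two italic spans (`_Tenant_` and `_Default Geography_`) run together with no space between them. Since the line is being edited anyway, consider `_Tenant_ _Default Geography_` so the two defined terms render separately.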
File: microsoft-365/enterprise/m365-dr-overview.md
Lines changed: 6 additions & 2 deletions
@@ -33,8 +33,8 @@ In order to promote clarity in the capability descriptions on data residency fun
33
33
|Macro Region Geography 1 - EMEA |Data centers in Austria, Finland, France, Ireland, Italy, Netherlands, Poland, Spain, Sweden <br/> <br/> **Note:** For tenants with a default geography of Israel; data can be stored in Macro Region Geography 1 – EMEA or additional datacenters located in their default geography (i.e., Israel). |
34
34
|Macro Region Geography 2 - Asia Pacific |Data centers in Australia, Hong Kong Special Administrative Region, Indonesia, Japan, Malaysia, New Zealand, Singapore, South Korea <br/> <br/> **Note:** For tenants with a default geography of Taiwan; data can be stored in Macro Region Geography 2 – Asia Pacific or additional datacenters located in their default geography (i.e., Taiwan). |
35
35
|Macro Region Geography 3 - Americas |Data centers in Brazil, Chile, Mexico, United States |
36
-
|Local Region Geography |Australia, Brazil, Canada, France, Germany, India, Indonesia, Israel, Italy, Japan, Mexico, New Zealand, Norway, Poland, Qatar, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, United Arab Emirates, United Kingdom |
37
-
|Future Local Region Geography | Future planned data center regions: Malaysia, Austria, Chile, Denmark, Greece, Saudi Arabia |
36
+
|Local Region Geography |Australia, Brazil, Canada, France, Germany, India, Indonesia, Israel, Italy, Japan, Malaysia, Mexico, New Zealand, Norway, Poland, Qatar, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, United Arab Emirates, United Kingdom |
37
+
|Future Local Region Geography | Future planned data center regions: Austria, Chile, Denmark, Greece, Saudi Arabia |
38
38
|Geography |_Local Region Geography, Future Local Region Geography_, or _Macro Region Geography_|
39
39
|Satellite Geography |If a customer subscribes to the Multi Geo service, then they can set policy at a user level to store customer data in other Geographies outside of the _Tenant__Primary Provisioned Geography_|
40
40
|Microsoft Entra ID |Microsoft Entra ID is the new name for [Azure Active Directory](/entra/fundamentals/new-name)|
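Review bot: The removed line 36 shows that this file already listed Indonesia under Local Region Geography, while advanced-data-residency.md and o365-data-locations.md only gain Indonesia in this commit, so the three hand-maintained country lists had drifted apart. Consider moving the list into a single shared include so the next region launch is a one-place change. Moving Malaysia out of the "Future planned data center regions" row at line 37 is consistent with adding it to the local list.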
@@ -134,9 +134,11 @@ There are three methods for ensuring that the _Tenant_ data location for a parti
134
134
| France | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A |
135
135
| Germany | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A |
136
136
| India | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A |
137
+
| Indonesia | M-A | M-A | M-A | M-A | A | A | A | A |
137
138
| Israel | M-A | M-A | M-A | M-A | A | A | A | A |
138
139
| Italy | M-A | M-A | M-A | M-A | A | A | A | A |
139
140
| Japan | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A |
141
+
| Malaysia | M-A | M-A | M-A | M-A | A | A | A | A |
140
142
| Mexico | M-A | M-A | M-A | M-A | A | A | A | A |
141
143
| New Zealand | M-A | M-A | M-A | M-A | A | A | A | A |
142
144
| Norway | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A |
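Review bot: The new Indonesia (line 137) and Malaysia (line 141) rows use M-A in the first four columns, matching Israel, Italy, Mexico, and New Zealand rather than the P-M-A rows such as India and Japan. The column headers and the legend for P, M, and A fall outside this hunk, so please confirm that omitting P is intended for both regions.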
@@ -171,11 +173,13 @@ The following Regional Geographies can store data at rest.
File: microsoft-365/enterprise/o365-data-locations.md
Lines changed: 1 addition & 1 deletion
@@ -37,7 +37,7 @@ This article helps you to understand how you can determine current data residenc
37
37
> The **Taiwan** local data center region launched on November 1, 2024. If your organization requires the migration of your Microsoft 365 customer data to Taiwan, and data residency commitments for Taiwan, see [Advanced Data Residency](advanced-data-residency.md).
38
38
39
39
> [!NOTE]
40
-
> For tenants in Australia, Brazil, Canada, France, Germany, India, Israel, Italy, Japan, Mexico, New Zealand, Norway, Poland, Qatar, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, United Arab Emirates, and United Kingdom, more workloads are available for data residency commitments. For more information, see [Advanced Data Residency](advanced-data-residency.md).
40
+
> For tenants in Australia, Brazil, Canada, France, Germany, India, Indonesia, Israel, Italy, Japan, Malaysia, Mexico, New Zealand, Norway, Poland, Qatar, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, United Arab Emirates, and United Kingdom, more workloads are available for data residency commitments. For more information, see [Advanced Data Residency](advanced-data-residency.md).
41
41
42
42
See the following links to understand how you can determine current data residency and data residency commitments.
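Review bot: The context at line 37 carries a dated launch note for Taiwan ("launched on November 1, 2024"), but Indonesia and Malaysia are added to the tenant list at line 40 with no matching launch note or date. If those regions follow the same pattern, add the equivalent notes so readers can tell when the residency commitment became available.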