MicrosoftDocs
diff --git a/‎microsoft-365/lighthouse/TOC.yml‎
Lines changed: 8 additions & 0 deletions b/‎microsoft-365/lighthouse/TOC.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎microsoft-365/lighthouse/m365-lighthouse-alerts-overview.md‎
Lines changed: 88 additions & 0 deletions b/‎microsoft-365/lighthouse/m365-lighthouse-alerts-overview.md‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎microsoft-365/lighthouse/m365-lighthouse-create-manage-alert-rules.md‎
Lines changed: 75 additions & 0 deletions b/‎microsoft-365/lighthouse/m365-lighthouse-create-manage-alert-rules.md‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎microsoft-365/lighthouse/m365-lighthouse-manage-mfa.md‎
Lines changed: 61 additions & 26 deletions b/‎microsoft-365/lighthouse/m365-lighthouse-manage-mfa.md‎
Lines changed: 61 additions & 26 deletions
@@ -48,6 +48,12 @@
       href: m365-lighthouse-reinstate-task.md
     - name: Manage tenants using deployment insights
       href: m365-lighthouse-manage-tenants-using-deployment-insights.md
+- name: Manage alerts
+  items: 
+    - name: Overview of the Alerts page
+      href: m365-lighthouse-alerts-overview.md
+    - name: Create and manage alert rules
+      href: m365-lighthouse-create-manage-alert-rules.md
 - name: Manage tenants
   items: 
     - name: Overview of the Tenants page
@@ -62,6 +68,8 @@
   items:
     - name: Overview of the Users page
       href: m365-lighthouse-users-page-overview.md
+    - name: Overview of the Multifactor authentication page
+      href: m365-lighthouse-mfa-overview.md
     - name: Block user sign-in
       href: m365-lighthouse-block-user-signin.md
     - name: Block sign-in for shared mailbox accounts
 
@@ -0,0 +1,88 @@
+---
+title: "Overview of the Alerts page in Microsoft 365 Lighthouse"
+f1.keywords: NOCSH
+ms.author: sharik
+author: SKjerland
+manager: scotv
+ms.reviewer: algreer
+ms.date: 06/30/2023
+audience: Admin
+ms.topic: article
+ms.service: microsoft-365-lighthouse
+ms.localizationpriority: medium
+ms.collection:
+- Tier1
+- scotvorg
+- M365-subscription-management
+- Adm_O365
+ms.custom:
+- AdminSurgePortfolib
+- M365-Lighthouse                         
+search.appverid: MET150
+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to view alerts in Lighthouse."
+---
+
+# Overview of the Alerts page in Microsoft 365 Lighthouse
+
+As an MSP provider, you need to monitor and respond to the security issues of your customers efficiently and effectively. Microsoft 365 Lighthouse introduces alerts, a powerful tool that gives you a consolidated view of all the high priority detections and alerts across your customers. You can see a prioritized list of the most urgent issues that require your attention and take immediate action to resolve them. You can also enable push alerts to your existing support systems and flows, so you never miss a critical alert that needs your intervention.
+
+To help you get started, Lighthouse provides a default set of alerting rules based on best practices and recommendations. You can use these rules as they are or modify them according to your preferences and needs. You can also create rules from scratch for more control and flexibility.
+
+## Alerts tab
+
+The **Alerts** tab provides a consolidated view of potential security issues across all your customers. The tab contains two sections:
+
+- **Alert resolution rate** – a graph that displays historical information about alerts and their status over time.
+
+- **Alert report** – a table of current alerts that can be filtered by alert type, severity, status, and assigned to.
+
+From the table, you can select any alert to see more detailed information, including:
+
+- Alert description
+- Affected tenant(s)
+- Rule that triggered the alert
+- Alert type
+- Time stamp (First detected, last updated)
+- Impacted entity
+
+You can update the severity and status of the alert and assign the alert to a specific user to resolve. From the **Comments and history** tab, you have a complete history of the alert. You can also add additional comments to the alert as needed.
+
+### Alert Types
+
+Lighthouse defines six alert types.
+
+- Non-compliant
+- Device without antivirus protection
+- Variance detection
+- Risky user
+- Security incident
+- Active threat on device
+
+The **Alerts** tab also includes the following options:
+
+- **Export:** Select to export alert data to an Excel comma-separated values (.csv) file.
+- **Refresh:** Select to retrieve the most current alert data.
+- **Search:** Enter keywords to locate a specific alert in the list.
+
+:::image type="content" source="../media/m365-lighthouse-alerts-overview/m365-lighthouse-alerts-tab.png" alt-text="Screenshot of the Alerts tab in Lighthouse." lightbox="../media/m365-lighthouse-alerts-overview/m365-lighthouse-alerts-tab.png":::
+
+## Alert rules tab
+
+The **Alert rules** tab lets you create and edit alert rules. Lighthouse provides six default alert rules that are automatically applied to all customers. You can edit existing rules or create your own custom rules. Select **Create alert rule**, and Lighthouse will guide you step by step in creating your first alert rule.
+
+The Alert rules tab also includes the following options:
+
+- **Create alert rule:** Select to create a new alert.
+- **Edit alert rule:** Select to edit an existing alert rule.
+- **Delete:** Select to delete an alert rule from the list.
+- **Search:** Enter keywords to locate a specific alert rule in the list.
+
+:::image type="content" source="../media/m365-lighthouse-alerts-overview/m365-lighthouse-alerts-rules-tab.png" alt-text="Screenshot of alerts rules tab." lightbox="../media/m365-lighthouse-alerts-overview/m365-lighthouse-alerts-rules-tab.png":::
+
+## Related content
+
+[Create and manage alert rules](m365-lighthouse-alerts-overview.md) (article)\
+[Overview of the Threat management page in Microsoft 365 Lighthouse](m365-lighthouse-threat-management-page-overview.md) (article)\
+[Mitigate threats in Microsoft 365 Lighthouse with Microsoft Defender Antivirus](m365-lighthouse-mitigate-threats.md) (article)\
+[Overview of the Device security page in Microsoft 365 Lighthouse](m365-lighthouse-device-security-overview.md) (article)\
+[Overview of the Vulnerability management page in Microsoft 365 Lighthouse](m365-lighthouse-vulnerability-management-page-overview.md) (article)
@@ -0,0 +1,75 @@
+---
+title: "Create and manage alert rules in Microsoft 365 Lighthouse"
+f1.keywords: NOCSH
+ms.author: sharik
+author: SKjerland
+manager: scotv
+ms.reviewer: algreer
+ms.date: 06/30/2023
+audience: Admin
+ms.topic: article
+ms.service: microsoft-365-lighthouse
+ms.localizationpriority: medium
+ms.collection:
+- Tier1
+- scotvorg
+- M365-subscription-management
+- Adm_O365
+ms.custom:
+- AdminSurgePortfolib
+- M365-Lighthouse                         
+search.appverid: MET150
+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to create alert rules."
+---
+
+# Create and manage alert rules in Microsoft 365 Lighthouse
+
+Alert rules allow you to configure high priority alerts from various data sources, such as Risky Users, Microsoft Defender for Business, Microsoft Defender Antivirus, Device Compliance, and more. Lighthouse supports the creation of six alert types:
+
+- Non-compliant
+- Device without antivirus protection
+- Variance detection
+- Risky user
+- Security incident
+- Active threat on device
+
+## Before you begin
+
+You must be a Global Administrator to create and manage alert rules.
+
+## Create a new alert rule
+
+1. In the left navigation pane in Lighthouse, select **Alerts**.
+2. On the **Alerts** page, select **Alerts rules** tab.
+3. Select **Create alert rule**. The alert rules wizard opens.
+4. From the **Set up the basics** page, configure the following basic information:
+    1. Name of the alert
+    2. Alert type
+    3. Description of the alert
+5. Select **Next**.
+6. From the **Settings** page, configure alert settings. The number of settings vary based on the alert type you choose.
+7. Select **Next**.
+8. From the **Tenants** page, select which tenants to monitor.
+9. From the **Recipients** page, select who should receive email notification when this alert is triggered. You can send notifications to users, security groups, or ticketing system.
+10. Review the information and then select **Create alert rule**.
+
+## Edit an existing alert rule
+
+1. In the left navigation pane in Lighthouse, select **Alerts**.
+2. On the **Alerts** page, select **Alerts rules** tab.
+3. From the list, select an alert rule you want to edit.
+4. Select **Edit alert rule**. The alert rules wizard opens.
+5. Step through each page and edit any settings as needed.
+6. Review your changes and then select **Edit alert rule**.
+
+## Delete an alert rule
+
+1. In the left navigation pane in Lighthouse, select **Alerts**.
+2. On the **Alerts** page, select **Alerts rules** tab.
+3. From the list, select an alert rule you want to delete.
+4. Select **Delete**.
+5. In the confirmation window, select **Delete**.
+
+## Related content
+
+[Overview of the Alerts page in Microsoft 365 Lighthouse](m365-lighthouse-alerts-overview.md) (article)
@@ -5,7 +5,7 @@ ms.author: sharik
 author: SKjerland
 manager: scotv
 ms.reviewer: ragovind
-ms.date: 10/20/2021
+ms.date: 06/30/2023
 audience: Admin
 ms.topic: article
 ms.service: microsoft-365-lighthouse
@@ -24,57 +24,92 @@ description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
 
 # Manage multifactor authentication in Microsoft 365 Lighthouse
 
-Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) helps safeguard access to data and applications, providing another layer of security by using a second form of authentication. The Multifactor Authentication page provides detailed information on the status of MFA enablement across your tenants. Select any tenant in the list to see more details for that tenant, including which Conditional Access policies requiring MFA are already configured and which users haven't yet registered for MFA.
+Microsoft 365 Lighthouse allows you to manage multifactor authentication (MFA) settings across all tenants. The Multifactor Authentication page provides detailed information on the status of MFA enablement and the ability to take action on specific users.
 
-For small- and medium-sized business (SMB) customers, Microsoft recommends enabling [security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) at a minimum. For more complex scenarios, you can use [Conditional Access](/azure/active-directory/conditional-access/overview) to configure specific policies.
+For small- and medium-sized business (SMB) customers, Microsoft recommends enabling [security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) at a minimum. For more complex scenarios, you can use [Conditional Access](/azure/active-directory/conditional-access/overview) to configure specific policies.
 
 ## Before you begin
 
-The following conditions must be met before a tenant will appear in the list:
+The customer tenant must be active within Microsoft 365 Lighthouse. To determine if a tenant is active, see [Microsoft 365 Lighthouse tenant list overview](m365-lighthouse-tenant-list-overview.md).
 
-- The customer tenant must have an Azure AD Premium license for each user. For more information on which licenses support MFA, see [Features and licenses for Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/concept-mfa-licensing).
+## Notify users who aren't registered for MFA
 
-- The customer tenant must be active within Microsoft 365 Lighthouse. To learn how to determine if a tenant is active, see [Microsoft 365 Lighthouse tenant list overview](/microsoft-365/lighthouse/m365-lighthouse-tenant-list-overview).
+1. In the left navigation pane in Lighthouse, select **Users** \> **Multifactor authentication**.
 
-## Enable MFA for a tenant
+2. Select the tenant that contains the user(s) that you want to notify.
 
-1. In the left navigation pane in Lighthouse, select **Users** > **Multifactor authentication**.
+3. Select **Users not registered for MFA** tab.
 
-2. On the **Multifactor Authentication** page, look for a tenant currently not using MFA, and then select that tenant to open the tenant details pane.
+4. Select the tenant containing the user(s) you want to notify.
 
-3. On the **MFA enablement** tab, under **MFA with Security defaults**, select **Enable Security defaults**.
+5. Select **Create email**.
 
-4. Select **Save changes**.
+    Your default email application creates a sample email addressed to each selected user.
 
-To enable MFA through Conditional Access, see [Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/tutorial-enable-azure-mfa).
+6. Edit the notification email if needed.
 
-## Notify users who aren't registered for MFA
+7. Send the email.
 
-1. In the left navigation pane in Lighthouse, select **Users** > **Multifactor authentication**.
+> [!TIP]
+> Select the **Admin**, **Guest**, or **Members** counts to filter the list by type. If any user accounts in the list are emergency access or service accounts for which you don't want to require MFA, select those user accounts and then select **Exclude users**. The excluded user accounts will no longer appear in the list of users not registered for MFA.
 
-2. On the **Multifactor Authentication** page, look for tenants with users not registered for MFA, and then select the tenant to open the tenant details pane.
+> [!NOTE]
+> Lighthouse opens your default email client and prepopulates the email message with instructions to register for MFA. All the selected users will be included on the BCC line. If you prefer to individually email users, you can select the email icon next to the username.
+> 
+> If you want to use a different email account, you can export the list of users to a file. You can also download sample email templates you can customize with your company branding.
+
+## Exclude users from MFA registration
+
+1. In the left navigation pane in Lighthouse, select **Users \> Multifactor authentication**.
+
+2. Select the tenant containing the user(s) you want to exclude.
 
 3. Select **Users not registered for MFA** tab.
 
-4. Select all other users in the list who need to register for MFA, and then select **Create email**.
+4. Select the user(s) that you want to exclude.
 
-> [!TIP]
-> Select the **Admin**, **Guest**, or **Members** counts to filter the list by type. If any of the user accounts in the list are emergency access accounts or service accounts for which you don't want to require MFA, select those user accounts, and then select **Exclude users**. The excluded user accounts will no longer appear in the list of users not registered for MFA.
+5. Select **Exclude users**.
+
+6. In the **Exclude users** pane, select **Save changes** to save the changes in both Lighthouse and the tenant.
 
 > [!NOTE]
-> If any shared mailbox accounts or inactive user accounts appear in the list of users not registered for MFA, we recommend that you block signin for those accounts so they'll no longer appear in this list.
+> Ensure that the **Microsoft 365 Lighthouse - MFA Exclusions** security group is excluded from the tenant’s Conditional Access policies that require MFA and from the applicable deployment tasks in the tenant’s deployment plan in Lighthouse.
+
+## Block sign-in for users not registered for MFA
 
-Lighthouse opens your default email client and prepopulates the email message with instructions to register for MFA. All the selected users will be included on the BCC line. If you prefer to individually email users, you can select the email icon next to the username.
+1. In the left navigation pane in Lighthouse, select **Users \> Multifactor authentication**.
+2. Select the tenant that contains the user(s) you want to block.
+3. Select **Users not registered for MFA** tab.
+4. Select the user(s) that you want to block.
+5. Select **Block sign-in**.
+6. In the **Manage sign-in status** pane, select **Block users from signing in**.
+7. Select **Save**.
+
+> [!NOTE]
+> Ensure If any shared mailbox accounts or inactive user accounts appear in the list of users not registered for MFA, we recommend you block sign-in for those accounts to remove them from the list.
 
-If you want to use a different email account, you can export the list of users to a file. You can also download sample email templates that you can customize with your company branding.
+Blocking a user prevents anyone from signing in as this user and is a good idea when you think their password or username may be compromised. Blocking a user immediately stops any new sign-ins for that account. The account will be automatically signed out from all Microsoft services within 60 minutes if the account is signed in. This won't stop the account from receiving mail and doesn't delete any account data.
+
+## Remove a user from the Excluded users group
+
+1. In the left navigation pane in Lighthouse, select **Users \> Multifactor authentication**.
+2. Select the tenant that contains the user(s) you want to remove.
+3. Select **Exclude users** tab.
+4. Select the user(s) that you want to remove.
+5. Select **Remove**.
+6. In the confirmation message, select **Remove**.
+
+> [!NOTE]
+> The excluded users listed in Lighthouse will reflect the current membership **Microsoft 365 Lighthouse - MFA exclusions** security group but will not confirm that the group has been excluded from the tenant’s Conditional Access policies that require MFA or from the applicable deployment tasks in the tenant’s deployment plan in Lighthouse.
 
 ## Next steps
 
-Once MFA is enabled, you can enable Azure Active Directory (Azure AD) self-service password reset (SSPR). SSPR gives users the ability to change or reset their password with no administrator or help desk involvement. For more information, see [Manage self-service password reset in Microsoft 365 Lighthouse](m365-lighthouse-manage-sspr.md).
+Once MFA is enabled, you can enable Azure Active Directory (Azure AD) self-service password reset (SSPR). SSPR allows users to change or reset passwords without administrator or help desk involvement. For more information, see Manage self-service password reset in Microsoft 365 Lighthouse. For more information, see [Manage self-service password reset in Microsoft 365 Lighthouse](m365-lighthouse-manage-sspr.md).
 
 ## Related content
 
-[Plan an Azure Active Directory Multi-Factor Authentication deployment](/azure/active-directory/authentication/howto-mfa-getstarted) (article)\
-[What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) (article)\
-[What is Conditional Access?](/azure/active-directory/conditional-access/overview) (article)\
-[Learn how to convert users from per-user MFA to Conditional Access](/azure/active-directory/authentication/howto-mfa-getstarted#convert-users-from-per-user-mfa-to-conditional-access-based-mfa) (article)
+[Overview of multifactor authentication in Lighthouse](m365-lighthouse-mfa-overview.md) (article)\
+[Plan an Azure Active Directory Multi-Factor Authentication deployment](/azure/active-directory/authentication/howto-mfa-getstarted) (article)\
+[What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) (article)\
+[What is Conditional Access?](/azure/active-directory/conditional-access/overview) (article)\
+[Learn how to convert users from per-user MFA to Conditional Access](/azure/active-directory/authentication/howto-mfa-getstarted#convert-users-from-per-user-mfa-to-conditional-access-based-mfa) (article)