Merge pull request #15514 from MicrosoftDocs/main
Publish main to live, Tuesday 3:30PM PDT, 09/03
Stacyrch140 authored Sep 3, 2024
2 parents 7286432 + 5ff368a commit 2bbb86e
Showing 4 changed files with 24 additions and 22 deletions.
26 changes: 13 additions & 13 deletions Teams/security-remove-external-chat.md
Expand Up @@ -21,23 +21,23 @@ appliesto:

As a tenant administrator, you can use the new [RemoveAllAccessForUser](/graph/api/chat-removeallaccessforuser) Graph API to remove an externally initiated chat from your user’s view.

Microsoft Teams admins might need to remove user chats created by people outside of your organization. For example, one of your users might have received a chat request from someone outside of your company. That chat could contain inappropriate or malicious content, and, as an admin, you can remove that chat to help protect your user.
Microsoft Teams admins might need to remove user chats created by people outside of your organization. For example, one of your users received a chat request from someone outside of your company. That chat could contain inappropriate or malicious content, and, as an admin, you can remove that chat to help protect your user.

To use the RemoveAllAccessForUser Graph API, you need to provide three parameters: the **tenantId**, the **userId**, and the **chatsId/threadId**. The **tenantId** is the unique identifier of your Teams tenant. The **userId** is the unique identifier of your user that you want to remove the chat for. The **chatsId/threadId** is the unique identifier of the Teams chat thread that you want to remove your user from.

You can obtain these three parameters from the new Unified Audit Log (UAL) events that are generated when an external user communicates with a user in your tenant. The UAL events contain information about the sender, the recipient, the chat thread, and the message. You can use the UAL events to identify the chat thread that you want to revoke access from, and then extract the **tenantId**, the **userId**, and the **chatsId/threadId** from the event details.

## Steps to use the RemoveAllAccessForUser Graph API

- Step 1: Search for the [UAL events](/purview/audit-teams-audit-log-events) that match your criteria. If you want to find all events where a user was added to a chat, you can use the MemberAdded event in your search query.
- Step 1: Search for the [UAL events](/purview/audit-teams-audit-log-events) that match your criteria. If you want to find all events where a user was added to a chat, you can use the "MemberAdded" event in your search query.
- Step 2: Extract the **tenantId**, the **userId**, and the **chatsId/threadId** from the UAL event details
- Step 3: Call the RemoveAllAccessForUser Graph API with the desired parameters

### Step 1: Search for the UAL events that match your criteria
### Step 1: Search for UAL events

To search for the UAL events that match your criteria, you can use the Search-UnifiedAuditLog graph API, or you can use the audit log search feature in the Microsoft Purview compliance portal. The rest of this document assumes you're using the interactive version in the Microsoft Purview compliance portal. Use the following steps:
To search for specific UAL events, you can use the Search-UnifiedAuditLog graph API, or you can use the audit log search feature in the Microsoft Purview compliance portal. The following instructions use the Microsoft Purview compliance portal. Perform the following steps:

1. Sign in to https://compliance.microsoft.com as a global administrator or an audit log administrator.
1. Sign in to https://compliance.microsoft.com as an audit log administrator.
2. In the left navigation, select **Audit**.
3. On the Audit log search page, specify the following criteria:

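Review bot: The rewritten sentence still calls Search-UnifiedAuditLog a "graph API"; it is an Exchange Online PowerShell cmdlet, not a Microsoft Graph endpoint, so the line should read something like "you can use the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell, or the audit log search feature in the Microsoft Purview compliance portal". Dropping "global administrator" from the sign-in step is the right least-privilege change; consider pointing the reader at the permissions topic for audit search so they don't fall back to Global Administrator when the audit role is unfamiliar. The "This command queues a search" wording is fine, but Select is a button, not a command; "Selecting Search queues a search to run in the background" avoids that.
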
Expand All @@ -46,20 +46,20 @@ To search for the UAL events that match your criteria, you can use the Search-Un
- Date range: Select a date range that covers the time period when the external user communicated with the user in your tenant.
(optional) Users: Enter the UPN of the user in your tenant who you are interested in.

4. Select **Search**. This queues a search to run in the background.
4. Select **Search**. This command queues a search to run in the background.

Once complete, review the search results and identify the UAL events that involve the chat and user that you're interested in (Step 3 below).

### Step 2: Extract the tenantId, the userId, and the chatsId/threadId from the UAL event details

To extract the **tenantId**, the **userId**, and the **chatsId/threadId** from the UAL event details, you can use the **OrganizationId**, **UserKey**, and **ChatThreadId** fields of the event. If you searched for the **MemberAdded** event, you might see events where your users were added to an external chat and also where your users added an external user to a chat. You'll want to find the events where your user in your tenant is in the **Members** detail section (this indicates that this is the user that was added—see figure 2 below). To do this, follow these steps:
To extract the **tenantId**, the **userId**, and the **chatsId/threadId** from the UAL event details, you can use the **OrganizationId**, **UserKey**, and **ChatThreadId** fields of the event. If you searched for the **MemberAdded** event, you might see events where your users were added to an external chat and also where your users added an external user to a chat. Find the events where your user in your tenant is in the **Members** detail section (indicates that this is the user that was added—see figure 2 below). To do this, follow these steps:

1. Select one of the UAL events that involve the external user that you want to revoke access from.
2. On the Event details pane:
1. Select one of the UAL events that involve the external user that you want to revoke access from.
2. On the Event details pane:

- Copy the value of the **OrganizationId** field. This is the **tenantId** of your Teams tenant.
- Copy the value of the **UserKey** field. This is the **userId** of the user in your tenant that was added to the chat.
- Copy the value of the **ChatThreatId** field. This is the **chatsId/threadId** of the Teams chat thread that the message belongs to.
- Copy the value of the **OrganizationId** field. This value is the **tenantId** of your Teams tenant.
- Copy the value of the **UserKey** field. This value is the **userId** of the user in your tenant that was added to the chat.
- Copy the value of the **ChatThreatId** field. This value is the **chatsId/threadId** of the Teams chat thread that the message belongs to.

See the following screenshot showing an example of a Purview search result detail:

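Review bot: The field-name typo "ChatThreatId" survives in the rewritten bullet, while the paragraph above it names the same field ChatThreadId; an admin who copies the bullet's spelling into a filter will not find the field. Change the bullet to "Copy the value of the **ChatThreadId** field. This value is the **chatsId/threadId** ...". Also, the new parenthetical "(indicates that this is the user that was added—see figure 2 below)" lost its subject when "this" was removed; "(which indicates that this is the user who was added; see figure 2 below)" reads cleanly. Finally, the numbered sub-steps under "On the Event details pane" are unchanged here but the bullets are written as an unordered list, so the reader cannot tell whether the three copies are one step or three; either fold them under step 2 as its body or number them.
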
Expand Down Expand Up @@ -101,7 +101,7 @@ To authenticate the request, you need to provide a valid access token in the Aut
If the request is successful, the response has a status code of “204 No Content” and an empty body. If the request fails, the response has an error code and a message that explains the reason for the failure.


There are many ways to call a Microsoft Graph API – if you're unfamiliar with how to do this, you might want to start with an interactive tool such as [Graph Explorer](/graph/graph-explorer/graph-explorer-overview). Some admins create an app or use PowerShell to interact with Graph APIs as well.
There are many ways to call a Microsoft Graph API – if you're unfamiliar with the process, start with an interactive tool such as [Graph Explorer](/graph/graph-explorer/graph-explorer-overview). Some admins create an app or use PowerShell to interact with Graph APIs.

### Sample Code

20 changes: 11 additions & 9 deletions Teams/tmr-meeting-recording-change.md
Expand Up @@ -31,7 +31,7 @@ To learn about your recording policies, see [Teams meeting recording](meeting-re

### Meetings and events

For **meetings, webinars, and town halls**, by default, all recording files are saved to the organizer's OneDrive **Recordings** folder. The **`-MeetingRecordingOwnership`** parameter within the PowerShell [**CsTeamsRecordingRolloutPolicy**](/powershell/module/teams/set-csteamsrecordingrolloutpolicy) cmdlet controls whether the recording is saved to the organizer's or recording initiator's OneDrive, overriding the default storage settings. This policy applies to the following meeting and event types:
For **meetings, webinars, and town halls**, use the per-organizer **`-MeetingRecordingOwnership`** parameter within the PowerShell [**CsTeamsRecordingRolloutPolicy**](/powershell/module/teams/set-csteamsrecordingrolloutpolicy) cmdlet to decide if the recording is saved to the organizer's or recording initiator's OneDrive. This policy applies to the following meeting and event types:

- Automatically recorded meetings
- Delegate-created meetings
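Review bot: The rewritten sentence drops the statement of the default (recordings go to the organizer's OneDrive Recordings folder) and no longer says which value applies when the parameter is unset; if that fact is meant to live only in the MeetingOrganizer paragraph further down, add "by default" here so a reader who stops at this sentence still knows. The link text also calls CsTeamsRecordingRolloutPolicy a cmdlet, but that is the policy noun; the cmdlet the link resolves to is Set-CsTeamsRecordingRolloutPolicy, so say "the -MeetingRecordingOwnership parameter of the Set-CsTeamsRecordingRolloutPolicy cmdlet" and keep "This policy applies to..." for the policy itself. "per-organizer" is a useful addition, since it tells the admin that the organizer's assignment, not the attendee's, is what matters.
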
Expand All @@ -43,9 +43,9 @@ For **meetings, webinars, and town halls**, by default, all recording files are
- Town halls
- Webinars

If **`-MeetingRecordingOwnership`** is set to `RecordingInitiator`, when organizers with this policy create meetings and events, the recording saves to the OneDrive of the user who starts the recording. If the recording initiator doesn't have a OneDrive, the recording is temporarily saved to async media storage.
If **`-MeetingRecordingOwnership`** is set to **`MeetingOrganizer`**, which is the **default value**, the recording saves to organizer's OneDrive, even if the organizer didn't attend the meeting or event. All recording files are saved to the organizer's OneDrive **Recordings** folder. Co-organizers have the same editing permissions as organizers for recording files. To understand what happens if an organizer doesn't have a OneDrive account, see the **Recording storage for organizers without OneDrive accounts** section in this article.

If **`-MeetingRecordingOwnership`** is set to `MeetingOrganizer`, when organizers with this policy create meetings and events, the recording saves to organizer's OneDrive, even if the organizer didn't attend the meeting or event. Co-organizers have the same editing permissions as organizers for recording files. To understand what happens if an organizer doesn't have a OneDrive account, see the **Recording storage for organizers without OneDrive accounts** section in this article.
If **`-MeetingRecordingOwnership`** is set to **`RecordingInitiator`**, the recording saves to the OneDrive of the user who starts the recording. If the recording initiator doesn't have a OneDrive, the recording is temporarily saved to async media storage.

#### Delegate-created meetings

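Review bot: Both rewritten paragraphs drop the qualifier "when organizers with this policy create meetings and events". For RecordingInitiator that qualifier carries the key point: it is the organizer's policy, not the initiator's, that sends the recording to the initiator's OneDrive. Keep it, for example "If the organizer's policy has -MeetingRecordingOwnership set to RecordingInitiator, the recording saves to the OneDrive of the user who starts the recording." Leading with the default value first is a good reordering, and "which is the default value" makes the unset case explicit. Two smaller points: "saves to organizer's OneDrive" is missing "the", and the RecordingInitiator paragraph says the recording is "temporarily saved to async media storage" without saying where it ends up afterwards or how long it stays there, which is exactly what an admin responsible for retention or data residency will ask.
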
Expand All @@ -59,29 +59,31 @@ For 1-1 call and group calls, recording files go to the OneDrive account of the

For **Channel meetings**, the recording is stored in the SharePoint Teams site documentation library in a folder named **Recordings**. For example: *Teams name - Channel name*/**Documents**/**Recordings**.

### Shared accounts
### Shared account scheduled meetings

For **shared accounts**, if the shared account has OneDrive, the recording is uploaded there. However, since shared accounts typically don’t have OneDrive, the recordings are uploaded to the organizer’s OneDrive in those cases. To understand what happens if an organizer doesn't have a OneDrive account, see the **Recording storage for organizers without OneDrive accounts** section in this article.
For **shared accounts scheduled meetings**, if the shared account has a OneDrive, the recording is uploaded there. However, since shared accounts typically don’t have a OneDrive, the recordings are uploaded to the co-organizer’s or recording initiator's OneDrive instead. To understand what happens if an organizer doesn't have a OneDrive account, see the **Recording storage for organizers without OneDrive accounts** section in this article.

For details on shared accounts, see [About shared mailboxes - Microsoft 365 admin](/microsoft-365/admin/email/about-shared-mailboxes).

### Microsoft Teams Rooms meetings

For **Microsoft Teams Rooms meetings(MTR)**, when an organizer creates a meeting using the meet-now button in MTR, the room itself becomes the meeting organizer, and the recording is stored in the MTR’s OneDrive account. As a result, none of the meeting participants have full permissions to the file. If you want meeting participants to have full permissions to the recording file, avoid assigning OneDrive storage to an MTR.
For **Microsoft Teams Rooms (MTR) meetings**, when an organizer creates a meeting using the meet-now button in MTR, the room itself becomes the meeting organizer, and the recording is stored in the MTR’s OneDrive account. However, none of the meeting participants have full permissions to the file. If you want meeting participants to have full permissions to the recording file, avoid assigning OneDrive storage to an MTR.

When the MTR doesn't have a OneDrive account, the recording gets saved to the organizer's OneDrive. For details on what happens if an organizer doesn't have a OneDrive account, see the **Recording storage for organizers without OneDrive accounts** section in this article.
When the MTR doesn't have a OneDrive account, the recording gets saved to the co-organizer's or recording initiator's OneDrive. For details on what happens if an organizer doesn't have a OneDrive account, see the **Recording storage for organizers without OneDrive accounts** section in this article.

When an MTR attends a meeting that another user organizes, the MTR can't initiate the recording, but other meeting participants can.

To learn more about Microsoft Teams Rooms meetings, see [Microsoft Teams Rooms (Windows)](https://support.microsoft.com/office/microsoft-teams-rooms-windows-e667f40e-5aab-40c1-bd68-611fe0002ba2).

### Recording storage for organizers without OneDrive accounts

When the organizer doesn’t have a OneDrive account, here's what happens, in order, to the meeting recording:

1. The recording is saved to the co-organizer's OneDrive, while the meeting or event organizer retains permissions to edit and share the recording. When there are multiple co-organizers, the recording saves to the co-organizers' OneDrive, ordered by the first number of each co-organizer's Entra object ID. To find the object IDs for users in your org, see [Locate important IDs for a user](/partner-center/account-settings/find-ids-and-domain-names#find-the-user-object-id).
1. The recording is saved to the co-organizer's OneDrive, while the meeting or event organizer retains permissions to edit and share the recording. When there are multiple co-organizers, the recording saves to the co-organizers' OneDrive, ordered by the first letter or number of each co-organizer's Entra object ID. To find the object IDs for users in your org, see [Locate important IDs for a user](/partner-center/account-settings/find-ids-and-domain-names#find-the-user-object-id).

Let's take a look at the following example with three co-organizers:

:::image type="content" source="media/objectid-co-organizer-recording-small.png" alt-text="Screenshot of the object IDs for three organizers. The first organizer's object ID starts with the letter one, the second character in the second organizer's object ID is the number 5, and the second character in the third organizer's object ID is the number 3." lightbox="media/objectid-co-organizer-recording-expand.png":::
:::image type="content" source="media/new-objectid-co-organizer-recording-small.png" alt-text="Screenshot of the object IDs for three organizers. The first organizer's object ID starts with the letter one, the first character in the second organizer's object ID is the letter d, and the first letter in the third organizer's object ID is the letter a." lightbox="media/new-objectid-co-organizer-recording-expand.png":::

In this example, the recording is saved to co-organizer 1’s OneDrive account. If co-organizer 1 doesn’t have a OneDrive account, the recording is saved to co-organizer 3’s OneDrive. If co-organizer 3 also doesn’t have a OneDrive account, the recording is then saved to co-organizer 2’s OneDrive.

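Review bot: The shared-account and MTR fallbacks now say the recording goes to "the co-organizer's or recording initiator's OneDrive" without saying which of the two wins, while the "Recording storage for organizers without OneDrive accounts" section that the same sentences point to describes an ordered fallback starting with the co-organizer; state the order once here, or just defer to that section, so the two passages cannot be read as disagreeing. In that section, "ordered by the first letter or number of each co-organizer's Entra object ID" is still imprecise: object IDs are GUIDs, so say the co-organizers are tried in ascending order of their object IDs compared character by character (the example's 1, then a, then d matches that) and say what happens when the first characters tie. The new alt text's "starts with the letter one" should be "starts with the number 1". Grammar: "shared accounts scheduled meetings" should be "shared-account scheduled meetings" in the body to match the new heading.
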

0 comments on commit 2bbb86e
