From 0c7a3688386cfe3a470e1a770f04582a893f0926 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 15 Aug 2023 11:09:46 -0700 Subject: [PATCH 1/7] remove symbol store --- ...configure-network-connections-microsoft-defender-antivirus.md | 1 - 1 file changed, 1 deletion(-) diff --git a/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md b/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md index 6280b157b27..79fd6bd8868 100644 --- a/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md +++ b/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md @@ -62,7 +62,6 @@ Make sure that there are no firewall or network filtering rules denying access t |Security intelligence updates Alternate Download Location (ADL)
This is an alternate location for Microsoft Defender Antivirus Security intelligence updates, if the installed Security intelligence is out of date (Seven or more days behind).|`*.download.microsoft.com`
`*.download.windowsupdate.com` (Port 80 is required)
`go.microsoft.com` (Port 80 is required)
`https://www.microsoft.com/security/encyclopedia/adlpackages.aspx`
`https://definitionupdates.microsoft.com/download/DefinitionUpdates/`
`https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| |Malware submission storage
This is an upload location for files submitted to Microsoft via the Submission form or automatic sample submission.|`ussus1eastprod.blob.core.windows.net`
`ussus2eastprod.blob.core.windows.net`
`ussus3eastprod.blob.core.windows.net`
`ussus4eastprod.blob.core.windows.net`
`wsus1eastprod.blob.core.windows.net`
`wsus2eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`ussus2westprod.blob.core.windows.net`
`ussus3westprod.blob.core.windows.net`
`ussus4westprod.blob.core.windows.net`
`wsus1westprod.blob.core.windows.net`
`wsus2westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`wseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`wseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`wsuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`wsuk1westprod.blob.core.windows.net`| |Certificate Revocation List (CRL)
Windows use this list while creating the SSL connection to MAPS for updating the CRL.|`http://www.microsoft.com/pkiops/crl/`
`http://www.microsoft.com/pkiops/certs`
`http://crl.microsoft.com/pki/crl/products`
`http://www.microsoft.com/pki/certs`| -|Symbol Store

Microsoft Defender Antivirus uses the Symbol Store to restore certain critical files during the remediation flows.|`https://msdl.microsoft.com/download/symbols`| |Universal GDPR Client
Windows use this client to send the client diagnostic data.

Microsoft Defender Antivirus uses General Data Protection Regulation for product quality, and monitoring purposes.|The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:
`vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud From e7d5b64b4107a585b2d30b32ee76de2879ae1516 Mon Sep 17 00:00:00 2001 From: Chuck Edmonson <33042436+chuckedmonson@users.noreply.github.com> Date: Tue, 15 Aug 2023 11:44:56 -0700 Subject: [PATCH 2/7] brand update --- microsoft-365/syntex/adoption-getstarted.md | 2 +- microsoft-365/syntex/esignature-send-requests.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/microsoft-365/syntex/adoption-getstarted.md b/microsoft-365/syntex/adoption-getstarted.md index c10cb0059b9..0e929845331 100644 --- a/microsoft-365/syntex/adoption-getstarted.md +++ b/microsoft-365/syntex/adoption-getstarted.md @@ -70,7 +70,7 @@ Determine who in your organization will build and manage the models. The followi | SharePoint/Knowledge admin | Power Platform admin | Knowledge manager | Model owner | |:-------|:-------|:-------|:-------| -| AAD role| AAD role | AAD role | Champions | +| Microsoft Entra role| Microsoft Entra role | Microsoft Entra role | Champions | | Configure structured document processing and freeform document processing models | Configure Dataverse environment | Gather use cases | Gather business use cases | | Manage content centers and permissions| Purchase and allocate AIB credits | Establish best practices and review model analytics | Create and apply models | diff --git a/microsoft-365/syntex/esignature-send-requests.md b/microsoft-365/syntex/esignature-send-requests.md index ebd58a843ce..528df56e885 100644 --- a/microsoft-365/syntex/esignature-send-requests.md +++ b/microsoft-365/syntex/esignature-send-requests.md 
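Review bot: in PATCH 1/7, the `-|Symbol Store ... https://msdl.microsoft.com/download/symbols|` row is deleted from the required-endpoints table without any rationale in the commit message ("remove symbol store"). Admins who allow-listed this URL on the strength of the previous version of the page need to know whether the rule can now be withdrawn, so state in the commit or PR description that Defender Antivirus no longer contacts the symbol store during remediation flows (or, if the endpoint merely moved to another table, link the new location). While the table is open, the unchanged context lines "Windows use this list while creating the SSL connection" and "Windows use this client to send the client diagnostic data" should read "Windows uses ...".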
@@ -75,7 +75,7 @@ Syntex eSignature is an extension of SharePoint document storage and management - The document is stored in a library or folder that has unique permissions or sharing settings. This event might override the default settings of the SharePoint site or tenant and either allow or block certain users from initiating or accessing an eSignature request with that document. -- Azure Active Directory collaboration settings restrict document sharing to specific individuals. This event limits who the requests can be sent to. +- Microsoft Entra ID collaboration settings restrict document sharing to specific individuals. This event limits who the requests can be sent to. ### Cancel a signature request @@ -228,7 +228,7 @@ Before a signature request is sent and at the completion of the request, certain To avoid potential issues, you should check the status and settings of their documents before starting a signature request. Ensure that there are sufficient permissions and roles to access and share the documents with their intended recipients. - Data loss prevention (DLP) policies -- Azure Active Directory collaboration settings +- Microsoft Entra ID collaboration settings - SharePoint sharing settings and policies - User permissions and document access From 850ba42759355bab45439cac76e4e8726d71e7ca Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Aug 2023 13:41:52 -0700 Subject: [PATCH 3/7] Learn Editor: Update enable-controlled-folders.md --- .../enable-controlled-folders.md | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/microsoft-365/security/defender-endpoint/enable-controlled-folders.md b/microsoft-365/security/defender-endpoint/enable-controlled-folders.md index 92b3809a4ed..861ae50c7fb 100644 --- a/microsoft-365/security/defender-endpoint/enable-controlled-folders.md +++ b/microsoft-365/security/defender-endpoint/enable-controlled-folders.md 
@@ -1,6 +1,5 @@ --- title: Enable controlled folder access -keywords: Controlled folder access, windows 10, windows 11, windows defender, ransomware, protect, files, folders, enable, turn on, use description: Learn how to protect your important files by enabling Controlled folder access ms.service: microsoft-365-security ms.topic: conceptual @@ -15,7 +14,7 @@ ms.collection: - m365-security - tier3 search.appverid: met150 -ms.date: 05/17/2023 +ms.date: 08/15/2023 --- # Enable controlled folder access @@ -44,7 +43,8 @@ You can enable controlled folder access by using any of these methods: - [Group Policy](#group-policy) - [PowerShell](#powershell) -[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the device. +> [!TIP] +> Try using [audit mode](evaluate-controlled-folder-access.md) at first so you can see how the feature works and review events without impacting normal device usage in your organization. Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: 
@@ -78,20 +78,20 @@ For more information about disabling local list merging, see [Prevent or allow u 4. Name the policy and add a description. Select **Next**. -5. Scroll down to the bottom, select the **Enable Controlled Folder Access** drop-down, and choose **Enable**. +5. Scroll down, and in the **Enable Controlled Folder Access** drop-down, select an option, such as **Audit Mode**. -6. Select **Controlled Folder Access Protected Folders** and add the folders that need to be protected. + We recommend enabling controlled folder access in audit mode first to see how it'll work in your organization. You can set it to another mode, such as **Enabled**, later. -7. Select **Controlled Folder Access Allowed Applications** and add the apps that have access to protected folders. +6. To optionally add folders that should be protected, select **Controlled Folder Access Protected Folders** and then add folders. Files in these folders can't be modified or deleted by untrusted applications. Keep in mind that your default system folders are automatically protected. You can view the list of default system folders in the Windows Security app on a Windows device. To learn more about this setting, see [Policy CSP - Defender: ControlledFolderAccessProtectedFolders](/windows/client-management/mdm/policy-csp-defender?#controlledfolderaccessprotectedfolders). -8. Select **Exclude files and paths from attack surface reduction rules** and add the files and paths that need to be excluded from attack surface reduction rules. +7. To optionally add applications that should be trusted, select **Controlled Folder Access Allowed Applications** and then add the apps can access protected folders. Microsoft Defender Antivirus automatically determines which applications should be trusted. Only use this setting to specify additional applications. 
To learn more about this setting, see [Policy CSP - Defender: ControlledFolderAccessAllowedApplications](/windows/client-management/mdm/policy-csp-defender#controlledfolderaccessallowedapplications). -9. Select the profile **Assignments**, assign to **All Users & All Devices**, and select **Save**. +8. Select the profile **Assignments**, assign to **All Users & All Devices**, and select **Save**. -10. Select **Next** to save each open blade and then **Create**. +9. Select **Next** to save each open blade and then **Create**. - > [!NOTE] - > Wildcards are supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. +> [!NOTE] +> Wildcards are supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. ## Mobile Device Management (MDM) @@ -154,3 +154,4 @@ Use `Disabled` to turn off the feature. - [Customize controlled folder access](customize-controlled-folders.md) - [Evaluate Microsoft Defender for Endpoint](evaluate-mde.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] + From d3ca74af3a140c8429cd8878cda50c81f796aaa3 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Tue, 15 Aug 2023 13:55:18 -0700 Subject: [PATCH 4/7] Update performance-tuning-using-baselines-and-history.md --- .../performance-tuning-using-baselines-and-history.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/microsoft-365/enterprise/performance-tuning-using-baselines-and-history.md b/microsoft-365/enterprise/performance-tuning-using-baselines-and-history.md index edada7904d1..7f067e878a8 100644 --- a/microsoft-365/enterprise/performance-tuning-using-baselines-and-history.md +++ b/microsoft-365/enterprise/performance-tuning-using-baselines-and-history.md 
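Review bot: in the @@ -78,20 hunk of PATCH 3/7, new step 7 is missing a word: "select **Controlled Folder Access Allowed Applications** and then add the apps can access protected folders" should read "add the apps that can access protected folders". The same hunk also repeats the audit-mode advice that the @@ -44,7 hunk just added as a `[!TIP]` ("We recommend enabling controlled folder access in audit mode first..."); one of the two is enough. Finally, de-indenting the `> [!NOTE]` about wildcards and subfolders moves it after step 9 (**Create**), away from steps 6 and 7 where folders and apps are actually entered; consider placing it directly under step 7 instead.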
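Review bot: the @@ -154,3 hunk of PATCH 3/7 only appends an empty line after the `[!INCLUDE ...]`, leaving an extra blank line at end of file (PATCH 5/7 does the same in defender-endpoint-subscription-settings.md). A single trailing newline is the convention; drop the added blank line unless the Learn Editor requires it.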
@@ -3,7 +3,7 @@ title: "Office 365 performance tuning using baselines and performance history" ms.author: tracyp author: MSFTTracyP manager: dansimp -ms.date: 07/08/2021 +ms.date: 08/15/2023 audience: Admin ms.topic: conceptual ms.service: microsoft-365-enterprise @@ -327,4 +327,4 @@ To tackle a performance problem, *right now*, you need to be taking a trace at ## See also -[Managing Office 365 endpoints](https://support.office.com/article/99cab9d4-ef59-4207-9f2b-3728eb46bf9a) \ No newline at end of file +[Managing Office 365 endpoints](https://support.office.com/article/99cab9d4-ef59-4207-9f2b-3728eb46bf9a) From f356a263a227cf9238d4cf5d8055d3b1a529cf84 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Aug 2023 14:11:10 -0700 Subject: [PATCH 5/7] Learn Editor: Update defender-endpoint-subscription-settings.md --- .../defender-endpoint-subscription-settings.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md b/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md index d54cd3c1cbd..5ff5dd1eead 100644 --- a/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md +++ b/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md 
@@ -1,14 +1,13 @@ --- title: Manage your Microsoft Defender for Endpoint subscription settings across client devices (preview!) description: Learn about your options for managing your Defender for Endpoint subscription settings. Choose Plan 1, Plan 2, or mixed mode. -keywords: Defender for Endpoint, choose plan 1, choose plan 2, mixed mode, device tag, endpoint protection, endpoint security, device security, cybersecurity search.appverid: MET150 author: denisebmsft ms.author: deniseb manager: dansimp audience: ITPro ms.topic: overview -ms.date: 03/06/2023 +ms.date: 08/05/2023 ms.service: microsoft-365-security ms.subservice: mde ms.localizationpriority: medium @@ -113,6 +112,7 @@ For example, suppose that you want to use a tag called `VIP` for all the devices If you chose to apply Defender for Endpoint Plan 1 to all devices, proceed to [Validate that devices are receiving only Defender for Endpoint Plan 1 capabilities](#validate-that-a-device-is-receiving-only-defender-for-endpoint-plan-1-capabilities). + --- ## Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities 
@@ -124,11 +124,13 @@ After you have assigned Defender for Endpoint Plan 1 capabilities to some or all 2. Select a device that is tagged with `License MDE P1`. You should see that Defender for Endpoint Plan 1 is assigned to the device. > [!NOTE] -> Devices that are assigned Defender for Endpoint Plan 1 capabilities will not have vulnerabilities or security recommendations listed. +> Devices that are assigned Defender for Endpoint Plan 1 capabilities don't have any vulnerabilities or security recommendations listed. ## Review license usage -The license usage report is estimated based on sign-in activities on the device. To reduce management overhead, there will not be a requirement for device-to-user mapping and assignment. Instead, the license report will provide a utilization estimation that is calculated based on the utilization seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices. +The license usage report is estimated based on sign-in activities on the device. Defender for Endpoint Plan 2 licenses are per user, and each user can have up to five concurrent, onboarded devices. To laern more about license terms, see [Microsoft Licensing](https://www.microsoft.com/en-us/licensing/default). + +To reduce management overhead, there's no requirement for device-to-user mapping and assignment. Instead, the license report provides a utilization estimation that is calculated based on device usage seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices. > [!IMPORTANT] > To access license information, you must have one of the following roles assigned in Azure Active Directory (Azure AD): 
@@ -150,4 +152,6 @@ The license usage report is estimated based on sign-in activities on the device. - [Get started with Microsoft Security (trial offers)](https://www.microsoft.com/security/business/get-started/start-free-trial) - [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) - [Microsoft Defender for Business](../defender-business/mdb-overview.md) (endpoint protection for small and medium-sized businesses) + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] + From c409ec6b9dc33ad8b425926f33ec7fe6e7715baf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Aug 2023 14:17:36 -0700 Subject: [PATCH 6/7] Update defender-endpoint-subscription-settings.md --- .../defender-endpoint-subscription-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md b/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md index 5ff5dd1eead..8e2ff6684b7 100644 --- a/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md +++ b/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md 
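Review bot: in the @@ -1,14 hunk of PATCH 5/7, `+ms.date: 08/05/2023` looks like a typo for 08/15/2023: the commit is dated Tue, 15 Aug 2023 and every other freshness bump in this series (PATCH 3/7, PATCH 4/7) uses 08/15/2023. Backdating the stamp by ten days renders fine but misreports when the article was last reviewed.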
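Review bot: the @@ -124,11 hunk of PATCH 5/7 introduces a typo in the added line, "To laern more about license terms" (should be "learn"); PATCH 6/7 corrects it, so squash the two commits rather than landing a known typo. The new sentence "Defender for Endpoint Plan 2 licenses are per user, and each user can have up to five concurrent, onboarded devices" is then followed by a separate paragraph saying device-to-user mapping is not required; spell out how the two relate (the estimate is computed from device usage without assigning devices to users) so the reader is not left to infer it. Also, the unchanged `> [!IMPORTANT]` context below still says "Azure Active Directory (Azure AD)" while PATCH 2/7 in this same series rebrands to Microsoft Entra ID; update it while the file is open.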
@@ -128,7 +128,7 @@ After you have assigned Defender for Endpoint Plan 1 capabilities to some or all ## Review license usage -The license usage report is estimated based on sign-in activities on the device. Defender for Endpoint Plan 2 licenses are per user, and each user can have up to five concurrent, onboarded devices. To laern more about license terms, see [Microsoft Licensing](https://www.microsoft.com/en-us/licensing/default). +The license usage report is estimated based on sign-in activities on the device. Defender for Endpoint Plan 2 licenses are per user, and each user can have up to five concurrent, onboarded devices. To learn more about license terms, see [Microsoft Licensing](https://www.microsoft.com/en-us/licensing/default). To reduce management overhead, there's no requirement for device-to-user mapping and assignment. Instead, the license report provides a utilization estimation that is calculated based on device usage seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices. From 04a2315e2de8ddba4a0e2db4ec1b0ead7dab05f9 Mon Sep 17 00:00:00 2001 
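Review bot: this one-word fix ("laern" to "learn") in PATCH 6/7 corrects a line that PATCH 5/7 of the same series introduced; squash it into that commit so the series history does not carry the typo, and note that the file's `ms.date` (set to 08/05/2023 in PATCH 5/7) is still not the commit date.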
From: Chris Davis Date: Tue, 15 Aug 2023 14:59:21 -0700 Subject: [PATCH 7/7] compliance to purview link updates 1 --- microsoft-365/security/office-365-security/air-about.md | 8 ++++---- .../office-365-security/air-remediation-actions.md | 2 +- .../office-365-security/air-view-investigation-results.md | 2 +- .../office-365-security/attack-simulation-training-faq.md | 2 +- .../office-365-security/azure-ip-protection-features.md | 2 +- .../connectors-detect-respond-to-compromise.md | 2 +- .../office-365-security/connectors-remove-blocked.md | 4 ++-- .../defender-for-office-365-whats-new.md | 2 +- .../detect-and-remediate-illicit-consent-grants.md | 6 +++--- microsoft-365/security/office-365-security/eop-about.md | 4 ++-- .../office-365-security/identity-access-prerequisites.md | 2 +- .../investigate-malicious-email-that-was-delivered.md | 2 +- .../office-365-security/mdo-portal-permissions.md | 2 +- .../security/office-365-security/mdo-sec-ops-guide.md | 2 +- .../mdo-sec-ops-manage-incidents-and-alerts.md | 2 +- .../migrate-to-defender-for-office-365-onboard.md | 2 +- .../outbound-spam-policies-configure.md | 6 +++--- .../office-365-security/outbound-spam-protection-about.md | 2 +- .../priority-accounts-security-recommendations.md | 4 ++-- .../office-365-security/protect-against-threats.md | 6 +++--- .../security/office-365-security/quarantine-policies.md | 2 +- .../recommended-settings-for-eop-and-office365.md | 2 +- ...moving-user-from-restricted-users-portal-after-spam.md | 4 ++-- 23 files changed, 36 insertions(+), 36 deletions(-) diff --git a/microsoft-365/security/office-365-security/air-about.md b/microsoft-365/security/office-365-security/air-about.md index 275ca3403df..4e2dd001e17 100644 --- a/microsoft-365/security/office-365-security/air-about.md +++ b/microsoft-365/security/office-365-security/air-about.md 
@@ -75,17 +75,17 @@ During and after each automated investigation, your security operations team can AIR capabilities are included in [Microsoft Defender for Office 365](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2), provided your policies and alerts are configured. Need some help? Follow the guidance in [Protect against threats](protect-against-threats.md) to set up or configure the following protection settings: -- [Verify audit logging is turned on](../../compliance/audit-log-enable-disable.md) +- [Verify audit logging is turned on](/purview/audit-log-enable-disable) - [Anti-malware protection](protect-against-threats.md#part-1---anti-malware-protection-in-eop) - [Anti-phishing protection](../office-365-security/protect-against-threats.md#part-2---anti-phishing-protection-in-eop-and-defender-for-office-365) - [Anti-spam protection](protect-against-threats.md#part-3---anti-spam-protection-in-eop) - [Safe Links and Safe Attachments](protect-against-threats.md#part-4---protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365) -In addition, make sure to [review your organization's alert policies](../../compliance/alert-policies.md), especially the [default policies in the Threat management category](../../compliance/alert-policies.md#default-alert-policies). +In addition, make sure to [review your organization's alert policies](/purview/alert-policies), especially the [default policies in the Threat management category](/purview/alert-policies#default-alert-policies). ## Which alert policies trigger automated investigations? -Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](../../compliance/alert-policies.md#default-alert-policies) can trigger automated investigations. 
The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 Defender portal, and how they're generated: +Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](/purview/alert-policies#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 Defender portal, and how they're generated: |Alert|Severity|How the alert is generated| |---|---|---| @@ -101,7 +101,7 @@ Microsoft 365 provides many built-in alert policies that help identify Exchange |Admin triggered user compromise investigation|**Medium**|This alert is generated when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. This alert notifies your organization that the user compromise investigation was started.| > [!TIP] -> To learn more about alert policies or edit the default settings, see [Alert policies in the Microsoft Purview compliance portal](../../compliance/alert-policies.md). +> To learn more about alert policies or edit the default settings, see [Alert policies in the Microsoft Purview compliance portal](/purview/alert-policies). ## Required permissions to use AIR capabilities diff --git a/microsoft-365/security/office-365-security/air-remediation-actions.md b/microsoft-365/security/office-365-security/air-remediation-actions.md index 787764ad2e0..9ad5fa3a139 100644 --- a/microsoft-365/security/office-365-security/air-remediation-actions.md +++ b/microsoft-365/security/office-365-security/air-remediation-actions.md 
@@ -58,7 +58,7 @@ Microsoft Defender for Office 365 includes remediation actions to address variou |User|A user is sending malware/phish|Automated investigation doesn't result in a specific pending action.

The user might be reporting malware/phish, or someone could be [spoofing the user](anti-phishing-protection-spoofing-about.md) as part of an attack. Use [Threat Explorer](threat-explorer-about.md) to view and handle email containing [malware](threat-explorer-views.md#malware) or [phish](threat-explorer-views.md#phish).| |User|Email forwarding
(Mailbox forwarding rules are configured, chch could be used for data exfiltration.)|Remove forwarding rule

Use the [Autofowarded messages report](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report) to view specific details about forwarded email.| |User|Email delegation rules
(A user's account has delegations set up.)|Remove delegation rule

If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) who's getting the delegation permission.| -|User|Data exfiltration
(A user violated email or file-sharing [DLP policies](../../compliance/dlp-learn-about-dlp.md) |Automated investigation doesn't result in a specific pending action.

[Get started with Activity Explorer](../../compliance/data-classification-activity-explorer.md#get-started-with-activity-explorer).| +|User|Data exfiltration
(A user violated email or file-sharing [DLP policies](/purview/dlp-learn-about-dlp) |Automated investigation doesn't result in a specific pending action.

[Get started with Activity Explorer](/purview/data-classification-activity-explorer#get-started-with-activity-explorer).| |User|Anomalous email sending
(A user recently sent more email than during the previous 7-10 days.)|Automated investigation doesn't result in a specific pending action.

Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use the [New users forwarding email insight in the EAC](/exchange/monitoring/mail-flow-insights/mfi-new-users-forwarding-email-insight) and [Outbound message report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-inbound-messages-and-outbound-messages-reports) to determine what's going on and take action.| ## Next steps diff --git a/microsoft-365/security/office-365-security/air-view-investigation-results.md b/microsoft-365/security/office-365-security/air-view-investigation-results.md index 135528ee314..cf4f96c0de8 100644 --- a/microsoft-365/security/office-365-security/air-view-investigation-results.md +++ b/microsoft-365/security/office-365-security/air-view-investigation-results.md @@ -41,7 +41,7 @@ The investigation status indicates the progress of the analysis and actions. As |**Starting**|The investigation has been triggered and waiting to start running.| |**Running**|The investigation process has started and is underway. This state also occurs when [pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions) are approved.| |**No Threats Found**|The investigation has finished and no threats (user account, email message, URL, or file) were identified.

**TIP**: If you suspect something was missed (such as a false negative), you can take action using [Threat Explorer](threat-explorer-about.md).| -|**Partially Investigated**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues.

The **Partially Investigated** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities:


**Note**: This **Partially Investigated** status used to be labeled as **Threats Found**.

The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation.

**TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer-about.md)| +|**Partially Investigated**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues.

The **Partially Investigated** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities:


**Note**: This **Partially Investigated** status used to be labeled as **Threats Found**.

The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation.

**TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer-about.md)| |**Terminated By System**|The investigation stopped. An investigation can stop for several reasons:


**TIP**: If an investigation halts before actions were taken, try using [Threat Explorer](threat-explorer-about.md) to find and address threats.| |**Pending Action**|The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox setting, and an action to remediate that threat is [awaiting approval](air-review-approve-pending-completed-actions.md).

The **Pending Action** state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. View investigation details to see if other items are still pending completion.| |**Remediated**|The investigation finished and all remediation actions were approved (noted as fully remediated).

**NOTE**: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status doesn't change. View investigation details.| diff --git a/microsoft-365/security/office-365-security/attack-simulation-training-faq.md b/microsoft-365/security/office-365-security/attack-simulation-training-faq.md index 1b5c4cd77d8..99afd9c9ac1 100644 --- a/microsoft-365/security/office-365-security/attack-simulation-training-faq.md +++ b/microsoft-365/security/office-365-security/attack-simulation-training-faq.md @@ -86,7 +86,7 @@ Audit logging is required by Attack simulation training so events can be capture - Reporting data isn't available across all reports. The reports appear empty. - Training assignments are blocked, because data isn't available. -To verify that audit logging is on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). +To verify that audit logging is on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). > [!NOTE] > Empty activity details can also be caused by no E5 licenses being assigned to users. Verify at least one E5 license is assigned to an active user to ensure that reporting events are captured and recorded. diff --git a/microsoft-365/security/office-365-security/azure-ip-protection-features.md b/microsoft-365/security/office-365-security/azure-ip-protection-features.md index 41b8b9b8933..04be2a057ab 100644 --- a/microsoft-365/security/office-365-security/azure-ip-protection-features.md +++ b/microsoft-365/security/office-365-security/azure-ip-protection-features.md 
@@ -91,4 +91,4 @@ Once this is enabled, provided you haven't opted out, you can start using the ne :::image type="content" source="../../media/599ca9e7-c05a-429e-ae8d-359f1291a3d8.png" alt-text="An OME protected message in Outlook on the web" lightbox="../../media/599ca9e7-c05a-429e-ae8d-359f1291a3d8.png"::: -For more information about the new enhancements, see [Office 365 Message Encryption](../../compliance/ome.md). +For more information about the new enhancements, see [Office 365 Message Encryption](/purview/ome). diff --git a/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md b/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md index 8771f3c1a29..58f5e77bcdb 100644 --- a/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md +++ b/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md @@ -103,7 +103,7 @@ In [Microsoft Defender for Office 365 Plan 1](defender-for-office-365.md) or [Ex #### Investigate and validate connector-related activity -In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), replace \ and \ with your values, and then run the following command to find and validate admin-related connector activity in the audit log. For more information, see [Use a PowerShell script to search the audit log](/compliance/audit-log-search-script). +In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), replace \ and \ with your values, and then run the following command to find and validate admin-related connector activity in the audit log. For more information, see [Use a PowerShell script to search the audit log](/purview/audit-log-search-script). ```powershell Search-UnifiedAuditLog -StartDate "" -EndDate "" -Operations "New-InboundConnector","Set-InboundConnector","Remove-InboundConnector 
diff --git a/microsoft-365/security/office-365-security/connectors-remove-blocked.md b/microsoft-365/security/office-365-security/connectors-remove-blocked.md index 519f114e4c6..c108488d60b 100644 --- a/microsoft-365/security/office-365-security/connectors-remove-blocked.md +++ b/microsoft-365/security/office-365-security/connectors-remove-blocked.md @@ -82,10 +82,10 @@ For more information about compromised _user accounts_ and how to remove them fr ## Verify the alert settings for restricted connectors -The default alert policy named **Suspicious connector activity** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md). +The default alert policy named **Suspicious connector activity** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](/purview/alert-policies). > [!IMPORTANT] -> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). +> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). 1. In the Microsoft 365 Defender portal at , go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**. Or, to go directly to the **Alert policy** page, use . diff --git a/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md b/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md index 528849764c7..935c9dbb42e 100644 --- a/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md 
+++ b/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md @@ -185,7 +185,7 @@ For more information on what's new with other Microsoft Defender security produc - User restricted from sharing forms and collecting responses - Form blocked due to potential phishing attempt - Form flagged and confirmed as phishing - - [New alert policies for ZAP](../../compliance/new-defender-alert-policies.md) + - [New alert policies for ZAP](/purview/new-defender-alert-policies) - Microsoft Defender for Office 365 alerts is now integrated into Microsoft 365 Defender - [Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue](../defender/investigate-alerts.md) - [User Tags](user-tags-about.md) are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies. - Tags are also available in the unified alerts queue in the Microsoft 365 Defender portal (Microsoft Defender for Office 365 Plan 2) diff --git a/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md b/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md index 3ab39cc25a4..aee615891e1 100644 --- a/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md +++ b/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md 
@@ -61,7 +61,7 @@ You need to search the **audit log** to find signs, also called Indicators of Co > > It can take from 30 minutes up to 24 hours for the corresponding audit log entry to be displayed in the search results after an event occurs. > -> The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription, and specifically the type of the license that is assigned to a specific user. For more information, see [Audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md). +> The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription, and specifically the type of the license that is assigned to a specific user. For more information, see [Audit log](/purview/audit-log-search). > > If this value is true, it indicates that someone with Global Administrator access may have granted broad access to data. If this is unexpected, take steps to [confirm an attack](#how-to-confirm-an-attack). 
@@ -132,10 +132,10 @@ The script produces one file named Permissions.csv. Follow these steps to look f ## Determine the scope of the attack -After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender portal](../../compliance/search-the-audit-log-in-security-and-compliance.md). +After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender portal](/purview/audit-log-search). > [!IMPORTANT] -> [Mailbox auditing](../../compliance/audit-mailboxes.md) and [Activity auditing for admins and users](../../compliance/audit-log-enable-disable.md) must have been enabled prior to the attack for you to get this information. +> [Mailbox auditing](/purview/audit-mailboxes) and [Activity auditing for admins and users](/purview/audit-log-enable-disable) must have been enabled prior to the attack for you to get this information. ## How to stop and remediate an illicit consent grant attack diff --git a/microsoft-365/security/office-365-security/eop-about.md b/microsoft-365/security/office-365-security/eop-about.md index 414d594ca1a..ef096b2b118 100644 --- a/microsoft-365/security/office-365-security/eop-about.md +++ b/microsoft-365/security/office-365-security/eop-about.md 
@@ -110,7 +110,7 @@ For information about requirements, important limits, and feature availability a |Mail flow reports|[Mail flow reports in the Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports)| |Mail flow insights|[Mail flow insights in the Exchange admin center](/exchange/monitoring/mail-flow-insights/mail-flow-insights)| |Auditing reports|[Auditing reports in the Exchange admin center](/exchange/security-and-compliance/exchange-auditing-reports/exchange-auditing-reports)| -|Alert policies|[Alert policies](../../compliance/alert-policies.md)| +|Alert policies|[Alert policies](/purview/alert-policies)| |**Service Level Agreements (SLAs) and support**|| |Spam effectiveness SLA|\> 99%| |False positive ratio SLA|\< 1:250,000| @@ -120,5 +120,5 @@ For information about requirements, important limits, and feature availability a |**Other features**|| |A geo-redundant global network of servers|EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the [EOP datacenters](#eop-datacenters) section earlier in this article.| |Message queuing when the on-premises server can't accept mail|Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see [EOP queued, deferred, and bounced messages FAQ](mail-flow-delivery-faq.yml).| -|Office 365 Message Encryption available as an add-on|For more information, see [Encryption in Office 365](../../compliance/encryption.md).| +|Office 365 Message Encryption available as an add-on|For more information, see [Encryption in Office 365](/purview/encryption).| ||| diff --git a/microsoft-365/security/office-365-security/identity-access-prerequisites.md b/microsoft-365/security/office-365-security/identity-access-prerequisites.md index d60206db688..02eb508509d 100644 
--- a/microsoft-365/security/office-365-security/identity-access-prerequisites.md +++ b/microsoft-365/security/office-365-security/identity-access-prerequisites.md @@ -115,7 +115,7 @@ For editions of Microsoft 365 or Office 365 that do not support Conditional Acce Here are some additional recommendations: - Use [Azure AD Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-getting-started) to reduce the number of persistent administrative accounts. -- [Use privileged access management](../../compliance/privileged-access-management-overview.md) to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. +- [Use privileged access management](/purview/privileged-access-management) to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. - Create and use separate accounts that are assigned [Microsoft 365 administrator roles](../../admin/add-users/about-admin-roles.md) *only for administration*. Admins should have their own user account for regular non-administrative use and only use an administrative account when necessary to complete a task associated with their role or job function. - Follow [best practices](/azure/active-directory/roles/best-practices) for securing privileged accounts in Azure AD. diff --git a/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md b/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md index 4e479bc68a2..12ed0a5d104 100644 --- a/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md +++ b/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md 
@@ -43,7 +43,7 @@ Make sure that the following requirements are met: - Your organization has [Microsoft Defender for Office 365](defender-for-office-365.md) and [licenses are assigned to users](../../admin/manage/assign-licenses-to-users.md). -- [Audit logging](../../compliance/audit-log-enable-disable.md) is turned on for your organization (it's on by default). +- [Audit logging](/purview/audit-log-enable-disable) is turned on for your organization (it's on by default). - Your organization has policies defined for anti-spam, anti-malware, anti-phishing, and so on. See [Protect against threats in Office 365](protect-against-threats.md). diff --git a/microsoft-365/security/office-365-security/mdo-portal-permissions.md b/microsoft-365/security/office-365-security/mdo-portal-permissions.md index 47de2b00215..700a2728042 100644 --- a/microsoft-365/security/office-365-security/mdo-portal-permissions.md +++ b/microsoft-365/security/office-365-security/mdo-portal-permissions.md @@ -42,7 +42,7 @@ You need to be member of the **Global Administrator** role in Azure AD or a memb > > In the Microsoft 365 Defender preview program, a different Microsoft Defender 365 RBAC model is also available. The permissions in this RBAC model are different from the Defender for Office 365 permissions as described in this article. For more information, see [Microsoft 365 Defender role-based access control (RBAC)](../defender/manage-rbac.md). > -> For information about permissions in the Microsoft Purview compliance portal, see [Permissions in the Microsoft Purview compliance portal](../../compliance/microsoft-365-compliance-center-permissions.md). +> For information about permissions in the Microsoft Purview compliance portal, see [Permissions in the Microsoft Purview compliance portal](/purview/microsoft-365-compliance-center-permissions). ## Relationship of members, roles, and role groups 
diff --git a/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md b/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md index 4b6b9172d92..cf51332ee16 100644 --- a/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md +++ b/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md @@ -45,7 +45,7 @@ For a video about this information, see . The **Incidents** page in the Microsoft 365 Defender portal at (also known as the _Incidents queue_) allows you to manage and monitor events from the following sources in Defender for Office 365: -- [Alerts](../../compliance/alert-policies.md#default-alert-policies). +- [Alerts](/purview/alert-policies#default-alert-policies). - [Automated investigation and response (AIR)](air-about-office.md). For more information about the Incidents queue, see [Prioritize incidents in Microsoft 365 Defender](../defender/incident-queue.md). diff --git a/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md b/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md index 7543c84387b..99d76165f1c 100644 --- a/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md +++ b/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md 
@@ -28,7 +28,7 @@ appliesto: [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -An [incident](/microsoft-365/security/defender/incidents-overview) in Microsoft 365 Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/microsoft-365/compliance/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft 365 Defender at . We refer to this page as the _Incidents queue_. +An [incident](/microsoft-365/security/defender/incidents-overview) in Microsoft 365 Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/purview/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft 365 Defender at . We refer to this page as the _Incidents queue_. Alerts are created when malicious or suspicious activity affects an entity (for example, email, users, or mailboxes). Alerts provide valuable insights about in-progress or completed attacks. However, an ongoing attack can affect multiple entities, which results in multiple alerts from different sources. Some built-in alerts automatically trigger AIR playbooks. These playbooks do a series of investigation steps to look for other impacted entities or suspicious activity. diff --git a/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md b/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md index 1f9a27059e4..a17f0bf162c 100644 --- a/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md 
+++ b/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md @@ -55,7 +55,7 @@ If your organization has a security response team, now is the time to begin inte - Admin management of quarantined messages is important. For instructions, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md). - Message trace allows you to see what happened to messages as they enter or leave Microsoft 365. For more information, see [Message trace in the modern Exchange admin center in Exchange Online](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac). - Identify risks that may have been let into the organization. -- Tune and customize [alerts](../../compliance/alert-policies.md) for organizational processes. +- Tune and customize [alerts](/purview/alert-policies) for organizational processes. - Manage the incident queue and remediate potential risks. If your organization has purchased Microsoft Defender for Office 365 Plan 2, they should begin familiarizing themselves with and using features such as Threat Explorer, Advanced Hunting, and Incidents. For relevant trainings, see . diff --git a/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md b/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md index b0c4b77fa06..71a82a6591d 100644 --- a/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md +++ b/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md 
@@ -32,7 +32,7 @@ appliesto: In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, outbound email messages that are sent through EOP are automatically checked for spam and unusual sending activity. -Outbound spam from a user in your organization typically indicates a compromised account. Suspicious outbound messages are marked as spam (regardless of the spam confidence level or SCL) and are routed through the [high-risk delivery pool](outbound-spam-high-risk-delivery-pool-about.md) to help protect the reputation of the service (that is, to keep Microsoft 365 source email servers off of IP block lists). Admins are automatically notified of suspicious outbound email activity and blocked users via [alert policies](../../compliance/alert-policies.md). +Outbound spam from a user in your organization typically indicates a compromised account. Suspicious outbound messages are marked as spam (regardless of the spam confidence level or SCL) and are routed through the [high-risk delivery pool](outbound-spam-high-risk-delivery-pool-about.md) to help protect the reputation of the service (that is, to keep Microsoft 365 source email servers off of IP block lists). Admins are automatically notified of suspicious outbound email activity and blocked users via [alert policies](/purview/alert-policies). EOP uses outbound spam policies as part of your organization's overall defense against spam. For more information, see [Anti-spam protection](anti-spam-protection-about.md). 
@@ -54,7 +54,7 @@ You can configure outbound spam policies in the Microsoft 365 Defender portal or - For our recommended settings for outbound spam policies, see [EOP outbound spam policy settings](recommended-settings-for-eop-and-office365.md#eop-outbound-spam-policy-settings). -- The default [alert policies](../../compliance/alert-policies.md) named **Email sending limit exceeded**, **Suspicious email sending patterns detected**, and **User restricted from sending email** already send email notifications to members of the **TenantAdmins** (**Global admins**) group about unusual outbound email activity and blocked users due to outbound spam. For more information, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). We recommend that you use these alert policies instead of the notification options in outbound spam policies. +- The default [alert policies](/purview/alert-policies) named **Email sending limit exceeded**, **Suspicious email sending patterns detected**, and **User restricted from sending email** already send email notifications to members of the **TenantAdmins** (**Global admins**) group about unusual outbound email activity and blocked users due to outbound spam. For more information, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). We recommend that you use these alert policies instead of the notification options in outbound spam policies. ## Use the Microsoft 365 Defender portal to create outbound spam policies 
@@ -149,7 +149,7 @@ You can configure outbound spam policies in the Microsoft 365 Defender portal or > > - This setting is in the process of being deprecated from outbound spam policies. > - > - The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in the **Recipient Limits** section. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). + > - The default [alert policy](/purview/alert-policies) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in the **Recipient Limits** section. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). When you're finished on the **Protection settings** page, select **Next**. diff --git a/microsoft-365/security/office-365-security/outbound-spam-protection-about.md b/microsoft-365/security/office-365-security/outbound-spam-protection-about.md index 10c75467568..9f7077df678 100644 --- a/microsoft-365/security/office-365-security/outbound-spam-protection-about.md +++ b/microsoft-365/security/office-365-security/outbound-spam-protection-about.md 
@@ -37,7 +37,7 @@ This article describes the controls and notifications that are designed to help ## What admins can do to control outbound spam -- **Use built-in notifications**: When a user exceeds sending limits of [the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or [outbound spam policies](outbound-spam-policies-configure.md) and is restricted from sending email, the default alert policy named **User restricted from sending email** sends email notifications to members of the **TenantAdmins** (**Global admins**) group. To configure who else receives these notifications, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). Also, the default alert policies named **Email sending limit exceeded** and **Suspicious email sending patterns detected** send email notifications to members of the **TenantAdmins** (**Global admins**) group. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md). +- **Use built-in notifications**: When a user exceeds sending limits of [the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or [outbound spam policies](outbound-spam-policies-configure.md) and is restricted from sending email, the default alert policy named **User restricted from sending email** sends email notifications to members of the **TenantAdmins** (**Global admins**) group. To configure who else receives these notifications, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). 
Also, the default alert policies named **Email sending limit exceeded** and **Suspicious email sending patterns detected** send email notifications to members of the **TenantAdmins** (**Global admins**) group. For more information about alert policies, see [Alert policies in Microsoft 365](/purview/alert-policies). - **Review spam complaints from third-party email providers**: Many email services like Outlook.com, Yahoo, and AOL provide a feedback loop where we review our messages that are identified as spam by their users. To learn more about sender support for Outlook.com, go to . diff --git a/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md b/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md index 4c3b7d2565a..06cad65769e 100644 --- a/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md +++ b/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md 
@@ -95,9 +95,9 @@ After you secure and tag your priority users, you can use the available reports, |Feature|Description| |---|---| -|Alerts|The user tags of affected users are visible and available as filters on the **Alerts** page in the Microsoft 365 Defender portal. For more information, see [Viewing alerts](../../compliance/alert-policies.md#view-alerts).| +|Alerts|The user tags of affected users are visible and available as filters on the **Alerts** page in the Microsoft 365 Defender portal. For more information, see [Viewing alerts](/purview/alert-policies#view-alerts).| |Incidents|The user tags for all correlated alerts are visible on the **Incidents** page in the Microsoft 365 Defender portal. For more information, see [Manage incidents and alerts](mdo-sec-ops-manage-incidents-and-alerts.md).| -|Custom alert policies|You can create alert policies based on user tags in the Microsoft 365 Defender portal. For more information, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).| +|Custom alert policies|You can create alert policies based on user tags in the Microsoft 365 Defender portal. For more information, see [Alert policies in Microsoft 365](/purview/alert-policies).| |Explorer

Real-time detections|In **Explorer** (Defender for Office 365 Plan 2) or **Real-time detections** (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see [Tags in Explorer](threat-explorer-about.md#tags-in-threat-explorer).| |Email entity page|You can filter email based on applied user tags in Microsoft 365 E5 and in Defender for Office 365 Plan 1 and Plan 2. For more information, see [Email entity page](mdo-email-entity-page.md).| |Campaign Views|User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see [Campaign Views](campaigns.md).| diff --git a/microsoft-365/security/office-365-security/protect-against-threats.md b/microsoft-365/security/office-365-security/protect-against-threats.md index 331c90fbae0..45f83aff519 100644 --- a/microsoft-365/security/office-365-security/protect-against-threats.md +++ b/microsoft-365/security/office-365-security/protect-against-threats.md 
@@ -72,7 +72,7 @@ To learn more, see [Permissions in the Microsoft 365 Defender portal](mdo-portal ### Turn on audit logging for reporting and investigation -- Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To view data in threat protection reports, [email security reports](reports-email-security.md), and [Explorer](threat-explorer-about.md), audit logging must be *On*. To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). +- Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To view data in threat protection reports, [email security reports](reports-email-security.md), and [Explorer](threat-explorer-about.md), audit logging must be *On*. To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). ## Part 1 - Anti-malware protection in EOP 
@@ -199,7 +199,7 @@ For more information about the recommended settings for Safe Attachments, see [S - **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**: Turn on this setting (![Toggle on.](../../media/scc-toggle-on.png)). > [!IMPORTANT] - > **Before you turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, verify that audit logging is turned in your organization** (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). + > **Before you turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, verify that audit logging is turned in your organization** (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). - **Turn on Safe Documents for Office clients**: Turn on this setting (![Toggle on.](../../media/scc-toggle-on.png)). Note that this feature is available and meaningful only with the required types of licenses. For more information, see [Safe Documents in Microsoft 365 E5](safe-documents-in-e5-plus-security-about.md). - **Allow people to click through Protected View even if Safe Documents identified the file as malicious**: Verify this setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)). @@ -295,7 +295,7 @@ To receive notification when a file in SharePoint Online or OneDrive for Busines 6. On the **Review your settings** page, review your settings, verify **Yes, turn it on right away** is selected, and then select **Finish** -To learn more about alert policies, see [Alert policies in the Microsoft Purview compliance portal](../../compliance/alert-policies.md). +To learn more about alert policies, see [Alert policies in the Microsoft Purview compliance portal](/purview/alert-policies). > [!NOTE] > When you're finished configuring, use these links to start workload investigations: 
diff --git a/microsoft-365/security/office-365-security/quarantine-policies.md b/microsoft-365/security/office-365-security/quarantine-policies.md index 1046c0548bf..e3f0e03c972 100644 --- a/microsoft-365/security/office-365-security/quarantine-policies.md +++ b/microsoft-365/security/office-365-security/quarantine-policies.md @@ -631,7 +631,7 @@ By default, the default alert policy named **User requested to release a quarant Admins can customize the email notification recipients or create a custom alert policy for more options. -For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md). +For more information about alert policies, see [Alert policies in Microsoft 365](/purview/alert-policies). ## Appendix diff --git a/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md b/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md index be34d9271fa..f13b169483f 100644 --- a/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md +++ b/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md 
@@ -172,7 +172,7 @@ For more information about the default sending limits in the service, see [Sendi |**Restriction placed on users who reach the message limit** (_ActionWhenThresholdReached_)|**Restrict the user from sending mail until the following day** (`BlockUserForToday`)|**Restrict the user from sending mail** (`BlockUser`)|**Restrict the user from sending mail** (`BlockUser`)|| |**Automatic forwarding rules** (_AutoForwardingMode_)|**Automatic - System-controlled** (`Automatic`)|**Automatic - System-controlled** (`Automatic`)|**Automatic - System-controlled** (`Automatic`)| |**Send a copy of outbound messages that exceed these limits to these users and groups** (_BccSuspiciousOutboundMail_ and _BccSuspiciousOutboundAdditionalRecipients_)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|We have no specific recommendation for this setting.

This setting works only in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.| -|**Notify these users and groups if a sender is blocked due to sending outbound spam** (_NotifyOutboundSpam_ and _NotifyOutboundSpamRecipients_)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).| +|**Notify these users and groups if a sender is blocked due to sending outbound spam** (_NotifyOutboundSpam_ and _NotifyOutboundSpamRecipients_)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|The default [alert policy](/purview/alert-policies) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).| ### EOP anti-phishing policy settings 
diff --git a/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md b/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md index 7ce6bef48fd..f4a49da67e1 100644 --- a/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md +++ b/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md @@ -94,10 +94,10 @@ In the Microsoft 365 Defender portal at , go to ## Verify the alert settings for restricted users -The default alert policy named **User restricted from sending email** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md). +The default alert policy named **User restricted from sending email** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](/purview/alert-policies). > [!IMPORTANT] -> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md). +> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable). 1. In the Microsoft 365 Defender portal at , go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**. Or, to go directly to the **Alert policy** page, use .
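Review bot: In the quarantine-policies.md hunk (@@ -631,7 +631,7 @@), the link target changes from the repo-relative `../../compliance/alert-policies.md` to the root-absolute `/purview/alert-policies`, which the repo's relative-link validation will no longer check; confirm that `/purview/alert-policies` resolves on the published site before merging, and that the same absolute form is used for every remaining `../../compliance/alert-policies.md` reference in this docset so the two styles do not coexist.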
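Review bot: In the recommended-settings-for-eop-and-office365.md hunk (@@ -172,7 +172,7 @@), only the `[alert policy](../../compliance/alert-policies.md)` target inside the **Notify these users and groups if a sender is blocked due to sending outbound spam** row is changed; the same-folder link `removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users` in that row is correctly left relative, and the trailing `|` that closes the table cell is preserved on the `+` line. Since the row spans a multi-line table cell (the cell continues with "This setting works only in the default outbound spam policy."), it is worth rendering the table in preview once to make sure the edited cell still lays out as before.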
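Review bot: In the removing-user-from-restricted-users-portal-after-spam.md hunk (@@ -94,10 +94,10 @@), the modified `> For alerts to work, audit logging must to be turned on` line still carries the pre-existing typo "must to be"; since the line is being touched anyway, change it to "must be turned on" in the same commit. The first `+` line in this hunk also says the **User restricted from sending email** alert fires "when connectors are blocked from relaying email", while the recommended-settings hunk in this same patch says the same policy notifies admins "when users are blocked due to exceeding the limits in policy"; reconcile the two descriptions so both pages state the same trigger, and consider the new `/purview/audit-log-enable-disable` target the same cross-docset link check as the `/purview/alert-policies` change.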
