Merge branch 'main' into M365-Endpoints

Author: dstrome

.github/workflows/M365Endpoints.yml

@@ -0,0 +1,167 @@
+name: (Scheduled) Stale branch removal
+
+permissions:
+  contents: write
+
+on:
+  # Commenting out schedule in MAX-CPUB-Test because it's actually running and impacting the production repo. If the workflow needs to be updated here
+  # and put into production, remove this comment and uncomment the schedule.
+  #schedule:
+  #- cron: "0 */6 * * *"
+
+  workflow_dispatch:
+
+
+jobs:
+
+    stale-branch:
+        name: Removal stale branches
+        runs-on: ubuntu-latest
+        steps:  
+          - name: Process branches
+            shell: pwsh
+            env: 
+                SkipBranchList: '[
+                        "live",
+                        "main",
+                        "repo_sync_working_branch",
+                        "asdf"
+                    ]'
+                PayloadJson: ${{ toJSON(github) }}
+                AccessToken: ${{ secrets.GITHUB_TOKEN }}
+            run: |
+
+                # Get GitHub data
+                $GitHubData = $env:PayloadJson | ConvertFrom-Json -Depth 50
+                $AccessToken = $env:AccessToken
+                $SkipBranchList = $env:SkipBranchList | ConvertFrom-Json
+
+
+                # WARNING - Setting $MaxAheadDefault to anything other than 0 means that the workflow will delete branches with changes not in default branch. 
+                # !!! > 0 WILL RESULT IN DATA LOSS !!!
+                $MaxAheadDefault = 0   # This is the maximum number of commits a branch can be ahead of default branch.
+                $AllowDataLoss = $False # This flag must be set to $True to allow branches with commits not in default branch to be deleted.
+                # !!! > 0 WILL RESULT IN DATA LOSS !!!
+
+                $MaxDaysBehind = 90
+                $DateLimit = (Get-Date).AddDays(-$MaxDaysBehind)
+
+                # Create github HTTP authentication header
+                $UserAgent = "officedocs"
+                $GitHubHeaders = @{}
+                $GitHubHeaders.Add("Authorization","token $($AccessToken)")
+                $GitHubHeaders.Add("User-Agent", $UserAgent)
+
+                $RepoUrl = $GitHubData.event.repository.url
+                $RepoData = Invoke-RestMethod -Headers $GitHubHeaders -Uri $RepoUrl -Method GET
+
+                $BranchesUrl = $RepoData.branches_url.Replace("{/branch}", "")
+
+                $DefaultBranch = $RepoData.default_branch
+                $SyncBranch = "repo-sync-working-branch"
+                $CompareUrl = $RepoData.compare_url.Replace("{base}...{head}", "$DefaultBranch...")
+            
+                $Branches = Invoke-RestMethod -Headers $GitHubHeaders -Uri $BranchesUrl  -Method GET -FollowRelLink -MaximumFollowRelLink 50 -ResponseHeadersVariable ResponseHeaders
+
+                $ReportBranchList = @()
+                
+                ForEach ($Page in $Branches) {
+
+                    ForEach ($Branch in $Page) {
+
+                        $AheadBy = $BehindBy = $LastCommitDate = $CompareData = $Null
+                        $ProtectedBranch = $True
+
+                        $BranchName = $Branch.name
+                        $CommitsUrl = $RepoData.commits_url.Replace("{/sha}", "?sha=$BranchName&per_page=1&page=1")
+
+                        Write-Host "`nBranch name: $BranchName"
+
+                        If ($SkipBranchList -contains $BranchName) {
+                            Write-Host "      Skipped. Branch is on the branch skip list."
+                            continue
+                        }
+
+                        # $BranchData = Invoke-RestMethod -Headers $GitHubHeaders -Uri "$branchesurl/$BranchName" -Method GET -ResponseHeadersVariable ResponseHeaders
+                        # $ProtectedBranch = $BranchData.protected
+                        $ProtectedBranch = $Branch.protected
+
+                        Write-Host "   Protected: $ProtectedBranch."
+
+                        If ($ProtectedBranch) {
+                            Write-Host "      Skipped. Branch is protected."
+                            continue
+                        }
+
+                        $LastCommitDate = (Invoke-RestMethod -Headers $GitHubHeaders -uri $CommitsUrl).commit.committer.date
+
+                        Write-Host "   Last commit date: $LastCommitDate."
+
+                        If ($LastCommitDate -ge $DateLimit) {
+                            Write-Host "      Skipped. Last commit date is after $DateLimit."
+                            continue
+                        }
+
+                        $CompareData = Invoke-RestMethod -Headers $GitHubHeaders -Uri "$CompareUrl$BranchName" -Method GET -ResponseHeadersVariable ResponseHeaders
+
+                        $BehindBy = $CompareData.behind_by
+                        $AheadBy = $CompareData.ahead_by
+
+                        Write-Host "   Ahead of $DefaultBranch by: $AheadBy `n   Behind by: $BehindBy."
+
+                        If ($AheadBy -gt $MaxAheadDefault) {
+                            Write-Host "      Skipped. Branch exceeds `"ahead by`" limit of $MaxAheadDefault."
+
+                            $ReportBranchList += ">>> Branch watch list <<< $BranchName exceeds maximum age but has outstanding commits that exceed maximum Ahead By limit. Branch protected: $ProtectedBranch. Ahead by: $AheadBy. Behind by $BehindBy. Days since last commit: $($($(Get-Date) - $LastCommitDate).Days)."
+
+                            continue
+                        }
+
+
+                        If ($AheadBy -eq 0) {
+                        
+                            Write-Host "      Delete branch $BranchName"
+
+                            $BranchDeleteUrl = $RepoData.url + "/git/refs/heads/$BranchName"
+                            Invoke-RestMethod -Headers $GitHubHeaders -Uri $BranchDeleteUrl -Method DELETE -ResponseHeadersVariable ResponseHeaders | Out-Null
+
+                            $ReportBranchList += "$BranchName deleted. Branch protected: $ProtectedBranch. Ahead by: $AheadBy. Behind by $BehindBy. Days since last commit: $($($(Get-Date) - $LastCommitDate).Days). "
+
+                            $DeleteBranchCount++
+
+                        } Else {
+                        
+                            If ($AllowDataLoss) {
+                            
+                                Write-Host "      Delete branch $BranchName with data loss"
+
+                                $ReportBranchList += "!!! DATA LOSS !!! $BranchName deleted. Branch protected: $ProtectedBranch. Ahead by: $AheadBy. Behind by $BehindBy. Days since last commit: $($($(Get-Date) - $LastCommitDate).Days). "
+
+                                $DeleteBranchCount++
+                            
+                            } Else {
+                            
+                                Write-Host "      Branch $BranchName was marked for deletion with data loss but data loss flag is disabled."
+
+                                $ReportBranchList += "*** DATA LOSS BLOCKED *** $BranchName was marked for deletion with data loss but the data loss flag is disabled. Branch protected: $ProtectedBranch. Ahead by: $AheadBy. Behind by $BehindBy. Days since last commit: $($($(Get-Date) - $LastCommitDate).Days)."
+                            
+                            }
+                        
+                        }
+   
+
+                        
+                    }
+
+
+                }
+
+                Write-Host "`n`n`n"
+
+                $ReportBranchList = $ReportBranchList | Sort-Object
+
+                ForEach ($Item in $ReportBranchList) {
+                    
+                    Write-Host $Item
+
+                }

.github/workflows/StaleBranch-Test.yml

@@ -0,0 +1,24 @@
+---
+author: MandiOhlinger
+ms.author: mandia
+manager: laurawi
+ms.reviewer: cabailey
+ms.service: microsoft-365-copilot
+ms.topic: include
+description: Create default Microsoft Purview sensitivity labels for Microsoft 365 Copilot.
+ms.date: 03/06/2025
+---
+
+1. Sign into the [Microsoft Purview portal](https://purview.microsoft.com/) as an admin in one of the groups listed at [Sensitivity labels - permissions](/purview/get-started-with-sensitivity-labels#permissions-required-to-create-and-manage-sensitivity-labels).
+
+2. Select **Solutions** > **DSPM for AI** > **Overview**.
+3. In the **Recommendations** section, select **Information Protection Policy for Sensitivity Labels**. This step creates the default labels and their policies.
+4. To see or edit the default labels, or to create your own labels, select **Information protection** > **Sensitivity labels**. You might have to select **Refresh**.
+
+When you have the default sensitivity labels:
+
+- The labels help protect your data and can affect Copilot results.
+- Your users can start manually applying published labels to their files and emails.
+- Admins can start creating policies and configuring features that automatically apply labels to files and emails.
+
+At any time, you can create your own sensitivity labels. To learn more, see [Create and configure sensitivity labels and their policies](/purview/create-sensitivity-labels).

copilot/includes/copilot-e5-e3-create-default-sensitivity-labels.md

@@ -0,0 +1,28 @@
+---
+author: MandiOhlinger
+ms.author: mandia
+manager: laurawi
+ms.reviewer: cabailey
+ms.service: microsoft-365-copilot
+ms.topic: include
+description: Enable and configure sensitivity labels for containers that affect Microsoft 365 Copilot.
+ms.date: 03/06/2025
+---
+
+Instead, the label settings can restrict access to the container. This restriction provides an extra layer of security when you use Copilot. If a user can't access the site or workspace, Copilot can't access it on behalf of that user.
+
+For example, you can set the privacy setting to **Private**, which restricts site access to only approved members in your organization. When the label is applied to the site, it replaces any previous setting and locks the site for as long as the label is applied. This feature is a more secure setting than letting anybody access the site and allowing users to change the setting. When only approved members can access the data, it helps prevent oversharing of data that Copilot might access.
+
+To configure any label settings for groups and sites, you must enable this feature in your tenant and then synchronize your labels. This configuration is a one-time configuration and uses PowerShell. To learn more, see [How to enable sensitivity labels for containers and synchronize labels](/purview/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels).
+
+You can then edit your sensitivity labels, or create new sensitivity labels specifically for groups and sites:
+
+1. For the sensitivity label scope, select **Groups & sites**. Remember, you must have already run the PowerShell commands. If you didn't, you can't select this scope.
+
+    To learn more, see [How to enable sensitivity labels for containers and synchronize labels](/purview/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels).
+
+2. Select the groupings of settings to configure. Some of the settings have backend dependencies before they can be enforced, like Conditional Access that must be already configured. The privacy setting, which is included in **Privacy and external user access settings**, doesn't have any backend dependencies.
+
+3. Configure the settings you want to use and save your changes.
+
+For more information, including details of all the available label settings that you can configure for groups and sites, see [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites).

copilot/includes/copilot-e5-e3-enable-sensitivity-labels-containers.md

@@ -6,7 +6,7 @@ f1.keywords:
 ms.author: mandia
 author: MandiOhlinger
 manager: laurawi
-ms.date: 01/15/2025
+ms.date: 03/06/2025
 ms.reviewer: cabailey, ruihu
 audience: Admin
 ms.topic: get-started
@@ -149,7 +149,13 @@ To learn more, see:
 
 - [Create and configure sensitivity labels and their policies](/purview/create-sensitivity-labels)
 
-#### 2. Publish your labels and educate your users
+#### 2. Enable and configure sensitivity labels for containers
+
+You can apply sensitivity labels to containers, like Microsoft Teams or SharePoint sites, and Microsoft Loop workspaces. Items in a container don't inherit the sensitivity label.
+
+[!INCLUDE [copilot-e5-e3-enable-sensitivity-labels-containers](./includes/copilot-e5-e3-enable-sensitivity-labels-containers.md)]
+
+#### 3. Publish your labels and educate your users
 
 1. Add your labels to a publishing policy. When they're published, users can manually apply the labels in their Office apps. The publishing policies also have settings that you need to consider, like a default label and requiring users to label their data.
 
@@ -163,11 +169,11 @@ To learn more, see:
 
 3. Monitor your labels. Select **Information protection** > **Reports**. You can see the usage of your labels.
 
-#### 3. Enable sensitivity labels for files in SharePoint and OneDrive
+#### 4. Enable sensitivity labels for files in SharePoint and OneDrive
 
 [!INCLUDE [copilot-e5-e3-enable-sensitivity-labels-sharepoint-onedrive](./includes/copilot-e5-e3-enable-sensitivity-labels-sharepoint-onedrive.md)]
 
-#### 4. Apply a sensitivity label to your SharePoint document libraries
+#### 5. Apply a sensitivity label to your SharePoint document libraries
 
 You can use a sensitivity label on your SharePoint document libraries, and make this label the default label that applies to all document libraries. This configuration is appropriate when your document libraries store files with the same level of sensitivity.
 

copilot/microsoft-365-copilot-e3-guide.md

@@ -6,7 +6,7 @@ f1.keywords:
 ms.author: mandia
 author: MandiOhlinger
 manager: laurawi
-ms.date: 01/15/2025
+ms.date: 03/06/2025
 ms.reviewer: cabailey, ruihu
 audience: Admin
 ms.topic: get-started
@@ -163,37 +163,13 @@ To learn more about sensitivity labels, see:
 
 #### 1. Create the default sensitivity labels
 
-1. Sign into the [Microsoft Purview portal](https://purview.microsoft.com/) as an admin in one of the groups listed at [Sensitivity labels - permissions](/purview/get-started-with-sensitivity-labels#permissions-required-to-create-and-manage-sensitivity-labels).
-
-2. Select **Solutions** > **DSPM for AI** > **Overview**.
-3. In the **Recommendations** section, select **Information Protection Policy for Sensitivity Labels**. This step creates the default labels and their policies.
-4. To see or edit the default labels, or to create your own labels, select **Information protection** > **Sensitivity labels**. You might have to select **Refresh**.
-
-When you have the default sensitivity labels:
-
-- The labels help protect your data and can affect Copilot results.
-- Your users can start manually applying published labels to their files and emails.
-- Admins can start creating policies and configuring features that automatically apply labels to files and emails.
+[!INCLUDE [copilot-e5-e3-create-default-sensitivity-labels](./includes/copilot-e5-e3-create-default-sensitivity-labels.md)]
 
 #### 2. Enable and configure sensitivity labels for containers
 
-The default sensitivity labels don't include settings for groups and sites, which let you apply a sensitivity label to a SharePoint or Teams site, or Microsoft Loop workspace. Items in the container don't inherit the sensitivity label. Instead, the label settings can restrict access to the container. This restriction provides an extra layer of security when you use Copilot. If a user can't access the site or workspace, Copilot can't access it on behalf of that user.
-
-For example, you can set the privacy setting to **Private**, which restricts site access to only approved members in your organization. When the label is applied to the site, it replaces any previous setting and locks the site for as long as the label is applied. This feature is a more secure setting than letting anybody access the site and allowing users to change the setting. When only approved members can access the data, it helps prevent oversharing of data that Copilot might access.
-
-To configure any label settings for groups and sites, you must enable this capability for your tenant and then synchronize your labels. This configuration is a one-time configuration. To learn more, see [How to enable sensitivity labels for containers and synchronize labels](/purview/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels).
-
-You can then edit your sensitivity labels, or create new sensitivity labels specifically for groups and sites:
-
-1. For the sensitivity label scope, select **Groups & sites**. Remember, you must have already run the PowerShell commands. If you didn't, you can't select this scope.
-
-    To learn more, see [How to enable sensitivity labels for containers and synchronize labels](/purview/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels).
-
-2. Select the groupings of settings to configure. Some of the settings have backend dependencies before they can be enforced, like Conditional Access that must be already configured. The privacy setting, which is included in **Privacy and external user access settings**, doesn't have any backend dependencies.
-
-3. Configure the settings you want to use and save your changes.
+The default sensitivity labels don't include settings for groups and sites, which let you apply a sensitivity label to a SharePoint or Teams site, or Microsoft Loop workspace. Items in a container don't inherit the sensitivity label.
 
-For more information, including details of all the available label settings that you can configure for groups and sites, see [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites).
+[!INCLUDE [copilot-e5-e3-enable-sensitivity-labels-containers](./includes/copilot-e5-e3-enable-sensitivity-labels-containers.md)]
 
 #### 3. Publish your labels and educate your users