Merge branch 'master' into dcr-config

Author: amyblais

source/administration-guide/comply/compliance-export.rst

@@ -4,7 +4,7 @@ Compliance export
 .. include:: ../../_static/badges/ent-plus.rst
   :start-after: :nosearch:
 
-Mattermost Enterprise customers can archive history or transfer message data to third-party systems for auditing and compliance purposes with compliance exports. Supported integrations include `Actiance Vantage <#actiance-xml>`__, `Global Relay <#global-relay-eml>`__, and `Proofpoint <#proofpoint>`__. 
+Mattermost Enterprise customers can archive history or transfer message data to third-party systems for auditing and compliance purposes with compliance exports. Supported integrations include `Smarsh (Actiance) Vantage <#actiance-xml>`__, `Global Relay <#global-relay-eml>`__, and `Proofpoint <#proofpoint>`__. 
 
 From Mattermost v10.5, compliance exports include performance improvements for large daily data sets with changes affecting output formats, system performance, and logic. Compliance exports provide compliance teams complete information to reconstruct the state of a channel, and to determine who had visibility on an initial message, or when the message was edited or deleted. Compliance teams can track a message by its MessageId as it is edited or deleted, and across batches and exports periods.
 
@@ -23,7 +23,7 @@ Exports include information on channel member history at the time the message wa
 Set up guide
 ------------
 
-Use the following guides to configure exports for `CSV <#csv>`__, `Actiance XML <#actiance-xml>`__, `Global Relay EML <#global-relay-eml>`__, or `Proofpoint <#proofpoint>`__.
+Use the following guides to configure exports for `CSV <#csv>`__, `Smarsh / Actiance XML <#actiance-xml>`__, `Global Relay EML <#global-relay-eml>`__, or `Proofpoint <#proofpoint>`__.
 
 .. note::
 
@@ -85,8 +85,9 @@ CSV
 
    For a sample CSV output, `download a CSV export file here <https://github.com/mattermost/docs/blob/master/source/samples/csv_export.zip>`__.
 
-Actiance XML
+Actiance XML 
 ~~~~~~~~~~~~
+Actiance XML is the supported format for the 'Smarsh Vantage product <https://central.smarsh.com/s/product/vantage>`_.
 
 1. Go to **System Console > Compliance > Compliance Export**.
 2. Set **Enable Compliance Exports** to **true**.  

source/administration-guide/configure/site-configuration-settings.rst

@@ -0,0 +1,110 @@
+Enable Content Flagging
+========================
+
+.. include:: ../../../_static/badges/entry-adv.rst
+  :start-after: :nosearch:
+
+Content flagging helps prevent accidental data spillage and helps system administrators respond quickly to potential leaks without disrupting collaboration. Enabling this feature empowers Mattermost users to report messages that may contain sensitive, regulated, or inappropriate information, and enables designated content reviewers to assess and take appropriate action by removing or dismissing flagged messages.
+
+By making every team member a first line of defense against sensitive-data exposure, content flagging strengthens mission-critical, secure deployments and supports compliance with organizational and regulatory data-handling standards.
+
+Before you begin
+----------------
+
+You must be a System Admin in Mattermost. You need to identify who will be content reviewers for flagged messages, and you need to decide whether flagged messages should be hidden from users in Mattermost while under review.
+
+Enable
+-------
+
+Content flagging isn't enabled by default. To enable content flagging:
+
+1. Go to **System Console > Site Configuration > Content Flagging**. 
+2. Set **Enable content flagging** to **True**.
+
+Alternatively, you can configure content flagging via the :ref:`config.json file or through environment variables <administration-guide/configure/site-configuration-settings:content flagging>`.
+
+Configure
+---------
+
+1. Under **Content Reviewers**, define who should review flagged content:
+
+   - **Same reviewers for all teams**: Set to **True** to apply one global reviewer list across all teams, or **False** to configure reviewers per team.
+   - **Reviewers**: Start typing to search for users to assign as content reviewers.
+
+   .. important::
+
+      Choose reviewers carefully. Assigning reviewer roles grants access to potentially sensitive information and may expose data from private channels.
+
+      - A global reviewer can view flagged messages from all teams and channels, including private channels they’re not a member of.
+      - Team-specific reviewers can view flagged messages from their assigned teams, including private channels within those teams they're not members of.
+
+   - **Additional reviewers**: Optionally include:
+
+     - **System Administrators**: System admins receive flagged messages for all teams they are part of.
+     - **Team Administrators**: Team admins receive flagged messages for their respective teams.
+
+2. Under **Notification Settings**, specify who receives updates at each stage of the flagging workflow when content is flagged or reviewed:
+
+   - **Notify when content is flagged**: Reviewer(s), Author.
+   - **Notify when a reviewer is assigned**: Reviewer(s).
+   - **Notify when content is removed**: Reviewer(s), Author, Reporter.
+   - **Notify on dismissal**: Reviewer(s), Author, Reporter.
+
+   All notifications are sent via the **content-review** bot as direct messages.
+
+3. Under **Additional Settings**, configure how the flagging workflow behaves:
+
+   - **Reasons for flagging**: Define the preset categories that appear in the flagging dialog for users (for example: **Inappropriate content**, **Sensitive data**, **Security concern**, **Harassment or abuse**, **Spam or phishing**).
+   - **Require reporters to add comment**: Set to **True** to require users to add a short explanation when flagging a message.
+   - **Require reviewers to add comment**: Set to **True** to require reviewers to add a comment when resolving a flag.
+   - **Hide message from channel while it is being reviewed**: Set to **True** to automatically hide flagged messages from the channel until reviews are complete. If a root post is flagged, the entire thread is hidden.
+
+.. tip::
+   We recommend enabling **Hide message from channel while it is being reviewed** and require comments from both reporters and reviewers to maintain transparency, accountability, and an auditable record of actions.
+
+Monitor flagged messages
+------------------------
+
+When :doc:`a user flags a message </end-user-guide/collaborate/flag-messages>`, the **content-review** bot sends a direct message to all content reviewers.
+
+Direct messages from the **content-review** bot is a centralized moderation queue, where reviewers can view, assign, and act on flagged messages without leaving Mattermost. Reviewers can use it to monitor potential data spills, coordinate response, and maintain an auditable record of review activity.
+
+Each flagged message appears as a card-formatted message that includes:
+
+- **Flagged by**: The user who reported the message.
+- **Status**: The current state of the review. All flagged content starts in **Pending** status.
+- **Reason**: The reason selected by the reporter (for example, **Sensitive data**, **Inappropriate content**).
+- **Message preview**: A snippet of the flagged message, including the author, timestamp, and original channel.
+- **Reviewer**: The user currently assigned to review the message (initially **Unassigned**).
+- **Channel**: The name of the channel where the message was originally posted.
+- **Team**: The team context for the flagged message.
+- **Comment**: Any reporter-provided context.
+- **Post ID**: The system identifier for the original message for auditing purposes.
+
+Reviewers can select **View details** to take action as follows:
+
+- Assign a **Reviewer** responsible for reviewing the flagged message.
+- **Remove message**: Permanently delete the flagged message from its original channel for all users. The status of the flagged message changes to **Removed**.
+- **Keep message**: Dismiss the flag and restore the message if it was hidden. The status of the flagged message changes to **Retained**.
+- **Add a comment**: Record the reason for the decision when required.
+
+Once an action is taken, the **Status** field updates automatically. The **content-review** bot sends follow-up notifications to the reporter, author, and other reviewers based on how content flagging is configured.
+
+Deleted messages
+~~~~~~~~~~~~~~~~
+
+When a reviewer permanently removes a flagged message, the message and all associated data are deleted from the database and can't be recovered, including:
+
+- Message content and properties: The text of the message and any associated post properties.
+- File metadata: Information about files attached to the message (e.g., file names, IDs, and links to storage).
+- File metadata from edit history: Information about files attached to earlier versions of the message.
+- Edit history: All previous versions of the message and their timestamps.
+- Uploaded files: The actual files stored in Mattermost’s file storage (local, S3, etc.).
+- Priority data: Any message priority or importance settings.
+- Acknowledgements: Records of users who acknowledged the message.
+- Reminders: Any reminders created for the message.
+
+Best practice recommendations
+-----------------------------
+
+Before rolling out content flagging organization-wide, we recommend communicating that the feature protects both users and the organization from accidental data spillage. Start with a pilot team to validate reviewer notifications and workflows, integrate the process with existing data-handling or incident-response playbooks, and require reporter and reviewer comments to ensure every decision is transparent and auditable.

source/administration-guide/manage/admin/content-flagging.rst

@@ -34,6 +34,6 @@ This error occurs when:
 To resolve this error, system administrators can:
 
 - :ref:`Deactivate users <administration-guide/configure/user-management-configuration-settings:deactivate users>` to reduce the active user count below the license limit.
-- Contact `Mattermost Sales <https://mattermost.com/contact-sales/>`_ to discuss license options.
+- Contact `Mattermost Sales <https://mattermost.com/contact-sales/>`_ to request an updated license that increases the number of licensed users.
 
 `Book a live demo <https://mattermost.com/request-demo/>`_  or `talk to a Mattermost expert <https://mattermost.com/contact-sales/>`_ to explore tailored solutions for your organization's secure collaboration needs. Or try Mattermost yourself with a `1-hour preview <https://mattermost.com/sign-up/>`_ for instant access to a live sandbox environment.

source/administration-guide/manage/admin/error-codes.rst

@@ -16,6 +16,7 @@ Whether you’re setting up email notifications, optimizing search capabilities,
     Set up Mattermost Agents </administration-guide/configure/agents-admin-guide>
     Install Mattermost Boards </administration-guide/configure/install-boards>
     Manage user attributes </administration-guide/manage/admin/user-attributes>
+    Enable content flagging </administration-guide/manage/admin/content-flagging>
     Environment variables </administration-guide/configure/environment-variables>
     Customize the server </administration-guide/manage/admin/customize-branding>
     SMTP email setup </administration-guide/configure/smtp-email>

source/administration-guide/manage/admin/server-configuration.rst

@@ -19,7 +19,7 @@ Step 1: Register an application in Azure Portal
 
 1. Log in to the `Azure Portal <https://portal.azure.com/>`_ with the account that relates to the Azure Active Directory tenant where you want to register the application. You can confirm the tenant in the top right corner of the portal.
 
-2. In the left-hand navigation pane, select the **Azure Active Directory service**, then select **App registrations > New registration**.
+2. In the left-hand navigation pane, select the **Microsoft EntraID**, then toward the bottom select **Add application registrations**.
 
 3. Give your new registration a **Name**.
 
@@ -36,19 +36,27 @@ Once the App Registration has been created, you can configure it further. See th
 Step 2: Generate a new client secret in Azure Portal
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-1. In the Azure Portal, select **Certificates and Secrets** from the menu, then select the button to generate a **New Client secret**. 
+1. From the overview page of the newly created **Registered App**, select **Certificates and Secrets** from the menu, then select the button to generate a **New Client secret**. 
 
-2. Provide a description, define the expiry for the token, then select **Add**.
+.. image:: /images/AzureApp_Client_Secret_Setup.png
 
-3. In Azure Portal, select **Overview** from the menu, then copy and paste both the Application (client) ID and the Directory (tenant) ID to a temporary location. You will enter these values as an **Application ID** and as part of an **Auth Endpoint** and **Token Endpoint** URL in the Mattermost System Console.
+2. Provide a description, define the expiry for the token, then select **Add**.
 
 .. image:: /images/AzureApp_Client_Secret_Expiry.png
 
+3. Store the **value** of the new secret somewhere secure.
+
+4. In Azure Portal, select **Overview** from the menu, then copy and paste both the Application (client) ID and the Directory (tenant) ID to a temporary location. You will enter these values as an **Application ID** and as part of an **Auth Endpoint** and **Token Endpoint** URL in the Mattermost System Console.
+
 .. image:: /images/AzureApp_App_Directory_IDsv2.png
 
+5. Grant admin concent for the configured permissions under **App Registrations > <Your App> > Manage > API Permissions**
+
+.. image:: /images/AzureApp_App_Directory_Grant_Admin_Consent.png
+
+
 Step 3: Configure Mattermost for Entra ID SSO
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
 1. Log in to Mattermost, then go to **System Console > Authentication > OpenID Connect**.
 
 2. Select **Entra ID** as the service provider.

source/administration-guide/onboard/sso-entraid.rst

@@ -1,13 +1,15 @@
 Configure SAML with Microsoft Entra ID
 ========================================
 
-.. note::
+.. include:: ../../_static/badges/all-commercial.rst
+  :start-after: :nosearch:
 
-  This documentation covers configuring Entra ID for **SAML** authentication. If you need to configure Entra ID for **OpenID Connect** authentication instead, see the :doc:`Entra ID Single Sign-On </administration-guide/onboard/sso-entraid>` documentation.
+This page provides guidance on configuring SAML with Microsoft Entra ID for Mattermost. 
 
-The following process provides steps to configure SAML with Microsoft Entra ID for Mattermost.
-
-See the encryption options documentation for details on what :ref:`encryption methods <deployment-guide/encryption-options:saml encryption support>` Mattermost supports for SAML.
+.. tip::
+  
+  - Need to configure Entra ID for **OpenID Connect** authentication instead? See the :doc:`Entra ID Single Sign-On </administration-guide/onboard/sso-entraid>` documentation for details.
+  - See the encryption options documentation for details on what :ref:`encryption methods <deployment-guide/encryption-options:saml encryption support>` Mattermost supports for SAML.
 
 .. include:: sso-saml-before-you-begin.rst
 	:start-after: :nosearch: