-description: 'In this overview article, learn about the main features that come with Microsoft Defender Threat Intelligence (Defender TI).'

-# What is Microsoft Defender Threat Intelligence (Defender TI)?

-description: "Details of new Meetings insights score - people experiences Adoption Score."

-> [!Note]

-> [!NOTE]

-> We display your company name in the Microsoft 365 admin center. This is where you manage users, licenses and other features and services. We also include it in any internal SharePoint site URLs.

-3. On the **Confirmation details** page, we'll give you some more info about your subscription. You can now go to the Microsoft 365 admin center to add users, install Office apps, invite your team to use Microsoft 365 and more. We'll also send you an email with set up steps.

-||**Option 1** ΓÇô Sign in with Outlook, Hotmail, Yahoo, Gmail or other email account [(Simplified Sign-up)](#terms-of-service-update-for-simplified-sign-up-mode)|**Option 2** ΓÇô Add a business domain and create a new business email account |

-|:--|:--|:--|

-|Available apps and services <br/> |Use Word for the web, Excel for the web, PowerPoint for the web, Teams for the web and Access for the web. OneDrive and SharePoint desktop app are included. This set of apps is best for very small businesses who don't need branded email immediately, or who already use branded email from a different provider and do not intend to switch to use Microsoft Exchange. YouΓÇÖll use Outlook with your existing email account (be it outlook.com, Hotmail, Yahoo, Gmail or other). <br/> |Use Word for the web, Excel for the web, PowerPoint for the web, Teams for the web and Access for the web. OneDrive and SharePoint desktop app are included. Microsoft 365 Business Basic with Option 2 also lets you access a wide range of additional

-|Required knowledge <br/> |LetΓÇÖs you get started without technical know-how. <br/> |Requires you to buy a domain, or to own a domain. You may need technical knowledge to prove ownership of the domain. <br/> |

-|Data handling <br/> |Available under the Supplement to the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180702) and is best for businesses that want some remote work and collaboration tools and are comfortable with Microsoft acting as controller for your data under the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=521839). Subscribers to services using this option will not have access to an individualΓÇÖs user content or data until a domain is attached. Subscribers should evaluate data ownership and intellectual property rights considerations based on their needs. For example, if you are working collaboratively with other users on a document stored in their account, they may choose to make those documents inaccessible to you. As such, you should evaluate data ownership and intellectual property rights considerations accordingly. Separately, users may choose not to transfer documents in their Simplified Sign-Up account to your Domain Account subscription, even after you invite them to do so. This means their documents may also not be accessible to you even if you add a domain account later <br/> |Available under the [Microsoft Online Subscription Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180430) and is best for businesses that need Microsoft to act as a processor for their data under Microsoft's [Data Protection Addendum](https://go.microsoft.com/fwlink/p/?linkid=2180314) and need our full suite of remote work and collaboration tools. Subscribers who are in regulated industries or seek more control, both over the use of the services by your employees and over processing of related data by Microsoft, should choose Option 2 and attach a domain and sign up under the Domain Account enterprise-level agreement. <br/> |

-Remember this option doesn't provide branded email, admin control for use of the services by other users, or industry specific compliance support. Subscribers don't have any access or control over other usersΓÇÖ (employees) usage or documents under this option Users may choose not to transfer data created in storage such as OneDrive/Teams to your upgraded, enterprise-level domain account should you not choose option 2 immediately.

-With this option, youΓÇÖll be able to use Microsoft 365 Exchange as your professional, branded email provider. All your users will have a shared domain email address. For example, their username, followed by @contoso.com. You and your users sign into Microsoft 365 with this new email address. When you follow this process (add a domain and create new business email accounts), youΓÇÖll get access to all the features provided in Microsoft 365 Business Basic. For steps on how to buy or add a domain, see [Set up Microsoft 365 Business Basic](../setup/setup-business-basic.md).

-Should you choose not to accept the updated terms for Simplified Sign Up or to add a business domain, your subscription will not automatically renew, and at the end of your current subscription contract, you will lose access to the Office apps. Your OneDrive data will be retained for 90 days for you to make copies of it, and then it will be deleted.

-If you choose to use a domain you already own, you can use it for your email address with Microsoft 365. As part of sign up process, we ask you to verify the domain so you can send emails via Microsoft 365. This confirms that you are the owner of the domain that is sending emails with that identity, which enhances security and prevents fraudulent activity.

-> Provide your staff a link to the [Employee quick setup guide](../admin/setup/employee-quick-setup.md) for help signing in, getting Office apps, and saving, copying, and sharing files.

- **No Office apps in your plan?** Follow the steps below, but skip the sections for installing apps. Use the [Online versions of Office](https://support.microsoft.com/office/91a4ec74-67fe-4a84-a268-f6bdf3da1804) instead.

-|Install Office apps onto your computer. <br/><br/> |When you sign in, the home page has a link to download and install apps like Word and Outlook. Select **Install Office**. For instructions, see [How to install Office](https://support.microsoft.com/office/4414eaaf-0478-48be-9c42-23adc4716658). <br/> |

-|Set up your email in Outlook 2016 . <br/> |Once Office apps are installed on your computer, set up your email. For instructions, see [How to set up Outlook](https://support.microsoft.com/office/6e27792a-9267-4aa4-8bb6-c84ef146101b). <br/> |

-Now that you're protected by the Microsoft 365 Business Premium Office apps, your next mission is to set up secure file sharing and communication. The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it. Your organization depends on protecting your data and information, which means that you want to protect your files by all means possible.

-description: "Learn about the various device states in the Device actions list in Admin home in Microsoft 365 for business."

-# Device states in Microsoft 365 for business

-This article applies to Microsoft 365 Business Premium.

-> [!NOTE]

-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../security/defender-business/mdb-overview.md).

-Devices in the **Device actions** list (Admin home \> **Device actions**) can have the following states.

-

-

-|**Status**|**Description**|

-|:--|:--|

-|Managed by Intune |Managed by Microsoft 365 Business Premium. |

-|Retire pending |Microsoft 365 Business Premium is getting ready to remove company data from the device. |

-|Retire in progress |Microsoft 365 Business Premium is currently removing company data from the device. |

-|Retire failed | Remove company data action failed. |

-|Retire canceled |Retire action was canceled. |

-|Wipe pending |Waiting for factory reset to start. |

-|Wipe in progress |Factory reset has been issued. |

-|Wipe failed |Couldn't do factory reset. |

-|Wipe canceled |Factory wipe was canceled. |

-|Unhealthy |An action is pending (or in progress), but the device hasn't checked in for 30+ days. |

-|Delete pending |Delete action is pending. |

-|Discovered |Microsoft 365 Business Premium has detected the device. |

-

-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)

-# Install Office apps on all devices

-Okay, you've set up Microsoft 365 Business Premium, and now you can require users to install individual Office applications on their Mac, PC, or mobile devices. This is something your users should do to be part of the front lines and help protect the org against attack.

-## Watch: Install Office apps

-For all members of the organization, the Microsoft Office apps can be found on the **Start** menu. If you don't see them, each user must install them.

-3. The Office apps are installed. The process might take several minutes. When it completes, select **Close**.

-Use the following instructions to install Office on an iPhone or an Android phone. After you follow these steps, your work files created in Office apps will be protected by Microsoft 365 for business.

-The example is for Outlook, but applies to any other Office apps you want to install.

-Watch a short video on how to set up Office apps on iOS devices with Microsoft 365 for business.<br><br>

-|Require a PIN or fingerprint to access Office apps | Require PIN to access <br/> This also sets: <br/> **Allow simple PIN** to **Yes** <br/> **Pin Length** to 4 <br/> **Allow fingerprint instead of PIN** to **Yes** <br/> **Disable app PIN when device PIN is managed** to **No** |

-|Require users to sign in again after Office apps have been idle for (this is disabled if PIN isn't required) | Recheck the access requirements after (minutes) <br/> This also sets: <br/> **Timeout** is set to minutes <br/> This is same number of minutes you set in Microsoft 365 Business. <br/> **Offline grace period** is set to 720 minutes by default |

-|Allow users to copy content from Office apps into personal apps | Restrict cut, copy, and paste with other apps <br/> If the Microsoft 365 Business Premium option is set to **On**, then these three options are also set to **All Apps** in Intune: <br/> **Allow app to transfer data to other apps** <br/> **Allow app to receive data from other apps** <br/> **Restrict cut, copy, and paste with other apps** <br/> If the Microsoft 365 Business option is set to **On**, then all the Intune options are set to: <br/> **Allow app to transfer data to other apps** is set to **Policy managed apps** <br/> **Allow app to receive data from other apps** is set to **All Apps** <br/> **Restrict cut, copy, and paste with other apps** is set to **Policy Managed apps with Paste-In** |

-Proceed to [install Office applications](m365bp-install-office-apps.md).

-description: "Learn how to automatically install the 32-bit Office apps on Windows computers and keep them updated in Microsoft 365 Business Premium."

-# Prepare to automatically install Office apps to client computers

-Use Microsoft 365 Business Premium to automatically install the 32-bit Office apps on Windows computers and keep them current with updates.

-|Existing Click-to-Run 32-bit version of Office and Click-to-Run 32-bit or 64-bit standalone Office apps (for example, Visio, Project) |None |Standalone apps aren't affected. Suite is upgraded to Click-to-Run 32-bit version of Office 2016 |

-|Existing Click-to-Run 32-bit version of Office and any 32-bit or 64-bit (except 2016) MSI standalone Office apps |None |Standalone apps aren't affected. Suite is upgraded to Click-to-Run 32-bit version of Office 2016 |

-|Any existing Click-to-Run 64-bit version of Office |Uninstall the 64-bit Office apps, if it's OK to replace them with 32-bit Office apps |If Office 64-bit apps are removed, the Click-to-Run 32-bit version of Office 2016 is installed |

-|Existing MSI install of Office 2013 (or earlier) and/or standalone Office apps |None |Click-to-Run 32-bit version of Office 2016 with the pre-existing MSI Office install (and standalone apps) exist side-by-side |

-Use admin accounts only for Microsoft 365 administration. Admins should have a separate user account for their regular use of Office apps, and only use their administrative account when necessary to manage accounts and devices, and while working on other admin functions. It's also a good idea to remove the Microsoft 365 license from your admin accounts so you don't have to pay for extra licenses.

-Sensitivity labels are available in Office apps (such as Outlook, Word, Excel, and PowerPoint). Examples of labels include:

-> After you have added users, give them a link to the [Employee quick setup guide](../admin/setup/employee-quick-setup.md). The guide walks them through signing in, getting Office apps, and saving, copying, and sharing files.

- - Protection for productivity apps, such as [SharePoint](/sharepoint/introduction), [OneDrive](/onedrive/one-drive-quickstart-small-business), [Office apps](/deployoffice/about-microsoft-365-apps), and [Microsoft Teams](/microsoftteams/teams-overview).

- - Choose if you'd like to enable classifiers. Classifiers can detect inappropriate language and images sent or received in the body of email messages or other types of text. You can choose the following built-in classifiers: *Threat*, *Profanity*, *Targeted harassment*, *Adult images*, *Racy images*, and *Gory images*.

-[Built-in trainable and global classifiers](/microsoft-365/compliance/classifier-learn-about) scan sent or received messages across all communication channels in your organization for different types of compliance issues. Classifiers use a combination of artificial intelligence and keywords to identify language in messages likely to violate anti-harassment policies.

-Communication compliance uses built-in trainable and global classifiers to scan communications for terms, images, and sentiment for the following types of language and content:

-description: "This article describes the steps to create and configure the required Azure resources and then provides the steps for setting up Customer Key."

-You can control whether sensitive files protected by your policies can be uploaded to specific service domains from Microsoft Edge.

-If the list mode is set to **Block**, then user won't be able to upload sensitive items to those domains. When an upload action is blocked because an item matches a DLP policy, DLP will either generate a warning or block the upload of the sensitive item.

-If the list mode is set to **Allow**, then users will be able to upload sensitive items ***only*** to those domains, and upload access to all other domains isn't allowed.

-Use the FQDN format of the service domain without the ending `.`

-Investigating risky user activities is an important first step in minimizing insider risks for your organization. These risks may be activities that generate alerts from insider risk management policies, or risks from activities that are detected by policies but don't immediately create an insider risk management alert for users. You can investigate these types of activities by using the **User activity reports (preview)** or with the **Alert dashboard**.

-## User activity reports (preview)

-#### Configure forensic evidence (optional)

-See the [Get started with insider risk management forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure) article for step-by-step guidance to configure forensic evidence for your organization.

-Having visual context is crucial for security teams during forensic investigations to get better insights into potentially risky security-related user activities. With customizable event triggers and built-in user privacy protection controls, Forensic evidence enables customizable visual activity capturing across devices to help your organization better mitigate, understand, and respond to potential data risks like unauthorized data exfiltration of sensitive data. You set the right policies for your organization, including what risky events are the highest priority for capturing forensic evidence, what data is most sensitive, and whether users are notified when forensic capturing is activated. Forensic evidence capturing is off by default and policy creation requires dual authorization.

-Quickly investigate all activities for a selected user with [User activity reports (preview)](insider-risk-management-activities.md#user-activity-reports-preview). These reports allow investigators in your organization to examine activities for specific users for a defined time period without having to assign them temporarily or explicitly to an insider risk management policy. After examining activities for a user, investigators can dismiss individual activities as benign, share or email a link to the report with other investigators, or choose to assign the user temporarily or explicitly to an insider risk management policy.

-description: Whether it be adding new solutions to the compliance center, updating existing features based on your feedback, or rolling out fresh and updated documentation, Microsoft 365 helps you stay on top of the ever-changing compliance landscape. Find out what we've been up to this month.

-Whether it be adding new solutions to the [Microsoft Purview compliance portal](microsoft-365-compliance-center.md), updating existing features based on your feedback, or rolling out fresh and updated documentation, Microsoft 365 helps you stay on top of the ever-changing compliance landscape. Take a look below to see whatΓÇÖs new in Microsoft Purview today.

-### Data Loss Prevention

-## April 2022

-### Communication compliance

-### Compliance Manager

-### Compliance offerings & service assurance

-### Data lifecycle management and records management

-### Data Loss Prevention

- - [Learn about endpoint DLP](endpoint-dlp-learn-about.md)

- - [Configure endpoint data loss prevention settings](dlp-configure-endpoint-settings.md)

- - [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md)

- - [Data Loss Prevention policy reference](dlp-policy-reference.md)

- - [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)

-### Device Onboarding

- - [Onboard macOS devices in to Microsoft 365 overview](device-onboarding-macos-overview.md)

- - [Onboard and offboard macOS devices into Compliance solutions using Intune for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-intune-mde.md)

- - [Onboard and offboard macOS devices into Microsoft Purview solutions using Intune](device-onboarding-offboarding-macos-intune.md)

- - [Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-jamfpro-mde.md)

- - [Onboard and offboard macOS devices into Microsoft Purview solutions using JAMF Pro](device-onboarding-offboarding-macos-jamfpro.md)

-### Information barriers

-### Microsoft Priva

- - [Privacy Risk Management policies](/privacy/priva/risk-management-policies) - added significant details about policy setup and management that apply to all policies; added links to new pages for each of the three policy types.

- - [Data overexposure policies](/privacy/priva/risk-management-policy-data-overexposure) - articulates the need and uses for the policy; explains default settings for out-of-box creation and detailed instructions for customizing settings.

- - [Data transfer policies](/privacy/priva/risk-management-policy-data-transfer) - highlights new condition for the policy to detect transfers outside of the org; articulates the need and uses for the policy; explains default settings for out-of-box creation and detailed instructions for customizing settings.

- - [Data minimization policies](/privacy/priva/risk-management-policy-data-minimization) - articulates the need and uses for the policy; explains default settings for out-of-box creation and detailed instructions for customizing settings.

- - [Investigate and remediate alerts](/privacy/priva/risk-management-alerts) - added clarifying details and formatting changes to improve readability.

- - [User notifications](/privacy/priva/risk-management-notifications) - added info on the functionality for previewing and customizing email notification content.

-### Sensitive Information Types

-### Sensitivity labels

-## March 2022

-### Communication compliance

-### Compliance Manager

-### Data classification

-### Data lifecycle management and records management

-### Data Loss Prevention

-### Information protection

-### Insider risk management

-### Microsoft Priva

-### Sensitivity labels

- - Support for shared channels, currently in preview. If a team has any shared channels, they automatically inherit sensitivity label settings from their parent team, and that label can't be removed or replaced with a different label.

- - Support for templates, previously listed as [not supported with Teams Graph APIs and PowerShell cmdlets]( /microsoftteams/sensitivity-labels#limitations).

-description: Learn about scenarios you can easily implement for the frontline workers in your organization with these downloadable posters.

-Use these scenario overviews to start envisioning what your organization can do with Microsoft 365 for frontline workers, then follow the links to find out how to implement these scenarios. You can download these posters in PDF or Visio format and customize them for your organization.

-|State | Mode| Numeric value |

-|:|:|:|

-| AuditMode | = Audit Mode | 2 |

-| Enabled | = Block mode | 1 |

-| Disabled | = Off | 0 |d

-```powershell

-Set-MpPreference -EnableNetworkProtection Enabled

-```

-| [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) | All of the Defender for Endpoint Plan 1 capabilities, plus:<ul><li>[Device discovery](device-discovery.md)</li><li>[Device inventory](machines-view-overview.md)</li><li>[Core Defender Vulnerability Management capabilities](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md)</li><li>[Threat Analytics](threat-analytics.md)</li><li>[Automated investigation and response](automated-investigations.md)</li><li>[Advanced hunting](advanced-hunting-overview.md)</li><li>[Endpoint detection and response](overview-endpoint-detection-response.md)</li><li>[Microsoft Threat Experts](microsoft-threat-experts.md)</li><li>Support for [Windows](configure-endpoints.md) (client and server) and [non-Windows platforms](configure-endpoints-non-windows.md) (macOS, iOS, Android, and Linux)</li></ul> |

-1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**.

-2. In the **Group Policy Management Editor** go to **Computer configuration**.

-3. Click **Administrative templates**.

-7. Click **OK**.

-Use the following cmdlet to enable the feature. You'll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:

-4. You can choose to configure additional settings if you wish.

-You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy.

-4. Click **OK**.

-3. Navigate through the nested menus to **SOFTWARE** \> **Policies** \> **Microsoft** \> **Windows Defender** \> **Windows Defender Exploit Guard** \> **Network Protection**.

-3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Windows Defender Exploit Guard** \> **Network protection**.

- - In Settings page, select Use configuration designer and add **WebProtection** as the key and value type as **Boolean**.

-After installation, the `HTTPS_PROXY` environment variable must be defined in the Defender for Endpoint service file. To do this, run `sudo systemctl edit --full mdatp.service`.

-> Red Hat Enterprise Linux 6.X and CentOS 6.X don't support **systemctl**. To configure statuc proxy for MDE, use **mdatp config proxy set --value http://address:port**. This method works for all other Linux distributions as well.

-> To enable the **Allow installation of devices that match any of these device instance IDs** policy setting to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting.

- - For 6.10: 2.6.32.754.2.1.el6.x86_64 to 2.6.32-754.47.1:

- > The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: 'BF102A79626C88FE58B5BE3034640835F96F54230292486716D72F515875966C'

-> - The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from the above link is: '6FEB44EF2D9FEB8C8093A016FAB2B5F3ED580931008066BF134E8B1E04CAB222'

-The image and the table below lists the changes in navigation between Microsoft Defender for Cloud Apps and Microsoft 365 Defender.

-> [!NOTE]

-> Some pages have not yet been migrated and should be accessed from the Defender for Cloud Apps portal.

-> :::image type="content" source="../../media/defender-cloud-apps-m365-defender.png" alt-text="The new locations in the Microsoft 365 Defender portal" lightbox="../../media/defender-cloud-apps-m365-defender.png":::

-| Files | remaining in Defender for Cloud Apps portal |

-| Security configuration | remaining in Defender for Cloud Apps portal |

-| Connected apps | remaining in Defender for Cloud Apps portal |

-> [!NOTE]

-> The new Defender for Cloud Apps experience in the Microsoft 365 Defender portal is currently available for all users detailed in [Manage admin access](/defender-cloud-apps/manage-admins), except for:

->

-> - **App/Instance admin**, **User group admin**, **Cloud Discovery global admin**, and **Cloud Discovery report admin**, as defined in [Built-in admin roles in Defender for Cloud Apps](/defender-cloud-apps/manage-admins#built-in-admin-roles-in-defender-for-cloud-apps).

-> - User privacy groups as defined in [Activity privacy](/defender-cloud-apps/activity-privacy)

-description: Admins can learn how to allow or block emails and spoofed sender entries in the Tenant Allow/Block List in the Security portal.

-# Allow or block emails using the Tenant Allow/Block List

-> Microsoft does not allow you to create allow entries directly as it leads to creation of allows that are not needed, thus exposing the customer's tenant to malicious emails which might otherwise have been filtered by the system.

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP offers multiple ways of blocking email from unwanted senders. These options include Outlook Blocked Senders, blocked sender lists or blocked domain lists in anti-spam policies, Exchange mail flow rules (also known as transport rules), and the IP Block List (connection filtering). Collectively, you can think of these options as _blocked sender lists_.

-The best method to block senders varies on the scope of impact. For a single user, the right solution could be Outlook Blocked Senders. For many users, one of the other options would be more appropriate. The following options are ranked by both impact scope and breadth. The list goes from narrow to broad, but _read the specifics_ for full recommendations.

-1. Outlook Blocked Senders (the Blocked Senders list that's stored in each mailbox)

-2. Blocked sender lists or blocked domain lists (anti-spam policies)

-3. Mail flow rules

-4. The IP Block List (connection filtering)

-> While you can use organization-wide block settings to address false negatives (missed spam), you should also submit those messages to Microsoft for analysis. Managing false negatives by using block lists significantly increases your administrative overhead. If you use block lists to deflect missed spam, you need to keep the topic [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md) at the ready.

-In contrast, you also have several options to always allow email from specific sources using _safe sender lists_. For more information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md).

-If you need to block messages that are sent to specific users or across the entire organization, you can use mail flow rules. Mail flow rules are more flexible than block sender lists or blocked sender domain lists because they can also look for keywords or other properties in the unwanted messages.

-> It's easy to create rules that are _overly_ aggressive, so it's important that you identify only the messages you want to block using very specific criteria. Also, be sure to enable auditing on the rule and test the results of the rule to ensure everything works as expected.

-If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, EOP offers multiple ways of ensuring that users will receive email from trusted senders. These options include Exchange mail flow rules (also known as transport rules), Outlook Safe Senders, the IP Allow List (connection filtering), and allowed sender lists or allowed domain lists in anti-spam policies. Collectively, you can think of these options as _safe sender lists_.

-1. Mail flow rules

-2. Outlook Safe Senders

-3. IP Allow List (connection filtering)

-4. Allowed sender lists or allowed domain lists (anti-spam policies)

-Mail flow rules allow the most flexibility to ensure that only the right messages are allowed. Allowed sender and allowed domain lists in anti-spam policies aren't as secure as the IP Allow List, because the sender's email domain is easily spoofed. But, the IP Allow List also presents a risk, because email from _any_ domain that's sent from that IP address will bypass spam filtering.

-> - Messages that are identified as malware or high confidence phishing are always quarantined, regardless of the safe sender list option that you use. For more information, see [Secure by default in Office 365](secure-by-default.md).

-> - Be careful to closely monitor _any_ exceptions that you make to spam filtering using safe sender lists.

->

-> - While you can use safe sender lists to help with false positives (good email marked as bad), you should consider the use of safe sender lists as a temporary solution that should be avoided if possible. We don't recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks. If you insist on using safe sender lists to manage false positives, you need to be vigilant and keep the topic [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md) at the ready.

->

-> - To allow a domain to send unauthenticated email (bypass anti-spoofing protection) but not bypass anti-spam and other protections, you can use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](manage-tenant-allow-block-list.md).

->

-> - EOP and Outlook inspect different message properties to determine the sender of the message. For more information, see the [Considerations for bulk email](#considerations-for-bulk-email) section later in this article.

-In contrast, you also have several options to block email from specific sources using _blocked sender lists_. For more information, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md).

-## (Recommended) Use mail flow rules

- - **IP Allow List**: Specify the source IP address or address range in the connection filter policy.

-> This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the user's Safe Senders or Safe Domains lists don't prevent malware or high confidence phishing messages from being filtered.

-Instead of an organizational setting, users or admins can add the sender email addresses to the Safe Senders list in the mailbox. For instructions, see [Configure junk email settings on Exchange Online mailboxes in Office 365](configure-junk-email-settings-on-exo-mailboxes.md). This method is not desirable in most situations since senders will bypass parts of the filtering stack. Although you trust the sender, the sender can still be compromised and send malicious content. Itt's better when you let our filters check every message and then [report the false positive/negative to Microsoft](report-junk-email-messages-to-microsoft.md) if we got it wrong. Bypassing the filtering stack also interferes with [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).

-If you can't use mail flow rules as previously described, the next best option is to add the source email server or servers to the IP Allow List in the connection filter policy. For details, see [Configure connection filtering in EOP](configure-the-connection-filter-policy.md).

-> [!CAUTION]

-> Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the IP Allow List doesn't prevent malware or high confidence phishing messages from being filtered.

-The least desirable option is to use the allowed sender list or allowed domain list in anti-spam policies. You should avoid this option _if at all possible_ because senders bypass all spam, spoof, and phishing protection, and sender authentication (SPF, DKIM, DMARC). This method is best used for temporary testing only. The detailed steps can be found in [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md) topic.

-The maximum limit for these lists is approximately 1000 entries; although, you will only be able to enter 30 entries into the portal. You must use PowerShell to add more than 30 entries.

-> - This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the allowed senders or allowed domains lists don't prevent malware or high confidence phishing messages from being filtered.

-> - Do not use domains you own (also known as accepted domains) or popular domains (for example, microsoft.com) in allowed domain lists.

-For example, suppose that Blue Yonder Airlines has hired Margie's Travel to send out its email advertising. The message you receive in your Inbox has the following properties:

-Safe sender lists and safe domain lists in anti-spam policies in EOP inspect only the `5322.From` addresses, this is similar to Outlook Safe Senders that uses the `5322.From` address.

-> Microsoft manage the allow creation process from Submission by creating allows for those entities (domains or email addresses, spoofed senders, URLs, files) which were determined to be malicious by filters during mail flow. For example, if the sender and a URL in the message were determined to be bad, an allow entry is created for the sender, and an allow entry is created for the URL.

-Note that with **allow expiry management** (currently in private preview), if Microsoft has not learned from the allow, Microsoft will automatically extend the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again. If Microsoft does not learn within 90 calendar days from the date of allow creation, Microsoft will remove the allow.

-If Microsoft has learned from the allow, the allow will be removed and you will get an alert informing you about it.