+ Title: "Configure authentication for Microsoft 365 support integration with ServiceNow"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Tier2

+- scotvorg

+- M365-subscription-management

+- Adm_TOC

+search.appverid:

+- MET150

+description: "Scoped Certified application installation and configuration guide for ServiceNow."

+# Configure authentication for Microsoft 365 support integration with ServiceNow

+## Prerequisites

+These prerequisite steps are required to set up Microsoft 365 support integration.

+### Azure Active Directory administrator

+1. \[AAD Admin\] Create Azure AD Application for Outbound under your Microsoft 365 tenant.

+ 1. Log on to the Azure Portal with your Microsoft 365 tenant credentials and go to the [App registrations page](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) to create a new application.

+ 2. Select **Accounts in this organizational directory only ({Microsoft-365-tenant-name} only ΓÇô Single tenant)** and select **Register**.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image3.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image3.png" alt-text="Select Register.":::

+1. Go to **Authentication** and select **Add a platform**. Select the **Web** option and enter the redirect URL: `https://{your-servicenow-instance``}.service-now.com/oauth_redirect.do`

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image4.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image4.png" alt-text="Select Add a platform and the redirect URL.":::

+1. Get the **Application Client ID** and create a Client secret and get that value.

+1. \[ServiceNow Admin\] Set up the Outbound OAuth Provider in ServiceNow.

+ If the scope is not set to **Global**, go to **Settings** > **Developer** > **Applications** and switch to **Global**.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image5.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image5.png" alt-text="Switch to Global.":::

+1. Go to **System OAuth** > **Application Registry**.

+1. Create a new application by using the **Connect to a third party OAuth Provider** option and entering these values:

+ - Client ID: This is the Client ID of the application created in step \#1.

+ - Client Secret: This is the Client Secret value of the application created in step \#3.

+ - Default Grant type: Client Credentials

+ - Token URL: `https://login.microsoftonline.com/{microsoft-365-tenant-name}/oauth2/token`

+ - Redirect URL: `https://{service-now-instance-name``}.service-now.com/auth_redirect.do`

+### \[OPTIONAL\] Allow the serviceΓÇÖs IP addresses to Microsoft 365 support integration

+If your company is limiting internet access with your own policies, enable network access for the service of Microsoft 365 support integration by allowing the IP addresses below for both inbound and outbound API access:

+- 52.149.152.32

+- 40.83.232.243

+- 40.83.114.39

+- 13.76.138.31

+- 13.79.229.170

+- 20.105.151.142

+> [!NOTE]

+> This terminal command lists all active IPs of the service for Microsoft 365 support integration: `nslookup`` connector.rave.microsoft.com`

+## Configure the Microsoft 365 support integration application

+These steps are required to set up the integration between your ServiceNow instance and Microsoft 365 support.

+To open the Microsoft 365 support integration setup wizard, type **Microsoft 365** in the ServiceNow navigator and select **Setup**.

+### Steps performed by a ServiceNow administrator

+1. Switch the scope to Microsoft 365 support integration.

+

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image9.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image9.png" alt-text="Switch the Application to Microsoft 365 support integration.":::

+1. Go to Microsoft 365 Support > **Setup** to open the integration workflow.

+ > [!NOTE]

+ > If you see the error "Read operation against 'oauth_entity' from scope 'x_mioms_m365_assis' has been refused due to the table’s cross-scope access policy," it was caused by your table access policy. You must make sure **All application scopes > Can read** is checked for the table oauth_entity.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image10.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image10.png" alt-text="Make sure All application scopes is selected.":::

+1. Select **Agree** to continue.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-updates-agree.png" lightbox="../../media/ServiceNow-guide/servicenow-updates-agree.png" alt-text="Select Agree.":::

+1. Configure the environment and start the setup.

+ If this installation is on a test environment, select the option **This is a test environment**. You can disable this option after the setup and your tests are completed later.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-wizard-start-setup.png" lightbox="../../media/ServiceNow-guide/servicenow-wizard-start-setup.png" alt-text="Start setup.":::

+1. Enter your Microsoft 365 tenant domain.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-updates-enterdomain.png" lightbox="../../media/ServiceNow-guide/servicenow-updates-enterdomain.png" alt-text="Enter tenant domain.":::

+1. Configure authentication settings.

+ 1. Register the Azure Active Directory (AAD) app.

+ 1. After completing the instructions in the prerequisites section, select **Done**. Otherwise, follow the instructions in the wizard to create the necessary application registration in AAD.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-updates-configureauthsettings.png" lightbox="../../media/ServiceNow-guide/servicenow-updates-configureauthsettings.png" alt-text="Register the AAD app.":::

+ 1. Register the ServiceNow OAuth app.

+ 1. After completing the instructions in the prerequisites section, select the newly created OAuth application registration and select **Next**. Otherwise, follow the instructions to create the entity in ServiceNow, and then select the new application registration.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-updates-authsettingsnext.png" lightbox="../../media/ServiceNow-guide/servicenow-updates-authsettingsnext.png" alt-text="Register the ServiceNow OAuth app.":::

+### Steps performed by a Microsoft 365 administrator in the Microsoft 365 admin portal

+> [!NOTE]

+> Do not select **Test setup** before the Microsoft 365 administrator finishes performing the next steps.

+

+Verify that the following information is correct.

+

+> [!NOTE]

+> The following steps configure the Microsoft 365 support integration for ServiceNow application version 2.0.0 and later. If you've installed version 1.0.11 or earlier, you can't configure a new installation of the application.

+1. Configure the support integration settings:

+ Select the **Basic information** tab > **Internal support tool** > **ServiceNow**, and enter the **Outbound App ID** value in the **Application ID to issue Auth Token** field. This **Outbound App ID** is on Step 6 – Complete the Integration, which was created in [Prerequisite step #1](#prerequisites).

+

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image18.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image18.png" alt-text="Configure support integration settings.":::

+ - On the **Repositories** tab, select **New repository** and update it with the following settings:

+ If you have version 1.0.11 or earlier installed, you must upgrade the application to version 2.0.0 or later.

+

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-updates-editrepository.png" lightbox="../../media/ServiceNow-guide/servicenow-updates-editrepository.png" alt-text="Update the new repository.":::

+ - Repository: The **Repository ID** value from Step 6 – Complete the Integration, which was created in [Prerequisite step #1](#prerequisites).

+ Endpoint: The **Endpoint** value from Step 6 – Complete the Integration, which was created in [Prerequisite step #1](#prerequisites).

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-updates-addlsettings.png" lightbox="../../media/ServiceNow-guide/servicenow-updates-addlsettings.png" alt-text="Complete the integration by setting Repository and Endpoint.":::

+1. Select **Save**.

+### Steps performed in ServiceNow by a ServiceNow administrator.

+A ServiceNow administrator tests the connection and completes the setup.

+- To complete the setup, go back to your ServiceNow instance and select **Test setup**.

+## Test setup

+The Microsoft 365 support integration app executes tests to make sure the integration is working. If there's a problem with the configuration, an error message explains what needs to be fixed. Otherwise, the application is ready.

+## Enable Microsoft support integration for an existing user

+Microsoft 365 support integration is enabled for the user with one of these roles:

+- x_mioms_m365_assis.insights_user

+- x_mioms_m365_assis.administrator

+### \[OPTIONAL\] [The user with role x_mioms_m365_assis.administrator link] Link Microsoft 365 Admin account

+If any user has the role x_mioms_m365_assis.administrator and is using different Microsoft 365 accounts to manage a Microsoft 365 support case, they must set up their Microsoft 365 admin email by going to Microsoft 365 support > **Link Account**.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-servicehealth1.png" alt-text="ServiceNow Health Incidents description field.":::

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-recommendedsol2.png" alt-text="ServiceNow Recommended solutions description field.":::

+- Microsoft service request: Escalate issues to Microsoft support agents and receive status updates for your case.

+ :::image type="content" source="../../media/ServiceNow-guide/servicenow-overview-service-request.png" alt-text="ServiceNow service request form.":::

+- Azure Active Directory (AAD) admin who can create AAD applications

+- Create ServiceNow entities with Microsoft AAD application for both outbound and inbound data flow.

+## What features will work for your organization based on your configuration?

+Before setting up any configuration for Microsoft 365 support integration, review your answers to these questions:

+**Question \#1**: Does your ServiceNow environment allow Basic Authentication (access with ServiceNow user credential) for inbound webservice calls?

+**Question \#2**: If you have multiple tenants, do you plan to use a single tenant integrated with your ServiceNow environment for Microsoft 365 support integration?

+Depending on your answers to the questions above, this table tells you what features are available and how to set up Microsoft 365 support integration. For a description of each feature, see [Microsoft 365 support integration](https://store.servicenow.com/sn_appstore_store.do#!/store/application/6d05c93f1b7784507ddd4227cc4bcb9f).

+| **Question \#1 Answer** | **Question \#2 Answer** | **What features are available?** | **Configuration** |Steps

+|||--|-|

+| Yes | Yes/No | Service Health Incidents Recommended Solutions Microsoft service request | [Set up Microsoft 365 support integration with ServiceNow Basic Authentication](servicenow-basic-authentication-v1.md) |

+| No | Yes | Service Health Incidents Recommended Solutions Microsoft service request | [Set up Microsoft 365 support integration with AAD OAuth Token](servicenow-aad-oauth-token-v1.md) |

+| No | No | Service Health Incidents Recommended Solutions | [Set up Microsoft 365 support integration for Insights ONLY] |

+[Configure Microsoft 365 support integration with Azure AD Auth Token](servicenow-aad-oauth-token-v1.md)

+The following article applies to the Microsoft 365 support integration app with a minimum version of **2.0.0**.

+For version 1.0.11 and earlier, see [Microsoft 365 support integration overview v1](../manage/servicenow-overview-v1.md).

+Microsoft 365 support integration enables you to integrate Microsoft 365 help, support, and service health with your ServiceNow instances. You can research Microsoft known and reported issues, resolve incidents, complete tasks by using Microsoft recommended solutions, and, if necessary, escalate to Microsoft human-assisted support.

+For the Microsoft 365 support integration app, go to the [ServiceNow Store](https://store.servicenow.com/sn_appstore_store.do#!/store/application/6d05c93f1b7784507ddd4227cc4bcb9f).

+## Key features

+These are the key features you'll get with the Microsoft 365 support integration app in ServiceNow:

+- Service Health Incidents: Information about known Microsoft service health incidents, including user impact, scope, status, and next expected update. Using machine learning, ServiceNow incidents are matched to Microsoft service health incidents based on the short description field.

+To proceed with this guide, make sure that the following permissions are available and configured for your environments during the entire process:

+To set up Microsoft 365 support integration:

+- Register application in Microsoft Azure Active Directory (AAD) for authentication of both outbound and inbound API calls.

+After the Microsoft 365 support integration app has been installed, two application cross-scope accesses are created. If they're not created successfully, create them manually.

+After you've downloaded the app, go to the Microsoft 365 setup wizard in your ServiceNow environment to complete the setup process.

+To open the setup wizard, type **Microsoft 365** in the ServiceNow navigator and select **Setup**.

+- If you want to get started without setting up the Microsoft 365 support integration app, you can select the option to **Continue without any setup**. This option continues to provide basic recommended solutions.

+- To set up the application with full functionality, select **Start setup**, and then follow the instructions in [Integrate Microsoft 365 with ServiceNow Virtual Agent](../manage/servicenow-virtual-agent-integration.md).

+> The Microsoft 365 support integration app occasionally prompts users for feedback about the app. If you donΓÇÖt want users to be prompted for feedback, turn off this functionality in the app settings. For more information about Microsoft feedback policies, see [Learn about Microsoft feedback for your organization](../misc/feedback-user-control.md). To change the feedback settings, follow the steps in the installation process.

+However, if the label contains trainable classifiers as a label condition:

+- When the label conditions contain just trainable classifiers, you won't see the option to automatically create an auto-labeling policy.

+- When the label conditions contain trainable classifiers and sensitivity info types, an auto-labeling policy will be created for just the sensitive info types.

+- **Content Explorer Content Viewer** role group, and **Information Protection** and **Information Protection Investigators** role groups let you see the file's contents.

+This role lets users create, edit, and delete review set tags for cases they can access. Users will need to at least have the *Review* role and this role to [manage tags](/microsoft-365/compliance/tagging-documents#creating-and-applying-tags) during reviews.

+You can also apply a retention label to a list item, folder, or document set, and you can set a [default retention label for a document library](#applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set). Lists aren't supported in the SharePoint classic experience.

+### Sensitivity labels

+- **General availability (GA)**: Trainable classifiers for [auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange). Trainable classifiers are now available for both auto-labeling for Office apps that use label settings (known as client-side auto-labeling) and auto-labeling policies (known as service-side auto-labeling). As a result, trainable classifiers are removed from the [comparison table](apply-sensitivity-label-automatically.md#compare-auto-labeling-for-office-apps-with-auto-labeling-policies) that lists only the differences between the two auto-labeling methods.

+- If you need to, you can now [disable co-authoring for your tenant by using PowerShell](sensitivity-labels-coauthoring.md#if-you-need-to-disable-this-feature).

+> You can use the Microsoft Defender for Endpoint app along with the Approved Client app and Compliant Device (Require device to be marked as compliant) controls in Azure AD Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while setting up Conditional Access. Although Microsoft Defender for Endpoint on Android & iOS (App ID - dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it is able to report device security posture in both these grant permissions. This permission enables the flow for compliance information to Conditional Access.

+>[!NOTE]

+>The date and time for Defender Antivirus mode is currently not available.

+Network Protection on Microsoft Defender for Endpoint is now generally available. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users will also see a guided experience to connect to secure networks and change networks when they are connected to an unsecure connection.

+- Mobile phones and tablets running Android 8.0 and above. **Mobile phones running Android go and other mobile devices running Android are not currently supported.**

+- iOS device running iOS 14.0 and above. iPads are also supported.

+|Microsoft Defender Vulnerability Management (MDVM) |Vulnerability assessment of onboarded mobile devices. Visit this [page](next-gen-threat-and-vuln-mgt.md) to learn more about Microsoft Defender Vulnerability Management in Microsoft Defender for Endpoint. *Note that on iOS, vulnerability assessment of apps is in preview.*|

+|Network Protection | Protection against rogue Wi-Fi related threats and rogue certificates; ability to allow list the root CA and private root CA certificates in Intune; establish trust with endpoints.|

+defaults write com.microsoft.autoupdate2 ChannelName -string Preview

+Defender Experts for XDR augments your SOC with a combination of automation and MicrosoftΓÇÖs security analyst expertise to help you detect and respond to threats with confidence and improve your security posture. With deep product expertise powered by threat intelligence, weΓÇÖre uniquely positioned to help you:

+- **Stay ahead of emerging threats** - Our experts proactively hunt for emerging threats in your environment, informed by unparalleled threat intelligence and visibility.

+- **Proactive threat hunting** - [Microsoft Defender Experts for Hunting](../defender/defender-experts-for-hunting.md) is built-in to extend your teamΓÇÖs threat hunting capabilities and prioritize significant threats

+- **Live dashboards and reports** - Transparent view of our operations on your behalf and noise free, actionable view into what matters for you coupled with detailed analytics

+- Microsoft Defender for Endpoint P2 must be licensed for devices and users in scope for the preview and Microsoft Defender Antivirus-enabled in active mode and devices onboarded to Defender for Endpoint (required for endpoint detection and response capabilities).

+- Azure Active Directory Premium P1 must be licensed for all users and enabled (required for enabling secure service provider access).

+This service is available worldwide for our customers in our commercial public clouds. We're gradually expanding the preview to more customers. If youΓÇÖre interested to learn more, reach out to your Microsoft account team.

+| **What actions can XDR experts take during incident investigation?** | Our expert analysts can take actions based on the roles granted to them in your Microsoft 365 Defender portal. If our analysts are granted a security reader role, they can investigate and provide guided response for your SOC team to act on. If our analysts are granted a security operator role, they can also take specific remediation actions agreed upon with your SOC team. And finally, if they are granted a security administrator role, they can take higher privilege actions like managing certain settings as agreed upon with you. |

+| **Can Defender Experts for XDR help with an active compromise or vulnerability?** | No, Defender Experts do not provide Incident Response services currently. Contact your Microsoft representative to engage Microsoft Detection and Response Team (DART) for incident response assistance |

+| **How can my organization participate in the Defender Experts for XDR preview?** |We're gradually expanding the preview to more customers. Please contact your Microsoft representative to access the preview.|

+keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Microsoft Defender Experts for hunting, threat hunting and analysis, Microsoft XDR service

+Here's a list of the different Microsoft 365 Defender products and solutions:

+- [**Microsoft Defender for Endpoint**](../defender-endpoint/microsoft-defender-endpoint.md)

+- [**Microsoft Defender for Office 365**](../office-365-security/microsoft-defender-for-office-365-product-overview.md)

+- [**Microsoft Defender for Identity**](/defender-for-identity/what-is)

+- [**Microsoft Defender for Cloud Apps**](/defender-cloud-apps/what-is-defender-for-cloud-apps)

+- [**Microsoft Defender Vulnerability Management**](../defender-vulnerability-management/defender-vulnerability-management.md)

+- [**Azure Active Directory Identity Protection**](/azure/active-directory/identity-protection/overview-identity-protection)

+- [**Microsoft Data Loss Prevention**](/microsoft-365/compliance/dlp-learn-about-dlp)

+- [**App Governance**](/defender-cloud-apps/app-governance-manage-app-governance)

+Note that Azure Active Directory Identity Protection (AAD IP) is in public preview and may be substantially modified before it's commercially released. AAD IP is available to customers only if they already have Microsoft 365 Defender.

+With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.

+|[Investigation](../office-365-security/office-365-air.md#the-overall-flow-of-air) |Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.|

+## Run initial Defender readiness checks

+Through a combination of automation and human expertise, our service triages Microsoft 365 Defender incidents, prioritize them on your behalf, filters out the noise, carries out detailed investigations, and provides detailed guided response to your security operations center (SOC) teams. Alternatively, our analysts can also take a response step on your behalf.

+You'll receive detailed response playbooks via emails. You'll also be able to filter Microsoft 365 Defender portal incident view using _Defender Experts_ tags to see the current state of incidents that Defender Experts are actively investigating, or incidents that require customer action. Our analysts will also add relevant comments in Microsoft 365 Defender portalΓÇÖs **Comments & history** section so you and your SOC analysts can track the investigation progress.

+Response recommendations include, but are not limited to:

+Defender Experts for XDR also includes proactive threat hunting offered by [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md). Defender Experts for hunting was created for customers who have a robust security operations center but want Microsoft to help them proactively hunt threats using Microsoft Defender data. This proactive threat hunting service goes beyond the endpoint to hunt across endpoints, Office 365, cloud applications, and identity. Our experts will investigate anything they find, then hand off the contextual alert information along with remediation instructions, so you can quickly respond.

+- The email analysis creates queries (clusters) of emails using attributes from the original email ΓÇô sender values (IP address, sender domain) and contents (subject, cluster ID) in order to find emails that might be related.

+- Email clustering analysis counts the threats associated with the similar emails in the cluster to determine whether the emails are malicious, suspicious, or have no clear threats. If the cluster of emails matching the query has a sufficient amount of spam, normal phish, high confidence phish or malware threats, the email cluster gets that threat type applied to it.

+- The email clustering analysis also checks the latest delivery location of the original email and emails in the email clusters to help identify if the emails potentially still need removal or have already been remediated or prevented. This analysis is important because attackers morph malicious content plus security policies and protection may vary between mailboxes. This capability leads to situations where malicious content may still sit in mailboxes, even though one or more malicious emails have been prevented or detected and removed by zero-hour auto purge (ZAP).

+- Email clusters that are considered malicious due to malware, high confidence phish, malicious files, or malicious URL threats will get a pending action to soft delete the emails when the emails are still in the cloud mailbox (inbox or junk folder). If malicious emails or email clusters are only "Not In Mailbox" (blocked, quarantined, failed, soft deleted, etc.) or "On-premises/External" with none in the cloud mailbox, then no pending action will be set up to remove them.

+- If any of the email clusters are determined to be malicious, then the threat identified by the cluster will get applied back to the original email involved in the investigation. This behavior is similar to a security operations analyst using email hunting results to determine the verdict of an original email based on similar emails. This result ensures that regardless of whether an original email's URLs, files, or source email indicators are detected or not, the system can identify malicious emails that are potentially evading detection through personalization, morphing, evasion, or other attacker techniques.

+During the email clustering analysis, all clustering queries will ignore security mailboxes set up as Security Operations mailboxes in the Advanced Delivery policy. Similarly, the email clustering queries will ignore phish simulation (education) messages that are configured in the Advanced Delivery policy. Neither the SecOps nor the PhishEdu exclusion values are shown in the query to keep the clustering attributes simple and easy to read. This exclusion ensures that threat intelligence and operational mailboxes (SecOps mailboxes) and the phish simulations (PhishEdu) are ignored during threat analysis and do not get removed during any remediation.

+For email or email clusters in the **Entities** tab of an investigation, **Prevented** means that there was no malicious emails in the mailbox for this item (mail or cluster). Here is an example.

+3. During and after an automated investigation, [details and results](air-view-investigation-results.md) are available to view. Results might include [recommended actions](air-remediation-actions.md) that can be taken to respond to and remediate any existing threats that were found.

+Note: If the investigation does not result in recommended actions the automated investigation will close and the details of what was reviewed as part of the automated investigation will still be available on the investigation page.

+|Email messages containing malicious file removed after delivery|**Informational**|This alert is generated when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).|

+|Email messages containing malicious URL removed after delivery|**Informational**|This alert is generated when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).|

+|Admin triggered manual investigation of email|**Informational**|This alert is generated when an admin triggers the manual investigation of an email from Threat Explorer. This alert notifies your organization that the investigation was started.|

+|Admin triggered user compromise investigation|**Medium**|This alert is generated when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. This alert notifies your organization that the user compromise investigation was started.|

+- [Get started using AIR](office-365-air.md)

+- [View pending or completed remediation actions](air-review-approve-pending-completed-actions.md)

+ > It might take up to 24 hours for all restrictions to be removed from the user.