+This article only applies to commercial customers who buy or activate products or services directly from Microsoft.

+Unless you're using [S/MIME for Outlook](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook), encryption that's applied by sensitivity labels to documents, emails, and meeting invites all use the Azure Rights Management service (Azure RMS) from Azure Information Protection. This protection solution uses encryption, identity, and authorization policies. To learn more, see [What is Azure Rights Management?](/azure/information-protection/what-is-azure-rms) from the Azure Information Protection documentation.

+For example, a user types **@contoso.com** (or **contoso.com**) and grants read access. Because Contoso Corporation owns the contoso.com domain, all users in that domain and all other domains that the organization owns in Azure Active Directory will be granted read access.

+> [!NOTE]

+> When you specify these values, don't surround them with quotation marks.

+It's important to let users know that access isn't restricted to just the users in the domain specified. For example, **@sales.contoso.com** wouldn't restrict access to users in just the sales subdomain, but also grant access to users in the marketing.contoso.com domain, and even users with a disjoint namespace in the same Azure Active Directory tenant.

+> [!NOTE]

+> Data outside of the selected range may be included if the user was previously included in an alert.

+User activity data is available for reporting approximately 48 hours after the activity occurred. For example, to review user activity data for December 1st, you'll need to make sure at least 48 hours have elapsed before creating the report (you'd create a report on December 3rd at the earliest).

+Role-based access control (RBAC) grants access to resources or information based on user roles. Access to customer tenant data and settings in Lighthouse is restricted to specific roles from the Cloud Solution Provider (CSP) program. To set up RBAC roles in Lighthouse, we recommend using granular delegated admin privileges (GDAP) to implement granular assignments for users. Delegated admin privileges (DAP) is still required for the tenant to onboard successfully, but GDAP-only customers will soon be able to onboard without a dependency on DAP. GDAP permissions take precedence when DAP and GDAP coexist for a customer.

+MSP technicians may also access Lighthouse by using Admin Agent or Helpdesk Agent roles via delegated admin privileges (DAP).

+## Delegated admin privileges (DAP)

+## Granular delegated admin privileges (GDAP)

+Either granular delegated admin privileges (GDAP) plus an indirect reseller relationship or a delegated admin privileges (DAP) relationship is required to onboard customers to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups. Customers with GDAP-only relationships (without indirect reseller relationships) currently can't onboard to Lighthouse, but will be able to onboard in a future release.<br><br>

+Delegated access to customer tenants is required for Managed Service Providers (MSPs) to use Microsoft 365 Lighthouse. Granular delegated admin privileges (GDAP) give MSPs a high level of control and flexibility by providing customer access through [Azure Active Directory (Azure AD) built-in roles](/azure/active-directory/roles/permissions-reference). Assigning the least privileged roles by task through GDAP to MSP technicians reduces security risk for both MSPs and customers. For more information on least privileged roles by task, see [Least-privileged roles - Partner Center](/partner-center/gdap-least-privileged-roles-by-task) and [Least privileged roles by task in Azure Active Directory](/azure/active-directory/roles/delegate-by-task). For more information on setting up a GDAP relationship with a customer tenant, see [Obtain granular admin permissions to manage a customer's service - Partner Center.](/partner-center/gdap-obtain-admin-permissions-to-manage-customer)

+## Delegated admin privileges (DAP) in Lighthouse

+| Partner tenant member who meets *both* of the following requirements: <ul><li>Has at least one Azure AD role assigned with the following property set:<br>**microsoft.office365.serviceHealth/allEntities/allTasks**<br>(For a complete list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).)</li><li>Has at least one DAP role assigned (Admin Agent or Helpdesk Agent)</li></ul> | View service health information. |

+ > Either granular delegated admin privileges (GDAP) or a delegated admin privileges (DAP) relationship is required to onboard customers to Lighthouse. An indirect reseller relationship is no longer required to onboard to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups.

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to set up granular delegated admin privileges (GDAP) for your customers."

+You can now set up all your customers with granular delegated admin privileges (GDAP) through Microsoft 365 Lighthouse, regardless of their licenses or size. Lighthouse lets you quickly transition your organization to GDAP and begin the journey to least-privilege for your delegated access to customers. By setting up your organization with GDAP for the customer tenants you manage, users in your organization have the permissions necessary to do their work while keeping customer tenants secure.

+- Filter tenants by status, delegated admin privilege (DAP), and tags.

+Either granular delegated admin privileges (GDAP) plus an indirect reseller relationship or a delegated admin privileges (DAP) relationship is required to onboard customers to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups. Coming soon, customers with GDAP-only relationships (without indirect reseller relationships) will be able to onboard to Lighthouse.<br><br>

+### Capability to set up granular delegated admin privileges (GDAP)

+You can now establish GDAP relationships with multiple reseller customers at once from within Microsoft 365 Lighthouse and assign users in the partner tenant to security groups with various roles and levels of permissions. To do this, you'll create reusable templates based on tiers of support for your customers and for various groups of technicians. You'll see recommended roles for each tier of support during this process. Once created, these templates can then be reapplied as needed to new customers. This functionality allows you to quickly establish GDAP with your customers by using a least-privileged approach for users as a replacement for delegated admin privileges (DAP).

+We've changed our onboarding requirements to allow you to onboard Microsoft 365 E5 customers to Microsoft 365 Lighthouse. The expanded list of licenses that Microsoft 365 Lighthouse supports for onboarding includes Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Microsoft Defender for Business, and Windows 365 for Business. Customers who have at least one of any of these licenses, meet the requirements for delegated access privileges, and don't exceed the maximum number of licensed users can be managed in Microsoft 365 Lighthouse.

+We've updated the **Tenants** page to list the Managed Service Provider (MSP)'s delegated access type (None, DAP, GDAP, or Both DAP & GDAP) per customer under the **Delegated access** column. We've also added a new column titled **Your roles** that lists the DAP and GDAP roles per customer for a signed-in user. These two enhancements to the **Tenants** page will make it easier for MSP technicians to understand which types of delegated admin privileges are available for each customer and which delegated roles have explicitly been granted to them.

+### Granular delegated admin privileges (GDAP) roles

+Microsoft 365 Lighthouse now includes the capability for MSPs to use granular delegated admin privileges (GDAP) roles. With the latest update, MSPs can leverage GDAP by assigning roles to their technicians to enforce the principle of least privilege access in Microsoft 365 Lighthouse. This capability reduces the risks inherent in the broad permissions of the delegated admin privileges (DAP) role of the Admin Agent by enabling granular controls on the customers' data and settings that each technician will be able to work with.

+We've changed our onboarding requirements to allow existing customer tenants with advisor relationships to be onboarded to Microsoft 365 Lighthouse. Customers with both reseller and advisor contracts are now eligible to be in Microsoft 365 Lighthouse if they meet the requirements for delegated access privileges, have the required licenses, and don't exceed the maximum user count.

+Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management software information'

+Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management software information'

+Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management software information'

+Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management software information'

+ Title: Microsoft Defender Antivirus security intelligence and product updates

+# Microsoft Defender Antivirus security intelligence and product updates

+Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (also called the *Microsoft Advanced Protection Service*, or MAPS) and periodically downloads dynamic security intelligence updates to provide more protection. These dynamic updates don't take the place of regular security intelligence updates via security intelligence update KB2267602.

+Microsoft Defender Antivirus requires monthly updates (KB4052623) known as *platform updates*.

+- [Microsoft Configuration Manager](/configmgr/sum/understand/software-updates-introduction)

+- The usual methods you use to deploy Microsoft and Windows updates to endpoints in your network.

+> - If you're looking for a list of Microsoft Defender processes, **[download the mde-urls workbook](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaef).

+After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).

+- **Security and Critical Updates servicing phase** - When running the latest platform version, you're eligible to receive both Security and Critical updates to the anti-malware platform.

+\* Technical support continues to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.

+|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power that 's especially useful for mobile devices and virtual machines. |

+| [Microsoft Defender for Endpoint update for EDR Sensor](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac) | You can update the EDR sensor (MsSense.exe) that's included in the new Microsoft Defender for Endpoint unified solution package released in 2021. |

+ Title: Microsoft Defender Antivirus updates - Previous versions for technical upgrade support

+description: Understand the type of technical support offered for previous versions of Microsoft Defender Antivirus

+keywords: minimum requirements, licensing, comparison table

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier1

+search.appverid: met150

+# Microsoft Defender Antivirus updates - Previous versions for technical upgrade support only

+Microsoft regularly releases [security intelligence updates and product updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md). It's important to keep Microsoft Defender Antivirus up to date. When a new package version is released, support for the previous two versions is reduced to technical support only. Versions that are older than the previous two versions are listed in this article and are provided for technical upgrade support only.

+## September-2022 (Platform: 4.18.2209.7 | Engine: 1.1.19700.3)

+- Security intelligence update version: **1.377.8.0**

+- Release date: **October 10, 2022**

+- Platform: **4.18.2209.7**

+- Engine: **1.1.19700.3**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improved processing of Defender fallback order on Server SKU

+- Fixed Defender updates during OOBE process

+- Fixed Trusted Installer security descriptor vulnerability

+- Fixed [Microsoft Defender Antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md) visibility

+- Fixed output of fallback order of the PowerShell cmdlet

+- Fixed Defender Platform update failure on Server Core 2019 SKUs

+- Improved hardening support for Defender disablement configurations on Server SKUs

+- Improved Defender configuration logics for [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) on servers

+- Improved WARN mode for [ASR rule](attack-surface-reduction-rules-reference.md)

+- Improved certificate handling of OSX

+- Improved logging for scanning FilesStash location

+- Beginning with platform version 4.18.2208.0 and later: If a server has been [onboarded to Microsoft Defender for Endpoint](onboard-configure.md#onboard-devices-to-the-service), the "Turn off Windows Defender" [group policy setting](configure-endpoints-gp.md#update-endpoint-protection-configuration) will no longer completely disable Windows Defender Antivirus on Windows Server 2012 R2 and later operating systems. Instead, it is either ignored (if [ForceDefenderPassiveMode](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) is configured explicitly) or it places Microsoft Defender Antivirus into [passive mode](microsoft-defender-antivirus-windows.md#comparing-active-mode-passive-mode-and-disabled-mode) (if `ForceDefenderPassiveMode` isn't configured). Moreover, [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode via changing `ForceDefenderPassiveMode` to `0`, but not to passive mode. These changes apply only to servers onboarded to Microsoft Defender for Endpoint. For more information, please refer to [Microsoft Defender Antivirus compatibility with other security products](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions)

+### Known Issues

+- Some customers might have received platform updates 4.18.2209.2 from preview. It can cause the service to get stuck at the start state after the update.

+## August-2022 (Platform: 4.18.2207.7 | Engine: 1.1.19600.3)

+- Security intelligence update version: **1.373.1647.0**

+- Release date: **September 6, 2022**

+- Platform: **4.18.2207.7**

+- Engine: **1.1.19600.3**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Starting with platform version 4.18.2207.7, the default behavior of dynamic signature expiration reporting changes to reduce potential 2011 event notification flooding. See: **Event ID: 2011** in [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md)

+- Fixed Unified agent installer issues on WS2012R2 Server and Windows Server 2016

+- Fixed remediation issue for custom detection

+- Fixed Race condition related to behavior monitoring

+- Resolved multiple deadlock scenarios in Defender dlls

+- Improved frequency of Windows toasts notification for ASR rules

+### Known Issues

+- None

+## July-2022 (Platform: 4.18.2207.5 | Engine: 1.1.19500.2)

+- Security intelligence update version: **1.373.219.0**

+- Release date: **August 15, 2022**

+- Platform: **4.18.2207.5**

+- Engine: **1.1.19500.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Performance improvement for [hybrid sleep](/windows-hardware/customize/power-settings/sleep-settings-hybrid-sleep) delay when Microsoft Defender Antivirus is active

+- Fixed client detection behavior related to custom [certificate blocking indicators of compromise](indicator-certificates.md)

+- Performance improvement for [AntiMalware Scan Interface (AMSI)](/windows/win32/amsi/antimalware-scan-interface-portal) caching

+- Improved detection and remediation for [Microsoft Visual Basic for Applications](/office/vba/language/concepts/getting-started/64-bit-visual-basic-for-applications-overview) (VBA) related macros

+- Improved processing of AMSI exclusions

+- Fixed deadlock detection in Host Intrusion Prevention System (HIPS) rule processing. (For more information about HIPS and Defender for Endpoint, see [Migrating from a third-party HIPS to ASR rules](migrating-asr-rules.md).)

+- Fixed memory leak where `MsMpEng.exe` was consuming private bytes. (If high CPU usage is also an issue, see [High CPU usage due to Microsoft Defender Antivirus](troubleshooting-mode-scenarios.md))

+- Fixed deadlock with [behavior monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)

+- Improved trust validation

+- Fixed engine crash issue on legacy operating platforms

+- Performance Analyzer v3 updates: Added top path support, scan skip information, and OnDemand scan support. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).

+- Defender performance improvements during file copy operations

+- Added improvements for [troubleshooting mode](enable-troubleshooting-mode.md)

+- Added fix for Defender WINEVT channels across update/restarts. (For more information about WINEVT, see [Windows Event Log](/windows/win32/api/_wes/).)

+- Added fix for [Defender WMI management](use-wmi-microsoft-defender-antivirus.md) bug during startup/updates

+- Added fix for duplicated 2010/2011 in the [Windows Event Viewer Operational events](troubleshoot-microsoft-defender-antivirus.md)

+- Added support for [Defender for Endpoint](microsoft-defender-endpoint.md) stack processes token hardening

+### Known Issues

+- Customers deploying platform update 4.18.2207.5 might experience lagging network performance that could impact applications.

+## May-2022 (Platform: 4.18.2205.7 | Engine: 1.1.19300.2)

+- Security intelligence update version: **1.369.88.0**

+- Released: **June 22, 2022**

+- Platform: **4.18.2205.7**

+- Engine: **1.1.19300.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Added fix for ETW channel configuration for updates

+- Added support for contextual exclusions allowing more specific exclusion targeting

+- Fixed context maximum size

+- Added fix for [ASR LSASS detection](attack-surface-reduction-rules-reference.md)

+- Added fix to SHSetKnownFolder for rule exclusion logic

+- Added AMSI disk usage limits for The History Store

+- Added fix for Defender service refusing to accept signature updates

+### Known issues

+- None

+## March-2022 *UPDATE* (Platform: 4.18.2203.5 | Engine: 1.1.19200.5)

+*Customers who applied the March 2022 Microsoft Defender engine update (**1.1.19100.5**) might have encountered high resource utilization (CPU and/or memory). Microsoft has released an update (**1.1.19200.5**) that resolves the bugs introduced in the earlier version. Customers are recommended to update to at least this new engine build of Antivirus Engine (**1.1.19200.5**). To ensure any performance issues are fully fixed, it's recommended to reboot machines after applying update.*

+- Security intelligence update version: **1.363.817.0**

+- Released: **April 22, 2022**

+- Platform: **4.18.2203.5**

+- Engine: **1.1.19200.5**

+- Support phase: **Technical upgrade support (only)**

+## What's new

+- Resolves issues with high resource utilization (CPU and/or memory) related to the earlier March 2022 Microsoft Defender engine update (1.1.19100.5)

+### Known issues

+- None

+## March-2022 (Platform: 4.18.2203.5 | Engine: 1.1.19100.5)

+- Security intelligence update version: **1.361.1449.0**

+- Released: **April 7, 2022**

+- Platform: **4.18.2203.5**

+- Engine: **1.1.19100.5**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Added fix for an [attack surface reduction rule](attack-surface-reduction.md) that blocked an Outlook add-in

+- Added fix for [behavior monitoring](configure-protection-features-microsoft-defender-antivirus.md) performance issue related to short live processes

+- Added fix for [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) exclusion

+- Improved [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) capabilities

+- Added a fix for [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) getting disabled in some cases when using `SharedSignaturesPath` config. For more information about the `SharedSignaturesPath` parameter, see [Set-MpPreference](/powershell/module/defender/set-mppreference).

+### Known issues

+- Potential for high resource utilization (CPU and/or memory). See the Platform 4.18.2203.5 and Engine 1.1.19200.5 update for March 2022.

+## February-2022 (Platform: 4.18.2202.4 | Engine: 1.1.19000.8)

+- Security intelligence update version: **1.361.14.0**

+- Released: **March 14, 2022**

+- Platform: **4.18.2202.4**

+- Engine: **1.1.19000.8**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improvements to detection and behavior monitoring logic

+- Fixed false positive triggering attack surface reduction detections

+- Added fix resulting in better fidelity of EDR and Advanced Hunting detection alerts

+- Defender no longer supports custom notifications on toast pop ups. Modified GPO/Intune/SCCM and docs to reflect this change.

+- Improvements to capture both information and copy of files written to removable storage. To learn more, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](device-control-removable-storage-access-control.md).

+- Improved traffic output when SmartScreen service is unreachable

+- Connectivity improvements for customers using proxies with authentication requirements

+- Fixed VDI device update bug for network FileShares

+- EDR in block mode now supports granular device targeting with new CSPs. See [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md).

+### Known issues

+- None

+## January-2022 (Platform: 4.18.2201.10 | Engine: 1.1.18900.2)

+- Security intelligence update version: **1.357.8.0**

+- Released: **February 9, 2022**

+- Platform: **4.18.2201.10**

+- Engine: **1.1.18900.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Behavior monitoring improvements in filtering performance

+- Hardening to TrustedInstaller

+- Tamper protection improvements

+- Replaced `ScanScheduleTime` with new `ScanScheduleOffest` cmdlet in [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy configures the number of minutes after midnight to perform a scheduled scan.

+- Added the `-ServiceHealthReportInterval` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy configures the time interval (in minutes) to perform a scheduled scan.

+- Added the `AllowSwitchToAsyncInspection` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy enables a performance optimization that allows synchronously inspected network flows to switch to async inspection once they've been checked and validated.

+- Performance Analyzer v2 updates: Remote PowerShell and PowerShell 7.x support added. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).

+- Fixed potential duplicate packet bug in Microsoft Defender Antivirus network inspection system driver.

+### Known issues

+- None

+## November-2021 (Platform: 4.18.2111.5 | Engine: 1.1.18800.4)

+- Security intelligence update version: **1.355.2.0**

+- Released: **December 9th, 2021**

+- Platform: **4.18.2111.5**

+- Engine: **1.1.18800.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improved CPU usage efficiency of certain intensive scenarios on Exchange servers

+- Added new device control status fields under Get-MpComputerStatus in Defender PowerShell module. For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md).

+- Fixed bug in which `SharedSignatureRoot` value couldn't be removed when set with PowerShell

+- Fixed bug in which [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) failed to be enabled, even though Microsoft Defender for Endpoint indicated that tamper protection was turned on

+- Added supportability and bug fixes to performance analyzer for Microsoft Defender Antivirus tool. For more information, see [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).

+ - PowerShell ISE support added for `New-MpPerformanceRecording`

+ - Fixed bug errors for `Get-MpPerformanceReport -TopFilesPerProcess`

+ - Fixed performance recording session leak when using `New-MpPerformanceRecording` in PowerShell 7.x, remote sessions, and PowerShell ISE

+### Known issues

+- None

+## October-2021 (Platform: 4.18.2110.6 | Engine: 1.1.18700.4)

+- Security intelligence update version: **1.353.3.0**

+- Released: **October 28th, 2021**

+- Platform: **4.18.2110.6**

+- Engine: **1.1.18700.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improvements to file transfer protocol (FTP) network traffic coverage

+- Fix to reduce Microsoft Defender CPU usage in Exchange Server running on Windows Server 2016

+- Fix for scan interruptions

+- Fix for alerts on blocked tampering attempts not appearing in Security Center

+- Improvements to tamper resilience in Microsoft Defender service

+### Known issues

+- None

+## September-2021 (Platform: 4.18.2109.6 | Engine: 1.1.18600.4)

+- Security intelligence update version: **1.351.7.0**

+- Released: **October 7th, 2021**

+- Platform: **4.18.2109.6**

+- Engine: **1.1.18600.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- New delay ring for Microsoft Defender Antivirus engine and platform updates. Devices that opt into this ring receives updates with a 48-hour delay. The new delay ring is suggested for critical environments only. See [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md).

+- Improvements to Microsoft Defender update gradual rollout process

+### Known issues

+- None

+## August-2021 (Platform: 4.18.2108.7 | Engine: 1.1.18500.10)

+- Security intelligence update version: **1.349.22.0**

+- Released: **September 2, 2021**

+- Platform: **4.18.2108.7**

+- Engine: **1.1.18500.10**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improvements to the behavior monitoring engine

+- Released new [performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)

+- Microsoft Defender Antivirus hardened against loading malicious DLLs

+- Microsoft Defender Antivirus hardened against the TrustedInstaller bypass

+- Extending file change notifications to include more data for Human-Operated Ransomware (HumOR)

+### Known issues

+- None

+## July-2021 (Platform: 4.18.2107.4 | Engine: 1.1.18400.4)

+- Security intelligence update version: **1.345.13.0**

+- Released: **August 5, 2021**

+- Platform: **4.18.2107.4**

+- Engine: **1.1.18400.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Device control support added for Windows Portable Devices

+- Potentially unwanted applications (PUA) protection is turned on by default for consumers (See [Block potentially unwanted applications with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).)

+- Scheduled scans for Group Policy Object managed systems adhere to user configured scan time

+- Improvements to the behavior monitoring engine

+### Known issues

+- None

+## June-2021 (Platform: 4.18.2106.5 | Engine: 1.1.18300.4)

+- Security intelligence update version: **1.343.17.0**

+- Released: **June 28, 2021**

+- Platform: **4.18.2106.5**

+- Engine: **1.1.18300.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- New controls for managing the gradual rollout process of Microsoft Defender updates. See [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md).

+- Improvement to the behavior monitoring engine

+- Improvements to the rollout of antimalware definitions

+- Extended Microsoft Edge network event inspections

+### Known issues

+- None

+## May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)

+- Security intelligence update version: **1.341.8.0**

+- Released: **June 3, 2021**

+- Platform: **4.18.2105.4**

+- Engine: **1.1.18200.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improvements to [behavior monitoring](client-behavioral-blocking.md)

+- Fixed [network protection](network-protection.md) notification filtering feature

+### Known issues

+- None

+## April-2021 (Platform: 4.18.2104.14 | Engine: 1.1.18100.5)

+- Security intelligence update version: **1.337.2.0**

+- Released: **April 26, 2021** (Engine: 1.1.18100.6 released May 5, 2021)

+- Platform: **4.18.2104.14**

+- Engine: **1.1.18100.5**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- More behavior monitoring logic

+- Improved kernel mode key logger detection

+- Added new controls to manage the gradual rollout process for [Microsoft Defender updates](manage-gradual-rollout.md)

+### Known issues

+- None

+## March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)

+- Security intelligence update version: **1.335.36.0**

+- Released: **April 2, 2021**

+- Platform: **4.18.2103.7**

+- Engine: **1.1.18000.5**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improvement to the Behavior Monitoring engine

+- Expanded network brute-force-attack mitigations

+- More failed tampering attempt event generation when [Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled

+### Known issues

+- None

+## February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)

+- Security intelligence update version: **1.333.7.0**

+- Released: **March 9, 2021**

+- Platform: **4.18.2102.3**

+- Engine: **1.1.17900.7**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improved service recovery through [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)

+- Extend tamper protection scope

+### Known issues

+- None

+## January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)

+- Security intelligence update version: **1.327.1854.0**

+- Released: **February 2, 2021**

+- Platform: **4.18.2101.9**

+- Engine: **1.1.17800.5**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Shellcode exploit detection improvements

+- Increased visibility for credential stealing attempts

+- Improvements in antitampering features in Microsoft Defender Antivirus services

+- Improved support for ARM x64 emulation

+- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection

+### Known issues

+- None

+## November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)

+- Security intelligence update version: **1.327.1854.0**

+- Released: **December 03, 2020**

+- Platform: **4.18.2011.6**

+- Engine: **1.1.17700.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improved [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) status support logging

+### Known issues

+- None

+## October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)

+- Security intelligence update version: **1.327.7.0**

+- Released: **October 29, 2020**

+- Platform: **4.18.2010.7**

+- Engine: **1.1.17600.5**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- New descriptions for special threat categories

+- Improved emulation capabilities

+- Improved host address allow/block capabilities

+- New option in Defender CSP to Ignore merging of local user exclusions

+### Known issues

+- None

+## September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)

+- Security intelligence update version: **1.325.10.0**

+- Released: **October 01, 2020**

+- Platform: **4.18.2009.7**

+- Engine: **1.1.17500.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Admin permissions are required to restore files in quarantine

+- XML formatted events are now supported

+- CSP support for ignoring exclusion merges

+- New management interfaces for:

+ - UDP Inspection

+ - Network Protection on Server 2019

+ - IP Address exclusions for Network Protection

+- Improved visibility into TPM measurements

+- Improved Office VBA module scanning

+### Known issues

+- None

+## August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)

+- Security intelligence update version: **1.323.9.0**

+- Released: **August 27, 2020**

+- Platform: **4.18.2008.9**

+- Engine: **1.1.17400.5**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Add more telemetry events

+- Improved scan event telemetry

+- Improved behavior monitoring for memory scans

+- Improved macro streams scanning

+- Added `AMRunningMode` to Get-MpComputerStatus PowerShell cmdlet

+- [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program.

+### Known issues

+- None

+## July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)

+- Security intelligence update version: **1.321.30.0**

+- Released: **July 28, 2020**

+- Platform: **4.18.2007.8**

+- Engine: **1.1.17300.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improved telemetry for BITS

+- Improved Authenticode code signing certificate validation

+### Known issues

+- None

+## June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)

+- Security intelligence update version: **1.319.20.0**

+- Released: **June 22, 2020**

+- Platform: **4.18.2006.10**

+- Engine: **1.1.17200.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Possibility to specify the [location of the support logs](./collect-diagnostic-data.md)

+- Skipping aggressive catchup scan in Passive mode.

+- Allow Defender to update on metered connections

+- Fixed performance tuning when caching is disabled

+- Fixed registry query

+- Fixed scantime randomization in ADMX

+### Known issues

+- None

+## May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)

+- Security intelligence update version: **1.317.20.0**

+- Released: **May 26, 2020**

+- Platform: **4.18.2005.4**

+- Engine: **1.1.17100.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improved logging for scan events

+- Improved user mode crash handling.

+- Added event tracing for Tamper protection

+- Fixed AMSI Sample submission

+- Fixed AMSI Cloud blocking

+- Fixed Security update install log

+### Known issues

+- None

+## April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)

+- Security intelligence update version: **1.315.12.0**

+- Released: **April 30, 2020**

+- Platform: **4.18.2004.6**

+- Engine: **1.1.17000.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- WDfilter improvements

+- Add more actionable event data to attack surface reduction detection events

+- Fixed version information in diagnostic data and WMI

+- Fixed incorrect platform version in UI after platform update

+- Dynamic URL intel for Fileless threat protection

+- UEFI scan capability

+- Extend logging for updates

+### Known issues

+- None

+## March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)

+- Security intelligence update version: **1.313.8.0**

+- Released: **March 24, 2020**

+- Platform: **4.18.2003.8**

+- Engine: **1.1.16900.4**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- CPU Throttling option added to [MpCmdRun](./command-line-arguments-microsoft-defender-antivirus.md)

+- Improve diagnostic capability

+- reduce Security intelligence timeout (5 min)

+- Extend AMSI engine internal log capability

+- Improve notification for process blocking

+### Known issues

+- [**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.

+## February-2020 (Platform: - | Engine: 1.1.16800.2)

+- Security intelligence update version: **1.311.4.0**

+- Released: **February 25, 2020**

+- Platform/Client: **-**

+- Engine: **1.1.16800.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- None

+### Known issues

+- None

+## January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)

+- Security intelligence update version: **1.309.32.0**

+- Released: **January 30, 2020**

+- Platform/Client: **4.18.2001.10**

+- Engine: **1.1.16700.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Fixed BSOD on WS2016 with Exchange

+- Support platform updates when TMP is redirected to network path

+- Platform and engine versions are added to [WDSI](https://www.microsoft.com/en-us/wdsi/defenderupdates) <!-- The preceding URL must include "/en-us" -->

+- extend Emergency signature update to [passive mode](./microsoft-defender-antivirus-compatibility.md)

+- Fix 4.18.1911.3 hang

+### Known issues

+- [**Fixed**] devices utilizing [modern standby mode](/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.

+> [!IMPORTANT]

+> This update is:

+> - needed by RS1 devices running lower version of the platform to support SHA2;

+> - has a reboot flag for systems that have hanging issues;

+> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability;

+> - is categorized as an update due to the reboot requirement; and

+> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).

+## November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)

+- Security intelligence update version: **1.307.13.0**

+- Released: **December 7, 2019**

+- Platform: **4.18.1911.3**

+- Engine: **1.1.17000.7**

+- Support phase: **No support**

+### What's new

+- Fixed MpCmdRun tracing level

+- Fixed WDFilter version info

+- Improve notifications (PUA)

+- add MRT logs to support files

+### Known issues

+- When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version.

+The columns `NetworkMessageId` and `RecipientEmailAddress` must be present in the query output to apply actions to email messages.

+- [Exchange Online Protection](eop-about.md)

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups:

+ - **Organization Management**

+ - **Security Administrator**

+ - **Security Reader**

+ - **Global Reader**

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Security Reader**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- For our recommended settings for anti-phishing policies, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Allow or block spoofed senders or turn on or turn off spoof intelligence_: Membership in one of the following role groups:

+ - **Organization Management**

+ - **Security Administrator** <u>and</u> **View-Only Configuration** or **View-Only Organization Management**.

+ - _Read-only access to the spoof intelligence insight_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- For our recommended settings for anti-phishing policies, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): You need membership in one of the following roles:

+ - **Global Administrator**

+ - **Security Administrator**

+ - **Attack Simulation Administrators**^\*: Create and manage all aspects of attack simulation campaigns.

+ - **Attack Payload Author**^\*: Create attack payloads that an admin can initiate later.

+ ^\* Adding users to this role in [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md) is currently unsupported.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md):

+ - _Use the configuration analyzer and update the affected security policies_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to the configuration analyzer_: Membership in the **Global Reader** or **Security Reader** role groups.

+ - [Exchange Online RBAC](/Exchange/permissions-exo/permissions-exo): Membership in the **View-Only Organization Management** role group gives read-only access to the configuration analyzer.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gies users the required permissions _and_ permissions for other features in Microsoft 365.

+Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes can use _connection filtering_ and the default connection filter policy to identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are:

+- **IP Block List**: Block all incoming messages from the source email servers that you specify by IP address or IP address range. The incoming messages are rejected, are not marked as spam, and no other filtering occurs. For more information about how the IP Block List should fit into your overall blocked senders strategy, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md).

+- **Safe list**: The _safe list_ is a dynamic allow list in the Microsoft datacenter that requires no customer configuration. Microsoft identifies these trusted email sources from subscriptions to various third-party lists. You enable or disable the use of the safe list; you can't configure the source email servers on the safe list. Spam filtering is skipped on incoming messages from the email servers on the safe list.

+This article describes how to configure the default connection filter policy in the Microsoft 365 Microsoft 365 Defender portal or in Exchange Online PowerShell. For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings, see [Anti-spam protection](anti-spam-protection-about.md).

+>

+> IPv6 ranges are not supported.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Modify policies_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- The IP Allow List takes precedence over the IP Block List (an address on both lists isn't blocked).

+ - **Always allow messages from the following IP addresses or address range**: This setting is the IP Allow list. Click in the box, enter a value, and then press Enter or select the complete value that's displayed below the box. Valid values are

+ To add the IP address or address range, enter the value in the box and then click **Add** . To remove an entry, select the entry in **Allowed IP Address** and then click **Remove** . When you're finished, click **Save**.

+ - **Always block messages from the following IP addresses or address range**: This setting is the IP Block List. Enter a single IP, IP range, or CIDR IP in the box as previously described in the **Always allow messages from the following IP addresses or address range** setting.

+- To _overwrite_ any existing entries with the values you specify, use the following syntax: `IPAddressOrRange1,IPAddressOrRange2,...,IPAddressOrRangeN`.

+- To _add or remove_ IP addresses or address ranges without affecting other existing entries, use the following syntax: `@{Add="IPAddressOrRange1","IPAddressOrRange2",...,"IPAddressOrRangeN";Remove="IPAddressOrRange3","IPAddressOrRange4",...,"IPAddressOrRangeN"}`.

+As described earlier in this article, you can only use a CIDR IP with the network mask /24 to /32 in the IP Allow List. To skip spam filtering on messages from source email servers in the /1 to /23 range, you need to use Exchange mail flow rules (also known as transport rules). But, we recommend that you don't use the mail flow rule method, because the messages will be blocked if an IP address in the /1 to /23 CIDR IP range appears on any of Microsoft's proprietary or third-party block lists.

+Typically, adding an IP address or address range to the IP Allow List means you trust all incoming messages from that email source. What if that source sends email from multiple domains, and you want to skip spam filtering for some of those domains, but not others? You can use the IP Allow List in combination with a mail flow rule.

+For example, the source email server 192.168.1.25 sends email from the domains contoso.com, fabrikam.com, and tailspintoys.com, but you only want to skip spam filtering for messages from senders in fabrikam.com:

+- An IP address in your IP Allow List is also configured in an on-premises, IP-based inbound connector in _any_ tenant in Microsoft 365 (let's call this Tenant A), **and** Tenant A and the EOP server that first encounters the message both happen to be in _the same_ Active Directory forest in the Microsoft datacenters. In this scenario, **IPV:CAL** _is_ added to the message's [anti-spam message headers](message-headers-eop-mdo.md) (indicating the message bypassed spam filtering), but the message is still subject to spam filtering.

+- Your tenant that contains the IP Allow List and the EOP server that first encounters the message both happen to be in *different* Active Directory forests in the Microsoft datacenters. In this scenario, **IPV:CAL** *isn't* added to the message headers, so the message is still subject to spam filtering.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Remove connectors from the Restricted entities portal_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to the Restricted entities portal_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Configure preset security policies_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to preset security policies_: Membership in the **Global Reader** role group.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **Security Data / email quarantine (manage)** (management via PowerShell). Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Take action on quarantined messages for all users_: Membership in the **Organization Management**, **Security Administrator**, or **Quarantine Administrator** role groups.

+ - _Submit messages from quarantine to Microsoft_: Membership in the **Security Administrator** role group.

+ - _Read-only access to quarantined messages for all users_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): Membership in the **Quarantine Administrator** role group. To do quarantine procedures in Exchange Online PowerShell, you also need membership in the **Hygiene Management** role group in Exchange Online RBAC.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+> This is a *protection trend report*, meaning data represents trends in a larger dataset. As a result, the data in the charts is not available in real time here, but the data in the details table is, so you may see a slight discrepancy between the two. The charts are refreshed once every four hours and contain data for the last 90 days. For detailed real-time information, see [View phishing URL and click verdict data](threat-explorer-about.md#view-phishing-url-and-click-verdict-data).

+- You need to be assigned permissions before you can view and use the reports that are described in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups:

+ - **Organization Management**

+ - **Security Administrator**

+ - **Security Reader**

+ - **Global Reader**

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365.

+If you are not seeing data in your Defender for Office 365 reports, double-check that your policies are set up correctly. Your organization must have [Safe Links policies](safe-links-policies-configure.md) and [Safe Attachments policies](set-up-safe-attachments-policies.md) defined in order for Defender for Office 365 protection to be in place. Also see [anti-spam](anti-spam-protection-about.md) and [anti-malware protection](anti-malware-protection-about.md).

+- You need to be assigned permissions before you can view and use the reports that are described in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups:

+ - **Organization Management**

+ - **Security Administrator**

+ - **Security Reader**

+ - **Global Reader**

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md) and [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Create, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups in Email & collaboration RBAC <u>and</u> membership in the **Organization Management** role group in Exchange Online RBAC.

+ - _Read-only access to policies_: Membership in one of the following role groups:

+ - **Global Reader** or **Security Reader** in Email & collaboration RBAC.

+ - **View-Only Organization Management** in Exchange Online RBAC.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Configure Safe Documents settings_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to Safe Documents settings_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md) and [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Create, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups in Email & collaboration RBAC <u>and</u> membership in the **Organization Management** role group in Exchange Online RBAC.

+ - _Read-only access to policies_: Membership in one of the following role groups:

+ - **Global Reader** or **Security Reader** in Email & collaboration RBAC.

+ - **View-Only Organization Management** in Exchange Online RBAC.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+ - **Do not rewrite URLs, do checks via SafeLinks API only**: Select this option to prevent URL wrapping and skip reputation check during mail flow. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it.

+ - **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.**: Select this option to enable Safe Links protection for links in Teams. Note that this setting might take up to 24 hours to take effect. This setting affects time of click protection.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Configure global settings for Safe Links_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to global settings for Safe Links_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+If you want to temporarily allow certain messages that are still being blocked by Microsoft, do so using [admin submissions](submissions-admin.md#report-good-email-to-microsoft).

+- False positives: To temporarily allow certain messages that are still being blocked by Microsoft, use [admin submissions](submissions-admin.md#report-good-email-to-microsoft). By default, allow entries for domains and email addresses, files, and URLs exist for 30 days, while allow entries for spoofed senders never expire. Within those 30 days, Microsoft will learn from the allow entries or automatically extend them for you.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md) and [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Create, modify, or remove configured settings in the advanced delivery policy_: Membership in the **Security Administrator** role groups in Email & collaboration RBAC <u>and</u> membership in the **Organization Management** role group in Exchange Online RBAC.

+ - _Read-only access to the advanced delivery policy_: Membership in the **Global Reader** or **Security Reader** role groups in Email & collaboration RBAC.

+ - **View-Only Organization Management** in Exchange Online RBAC.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+1. Take the headers of a message you're concerned with and search for the **"X-Microsoft-Antispam:"** header, which contains a **BCL value**. Make a note of this number.

+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)

+After a few moments, the block entry will appear on the **Domains & addresses** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

+After a few moments, the block entry will appear on the **Files** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

+After a few moments, the block entry will appear on the **URL** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

+After a few moments, the allow entries will appear on the **Domains & addresses**, **Spoofed senders**, **URL**, or **Files** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

+> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.

+> - By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries or automatically extend them for you. By default, allow entries for spoofed senders never expire.

+After a few moments, the allow entry will appear on the **Files** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

+> - By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries or automatically extend them for you. By default, allow entries for spoofed senders never expire.

+> - When the file is encountered again during mail flow, [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks and all other file-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message will be delivered.

+> - During selection, all file-based filters, including [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks are overridden, allowing user access the file.

+After a few moments, the allow entry will appear on the **URL** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

+> - By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries or automatically extend them for you. By default, allow entries for spoofed senders never expire.

+> - When the URL is encountered again during mail flow, [Safe Links](safe-links-about.md) detonation or URL reputation checks, and all other URL-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message will be delivered.

+> - During selection, all URL-based filters, including [Safe Links](safe-links-about.md) detonation or URL reputation checks are overridden, allowing user access to content hosted by the URL.

+- **Files**: Email messages that contain these blocked files are blocked as *malware*. Messages contatining the blocked files are quarantined.

+- **Email attachments** and **URLs**: An allow entry is created and the entry appears on the **Files** or **URLs** tab in the Tenant Allow/Block List.

+ - If the message was blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md), an allow entry for the sender is created, and the entry appears on the **Spoofed senders** tab in the Tenant Allow Block List.

+ - If the message was blocked due to file-based filers, an allow entry for the file is created, and the entry appears on the **Files** tab in the Tenant Allow Block List.

+ - If the message was blocked due to URL-based filters, an allow entry for the URL is created, and the entry appears on the **URL** tab in the Tenant Allow Block List.

+ - If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the **Domains & addresses** tab in the Tenant Allow Block List.

+ - If the message was not blocked due to filtering, no allow entries are created anywhere.

+By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from these allow entries, messages that contain these entities will be delivered, unless something else is the message is detected as malicious. By default, allow entries for spoofed senders never expire.

+> Microsoft manages the creation of allow entries from the Submissions page. Allow entries are created for domains or email addresses, spoofed senders, files, or URLs (_entities_) that were determined to be malicious by filters during mail flow. For example, if the sender and a URL in the message are both determined to be bad, an allow entry for the sender email address and an allow entry for the URL are created.

+> When that entity (domain or email address, URL, file) is encountered again either during mailflow or time of click, all filters associated with that entity are skipped.

+> During mail flow, if messages containing the allow entity passes the other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-authentication-about.md) and URL and file based filtering passes, a message from a sender email address in the allow entry will be delivered.

+After you add an allow entry or block entry on the Submissions page or a block entry in the Tenant Allow/Block List, the entry should start working immediately 99.999% of the time. For the rest, it could take up to 24 hours.

+An allow is created by default for a period of 30 calendar days so that Microsoft could learn from it and then remove it. With **[allow expiry management](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447)**, if Microsoft has not learned from the allow entry, Microsoft will automatically extend the expiry time of allow entries that will soon expire by another 30 days. This extension prevents legitimate email from going to junk or quarantine or legitimate URL or file from being blocked at time of click. If Microsoft does not learn within 90 calendar days from the date of the original creation of the allow entry, Microsoft will remove the allow entry. You will be kept informed throughout the process using emails.

+- For domains and email addresses, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 domain and email address entries in total).

+- For Files, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 file entries in total).

+- For URLs, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 URL entries in total).

+- By default, allow entries for **domains and email addresses**, **files** and **URLs** are created for 30 days. Microsoft will either learn from the allow entries for **domains and email addresses**, **files** and **URLs** within those 30 days, or automatically extend it for you. Once Microsoft learns, email containing these entities will be delivered to the inbox provided something else in the email is not malicious. Moreover these entities by default will open at time of click.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Add and remove entries from the Tenant Allow/Block List_: Membership in one of the following role groups:

+ - **Organization Management** or **Security Administrator** (Security admin role).

+ - **Security Operator** (Tenant AllowBlockList Manager).

+ - _Read-only access to the Tenant Allow/Block List_: Membership in one of the following role groups:

+ - **Global Reader**

+ - **Security Reader**

+ - **View-Only Configuration**

+ - **View-Only Organization Management**

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+By default, allow entries for domains and email addresses, files, and URLs exist for 30 days, while allow entries for spoofed senders never expire. Within those 30 days, Microsoft will learn from the allow entries or automatically extend the allow entries for you. Once Microsoft learns, email containing these entities will be delivered to the inbox provided something else in the email is not malicious. Moreover these entities by default will open at time of click.

+> Microsoft manages the allow creation process from Submission by creating allows for those entities (domains or email addresses, spoofed senders, URLs, or files) which were determined to be malicious by filters during mail flow. For example, if the sender and a URL in the message were determined to be bad, an allow entry is created for the sender email address, and an allow entry is created for the URL.

+> When that entity (domain or email address, URL, file) is encountered again either during mailflow or time of click, all filters associated with that entity are skipped.

+> During mail flow, if messages containing the allow entity passes the other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-authentication-about.md) and URL and file based filtering passes, a message from a sender email address in the allow entry will be delivered.

+>

+> - Currently, Graph Impersonation is not taken care from here.

+- For files, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 file entries in total).

+- By default, allow entries for **files** are created for 30 days. Microsoft will either learn from the allow entries for **files** within those 30 days, or automatically extend it for you. Once Microsoft learns, email containing these files will be delivered to the inbox provided something else in the email is not malicious. Moreover these files by default will open at time of click.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Add and remove entries from the Tenant Allow/Block List_: Membership in one of the following role groups:

+ - **Organization Management** or **Security Administrator** (Security admin role).

+ - **Security Operator** (Tenant AllowBlockList Manager).

+ - _Read-only access to the Tenant Allow/Block List_: Membership in one of the following role groups:

+ - **Global Reader**

+ - **Security Reader**

+ - **View-Only Configuration**

+ - **View-Only Organization Management**

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+By default, allow entries for files are created for 30 days. Microsoft will either learn from the allow entries for files within those 30 days, or automatically extend it for you. Once Microsoft learns, email containing these files will be delivered to the inbox provided something else in the email is not malicious. Moreover these files by default will open at time of click.

+> During mail flow, if messages containing the file pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-authentication-about.md) passes, a message containing the file in the allow entry will be delivered.

+>

+- **Block entries**: The expiration date and notes.

+> [!NOTE]

+> To allow phishing URLs that are part of third-party attack simulation training, use the [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md) to specify the URLs. Don't use the Tenant Allow/Block List.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Add and remove entries from the Tenant Allow/Block List_: Membership in one of the following role groups:

+ - **Organization Management** or **Security Administrator** (Security admin role).

+ - **Security Operator** (Tenant AllowBlockList Manager).

+ - _Read-only access to the Tenant Allow/Block List_: Membership in one of the following role groups:

+ - **Global Reader**

+ - **Security Reader**

+ - **View-Only Configuration**

+ - **View-Only Organization Management**

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- **Block entries**: The expiration date and notes.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/system (manage)** or **configuration/system (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md):

+ - _Create, modify, and delete custom user tags_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Add and remove members from the Priority Account system tag_: Membership in the **Security Administrator** and **Exchange Admin** role groups.

+ - _Add and remove members from existing custom user tags_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ > User tag management is controlled by the **Tag Reader** and **Tag Manager** roles.

+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:

+ - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.

+ - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):

+ - _Modify the spoof intelligence policy or turn on or turn off spoof intelligence_: Membership in one of the following role groups:

+ - **Organization Management**

+ - **Security Administrator** <u>and</u> **View-Only Configuration** or **View-Only Organization Management**.

+ - _Read-only access to the spoof intelligence policy_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+|Start the whiteboard from a Surface Hub or Microsoft Teams Rooms|Storage: Azure (Whiteboard files will be moved to OneDrive for Business in the future)<br><br>Owner: Meeting participant|Not applicable|In-tenant users: Can initiate, view, and collaborate<br><br>External users: Can view and collaborate during the meeting only<br><br> Shared device accounts: Can initiate, view, and collaborate during the meeting only|