Docs update tracker

Updates from: 02/07/2024 06:08:26

Category	Microsoft Docs article	Related commit history on GitHub	Change details
business-premium	M365bp Protect Against Malware Cyberthreats	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-against-malware-cyberthreats.md	To assign preset security policies, follow these steps: > [!TIP] > To learn more about assigning preset security policies, see the following articles: > -> - [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](../security/office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users) +> - [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](../security/office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users) > - [Recommended settings for email and collaboration content](../security/office-365-security/recommended-settings-for-eop-and-office365.md) (Microsoft 365 Business Premium includes Exchange Online Protection and Microsoft Defender for Office 365 Plan 1) ## 2. Turn on Microsoft Defender for Business
frontline	Browser Join	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/browser-join.md	- highpri - m365initiative-meetings - m365-virtual-appointments -+ description: Learn about the join experience for Teams Virtual Appointments on browsers. appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 02/01/2023 Last updated : 02/06/2024 # Manage the join experience for Teams Virtual Appointments on browsers Currently, browser join is available for appointments that are scheduled through ## Set up browser join -### Appointments scheduled through the Virtual Appointments app or the Bookings app +### Appointments scheduled through the Virtual Appointments app Schedulers in your organization can turn on this feature for specific appointment types and for scheduled individual appointments. After this feature is turned on, the confirmation email or SMS text thatΓÇÖs sen #### Turn on browser join for an appointment type -1. Do one of the following: - 1. In the Virtual Appointments app, go to the Manage tab > Appointment types, and then under Scheduled, select an appointment type. - 1. In the Bookings app, go to Settings > Appointment types, and then under Scheduled, select an appointment type. +1. In the Virtual Appointments app, go to the Manage tab > Services, and then under Scheduled, select an appointment type. + 1. Turn on Have attendees join from a web browser. Doing this enables browser join for all appointments of this type. :::image type="content" source="media/browser-join-appointment-type.png" alt-text="Screenshot of the Have attendees join from a browser setting for appointment types." lightbox="media/browser-join-appointment-type.png"::: #### Turn on browser join for an individual appointment -On the Bookings schedule tab of the Virtual Appointments app or in the Bookings app, select New booking, and then turn on Have attendees join from a browser. +On the Schedule tab of the Virtual Appointments app, select New appointment, and then turn on Have attendees join from a browser. :::image type="content" source="media/browser-join-bookings-form.png" alt-text="Screenshot of the Have attendees join from a browser setting on the new booking form." lightbox="media/browser-join-bookings-form.png":::
frontline	Ehr Admin Epic	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-admin-epic.md	appliesto: - Microsoft Teams - Microsoft 365 for frontline workers-+ description: Learn how to integrate the Teams EHR connector to enable healthcare providers in your organization to conduct virtual appointments with patients or other providers in Teams directly from the Epic EHR system. Last updated 03/30/2023
frontline	Ehr Admin Oracle Health	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-admin-oracle-health.md	appliesto: - Microsoft Teams - Microsoft 365 for frontline workers-+ description: Learn how to integrate the Teams EHR connector to enable healthcare providers in your organization to conduct virtual appointments with patients or other providers in Teams directly from the Oracle Health EHR system. Last updated 03/30/2023
frontline	Ehr Connector Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-connector-report.md	appliesto: - Microsoft Teams - Microsoft 365 for frontline workers-+ description: Learn how to use the Teams EHR connector Virtual Appointments report in the Microsoft Teams admin center to get an overview of EHR-integrated virtual appointment usage in your organization. Last updated 12/16/2022
frontline	Ehr Connector Troubleshoot Setup Configuration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-connector-troubleshoot-setup-configuration.md	appliesto: - Microsoft Teams - Microsoft 365 for frontline workers-+ description: Use this guidance to help you troubleshoot common setup and configuration issues for the Teams Electronic Health Record (EHR) connector. Last updated 04/21/2023
frontline	Virtual Appointments App	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-app.md	- m365initiative-meetings - m365-virtual-appointments - teams-1p-app-admin -+ description: Get an overview of how to use the Virtual Appointments app in Teams to schedule, manage, conduct and view analytics on virtual appointments in your organization. appliesto: - Microsoft Teams
frontline	Virtual Appointments	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments.md	Title: Virtual Appointments with Microsoft Teams -+ audience: admin
lti	Browser Cookies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/browser-cookies.md	Previously updated : 08/28/2023 Last updated : 02/06/2024 audience: admin - tier2 - ContentEnagagementFY24 ms.localizationpriority: medium -description: Learn how to allow cookies for LMS URLs in Edge, Chrome, and Firefox, and Safari browsers. +description: Learn how to allow cookies for LMS (Learning Management System) URLs in Edge, Chrome, and Firefox, and Safari browsers. # Allow cookies for LMS URLs in your browser -Third-party browser cookies are needed to complete the LTI 1.3 handshake according to IMS Global standards. Therefore, when launching the LTI tool from a Learning Management System (LMS), the browser setting must allow third-party cookies for the LMS URL. +Learning Management Systems (LMS) need third-party browser cookies to complete the LTI 1.3 handshake, according to IMS Global standards. This means your browser settings need to allow third-party cookies for the LMS URL when you're launching an LTI tool. For more information on Microsoft's LTI capabilities, see [Integrating Microsoft products with your Learning Management System](index.md). Here are the steps to allow the cookies in your browser. 1. Turn on Allow sites to save and read cookie data (recommended). 1. Make sure Block third-party cookies is turned off. -If you must keep third-party cookies blocked: +If you need to keep third-party cookies blocked: 1. In the Edge Settings window, select Cookies and site permissions > Cookies and data stored > Manage and delete cookies and site data. 1. Under Allow, select Add to add the domain URL of the LMS platform. - 1. For example, if the LMS platform is hosted at `https://contoso.com`, then that URL must be added under Allow. + 1. For example, if the LMS platform is hosted at `https://contoso.com`, then that URL needs to be added in the Allow section. ![Screenshot of Microsoft Edge cookie settings page](media/edge-cookies.png) If you must keep third-party cookies blocked: 1. In the Chrome Settings window, select the Privacy and security tab and then Third-party cookies. 1. Select the option for Allow third-party cookies. -If you must keep third-party cookies blocked: +If you need to keep third-party cookies blocked: 1. Under Customized behaviors, select Add. 1. Add the domain URL of the LMS platform. - 1. For instance, if the LMS platform is hosted at `https://contoso.com`, then that URL must be used. + 1. For instance, if the LMS platform is hosted at `https://contoso.com`, then that URL needs to be used. ![Screenshot of Google Chrome cookie settings page](media/chrome-cookies.png) If you must keep third-party cookies blocked: 1. In the Firefox Settings window, select the Privacy & Security tab. 1. Under Cookies and Site Data, select Manage Exceptions. 1. In the Address of website text box, enter the URL of the LMS platform. - 1. For instance, if the LMS platform is hosted at `https://contoso.com`, then that URL must be used. + 1. For instance, if the LMS platform is hosted at `https://contoso.com`, then that URL needs to be used. 1. Select Allow to allow cookies for the website. 1. Select Save Changes. If you must keep third-party cookies blocked: ## Allow cookies for LMS URLs in Safari -1. Select Preferences > Privacy. -1. Clear the Prevent cross-site tracking checkbox. +1. In Settings you select the Safari app. +1. Go to the Privacy & Security section. +1. Turn off the option for Prevent cross-site tracking. > [!NOTE] -> In you can't change the settings yourself because your browser is managed by your organization, reach out to your IT department. - +> If you can't change the settings yourself because your browser is managed by your organization, reach out to your IT department to let them know what you need.
security	Defender Endpoint Demonstration Block At First Sight Bafs	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-block-at-first-sight-bafs.md	- Title: Microsoft Defender for Endpoint Block at First Sight (BAFS) demonstration -description: A demonstration that shows how Block at First Sight detects and blocks new malware within seconds. -keywords: Microsoft Defender for Endpoint, cloud-delivered protection, detect malware, block malware, demonstration -search.product: eADQiWindows 10XVcnh - -ms.sitesec: library -ms.pagetype: security ------ m365-security-- tier2-- demo-- Previously updated : 10/21/2022-- -# Block at First Sight (BAFS) demonstration - -Applies to: --- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)-- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)- -Block at First Sight, is a feature of Microsoft Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. You can test that it is working as expected by downloading a fake malware file. - -## Scenario requirements and setup --- Windows 11, Windows 10 Anniversary update (1607) or later-- Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2 with the new unified Defender for Endpoint client. --- Cloud protection is enabled-- You can [download and use the Powershell script](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/) to enable this setting and others- - > [!NOTE] - > You should see your browser ask to save this file in a few seconds. - -### Test BAFS - -Follow the instructions in [Block at first sight demo](https://demo.wd.microsoft.com/Page/BAFS). --- -## See also - -[Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) - -[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security	Mac Device Control Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md	Here are the properties you can use when you create the group and policy. ### Settings -> [!NOTE] -> Both Android (portableDevice) and iOS (appleDevice) are in public preview and not in general availability at the moment. - \| Property name \| Description \| Options \| \|:\|:\|:\| \| features \| Feature specific configurations \| You can set `disable` to false or true for following features: <br/>- `removableMedia`<br/>- `appleDevice`<br/>- `portableDevice`, including camera or PTP media<br/>- `bluetoothDevice`<br/><br/>The default is `true`, so if you don't configure this value, it will not apply even if you create a custom policy for `removableMedia`, because it's disabled by default. \|
security	Mac Whatsnew	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md	Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. > [!NOTE] > Microsoft Defender for Endpoint no longer supports these macOS as Apple ended support for: > - Big Sur (11) in December 2023. -> - Catalina (10.15) in December 2022. + +### Jan-2024 (Build: 101.23122.0005 \| Release version: 20.123122.5.0) + +\| Build: \| 101.23122.0005 \| +\|--\|--\| +\| Release version: \| 20.123122.5.0 \| +\| Engine version: \| 1.1.23100.2010 \| +\| Signature version: \| 1.403.3022.0 \| + +##### What's new + +- [[device control](mac-device-control-overview.md)] Fixes for Bluetooth devices support +- Bug and performance fixes ### Dec-2023 (Build: 101.23102.0020 \| Release version: 20.123102.20.0) \| Build: \| 101.23102.0020 \| -\|--\|-\| +\|--\|--\| \| Release version: \| 20.123102.20.0 \| \| Engine version: \| 1.1.23090.2005 \| \| Signature version: \| 1.401.1729.0 \|
security	Defender Vulnerability Management Faq	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-faq.md	Microsoft Defender Vulnerability Management is available via two 2. For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers looking for a risk-based vulnerability management solution, Microsoft Defender Vulnerability Management Standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. To sign up for the free 90-day trial, see [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone). +### Do I need to assign Defender Vulnerability Management licenses to users in my organization as instructed in the admin center? + +Currently, there's no need to assign the new Defender Vulnerability Management license to users. Licenses will be applied automatically after a customer signs up for the free trial. + ### Is Defender Vulnerability Management available as part of Defender for Endpoint Plan 2? If the customer has Defender for Endpoint Plan 2 they have the core vulnerability management capabilities. Defender Vulnerability Management is a separate solution from Defender for Endpoint (not included in Defender for Endpoint Plan 2) and is available as an add-on. For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 custo Once a customer is onboarded on to the free-trial experience, Defender Vulnerability Management features are turned on by default at the tenant level for all users within the organization. -### Do I need to assign Defender Vulnerability Management trial licenses to users in my organization as instructed in the admin center? - -Currently, there's no need to assign the new Defender Vulnerability Management license to users. Licenses will be applied automatically after a customer signs up for the free trial. - ### If a customer is in public preview, what will happen to their premium capabilities if I don't sign up for a free trial? The new capabilities will be available only to customers who onboard a trial. Customers who haven't onboarded will lose access to these capabilities. Blocked applications will be immediately unblocked. Security baseline profiles may be stored for a short additional time before being deleted.
security	Eval Defender Office 365 Pilot	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md	For example, an EOP condition for pilot evaluations could be applied if the reci Likewise, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are members of a defined Defender for Office 365 Standard Protection group and then managed by adding / removing accounts via the group. -For complete instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](../office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). +For complete instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](../office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). ### Configure custom protection policies
security	Advanced Delivery Policy Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-delivery-policy-configure.md	Messages that are identified by the advanced delivery policy aren't security thr - View-Only Organization Management in Exchange Online RBAC. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -<a name='use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy'></a> - ## Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use <https://security.microsoft.com/advanceddelivery>. Back on the SecOps mailbox tab, the SecOps mailbox entries that you configur - The Email column contains the email address for each entry. - To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: Change list spacing to compact or normal, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: Compact list. -<a name='use-the-microsoft-365-defender-portal-to-modify-or-remove-secops-mailboxes-in-the-advanced-delivery-policy'></a> - ## Use the Microsoft Defender portal to modify or remove SecOps mailboxes in the advanced delivery policy 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use <https://security.microsoft.com/advanceddelivery>. Back on the SecOps mailbox tab, the SecOps mailbox entries that you configur 2. On the SecOps mailbox tab, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: Edit. -3. In Edit SecOps mailboxes flyout that opens, add or remove mailboxes as described in Step 3 in the [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section. +3. In Edit SecOps mailboxes flyout that opens, add or remove mailboxes as described in Step 3 in the [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section. To remove all mailboxes, select remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to each value until there are no more mailboxes selected. Back on the SecOps mailbox tab, the SecOps mailbox entries that you configur Back on the SecOps mailbox tab, the SecOps mailbox entries that you configured are displayed. If you removed all entries, the list is empty. -<a name='use-the-microsoft-365-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy'></a> - ## Use the Microsoft Defender portal to configure third-party phishing simulations in the advanced delivery policy To configure a third-party phishing simulation, you need to provide the following information: Back on the Phishing simulation tab, the third-party phishing simulation ent - The Date column shows when the entry was created. - To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: Change list spacing to compact or normal, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: Compact list. -<a name='use-the-microsoft-365-defender-portal-to-modify-or-remove-third-party-phishing-simulations-in-the-advanced-delivery-policy'></a> - ## Use the Microsoft Defender portal to modify or remove third-party phishing simulations in the advanced delivery policy 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use <https://security.microsoft.com/advanceddelivery>. Back on the Phishing simulation tab, the third-party phishing simulation ent 2. On the Phishing simulation tab, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: Edit. -3. In the Edit third-party phishing simulation flyout that opens, add or remove entries for Domain, Sending IP, and Simulation URLs as described in Step 3 in the [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section. +3. In the Edit third-party phishing simulation flyout that opens, add or remove entries for Domain, Sending IP, and Simulation URLs as described in Step 3 in the [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section. To remove all entries, select remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to each value until there are no more domains, IPs, or URLs selected.
security	Anti Malware Policies Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-policies-configure.md	You can configure anti-malware policies in the Microsoft Defender portal or in P > [!TIP] > Settings in the default or custom anti-malware policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md). -<a name='use-the-microsoft-365-defender-portal-to-create-anti-malware-policies'></a> - ## Use the Microsoft Defender portal to create anti-malware policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-Malware in the Policies section. To go directly to the Anti-malware page, use <https://security.microsoft.com/antimalwarev2>. You can configure anti-malware policies in the Microsoft Defender portal or in P - Quarantine policy: Select the quarantine policy that applies to messages that are quarantined as malware. By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections. For more information about this quarantine policy, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). > [!TIP] - > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). + > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). > > Users can't release their own messages that were quarantined as malware by anti-malware policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages. You can configure anti-malware policies in the Microsoft Defender portal or in P Back on the Anti-malware page, the new policy is listed. -<a name='use-the-microsoft-365-defender-portal-to-view-anti-malware-policy-details'></a> - ## Use the Microsoft Defender portal to view anti-malware policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-Malware in the Policies section. Or, to go directly to the Anti-malware page, use <https://security.microsoft.com/antimalwarev2>. On the Anti-malware page, the following properties are displayed in the list - Status: Values are: - Always on for the default anti-malware policy. - On or Off for other anti-malware policies.-- Priority: For more information, see the [Set the priority of custom anti-malware policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-malware-policies) section. +- Priority: For more information, see the [Set the priority of custom anti-malware policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-anti-malware-policies) section. To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: Change list spacing to compact or normal, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: Compact list. Select a policy by clicking anywhere in the row other than the check box next to > [!TIP] > To see details about other anti-malware policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: Previous item and Next item at the top of the flyout. -<a name='use-the-microsoft-365-defender-portal-to-take-action-on-anti-malware-policies'></a> - ## Use the Microsoft Defender portal to take action on anti-malware policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-Malware in the Policies section. To go directly to the Anti-malware page, use <https://security.microsoft.com/antimalwarev2>. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Em The actions are described in the following subsections. -<a name='use-the-microsoft-365-defender-portal-to-modify-anti-malware-policies'></a> - ### Use the Microsoft Defender portal to modify anti-malware policies -After you select the default anti-malware policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create anti-malware policies](#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies) section earlier in this article. +After you select the default anti-malware policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create anti-malware policies](#use-the-microsoft-defender-portal-to-create-anti-malware-policies) section earlier in this article. For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy. For the anti-malware policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: View preset security policies in the details flyout to go to the Preset security policies page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies. -<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-anti-malware-policies'></a> - ### Use the Microsoft Defender portal to enable or disable custom anti-malware policies You can't disable the default anti-malware policy (it's always enabled). After you select a disabled custom anti-malware policy (the Status value is On the Anti-malware page, the Status value of the policy is now On or Off. -<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-malware-policies'></a> - ### Use the Microsoft Defender portal to set the priority of custom anti-malware policies Anti-malware policies are processed in the order that they're displayed on the Anti-malware page: -- The anti-malware policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). +- The anti-malware policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). - The anti-malware policy named Standard Preset Security Policy that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom anti-malware policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). When you're finished in the policy details flyout, select Close. Back on the Anti-malware page, the order of the policy in the list matches the updated Priority value. -<a name='use-the-microsoft-365-defender-portal-to-remove-custom-anti-malware-policies'></a> - ### Use the Microsoft Defender portal to remove custom anti-malware policies You can't remove the default anti-malware policy or the anti-malware policies named Standard Preset Security Policy and Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md).
security	Anti Malware Protection About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection-about.md	Anti-malware policies control the configurable settings and notification options ### Recipient filters in anti-malware policies -In custom anti-malware policies and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions: +In custom anti-malware policies and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions: - Users - Groups These settings aren't configured in the default anti-malware policy by default, ### Priority of anti-malware policies -If they're [turned on](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), the Standard and Strict preset security policies are applied before any custom anti-malware policies or the default policy (Strict is always first). If you create multiple custom anti-malware policies, you can specify the order that they're applied. Policy processing stops after the first policy is applied (the highest priority policy for that recipient). +If they're [turned on](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), the Standard and Strict preset security policies are applied before any custom anti-malware policies or the default policy (Strict is always first). If you create multiple custom anti-malware policies, you can specify the order that they're applied. Policy processing stops after the first policy is applied (the highest priority policy for that recipient). For more information about the order of precedence and how multiple policies are evaluated, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md) and [Order of precedence for preset security policies and other policies](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies).
security	Anti Phishing Mdo Impersonation Insight	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-mdo-impersonation-insight.md	Admins can use the impersonation insight in the Microsoft Defender portal to qui - Global Reader - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the Global Administrator, Security Administrator, Security Reader, or Global Reader roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection isn't enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md) and [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). +- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection isn't enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md) and [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). - For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms). -<a name='open-the-impersonation-insight-in-the-microsoft-365-defender-portal'></a> - ## Open the impersonation insight in the Microsoft Defender portal In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-phishing in the Policies section. Or, to go directly to the Anti-phishing page, use <https://security.microsoft.com/antiphishing>.
security	Anti Phishing Policies Eop Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure.md	For anti-phishing policy procedures in organizations with Microsoft Defender for - Allow up to 30 minutes for a new or updated policy to be applied. -<a name='use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies'></a> - ## Use the Microsoft Defender portal to create anti-phishing policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-phishing in the Policies section. To go directly to the Anti-phishing page, use <https://security.microsoft.com/antiphishing>. For anti-phishing policy procedures in organizations with Microsoft Defender for Back on the Anti-phishing page, the new policy is listed. -<a name='use-the-microsoft-365-defender-portal-to-view-anti-phishing-policy-details'></a> - ## Use the Microsoft Defender portal to view anti-phishing policy details In the Microsoft Defender portal, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-phishing in the Policies section. Or, to go directly to the Anti-phishing page, use <https://security.microsoft.com/antiphishing>. On the Anti-phishing page, the following properties are displayed in the lis - Status: Values are: - Always on for the default anti-phishing policy. - On or Off for other anti-spam policies.-- Priority: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section. +- Priority: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section. To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: Change list spacing to compact or normal, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: Compact list. Select a policy by clicking anywhere in the row other than the check box next to > [!TIP] > To see details about other anti-phishing policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: Previous item and Next item at the top of the flyout. -<a name='use-the-microsoft-365-defender-portal-to-take-action-on-anti-phishing-policies'></a> - ## Use the Microsoft Defender portal to take action on anti-phishing policies 1. In the Microsoft Defender portal, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-phishing in the Policies section. Or, to go directly to the Anti-phishing page, use <https://security.microsoft.com/antiphishing>. Select a policy by clicking anywhere in the row other than the check box next to The actions are described in the following subsections. -<a name='use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies'></a> - ### Use the Microsoft Defender portal to modify anti-phishing policies -After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article. +After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-defender-portal-to-create-anti-phishing-policies) section earlier in this article. For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy. For the anti-phishing policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: View preset security policies in the details flyout to go to the Preset security policies page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies. -<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-anti-phishing-policies'></a> - ### Use the Microsoft Defender portal to enable or disable custom anti-phishing policies You can't disable the default anti-phishing policy (it's always enabled). After you select a disabled custom anti-phishing policy (the Status value is On the Anti-phishing page, the Status value of the policy is now On or Off. -<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies'></a> - ### Use the Microsoft Defender portal to set the priority of custom anti-phishing policies Anti-phishing policies are processed in the order that they're displayed on the Anti-phishing page: -- The anti-phishing policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). +- The anti-phishing policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). - The anti-phishing policy named Standard Preset Security Policy that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom anti-phishing policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). When you're finished in the policy details flyout, select Close. Back on the Anti-phishing page, the order of the policy in the list matches the updated Priority value. -<a name='use-the-microsoft-365-defender-portal-to-remove-custom-anti-phishing-policies'></a> - ### Use the Microsoft Defender portal to remove custom anti-phishing policies You can't remove the default anti-phishing policy or the anti-phishing policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with [preset security policies](preset-security-policies.md).
security	Anti Phishing Policies Mdo Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure.md	For anti-phishing policy procedures in organizations without Defender for Office - Allow up to 30 minutes for a new or updated policy to be applied. -<a name='use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies'></a> - ## Use the Microsoft Defender portal to create anti-phishing policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-phishing in the Policies section. To go directly to the Anti-phishing page, use <https://security.microsoft.com/antiphishing>. For anti-phishing policy procedures in organizations without Defender for Office Back on the Anti-phishing page, the new policy is listed. -<a name='use-the-microsoft-365-defender-portal-to-view-anti-phishing-policy-details'></a> - ## Use the Microsoft Defender portal to view anti-phishing policy details In the Microsoft Defender portal, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-phishing in the Policies section. Or, to go directly to the Anti-phishing page, use <https://security.microsoft.com/antiphishing>. On the Anti-phishing page, the following properties are displayed in the lis - Status: Values are: - Always on for the default anti-phishing policy. - On or Off for other anti-spam policies.-- Priority: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section. +- Priority: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section. To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: Change list spacing to compact or normal, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: Compact list. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: Filter to filter the policies by Time range (creation date) or Status. Select a policy by clicking anywhere in the row other than the check box next to > [!TIP] > To see details about other anti-phishing policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: Previous item and Next item at the top of the flyout. -<a name='use-the-microsoft-365-defender-portal-to-take-action-on-anti-phishing-policies'></a> - ## Use the Microsoft Defender portal to take action on anti-phishing policies 1. In the Microsoft Defender portal, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-phishing in the Policies section. Or, to go directly to the Anti-phishing page, use <https://security.microsoft.com/antiphishing>. Select a policy by clicking anywhere in the row other than the check box next to The actions are described in the following subsections. -<a name='use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies'></a> - ### Use the Microsoft Defender portal to modify anti-phishing policies -After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article. +After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-defender-portal-to-create-anti-phishing-policies) section earlier in this article. For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy. For the anti-phishing policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: View preset security policies in the details flyout to go to the Preset security policies page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies. -<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-anti-phishing-policies'></a> - ### Use the Microsoft Defender portal to enable or disable custom anti-phishing policies You can't disable the default anti-phishing policy (it's always enabled). After you select a disabled custom anti-phishing policy (the Status value is On the Anti-phishing page, the Status value of the policy is now On or Off. -<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies'></a> - ### Use the Microsoft Defender portal to set the priority of custom anti-phishing policies Anti-phishing policies are processed in the order that they're displayed on the Anti-phishing page: -- The anti-phishing policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). +- The anti-phishing policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). - The anti-phishing policy named Standard Preset Security Policy that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom anti-phishing policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). When you're finished in the policy details flyout, select Close. Back on the Anti-phishing page, the order of the policy in the list matches the updated Priority value. -<a name='use-the-microsoft-365-defender-portal-to-remove-custom-anti-phishing-policies'></a> - ### Use the Microsoft Defender portal to remove custom anti-phishing policies You can't remove the default anti-phishing policy or the anti-phishing policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with [preset security policies](preset-security-policies.md).
security	Anti Phishing Protection Tuning	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-tuning.md	You can also use the [configuration analyzer](configuration-analyzer-for-securit - For messages that end up in quarantine by mistake (false positives), or for messages that are allowed through (false negatives), we recommend that you search for those messages in [Threat Explorer and real-time detections](threat-explorer-about.md). You can search by sender, recipient, or message ID. After you locate the message, go to details by clicking on the subject. For a quarantined message, look to see what the "detection technology" was so that you can use the appropriate method to override. For an allowed message, look to see which policy allowed the message. -- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as _phishing_ in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), [entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list), and the [Spoof detections report](reports-email-security.md#spoof-detections-report). After you review allowed and blocked spoofed senders and make any necessary overrides, you can confidently [configure spoof intelligence in anti-phishing policies](anti-phishing-policies-about.md#spoof-settings) to Quarantine suspicious messages instead of delivering them to the user's Junk Email folder. +- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as _phishing_ in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), [entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-defender-portal-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list), and the [Spoof detections report](reports-email-security.md#spoof-detections-report). After you review allowed and blocked spoofed senders and make any necessary overrides, you can confidently [configure spoof intelligence in anti-phishing policies](anti-phishing-policies-about.md#spoof-settings) to Quarantine suspicious messages instead of delivering them to the user's Junk Email folder. - In Defender for Office 365, you can also use the Impersonation insight page at <https://security.microsoft.com/impersonationinsight> to track user impersonation or domain impersonation detections. For more information, see [Impersonation insight in Defender for Office 365](anti-phishing-mdo-impersonation-insight.md).
security	Anti Spam Policies Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md	You can configure anti-spam policies in the Microsoft Defender portal or in Powe - End-user spam notifications in anti-spam policies are replaced by _quarantine notifications_ in quarantine policies. Quarantine notifications contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts). For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). -<a name='use-the-microsoft-365-defender-portal-to-create-anti-spam-policies'></a> - ## Use the Microsoft Defender portal to create anti-spam policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use <https://security.microsoft.com/antispam>. You can configure anti-spam policies in the Microsoft Defender portal or in Powe Back on the Anti-spam policies page, the new policy is listed. -<a name='use-the-microsoft-365-defender-portal-to-view-anti-spam-policy-details'></a> - ## Use the Microsoft Defender portal to view anti-spam policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use <https://security.microsoft.com/antispam>. On the Anti-spam policies page, the following properties are displayed in th - Status: Values are: - Always on for the default anti-spam policy (for example, Anti-spam inbound policy (Default)). - On or Off for other anti-spam policies.-- Priority: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-spam-policies) section. +- Priority: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-anti-spam-policies) section. - Type: One of the following values for anti-spam policies: - Protection templates for anti-spam policies that are associated with the Standard and Strict [preset security policies](preset-security-policies.md). - Custom anti-spam policy Select an anti-spam policy by clicking anywhere in the row other than the check > [!TIP] > To see details about other anti-spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: Previous item and Next item at the top of the flyout. -<a name='use-the-microsoft-365-defender-portal-to-take-action-on-anti-spam-policies'></a> - ## Use the Microsoft Defender portal to take action on anti-spam policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use <https://security.microsoft.com/antispam>. On the Anti-spam policies page, select the anti-spam policy from the list by The actions are described in the following subsections. -<a name='use-the-microsoft-365-defender-portal-to-modify-anti-spam-policies'></a> - ### Use the Microsoft Defender portal to modify anti-spam policies -After you select the default anti-spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article. +After you select the default anti-spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create anti-spam policies](#use-the-microsoft-defender-portal-to-create-anti-spam-policies) section earlier in this article. For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy. For the anti-spam policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: View preset security policies in the details flyout to go to the Preset security policies page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies. -<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-anti-spam-policies'></a> - ### Use the Microsoft Defender portal to enable or disable anti-spam policies You can't disable the default anti-spam policy (it's always enabled). When you're finished in the policy details flyout, select Close. On the Anti-spam policies page, the Status value of the policy is now On or Off. -<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-spam-policies'></a> - ### Use the Microsoft Defender portal to set the priority of custom anti-spam policies Anti-spam policies are processed in the order that they're displayed on the Anti-spam policies page: -- The anti-spam policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). +- The anti-spam policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). - The anti-spam policy named Standard Preset Security Policy that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom anti-spam policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). When you're finished in the policy details flyout, select Close. Back on the Anti-spam policies page, the order of the policy in the list matches the updated Priority value. -<a name='use-the-microsoft-365-defender-portal-to-remove-custom-anti-spam-policies'></a> - ### Use the Microsoft Defender portal to remove custom anti-spam policies You can't remove the default anti-spam policy or the anti-spam policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with [preset security policies](preset-security-policies.md). In Exchange Online PowerShell, the difference between spam filter policies and s - In PowerShell, you modify the settings in the spam filter policy and the spam filter rule separately. - When you remove a spam filter policy from PowerShell, the corresponding spam filter rule isn't automatically removed, and vice versa. -A significant setting that's available only in PowerShell is the _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting are explained in the [Create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article. +A significant setting that's available only in PowerShell is the _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting are explained in the [Create anti-spam policies](#use-the-microsoft-defender-portal-to-create-anti-spam-policies) section earlier in this article. ### Use PowerShell to create anti-spam policies Creating an anti-spam policy in PowerShell is a two-step process: 2. Create the spam filter rule that specifies the spam filter policy that the rule applies to. > [!NOTE] -> - You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy. > +> - You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy. > - You can configure the following settings on new spam filter policies in PowerShell that aren't available in the Microsoft Defender portal until after you create the policy: -> -> - Create the new policy as disabled (_Enabled_ `$false` on the New-HostedContentFilterRule cmdlet). -> -> - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the New-HostedContentFilterRule cmdlet). -> +> - Create the new policy as disabled (_Enabled_ `$false` on the New-HostedContentFilterRule cmdlet). +> - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the New-HostedContentFilterRule cmdlet). > - A new spam filter policy that you create in PowerShell isn't visible in the Microsoft Defender portal until you assign the policy to a spam filter rule. #### Step 1: Use PowerShell to create a spam filter policy
security	Anti Spam Protection About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection-about.md	Anti-spam policies control the configurable settings for spam filtering. The imp ### Recipient filters in anti-spam policies -In [custom anti-spam policies](anti-spam-policies-configure.md) and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions: +In [custom anti-spam policies](anti-spam-policies-configure.md) and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions: - Users - Groups The functionality of these lists has been largely replaced by: ### Priority of anti-spam policies -If they're [turned on](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), the Standard and Strict preset security policies are applied before any custom anti-spam policies or the default policy (Strict is always first). If you create multiple custom anti-spam policies, you can specify the order that they're applied. Policy processing stops after the first policy is applied (the highest priority policy for that recipient). +If they're [turned on](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), the Standard and Strict preset security policies are applied before any custom anti-spam policies or the default policy (Strict is always first). If you create multiple custom anti-spam policies, you can specify the order that they're applied. Policy processing stops after the first policy is applied (the highest priority policy for that recipient). For more information about the order of precedence and how multiple policies are evaluated, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md) and [Order of precedence for preset security policies and other policies](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies).
security	Anti Spoofing Spoof Intelligence	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence.md	The rest of this article explains how to use the spoof intelligence insight in t - For our recommended settings for spoof intelligence, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings). -<a name='find-the-spoof-intelligence-insight-in-the-microsoft-365-defender-portal'></a> - ## Find the spoof intelligence insight in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Tenant Allow/Block Lists in the Rules section. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>.
security	Campaigns	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md	A campaign might be short-lived, or could span several days, weeks, or months wi - Security Reader - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the Global Administrator, Security Administrator, or Security Reader roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -<a name='campaigns-page-in-the-microsoft-365-defender-portal'></a> - ## Campaigns page in the Microsoft Defender portal To open the Campaigns page in the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & collaboration \> Campaigns. Or, to go directly to the Campaigns page, use <https://security.microsoft.com/campaigns>.
security	Configuration Analyzer For Security Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md	The configuration analyzer also checks the following non-policy settings: - [Exchange Online permissions](/Exchange/permissions-exo/permissions-exo): Membership in the View-Only Organization Management role group gives read-only access to the configuration analyzer. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -<a name='use-the-configuration-analyzer-in-the-microsoft-365-defender-portal'></a> - ## Use the configuration analyzer in the Microsoft Defender portal In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Configuration analyzer in the Templated policies section. To go directly to the Configuration analyzer page, use <https://security.microsoft.com/configurationAnalyzer>.
security	Connection Filter Policies Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connection-filter-policies-configure.md	This article describes how to configure the default connection filter policy in - The IP Allow List and the IP Block List each support a maximum of 1273 entries, where an entry is a single IP address, an IP address range, or a Classless InterDomain Routing (CIDR) IP. -<a name='use-the-microsoft-365-defender-portal-to-modify-the-default-connection-filter-policy'></a> - ## Use the Microsoft Defender portal to modify the default connection filter policy 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use <https://security.microsoft.com/antispam>. This article describes how to configure the default connection filter policy in 4. Back on the policy details flyout, select Close. -<a name='use-the-microsoft-365-defender-portal-to-view-the-default-connection-filter-policy'></a> - ## Use the Microsoft Defender portal to view the default connection filter policy In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use <https://security.microsoft.com/antispam>.
security	Connectors Remove Blocked	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-remove-blocked.md	For more information about compromised _user accounts_ and how to remove them fr - Before you follow the procedures in this article to remove a connector from the Restricted entities page, be sure to follow the required steps to regain control of the connector as described in [Respond to a compromised connector](connectors-detect-respond-to-compromise.md). -<a name='remove-a-connector-from-the-restricted-entities-page-in-the-microsoft-365-defender-portal'></a> - ## Remove a connector from the Restricted entities page in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & collaboration \> Review \> Restricted entities. Or, to go directly to the Restricted entities page, use <https://security.microsoft.com/restrictedentities>.
security	Detect And Remediate Illicit Consent Grants	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md	If you have one or more instances of the IOCs listed above, you need to do furth You can do this for your users with either the Microsoft Entra admin center, or PowerShell or have your users individually enumerate their application access. -<a name='steps-for-using-the-azure-active-directory-portal'></a> - ### Steps for using the Microsoft Entra admin center You can look up the applications to which any individual user has granted permissions by using the Microsoft Entra admin center at <https://portal.azure.com>.
security	Email Authentication Dkim Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dkim-configure.md	This article lists the steps to use DomainKeys Identified Mail (DKIM) with Micro In this article: - [How DKIM works better than SPF alone to prevent malicious spoofing](#how-dkim-works-better-than-spf-alone-to-prevent-malicious-spoofing)-- [Steps to Create, enable and disable DKIM from Microsoft Defender portal](#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal) +- [Steps to Create, enable and disable DKIM from Microsoft Defender portal](#steps-to-create-enable-and-disable-dkim-from-microsoft-defender-portal) - [Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys](#steps-to-manually-upgrade-your-1024-bit-keys-to-2048-bit-dkim-encryption-keys) - [Steps to manually set up DKIM using PowerShell](#steps-to-manually-set-up-dkim-using-powershell) - [Error: No DKIM keys saved for this domain](#error-no-dkim-keys-saved-for-this-domain) In this example, if you had only published an SPF TXT record for your domain, th > [!TIP] > DKIM uses a private key to insert an encrypted signature into the message headers. The signing domain, or outbound domain, is inserted as the value of the d= field in the header. The verifying domain, or recipient's domain, then uses the d= field to look up the public key from DNS, and authenticate the message. If the message is verified, the DKIM check passes. -<a name='steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal'></a> - ## Steps to Create, enable and disable DKIM from Microsoft Defender portal All the accepted domains of your tenant will be shown in the Microsoft Defender portal under the DKIM page. If you do not see it, add your accepted domain from [domains page](/microsoft-365/admin/setup/add-domain#add-a-domain).
security	Mdo About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-about.md	For email threats that are identified after the fact, Zero-hour autopurge (ZAP) Defender for Office 365 safeguards organizations against malicious threats by providing admins and SecOps teams a wide range of capabilities. Users, admins, and SecOps personnel benefit from these features from the beginning of the organization. For example: -- [Preset security policies can configure everything for you](preset-security-policies.md): The protection policies included in Standard and Strict preset security policies contain our recommended settings. All you need to do is decide who gets the protection (by user, group, domain, or all recipients) and specify the entries and optional exceptions for user and domain impersonation protection. For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). +- [Preset security policies can configure everything for you](preset-security-policies.md): The protection policies included in Standard and Strict preset security policies contain our recommended settings. All you need to do is decide who gets the protection (by user, group, domain, or all recipients) and specify the entries and optional exceptions for user and domain impersonation protection. For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). - [Threat protection policies](#defender-for-office-365-protection-policies): Define threat-protection policies so admins can set the right level of protection for the organization. Anti-phishing policies with spoofing and impersonation protection are included i [Safe Attachments](safe-attachments-about.md) provides zero-day protection for email by checking message attachments for malicious content in addition to the regular malware scanning in EOP. Safe Attachments opens all attachments in virtual environment to see what happens (a process known as _detonation_). If no suspicious activity is detected, the message is delivered to the mailbox. -Safe Attachments protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions. +Safe Attachments protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions. Safe Attachments policies are also included in the Standard and Strict preset security policies, and you can create custom policies as needed. Safe Attachments policies are also included in the Standard and Strict preset se [Safe Links](safe-links-about.md) provides time-of-click verification of URLs in email messages, supported Office files, and Microsoft Teams. Protection is ongoing and applies across your messaging and Office environment. Links are scanned for each click. Benign links remain accessible, but malicious links are dynamically blocked. -Safe Links protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions. +Safe Links protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions. Safe Links policies are also included in the Standard and Strict preset security policies, and you can create custom policies as needed.
security	Mdo Portal Permissions	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-portal-permissions.md	Defender for Office 365 permissions in the Microsoft Defender portal includes de :::image type="content" source="../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png" alt-text="The relationship of a role group to its roles and members" lightbox="../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png"::: -<a name='roles-and-role-groups-in-the-microsoft-365-defender-portal'></a> - ## Roles and role groups in the Microsoft Defender portal On the Permissions page in the Defender portal at <https://security.microsoft.com/securitypermissions>, the following types of roles and role groups are available: On the Permissions page in the Defender portal at <https://security.microsof :::image type="content" source="../../media/m365-sc-permissions-and-roles-page.png" alt-text="The Permissions & roles page in the Microsoft Defender portal" lightbox="../../media/m365-sc-permissions-and-roles-page.png"::: -<a name='azure-ad-roles-in-the-microsoft-365-defender-portal'></a> - -<a name='microsoft-entra-roles-in-the-microsoft-365-defender-portal'></a> - ### Microsoft Entra roles in the Microsoft Defender portal Microsoft Entra roles that are described in this section are available in the [Defender portal](https://security.microsoft.com) \> Permissions \> Microsoft Entra ID \> Roles or directly at <https://security.microsoft.com/aadpermissions>. For more information, see [View and assign administrator roles in Microsoft Entr \|Attack Simulation Administrator\|Create and manage all aspects of [attack simulation](attack-simulation-training-simulations.md) creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see [Attack Simulation Administrator](/azure/active-directory/roles/permissions-reference#attack-simulation-administrator).\| \|Attack Payload Author\|Create attack payloads but not actually launch or schedule them. For more information, see [Attack Payload Author](/azure/active-directory/roles/permissions-reference#attack-payload-author).\| -<a name='email--collaboration-roles-in-the-microsoft-365-defender-portal'></a> - ### Email & collaboration roles in the Microsoft Defender portal The same role groups and roles are available in the Defender portal and in the Purview compliance portal: For complete information about these role groups, see [Roles and role groups in The following actions are available for Email & collaboration role groups in the Defender portal: -- [Create role groups](#create-email--collaboration-role-groups-in-the-microsoft-365-defender-portal)-- [Copy role groups](#copy-email--collaboration-role-groups-in-the-microsoft-365-defender-portal)-- [Modify role group membership](#modify-email--collaboration-role-group-membership-in-the-microsoft-365-defender-portal)-- [Modify role assignments](#modify-email--collaboration-role-group-role-assignments-in-the-microsoft-365-defender-portal) (custom role groups only)-- [Remove role groups](#remove-email--collaboration-role-groups-in-the-microsoft-365-defender-portal) (custom role groups only)- -<a name='create-email--collaboration-role-groups-in-the-microsoft-365-defender-portal'></a> +- [Create role groups](#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) +- [Copy role groups](#copy-email--collaboration-role-groups-in-the-microsoft-defender-portal) +- [Modify role group membership](#modify-email--collaboration-role-group-membership-in-the-microsoft-defender-portal) +- [Modify role assignments](#modify-email--collaboration-role-group-role-assignments-in-the-microsoft-defender-portal) (custom role groups only) +- [Remove role groups](#remove-email--collaboration-role-groups-in-the-microsoft-defender-portal) (custom role groups only) #### Create Email & collaboration role groups in the Microsoft Defender portal The following actions are available for Email & collaboration role groups in the Back on the Permissions page, the new role group is listed. -<a name='copy-email--collaboration-role-groups-in-the-microsoft-365-defender-portal'></a> - #### Copy Email & collaboration role groups in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Permissions \> Email & collaboration roles \> Roles. Or, to go directly to the Permissions page, use <https://security.microsoft.com/emailandcollabpermissions>. Back on the Permissions page, the new role group is listed. 3. In the role group details flyout that opens, select Copy role group at the top of the flyout. -The new role group wizard opens as previously described for [creating a new role group](#create-email--collaboration-role-groups-in-the-microsoft-365-defender-portal). +The new role group wizard opens as previously described for [creating a new role group](#create-email--collaboration-role-groups-in-the-microsoft-defender-portal). The default name of the new role group is Copy of \<original role group name\>, but you can change it. The roles and members are populated with the values from the role you're copying, but you can change them. -<a name='modify-email--collaboration-role-group-membership-in-the-microsoft-365-defender-portal'></a> - #### Modify Email & collaboration role group membership in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Permissions \> Email & collaboration roles \> Roles. Or, to go directly to the Permissions page, use <https://security.microsoft.com/emailandcollabpermissions>. The roles and members are populated with the values from the role you're copying When you're finished in the original Choose members flyout, select Done. -7. Back on the Choose members tab of the wizard, select Save. +6. Back on the Choose members tab of the wizard, select Save. -8. Back on the role group details flyout, select Done. - -<a name='modify-email--collaboration-role-group-role-assignments-in-the-microsoft-365-defender-portal'></a> +7. Back on the role group details flyout, select Done. #### Modify Email & collaboration role group role assignments in the Microsoft Defender portal The roles and members are populated with the values from the role you're copying When you're finished in the original Choose roles flyout, select Done. -7. Back on the Choose roles tab of the wizard, select Save. - -8. Back on the role group details flyout, select Done. +6. Back on the Choose roles tab of the wizard, select Save. -<a name='remove-email--collaboration-role-groups-in-the-microsoft-365-defender-portal'></a> +7. Back on the role group details flyout, select Done. #### Remove Email & collaboration role groups in the Microsoft Defender portal
security	Mdo Sec Ops Guide	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md	For a video about this information, see <https://youtu.be/eQanpq9N1Ps>. ## Daily activities -<a name='monitor-the-microsoft-365-defender-incidents-queue'></a> - ### Monitor the Microsoft Defender XDR Incidents queue The Incidents page in the Microsoft Defender portal at <https://security.microsoft.com/incidents-queue> (also known as the _Incidents queue_) allows you to manage and monitor events from the following sources in Defender for Office 365: The following permissions (roles and role groups) are available in Defender for - Data Investigator - eDiscovery Manager - To assign this role to a new or existing custom role group, see [Email & collaboration roles in the Microsoft Defender portal](mdo-portal-permissions.md#email--collaboration-roles-in-the-microsoft-365-defender-portal). + To assign this role to a new or existing custom role group, see [Email & collaboration roles in the Microsoft Defender portal](mdo-portal-permissions.md#email--collaboration-roles-in-the-microsoft-defender-portal). - Search and Purge role (Email & collaboration): Approve the deletion of malicious messages as recommended by AIR or take manual action on messages in hunting experiences like Threat Explorer. The following permissions (roles and role groups) are available in Defender for - Data Investigator - Organization Management - To assign this role to a new or existing custom role group, see [Email & collaboration roles in the Microsoft Defender portal](mdo-portal-permissions.md#email--collaboration-roles-in-the-microsoft-365-defender-portal). + To assign this role to a new or existing custom role group, see [Email & collaboration roles in the Microsoft Defender portal](mdo-portal-permissions.md#email--collaboration-roles-in-the-microsoft-defender-portal). - Tenant AllowBlockList Manager (Exchange Online): Manage allow and block entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). Blocking URLs, files (using file hash) or senders is a useful response action to take when investigating malicious email that was delivered.
security	Mdo Support Teams About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-support-teams-about.md	In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams pro Instructions to configure ZAP for Teams protection are in the next section. -- Teams messages in quarantine: As with email messages that are identified as malware or high confidence phishing, only admins are able to manage Teams messages that are quarantined by ZAP for Teams by default. For more information, see [Manage quarantined Teams messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages). +- Teams messages in quarantine: As with email messages that are identified as malware or high confidence phishing, only admins are able to manage Teams messages that are quarantined by ZAP for Teams by default. For more information, see [Manage quarantined Teams messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages). - The Teams Message Entity Panel is a single place to store all Teams message metadata for immediate SecOps review. Any threats coming from Teams chats, group chats, meeting chats, and other channels can be found in one place as soon as they're assessed. For more information, see [Teams Message Entity Panel for Microsoft Teams](teams-message-entity-panel.md). In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams pro - Quarantine policies section: You can select the existing quarantine policy to use for messages that are quarantined by ZAP for Teams protection as Malware or High confidence phishing. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). > [!NOTE] - > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware or high confidence phishing, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). + > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware or high confidence phishing, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). - Exclude these participants section: Specify the Users, Groups, or Domains to exclude from ZAP for Teams protection. Exclusions matter for message _recipients_, not message _senders_. For more information, see [Zero-hour auto purge (ZAP) in Microsoft Teams](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams). For detailed syntax and parameter information, see [Set-TeamsProtectionPolicyRul ## See also - [Microsoft Teams](/microsoftteams/teams-overview)-- [Managing Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages) +- [Managing Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages) - [Get started using Attack simulation training in Defender for Office 365](attack-simulation-training-get-started.md)
security	Migrate To Defender For Office 365 Onboard	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md	If your organization has a security response team, now is the time to begin inte If your organization has purchased Microsoft Defender for Office 365 Plan 2, they should begin familiarizing themselves with and using features such as Threat Explorer, Advanced Hunting, and Incidents. For relevant trainings, see <https://aka.ms/mdoninja>. -If your security response team collects and analyzes unfiltered messages, you can configure a SecOps mailbox to receive these unfiltered messages. For instructions, see [Configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy). +If your security response team collects and analyzes unfiltered messages, you can configure a SecOps mailbox to receive these unfiltered messages. For instructions, see [Configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy). ### SIEM/SOAR
security	Migrate To Defender For Office 365 Prepare	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-prepare.md	Microsoft is working with the industry to support the Authenticated Received Cha ## Account for any active phishing simulations -If you have active third-party phishing simulations, you need to prevent the messages, links, and attachments from being identified as phishing by Defender for Office 365. For more information, see [Configure third-party phishing simulations in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-365-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy). +If you have active third-party phishing simulations, you need to prevent the messages, links, and attachments from being identified as phishing by Defender for Office 365. For more information, see [Configure third-party phishing simulations in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy). ## Define spam and bulk user experiences
security	Outbound Spam Policies Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md	You can configure outbound spam policies in the Microsoft Defender portal or in - The default [alert policies](/purview/alert-policies#threat-management-alert-policies) named Email sending limit exceeded, Suspicious email sending patterns detected, and User restricted from sending email already send email notifications to members of the TenantAdmins (Global admins) group about unusual outbound email activity and blocked users due to outbound spam. For more information, see [Verify the alert settings for restricted users](outbound-spam-restore-restricted-users.md#verify-the-alert-settings-for-restricted-users). We recommend that you use these alert policies instead of the notification options in outbound spam policies. -<a name='use-the-microsoft-365-defender-portal-to-create-outbound-spam-policies'></a> - ## Use the Microsoft Defender portal to create outbound spam policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use <https://security.microsoft.com/antispam>. You can configure outbound spam policies in the Microsoft Defender portal or in Back on the Anti-spam policies page, the new policy is listed. -<a name='use-the-microsoft-365-defender-portal-to-view-outbound-spam-policy-details'></a> - ## Use the Microsoft Defender portal to view outbound spam policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use <https://security.microsoft.com/antispam>. On the Anti-spam policies page, the following properties are displayed in th - Status: Values are: - Always on for the default outbound spam policy (for example, Anti-spam outbound policy (Default)). - On or Off for other outbound spam policies.-- Priority: For more information, see the [Set the priority of custom outbound spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-outbound-spam-policies) section. +- Priority: For more information, see the [Set the priority of custom outbound spam policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-outbound-spam-policies) section. - Type: One of the following values for outbound spam policies: - Custom outbound spam policy - Blank for the default outbound spam policy (for example, Anti-spam outbound policy (Default)). Select an outbound spam policy by clicking anywhere in the row other than the ch > [!TIP] > To see details about other outbound spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: Previous item and Next item at the top of the flyout. -<a name='use-the-microsoft-365-defender-portal-to-take-action-on-outbound-spam-policies'></a> - ## Use the Microsoft Defender portal to take action on outbound spam policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use <https://security.microsoft.com/antispam>. On the Anti-spam policies page, select the outbound spam policy from the lis The actions are described in the following subsections. -<a name='use-the-microsoft-365-defender-portal-to-modify-outbound-spam-policies'></a> - ### Use the Microsoft Defender portal to modify outbound spam policies -After you select the default outbound spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create outbound spam policies](#use-the-microsoft-365-defender-portal-to-create-outbound-spam-policies) section earlier in this article. +After you select the default outbound spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create outbound spam policies](#use-the-microsoft-defender-portal-to-create-outbound-spam-policies) section earlier in this article. For the default policy, you can't modify the name of the policy, and there are no sender filters to configure (the policy applies to all senders). But, you can modify all other settings in the policy. -<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-outbound-spam-policies'></a> - ### Use the Microsoft Defender portal to enable or disable custom outbound spam policies You can't disable the default outbound spam policy (it's always enabled). When you're finished in the policy details flyout, select Close. On the Anti-spam policies page, the Status value of the policy is now On or Off. -<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-outbound-spam-policies'></a> - ### Use the Microsoft Defender portal to set the priority of custom outbound spam policies Outbound spam policies are processed in the order that they're displayed on the Anti-spam policies page: When you're finished in the policy details flyout, select Close. Back on the Anti-spam policies page, the order of the policy in the list matches the updated Priority value. -<a name='use-the-microsoft-365-defender-portal-to-remove-custom-outbound-spam-policies'></a> - ### Use the Microsoft Defender portal to remove custom outbound spam policies You can't remove the default outbound spam policy.
security	Outbound Spam Restore Restricted Users	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-restore-restricted-users.md	For more information about compromised _connectors_ and how to remove them from - A sender exceeding the outbound email limits is an indicator of a compromised account. Before you follow the procedures in this article to remove a user from the Restricted entities page, be sure to follow the required steps to regain control of the account as described in [Responding to a compromised email account in Office 365](responding-to-a-compromised-email-account.md). -<a name='remove-a-user-from-the-restricted-entities-page-in-the-microsoft-365-defender-portal'></a> - ## Remove a user from the Restricted entities page in the Microsoft Defender portal In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & collaboration \> Review \> Restricted entities. Or, to go directly to the Restricted entities page, use <https://security.microsoft.com/restrictedentities>.
security	Pim In Mdo Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/pim-in-mdo-configure.md	In the Microsoft Defender portal, create a custom role group that contains the p 3. Name your group to reflect its purpose such as 'Search and Purge PIM'. 4. Don't add members, simply save the group and move on to the next part! -<a name='create-the-security-group-in-azure-ad-for-elevated-permissions'></a> - ### Create the security group in Microsoft Entra ID for elevated permissions 1. Browse back to the [Microsoft Entra Admin Center](https://aad.portal.azure.com/) and navigate to Microsoft Entra ID > Groups > New Group.
security	Preset Security Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md	The rest of this article how to configure preset security policies. - _Read-only access to preset security policies_: Membership in the Global Reader role group. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the Global Administrator, Security Administrator, or Global Reader roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -<a name='use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users'></a> - ## Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Preset Security Policies in the Templated policies section. Or, to go directly to the Preset security policies page, use <https://security.microsoft.com/presetSecurityPolicies>. The rest of this article how to configure preset security policies. Click in the Add domains box, enter a domain value, press the ENTER key or select the value that's displayed below the box. To remove a domain from the box and start over, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the domain. When you're ready to add the domain, select Add. Repeat this step as many times as necessary. - The domains you added are listed on the page. To remove the domain, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value. + The domains you added are listed on the page. To remove the domain, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value. The domains you added are listed on the page. To remove a domain, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: next to the entry. The rest of this article how to configure preset security policies. 10. On the Standard protection updated or Strict protection updated page, select Done. -<a name='use-the-microsoft-365-defender-portal-to-modify-the-assignments-of-standard-and-strict-preset-security-policies'></a> - ## Use the Microsoft Defender portal to modify the assignments of Standard and Strict preset security policies -The steps to modify the assignment of the Standard protection or Strict protection preset security policy are the same as when you initially [assigned the preset security policies to users](#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). +The steps to modify the assignment of the Standard protection or Strict protection preset security policy are the same as when you initially [assigned the preset security policies to users](#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). To disable the Standard protection or Strict protection preset security policies while still preserving the existing conditions and exceptions, slide the toggle to :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::. To enable the policies, slide the toggle to :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::. -<a name='use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy'></a> - ## Use the Microsoft Defender portal to add exclusions to the Built-in protection preset security policy > [!TIP]
security	Priority Accounts Turn On Priority Account Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection.md	This article describes how to confirm that priority account protection is turned - The Priority account tag is a type of _user tag_. You can create custom user tags to differentiate specific groups of users in reporting and other features. For more information about user tags, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). -<a name='review-or-turn-on-priority-account-protection-in-the-microsoft-365-defender-portal'></a> - ## Review or turn on priority account protection in the Microsoft Defender portal > [!NOTE]
security	Quarantine About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-about.md	_Quarantine policies_ define what users are able to do or not do to quarantined The default quarantine policies that are assigned to protection feature verdicts enforce the historical capabilities that users get for their quarantined messages (messages where they're a recipient). For more information, see the table in [Find and release quarantined messages as a user in EOP](quarantine-end-user.md). For example, only admins can work with messages that were quarantined as malware or high confidence phishing. By default, users can work with their messages that were quarantined as spam, bulk, phishing, spoof, user impersonation, domain impersonation, or mailbox intelligence. -Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). +Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). > [!NOTE] > Users can't release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high-confidence phishing messages.
security	Quarantine Admin Manage Messages Files	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md	Watch this short video to learn how to manage quarantined messages as an admin. - Quarantined messages and files are retained for a default period of time based on why they were quarantined. After the retention period expires, the messages are automatically deleted and aren't recoverable. For more information, see [Quarantine retention](quarantine-about.md#quarantine-retention). -<a name='use-the-microsoft-365-defender-portal-to-manage-quarantined-email-messages'></a> - ## Use the Microsoft Defender portal to manage quarantined email messages ### View quarantined email Back on the Email tab, the Release status value of the message is Rele #### Approve or deny release requests from users for quarantined email -Users can request the release of email messages if the quarantine policy used Allow recipients to request a message to be released from quarantine (`PermissionToRequestRelease` permission) instead of Allow recipients to release a message from quarantine (`PermissionToRelease` permission) when the message was quarantined. For more information, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). +Users can request the release of email messages if the quarantine policy used Allow recipients to request a message to be released from quarantine (`PermissionToRequestRelease` permission) instead of Allow recipients to release a message from quarantine (`PermissionToRelease` permission) when the message was quarantined. For more information, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). After a recipient requests the release of the email message, the Release status value changes to Release requested, and an admin can approve or deny the request. Admins can search the audit log to find events for messages that were deleted fr For complete instructions for audit log searches, see [Audit New Search](/purview/audit-new-search). -<a name='use-the-microsoft-365-defender-portal-to-manage-quarantined-files-in-defender-for-office-365'></a> - ## Use the Microsoft Defender portal to manage quarantined files in Defender for Office 365 > [!NOTE] When you select multiple quarantined files on the Files** tab by selecting the :::image type="content" source="../../media/quarantine-file-bulk-actions.png" alt-text="The Bulk actions dropdown list for files in quarantine" lightbox="../../media/quarantine-file-bulk-actions.png"::: -<a name='use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages'></a> - ## Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages Quarantine in Microsoft Teams is available only in organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5)
security	Quarantine Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md	You create and assign quarantine policies in the Microsoft Defender portal or in - Quarantine Administrator - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the Global Administrator, Security Administrator, or Quarantine Administrator roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -<a name='step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal'></a> - ## Step 1: Create quarantine policies in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & collaboration \> Policies & Rules \> Threat policies \> Quarantine policy in the Rules section. Or, to go directly to the Quarantine policy page, use <https://security.microsoft.com/quarantinePolicies>. The default quarantine policies, preset permission groups, and permissions are d The rest of this step explains how to assign quarantine policies for supported filter verdicts. -<a name='assign-quarantine-policies-in-supported-policies-in-the-microsoft-365-defender-portal'></a> - ## Assign quarantine policies in supported policies in the Microsoft Defender portal > [!NOTE] For detailed syntax and parameter information, see [Set-AntiPhishPolicy](/powers 3. On the Protection settings page or flyout, view or select a quarantine policy in the Quarantine policy box. - Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). + Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). Users can't release their own messages that were quarantined as malware by anti-malware policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages. Set-SafeAttachmentPolicy -Identity "Human Resources" -QuarantineTag ContosoNoAcc For detailed syntax and parameter information, see [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy). -<a name='configure-global-quarantine-notification-settings-in-the-microsoft-365-defender-portal'></a> - ## Configure global quarantine notification settings in the Microsoft Defender portal The global settings for quarantine policies allow you to customize the quarantine notifications that are sent to recipients of quarantined messages if quarantine notifications are turned on in the quarantine policy. For more information about quarantine notifications, see [Quarantine notifications](quarantine-quarantine-notifications.md). Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy \| Set-Quaranti For detailed syntax and parameter information, see [Set-QuarantinePolicy](/powershell/module/exchange/set-quarantinepolicy). -<a name='view-quarantine-policies-in-the-microsoft-365-defender-portal'></a> - ## View quarantine policies in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & collaboration \> Policies & rules \> Threat policies \> Quarantine policies in the Rules section. Or, to go directly to the Quarantine policies page, use <https://security.microsoft.com/quarantinePolicies>. If you'd rather use PowerShell to view quarantine policies, do any of the follow For detailed syntax and parameter information, see [Get-HostedContentFilterPolicy](/powershell/module/exchange/get-hostedcontentfilterpolicy). -<a name='modify-quarantine-policies-in-the-microsoft-365-defender-portal'></a> - ## Modify quarantine policies in the Microsoft Defender portal You can't modify the default quarantine policies named AdminOnlyAccessPolicy, DefaultFullAccessPolicy, or DefaultFullAccessWithNotificationPolicy. You can't modify the default quarantine policies named AdminOnlyAccessPolicy, De 3. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: Edit policy action that appears. -The policy wizard opens with the settings and values of the selected quarantine policy. The steps are virtually the same as described in the [Create quarantine policies in the Microsoft Defender portal](#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal) section. The main difference is: you can't rename an existing policy. +The policy wizard opens with the settings and values of the selected quarantine policy. The steps are virtually the same as described in the [Create quarantine policies in the Microsoft Defender portal](#step-1-create-quarantine-policies-in-the-microsoft-defender-portal) section. The main difference is: you can't rename an existing policy. ### Modify quarantine policies in PowerShell The available settings are the same as described for creating quarantine policie For detailed syntax and parameter information, see [Set-QuarantinePolicy](/powershell/module/exchange/set-quarantinepolicy). -<a name='remove-quarantine-policies-in-the-microsoft-365-defender-portal'></a> - ## Remove quarantine policies in the Microsoft Defender portal Notes:
security	Quarantine Quarantine Notifications	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-quarantine-notifications.md	In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E > [!NOTE] > In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). -For [supported protection features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features), _quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined. Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). +For [supported protection features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features), _quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined. Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). Quarantine notifications aren't turned on in the default quarantine notifications named AdminOnlyAccessPolicy or DefaultFullAccessPolicy. Quarantine notifications are turned on in the following default quarantine policies: - DefaultFullAccessWithNotificationPolicy that's used in [preset security policies](preset-security-policies.md). - NotificationEnabledPolicy [if your organization has it](quarantine-policies.md#full-access-permissions-and-quarantine-notifications). -Otherwise, to turn on quarantine notifications in quarantine policies, you need to [create and configure a new quarantine policy](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). +Otherwise, to turn on quarantine notifications in quarantine policies, you need to [create and configure a new quarantine policy](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). Admins can also use the global settings in quarantine policies to customize quarantine notifications in the following ways: Admins can also use the global settings in quarantine policies to customize quar - Customize the sender and logo that's used in the notification. - Notification frequency (every four hours, daily, or weekly). -For instructions, see [Configure global quarantine notification settings](quarantine-policies.md#configure-global-quarantine-notification-settings-in-the-microsoft-365-defender-portal). +For instructions, see [Configure global quarantine notification settings](quarantine-policies.md#configure-global-quarantine-notification-settings-in-the-microsoft-defender-portal). For shared mailboxes, quarantine notifications are supported only for users who are granted FullAccess permission to the mailbox. For more information, see [Use the EAC to edit shared mailbox delegation](/Exchange/collaboration-exo/shared-mailboxes#use-the-eac-to-edit-shared-mailbox-delegation).
security	Quarantine Shared Mailbox Messages	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-shared-mailbox-messages.md	Now, automapping is no longer required for users to manage quarantined messages - In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). -- _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). +- _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). - The first user to act on the quarantined message decides the fate of the message for everyone who uses the shared mailbox. For example, if a shared mailbox is accessed by 10 users, and a user decides to delete the quarantine message, the message is deleted for all 10 users. Likewise, if a user decides to release the message, it's released to the shared mailbox and is accessible by all other users of the shared mailbox.
security	Recommended Settings For Eop And Office365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md	Wherever you select Quarantine message as the action for a spam filter verdi If you _change_ the action of a spam filtering verdict to Quarantine message when you create anti-spam policies the Defender portal, the Select quarantine policy box is blank by default. A blank value means the default quarantine policy for that spam filtering verdict is used. These default quarantine policies enforce the historical capabilities for the spam filter verdict that quarantined the message as described in the table [here](quarantine-end-user.md). When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. -Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). +Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). \|Security feature name\|Default\|Standard\|Strict\|Comment\| \|\|::\|::\|::\|\| Quarantine policies define what users are able to do to quarantined messages, an Although the Apply quarantine policy value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy┬╣ is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as spoof as described in the table [here](quarantine-end-user.md). When you later view or edit the quarantine policy settings, the quarantine policy name is shown. -Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). +Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). \|Security feature name\|Default\|Standard\|Strict\|Comment\| \|\|::\|::\|::\|\| Wherever you select Quarantine the message as the action for an impersonatio Although the Apply quarantine policy value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as impersonation as described in the table [here](quarantine-end-user.md). When you later view or edit the quarantine policy settings, the quarantine policy name is shown. -Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). +Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). \|Security feature name\|Default\|Standard\|Strict\|Comment\| \|\|::\|::\|::\|\|
security	Reports Defender For Office 365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md	The rest of this article describes the reports that are exclusive to Defender fo > > Email security reports that don't require Defender for Office 365 are described in [View email security reports in the Microsoft Defender portal](reports-email-security.md). > -> For reports that have been deprecated or replaced, see the table in [Email security report changes in the Microsoft Defender portal](reports-email-security.md#email-security-report-changes-in-the-microsoft-365-defender-portal). +> For reports that have been deprecated or replaced, see the table in [Email security report changes in the Microsoft Defender portal](reports-email-security.md#email-security-report-changes-in-the-microsoft-defender-portal). > > Reports that are related to mail flow are now in the Exchange admin center (EAC). For more information about these reports, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports).
security	Reports Email Security	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md	The rest of this article describes the reports that are exclusive to Defender fo > > A link to these reports is available in the Defender portal at Reports \> Email & collaboration \> Email & collaboration reports \> Exchange mail flow reports, which takes you to <https://admin.exchange.microsoft.com/#/reports/mailflowreportsmain>. -<a name='email-security-report-changes-in-the-microsoft-365-defender-portal'></a> - ## Email security report changes in the Microsoft Defender portal The Exchange Online Protection (EOP) and Microsoft Defender for Office 365 reports in the Microsoft Defender portal that have been replaced, moved, or deprecated are described in the following table.
security	Safe Attachments For Spo Odfb Teams About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about.md	To learn more about the user experience when a file has been detected as malicio Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams appear in [reports for Microsoft Defender for Office 365](reports-defender-for-office-365.md) and in [Explorer (and real-time detections)](threat-explorer-about.md). -When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine, but only to admins. For more information, see [Manage quarantined files in Defender for Office 365](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-files-in-defender-for-office-365). +When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine, but only to admins. For more information, see [Manage quarantined files in Defender for Office 365](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-quarantined-files-in-defender-for-office-365). ## Keep these points in mind
security	Safe Attachments For Spo Odfb Teams Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure.md	You turn on or turn off Safe Attachments for Office 365 for SharePoint, OneDrive - Allow up to 30 minutes for the settings to take effect. -<a name='step-1-use-the-microsoft-365-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams'></a> - ## Step 1: Use the Microsoft Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat policies \> Safe Attachments in the Policies section. Or, to go directly to the Safe Attachments page, use <https://security.microsoft.com/safeattachmentv2>. Set-SPOTenant -DisallowInfectedFileDownload $true For detailed syntax and parameter information, see [Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant). -<a name='step-3-recommended-use-the-microsoft-365-defender-portal-to-create-an-alert-policy-for-detected-files'></a> - ## Step 3 (Recommended) Use the Microsoft Defender portal to create an alert policy for detected files You can create an alert policy that notifies admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alert policies, see [Alert policies in the Microsoft Defender portal](alert-policies-defender-portal.md).
security	Safe Attachments Policies Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md	You configure Safe Attachments policies in the Microsoft Defender portal or in E - For our recommended settings for Safe Attachments policies, see [Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings). > [!TIP] - > [Exceptions to Built-in protection for Safe Attachments](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy) or settings in custom Safe Attachments policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md). + > [Exceptions to Built-in protection for Safe Attachments](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy) or settings in custom Safe Attachments policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md). - Allow up to 30 minutes for a new or updated policy to be applied. - For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms). -<a name='use-the-microsoft-365-defender-portal-to-create-safe-attachments-policies'></a> - ## Use the Microsoft Defender portal to create Safe Attachments policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Safe Attachments in the Policies section.Or, to go directly to the Safe Attachments page, use <https://security.microsoft.com/safeattachmentv2>. You configure Safe Attachments policies in the Microsoft Defender portal or in E By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections by Safe Attachments policies. For more information about this quarantine policy, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). > [!NOTE] - > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware by Safe Attachments, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). + > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware by Safe Attachments, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). > > Users can't release their own messages that were quarantined as malware by Safe Attachments policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages. You configure Safe Attachments policies in the Microsoft Defender portal or in E Back on the Safe Attachments page, the new policy is listed. -<a name='use-the-microsoft-365-defender-portal-to-view-safe-attachments-policy-details'></a> - ## Use the Microsoft Defender portal to view Safe Attachments policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Safe Attachments in the Policies section. To go directly to the Safe Attachments page, use <https://security.microsoft.com/safeattachmentv2>. On the Safe Attachments page, the following properties are displayed in the - Name - Status: Values are On or Off.-- Priority: For more information, see the [Set the priority of Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-attachments-policies) section. +- Priority: For more information, see the [Set the priority of Safe Attachments policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-safe-attachments-policies) section. To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: Change list spacing to compact or normal, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: Compact list. Select a policy by clicking anywhere in the row other than the check box next to > [!TIP] > To see details about other Safe Attachments policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: Previous item and Next item at the top of the flyout. -<a name='use-the-microsoft-365-defender-portal-to-take-action-on-safe-attachments-policies'></a> - ## Use the Microsoft Defender portal to take action on Safe Attachments policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Safe Attachments in the Policies section. To go directly to the Safe Attachments page, use <https://security.microsoft.com/safeattachmentv2>. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Em The actions are described in the following subsections. -<a name='use-the-microsoft-365-defender-portal-to-modify-custom-safe-attachments-policies'></a> - ### Use the Microsoft Defender portal to modify custom Safe Attachments policies -After you select a custom Safe Attachments policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-create-safe-attachments-policies) section earlier in this article. +After you select a custom Safe Attachments policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Attachments policies](#use-the-microsoft-defender-portal-to-create-safe-attachments-policies) section earlier in this article. You can't modify the Safe Attachments policies named Standard Preset Security Policy, Strict Preset Security Policy, or Built-in protection (Microsoft) that are associated with [preset security policies](preset-security-policies.md) in the policy details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: View preset security policies in the details flyout to go to the Preset security policies page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies. -<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-safe-attachments-policies'></a> - ### Use the Microsoft Defender portal to enable or disable custom Safe Attachments policies You can't enable or disable the Safe Attachments policies named Standard Preset Security Policy, Strict Preset Security Policy, or Built-in protection (Microsoft) that are associated with [preset security policies](preset-security-policies.md) here. You enable or disable preset security policies on the Preset security policies page at <https://security.microsoft.com/presetSecurityPolicies>. After you select a disabled custom Safe Attachments policy (the Status value On the Safe Attachments page, the Status value of the policy is now On or Off. -<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-attachments-policies'></a> - ### Use the Microsoft Defender portal to set the priority of custom Safe Attachments policies Safe Attachments policies are processed in the order that they're displayed on the Safe Attachments page: -- The Safe Attachments policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). +- The Safe Attachments policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). - The Safe Attachments policy named Standard Preset Security Policy that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom Safe Attachments policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). When you're finished in the policy details flyout, select Close. Back on the Safe Attachments page, the order of the policy in the list matches the updated Priority value. -<a name='use-the-microsoft-365-defender-portal-to-remove-custom-safe-attachments-policies'></a> - ### Use the Microsoft Defender portal to remove custom Safe Attachments policies You can't remove the Safe Attachments policies named Standard Preset Security Policy, Strict Preset Security Policy, or Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md).
security	Safe Documents In E5 Plus Security About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about.md	To keep you protected, Safe Documents sends file information to the [Microsoft D File information sent by Safe Documents isn't retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours). -<a name='use-the-microsoft-365-defender-portal-to-configure-safe-documents'></a> - ## Use the Microsoft Defender portal to configure Safe Documents 1. In the Microsoft Defender portal, go to the Safe Attachments page at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Safe Attachments in the Policies section. Or, to go directly to the Safe Attachments page, use <https://security.microsoft.com/safeattachmentv2>.
security	Safe Links About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-about.md	For more information about the order of precedence and how multiple policies are Each Safe Links policy contains a Do not rewrite the following URLs list that you can use to specify URLs that aren't rewritten by Safe Links scanning. You can configure different lists in different Safe Links policies. Policy processing stops after the first (likely, the highest priority) policy is applied to the user. So, only one Do not rewrite the following URLs list is applied to a user who is included in multiple active Safe Links policies. -To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) or [Modify Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-365-defender-portal-to-modify-custom-safe-links-policies). +To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-defender-portal-to-create-safe-links-policies) or [Modify Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-defender-portal-to-modify-custom-safe-links-policies). Notes:
security	Safe Links Policies Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md	You configure Safe Links policies in the Microsoft Defender portal or in Exchang - For our recommended settings for Safe Links policies, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings). > [!TIP] - > [Exceptions to Built-in protection for Safe Links](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy) or settings in custom Safe Links policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md). + > [Exceptions to Built-in protection for Safe Links](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy) or settings in custom Safe Links policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md). - Allow up to 6 hours for a new or updated policy to be applied. - For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms). -<a name='use-the-microsoft-365-defender-portal-to-create-safe-links-policies'></a> - ## Use the Microsoft Defender portal to create Safe Links policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Safe Links in the Policies section. Or, to go directly to the Safe Links page, use <https://security.microsoft.com/safelinksv2>. You configure Safe Links policies in the Microsoft Defender portal or in Exchang Back on the Safe Links page, the new policy is listed. -<a name='use-the-microsoft-365-defender-portal-to-view-safe-links-policy-details'></a> - ## Use the Microsoft Defender portal to view Safe Links policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Safe Links in the Policies section. To go directly to the Safe Links page, use <https://security.microsoft.com/safelinksv2>. On the Safe Links page, the following properties are displayed in the list o - Name - Status: Values are On or Off.-- Priority: For more information, see the [Set the priority of Safe Links policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-links-policies) section. +- Priority: For more information, see the [Set the priority of Safe Links policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-safe-links-policies) section. To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: Change list spacing to compact or normal, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: Compact list. Select a policy by clicking anywhere in the row other than the check box next to > [!TIP] > To see details about other Safe Links policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: Previous item and Next item at the top of the flyout. -<a name='use-the-microsoft-365-defender-portal-to-take-action-on-safe-links-policies'></a> - ## Use the Microsoft Defender portal to take action on Safe Links policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to Email & Collaboration \> Policies & Rules \> Threat policies \> Safe Links in the Policies section. To go directly to the Safe Links page, use <https://security.microsoft.com/safealinksv2>. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Em The actions are described in the following subsections. -<a name='use-the-microsoft-365-defender-portal-to-modify-custom-safe-links-policies'></a> - ### Use the Microsoft Defender portal to modify custom Safe Links policies -After you select a custom Safe Links policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Links policies](#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) section earlier in this article. +After you select a custom Safe Links policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Links policies](#use-the-microsoft-defender-portal-to-create-safe-links-policies) section earlier in this article. You can't modify the Safe Links policies named Standard Preset Security Policy, Strict Preset Security Policy, or Built-in protection (Microsoft) that are associated with [preset security policies](preset-security-policies.md) in the policy details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: View preset security policies in the details flyout to go to the Preset security policies page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies. -<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-safe-links-policies'></a> - ### Use the Microsoft Defender portal to enable or disable custom Safe Links policies You can't enable or disable the Safe Links policies named Standard Preset Security Policy, Strict Preset Security Policy, or Built-in protection (Microsoft) that are associated with [preset security policies](preset-security-policies.md) here. You enable or disable preset security policies on the Preset security policies page at <https://security.microsoft.com/presetSecurityPolicies>. After you select a disabled custom Safe Links policy (the Status value is On the Safe Links page, the Status value of the policy is now On or Off. -<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-links-policies'></a> - ### Use the Microsoft Defender portal to set the priority of custom Safe Links policies Safe Links policies are processed in the order that they're displayed on the Safe Links page: -- The Safe Links policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). +- The Safe Links policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)). - The Safe Links policy named Standard Preset Security Policy that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom Safe Links policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). When you're finished in the policy details flyout, select Close. Back on the Safe Links page, the order of the policy in the list matches the updated Priority value. -<a name='use-the-microsoft-365-defender-portal-to-remove-custom-safe-links-policies'></a> - ### Use the Microsoft Defender portal to remove custom Safe Links policies You can't remove the Safe Links policies named Standard Preset Security Policy, Strict Preset Security Policy, or Built-in protection (Microsoft) that are associated with [preset security policies](preset-security-policies.md).
security	Secure By Default	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md	To put it another way: as a security service, we're acting on your behalf to pre You should only consider using overrides in the following scenarios: -- Phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. To prevent phishing simulation messages from being filtered, see [Configure third-party phishing simulations in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-365-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy).-- Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get unfiltered messages (both good and bad). Teams can then review to see if they contain malicious content. For more information, see [Configure SecOps mailboxes in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy). +- Phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. To prevent phishing simulation messages from being filtered, see [Configure third-party phishing simulations in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy). +- Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get unfiltered messages (both good and bad). Teams can then review to see if they contain malicious content. For more information, see [Configure SecOps mailboxes in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy). - Third-party filters: Secure by default applies only when the MX record for your domain points to Microsoft 365 (contoso.mail.protection.outlook.com). If the MX record for your domain points to another service or device, it's possible to override Secure by default with an Exchange mail flow rule to [bypass spam filtering](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl). When your MX record points to another service or device and you use a bypass spam filtering mail flow rule, messages detected as high confidence phishing by Microsoft 365 anti-spam filtering are delivered to the Inbox. - False positives: To temporarily allow certain messages that are still being blocked by Microsoft, use [admin submissions](submissions-admin.md#report-good-email-to-microsoft). By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). By default, allow entries for spoofed senders never expire.
security	Connect Microsoft Defender For Office 365 To Microsoft Sentinel	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/connect-microsoft-defender-for-office-365-to-microsoft-sentinel.md	Take advantage of rich security information events management (SIEM) combined wi - Microsoft Sentinel [Quickstart guide](/azure/sentinel/quickstart-onboard). - Sufficient permissions (Security Administrator in M365 & Read / Write permissions in Sentinel). -<a name='add-the-microsoft-365-defender-connector'></a> - ## Add the Microsoft Defender XDR Connector 1. [Login to the Azure Portal](https://portal.azure.com) and navigate to Microsoft Sentinel \> Pick the relevant workspace to integrate with Microsoft Defender XDR. 1. On the left-hand navigation menu underneath the heading Configuration \> choose Data connectors. -1. When the page loads, search for Microsoft Defender XDR and select the Microsoft Defender XDR connector. +2. When the page loads, search for Microsoft Defender XDR and select the Microsoft Defender XDR connector. 3. On the right-hand flyout, select Open Connector Page. 4. Under the Configuration section of the page that loads, select Connect incidents & alerts, leaving Turn off all Microsoft incident creation rules for these products ticked. 5. Scroll to Microsoft Defender for Office 365 in the Connect events section of the page. Select EmailEvents, EmailUrlInfo, EmailAttachmentInfo & EmailPostDeliveryEvents then Apply Changes at the bottom of the page. (Choose tables from other Defender products if helpful and applicable, during this step.)
security	Utilize Microsoft Defender For Office 365 In Sharepoint Online	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online.md	Title: Use Microsoft Defender for Office 365 in SharePoint Online -description: The steps to ensure that you can use, and get the value from, Microsoft Defender for Office 365 in SharePoint Online and OneDrive for Business +description: The steps to ensure that you can use, and get the value from, Microsoft Defender for Office 365 in SharePoint Online and OneDrive. search.product: ms.mktglfcycl: deploy Last updated 1/31/2023 # Use Microsoft Defender for Office 365 with SharePoint Online -Microsoft SharePoint Online is a widely used user collaboration and file storage tool. The following steps help reduce the attack surface area in SharePoint Online and that help keep this collaboration tool in your organization secure. However, it's important to note there is a balance to strike between security and productivity, and not all these steps may be relevant for your organizational risk profile. Take a look, test, and maintain that balance. +Microsoft SharePoint Online is a widely used user collaboration and file storage tool. The following steps help reduce the attack surface area in SharePoint Online and that help keep this collaboration tool in your organization secure. However, it's important to note there's a balance to strike between security and productivity, and not all these steps might be relevant for your organizational risk profile. Take a look, test, and maintain that balance. -## What you'll need +## What you need - Microsoft Defender for Office 365 Plan 1 - Sufficient permissions (SharePoint administrator/security administrator). - Microsoft SharePoint Online (part of Microsoft 365).-- Five to ten minutes to perform these steps. +- Five to 10 minutes to perform these steps. ## Turn on Microsoft Defender for Office 365 in SharePoint Online -If licensed for Microsoft Defender for Office 365 (free 90-day evaluation available at aka.ms/trymdo) you can ensure seamless protection from zero day malware and time of click protection within Microsoft Teams. +If you're licensed for Microsoft Defender for Office 365 (free 90-day evaluation available at aka.ms/trymdo), you can ensure seamless protection from zero day malware and time of click protection within Microsoft Teams. -To learn more, read [Step 1: Use the Microsoft Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure#step-1-use-the-microsoft-365-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams). +To learn more, read [Step 1: Use the Microsoft Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure#step-1-use-the-microsoft-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams). 1. Sign in to the [security center's safe attachments configuration page](https://security.microsoft.com/safeattachmentv2). 1. Select Global settings.
security	Submissions Admin	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md	After a few moments, the associated allow entries appear on the Domains & addr > - When an allowed domain or email address, spoofed sender, URL, or file (_entity_) is encountered again, all filters that are associated with the entity are skipped. For email messages, all other entities are still evaluated by the filtering system before making a decision. > - During mail flow, if messages from the allowed domain or email address pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message from an allowed sender email address are delivered. > - By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages from those domains or email addresses are delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire. -> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the Trusted senders and domains section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message. +> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the Trusted senders and domains section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message. > - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the Spoofed senders on the Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. ### Report good email attachments to Microsoft
security	Submissions Teams	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-teams.md	For more information about user reported message settings in the Defender portal > - The reported message remains visible to the user in the Teams client. > - Users can report the same message multiple times. > - The message sender isn't notified that messages were reported. - > - Microsoft also sends an email message notification to the user who reported the message from submissions@messaging.microsoft.com with the subject, "You have successfully reported a Teams message as a security risk." If Teams integration is turned on in the Defender portal, admins can customize some elements of the notification message in the Email notifications section on User reported settings page as described in [Customize the messages used to notify users](submissions-admin-review-user-reported-messages.md#customize-the-messages-used-to-notify-users). + > - Microsoft also sends an email message notification to the user who reported the message from `submissions@messaging.microsoft.com` with the subject, "You have successfully reported a Teams message as a security risk." If Teams integration is turned on in the Defender portal, admins can customize some elements of the notification message in the Email notifications section on User reported settings page as described in [Customize the messages used to notify users](submissions-admin-review-user-reported-messages.md#customize-the-messages-used-to-notify-users). ## What happens after a user reports a message from Teams? For more information, see [User reported settings](submissions-user-reported-mes Notes: - If you select Send the reported messages to \> My reporting mailbox only, reported messages don't go to Microsoft for analysis unless an admin manually submits the message from the User reported tab on the Submissions page at <https://security.microsoft.com/reportsubmission?viewid=user>. Reporting messages to Microsoft is an important part of training the service to help improve the accuracy of filtering (reduce false positives and false negatives). That's why we use Send the reported messages to \> Microsoft and my reporting mailbox as the default.-- Regardless of the Send the reported messages to setting, metadata from the reported Teams message (for example, senders, recipients, reported by, and message details) is available on the User reported tab on the Submissions page.-- Regardless of the Send the reported messages to setting, the alert policy named Teams message reported by user as a security risk generates an alert when a user reports a message in Teams by default. For more information, see [Manage alerts](/purview/alert-policies#manage-alerts). +- Regardless of the Send the reported messages to setting, the following actions occur when a user reports a Teams message: + - Metadata from the reported Teams message (for example, senders, recipients, reported by, and message details) is available on the User reported tab on the Submissions page. + - The alert policy named Teams message reported by user as a security risk generates an alert by default. For more information, see [Manage alerts](/purview/alert-policies#manage-alerts). To view the corresponding alert for a user reported message in Teams, go to the User reported tab on the Submission page, and then double-click the message to open the submission flyout. Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: More options and then select View alert.
security	Submissions User Reported Messages Custom Mailbox	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md	Delivering user reported messages to a reporting mailbox instead of directly to Before you get started, you need to use the following steps to configure Exchange Online Protection and Defender for Office 365 so user reported messages are delivered to the reporting mailbox without being filtered: -- Identify the reporting mailbox as a SecOps mailbox. For instructions, see [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy). +- Identify the reporting mailbox as a SecOps mailbox. For instructions, see [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy). > [!NOTE] > This step is especially important if you use [Attack simulation training](attack-simulation-training-get-started.md) or a third-party product to do phishing simulations. If you don't configure the reporting mailbox as a SecOps mailbox, a user reported message might trigger a training assignment by the phishing simulation product. After you verify that the reporting mailbox meets all of these requirements, use - [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell) - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) ([until October 2023](https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-client-access-rules-in-exchange-online/ba-p/3638563)) -<a name='use-the-microsoft-365-defender-portal-to-configure-user-reported-settings'></a> - ## Use the Microsoft Defender portal to configure user reported settings In the Microsoft Defender portal at <https://security.microsoft.com>, go to Settings \> Email & collaboration \> User reported settings tab. To go directly to the User reported settings page, use <https://security.microsoft.com/securitysettings/userSubmission>.
security	Submissions Users Report Message Add In Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure.md	Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use 2. In the Upload custom apps flyout that opens, select I have a URL for the manifest file. -4. In the Add from URL dialog that opens, enter one of the following URLs: +3. In the Add from URL dialog that opens, enter one of the following URLs: - Report Message: <https://ipagave.azurewebsites.net/ReportMessageManifest/ReportMessageAzure.xml> - Report Phishing: <https://ipagave.azurewebsites.net/ReportPhishingManifest/ReportPhishingAzure.xml> When you're finished, select Install. In the success dialog, select OK. -5. Back on the Add-ins page, select the add-in you installed, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: Edit. +4. Back on the Add-ins page, select the add-in you installed, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: Edit. -6. In the add-in properties dialog that opens, confirm or modify the following settings: +5. In the add-in properties dialog that opens, confirm or modify the following settings: - Make this add-in available to users in your organization. - Specify user defaults: Select one of the following settings: - Optional, enabled by default. Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use When you're finished, select Save. -7. To fully configure user reported message settings, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md). +6. To fully configure user reported message settings, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md). ### View and edit settings for the Report Message or Report Phishing add-ins
security	Tenant Allow Block List About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-about.md	The following list describes what happens in the Tenant Allow/Block List when yo - Email: If a message was blocked by the EOP or Defender for Office 365 filtering stack, an allow entry might be created in the Tenant Allow/Block List: - If the message was blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md), an allow entry for the sender is created, and the entry appears on the Spoofed senders tab in the Tenant Allow/Block List. - - If the message was blocked by [user (or graph) impersonation protection in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), an allow entry isn't created in the Tenant Allow/Block List. Instead, the domain or sender is added to the Trusted senders and domains section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message. + - If the message was blocked by [user (or graph) impersonation protection in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), an allow entry isn't created in the Tenant Allow/Block List. Instead, the domain or sender is added to the Trusted senders and domains section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message. - If the message was blocked due to file-based filers, an allow entry for the file is created, and the entry appears on the Files tab in the Tenant Allow/Block List. - If the message was blocked due to URL-based filters, an allow entry for the URL is created, and the entry appears on the URL tab in the Tenant Allow/Block List. - If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the Domains & addresses tab in the Tenant Allow/Block List.
security	Tenant Allow Block List Email Spoof Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure.md	Email from these blocked senders is marked as high confidence phishing and qua > > Users in the organization also can't send email to these blocked domains and addresses. The message is returned in the following non-delivery report (also known as an NDR or bounce message): `550 5.7.703 Your message can't be delivered because messages to XXX, YYY are blocked by your organization using Tenant Allow Block List.` The entire message is blocked for all internal and external recipients of the message, even if only one recipient email address or domain is defined in a block entry. -<a name='use-the-microsoft-365-defender-portal-to-create-block-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list'></a> - #### Use the Microsoft Defender portal to create block entries for domains and email addresses in the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Rules section \> Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>. New-TenantAllowBlockListItems -ListType Sender -Block -Entries "test@badattacker For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems). -<a name='use-the-microsoft-365-defender-portal-to-view-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list'></a> - ### Use the Microsoft Defender portal to view entries for domains and email addresses in the Tenant Allow/Block List In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Tenant Allow/Block Lists in the Rules section. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>. Get-TenantAllowBlockListItems -ListType Sender -Block For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems). -<a name='use-the-microsoft-365-defender-portal-to-modify-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list'></a> - ### Use the Microsoft Defender portal to modify entries for domains and email addresses in the Tenant Allow/Block List In existing domain and email address entries, you can change the expiration date and note. Set-TenantAllowBlockListItems -ListType Sender -Entries "julia@fabrikam.com" -Ex For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems). -<a name='use-the-microsoft-365-defender-portal-to-remove-entries-for-domains-and-email-addresses-from-the-tenant-allowblock-list'></a> - ### Use the Microsoft Defender portal to remove entries for domains and email addresses from the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Rules section \> Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>. To create allow entries for spoofed senders, use any of the following methods: > > Allow entries for spoofed senders never expire. -<a name='use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list'></a> - #### Use the Microsoft Defender portal to create allow entries for spoofed senders in the Tenant Allow/Block List In the Tenant Allow/Block List, you can create allow entries for spoofed senders before they're detected and blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md). To create block entries for spoofed senders, use any of the following methods: > > Block entries for spoofed senders never expire. -<a name='use-the-microsoft-365-defender-portal-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list'></a> - #### Use the Microsoft Defender portal to create block entries for spoofed senders in the Tenant Allow/Block List -The steps are nearly identical to [creating allow entries for spoofed senders](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) as previously described in this article. +The steps are nearly identical to [creating allow entries for spoofed senders](#use-the-microsoft-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) as previously described in this article. The only difference is: for the Action value in Step 4, select Block instead of Allow. New-TenantAllowBlockListSpoofItems -Identity Default -Action Block -SendingInfra For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems). -<a name='use-the-microsoft-365-defender-portal-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list'></a> - ### Use the Microsoft Defender portal to view entries for spoofed senders in the Tenant Allow/Block List In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Tenant Allow/Block Lists in the Rules section. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>. Verify the Spoofed senders tab is selected. On the Spoofed senders tab, you can sort the entries by clicking on an available column header. The following columns are available: - - Spoofed user - - Sending infrastructure - - Spoof type: The available values are Internal or External. - - Action: The available values are Block or Allow. +- Spoofed user +- Sending infrastructure +- Spoof type: The available values are Internal or External. +- Action: The available values are Block or Allow. To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: Filter. The following filters are available in the Filter flyout that opens: Get-TenantAllowBlockListSpoofItems -Action Block -SpoofType External For detailed syntax and parameter information, see [Get-TenantAllowBlockListSpoofItems](/powershell/module/exchange/get-tenantallowblocklistspoofitems). -<a name='use-the-microsoft-365-defender-portal-to-modify-entries-for-spoofed-senders-in-the-tenant-allowblock-list'></a> - ### Use the Microsoft Defender portal to modify entries for spoofed senders in the Tenant Allow/Block List When you modify an allow or block entry for spoofed senders in the Tenant Allow/Block list, you can only change the entry from Allow to Block, or vice-versa. Set-TenantAllowBlockListItems -Identity Default -Ids 3429424b-781a-53c3-17f9-c0b For detailed syntax and parameter information, see [Set-TenantAllowBlockListSpoofItems](/powershell/module/exchange/set-tenantallowblocklistspoofitems). -<a name='use-the-microsoft-365-defender-portal-to-remove-entries-for-spoofed-senders-from-the-tenant-allowblock-list'></a> - ### Use the Microsoft Defender portal to remove entries for spoofed senders from the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Rules section \> Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>. You can't create allow entries in the Tenant Allow/Block List for messages that Submitting a message that was incorrectly blocked as impersonation on the Emails tab of the Submissions page at <https://security.microsoft.com/reportsubmission?viewid=email> doesn't add the sender or domain as an allow entry in the Tenant Allow/Block List. -Instead, the domain or sender is added to the Trusted senders and domains section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message. +Instead, the domain or sender is added to the Trusted senders and domains section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message. For submission instructions for impersonation false positives, see [Report good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
security	Tenant Allow Block List Files Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure.md	To create block entries for files, use either of the following methods: - From the Files tab on the Tenant Allow/Block Lists page or in PowerShell as described in this section. -<a name='use-the-microsoft-365-defender-portal-to-create-block-entries-for-files-in-the-tenant-allowblock-list'></a> - ### Use the Microsoft Defender portal to create block entries for files in the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Rules section \> Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>. New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695e For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems). -<a name='use-the-microsoft-365-defender-portal-to-view-entries-for-files-in-the-tenant-allowblock-list'></a> - ## Use the Microsoft Defender portal to view entries for files in the Tenant Allow/Block List In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Tenant Allow/Block Lists in the Rules section. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>. Select the Files tab. On the Files tab, you can sort the entries by clicking on an available column header. The following columns are available: - - Value: The file hash. - - Action: The available values are Allow or Block. - - Modified by - - Last updated - - Remove on: The expiration date. - - Notes +- Value: The file hash. +- Action: The available values are Allow or Block. +- Modified by +- Last updated +- Remove on: The expiration date. +- Notes To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: Filter. The following filters are available in the Filter flyout that opens: Get-TenantAllowBlockListItems -ListType FileHash -Block For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems). -<a name='use-the-microsoft-365-defender-portal-to-modify-entries-for-files-in-the-tenant-allowblock-list'></a> - ## Use the Microsoft Defender portal to modify entries for files in the Tenant Allow/Block List In existing file entries, you can change the expiration date and note. Set-TenantAllowBlockListItems -ListType FileHash -Entries "27c5973b2451db9deeb01 For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems). -<a name='use-the-microsoft-365-defender-portal-to-remove-entries-for-files-from-the-tenant-allowblock-list'></a> - ## Use the Microsoft Defender portal to remove entries for files from the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Rules section \> Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>.
security	Tenant Allow Block List Urls Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure.md	You have the following options to create block entries for URLs: - From the URLs tab on the Tenant Allow/Block Lists page or in PowerShell as described in this section. -<a name='use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list'></a> - ### Use the Microsoft Defender portal to create block entries for URLs in the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Rules section \> Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block List page, use <https://security.microsoft.com/tenantAllowBlockList>. New-TenantAllowBlockListItems -ListType Url -Block -Entries contoso.com For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems). -<a name='use-the-microsoft-365-defender-portal-to-view-entries-for-urls-in-the-tenant-allowblock-list'></a> - ## Use the Microsoft Defender portal to view entries for URLs in the Tenant Allow/Block List In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules* \> Threat Policies \> Tenant Allow/Block Lists in the Rules section. Or, to go directly to the Tenant Allow/Block Lists page, use <https://security.microsoft.com/tenantAllowBlockList>. Get-TenantAllowBlockListItems -ListType Url -Block For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems). -<a name='use-the-microsoft-365-defender-portal-to-modify-entries-for-urls-in-the-tenant-allowblock-list'></a> - ## Use the Microsoft Defender portal to modify entries for URLs in the Tenant Allow/Block List In existing URL entries, you can change the expiration date and note. Set-TenantAllowBlockListItems -ListType Url -Entries "~contoso.com" -ExpirationD For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems). -<a name='use-the-microsoft-365-defender-portal-to-remove-entries-for-urls-from-the-tenant-allowblock-list'></a> - ## Use the Microsoft Defender portal to remove entries for URLs from the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Policies & rules \> Threat Policies \> Rules section \> Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block List page, use <https://security.microsoft.com/tenantAllowBlockList>.
security	Tenant Wide Setup For Increased Security	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md	Specifics are up to your business. This article walks you through the manual configuration of tenant-wide settings that affect the security of your Microsoft 365 environment. Use these recommendations as a starting point. -<a name='tune-eop-and-defender-for-office-365-protection-policies-in-the-microsoft-365-defender-portal'></a> - ## Tune EOP and Defender for Office 365 protection policies in the Microsoft Defender portal The Microsoft Defender portal has capabilities for both protection and reporting. It has dashboards you can use to monitor and take action when threats arise. We recommend turning on and using the Standard and/or Strict preset security pol Custom policies are required if the business needs of your organization require policy settings that are different than or aren't defined in preset security policies. Or, if your organization requires a different user experience for quarantined messages (including notifications). For more information, see [Determine your protection policy strategy](mdo-deployment-guide.md#determine-your-protection-policy-strategy). -<a name='view-dashboards-and-reports-in-the-microsoft-365-defender-portal'></a> - ## View dashboards and reports in the Microsoft Defender portal In the Defender portal at <https://security.microsoft.com> select Reports. Or, to go directly to the Reports page, use <https://security.microsoft.com/securityreports>. To support the goals for baseline protection, configure tenant-wide sharing poli SharePoint admin center and OneDrive for Business admin center include the same settings. The settings in either admin center apply to both. -<a name='configure-settings-in-azure-active-directory'></a> - ## Configure settings in Microsoft Entra ID Be sure to visit these two areas in Microsoft Entra ID to complete tenant-wide setup for more secure environments.
security	Trial User Guide Defender For Office 365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365.md	Defender for Office 365 enables you to investigate activities that put people in See the bigger picture with Campaign Views in Defender for Office 365, which gives you a view of the attack campaigns targeting your organization and the impact they have on your users. - [Identify campaigns](campaigns.md#what-is-a-campaign) targeting your users.-- [Visualize the scope](campaigns.md#campaigns-page-in-the-microsoft-365-defender-portal) of the attack. +- [Visualize the scope](campaigns.md#campaigns-page-in-the-microsoft-defender-portal) of the attack. - [Track user interaction](campaigns.md#campaign-details) with these messages. :::image type="content" source="../../medio-trial-playbook-campaign-details.png":::
security	Try Microsoft Defender For Office 365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md	What's the difference between an evaluation and a trial of Defender for Office 3 Your only option is to set up an evaluation of Defender for Office 365 on the Microsoft Defender for Office 365 evaluation page at <https://security.microsoft.com/atpEvaluation>. Furthermore, the evaluation is automatically set up in Audit mode (evaluation policies). - Later, you can _convert_ to blocking mode (Standard preset security policy) using the [Convert to standard action on the Microsoft Defender for Office 365 evaluation page](#convert-to-standard-protection) or by [turning off the evaluation on the Microsoft Defender for Office 365 evaluation page](#manage-evaluation-settings) and then [configuring the Standard preset security policy](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). + Later, you can _convert_ to blocking mode (Standard preset security policy) using the [Convert to standard action on the Microsoft Defender for Office 365 evaluation page](#convert-to-standard-protection) or by [turning off the evaluation on the Microsoft Defender for Office 365 evaluation page](#manage-evaluation-settings) and then [configuring the Standard preset security policy](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). By definition, organizations with Defender for Office 365 Plan 2 don't require additional licenses to evaluate Defender for Office 365 Plan 2, so evaluations in these organizations are unlimited in duration. In the Manage MDO evaluation settings flyout that opens, the following infor - Custom domains for domain impersonation protection. - Trusted senders and domains to exclude from impersonation protection. - The steps are essentially the same as described in the Impersonation section in Step 5 at [Use the Microsoft Defender portal to create anti-phishing policies](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies). + The steps are essentially the same as described in the Impersonation section in Step 5 at [Use the Microsoft Defender portal to create anti-phishing policies](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-create-anti-phishing-policies). - If impersonation protection is configured in the anti-phishing evaluation policy, this section shows the impersonation protection settings for: - User impersonation protection For your evaluation or trial, you can switch from audit mode (evaluation pol After you select Convert to standard protection, read the information in the dialog that opens, and then select Continue. -You're taken to the Apply standard protection wizard on the Preset security policies page. The list of recipients that are included and excluded from the evaluation or trial are copied into the Standard preset security policy. For more information, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). +You're taken to the Apply standard protection wizard on the Preset security policies page. The list of recipients that are included and excluded from the evaluation or trial are copied into the Standard preset security policy. For more information, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). - The security policies in the Standard preset security policy have a higher priority than the evaluation policies, which means the policies in the Standard preset security are always applied before the evaluation policies, even if both are present and turned on. - There's no automatic way to go from blocking mode to audit mode. The manual steps are: The following permissions are required in [Microsoft Entra ID](/microsoft-365/ad - Create, modify or delete an evaluation or trial: Membership in the Security Administrator or Global Administrator roles. - View evaluation policies and reports in audit mode: Membership in the Security Administrator or Security Reader roles. -For more information about Microsoft Entra permissions in the Microsoft Defender portal, see [Microsoft Entra roles in the Microsoft Defender portal](mdo-portal-permissions.md#azure-ad-roles-in-the-microsoft-365-defender-portal) +For more information about Microsoft Entra permissions in the Microsoft Defender portal, see [Microsoft Entra roles in the Microsoft Defender portal](mdo-portal-permissions.md#microsoft-entra-roles-in-the-microsoft-defender-portal) ## Frequently asked questions
security	User Tags About	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md	To see how user tags are part of the strategy to help protect high-impact user a - For information about securing _privileged accounts_ (admin accounts), see [this article](/purview/privileged-access-management). -<a name='use-the-microsoft-365-defender-portal-to-create-user-tags'></a> - ## Use the Microsoft Defender portal to create user tags 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Settings \> Email & collaboration \> User tags. Or, to go directly to the User tags page, use <https://security.microsoft.com/securitysettings/userTags>. To see how user tags are part of the strategy to help protect high-impact user a Back on the User tags page, the new tag is listed. -<a name='use-the-microsoft-365-defender-portal-to-view-user-tags'></a> - ## Use the Microsoft Defender portal to view user tags In the Microsoft Defender portal at <https://security.microsoft.com>, go to Settings \> Email & collaboration \> User tags. Or, to go directly to the User tags page, use <https://security.microsoft.com/securitysettings/userTags>. On the User tags page, you can sort the entries by clicking on an available column header. The following columns are available: - - Tag: The name of the user tag. - - Applied to: The number of members - - Last modified - - Created on +- Tag: The name of the user tag. +- Applied to: The number of members +- Last modified +- Created on Use :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: Filter to filter the user tags by Last modified date. The details flyout of the user tag contains the following information, based on To take action on user tags, see the next section. -<a name='use-the-microsoft-365-defender-portal-to-take-action-on-user-tags'></a> - ## Use the Microsoft Defender portal to take action on user tags 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to Settings \> Email & collaboration \> User tags. Or, to go directly to the User tags page, use <https://security.microsoft.com/securitysettings/userTags>. To take action on user tags, see the next section. After you select the user tag, the available actions are described in the following subsections. -<a name='use-the-microsoft-365-defender-portal-to-modify-user-tags'></a> - ### Use the Microsoft Defender portal to modify user tags After you select the user tag, use either of the following methods to modify it: After you select the user tag, use either of the following methods to modify it: - On the User tags page: Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: Edit action that appears. - In the details flyout of the selected user tag: Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: Edit action at the top of the flyout. -The same wizard and most of the same settings are available as described in the [Use the Microsoft Defender portal to create user tags](#use-the-microsoft-365-defender-portal-to-create-user-tags) section earlier in this article, with the following exceptions: +The same wizard and most of the same settings are available as described in the [Use the Microsoft Defender portal to create user tags](#use-the-microsoft-defender-portal-to-create-user-tags) section earlier in this article, with the following exceptions: - You can't rename or change the description of the Priority account tag, so the Define tag page isn't available for the Priority account tag. - The Define tag page is available for custom tags, but you can't rename the tag; you can only change the description. -<a name='use-the-microsoft-365-defender-portal-to-remove-user-tags'></a> - ## Use the Microsoft Defender portal to remove user tags You can't remove the built-in Priority account tag.
security	Zero Hour Auto Purge	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md	For messages that are identified as malware, ZAP for Teams protection blocks and ### How to see if ZAP blocked a Teams message -Currently, only admins can view and manage messages that were quarantined by ZAP for Teams protection. For more information, see [Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages). +Currently, only admins can view and manage messages that were quarantined by ZAP for Teams protection. For more information, see [Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages). ## Zero-hour auto purge (ZAP) FAQ
security	Zero Trust Identity Device Access Policies Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview.md	Microsoft 365 for enterprise is designed for large organizations to empower ever This section provides an overview of the Microsoft 365 services and capabilities that are important for Zero Trust identity and device access. -<a name='azure-ad'></a> - ### Microsoft Entra ID Microsoft Entra ID provides a full suite of identity management capabilities. We recommend using these capabilities to secure access.
security	Top Security Tasks For Remote Work	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/top-security-tasks-for-remote-work.md	All Microsoft 365 plans with cloud mailboxes include Exchange Online Protection Default settings for these EOP features are automatically assigned to all recipients via default policies. But, to bump up the EOP protection level to Microsoft's recommended Standard or Strict security settings based on observations in the datacenters, turn on and assign the Standard preset security policy (for most users) and/or the Strict preset security policy (for admins and other high-risk users). As new protection capabilities are added and as the security landscape changes, the EOP settings in preset security policies are automatically updated to our recommended settings. -For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). +For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). The differences between Standard and Strict are summarized in the table [here](office-365-security/preset-security-policies.md#policy-settings-in-preset-security-policies). The comprehensive settings for Standard and Strict EOP settings are described in the tables [here](office-365-security/recommended-settings-for-eop-and-office365.md#anti-spam-anti-malware-and-anti-phishing-protection-in-eop). Microsoft Defender for Office 365 (included with Microsoft 365 E5 and Office 365 For an overview of Defender for Office 365, including a summary of plans, see [Defender for Office 365](./office-365-security/defender-for-office-365.md). -The [Built-in protection preset security policy](office-365-security/preset-security-policies.md#profiles-in-preset-security-policies) gives Safe Links and Safe Attachments protection to all recipients by default, but you can [specify exceptions](office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy). +The [Built-in protection preset security policy](office-365-security/preset-security-policies.md#profiles-in-preset-security-policies) gives Safe Links and Safe Attachments protection to all recipients by default, but you can [specify exceptions](office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy). As in the previous section, to bump up the Defender for Office 365 protection level to Microsoft's recommended Standard or Strict security settings based on observations in the datacenters, turn on and assign the Standard preset security policy (for most users) and/or the Strict preset security policy (for admins and other high-risk users). As new protection capabilities are added and as the security landscape changes, the Defender for Office 365 settings in preset security policies are automatically updated to our recommended settings. The users that you select for Defender for Office 365 protection in preset security policies get Microsoft's recommended Standard or Strict security settings for Safe Attachments and Safe Links. You also need to add entries and optional exceptions for [user impersonation and domain impersonation protection](office-365-security/anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). -For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). +For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). The differences between Defender for Office 365 protection settings in Standard and Strict are summarized in the table [here](office-365-security/preset-security-policies.md#policy-settings-in-preset-security-policies). The comprehensive settings for Standard and Strict Defender for Office 365 protection settings are described in the tables [here](office-365-security/recommended-settings-for-eop-and-office365.md#microsoft-defender-for-office-365-security).
syntex	Backup Pricing	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/backup/backup-pricing.md	description: Learn about the charge model and pricing calculator for Microsoft 3 ## Microsoft 365 Backup charge model -The Microsoft 365 Backup service, offered through the Microsoft 365 admin center, is a [pay-as-you-go consumption-based service](../syntex-pay-as-you-go-services.md). The preview list price is $0.15/GB/mo of protected content. The size of protected content is equal to the cumulative size of the mailboxes being protected plus the size of the SharePoint sites and OneDrive accounts being protected (that is, the size of the live OneDrive accounts and SharePoint sites as display in the live sitesΓÇÖ usage reports) plus the size of any deleted/versioned content held for restore during the protection period. +The Microsoft 365 Backup service, offered through the Microsoft 365 admin center, is a [pay-as-you-go consumption-based service](../syntex-pay-as-you-go-services.md). The preview list price is $0.15/GB/month of protected content. + +### WhatΓÇÖs counted towards protected backup storage? + +Microsoft 365 Backup will charge you for content size of the following for 365 days from when it is added to backup protection: + +- Cumulative back up size of the mailboxes, SharePoint sites, and OneDrive accounts being protected. Size of OneDrive accounts and SharePoint sites are the size of the live OneDrive accounts and SharePoint sites as displayed in the live sitesΓÇÖ usage reports. Mailboxes are the size of the user's mailbox plus their online archives plus deleted items held for Backup. + +- Deleted content in userΓÇÖs Recycle Bin and second-stage Recycle Bin (also known as Site Collection Recycle Bin). + +> [!NOTE] +> Restore points or size of restores will not be charged. As an example, if you have a site under protection that is currently 1 GB for the first month, you'll be charged 1 GB of Backup usage. If you delete content in that site such that it's now only 0.5 GB, your next monthly bill will still be for 1 GB since the backup tool is retaining that deleted content for a year. After a year when the backup of that deleted content expires, the 0.5 GB being retained for backup purposes will no long be charged for Backup. > [!NOTE] -> These prices are subject to change when the product becomes generally available. A partner application integrated with Microsoft 365 Backup Storage might charge a different rate for their service. +> These prices are subject to change when the product becomes generally available. A partner application integrated with Microsoft 365 Backup storage might charge a different rate for their service. <!<Include charge model video >>
syntex	Backup Setup	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/backup/backup-setup.md	audience: admin Previously updated : 01/17/2024 Last updated : 03/06/2024 description: Learn how to set up and configure Microsoft 365 Backup and backup p > [!NOTE] > Microsoft 365 Backup (Preview) is now available worldwide in all commercial cloud environments. This preview feature is subject to change and [limitations as defined](backup-limitations.md). Before you begin, read the [Microsoft 365 Backup preview terms and conditions](backup-preview-terms.md). -Get started with Microsoft 365 Backup by following the simple three steps in the Microsoft 365 admin center. +Get started with Microsoft 365 Backup by following these simple three steps in the Microsoft 365 admin center. ![Diagram showing the three-step setup process for Microsoft 365 Backup.](../../media/content-understanding/backup-setup-diagram.png) <!<insert how-to Affirma video ΓÇô https://aka.ms/M365Backup-how-to-video> > -## Prerequisites - -### Set up pay-as-you-go billing +## Step 1: Set up pay-as-you-go billing As a first step to sign up for Microsoft 365 Backup, you should first link an Azure subscription in [Syntex pay-as-you-go](https://admin.microsoft.com/Adminportal/Home#/featureexplorer/csi/ContentUnderstanding), if you haven't already done so. Although Microsoft 365 Backup isn't part of the Syntex product suite, this offering is still using the Syntex billing setup for consistency with other Microsoft 365 pay-as-you-go offerings. To set up pay-as-you-go billing, follow the steps in [Configure Microsoft Syntex You must have Global admin or SharePoint admin permissions to access the Microsoft 365 admin center and set up Microsoft 365 Backup. -### Enable Microsoft 365 Backup +## Step 2: Turn on Microsoft 365 Backup To enable Microsoft 365 Backup, you'll need to go to the Microsoft 365 admin center. To enable Microsoft 365 Backup, you'll need to go to the Microsoft 365 admin cen 7. Review the applicable [terms of service for Microsoft 365 Backup](backup-preview-terms.md) and select Confirm. ![Screenshot of the Turn on Backup panel and the Confirm button.](../../media/content-understanding/backup-setup-turn-on.png)- +<! 8. Select Go to Microsoft 365 Backup to start setting up Microsoft 365 Backup on OneDrive, SharePoint, or Exchange. ![Screenshot of the Microsoft 365 Backup page showing SharePoint, Exchange, and OneDrive.](../../media/content-understanding/backup-setup-backup-page.png) +> -## Admin roles and backup management privileges +## Step 3: Create backup policies to protect your data -Only tenant-level admins can create and manage backups using Microsoft 365 Backup for their users. End users don't have the ability to enable backup or restores for their user account, distribution lists, mailboxes, or sites. ItΓÇÖs important to note that your admin role determines which products you can manage with Microsoft 365 Backup. In the future, we might introduce a Backup admin role that can control the entire tool. +Now that you have enabled Microsoft 365 Backup for your organization, follow through to create policies and start protecting your content. -\|Admin role \|OneDrive \|SharePoint \|Exchange \| -\|\|\|\|\| -\|Global admin \| Γ£ô \| Γ£ô \| Γ£ô \| -\|SharePoint admin \| Γ£ô \| Γ£ô \| \| -\|Exchange admin \| \| \| Γ£ô \| - -## Glossary --- Protection units ΓÇô SharePoint sites, OneDrive accounts, or Exchange Online mailboxes backed up by the Microsoft 365 Backup tool. +1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home). -- Restore point ΓÇô A prior point in time from which you can restore a version of your content and metadata. If the protection unit from a prior point in time is identical to the present state of your data, then a restore from that point will have no impact on your current data. +2. Select Settings. -- RPO ΓÇô Recovery point objective, or how close in time the most recent restore point is to an impacting event. +3. Select Microsoft 365 Backup from the list of products. -- RTO ΓÇô Recovery time objective, or how fast a restore to a prior point in time can complete. + ![Screenshot of the Microsoft 365 admin center panel showing Settings and Microsoft 365 Backup.](../../media/content-understanding/backup-setup-admin-center-panel.png) -## Set up backup policies for OneDrive, SharePoint, and Exchange +### Set up backup policies for OneDrive, SharePoint, and Exchange To use Microsoft 365 Backup for OneDrive, SharePoint, or Exchange, you need to create a backup policy for each product. A policy represents the backup plan defined by admins for protecting the Microsoft 365 data of an organization. Follow these steps to set up a backup policy for SharePoint sites using Microsof # [Exchange](#tab/exchange) -Follow these steps to set up a backup policy for Exchange mailboxes sites using Microsoft 365 Backup. Ensure that Microsoft 365 Backup is [enabled for your tenant](#enable-microsoft-365-backup). +Follow these steps to set up a backup policy for Exchange mailboxes sites using Microsoft 365 Backup. Ensure that Microsoft 365 Backup is [enabled for your tenant](#turn-on-microsoft-365-backup). 1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home). Follow these steps to set up a backup policy for Exchange mailboxes sites using ![Screenshot of the Exchange backup policy created page.](../../media/content-understanding/backup-policy-created-exchange.png) + +## Admin roles and backup management privileges + +Only tenant-level admins can create and manage backups using Microsoft 365 Backup for their users. End users don't have the ability to enable backup or restores for their user account, distribution lists, mailboxes, or sites. ItΓÇÖs important to note that your admin role determines which products you can manage with Microsoft 365 Backup. In the future, we might introduce a Backup admin role that can control the entire tool. + +\|Admin role \|OneDrive \|SharePoint \|Exchange \| +\|\|\|\|\| +\|Global admin \| Γ£ô \| Γ£ô \| Γ£ô \| +\|SharePoint admin \| Γ£ô \| Γ£ô \| \| +\|Exchange admin \| \| \| Γ£ô \| + +## Glossary + +- Protection units ΓÇô SharePoint sites, OneDrive accounts, or Exchange Online mailboxes backed up by the Microsoft 365 Backup tool. + +- Restore point ΓÇô A prior point in time from which you can restore a version of your content and metadata. If the protection unit from a prior point in time is identical to the present state of your data, then a restore from that point will have no impact on your current data. + +- RPO ΓÇô Recovery point objective, or how close in time the most recent restore point is to an impacting event. + +- RTO ΓÇô Recovery time objective, or how fast a restore to a prior point in time can complete.