Updates from: 02/07/2024 06:08:26
Category Microsoft Docs article Related commit history on GitHub Change details
business-premium M365bp Protect Against Malware Cyberthreats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-against-malware-cyberthreats.md
To assign preset security policies, follow these steps:
> [!TIP] > To learn more about assigning preset security policies, see the following articles: >
-> - [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](../security/office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)
+> - [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](../security/office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)
> - [Recommended settings for email and collaboration content](../security/office-365-security/recommended-settings-for-eop-and-office365.md) (Microsoft 365 Business Premium includes Exchange Online Protection and Microsoft Defender for Office 365 Plan 1) ## 2. Turn on Microsoft Defender for Business
frontline Browser Join https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/browser-join.md
- highpri - m365initiative-meetings - m365-virtual-appointments -+ description: Learn about the join experience for Teams Virtual Appointments on browsers. appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 02/01/2023 Last updated : 02/06/2024 # Manage the join experience for Teams Virtual Appointments on browsers
Currently, browser join is available for appointments that are scheduled through
## Set up browser join
-### Appointments scheduled through the Virtual Appointments app or the Bookings app
+### Appointments scheduled through the Virtual Appointments app
Schedulers in your organization can turn on this feature for specific appointment types and for scheduled individual appointments.
After this feature is turned on, the confirmation email or SMS text thatΓÇÖs sen
#### Turn on browser join for an appointment type
-1. Do one of the following:
- 1. In the Virtual Appointments app, go to the **Manage** tab > **Appointment types**, and then under **Scheduled**, select an appointment type.
- 1. In the Bookings app, go to **Settings** > **Appointment types**, and then under **Scheduled**, select an appointment type.
+1. In the Virtual Appointments app, go to the **Manage** tab > **Services**, and then under **Scheduled**, select an appointment type.
+ 1. Turn on **Have attendees join from a web browser**. Doing this enables browser join for all appointments of this type. :::image type="content" source="media/browser-join-appointment-type.png" alt-text="Screenshot of the Have attendees join from a browser setting for appointment types." lightbox="media/browser-join-appointment-type.png"::: #### Turn on browser join for an individual appointment
-On the **Bookings schedule** tab of the Virtual Appointments app or in the Bookings app, select **New booking**, and then turn on **Have attendees join from a browser**.
+On the **Schedule** tab of the Virtual Appointments app, select **New appointment**, and then turn on **Have attendees join from a browser**.
:::image type="content" source="media/browser-join-bookings-form.png" alt-text="Screenshot of the Have attendees join from a browser setting on the new booking form." lightbox="media/browser-join-bookings-form.png":::
frontline Ehr Admin Epic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-admin-epic.md
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers-+ description: Learn how to integrate the Teams EHR connector to enable healthcare providers in your organization to conduct virtual appointments with patients or other providers in Teams directly from the Epic EHR system. Last updated 03/30/2023
frontline Ehr Admin Oracle Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-admin-oracle-health.md
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers-+ description: Learn how to integrate the Teams EHR connector to enable healthcare providers in your organization to conduct virtual appointments with patients or other providers in Teams directly from the Oracle Health EHR system. Last updated 03/30/2023
frontline Ehr Connector Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-connector-report.md
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers-+ description: Learn how to use the Teams EHR connector Virtual Appointments report in the Microsoft Teams admin center to get an overview of EHR-integrated virtual appointment usage in your organization. Last updated 12/16/2022
frontline Ehr Connector Troubleshoot Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-connector-troubleshoot-setup-configuration.md
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers-+ description: Use this guidance to help you troubleshoot common setup and configuration issues for the Teams Electronic Health Record (EHR) connector. Last updated 04/21/2023
frontline Virtual Appointments App https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-app.md
- m365initiative-meetings - m365-virtual-appointments - teams-1p-app-admin -+ description: Get an overview of how to use the Virtual Appointments app in Teams to schedule, manage, conduct and view analytics on virtual appointments in your organization. appliesto: - Microsoft Teams
frontline Virtual Appointments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments.md
Title: Virtual Appointments with Microsoft Teams
-+ audience: admin
lti Browser Cookies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/browser-cookies.md
Previously updated : 08/28/2023 Last updated : 02/06/2024 audience: admin
- tier2 - ContentEnagagementFY24 ms.localizationpriority: medium
-description: Learn how to allow cookies for LMS URLs in Edge, Chrome, and Firefox, and Safari browsers.
+description: Learn how to allow cookies for LMS (Learning Management System) URLs in Edge, Chrome, and Firefox, and Safari browsers.
# Allow cookies for LMS URLs in your browser
-Third-party browser cookies are needed to complete the LTI 1.3 handshake according to IMS Global standards. Therefore, when launching the LTI tool from a Learning Management System (LMS), the browser setting must allow third-party cookies for the LMS URL.
+Learning Management Systems (LMS) need third-party browser cookies to complete the LTI 1.3 handshake, according to IMS Global standards. This means your browser settings need to allow third-party cookies for the LMS URL when you're launching an LTI tool.
For more information on Microsoft's LTI capabilities, see [Integrating Microsoft products with your Learning Management System](index.md).
Here are the steps to allow the cookies in your browser.
1. Turn on **Allow sites to save and read cookie data (recommended)**. 1. Make sure **Block third-party cookies** is turned off.
-If you must keep third-party cookies blocked:
+If you need to keep third-party cookies blocked:
1. In the Edge **Settings** window, select **Cookies and site permissions** > **Cookies and data stored** > **Manage and delete cookies and site data**. 1. Under **Allow**, select **Add** to add the domain URL of the LMS platform.
- 1. For example, if the LMS platform is hosted at `https://contoso.com`, then that URL must be added under **Allow**.
+ 1. For example, if the LMS platform is hosted at `https://contoso.com`, then that URL needs to be added in the **Allow** section.
![Screenshot of Microsoft Edge cookie settings page](media/edge-cookies.png)
If you must keep third-party cookies blocked:
1. In the Chrome **Settings** window, select the **Privacy and security** tab and then **Third-party cookies**. 1. Select the option for **Allow third-party cookies**.
-If you must keep third-party cookies blocked:
+If you need to keep third-party cookies blocked:
1. Under **Customized behaviors**, select **Add**. 1. Add the domain URL of the LMS platform.
- 1. For instance, if the LMS platform is hosted at `https://contoso.com`, then that URL must be used.
+ 1. For instance, if the LMS platform is hosted at `https://contoso.com`, then that URL needs to be used.
![Screenshot of Google Chrome cookie settings page](media/chrome-cookies.png)
If you must keep third-party cookies blocked:
1. In the Firefox **Settings** window, select the **Privacy & Security** tab. 1. Under **Cookies and Site Data**, select **Manage Exceptions**. 1. In the **Address of website** text box, enter the URL of the LMS platform.
- 1. For instance, if the LMS platform is hosted at `https://contoso.com`, then that URL must be used.
+ 1. For instance, if the LMS platform is hosted at `https://contoso.com`, then that URL needs to be used.
1. Select **Allow** to allow cookies for the website. 1. Select **Save Changes**.
If you must keep third-party cookies blocked:
## Allow cookies for LMS URLs in Safari
-1. Select **Preferences** > **Privacy**.
-1. Clear the **Prevent cross-site tracking** checkbox.
+1. In *Settings* you select the Safari app.
+1. Go to the **Privacy & Security** section.
+1. Turn off the option for **Prevent cross-site tracking**.
> [!NOTE]
-> In you can't change the settings yourself because your browser is managed by your organization, reach out to your IT department.
-
+> If you can't change the settings yourself because your browser is managed by your organization, reach out to your IT department to let them know what you need.
security Defender Endpoint Demonstration Block At First Sight Bafs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-block-at-first-sight-bafs.md
- Title: Microsoft Defender for Endpoint Block at First Sight (BAFS) demonstration
-description: A demonstration that shows how Block at First Sight detects and blocks new malware within seconds.
-keywords: Microsoft Defender for Endpoint, cloud-delivered protection, detect malware, block malware, demonstration
-search.product: eADQiWindows 10XVcnh
-
-ms.sitesec: library
-ms.pagetype: security
------ m365-security-- tier2-- demo-- Previously updated : 10/21/2022--
-# Block at First Sight (BAFS) demonstration
-
-**Applies to:**
--- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)-- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)-
-Block at First Sight, is a feature of Microsoft Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. You can test that it is working as expected by downloading a fake malware file.
-
-## Scenario requirements and setup
--- Windows 11, Windows 10 Anniversary update (1607) or later-- Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2 with the new unified Defender for Endpoint client. --- Cloud protection is enabled-- You can [download and use the Powershell script](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/) to enable this setting and others-
- > [!NOTE]
- > You should see your browser ask to save this file in a few seconds.
-
-### Test BAFS
-
-Follow the instructions in [Block at first sight demo](https://demo.wd.microsoft.com/Page/BAFS).
---
-## See also
-
-[Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
-
-[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
Here are the properties you can use when you create the group and policy.
### Settings
-> [!NOTE]
-> Both Android (portableDevice) and iOS (appleDevice) are in public preview and not in general availability at the moment.
- | Property name | Description | Options | |:|:|:| | features | Feature specific configurations | You can set `disable` to false or true for following features: <br/>- `removableMedia`<br/>- `appleDevice`<br/>- `portableDevice`, including camera or PTP media<br/>- `bluetoothDevice`<br/><br/>The default is `true`, so if you don't configure this value, it will not apply even if you create a custom policy for `removableMedia`, because it's disabled by default. |
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release.
> [!NOTE] > Microsoft Defender for Endpoint no longer supports these macOS as Apple ended support for: > - Big Sur (11) in December 2023.
-> - Catalina (10.15) in December 2022.
+
+### Jan-2024 (Build: 101.23122.0005 | Release version: 20.123122.5.0)
+
+| Build: | **101.23122.0005** |
+|--|--|
+| Release version: | **20.123122.5.0** |
+| Engine version: | **1.1.23100.2010** |
+| Signature version: | **1.403.3022.0** |
+
+##### What's new
+
+- [[device control](mac-device-control-overview.md)] Fixes for Bluetooth devices support
+- Bug and performance fixes
### Dec-2023 (Build: 101.23102.0020 | Release version: 20.123102.20.0) | Build: | **101.23102.0020** |
-|--|-|
+|--|--|
| Release version: | **20.123102.20.0** | | Engine version: | **1.1.23090.2005** | | Signature version: | **1.401.1729.0** |
security Defender Vulnerability Management Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-faq.md
Microsoft Defender Vulnerability Management is available via two
2. For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers looking for a risk-based vulnerability management solution, Microsoft Defender Vulnerability Management Standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. To sign up for the free 90-day trial, see [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone).
+### Do I need to assign Defender Vulnerability Management licenses to users in my organization as instructed in the admin center?
+
+Currently, there's no need to assign the new Defender Vulnerability Management license to users. Licenses will be applied automatically after a customer signs up for the free trial.
+ ### Is Defender Vulnerability Management available as part of Defender for Endpoint Plan 2? If the customer has Defender for Endpoint Plan 2 they have the core vulnerability management capabilities. Defender Vulnerability Management is a separate solution from Defender for Endpoint (not included in Defender for Endpoint Plan 2) and is available as an add-on.
For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 custo
Once a customer is onboarded on to the free-trial experience, Defender Vulnerability Management features are turned on by default at the tenant level for all users within the organization.
-### Do I need to assign Defender Vulnerability Management trial licenses to users in my organization as instructed in the admin center?
-
-Currently, there's no need to assign the new Defender Vulnerability Management license to users. Licenses will be applied automatically after a customer signs up for the free trial.
- ### If a customer is in public preview, what will happen to their premium capabilities if I don't sign up for a free trial? The new capabilities will be available only to customers who onboard a trial. Customers who haven't onboarded will lose access to these capabilities. Blocked applications will be immediately unblocked. Security baseline profiles may be stored for a short additional time before being deleted.
security Eval Defender Office 365 Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md
For example, an EOP condition for pilot evaluations could be applied if the reci
Likewise, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are *members* of a defined *Defender for Office 365 Standard Protection* group and then managed by adding / removing accounts via the group.
-For complete instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](../office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+For complete instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](../office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
### Configure custom protection policies
security Advanced Delivery Policy Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-delivery-policy-configure.md
Messages that are identified by the advanced delivery policy aren't security thr
- **View-Only Organization Management** in Exchange Online RBAC. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
-<a name='use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy'></a>
- ## Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section. Or, to go directly to the **Advanced delivery** page, use <https://security.microsoft.com/advanceddelivery>.
Back on the **SecOps mailbox** tab, the SecOps mailbox entries that you configur
- The **Email** column contains the email address for each entry. - To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-<a name='use-the-microsoft-365-defender-portal-to-modify-or-remove-secops-mailboxes-in-the-advanced-delivery-policy'></a>
- ## Use the Microsoft Defender portal to modify or remove SecOps mailboxes in the advanced delivery policy 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section. Or, to go directly to the **Advanced delivery** page, use <https://security.microsoft.com/advanceddelivery>.
Back on the **SecOps mailbox** tab, the SecOps mailbox entries that you configur
2. On the **SecOps mailbox** tab, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
-3. In **Edit SecOps mailboxes** flyout that opens, add or remove mailboxes as described in Step 3 in the [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section.
+3. In **Edit SecOps mailboxes** flyout that opens, add or remove mailboxes as described in Step 3 in the [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section.
To remove all mailboxes, select remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to each value until there are no more mailboxes selected.
Back on the **SecOps mailbox** tab, the SecOps mailbox entries that you configur
Back on the **SecOps mailbox** tab, the SecOps mailbox entries that you configured are displayed. If you removed all entries, the list is empty.
-<a name='use-the-microsoft-365-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy'></a>
- ## Use the Microsoft Defender portal to configure third-party phishing simulations in the advanced delivery policy To configure a third-party phishing simulation, you need to provide the following information:
Back on the **Phishing simulation** tab, the third-party phishing simulation ent
- The **Date** column shows when the entry was created. - To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-<a name='use-the-microsoft-365-defender-portal-to-modify-or-remove-third-party-phishing-simulations-in-the-advanced-delivery-policy'></a>
- ## Use the Microsoft Defender portal to modify or remove third-party phishing simulations in the advanced delivery policy 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section. Or, to go directly to the **Advanced delivery** page, use <https://security.microsoft.com/advanceddelivery>.
Back on the **Phishing simulation** tab, the third-party phishing simulation ent
2. On the **Phishing simulation** tab, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
-3. In the **Edit third-party phishing simulation** flyout that opens, add or remove entries for **Domain**, **Sending IP**, and **Simulation URLs** as described in Step 3 in the [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section.
+3. In the **Edit third-party phishing simulation** flyout that opens, add or remove entries for **Domain**, **Sending IP**, and **Simulation URLs** as described in Step 3 in the [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section.
To remove all entries, select remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to each value until there are no more domains, IPs, or URLs selected.
security Anti Malware Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-policies-configure.md
You can configure anti-malware policies in the Microsoft Defender portal or in P
> [!TIP] > Settings in the default or custom anti-malware policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-<a name='use-the-microsoft-365-defender-portal-to-create-anti-malware-policies'></a>
- ## Use the Microsoft Defender portal to create anti-malware policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
You can configure anti-malware policies in the Microsoft Defender portal or in P
- **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined as malware. By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections. For more information about this quarantine policy, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). > [!TIP]
- > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+ > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
> > Users can't release their own messages that were quarantined as malware by anti-malware policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages.
You can configure anti-malware policies in the Microsoft Defender portal or in P
Back on the **Anti-malware** page, the new policy is listed.
-<a name='use-the-microsoft-365-defender-portal-to-view-anti-malware-policy-details'></a>
- ## Use the Microsoft Defender portal to view anti-malware policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. Or, to go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
On the **Anti-malware** page, the following properties are displayed in the list
- **Status**: Values are: - **Always on** for the default anti-malware policy. - **On** or **Off** for other anti-malware policies.-- **Priority**: For more information, see the [Set the priority of custom anti-malware policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-malware-policies) section.
+- **Priority**: For more information, see the [Set the priority of custom anti-malware policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-anti-malware-policies) section.
To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
Select a policy by clicking anywhere in the row other than the check box next to
> [!TIP] > To see details about other anti-malware policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-<a name='use-the-microsoft-365-defender-portal-to-take-action-on-anti-malware-policies'></a>
- ## Use the Microsoft Defender portal to take action on anti-malware policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Em
The actions are described in the following subsections.
-<a name='use-the-microsoft-365-defender-portal-to-modify-anti-malware-policies'></a>
- ### Use the Microsoft Defender portal to modify anti-malware policies
-After you select the default anti-malware policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-malware policies](#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies) section earlier in this article.
+After you select the default anti-malware policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-malware policies](#use-the-microsoft-defender-portal-to-create-anti-malware-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy. For the anti-malware policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
-<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-anti-malware-policies'></a>
- ### Use the Microsoft Defender portal to enable or disable custom anti-malware policies You can't disable the default anti-malware policy (it's always enabled).
After you select a disabled custom anti-malware policy (the **Status** value is
On the **Anti-malware** page, the **Status** value of the policy is now **On** or **Off**.
-<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-malware-policies'></a>
- ### Use the Microsoft Defender portal to set the priority of custom anti-malware policies Anti-malware policies are processed in the order that they're displayed on the **Anti-malware** page: -- The anti-malware policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The anti-malware policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
- The anti-malware policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom anti-malware policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest).
When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-malware** page, the order of the policy in the list matches the updated **Priority** value.
-<a name='use-the-microsoft-365-defender-portal-to-remove-custom-anti-malware-policies'></a>
- ### Use the Microsoft Defender portal to remove custom anti-malware policies You can't remove the default anti-malware policy or the anti-malware policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md).
security Anti Malware Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection-about.md
Anti-malware policies control the configurable settings and notification options
### Recipient filters in anti-malware policies
-In custom anti-malware policies and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions:
+In custom anti-malware policies and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions:
- **Users** - **Groups**
These settings aren't configured in the default anti-malware policy by default,
### Priority of anti-malware policies
-If they're [turned on](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), the Standard and Strict preset security policies are applied before any custom anti-malware policies or the default policy (Strict is always first). If you create multiple custom anti-malware policies, you can specify the order that they're applied. Policy processing stops after the first policy is applied (the highest priority policy for that recipient).
+If they're [turned on](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), the Standard and Strict preset security policies are applied before any custom anti-malware policies or the default policy (Strict is always first). If you create multiple custom anti-malware policies, you can specify the order that they're applied. Policy processing stops after the first policy is applied (the highest priority policy for that recipient).
For more information about the order of precedence and how multiple policies are evaluated, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md) and [Order of precedence for preset security policies and other policies](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies).
security Anti Phishing Mdo Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-mdo-impersonation-insight.md
Admins can use the impersonation insight in the Microsoft Defender portal to qui
- **Global Reader** - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Security Reader**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection isn't enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md) and [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection isn't enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md) and [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
- For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms).
-<a name='open-the-impersonation-insight-in-the-microsoft-365-defender-portal'></a>
- ## Open the impersonation insight in the Microsoft Defender portal In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Or, to go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
security Anti Phishing Policies Eop Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure.md
For anti-phishing policy procedures in organizations with Microsoft Defender for
- Allow up to 30 minutes for a new or updated policy to be applied.
-<a name='use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies'></a>
- ## Use the Microsoft Defender portal to create anti-phishing policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
For anti-phishing policy procedures in organizations with Microsoft Defender for
Back on the **Anti-phishing** page, the new policy is listed.
-<a name='use-the-microsoft-365-defender-portal-to-view-anti-phishing-policy-details'></a>
- ## Use the Microsoft Defender portal to view anti-phishing policy details In the Microsoft Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Or, to go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
On the **Anti-phishing** page, the following properties are displayed in the lis
- **Status**: Values are: - **Always on** for the default anti-phishing policy. - **On** or **Off** for other anti-spam policies.-- **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section.
+- **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section.
To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
Select a policy by clicking anywhere in the row other than the check box next to
> [!TIP] > To see details about other anti-phishing policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-<a name='use-the-microsoft-365-defender-portal-to-take-action-on-anti-phishing-policies'></a>
- ## Use the Microsoft Defender portal to take action on anti-phishing policies 1. In the Microsoft Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Or, to go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
Select a policy by clicking anywhere in the row other than the check box next to
The actions are described in the following subsections.
-<a name='use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies'></a>
- ### Use the Microsoft Defender portal to modify anti-phishing policies
-After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
+After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy. For the anti-phishing policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
-<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-anti-phishing-policies'></a>
- ### Use the Microsoft Defender portal to enable or disable custom anti-phishing policies You can't disable the default anti-phishing policy (it's always enabled).
After you select a disabled custom anti-phishing policy (the **Status** value is
On the **Anti-phishing** page, the **Status** value of the policy is now **On** or **Off**.
-<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies'></a>
- ### Use the Microsoft Defender portal to set the priority of custom anti-phishing policies Anti-phishing policies are processed in the order that they're displayed on the **Anti-phishing** page: -- The anti-phishing policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The anti-phishing policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
- The anti-phishing policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom anti-phishing policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest).
When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-phishing** page, the order of the policy in the list matches the updated **Priority** value.
-<a name='use-the-microsoft-365-defender-portal-to-remove-custom-anti-phishing-policies'></a>
- ### Use the Microsoft Defender portal to remove custom anti-phishing policies You can't remove the default anti-phishing policy or the anti-phishing policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md).
security Anti Phishing Policies Mdo Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure.md
For anti-phishing policy procedures in organizations without Defender for Office
- Allow up to 30 minutes for a new or updated policy to be applied.
-<a name='use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies'></a>
- ## Use the Microsoft Defender portal to create anti-phishing policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
For anti-phishing policy procedures in organizations without Defender for Office
Back on the **Anti-phishing** page, the new policy is listed.
-<a name='use-the-microsoft-365-defender-portal-to-view-anti-phishing-policy-details'></a>
- ## Use the Microsoft Defender portal to view anti-phishing policy details In the Microsoft Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Or, to go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
On the **Anti-phishing** page, the following properties are displayed in the lis
- **Status**: Values are: - **Always on** for the default anti-phishing policy. - **On** or **Off** for other anti-spam policies.-- **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section.
+- **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section.
To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the policies by **Time range** (creation date) or **Status**.
Select a policy by clicking anywhere in the row other than the check box next to
> [!TIP] > To see details about other anti-phishing policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-<a name='use-the-microsoft-365-defender-portal-to-take-action-on-anti-phishing-policies'></a>
- ## Use the Microsoft Defender portal to take action on anti-phishing policies 1. In the Microsoft Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Or, to go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
Select a policy by clicking anywhere in the row other than the check box next to
The actions are described in the following subsections.
-<a name='use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies'></a>
- ### Use the Microsoft Defender portal to modify anti-phishing policies
-After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
+After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy. For the anti-phishing policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
-<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-anti-phishing-policies'></a>
- ### Use the Microsoft Defender portal to enable or disable custom anti-phishing policies You can't disable the default anti-phishing policy (it's always enabled).
After you select a disabled custom anti-phishing policy (the **Status** value is
On the **Anti-phishing** page, the **Status** value of the policy is now **On** or **Off**.
-<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies'></a>
- ### Use the Microsoft Defender portal to set the priority of custom anti-phishing policies Anti-phishing policies are processed in the order that they're displayed on the **Anti-phishing** page: -- The anti-phishing policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The anti-phishing policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
- The anti-phishing policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom anti-phishing policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest).
When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-phishing** page, the order of the policy in the list matches the updated **Priority** value.
-<a name='use-the-microsoft-365-defender-portal-to-remove-custom-anti-phishing-policies'></a>
- ### Use the Microsoft Defender portal to remove custom anti-phishing policies You can't remove the default anti-phishing policy or the anti-phishing policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md).
security Anti Phishing Protection Tuning https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-tuning.md
You can also use the [configuration analyzer](configuration-analyzer-for-securit
- For messages that end up in quarantine by mistake (false positives), or for messages that are allowed through (false negatives), we recommend that you search for those messages in [Threat Explorer and real-time detections](threat-explorer-about.md). You can search by sender, recipient, or message ID. After you locate the message, go to details by clicking on the subject. For a quarantined message, look to see what the "detection technology" was so that you can use the appropriate method to override. For an allowed message, look to see which policy allowed the message. -- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as _phishing_ in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), [entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list), and the [Spoof detections report](reports-email-security.md#spoof-detections-report). After you review allowed and blocked spoofed senders and make any necessary overrides, you can confidently [configure spoof intelligence in anti-phishing policies](anti-phishing-policies-about.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder.
+- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as _phishing_ in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), [entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-defender-portal-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list), and the [Spoof detections report](reports-email-security.md#spoof-detections-report). After you review allowed and blocked spoofed senders and make any necessary overrides, you can confidently [configure spoof intelligence in anti-phishing policies](anti-phishing-policies-about.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder.
- In Defender for Office 365, you can also use the **Impersonation insight** page at <https://security.microsoft.com/impersonationinsight> to track user impersonation or domain impersonation detections. For more information, see [Impersonation insight in Defender for Office 365](anti-phishing-mdo-impersonation-insight.md).
security Anti Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md
You can configure anti-spam policies in the Microsoft Defender portal or in Powe
- End-user spam notifications in anti-spam policies are replaced by _quarantine notifications_ in quarantine policies. Quarantine notifications contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts). For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
-<a name='use-the-microsoft-365-defender-portal-to-create-anti-spam-policies'></a>
- ## Use the Microsoft Defender portal to create anti-spam policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
You can configure anti-spam policies in the Microsoft Defender portal or in Powe
Back on the **Anti-spam policies** page, the new policy is listed.
-<a name='use-the-microsoft-365-defender-portal-to-view-anti-spam-policy-details'></a>
- ## Use the Microsoft Defender portal to view anti-spam policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
On the **Anti-spam policies** page, the following properties are displayed in th
- **Status**: Values are: - **Always on** for the default anti-spam policy (for example, **Anti-spam inbound policy (Default)**). - **On** or **Off** for other anti-spam policies.-- **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-spam-policies) section.
+- **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-anti-spam-policies) section.
- **Type**: One of the following values for anti-spam policies: - **Protection templates** for anti-spam policies that are associated with the Standard and Strict [preset security policies](preset-security-policies.md). - **Custom anti-spam policy**
Select an anti-spam policy by clicking anywhere in the row other than the check
> [!TIP] > To see details about other anti-spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-<a name='use-the-microsoft-365-defender-portal-to-take-action-on-anti-spam-policies'></a>
- ## Use the Microsoft Defender portal to take action on anti-spam policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
On the **Anti-spam policies** page, select the anti-spam policy from the list by
The actions are described in the following subsections.
-<a name='use-the-microsoft-365-defender-portal-to-modify-anti-spam-policies'></a>
- ### Use the Microsoft Defender portal to modify anti-spam policies
-After you select the default anti-spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article.
+After you select the default anti-spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-spam policies](#use-the-microsoft-defender-portal-to-create-anti-spam-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy. For the anti-spam policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
-<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-anti-spam-policies'></a>
- ### Use the Microsoft Defender portal to enable or disable anti-spam policies You can't disable the default anti-spam policy (it's always enabled).
When you're finished in the policy details flyout, select **Close**.
On the **Anti-spam policies** page, the **Status** value of the policy is now **On** or **Off**.
-<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-spam-policies'></a>
- ### Use the Microsoft Defender portal to set the priority of custom anti-spam policies Anti-spam policies are processed in the order that they're displayed on the **Anti-spam policies** page: -- The anti-spam policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The anti-spam policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
- The anti-spam policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom anti-spam policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest).
When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-spam policies** page, the order of the policy in the list matches the updated **Priority** value.
-<a name='use-the-microsoft-365-defender-portal-to-remove-custom-anti-spam-policies'></a>
- ### Use the Microsoft Defender portal to remove custom anti-spam policies You can't remove the default anti-spam policy or the anti-spam policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md).
In Exchange Online PowerShell, the difference between spam filter policies and s
- In PowerShell, you modify the settings in the spam filter policy and the spam filter rule separately. - When you remove a spam filter policy from PowerShell, the corresponding spam filter rule isn't automatically removed, and vice versa.
-A significant setting that's available only in PowerShell is the _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting are explained in the [Create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article.
+A significant setting that's available only in PowerShell is the _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting are explained in the [Create anti-spam policies](#use-the-microsoft-defender-portal-to-create-anti-spam-policies) section earlier in this article.
### Use PowerShell to create anti-spam policies
Creating an anti-spam policy in PowerShell is a two-step process:
2. Create the spam filter rule that specifies the spam filter policy that the rule applies to. > [!NOTE]
-> - You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy.
>
+> - You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy.
> - You can configure the following settings on new spam filter policies in PowerShell that aren't available in the Microsoft Defender portal until after you create the policy:
->
-> - Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedContentFilterRule** cmdlet).
->
-> - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedContentFilterRule** cmdlet).
->
+> - Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedContentFilterRule** cmdlet).
+> - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedContentFilterRule** cmdlet).
> - A new spam filter policy that you create in PowerShell isn't visible in the Microsoft Defender portal until you assign the policy to a spam filter rule. #### Step 1: Use PowerShell to create a spam filter policy
security Anti Spam Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection-about.md
Anti-spam policies control the configurable settings for spam filtering. The imp
### Recipient filters in anti-spam policies
-In [custom anti-spam policies](anti-spam-policies-configure.md) and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions:
+In [custom anti-spam policies](anti-spam-policies-configure.md) and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions:
- **Users** - **Groups**
The functionality of these lists has been largely replaced by:
### Priority of anti-spam policies
-If they're [turned on](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), the Standard and Strict preset security policies are applied before any custom anti-spam policies or the default policy (Strict is always first). If you create multiple custom anti-spam policies, you can specify the order that they're applied. Policy processing stops after the first policy is applied (the highest priority policy for that recipient).
+If they're [turned on](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), the Standard and Strict preset security policies are applied before any custom anti-spam policies or the default policy (Strict is always first). If you create multiple custom anti-spam policies, you can specify the order that they're applied. Policy processing stops after the first policy is applied (the highest priority policy for that recipient).
For more information about the order of precedence and how multiple policies are evaluated, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md) and [Order of precedence for preset security policies and other policies](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies).
security Anti Spoofing Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence.md
The rest of this article explains how to use the spoof intelligence insight in t
- For our recommended settings for spoof intelligence, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).
-<a name='find-the-spoof-intelligence-insight-in-the-microsoft-365-defender-portal'></a>
- ## Find the spoof intelligence insight in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
security Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md
A campaign might be short-lived, or could span several days, weeks, or months wi
- **Security Reader** - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
-<a name='campaigns-page-in-the-microsoft-365-defender-portal'></a>
- ## Campaigns page in the Microsoft Defender portal To open the **Campaigns** page in the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Campaigns**. Or, to go directly to the **Campaigns** page, use <https://security.microsoft.com/campaigns>.
security Configuration Analyzer For Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md
The configuration analyzer also checks the following non-policy settings:
- [Exchange Online permissions](/Exchange/permissions-exo/permissions-exo): Membership in the **View-Only Organization Management** role group gives read-only access to the configuration analyzer. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
-<a name='use-the-configuration-analyzer-in-the-microsoft-365-defender-portal'></a>
- ## Use the configuration analyzer in the Microsoft Defender portal In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Configuration analyzer** in the **Templated policies** section. To go directly to the **Configuration analyzer** page, use <https://security.microsoft.com/configurationAnalyzer>.
security Connection Filter Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connection-filter-policies-configure.md
This article describes how to configure the default connection filter policy in
- The IP Allow List and the IP Block List each support a maximum of 1273 entries, where an entry is a single IP address, an IP address range, or a Classless InterDomain Routing (CIDR) IP.
-<a name='use-the-microsoft-365-defender-portal-to-modify-the-default-connection-filter-policy'></a>
- ## Use the Microsoft Defender portal to modify the default connection filter policy 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
This article describes how to configure the default connection filter policy in
4. Back on the policy details flyout, select **Close**.
-<a name='use-the-microsoft-365-defender-portal-to-view-the-default-connection-filter-policy'></a>
- ## Use the Microsoft Defender portal to view the default connection filter policy In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
security Connectors Remove Blocked https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-remove-blocked.md
For more information about compromised _user accounts_ and how to remove them fr
- Before you follow the procedures in this article to remove a connector from the **Restricted entities** page, be sure to follow the required steps to regain control of the connector as described in [Respond to a compromised connector](connectors-detect-respond-to-compromise.md).
-<a name='remove-a-connector-from-the-restricted-entities-page-in-the-microsoft-365-defender-portal'></a>
- ## Remove a connector from the Restricted entities page in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Restricted entities**. Or, to go directly to the **Restricted entities** page, use <https://security.microsoft.com/restrictedentities>.
security Detect And Remediate Illicit Consent Grants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md
If you have one or more instances of the IOCs listed above, you need to do furth
You can do this for your users with either the Microsoft Entra admin center, or PowerShell or have your users individually enumerate their application access.
-<a name='steps-for-using-the-azure-active-directory-portal'></a>
- ### Steps for using the Microsoft Entra admin center You can look up the applications to which any individual user has granted permissions by using the Microsoft Entra admin center at <https://portal.azure.com>.
security Email Authentication Dkim Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dkim-configure.md
This article lists the steps to use DomainKeys Identified Mail (DKIM) with Micro
In this article: - [How DKIM works better than SPF alone to prevent malicious spoofing](#how-dkim-works-better-than-spf-alone-to-prevent-malicious-spoofing)-- [Steps to Create, enable and disable DKIM from Microsoft Defender portal](#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal)
+- [Steps to Create, enable and disable DKIM from Microsoft Defender portal](#steps-to-create-enable-and-disable-dkim-from-microsoft-defender-portal)
- [Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys](#steps-to-manually-upgrade-your-1024-bit-keys-to-2048-bit-dkim-encryption-keys) - [Steps to manually set up DKIM using PowerShell](#steps-to-manually-set-up-dkim-using-powershell) - [Error: No DKIM keys saved for this domain](#error-no-dkim-keys-saved-for-this-domain)
In this example, if you had only published an SPF TXT record for your domain, th
> [!TIP] > DKIM uses a private key to insert an encrypted signature into the message headers. The signing domain, or outbound domain, is inserted as the value of the **d=** field in the header. The verifying domain, or recipient's domain, then uses the **d=** field to look up the public key from DNS, and authenticate the message. If the message is verified, the DKIM check passes.
-<a name='steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal'></a>
- ## Steps to Create, enable and disable DKIM from Microsoft Defender portal All the accepted domains of your tenant will be shown in the Microsoft Defender portal under the DKIM page. If you do not see it, add your accepted domain from [domains page](/microsoft-365/admin/setup/add-domain#add-a-domain).
security Mdo About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-about.md
For email threats that are identified after the fact, Zero-hour autopurge (ZAP)
Defender for Office 365 safeguards organizations against malicious threats by providing admins and SecOps teams a wide range of capabilities. Users, admins, and SecOps personnel benefit from these features from the beginning of the organization. For example: -- **[Preset security policies can configure everything for you](preset-security-policies.md)**: The protection policies included in Standard and Strict preset security policies contain our recommended settings. All you need to do is decide who gets the protection (by user, group, domain, or all recipients) and specify the entries and optional exceptions for user and domain impersonation protection. For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+- **[Preset security policies can configure everything for you](preset-security-policies.md)**: The protection policies included in Standard and Strict preset security policies contain our recommended settings. All you need to do is decide who gets the protection (by user, group, domain, or all recipients) and specify the entries and optional exceptions for user and domain impersonation protection. For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
- **[Threat protection policies](#defender-for-office-365-protection-policies)**: Define threat-protection policies so admins can set the right level of protection for the organization.
Anti-phishing policies with spoofing and impersonation protection are included i
[Safe Attachments](safe-attachments-about.md) provides zero-day protection for email by checking message attachments for malicious content *in addition to* the regular malware scanning in EOP. Safe Attachments opens all attachments in virtual environment to see what happens (a process known as _detonation_). If no suspicious activity is detected, the message is delivered to the mailbox.
-Safe Attachments protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions.
+Safe Attachments protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions.
Safe Attachments policies are also included in the Standard and Strict preset security policies, and you can create custom policies as needed.
Safe Attachments policies are also included in the Standard and Strict preset se
[Safe Links](safe-links-about.md) provides time-of-click verification of URLs in email messages, supported Office files, and Microsoft Teams. Protection is ongoing and applies across your messaging and Office environment. Links are scanned for each click. Benign links remain accessible, but malicious links are dynamically blocked.
-Safe Links protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions.
+Safe Links protection is on by default for all recipients thanks to the [Built-in protection preset security policy](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy), but you can specify exceptions.
Safe Links policies are also included in the Standard and Strict preset security policies, and you can create custom policies as needed.
security Mdo Portal Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-portal-permissions.md
Defender for Office 365 permissions in the Microsoft Defender portal includes de
:::image type="content" source="../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png" alt-text="The relationship of a role group to its roles and members" lightbox="../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png":::
-<a name='roles-and-role-groups-in-the-microsoft-365-defender-portal'></a>
- ## Roles and role groups in the Microsoft Defender portal On the **Permissions** page in the Defender portal at <https://security.microsoft.com/securitypermissions>, the following types of roles and role groups are available:
On the **Permissions** page in the Defender portal at <https://security.microsof
:::image type="content" source="../../media/m365-sc-permissions-and-roles-page.png" alt-text="The Permissions & roles page in the Microsoft Defender portal" lightbox="../../media/m365-sc-permissions-and-roles-page.png":::
-<a name='azure-ad-roles-in-the-microsoft-365-defender-portal'></a>
-
-<a name='microsoft-entra-roles-in-the-microsoft-365-defender-portal'></a>
- ### Microsoft Entra roles in the Microsoft Defender portal Microsoft Entra roles that are described in this section are available in the [Defender portal](https://security.microsoft.com) \> **Permissions** \> **Microsoft Entra ID** \> **Roles** or directly at <https://security.microsoft.com/aadpermissions>.
For more information, see [View and assign administrator roles in Microsoft Entr
|**Attack Simulation Administrator**|Create and manage all aspects of [attack simulation](attack-simulation-training-simulations.md) creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see [Attack Simulation Administrator](/azure/active-directory/roles/permissions-reference#attack-simulation-administrator).| |**Attack Payload Author**|Create attack payloads but not actually launch or schedule them. For more information, see [Attack Payload Author](/azure/active-directory/roles/permissions-reference#attack-payload-author).|
-<a name='email--collaboration-roles-in-the-microsoft-365-defender-portal'></a>
- ### Email & collaboration roles in the Microsoft Defender portal The same role groups and roles are available in the Defender portal and in the Purview compliance portal:
For complete information about these role groups, see [Roles and role groups in
The following actions are available for Email & collaboration role groups in the Defender portal: -- [Create role groups](#create-email--collaboration-role-groups-in-the-microsoft-365-defender-portal)-- [Copy role groups](#copy-email--collaboration-role-groups-in-the-microsoft-365-defender-portal)-- [Modify role group membership](#modify-email--collaboration-role-group-membership-in-the-microsoft-365-defender-portal)-- [Modify role assignments](#modify-email--collaboration-role-group-role-assignments-in-the-microsoft-365-defender-portal) (custom role groups only)-- [Remove role groups](#remove-email--collaboration-role-groups-in-the-microsoft-365-defender-portal) (custom role groups only)-
-<a name='create-email--collaboration-role-groups-in-the-microsoft-365-defender-portal'></a>
+- [Create role groups](#create-email--collaboration-role-groups-in-the-microsoft-defender-portal)
+- [Copy role groups](#copy-email--collaboration-role-groups-in-the-microsoft-defender-portal)
+- [Modify role group membership](#modify-email--collaboration-role-group-membership-in-the-microsoft-defender-portal)
+- [Modify role assignments](#modify-email--collaboration-role-group-role-assignments-in-the-microsoft-defender-portal) (custom role groups only)
+- [Remove role groups](#remove-email--collaboration-role-groups-in-the-microsoft-defender-portal) (custom role groups only)
#### Create Email & collaboration role groups in the Microsoft Defender portal
The following actions are available for Email & collaboration role groups in the
Back on the **Permissions** page, the new role group is listed.
-<a name='copy-email--collaboration-role-groups-in-the-microsoft-365-defender-portal'></a>
- #### Copy Email & collaboration role groups in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Permissions** \> **Email & collaboration roles** \> **Roles**. Or, to go directly to the **Permissions** page, use <https://security.microsoft.com/emailandcollabpermissions>.
Back on the **Permissions** page, the new role group is listed.
3. In the role group details flyout that opens, select **Copy role group** at the top of the flyout.
-The new role group wizard opens as previously described for [creating a new role group](#create-email--collaboration-role-groups-in-the-microsoft-365-defender-portal).
+The new role group wizard opens as previously described for [creating a new role group](#create-email--collaboration-role-groups-in-the-microsoft-defender-portal).
The default name of the new role group is **Copy of \<original role group name\>**, but you can change it. The roles and members are populated with the values from the role you're copying, but you can change them.
-<a name='modify-email--collaboration-role-group-membership-in-the-microsoft-365-defender-portal'></a>
- #### Modify Email & collaboration role group membership in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Permissions** \> **Email & collaboration roles** \> **Roles**. Or, to go directly to the **Permissions** page, use <https://security.microsoft.com/emailandcollabpermissions>.
The roles and members are populated with the values from the role you're copying
When you're finished in the original **Choose members** flyout, select **Done**.
-7. Back on the **Choose members** tab of the wizard, select **Save**.
+6. Back on the **Choose members** tab of the wizard, select **Save**.
-8. Back on the role group details flyout, select **Done**.
-
-<a name='modify-email--collaboration-role-group-role-assignments-in-the-microsoft-365-defender-portal'></a>
+7. Back on the role group details flyout, select **Done**.
#### Modify Email & collaboration role group role assignments in the Microsoft Defender portal
The roles and members are populated with the values from the role you're copying
When you're finished in the original **Choose roles** flyout, select **Done**.
-7. Back on the **Choose roles** tab of the wizard, select **Save**.
-
-8. Back on the role group details flyout, select **Done**.
+6. Back on the **Choose roles** tab of the wizard, select **Save**.
-<a name='remove-email--collaboration-role-groups-in-the-microsoft-365-defender-portal'></a>
+7. Back on the role group details flyout, select **Done**.
#### Remove Email & collaboration role groups in the Microsoft Defender portal
security Mdo Sec Ops Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md
For a video about this information, see <https://youtu.be/eQanpq9N1Ps>.
## Daily activities
-<a name='monitor-the-microsoft-365-defender-incidents-queue'></a>
- ### Monitor the Microsoft Defender XDR Incidents queue The **Incidents** page in the Microsoft Defender portal at <https://security.microsoft.com/incidents-queue> (also known as the _Incidents queue_) allows you to manage and monitor events from the following sources in Defender for Office 365:
The following permissions (roles and role groups) are available in Defender for
- Data Investigator - eDiscovery Manager
- To assign this role to a new or existing custom role group, see [Email & collaboration roles in the Microsoft Defender portal](mdo-portal-permissions.md#email--collaboration-roles-in-the-microsoft-365-defender-portal).
+ To assign this role to a new or existing custom role group, see [Email & collaboration roles in the Microsoft Defender portal](mdo-portal-permissions.md#email--collaboration-roles-in-the-microsoft-defender-portal).
- **Search and Purge** role (Email & collaboration): Approve the deletion of malicious messages as recommended by AIR or take manual action on messages in hunting experiences like Threat Explorer.
The following permissions (roles and role groups) are available in Defender for
- Data Investigator - Organization Management
- To assign this role to a new or existing custom role group, see [Email & collaboration roles in the Microsoft Defender portal](mdo-portal-permissions.md#email--collaboration-roles-in-the-microsoft-365-defender-portal).
+ To assign this role to a new or existing custom role group, see [Email & collaboration roles in the Microsoft Defender portal](mdo-portal-permissions.md#email--collaboration-roles-in-the-microsoft-defender-portal).
- **Tenant AllowBlockList Manager** (Exchange Online): Manage allow and block entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). Blocking URLs, files (using file hash) or senders is a useful response action to take when investigating malicious email that was delivered.
security Mdo Support Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-support-teams-about.md
In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams pro
Instructions to configure ZAP for Teams protection are in the next section. -- **Teams messages in quarantine**: As with email messages that are identified as malware or high confidence phishing, only admins are able to manage Teams messages that are quarantined by ZAP for Teams by default. For more information, see [Manage quarantined Teams messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages).
+- **Teams messages in quarantine**: As with email messages that are identified as malware or high confidence phishing, only admins are able to manage Teams messages that are quarantined by ZAP for Teams by default. For more information, see [Manage quarantined Teams messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages).
- The **Teams Message Entity Panel** is a single place to store all Teams message metadata for immediate SecOps review. Any threats coming from Teams chats, group chats, meeting chats, and other channels can be found in one place as soon as they're assessed. For more information, see [Teams Message Entity Panel for Microsoft Teams](teams-message-entity-panel.md).
In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams pro
- **Quarantine policies** section: You can select the existing quarantine policy to use for messages that are quarantined by ZAP for Teams protection as **Malware** or **High confidence phishing**. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). > [!NOTE]
- > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware or high confidence phishing, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+ > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware or high confidence phishing, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
- **Exclude these participants** section: Specify the **Users**, **Groups**, or **Domains** to exclude from ZAP for Teams protection. Exclusions matter for message _recipients_, not message _senders_. For more information, see [Zero-hour auto purge (ZAP) in Microsoft Teams](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams).
For detailed syntax and parameter information, see [Set-TeamsProtectionPolicyRul
## See also - [Microsoft Teams](/microsoftteams/teams-overview)-- [Managing Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages)
+- [Managing Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages)
- [Get started using Attack simulation training in Defender for Office 365](attack-simulation-training-get-started.md)
security Migrate To Defender For Office 365 Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md
If your organization has a security response team, now is the time to begin inte
If your organization has purchased Microsoft Defender for Office 365 Plan 2, they should begin familiarizing themselves with and using features such as Threat Explorer, Advanced Hunting, and Incidents. For relevant trainings, see <https://aka.ms/mdoninja>.
-If your security response team collects and analyzes unfiltered messages, you can configure a SecOps mailbox to receive these unfiltered messages. For instructions, see [Configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
+If your security response team collects and analyzes unfiltered messages, you can configure a SecOps mailbox to receive these unfiltered messages. For instructions, see [Configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
### SIEM/SOAR
security Migrate To Defender For Office 365 Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-prepare.md
Microsoft is working with the industry to support the Authenticated Received Cha
## Account for any active phishing simulations
-If you have active third-party phishing simulations, you need to prevent the messages, links, and attachments from being identified as phishing by Defender for Office 365. For more information, see [Configure third-party phishing simulations in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-365-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy).
+If you have active third-party phishing simulations, you need to prevent the messages, links, and attachments from being identified as phishing by Defender for Office 365. For more information, see [Configure third-party phishing simulations in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy).
## Define spam and bulk user experiences
security Outbound Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md
You can configure outbound spam policies in the Microsoft Defender portal or in
- The default [alert policies](/purview/alert-policies#threat-management-alert-policies) named **Email sending limit exceeded**, **Suspicious email sending patterns detected**, and **User restricted from sending email** already send email notifications to members of the **TenantAdmins** (**Global admins**) group about unusual outbound email activity and blocked users due to outbound spam. For more information, see [Verify the alert settings for restricted users](outbound-spam-restore-restricted-users.md#verify-the-alert-settings-for-restricted-users). We recommend that you use these alert policies instead of the notification options in outbound spam policies.
-<a name='use-the-microsoft-365-defender-portal-to-create-outbound-spam-policies'></a>
- ## Use the Microsoft Defender portal to create outbound spam policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
You can configure outbound spam policies in the Microsoft Defender portal or in
Back on the **Anti-spam policies** page, the new policy is listed.
-<a name='use-the-microsoft-365-defender-portal-to-view-outbound-spam-policy-details'></a>
- ## Use the Microsoft Defender portal to view outbound spam policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
On the **Anti-spam policies** page, the following properties are displayed in th
- **Status**: Values are: - **Always on** for the default outbound spam policy (for example, **Anti-spam outbound policy (Default)**). - **On** or **Off** for other outbound spam policies.-- **Priority**: For more information, see the [Set the priority of custom outbound spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-outbound-spam-policies) section.
+- **Priority**: For more information, see the [Set the priority of custom outbound spam policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-outbound-spam-policies) section.
- **Type**: One of the following values for outbound spam policies: - **Custom outbound spam policy** - Blank for the default outbound spam policy (for example, **Anti-spam outbound policy (Default)**).
Select an outbound spam policy by clicking anywhere in the row other than the ch
> [!TIP] > To see details about other outbound spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-<a name='use-the-microsoft-365-defender-portal-to-take-action-on-outbound-spam-policies'></a>
- ## Use the Microsoft Defender portal to take action on outbound spam policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
On the **Anti-spam policies** page, select the outbound spam policy from the lis
The actions are described in the following subsections.
-<a name='use-the-microsoft-365-defender-portal-to-modify-outbound-spam-policies'></a>
- ### Use the Microsoft Defender portal to modify outbound spam policies
-After you select the default outbound spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create outbound spam policies](#use-the-microsoft-365-defender-portal-to-create-outbound-spam-policies) section earlier in this article.
+After you select the default outbound spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create outbound spam policies](#use-the-microsoft-defender-portal-to-create-outbound-spam-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no sender filters to configure (the policy applies to all senders). But, you can modify all other settings in the policy.
-<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-outbound-spam-policies'></a>
- ### Use the Microsoft Defender portal to enable or disable custom outbound spam policies You can't disable the default outbound spam policy (it's always enabled).
When you're finished in the policy details flyout, select **Close**.
On the **Anti-spam policies** page, the **Status** value of the policy is now **On** or **Off**.
-<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-outbound-spam-policies'></a>
- ### Use the Microsoft Defender portal to set the priority of custom outbound spam policies Outbound spam policies are processed in the order that they're displayed on the **Anti-spam policies** page:
When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-spam policies** page, the order of the policy in the list matches the updated **Priority** value.
-<a name='use-the-microsoft-365-defender-portal-to-remove-custom-outbound-spam-policies'></a>
- ### Use the Microsoft Defender portal to remove custom outbound spam policies You can't remove the default outbound spam policy.
security Outbound Spam Restore Restricted Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-restore-restricted-users.md
For more information about compromised _connectors_ and how to remove them from
- A sender exceeding the outbound email limits is an indicator of a compromised account. Before you follow the procedures in this article to remove a user from the **Restricted entities** page, be sure to follow the required steps to regain control of the account as described in [Responding to a compromised email account in Office 365](responding-to-a-compromised-email-account.md).
-<a name='remove-a-user-from-the-restricted-entities-page-in-the-microsoft-365-defender-portal'></a>
- ## Remove a user from the Restricted entities page in the Microsoft Defender portal In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Restricted entities**. Or, to go directly to the **Restricted entities** page, use <https://security.microsoft.com/restrictedentities>.
security Pim In Mdo Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/pim-in-mdo-configure.md
In the Microsoft Defender portal, create a custom role group that contains the p
3. Name your group to reflect its purpose such as 'Search and Purge PIM'. 4. Don't add members, simply save the group and move on to the next part!
-<a name='create-the-security-group-in-azure-ad-for-elevated-permissions'></a>
- ### Create the security group in Microsoft Entra ID for elevated permissions 1. Browse back to the [Microsoft Entra Admin Center](https://aad.portal.azure.com/) and navigate to **Microsoft Entra ID** > **Groups** > **New Group**.
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
The rest of this article how to configure preset security policies.
- _Read-only access to preset security policies_: Membership in the **Global Reader** role group. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
-<a name='use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users'></a>
- ## Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section. Or, to go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
The rest of this article how to configure preset security policies.
Click in the **Add domains** box, enter a domain value, press the ENTER key or select the value that's displayed below the box. To remove a domain from the box and start over, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the domain. When you're ready to add the domain, select **Add**. Repeat this step as many times as necessary.
- The domains you added are listed on the page. To remove the domain, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ The domains you added are listed on the page. To remove the domain, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
The domains you added are listed on the page. To remove a domain, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: next to the entry.
The rest of this article how to configure preset security policies.
10. On the **Standard protection updated** or **Strict protection updated** page, select **Done**.
-<a name='use-the-microsoft-365-defender-portal-to-modify-the-assignments-of-standard-and-strict-preset-security-policies'></a>
- ## Use the Microsoft Defender portal to modify the assignments of Standard and Strict preset security policies
-The steps to modify the assignment of the **Standard protection** or **Strict protection** preset security policy are the same as when you initially [assigned the preset security policies to users](#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+The steps to modify the assignment of the **Standard protection** or **Strict protection** preset security policy are the same as when you initially [assigned the preset security policies to users](#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
To disable the **Standard protection** or **Strict protection** preset security policies while still preserving the existing conditions and exceptions, slide the toggle to :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::. To enable the policies, slide the toggle to :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
-<a name='use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy'></a>
- ## Use the Microsoft Defender portal to add exclusions to the Built-in protection preset security policy > [!TIP]
security Priority Accounts Turn On Priority Account Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection.md
This article describes how to confirm that priority account protection is turned
- The Priority account tag is a type of _user tag_. You can create custom user tags to differentiate specific groups of users in reporting and other features. For more information about user tags, see [User tags in Microsoft Defender for Office 365](user-tags-about.md).
-<a name='review-or-turn-on-priority-account-protection-in-the-microsoft-365-defender-portal'></a>
- ## Review or turn on priority account protection in the Microsoft Defender portal > [!NOTE]
security Quarantine About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-about.md
_Quarantine policies_ define what users are able to do or not do to quarantined
The default quarantine policies that are assigned to protection feature verdicts enforce the historical capabilities that users get for their quarantined messages (messages where they're a recipient). For more information, see the table in [Find and release quarantined messages as a user in EOP](quarantine-end-user.md). For example, only admins can work with messages that were quarantined as malware or high confidence phishing. By default, users can work with their messages that were quarantined as spam, bulk, phishing, spoof, user impersonation, domain impersonation, or mailbox intelligence.
-Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
> [!NOTE] > Users can't release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high-confidence phishing messages.
security Quarantine Admin Manage Messages Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md
Watch this short video to learn how to manage quarantined messages as an admin.
- Quarantined messages and files are retained for a default period of time based on why they were quarantined. After the retention period expires, the messages are automatically deleted and aren't recoverable. For more information, see [Quarantine retention](quarantine-about.md#quarantine-retention).
-<a name='use-the-microsoft-365-defender-portal-to-manage-quarantined-email-messages'></a>
- ## Use the Microsoft Defender portal to manage quarantined email messages ### View quarantined email
Back on the **Email** tab, the **Release status** value of the message is **Rele
#### Approve or deny release requests from users for quarantined email
-Users can request the release of email messages if the quarantine policy used **Allow recipients to request a message to be released from quarantine** (`PermissionToRequestRelease` permission) instead of **Allow recipients to release a message from quarantine** (`PermissionToRelease` permission) when the message was quarantined. For more information, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+Users can request the release of email messages if the quarantine policy used **Allow recipients to request a message to be released from quarantine** (`PermissionToRequestRelease` permission) instead of **Allow recipients to release a message from quarantine** (`PermissionToRelease` permission) when the message was quarantined. For more information, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
After a recipient requests the release of the email message, the **Release status** value changes to **Release requested**, and an admin can approve or deny the request.
Admins can search the audit log to find events for messages that were deleted fr
For complete instructions for audit log searches, see [Audit New Search](/purview/audit-new-search).
-<a name='use-the-microsoft-365-defender-portal-to-manage-quarantined-files-in-defender-for-office-365'></a>
- ## Use the Microsoft Defender portal to manage quarantined files in Defender for Office 365 > [!NOTE]
When you select multiple quarantined files on the **Files** tab by selecting the
:::image type="content" source="../../media/quarantine-file-bulk-actions.png" alt-text="The Bulk actions dropdown list for files in quarantine" lightbox="../../media/quarantine-file-bulk-actions.png":::
-<a name='use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages'></a>
- ## Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages Quarantine in Microsoft Teams is available only in organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5)
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
You create and assign quarantine policies in the Microsoft Defender portal or in
- **Quarantine Administrator** - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Quarantine Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
-<a name='step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal'></a>
- ## Step 1: Create quarantine policies in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & Rules** \> **Threat policies** \> **Quarantine policy** in the **Rules** section. Or, to go directly to the **Quarantine policy** page, use <https://security.microsoft.com/quarantinePolicies>.
The default quarantine policies, preset permission groups, and permissions are d
The rest of this step explains how to assign quarantine policies for supported filter verdicts.
-<a name='assign-quarantine-policies-in-supported-policies-in-the-microsoft-365-defender-portal'></a>
- ## Assign quarantine policies in supported policies in the Microsoft Defender portal > [!NOTE]
For detailed syntax and parameter information, see [Set-AntiPhishPolicy](/powers
3. On the **Protection settings** page or flyout, view or select a quarantine policy in the **Quarantine policy** box.
- Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+ Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
Users can't release their own messages that were quarantined as malware by anti-malware policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages.
Set-SafeAttachmentPolicy -Identity "Human Resources" -QuarantineTag ContosoNoAcc
For detailed syntax and parameter information, see [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy).
-<a name='configure-global-quarantine-notification-settings-in-the-microsoft-365-defender-portal'></a>
- ## Configure global quarantine notification settings in the Microsoft Defender portal The global settings for quarantine policies allow you to customize the quarantine notifications that are sent to recipients of quarantined messages if quarantine notifications are turned on in the quarantine policy. For more information about quarantine notifications, see [Quarantine notifications](quarantine-quarantine-notifications.md).
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy | Set-Quaranti
For detailed syntax and parameter information, see [Set-QuarantinePolicy](/powershell/module/exchange/set-quarantinepolicy).
-<a name='view-quarantine-policies-in-the-microsoft-365-defender-portal'></a>
- ## View quarantine policies in the Microsoft Defender portal 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
If you'd rather use PowerShell to view quarantine policies, do any of the follow
For detailed syntax and parameter information, see [Get-HostedContentFilterPolicy](/powershell/module/exchange/get-hostedcontentfilterpolicy).
-<a name='modify-quarantine-policies-in-the-microsoft-365-defender-portal'></a>
- ## Modify quarantine policies in the Microsoft Defender portal You can't modify the default quarantine policies named AdminOnlyAccessPolicy, DefaultFullAccessPolicy, or DefaultFullAccessWithNotificationPolicy.
You can't modify the default quarantine policies named AdminOnlyAccessPolicy, De
3. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit policy** action that appears.
-The policy wizard opens with the settings and values of the selected quarantine policy. The steps are virtually the same as described in the [Create quarantine policies in the Microsoft Defender portal](#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal) section. The main difference is: you can't rename an existing policy.
+The policy wizard opens with the settings and values of the selected quarantine policy. The steps are virtually the same as described in the [Create quarantine policies in the Microsoft Defender portal](#step-1-create-quarantine-policies-in-the-microsoft-defender-portal) section. The main difference is: you can't rename an existing policy.
### Modify quarantine policies in PowerShell
The available settings are the same as described for creating quarantine policie
For detailed syntax and parameter information, see [Set-QuarantinePolicy](/powershell/module/exchange/set-quarantinepolicy).
-<a name='remove-quarantine-policies-in-the-microsoft-365-defender-portal'></a>
- ## Remove quarantine policies in the Microsoft Defender portal **Notes**:
security Quarantine Quarantine Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-quarantine-notifications.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
> [!NOTE] > In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC).
-For [supported protection features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features), _quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined. Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+For [supported protection features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features), _quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined. Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
Quarantine notifications aren't turned on in the default quarantine notifications named AdminOnlyAccessPolicy or DefaultFullAccessPolicy. Quarantine notifications are turned on in the following default quarantine policies: - **DefaultFullAccessWithNotificationPolicy** that's used in [preset security policies](preset-security-policies.md). - **NotificationEnabledPolicy** [if your organization has it](quarantine-policies.md#full-access-permissions-and-quarantine-notifications).
-Otherwise, to turn on quarantine notifications in quarantine policies, you need to [create and configure a new quarantine policy](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+Otherwise, to turn on quarantine notifications in quarantine policies, you need to [create and configure a new quarantine policy](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
Admins can also use the global settings in quarantine policies to customize quarantine notifications in the following ways:
Admins can also use the global settings in quarantine policies to customize quar
- Customize the sender and logo that's used in the notification. - Notification frequency (every four hours, daily, or weekly).
-For instructions, see [Configure global quarantine notification settings](quarantine-policies.md#configure-global-quarantine-notification-settings-in-the-microsoft-365-defender-portal).
+For instructions, see [Configure global quarantine notification settings](quarantine-policies.md#configure-global-quarantine-notification-settings-in-the-microsoft-defender-portal).
For shared mailboxes, quarantine notifications are supported only for users who are granted FullAccess permission to the mailbox. For more information, see [Use the EAC to edit shared mailbox delegation](/Exchange/collaboration-exo/shared-mailboxes#use-the-eac-to-edit-shared-mailbox-delegation).
security Quarantine Shared Mailbox Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-shared-mailbox-messages.md
Now, automapping is no longer required for users to manage quarantined messages
- In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). -- _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+- _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
- The first user to act on the quarantined message decides the fate of the message for everyone who uses the shared mailbox. For example, if a shared mailbox is accessed by 10 users, and a user decides to delete the quarantine message, the message is deleted for all 10 users. Likewise, if a user decides to release the message, it's released to the shared mailbox and is accessible by all other users of the shared mailbox.
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
Wherever you select **Quarantine message** as the action for a spam filter verdi
If you _change_ the action of a spam filtering verdict to **Quarantine message** when you create anti-spam policies the Defender portal, the **Select quarantine policy** box is blank by default. A blank value means the default quarantine policy for that spam filtering verdict is used. These default quarantine policies enforce the historical capabilities for the spam filter verdict that quarantined the message as described in the table [here](quarantine-end-user.md). When you later view or edit the anti-spam policy settings, the quarantine policy name is shown.
-Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
Quarantine policies define what users are able to do to quarantined messages, an
Although the **Apply quarantine policy** value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy┬╣ is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as spoof as described in the table [here](quarantine-end-user.md). When you later view or edit the quarantine policy settings, the quarantine policy name is shown.
-Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
Wherever you select **Quarantine the message** as the action for an impersonatio
Although the **Apply quarantine policy** value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as impersonation as described in the table [here](quarantine-end-user.md). When you later view or edit the quarantine policy settings, the quarantine policy name is shown.
-Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
security Reports Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md
The rest of this article describes the reports that are exclusive to Defender fo
> > Email security reports that don't require Defender for Office 365 are described in [View email security reports in the Microsoft Defender portal](reports-email-security.md). >
-> For reports that have been deprecated or replaced, see the table in [Email security report changes in the Microsoft Defender portal](reports-email-security.md#email-security-report-changes-in-the-microsoft-365-defender-portal).
+> For reports that have been deprecated or replaced, see the table in [Email security report changes in the Microsoft Defender portal](reports-email-security.md#email-security-report-changes-in-the-microsoft-defender-portal).
> > Reports that are related to mail flow are now in the Exchange admin center (EAC). For more information about these reports, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports).
security Reports Email Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md
The rest of this article describes the reports that are exclusive to Defender fo
> > A link to these reports is available in the Defender portal at **Reports** \> **Email & collaboration** \> **Email & collaboration reports** \> **Exchange mail flow reports**, which takes you to <https://admin.exchange.microsoft.com/#/reports/mailflowreportsmain>.
-<a name='email-security-report-changes-in-the-microsoft-365-defender-portal'></a>
- ## Email security report changes in the Microsoft Defender portal The Exchange Online Protection (EOP) and Microsoft Defender for Office 365 reports in the Microsoft Defender portal that have been replaced, moved, or deprecated are described in the following table.
security Safe Attachments For Spo Odfb Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about.md
To learn more about the user experience when a file has been detected as malicio
Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams appear in [reports for Microsoft Defender for Office 365](reports-defender-for-office-365.md) and in [Explorer (and real-time detections)](threat-explorer-about.md).
-When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine, but only to admins. For more information, see [Manage quarantined files in Defender for Office 365](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-files-in-defender-for-office-365).
+When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine, but only to admins. For more information, see [Manage quarantined files in Defender for Office 365](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-quarantined-files-in-defender-for-office-365).
## Keep these points in mind
security Safe Attachments For Spo Odfb Teams Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure.md
You turn on or turn off Safe Attachments for Office 365 for SharePoint, OneDrive
- Allow up to 30 minutes for the settings to take effect.
-<a name='step-1-use-the-microsoft-365-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams'></a>
- ## Step 1: Use the Microsoft Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
Set-SPOTenant -DisallowInfectedFileDownload $true
For detailed syntax and parameter information, see [Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant).
-<a name='step-3-recommended-use-the-microsoft-365-defender-portal-to-create-an-alert-policy-for-detected-files'></a>
- ## Step 3 (Recommended) Use the Microsoft Defender portal to create an alert policy for detected files You can create an alert policy that notifies admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alert policies, see [Alert policies in the Microsoft Defender portal](alert-policies-defender-portal.md).
security Safe Attachments Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md
You configure Safe Attachments policies in the Microsoft Defender portal or in E
- For our recommended settings for Safe Attachments policies, see [Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings). > [!TIP]
- > [Exceptions to Built-in protection for Safe Attachments](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy) or settings in custom Safe Attachments policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+ > [Exceptions to Built-in protection for Safe Attachments](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy) or settings in custom Safe Attachments policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
- Allow up to 30 minutes for a new or updated policy to be applied. - For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms).
-<a name='use-the-microsoft-365-defender-portal-to-create-safe-attachments-policies'></a>
- ## Use the Microsoft Defender portal to create Safe Attachments policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
You configure Safe Attachments policies in the Microsoft Defender portal or in E
By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections by Safe Attachments policies. For more information about this quarantine policy, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). > [!NOTE]
- > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware by Safe Attachments, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+ > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware by Safe Attachments, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
> > Users can't release their own messages that were quarantined as malware by Safe Attachments policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages.
You configure Safe Attachments policies in the Microsoft Defender portal or in E
Back on the **Safe Attachments** page, the new policy is listed.
-<a name='use-the-microsoft-365-defender-portal-to-view-safe-attachments-policy-details'></a>
- ## Use the Microsoft Defender portal to view Safe Attachments policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
On the **Safe Attachments** page, the following properties are displayed in the
- **Name** - **Status**: Values are **On** or **Off**.-- **Priority**: For more information, see the [Set the priority of Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-attachments-policies) section.
+- **Priority**: For more information, see the [Set the priority of Safe Attachments policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-safe-attachments-policies) section.
To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
Select a policy by clicking anywhere in the row other than the check box next to
> [!TIP] > To see details about other Safe Attachments policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-<a name='use-the-microsoft-365-defender-portal-to-take-action-on-safe-attachments-policies'></a>
- ## Use the Microsoft Defender portal to take action on Safe Attachments policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Em
The actions are described in the following subsections.
-<a name='use-the-microsoft-365-defender-portal-to-modify-custom-safe-attachments-policies'></a>
- ### Use the Microsoft Defender portal to modify custom Safe Attachments policies
-After you select a custom Safe Attachments policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-create-safe-attachments-policies) section earlier in this article.
+After you select a custom Safe Attachments policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Attachments policies](#use-the-microsoft-defender-portal-to-create-safe-attachments-policies) section earlier in this article.
You can't modify the Safe Attachments policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md) in the policy details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
-<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-safe-attachments-policies'></a>
- ### Use the Microsoft Defender portal to enable or disable custom Safe Attachments policies You can't enable or disable the Safe Attachments policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md) here. You enable or disable preset security policies on the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies>.
After you select a disabled custom Safe Attachments policy (the **Status** value
On the **Safe Attachments** page, the **Status** value of the policy is now **On** or **Off**.
-<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-attachments-policies'></a>
- ### Use the Microsoft Defender portal to set the priority of custom Safe Attachments policies Safe Attachments policies are processed in the order that they're displayed on the **Safe Attachments** page: -- The Safe Attachments policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The Safe Attachments policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
- The Safe Attachments policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom Safe Attachments policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest).
When you're finished in the policy details flyout, select **Close**.
Back on the **Safe Attachments** page, the order of the policy in the list matches the updated **Priority** value.
-<a name='use-the-microsoft-365-defender-portal-to-remove-custom-safe-attachments-policies'></a>
- ### Use the Microsoft Defender portal to remove custom Safe Attachments policies You can't remove the Safe Attachments policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md).
security Safe Documents In E5 Plus Security About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about.md
To keep you protected, Safe Documents sends file information to the [Microsoft D
File information sent by Safe Documents isn't retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).
-<a name='use-the-microsoft-365-defender-portal-to-configure-safe-documents'></a>
- ## Use the Microsoft Defender portal to configure Safe Documents 1. In the Microsoft Defender portal, go to the **Safe Attachments** page at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
security Safe Links About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-about.md
For more information about the order of precedence and how multiple policies are
Each Safe Links policy contains a **Do not rewrite the following URLs** list that you can use to specify URLs that aren't rewritten by Safe Links scanning. You can configure different lists in different Safe Links policies. Policy processing stops after the first (likely, the highest priority) policy is applied to the user. So, only one **Do not rewrite the following URLs** list is applied to a user who is included in multiple active Safe Links policies.
-To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) or [Modify Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-365-defender-portal-to-modify-custom-safe-links-policies).
+To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-defender-portal-to-create-safe-links-policies) or [Modify Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-defender-portal-to-modify-custom-safe-links-policies).
**Notes**:
security Safe Links Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md
You configure Safe Links policies in the Microsoft Defender portal or in Exchang
- For our recommended settings for Safe Links policies, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings). > [!TIP]
- > [Exceptions to Built-in protection for Safe Links](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy) or settings in custom Safe Links policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+ > [Exceptions to Built-in protection for Safe Links](preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy) or settings in custom Safe Links policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
- Allow up to 6 hours for a new or updated policy to be applied. - For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms).
-<a name='use-the-microsoft-365-defender-portal-to-create-safe-links-policies'></a>
- ## Use the Microsoft Defender portal to create Safe Links policies 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. Or, to go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
You configure Safe Links policies in the Microsoft Defender portal or in Exchang
Back on the **Safe Links** page, the new policy is listed.
-<a name='use-the-microsoft-365-defender-portal-to-view-safe-links-policy-details'></a>
- ## Use the Microsoft Defender portal to view Safe Links policy details In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
On the **Safe Links** page, the following properties are displayed in the list o
- **Name** - **Status**: Values are **On** or **Off**.-- **Priority**: For more information, see the [Set the priority of Safe Links policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-links-policies) section.
+- **Priority**: For more information, see the [Set the priority of Safe Links policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-safe-links-policies) section.
To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
Select a policy by clicking anywhere in the row other than the check box next to
> [!TIP] > To see details about other Safe Links policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-<a name='use-the-microsoft-365-defender-portal-to-take-action-on-safe-links-policies'></a>
- ## Use the Microsoft Defender portal to take action on Safe Links policies In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safealinksv2>.
In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Em
The actions are described in the following subsections.
-<a name='use-the-microsoft-365-defender-portal-to-modify-custom-safe-links-policies'></a>
- ### Use the Microsoft Defender portal to modify custom Safe Links policies
-After you select a custom Safe Links policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Links policies](#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) section earlier in this article.
+After you select a custom Safe Links policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Links policies](#use-the-microsoft-defender-portal-to-create-safe-links-policies) section earlier in this article.
You can't modify the Safe Links policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md) in the policy details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
-<a name='use-the-microsoft-365-defender-portal-to-enable-or-disable-custom-safe-links-policies'></a>
- ### Use the Microsoft Defender portal to enable or disable custom Safe Links policies You can't enable or disable the Safe Links policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md) here. You enable or disable preset security policies on the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies>.
After you select a disabled custom Safe Links policy (the **Status** value is **
On the **Safe Links** page, the **Status** value of the policy is now **On** or **Off**.
-<a name='use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-links-policies'></a>
- ### Use the Microsoft Defender portal to set the priority of custom Safe Links policies Safe Links policies are processed in the order that they're displayed on the **Safe Links** page: -- The Safe Links policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The Safe Links policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
- The Safe Links policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled). - Custom Safe Links policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest).
When you're finished in the policy details flyout, select **Close**.
Back on the **Safe Links** page, the order of the policy in the list matches the updated **Priority** value.
-<a name='use-the-microsoft-365-defender-portal-to-remove-custom-safe-links-policies'></a>
- ### Use the Microsoft Defender portal to remove custom Safe Links policies You can't remove the Safe Links policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md).
security Secure By Default https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md
To put it another way: as a security service, we're acting on your behalf to pre
You should only consider using overrides in the following scenarios: -- Phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. To prevent phishing simulation messages from being filtered, see [Configure third-party phishing simulations in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-365-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy).-- Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get unfiltered messages (both good and bad). Teams can then review to see if they contain malicious content. For more information, see [Configure SecOps mailboxes in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
+- Phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. To prevent phishing simulation messages from being filtered, see [Configure third-party phishing simulations in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy).
+- Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get unfiltered messages (both good and bad). Teams can then review to see if they contain malicious content. For more information, see [Configure SecOps mailboxes in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
- Third-party filters: Secure by default applies only when the MX record for your domain points to Microsoft 365 (contoso.mail.protection.outlook.com). If the MX record for your domain points to another service or device, it's possible to override Secure by default with an Exchange mail flow rule to [bypass spam filtering](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl). When your MX record points to another service or device and you use a bypass spam filtering mail flow rule, messages detected as high confidence phishing by Microsoft 365 anti-spam filtering are delivered to the Inbox. - False positives: To temporarily allow certain messages that are still being blocked by Microsoft, use [admin submissions](submissions-admin.md#report-good-email-to-microsoft). By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). By default, allow entries for spoofed senders never expire.
security Connect Microsoft Defender For Office 365 To Microsoft Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/connect-microsoft-defender-for-office-365-to-microsoft-sentinel.md
Take advantage of rich security information events management (SIEM) combined wi
- Microsoft Sentinel [Quickstart guide](/azure/sentinel/quickstart-onboard). - Sufficient permissions (Security Administrator in M365 & Read / Write permissions in Sentinel).
-<a name='add-the-microsoft-365-defender-connector'></a>
- ## Add the Microsoft Defender XDR Connector 1. [Login to the Azure Portal](https://portal.azure.com) and navigate to **Microsoft Sentinel** \> Pick the relevant workspace to integrate with Microsoft Defender XDR. 1. On the left-hand navigation menu underneath the heading **Configuration** \> choose **Data connectors**.
-1. When the page loads, **search for** Microsoft Defender XDR **and select the Microsoft Defender XDR connector**.
+2. When the page loads, **search for** Microsoft Defender XDR **and select the Microsoft Defender XDR connector**.
3. On the right-hand flyout, select **Open Connector Page**. 4. Under the **Configuration** section of the page that loads, select **Connect incidents & alerts**, leaving Turn off all Microsoft incident creation rules for these products ticked. 5. Scroll to **Microsoft Defender for Office 365** in the **Connect events** section of the page. Select **EmailEvents, EmailUrlInfo, EmailAttachmentInfo & EmailPostDeliveryEvents** then **Apply Changes** at the bottom of the page. (Choose tables from other Defender products if helpful and applicable, during this step.)
security Utilize Microsoft Defender For Office 365 In Sharepoint Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online.md
Title: Use Microsoft Defender for Office 365 in SharePoint Online
-description: The steps to ensure that you can use, and get the value from, Microsoft Defender for Office 365 in SharePoint Online and OneDrive for Business
+description: The steps to ensure that you can use, and get the value from, Microsoft Defender for Office 365 in SharePoint Online and OneDrive.
search.product: ms.mktglfcycl: deploy
Last updated 1/31/2023
# Use Microsoft Defender for Office 365 with SharePoint Online
-Microsoft SharePoint Online is a widely used user collaboration and file storage tool. The following steps help reduce the attack surface area in SharePoint Online and that help keep this collaboration tool in your organization secure. However, it's important to note there is a balance to strike between security and productivity, and not all these steps may be relevant for your organizational risk profile. Take a look, test, and maintain that balance.
+Microsoft SharePoint Online is a widely used user collaboration and file storage tool. The following steps help reduce the attack surface area in SharePoint Online and that help keep this collaboration tool in your organization secure. However, it's important to note there's a balance to strike between security and productivity, and not all these steps might be relevant for your organizational risk profile. Take a look, test, and maintain that balance.
-## What you'll need
+## What you need
- Microsoft Defender for Office 365 Plan 1 - Sufficient permissions (SharePoint administrator/security administrator). - Microsoft SharePoint Online (part of Microsoft 365).-- Five to ten minutes to perform these steps.
+- Five to 10 minutes to perform these steps.
## Turn on Microsoft Defender for Office 365 in SharePoint Online
-If licensed for Microsoft Defender for Office 365 **(free 90-day evaluation available at aka.ms/trymdo)** you can ensure seamless protection from zero day malware and time of click protection within Microsoft Teams.
+If you're licensed for Microsoft Defender for Office 365 **(free 90-day evaluation available at aka.ms/trymdo)**, you can ensure seamless protection from zero day malware and time of click protection within Microsoft Teams.
-To learn more, read [Step 1: Use the Microsoft Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure#step-1-use-the-microsoft-365-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams).
+To learn more, read [Step 1: Use the Microsoft Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure#step-1-use-the-microsoft-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams).
1. Sign in to the [security center's safe attachments configuration page](https://security.microsoft.com/safeattachmentv2). 1. Select **Global settings**.
security Submissions Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md
After a few moments, the associated allow entries appear on the **Domains & addr
> - When an allowed domain or email address, spoofed sender, URL, or file (_entity_) is encountered again, all filters that are associated with the entity are skipped. For email messages, all other entities are still evaluated by the filtering system before making a decision. > - During mail flow, if messages from the allowed domain or email address pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message from an allowed sender email address are delivered. > - By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages from those domains or email addresses are delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
-> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.
+> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message.
> - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. ### Report good email attachments to Microsoft
security Submissions Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-teams.md
For more information about user reported message settings in the Defender portal
> - The reported message remains visible to the user in the Teams client. > - Users can report the same message multiple times. > - The message sender isn't notified that messages were reported.
- > - Microsoft also sends an email message notification to the user who reported the message from submissions@messaging.microsoft.com with the subject, "You have successfully reported a Teams message as a security risk." If Teams integration is turned on in the Defender portal, admins can customize some elements of the notification message in the **Email notifications** section on **User reported settings** page as described in [Customize the messages used to notify users](submissions-admin-review-user-reported-messages.md#customize-the-messages-used-to-notify-users).
+ > - Microsoft also sends an email message notification to the user who reported the message from `submissions@messaging.microsoft.com` with the subject, "You have successfully reported a Teams message as a security risk." If Teams integration is turned on in the Defender portal, admins can customize some elements of the notification message in the **Email notifications** section on **User reported settings** page as described in [Customize the messages used to notify users](submissions-admin-review-user-reported-messages.md#customize-the-messages-used-to-notify-users).
## What happens after a user reports a message from Teams?
For more information, see [User reported settings](submissions-user-reported-mes
**Notes**: - If you select **Send the reported messages to** \> **My reporting mailbox only**, reported messages don't go to Microsoft for analysis unless an admin manually submits the message from the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>. Reporting messages to Microsoft is an important part of training the service to help improve the accuracy of filtering (reduce false positives and false negatives). That's why we use **Send the reported messages to** \> **Microsoft and my reporting mailbox** as the default.-- Regardless of the **Send the reported messages to** setting, metadata from the reported Teams message (for example, senders, recipients, reported by, and message details) is available on the **User reported** tab on the **Submissions** page.-- Regardless of the **Send the reported messages to** setting, the alert policy named **Teams message reported by user as a security risk** generates an alert when a user reports a message in Teams by default. For more information, see [Manage alerts](/purview/alert-policies#manage-alerts).
+- Regardless of the **Send the reported messages to** setting, the following actions occur when a user reports a Teams message:
+ - Metadata from the reported Teams message (for example, senders, recipients, reported by, and message details) is available on the **User reported** tab on the **Submissions** page.
+ - The alert policy named **Teams message reported by user as a security risk** generates an alert by default. For more information, see [Manage alerts](/purview/alert-policies#manage-alerts).
To view the corresponding alert for a user reported message in Teams, go to the **User reported** tab on the **Submission** page, and then double-click the message to open the submission flyout. Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** and then select **View alert**.
security Submissions User Reported Messages Custom Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md
Delivering user reported messages to a reporting mailbox instead of directly to
Before you get started, you need to use the following steps to configure Exchange Online Protection and Defender for Office 365 so user reported messages are delivered to the reporting mailbox without being filtered: -- Identify the reporting mailbox as a SecOps mailbox. For instructions, see [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
+- Identify the reporting mailbox as a SecOps mailbox. For instructions, see [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
> [!NOTE] > This step is especially important if you use [Attack simulation training](attack-simulation-training-get-started.md) or a third-party product to do phishing simulations. If you don't configure the reporting mailbox as a SecOps mailbox, a user reported message might trigger a training assignment by the phishing simulation product.
After you verify that the reporting mailbox meets all of these requirements, use
- [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell) - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) ([until October 2023](https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-client-access-rules-in-exchange-online/ba-p/3638563))
-<a name='use-the-microsoft-365-defender-portal-to-configure-user-reported-settings'></a>
- ## Use the Microsoft Defender portal to configure user reported settings In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User reported settings** tab. To go directly to the **User reported settings** page, use <https://security.microsoft.com/securitysettings/userSubmission>.
security Submissions Users Report Message Add In Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure.md
Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use
2. In the **Upload custom apps** flyout that opens, select **I have a URL for the manifest file**.
-4. In the **Add from URL** dialog that opens, enter one of the following URLs:
+3. In the **Add from URL** dialog that opens, enter one of the following URLs:
- **Report Message**: <https://ipagave.azurewebsites.net/ReportMessageManifest/ReportMessageAzure.xml> - **Report Phishing**: <https://ipagave.azurewebsites.net/ReportPhishingManifest/ReportPhishingAzure.xml> When you're finished, select **Install**. In the success dialog, select **OK**.
-5. Back on the **Add-ins** page, select the add-in you installed, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
+4. Back on the **Add-ins** page, select the add-in you installed, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
-6. In the add-in properties dialog that opens, confirm or modify the following settings:
+5. In the add-in properties dialog that opens, confirm or modify the following settings:
- **Make this add-in available to users in your organization**. - **Specify user defaults**: Select one of the following settings: - **Optional, enabled by default**.
Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use
When you're finished, select **Save**.
-7. To fully configure user reported message settings, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md).
+6. To fully configure user reported message settings, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md).
### View and edit settings for the Report Message or Report Phishing add-ins
security Tenant Allow Block List About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-about.md
The following list describes what happens in the Tenant Allow/Block List when yo
- **Email**: If a message was blocked by the EOP or Defender for Office 365 filtering stack, an allow entry might be created in the Tenant Allow/Block List: - If the message was blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md), an allow entry for the sender is created, and the entry appears on the **Spoofed senders** tab in the Tenant Allow/Block List.
- - If the message was blocked by [user (or graph) impersonation protection in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), an allow entry isn't created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.
+ - If the message was blocked by [user (or graph) impersonation protection in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), an allow entry isn't created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message.
- If the message was blocked due to file-based filers, an allow entry for the file is created, and the entry appears on the **Files** tab in the Tenant Allow/Block List. - If the message was blocked due to URL-based filters, an allow entry for the URL is created, and the entry appears on the **URL** tab in the Tenant Allow/Block List. - If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the **Domains & addresses** tab in the Tenant Allow/Block List.
security Tenant Allow Block List Email Spoof Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure.md
Email from these blocked senders is marked as *high confidence phishing* and qua
> > Users in the organization also can't *send* email to these blocked domains and addresses. The message is returned in the following non-delivery report (also known as an NDR or bounce message): `550 5.7.703 Your message can't be delivered because messages to XXX, YYY are blocked by your organization using Tenant Allow Block List.` The entire message is blocked for all internal and external recipients of the message, even if only one recipient email address or domain is defined in a block entry.
-<a name='use-the-microsoft-365-defender-portal-to-create-block-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list'></a>
- #### Use the Microsoft Defender portal to create block entries for domains and email addresses in the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries "test@badattacker
For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
-<a name='use-the-microsoft-365-defender-portal-to-view-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list'></a>
- ### Use the Microsoft Defender portal to view entries for domains and email addresses in the Tenant Allow/Block List In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
Get-TenantAllowBlockListItems -ListType Sender -Block
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
-<a name='use-the-microsoft-365-defender-portal-to-modify-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list'></a>
- ### Use the Microsoft Defender portal to modify entries for domains and email addresses in the Tenant Allow/Block List In existing domain and email address entries, you can change the expiration date and note.
Set-TenantAllowBlockListItems -ListType Sender -Entries "julia@fabrikam.com" -Ex
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
-<a name='use-the-microsoft-365-defender-portal-to-remove-entries-for-domains-and-email-addresses-from-the-tenant-allowblock-list'></a>
- ### Use the Microsoft Defender portal to remove entries for domains and email addresses from the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
To create allow entries for *spoofed senders*, use any of the following methods:
> > Allow entries for spoofed senders never expire.
-<a name='use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list'></a>
- #### Use the Microsoft Defender portal to create allow entries for spoofed senders in the Tenant Allow/Block List In the Tenant Allow/Block List, you can create allow entries for spoofed senders before they're detected and blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md).
To create block entries for *spoofed senders*, use any of the following methods:
> > Block entries for spoofed senders never expire.
-<a name='use-the-microsoft-365-defender-portal-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list'></a>
- #### Use the Microsoft Defender portal to create block entries for spoofed senders in the Tenant Allow/Block List
-The steps are nearly identical to [creating allow entries for spoofed senders](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) as previously described in this article.
+The steps are nearly identical to [creating allow entries for spoofed senders](#use-the-microsoft-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) as previously described in this article.
The only difference is: for the **Action** value in Step 4, select **Block** instead of **Allow**.
New-TenantAllowBlockListSpoofItems -Identity Default -Action Block -SendingInfra
For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
-<a name='use-the-microsoft-365-defender-portal-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list'></a>
- ### Use the Microsoft Defender portal to view entries for spoofed senders in the Tenant Allow/Block List In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
Verify the **Spoofed senders** tab is selected.
On the **Spoofed senders** tab, you can sort the entries by clicking on an available column header. The following columns are available:
- - **Spoofed user**
- - **Sending infrastructure**
- - **Spoof type**: The available values are **Internal** or **External**.
- - **Action**: The available values are **Block** or **Allow**.
+- **Spoofed user**
+- **Sending infrastructure**
+- **Spoof type**: The available values are **Internal** or **External**.
+- **Action**: The available values are **Block** or **Allow**.
To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filter** flyout that opens:
Get-TenantAllowBlockListSpoofItems -Action Block -SpoofType External
For detailed syntax and parameter information, see [Get-TenantAllowBlockListSpoofItems](/powershell/module/exchange/get-tenantallowblocklistspoofitems).
-<a name='use-the-microsoft-365-defender-portal-to-modify-entries-for-spoofed-senders-in-the-tenant-allowblock-list'></a>
- ### Use the Microsoft Defender portal to modify entries for spoofed senders in the Tenant Allow/Block List When you modify an allow or block entry for spoofed senders in the Tenant Allow/Block list, you can only change the entry from **Allow** to **Block**, or vice-versa.
Set-TenantAllowBlockListItems -Identity Default -Ids 3429424b-781a-53c3-17f9-c0b
For detailed syntax and parameter information, see [Set-TenantAllowBlockListSpoofItems](/powershell/module/exchange/set-tenantallowblocklistspoofitems).
-<a name='use-the-microsoft-365-defender-portal-to-remove-entries-for-spoofed-senders-from-the-tenant-allowblock-list'></a>
- ### Use the Microsoft Defender portal to remove entries for spoofed senders from the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
You can't create allow entries in the Tenant Allow/Block List for messages that
Submitting a message that was incorrectly blocked as impersonation on the **Emails** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email> doesn't add the sender or domain as an allow entry in the Tenant Allow/Block List.
-Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.
+Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message.
For submission instructions for impersonation false positives, see [Report good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
security Tenant Allow Block List Files Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure.md
To create block entries for files, use either of the following methods:
- From the **Files** tab on the **Tenant Allow/Block Lists** page or in PowerShell as described in this section.
-<a name='use-the-microsoft-365-defender-portal-to-create-block-entries-for-files-in-the-tenant-allowblock-list'></a>
- ### Use the Microsoft Defender portal to create block entries for files in the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695e
For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
-<a name='use-the-microsoft-365-defender-portal-to-view-entries-for-files-in-the-tenant-allowblock-list'></a>
- ## Use the Microsoft Defender portal to view entries for files in the Tenant Allow/Block List In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
Select the **Files** tab.
On the **Files** tab, you can sort the entries by clicking on an available column header. The following columns are available:
- - **Value**: The file hash.
- - **Action**: The available values are **Allow** or **Block**.
- - **Modified by**
- - **Last updated**
- - **Remove on**: The expiration date.
- - **Notes**
+- **Value**: The file hash.
+- **Action**: The available values are **Allow** or **Block**.
+- **Modified by**
+- **Last updated**
+- **Remove on**: The expiration date.
+- **Notes**
To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filter** flyout that opens:
Get-TenantAllowBlockListItems -ListType FileHash -Block
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
-<a name='use-the-microsoft-365-defender-portal-to-modify-entries-for-files-in-the-tenant-allowblock-list'></a>
- ## Use the Microsoft Defender portal to modify entries for files in the Tenant Allow/Block List In existing file entries, you can change the expiration date and note.
Set-TenantAllowBlockListItems -ListType FileHash -Entries "27c5973b2451db9deeb01
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
-<a name='use-the-microsoft-365-defender-portal-to-remove-entries-for-files-from-the-tenant-allowblock-list'></a>
- ## Use the Microsoft Defender portal to remove entries for files from the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
security Tenant Allow Block List Urls Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure.md
You have the following options to create block entries for URLs:
- From the **URLs** tab on the **Tenant Allow/Block Lists** page or in PowerShell as described in this section.
-<a name='use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list'></a>
- ### Use the Microsoft Defender portal to create block entries for URLs in the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
New-TenantAllowBlockListItems -ListType Url -Block -Entries *contoso.com
For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
-<a name='use-the-microsoft-365-defender-portal-to-view-entries-for-urls-in-the-tenant-allowblock-list'></a>
- ## Use the Microsoft Defender portal to view entries for URLs in the Tenant Allow/Block List In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
Get-TenantAllowBlockListItems -ListType Url -Block
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
-<a name='use-the-microsoft-365-defender-portal-to-modify-entries-for-urls-in-the-tenant-allowblock-list'></a>
- ## Use the Microsoft Defender portal to modify entries for URLs in the Tenant Allow/Block List In existing URL entries, you can change the expiration date and note.
Set-TenantAllowBlockListItems -ListType Url -Entries "~contoso.com" -ExpirationD
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
-<a name='use-the-microsoft-365-defender-portal-to-remove-entries-for-urls-from-the-tenant-allowblock-list'></a>
- ## Use the Microsoft Defender portal to remove entries for URLs from the Tenant Allow/Block List 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
Specifics are up to your business.
This article walks you through the manual configuration of tenant-wide settings that affect the security of your Microsoft 365 environment. Use these recommendations as a starting point.
-<a name='tune-eop-and-defender-for-office-365-protection-policies-in-the-microsoft-365-defender-portal'></a>
- ## Tune EOP and Defender for Office 365 protection policies in the Microsoft Defender portal The Microsoft Defender portal has capabilities for both protection and reporting. It has dashboards you can use to monitor and take action when threats arise.
We recommend turning on and using the Standard and/or Strict preset security pol
Custom policies are required if the business needs of your organization require policy settings that are *different than* or *aren't defined in* preset security policies. Or, if your organization requires a different user experience for quarantined messages (including notifications). For more information, see [Determine your protection policy strategy](mdo-deployment-guide.md#determine-your-protection-policy-strategy).
-<a name='view-dashboards-and-reports-in-the-microsoft-365-defender-portal'></a>
- ## View dashboards and reports in the Microsoft Defender portal In the Defender portal at <https://security.microsoft.com> select **Reports**. Or, to go directly to the **Reports** page, use <https://security.microsoft.com/securityreports>.
To support the goals for baseline protection, configure tenant-wide sharing poli
SharePoint admin center and OneDrive for Business admin center include the same settings. The settings in either admin center apply to both.
-<a name='configure-settings-in-azure-active-directory'></a>
- ## Configure settings in Microsoft Entra ID Be sure to visit these two areas in Microsoft Entra ID to complete tenant-wide setup for more secure environments.
security Trial User Guide Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365.md
Defender for Office 365 enables you to investigate activities that put people in
See the bigger picture with Campaign Views in Defender for Office 365, which gives you a view of the attack campaigns targeting your organization and the impact they have on your users. - [Identify campaigns](campaigns.md#what-is-a-campaign) targeting your users.-- [Visualize the scope](campaigns.md#campaigns-page-in-the-microsoft-365-defender-portal) of the attack.
+- [Visualize the scope](campaigns.md#campaigns-page-in-the-microsoft-defender-portal) of the attack.
- [Track user interaction](campaigns.md#campaign-details) with these messages. :::image type="content" source="../../medio-trial-playbook-campaign-details.png":::
security Try Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md
What's the difference between an evaluation and a trial of Defender for Office 3
Your only option is to set up an evaluation of Defender for Office 365 on the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>. Furthermore, the evaluation is automatically set up in **Audit mode** (evaluation policies).
- Later, you can _convert_ to **blocking mode** (Standard preset security policy) using the [**Convert to standard** action on the **Microsoft Defender for Office 365 evaluation** page](#convert-to-standard-protection) or by [turning off the evaluation on the **Microsoft Defender for Office 365 evaluation** page](#manage-evaluation-settings) and then [configuring the Standard preset security policy](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+ Later, you can _convert_ to **blocking mode** (Standard preset security policy) using the [**Convert to standard** action on the **Microsoft Defender for Office 365 evaluation** page](#convert-to-standard-protection) or by [turning off the evaluation on the **Microsoft Defender for Office 365 evaluation** page](#manage-evaluation-settings) and then [configuring the Standard preset security policy](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
By definition, organizations with Defender for Office 365 Plan 2 don't require additional licenses to evaluate Defender for Office 365 Plan 2, so evaluations in these organizations are unlimited in duration.
In the **Manage MDO evaluation settings** flyout that opens, the following infor
- Custom domains for domain impersonation protection. - Trusted senders and domains to exclude from impersonation protection.
- The steps are essentially the same as described in the **Impersonation** section in Step 5 at [Use the Microsoft Defender portal to create anti-phishing policies](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies).
+ The steps are essentially the same as described in the **Impersonation** section in Step 5 at [Use the Microsoft Defender portal to create anti-phishing policies](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-create-anti-phishing-policies).
- If impersonation protection is configured in the anti-phishing evaluation policy, this section shows the impersonation protection settings for: - **User impersonation protection**
For your evaluation or trial, you can switch from **audit mode** (evaluation pol
After you select **Convert to standard protection**, read the information in the dialog that opens, and then select **Continue**.
-You're taken to the **Apply standard protection** wizard on the **Preset security policies** page. The list of recipients that are included and excluded from the evaluation or trial are copied into the Standard preset security policy. For more information, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+You're taken to the **Apply standard protection** wizard on the **Preset security policies** page. The list of recipients that are included and excluded from the evaluation or trial are copied into the Standard preset security policy. For more information, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
- The security policies in the Standard preset security policy have a higher priority than the evaluation policies, which means the policies in the Standard preset security are always applied *before* the evaluation policies, even if both are present and turned on. - There's no automatic way to go from **blocking mode** to **audit mode**. The manual steps are:
The following permissions are required in [Microsoft Entra ID](/microsoft-365/ad
- *Create, modify or delete an evaluation or trial*: Membership in the **Security Administrator** or **Global Administrator** roles. - *View evaluation policies and reports in audit mode*: Membership in the **Security Administrator** or **Security Reader** roles.
-For more information about Microsoft Entra permissions in the Microsoft Defender portal, see [Microsoft Entra roles in the Microsoft Defender portal](mdo-portal-permissions.md#azure-ad-roles-in-the-microsoft-365-defender-portal)
+For more information about Microsoft Entra permissions in the Microsoft Defender portal, see [Microsoft Entra roles in the Microsoft Defender portal](mdo-portal-permissions.md#microsoft-entra-roles-in-the-microsoft-defender-portal)
## Frequently asked questions
security User Tags About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md
To see how user tags are part of the strategy to help protect high-impact user a
- For information about securing _privileged accounts_ (admin accounts), see [this article](/purview/privileged-access-management).
-<a name='use-the-microsoft-365-defender-portal-to-create-user-tags'></a>
- ## Use the Microsoft Defender portal to create user tags 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. Or, to go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>.
To see how user tags are part of the strategy to help protect high-impact user a
Back on the **User tags** page, the new tag is listed.
-<a name='use-the-microsoft-365-defender-portal-to-view-user-tags'></a>
- ## Use the Microsoft Defender portal to view user tags In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. Or, to go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>. On the **User tags** page, you can sort the entries by clicking on an available column header. The following columns are available:
- - **Tag**: The name of the user tag.
- - **Applied to**: The number of members
- - **Last modified**
- - **Created on**
+- **Tag**: The name of the user tag.
+- **Applied to**: The number of members
+- **Last modified**
+- **Created on**
Use :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the user tags by **Last modified date**.
The details flyout of the user tag contains the following information, based on
To take action on user tags, see the next section.
-<a name='use-the-microsoft-365-defender-portal-to-take-action-on-user-tags'></a>
- ## Use the Microsoft Defender portal to take action on user tags 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. Or, to go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>.
To take action on user tags, see the next section.
After you select the user tag, the available actions are described in the following subsections.
-<a name='use-the-microsoft-365-defender-portal-to-modify-user-tags'></a>
- ### Use the Microsoft Defender portal to modify user tags After you select the user tag, use either of the following methods to modify it:
After you select the user tag, use either of the following methods to modify it:
- **On the User tags page**: Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears. - **In the details flyout of the selected user tag**: Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action at the top of the flyout.
-The same wizard and most of the same settings are available as described in the [Use the Microsoft Defender portal to create user tags](#use-the-microsoft-365-defender-portal-to-create-user-tags) section earlier in this article, with the following exceptions:
+The same wizard and most of the same settings are available as described in the [Use the Microsoft Defender portal to create user tags](#use-the-microsoft-defender-portal-to-create-user-tags) section earlier in this article, with the following exceptions:
- You can't rename or change the description of the Priority account tag, so the **Define tag** page isn't available for the Priority account tag. - The **Define tag** page is available for custom tags, but you can't rename the tag; you can only change the description.
-<a name='use-the-microsoft-365-defender-portal-to-remove-user-tags'></a>
- ## Use the Microsoft Defender portal to remove user tags You can't remove the built-in Priority account tag.
security Zero Hour Auto Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md
For messages that are identified as malware, ZAP for Teams protection blocks and
### How to see if ZAP blocked a Teams message
-Currently, only admins can view and manage messages that were quarantined by ZAP for Teams protection. For more information, see [Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages).
+Currently, only admins can view and manage messages that were quarantined by ZAP for Teams protection. For more information, see [Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages).
## Zero-hour auto purge (ZAP) FAQ
security Zero Trust Identity Device Access Policies Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview.md
Microsoft 365 for enterprise is designed for large organizations to empower ever
This section provides an overview of the Microsoft 365 services and capabilities that are important for Zero Trust identity and device access.
-<a name='azure-ad'></a>
- ### Microsoft Entra ID Microsoft Entra ID provides a full suite of identity management capabilities. We recommend using these capabilities to secure access.
security Top Security Tasks For Remote Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/top-security-tasks-for-remote-work.md
All Microsoft 365 plans with cloud mailboxes include Exchange Online Protection
Default settings for these EOP features are automatically assigned to all recipients via default policies. But, **to bump up the EOP protection level to Microsoft's recommended Standard or Strict security settings based on observations in the datacenters, turn on and assign the Standard preset security policy (for most users) and/or the Strict preset security policy (for admins and other high-risk users)**. As new protection capabilities are added and as the security landscape changes, the EOP settings in preset security policies are automatically updated to our recommended settings.
-For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
The differences between Standard and Strict are summarized in the table [here](office-365-security/preset-security-policies.md#policy-settings-in-preset-security-policies). The comprehensive settings for Standard and Strict **EOP settings** are described in the tables [here](office-365-security/recommended-settings-for-eop-and-office365.md#anti-spam-anti-malware-and-anti-phishing-protection-in-eop).
Microsoft Defender for Office 365 (included with Microsoft 365 E5 and Office 365
For an overview of Defender for Office 365, including a summary of plans, see [Defender for Office 365](./office-365-security/defender-for-office-365.md).
-The [Built-in protection preset security policy](office-365-security/preset-security-policies.md#profiles-in-preset-security-policies) gives Safe Links and Safe Attachments protection to all recipients by default, but you can [specify exceptions](office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy).
+The [Built-in protection preset security policy](office-365-security/preset-security-policies.md#profiles-in-preset-security-policies) gives Safe Links and Safe Attachments protection to all recipients by default, but you can [specify exceptions](office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy).
As in the previous section, **to bump up the Defender for Office 365 protection level to Microsoft's recommended Standard or Strict security settings based on observations in the datacenters, turn on and assign the Standard preset security policy (for most users) and/or the Strict preset security policy (for admins and other high-risk users)**. As new protection capabilities are added and as the security landscape changes, the Defender for Office 365 settings in preset security policies are automatically updated to our recommended settings. The users that you select for **Defender for Office 365 protection** in preset security policies get Microsoft's recommended Standard or Strict security settings for Safe Attachments and Safe Links. You also need to add entries and optional exceptions for [user impersonation and domain impersonation protection](office-365-security/anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
-For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+For instructions, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
The differences between **Defender for Office 365 protection** settings in Standard and Strict are summarized in the table [here](office-365-security/preset-security-policies.md#policy-settings-in-preset-security-policies). The comprehensive settings for Standard and Strict **Defender for Office 365 protection** settings are described in the tables [here](office-365-security/recommended-settings-for-eop-and-office365.md#microsoft-defender-for-office-365-security).
syntex Backup Pricing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/backup/backup-pricing.md
description: Learn about the charge model and pricing calculator for Microsoft 3
## Microsoft 365 Backup charge model
-The Microsoft 365 Backup service, offered through the Microsoft 365 admin center, is a [pay-as-you-go consumption-based service](../syntex-pay-as-you-go-services.md). The preview list price is $0.15/GB/mo of protected content. The size of protected content is equal to the cumulative size of the mailboxes being protected plus the size of the SharePoint sites and OneDrive accounts being protected (that is, the size of the live OneDrive accounts and SharePoint sites as display in the live sitesΓÇÖ usage reports) plus the size of any deleted/versioned content held for restore during the protection period.
+The Microsoft 365 Backup service, offered through the Microsoft 365 admin center, is a [pay-as-you-go consumption-based service](../syntex-pay-as-you-go-services.md). The preview list price is $0.15/GB/month of protected content.
+
+### WhatΓÇÖs counted towards protected backup storage?
+
+Microsoft 365 Backup will charge you for content size of the following for 365 days from when it is added to backup protection:
+
+- Cumulative back up size of the mailboxes, SharePoint sites, and OneDrive accounts being protected. Size of OneDrive accounts and SharePoint sites are the size of the live OneDrive accounts and SharePoint sites as displayed in the live sitesΓÇÖ usage reports. Mailboxes are the size of the user's mailbox plus their online archives plus deleted items held for Backup.
+
+- Deleted content in userΓÇÖs Recycle Bin and second-stage Recycle Bin (also known as Site Collection Recycle Bin).
+
+> [!NOTE]
+> Restore points or size of restores will not be charged.
As an example, if you have a site under protection that is currently 1 GB for the first month, you'll be charged 1 GB of Backup usage. If you delete content in that site such that it's now only 0.5 GB, your next monthly bill will still be for 1 GB since the backup tool is retaining that deleted content for a year. After a year when the backup of that deleted content expires, the 0.5 GB being retained for backup purposes will no long be charged for Backup. > [!NOTE]
-> These prices are subject to change when the product becomes generally available. A partner application integrated with Microsoft 365 Backup Storage might charge a different rate for their service.
+> These prices are subject to change when the product becomes generally available. A partner application integrated with Microsoft 365 Backup storage might charge a different rate for their service.
<!<Include charge model video >>
syntex Backup Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/backup/backup-setup.md
audience: admin Previously updated : 01/17/2024 Last updated : 03/06/2024
description: Learn how to set up and configure Microsoft 365 Backup and backup p
> [!NOTE] > Microsoft 365 Backup (Preview) is now available worldwide in all commercial cloud environments. This preview feature is subject to change and [limitations as defined](backup-limitations.md). Before you begin, read the [Microsoft 365 Backup preview terms and conditions](backup-preview-terms.md).
-Get started with Microsoft 365 Backup by following the simple three steps in the Microsoft 365 admin center.
+Get started with Microsoft 365 Backup by following these simple three steps in the Microsoft 365 admin center.
![Diagram showing the three-step setup process for Microsoft 365 Backup.](../../media/content-understanding/backup-setup-diagram.png) <!<insert how-to Affirma video ΓÇô https://aka.ms/M365Backup-how-to-video> >
-## Prerequisites
-
-### Set up pay-as-you-go billing
+## Step 1: Set up pay-as-you-go billing
As a first step to sign up for Microsoft 365 Backup, you should first link an Azure subscription in [Syntex pay-as-you-go](https://admin.microsoft.com/Adminportal/Home#/featureexplorer/csi/ContentUnderstanding), if you haven't already done so. Although Microsoft 365 Backup isn't part of the Syntex product suite, this offering is still using the Syntex billing setup for consistency with other Microsoft 365 pay-as-you-go offerings.
To set up pay-as-you-go billing, follow the steps in [Configure Microsoft Syntex
You must have Global admin or SharePoint admin permissions to access the Microsoft 365 admin center and set up Microsoft 365 Backup.
-### Enable Microsoft 365 Backup
+## Step 2: Turn on Microsoft 365 Backup
To enable Microsoft 365 Backup, you'll need to go to the Microsoft 365 admin center.
To enable Microsoft 365 Backup, you'll need to go to the Microsoft 365 admin cen
7. Review the applicable [terms of service for Microsoft 365 Backup](backup-preview-terms.md) and select **Confirm**. ![Screenshot of the Turn on Backup panel and the Confirm button.](../../media/content-understanding/backup-setup-turn-on.png)-
+<!
8. Select **Go to Microsoft 365 Backup** to start setting up Microsoft 365 Backup on OneDrive, SharePoint, or Exchange. ![Screenshot of the Microsoft 365 Backup page showing SharePoint, Exchange, and OneDrive.](../../media/content-understanding/backup-setup-backup-page.png)
+>
-## Admin roles and backup management privileges
+## Step 3: Create backup policies to protect your data
-Only tenant-level admins can create and manage backups using Microsoft 365 Backup for their users. End users don't have the ability to enable backup or restores for their user account, distribution lists, mailboxes, or sites. ItΓÇÖs important to note that your admin role determines which products you can manage with Microsoft 365 Backup. In the future, we might introduce a Backup admin role that can control the entire tool.
+Now that you have enabled Microsoft 365 Backup for your organization, follow through to create policies and start protecting your content.
-|Admin role |OneDrive |SharePoint |Exchange |
-|||||
-|Global admin | Γ£ô | Γ£ô | Γ£ô |
-|SharePoint admin | Γ£ô | Γ£ô | |
-|Exchange admin | | | Γ£ô |
-
-## Glossary
--- **Protection units** ΓÇô SharePoint sites, OneDrive accounts, or Exchange Online mailboxes backed up by the Microsoft 365 Backup tool.
+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).
-- **Restore point** ΓÇô A prior point in time from which you can restore a version of your content and metadata. If the protection unit from a prior point in time is identical to the present state of your data, then a restore from that point will have no impact on your current data.
+2. Select **Settings**.
-- **RPO** ΓÇô Recovery point objective, or how close in time the most recent restore point is to an impacting event.
+3. Select **Microsoft 365 Backup** from the list of products.
-- **RTO** ΓÇô Recovery time objective, or how fast a restore to a prior point in time can complete.
+ ![Screenshot of the Microsoft 365 admin center panel showing Settings and Microsoft 365 Backup.](../../media/content-understanding/backup-setup-admin-center-panel.png)
-## Set up backup policies for OneDrive, SharePoint, and Exchange
+### Set up backup policies for OneDrive, SharePoint, and Exchange
To use Microsoft 365 Backup for OneDrive, SharePoint, or Exchange, you need to create a backup policy for each product. A *policy* represents the backup plan defined by admins for protecting the Microsoft 365 data of an organization.
Follow these steps to set up a backup policy for SharePoint sites using Microsof
# [Exchange](#tab/exchange)
-Follow these steps to set up a backup policy for Exchange mailboxes sites using Microsoft 365 Backup. Ensure that Microsoft 365 Backup is [enabled for your tenant](#enable-microsoft-365-backup).
+Follow these steps to set up a backup policy for Exchange mailboxes sites using Microsoft 365 Backup. Ensure that Microsoft 365 Backup is [enabled for your tenant](#turn-on-microsoft-365-backup).
1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).
Follow these steps to set up a backup policy for Exchange mailboxes sites using
![Screenshot of the Exchange backup policy created page.](../../media/content-understanding/backup-policy-created-exchange.png) +
+## Admin roles and backup management privileges
+
+Only tenant-level admins can create and manage backups using Microsoft 365 Backup for their users. End users don't have the ability to enable backup or restores for their user account, distribution lists, mailboxes, or sites. ItΓÇÖs important to note that your admin role determines which products you can manage with Microsoft 365 Backup. In the future, we might introduce a Backup admin role that can control the entire tool.
+
+|Admin role |OneDrive |SharePoint |Exchange |
+|||||
+|Global admin | Γ£ô | Γ£ô | Γ£ô |
+|SharePoint admin | Γ£ô | Γ£ô | |
+|Exchange admin | | | Γ£ô |
+
+## Glossary
+
+- **Protection units** ΓÇô SharePoint sites, OneDrive accounts, or Exchange Online mailboxes backed up by the Microsoft 365 Backup tool.
+
+- **Restore point** ΓÇô A prior point in time from which you can restore a version of your content and metadata. If the protection unit from a prior point in time is identical to the present state of your data, then a restore from that point will have no impact on your current data.
+
+- **RPO** ΓÇô Recovery point objective, or how close in time the most recent restore point is to an impacting event.
+
+- **RTO** ΓÇô Recovery time objective, or how fast a restore to a prior point in time can complete.