-description: "Set up Microsoft Defender for Office 365 and safeguard sensitive data against phishing, malware, and other threats."

-Check out [Microsoft 365 small business help](https://go.microsoft.com/fwlink/?linkid=2197659) on YouTube.

-This article helps you increase the protection in your Microsoft 365 subscription to protect against phishing, malware, and other threats. These recommendations are appropriate for organizations with an increased need for security, like law offices and health care clinics.

-Before you begin, check your Office 365 Secure Score. Office 365 Secure Score analyzes your organization's security based on your regular activities and security settings, and assigns a score. Begin by taking note of your current score. To increase your score, complete the actions recommended in this article. The goal isn't to achieve the maximum score, but to be aware of opportunities to protect your environment that don't negatively affect productivity for your users.

-For more information, see [Microsoft Secure Score](../../security/defender/microsoft-secure-score.md).

-## Watch: Raise the level of protection against malware in mail

-Your Office 365 or Microsoft 365 environment includes protection against malware. You can increase this protection by blocking attachments with file types that are commonly used for malware.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4OA7Z?autoplay=false]

-1. From the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, choose **Show more**, **Admin centers**, and then **Security**.

-1. Go to **Email & collaboration** \> **Policies & rules** \> **Threat policies**.

-1. From the policies available, choose **Anti-malware**.

-To increase malware protection in email:

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-malware** in the **Policies** section.

-1. On the **Anti-malware** page, double-click on **Default (Default)**. A flyout appears.

-1. Select **Edit protection settings** at the bottom of the flyout.

-1. under **Protection settings**, select the checkbox next to **Enable the common attachments filter**. The file types that are blocked are listed directly below this control. Make sure that you add these file types:

- `ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif`

- To add or delete file types, select **Customize file types** at the end of the list.

-1. Select **Save.**

-For more information, see [Anti-malware protection in EOP](../../security/office-365-security/anti-malware-protection-about.md).

-## Watch: Protect against ransomware

-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198018).

-Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for "ransom," usually in the form of cryptocurrencies like Bitcoin, in exchange for access to data.

-To protect against ransomware, create one or more mail flow rules to block file extensions that are commonly used for ransomware. (You added these rules in the [Watch: Raise the level of protection against malware in mail](#watch-raise-the-level-of-protection-against-malware-in-mail) step.) You can also warn users who receive these attachments in email.

-In addition to the files that you blocked in the previous step, it's a good practice to create a rule to warn users before opening Office file attachments that include macros. Ransomware can be hidden inside macros, so warn users not to open these files from people they don't know.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWrWGt?autoplay=false]

-1. From the admin center at [https://admin.microsoft.com](https://admin.microsoft.com), choose **Exchange** under **Admin centers**.

-1. From the menu on the left, choose **mail flow**.

-

-1. On the rules tab, choose the arrow next to the plus (+) symbol, and then choose **Create a new rule**.

-1. On the **new rule** page, enter a name for your rule, scroll to the bottom, and then choose **More options**.

-To create a mail transport rule:

-1. Go to the admin center at <https://admin.microsoft.com>, and choose **Admin centers** \> **Exchange**.

-2. In the **mail flow** category, select **rules**.

-3. Select **+**, and then select **Create a new rule**.

-4. Select **More options** at the bottom of the dialog box to see the full set of options.

-5. Apply the settings in the following table for the rule. Use the default values for the rest of the settings, unless you want to change them.

-6. Select **Save**.

-|Setting|Warn users before opening attachments of Office files|

-|||

-|Name|Anti-ransomware rule: warn users|

-|Apply this rule if . . .|Any attachment . . . file extension matches . . .|

-|Specify words or phrases|Add these file types: <br/> dotm, docm, xlsm, sltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm|

-|Do the following . . .|Notify the recipient with a message|

-|Provide message text|Do not open these types of files from people you do not know because they might contain macros with malicious code.|

-For more information, see:

-## Stop auto-forwarding for email

-Hackers who gain access to a user's mailbox can steal mail by setting the mailbox to automatically forward email. This can happen even without the user's awareness. To prevent this from happening, configure a mail flow rule.

-To create a mail transport rule, follow these steps:

-1. In the Microsoft 365 admin center, select **Admin centers** \> **Exchange**.

-2. In the **mail flow** category, select **rules**.

-3. Select **+**, and then select **Create a new rule**.

-4. To see all the options, select **More options** at the bottom of the dialog box.

-5. Apply the settings in the following table. Use the default values for the rest of the settings, unless you want to change them.

-6. Select **Save**.

-|Setting|Warn users before opening attachments of Office files|

-|||

-|Name|Prevent auto forwarding of email to external domains|

-|Apply this rule if ...|The sender . . . is external/internal . . . Inside the organization|

-|Add condition|The message properties . . . include the message type . . . Auto-forward|

-|Do the following ...|Block the message . . . reject the message and include an explanation.|

-|Provide message text|Auto-forwarding email outside this organization is prevented for security reasons.|

-## Watch: Protect your email from phishing attacks

-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198014).

-If you've configured one or more custom domains for your Office 365 or Microsoft 365 environment, you can configure targeted anti-phishing protection. Anti-phishing protection, part of Microsoft Defender for Office 365, can help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. If you haven't configured a custom domain, you don't need to do this.

-We recommend that you get started with this protection by creating a policy to protect your most important users and your custom domain.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWvt9r?autoplay=false]

-1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>.

-2. Go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-3. On the **Anti-phishing** page, select **+ Create**. A wizard launches that steps you through defining your anti-phishing policy.

-4. Specify the name, description, and settings for your policy as recommended in the following table. For more details, see [Learn about anti-phishing policy in Microsoft Defender for Office 365 options](../../security/office-365-security/anti-phishing-policies-about.md).

-5. After you've reviewed your settings, choose **Create this policy** or **Save**, as appropriate.

-|Setting or option|Recommended setting|

-|||

-|Name|Domain and most valuable campaign staff|

-|Description|Ensure most important staff and our domain are not being impersonated.|

-|Add users to protect|Select **+ Add a condition, The recipient is**. Type user names or enter the email address of the candidate, campaign manager, and other important staff members. You can add up to 20 internal and external addresses that you want to protect from impersonation.|

-|Add domains to protect|Select **+ Add a condition, The recipient domain is**. Enter the custom domain associated with your Microsoft 365 subscription, if you defined one. You can enter more than one domain.|

-|Choose actions|If email is sent by an impersonated user: Choose **Redirect message to another email address**, and then type the email address of the security administrator; for example, *Alice<span><span>@contoso.com*. If email is sent by an impersonated domain: Choose **Quarantine message**.|

-|Mailbox intelligence|By default, mailbox intelligence is selected when you create a new anti-phishing policy. Leave this setting **On** for best results.|

-|Add trusted senders and domains|Here you can add your own domain, or any other trusted domains.|

-|Applied to|Select **The recipient domain is**. Under **Any of these**, select **Choose**. Select **+ Add**. Select the check box next to the name of the domain, for example, *contoso.<span><span>com*, in the list, and then select **Add**. Select **Done**.|

-## Watch: Protect against malicious attachments and files with Safe Attachments

-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198019).

-People regularly send, receive, and share attachments, such as documents, presentations, spreadsheets, and more. It's not always easy to tell whether an attachment is safe or malicious just by looking at an email message. Microsoft Defender for Office 365, formerly called Microsoft 365 ATP, or Advanced Threat Protection, includes Safe Attachment protection, but this protection is not turned on by default. We recommend that you create a new rule to begin using this protection. This protection extends to files in SharePoint, OneDrive, and Microsoft Teams.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWtn3I?autoplay=false]

-1. Go to the [admin center](https://admin.microsoft.com), and select **Setup**.

-1. Scroll down to **Increase protection from advanced threats**. Select **View**, **Manage**, and then **ATP safe attachments**.

-1. Select your safe attachments rule, and then choose the **Edit** icon.

-1. Select **settings**, and then verify that Block is selected.

-1. Scroll down. Choose **Enable redirect**, and enter your email address or the address of the person you want to review the blocked attachments.

-1. Select **applied to**, and then select your domain name.

-1. Choose any additional domains you own (such as your onmicrosoft.com domain) that you would like the rule applied to. Select **add**, and then **OK**.

-1. Select **Save**.

-Your ATP safe attachments rule has been updated. Now that protection is in place, you won't be able to open a malicious file from Outlook, OneDrive, SharePoint, or Teams. Affected files will have red shields next to them. If someone attempts to open a blocked file, they'll receive a warning message.

-After your policy has been in place for a while, visit the Reports page to see what has been scanned.

-1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, and sign in with your admin account.

-2. Go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-malware** in the **Policies** section.

-3. Select **+ Create** to create a new policy.

-4. Apply the settings in the following table.

-5. After you have reviewed your settings, select **Create this policy** or **Save**, as appropriate.

-|Setting or option|Recommended setting|

-|||

-|Name|Block current and future emails with detected malware.|

-|Description|Block current and future emails and attachments with detected malware.|

-|Save attachments unknown malware response|Select **Block - Block the current and future emails and attachments with detected malware**.|

-|Redirect attachment on detection|Enable redirection (select this box) Enter the admin account or a mailbox setup for quarantine. Apply the above selection if malware scanning for attachments times out or error occurs (select this box).|

-|Applied to|The recipient domain is . . . select your domain.|

-For more information, see [Set up anti-phishing policies in Microsoft Defender for Office 365](../../security/office-365-security/anti-phishing-policies-about.md).

-## Watch: Protect against phishing attacks with Safe Links

-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198201).

-Hackers sometimes hide malicious websites in links in email or other files. Safe Links, part of Microsoft Defender for Office 365, can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Protection is defined through Safe Links policies.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWvdwy?autoplay=false]

-Microsoft Defender for Office 365, formerly called Microsoft 365 ATP, or Advanced Threat Protection, helps protect your business against malicious sites when people click links in Office apps.

-1. Go to the [admin center](https://admin.microsoft.com), and select **Setup**.

-1. Scroll down to **Increase protection from advanced threats**. Select **Manage**,and then **Safe Links**.

-1. Select **Global Settings** and in **Block the following URLs**, enter the URL that you want to block.

-We recommend that you do the following:

-To set up Safe Links, complete the following steps:

-1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, and sign in with your admin account.

-2. o to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-malware** in the **Policies** section.

-3. Select **+ Create** to create a new policy, or modify the default policy.

-To modify the default policy:

-1. Double-click the **Default** policy. A flyout appears.

-2. Select **Edit protection settings** at the bottom of the flyout.

-3. After modifying the default policy, select **Save**.

-|Setting or option|Recommended setting|

-|||

-|Name|Safe links policy for all recipients in the domain|

-|Select the action for unknown potentially malicious URLs in messages|Select **On - URLs will be rewritten and checked against a list of known malicious links when user clicks on the link**.|

-|Use Safe Attachments to scan downloadable content|Select this box.|

-|Applied to|The recipient domain is . . . select your domain.|

-For more information, see [Safe Links](../../security/office-365-security/safe-links-about.md).

-## Go to Intune admin center

-1. Sign in to [Azure portal](https://portal.azure.com/).

-2. Select **All services** and type in *Intune* in the **Search Box**.

-3. Once the results appear, select the start next to **Microsoft Intune** to make it a favorite and easy to find later.

-In addition to the admin center, you can use Intune to enroll and manage your organization's devices. For more information, see [Capabilities by enrollment method for Windows devices](/intune/enrollment/enrollment-method-capab) and [Enrollment options for devices managed by Intune](/intune/enrollment-options).

-description: "Various metrics are available on the main Bookings page, allowing you to easily track revenue and customer activity."

-# Microsoft Bookings metrics and activity tracking

-Various metrics are available on the main Bookings page, allowing you to easily track revenue and customer activity.

-| Metric | Description |

-|:|:|

-| Bookings activities | The 30-day activity period shows the last 30 days, including today. **Bookings made**, **Estimated revenue**, and **Customers booked** are all calculated. |

-| Bookings made | The number of bookings that are either taking place today or have taken place in the last 30 days. You may use this information to see if youΓÇÖre meeting your estimated sales expectations and to forecast for the next 30 days. |

-| Estimated revenue | This shows the estimated revenue that youΓÇÖve earned through Bookings and is calculated based on the price that youΓÇÖve defined for each service. This is an estimate because you may have charged a different fee at service time, the fee was set to an hourly charge, youΓÇÖve gotten tips, or a customer hasn't paid yet. For example, if your service is charging $10 per hour and the booking is 2 hours long, Bookings will only estimate $10 for that service.<br/><br/>**Important:** This is only an estimate and does not guarantee your actual revenue. |

-| Customers booked | The number of customers who have booked appointments for today and for the last 30 days.<br/><br/>**Note:** This metric shows the number of customers who have booked appointments, not the total number of appointments. For example, if one customer booked three appointments in the last 30 days and two more customers made one booking each, youΓÇÖll see three customers booked. |

-If a former employee returns to your organization, or if a new employee is hired to take on the job responsibilities of the departed employee, you can recover the contents of the inactive mailbox.

-### Scenario 2 Show policy tip as oversharing popup (preview)

-> [!IMPORTANT]

-> This is a hypothetical scenario with hypothetical values. It's only for illustrative purposes. You should substitute your own sensitive information types, sensitivity labels, distribution groups and users.

-#### Scenario 2 pre-requisites and assumptions

-This scenario uses the *Highly confidential* sensitivity label, so it requires that you have created and published sensitivity labels. To learn more, see:

-This procedure uses a hypothetical company domain at Contoso.com.

-#### Scenario 2 policy intent and mapping

-*We need to block emails to all recipients that have the ΓÇÿhighly confidentialΓÇÖ sensitivity label applied except if the recipient domain is contoso.com. We want to notify the user on send with a popup dialogue and no one can be allowed to override the block.*

-|Statement|Configuration question answered and configuration mapping|

-|||

-|"We need to block emails to all recipients..."|- **Where to monitor**: Exchange </br>- **Administrative scope**: Full directory </br>- **Action**: Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files > Block everyone |

-|"...that have the 'highly confidential' sensitivity label applied..."| - **What to monitor**: use the Custom template </br> - **Conditions for a match**: edit it to add the *highly confidential* sensitivity label|

-|"...except if..."| **Condition group configuration** - Create a nested boolean NOT condition group joined to the first conditions using a boolean AND|

-|"...the recipient domain is contoso.com."| **Condition for match**: Recipient domain is|

-|"...Notify..."|**User notifications**: enabled|

-|"...the user on send with a popup dialogue..."| **Policy tips**: selected </br> - **Show policy tip as a dialog for the end user before send**: selected|

-|"...and no one can be allowed to override the block...| **Allow overrides from M365 Services**: not selected|

-#### Steps to create policy for scenario 2

-> [!IMPORTANT]

-> For the purposes of this policy creation procedure, you'll accept the default include/exclude values and leave the policy turned off. You'll be changing these when you deploy the policy.

-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>.

-1. In the Microsoft Purview compliance portal \> left navigation \> **Solutions** \> **Data loss prevention** \> **Policies** \> **+ Create policy**.

-1. Select **Custom** from the **Categories** list.

-

-1. Select **Custom** from the **Templates** list.

-

-1. Give the policy a name.

-> [!IMPORTANT]

-> Policies cannot be renamed.

-5. Fill in a description. You can use the policy intent statement here.

-1. Select **Next**.

-1. Select **Full directory** under **Admin units**.

-1. Set the **Exchange email** location status to **On**. Set all the other location status to **Off**.

-1. Select **Next**.

-1. Accept the default values for **Include** = **All** and **Exclude** = **None**.

-

-1. The **Create or customize advanced DLP rules** option should already be selected.

-

-1. Select **Next**.

-

-1. Select **Create rule**. Name the rule and provide a description.

-1. Select **Add condition** > **Content contains** > **Add** > **Sensitivity labels** > **Highly confidential**. Choose **Add**.

-

-1. Select **Add group** > **AND** > **NOT** > **Add condition**.

-1. Select **Recipient domain is** > **contoso.com**. Choose **Add**.

-

-1. Select **Add and action** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams file.** > **Block everyone**.

-

-1. Set **User notifications** to **On**.

-

-1. Select **Policy tips** > **Show the policy tip as a dialog for the end user before send**.

-

-1. Make sure that **Allow override from M365 services** *isn't* selected.

-

-1. Choose **Save**.

-

-1. Choose **Next** > **Keep it off** > **Next** > **Submit**.

-1. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) - This article presents some common policy intent scenarios that you'll map to configuration options. It also walks you through configuring those options.

-Also, you need to be aware of the following constraints of the platform:

- - In a policy: Limited by the size of the policy

- - In a tenant: 600

-At this level, an administrative unit restricted admin will only be able to pick from the administrative units that they're assigned to.

-Conditions are where you define what you want the rule to look for and context in which those items are being used. They tell the ruleΓÇöwhen you find an item that looks like *this* and is being used like *thatΓÇöit's a match and the rest of the actions in the policy should be taken on it. You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

-#### DLP Platform Limitations for Conditions

-|Predicate | Workload | Limit | Cost of Evaluation |

-|-|-|--|--|

-|Content Contains | EXO/SPO/ODB | 125 SITs per rule | High |

-|Content is shared from Microsoft 365 | EXO/SPO/ODB | - | High |

-|Sender IP address is | EXO | Individual range length <= 128; Count <= 600 |Low|

-|Has sender overridden the policy tip |EXO | - | Low |

-|Sender is | EXO | Individual email length <= 256; Count <= 600| Medium |

-|Sender is a member of | EXO | Count <= 600 | High |

-|Sender domain is | EXO | Domain name length <= 67; Count <= 600 |Low |

-|Sender address contains words | EXO |Individual word length <= 128; Count <= 600 | Low |

-|Sender address matches patterns | EXO |Regex length <= 128 char; Count <= 600 | Low |

-|Sender AD attribute contains words | EXO | Individual word length <= 128; Count <= 600 | Medium |

-|Sender AD attribute matches patterns | EXO | Regex length <= 128 char; Count <= 600 | Medium |

-|Content of email attachment(s) can't be scanned|EXO| [Supported file types](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection) | Low |

-|Incomplete scan of email attachment content | EXO | Size > 1 MB | Low |

-|Attachment is password-protected | EXO | File types: Office files, ZIP, and 7z |Low|

-|Attachment's file extension is |EXO/SPO/ODB | Count <= 50 | High|

-|Recipient is a member of |EXO | Count <= 600 | High |

-|Recipient domain is | EXO| Domain name length <= 67; Count <= 5000 | Low |

-|Recipient is | EXO | Individual email length <= 256; Count <= 600 |Low |

-|Recipient address contains words | EXO | Individual word length <= 128; Count <= 600 | Low |

-|Recipient address matches patterns | EXO | Count <= 300 | Low|

-|Document name contains words or phrases | EXO | Individual word length <= 128; Count <=600 |Low|

-|Document Name matches patterns| EXO | Regex length <= 128 char; Count <= 300 |Low|

-|Document property is | EXO/SPO/ODB | - | Low |

-|Document size equals or is greater than | EXO | - | Low|

-|Subject contains words or phrases | EXO | Individual word length <= 128; Count <= 600| Low|

-|Header contains words or phrases | EXO | Individual word length <= 128; Count <= 600 |Low|

-|Subject or body contains words or phrases |EXO| Individual word length <= 128; Count <= 600 |Low|

-|Content character set contains words |EXO | Count <= 600 |Low|

-|Header matches patterns |EXO | Regex length <= 128 char; Count <= 300 | Low|

-|Subject matches patterns|EXO | Regex length <= 128 char; Count <= 300 | Low|

-|Subject or body matches patterns |EXO |Regex length <= 128 char; Count <= 300 | Low|

-|Message type is | EXO| - | Low|

-|Message size over | EXO | - | Low|

-|With importance | EXO | - | Low|

-|Sender AD attribute contains words |EXO| Each attribute key value pair: has Regex length <= 128 char; Count <= 600 | Medium |

-|Sender AD attribute matches patterns |EXO | Each attribute key value pair: has Regex length <= 128 char; Count <= 300 | Medium|

-|Document contains words | EXO | Individual word length <= 128; Count <= 600 | Medium|

-|Document matches patterns| EXO| Regex length <= 128 char; Count <= 300 | Medium|

-#### DLP Platform Limitations for Actions

-|Action Name | Workload | Limits |

-||||

-|Restrict access or encrypt content in Microsoft 365| EXO/SPO/ODB | |

-|Set headers | EXO | |

-|Remove header | EXO | |

-|Redirect the message to specific users | EXO| Total of 100 across all DLP rules. Cannot be DL/SG|

-|Forward the message for approval to sender's manager | EXO | Manager should be defined in AD|

-|Forward the message for approval to specific approvers |EXO | Groups aren't supported|

-|Add recipient to the **To** box | EXO | Recipient count <= 10; Cannot be DL/SG|

-|Add recipient to the **Cc** box | EXO | Recipient count <= 10; Cannot be DL/SG|

-|Add recipient to the **Bcc** box | EXO | Recipient count <= 10; Cannot be DL/SG|

-|Add the sender's manager as recipient | EXO | Manager attribute should be defined in AD|

-|Apply HTML disclaimer| EXO| |

-|Prepend subject| EXO| |

-|Apply OME| EXO | |

-|Remove OME | EXO | |

-When a user attempts an action on a sensitive item in a context that meets the conditions of a rule, you can let them know about it through user notification emails and in- context policy tip popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.

-*%%AppliedActions%% File name %%FileName%% via %%ProcessName%% isn't allowed by your organization. Select 'Allow' if you want to bypass the policy %%PolicyName%%*

-*pasting from the clipboard File Name: Contoso doc 1 via WINWORD.EXE isn't allowed by your organization. Select the 'Allow' button if you want to bypass the policy Contoso highly confidential*

-|Kind|The type of email message to search for. Possible values: <p> contacts <p> docs <p> email <p> externaldata <p> faxes <p> im <p> journals <p> meetings <p> microsoftteams (returns items from chats, meetings, and calls in Microsoft Teams) <p> notes <p> posts <p> rssfeeds <p> tasks <p> voicemail|`kind:email` <p> `kind:email OR kind:im OR kind:voicemail` <p> `kind:externaldata`|The first example returns email messages that meet the search criteria. The second example returns email messages, instant messaging conversations (including Skype for Business conversations and chats in Microsoft Teams), and voice messages that meet the search criteria. The third example returns items that were imported to mailboxes in Microsoft 365 from third-party data sources, such as Twitter, Facebook, and Cisco Jabber, that meet the search criteria. For more information, see [Archiving third-party data in Office 365](https://www.microsoft.com/?ref=go).|

- |Export only indexed items <br/> |Exported<br/> |Exported (included with the indexed items that are exported)<br/> |Not exported <br/>|

- |Export indexed and partially indexed items <br/> |Exported<br/> |Exported (included with the indexed items that are exported)<br/> |Exported (as partially indexed items)<br/>|

-In Content search and Microsoft Purview eDiscovery (Standard), you can't use a date range to exclude partially indexed items from being returned by a search query. In other words, partially indexed items that fall outside of a date range are still included as partially indexed items in the search statistics and when you export partially indexed items. In eDiscovery (Premium), you can exclude partially indexed items by using a date range in a search query.

-An inactive mailbox (which is a type of soft-deleted mailbox) is used to retain a former employee's email after they leave your organization. If another employee takes on the job responsibilities of the departed employee or if that employee returns to your organization, there are two ways that you can make the contents of the inactive mailbox available to a user:

- - The equivalent of this configuration is now rolling out in preview. For more information, see the scenario guidance to [show a policy tip as oversharing popup](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview)

-> For this scenario, Outlook calendar events are still rolling out in general availability for Windows and macOS.

-|Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Current Channel: Rolling to 2302+ | Rolling out: 16.70+ ^\* | Under review | Under review | Yes |

-|[Preventing oversharing as DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview)| Preview: Rolling out to [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Under review |

- If you donΓÇÖt have this information, contact Blue Yonder support. The account is created at the root enterprise level by a Blue Yonder enterprise administrator. It must have API Access, Client Admin, and Store Manager access. The account and password are required to create a connection.

- [](../media/shifts-connector-by-permission.png#lightbox)

- **Some features in this article require [Microsoft Syntex - SharePoint Advanced Management](/sharepoint/advanced-management)**

-If tamper protection is turned on for your organization, you won't be able to make changes to individual settings that are tamper protected. However, if you're managing tamper protection and devices in Intune, you can edit exclusions for Microsoft Defender Antivirus. See [Tamper protection for exclusions](manage-tamper-protection-intune.md#tamper-protection-for-exclusions).

-New functionality is rolling out now to protect Microsoft Defender Antivirus exclusions on devices that are managed by Intune. Certain conditions must be met. See [What about exclusions](prevent-changes-to-security-settings-with-tamper-protection.md#what-about-exclusions)?

-When tamper protection is turned on, tamper-protected settings can't be changed from their default value, even if you're using Intune to manage your security settings. Changes might appear to be successful in Intune, but won't actually be allowed by tamper protection. For the most current list of tamper protected settings, contact support.

-You can use a registry key to determine whether the functionality to protect Microsoft Defender Antivirus exclusions is enabled.

-1. On a Windows device open Registry Editor. (Read-only mode is fine; you won't be editing the registry key.)

-2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features` (or `HKLM\SOFTWARE\Microsoft\Windows Defender\Features`), and look for a `REG_DWORD` entry called **TPExclusions**.

- - If **TPExclusions** has a value of `1`, then all required conditions are met, and the new functionality to protect exclusions is enabled on the device. In this case, exclusions are tamper protected.

- - If **TPExclusions** has a value of `0`, then tamper protection isn't currently protecting exclusions on the device.

-> [!CAUTION]

-> Do not change the value of **TPExclusions**. Use the preceding procedure for information only. Changing the key will have no effect on whether tamper protection applies to exclusions.

- > Only admins and users who have "Manage Portal Settings" permissions can enable live response.

-ms.pagetype: security

-ms.sitesec: library

-If you're using [version 2006 of Configuration Manager](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Intune admin center, and then deliver endpoint security configuration policies to on-premises collections & devices.

-> [!NOTE]

-> The procedure can be used to extend tamper protection to devices running Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2019, and Windows Server 2022. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. For Windows Server 2012 R2 running the modern, unified solution [version 2203 of Configuration Manager](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2203) is required.

-3. Deploy the policy to your device collection.

-## Need help with this method?

-See the following resources:

-ms.pagetype: security

-ms.sitesec: library

-If you're a home user, or you aren't subject to settings managed by a security team, you can use the Windows Security app to manage tamper protection. You must have appropriate admin permissions on your device to do change security settings, such as tamper protection.

-Here's what you see in the Windows Security app:

-[Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) helps protect your security settings from being disabled or changed. If your organization uses [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), you manage tamper protection for your organization in the [Intune admin center](https://endpoint.microsoft.com). With Intune, you can enable tamper protection on some, but not all devices. You can also tamper protect exclusions that are defined for Microsoft Defender Antivirus.

-Tamper protection is part of anti-tampering capabilities that include [standard protection attack surface reduction rules](attack-surface-reduction-rules-reference.md).

-> If you're using Microsoft Intune to manage Defender for Endpoint settings, we recommend setting [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp#configurationdisablelocaladminmerge) to true on devices.

-> When tamper protection is turned on, tamper protected settings cannot be changed from their default value. Changes might appear to be successful in Intune, but will not actually be allowed by tamper protection. For the most current list of tamper protected settings, contact support.

-> If your devices are not enrolled in Microsoft Defender for Endpoint, tamper protection will show as **Not Applicable** until the onboarding process completes.

- - **TamperProtection (Device): Enable**

-3. Assign the profile to one or more groups.

-## How to tell if a Windows device is managed by Intune

-You can use a registry key to confirm whether a Windows device is managed by Intune, or co-managed by Intune and Configuration Manager.

-1. On a Windows device open Registry Editor. (Read-only mode is fine; you won't be editing the registry key.)

-2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender` (or `HKLM\SOFTWARE\Microsoft\Windows Defender`), and look for a `REG_DWORD` entry called **ManagedDefenderProductType**.

- - If **ManagedDefenderProductType** has a value of `6`, then the device is managed by Intune.

- - If **ManagedDefenderProductType** has a value of `7`, then the device is [co-managed](/mem/configmgr/comanage/overview) by Intune and Configuration Manager.

-> [!CAUTION]

-> Do not change the value of **ManagedDefenderProductType**. Use the preceding procedure for information only. Changing the key will have no effect on how the device is managed.

-## Tamper protection for exclusions

-If your organization has [exclusions defined for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md), tamper protection will protect those exclusions, provided all of the following conditions are met:

-> For more detailed information about exclusions, see [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).

-### How to determine whether the functionality to protect exclusions is enabled on a Windows device

- - If **ManagedDefenderProductType** has a value of `7`, then the device is co-managed, such as by Intune and Configuration Manager.

-3. To confirm that tamper protection is deployed and that exclusions are tamper protected, go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features` (or `HKLM\SOFTWARE\Microsoft\Windows Defender\Features`), and look for the `REG_DWORD` entries that are listed in the following table:

- | REG_DWORD | Value | What it means |

- |:|:|:|

- | **TamperProtection** | 5 | Tamper protection is deployed to the device. |

- | **TamperProtectionSource** | 64 | Tamper protection is managed by Intune. |

- | **TPExclusions** | 1 | Required conditions are met, and the new functionality to protect exclusions is enabled on the device. In this case, exclusions are tamper protected. |

- | **TPExclusions** | 0 | Tamper protection isn't currently protecting exclusions on the device. |

-> Do not change the value of the registry keys. Use the preceding procedure for information only. Changing keys will have no effect on whether tamper protection applies to exclusions.

-> [!TIP]

-> If you're looking for Antivirus related information for other platforms, see:

-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

-> - [Configure Defender for Endpoint on Android features](android-configure.md)

-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

-ms.pagetype: security

-ms.sitesec: library

-[Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) helps protect your security settings from being disabled or changed. Tamper protection is part of anti-tampering capabilities that include [standard protection attack surface reduction rules](attack-surface-reduction-rules-reference.md). Tamper protection is an important part of your security strategy, as it helps prevent important security settings from being disabled or turned off.

-You can turn tamper protection on (or off) tenant wide by using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).

-

- - Windows 11

- - Windows 11 Enterprise multi-session

- - Windows 10

- - Windows 10 Enterprise multi-session

- - Windows Server 2022

- - Windows Server 2019

- - Windows Server, version 1803 or later

- - Windows Server 2016

- - Windows Server 2012 R2

-For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).

-> When tamper protection is enabled via the Microsoft 365 Defender portal, cloud-delivered protection is required, so that the enabled state of tamper protection can be controlled.

-> Starting with the November 2021 update (platform version `4.18.2111.5`), if cloud-delivered protection is not turned on for a device and tamper protection is turned on in the Microsoft 365 Defender portal, then cloud-delivered protection will be automatically turned on for that device along with tamper protection.

-Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features, such as antivirus protection, on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities.

-When tamper protection is turned on, tamper protected settings cannot be changed from their default values.

-Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team. (See [How do I configure or manage tamper protection](#how-do-i-configure-or-manage-tamper-protection)?)

-Tamper protection is also available for Mac. For more information, see [Protect macOS security settings with tamper protection](tamperprotection-macos.md).

-> [!IMPORTANT]

-> Built-in protection includes turning tamper protection on by default. To learn more about built-in protection, see:

-## How do I configure or manage tamper protection?

-You can use Microsoft Intune and other methods to configure or manage tamper protection, as listed in the following table:

-| Method | Description |

-|:|:|

-| The [Microsoft 365 Defender portal](https://security.microsoft.com) | Turn tamper protection on (or off), tenant wide. Note that this method won't override settings managed in Microsoft Intune. <br/><br/>For more information, see [Manage tamper protection for your organization using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md). |

-| The [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) | Turn tamper protection on (or off), tenant wide, or all or some devices. Using this method, you can also [tamper protect exclusions](manage-tamper-protection-intune.md#tamper-protection-for-exclusions) for Microsoft Defender Antivirus. <br/><br/>For more information, see [Manage tamper protection for your organization using Intune](manage-tamper-protection-intune.md). |

-| Configuration Manager | Turn tamper protection on or off by using Configuration Manager (with tenant attach). Note that this method won't override settings managed in Intune. <br/><br/>For more information, see [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md). |

-| Windows Security app | Turn tamper protection on (or off) on an individual device that is not managed by a security team (such as devices for home use). Note that this method won't override settings managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations. <br/><br/>For more information, see [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md). |

-> [!IMPORTANT]

-> When tamper protection is turned on, tamper-protected settings cannot be changed from their default values. It might appear that changes made were successful, but changes are not actually allowed by tamper protection.

-## What about exclusions?

-Under certain conditions, tamper protection will protect exclusions that are defined for Microsoft Defender Antivirus. For more information, see [Tamper protection for exclusions](manage-tamper-protection-intune.md#tamper-protection-for-exclusions).

-## Are you using Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809?

-> [!IMPORTANT]

-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-|`DeviceSubtype` | `string` | Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute |

-|`SensorHealthState` | `string` | Indicates health of the deviceΓÇÖs EDR sensor, if onboarded to Microsoft Defender For Endpoint |

-| `IsExcluded`| `bool` | Determines if the device is currently excluded from Microsoft Defender for Vulnerability Management experiences |

-|`ExclusionReason` | `string` | Indicates the reason for device exclusion |

-| `AssetValue`| `string` | Indicates the value of a device as assigned by the user |

-| `ExposureLevel` | `string` | Indicates the exposure level of a device |

-The `DeviceInfo` table provides device information based on periodic reports or signals (heartbeats) from a device. Complete reports are sent every hour and every time a change happens to a previous heartbeat.

-> [!IMPORTANT]

-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-| `NetworkAdapterVendor` | `string` | Name of the manufacturer or vendor of the network adapter |

-Microsoft 365 Defender supports security information and event management (SIEM) tools ingesting information from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for a registered AAD application representing the specific SIEM solution or connector installed in your environment.

-There are two primary models to ingest security information:

-1. Ingesting Microsoft 365 Defender incidents and their contained alerts from a REST API in Azure.

-2. Ingesting streaming event data either through Azure Event Hubs or Azure Storage Accounts.

-Microsoft 365 Defender currently supports the following SIEM solution integrations:

-Use the Splunk Add-on for Microsoft Cloud Services to ingest events from Azure Event Hubs.

-Use the new IBM QRadar Microsoft 365 Defender Device Support Module (DSM) that calls the [Microsoft 365 Defender Streaming API](streaming-api.md) that allows ingesting streaming event data from Microsoft 365 Defender products via Event Hubs or Azure Storage Account. For more information on supported event types, see [Supported event types](supported-event-types.md).

-> [!IMPORTANT]

-> You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

- > [!NOTE]

- > [!NOTE]

- > [!NOTE]

-> [!NOTE]

-> For the Microsoft 365 Defender security portal to start enforcing the permissions and assignments configured in your new or imported roles, you'll need to activate the new Microsoft 365 Defender RBAC model. For more information, see [Activate Microsoft 365 Defender RBAC](activate-defender-rbac.md).

-You can also manage custom detections that apply to data from specific Microsoft 365 Defender solutions if you have permissions for them. If you only have manage permissions for Microsoft 365 Defender for Office, for instance, you can create custom detections using `Email` tables but not `Identity` tables.

-### 1. Prepare the query

-> [!IMPORTANT]

-> To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.

-#### Required columns in the query results

- - `DeviceId`

- - `DeviceName`

- - `RemoteDeviceName`

- - `RecipientEmailAddress`

- - `SenderFromAddress` (envelope sender or Return-Path address)

- - `SenderMailFromAddress` (sender address displayed by email client)

- - `RecipientObjectId`

- - `AccountObjectId`

- - `AccountSid`

- - `AccountUpn`

- - `InitiatingProcessAccountSid`

- - `InitiatingProcessAccountUpn`

- - `InitiatingProcessAccountObjectId`

-> [!NOTE]

-> Support for additional entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).

-### 2. Create new rule and provide alert details

-> [!TIP]

-> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.

-Near real-time detections are supported for the following tables:

-> [!NOTE]

-### 3. Choose the impacted entities

-### 4. Specify actions

-#### Actions on devices

-Both the Disable user and Force password reset options require the user SID, which are in the columns `AccountSid`, `InitiatingProcessAccountSid`, `RequestAccountSid`, and `OnPremSid`.

-### 5. Set the rule scope

-### 6. Review and turn on the rule

-> [!IMPORTANT]

-> Custom detections should be regularly reviewed for efficiency and effectiveness. To make sure you are creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in [Manage existing custom detection rules](#manage-existing-custom-detection-rules).

->

-> You maintain control over the broadness or specificity of your custom detections so any false alerts generated by custom detections might indicate a need to modify certain parameters of the rules.

-## Manage existing custom detection rules

-> [!TIP]

-In the rule details screen (**Hunting** \> **Custom detections** \> **[Rule name]**), go to **Triggered alerts**, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:

-In the rule details screen (**Hunting** \> **Custom detections** \> **[Rule name]**), go to **Triggered actions**, which lists the actions taken based on matches to the rule.

-> [!TIP]

-> To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.

-> [!NOTE]

-> Some columns in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).

-> [!IMPORTANT]

-> You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

-> [!NOTE]

-> After editing an imported role, the changes made in Microsoft 365 Defender RBAC will not be reflected back in the individual product RBAC model.

-> [!NOTE]

-> After deleting an imported role, the role won't be deleted from the individual product RBAC model. If needed, you can re-import it to the Microsoft 365 Defender RBAC list of roles.

-This article outlines the process to enable and pilot Microsoft Defender for Endpoint. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md), and you've [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).

-|Step|Description|

-|||

-|[Step 1. Review architecture requirements and key concepts](eval-defender-endpoint-architecture.md)|Understand the Defender for Endpoint architecture and the capabilities available to you.|

-|[Step 2. Enable the evaluation environment](eval-defender-endpoint-enable-eval.md)|Follow the steps to set up the evaluation environment.|

-|[Step 3. Set up the pilot](eval-defender-endpoint-pilot.md)|Verify your pilot group, run simulations, and become familiar with key features and dashboards.|

-The following diagram illustrates the baseline architecture for Defender for Identity.

-| Reports | Defender for Identity reports allow you to schedule or immediately generate and download reports that provide system and entity status information. You can create reports about system health, security alerts, and potential lateral movement paths detected in your environment. | [Microsoft Defender for Identity Reports](/defender-for-identity/reports) |

-Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)

-Use the following steps to set up your Microsoft Defender for Identity environment.

-Sign in to the Defender for Identity portal to create your instance and then connect this instance to your Active Directory environment.

-|Step|Description|More information|

-||||

-|1|Create the Defender for Identity instance|[Quickstart: Create your Microsoft Defender for Identity instance](/defender-for-identity/install-step1)|

-|2|Connect the Defender for Identity instance to your Active Directory forest|[Quickstart: Connect to your Active Directory Forest](/defender-for-identity/install-step2)|

-|Step|Description|More information|

-||||

-|1|Determine how many Microsoft Defender for Identity sensors you need.|[Plan capacity for Microsoft Defender for Identity](/defender-for-identity/capacity-planning)|

-|2|Download the sensor setup package|[Quickstart: Download the Microsoft Defender for Identity sensor setup package](/defender-for-identity/install-step3)|

-|3|Install the Defender for Identity sensor|[Quickstart: Install the Microsoft Defender for Identity sensor](/defender-for-identity/install-step4)|

-|4|Configure the sensor|[Configure Microsoft Defender for Identity sensor settings](/defender-for-identity/install-step5)|

-|Step|Description|More information|

-||||

-|1|Configure Windows event log collection|[Configure Windows Event collection](/defender-for-identity/configure-windows-event-collection)|

-|2|Configure Internet proxy settings|[Configure endpoint proxy and Internet connectivity settings for your Microsoft Defender for Identity Sensor](/defender-for-identity/configure-proxy)|

-Microsoft Defender for Identity lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity Service account.

-For instructions on how to do this, see [Configure Microsoft Defender for Identity to make remote calls to SAM](/defender-for-identity/install-step8-samr).

-> [!NOTE]

-> If you are brand new to security analysis and incident response, see the [Respond to your first incident walkthrough](first-incident-overview.md) to get a guided tour of a typical process of analysis, remediation, and post-incident review.

-4. Select **Open incident page** to get more information about the incident.

-> Before we walk you through this simulation, watch the following video to get familiar with what automated self-healing is, where to find it in the portal, and how it can help in your security operations:

-|Step|Description|

-|1. [Simulate attacks](eval-defender-investigate-respond-simulate-attack.md)|Simulate attacks on your evaluation environment and use the Microsoft 365 Defender portal to perform incident response.|

-|2. [Try incident response capabilities](eval-defender-investigate-respond-additional.md)|Try additional incident response features and capabilities in Microsoft 365 Defender.|

-## Navigation you may need

-Before enabling Microsoft Defender for Cloud Apps, be sure you understand the architecture and can meet the requirements.

-### Discovering cloud apps

-In this illustration, there are two methods that can be used to monitor network traffic and discover cloud apps that are being used by your organization.

-### Managing cloud apps

-After you discover cloud apps and analyze how these apps are used by your organization, you can begin managing cloud apps that you choose.

-### Applying session controls to cloud apps

-Microsoft Defender for Cloud Apps serves as a reverse proxy, providing proxy access to sanctioned cloud apps. This provision allows Defender for Cloud Apps to apply session controls that you configure.

-### Integrating with Azure AD with Conditional Access App Control

-You might already have SaaS apps added to your Azure AD tenant to enforce multi-factor authentication and other conditional access policies. Microsoft Defender for Cloud Apps natively integrates with Azure AD. All you have to do is configure a policy in Azure AD to use Conditional Access App Control in Defender for Cloud Apps. This routes network traffic for these managed SaaS apps through Defender for Cloud Apps as a proxy, which allows Defender for Cloud Apps to monitor this traffic and to apply session controls.

-### Protecting your organization from hackers

-It's worth repeating this illustration from the overview to this Microsoft 365 Defender evaluation and pilot guide.

-| Defender for Cloud Apps Dashboard | Presents an overview of the most important information about your organization and gives links to deeper investigation. | [Working with the dashboard](/cloud-app-security/daily-activities-to-protect-your-cloud-environment) |

-| Cloud Discovery Dashboard | Cloud Discovery analyzes your traffic logs and is designed to give more insight into how cloud apps are being used in your organization as well as give alerts and risk levels. | [Working with discovered apps](/cloud-app-security/discovered-apps) |

-These options are included in [Step 2. Enable the evaluation environment](eval-defender-mcas-enable-eval.md).

-You can integrate Microsoft Defender for Cloud Apps with your generic SIEM server or with Microsoft Sentinel to enable centralized monitoring of alerts and activities from connected apps.

- - m365solution-evalutatemtp

-This article outlines the process to enable and pilot Microsoft Defender for Cloud Apps alongside Microsoft 365 Defender. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md) and you have [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).

-|[Set up the pilot](eval-defender-mcas-pilot.md) | Scope your deployment to certain user groups, configure Conditional Access App Control, and try out tutorials for protecting your environment. |

-> You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

-> [!NOTE]

-> As a Microsoft partner, Protiviti contributed to and provided material feedback to this article.

-> [!NOTE]

-> [!NOTE]

-> [!NOTE]

-> Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Microsoft Defender for Cloud. Microsoft 365 Defender will automatically provision in the same EU data center for customers who have provisioned Microsoft Defender for Endpoint in this manner.

-Watch this short video to learn about the Microsoft 365 Defender portal.

-Microsoft 365 Defender emphasizes *unity, clarity, and common goals*.

-> [!IMPORTANT]

-You can search across the following entities in Defender for Endpoint and Defender for Identity:

- > [!NOTE]

- > IP and URL searches are exact match and don't appear in the search results page ΓÇô they lead directly to the entity page.

-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4Bzww]

-|Search | The search bar is located at the top of the page. Suggestions are provided as you type. You can search across the following entities in Defender for Endpoint and Defender for Identity: <br><br> - **Devices** - supported for both Defender for Endpoint and Defender for Identity. You can even use search operators, for example, you can use "contains" to search for part of a host name. <br><br> - **Users** - supported for both Defender for Endpoint and Defender for Identity. <br><br> - **Files, IPs, and URLs** - same capabilities as in Defender for Endpoint. <br> NOTE: *IP and URL searches are exact match and don't appear in the search results page ΓÇô they lead directly to the entity page. <br><br> - **MDVM** - same capabilities as in Defender for Endpoint (vulnerabilities, software, and recommendations). <br><br> The enhanced search results page centralizes the results from all entities. |

-This includes redirection for direct access to the former portal via browser, including links pointing towards the former securitycenter.windows.com portal - such as links in email notifications, and links returned by SIEM API calls.

-Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied will not be ejected from their session and will only be routed to Microsoft 365 Defender after ending their current session and signing back in again.

-3. Navigate to **Settings** \> **Endpoints** \> **General** \> **Portal redirection** or [click here](https://security.microsoft.com/preferences2/portal_redirection).

-> [!IMPORTANT]

-> Enabling this setting will not terminate active user sessions. Accounts who are in an active session while this setting is applied will only be directed to Microsoft 365 Defender after ending their current session and signing in again.

-> [!NOTE]

-> You must be a global administrator or have security administrator permissions in Azure Active Directory to enable or disable this setting.

-2. Navigate to **Settings** \> **Endpoints** \> **General** \> **Portal redirection** or [open the page here](https://security.microsoft.com/preferences2/portal_redirection).

-This setting can be enabled again at any time.

-Once disabled, accounts will no longer be routed to security.microsoft.com, and you will once again have access to the former portal - securitycenter.windows.com or securitycenter.microsoft.com.

-Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied won't be ejected from their session and will only be routed to Microsoft 365 Defender after ending their current session and signing back in again.

-> [!IMPORTANT]

-> Enabling this setting will not terminate active user sessions. Accounts who are in an active session while this setting is applied will only be directed to Microsoft 365 Defender after ending their current session and signing in again.

-> [!NOTE]

-> You must be a global administrator or have security administrator permissions in Azure Active Directory to enable or disable this setting.

-2. Navigate to **Settings** > **Identities** > **General** > **Portal redirection** or [open the page here](https://security.microsoft.com/preferences2/portal_redirection).

-Once you have completed an action it can take between 24-48 hours for the changes to be reflected in your secure score.

-When you select a specific recommended action, a full page flyout appears.

-> [!NOTE]

-> If you choose to create a 'Global exception' in the Defender Vulnerability management security recommendation, the status in the Microsoft Secure Score recommended action will be updated with the exception justification. Updates may take up to 2 hours.

-> If you choose to create an 'Exception per device group' in the Defender Vulnerability manage security recommendation, Secure Score will not be updated and the recommended action will remain as 'To address'.

-Prerequisites include any licenses that are needed or actions to be completed before the recommended action is addressed. Make sure you have enough seats in your license to complete the recommended action and that those licenses are applied to the necessary users.

-Secure Score helps organizations:

-> [!NOTE]

-> Currently, the Azure Active Directory related Microsoft Secure Score recommendations are not available for customer tenants registered in the following Azure Active Directory regions:

-> [!NOTE]

-> [!IMPORTANT]

-> Security defaults include security features that provide similar security to the "sign-in risk policy" and "user risk policy" recommended actions. Instead of setting up these policies on top of the security defaults, we recommend updating their statuses to "Resolved through alternative mitigation."

- - tier1

-If you're new to Microsoft 365 Defender and Defender Experts for Hunting:

-3. The Microsoft 365 Defender quick tour will get you familiar with the security suite, where the capabilities are and how important they are. Select **Take a quick tour**.

-You can set up Microsoft 365 Defender to notify you or your staff with an email about new incidents or updates to existing incidents, including those observed by Microsoft Defender Experts. [Learn more about getting incident notifications by email](/microsoft-365/security/defender/incidents-overview#get-incident-notifications-by-email)

-Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization may face. Experts on Demand can help to:

-|Attack method|Signal source|Alternate security portals|

-||||

-|RDP brute force|Defender for Endpoint|Defender for Cloud Apps|

-|Vulnerable internet-facing system|Windows security features, Microsoft Defender for Servers|

-|Weak application settings|Defender for Cloud Apps, Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps|

-|Malicious app activity|Defender for Cloud Apps, Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps|

-|Phishing email|Defender for Office 365|

-|Password spray against Azure AD accounts|Azure AD Identity Protection via Defender for Cloud Apps|Defender for Cloud Apps|

-|Password spray against on-premises accounts|Microsoft Defender for Identity|

-|Device compromise|Defender for Endpoint|

-|Credential theft|Microsoft Defender for Identity|

-|Escalation of privilege|Microsoft Defender for Identity|

-|Spike category|Signal source|Alternate security portals|

-||||

-|Sign-ins: Numerous failed attempts, attempts to logon to multiple devices in a short period, multiple first-time logons, etc.|Azure AD Identity Protection via Defender for Cloud Apps, Microsoft Defender for Identity|Defender for Cloud Apps|

-|Recently active user account, group, machine account, app|Azure AD Identity Protection via Defender for Cloud Apps (Azure AD), Defender for Identity (Active Directory Domain Services [AD DS])|Defender for Cloud Apps|

-|Recent app activity such as data access|Apps with Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps|

-|Activity|Signal source|Alternate security portal|

-||||

-|New apps that are installed|Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps|

-|New user accounts|Azure Identity Protection|Defender for Cloud Apps|

-|Role changes|Azure Identity Protection|Defender for Cloud Apps|

-|Behavior|Signal source|

-|||

-|Malware spread to multiple devices|Defender for Endpoint|

-|Resource scanning|Defender for Endpoint, Defender for Identity|

-|Changes in mailbox forwarding rules|Defender for Office 365|

-|Data exfiltration and encryption|Defender for Office 365|

-|Attacks and incidents|Signal source|

-|||

-|Cloud identity: Password spray, numerous failed attempts, attempts to log on to multiple devices in a short period, multiple first-time logons, recently active user accounts|Azure AD Identity Protection|

-|On-premises identity (AD DS) compromise|Defender for Identity|

-|Phishing|Defender for Office 365|

-|Malicious apps|Defender for Cloud Apps or Defender for Cloud Apps with app governance add-on|

-|Endpoint (device) compromise|Defender for Endpoint|

-|IoT-capable device compromise|Defender for IoT|

-You can also use the Microsoft 365 Defender APIs to query the Microsoft 365 Defender incidents and alerts data in your tenant. A custom app can filter the data, filter it based on custom settings, and then provide a filtered list of links to alerts and incidents that you can easily select to go right to that alert or incident. See [List incidents API in Microsoft 365 Defender| Microsoft Docs](/api-list-incidents.md). You can also integrate your SIEM with Microsoft Defender, see [Integrate your SIEM tools with Microsoft 365 Defender](/configure-siem-defender.md).

- - [Ransomware-specific](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware) queries

- - [All categories](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware) of queries

- - Advanced hunting section of the [Ransomware: A pervasive and ongoing threat](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) analyst report

- - Advanced hunting section of other analyst reports

- - Processes for Tier 1 analyst scanning of incoming incidents and alerts and assignment to Tier 2 analysts for investigation.

- - Manually running advanced hunting queries and their schedule (daily, weekly, monthly).

- - Ongoing changes based on ransomware attack investigation and mitigation experiences.

- - Alerts and incidents already created by Microsoft 365 Defender

- - Pre-scanned URL-based filters for the Microsoft 365 Defender portal

- - Programmatically via the incidents API

- - New queries based on the latest threat analytics reports in the Microsoft 365 Defender portal or the [Advanced Hunting GitHub repository](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware>).

- - Changes to existing ones to optimize for threat identification or for better alert quality.

-> [!NOTE]

-# Set up your Microsoft 365 Defender trial in a lab environment

-This topic guides you to set up a dedicated lab environment. For information on setting up a trial in production, see the new [Evaluate and pilot Microsoft 365 Defender](eval-overview.md) guide.

-> [!NOTE]

-> If you already have an existing Office 365 or Azure Active Directory subscription, you can skip the Office 365 E5 trial tenant creation steps.

-3. Fill in your first name, last name, business phone number, company name, company size, and country or region.

-4. Choose your verification preference: through a text message or call. Click **Send Verification Code**.

-11. [Optional] Download Office apps. Click **Next** to skip this step.

-13. Choose online services. Select **Exchange** and click **Next**.

-> [!NOTE]

-> Signing up for a trial gives you 25 user licenses to use for a month. See [Try or buy a Microsoft 365 subscription](../../commerce/try-or-buy-microsoft-365.md) for details.

-2. Select **Microsoft 365 E5** and click **Start free trial**.

-> [!NOTE]

-> The analyst report also lists **generic detections** that can identify a wide-range of threats, in addition to components or behaviors specific to the tracked threat. These generic detections don't reflect in the charts.

-> [!NOTE]

-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWwJfU]

-> [!CAUTION]

-> **The preview period for the ServiceNow connector has ended**

->

-> This capability is no longer available. Thank you for your feedback and continued support while we determine next steps.

-> [!NOTE]

-|[</li></ul>

-> If your browser is being blocked by Safe Links and Safe Attachment pages, see [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2?storagetype=live).

-> [!NOTE]

-> When opening an email cluster to view it in Explorer from the email cluster details, the PhishEdu and SecOps mailbox filters will be applied in Explorer but will not be shown. If you change the Explorer filters, dates, or refresh the query within the page ΓÇô then the PhishEdu/SecOps filter exclusions will get removed and emails that match these will be shown once again. If you refresh the Explorer page using the browser refresh function, the original query filters will get re-loaded, including the PhishEdu/SecOps filters ΓÇô but removing any subsequent changes you had made.

-> You can choose to do nothing about DKIM for your custom domain too. If you don't set up DKIM for your custom domain, Microsoft 365 creates a private and public key pair, enables DKIM signing, and then configures the Microsoft 365 default policy for your custom domain.

-description: Admins can learn how long Defender for Office 365 features retain data.

-> Microsoft Defender for Office 365 comes in two different subscriptions: **Plan 1** and **Plan 2**. If you have **Threat Explorer** at <https://security.microsoft.com/threatexplorer>, you have Plan 2. Otherwise, you have **Real-time Detections** at <https://security.microsoft.com/realtimereports> as part of **Plan 1**.

->

-> Your Defender for Office 365 subscription affects the tools that are available to you, so make sure you know which subscription you have as you learn.

-|Alert metadata details (Microsoft Defender for Office alerts)|90 days.|

-|Entity metadata details (Email)|30 days.|

-|Activity alert details (audit logs)|7 days.|

-|Email entity page|30 days.|

-|Quarantine|30 days (configurable; 30 days is the maximum).|

-|Reports|90 days for aggregated data. <br/><br/> 30 days for detailed information.|

-|Submissions|30 days.|

-|Real-Time detections|30 days.|

-|Action Center|180 days. <br/><br/> Office Action Center 30 days.|

-|Advanced Hunting|30 days.|

-|AIR (Automated investigation and response)|60 days for investigations metadata. <br/><br/> 30 days for email metadata.|

-|Attack simulation training data|18 months.|

-|Campaigns|30 days.|

-|Incidents|30 days.|

-|Remediation|30 days|

-|Threat Analytics|30 days.|

-|Threat Explorer|30 days.|

-|Threat Trackers|30 days.|

-|**[Anti-malware policies](anti-malware-policies-configure.md)**|Yes (_QuarantineTag_)|

-The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 30 days:

-> 550 5.7.511 Access denied, banned sender[xxx.xxx.xxx.xxx]. To request removal from this list, forward this message to delist@microsoft.com. For more information, go to https://go.microsoft.com/fwlink/?LinkId=526653.

-In the email to request removal from this list, provide the full NDR code and IP address. Microsoft will contact you within 48 hours with the next steps.

-As an organization's security posture is constantly changing alongside the cybersecurity landscape, making security posture improvements should be a continuous process. This article provides an overview of how you can strengthen your organization's security posture using capabilities available in Microsoft 365 Defender and other Microsoft security products, such as Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management.

-To allow or block guest sharing, we'll use controls available in sensitivity labels.

-## Authentication context

-We'll use an [Azure Active Directory authentication context](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#configure-authentication-contexts) to enforce more stringent access conditions when users access SharePoint sites.

-First, add an authentication context in Azure Active Directory.

-To add an authentication context

-1. In [Azure Active Directory Conditional Access](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade), under **Manage**, click **Authentication context**.

-2. Click **New authentication context**.

-3. Type a name and description and select the **Publish to apps** check box.

- 

-4. Click **Save**.

-Next, create a conditional access policy that applies to that authentication context and that requires guests to agree to a terms of use as a condition of access.

-To create a conditional access policy

-1. In [Azure Active Directory Conditional Access](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade), click **New policy**.

-1. Type a name for the policy.

-1. On the **Users and groups** tab, choose the **Select users and groups** option, and then select the **Guest or external users** check box.

-1. Choose **B2B collaboration guest users** from the dropdown.

-1. On the **Cloud apps or actions** tab, under **Select what this policy applies to**, choose **Authentication context**, and select the check box for the authentication context that you created.

- 

-1. On the **Grant** tab, select **Require multifactor authentication**, and then click **Select**.

-1. Choose if you want to enable the policy, and then click **Create**.

-We'll point to the authentication context in the sensitivity label.

-For the highly sensitive level of protection, we'll be using a sensitivity label to classify the team. We'll also use this label to classify and encrypt individual files in the team. (It can also be used on files in other file locations such as SharePoint or OneDrive.)

-As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.

-1. Under **Solutions**, click **Information protection**.

-1. On the **Labels** tab, click **Create a label**.

-1. Give the label a name. We suggest **Highly sensitive**, but you can choose a different name if that one is already in use.

-1. Add a display name and description, and then click **Next**.

-1. On the **Define the scope for this label page**, select **Files & emails** and **Groups & sites** and clear **Include meetings**.

-1. Click **Next**.

-1. On the **Choose protection settings for files and emails** page, select **Apply or remove encryption**, and then click **Next**.

-1. On the **Encryption** page, choose **Configure encryption settings**.

-1. Under **Assign permissions to specific users and groups**, click **Assign permissions**.

-1. Click **Add all users and groups in your organization**.

-1. If there are guests who should have permissions to decrypt files, click **Add users or groups** and add them.

-1. Click **Save**, and then click **Next**.

-1. On the **Auto-labeling for files and emails** page, click **Next**.

-1. On the **Define protection settings for groups and sites** page, select **Privacy and external user access settings** and **External sharing and Conditional Access settings** and click **Next**.

-1. On the **Define privacy and external user access settings** page, under **Privacy**, select the **Private** option.

-1. If you want to allow guest access, under **External user access**, select **Let Microsoft 365 Group owners add people outside your organization to the group as guests**.

-1. Click **Next**.

-1. On the **Define external sharing and device access settings** page, select **Control external sharing from labeled SharePoint sites**.

-1. Under **Content can be shared with**, choose **New and existing guests** if you're allowing guest access or **Only people in your organization** if not.

-1. Select **Use Azure AD Conditional Access to protect labeled SharePoint sites**.

-1. Select the **Choose an existing authentication context** option, and then select the authentication context that you created from the dropdown list.

-1. Click **Next**.

-1. On the **Auto-labeling for database columns** page, click **Next**.

-1. Click **Create label**, and then click **Done**.

-### Restrict site access to team members

-Each time you create a new team with the highly sensitive label, you need to turn on restricted site access on the associated SharePoint site. This prevents people from outside the team from accessing the site or its content. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)

-[SharePoint PowerShell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell) is required to configure restricted site access.

-If you haven't used restricted site access before, you need to turn it on for your organization. To do this, run the following command:

-```Powershell

-Set-SPOTenant -EnableRestrictedAccessControl $true

-```

-> [!NOTE]

-> If you have Microsoft 365 Multi-Geo, you must run this command for each geo-location you want to use restricted access control.

-Wait for approximately one hour before turning on restricted access control for the site.

-To restrict site access for the site connected to your team, run the following command:

-```Powershell

-Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true

-```

-### Choose a default sensitivity label for files

-We'll use the sensitivity label that we created as the default sensitivity label for the site document library that is connected to Teams. This will automatically apply the highly sensitive label to any new label-compatible files that are uploaded to the library, encrypting them. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)

-To set a default sensitivity label for a document library

-1. In Teams, navigate to the **General** channel of the team you want to update.

-1. In the tool bar for the team, click **Files**.

-1. Click **Open in SharePoint**.

-1. In the SharePoint site, open **Settings** and then choose **Library settings**.

-1. From the **Library settings** flyout pane, select **Default sensitivity labels**, and then select the highly sensitive label from the drop-down box.

-For more details about how default library labels work, see [Configure a default sensitivity label for a SharePoint document library](/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label).

-For the sensitive level of protection, we'll be using a sensitivity label to classify the team. We'll also use this label to classify individual files in the team. (It can also be used on files in other file locations such as SharePoint or OneDrive.)

-As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.

-1. Under **Solutions**, click **Information protection**.

-1. Click **Create a label**.

-1. Give the label a name. We suggest **Sensitive**, but you can choose a different name if that one is already in use.

-1. Add a display name and description, and then click **Next**.

-1. On the **Define the scope for this label page**, select **Files & emails** and **Groups & sites** and clear **Include meetings**.

-1. Click **Next**.

-1. On the **Choose protection settings for files and emails** page, click **Next**.

-1. On the **Auto-labeling for files and emails** page, click **Next**.

-1. On the **Define protection settings for groups and sites** page, select **Privacy and external user access settings** and **External sharing and Conditional Access settings** and click **Next**.

-1. On the **Define privacy and external user access settings** page, under **Privacy**, select the **Private** option.

-1. If you want to allow guest access, under **External user access**, select **Let Microsoft 365 Group owners add people outside your organization to the group as guests**.

-1. Click **Next**.

-1. On the **Define external sharing and device access settings** page, select **Control external sharing from labeled SharePoint sites**.

-1. Under **Content can be shared with**, choose **New and existing guests** if you're allowing guest access or **Only people in your organization** if not.

-1. Select **Use Azure AD Conditional Access to protect labeled SharePoint sites**.

-1. Choose the **Determine whether users can access SharePoint sites from unmanaged devices** option, and then choose **Allow limited, web-only access**.

-1. Click **Next**.

-1. On the **Auto-labeling for database columns** page, click **Next**.

-1. Click **Create label**, and then click **Done**.

-Each time you create a new team with the sensitive label, there are three steps to do in SharePoint:

-### Choose a default sensitivity label for files

-We'll use the sensitivity label that we created as the default sensitivity label for the site document library that is connected to Teams. This will automatically apply the highly sensitive label to any new label-compatible files that are uploaded to the library. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)

-To set a default sensitivity label for a document library

-1. In Teams, navigate to the **General** channel of the team you want to update.

-1. In the tool bar for the team, click **Files**.

-1. Click **Open in SharePoint**.

-1. In the SharePoint site, open **Settings** and then choose **Library settings**.

-1. From the **Library settings** flyout pane, select **Default sensitivity labels**, and then select the highly sensitive label from the drop-down box.

-For more details about how default library labels work, see [Configure a default sensitivity label for a SharePoint document library](/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label).

-The articles in this series provide recommendations for configuring teams in Microsoft Teams, and their associated SharePoint sites, for file protection that balances security with ease of collaboration.

-For information about creating a Teams meeting environment that meets your compliance requirements, see [Configure Teams meetings with three tiers of protection](/MicrosoftTeams/configure-meetings-three-tiers-protection).

-|Site-level conditional access|**Full access from desktop apps, mobile apps, and the web** (default).|**Full access from desktop apps, mobile apps, and the web** (default).|**Allow limited, web-only access**.|Custom conditional access policy|

-|Sensitivity labels|None|None|Sensitivity label used to classify the team and control guest sharing and unmanaged device access.|Sensitivity label used to classify the team, control guest sharing, and specify a conditional access policy. Default file label is used on files to encrypt them.|

-|Site sharing settings|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|N/A (Controlled by site-level restricted access control.)|

-|Site-level restricted access control|None|None|None|Team members only|

-The sensitive and highly sensitive tiers use sensitivity labels to help secure the team and its files. To implement these tiers, you must enable [sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md).

-While the baseline tier does not require sensitivity labels, consider creating a "general" label and then requiring that all teams be labeled. This will help ensure that users make a conscious choice about sensitivity when they create a team. If you plan to deploy the sensitive or highly sensitive tiers, we do recommend creating a "general" label that you can use for baseline teams and for files that are not sensitive. For the highly sensitive tier, we'll also specify a default sensitivity label for document libraries so that Office files and other compatible files will have that label automatically applied when they're uploaded.

-For the highly sensitive tier, we'll restrict access to the site to members of the team only. This restriction will also prevent sharing files with people outside the team.

-By default, both owners and members of the team can share files and folders with people outside the team. This may include people outside your organization, if you have allowed guest sharing. In all three tiers, we update the default sharing link type to help avoid accidental oversharing. In the highly sensitive tier, we restrict such sharing to team owners only. As noted above, in the highly sensitive tier, file access is limited to team members only.

-In the highly sensitive tier, we configure the default library sensitivity label to encrypt files to which it is applied. If you need guests to have access to these files, you must give them permissions when you create the label. External participants in shared channels can't be given permissions to sensitivity labels and can't access content encrypted by a sensitivity label.

-If you regularly collaborate with other organizations that use Azure AD, shared channels may be a good option. Shared channels appear seamlessly in the other organization's Teams client and allow external participants to use their regular user account for their organization rather than having to log in separately using a guest account.

-## Conditional access policies

-Azure AD conditional access offers many options for determining how people access Microsoft 365, including limitations based on location, risk, device compliance, and other factors. We recommend you read [What is Conditional Access?](/azure/active-directory/conditional-access/overview) and consider which additional policies might be appropriate for your organization.

-For the sensitive and highly sensitive tiers, we use sensitivity labels to restrict access to SharePoint content.

-For the sensitive tier, we'll restrict access to web-only for unmanaged devices. (Note that guests often don't have devices that are managed by your organization. If you allow guests in any of the tiers, consider what kinds of devices they'll be using to access teams and sites and set your unmanaged device policies accordingly.)

-For the highly sensitive tier, we'll use [Azure Active Directory authentication context](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#configure-authentication-contexts) with the sensitivity label to trigger a custom conditional access policy when people access the SharePoint site associate with the team.

-### Conditional access across Teams-related services

-The conditional access settings in sensitivity labels only affect SharePoint access. If you want to expand conditional access beyond SharePoint, you can [Create an Azure Active Directory conditional access policy for all apps and services in your organization](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device) instead. To configure this policy specifically for [Microsoft 365 services](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#office-365), select the **Office 365** cloud app under **Cloud apps or actions**.

-

-## Related topics

-|[ <br>Updated September 2021| The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premises</li><li>Evaluation and local onboarding</li> |

-### SharePoint

-|Training:|Collaborate with SharePoint in Microsoft 365|

-|||

-||Manage shared content with Microsoft SharePoint introduces you to the features and capabilities of SharePoint, and how it works with Microsoft 365. You'll learn about the different types of SharePoint sites, including hub sites, as well as information protection, reporting, and monitoring. You'll also learn how to use SharePoint file and folder sharing to optimize collaboration, how to share files externally, and how to manage SharePoint sites in the SharePoint admin center. This learning path can help you prepare for the Microsoft 365 Certified: Teamwork Administrator Associate certification.<p>1 hr 14 min - Learning Path - 4 Modules|

-> [!div class="nextstepaction"]

-> [Start >](/training/modules/m365-teams-sharepoint-plan-sharepoint/introduction/)

-### Information protection

-|Training:|Protect enterprise information with Microsoft 365|

-|||

-||Protecting and securing your organization's information is more challenging than ever. The Protect enterprise information with Microsoft 365 learning path discusses how to protect your sensitive information from accidental oversharing or misuse, how to discover and classify data, how to protect it with sensitivity labels, and how to both monitor and analyze your sensitive information to protect against its loss. This learning path can help you prepare for the Microsoft 365 Certified: Security Administrator Associate and Microsoft 365 Certified: Enterprise Administration Expert certifications.<p>1 hr - Learning Path - 5 Modules|

-> [!div class="nextstepaction"]

-> [Start >](/training/modules/m365-security-info-overview/introduction/)

-2. On the **Manage rules** page, you can see the rules that have been applied. You can turn on or off a rule or [create a new rule](#create-a-rule-to-move-or-copy-a-file-from-one-document-library-to-another-in-microsoft-syntex) to automate actions on a specific document library.

-## See also

-[Overview of content processing](content-processing-overview.md)

-Document libraries can have multiple move and copy rules to support moving and copying files to different destination libraries based on metadata criteria.

-## See also

-[Create a rule to move or copy a file from one document library to another](content-processing-create-rules.md)