Updates from: 03/18/2022 02:36:41
Category Microsoft Docs article Related commit history on GitHub Change details
admin Activity Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/activity-reports.md
Depending on your subscription, here are the available reports in all environmen
|[Office activations](microsoft-office-activations-ww.md)|Yes|Yes|Yes|Yes|Yes| |[Active Users](active-users-ww.md)|Yes|Yes|Yes|Yes|Yes| |[Microsoft 365 groups](office-365-groups-ww.md)|Yes|Yes|Yes|Yes|Yes|
-|[Microsoft 365 Apps usage](microsoft365-apps-usage-ww.md)|Yes|Yes|No[^1]|No[^1]|No[^1]|
+|[Microsoft 365 Apps usage](microsoft365-apps-usage-ww.md)|Yes|Yes|No[^1]|No[^1]|Yes
|[OneDrive for Business user activity](onedrive-for-business-activity-ww.md)|Yes|Yes|Yes|Yes|Yes| |[OneDrive for Business usage](onedrive-for-business-usage-ww.md)|Yes|Yes|Yes|Yes|Yes| |[SharePoint site usage](sharepoint-site-usage-ww.md)|Yes|Yes|Yes|Yes|Yes|
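Review bot: The added Microsoft 365 Apps usage row is missing its closing pipe. It ends `No[^1]|Yes`, while the removed row and every neighbouring row end with `|`. Add the trailing `|` so the row is formatted like the rest of the table, and confirm that only the last environment column is meant to lose its `[^1]` footnote.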
compliance Compliance Easy Trials Compliance Manager Assessment Playbook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-manager-assessment-playbook.md
audience: Admin-+ ms.localizationpriority: high
compliance Compliance Easy Trials Compliance Playbook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-playbook.md
audience: Admin-+ ms.localizationpriority: high
compliance Compliance Easy Trials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials.md
audience: Admin-+ ms.localizationpriority: high
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
For technical details about how retention works for Teams, including what elemen
- Although you can select the option to start the retention period when items were last modified, the value of **When items were created** is always used. For messages that are edited, a copy of the original message is saved with its original timestamp to identify when this pre-edited message was created, and the post-edited message has a newer timestamp. -- When you select **Edit** for the **Teams channel messages** location, you might see Microsoft 365 groups that aren't also teams. Don't select these groups.- - When you select **Edit** for the Teams chats location, you might see guests and non-mailbox users. Retention policies aren't designed for these users, so don't select them.
compliance Document Metadata Fields In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-metadata-fields-in-Advanced-eDiscovery.md
The following table lists the metadata fields for documents in a review set in a
|Teams Announcement Title|TeamsAnnouncementTitle|TeamsAnnouncementTitle|Title from a [teams announcement](https://support.microsoft.com/office/send-an-announcement-to-a-channel-8f244ea6-235a-4dcc-9143-9c5b801b4992).| |||Converted_file_path|The path of the converted export file. For internal Microsoft use only.| |Custodian|Custodian|Custodian|Name of the custodian the item was associated with.|
-|Date|Date|Date|Date is a computed field that depends on the file type.<p>Email: Sent date<br>Email attachments: Last modified date of the document;if not available, the parent's Sent date<br>Embedded documents: Last modified date of the document; if not available, the parent's last modified date<br>SPO documents (includes modern attachments): SharePoint Last modified date; if not available, the documents last modified date<br>Non-Office 365 documents: Last modified date<br>Meetings: Meeting start date<br>VoiceMail: Sent date<br>IM: Sent date<br>Teams: Sent date|
+|Date|Date|Date|Date is a computed field that depends on the file type.<p>**Email**: Sent date<br>**Email attachments**: Last modified date of the document; if not available, the parent's sent date<br>**Embedded documents**: Last modified date of the document; if not available, the parent's last modified date<br>**SPO documents (includes modern attachments)**: Last modified date of the document; if not available, SharePoint last modified date<br>**Non-Office 365 documents**: Last modified date<br>**Meetings**: Meeting start date<br>**VoiceMail**: Sent date<br>**IM**: Sent date<br>**Teams**: Sent date|
|Document comments|DocComments|Doc_comments|Comments from the document metadata.| |Document company||Doc_company|Company from the document metadata.| |Document date created|CreatedTime|Doc_date_created|Create date from document metadata.|
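Review bot: In the **SPO documents** entry of the added Date row, the fallback order is reversed rather than just reformatted. The removed line read "SharePoint Last modified date; if not available, the documents last modified date"; the added line reads "Last modified date of the document; if not available, SharePoint last modified date". Date is a computed field that places an item in time, so confirm the new order matches what the service actually computes, and state the correction in the commit message instead of leaving it folded into a bolding pass.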
compliance Plan For Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/plan-for-security-and-compliance.md
Last updated audience: Admin-+ ms.localizationpriority: medium search.appverid:
compliance Protect Access To Data And Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/protect-access-to-data-and-services.md
Last updated 4/17/2018 audience: Admin-+ ms.localizationpriority: medium search.appverid:
compliance Set Up Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-encryption.md
Last updated 4/2/2018 audience: Admin-+ ms.localizationpriority: medium search.appverid:
compliance Terms Conditions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/terms-conditions.md
audience: Admin-+ ms.localizationpriority: high
contentunderstanding Apply A Sensitivity Label To A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/apply-a-sensitivity-label-to-a-model.md
You can easily apply a [sensitivity label](../compliance/sensitivity-labels.md)
Sensitivity labels let you apply encryption to the documents that your models identify. For example, you want your model to not only identify any financial documents that contain bank account numbers or credit card numbers that are uploaded to your document library, but also to apply a sensitivity label that's configured with encryption settings to restrict who can access that content and how it can be used. SharePoint Syntex models honor the [label order](../compliance/apply-sensitivity-label-automatically.md#how-multiple-conditions-are-evaluated-when-they-apply-to-more-than-one-label) rules and also do not overwrite an existing label that was manually applied by a user to the file.
-You can apply a pre-existing sensitivity label to your model through your model settings on your model's home page. The label must already be published to be available for selection from model settings.
+You can apply a pre-existing sensitivity label to your model through your model settings on your model's home page. The label must already be published to be available for selection from model settings. Labels apply to Office files for Word (.docx), PowerPoint (.pptx), and Excel (.xlsx).
> [!Important] > For sensitivity labels to be available to apply to your document understanding models, they need to be [created and published in the Microsoft 365 Compliance Center](../admin/security-and-compliance/set-up-compliance.md).
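Review bot: The added sentence "Labels apply to Office files for Word (.docx), PowerPoint (.pptx), and Excel (.xlsx)" does not say what happens to files of other types that the model identifies. The paragraph above presents the label as the way to apply encryption to identified documents, so a reader can come away assuming every matched file is protected. State explicitly whether files outside these three types are left unlabeled, ideally in the existing Important callout.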
enterprise Address Space Calculator For Azure Gateway Subnets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/address-space-calculator-for-azure-gateway-subnets.md
Last updated 01/07/2021 audience: ITPro-+ ms.localizationpriority: medium
enterprise Cloud Adoption Test Lab Guides Tlgs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-adoption-test-lab-guides-tlgs.md
Last updated 11/14/2019 audience: ITPro-+ ms.localizationpriority: medium search.appverid:
enterprise Create Sharepoint Sites And Add Users With Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/create-sharepoint-sites-and-add-users-with-powershell.md
audience: Admin-+ ms.localizationpriority: medium search.appverid:
enterprise Getting Started With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/getting-started-with-microsoft-365-powershell.md
Last updated 07/17/2020 audience: ITPro-+ ms.localizationpriority: medium
enterprise Hybrid Solutions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/hybrid-solutions.md
Last updated 09/30/2020 audience: ITPro-+ ms.localizationpriority: medium search.appverid:
enterprise Integrated Apps And Azure Ads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/integrated-apps-and-azure-ads.md
audience: Admin-+ ms.localizationpriority: medium f1.keywords:
enterprise M365 Enterprise Test Lab Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-enterprise-test-lab-guides.md
Last updated 11/20/2019 audience: ITPro-+ ms.localizationpriority: medium
enterprise Manage Microsoft 365 With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-with-microsoft-365-powershell.md
audience: Admin-+ ms.localizationpriority: medium search.appverid:
enterprise Manage Microsoft 365 With Windows Powershell For Delegated Access Permissions Dap P https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-with-windows-powershell-for-delegated-access-permissions-dap-p.md
audience: Admin-+ ms.localizationpriority: medium search.appverid:
enterprise Manage Sharepoint Online With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-sharepoint-online-with-microsoft-365-powershell.md
Last updated 07/17/2020 audience: Admin-+ ms.localizationpriority: medium search.appverid:
enterprise Manage Sharepoint Site Groups With Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-sharepoint-site-groups-with-powershell.md
Last updated 12/17/2019 audience: Admin-+ ms.localizationpriority: medium search.appverid:
enterprise Manage Sharepoint Users And Groups With Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-sharepoint-users-and-groups-with-powershell.md
Last updated 07/17/2020 audience: Admin-+ ms.localizationpriority: medium search.appverid:
description: In this article, learn how to use PowerShell for Microsoft 365 to m
*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.*
-If you are a SharePoint Online administrator who works with large lists of user accounts or groups and wants an easier way to manage them, you can use PowerShell for Microsoft 365.
+If you're a SharePoint Online administrator who works with large lists of user accounts or groups and wants an easier way to manage them, you can use PowerShell for Microsoft 365.
-Before you begin, the procedures in this topic require you to connect to SharePoint Online. For instructions, see [Connect to SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online)
+Before you begin, the procedures in this article require you to connect to SharePoint Online. For instructions, see [Connect to SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online)
## Get a list of sites, groups, and users
New-SPOSiteGroup -Group $group -PermissionLevels $level -Site https://$tenant.sh
## Remove users from a group
-Sometimes you have to remove a user from a site or even all sites. Perhaps the employee moves from one division to another or leaves the company. You can do this for one employee easily in the UI, but this is not easily done when you have to move a complete division from one site to another.
+Sometimes you have to remove a user from a site or even all sites. Perhaps the employee moves from one division to another or leaves the company. You can do this for one employee easily in the UI, but this isn't easily done when you have to move a complete division from one site to another.
However by using the SharePoint Online Management Shell and CSV files, this is fast and easy. In this task, you'll use Windows PowerShell to remove a user from a site collection security group. Then you'll use a CSV file and remove lots of users from different sites.
-We'll be using the 'Remove-SPOUser' cmdlet to remove a single Microsoft 365 user from a site collection group just so we can see the command syntax. Here is how the syntax looks:
+We'll be using the 'Remove-SPOUser' cmdlet to remove a single Microsoft 365 user from a site collection group so we can see the command syntax. Here's how the syntax looks:
```powershell $tenant = "<tenant name, such as litwareinc for litwareinc.com>"
$group = "Auditors"
Remove-SPOUser -LoginName $user@$tenant.com -Site https://$tenant.sharepoint.com/sites/$site -Group $group ```
-Suppose we wanted to remove Bobby from all the groups he is currently in. Here is how we would do that:
+Suppose we wanted to remove Bobby from all the groups he's currently in. Here's how we would do that:
```powershell $tenant = "contoso"
Get-SPOSite | ForEach {Get-SPOSiteGroup ΓÇôSite $_.Url} | ForEach {Remove-SPOUse
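Review bot: The sample under the reworded "remove Bobby from all the groups" sentence still has a non-ASCII dash before `Site`, which shows up as `ΓÇôSite` in this diff. Since this pass already touches the section, replace it with a plain ASCII hyphen (`-Site`) so the command survives copy and paste regardless of file encoding.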
## Automate management of large lists of users and groups
-To add a large number of accounts to SharePoint sites and give them permissions, you can use the Microsoft 365 admin center, individual PowerShell commands, or PowerShell an a CSV file. Of these choices, the CSV file is the fastest way to automate this task.
+To add a large number of accounts to SharePoint sites and give them permissions, you can use the Microsoft 365 admin center, individual PowerShell commands, or PowerShell and a CSV file. Of these choices, the CSV file is the fastest way to automate this task.
The basic process is to create a CSV file that has headers (columns) that correspond to the parameters that the Windows PowerShell script needs. You can easily create such a list in Excel and then export it as a CSV file. Then, you use a Windows PowerShell script to iterate through records (rows) in the CSV file, adding the users to groups and the groups to sites.
-For example, let's create a CSV file to define a group of site collections, groups, and permissions. Next, we will create a CSV file to populate the groups with users. Finally, we will create and run a simple Windows PowerShell script that creates and populates the groups.
+For example, let's create a CSV file to define a group of site collections, groups, and permissions. Next, we'll create a CSV file to populate the groups with users. Finally, we'll create and run a Windows PowerShell script that creates and populates the groups.
The first CSV file will add one or more groups to one or more site collections and will have this structure:
Item:
https://tenant.sharepoint.com/sites/site,group,level ```
-Here is an example file:
+Here's an example file:
```powershell Site,Group,PermissionLevels
Item:
group,login,https://tenant.sharepoint.com/sites/site ```
-Here is an example file:
+Here's an example file:
```powershell Group,LoginName,Site
Import-Csv C:\O365Admin\GroupsAndPermissions.csv | ForEach {New-SPOSiteGroup -Gr
Import-Csv C:\O365Admin\Users.csv | ForEach {Add-SPOUser -Group $_.Group ΓÇôLoginName $_.LoginName -Site $_.Site} ```
-The script imports the CSV file contents and uses the values in the columns to populate the parameters of the **New-SPOSiteGroup** and **Add-SPOUser** commands. In our example, we are saving this to theO365Admin folder on drive C, but you can save it wherever you want.
+The script imports the CSV file contents and uses the values in the columns to populate the parameters of the **New-SPOSiteGroup** and **Add-SPOUser** commands. In our example, we're saving this file to the O365Admin folder on drive C, but you can save it wherever you want.
-Now, let's remove a bunch of people for several groups in different sites using the same CSV file. Here is an example command:
+Now, let's remove a bunch of people for several groups in different sites using the same CSV file. Here's an example command:
```powershell Import-Csv C:\O365Admin\Users.csv | ForEach {Remove-SPOUser -LoginName $_.LoginName -Site $_.Site -Group $_.Group}
Import-Csv C:\O365Admin\Users.csv | ForEach {Remove-SPOUser -LoginName $_.LoginN
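Review bot: In the edited sentence "remove a bunch of people for several groups", "for" should be "from"; the contraction was fixed but the preposition was left. The removal command also reads the same `C:\O365Admin\Users.csv` that the `Add-SPOUser` line reads, so it is worth adding a sentence telling the reader to review the rows in that file before running the removal. The `Add-SPOUser` sample above additionally carries a non-ASCII dash (`ΓÇôLoginName`) that should be a plain hyphen.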
## Generate user reports
-You might want to get a simple report for a few sites and display the users for those sites, their permission level, and other properties. This is how the syntax looks:
+You might want to get a report for a few sites and display the users for those sites, their permission level, and other properties. This is how the syntax looks:
```powershell $tenant = "<tenant name, such as litwareinc for litwareinc.com>"
$site = "<site name>"
Get-SPOUser -Site https://$tenant.sharepoint.com/sites/$site | select * | Format-table -Wrap -AutoSize | Out-File c\UsersReport.txt -Force -Width 360 -Append ```
-This will grab the data for these three sites and write them to a text file on your local drive. Note that the parameter ΓÇôAppend will add new content to an existing file.
+This will grab the data for these three sites and write them to a text file on your local drive. The parameter ΓÇôAppend will add new content to an existing file.
For example, let's run a report on the ContosoTest, TeamSite01, and Project01 sites for the Contoso1 tenant:
$site = "Project01"
Get-SPOUser -Site https://$tenant.sharepoint.com/sites/$site | Format-Table -Wrap -AutoSize | Out-File c:\UsersReport.txt -Force -Width 360 -Append ```
-Note that we had to change only the **$site** variable. The **$tenant** variable keeps its value through all three runs of the command.
+We had to change only the **$site** variable. The **$tenant** variable keeps its value through all three runs of the command.
However, what if you wanted to do this for every site? You can do this without having to type all those websites by using this command:
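Review bot: The syntax sample in this section writes to `Out-File c\UsersReport.txt`, without the colon, while the later sample uses `c:\UsersReport.txt`; as written the first one is a relative path, not the root of drive C. Fix the path while the surrounding sentences are being edited. Two smaller points in the same region: the added line still says "these three sites" directly after a sample that sets a single `$site`, and it keeps the mis-encoded dash in `ΓÇôAppend`, which should read `-Append`.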
enterprise Manage User Accounts And Licenses With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-user-accounts-and-licenses-with-microsoft-365-powershell.md
Last updated 11/13/2020 audience: ITPro-+ ms.localizationpriority: medium
enterprise Microsoft 365 Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-endpoints.md
audience: ITPro-+ ms.localizationpriority: medium search.appverid:
enterprise Microsoft 365 Powershell Community Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-powershell-community-resources.md
Last updated 07/17/2020 audience: ITPro-+ ms.localizationpriority: medium
enterprise Set Up Network For Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/set-up-network-for-microsoft-365.md
Last updated 11/19/2019 audience: ITPro-+ ms.localizationpriority: medium search.appverid:
enterprise Skype For Business Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/skype-for-business-online.md
Last updated 6/29/2018 audience: Admin-+ ms.localizationpriority: medium f1.keywords:
enterprise Use Powershell For Email Migration To Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-powershell-for-email-migration-to-microsoft-365.md
Last updated 07/17/2020 audience: Admin-+ ms.localizationpriority: medium search.appverid:
enterprise Use Windows Powershell To Create Reports In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-windows-powershell-to-create-reports-in-microsoft-365.md
Last updated 07/17/2020 audience: ITPro-+ ms.localizationpriority: medium
security Eval Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-overview.md
ms.technology: m365d
- Microsoft 365 Defender
-# How this article series works
+## How this article series works
This series of articles is designed to step you through the entire process of setting up a trial XDR environment, *end-to-end*, so you can evaluate the features and capabilities of Microsoft 365 Defender and even promote the evaluation environment straight to production when and if you're ready.
If you're new to thinking about XDR, you can scan these 7 linked articles to get
- [How to create the environment](eval-create-eval-environment.md) - Set up or learn about each technology of this Microsoft XDR
- - [Microsoft Defender for Identity](eval-defender-identity-overview.md)
- - [Microsoft Defender for Office](eval-defender-office-365-overview.md)
- - [Microsoft Defender for Endpoint](eval-defender-endpoint-overview.md)
- - [Microsoft Defender for Cloud Apps](eval-defender-mcas-overview.md)
+ - [Microsoft Defender for Identity](eval-defender-identity-overview.md)
+ - [Microsoft Defender for Office](eval-defender-office-365-overview.md)
+ - [Microsoft Defender for Endpoint](eval-defender-endpoint-overview.md)
+ - [Microsoft Defender for Cloud Apps](eval-defender-mcas-overview.md)
- [How to investigate and respond using this XDR](eval-defender-investigate-respond.md) - [Promote the trial environment to production](eval-defender-promote-to-production.md)
In the illustration:
### Microsoft 365 Defender components secure devices, identity, data, and applications
-Microsoft 365 Defender is made up of these security technologies, operating in tandem. You don't need all of these components to benefit from the capabilities of XDR and Microsoft 365 Defender. You will realize gains and efficiencies through using one or two as well.
+Microsoft 365 Defender is made up of these security technologies, operating in tandem. You don't need all of these components to benefit from the capabilities of XDR and Microsoft 365 Defender. You will realize gains and efficiencies through using one or two as well.
-|Component |Description |Reference material |
-||||
-|Microsoft Defender for Identity | Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. | [What is Microsoft Defender for Identity?](/defender-for-identity/what-is) |
-|Exchange Online Protection | Exchange Online Protection is the native cloud-based SMTP relay and filtering service that helps protect your organization against spam and malware. | [Exchange Online Protection (EOP) overview - Office 365](../office-365-security/overview.md) |
-|Microsoft Defender for Office 365 | Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. | [Microsoft Defender for Office 365 - Office 365](../office-365-security/overview.md) |
-|Microsoft Defender for Endpoint | Microsoft Defender for Endpoint is a unified platform for device protection, post-breach detection, automated investigation, and recommended response. | [Microsoft Defender for Endpoint - Windows security](../defender-endpoint/microsoft-defender-endpoint.md) |
-|Microsoft Defender for Cloud Apps | Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps. | [What is Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security) |
+|Component|Description|Reference material|
+||||
+|Microsoft Defender for Identity|Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.|[What is Microsoft Defender for Identity?](/defender-for-identity/what-is)|
+|Exchange Online Protection|Exchange Online Protection is the native cloud-based SMTP relay and filtering service that helps protect your organization against spam and malware.|[Exchange Online Protection (EOP) overview - Office 365](../office-365-security/overview.md)|
+|Microsoft Defender for Office 365|Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools.|[Microsoft Defender for Office 365 - Office 365](../office-365-security/overview.md)|
+|Microsoft Defender for Endpoint|Microsoft Defender for Endpoint is a unified platform for device protection, post-breach detection, automated investigation, and recommended response.|[Microsoft Defender for Endpoint - Windows security](../defender-endpoint/microsoft-defender-endpoint.md)|
+|Microsoft Defender for Cloud Apps|Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.|[What is Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security)|
|Azure AD Identity Protection|Azure AD Identity Protection evaluates risk data from billions of sign-in attempts and uses this data to evaluate the risk of each sign-in to your environment. This data is used by Azure AD to allow or prevent account access, depending on how Conditional Access policies are configured. Azure AD Identity Protection is licensed separately from Microsoft 365 Defender. It is included with Azure Active Directory Premium P2.|[What is Identity Protection?](/azure/active-directory/identity-protection/overview-identity-protection)|
-| | | |
+||||
## Microsoft 365 Defender architecture
In this illustration:
- Microsoft Defender for Identity gathers signals from servers running Active Directory Federated Services (AD FS) and on-premises Active Directory Domain Services (AD DS). It uses these signals to protect your hybrid identity environment, including protecting against hackers that use compromised accounts to move laterally across workstations in the on-premises environment. - Microsoft Defender for Endpoint gathers signals from and protects devices used by your organization. - Microsoft Defender for Cloud Apps gathers signals from your organization's use of cloud apps and protects data flowing between your environment and these apps, including both sanctioned and unsanctioned cloud apps.-- Azure AD Identity Protection evaluates risk data from billions of sign-in attempts and uses this data to evaluate the risk of each sign-in to your environment. This data is used by Azure AD to allow or prevent account access, depending on how Conditional Access policies are configured. Azure AD Identity Protection is licensed separately from Microsoft 365 Defender. It is included with Azure Active Directory Premium P2.
+- Azure AD Identity Protection evaluates risk data from billions of sign-in attempts and uses this data to evaluate the risk of each sign-in to your environment. This data is used by Azure AD to allow or prevent account access, depending on how Conditional Access policies are configured. Azure AD Identity Protection is licensed separately from Microsoft 365 Defender. It is included with Azure Active Directory Premium P2.
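Review bot: In the rewritten component table, the Exchange Online Protection row and the Microsoft Defender for Office 365 row both link to `../office-365-security/overview.md`, under two different link texts ("Exchange Online Protection (EOP) overview - Office 365" and "Microsoft Defender for Office 365 - Office 365"). One of the two targets is presumably wrong. This pass only strips padding, but since every row is being rewritten anyway, point each row at its own article.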
## Microsoft SIEM and SOAR can use data from Microsoft 365 Defender
Microsoft recommends enabling the components of Microsoft 365 in the order illus
The following table describes this illustration.
-| |Step |Description |
-||||
-|1 | [Create the evaluation environment](eval-create-eval-environment.md) |This step ensures you have the trial license for Microsoft 365 Defender. |
-|2 | [Enable Defender for Identity](eval-defender-identity-overview.md) | Review the architecture requirements, enable the evaluation, and walk through tutorials for identifying and remediating different attack types. |
-|3 | [Enable Defender for Office 365 ](eval-defender-office-365-overview.md) | Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. This component includes Exchange Online Protection and so you will actually evaluate *both* here. |
-|4 | [Enable Defender for Endpoint ](eval-defender-endpoint-overview.md) | Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. |
-|5 | [Enable Microsoft Defender for Cloud Apps](eval-defender-mcas-overview.md) | Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. |
-|6 | [Investigate and respond to threats](eval-defender-investigate-respond.md) | Simulate an attack and begin using incident response capabilities. |
-|7 | [Promote the trial to production](eval-defender-promote-to-production.md) | Promote the Microsoft 365 components to production one-by-one. |
-| | | |
+|Step|Link|Description|
+||||
+|1|[Create the evaluation environment](eval-create-eval-environment.md)|This step ensures you have the trial license for Microsoft 365 Defender.|
+|2|[Enable Defender for Identity](eval-defender-identity-overview.md)|Review the architecture requirements, enable the evaluation, and walk through tutorials for identifying and remediating different attack types.|
+|3|[Enable Defender for Office 365](eval-defender-office-365-overview.md)|Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. This component includes Exchange Online Protection and so you will actually evaluate *both* here.|
+|4|[Enable Defender for Endpoint](eval-defender-endpoint-overview.md)|Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment.|
+|5|[Enable Microsoft Defender for Cloud Apps](eval-defender-mcas-overview.md)|Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment.|
+|6|[Investigate and respond to threats](eval-defender-investigate-respond.md)|Simulate an attack and begin using incident response capabilities.|
+|7|[Promote the trial to production](eval-defender-promote-to-production.md)|Promote the Microsoft 365 components to production one-by-one.|
+||||
This is a commonly recommended order designed to leverage the value of the capabilities quickly based on how much effort is typically required to deploy and configure the capabilities. For example, Defender for Office 365 can be configured in less time than it takes to enroll devices in Defender for Endpoint. Of course, you should prioritize the components to meet your business needs, and can enable these in a different order.
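Review bot: The empty final row is kept in the rewritten steps table (`||||` as the last added line), and the component table earlier in this file gets the same treatment where `| | | |` becomes `||||`. An all-empty row has no content to render, so drop it from both tables instead of normalizing its spacing. The new header `|Step|Link|Description|` is an improvement over the blank first header cell.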
security Microsoft 365 Security Mdo Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-mdo-redirection.md
- Title: Redirecting accounts from Office 365 Security and Compliance Center to the new Microsoft 365 Defender
-description: How to redirect from the Defender for Office 365 to Microsoft 365 Defender.
-keywords: Microsoft 365 Defender, Getting started with Microsoft 365 Defender, security center redirection
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
----
- - M365-security-compliance
--- admindeeplinkDEFENDER-- admindeeplinkEXCHANGE--
-# Redirecting accounts from Office 365 Security and Compliance Center to Microsoft 365 Defender
--
-**Applies to:**
--- Microsoft 365 Defender-- Defender for Office 365-
-This article explains how to route accounts to Microsoft 365 Defender by enabling automatic redirection from the former Office 365 Security and Compliance Center (protection.office.com), to Microsoft 365 Defender (security.microsoft.com).
-
-## What to expect
-
-Once automatic redirection is enabled and active, users accessing the security-related capabilities in Office 365 Security and Compliance (protection.office.com), will be automatically routed to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>.
-
-Learn more about what's changed: [Microsoft Defender for Office 365 in Microsoft 365 Defender](microsoft-365-security-center-mdo.md).
-
-With automatic redirection turned on, users will be routed to Microsoft 365 Defender when they use security capabilities in the Office 365 Security and Compliance Center.
-
-These include capabilities in the Threat Management section, Alerts (View Alerts and Alert Policies), and the Threat Management dashboard and reports. Items in the Office 365 Security and Compliance Center that are not related to security are not redirected to Microsoft 365 Defender.
-
-Compliance-related items can be found in the Microsoft 365 compliance center, and mail-flow related items can be found in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
-
-All other capabilities, whether compliance-related or capabilities that serve both are not affected by redirection.
-
-### Set up portal redirection
-
-As of the beginning of Oct 2021, portal redirection is now done automatically, or by default. However, if it needs to be disabled temporarily, those steps will follow.
-
-<!--To start routing accounts to Microsoft 365 Defender at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">security.microsoft.com</a>:
-
-1. Make sure you're a global administrator or have security administrator permissions in Azure Active directory.
-2. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>.
-3. Go to **Settings** > **Email & collaboration** > **Portal redirection**.
-4. Toggle the Automatic redirection setting to **On**.
-5. Click **Enable** to apply automatic redirection to Microsoft 365 Defender.
-
-> [!NOTE]
-> After redirection is enabled, accounts in active sessions while this setting is applied will not be ejected from their session and will only be routed to Microsoft 365 Defender after ending their current session and signing back in again.-->
-
-## Can I go back to using the former portal?
-
-If something isn't working for you or if there's anything you're unable to complete through Microsoft 365 Defender, we want to hear about it using the portal feedback option. If you've encountered any issues with redirection, please let us know.
-
-To revert to the former portal:
-
-1. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a> as a global administrator or using and account with security administrator permissions in Azure Active directory.
-
-2. Go to **Settings** > **Email & collaboration** > **Portal redirection**.
-
-3. Toggle the Automatic redirection setting to **Off**.
-
-4. Click **Disable** & share feedback when prompted.
-
-This setting can be enabled again at any time.
-
-## Related information
-- [Microsoft 365 Defender overview](microsoft-365-defender.md)-- [Microsoft Defender for Endpoint in Microsoft 365 Defender](microsoft-365-security-center-mde.md)-- [Microsoft delivers unified SIEM and XDR to modernize security operations](https://www.microsoft.com/security/blog/?p=91813) -- [XDR versus SIEM infographic](https://afrait.com/blog/xdr-versus-siem/) -- [`The New Defender`](https://afrait.com/blog/the-new-defender/) -- [About Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) -- [Microsoft security portals and admin centers](portals.md)
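Review bot: The revert procedure under "Can I go back to using the former portal?" (Settings > Email & collaboration > Portal redirection, toggle to Off) goes away with this deletion, and nothing in the visible change says where an admin finds it afterwards. Before merging, confirm that microsoft-365-security-mdo-redirection.md has a redirect entry, that articles linking to it are updated, and that the steps for disabling redirection are kept in another article if the setting still exists.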
security About Defender For Office 365 Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/about-defender-for-office-365-trial.md
Microsoft Defender for Office 365 safeguards your organization against malicious
A Microsoft Defender for Office 365 trial is an easy way to try out the capabilities of Defender for Office 365 Plan 2 for free, after only a few clicks. These high level capabilities are described in the following table:
-<br>
-
-****
- |Feature|Description| ||| |[Exclusive settings in anti-phishing policies](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)|Get user impersonation protection, domain impersonation protection, mailbox intelligence, and advanced phishing thresholds.|
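Review bot: The removed wrapper includes an empty line (the bare `-` between `-<br>` and `-****`), so check that a blank line still separates the introductory sentence "These high level capabilities are described in the following table:" from the `|Feature|Description|` header row. Without one, some Markdown renderers treat the header as a continuation of the paragraph and the table does not render.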
A Microsoft Defender for Office 365 trial is an easy way to try out the capabili
|[Campaign Views](campaigns.md)<sup>\*</sup>|Investigate and respond to large-scale malicious email activity.| |[Reports using Defender for Office 365 capabilities](view-reports-for-mdo.md)|View reports including threat protection status, URL threat protection, mail latency, and more.| |[Priority account protection](/microsoft-365/admin/setup/priority-accounts)<sup>\*</sup>|Users that you identify as Priority accounts are tagged in alerts, reports, and investigations so they stand out. You can also use the Priority tag in filters.|
-|
<sup>\*</sup> This feature is exclusive to Defender for Office 365 Plan 2.
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
For other ways to submit email messages, URLs, and attachments to Microsoft, see
- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>. -- To submit messages and files to Microsoft, you need to be a member of one of the following role groups:
+- To submit messages and files to Microsoft, you need to have one of following roles:
- **Security Administrator** or **Security Reader** in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
- Note that membership in this role group is required to [View user submissions to the custom mailbox](#view-user-submissions-to-microsoft) as described later in this article.
+ Note that one of these roles is required to [View user submissions to the custom mailbox](#view-user-submissions-to-microsoft) as described later in this article.
- Admins can submit messages as old as 30 days if it is still available in the mailbox and not purged by the user or another admin.
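Review bot: The added bullet reads "you need to have one of following roles", which is missing an article; use "one of the following roles". In the added note, the link text "View user submissions to the custom mailbox" points at the anchor `#view-user-submissions-to-microsoft`; since the sentence is being rewritten anyway, make the link text match the section it targets.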
security Advanced Spam Filtering Asf Options https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-spam-filtering-asf-options.md
For each ASF setting, the following options are available in anti-spam policies:
The following **Increase spam score** ASF settings set the spam confidence level (SCL) of detected messages to 5 or 6, which corresponds to a **Spam** filter verdict and the corresponding action in anti-spam policies.
-<br>
-
-****
- |Anti-spam policy setting|Description|X-header added| |||| |**Image links to remote websites** <p> *IncreaseScoreWithImageLinks*|Messages that contain `<Img>` HTML tag links to remote sites (for example, using http) are marked as spam.|`X-CustomSpam: Image links to remote sites`| |**Numeric IP address in URL** <p> *IncreaseScoreWithNumericIps*|Messages that contain numeric-based URLs (typically, IP addresses) are marked as spam.|`X-CustomSpam: Numeric IP in URL`| |**URL redirect to other port** <p> *IncreaseScoreWithRedirectToOtherPort*|Message that contain hyperlinks that redirect to TCP ports other than 80 (HTTP), 8080 (alternate HTTP), or 443 (HTTPS) are marked as spam.|`X-CustomSpam: URL redirect to other port`| |**Links to .biz or .info websites** <p> *IncreaseScoreWithBizOrInfoUrls*|Messages that contain `.biz` or `.info` links in the body of the message are marked as spam.|`X-CustomSpam: URL to .biz or .info websites`|
-|
## Mark as spam settings The following **Mark as spam** ASF settings set the SCL of detected messages to 9, which corresponds to a **High confidence spam** filter verdict and the corresponding action in anti-spam policies.
-<br>
-
-****
- |Anti-spam policy setting|Description|X-header added| |||| |**Empty messages** <p> *MarkAsSpamEmptyMessages*|Messages with no subject, no content in the message body, and no attachments are marked as high confidence spam.|`X-CustomSpam: Empty Message`|
The following **Mark as spam** ASF settings set the SCL of detected messages to
|**Object tags in HTML** <p> *MarkAsSpamObjectTagsInHtml*|Messages that contain `<object>` HTML tags are marked as high confidence spam. <p> This tag allows plug-ins or applications to run in an HTML window.|`X-CustomSpam: Object tag in html`| |**Sensitive words** <p> *MarkAsSpamSensitiveWordList*|Microsoft maintains a dynamic but non-editable list of words that are associated with potentially offensive messages. <p> Messages that contain words from the sensitive word list in the subject or message body are marked as high confidence spam.|`X-CustomSpam: Sensitive word in subject/body`| |**SPF record: hard fail** <p> *MarkAsSpamSpfRecordHardFail*|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF Record Fail`|
-|
The following **Mark as spam** ASF settings set the SCL of detected messages to 6, which corresponds to a **Spam** filter verdict and the corresponding action in anti-spam policies.
-<br>
-
-****
- |Anti-spam policy setting|Description|X-header added| |||| |**Sender ID filtering hard fail** <p> *MarkAsSpamFromAddressAuthFail*|Messages that hard fail a conditional Sender ID check are marked as spam. <p> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF From Record Fail`| |**Backscatter** <p> *MarkAsSpamNdrBackscatter*|*Backscatter* is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](backscatter-messages-and-eop.md). <p> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered, and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route *outbound* email through EOP.</li></ul> <p> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs will be delivered to the original message sender. Some, but not all, backscatter is marked as spam. By definition, backscatter can only be delivered to the spoofed sender, not to the original sender.</li></ul> <p> Test mode is not available for this setting.|`X-CustomSpam: Backscatter NDR`|
-|
security Air Custom Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-custom-reporting.md
With [Microsoft Defender for Office 365](defender-for-office-365.md), you get [d
|[Get started with Office 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis)|The Office 365 Management API uses Azure AD to provide authentication services for your application to access Microsoft 365 data. Follow the steps in this article to set this up.| |[Office 365 Management Activity API reference](/office/office-365-management-api/office-365-management-activity-api-reference)|You can use the Office 365 Management Activity API to retrieve information about user, admin, system, and policy actions and events from Microsoft 365 and Azure AD activity logs. Read this article to learn more about how this works.| |[Office 365 Management Activity API schema](/office/office-365-management-api/office-365-management-activity-api-schema)|Get an overview of the [Common schema](/office/office-365-management-api/office-365-management-activity-api-schema#common-schema) and the [Defender for Office 365 and threat investigation and response schema](/office/office-365-management-api/office-365-management-activity-api-schema#office-365-advanced-threat-protection-and-threat-investigation-and-response-schema) to learn about specific kinds of data available through the Office 365 Management Activity API.|
-|
## See also
security Air Report False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-report-false-positives-negatives.md
In most cases, if a remediation action was taken on an email message, email atta
With Threat Explorer, your security operations team can find an email affected by an action and potentially undo the action.
-<br>
-
-****
- |Scenario|Undo Options|Learn more| |||| |An email message was routed to a user's Junk Email folder|<ul><li>Move the message to the user's Deleted Items folder</li><li>Move the message to the user's Inbox</li><li>Delete the message</li></ul>|[Find and investigate malicious email that was delivered in Office 365](investigate-malicious-email-that-was-delivered.md)| |An email message or a file was quarantined|<ul><li>Release the email or file</li><li> Delete the email or file</li></ul>|[Manage quarantined messages as an admin](manage-quarantined-messages-and-files.md)|
-|
### Undo an action in the Action center
security Air View Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-view-investigation-results.md
When an [automated investigation](office-365-air.md) occurs in [Microsoft Defend
The investigation status indicates the progress of the analysis and actions. As the investigation runs, status changes to indicate whether threats were found, and whether actions have been approved.
-<br>
-
-****
- |Status|Description| ||| |**Starting**|The investigation has been triggered and waiting to start running.|
The investigation status indicates the progress of the analysis and actions. As
|**Failed**|At least one investigation analyzer ran into a problem where it could not complete properly. <p> **NOTE** If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. View the investigation details.| |**Queued By Throttling**|An investigation is being held in a queue. When other investigations complete, queued investigations begin. Throttling helps avoid poor service performance. <p> **TIP**: Pending actions can limit how many new investigations can run. Make sure to [approve (or reject) pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions).| |**Terminated By Throttling**|If an investigation is held in the queue too long, it stops. <p> **TIP**: You can [start an investigation from Threat Explorer](automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).|
-|
## View details of an investigation
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/alerts.md
Last updated audience: Admin-+ ms.localizationpriority: medium search.appverid: - MOE150
Alerts are available in the Microsoft 365 Defender portal at <https://security.m
The following table describes the tools that are available on the **Alerts** page.
-<br>
-
-****
- |Tool|Description| ||| |[Manage alerts](../../compliance/create-activity-alerts.md)|Use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. Activity alerts are similar to searching the audit log for events, except that you'll be sent an email message when an event that you've created an alert for occurs.| |[Manage advanced alerts](/cloud-app-security/what-is-cloud-app-security)|Use the **Manage advanced alerts** feature of Microsoft Defender for Cloud Apps to set up policies that can alert you to suspicious and anomalous activity in Microsoft 365. After you're alerted, you can investigate situations that are potentially problematic and, if needed, take action to address security issues.|
-|
security Anti Spam And Anti Malware Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-and-anti-malware-protection.md
EOP has built-in inbound and outbound malware filtering to help protect your org
The following table contains links to topics that explain how anti-malware protection works in EOP, and how you can fine-tune your anti-malware configuration settings to best meet the needs of your organization.
-<br>
-
-****
- |Topic|Description| ||| |[Anti-malware protection in EOP](anti-malware-protection.md)|Provides overview information about how the service offers multi-layered malware protection that's designed to catch all known malware traveling to or from your organization.|
The following table contains links to topics that explain how anti-malware prote
|[Configure anti-malware policies in EOP](configure-anti-malware-policies.md)|Describes how to configure the default company-wide anti-malware policy, as well as create custom anti-malware policies that you can apply to specified users, groups, or domains in your organization.| |[Recover from a ransomware attack](recover-from-ransomware.md)|| |[Virus detection in SharePoint Online](virus-detection-in-spo.md)|
-|
## Anti-spam protection in EOP The following table contains links to topics that explain how anti-spam protection works in EOP, and how you can fine-tune your anti-spam configuration settings to best meet the needs of your organization.
-<br>
-
-****
- |Topic|Description| ||| |[Anti-spam protection in EOP](anti-spam-protection.md)|Provides overview information about the main anti-spam protection features included in the service.|
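Review bot: In the anti-malware topics table, removing the trailing `-|` leaves the last row as `|[Virus detection in SharePoint Online](virus-detection-in-spo.md)|`, which has one cell in a two-column table. The row above it, "Recover from a ransomware attack", ends in `||` for its empty description; give the last row the same empty second cell, or better, fill in the missing descriptions for both rows.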
The following table contains links to topics that explain how anti-spam protecti
|[Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md)|Learn about the organization settings and mailbox-specific settings that determine whether mail is moved into the Junk Email folder.| |[Use mail flow rules to set the spam confidence level (SCL) in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl)|Learn how to use mail flow rules (also known as transport rules) to set the SCL in messages before spam filtering.| |[Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md)|Learn about the ASF settings that are available in anti-spam policies.|
-|
### Outbound spam protection in Exchange Online The following table contains links to topics that explain how outbound spam protection works for Exchange Online mailboxes.
-<br>
-
-****
- |Topic|Description| ||| |[Outbound spam protection in EOP](outbound-spam-controls.md)|| |[Configure outbound spam filtering in EOP](configure-the-outbound-spam-policy.md)|Shows how to configure outbound spam policies, which contain settings that help make sure your users don't send spam through the service.| |[High-risk delivery pool for outbound messages](high-risk-delivery-pool-for-outbound-messages.md)|| |[Remove blocked users from the Restricted Users portal in Office 365](removing-user-from-restricted-users-portal-after-spam.md)||
-|
## Common protection technologies The following table contains links to topics that explain settings that are common to anti-malware and anti-spam protection.
-<br>
-
-****
- |Topic|Description| ||| |[Anti-spam message headers](anti-spam-message-headers.md)|Describes the anti-spam fields placed in Internet headers, which can help provide administrators with information about the message and about how it was processed.|
The following table contains links to topics that explain settings that are comm
|[Zero-hour auto purge (ZAP) - protection against spam and malware](zero-hour-auto-purge.md)|| |[Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md)|| |[Use the delist portal to remove yourself from the Microsoft 365 blocked senders list](use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md)||
-|
security Anti Spam Message Headers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-message-headers.md
The individual fields and values are described in the following table.
|`SFV:SPM`|The message was marked as spam by spam filtering.| |`SRV:BULK`|The message was identified as bulk email by spam filtering and the bulk complaint level (BCL) threshold. When the _MarkAsSpamBulkMail_ parameter is `On` (it's on by default), a bulk email message is marked as spam (SCL 6). For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).| |`X-CustomSpam: [ASFOption]`|The message matched an Advanced Spam Filter (ASF) setting. To see the X-header value for each ASF setting, see [Advanced Spam Filter (ASF) settings](advanced-spam-filtering-asf-options.md).|
-|
## X-Microsoft-Antispam message header fields
The following table describes useful fields in the **X-Microsoft-Antispam** mess
|Field|Description| ||| |`BCL`|The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (and is therefore more likely to be spam). For more information, see [Bulk complaint level (BCL)](bulk-complaint-level-values.md).|
-|
## Authentication-results message header
The following table describes the fields and possible values for each email auth
|`reason`|The reason the composite authentication passed or failed. The value is a 3-digit code. For example: <ul><li>**000**: The message failed explicit authentication (`compauth=fail`). For example, the message received a DMARC fail with an action of quarantine or reject.</li><li>**001**: The message failed implicit authentication (`compauth=fail`). This means that the sending domain did not have email authentication records published, or if they did, they had a weaker failure policy (SPF soft fail or neutral, DMARC policy of `p=none`).</li><li>**002**: The organization has a policy for the sender/domain pair that is explicitly prohibited from sending spoofed email. This setting is manually set by an admin.</li><li>**010**: The message failed DMARC with an action of reject or quarantine, and the sending domain is one of your organization's accepted-domains (this is part of self-to-self, or intra-org, spoofing).</li><li>**1xx** or **7xx**: The message passed authentication (`compauth=pass`). The last two digits are internal codes used by Microsoft 365.</li><li>**2xx**: The message soft-passed implicit authentication (`compauth=softpass`). The last two digits are internal codes used by Microsoft 365.</li><li>**3xx**: The message was not checked for composite authentication (`compauth=none`).</li><li>**4xx** or **9xx**: The message bypassed composite authentication (`compauth=none`). The last two digits are internal codes used by Microsoft 365.</li><li>**6xx**: The message failed implicit email authentication, and the sending domain is one of your organization's accepted domains (this is part of self-to-self or intra-org spoofing).</li></ul>| |`smtp.mailfrom`|The domain of the `5321.MailFrom` address (also known as the MAIL FROM address, P1 sender, or envelope sender). This is the email address that's used for non-delivery reports (also known as NDRs or bounce messages).| |`spf`|Describes the results of the SPF check for the message. 
Possible values include: <ul><li>`pass (IP address)`: The SPF check for the message passed and includes the sender's IP address. The client is authorized to send or relay email on behalf of the sender's domain.</li><li>`fail (IP address)`: The SPF check for the message failed and includes the sender's IP address. This is sometimes called _hard fail_.</li><li>`softfail (reason)`: The SPF record designated the host as not being allowed to send, but is in transition.</li><li>`neutral`: The SPF record explicitly states that it does not assert whether the IP address is authorized to send.</li><li>`none`: The domain doesn't have an SPF record or the SPF record doesn't evaluate to a result.</li><li>`temperror`: A temporary error has occurred. For example, a DNS error. The same check later might succeed.</li><li>`permerror`: A permanent error has occurred. For example, the domain has a badly formatted SPF record.</li></ul>|
-|
security Bulk Complaint Level Values https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/bulk-complaint-level-values.md
The BCL thresholds are described in the following table.
|1, 2, 3|The message is from a bulk sender that generates few complaints.| |4, 5, 6, 7<sup>\*</sup>|The message is from a bulk sender that generates a mixed number of complaints.| |8, 9|The message is from a bulk sender that generates a high number of complaints.|
-|
<sup>\*</sup> This is the default threshold value that's used in anti-spam policies.
security Configure Junk Email Settings On Exo Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes.md
Admins can use Exchange Online PowerShell to configure entries in the safelist c
The safelist collection on a mailbox includes the Safe Senders list, the Safe Recipients list, and the Blocked Senders list. By default, users can configure the safelist collection on their own mailbox in Outlook or Outlook on the web. Administrators can use the corresponding parameters on the **Set-MailboxJunkEmailConfiguration** cmdlet to configure the safelist collection on a user's mailbox. These parameters are described in the following table.
-<br>
-
-****
- |Parameter on Set-MailboxJunkEmailConfiguration|Outlook on the web setting| ||| |_BlockedSendersAndDomains_|**Move email from these senders or domains to my Junk Email folder**| |_ContactsTrusted_|**Trust email from my contacts**| |_TrustedListsOnly_|**Only trust email from addresses in my Safe senders and domains list and Safe mailing lists**| |_TrustedSendersAndDomains_<sup>\*</sup>|**Don't move email from these senders to my Junk Email folder**|
-|
<sup>\*</sup> **Notes**:
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
When you're finished, click **Done**.
+ > [!NOTE]
+ > The maximum number of sender and domain entries is 1024.
+ - **Enable mailbox intelligence**: The default value is on (selected), and we recommend that you leave it on. To turn it off, clear the check box. - **Enable intelligence based impersonation protection**: This setting is available only if **Enable mailbox intelligence** is on (selected). This setting allows mailbox intelligence to take action on messages that are identified as impersonation attempts. You specify the action to take in the **If mailbox intelligence detects an impersonated user** setting on the next page.
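Review bot: The added note "The maximum number of sender and domain entries is 1024." does not say whether 1024 is a combined limit or applies separately to the sender list and the domain list. State which one it is, and say what happens when an admin tries to add an entry past the limit, since this note sits directly after the step where entries are added.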
security Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365.md
Microsoft Defender for Office 365 Plan 2 includes best-of-class [threat investig
To access Microsoft Defender for Office 365 features, you must be assigned an appropriate role. The following table includes some examples:
-<br>
-
-****
- |Role or role group|Resources to learn more| ||| |global administrator (Organization Management)|You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).|
security External Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/external-email-forwarding.md
As an admin, you might have already configured other controls to allow or block
When one setting allows external forwarding, but another setting blocks external forwarding, the block typically wins. Examples are described in the following table:
-<br>
-
-****
- |Scenario|Result| ||| |<ul><li>You configure remote domain settings to allow automatic forwarding.</li><li>Automatic forwarding in the outbound spam filter policy is set to **Off**.</li></ul>|Automatically forwarded messages to recipients in the affected domains are blocked.| |<ul><li>You configure remote domain settings to allow automatic forwarding.</li><li>Automatic forwarding in the outbound spam filter policy is set to **Automatic - System-controlled**.</li></ul>|Automatically forwarded messages to recipients in the affected domains are blocked. <p> As described earlier, **Automatic - System-controlled** used to mean **On**, but the setting has changed over time to mean **Off** in all organizations. <p> For absolute clarity, you should configure your outbound spam filter policy to **On** or **Off**.| |<ul><li>Automatic forwarding in the outbound spam filter policy is set to **On**</li><li>You use mail flow rules or remote domains to block automatically forwarded email.</li></ul>|Automatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.|
-|
You can use this behavior (for example) to allow automatic forwarding in outbound spam filter policies, but use remote domains to control the external domains that users can forward messages to.
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
As an ordinary user (not an admin), the **default** capabilities that are available to you as a recipient of a quarantined message are described in the following table:
-<br>
-
-****
- |Quarantine reason|View|Release|Delete| ||::|::|::| |**Anti-spam policies**||||
As an ordinary user (not an admin), the **default** capabilities that are availa
|Safe Attachments for SharePoint, OneDrive, and Microsoft Teams that quarantines malicious files as malware.|||| |**Mail flow rules (transport rules)**|||| |Mail flow rules that quarantine email messages.||||
-|
_Quarantine policies_ define what users are allowed to do to quarantined messages based on the why the message was quarantined in [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities as described in the previous table. Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users in supported features. For more information, see [Quarantine policies](quarantine-policies.md).
security Help And Support For Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/help-and-support-for-eop.md
Microsoft provides local or toll-free telephone numbers for product support arou
|Spain|Toll-free: 900 814 197 <br> Local: 912 718 160|Same| |United Kingdom|Toll-free: 0800 032 6417 <br> Local: 0203 450 6455|Same| |United States|Toll-free: 1-877-913-2707|Toll-free: 1-800-865-9408|
-|
## For more information about EOP documentation
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
There are two major factors that determine which policy is applied to a message:
For example, consider the following anti-phishing policies in Microsoft Defender for Office 365 **that apply to the same users**, and a message that's identified as both user impersonation and spoofing:
-<br>
-
-****
- |Policy name|Priority|User impersonation|Anti-spoofing| ||||| |Policy A|1|On|Off| |Policy B|2|Off|On|
-|
1. The message is marked and treated as spoof, because spoofing has a higher priority (4) than user impersonation (5). 2. Policy A is applied to the users because it has a higher priority than Policy B.
security Identity Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
To give you time to accomplish these tasks, we recommend implementing the starti
||[Define device compliance policies](#define-device-compliance-policies)|One policy for each platform.|Microsoft 365 E3 or E5| ||[Require compliant PCs and mobile devices](#require-compliant-pcs-and-mobile-devices)|Enforces Intune management for both PCs (Windows or macOS) and phones or tablets (iOS, iPadOS, or Android).|Microsoft 365 E3 or E5| |**Specialized security**|[*Always* require MFA](#assigning-policies-to-groups-and-users)||Microsoft 365 E3 or E5|
-|
## Assigning policies to groups and users
In the **Assignments** section:
|Cloud apps or actions|**Cloud apps > Include**|**Select apps**: Select the apps you want this policy to apply to. For example, select Exchange Online.|| |Conditions|||Configure conditions that are specific to your environment and needs.| ||Sign-in risk||See the guidance in the following table.|
-|
### Sign-in risk condition settings
Apply the risk level settings based on the protection level you are targeting.
|Starting point|High, medium|Check both.| |Enterprise|High, medium, low|Check all three.| |Specialized security||Leave all options unchecked to always enforce MFA.|
-|
In the **Access controls** section:
In the **Access controls** section:
|Grant|**Grant access**||Select| |||**Require Multi-factor authentication**|Check| ||**Require all the selected controls**||Select|
-|
Choose **Select** to save the **Grant** settings.
In the **Assignments** section:
||Exclude|**Users and groups**: Select your Conditional Access exception group; service accounts (app identities).|Membership should be modified on an as-needed, temporary basis.| |Cloud apps or actions|**Cloud apps > Include**|**Select apps**: Select the apps corresponding to the clients that do not support modern authentication.|| |Conditions|**Client apps**|Choose **Yes** for **Configure** <p> Clear the check marks for **Browser** and **Mobile apps and desktop clients**||
-|
In the **Access controls** section:
In the **Access controls** section:
||||| |Grant|**Block access**||Select| ||**Require all the selected controls**||Select|
-|
Choose **Select** to save the **Grant** settings.
In the **Assignments** section:
||||| |Users|Include|**All users**|Select| |User risk|**High**||Select|
-|
In the second **Assignments** section:
In the second **Assignments** section:
||||| |Access|**Allow access**||Select| |||**Require password change**|Check|
-|
Choose **Done** to save the **Access** settings.
Using the principles outlined in [Zero Trust identity and device access configur
|Starting point|[Level 2 enhanced data protection](/mem/intune/apps/app-protection-framework#level-2-enterprise-enhanced-data-protection)|The policy settings enforced in level 2 include all the policy settings recommended for level 1 and only adds to or updates the below policy settings to implement more controls and a more sophisticated configuration than level 1.| |Enterprise|[Level 2 enhanced data protection](/mem/intune/apps/app-protection-framework#level-2-enterprise-enhanced-data-protection)|The policy settings enforced in level 2 include all the policy settings recommended for level 1 and only adds to or updates the below policy settings to implement more controls and a more sophisticated configuration than level 1.| |Specialized security|[Level 3 enterprise high data protection](/mem/intune/apps/app-protection-framework#level-3-enterprise-high-data-protection)|The policy settings enforced in level 3 include all the policy settings recommended for level 1 and 2 and only adds to or updates the below policy settings to implement more controls and a more sophisticated configuration than level 2.|
-|
To create a new app protection policy for each platform (iOS and Android) within Microsoft Endpoint Manager using the data protection framework settings, you can:
For **Device health > Windows Health Attestation Service evaluation rules**, see
|Require BitLocker|Require|Select| |Require Secure Boot to be enabled on the device|Require|Select| |Require code integrity|Require|Select|
-|
For **Device properties**, specify appropriate values for operating system versions based on your IT and security policies.
For **System security**, see this table.
||Microsoft Defender Antimalware minimum version||Type <p> Only supported for Windows 10 desktop. Microsoft recommends versions no more than five behind from the most recent version.| ||Microsoft Defender Antimalware signature up to date|Require|Select| ||Real-time protection|Require|Select <p> Only supported for Windows 10 and later desktop|
-|
#### Microsoft Defender for Endpoint |Type|Properties|Value|Action| ||||| |Microsoft Defender for Endpoint rules in the Microsoft Endpoint Manager admin center|[Require the device to be at or under the machine-risk score](/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level)|Medium|Select|
-|
<!-- ## Require compliant PCs (but not compliant phones and tablets)
security Identity Access Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md
The following table details the prerequisite features and their configuration th
|[Enable Azure Active Directory Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection). Azure AD Identity Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure an automated remediation policy to low, medium, and high sign-in risk and user risk.||Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on| |**Enable modern authentication** for [Exchange Online](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online) and for [Skype for Business Online](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx). Modern authentication is a prerequisite for using MFA. Modern authentication is enabled by default for Office 2016 and 2019 clients, SharePoint, and OneDrive for Business.||Microsoft 365 E3 or E5| |[Enable continuous access evaluation](microsoft-365-continuous-access-evaluation.md) for Azure AD. Continuous access evaluation proactively terminates active user sessions and enforces tenant policy changes in near real-time.||Microsoft 365 E3 or E5|
-|
## Recommended client configurations
The following email clients support modern authentication and Conditional Access
|**Android**|Outlook for Android|[Latest](https://play.google.com/store/apps/details?id=com.microsoft.office.outlook&hl=en)| |**macOS**|Outlook|2019 and 2016| |**Linux**|Not supported||
-|
### Recommended client platforms when securing documents
The following clients are recommended when a secure documents policy has been ap
|iOS|Supported|Supported|Supported|Supported|N/A| |macOS|Supported|Supported|N/A|N/A|Not supported| |Linux|Not supported|Not supported|Not supported|Not supported|Not supported|
-|
### Microsoft 365 client support
security Install App Guard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/install-app-guard.md
Office supports the following policies to enable you to configure the capabiliti
|Turn off camera and microphone access for documents opened in Application Guard for Office|Enabling this policy will remove Office access to the camera and microphone inside Application Guard for Office.| |Restrict printing from documents opened in Application Guard for Office|Enabling this policy will limit the printers that a user can print to from a file opened in Application Guard for Office. For example, you can use this policy to restrict users to only print to PDF.| |Prevent users from removing Application Guard for Office protection on files|Enabling this policy will remove the option (within the Office application experience) to disable Application Guard for Office protection or to open a file outside Application Guard for Office. <p> **Note:** Users can still bypass this policy by manually removing the mark-of-the-web property from the file or by moving a document to a Trusted location.|
-|
> [!NOTE] > The following policies will require the user to sign out and sign in again to Windows to take effect:
security Investigate Malicious Email That Was Delivered https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md
Make sure that the following requirements are met:
To perform certain actions, such as viewing message headers or downloading email message content, you must have the *Preview* role added to another appropriate role group. The following table clarifies required roles and permissions.
-<br>
-
-****
- |Activity|Role group|Preview role needed?| |||| |Use Threat Explorer (and Real-time detections) to analyze threats|Global Administrator <p> Security Administrator <p> Security Reader|No| |Use Threat Explorer (and Real-time detections) to view headers for email messages as well as preview and download quarantined email messages|Global Administrator <p> Security Administrator <p> Security Reader|No| |Use Threat Explorer to view headers, preview email (only in the email entity page) and download email messages delivered to mailboxes|Global Administrator <p> Security Administrator <p> Security Reader <p> Preview|Yes|
-|
> [!NOTE] > **Preview** is a role, not a role group. The Preview role must be added to an existing role group or a new role group in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
security Microsoft 365 Continuous Access Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-continuous-access-evaluation.md
Conditional Access policy evaluation occurs when the user account is no longer c
The following Microsoft 365 services currently support continuous access evaluation by listening to events from Azure AD.
-<br>
-
-****
- |Enforcement type|Exchange|SharePoint|Teams| ||||| |**Critical events:**||||
The following Microsoft 365 services currently support continuous access evaluat
|User risk|Supported|Not supported|Not supported| |**Conditional Access policy evaluation:**|||| |IP address location policy|Supported|Supported\*|Supported|
-|
\* SharePoint Office web browser access supports instant IP policy enforcement by enabling strict mode. Without strict mode, access token lifetime is one hour.
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
Azure AD provides a full suite of identity management capabilities. We recommend
|[Azure AD Identity Protection](/azure/active-directory/identity-protection/overview)|Enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply Conditional Access policies for multi-factor authentication. This guidance also includes a Conditional Access policy that requires users to change their password if high-risk activity is detected for their account.|Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Azure AD Premium P2 licenses| |[Self-service password reset (SSPR)](/azure/active-directory/authentication/concept-sspr-howitworks)|Allow your users to reset their passwords securely and without help-desk intervention, by providing verification of multiple authentication methods that the administrator can control.|Microsoft 365 E3 or E5| |[Azure AD password protection](/azure/active-directory/authentication/concept-password-ban-bad)|Detect and block known weak passwords and their variants and additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in an Azure AD tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.|Microsoft 365 E3 or E5|
-|
Here are the components of Zero Trust identity and device access, including Intune and Azure AD objects, settings, and subservices.
The following table summarizes our recommendations for using these capabilities
|**Enforce password change**|For high-risk users|For high-risk users|For high-risk users| |**Enforce Intune application protection**|Yes|Yes|Yes| |**Enforce Intune enrollment for organization-owned device**|Require a compliant or domain-joined PC, but allow bring-your-own devices (BYOD) phones and tablets|Require a compliant or domain-joined device|Require a compliant or domain-joined device|
-|
## Device ownership
security Migrate To Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365.md
The process of migrating from a third-party protection service to Defender for O
|[Prepare for your migration](migrate-to-defender-for-office-365-prepare.md)|<ol><li>[Inventory the settings at your existing protection service](migrate-to-defender-for-office-365-prepare.md#inventory-the-settings-at-your-existing-protection-service)</li><li>[Check your existing protection configuration in Microsoft 365](migrate-to-defender-for-office-365-prepare.md#check-your-existing-protection-configuration-in-microsoft-365)</li><li>[Check your mail routing configuration](migrate-to-defender-for-office-365-prepare.md#check-your-mail-routing-configuration)</li><li>[Move features that modify messages into Microsoft 365](migrate-to-defender-for-office-365-prepare.md#move-features-that-modify-messages-into-microsoft-365)</li><li>[Define spam and bulk user experiences](migrate-to-defender-for-office-365-prepare.md#define-spam-and-bulk-user-experiences)</li><li>[Identify and designate priority accounts](migrate-to-defender-for-office-365-prepare.md#identify-and-designate-priority-accounts)</li></ol>| |[Set up Defender for Office 365](migrate-to-defender-for-office-365-setup.md)|<ol><li>[Create distribution groups for pilot users](migrate-to-defender-for-office-365-setup.md#step-1-create-distribution-groups-for-pilot-users)</li><li>[Configure user submission for user message reporting](migrate-to-defender-for-office-365-setup.md#step-2-configure-user-submission-for-user-message-reporting)</li><li>[Maintain or create the SCL=-1 mail flow rule](migrate-to-defender-for-office-365-setup.md#step-3-maintain-or-create-the-scl-1-mail-flow-rule)</li><li>[Configure Enhanced Filtering for Connectors](migrate-to-defender-for-office-365-setup.md#step-4-configure-enhanced-filtering-for-connectors)</li><li>[Create pilot protection policies](migrate-to-defender-for-office-365-setup.md#step-5-create-pilot-protection-policies)</li></ol>| |[Onboard to Defender for Office 365](migrate-to-defender-for-office-365-onboard.md)|<ol><li>[Begin onboarding Security 
Teams](migrate-to-defender-for-office-365-onboard.md#step-1-begin-onboarding-security-teams)</li><li>[(Optional) Exempt pilot users from filtering by your existing protection service](migrate-to-defender-for-office-365-onboard.md#step-2-optional-exempt-pilot-users-from-filtering-by-your-existing-protection-service)</li><li>[Tune spoof intelligence](migrate-to-defender-for-office-365-onboard.md#step-3-tune-spoof-intelligence)</li><li>[Tune impersonation protection and mailbox intelligence](migrate-to-defender-for-office-365-onboard.md#step-4-tune-impersonation-protection-and-mailbox-intelligence)</li><li>[Use data from user submissions to measure and adjust](migrate-to-defender-for-office-365-onboard.md#step-5-use-data-from-user-submissions-to-measure-and-adjust)</li><li>[(Optional) Add more users to your pilot and iterate](migrate-to-defender-for-office-365-onboard.md#step-6-optional-add-more-users-to-your-pilot-and-iterate)</li><li>[Extend Microsoft 365 protection to all users and turn off the SCL=-1 mail flow rule](migrate-to-defender-for-office-365-onboard.md#step-7-extend-microsoft-365-protection-to-all-users-and-turn-off-the-scl-1-mail-flow-rule)</li><li>[Switch your MX records](migrate-to-defender-for-office-365-onboard.md#step-8-switch-your-mx-records)</li></ol>|
-|
## Next step
security Monitor For Leaks Of Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data.md
More information:
Alert when a file containing a credit card number is shared from an approved cloud app.
-<br>
-
-****
- |Control|Settings| ||| |Policy type|File policy|
Alert when a file containing a credit card number is shared from an approved clo
|Content inspection|Includes files that match a present expression: All countries: Finance: Credit card number <p> Don't require relevant context: unchecked (this setting will match keywords as well as regex) <p> Includes files with at least 1 match <p> Unmask the last 4 characters of the violation: checked| |Alerts|Create an alert for each matching file: checked <p> Daily alert limit: 1000 <p> Select an alert as email: checked <p> To: infosec@contoso.com| |Governance|Microsoft OneDrive for Business <p> Make private: check Remove External Users <p> All other settings: unchecked <p> Microsoft SharePoint Online <p> Make private: check Remove External Users <p> All other settings: unchecked|
-|
Similar policies:
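Review bot: in the Content inspection row, "Includes files that match a present expression" reads like a typo for "preset expression"; confirm against the policy UI and correct it while this table is being touched. The Governance cell also runs "Make private: check Remove External Users" together, so it is unclear whether that is one setting or two.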
Notes:
- Box monitoring requires a connector be configured using the API Connector SDK. - This policy requires capabilities that are currently in private preview.
-<br>
-
-****
- |Control|Settings| ||| |Policy type|Activity policy|
Notes:
|Filter settings|Activity type = Upload File <p> App = Microsoft OneDrive for Business and Box <p> Classification Label (currently in private preview): Azure Information Protection = Customer Data, Human ResourcesΓÇöSalary Data, Human ResourcesΓÇöEmployee Data| |Alerts|Create an alert: checked <p> Daily alert limit: 1000 <p> Select an alert as email: checked <p> To: infosec@contoso.com| |Governance|All apps <p> Put user in quarantine: check <p> All other settings: unchecked <p> Office 365 <p> Put user in quarantine: check <p> All other settings: unchecked|
-|
Similar policies:
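Review bot: the Filter settings row shows the classification labels as "Human ResourcesΓÇöSalary Data" and "Human ResourcesΓÇöEmployee Data", with the dash between the words mis-encoded. Confirm the source file is saved as UTF-8, or replace the character with a plain hyphen, so the label names match what an admin sees when building this activity policy.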
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
In addition, make sure to [review your organization's alert policies](../../comp
Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](../../compliance/alert-policies.md#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 Defender portal, and how they're generated:
-<br>
-
-****
- |Alert|Severity|How the alert is generated| |||| |A potentially malicious URL click was detected|**High**|This alert is generated when any of the following occurs: <ul><li>A user protected by [Safe Links](safe-links.md) in your organization clicks a malicious link</li><li>Verdict changes for URLs are identified by Microsoft Defender for Office 365</li><li>Users override Safe Links warning pages (based on your organization's [Safe Links policy](set-up-safe-links-policies.md).</li></ul> <p> For more information on events that trigger this alert, see [Set up Safe Links policies](set-up-safe-links-policies.md).|
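Review bot: in the "A potentially malicious URL click was detected" row, the third list item opens a parenthesis at "(based on your organization's [Safe Links policy](set-up-safe-links-policies.md)." and never closes it. Add the closing parenthesis before the period.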
Microsoft 365 provides many built-in alert policies that help identify Exchange
|Email messages containing phish URLs are removed after delivery|**Informational**|This alert is generated when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [ZAP](zero-hour-auto-purge.md).| |Suspicious email sending patterns are detected|**Medium**|This alert is generated when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. The alert is an early warning for behavior that might indicate that the account is compromised, but not severe enough to restrict the user. <p> Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](responding-to-a-compromised-email-account.md).| |A user is restricted from sending email|**High**|This alert is generated when someone in your organization is restricted from sending outbound mail. This alert typically results when an [email account is compromised](responding-to-a-compromised-email-account.md). <p> For more information about restricted users, see [Remove blocked users from the Restricted Users portal in Microsoft 365](removing-user-from-restricted-users-portal-after-spam.md).|
-|
> [!TIP] > To learn more about alert policies or edit the default settings, see [Alert policies in the Microsoft 365 compliance center](../../compliance/alert-policies.md).
Microsoft 365 provides many built-in alert policies that help identify Exchange
Permissions are granted through certain roles, such as those that are described in the following table:
-<br>
-
-****
- |Task|Role(s) required| ||| |Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <p> These roles can be assigned in [Azure Active Directory](/azure/active-directory/roles/permissions-reference) or in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).|
The new and improved Microsoft 365 Defender portal <https://security.microsoft.c
The following table lists changes and improvements coming to AIR in Microsoft Defender for Office 365.
-<br>
-
-****
- |Item|What's changing?| ||| |**Investigations** page|The updated **Investigations** page is more consistent with what you see in [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). You'll see some general format and styling changes that align with the new, unified **Investigations** view. For example, the investigation graph has a more unified format.|
The following table lists changes and improvements coming to AIR in Microsoft De
|**Evidence** tab|A new **Evidence** tab shows the key entity findings related to actions. Actions related to each piece of evidence can be approved (or rejected) in a side pane that opens when you select a pending action.| |**Action center**|The updated **Action center** (<https://security.microsoft.com/action-center>) brings together pending and completed actions across email, devices, and identities. To learn more, see Action center. (To learn more, see [The Action center](../defender/m365d-action-center.md).)| |**Incidents** page|The **Incidents** page now correlates multiple investigations together to provide a better consolidated view of investigations. ([Learn more about Incidents](../defender/incidents-overview.md).)|
-|
## Next steps
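Review bot: the **Action center** row still says "To learn more, see Action center. (To learn more, see [The Action center](../defender/m365d-action-center.md).)", which repeats the same pointer twice, the first time without a link. Drop the unlinked sentence and keep the linked one while this table is being edited.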
security Office 365 Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-evaluation.md
You'll have a 30-day window with the evaluation to monitor and report on advance
The following roles are needed:
-<br>
-
-****
- |Task|Role (in Exchange Online)| ||| |Get a free trial or buy Microsoft Defender for Office 365 (Plan 2)|Billing admin role OR Global admin role|
The following roles are needed:
|Edit evaluation policy|Remote and Accepted Domains role; Security admin role| |Delete evaluation policy|Remote and Accepted Domains role; Security admin role | |View evaluation report|Security admin role OR Security reader role|
-|
### Enhanced Filtering for Connectors
security Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md
Microsoft Defender for Office 365 uses role-based access control. Permissions ar
> - [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md) > - [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference)
-<br>
-
-****
- |Activity|Roles and permissions| ||| |Use the Threat & Vulnerability Management dashboard (or the new [Security dashboard](security-dashboard.md) <p> View information about recent or current threats|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <p> These roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
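Review bot: in the first Activity cell, "(or the new [Security dashboard](security-dashboard.md)" opens a parenthesis that is never closed before the following <p>. Add the closing parenthesis after the link.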
Microsoft Defender for Office 365 uses role-based access control. Permissions ar
|View Incidents (also referred to as Investigations) <p> Add email messages to an incident|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <p> These roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).| |Trigger email actions in an incident <p> Find and delete suspicious email messages|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator** plus the **Search and Purge** role</li></ul> <p> The **Global Administrator** and **Security Administrator** roles can be assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <p> The **Search and Purge** role must be assigned in the **Email & collaboration roles** in the Microsoft 36 Defender portal (<https://security.microsoft.com>).| |Integrate Microsoft Defender for Office 365 Plan 2 with Microsoft Defender for Endpoint <p> Integrate Microsoft Defender for Office 365 Plan 2 with a SIEM server|Either the **Global Administrator** or the **Security Administrator** role assigned in either Azure Active Directory (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <p> **plus** <p> An appropriate role assigned in additional applications (such as [Microsoft Defender Security Center](/windows/security/threat-protection/microsoft-defender-atp/user-roles) or your SIEM server).|
-|
## Next steps
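Review bot: in the "Trigger email actions in an incident" row, the portal name is written "Microsoft 36 Defender portal"; it should be "Microsoft 365 Defender portal". This row tells admins where the **Search and Purge** role has to be assigned, so the name should match the portal exactly.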
security Old Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/old-index.md
You may be accustomed to seeing these three components discussed in this way:
|EOP|Microsoft Defender for Office 365 P1|Microsoft Defender for Office 365 P2| |||| |Prevents broad, volume-based, known attacks.|Protects email and collaboration from zero-day malware, phish, and business email compromise.|Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).|
-|
But in terms of architecture, let's start by thinking of each piece as cumulative layers of security, each with a security emphasis. More like this:
starting with **Exchange Online Protection**:
|Prevent/Detect|Investigate|Respond| |||| |Technologies include:<ul><li>spam</li><li>phish</li><li>malware</li><li>bulk mail</li><li>spoof intelligence</li><li>impersonation detection</li><li>Admin Quarantine</li><li>Admin and user submissions of False Positives and False Negatives</li><li>Allow/Block for URLs and Files</li><li>Reports</li></ul>|<li>Audit log search</li><li>Message Trace</li>|<li>Zero-hour auto purge (ZAP)</li><li>Refinement and testing of Allow and Block lists</li>|
-|
If you want to dig in to EOP, **[jump to this article](exchange-online-protection-overview.md)**.
This quick-reference will help you understand what capabilities come with each M
|Defender for Office 365 Plan 1|Defender for Office 365 Plan 2| ||| |Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing protection in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Defender for Office 365 Plan 1 capabilities <p> plus <p> Automation, investigation, remediation, and education capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack Simulator](attack-simulator.md)</li></ul>|
-|
- Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365 A5, and Microsoft 365 E5.
security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/overview.md
You may be accustomed to seeing these three components discussed in this way:
|EOP|Microsoft Defender for Office 365 P1|Microsoft Defender for Office 365 P2| |||| |Prevents broad, volume-based, known attacks.|Protects email and collaboration from zero-day malware, phish, and business email compromise.|Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).|
-|
But in terms of architecture, let's start by thinking of each piece as cumulative layers of security, each with a security emphasis. More like this:
starting with **Exchange Online Protection**:
|Prevent/Detect|Investigate|Respond| |||| |Technologies include:<ul><li>spam</li><li>phish</li><li>malware</li><li>bulk mail</li><li>spoof intelligence</li><li>impersonation detection</li><li>Admin Quarantine</li><li>Admin and user submissions of False Positives and False Negatives</li><li>Allow/Block for URLs and Files</li><li>Reports</li></ul>|<li>Audit log search</li><li>Message Trace</li>|<li>Zero-hour auto purge (ZAP)</li><li>Refinement and testing of Allow and Block lists</li>|
-|
If you want to dig in to EOP, **[jump to this article](exchange-online-protection-overview.md)**.
security Permissions In The Security And Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md
To see how to grant access to the Security & Compliance Center, check out [Give
> [!NOTE] > To view the **Permissions** tab in the Security & Compliance Center, you need to be an admin. Specifically, you need to be assigned the **Role Management** role, and that role is assigned only to the **Organization Management** role group in the Security & Compliance Center by default. Furthermore, the **Role Management** role allows users to view, create, and modify role groups.
-<br>
-
-****
- |Role group|Description|Default roles assigned| |||| |**Attack Simulation Administrators**|Don't use this role group in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Admin|
To see how to grant access to the Security & Compliance Center, check out [Give
|**IRM Contributors**|This role group is visible, but is used by background services only.|Insider Risk Management Permanent contribution <p> Insider Risk Management Temporary contribution| |**Knowledge Administrators**|Configure knowledge, learning, assign trainings and other intelligent features.|Knowledge Admin| |**MailFlow Administrator**|Members can monitor and view mail flow insights and reports in the Security & Compliance Center. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks.|View-Only Recipients|
-|**Organization Management**<sup>1</sup>|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group.|Audit Logs <p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
+|**Organization Management**<sup>1</sup>|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance Center PowerShell](/powershell/module/exchange/get-rolegroupmember).|Audit Logs <p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
|**Privacy Management**|Manage access control for Priva in the Microsoft 365 compliance center.|Case Management <p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Admin <p> Privacy Management Analysis <p> Privacy Management Investigation <p> Privacy Management Permanent contribution <p> Privacy Management Temporary contribution <p> Privacy Management Viewer <p> Subject Rights Request Admin <p> View-Only Case| |**Privacy Management Administrators**|Administrators of privacy management solution that can create/edit policies and define global settings.|Case Management <p> Privacy Management Admin <p> View-Only Case| |**Privacy Management Analysts**|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.|Case Management <p> Data Classification List Viewer <p> Privacy Management Analysis <p> View-Only Case|
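Review bot: In the added **Organization Management** row, the link text "Security & Compliance Center PowerShell" points to `/powershell/module/exchange/get-rolegroupmember`, the same target as the Get-RoleGroupMember link immediately before it. That looks like a copy-paste slip. Point the second link at the Security & Compliance Center PowerShell article so a reader who wants to check role group membership is sent to the connection instructions, not back to the cmdlet reference. The new sentence also says global admins are missing from the cmdlet output without saying where their membership can be confirmed; one clause naming that place would help anyone auditing who holds this role group.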
To see how to grant access to the Security & Compliance Center, check out [Give
|**Service Assurance User**|Members can access the Service assurance section in the Security & Compliance Center. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see [Service assurance in the Security & Compliance Center](../../compliance/service-assurance.md).|Service Assurance View| |**Subject Rights Request Administrators**|Create subject rights requests.|Case Management <p> Subject Rights Request Admin <p> View-Only Case| |**Supervisory Review**|Members can create and manage the policies that define which communications are subject to review in an organization. For more information, see [Configure communication compliance policies for your organization](../../compliance/communication-compliance-configure.md).|Supervisory Review Administrator|
-|
> [!NOTE] > <sup>1</sup> This role group doesn't assign members the permissions necessary to search the audit log or to use any reports that might include Exchange data, such as the DLP or Defender for Office 365 reports. To search the audit log or to view all reports, a user has to be assigned permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet. Global admins can search the audit log and view all reports because they're automatically added as members of the Organization Management role group in Exchange Online. For more information, see [Search the audit log in the Security & Compliance Center](../../compliance/search-the-audit-log-in-security-and-compliance.md).
Note that the following roles aren't assigned to the Organization Management rol
- Supervisory Review Administrator - Tenant AllowBlockList Manager
-<br>
-
-****
- |Role|Description|Default role group assignments| |||| |**Attack Simulator Admin**|Don't use this role in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Administrators|
Note that the following roles aren't assigned to the Organization Management rol
|**View-Only Recipients**|View information about users and groups.|Compliance Administrator <p> Compliance Data Administrator <p> Global Reader <p> MailFlow Administrator <p> Organization Management| |**View-Only Record Management**|View the configuration of the records management feature.|Compliance Administrator <p> Compliance Data Administrator <p> <p> Global Reader <p> Organization Management| |**View-Only Retention Management**|View the configuration of retention policies, retention labels, and retention label policies.|Compliance Administrator <p> Compliance Data Administrator <p> Global Administrator <p> Organization Management|
-|
security Permissions Microsoft 365 Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-microsoft-365-security-center.md
When you select a role, a details flyout that contains the description of the ro
For more information, see [View and assign administrator roles in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-manage-roles-portal).
-<br>
-
-****
- |Role|Description| ||| |**Global administrator**|Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see [Global Administrator / Company Administrator](/azure/active-directory/roles/permissions-reference#global-administrator--company-administrator).|
For more information, see [View and assign administrator roles in Azure Active D
|**Global reader**|The read-only version of the **Global administrator** role. View all settings and administrative information across Microsoft 365. For more information, see [Global Reader](/azure/active-directory/roles/permissions-reference#global-reader).| |**Attack simulation administrator**|Create and manage all aspects of [attack simulation](attack-simulation-training.md) creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see [Attack Simulation Administrator](/azure/active-directory/roles/permissions-reference#attack-simulation-administrator).| |**Attack payload author**|Create attack payloads but not actually launch or schedule them. For more information, see [Attack Payload Author](/azure/active-directory/roles/permissions-reference#attack-payload-author).|
-|
### Email & collaboration roles in the Microsoft 365 Defender portal
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
Threat protection features are included in *all* Microsoft or Office 365 subscri
> [!TIP] > Notice that beyond the directions to turn on auditing, *steps* start anti-malware, anti-phishing, and anti-spam, which are marked as part of Office 365 Exchange Online Protection (**EOP**). This can seem odd in a Defender for Office 365 article, until you remember (**Defender for Office 365**) contains, and builds on, EOP.
-<br>
-
-****
- |Protection type|Subscription requirement| ||| |Audit logging (for reporting purposes)|[Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description)|
Threat protection features are included in *all* Microsoft or Office 365 subscri
To configure Defender for Office 365 policies, you must be assigned an appropriate role. Take a look at the table below for roles that can do these actions.
-<br>
-
-****
- |Role or role group|Where to learn more| ||| |global administrator|[About Microsoft 365 admin roles](../../admin/add-users/about-admin-roles.md)| |Security Administrator|[Azure AD built-in roles](/azure/active-directory/roles/permissions-reference#security-administrator) |Exchange Online Organization Management|[Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo)|
-|
To learn more, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
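Review bot: The **Security Administrator** row in the role table is missing its closing `|`: it ends at `...permissions-reference#security-administrator)` while the rows before and after it are pipe-terminated. Since this change is already tidying the table by dropping the stand-alone trailing `|` line, add the closing pipe to that row so all three rows are delimited the same way. The first row also writes "global administrator" in lower case while the other two role names are capitalized; make the casing consistent.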
To learn more about alert policies, see [Alert policies in the Microsoft 365 com
After configuring the threat protection features, make sure to monitor how those features are working! Review and revise your policies so that they do what you need them to. Also, watch for new features and service updates that can add value.
-<br>
-
-****
- |What to do|Resources to learn more| ||| |See how threat protection features are working for your organization by viewing reports|[Email security reports](view-email-security-reports.md) <p> [Reports for Microsoft Defender for Office 365](view-reports-for-mdo.md) <p> [Threat Explorer](threat-explorer.md)| |Periodically review and revise your threat protection policies as needed|[Secure Score](../defender/microsoft-secure-score.md) <p> [Microsoft 365 threat investigation and response features](./office-365-ti.md)| |Watch for new features and service updates|[Standard and Targeted release options](../../admin/manage/release-options-in-office-365.md) <p> [Message Center](../../admin/manage/message-center.md) <p> [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=advanced%2Cthreat%2Cprotection) <p> [Service Descriptions](/office365/servicedescriptions/office-365-service-descriptions-technet-library)|
-|
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
The individual quarantine policy permissions are combined into the following pre
The individual quarantine policy permissions that are contained in the preset permission groups are described in the following table:
-<br>
-
-****
- |Permission|No access|Limited access|Full access| ||::|::|::| |**Block sender** (_PermissionToBlockSender_)||![Check mark.](../../media/checkmark.png)|![Check mark.](../../media/checkmark.png)|
The individual quarantine policy permissions that are contained in the preset pe
|**Preview** (_PermissionToPreview_)||![Check mark.](../../media/checkmark.png)|![Check mark.](../../media/checkmark.png)| |**Allow recipients to release a message from quarantine** (_PermissionToRelease_)|||![Check mark.](../../media/checkmark.png)| |**Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_)||![Check mark](../../media/checkmark.png)||
-|
The default quarantine policies, their associated permission groups, and whether quarantine notifications are enabled are described in the following table:
The _EndUserQuarantinePermissionsValue_ parameter uses a decimal value that's co
The required order and values for each individual permission are described in the following table:
-<br>
-
-****
- |Permission|Decimal value|Binary value| ||::|::| |PermissionToViewHeader<sup>\*</sup>|128|10000000|
The required order and values for each individual permission are described in th
|PermissionToRelease<sup>\*\*\*</sup>|4|00000100| |PermissionToPreview|2|00000010| |PermissionToDelete|1|00000001|
-|
<sup>\*</sup> The value 0 doesn't hide the **View message header** button in the details of the quarantined message (the button is always available).
The required order and values for each individual permission are described in th
For Limited access permissions, the required values are:
-<br>
-
-****
- |Permission|Limited access| ||:--:| |PermissionToViewHeader|0|
For Limited access permissions, the required values are:
|PermissionToDelete|1| |Binary value|00011011| |Decimal value to use|27|
-|
This example creates a new quarantine policy named LimitedAccess with quarantine notifications turned on that assigns the Limited access permissions as described in the previous table.
For detailed syntax and parameter information, see [New-QuarantinePolicy](/power
In _supported_ protection features that quarantine email messages, you can assign a quarantine policy to the available quarantine actions. Features that quarantine messages and the availability of quarantine policies are described in the following table:
-<br>
-
-****
- |Feature|Quarantine policies supported?|Default quarantine policies used| ||::|| |[Anti-spam policies](configure-your-spam-filter-policies.md): <ul><li>**Spam** (_SpamAction_)</li><li>**High confidence spam** (_HighConfidenceSpamAction_)</li><li>**Phishing** (_PhishSpamAction_)</li><li>**High confidence phishing** (_HighConfidencePhishAction_)</li><li>**Bulk** (_BulkSpamAction_)</li></ul>|Yes|<ul><li>DefaultFullAccessPolicy<sup>\*</sup> (Full access)</li><li>DefaultFullAccessPolicy<sup>\*</sup> (Full access)</li><li>DefaultFullAccessPolicy<sup>\*</sup> (Full access)</li><li>AdminOnlyAccessPolicy (No access)</li><li>DefaultFullAccessPolicy<sup>\*</sup> (Full access)</li></ul>|
In _supported_ protection features that quarantine email messages, you can assig
|[Anti-malware policies](configure-anti-malware-policies.md): All detected messages are always quarantined.|Yes|AdminOnlyAccessPolicy (No access)| |[Safe Attachments protection](safe-attachments.md): <ul><li>Email messages with attachments that are quarantined as malware by Safe Attachments policies (_Enable_ and _Action_)</li><li>Files quarantined as malware by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li></ul>|<ul><li>Yes</li><li>No</li></ul>|<ul><li>AdminOnlyAccessPolicy (No access)</li><li>n/a</li></ul>| |[Mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) with the action: **Deliver the message to the hosted quarantine** (_Quarantine_).|No|n/a|
-|
<sup>\*</sup> As [previously described in this article](#full-access-permissions-and-quarantine-notifications), your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
Anti-spam, anti-malware, and anti-phishing are EOP features that can be configur
To create and configure anti-spam policies, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
-<br>
-
-****
- |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Bulk email threshold & spam properties**|||||
To create and configure anti-spam policies, see [Configure anti-spam policies in
|Allowed sender domains <p> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <p> Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.| |Blocked senders <p> _BlockedSenders_|None|None|None|| |Blocked sender domains <p> _BlockedSenderDomains_|None|None|None||
-|
#### ASF settings in anti-spam policies The table in this section describes the Advanced Spam Filter (ASF) settings that are available in anti-spam policies. All of these settings are **Off** for both **Standard** and **Strict** levels. For more information about ASF settings, see [Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md).
-<br>
-
-****
- |Security feature name|Comment| ||| |**Image links to remote sites** (_IncreaseScoreWithImageLinks_)||
The table in this section describes the Advanced Spam Filter (ASF) settings that
|**Sender ID filtering hard fail** (_MarkAsSpamFromAddressAuthFail_)|| |**Backscatter** (_MarkAsSpamNdrBackscatter_)|| |**Test mode** (_TestModeAction_)|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](advanced-spam-filtering-asf-options.md#enable-disable-or-test-asf-settings).|
-|
#### EOP outbound spam policy settings
For more information about the default sending limits in the service, see [Sendi
> [!NOTE] > Outbound spam policies are not part of Standard or Strict preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in the default outbound spam policy or custom policies that you create.
-<br>
-
-****
- |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Set an external message limit** <p> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.|
For more information about the default sending limits in the service, see [Sendi
|**Automatic forwarding rules** <p> _AutoForwardingMode_|**Automatic - System-controlled** <p> `Automatic`|**Automatic - System-controlled** <p> `Automatic`|**Automatic - System-controlled** <p> `Automatic`| |**Send a copy of outbound messages that exceed these limits to these users and groups** <p> _BccSuspiciousOutboundMail_ <p> _BccSuspiciousOutboundAdditionalRecipients_|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|We have no specific recommendation for this setting. <p> This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.| |**Notify these users and groups if a sender is blocked due to sending outbound spam** <p> _NotifyOutboundSpam_ <p> _NotifyOutboundSpamRecipients_|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).|
-|
### EOP anti-malware policy settings To create and configure anti-malware policies, see [Configure anti-malware policies in EOP](configure-anti-malware-policies.md).
-<br>
-
-****
- |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Protection settings**|||||
To create and configure anti-malware policies, see [Configure anti-malware polic
|**Customize notifications for messages from external senders**||||These settings are used only if **Notify external senders when messages are quarantined as malware** or **Notify an admin about undelivered messages from external senders** is selected.| |**Subject** <p> _CustomExternalSubject_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`|| |**Message** <p> _CustomExternalBody_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
-|
### EOP anti-phishing policy settings For more information about these settings, see [Spoof settings](set-up-anti-phishing-policies.md#spoof-settings). To configure these settings, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
-<br>
-
-****
- |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
For more information about these settings, see [Spoof settings](set-up-anti-phis
|**Show first contact safety tip** <p> _EnableFirstContactSafetyTips_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).| |**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).| |**Show "via" tag** <p> _EnableViaTag_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
-|
## Microsoft Defender for Office 365 security
EOP customers get basic anti-phishing as previously described, but Defender for
For more information about this setting, see [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure this setting, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
-<br>
-
-****
- |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing email threshold** <p> _PhishThresholdLevel_|**1 - Standard** <p> `1`|**2 - Aggressive** <p> `2`|**3 - More aggressive** <p> `3`||
-|
#### Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365 For more information about these settings, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure these settings, see [Configure anti-phishing policies in Defender for Office 365](configure-mdo-anti-phishing-policies.md).
-<br>
-
-****
- |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
For more information about these settings, see [Impersonation settings in anti-p
|**Show user impersonation safety tip** <p> _EnableSimilarUsersSafetyTips_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|| |**Show domain impersonation safety tip** <p> _EnableSimilarDomainsSafetyTips_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|| |**Show user impersonation unusual characters safety tip** <p> _EnableUnusualCharactersSafetyTips_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
-|
#### EOP anti-phishing policy settings in Microsoft Defender for Office 365
These are the same settings that are available in [anti-spam policy settings in
The spoof settings are inter-related, but the **Show first contact safety tip** setting has no dependency on spoof settings.
-<br>
-
-****
- |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
The spoof settings are inter-related, but the **Show first contact safety tip**
|**Show first contact safety tip** <p> _EnableFirstContactSafetyTips_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).| |**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).| |**Show "via" tag** <p> _EnableViaTag_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
-|
### Safe Attachments settings
To configure these settings, see [Turn on Safe Attachments for SharePoint, OneDr
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/set-atppolicyforo365) cmdlet for these settings.
-<br>
-
-****
- |Security feature name|Default|Built-in protection|Comment| ||::|::|| |**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** <p> _EnableATPForSPOTeamsODB_|Off <p> `$false`|On <p> `$true`|To prevent users from downloading malicious files, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).| |**Turn on Safe Documents for Office clients** <p> _EnableSafeDocs_|Off <p> `$false`|On <p> `$true`|This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 E5 or Microsoft 365 E5 Security). For more information, see [Safe Documents in Microsoft 365 E5](safe-docs.md).| |**Allow people to click through Protected View even if Safe Documents identified the file as malicious** <p> _AllowSafeDocsOpen_|Off <p> `$false`|Off <p> `$false`|This setting is related to Safe Documents.|
-|
#### Safe Attachments policy settings
In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchang
> > The **Default in custom** column refers to the default values in new Safe Attachments policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.
-<br>
-
-****
- |Security feature name|Default in custom|Built-in protection|Standard|Strict|Comment| ||::|::|::|::|| |**Safe Attachments unknown malware response** <p> _Enable_ and _Action_|**Off** <p> `-Enable $false` and `-Action Block`|**Block** <p> `-Enable $true` and `-Action Block`|**Block** <p> `-Enable $true` and `-Action Block`|**Block** <p> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.| |**Quarantine policy** (_QuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|When you create a new Safe Attachments policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by Safe Attachments (AdminOnlyAccessPolicy). <p> Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).| |**Redirect attachment with detected attachments** : **Enable redirect** <p> _Redirect_ <p> _RedirectAddress_|Not selected and no email address specified. <p> `-Redirect $false` <p> _RedirectAddress_ is blank (`$null`)|Not selected and no email address specified. <p> `-Redirect $false` <p> _RedirectAddress_ is blank (`$null`)|Selected and specify an email address. <p> `$true` <p> an email address|Selected and specify an email address. <p> `$true` <p> an email address|Redirect messages to a security admin for review. <p> **Note**: This setting is not configured in the **Standard**, **Strict**, or **Built-in protection** preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in new Safe Attachments policies that you create.| |**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <p> _ActionOnError_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
-|
### Safe Links settings
To configure these settings, see [Configure global settings for Safe Links in De
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/set-atppolicyforo365) cmdlet for these settings.
-<br>
-
-****
- |Security feature name|Default|Built-in protection|Comment| ||::|::|| |**Block the following URLs** <p> _ExcludedUrls_|Blank <p> `$null`|Blank <p> `$null`|We have no specific recommendation for this setting. <p> For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links). |**Use Safe Links in Office 365 apps** <p> _EnableSafeLinksForO365Clients_|On <p> `$true`|On <p> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).| |**Do not track when users click protected links in Office 365 apps** <p> _TrackClicks_|On <p> `$false`|Off <p> `$true`|Turning off this setting (setting _TrackClicks_ to `$true`) tracks user clicks in supported Office 365 apps.| |**Do not let users click through to the original URL in Office 365 apps** <p> _AllowClickThrough_|On <p> `$false`|On <p> `$false`|Turning on this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL in supported Office 365 apps.|
-|
#### Safe Links policy settings
In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new
> > The **Default in custom** column refers to the default values in new Safe Links policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.
-<br>
-
-****
- |Security feature name|Default in custom|Built-in protection|Standard|Strict|Comment| ||::|::|::|::|| |**Protection settings**||||||
In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new
|**Do not rewrite the following URLs** <p> _DoNotRewriteUrls_|Not selected <p> blank|Not selected <p> blank|Not selected <p> blank|Not selected <p> blank|We have no specific recommendation for this setting. For more information, see ["Do not rewrite the following URLs" lists in Safe Links policies](safe-links.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies).| |**Notification**|||||| |**How would you like to notify your users?**|**Use the default notification text**|**Use the default notification text**|**Use the default notification text**|**Use the default notification text**|We have no specific recommendation for this setting. <p> You can select **Use custom notification text** (_CustomNotificationText_) to enter customized notification text to use. You can also select **Use Microsoft Translator for automatic localization** (_UseTranslatedNotificationText_) to translate the custom notification text into the user's language.
-|
## Related articles
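Review bot: The last row of the table, **How would you like to notify your users?**, ends at `into the user's language.` with no closing `|`, and the `|` line after it is removed here, so that row is left unterminated while the other rows shown close their final cell. Add the closing `|` to the end of the row.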
security Report Junk Email Messages To Microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft.md
ms.prod: m365-security
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, both users and admins have several different methods for reporting email messages and files to Microsoft.
-<br>
-
-****
- |Method|Description| ||| |[Use the Submissions portal to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md)|The recommended reporting method for admins in organizations with Exchange Online mailboxes (not available in standalone EOP).|
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
|[Report false positives and false negatives in Outlook](report-false-positives-and-false-negatives.md)|Submit false positives (good email that was blocked or sent to junk folder) and false negatives (unwanted email or phish that was delivered to the inbox) to Exchange Online Protection (EOP) using the Report Message feature.| |[Use mail flow rules to see what users are reporting to Microsoft](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-see-what-users-are-reporting-to-microsoft)|Learn how to create a mail flow rule (also known as a transport rule) that notifies you when users report messages to Microsoft for analysis.| |[Submit malware and non-malware to Microsoft for analysis](submitting-malware-and-non-malware-to-microsoft-for-analysis.md)|Use the Microsoft Security Intelligence site to submit attachments and other files.|
-|
> [!NOTE] > Data from submissions to Microsoft resides in the Office 365 compliance boundary in North American data centers. The data is reviewed by analysts on the engineering team to help improve the effectiveness of the filters. The submission is considered feedback to help improve the filters and is kept for a period of 30 days. After which, it is deleted.
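Review bot: The note ends with the sentence fragment `After which, it is deleted.` Join it to the sentence before it, for example "is kept for a period of 30 days, after which it is deleted."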
security Reporting And Message Trace In Exchange Online Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reporting-and-message-trace-in-exchange-online-protection.md
Tracks specific changes made by admins to your organization. These reports can h
The following table describes when EOP reporting and message trace data is available and for how long.
-<br>
-
-****
- |Report type|Data available for (look back period)|Latency| |||| |Mail protection summary reports|90 days|Message data aggregation is mostly complete within 24-48 hours. Some minor incremental aggregated changes may occur for up to 5 days.| |Mail protection detail reports|90 days|For detail data that's less than 7 days old, data should appear within 24 hours but may not be complete until 48 hours. Some minor incremental changes may occur for up to 5 days. <p> To view detail reports for messages that are greater than 7 days old, results may take up to a few hours.| |Message trace data|90 days|When you run a message trace for messages that are less than 7 days old, the messages should appear within 5-30 minutes.<p> When you run a message trace for messages that are greater than 7 days old, results may take up to a few hours.|
-|
> [!NOTE] > Data availability and latency is the same whether requested via the admin center or remote PowerShell.
security Reports And Insights In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance.md
In addition to highlighting problem areas, smart reports and insights include re
A wide variety of reports are available in the Security & Compliance Center. (Go to **Reports** > **Security report** to get an all-up view.) The following table lists available reports with links to learn more:
-<br>
-
-****
- |Type of information|How to get there|Where to go to learn more| |||| |**Security & Compliance Center reports** (all up) <p> Top insights and recommendations, and links to Security & Compliance reports, including data loss prevention reports, labels, email security reports, Defender for Office 365 reports, and more|In the Security & Compliance Center, go to **Reports** \> **Dashboard**|[Reports in the Security & Compliance Center](../../compliance/reports-in-security-and-compliance.md)|
security Safe Attachments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments.md
Safe Attachments protection for email messages is controlled by Safe Attachments
The following table describes scenarios for Safe Attachments in Microsoft 365 and Office 365 organizations that include Microsoft Defender for Office 365 (in other words, lack of licensing is never an issue in the examples).
-<br>
-
-****
- |Scenario|Result| ||| |Pat's Microsoft 365 E5 organization has no Safe Attachments policies configured.|Pat is protected by Safe Attachments due to the **Built-in protection** preset security policy that applies to all recipients who are not otherwise defined in Safe Attachments policies.| |Lee's organization has a Safe Attachments policy that applies only to finance employees. Lee is a member of the sales department.|Lee and the rest of the sales department are protected by Safe Attachments due to the **Built-in protection** preset security policy that applies to all recipients who are not otherwise defined in Safe Attachments policies.| |Yesterday, an admin in Jean's organization created a Safe Attachments policy that applies to all employees. Earlier today, Jean received an email message that included an attachment.|Jean is protected by Safe Attachments due to that custom Safe Attachments policy. <p> Typically, it takes about 30 minutes for a new policy to take effect.| |Chris's organization has long-standing Safe Attachments policies for everyone in the organization. Chris receives an email that has an attachment, and then forwards the message to external recipients.|Chis is protected by Safe Attachments. <p> If the external recipients in a Microsoft 365 organization, then the forwarded messages are also protected by Safe Attachments.|
-|
Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides. For more information about datacenter geography, see [Where is your data located?](https://products.office.com/where-is-your-data-located?geo=All)
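Review bot: The result cell of the last scenario misspells the name as `Chis` (the scenario cell has Chris), and its second sentence, `If the external recipients in a Microsoft 365 organization`, is missing its verb ("recipients are in"). Correct both wherever this row is kept.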
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
This article includes detailed descriptions of the following types of Safe Links
The following table describes scenarios for Safe Links in Microsoft 365 and Office 365 organizations that include Defender for Office 365 (note that lack of licensing is never an issue in the examples).
-<br>
-
-****
- |Scenario|Result| ||| |Jean is a member of the marketing department. Safe Links protection for Office 365 apps is turned on in the global settings for Safe Links, and a Safe Links policy that applies to members of the marketing department exists. Jean opens a PowerPoint presentation in an email message, and then clicks a URL in the presentation.|Jean is protected by Safe Links. <p> Jean is included in a Safe Links policy, and Safe Links protection for Office 365 apps is turned on. <p> For more information about the requirements for Safe Links protection in Office 365 apps, see the [Safe Links settings for Office 365 apps](#safe-links-settings-for-office-365-apps) section later in this article.|
The following table describes scenarios for Safe Links in Microsoft 365 and Offi
|In Pat's organization, no admins have created any Safe Links policies, but Safe Links protection for Office 365 apps is turned on. Pat opens a Word document and clicks a URL in the file.|Pat is not protected by Safe Links. <p> Although Safe Links protection for Office 365 apps is turned on globally, Pat is not included in any active Safe Links policies, so the protection can't be applied.| |In Lee's organization, `https://tailspintoys.com` is configured in the **Block the following URLs** list in the global settings for Safe Links. A Safe Links policy that includes Lee already exists. Lee receives an email message that contains the URL `https://tailspintoys.com/aboutus/trythispage`. Lee clicks the URL.|The URL might be automatically blocked for Lee; it depends on the URL entry in the list and the email client Lee used. For more information, see the ["Block the following URLs" list for Safe Links](#block-the-following-urls-list-for-safe-links) section later in this article.| |Jamie and Julia both work for contoso.com. A long time ago, admins configured Safe Links policies that apply to both of Jamie and Julia. Jamie sends an email to Julia, not knowing that the email contains a malicious URL.|Julia is protected by Safe Links **if** the Safe Links policy that applies to her is configured to apply to messages between internal recipients. For more information, see the [Safe Links settings for email messages](#safe-links-settings-for-email-messages) section later in this article.|
-|
## Safe Links settings for email messages
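Review bot: In the Jamie and Julia scenario, `apply to both of Jamie and Julia` should read "apply to both Jamie and Julia".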
You configure the list of URLs in the global settings for Safe Links. For instru
Examples of the values that you can enter and their results are described in the following table:
-<br>
-
-****
- |Value|Result| ||| |`contoso.com` <p> or <p> `*contoso.com*`|Blocks the domain, subdomains, and paths. For example, `https://www.contoso.com`, `https://sub.contoso.com`, and `https://contoso.com/abc` are blocked.| |`https://contoso.com/a`|Blocks `https://contoso.com/a` but not additional subpaths like `https://contoso.com/a/b`.| |`https://contoso.com/a*`|Blocks `https://contoso.com/a` and additional subpaths like `https://contoso.com/a/b`.| |`https://toys.contoso.com*`|Blocks a subdomain (`toys` in this example) but allow clicks to other domain URLs (like `https://contoso.com` or `https://home.contoso.com`).|
-|
## "Do not rewrite the following URLs" lists in Safe Links policies
To add entries to the list in new or existing Safe Links policies, see [Create S
Examples of the values that you can enter and their results are described in the following table:
-<br>
-
-****
- |Value|Result| ||| |`contoso.com`|Allows access to `https://contoso.com` but not subdomains or paths.| |`*.contoso.com/*`|Allows access to a domain, subdomains, and paths (for example, `https://www.contoso.com`, `https://www.contoso.com`, `https://maps.contoso.com`, or `https://www.contoso.com/a`). <p> This entry is inherently better than `*contoso.com*`, because it doesn't allow potentially fraudulent sites, like `https://www.falsecontoso.com` or `https://www.false.contoso.completelyfalse.com`| |`https://contoso.com/a`|Allows access to `https://contoso.com/a`, but not subpaths like `https://contoso.com/a/b`| |`https://contoso.com/a/*`|Allows access to `https://contoso.com/a` and subpaths like `https://contoso.com/a/b`|
-|
## Warning pages from Safe Links
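Review bot: The `*.contoso.com/*` row lists `https://www.contoso.com` twice among its examples; drop the repeat or replace it with a different host. The result cells of that row and the two after it also end without a period, unlike the first row.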
security Secure Email Recommended Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-email-recommended-policies.md
If you included Exchange Online and Outlook in the scope of the policies when yo
|**Enterprise**|[Require MFA when sign-in risk is *low*, *medium* or *high*](identity-access-policies.md#require-mfa-based-on-sign-in-risk)|Include Exchange Online in the assignment of cloud apps| ||[Require compliant PCs *and* mobile devices](identity-access-policies.md#require-compliant-pcs-and-mobile-devices)|Include Exchange Online in the list of cloud apps| |**Specialized security**|[*Always* require MFA](identity-access-policies.md#require-mfa-based-on-sign-in-risk)|Include Exchange Online in the assignment of cloud apps|
-|
## Block ActiveSync clients
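Review bot: In the **Specialized security** row, the link text "*Always* require MFA" points to `identity-access-policies.md#require-mfa-based-on-sign-in-risk`, the same anchor the **Enterprise** row uses for the sign-in-risk policy. Check that this is the intended target; if it is, say in the row that the risk-based section also covers the always-on case, so readers do not take the link for a mistake.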
security Security Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-dashboard.md
The Threat Management Summary widget tells you at a glance how your organization
The information you'll see in the Threat Management Summary depends on what your subscription includes. The following table describes what information is included for Office 365 E3 and Office 365 E5.
-<br>
-
-****
- |Office 365 E3|Office 365 E5| ||| |Malware messages blocked<br>Phishing messages blocked<br>Messages reported by users<br><br><br><br>|Malware messages blocked<br>Phishing messages blocked<br>Messages reported by users<br>Zero-day malware blocked<br>Advanced phishing messages detected<br>Malicious URLs blocked|
-|
To view or access the Threat Management Summary widget, you must have permissions to view Defender for Office 365 reports. To learn more, see [What permissions are needed to view the Defender for Office 365 reports?](view-reports-for-mdo.md#what-permissions-are-needed-to-view-the-defender-for-office-365-reports).
The Threat Protection Status widget shows threat protection effectiveness with a
The details depend on whether your Microsoft 365 subscription includes [Exchange Online Protection](exchange-online-protection-overview.md) (EOP) with or without [Microsoft Defender for Office 365](defender-for-office-365.md).
-<br>
-
-****
- |If your subscription includes...|You'll see these details| ||| |EOP but not Microsoft Defender for Office 365|Malicious email that was detected and blocked by EOP.<p> See [Threat Protection Status report (EOP)](view-email-security-reports.md#threat-protection-status-report).| |Microsoft Defender for Office 365|Malicious content and malicious email detected and blocked by EOP and Defender for Office 365 <p> Aggregated count of unique email messages with malicious content blocked by the anti-malware engine, [zero-hour auto purge](zero-hour-auto-purge.md), and Defender for Office 365 features (including [Safe Links](safe-links.md), [Safe Attachments](safe-attachments.md), and [Anti-phishing in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)). <p> See [Threat protection status report](view-reports-for-mdo.md#threat-protection-status-report).|
-|
To view or access the Threat Protection Status widget, you must have permissions to view Defender for Office 365 reports. To learn more, see [What permissions are needed to view the Defender for Office 365 reports?](view-reports-for-mdo.md#what-permissions-are-needed-to-view-the-defender-for-office-365-reports)
The Global Weekly Threat Detections widget shows how many threats were detected
The metrics are calculated as described in the following table:
-<br>
-
-****
- |Metric|How it's calculated| ||| |Messages scanned|Number of email messages scanned multiplied by the number of recipients| |Threats stopped|Number of email messages identified as containing malware multiplied by the number of recipients| |Blocked by [Defender for Office 365](defender-for-office-365.md)|Number of email messages blocked by Defender for Office 365 multiplied by the number of recipients| |Removed after delivery|Number of messages removed by [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md) multiplied by the number of recipients|
-|
## Malware
security Security Recommendations For Priority Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts.md
Microsoft 365 and Microsoft Defender for Office 365 contain several key features
![Summary of the security recommendations in icon form.](../../media/security-recommendations-for-priority-users.png)
-<br>
-
-****
- |Task|All Office 365 Enterprise plans|Microsoft 365 E3|Microsoft 365 E5| ||::|::|::| |[Increase sign-in security for priority accounts](#increase-sign-in-security-for-priority-accounts)|![Included.](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included.](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included.](../../media/d238e041-6854-4a78-9141-049224df0795.png)|
Microsoft 365 and Microsoft Defender for Office 365 contain several key features
|[Apply user tags to priority accounts](#apply-user-tags-to-priority-accounts)|||![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)| |[Monitor priority accounts in alerts, reports, and detections](#monitor-priority-accounts-in-alerts-reports-and-detections)|||![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)| |[Train users](#train-users)|![Included.](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|
-|
> [!NOTE] > For information about securing _privileged accounts_ (admin accounts), see [this topic](/azure/architecture/framework/security/critical-impact-accounts).
You can also create custom tags to further identify and classify your priority a
After you secure and tag your priority users, you can use the available reports, alerts, and investigations in EOP and Defender for Office 365 to quickly identify incidents or detections that involve priority accounts. The features that support user tags are described in the following table.
-<br>
-
-****
- |Feature|Description| ||| |Alerts|The user tags of affected users are visible and available as filters on the **Alerts** page in the Microsoft 365 Defender portal. For more information, see [Viewing alerts](../../compliance/alert-policies.md#viewing-alerts).|
After you secure and tag your priority users, you can use the available reports,
|Campaign Views|User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see [Campaign Views](campaigns.md).| |Threat protection status report|In virtually all of the views and detail tables in the **Threat protection status report**, you can filter the results by **priority accounts**. For more information, see [Threat protection status report](view-email-security-reports.md#threat-protection-status-report).| |Email issues for priority accounts report|The **Email issues for priority accounts** report in the Exchange admin center (EAC) contains information about undelivered and delayed messages for **priority accounts**. For more information, see [Email issues for priority accounts report](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report).|
-|
## Train users
The Harvard Kennedy School [Cybersecurity Campaign Handbook](https://www.belferc
Microsoft 365 provides the following resources to help inform users in your organization:
-<br>
-
-****
- |Concept|Resources|Description| |||| |Microsoft 365|[Customizable learning pathways](/office365/customlearning/)|These resources can help you put together training for users in your organization.|
security Security Roadmap https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-roadmap.md
These roadmap recommendations are staged across three phases in a logical order
|30 days|Rapid configuration: <ul><li>Basic admin protections.</li><li>Logging and analytics.</li><li>Basic identity protections.</li></ul> <p> Tenant configuration. <p> Prepare stakeholders.| |90 days|Advanced protections: <ul><li>Admin accounts.</li><li>Data and user accounts.</li></ul> <p> Visibility into compliance, threat, and user needs. <p> Adapt and implement default policies and protections.| |Beyond|Adjust and refine key policies and controls. <p> Extend protections to on-premises dependencies. <p> Integrate with business and security processes (legal, insider threat, etc.).|
-|
## 30 days ΓÇö powerful quick wins <a name="Thirdaydays"> </a>
These tasks can be accomplished quickly and have low impact to users.
|Threat protection|[Connect Microsoft 365 to Microsoft Defender for Cloud Apps](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security) to start monitoring using the default threat detection policies for anomalous behaviors. It takes seven days to build a baseline for anomaly detection. <p> Implement protection for admin accounts:<ul><li>Use dedicated admin accounts for admin activity.</li><li>Enforce multi-factor authentication (MFA) for admin accounts.</li><li>Use a [highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure) for admin activity.</li></ul>| |Identity and access management|<ul><li>[Enable Azure Active Directory Identity Protection](/azure/active-directory/active-directory-identityprotection-enable).</li><li>For federated identity environments, enforce account security (password length, age, complexity, etc.).</li></ul>| |Information protection|Review example information protection recommendations. Information protection requires coordination across your organization. Get started with these resources:<ul><li>[Office 365 Information Protection for GDPR](/compliance/regulatory/gdpr)</li><li>[Configure Teams with three tiers of protection](../../solutions/configure-teams-three-tiers-protection.md) (includes sharing, classification, data loss prevention, and Azure Information Protection)</li></ul>|
-|
## 90 days ΓÇö enhanced protections <a name="Ninetydays"> </a>
These tasks take a bit more time to plan and implement but greatly increase your
|Threat protection|Implement enhanced protections for admin accounts: <ul><li>Configure [Privileged Access Workstations](/security/compass/privileged-access-devices) (PAWs) for admin activity.</li><li>Configure [Azure AD Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure).</li><li>Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Defender for Cloud Apps, and other services, including AD FS. The audit log stores data for only 90 days. Capturing this data in SIEM tool allows you to store data for a longer period.</li></ul>| |Identity and access management|<ul><li>Enable and enforce MFA for all users.</li><li>Implement a set of [conditional access and related policies](microsoft-365-policies-configurations.md).</li></ul>| |Information protection| Adapt and implement information protection policies. These resources include examples: <ul><li>[Office 365 Information Protection for GDPR](/compliance/regulatory/gdpr)</li><li>[Configure Teams with three tiers of protection](../../solutions/configure-teams-three-tiers-protection.md)</li></ul> <p> Use data loss prevention policies and monitoring tools in Microsoft 365 for data stored in Microsoft 365 (instead of Defender for Cloud Apps). <p> Use Defender for Cloud Apps with Microsoft 365 for advanced alerting features (other than data loss prevention).|
-|
## Beyond <a name="Beyond"> </a>
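Review bot: In the SIEM list item of the **Threat protection** row, `Capturing this data in SIEM tool` is missing an article; use "in a SIEM tool".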
These are important security measures that build on previous work.
|Threat protection|<ul><li>Implement [Secure Privileged Access](/windows-server/identity/securing-privileged-access/securing-privileged-access) (SPA) for identity components on premises (AD, AD FS).</li><li>Use Defender for Cloud Apps to monitor for insider threats.</li><li>Discover shadow IT SaaS usage by using Defender for Cloud Apps.</li></ul>| |Identity and access management|<ul><li>Refine policies and operational processes.</li><li>Use Azure AD Identity Protection to identify insider threats.</li></ul>| |Information protection|Refine information protection policies: <ul><li>Microsoft 365 and Office 365 sensitivity labels and data loss prevention (DLP), or Azure Information Protection.</li><li>Defender for Cloud Apps policies and alerts.</li></ul>|
-|
Also see: [How to mitigate rapid cyberattacks such as Petya and WannaCrypt](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/21/how-to-mitigate-rapid-cyberattacks-such-as-petya-and-wannacrypt/).
security Sending Mail To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/sending-mail-to-office-365.md
If you're not a customer, but are trying to send mail to someone in who is, you'
|How to fix problems reaching customers at Microsoft 365 through email. Best practices for sending bulk mail to Microsoft 365 recipients.|[Troubleshooting mail sent to Office 365](troubleshooting-mail-sent-to-office-365.md)| |How Microsoft 365 prevents junk email, including phishing and spoofing email, from being sent to our customers.|[Anti-spam protection in Microsoft 365](anti-spam-protection.md)| |How you, an administrator sending email to Microsoft 365 customers, can avoid having email blocked by adhering to our anti-spam policies. This is the legal stuff you need to know.|[Reference: Policies, practices, and guidelines](reference-policies-practices-and-guidelines.md)|
-|
security Services For Non Customers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/services-for-non-customers.md
This overview provides information about benefits we provide to your organizatio
|[Microsoft support](#microsoft-support)|Provides self-help and escalation support for delivery issues.| |[Anti-Spam IP Delist Portal](#anti-spam-ip-delist-portal)|A tool to submit IP delist request. Before submitting this request it is the sender's responsibility to ensure that any further mail originating from the IP in question is not abusive or malicious.| |[Abuse and spam reporting for junk email originating from Exchange Online](#abuse-and-spam-reporting-for-junk-email-originating-from-exchange-online)|Keeps spam and other unwanted mail from being sent from Exchange Online and cluttering up the internet and your mail system.|
-|
## Microsoft support
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
Examples of Microsoft Defender for Office 365 organizations include:
The high-level differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365 are described in the following table:
-<br>
-
-****
- |Feature|Anti-phishing policies in EOP|Anti-phishing policies in Defender for Office 365| ||::|::| |Automatically created default policy|![Check mark.](../../media/checkmark.png)|![Check mark.](../../media/checkmark.png)|
The high-level differences between anti-phishing policies in EOP and anti-phishi
|First contact safety tip|![Check mark.](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)| |Impersonation settings||![Check mark](../../media/checkmark.png)| |Advanced phishing thresholds||![Check mark](../../media/checkmark.png)|
-|
<sup>\*</sup> In the default policy, the policy name, and description are read-only (the description is blank), and you can't specify who the policy applies to (the default policy applies to all recipients).
security Sharepoint File Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/sharepoint-file-access-policies.md
The following table lists the policies you either need to review and update or c
||[SharePoint access control policy](#sharepoint-access-control-policies): Allow browser-only access to specific SharePoint sites from unmanaged devices.|This prevents editing and downloading of files. Use PowerShell to specify sites.| |**Specialized security**|[*Always* require MFA](identity-access-policies.md#require-mfa-based-on-sign-in-risk)|Include SharePoint in the assignment of cloud apps.| ||[SharePoint access control policy](#use-app-enforced-restrictions-in-sharepoint): Block access to specific SharePoint sites from unmanaged devices.|Use PowerShell to specify sites.|
-|
## Use app-enforced restrictions in SharePoint
security Spam Confidence Levels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/spam-confidence-levels.md
What the SCL means and the default actions that are taken on messages are descri
|0, 1|Spam filtering determined the message was not spam.|Deliver the message to the recipients' inbox.| |5, 6|Spam filtering marked the message as **Spam**|Deliver the message to the recipients' Junk Email folder.| |9|Spam filtering marked the message as **High confidence spam**|Deliver the message to the recipients' Junk Email folder.|
-|
You'll notice that SCL 2, 3, 4, 7, and 8 aren't used by spam filtering.
security Teams Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/teams-access-policies.md
This table lists the policies that need to be revisited and links to each policy
||[Define device compliance policies](identity-access-policies.md#define-device-compliance-policies)|Include Teams and dependent services in this policy.| ||[Require compliant PCs *and* mobile devices](identity-access-policies.md#require-compliant-pcs-and-mobile-devices)|Include Teams and dependent services in this policy.| |**Specialized security**|[*Always* require MFA](identity-access-policies.md#require-mfa-based-on-sign-in-risk)|Regardless of user identity, MFA will be used by your organization. Include Teams and dependent services in this policy. |
-|
## Teams dependent services architecture
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
Office 365 Secure Score analyzes your organization's security based on your regu
The Microsoft 365 Defender portal includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations. Some areas do not include default policies or rules. Visit these policies under **Email & collaboration** \> **Policies & rules** \> **Threat policies** to tune threat management settings for a more secure environment.
-<br>
-
-****
- |Area|Default policy?|Recommendation| |||| |**Anti-phishing**|Yes|Configure the default anti-phishing policy as described here: [Configure anti-phishing protection settings in EOP and Defender for Office 365](protect-against-threats.md#part-2anti-phishing-protection-in-eop-and-defender-for-office-365). <p> More information: <ul><li>[Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md)</li><li>[Recommended anti-phishing policy settings in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365)</li><li> [Impersonation insight](impersonation-insight.md)</li><li>[Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)</li><li>[Manage the Tenant Allow/Block List](tenant-allow-block-list.md).</li></ul>|
The Microsoft 365 Defender portal includes capabilities that protect your enviro
|**Safe Links in Microsoft Defender for Office 365**|No|Configure the global settings for Safe Links and create a Safe Links policy as described here: [Configure Safe Links settings in Microsoft Defender for Office 365](protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365). <p> More information: <ul><li>[Recommended Safe Links settings](recommended-settings-for-eop-and-office365.md#safe-links-settings)</li><li>[Set up Safe Links policies](set-up-safe-links-policies.md)</li><li>[Safe Links in Microsoft Defender for Office 365](safe-links.md)</li><li>[Configure global settings for Safe Links in Microsoft Defender for Office 365](configure-global-settings-for-safe-links.md)</li></ul>| |**Anti-spam (mail filtering)**|Yes|Configure the default anti-spam policy as described here: [Configure anti-spam protection settings in EOP](protect-against-threats.md#part-3anti-spam-protection-in-eop) <p> More information: <ul><li>[Recommended anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings)</li><li>[Anti-spam protection in EOP](anti-spam-protection.md)</li><li>[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)</li></ul>| |***Email Authentication***|Yes|Email authentication uses DNS records to add verifiable information to email messages about the message source and sender. Microsoft 365 automatically configures email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also configure email authentication for custom domains. 
Three authentication methods are used: <ul><li>Sender Policy Framework (or SPF).</li><ul><li>For setup, see [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md).</li></ul> <li>DomainKeys Identified Mail (DKIM).</li><ul><li>See [Use DKIM to validate outbound email sent from your custom domain](use-dkim-to-validate-outbound-email.md).</li><li>After you've configured DKIM, enable it in the Microsoft 365 Defender portal.</li></ul><li>Domain-based Message Authentication, Reporting, and Conformance (DMARC).</li><ul><li>For DMARC setup [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).</li></ul></ul>|
-|
> [!NOTE] > For non-standard deployments of SPF, hybrid deployments, and troubleshooting: [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](how-office-365-uses-spf-to-prevent-spoofing.md).
The Microsoft 365 Defender portal includes capabilities that protect your enviro
Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on.
-<br>
-
-****
- |Dashboard|Description| ||| |Email security reports|These reports are available in Exchange Online Protection. For more information, see [View email security reports in the Microsoft 365 Defender portal](view-email-security-reports.md).| |Defender for Office 365 reports|The reports are available only in Defender for Office 365. For more information, see [View Defender for Office 365 reports in the Microsoft 365 Defender portal](view-reports-for-mdo.md).| |Mail flow reports and insights|These reports and insights are available in the Exchange admin center (EAC). For more information, see [Mail flow reports](/exchange/monitoring/mail-flow-reports/mail-flow-reports) and [Mail flow insights](/exchange/monitoring/mail-flow-insights/mail-flow-insights).| |[Threat Explorer (or real-time detections)](threat-explorer.md)|If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.|
-|
## Configure additional Exchange Online tenant-wide settings Here are a couple of additional settings that are recommended.
-<br>
-
-****
- |Area|Recommendation| ||| |**Mail flow rules** (also known as transport rules)|Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see [Use mail flow rules to inspect message attachments in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments). <p> See these additional topics: <ul><li>[Protect against ransomware](../../admin/security-and-compliance/secure-your-business-data.md#5-protect-against-ransomware)</li><li>[Malware and Ransomware Protection in Microsoft 365](/compliance/assurance/assurance-malware-and-ransomware-protection)</li><li>[Recover from a ransomware attack in Office 365](recover-from-ransomware.md)</li></ul> <p> Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see [Mitigating Client External Forwarding Rules with Secure Score](/archive/blogs/office365security/mitigating-client-external-forwarding-rules-with-secure-score). <p> More information: [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules)| |**Modern authentication**|Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email. <p> See these topics: <ul><li>[Enable or disable modern authentication in Exchange Online](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online)</li><li>[Skype for Business Online: Enable your tenant for modern authentication](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx)</li></ul> <p> Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business. 
<p> More information: [How modern authentication works for Office 2013 and Office 2016 client apps](../../enterprise/modern-auth-for-office-2013-and-2016.md)|
-|
## Configure tenant-wide sharing policies in SharePoint admin center
SharePoint team sites configured at the baseline level allow sharing files with
To support the goals for baseline protection, configure tenant-wide sharing policies as recommended here. Sharing settings for individual sites can be more restrictive than this tenant-wide policy, but not more permissive.
-<br>
-
-****
- |Area|Includes a default policy|Recommendation| |||| |**Sharing** (SharePoint Online and OneDrive for Business)|Yes|External sharing is enabled by default. These settings are recommended: <ul><li>Allow sharing to authenticated external users and using anonymous access links (default setting).</li><li>Anonymous access links expire in this many days. Enter a number, if desired, such as 30 days.</li><li>Default link type ΓÇö select Internal (people in the organization only). Users who wish to share using anonymous links must choose this option from the sharing menu.</li></ul> <p> More information: [External sharing overview](/sharepoint/external-sharing-overview)|
-|
SharePoint admin center and OneDrive for Business admin center include the same settings. The settings in either admin center apply to both.
security Threat Explorer Views https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-views.md
When you first open Explorer (or the real-time detections report), the default v
|Microsoft Defender for Office 365 P1 paid testing Defender for Office 365 P2 trial|Threat Explorer|7| |Microsoft Defender for Office 365 P2 trial|Threat Explorer|7| |Microsoft Defender for Office 365 P2 paid|Threat Explorer|30|
-|
> [!NOTE] > We will soon be extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 to 30 days. This change is being tracked as part of roadmap item no. 70544, and is currently in a roll-out phase.
security Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md
ms.prod: m365-security
If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [necessary permissions](#required-licenses-and-permissions), you have either **Explorer** or **Real-time detections** (formerly *Real-time reports* ΓÇö [see what's new](#new-features-in-threat-explorer-and-real-time-detections)!). In the Security & Compliance Center, go to **Threat management**, and then choose **Explorer** _or_ **Real-time detections**.
-<br>
-
-****
- |With Microsoft Defender for Office 365 Plan 2, you see:|With Microsoft Defender for Office 365 Plan 1, you see:| ||| |![Threat explorer.](../../media/threatmgmt-explorer.png)|![Real-time detections](../../media/threatmgmt-realtimedetections.png)|
-|
Explorer or Real-time detections helps your security operations team investigate and respond to threats efficiently. The report resembles the following image:
How is this done? Delivery status is now broken out into two columns:
*Delivery action* is the action taken on an email due to existing policies or detections. Here are the possible actions for an email:
-<br>
-
-****
- |Delivered|Junked|Blocked|Replaced| ||||| |Email was delivered to the inbox or folder of a user, and the user can access it.|Email was sent to the user's Junk or Deleted folder, and the user can access it.|Emails that are quarantined, that failed, or were dropped. These mails are inaccessible to the user.|Email had malicious attachments replaced by .txt files that state the attachment was malicious.|
-|
Here is what the user can and can't see:
-<br>
-
-****
- |Accessible to end users|Inaccessible to end users| ||| |Delivered|Blocked| |Junked|Replaced|
-|
**Delivery location** shows the results of policies and detections that run post-delivery. It's linked to ***Delivery action***. These are the possible values:
security Trial Playbook Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365.md
audience: Admin-+ ms.localizationpriority: high
security View Email Security Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
A variety of reports are available in the Microsoft 365 Defender portal at <http
The Exchange Online Protection (EOP) and Microsoft Defender for Office 365 reports in the Microsoft 365 Defender portal that have been replaced, moved, or deprecated are described in the following table.
-<br>
-
-****
- |Deprecated report and cmdlets|New report and cmdlets|Message Center ID|Date| |||::|::| |**URL trace** <p> Get-URLTrace|[URL protection report](view-reports-for-mdo.md#url-protection-report) <p> [Get-SafeLinksAggregateReport](/powershell/module/exchange/get-safelinksaggregatereport) <br> [Get-SafeLinksDetailReport](/powershell/module/exchange/get-safelinksdetailreport)|MC239999|June 2021|
The Exchange Online Protection (EOP) and Microsoft Defender for Office 365 repor
|**Malware detected in email report** <p> Get-MailTrafficReport <br> Get-MailDetailMalwareReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <p> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250530|June 2021| |**Spam detection report** <p> Get-MailTrafficReport <br> Get-MailDetailSpamReport|[Threat protection status report: View data by Email \> Spam](#view-data-by-email--spam-and-chart-breakdown-by-detection-technology) <p> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|MC250529|October 2021| |Get-AdvancedThreatProtectionDocumentReport <p> Get-AdvancedThreatProtectionDocumentDetail|[Get-ContentMalwareMdoAggregateReport](/powershell/module/exchange/get-contentmalwaremdoaggregatereport) <p> [Get-ContentMalwareMdoDetailReport](/powershell/module/exchange/get-contentmalwaremdodetailreport)|TBA|May 2022|
-|**Exchange transport rule report** <p> Get-MailTrafficPolicyReport <br> Get-MailDetailTransportRuleReport|[Exchange transport rule report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-exchange-transport-rule-report) <p> no cmdlets|MC316157|April 2022|
+|**Exchange transport rule report** <p> [Get-MailTrafficPolicyReport](/powershell/module/exchange/get-mailtrafficpolicyreport) <br> [Get-MailDetailTransportRuleReport](/powershell/module/exchange/get-maildetailtransportrulereport)|[Exchange transport rule report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-exchange-transport-rule-report) <p> [Get-MailTrafficPolicyReport](/powershell/module/exchange/get-mailtrafficpolicyreport) <br> [Get-MailDetailTransportRuleReport](/powershell/module/exchange/get-maildetailtransportrulereport)|MC316157|April 2022|
|Get-MailTrafficTopReport|[Threat protection status report: View data by Email \> Malware](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) <p> [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <br> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport) <p> **Note**: There is no replacement for the encryption reporting capabilities in Get-MailTrafficTopReport.|MC315742|April 2022|
-|
## Compromised users report
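Review bot: In the added **Exchange transport rule report** row, Get-MailTrafficPolicyReport and Get-MailDetailTransportRuleReport now appear in both the "Deprecated report and cmdlets" column and the "New report and cmdlets" column, so the row reads as if the cmdlets are deprecated and are also their own replacement. If the intent is that only the report moved to the EAC while the cmdlets stay available, remove them from the deprecated column or state that explicitly in the new column, so admins who script against these cmdlets can tell whether they need to migrate.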
The details table below the graph shows the following information:
- **Creation time** - **User ID** - **Action**
+- **Tags**: For more information about user tags, see [User tags](user-tags.md).
You can filter both the chart and the details table by clicking **Filter** and selecting one or more of the following values in the flyout that appears: - **Date (UTC)**: **Start date** and **End date**. - **Activity**: **Restricted** or **Suspicious**
+- **Tag**: **All** or the specified user tag (including priority accounts).
When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
The **Spoof detections** report shows information about messages that were block
The aggregate view of the report allows for 90 days of filtering, while the detail view only allows for ten days of filtering.
-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Spoof detections** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/SpoofMailReportV2>.
+To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Spoof detections** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/SpoofMailReport>.
![Spoof detections widget on the Email & collaboration reports page.](../../media/spoof-detections-widget.png)
In the details table below the chart, the following information is available:
- **Detection technology** - **Delivery status** - **Sender IP**-- **Tags**
+- **Tags**: For more information about user tags, see [User tags](user-tags.md).
If you click **Filter**, the following filters are available:
If you click **Filter**, the following filters are available:
- **All** - **Inbound** - **Outbound**-- **Tag**: **All** or the specified user tag (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Tag**: **All** or the specified user tag (including priority accounts).
- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). - **Policy type**: - **All**
In the details table below the chart, the following information is available:
- **Detection technology** - **Delivery status** - **Sender IP**-- **Tags**
+- **Tags**: For more information about user tags, see [User tags](user-tags.md).
If you click **Filter**, the following filters are available:
If you click **Filter**, the following filters are available:
- **All** - **Inbound** - **Outbound**-- **Tag**: **All** or the specified user tag (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Tag**: **All** or the specified user tag (including priority accounts).
- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). - **Policy type**: - **All**
In the details table below the chart, the following information is available:
- **Detection technology** - **Delivery Status** - **Sender IP**-- **Tags**
+- **Tags**: For more information about user tags, see [User tags](user-tags.md).
If you click **Filter**, the following filters are available:
If you click **Filter**, the following filters are available:
- **All** - **Inbound** - **Outbound**-- **Tag**: **All** or the specified user tag (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Tag**: **All** or the specified user tag (including priority accounts).
- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). - **Policy type**: - **All**
In the details table below the chart, the following information is available:
- **Detection technology** - **Delivery status** - **Sender IP**-- **Tags**
+- **Tags**: For more information about user tags, see [User tags](user-tags.md).
If you click **Filter**, the following filters are available:
If you click **Filter**, the following filters are available:
- **All** - **Inbound** - **Outbound**-- **Tag**: **All** or the specified user tag (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Tag**: **All** or the specified user tag (including priority accounts).
- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). - **Policy type**: - **All**
In the details table below the chart, the following information is available:
- **Detection technology** - **Delivery status** - **Sender IP**-- **Tags**
+- **Tags**: For more information about user tags, see [User tags](user-tags.md).
If you click **Filter**, the following filters are available:
If you click **Filter**, the following filters are available:
- **All** - **Inbound** - **Outbound**-- **Tag**: **All** or the specified user tag (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Tag**: **All** or the specified user tag (including priority accounts).
- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). - **Policy type**: - **All**
In the details table below the chart, the following information is available:
- **Recipients** - **System override** - **Sender IP**-- **Tags**
+- **Tags**: For more information about user tags, see [User tags](user-tags.md).
If you click **Filter**, the following filters are available:
If you click **Filter**, the following filters are available:
- **All** - **Inbound** - **Outbound**-- **Tag**: **All** or the specified user tag (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+- **Tag**: **All** or the specified user tag (including priority accounts).
- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). - **Policy type**: **All** - **Policy name (details table view only)**: **All**
In the details table below the chart, the following information is available:
- **Recipients** - **System override** - **Sender IP**-- **Tags**
+- **Tags**: For more information about user tags, see [User tags](user-tags.md).
If you click **Filter**, the following filters are available:
The details table below the graph shows the following information:
- **Sender** - **Reported reason** - **Rescan result**-- **Tags**
+- **Tags**: For more information about user tags, see [User tags](user-tags.md).
To submit a message to Microsoft for analysis, select the message entry from the table, click **Submit to Microsoft for analysis** and then select one of the following values from the drop down list:
security View Reports For Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-reports-for-mdo.md
The available views on the **URL protection** report page are described in the f
The **View data by URL click protection action** view shows the number of URL clicks by users in the organization and the results of the click: -- **Allowed**: The user was allowed to navigate to the URL.-- **Blocked**: The user was blocked from navigating to the URL.-- **Blocked and clicked through**: The user has chosen to continue navigating to the URL.-- **Clicked through during scan**: The user has clicked on the link before the scan was complete.
+- **Allowed**: Clicks allowed.
+- **Allowed by tenant admin**: Clicks allowed in Safe Links policies.
+- **Blocked**: Click blocked.
+- **Blocked by tenant admin**: The Clicks blocked in Safe Links policies.
+- **Blocked and clicked through**: Blocked clicks where users click through to the blocked URL.
+- **Blocked by tenant admin and clicked through**: Admin has blocked the link, but the user clicked through.
+- **Clicked through during scan**: Clicks where users click through the pending scan page to the URL.
+- **Pending scan**: Clicks on URLs that are pending a scan verdict.
A click indicates that the user has clicked through the block page to the malicious website (admins can disable click through in Safe Links policies). If you click **Filters**, you can modify the report and the details table by selecting one or more of the following values in the flyout that appears: - **Date (UTC)**: **Start date** and **End date**-- **Detection**:
+- **Action**:
- **Allowed** - **Blocked**
+ - **Allowed by tenant admin**
- **Blocked and clicked through**
+ - **Blocked by tenant admin and clicked through**
- **Clicked through during scan**
+ - **Pending scan**
- **Domains**: The URL domains listed in the report results. - **Recipients**
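Review bot: The **Action** filter list in the visible lines gains **Allowed by tenant admin**, **Blocked by tenant admin and clicked through**, and **Pending scan**, but not **Blocked by tenant admin**, although the view list above adds that value. Add the missing filter value or say why it cannot be filtered on, and place **Allowed by tenant admin** directly after **Allowed** so the filter order matches the view list. Wording nits in the added bullets: "**Blocked by tenant admin**: The Clicks blocked in Safe Links policies." has a stray "The", and "**Blocked**: Click blocked." is singular where the sibling bullets say "Clicks".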
On the main report page, the ![Create schedule icon.](../../media/m365-cc-sc-cre
The **View data by URL click by application** view shows the number of URL clicks by apps that support Safe Links: - **Email client**-- **PowerPoint**-- **Word**-- **Excel**-- **OneNote**-- **Visio**
+- **Office document**
- **Teams**-- **Others** If you click **Filters**, you can modify the report and the details table by selecting one or more of the following values in the flyout that appears:
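Review bot: Replacing **PowerPoint**, **Word**, **Excel**, **OneNote**, and **Visio** with a single **Office document** bullet, and dropping **Others**, leaves the view description with no statement of which apps the new value covers. Suggest a short parenthetical on the **Office document** bullet listing the apps it aggregates, and confirm in the text where clicks previously reported as **Others** are now counted.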
On the main report page, the ![Create schedule icon.](../../media/m365-cc-sc-cre
In addition to the reports described in this article, several other reports are available, as described in the following table:
-<br>
-
-****
- |Report|Topic| ||| |**Explorer** (Microsoft Defender for Office 365 Plan 2) or **real-time detections** (Microsoft Defender for Office 365 Plan 1)|[Threat Explorer (and real-time detections)](threat-explorer.md)| |Email security reports that don't require Defender for Office 365|[View email security reports in the Microsoft 365 Defender portal](view-email-security-reports.md)| |Mail flow reports in the Exchange admin center (EAC)|[Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports)|
-|
PowerShell reporting cmdlets:
-<br>
-
-****
- |Report|Topic| ||| |Top senders and recipients|[Get-MailTrafficTopReport](/powershell/module/exchange/get-mailtraffictopreport) <p> [Get-MailTrafficSummaryReport](/powershell/module/exchange/get-mailtrafficsummaryreport)|
PowerShell reporting cmdlets:
|Compromised users|[Get-CompromisedUserAggregateReport](/powershell/module/exchange/get-compromiseduseraggregatereport) <p> [Get-CompromisedUserDetailReport](/powershell/module/exchange/get-compromiseduserdetailreport)| |Mail flow status|[Get-MailflowStatusReport](/powershell/module/exchange/get-mailflowstatusreport)| |Spoofed users|[Get-SpoofMailReport](/powershell/module/exchange/get-spoofmailreport)|
-|
## What permissions are needed to view the Defender for Office 365 reports?