+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+# Set up Outlook for Microsoft 365 for business email

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+| Viva Goals (self-service trials only) | CFQ7TTC0PW0V | Yes |

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+|Name|Description|Severity|Automated investigation|Subscription|

+|||::|::||

+|Name|Description|Severity|Automated investigation|Required subscription|

+||||::||

+|Name|Description|Severity|Automated investigation|Required subscription|

+|||::|::||

+|Name|Description|Severity|Automated investigation|Required subscription|

+|||::|::||

+|**Admin submission result completed**|Generates an alert when an [Admin Submission](../security/office-365-security/submissions-admin.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. These alerts are meant to remind you to [review the results of previous submissions](https://compliance.microsoft.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact.|Informational|No|E1/F1, E3/F3, or E5|

+|**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation.|Informational|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

+|**Admin triggered user compromise investigation**|Generates an alert when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer), which shows the related manual triggering of an investigation on an email. This alert notifies your organization that the user compromise investigation was started. The alert provides information about who triggered it and includes a link to the investigation.|Medium|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

+|**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Microsoft Purview portal. An alert is triggered when the following content search activities are performed: A content search is started, the results of a content search are exported, a content search report is exported. Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. For more information about content search activities, see [Search for eDiscovery activities in the audit log](ediscovery-search-for-activities-in-the-audit-log.md#ediscovery-activities).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|

+|**Graders disagreement with Tenant Allow/Block List entry**|Generates an alert when Microsoft determines that the admin submission corresponding to an allow entry in the Tenant Allow/Block List is found to be malicious. This event is triggered as soon as the submission has been analyzed by Microsoft. The allow entry will continue to exist for its stipulated duration. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list-about.md).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|

+|**Malware campaign detected after delivery**┬╣|Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes.|High|No|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

+|**Malware campaign detected and blocked**┬╣|Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization. If this event occurs, the infected messages are blocked by Microsoft and not delivered to mailboxes.|Low|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

+|**Malware campaign detected in SharePoint and OneDrive**┬╣|Generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization.|High|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

+|**New transport rule removing antispam header**|A new mail flow rule (transport rule) to remove anti-spam header was detected. This alert might indicate that a spam campaign using a mailbox in the organization is currently underway.|Medium|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

+|**Phish delivered due to an ETR override**┬▓|Generates an alert when Microsoft detects an Exchange transport rule (also known as a mail flow rule) that allowed delivery of a high confidence phishing message to a mailbox. For more information about Exchange Transport Rules (Mail flow rules), see [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|

+|**Phish delivered due to an IP allow policy**┬▓|Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox. For more information about the IP allow policy (connection filtering), see [Configure the default connection filter policy - Office 365](../security/office-365-security/connection-filter-policies-configure.md).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|

+|**Phish not zapped because ZAP is disabled**┬▓|Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled.|Informational|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

+|**Remediation action taken by admin on emails or URL or sender**|**Note**: This alert policy has been replaced by the **Administrative action submitted by an Administrator** alert policy. This alert policy will eventually go away, so we recommend disabling this alert policy and using **Administrative action submitted by an Administrator** instead. This alert is triggered when an admin takes remediation action on the selected entity|Informational|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|

+|**Removed an entry in Tenant Allow/Block List**|Generates an alert when an allow entry in the Tenant Allow/Block List is learned from by filtering system and removed. This event is triggered when the allow entry for the affected domain or email address, file, or URL (_entity_) is removed. You no longer need the affected allow entry. Email messages that contain the affected entities will be delivered to the Inbox if nothing else in the message is determined to be bad. URLs and files will be allowed at time of click. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list-about.md).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|

+|**Suspicious inbound connector and transport rule created to remove sender email headers**|A suspicious inbound connector and mail flow rule (transport rule) were created to remove headers that identify the true source addresses of message senders. This alert might indicate that a spam campaign using a mailbox in the organization is currently underway.|Medium|No|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

+|**Suspicious email transport rule detected**|A suspicious mail flow rule (transport rule) was created to forward any email in the organization to an attacker-owned mailbox.|Medium|No|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

+|**Suspicious pattern of inbound connector creation**|A suspicious pattern of inbound connector creation was detected. This behavior might suggest that an attacker set malicious inbound connectors to allow anonymous relay through the organization's Exchange server.|Medium|No|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

+|**Suspicious email-sending pattern from new Exchange inbound connector**.|A suspicious email-sending pattern from a new Exchange inbound connector was detected. This behavior might suggest that an attacker set a malicious inbound connector to allow anonymous relay through the organization's Exchange server.|Medium|No|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|

+|**Tenant Allow/Block List entry is about to expire**|Generates an alert when an allow entry or block entry in the Tenant Allow/Block List entry is about to be removed. This event is triggered 7 days before the expiration date, which is based on when the entry was created or last updated. For both allow entries and block entries, you can extend the expiration date. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list-about.md).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|

+|**Unusual increase in email reported as phish**┬╣|Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2).|Medium|No|E5/G5 or Defender for Office 365 P2 add-on subscription|

+┬╣ This alert policy is in the process of being deprecated based on customer feedback as a false positive. To retain the functionality of this alert policy, you can create a custom alert policy with the same settings.

+┬▓ This alert policy is part of the replacement functionality for the **Phish delivered due to tenant or user override** and **User impersonation phish delivered to inbox/folder** alert policies that were removed based on user feedback. For more information about anti-phishing in Office 365, see [Anti-phishing policies](../security/office-365-security/anti-phishing-policies-about.md).

+Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and then select **Incidents & alerts** \> **Alerts**. Alternatively, you can go directly to <https://security.microsoft.com/alerts>.

+> For emails that you auto-apply by identifying sensitive information, all mailboxes are automatically included, which includes mailboxes from Microsoft 365 groups. By default, the **Exchange mailboxes** location isn't selected for adaptive scopes when you have this configuration. Even if you can select the location, retention labels won't apply to the Exchange items.

+> Although group mailboxes would usually be included by selecting the **Microsoft 365 Group mailboxes & sites** location, for this specific policy configuration, the groups location includes only SharePoint sites connected to a Microsoft 365 group.

+When you export the results of an audit log search from the Microsoft Purview compliance portal, you can download all the results that meet your search criteria. You do this by selecting **Export results** \> **Download all results** on the **Audit log search** page. For more information, see [Search the audit log](audit-log-search.md).

+When your export all results for an audit log search, the raw data from the unified audit log is copied to a comma-separated value (CSV) file that is downloaded to your local computer. This file contains additional information from each audit record in a column named **AuditData**. This column contains a multi-value property for multiple properties from the audit log record. Each of the **property: value** pairs in this multi-value property are separated by a comma.

+The following table describes the properties that are included (depending on the service in which an event occurs) in the multi-property **AuditData** column. The **Office 365 service that has this property** column indicates the service and type of activity (user or admin) that includes the property. For more detailed information about these properties or about properties that may not be listed in this article, see [Management Activity API Schema](/office/office-365-management-api/office-365-management-activity-api-schema).

+| CurrentProtectionType | A complex property type containing fields to describe the current protection status of a document. Includes the following: <br/><br> **ProtectionType**: Enumerates the type of protection applied to the document. These values and their meanings apply: *0* (no protection), *1* (template-based protection), *2* (don't forward, for email), *3* (encrypt only), and *4* (custom, user configured protection) <br/> **Owner**: The email address of the user that configured protection. <br/> **TemplateId**: When the *ProtectionType* is set to *1* (template), this field contains the GUID of the template applied to the document. When the value of *ProtectionType* doesn't equal *1*, this field is blank. <br/> **DocumentEncrypted**: Boolean flag indicating if any type of encryption is applied to the document. Values are *True* or *False*.| All |

+|Members|Lists the users that have been added or removed from a team. The following values indicate the Role type assigned to the user. <br/><br/> **1** - Indicates the Owner role.<br/> **2** - Indicates the Member role.<br/> **3** - Indicates the Guest role. <br/><br/>The Members property also includes the name of your organization, and the member's email address.|Microsoft Teams|

+|ModifiedProperties (Name, NewValue, OldValue)|The property is included for admin events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified (for example, the Site Admin group) the new value of the modified property (such the user who was added as a site admin, and the previous value of the modified object).|All (admin activity)|

+| PreviousProtectionType | A complex property type containing fields to describe the previous protection status of a document. Includes the following: <br/><br> **ProtectionType**: Enumerates the type of protection applied to the document. These values and their meanings apply: *0* (no protection), *1* (template-based protection), *2* (don't forward, for email), *3* (encrypt only), and *4* (custom, user configured protection) <br/> **Owner**: The email address of the user that configured protection. <br/> **TemplateId**: When the *ProtectionType* is set to *1* (template), this field contains the GUID of the template applied to the document. When the value of *ProtectionType* doesn't equal *1*, this field is blank. <br/> **DocumentEncrypted**: Boolean flag indicating if any type of encryption is applied to the document. Values are *True* or *False*.| All |

+| ProtectionEventType | Enumerates how the protection was changed by the operation being audited. The following values and meanings apply: <br/><br/> **0** - Indicates unchanged. <br/> **1** - Indicates added. <br/> **2** - Indicates changed. <br/> **3** - Indicates removed. | All |

+|SecurityComplianceCenterEventType|Indicates that the activity was a compliance portal event. All compliance portal activities will have a value of **0** for this property.|Security & Compliance Center|

+|Target|The user that the action (identified in the **Operation** property) was performed on. For example, if a guest is added to SharePoint or a Microsoft Team, that user would be listed in this property.|Azure Active Directory|

+2. On the search results page, select **Export**.

+ 

+|Microsoft Defender for Identity (MDI)|MicrosoftDefenderForIdentityAudit|

+ 1. **Start date** and **End date**: The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC). The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.

+- **Date**: The date and time (in UTC) when the event occurred.

+ 

+ 

+- **Audit search tool in the Microsoft Purview compliance portal**. Use the Audit log search tool in the compliance portal to search for audit records. You can search for specific activities, for activities performed by specific users, and activities that occurred with a date range.

+3. On the **Audit** page, configure the search using the following conditions on the **Search** tab.

+ 1. **Date and time range**. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC). The last seven days are selected by default.

+- Investigate why there was a successful sign-in by a user outside your organization

+## Investigate why there was a successful sign-in by a user outside your organization

+This behavior is by design. Azure Active Directory (Azure AD), the directory service, allows something called *pass-through authentication* when an external user tries to access a SharePoint site or a OneDrive location in your organization. When the external user tries to do this, they're prompted to enter their credentials. Azure AD uses the credentials to authenticate the user, meaning only Azure AD verifies that the user is who they say they are. The indication of the successful sign-in in the audit record is the result of Azure AD authenticating the user. The successful sign-in doesn't mean that the user was able to access any resources or perform any other actions in your organization. It only indicates that the user was authenticated by Azure AD. In order for a pass-through user to access SharePoint or OneDrive resources, a user in your organization would have to explicitly share a resource with the external user by sending them a sharing invitation or anonymous sharing link.

+ c. The **ApplicationId** property identifies the application that triggered the sign-in request. The value of 00000003-0000-0ff1-ce00-000000000000 displayed in the ApplicationId property in this audit record indicates SharePoint Online. OneDrive for Business also has this same ApplicationId.

+ e. The **RecordType** value of **15** indicates that the audited activity (UserLoggedIn) is a Secure Token Service (STS) sign-in event in Azure AD.

+ 

+ Title: "Free trial of Microsoft Purview compliance solutions"

+The Microsoft Purview solutions trial is a free and easy way to try [capabilities of Microsoft Purview risk and compliance solutions](purview-compliance.md). After a quick setup taking only a couple of minutes, the features of the Microsoft E5 license package are available for you to use for up to 90 days.

+Microsoft 365 E3, Office 365 E3, and Enterprise Mobility and Security E3 customers who don't already have a Microsoft E5 license package are eligible for the Purview solutions trial. The trial isn't available for Microsoft 365 Government customers.

+As part of the trial setup, 300 Microsoft 365 E5 compliance licenses are automatically applied to your organization. The licenses are active for 90 days. You may want to refer to [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance) for licensing details for each solution.

+The Purview solutions trial includes the solutions listed below.

+> [!NOTE]

+> Certain Purview features may appear in other Microsoft products for which a license is needed. Refer to each Purview solution's licensing details at [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).

+- **Microsoft 365 Group mailboxes & sites**

+You can control whether sensitive files that are protected by your policies can be uploaded to specific service domains.

+You can add maximum 50 websites into one group and can create maximum 20 groups.

+You can add maximum 50 printers into one group and can create maximum 20 groups.

+You can add maximum 50 removable storages into one group and can create maximum 20 groups.

+> When a user is detected as a potential high impact user, this information is highlighted in the alert header in the **User details** page. The user details also include a summary with the reasons the user has been detected as such. To learn more about setting policy indicators for potential high impact users, see [Insider risk management settings](insider-risk-management-settings.md#policy-indicators).

+- **Modify your insider risk settings**: Insider risk settings include a wide variety of configuration options that can impact the volume and types of alerts you'll receive. These include settings for [policy indicators](insider-risk-management-settings.md#policy-indicators), [indicator thresholds](insider-risk-management-settings.md#indicator-level-settings), and [policy timeframes](insider-risk-management-settings.md#policy-timeframes). Consider configuring [intelligent detections](insider-risk-management-settings.md#intelligent-detections) options to exclude specific file types and sensitive info types, trainable classifiers, define minimum thresholds before activity alerts are reported by your policies, and change the alert volume configuration to a lower setting. You can also take advantage of real-time analytics (preview) to [see the effects of customizing thresholds settings before pushing your policies live](insider-risk-management-settings.md#indicator-level-settings).

+- **Use automated insider risk features to help discover the highest risk activities**. Insider risk management [sequence detection](insider-risk-management-policies.md#sequence-detection-preview) and [cumulative exfiltration detection](insider-risk-management-policies.md#cumulative-exfiltration-detection-preview) features can help you quickly discover harder to find risks in your organization. Consider fine-tuning your [risk score boosters](insider-risk-management-settings.md#policy-indicators), [file activity detection](insider-risk-management-settings.md#file-activity-detection), [domains](insider-risk-management-settings.md#domains), and the minimum [indicator threshold settings](insider-risk-management-settings.md#indicator-level-settings) for your policies.

+ - [Sensitive info type exclusion](insider-risk-management-settings.md#sensitive-info-type-exclusions-preview)

+20. On the **Policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#policy-indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. Select the indicators you want to apply to the policy.

+20. On the **Policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#policy-indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. Select the indicators you want to apply to the policy.

+- [Indicators](#policy-indicators)

+## Policy indicators

+### File path exclusions

+By defining file paths to exclude, user activities that map to specific indicators and that occur in these file path locations won't generate policy alerts. Some examples are copying or moving files to a system folder or network share path. You can enter up to 500 file paths for exclusion.

+To add file paths to exclude, complete the following steps:

+1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.

+2. In the **File path exclusion** section, select **Add file paths to exclude**.

+3. On the **Add a file path** pane, enter an exact network share or device path to exclude from risk scoring. You can also use * and *([0-9]) to denote specific and wildcard folders and subfolders to be excluded. For more information, see the following examples:

+ - **\\\\ms.temp\LocalFolder\ or C:\temp**: Excludes files directly under the folder and all subfolders for every file path starting with the entered prefix.

+ - **\public\local\\**: Excludes files from every file path containing entered value. Matches with 'C:\Users\Public\local\\', 'C:\Users\User1\Public\local\', and '\\\\ms.temp\Public\local'.

+ - **C:\Users\\\*\Desktop**: C:\Users\\\*\Desktop: Wildcards are supported. Matches with 'C:\Users\user1\Desktop' and 'C:\Users\user2\Desktop'.

+ - **C:\Users\\\*(2)\Desktop**: Wildcards with numbers are supported. Matches with 'C:\Users\user1\user1\Desktop' and 'C:\Users\user2\Shared\Desktop'.

+4. Select **Add file paths** to exclude to configure the file path exclusions or **Close** to discard the changes.

+To delete a file path exclusion, select the file path exclusion and select **Delete**.

+### Default file path exclusions

+By default, several file paths are automatically excluded from generating policy alerts. Activities in these file paths are typically benign and could potentially increase the volume of non-actionable alerts. If needed, you can cancel the selection for these default file path exclusions to enable risk scoring for activities in these locations.

+The default file path exclusions are:

+- \Users\\\*\AppData

+- \Users\\\*\AppData\Local

+- \Users\\\*\AppData\Local\Roaming

+- \Users\\\*\AppData\Local\Local\Temp

+The wildcards in these paths denote that all folder levels between the \Users and \AppData are included in the exclusion. For example, activities in *C:\Users\Test1\AppData\Local* and *C:\Users\Test2\AppData\Local*, *C:\Users\Test3\AppData\Local* (and so on) would all be included and not scored for risk as part of the *\Users\\\*\AppData\Local* exclusion selection.

+### Sensitive info type exclusions (preview)

+After users are added to insider risk management policies, background processes are automatically evaluating user activities for [triggering indicators](insider-risk-management-settings.md#policy-indicators). After triggering indicators are present, user activities are assigned risk scores. Some of these activities may result in an insider risk alert, but some activities may not meet a minimum risk score level and an insider risk alert won't be created. The **Users dashboard** allows you to view users with these types of indicators and risk scores, as well users that have active insider risk alerts.

+- Microsoft 365 Group mailboxes & sites

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

+> If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the [Microsoft Purview compliance portal trials hub](https://compliance.microsoft.com/trialHorizontalHub?sku=ComplianceE5&ref=DocsRef). Learn details about [signing up and trial terms](/microsoft-365/compliance/compliance-easy-trials).

+2. Go to **Billing** > **Purchase services** > **Microsoft 365**.

+ To verify that Lighthouse was successfully added to your tenant, look for Microsoft 365 Lighthouse under **Billing > Your products** in the Microsoft 365 admin center.

+3. You can sort the results by clicking on an available column header. Click  **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (^\*):

+4. To filter the results, click  **Filter**. The following filters are available in the **Filters** flyout that appears:

+ - **Time received**:

+ - **Last 24 hours**

+ - **Last 7 days**

+ - **Last 14 days**

+ - **Last 30 days**

+ - **Custom**: Enter a **Start time** and **End time** (date).

+ - **Data loss prevention**

+ - **Preparing to release**

+ - **Error**

+ - **Data loss prevention rule**

+-  **Delete from quarantine**: The message is deleted and is not sent to the original recipients. How the message is deleted depends on your selections in the flyout that opens:

+ - Select **Permanently delete the message from quarantine** and then click **Delete**: The message is permanently deleted and is not recoverable.

+ - Click **Delete** only: The message is deleted, but is recoverable within 30 days.

+When you select multiple quarantined messages in the list (up to 100) by clicking in the empty check box to the left of the first column, you can take the following actions on the selected messages:

+-  **Release**: Releases messages to all recipients. In the flyout that appears, you can choose the following options, which are the same as when you release a single message:

+-  **Delete from quarantine**: The messages are deleted and are not sent to the original recipients. How the messages are deleted depends on your selections in the flyout that opens:

+ - Select **Permanently delete the message from quarantine** and then click **Delete**: The messages are permanently deleted and are not recoverable.

+ - Click **Delete** only: The messages are deleted, but they're recoverable within 30 days.

+- **... More** \>  **Submit for review**.

+- **... More** \>  **Download messages**

+-  **Delete from quarantine**: The message is deleted and is not sent to the original recipients. How the message is deleted depends on your selections in the flyout that opens:

+ - Select **Permanently delete the message from quarantine** and then click **Delete**: The message is permanently deleted and is not recoverable.

+ - Click **Delete** only: The message is deleted, but is recoverable within 30 days.