+- Usage Summary Reports reader (with no user details): By design, this role has read access to user, groups, and other settings by default in the Microsoft 365 admin center, as the role is based on Microsoft Entra.

+2. From the **Overview** page, select **Exchange** \> **Email activity**.

+You can get a view into your user's email activity by looking at the **Activity** and **Users** charts.

+The **Activity** chart enables you to understand the trend of the amount of email activity going on in your organization. You can understand the split of email send, email read, email received, meeting created, or meeting interacted activities.

+The **User** chart enables you to understand the trend of the number of unique users who are generating the email activities. You can look at the trend of users performing email sending, email reading, email receiving, meeting creating, or meeting interacting activities.

+On the Activity chart, the Y axis is the count of activity of the type email sent, email received, email read, meeting created, and meeting interacted.

+On the Users activity chart, the Y axis is the user's performing activity of the type email sent, email received, email read, meeting created, or meeting interacted.

+The X axis on both charts is the selected date range for this specific report.

+You can also export the report data into an Excel .csv file, by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis.

+In the Microsoft 365 admin center, go to **Reports** > **Usage > Copilot for Microsoft 365**.

+Organizational messages enable IT admins to deliver clear, actionable messages in-product and in a targeted way, while maintaining user-level privacy. Organizational messages in Adoption Score use targeted in-product notifications to advise on Microsoft 365 recommended practices based on Adoption Score insights. Users can be reminded to use products that have recently been deployed, encouraged to try a product on a different surface, or to recommend new ways of working, such as using @mentions to improve response rates in communications. Templated messages are delivered to users in their flow of work through surfaces including Outlook, Excel, PowerPoint, Word, and new Teams. Authorized professionals can use the organizational messages wizard in Adoption Score to choose from up to three templated message types, define when and how often a message can be displayed, and exclude groups or priority accounts from receiving the message.

+## Getting started

+|Can I find out the exact date a change is available in my organization?|Unfortunately, we can't tell you the exact date a change is made to your organization. In our Message center post, we give as much information as we can on the timing of the release, based on our confidence level. We're working on improvements to get better with that level of detail.|

+|How can I ensure data privacy notifications are received by the right contacts in my organization?|As a global admin you receive data privacy messages for your organization. Additionally, you can assign the Message Center Privacy reader role to people who should see data privacy messages. Other admin roles with access to Message Center cannot view data privacy messages. <br/><br/>For more info, see [Preferences](#preferences) in this article.|

+ For each new and updated feature announcement in Message center, the **Status for your org** field provides a release status to help you track when a feature is available in your tenant.

+- Apps and service usage.

+- **Medium** - These are posts about changes in your organization, which don't need immediate action. Examples are nonbreaking changes or new features for a service, which is being used by your organization, an early announcement for an upcoming breaking feature change, retirement

+- **Low** - These are posts about changes that need monitoring. They are related to low impact apps and services in your organization. Examples would be a feature update for an app or service, which isn't actively used in your organization.

+If you see **Processing** for a Message center post, it means that the score is being computed for this post and should be available soon. You should try to refresh after a few minutes.

+Once you start receiving this, please tell us if a Message center post is **not relevant** to you through the [**extended feedback.**](#give-feedback-on-a-post) This feedback is important for us to improve the accuracy of the relevance recommendations.

+Use the **Service**, **Tag**, and **Message state** drop-down menus to select a filtered view of messages. For example, in this diagram, the messages are tagged with the **Admin impact** tag.

+Use the **Service**, **Tag**, and **Message state** drop-down menus to select a filtered view of messages. For example, in this diagram, the messages are tagged with the **Admin impact**.

+- Filter messages.

+ You can also choose the emails you want to get, and a weekly digest of services you select.

+Here's a quick overview of the information in each column.

+|Check mark|Selecting the check mark in the column heading row selects all messages currently displayed. Selecting the check mark next to one or more messages lets you take action on those messages.|

+|Category| This is not shown by default, but can be specified in the **Choose columns** panel. Messages are identified by one of the following three categories: <p> **Prevent or fix issues**: Informs you of known issues affecting your organization and may require that you take action to avoid disruptions in service. Prevent or fix issues are different than Service health messages because they prompt you to be proactive to avoid issues. <p> **Plan for change**: Informs you of changes to Microsoft 365 that may require you to act to avoid disruptions in service. For example, we let you know about changes to system requirements or about features that are being removed. We try to provide at least 30 days' notice of any change that requires an admin to act to keep the service running normally. <p> **Stay informed**: Tells you about new or updated features we are turning on in your organization. announced first in the [Microsoft 365 Roadmap](https://go.microsoft.com/fwlink/?linkid=2070821). <p> May also let you know about planned maintenance in accordance with our Service Level Agreement. Planned maintenance may result in down time, where you or your users can't access Microsoft 365, a specific feature, or a service such as email or OneDrive for Business.|

+2. To share the message, enter up to two email addresses separated by a colon. You can send to individual and to group email addresses. Optionally, you can choose to receive a copy of the message in email (the message goes to your primary email address) or add a personal message to provide recipients with more context.

+Need to follow up with another admin to make sure they're aware of a change and taking action? You can generate a link to share in email or instant messaging. The person you share the link with has to have access to Message center. See [admin roles that don't have access to the Message center](message-center.md#admin-roles-that-dont-have-access-to-the-message-center) for more information.

+1. Select the message center post.

+If you see a message that doesn't pertain to you, or maybe you've already acted on it, you can archive the message. Archiving a message removes it from the Inbox. The view that you see in the Message center is specific to your user account, so archiving it from your view doesn't affect other admins. There are two ways to archive a message.

+To mark a message as a favorite, hover over the message title and you will see a **Favorite** :::image type="icon" source="../../media/favorite-star.png" border="false"::: star you can select right after the **More options** ellipses. Once you have marked messages as favorite, you can also sort and filter them.

+$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

+| Block Win32 API calls from Office macros |Doesn't honor indicators of compromise for certificates. |

+> The script described in this article is recommended for manually onboarding devices to Defender for Endpoint. It should only be used on a limited number of devices. If you're deploying to a production environment, see [other deployment options](configure-endpoints.md), such as Intune, Group Policy, or Configuration Manager.

+# Configure exclusions for files opened by processes

+## Examples of process exclusions

+### Image name vs full path for process exclusions

+Two different types of process exclusions may be set. A process may be excluded by image name, or by full path. The image name is simply the file name of the process, without the path.

+For example, given the process `MyProcess.exe` running from `C:\MyFolder\` the full path to this process would be `C:\MyFolder\MyProcess.exe` and the image name is `MyProcess.exe`.

+Image name exclusions are much more broad - an exclusion on `MyProcess.exe` will exclude any processes with this image name, regardless of the path they are run from. So for example, if the process `MyProcess.exe` is excluded by image name, it will also be excluded if it is run from `C:\MyOtherFolder`, from removable media, et cetera. As such it is recommended that whenever possible, the full path is used.

+### Use wildcards in the process exclusion list

+The use of wildcards in the process exclusion list is different from their use in other exclusion lists. When the process exclusion is defined as an image name only, wildcard usage is not allowed. However when a full path is used, wildcards are supported and the wildcard behavior behaves as described in [File and Folder Exclusions](configure-extension-file-exclusions-microsoft-defender-antivirus.md)

+The use of environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list is also supported. Details and a full list of supported environment variables are described in [File and Folder Exclusions](configure-extension-file-exclusions-microsoft-defender-antivirus.md).

+The following table describes how the wildcards can be used in the process exclusion list, when a path is supplied:

+|Wildcard|Example use|Example matches|

+||||

+|`*` (asterisk) <p> Replaces any number of characters.|`C:\MyFolder\*`|Any file opened by `C:\MyFolder\MyProcess.exe` or `C:\MyFolder\AnotherProcess.exe`|

+| |`C:\*\*\MyProcess.exe`|Any file opened by `C:\MyFolder1\MyFolder2\MyProcess.exe` or `C:\MyFolder3\MyFolder4\MyProcess.exe`|

+| |`C:\*\MyFolder\My*.exe`|Any file opened by `C:\MyOtherFolder\MyFolder\MyProcess.exe` or `C:\AnotherFolder\MyFolder\MyOtherProcess.exe`|

+|'?' (question mark) <p> Replaces one character. |`C:\MyFolder\MyProcess??.exe`|Any file opened by `C:\MyFolder\MyProcess42.exe` or `C:\MyFolder\MyProcessAA.exe` or `C:\MyFolder\MyProcessF5.exe`|

+| Envionment Variables |`%ALLUSERSPROFILE%\MyFolder\MyProcess.exe`|Any file opened by `C:\ProgramData\MyFolder\MyProcess.exe`|

+### Contextual Process Exclusions

+Note that a process exclusion may also be defined via a [Contextual exclusion](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md) allowing for example a specific file to be excluded only if it is opened by a specific process.

+## Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans

+## Use the Windows Security app to exclude files that have been opened by specified processes from scans

+Follow the instructions in [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md).

+ > [!IMPORTANT]

+ > As Microsoft continues to evaluate the value of the features and services to provide, Microsoft has made the decision to retire the Defender Evaluation Lab.

+ > This change will rollout in mid-January 2024 and expect to complete by late January 2024.

+Devices can be categorized as misconfigured or inactive are flagged for different reasons. This article provides information about why a device might be categorized as inactive or misconfigured.

+- Device was off-boarded

+### Device was off-boarded

+If the device was off-boarded, it still appears in devices list. After seven days, the device health state should change to inactive.

+If your devices are running a third-party anti-malware client, Defender for Endpoint agent requires that the Microsoft Defender Antivirus Early Launch anti-malware (ELAM) driver is enabled.

+- For macOS devices that 'sleep' for more than approximately 48 hours (a weekend), Microsoft Defender for Endpoint on macOS still sends Command and Control (CnC) channel data, but doesn't send any Cyber channel data. After the devices are turned on and used on the first business day, the devices will show up as active.

+> In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules. You can also check the status of eBPF (enabled/disabled) on your linux endpoints using the advanced hunting query on the Security Portal. Steps are as follows-

+1. Go to the [Microsoft Defender portal](https://security.microsoft.com) and sign in.

+2. In the navigation pane, go to **Hunting** > **Advanced hunting**.

+3. Under **Advanced hunting**, go to **Defender Vulnerability Management**.

+4. Run the following query: `DeviceTvmInfoGathering`.

+5. In the output, in the **Additional fields** column, select **Show more**, and then look for **EBPF STATUS: true**.

+You can check the agent health status by running the `mdatp` health command. Make sure that the eBPF sensor for Defender for Endpoint on Linux is supported by checking the current kernel version by using the following command line:

+1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To mitigate this issue, you can take one of the following steps:

+ - Switch to auditd mode if you need to use RHEL 8.1 version.

+2. Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result in kernel panic. To mitigate this issue, you can take one of the following steps:

+ - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. Note that the minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.

+In the above output, you can see that stress-ng is the top process generating large number of events and might result into performance issues. Most likely stress-ng is generating the system call with ID 82. You can create a ticket with Microsoft to get this process excluded. In future as part of upcoming enhancements, you have more control to apply such exclusions at your end.

+This document describes the Offline Security Intelligence Update feature of Microsoft Defender for Endpoint on Linux.

+This feature enables an organization to update the security intelligence (also referred to as definitions or signatures in this document) on Linux endpoints with limited or no exposure to the internet using a local hosting server (termed as *Mirror Server* in this document).

+Mirror Server is any server in the customer's environment that can connect to the Microsoft cloud to download the signatures. Other Linux endpoints pull the signatures from the Mirror Server at a predefined interval.

+- Ability to control and manage the frequency of signature downloads on the local server & the frequency at which endpoints pull the signatures from the local server.

+- Adds an extra layer of protection & control as the downloaded signatures can be tested on a test device before being propagated to the entire fleet.

+- Reduces network bandwidth as now only one local server will poll MS cloud to get the latest signatures on behalf of your entire fleet.

+- Provides the most up to date antivirus protection as signatures are always downloaded along with the latest compatible AV engine.

+- On the rare occasion the offline update fails, you can also choose to fallback to online updates from Microsoft cloud(traditional method).

+- Organizations need to set up a Mirror Server, which is a local Web/NFS server that is reachable by the Microsoft cloud.

+- The following operating systems are supported on the Mirror Server:

+> The management and ownership of the Mirror Server lies solely with the customer as it resides in the customer's private environment.

+> Schedule a [cron job](#scheduling-a-cron-job) to keep the repo/downloaded zip file updated to the latest version at regular intervals.

+After cloning the repo/downloaded zip file, the local directory structure should be as follows:

+ To test if the settings are applied correctly on the Linux endpoints, run the following command:

+For example, a sample output would look like:

+offline_definition_update_verify_sig : "enabled"

+offline_definition_update_fallback_to_cloud : false[managed]

+- If the fields `automaticDefinitionUpdateEnabled` and 'offline_definition_update' in the managed json are set to true, then the offline security intelligence updates are triggered automatically at periodic intervals.

+- By default, this periodic interval is 8 hours. But it can be configured by setting the `definitionUpdatesInterval` in the managed json.

+>[!WARNING]

+>In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.

+When you select the **x** symbol, you see options as shown in the following screenshot:

+When you select **Action needed**, you get the error message as shown in the following screenshot:

+You encounter this message in a different way: If you're using the terminal to enter **mdatp health** without the double quotes, the message as shown in the following screenshot is displayed:

+- You can encounter an error if you've deployed and/or installed the Microsoft Defender for Endpoint on macOS package [Download installation packages](mac-install-manually.md#download-installation-and-onboarding-packages), but you might not have run the configuration script [Download the onboarding package](mac-install-with-intune.md#step-14-download-the-onboarding-package) that contains the license settings. For information on troubleshooting in this scenario, see [If you didn't run the configuration script](#if-you-did-not-run-the-configuration-script).

+- You can encounter an error message when the Microsoft Defender for Endpoint on macOS agent isn't up to date. For information on troubleshooting in this scenario, see [If Microsoft Defender for Endpoint on macOS isn't up to date](#if-microsoft-defender-for-endpoint-on-macos-is-not-up-to-date).

+- You can encounter an error message if you offboarded and reonboarded Mac from Microsoft Defender for Endpoint on macOS.

+- You can encounter an error message if a license isn't assigned to a user. For information on troubleshooting in this scenario, see [If a license isn't assigned to a user](#if-a-license-is-not-assigned-to-a-user).

+#### If you did not run the configuration script

+This section describes the troubleshooting measures when the error/warning message is caused by nonexecution of the configuration script. The script contains the license settings when the Microsoft Defender for Endpoint on macOS package is installed and deployed.

+#### If Microsoft Defender for Endpoint on macOS is not up to date

+For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, you need to [update](mac-updates.md) the agent.

+#### If Microsoft Defender for Endpoint on macOS has been offboarded

+When the offboarding script is executed on the macOS, it saves a file in `/Library/Application Support/Microsoft/Defender/` and it's named `com.microsoft.wdav.atp.offboarding.plist`.

+If the file exists, it will prevent the macOS from being onboarded again. Delete the **com.microsoft.wdav.atp.offboarding.plist** running the onboarding script again.

+#### If a license is not assigned to a user

+1. In the Microsoft Defender portal (security.microsoft.com), select **Settings**, and then select **Endpoints**.

+ :::image type="content" source="media/endpoints-option-on-settings-screen.png" alt-text="Screenshot of the Settings screen on which the Endpoints option is listed." lightbox="media/endpoints-option-on-settings-screen.png":::

+2. Select **Licenses**.

+ :::image type="content" source="images/selecting-licenses-option-from-endpoints-screen.png" alt-text="Screenshot of the Endpoints page from which the Licenses options can be selected." lightbox="images/selecting-licenses-option-from-endpoints-screen.png":::

+3. Select **View and purchase licenses in the Microsoft 365 admin center**. The following screen in the Microsoft 365 admin center portal appears:

+ :::image type="content" source="images/m365-admin-center-purchase-assign-licenses.png" alt-text="Screenshot of the Microsoft 365 admin center portal page from which licenses can be purchased and assigned." lightbox="images/m365-admin-center-purchase-assign-licenses.png":::

+4. Check the checkbox of the license you want to purchase from Microsoft, and select it. The screen displaying detail of the chosen license appears:

+ :::image type="content" source="images/resultant-screen-of-selecting-preferred-license.png" alt-text="Screenshot of the product page from which you can select the option of assigning the purchased license.":::

+5. Select the **Assign licenses** link.

+ :::image type="content" source="media/assign-licenses-link.png" alt-text="Screenshot of the product page from which you can select the Assign licenses link.":::

+ The following screen appears:

+ :::image type="content" source="images/screen-containing-option-to-assign-licenses.png" alt-text="Screenshot of the page containing the + Assign licenses option." lightbox="images/screen-containing-option-to-assign-licenses.png":::

+6. Select **+ Assign licenses**.

+7. Enter the name or email address of the person to whom you want to assign this license. The following screen appears, displaying the details of the chosen license assignee and a list of options.

+ :::image type="content" source="media/assignee-details-and-options.png" alt-text="Screenshot of the page displaying the assignee's details and a list of options.":::

+8. Check the checkboxes for **Microsoft 365 Advanced Auditing**, **Microsoft Defender XDR**, and **Microsoft Defender for Endpoint**. Then select **Save**.

+In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.

+### Mar-2024 (Build: 101.24012.0010 | Release version: 20.124012.10.0)

+| Build: | **101.24012.0010** |

+|--|--|

+| Release version: | **20.124012.10.0** |

+| Engine version: | **1.1.24020.3** |

+| Signature version: | **1.405.788.0** |

+##### What's new

+- Bug and performance fixes

+description: This article describes how to report and troubleshoot Microsoft Defender for Endpoint attack surface reduction rules

+ Title: Troubleshoot Microsoft Defender Antivirus settings

+description: Find out where settings for Microsoft Defender Antivirus are coming from.

+ms.localizationpriority: medium

+search.appverid: MET150

+f1.keywords: NOCSH

+audience: ITPro

+# Troubleshoot Microsoft Defender Antivirus settings

+**Applies to:**

+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)

+- [Microsoft Defender for Endpoint Plan 1 and 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+- Microsoft Defender Antivirus

+Microsoft Defender Antivirus provides numerous ways to manage the product, which provides small and medium-sized businesses and enterprise organizations with flexibility by working with the management tools that they already have.

+- Microsoft Defender for Endpoint security settings management

+- Microsoft Intune (MDM)

+- Microsoft Configuration Manager with Tenant Attach

+- Microsoft Configuration Manager co-management

+- Microsoft Configuration Manager (standalone)

+- Group Policy (GPO)

+- PowerShell

+- Windows Management Instrumentation (WMI)

+- Registry

+> [!TIP]

+> For best results, use one method of managing Microsoft Defender Antivirus.

+## Troubleshooting Microsoft Defender Antivirus settings

+Suppose that migrating from a non-Microsoft antivirus product, and when you try enabling Microsoft Defender Antivirus, it won't start. Most likely, you're experiencing a policy conflict. You can narrow down the issue by checking this registry key: `DisableAntispyware` (dword) 1 (hex) is set.

+To remove policy conflicts, here's our current, recommended process:

+1. Understand the order of precedence.

+2. Determine where Microsoft Defender Antivirus settings are configured.

+3. Identify policies and settings.

+4. Work with your security team to remove or revise conflicting policies.

+## Step 1: Understand the order of precedence

+When policies and settings are configured in multiple tools, in general, here's the order of precedence:

+1. Group Policy (GPO)

+2. Microsoft Configuration Manager co-management

+3. Microsoft Configuration Manager (standalone)

+4. Microsoft Intune (MDM)

+5. Microsoft Configuration Manager with Tenant Attach

+6. PowerShell ([Set-MpPreference](/powershell/module/defender/set-mppreference)), [MpCmdRun.exe](command-line-arguments-microsoft-defender-antivirus.md), or [Windows Management Instrumentation](use-wmi-microsoft-defender-antivirus.md) (WMI).

+> [!WARNING]

+> [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) is a Policy CSP setting that does not apply for all settings, such as [attack surface reduction rules](attack-surface-reduction-rules-reference.md) (ASR rules) in Windows 10.

+ 

+## Step 2: Determine where Microsoft Defender Antivirus settings are configured

+Find out whether Microsoft Defender Antivirus settings are coming through a policy, MDM, or a local setting. The following table describes policies, settings, and relevant tools.

+|Policy or setting| Registry location | Tools|

+| -- | -- | -- |

+|Policy| `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`|- Microsoft Configuration Manager co-management<br/>- Microsoft Configuration Manager<br/>- GPO|

+|MDM|`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager` |- Microsoft Intune (MDM)<br/>- Microsoft Configuration Manager with Tenant Attach|

+|Local setting|`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender`|- MpCmdRun.exe<br/>- PowerShell (Set-MpPreference)<br/>- Windows Management Instrumentation (WMI)|

+## Step 3: Identify policies or settings

+The following table describes how to identify policies and settings.

+|Method used | What to check |

+| -- | -- |

+|Policy| - If you're using GPO: Select **Start**, open Command Prompt as an administrator, and then run the command `GpResult.exe /h C:\temp\GpResult_output.html`. <br/>- If you're using Microsoft Configuration Manager co-management or Microsoft Configuration Manager (standalone), go to `C:\Windows\CCM\Logs`.|

+|MDM | If you're using Intune, on your device, select Start, open Command Prompt as an administrator, and then run the command `mdmdiagnosticstool.exe -zip "c:\temp\MDMDiagReport.zip"`. For more details, see [Collect MDM logs - Windows Client Management](/windows/client-management/mdm-collect-logs). |

+|Local setting | Determine whether the policy or setting was deployed during the imaging (sysprep), via PowerShell (for example, Set-MpPreference), Windows Management Instrumentation (WMI), or through a direct modification to the registry.|

+## Step 4: Remove or revise conflicting policies

+Once you have identified the conflicting policy, work with your security administrators to change device targeting so that devices receive the correct Microsoft Defender Antivirus settings.

+A clickable identity link is available in these views that will take you to the **User** page where more details about the user are shown. For example, you can see the details of user accounts identified in the alerts of an incident in the Microsoft Defender portal at **Incidents & alerts** \> ***incident*** \> **Assets** > **Users**.

+- [Incidents and alerts](#incidents-and-alerts) tab

+## Incidents and alerts

+You can see all active incidents and alerts involving the user from the last 180 days in this tab. Information like alert severity and the time the alert was generated is available in this tab. Select the alert row to view more details about the alert.

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>

+Organizations gain access to robust visualizations of metrics and trends, integration with other Microsoft products, score comparison with similar organizations, and much more. The score can also reflect when non-Microsoft solutions addressed recommended actions.

+- Addressing the recommended action with a non-Microsoft application or software, or an alternate mitigation

+For example, a recommended action states you get 10 points by protecting all your users with multi-factor authentication. You only have 50 of 100 total users protected, so you'd get a partial score of five points (50 protected / 100 total * 10 max pts = 5 pts).

+- GitHub

+With [Microsoft Defender XDR Unified role-based access control(RBAC)](manage-rbac.md), you can create custom roles with specific permissions for Secure Score. This allows you to control which users have access to Secure Score data, the products for which they'll see Secure Score data (for example, Microsoft Defender for Endpoint) and their permission level to the data.

+Microsoft Entra global roles (for example, Global Administrator) can still be used to access Secure Score. Users who have the supported Microsoft Entra global roles, but aren't assigned to a custom role in Microsoft Defender XDR Unified RBAC, will continue to have access to view (and manage where permitted) Secure Score data as outlined:

+ Title: Devices in multitenant management

+description: Learn about multitenant device view in multitenant management of the Microsoft Defender XDR.

+# Devices

+The **Devices** page in multitenant management enables you to quickly manage tenants and devices.

+The Tenants page in multitenant management lists each tenant you have access to. Each tenant page includes details such as the number of devices and device types, the number of high value and high exposure devices, and the number of devices available to onboard:

+ :::image type="content" source="../../media/multi-tenant/devices/devices-tenant-view.png" alt-text="Screenshot of the Microsoft Defender XDR tenants list in the Devices page" lightbox="../../media/multi-tenant/devices/devices-tenant-view.png":::

+## Device inventory

+The Device inventory page lists all the devices in each tenant that you have access to. The page is like the [Defender for Endpoint device inventory](../defender-endpoint/machines-view-overview.md) with the addition of the **Tenant name** column. Moreover, the device inventory page doesn't have the network, IOT, and uncategorized devices tabs.

+You can navigate to the device inventory page by selecting **Assets > Devices** in Microsoft Defender XDR's navigation menu.

+ :::image type="content" source="../../media/multi-tenant/devices/devices-device-inventory.png" alt-text="Screenshot of the Microsoft Defender XDR Devices page for multitenant management" lightbox="../../media/multi-tenant/devices/devices-device-inventory.png":::

+The total number of devices, critical assets, high risk devices, and internet-facing devices for all tenants are shown at the top of the page.

+You can search a specific device with the search function. You can sort and filter the device list according to the following fields to customize your view:

+- Tenant name

+- Risk level

+- Criticality level

+- Mitigation status

+- Cloud platforms

+- Operating system (OS) platforms

+- Windows OS version

+- Sensor health state

+- Antivirus status

+- Tags

+- First seen

+- Internet facing

+- Group

+- Exclusion state

+- Managed by

+To manage a device, select a specific device from the list. Device management tasks like managing tags, device exclusion, and reporting inaccuracy becomes available at the top of the device list.

+ :::image type="content" source="../../media/multi-tenant/devices/devices-choose-device.png" alt-text="Screenshot of choosing a device from the device inventory list" lightbox="../../media/multi-tenant/devices/devices-choose-device.png":::

+Selecting a device by clicking on the device name opens the device page in a new tab. You can further apply other actions on the device in the new tab.

+On the **Anti-malware** page, select the anti-malware policy by using either of the following methods:

+- Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** dropdown list that appears:

+ - **Enable selected policies**.

+ - **Disable selected policies**.

+ - **Delete selected policies**.

+ :::image type="content" source="../../media/anti-malware-policies-main-page.png" alt-text="The Anti-malware page with a policy selected and the More actions control expanded." lightbox="../../media/anti-malware-policies-main-page.png":::

+- Select the policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens:

+ - Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)

+ - :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** or :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** (custom policies only)

+ - :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** or :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** (custom policies only)

+ - :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)

+ :::image type="content" source="../../media/anti-malware-policies-details-flyout.png" alt-text="The details flyout of a custom anti-malware policy." lightbox="../../media/anti-malware-policies-details-flyout.png":::

+You need to be a member of the Global Administrator role in [Microsoft Entra ID](/entra/identity/role-based-access-control/manage-roles-portal) or the Organization Management role group in [Exchange Online](/exchange/permissions-exo/permissions-exo), because the script connects to every mailbox in the organization to read rules and forms.

+**[Threat trackers](threat-trackers.md)** are [saved queries from Threat Explorer](threat-explorer-real-time-detections-about.md#saved-queries-in-threat-explorer) that you run manually or that can be configured to periodically run automatically. The **Trending campaigns** tab automatically highlights new email threats that were recently received by your organization.

+|Global Administrator in Microsoft Entra|[Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference#global-administrator)|

+|Security Administrator in Microsoft Entra|[Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference#security-administrator)

+|Security Administrator in Email & collaboration role groups|[Email & collaboration permissions in Microsoft Defender for Office 365](scc-permissions.md#role-groups-in-microsoft-defender-for-office-365-and-microsoft-purview)|

+- [Threat trackers in Microsoft Defender for Office 365 Plan 2](threat-trackers.md)

+|**Show first contact safety tip** (_EnableFirstContactSafetyTips_)|Not selected (`$false`)|Selected (`$true`)|Selected (`$true`)|For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).|

+ As previously described, this setting is turned on by default for new tenants, and existing tenants need to enable it. Typically, you leave it turned on if message reporting is also turned on in Teams admin center. [Learn more about reported message destinations](submissions-report-messages-files-to-microsoft.md#report-suspicious-email-messages-to-microsoft).

+ > The default settings on the **User reported settings** page include **Send reported messages to** \> **Microsoft and my reporting mailbox** with a blank value for the reporting mailbox. In PowerShell, there's no report submission rule. This default configuration means the reporting mailbox is the global admin's Exchange Online mailbox. The global admin isn't _shown_ as the reporting mailbox in the output of the **Get-ReportSubmissionPolicy** and **Get-ReportSubmissionRule** cmdlets or on the **User reported settings** page until _after_ the first user in the organization reports a message from Outlook. [Learn more about reported message destinations](submissions-report-messages-files-to-microsoft.md#report-suspicious-email-messages-to-microsoft).

+- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:

+|Delivery action|Select one or more values: <ul><li>**Blocked**: Email messages that were quarantined, that failed delivery, or were dropped.</li><li>**Delivered**: Email delivered to the user's Inbox or other folder where the user can access the message.</li><li>**Delivered to junk**: Email delivered to the user's Junk Email folder or Deleted Items folder where the user can access the message.</li><li>**Replaced**: Message attachments that were replaced by [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li></ul>|

+|Primary override source|Messages can have multiple allow or block overrides as identified in **Override source**. The override that ultimately allowed or blocked the message is identified in **Primary override source**. <br/> Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel** (ZAP)</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|

+ <! The target URL is constructed such that it should open a new submission with the details filled out. But it takes me to the Email tab on the main Submissions page.>

+|Delivery action|Select one or more values: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**: Message attachments that were replaced by [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li></ul>|Γ£ö|Γ£ö|

+|Primary override source|Messages can have multiple allow or block overrides as identified in **Override source**. The override that ultimately allowed or blocked the message is identified in **Primary override source**. <br/> Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel** (ZAP)</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|Γ£ö|Γ£ö|

+|Delivery action|Select one or more values: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**: Message attachments that were replaced by [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li></ul>|Γ£ö|Γ£ö|

+|Primary override source|Messages can have multiple allow or block overrides as identified in **Override source**. The override that ultimately allowed or blocked the message is identified in **Primary override source**. <br/> Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel** (ZAP)</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|Γ£ö|Γ£ö|

+> In Threat Explorer, each pivot in **URL clicks** view has a :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all clicks** action that opens the [URL clicks view in Threat Explorer](#url-clicks-view-in-threat-explorer) in a new tab. This action isn't available in Real-time detections, because the **URL clicks** view isn't available in Real-time detections.

+Select an entry by selecting the check box next to the first column in the row, and then select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all clicks** to open Threat Explorer in a new tab in **URL clicks** view.

+> **Save query** is part of [Threat trackers](threat-trackers.md) and isn't available in Real-time detections. Saved queries and Threat trackers are available only in Defender for Office 365 Plan 2.

+Most views in Threat Explorer allow you to save filters (queries) for later use. Saved queries are available on the **Threat tracker** page in the Defender portal at <https://security.microsoft.com/threattrackerv2>. For more information about Threat trackers, see [Threat trackers in Microsoft Defender for Office 365 Plan 2](threat-trackers.md).

+ - **Track query** not selected: The query is available for you to run manually in Threat Explorer. The query is saved on the **Saved queries** tab on the **Threat tracker** page with the **Tracked query** property value **No**.

+ - **Track query** selected: The query periodically runs in the background. The query is available on the **Saved queries** tab on the **Threat tracker** page with the **Tracked query** property value **Yes**. The periodic results of the query are shown on the **Tracked queries** tab on the **Threat tracker** page.

+When you open the query by selecting **Explore** from the **Threat tracker** page, :::image type="icon" source="../../media/m365-cc-sc-save-icon.png" border="false"::: **Save query as** and :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Saved query settings** are now available in **Save query** on the **Explorer** page:

+ Title: Threat trackers in Microsoft Defender for Office 365 Plan 2

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>

+# Threat trackers in Microsoft Defender for Office 365 Plan 2

+Microsoft 365 organizations that have [Microsoft Defender for Office 365 Plan 2](mdo-security-comparison.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet) included in their subscription or purchased as an add-on have _Threat trackers_. Threat trackers are queries that you create and save in [Threat Explorer (also known as Explorer)](threat-explorer-real-time-detections-about.md). You use these queries to automatically or manually discover cybersecurity threats in your organization.

+For information about creating and saving queries in Threat Explorer, see [Saved queries in Threat Explorer](threat-explorer-real-time-detections-about.md#saved-queries-in-threat-explorer).

+## Permissions and licensing for Threat trackers

+To use Threat trackers, you need to be assigned permissions. You have the following options:

+- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md):

+ - _Create, save, and modify Threat Explorer queries_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Read-only access to Threat Explorer queries on the Threat tracker page_: Membership in the **Security Reader** or **Global Reader** role groups.

+- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:

+ - _Create, save, and modify Threat Explorer queries_: Membership in the **Global Administrator** or **Security Administrator** roles.

+ - _Read-only access to Threat Explorer queries on the Threat tracker page_: Membership in the **Security Reader** or **Global Reader** roles.

+To remediate messages in Threat Explorer, you need additional permissions. For more information, see [Permissions and licensing for Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#permissions-and-licensing-for-threat-explorer-and-real-time-detections).

+To use Threat Explorer or Threat trackers, you need to be assigned a license for Defender for Office 365 (included in your subscription or an add-on license).

+Threat Explorer and Threat trackers contain data for users with Defender for Office 365 licenses assigned to them.

+## Threat trackers

+The **Threat tracker** page is available in the Microsoft Defender portal at <https://security.microsoft.com> at **Email & collaboration** \> **Threat tracker**. Or, to go directly to the **Threat tracker** page, use <https://security.microsoft.com/threattrackerv2>.

+The **Threat tracker** page contains three tabs:

+- **Saved queries**: Contains all queries that you saved in Threat Explorer.

+- **Tracked queries**: Contains the results of queries that you saved in Threat Explorer where you selected **Track query**. The query automatically runs periodically, and the results are shown on this tab.

+- **Trending campaigns**: We populate the information on this tab to highlight new threats received in your organization.

+These tabs are described in the following subsections.

+### Saved queries tab

+The **Save queries** tab on the **Threat tracker** page at <https://security.microsoft.com/threattrackerv2> contains all of your saved queries from Threat Explorer. You can use these queries without having to re-create the search filters.

+The following information is shown on the **Save queries** tab. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.

+- **Date created**

+- **Name**

+- **Type**

+- **Author**

+- **Last executed**

+- **Tracked query**: This value is controlled by whether you selected **Track this query** when you created the query in Threat Explorer:

+ - **No**: You need to run the query manually.

+ - **Yes**: The query automatically runs periodically. The query and the results are also available on the **Tracked queries** page.

+- **Actions**: Select **Explore** to open and run the query in Threat Explorer, or to update or save a modified or unmodified copy of the query in Threat Explorer.

+If you select a query, the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** and :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** actions that appear.

+If you select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**, you can update the date and **Track query** settings of the existing query in the details flyout that opens.

+### Tracked queries

+The **Tracked queries** tab on the **Threat tracker** page at <https://security.microsoft.com/threattrackerv2> contains the results of queries that you created in Threat Explorer where you selected **Track this query**. Tracked queries run automatically, giving you up-to-date information without having to remember to run the queries.

+The following information is shown on the **Tracked queries** tab. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.

+- **Date created**

+- **Name**

+- **Today's message count**

+- **Prior day message count**

+- **Trend: today vs. prior week**

+- **Actions**: Select **Explore** to open and run the query in Threat Explorer.

+If you select a query, the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action appears. If you select this action, you can update the date and **Track query** settings of the existing query in the details flyout that opens.

+### Trending campaigns tab

+The **Trending campaigns** tab on the **Threat tracker** page at <https://security.microsoft.com/threattrackerv2> automatically highlights new email threats that were recently received by your organization.

+The following information is shown on the **Trending campaigns** tab. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.

+- **Malware family**

+- **Prior day message count**

+- **Trend: today vs. prior week**

+- **Targeting: your company vs. global**

+- **Actions**: Select **Explore** to open and run the query in Threat Explorer.

+The following permissions are required in [Microsoft Entra ID](/entra/identity/role-based-access-control/manage-roles-portal) to set up an evaluation or trial of Defender for Microsoft 365:

+- Create and use separate accounts that are assigned [Microsoft 365 administrator roles](/entra/identity/role-based-access-control/manage-roles-portal) *only for administration*. Admins should have their own user account for regular non-administrative use and only use an administrative account when necessary to complete a task associated with their role or job function.

+Before you can enable SharePoint eSignature, an admin must [set up SharePoint eSignature](esignature-setup.md) in the Microsoft 365 admin center. SharePoint eSignature enables binding agreements between parties by allowing guests access to SharePoint to electronically sign documents. Certain external sharing must be enabled at a tenant or site level to allow this access - see Admin section for more details. Consider whether this meets your compliance and security requirements when enabling eSignature.

+When requesting eSignatures, you must be signed in to SharePoint Online by using your work email address.

+> [Create a signature request](esignature-send-requests.md)

+ If you will be requesting signatures from external recipients, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration#enabling-the-integration) and [guest sharing](/microsoft-365/solutions/collaborate-in-site). External recipients are people outside your organization and would be onboarded as guests into your tenant. Microsoft Entra B2B provides authentication and management of guests.

+External recipients might need to authenticate before they're able to access a document for signing. The type of authentication required by the external recipients depends on the configuration for guest users at the SharePoint level or at the tenant level. Additionally, if the external user belongs to an organization with a Microsoft 365 tenant, it's possible for their organization's setup to affect their authentication experience when attempting to sign the document. For more information, see [Collaboration with guests in a site](/microsoft-365/solutions/collaborate-in-site).

+To check whether all SharePoint Online external sharing settings, following powershell script can be used:

+`</> Shell

+Connect-SPOService -Url "https://yourtenant.sharepoint.com"

+Get-SPOSite -Limit All | Select-Object Url, SharingCapability`