+<b>In this article</b>:

+- [Configure the "Send email notifications from your domain" setting](#configure-the-send-email-notifications-from-your-domain-setting)

+- [Supported Products](#supported-products)

+- [Excluded Scenarios](#excluded-scenarios)

+> Only domains registered within your tenant can be used and ownership must be verified through the existing add domains process within Microsoft 365. Please follow the steps below and note the DNS records required when configuring a domain for sending email.

+## <a name="configsetting">Configure the "Send email notifications from your domain" setting</a>

+## <a name="supportedproducts">Supported Products</a>

+## <a name="excludedscenarios">Excluded Scenarios</a>

+One Time Passcodes (OTP) generated from sharing within OneDrive and SharePoint Online will continue to use no-reply@notify.microsoft.com. These are secure emails generated by Microsoft and utilize this trusted sender address to ensure delivery of these emails.

+ Title: "Turn the profile video feature on or off for all users in your Microsoft 365 organization"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- scotvorg

+- Adm_O365

+description: "Turn the profile video feature on or off for all users in your Microsoft 365 organization."

+# Turn the profile video feature on or off for all users in your Microsoft 365 organization

+As the Microsoft 365 administrator, you can turn the profile video feature on or off for users in your organization. Profile videos are 30-second videos that appear on profile cards in Microsoft 365 apps such as Outlook.

+## Use the Microsoft 365 Admin Center to turn profile videos on or off

+By default, profile video creation is turned on in Microsoft 365 organizations.

+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.

+2. In the left nav, go to **Settings** -> **Org Settings**.

+3. On the **Services** tab, select **Profile video**.

+4. Select or deselect the **Allow your organization to use profile video**.

+ :::image type="content" source="../../media/profile-video.png" alt-text="Screenshot: Profile video":::

+## Use the Microsoft Graph API to turn profile videos on or off

+The requests below are done with the [Microsoft Graph API](/graph/graph-explorer/graph-explorer-overview).

+1. Make a GET request to the following endpoint to get the Organization ID: https://graph.microsoft.com/beta/organization.

+2. Retrieve ΓÇ£idΓÇ¥ field from the response payload. This is your organization ID, referred to as **my-org-id**.

+3. Make a GET request to the following endpoint to get the current state of profile video admin setting: https://graph.microsoft.com/beta/organization/my-org-id/settings/profileVideo The response should look like this:

+```http

+{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#organization('**my-org-id**')/settings/profileVideo/$entity",

+"isEnabledInOrganization": false

+}

+```

+The **isEnabledInOrganization** field will be set to either true or false. True means profile video capabilities are on and false means users can't make profile videos.

+4. Make a PATCH request to the following endpoint to update state of profile video admin setting, https://graph.microsoft.com/beta/organization/my-org-id/settings/profileVideo, with the following request body:

+```http

+{

+"isEnabledInOrganization": true

+}

+```

+In the request body, populate the value for **isEnabledInOrganization** to either true or false, depending on whether youΓÇÖd like to turn profile videos on or off.

+5. Send the request. If it's successful, you should receive a 200 HTTP response code, and the response payload should confirm that your feature has been turned on or off. To validate, you can rerun the steps in the section ΓÇ£Get current state profile video admin toggleΓÇ¥ to get the updated value.

+> [!IMPORTANT]

+> It may take up to 12 hours before changes take effect for users.

+## Frequently asked questions

+* **Where are profile videos stored?**

+ Profile videos are stored in a userΓÇÖs OneDrive for Business, in the **Apps\Microsoft People Cards Service\Live Persona Card** folder.

+* **Can users control who can see their profile video?**

+ Yes, users can view and change who can view their profile video by following these steps. Open their OneDrive for Business in a web browser and navigate to the following folder: **Apps\Microsoft People Cards Service\Live Persona Card**. Select the **...** button in **Profile Video.webm**ΓÇ¥ to open the overflow menu and select **Manage Access**. Add and remove users and groups that they would like to share this video with.

+* **Can I turn off profile videos for individual users?**

+ No, you can't turn off profile videos for individual users at this time.

+* **Can I turn off profile videos based on location?**

+ No, you can't turn off profile videos based on location at this time.

+* **Does disabling profile videos also result in the deletion of the profile video file in OneDrive for Business?**

+ No, turning off profile videos won't delete a user's profile video file.

+* **Who can view profile videos?**

+ Profile videos are available to everyone at your work or school. Profile videos aren't viewable by people outside of your organization.

+* **Can deleted profile videos be recovered?**

+ No, if a user deletes their profile video it can't be recovered.

+- Microsoft 365 experiences, such as Play My Emails, will be enabled using Cortana enterprise services and fully comply with those promises. These features are currently available worldwide (standard multi-tenant). For more information on finding the usage location, please visit [View additional property values for accounts](../../enterprise/view-user-accounts-with-microsoft-365-powershell.md#view-additional-property-values-for-accounts).

+- Office 365: A3, A5, E1, E3, E5, F1, F3, G1, G3, and G5

+> [!VIDEO https://www.youtube.com/embed/G2HOsM767Sw]

+ - The sensitive information types you select will apply only to content that's created or modified after these information types are [created or modified](audit-log-activities.md#sensitive-information-types-activities). This restriction applies to all custom sensitive information types and any new built-in information types.

+<br><br>

+The following table lists the native third-party data connectors available in the compliance portal. The table also summarizes the compliance solutions that you can apply after you import and archive third-party data in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-microsoft-purview-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.

+|**Third-party data**|**Litigation hold**|**eDiscovery**|**Retention settings**|**Records management**|**Communication compliance**|**Insider risk management**|

+|:|::|::|:|::|::|::|

+|[Bloomberg Message](archive-bloomberg-message-data.md)|||||||

+|[Epic EHR healthcare](import-epic-data.md)|||||||

+|[Facebook](archive-facebook-data-with-sample-connector.md)|||||||

+|[Generic EHR healthcare](import-healthcare-data.md) |||||||

+|[Human resources (HR)](import-hr-data.md) |||||||

+|[ICE Chat](archive-icechat-data.md)|||||||

+|[Instant Bloomberg](archive-instant-bloomberg-data.md)|||||||

+|[LinkedIn](archive-linkedin-data.md)|||||||

+|[Physical badging](import-physical-badging-data.md) |||||||

+|[Twitter](archive-twitter-data-with-sample-connector.md)|||||||

+The table in this section lists the third-party data connectors available in partnership with Veritas. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive it in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-microsoft-purview-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.

+|**Third-party data**|**Litigation hold**|**eDiscovery**|**Retention settings**|**Records management**|**Communication compliance**|**Insider risk management**|

+|:|::|::|::|::|::|::|

+|[CellTrust](archive-celltrust-data.md)|||||||

+|[Cisco Jabber on MS SQL](archive-ciscojabberonmssql-data.md)|||||||

+|[Cisco Jabber on Oracle](archive-ciscojabberonoracle-data.md)|||||||

+|[Cisco Jabber on PostgreSQL](archive-ciscojabberonpostgresql-data.md)|||||||

+|[EML](archive-eml-data.md)|||||||

+|[FX Connect](archive-fxconnect-data.md)|||||||

+|[Jive](archive-jive-data.md)|||||||

+|[MS SQL Database](archive-mssqldatabaseimporter-data.md)|||||||

+|[Pivot](archive-pivot-data.md)|||||||

+|[Redtail Speak](archive-redtailspeak-data.md)|||||||

+|[Reuters Dealing](archive-reutersdealing-data.md)|||||||

+|[Reuters Eikon](archive-reuterseikon-data.md)|||||||

+|[Reuters FX](archive-reutersfx-data.md)|||||||

+|[RingCentral](archive-ringcentral-data.md)|||||||

+|[Salesforce Chatter](archive-salesforcechatter-data.md)|||||||

+|[ServiceNow](archive-servicenow-data.md)|||||||

+|[Skype for Business](archive-skypeforbusiness-data.md)|||||||

+|[Slack eDiscovery](archive-slack-data.md)|||||||

+|[Symphony](archive-symphony-data.md)|||||||

+|[Text-delimited](archive-text-delimited-data.md)|||||||

+|[Twitter](archive-veritas-twitter-data.md)|||||||

+|[Webex Teams](archive-webexteams-data.md)|||||||

+|[Webpages](archive-webpagecapture-data.md)|||||||

+|[Workplace from Facebook](archive-workplacefromfacebook-data.md)|||||||

+|[XIP](archive-xip-data.md)|||||||

+|[XSLT/XML](archive-xslt-xml-data.md)|||||||

+|[Yieldbroker](archive-yieldbroker-data.md)|||||||

+|[YouTube](archive-youtube-data.md)|||||||

+|[Zoom Meetings](archive-zoommeetings-data.md)|||||||

+The table in this section lists the third-party data connectors available in partnership with TeleMessage. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive it in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-microsoft-purview-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.

+|**Third-party data**|**Litigation hold**|**eDiscovery**|**Retention settings**|**Records management**|**Communication compliance**|**Insider risk management**|

+|:|::|::|::|::|::|::|

+|[Android](archive-android-archiver-data.md)|||||||

+|[AT&T Network](archive-att-network-archiver-data.md)|||||||

+|[Bell Network](archive-bell-network-data.md)|||||||

+|[Enterprise Number](archive-enterprise-number-data.md)|||||||

+|[O2 Network](archive-o2-network-data.md)|||||||

+|[Rogers Network](archive-rogers-network-archiver-data.md)|||||||

+|[Signal](archive-signal-archiver-data.md)|||||||

+|[Telegram](archive-telegram-archiver-data.md)|||||||

+|[TELUS Network](archive-telus-network-data.md)|||||||

+|[Verizon Network](archive-verizon-network-data.md)|||||||

+|[WeChat](archive-wechat-data.md)|||||||

+|[WhatsApp](archive-whatsapp-data.md)|||||||

+The table in this section lists the third-party data connectors available in partnership with 17a-4 LLC. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive it in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-microsoft-purview-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.

+|**Third-party data**|**Litigation hold**|**eDiscovery**|**Retention settings**|**Records management**|**Communication compliance**|**Insider risk management**|

+|:|::|::|::|::|::|::|

+|[BlackBerry](archive-17a-4-blackberry-data.md)|||||||

+|[Bloomberg](archive-17a-4-bloomberg-data.md)|||||||

+|[Cisco Jabber](archive-17a-4-cisco-jabber-data.md)|||||||

+|[Cisco Webex](archive-17a-4-webex-teams-data.md)|||||||

+|[FactSet](archive-17a-4-factset-data.md)|||||||

+|[Fuze](archive-17a-4-fuze-data.md)|||||||

+|[FX Connect](archive-17a-4-fxconnect-data.md)|||||||

+|[ICE Chat](archive-17a-4-ice-im-data.md)|||||||

+|[InvestEdge](archive-17a-4-investedge-data.md)|||||||

+|[LivePerson Conversational Cloud](archive-17a-4-liveperson-data.md)|||||||

+|[Quip](archive-17a-4-quip-data.md)|||||||

+|[Refinitiv Eikon Messenger](archive-17a-4-refinitiv-messenger-data.md)|||||||

+|[ServiceNow](archive-17a-4-servicenow-data.md)|||||||

+[Skype for Business Server](archive-17a-4-skype-for-business-server-data.md)|||||||

+|[Slack](archive-17a-4-slack-data.md)|||||||

+|[SQL](archive-17a-4-sql-database-data.md)|||||||

+|[Symphony](archive-17a-4-symphony-data.md)|||||||

+|[Zoom](archive-17a-4-zoom-data.md)|||||||

+The table in this section lists the third-party data connector available in partnership with CellTrust. The table also summarizes the compliance solutions that you can apply to third-party data after you import and archive it in Microsoft 365. See the [Overview of compliance solutions that support third-party data](#overview-of-microsoft-purview-solutions-that-support-third-party-data) section for a more detailed description of each compliance solution and how it supports third-party data.

+|**Third-party data**|**Litigation hold**|**eDiscovery**|**Retention settings**|**Records management**|**Communication compliance**|**Insider risk management**|

+|:|::|::|::|::|::|::|

+|[CellTrust SL2](archive-data-from-celltrustsl2.md)|||||||

+## Overview of Microsoft Purview solutions that support third-party data

+- **[eDiscovery (Premium)](ediscovery-overview.md).** This powerful tool expands the case functionality of eDiscovery (Standard) by letting you add custodians to a case, placing custodian's data on hold, and then loading a custodian's third-party data into a review for further analysis such as themes and duplicate detection. After you load third-party data into a review set, you can query and filter it to a narrow result set. Both eDiscovery (Standard) and eDiscovery (Premium) let you manage third-party data that may be relevant to your organization's legal or internal investigations.

+You can use [Communication compliance](communication-compliance.md) to examine third-party data to make sure it's compliant with your organization's data standards. You can do this by you detecting, capturing, and taking remediation actions for inappropriate messages in your organization. For example, you can monitor the third-party data that you import for offensive language, sensitive information, and regulatory compliance.

+Values for the *itemclass* property aren't case-sensitive. In general, use the name of the third-party data type (without spaces) followed by a wildcard ( * ) character.

+|:|::|::|::|

+|:|::|::|::|

+|:|::|::|::|

+|:|::|::|::|

+Another option for importing and archiving third-party data is for your organization to work with a Microsoft Partner. If a third-party data type isn't supported by the data connectors available in the compliance portal, you can work with a partner who can provide a custom connector that will be configured to extract items from the third-party data source regularly and then connect to the Microsoft cloud by a third-party API and import those items to Microsoft 365. The partner connector also converts the content of an item from the third-party data source to an email message and then imports it to a mailbox in Microsoft 365.

+> [!TIP]

+> Select one of the links in the **In this article** list on the right side of this page to go to a specific table.

+## Application administration activities

+The following table lists application admin activities that are logged when an admin adds or changes an application that's registered in Azure AD. Any application that relies on Azure AD for authentication must be registered in the directory.

+> [!NOTE]

+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Added delegation entry|Add delegation entry.|An authentication permission was created/granted to an application in Azure AD.|

+|Added service principal|Add service principal.|An application was registered in Azure AD. An application is represented by a service principal in the directory.|

+|Added credentials to a service principal|Add service principal credentials.|Credentials were added to a service principal in Azure AD. A service principle represents an application in the directory.|

+|Removed delegation entry|Remove delegation entry.|An authentication permission was removed from an application in Azure AD.|

+|Removed a service principal from the directory|Remove service principal.|An application was deleted/unregistered from Azure AD. An application is represented by a service principal in the directory.|

+|Removed credentials from a service principal|Remove service principal credentials.|Credentials were removed from a service principal in Azure AD. A service principle represents an application in the directory.|

+|Set delegation entry|Set delegation entry.|An authentication permission was updated for an application in Azure AD.|

+## Azure AD group administration activities

+The following table lists group administration activities that are logged when an admin or a user creates or changes a Microsoft 365 group or when an admin creates a security group by using the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339) or the Azure management portal. For more information about groups in Microsoft 365, see [View, create, and delete Groups in the Microsoft 365 admin center](../admin/create-groups/create-groups.md).

+> [!NOTE]

+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Added group|Add group.|A group was created.|

+|Added member to group|Add member to group.|A member was added to a group.|

+|Deleted group|Delete group.|A group was deleted.|

+|Removed member from group|Remove member from group.|A member was removed from a group.|

+|Updated group|Update group.|A property of a group was changed.|

+## Briefing email activities

+The following table lists the activities in Briefing email that are logged in the Microsoft 365 audit log. For more information about Briefing email, see:

+- [Overview of Briefing email](/Briefing/be-overview)

+- [Configure Briefing email](/Briefing/be-admin)

+|Friendly name|Operation|Description|

+|:-|:--|:--|

+|Updated organization privacy settings|UpdatedOrganizationBriefingSettings|Admin updates the organization privacy settings for Briefing email. |

+|Updated user privacy settings|UpdatedUserBriefingSettings|Admin updates the user privacy settings for Briefing email.

+## Communication compliance activities

+The following table lists communication compliance activities that are logged in the Microsoft 365 audit log. For more information, see [Learn about Microsoft Purview Communication Compliance](communication-compliance.md).

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Policy update|SupervisionPolicyCreated, SupervisionPolicyUpdated, SupervisionPolicyDeleted|A communication compliance administrator has performed a policy update.|

+|Policy match|SupervisionRuleMatch|A user has sent a message that matches a policy's condition.|

+|Tag applied to message(s)|SupervisoryReviewTag|Tags are applied to messages or messages are resolved.|

+## Content explorer activities

+The following table lists the activities in content explorer that are logged in the audit log. Content explorer, which is accessed on the Data classifications tool in the compliance portal. For more information, see [Using data classification content explorer](data-classification-content-explorer.md).

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Accessed item|LabelContentExplorerAccessedItem|An admin (or a user who's a member of the Content Explorer Content Viewer role group) uses content explorer to view an email message or SharePoint/OneDrive document.|

+## Directory administration activities

+The following table lists Azure AD directory and domain-related activities that are logged when an administrator manages their organization in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339) or in the Azure management portal.

+> [!NOTE]

+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Added domain to company|Add domain to company.|Added a domain to your organization.|

+|Added a partner to the directory|Add partner to company.|Added a partner (delegated administrator) to your organization.|

+|Removed domain from company|Remove domain from company.|Removed a domain from your organization.|

+|Removed a partner from the directory|Remove partner from company.|Removed a partner (delegated administrator) from your organization.|

+|Set company information|Set company information.|Updated the company information for your organization. Includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about Microsoft 365 services.|

+|Set domain authentication|Set domain authentication.|Changed the domain authentication setting for your organization.|

+|Updated the federation settings for a domain|Set federation settings on domain.|Changed the federation (external sharing) settings for your organization.|

+|Set password policy|Set password policy.|Changed the length and character constraints for user passwords in your organization.|

+|Turned on Azure AD sync|Set DirSyncEnabled flag.|Set the property that enables a directory for Azure AD Sync.|

+|Updated domain|Update domain.|Updated the settings of a domain in your organization.|

+|Verified domain|Verify domain.|Verified that your organization is the owner of a domain.|

+|Verified email verified domain|Verify email verified domain.|Used email verification to verify that your organization is the owner of a domain.|

+## Disposition review activities

+The following table lists the activities a disposition reviewer took when an item reached the end of its configured retention period. For more information, see [Viewing and disposing of content](disposition.md#viewing-and-disposing-of-content).

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Approved disposal|ApproveDisposal|A disposition reviewer approved the disposition of the item to move it to the next disposition stage. If the item was in the only or final stage of disposition review, the disposition approval marked the item as eligible for permanent deletion.|

+|Extended retention period|ExtendRetention|A disposition reviewer extended the retention period of the item.|

+|Relabeled item|RelabelItem|A disposition reviewer relabeled the retention label.|

+|Added reviewers|AddReviewer|A disposition reviewer added one or more other users to the current disposition review stage.|

+## eDiscovery activities

+Content Search and eDiscovery-related activities that are performed in the security and compliance portal or by running the corresponding PowerShell cmdlets are logged in the audit log. Includes the following activities:

+- Creating and managing eDiscovery cases

+- Creating, starting, and editing Content Searches

+- Performing Content Search actions, such as previewing, exporting, and deleting search results

+- Configuring permissions filtering for Content Search

+- Managing the eDiscovery Administrator role

+For a list and detailed description of the eDiscovery activities that are logged, see [Search for eDiscovery activities in the audit log](ediscovery-search-for-activities-in-the-audit-log.md).

+> [!NOTE]

+> It takes up to 30 minutes for events that result from the activities listed under **eDiscovery activities** and **eDiscovery (Premium) activities** in the **Activities** drop-down list to be displayed in the search results. Conversely, it takes up to 24 hours for the corresponding events from eDiscovery cmdlet activities to appear in the search results.

+## eDiscovery (Premium) activities

+You can also search the audit log for activities in Microsoft Purview eDiscovery (Premium). For a description of these activities, see the "eDiscovery (Premium) activities" section in [Search for eDiscovery activities in the audit log](ediscovery-search-for-activities-in-the-audit-log.md#ediscovery-premium-activities).

+## Encrypted message portal activities

+Access logs are available for encrypted messages through the encrypted message portal that lets your organization determine when messages are read, and forwarded by your external recipients. For more information on enabling and using encrypted message portal activity logs, see [Encrypted message portal activity log](audit-log-encrypted-messages.md).

+Each audit entry for a tracked message will contain the following fields:

+- **MessageID**: Contains the ID of the message being tracked. The key identifier used to follow a message through the system.

+- **Recipient**: List of all recipient email addresses.

+- **Sender**: The originating email address.

+- **AuthenticationMethod**: Describes the authenticating method for accessing the message, for example OTP, Yahoo, Gmail, or Microsoft.

+- **AuthenticationStatus**: Contains a value indicating that the authentication succeeded or failed.

+- **OperationStatus**: Indicates whether the indicated operation succeeded or failed.

+- **AttachmentName**: Name of the attachment.

+- **OperationProperties**: A list of optional properties. For example, the number of OTP passcodes sent, or the email subject.

+## Exchange admin activities

+Exchange administrator audit logging (which is enabled by default in Microsoft 365) logs an event in the audit log when an administrator (or a user who has been assigned administrative permissions) makes a change in your Exchange Online organization. Changes made by using the Exchange admin center or by running a cmdlet in Exchange Online PowerShell are logged in the Exchange admin audit log. Cmdlets that begin with the verbs **Get-**, **Search-**, or **Test-** aren't logged in the audit log. For more detailed information about admin audit logging in Exchange, see [Administrator audit logging](/exchange/administrator-audit-logging-exchange-2013-help).

+> [!IMPORTANT]

+> Some Exchange Online cmdlets that aren't logged in the Exchange admin audit log (or in the audit log). Many of these cmdlets are related to maintaining the Exchange Online service and are run by Microsoft datacenter personnel or service accounts. These cmdlets aren't logged because they would result in a large number of "noisy" auditing events. If there's an Exchange Online cmdlet that isn't being audited, please submit a design change request (DCR) to Microsoft Support.

+Here are some tips for searching for Exchange admin activities when searching the audit log:

+- To return entries from the Exchange admin audit log, you have to select **Show results for all activities** in the **Activities** list. Use the date range boxes and the **Users** list to narrow the search results for cmdlets run by a specific Exchange administrator within a specific date range.

+- To display events from the Exchange admin audit log, select the **Activity** column to sort the cmdlet names in alphabetical order.

+- To get information about what cmdlet was run, which parameters and parameter values were used, and what objects were affected, you can export the search results by selecting the **Download all results** option. For more information, see [Export, configure, and view audit log records](audit-log-export-records.md).

+- You can also use the `Search-UnifiedAuditLog -RecordType ExchangeAdmin` command in Exchange Online PowerShell to return only audit records from the Exchange admin audit log. It may take up to 30 minutes after an Exchange cmdlet is run for the corresponding audit log entry to be returned in the search results. For more information, see [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog). For information about exporting the search results returned by the **Search-UnifiedAuditLog** cmdlet to a CSV file, see the "Tips for exporting and viewing the audit log" section in [Export, configure, and view audit log records](audit-log-export-records.md#tips-for-exporting-and-viewing-the-audit-log).

+- You can also view events in the Exchange admin audit log by using the Exchange admin center or running the **Search-AdminAuditLog** in Exchange Online PowerShell. The audit log is a good way to specifically search for activity performed by Exchange Online administrators. For instructions, see:

+ - [View the administrator audit log](/exchange/security-and-compliance/exchange-auditing-reports/view-administrator-audit-log)

+ - [Search-AdminAuditLog](/powershell/module/exchange/search-adminauditlog)

+ Keep in mind that the same Exchange admin activities are logged in both the Exchange admin audit log and audit log.

+## Exchange mailbox activities

+The following table lists the activities that can be logged by mailbox audit logging. Mailbox activities performed by the mailbox owner, a delegated user, or an administrator are automatically logged in the audit log for up to 90 days. It's possible for an admin to turn off mailbox audit logging for all users in your organization. In this case, no mailbox actions for any user are logged. For more information, see [Manage mailbox auditing](audit-mailboxes.md).

+ You can also search for mailbox activities by using the [Search-MailboxAuditLog](/powershell/module/exchange/search-mailboxauditlog) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Accessed mailbox items|MailItemsAccessed|Messages were read or accessed in mailbox. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. Analyzing audit records for this activity is useful when investigating compromised email account. For more information, see the "Audit (Premium) events" section in [Audit (Premium)](audit-premium.md#audit-premium-events). |

+|Added delegate mailbox permissions|Add-MailboxPermission|An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) to another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox. The audit record for this activity is also generated when a system account in the Microsoft 365 service periodically performs maintenance tasks in behalf of your organization. A common task performed by a system account is updating the permissions for system mailboxes. For more information, see [System accounts in Exchange mailbox audit records](#system-accounts-in-exchange-mailbox-audit-records).|

+|Added or removed user with delegate access to calendar folder|UpdateCalendarDelegation|A user was added or removed as a delegate to the calendar of another user's mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.|

+|Added permissions to folder|AddFolderPermissions|A folder permission was added. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.|

+|Copied messages to another folder|Copy|A message was copied to another folder.|

+|Created mailbox item|Create|An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.|

+|Created new inbox rule in Outlook web app|New-InboxRule|A mailbox owner or other user with access to the mailbox created an inbox rule in the Outlook web app.|

+|Deleted messages from Deleted Items folder|SoftDelete|A message was permanently deleted or deleted from the Deleted Items folder. These items are moved to the Recoverable Items folder. Messages are also moved to the Recoverable Items folder when a user selects it and presses **Shift+Delete**.|

+|Labeled message as a record|ApplyRecordLabel|A message was classified as a record. Occurs when a retention label that classifies content as a record is manually or automatically applied to a message.|

+|Moved messages to another folder|Move|A message was moved to another folder.|

+|Moved messages to Deleted Items folder|MoveToDeletedItems|A message was deleted and moved to the Deleted Items folder.|

+|Modified folder permission|UpdateFolderPermissions|A folder permission was changed. Folder permissions control which users in your organization can access mailbox folders and the messages in the folder.|

+|Modified inbox rule from Outlook web app|Set-InboxRule|A mailbox owner or other user with access to the mailbox modified an inbox rule using the Outlook web app.|

+|Purged messages from the mailbox|HardDelete|A message was purged from the Recoverable Items folder (permanently deleted from the mailbox).|

+|Removed delegate mailbox permissions|Remove-MailboxPermission|An administrator removed the FullAccess permission (that was assigned to a delegate) from a person's mailbox. After the FullAccess permission is removed, the delegate can't open the other person's mailbox or access any content in it.|

+|Removed permissions from folder|RemoveFolderPermissions|A folder permission was removed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.|

+|Sent message|Send|A message was sent, replied to or forwarded. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. For more information, see the "Audit (Premium) events" section in [Audit (Premium)](audit-premium.md#audit-premium-events).|

+|Sent message using Send As permissions|SendAs|A message was sent using the SendAs permission. This means that another user sent the message as though it came from the mailbox owner.|

+|Sent message using Send On Behalf permissions|SendOnBehalf|A message was sent using the SendOnBehalf permission. This means that another user sent the message on behalf of the mailbox owner. The message indicates to the recipient whom the message was sent on behalf of and who actually sent the message.|

+|Updated inbox rules from Outlook client|UpdateInboxRules|A mailbox owner or other user with access to the mailbox created, modified, or removed an inbox rule by using the Outlook client.|

+|Updated message|Update|A message or its properties was changed.|

+|User signed in to mailbox|MailboxLogin|The user signed in to their mailbox.|

+|Label message as a record||A user applied a retention label to an email message and that label is configured to mark the item as a record. |

+### System accounts in Exchange mailbox audit records

+In audit records for some mailbox activities (especially **Add-MailboxPermissions**), you may notice the user who performed the activity (and is identified in the User and UserId fields) is NT AUTHORITY\SYSTEM or NT AUTHORITY\SYSTEM(Microsoft.Exchange.Servicehost). This indicates that the "user" who performed the activity was a system account in Exchange service in the Microsoft cloud. This system account often performs scheduled maintenance tasks on behalf of your organization. For example, a common audited activity performed by the NT AUTHORITY\SYSTEM(Microsoft.Exchange.ServiceHost) account is to update the permissions on the DiscoverySearchMailbox, which is a system mailbox. The purpose of this update is to verify that the FullAccess permission (which is the default) is assigned to the Discovery Management role group for the DiscoverySearchMailbox. Ensures that eDiscovery administrators can perform necessary tasks in their organization.

+Another system user account that may be identified in an audit record for **Add-MailboxPermission** is Administrator@apcprd03.prod.outlook.com. This service account is also included in mailbox audit records related to verifying and updating the FullAccess permission is assigned to the Discovery Management role group for the DiscoverySearchMailbox system mailbox. Specifically, audit records that identify the Administrator@apcprd03.prod.outlook.com account are typically triggered when Microsoft support personnel run a role-based access control diagnostic tool on behalf of your organization.

+## Information barriers activities

+The following table lists the activities in information barriers that are logged in the Microsoft 365 audit log. For more information about information barriers, see [Learn about information barriers in Microsoft 365](information-barriers.md).

+|:-|:|:--|

+| Added segments to a site | SegmentsAdded | A SharePoint, global administrator, or site owner added one or more information barriers segments to a site. |

+| Changed segments of a site | SegmentsChanged | A SharePoint or global administrator changed one or more information barriers segments for a site. |

+| Removed segments from a site | SegmentsRemoved | A SharePoint or global administrator removed one or more information barriers segments from a site. |

+## Microsoft Forms activities

+The tables in this section the user and admin activities in Microsoft Forms that are logged in the audit log. Microsoft Forms is a forms/quiz/survey tool used to collect data for analysis. Where noted below in the descriptions, some operations contain additional activity parameters.

+If a Forms activity is performed by a coauthor or an anonymous responder, it will be logged slightly differently. For more information, see the [Forms activities performed by coauthors and anonymous responders](#forms-activities-performed-by-coauthors-and-anonymous-responders) section.

+> [!NOTE]

+> Some Forms audit activities are only available in Audit (Premium). That means users must be assigned the appropriate license before these activities are logged in the audit log. For more information about activities only available in Audit (Premium), see [Audit (Premium) in Microsoft 365](advanced-audit.md#audit-premium-events). For Audit (Premium) licensing requirements, see [Auditing solutions in Microsoft 365](audit-solutions-overview.md#licensing-requirements). <br/><br/>In the following table, Audit (Premium) activities are highlighted with an asterisk (*).

+## Microsoft Power Apps activities

+You can search the audit log for app-related activities in Power Apps. These activities include creating, launching, and publishing an app. Assigning permissions to apps is also audited. For a description of all Power Apps activities, see [Activity logging for Power Apps](/power-platform/admin/logging-powerapps#what-events-are-audited).

+## Microsoft Power Automate activities

+You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog [Power Automate audit events now available in compliance portal](https://flow.microsoft.com/blog/security-and-compliance-center).

+## Microsoft Stream activities

+You can search the audit log for activities in Microsoft Stream. These activities include video activities performed by users, group channel activities, and admin activities such as managing users, managing organization settings, and exporting reports. For a description of these activities, see the "Actions logged in Stream" section in [Audit Logs in Microsoft Stream](/stream/audit-logs#actions-logged-in-stream).

+## Microsoft Teams activities

+You can search the audit log for user and admin activities in Microsoft Teams. Teams is a chat-centered workspace in Microsoft 365. It brings a team's conversations, meetings, files, and notes together into a single place. For descriptions of the Teams activities that are audited, see [Search the audit log for events in Microsoft Teams](/microsoftteams/audit-log-events#teams-activities).

+## Microsoft Teams Healthcare activities

+If your organization is using the [Patients application](/MicrosoftTeams/expand-teams-across-your-org/healthcare/patients-app-overview) in Microsoft Teams, you can search the audit log for activities related to the using the Patients app. If your environment is configured to support Patients app, an additional activity group for these activities is available in the **Activities** picker list.

+

+For a description of the Patients app activities, see [Audit logs for Patients app](/MicrosoftTeams/expand-teams-across-your-org/healthcare/patients-audit).

+## Microsoft Teams Shifts activities

+If your organization is using the Shifts app in Microsoft Teams, you can search the audit log for activities related to the using the Shifts app. If your environment is configured to support Shifts apps, an additional activity group for these activities is available in the **Activities** picker list.

+For a description of Shifts app activities, see [Search the audit log for events in Microsoft Teams](/microsoftteams/audit-log-events#shifts-in-teams-activities).

+## Microsoft Workplace Analytics activities

+Workplace Analytics provides insight into how groups collaborate across your organization. The following table lists activities performed by users that are assigned the Administrator role or the Analyst roles in Workplace Analytics. Users assigned the Analyst role have full access to all service features and use the product to do analysis. Users assigned the Administrator role can configure privacy settings and system defaults, and can prepare, upload, and verify organizational data in Workplace Analytics. For more information, see [Workplace Analytics](/workplace-analytics/index-orig).

+|Accessed OData link|AccessedOdataLink|Analyst accessed the OData link for a query.|

+|Canceled query|CanceledQuery|Analyst canceled a running query.|

+|Created meeting exclusion|MeetingExclusionCreated|Analyst created a meeting exclusion rule.|

+|Deleted result|DeletedResult|Analyst deleted a query result.|

+|Downloaded report|DownloadedReport|Analyst downloaded a query result file.|

+|Executed query|ExecutedQuery|Analyst ran a query.|

+|Updated data access setting|UpdatedDataAccessSetting|Admin updated data access settings.|

+|Updated privacy setting|UpdatedPrivacySetting|Admin updated privacy settings; for example, minimum group size.|

+|Uploaded organization data|UploadedOrgData|Admin uploaded organizational data file.|

+|User logged in^*| UserLoggedIn |A user signed in to their Microsoft 365 user account.|

+|User logged off^*| UserLoggedOff |A user signed out of their Microsoft 365 user account.

+|Viewed Explore|ViewedExplore|Analyst viewed visualizations in one or more Explore page tabs.|

+> [!NOTE]

+> ^*These are Azure Active Directory sign in and sign off activities. These activities are logged even if you don't have Workplace Analytics turned on in your organization. For more information about user sign in activities, see [Sign-in logs in Azure Active Directory](/azure/active-directory/reports-monitoring/concept-sign-ins).

+## MyAnalytics activities

+The following table lists the activities in MyAnalytics that are logged in the Microsoft 365 audit log. For more information about MyAnalytics, see [MyAnalytics for admins](/workplace-analytics/myanalytics/overview/mya-for-admins).

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Updated organization MyAnalytics settings|UpdatedOrganizationMyAnalyticsSettings|Admin updates organization-level settings for MyAnalytics. |

+|Updated user MyAnalytics settings|UpdatedUserMyAnalyticsSettings|Admin updates user settings for MyAnalytics.|

+## Power BI activities

+You can search the audit log for activities in Power BI. For information about Power BI activities, see the "Activities audited by Power BI" section in [Using auditing within your organization](/power-bi/service-admin-auditing#activities-audited-by-power-bi).

+Audit logging for Power BI isn't enabled by default. To search for Power BI activities in the audit log, you have to enable auditing in the Power BI admin portal. For instructions, see the "Audit logs" section in [Power BI admin portal](/power-bi/service-admin-portal#audit-logs).

+## Quarantine activities

+The following table lists the quarantine activities that you can search for in the audit log. For more information about quarantine, see [Quarantine email messages](../security/office-365-security/quarantine-about.md).

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Deleted quarantine message|QuarantineDelete|An Admin or user deleted an email message that was deemed to be harmful.|

+|Exported quarantine message|QuarantineExport|An Admin or user exported an email message that was deemed to be harmful.|

+|Previewed quarantine message|QuarantinePreview|An Admin or user previewed an email message that was deemed to be harmful.|

+|Released quarantine message|QuarantineRelease|An Admin or user released an email message from quarantine that was deemed to be harmful.|

+|Viewed quarantine message's header|QuarantineViewHeader|An Admin or user viewed the header an email message that was deemed to be harmful.|

+|Release request quarantine message|QuarantineReleaseRequest|A user requested the release of an email message that was deemed to be harmful.|

+## Report activities

+The following table lists the activities for usage reports that are logged in the Microsoft 365 audit log.

+|**Friendly name**|**Operation**|**Description**|

+|:--|:--|:--|

+|Updated usage report privacy settings|UpdateUsageReportsPrivacySetting|Admin updated privacy settings for usage reports. |

+## Role administration activities

+The following table lists Azure AD role administration activities that are logged when an admin manages admin roles in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339) or in the Azure management portal.

+> [!NOTE]

+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.

+|:--|:--|:--|

+|Add member to Role|Add member to role.|Added a user to an admin role in Microsoft 365.|

+|Removed a user from a directory role|Remove member from role.|Removed a user to from an admin role in Microsoft 365.|

+|Set company contact information|Set company contact information.|Updated the company-level contact preferences for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services.|

+## Sensitive information types activities

+The following table describes the audit events for activities involving creation and updating of [sensitive information types](/microsoft-365/compliance/create-a-custom-sensitive-information-type).

+|Created new sensitive information type| CreateRulePackage / EditRulePackage* | A new sensitive information type was [created](/microsoft-365/compliance/create-a-custom-sensitive-information-type). This includes SIT created by copying an [out of the box SIT](/microsoft-365/compliance/create-a-custom-sensitive-information-type). </br><p>**Note**: This activity will surface under the audit activities ΓÇ£Created rule packageΓÇ¥ or ΓÇ£Edited rule package.ΓÇ¥ </p>|

+|Edited a sensitive information type|EditRulePackage| An existing sensitive information type was edited. This can include operations like adding/removing a pattern and editing the regex/keyword associated with the sensitive information type. </br><p>**Note:** This activity will surface under the audit activity "Edited rule package."</p> |

+| Deleted a sensitive information type|EditRulePackage / RemoveRulePackage | An existing sensitive information type was deleted. </br><p>**Note:** This activity will surface under the audit activity ΓÇ£Edited rule packageΓÇ¥ or ΓÇ£Removed rule package.ΓÇ¥</p> |

+## Sensitivity label activities

+The following table lists events that result from using [sensitivity labels](sensitivity-labels.md) with sites and items that are managed by Microsoft Purview. Items include documents, emails, and calendar events. For auto-labeling policies, items also include files and schematized data assets in Microsoft Purview Data Map.

+|:--|:--|:--|

+|Applied sensitivity label to site|SiteSensitivityLabelApplied|A sensitivity label was applied to a SharePoint site or Teams site that isn't group-connected.|

+|Removed sensitivity label from site|SiteSensitivityLabelRemoved|A sensitivity label was removed from a SharePoint site or Teams site that isn't group-connected.|

+|Applied sensitivity label to file|FileSensitivityLabelApplied <br /><br> SensitivityLabelApplied|A sensitivity label was applied to an item by using Microsoft 365 apps, Office on the web, or an auto-labeling policy. <br /><br>The operations for this activity are different depending on how the label was applied:<br /> - Office on the web or an auto-labeling policy (FileSensitivityLabelApplied) <br /> - Microsoft 365 apps (SensitivityLabelApplied)|

+|Changed sensitivity label applied to file|FileSensitivityLabelChanged<br /><br>SensitivityLabelUpdated|A different sensitivity label was applied to an item. <br /><br>The operations for this activity are different depending on how the label was changed:<br /> - Office on the web or an auto-labeling policy (FileSensitivityLabelChanged) <br /> - Microsoft 365 apps (SensitivityLabelUpdated)|

+|Changed sensitivity label on a site|SiteSensitivityLabelChanged|A different sensitivity label was applied to a SharePoint site or Teams site that isn't group-connected.|

+|Removed sensitivity label from file|FileSensitivityLabelRemoved <br /><br> SensitivityLabelRemoved|A sensitivity label was removed from an item by using Microsoft 365 apps, Office on the web, an auto-labeling policy, or the [Unlock-SPOSensitivityLabelEncryptedFile](/powershell/module/sharepoint-online/unlock-sposensitivitylabelencryptedFile) cmdlet. <br /><br>The operations for this activity are different depending on how the label was removed:<br /> - Office on the web or an auto-labeling policy (FileSensitivityLabelRemoved) <br /> - Microsoft 365 apps (SensitivityLabelRemoved)|

+Additional auditing information for sensitivity labels:

+- When you use sensitivity labels for Microsoft 365 Groups, and therefore Teams sites that are group-connected, the labels are audited with group management in Azure Active Directory. For more information, see [Audit logs in Azure Active Directory](/azure/active-directory/reports-monitoring/concept-audit-logs).

+- When you use sensitivity labels for Teams meeting invites, and Teams meeting options and chat, see [Search the audit log for events in Microsoft Teams](/microsoftteams/audit-log-events).

+- When you use sensitivity labels with Power BI, see [Audit schema for sensitivity labels in Power BI](/power-bi/enterprise/service-security-sensitivity-label-audit-schema).

+- When you use sensitivity labels with Microsoft Defender for cloud apps, see [Governing connected apps](/defender-cloud-apps/governance-actions) and the labeling information for file governance actions.

+- When you apply sensitivity labels by using the Azure Information Protection client or scanner, or the Microsoft Purview Information Protection (MIP) SDK, see [Azure Information Protection audit log reference](/azure/information-protection/audit-logs).

+## SharePoint list activities

+The following table describes activities related to when users interact with lists and list items in SharePoint Online. As previously explained, audit records for some SharePoint activities will indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see [The app\@sharepoint user in audit records](#the-appsharepoint-user-in-audit-records).

+|Created list|ListCreated|A user created a SharePoint list.|

+|Created list column|ListColumnCreated|A user created a SharePoint list column. A list column is a column that's attached to one or more SharePoint lists.|

+|Created list content type|ListContentTypeCreated|A user created a list content type. A list content type is a content type that's attached to one or more SharePoint lists.|

+|Created list item|ListItemCreated|A user created an item in an existing SharePoint list.|

+|Created site column|SiteColumnCreated|A user created a SharePoint site column. A site column is a column that isn't attached to a list. A site column is also a metadata structure that can be used by any list in a given web.|

+|Created site content type|Site ContentType Created|A user created a site content type. A site content type is a content type that's attached to the parent site.|

+|Deleted list|ListDeleted|A user deleted a SharePoint list.|

+|Deleted list column|List Column Deleted|A user deleted a SharePoint list column.|

+|Deleted list content type|ListContentTypeDeleted|A user deleted a list content type.|

+|Deleted list item|List Item Deleted|A user deleted a SharePoint list item.|

+|Deleted site column|SiteColumnDeleted|A user deleted a SharePoint site column.|

+|Deleted site content type|SiteContentTypeDeleted|A user deleted a site content type.|

+|Recycled list item|ListItemRecycled|A user moved a SharePoint list item to the Recycle Bin.|

+|Restored list|ListRestored|A user restored a SharePoint list from the Recycle Bin.|

+|Restored list item|ListItemRestored|A user restored a SharePoint list item from the Recycle Bin.|

+|Updated list|ListUpdated|A user updated a SharePoint list by modifying one or more properties.|

+|Updated list column|ListColumnUpdated|A user updated a SharePoint list column by modifying one or more properties.|

+|Updated list content type|ListContentTypeUpdated|A user updated a list content type by modifying one or more properties.|

+|Updated list item|ListItemUpdated|A user updated a SharePoint list item by modifying one or more properties.|

+|Updated site column|SiteColumnUpdated|A user updated a SharePoint site column by modifying one or more properties.|

+|Updated site content type|SiteContentTypeUpdated|A user updated a site content type by modifying one or more properties.|

+## Sharing and access request activities

+The following table describes the user sharing and access request activities in SharePoint Online and OneDrive for Business. For sharing events, the **Detail** column under **Results** identifies the name of the user or group the item was shared with and whether that user or group is a member or guest in your organization. For more information, see [Use sharing auditing in the audit log](audit-log-sharing.md).

+> [!NOTE]

+> Users can be either *members* or *guests* based on the UserType property of the user object. A member is usually an employee, and a guest is usually a collaborator outside of your organization. When a user accepts a sharing invitation (and isn't already part of your organization), a guest account is created for them in your organization's directory. Once the guest user has an account in your directory, resources may be shared directly with them (without requiring an invitation).

+|Added permission level to site collection|PermissionLevelAdded|A permission level was added to a site collection.|

+|Accepted access request|AccessRequestAccepted|An access request to a site, folder, or document was accepted and the requesting user has been granted access.|

+|Accepted sharing invitation|SharingInvitationAccepted|User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.|

+|Blocked sharing invitation|SharingInvitationBlocked|A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user. In this case, the sharing invitation was blocked because: <br/> The target user's domain isn't included in the list of allowed domains. <br/> Or <br/> The target user's domain is included in the list of blocked domains. <br/> For more information about allowing or blocking external sharing based on domains, see [Restricted domains sharing in SharePoint Online and OneDrive for Business](/sharepoint/restricted-domains-sharing).|

+|Created access request|AccessRequestCreated|User requests access to a site, folder, or document they don't have permissions to access.|

+|Created a company shareable link|CompanyLinkCreated|User created a company-wide link to a resource. company-wide links can only be used by members in your organization. They can't be used by guests.|

+|Created an anonymous link|AnonymousLinkCreated|User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated.|

+|Created secure link|SecureLinkCreated|A secure sharing link was created to this item.|

+|Created sharing invitation|SharingInvitationCreated|User shared a resource in SharePoint Online or OneDrive for Business with a user who isn't in your organization's directory.|

+|Deleted secure link|SecureLinkDeleted|A secure sharing link was deleted.|

+|Denied access request|AccessRequestDenied|An access request to a site, folder, or document was denied.|

+|Removed a company shareable link|CompanyLinkRemoved|User removed a company-wide link to a resource. The link can no longer be used to access the resource.|

+|Removed an anonymous link|AnonymousLinkRemoved|User removed an anonymous link to a resource. The link can no longer be used to access the resource.|

+|Shared file, folder, or site|SharingSet|User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the **Detail** column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. <br/><br/> This activity is often accompanied by a second event that describes how the user was granted access to the resource. For example, adding the user to a group that has access to the resource.|

+|Updated access request|AccessRequestUpdated|An access request to an item was updated.|

+|Updated an anonymous link|AnonymousLinkUpdated|User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results.|

+|Updated sharing invitation|SharingInvitationUpdated|An external sharing invitation was updated.|

+|Used an anonymous link|AnonymousLinkUsed|An anonymous user accessed a resource by using an anonymous link. The user's identity might be unknown, but you can get other details such as the user's IP address.|

+|Unshared file, folder, or site|SharingRevoked|User (member or guest) unshared a file, folder, or site that was previously shared with another user.|

+|Used a company shareable link|CompanyLinkUsed|User accessed a resource by using a company-wide link.|

+|Used secure link|SecureLinkUsed|A user used a secure link.|

+|User added to secure link|AddedToSecureLink|A user was added to the list of entities who can use a secure sharing link.|

+|User removed from secure link|RemovedFromSecureLink|A user was removed from the list of entities who can use a secure sharing link.|

+|Withdrew sharing invitation|SharingInvitationRevoked|User withdrew a sharing invitation to a resource.|

+## Site administration activities

+The following table lists events that result from site administration tasks in SharePoint Online. As previously explained, audit records for some SharePoint activities will indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see [The app\@sharepoint user in audit records](#the-appsharepoint-user-in-audit-records).

+|Friendly name|Operation|Description|

+|Added allowed data location|AllowedDataLocationAdded|A SharePoint or global administrator added an allowed data location in a multi-geo environment.|

+|Added exempt user agent|ExemptUserAgentSet|A SharePoint or global administrator added a user agent to the list of exempt user agents in the SharePoint admin center.|

+|Added geo location admin|GeoAdminAdded|A SharePoint or global administrator added a user as a geo admin of a location.|

+|Allowed user to create groups|AllowGroupCreationSet|Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site.|

+|Canceled site geo move|SiteGeoMoveCancelled|A SharePoint or global administrator successfully cancels a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see [Multi-Geo Capabilities in OneDrive and SharePoint Online](../enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md).|

+|Changed a sharing policy|SharingPolicyChanged|A SharePoint or global administrator changed a SharePoint sharing policy by using the Microsoft 365 admin center, SharePoint admin center, or SharePoint Online Management Shell. Any change to the settings in the sharing policy in your organization will be logged. The policy that was changed is identified in the **ModifiedProperties** field in the detailed properties of the event record.|

+|Changed device access policy|DeviceAccessPolicyChanged|A SharePoint or global administrator changed the unmanaged devices policy for your organization. This policy controls access to SharePoint, OneDrive, and Microsoft 365 from devices that aren't joined to your organization. Configuring this policy requires an Enterprise Mobility + Security subscription. For more information, see [Control access from unmanaged devices](/sharepoint/control-access-from-unmanaged-devices).|

+|Changed exempt user agents|CustomizeExemptUsers|A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you've specified as exempt encounters an InfoPath form, the form will be returned as an XML file, instead of an entire web page. This makes indexing InfoPath forms faster.|

+|Changed network access policy|NetworkAccessPolicyChanged|A SharePoint or global administrator changed the location-based access policy (also called a trusted network boundary) in the SharePoint admin center or by using SharePoint Online PowerShell. This type of policy controls who can access SharePoint and OneDrive resources in your organization based on authorized IP address ranges that you specify. For more information, see [Control access to SharePoint Online and OneDrive data based on network location](/sharepoint/control-access-based-on-network-location).|

+|Completed site geo move|SiteGeoMoveCompleted|A site geo move that was scheduled by a global administrator in your organization was successfully completed. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see [Multi-Geo Capabilities in OneDrive and SharePoint Online](../enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md).|

+|Created Sent To connection|SendToConnectionAdded|A SharePoint or global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location.|

+|Created site collection|SiteCollectionCreated|A SharePoint or global administrator creates a site collection in your SharePoint Online organization or a user provisions their OneDrive for Business site.|

+|Deleted orphaned hub site|HubSiteOrphanHubDeleted|A SharePoint or global administrator deleted an orphan hub site, which is a hub site that doesn't have any sites associated with it. An orphaned hub is likely caused by the deletion of the original hub site.|

+|Deleted Sent To connection|SendToConnectionRemoved|A SharePoint or global administrator deletes a Send To connection on the Records management page in the SharePoint admin center.|

+|Deleted site|SiteDeleted|Site administrator deletes a site.|

+|Enabled document preview|PreviewModeEnabledSet|Site administrator enables document preview for a site.|

+|Enabled legacy workflow|LegacyWorkflowEnabledSet|Site administrator or owner adds the SharePoint 2013 Workflow Task content type to the site. Global administrators can also enable work flows for the entire organization in the SharePoint admin center.|

+|Enabled Office on Demand|OfficeOnDemandSet|Site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint admin center and requires a Microsoft 365 subscription that includes full, installed Office applications.|

+|Enabled result source for People Searches|PeopleResultsScopeSet|Site administrator creates the result source for People Searches for a site.|

+|Enabled RSS feeds|NewsFeedEnabledSet|Site administrator or owner enables RSS feeds for a site. Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center.|

+|Joined site to hub site|HubSiteJoined|A site owner associates their site with a hub site.|

+|Modified site collection quota|SiteCollectionQuotaModified|Site administrator modifies the quota for a site collection.|

+|Registered hub site|HubSiteRegistered|A SharePoint or global administrator creates a hub site. The results are that the site is registered to be a hub site.|

+|Removed allowed data location|AllowedDataLocationDeleted|A SharePoint or global administrator removed an allowed data location in a multi-geo environment.|

+|Removed geo location admin|GeoAdminDeleted|A SharePoint or global administrator removed a user as a geo admin of a location.|

+|Renamed site|SiteRenamed|Site administrator or owner renames a site|

+|Scheduled site geo move|SiteGeoMoveScheduled|A SharePoint or global administrator successfully schedules a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see [Multi-Geo Capabilities in OneDrive and SharePoint Online](../enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md).|

+|Set host site|HostSiteSet|A SharePoint or global administrator changes the designated site to host personal or OneDrive for Business sites.|

+|Set storage quota for geo location|GeoQuotaAllocated|A SharePoint or global administrator configured the storage quota for a geo location in a multi-geo environment.|

+|Unjoined site from hub site|HubSiteUnjoined|A site owner disassociates their site from a hub site.|

+|Unregistered hub site|HubSiteUnregistered|A SharePoint or global administrator unregisters a site as a hub site. When a hub site is unregistered, it no longer functions as a hub site.|

+## Site permissions activities

+The following table lists events related to assigning permissions in SharePoint and using groups to give (and revoke) access to sites. As previously explained, audit records for some SharePoint activities will indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see [The app\@sharepoint user in audit records](#the-appsharepoint-user-in-audit-records).

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Added site collection admin|SiteCollectionAdminAdded|Site collection administrator or owner adds a person as a site collection administrator for a site. Site collection administrators have full control permissions for the site collection and all subsites. This activity is also logged when an admin gives themselves access to a user's OneDrive account (by editing the user profile in the SharePoint admin center or by [using the Microsoft 365 admin center](/office365/admin/add-users/get-access-to-and-back-up-a-former-user-s-data)).|

+|Added user or group to SharePoint group|AddedToGroup|User added a member or guest to a SharePoint group. This might have been an intentional action or the result of another activity, such as a sharing event.|

+|Broke permission level inheritance|PermissionLevelsInheritanceBroken|An item was changed so that it no longer inherits permission levels from its parent.|

+|Broke sharing inheritance|SharingInheritanceBroken|An item was changed so that it no longer inherits sharing permissions from its parent.|

+|Created group|GroupAdded|Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file.|

+|Deleted group|GroupRemoved|User deletes a group from a site.|

+|Modified access request setting|WebRequestAccessModified|The access request settings were modified on a site.|

+|Modified 'Members Can Share' setting|WebMembersCanShareModified|The **Members Can Share** setting was modified on a site.|

+|Modified permission level on a site collection|PermissionLevelModified|A permission level was changed on a site collection.|

+|Modified site permissions|SitePermissionsModified|Site administrator or owner (or system account) changes the permission level that is assigned to a group on a site. This activity is also logged if all permissions are removed from a group. <br/><br/> **NOTE**: This operation has been deprecated in SharePoint Online. To find related events, you can search for other permission-related activities such as **Added site collection admin**, **Added user or group to SharePoint group**, **Allowed user to create groups**, **Created group**, and **Deleted group.**|

+|Removed permission level from site collection|PermissionLevelRemoved|A permission level was removed from a site collection.|

+|Removed site collection admin|SiteCollectionAdminRemoved|Site collection administrator or owner removes a person as a site collection administrator for a site. This activity is also logged when an admin removes themselves from the list of site collection administrators for a user's OneDrive account (by editing the user profile in the SharePoint admin center). To return this activity in the audit log search results, you have to search for all activities.|

+|Removed user or group from SharePoint group|RemovedFromGroup|User removed a member or guest from a SharePoint group. This might have been an intentional action or the result of another activity, such as an unsharing event.|

+|Requested site admin permissions|SiteAdminChangeRequest|User requests to be added as a site collection administrator for a site collection. Site collection administrators have full control permissions for the site collection and all subsites.|

+|Restored sharing inheritance|SharingInheritanceReset|A change was made so that an item inherits sharing permissions from its parent.|

+|Updated group|GroupUpdated|Site administrator or owner changes the settings of a group for a site. This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled.|

+## Synchronization activities

+The following table lists file synchronization activities in SharePoint Online and OneDrive for Business.

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Allowed computer to sync files|ManagedSyncClientAllowed|User successfully establishes a sync relationship with a site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the *safe recipients list*) that can access document libraries in your organization. <br/><br/> For more information about this feature, see [Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list](/powershell/module/sharepoint-online/).|

+|Blocked computer from syncing files|UnmanagedSyncClientBlocked|User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the *safe recipients list)* that can access document libraries in your organization. The sync relationship isn't allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. <br/><br/> For information about this feature, see [Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list](/powershell/module/sharepoint-online/).|

+|Downloaded files to computer|FileSyncDownloadedFull|User downloads a file to their computer from a SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).|

+|Downloaded file changes to computer|FileSyncDownloadedPartial|This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).|

+|Uploaded files to document library|FileSyncUploadedFull|User uploads a new file or changes to a file in SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).|

+|Uploaded file changes to document library|FileSyncUploadedPartial|This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).|

+## User administration activities

+The following table lists user administration activities that are logged when an admin adds or changes a user account by using the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339) or the Azure management portal.

+> [!NOTE]

+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.

+|Activity|Operation|Description|

+|:--|:--|:--|

+|Added user|Add user.|A user account was created.|

+|Changed user license|Change user license.|The license assigned to a user what changed. To see what licenses were changes, see the corresponding **Updated user** activity.|

+|Changed user password|Change user password.|A user changes their password. Self-service password reset has to be enabled (for all or selected users) in your organization to allow users to reset their password. You can also track self-service password reset activity in Azure Active Directory. For more information, see [Reporting options for Azure AD password management](/azure/active-directory/authentication/howto-sspr-reporting).

+|Deleted user|Delete user.|A user account was deleted.|

+|Reset user password|Reset user password.|Administrator resets the password for a user.|

+|Set property that forces user to change password|Set force change user password.|Administrator set the property that forces a user to change their password the next time the user signs in to Microsoft 365.|

+|Set license properties|Set license properties.|Administrator modifies the properties of a licensed assigned to a user.|

+|Updated user|Update user.|Administrator changes one or more properties of a user account. For a list of the user properties that can be updated, see the "Update user attributes" section in [Azure Active Directory Audit Report Events](/azure/active-directory/reports-monitoring/concept-audit-logs).|

+## Yammer activities

+The following table lists the user and admin activities in Yammer that are logged in the audit log. To return Yammer-related activities from the audit log, you have to select **Show results for all activities** in the **Activities** list. Use the date range boxes and the **Users** list to narrow the search results.

+> [!NOTE]

+> Some Yammer audit activities are only available in Audit (Premium). That means users must be assigned the appropriate license before these activities are logged in the audit log. For more information about activities only available in Audit (Premium), see [Audit (Premium) in Microsoft 365](audit-premium.md#audit-premium-events). For Audit (Premium) licensing requirements, see [Auditing solutions in Microsoft 365](audit-solutions-overview.md#licensing-requirements). <br/><br/>In the following table, Audit (Premium) activities are highlighted with an asterisk (*).

+|Friendly name|Operation|Description|

+|:--|:--|:--|

+|Changed data retention policy|SoftDeleteSettingsUpdated|Verified admin updates the setting for the network data retention policy to either Hard Delete or Soft Delete. Only verified admins can perform this operation.|

+|Changed network configuration|NetworkConfigurationUpdated|Network or verified admin changes the Yammer network's configuration. This includes setting the interval for exporting data and enabling chat.|

+|Changed network profile settings|ProcessProfileFields|Network or verified admin changes the information that appears on member profiles for network users network.|

+|Changed private content mode|SupervisorAdminToggled|Verified admin turns *Private Content Mode* on or off. This mode lets an admin view the posts in private groups and view private messages between individual users (or groups of users). Only verified admins only can perform this operation.|

+|Changed security configuration|NetworkSecurityConfigurationUpdated|Verified admin updates the Yammer network's security configuration. This includes setting password expiration policies and restrictions on IP addresses. Only verified admins can perform this operation.|

+|Created file|FileCreated|User uploads a file.|

+|Created group|GroupCreation|User creates a group.|

+|Created message^*|MessageCreated|User creates a message.|

+|Deleted group|GroupDeletion|A group is deleted from Yammer.|

+|Deleted message|MessageDeleted|User deletes a message.|

+|Downloaded file|FileDownloaded|User downloads a file.|

+|Exported data|DataExport|Verified admin exports Yammer network data. Only verified admins can perform this operation.|

+|Failed to access community^*|CommunityAccessFailure|User failed to access a community.|

+|Failed to access file^*|FileAccessFailure|User failed to access a file.|

+|Failed to access message^*|MessageAccessFailure|User failed to access a message.|

+|Reacted to message|MarkedMessageChanged|User reacted to a message.|

+|Shared file|FileShared|User shares a file with another user.|

+|Suspended network user|NetworkUserSuspended|Network or verified admin suspends (deactivates) a user from Yammer.|

+|Suspended user|UserSuspension|User account is suspended (deactivated).|

+|Updated file description|FileUpdateDescription|User changes the description of a file.|

+|Updated file name|FileUpdateName|User changes the name of a file.|

+|Updated message^*|MessageUpdated|User updates a message.|

+|Viewed file|FileVisited|User views a file.|

+|Viewed message^*|MessageViewed|User views a message.|

+You can use the Microsoft Purview compliance portal to view a list of the inactive mailboxes in your organization.

+> [!NOTE]

+> The Microsoft Purview compliance portal is limited to displaying up to 5,000 inactive mailboxes. To view more than 5,000 inactive mailboxes, you must use Exchange Online PowerShell as described after the step instructions.

+ Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited | FT DisplayName,PrimarySMTPAddress,WhenSoftDeleted

+Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited | Select Displayname,PrimarySMTPAddress,DistinguishedName,ExchangeGuid,WhenSoftDeleted | Export-Csv InactiveMailboxes.csv -NoTypeInformation

+If you need to disable the PDF support in Office apps for Word, Excel, and PowerPoint, you can do so by using an Office setting under **User Configuration/Administrative Templates/Microsoft Office 2016/Microsoft Save As PDF and Save As XPS add-ins**:

+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: Rolling Out to 2302+<br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: Rolling Out to 2302+<br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

+2. Go to **Settings** > **Endpoints** > **Licenses**. Your usage report opens and displays information about your organizationΓÇÖs Defender for Endpoint licenses.

+|**GroupId**|GUID, a unique ID, represents the group and will be used in the policy.| You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).|

+| **PolicyRule Id** | GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting. | You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).|

+| **Entry Id** | GUID, a unique ID, represents the entry and will be used in the reporting and troubleshooting.| You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).|

+#### Office 365 Threat Intelligence connection

+To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Use Microsoft Defender for Office 365 together with Microsoft Defender for Endpoint](/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde).

+|**Bulk email threshold** <br/><br/> _BulkThreshold_|7|6|5|For details, see [Bulk complaint level (BCL) in EOP](anti-spam-bulk-complaint-level-bcl-about.md).|

+|**Contains specific languages** <br/><br/> _EnableLanguageBlockList_ <br/><br/> _LanguageBlockList_|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.|

+|**From these countries** <br/><br/> _EnableRegionBlockList_ <br/><br/> _RegionBlockList_|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.|

+|**Actions**||||Wherever you select **Quarantine message** as the action for a spam filter verdict, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages and whether they receive notifications for quarantined messages. <br/><br/> The **Select quarantine policy** value is blank when you create a new anti-spam policy in the Defender portal. This blank value means the default quarantine policy for that particular spam filter verdict is used. These default quarantine policies enforce the historical capabilities for the spam filter verdict that quarantined the message as described in the table [here](quarantine-end-user.md). <br/><br/> The default quarantine policies that are used for each impersonation verdict are described in this table. <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with more restrictive or less restrictive capabilities in the default anti-spam policy or in custom anti-spam policies. For more information, see [Quarantine policies](quarantine-policies.md). <br/><br/> The capabilities of the quarantine policy are meaningful only if the action for the spam filter verdict is to quarantine messages.|

+|**Spam** detection action <br/><br/> _SpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||

+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Spam** <br/><br/> _SpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only when the detection action quarantines the message.|

+|**High confidence spam** detection action <br/><br/> _HighConfidenceSpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`||

+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Hight confidence spam** <br/><br/> _HighConfidenceSpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only when the action quarantines the message.|

+|**Phishing** detection action <br/><br/> _PhishSpamAction_|**Move message to Junk Email folder**^\* <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|^\* The default value is **Move message to Junk Email folder** in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is **Quarantine message** in new anti-spam policies that you create in the Microsoft 365 Defender portal.|

+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Phishing** <br/><br/> _PhishQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only when the detection action quarantines the message.|

+|**High confidence phishing** detection action <br/><br/> _HighConfidencePhishAction_|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|Users can't release their own messages that were quarantined as high confidence phishing. At best, admins can configure the quarantine policy so users can request the release of their quarantined high confidence phishing messages.|

+|**Quarantine policy** for **High confidence phishing** <br/><br/> _HighConfidencePhishQuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||

+|**Bulk** detection action <br/><br/> _BulkSpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||

+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Bulk** <br/><br/> _BulkQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only when the detection action quarantines the message.|

+|**Retain spam in quarantine for this many days** <br/><br/> _QuarantineRetentionPeriod_|15 days|30 days|30 days|This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-about.md).|

+|**Enable spam safety tips** <br/><br/> _InlineSafetyTipsEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|Enable zero-hour auto purge (ZAP) for phishing messages <br/><br/> _PhishZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|Enable ZAP for spam messages <br/><br/> _SpamZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|Allowed senders <br/><br/> _AllowedSenders_|None|None|None||

+|Allowed sender domains <br/><br/> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <br/><br/> Use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list-about.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|

+|Blocked senders <br/><br/> _BlockedSenders_|None|None|None||

+|Blocked sender domains <br/><br/> _BlockedSenderDomains_|None|None|None||

+┬╣ As described in [Full access permissions and quarantine notifications](quarantine-policies.md#full-access-permissions-and-quarantine-notifications), your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.

+|**Image links to remote sites** <br/><br/> _IncreaseScoreWithImageLinks_|Off|Off|Off||

+|**Numeric IP address in URL** <br/><br/> _IncreaseScoreWithNumericIps_|Off|Off|Off||

+|**URL redirect to other port** <br/><br/> _IncreaseScoreWithRedirectToOtherPort_|Off|Off|Off||

+|**Links to .biz or .info websites** <br/><br/> _IncreaseScoreWithBizOrInfoUrls_|Off|Off|Off||

+|**Empty messages** <br/><br/> _MarkAsSpamEmptyMessages_|Off|Off|Off||

+|**Embed tags in HTML** <br/><br/> _MarkAsSpamEmbedTagsInHtml_|Off|Off|Off||

+|**JavaScript or VBScript in HTML** <br/><br/> _MarkAsSpamJavaScriptInHtml_|Off|Off|Off||

+|**Form tags in HTML** <br/><br/> _MarkAsSpamFormTagsInHtml_|Off|Off|Off||

+|**Frame or iframe tags in HTML** <br/><br/> _MarkAsSpamFramesInHtml_|Off|Off|Off||

+|**Web bugs in HTML** <br/><br/> _MarkAsSpamWebBugsInHtml_|Off|Off|Off||

+|**Object tags in HTML** <br/><br/> _MarkAsSpamObjectTagsInHtml_|Off|Off|Off||

+|**Sensitive words** <br/><br/> _MarkAsSpamSensitiveWordList_|Off|Off|Off||

+|**SPF record: hard fail** <br/><br/> _MarkAsSpamSpfRecordHardFail_|Off|Off|Off||

+|**Sender ID filtering hard fail** <br/><br/> _MarkAsSpamFromAddressAuthFail_|Off|Off|Off||

+|**Backscatter** <br/><br/> _MarkAsSpamNdrBackscatter_|Off|Off|Off||

+|**Test mode** <br/><br/> _TestModeAction_)|None|None|None|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](anti-spam-policies-asf-settings-about.md#enable-disable-or-test-asf-settings).|

+|**Set an external message limit** <br/><br/> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.|

+|**Set an internal message limit** <br/><br/> _RecipientLimitInternalPerHour_|0|1000|800|The default value 0 means use the service defaults.|

+|**Set a daily message limit** <br/><br/> _RecipientLimitPerDay_|0|1000|800|The default value 0 means use the service defaults.|

+|**Restriction placed on users who reach the message limit** <br/><br/> _ActionWhenThresholdReached_|**Restrict the user from sending mail until the following day** <br/><br/> `BlockUserForToday`|**Restrict the user from sending mail** <br/><br/> `BlockUser`|**Restrict the user from sending mail** <br/><br/> `BlockUser`||

+|**Automatic forwarding rules** <br/><br/> _AutoForwardingMode_|**Automatic - System-controlled** <br/><br/> `Automatic`|**Automatic - System-controlled** <br/><br/> `Automatic`|**Automatic - System-controlled** <br/><br/> `Automatic`|

+|**Send a copy of outbound messages that exceed these limits to these users and groups** <br/><br/> _BccSuspiciousOutboundMail_ <br/><br/> _BccSuspiciousOutboundAdditionalRecipients_|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. <br/><br/> This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.|

+|**Notify these users and groups if a sender is blocked due to sending outbound spam** <br/><br/> _NotifyOutboundSpam_ <br/><br/> _NotifyOutboundSpamRecipients_|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).|

+|**Enable the common attachments filter** <br/><br/> _EnableFileFilter_|Selected <br/><br/> `$true`^\*|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|The common attachment filter identifies messages that contain attachments based on file type, regardless of the attachment content. For the list of file types, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies). <br/><br/> ^\*The common attachments filter is on by default in new anti-malare policies that you create in the Microsoft 365 Defender portal. The common attahcments filter is off by default in the default anti-malware policy and in new policies that you create in PowerShell.|

+|Common attachment filter notifications (**When these file types are found**) <br/><br/> _FileTypeAction_|**Reject the message with a non-delivery report (NDR)** <br/><br/> `Reject`|**Reject the message with a non-delivery report (NDR)** <br/><br/> `Reject`|**Reject the message with a non-delivery report (NDR)** <br/><br/> `Reject`||

+|**Enable zero-hour auto purge for malware** <br/><br/> _ZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Quarantine policy** <br/><br/> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|The **Quarantine policy** value is blank when you create a new anti-malware policy in the Defender portal. This blank value means the default quarantine policy from malware detections is used (AdminOnlyAccessPolicy with no quarantine notifications). This default quarantine policy enforces the historical capabilities for messages that were quarantined as malware as described in the table [here](quarantine-end-user.md). <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with less restrictive capabilities in the default anti-malware policy or in custom anti-malware policies. For more information, see [Quarantine policies](quarantine-policies.md). <br/><br/> Users can't release their own messages that were quarantined as malware. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware messages.|

+|**Notify an admin about undelivered messages from internal senders** <br/><br/> _EnableInternalSenderAdminNotifications_ <br/><br/> _InternalSenderAdminAddress_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting.|

+|**Notify an admin about undelivered messages from external senders** <br/><br/> _EnableExternalSenderAdminNotifications_ <br/><br/> _ExternalSenderAdminAddress_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting.|

+|**Use customized notification text** <br/><br/> _CustomNotifications_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`||

+|**From name** <br/><br/> _CustomFromName_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||

+|**From address** <br/><br/> _CustomFromAddress_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||

+|**Subject** <br/><br/> _CustomInternalSubject_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||

+|**Message** <br/><br/> _CustomInternalBody_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||

+|**Subject** <br/><br/> _CustomExternalSubject_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||

+|**Message** <br/><br/> _CustomExternalBody_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||

+|**Enable spoof intelligence** <br/><br/> _EnableSpoofIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**If message is detected as spoof** <br/><br/> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). <br/><br/> If you select **Quarantine the message** as the action for the spoof verdict, an **Apply quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages and whether they receive notifications for quarantined messages. For more information, see [Quarantine policies](quarantine-policies.md).|

+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Spoof** <br/><br/> _SpoofQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy| <br/><br/> The **Apply quarantine policy** value is blank when you create a new anti-phishing policy in the Defender portal. This blank value means the default quarantine policy for the spoof is used. This default quarantine policy enforces the historical capabilities for messages that were quarantined as spoof as described in the table [here](quarantine-end-user.md). <br/><br/> The capabilities of the quarantine policy are meaningful only if the action for the spoof verdict is to quarantine messages. <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with more restrictive or less restrictive capabilities in the default anti-phishing policy or in custom anti-phishing policies.|

+|**Show first contact safety tip** <br/><br/> _EnableFirstContactSafetyTips_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).|

+|**Show (?) for unauthenticated senders for spoof** <br/><br/> _EnableUnauthenticatedSender_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|

+|**Show "via" tag** <br/><br/> _EnableViaTag_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br/><br/> For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|

+┬╣ As described in [Full access permissions and quarantine notifications](quarantine-policies.md#full-access-permissions-and-quarantine-notifications), your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.

+|**Phishing email threshold** <br/><br/> _PhishThresholdLevel_|**1 - Standard** <br/><br/> `1`|**3 - More aggressive** <br/><br/> `3`|**4 - Most aggressive** <br/><br/> `4`||

+|**Enable users to protect** (impersonated user protection) <br/><br/> _EnableTargetedUserProtection_ <br/><br/> _TargetedUsersToProtect_|Not selected <br/><br/> `$false` <br/><br/> none|Selected <br/><br/> `$true` <br/><br/> \<list of users\>|Selected <br/><br/> `$true` <br/><br/> \<list of users\>|We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|

+|**Include domains I own** <br/><br/> _EnableOrganizationDomainsProtection_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Include custom domains** <br/><br/> _EnableTargetedDomainsProtection_ <br/><br/> _TargetedDomainsToProtect_|Off <br/><br/> `$false` <br/><br/> none|Selected <br/><br/> `$true` <br/><br/> \<list of domains\>|Selected <br/><br/> `$true` <br/><br/> \<list of domains\>|We recommend adding domains (sender domains) that you don't own, but you frequently interact with.|

+|**Add trusted senders and domains** <br/><br/> _ExcludedSenders_ <br/><br/> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|

+|**Enable mailbox intelligence** <br/><br/> _EnableMailboxIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Enable intelligence for impersonation protection** <br/><br/> _EnableMailboxIntelligenceProtection_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|

+|**Actions**||||Wherever you select **Quarantine the message** as the action for an impersonation verdict, an **Apply quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages and whether they receive notifications for quarantined messages. <br/><br/> The **Apply quarantine policy** value is blank when you create a new anti-phishing policy in the Defender portal. This blank value means the default quarantine policy for that particular impersonation verdict is used. These default quarantine policies enforce the historical capabilities for messages that were quarantined as impersonation as described in the table [here](quarantine-end-user.md). <br/><br/> The default quarantine policies that are used for each impersonation verdict are described in this table. <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with more restrictive or less restrictive capabilities in the default anti-phishing policy or in custom anti-phishing policies. For more information, see [Quarantine policies](quarantine-policies.md). <br/><br/> The capabilities of the quarantine policy are meaningful only if the action for the impersonation verdict is to quarantine messages.|

+|**If message is detected as an impersonated user** <br/><br/> _TargetedUserProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Quarantine the message** <br/><br/> `Quarantine`|**Quarantine the message** <br/><br/> `Quarantine`||

+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **user impersonation** <br/><br/> _TargetedUserQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The capabilities of the quarantine policy are meaningful only if the action for the user impersonation verdict is to quarantine messages.|

+|**If message is detected as an impersonated domain** <br/><br/> _TargetedDomainProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Quarantine the message** <br/><br/> `Quarantine`|**Quarantine the message** <br/><br/> `Quarantine`||

+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **domain impersonation** <br/><br/> _TargetedDomainQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The capabilities of the quarantine policy are meaningful only if the action for the domain impersonation verdict is to quarantine messages.|

+|**If mailbox intelligence detects an impersonated user** <br/><br/> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`||

+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **mailbox intelligence impersonation** <br/><br/> _MailboxIntelligenceQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The capabilities of the quarantine policy are meaningful only if the action for the mailbox intelligence impersonation verdict is to quarantine messages.|

+|**Show user impersonation safety tip** <br/><br/> _EnableSimilarUsersSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Show domain impersonation safety tip** <br/><br/> _EnableSimilarDomainsSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Show user impersonation unusual characters safety tip** <br/><br/> _EnableUnusualCharactersSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+┬╣ As described in [Full access permissions and quarantine notifications](quarantine-policies.md#full-access-permissions-and-quarantine-notifications), your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.

+|**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** <br/><br/> _EnableATPForSPOTeamsODB_|Off <br/><br/> `$false`|On <br/><br/> `$true`|To prevent users from downloading malicious files, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](safe-attachments-for-spo-odfb-teams-configure.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).|

+|**Turn on Safe Documents for Office clients** <br/><br/> _EnableSafeDocs_|Off <br/><br/> `$false`|On <br/><br/> `$true`|This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 A5 or Microsoft 365 E5 Security). For more information, see [Safe Documents in Microsoft 365 A5 or E5 Security](safe-documents-in-e5-plus-security-about.md).|

+|**Allow people to click through Protected View even if Safe Documents identified the file as malicious** <br/><br/> _AllowSafeDocsOpen_|Off <br/><br/> `$false`|Off <br/><br/> `$false`|This setting is related to Safe Documents.|

+|**Safe Attachments unknown malware response** <br/><br/> _Enable_ and _Action_|**Off** <br/><br/> `-Enable $false` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|

+|**Quarantine policy** <br/><br/> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|The **Quarantine policy** value is blank when you create a new Safe Attachments policy in the Defender portal. This blank value means the default quarantine policy from Safe Attachments detections is used (AdminOnlyAccessPolicy with no quarantine notifications). This default quarantine policy enforces the historical capabilities for messages that were quarantined as malware by Safe Attachments as described in the table [here](quarantine-end-user.md). <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with less restrictive capabilities in the default anti-malware policy or in custom anti-malware policies. For more information, see [Quarantine policies](quarantine-policies.md). <br/><br/> Users can't release their own messages that were quarantined as malware by Safe Attachments. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware messages.|

+|**Redirect attachment with detected attachments** : **Enable redirect** <br/><br/> _Redirect_ <br/><br/> _RedirectAddress_|Not selected and no email address specified. <br/><br/> `-Redirect $false` <br/><br/> _RedirectAddress_ is blank (`$null`)|Not selected and no email address specified. <br/><br/> `-Redirect $false` <br/><br/> _RedirectAddress_ is blank (`$null`)|Selected and specify an email address. <br/><br/> `$true` <br/><br/> an email address|Selected and specify an email address. <br/><br/> `$true` <br/><br/> an email address|Redirect messages to a security admin for review. <br/><br/> **Note**: This setting is not configured in the **Standard**, **Strict**, or **Built-in protection** preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in new Safe Attachments policies that you create.|

+|**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <br/><br/> _ActionOnError_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Block the following URLs** <br/><br/> _ExcludedUrls_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|We have no specific recommendation for this setting. <br/><br/> For more information, see ["Block the following URLs" list for Safe Links](safe-links-about.md#block-the-following-urls-list-for-safe-links). <br/><br/> **Note**: You can now manage block URL entries in the [Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.|

+|**On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default.** <br/><br/> _EnableSafeLinksForEmail_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Apply Safe Links to email messages sent within the organization** <br/><br/> _EnableForInternalSenders_|Selected <br/><br/> `$true`|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Apply real-time URL scanning for suspicious links and links that point to files** <br/><br/> _ScanUrls_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Wait for URL scanning to complete before delivering the message** <br/><br/> _DeliverMessageAfterScan_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Do not rewrite URLs, do checks via Safe Links API only** <br/><br/> _DisableURLRewrite_|Selected^\* <br/><br/> `$true`|Selected <br/><br/> `$true`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|^\* In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the _DisableURLRewrite_ parameter is `$false`.|

+|**Do not rewrite the following URLs in email** <br/><br/> _DoNotRewriteUrls_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|We have no specific recommendation for this setting. <br/><br/> **Note**: Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [allow URL entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-on-the-submissions-page) so URLs are not scanned or wrapped by Safe Links during mail flow _and_ at time of click.|

+|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.** <br/><br/> _EnableSafeLinksForTeams_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten.** <br/><br/> _EnableSafeLinksForOffice_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office apps](safe-links-about.md#safe-links-settings-for-office-apps).|

+|**Track user clicks** <br/><br/> _TrackClicks_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||

+|**Let users click through to the original URL** <br/><br/> _AllowClickThrough_|Selected^\* <br/><br/> `$true`|Selected <br/><br/> `$true`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|^\* In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the _AllowClickThrough_ parameter is `$false`.|

+|**Display the organization branding on notification and warning pages** <br/><br/> _EnableOrganizationBranding_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting. <br/><br/> Before you turn on this setting, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.|

+|**How would you like to notify your users?** <br/><br/> _CustomNotificationText_ <br/><br/> _UseTranslatedNotificationText_|**Use the default notification text** <br/><br/> Blank (`$null`) <br/><br/> `$false`|**Use the default notification text** <br/><br/> Blank (`$null`) <br/><br/> `$false`|**Use the default notification text** <br/><br/> Blank (`$null`) <br/><br/> `$false`|**Use the default notification text** <br/><br/> Blank (`$null`) <br/><br/> `$false`|We have no specific recommendation for this setting. <br/><br/> You can select **Use custom notification text** (`-CustomNotificationText "<Custom text>"`) to enter and use customized notification text. If you specify custom text, you can also select **Use Microsoft Translator for automatic localization** (`-UseTranslatedNotificationText $true`) to automatically translate the text into the user's language.|

+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP or Microsoft Defender for Office 365 filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).

+The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The Tenant Allow/Block List is used during mail flow for incoming messages from external senders. The Tenant Allow/Block List doesn't apply to internal messages within the organization.

+For usage and configuration instructions, see the following articles:

+If Microsoft has learned from the allow entry, the entry will be removed. You'll get an alert about the removal of the now unnecessary allow entry from the built-in [alert policy](../../compliance/alert-policies.md) named **Removed an entry in Tenant Allow/Block List**).