Updates from: 03/25/2021 04:22:56
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
|Admin role |Who should be assigned this role? | |||
+|Billing admin | Assign the Billing admin role to users who make purchases, manage subscriptions and service requests, and monitor service health. <br><br> Billing admins also can:<br> - Manage all aspects of billing <br> - Create and manage support tickets in the Azure portal <br> |
|Exchange admin | Assign the Exchange admin role to users who need to view and manage your user's email mailboxes, Microsoft 365 groups, and Exchange Online. <br><br> Exchange admins can also:<br> - Recover deleted items in a user's mailbox <br> - Set up "Send As" and "Send on behalf" delegates <br> | |Global admin | Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. <br><br> Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins. <br><br> Only global admins can:<br> - Reset passwords for all users <br> - Add and manage domains <br> <br> **Note:** The person who signed up for Microsoft online services automatically becomes a Global admin. | |Global reader | Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings. | |Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal. <br><br> Groups admins can:<br> - Create, edit, delete, and restore Microsoft 365 groups <br> - Create and update group creation, expiration, and naming policies <br> - Create, edit, delete, and restore Azure Active Directory security groups| |Helpdesk admin | Assign the Helpdesk admin role to users who need to do the following:<br> - Reset passwords <br> - Force users to sign out <br> - Manage service requests <br> - Monitor service health <br> <br> **Note**: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. |
+|License admin | Assign the License admin role to users who need to assigm amd remove licenses from users and edit their usage location. <br/><br/> License admins also can: <br> - Reprocess license assignments for group-based licensing <br> - Assign product licenses to groups for group-based licensing |
|Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Office cloud policy service to create and manage cloud-based policies for Office <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Office apps <br> - Monitor service health |
-|Service Support admin | Assign the Service Support admin role as an additional role to admins or users whose role doesn't include the following, but still need to do the following: <br> - Open and manage service requests <br> - View and share message center posts |
+|Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. |
+|Service support admin | Assign the Service Support admin role as an additional role to admins or users need to do the following in addition to their usual admin role: <br> - Open and manage service requests <br> - View and share message center posts |
|SharePoint admin | Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. <br><br>SharePoint admins can also: <br> - Create and delete sites <br> - Manage site collections and global SharePoint settings | |Teams service admin | Assign the Teams service admin role to users who need to access and manage the Teams admin center. <br><br>Teams service admins can also: <br> - Manage meetings <br> - Manage conference bridges <br> - Manage all org-wide settings, including federation, teams upgrade, and teams client settings | |User admin | Assign the User admin role to users who need to do the following for all users: <br> - Add users and groups <br> - Assign licenses <br> - Manage most users properties <br> - Create and manage user views <br> - Update password expiration policies <br> - Manage service requests <br> - Monitor service health <br><br> The user admin can also do the following actions for users who aren't admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader: <br> - Manage usernames<br> - Delete and restore users<br> - Reset passwords <br> - Force users to sign out <br> - Update (FIDO) device keys |
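Review bot: The added License admin row contains two typos: "assigm amd remove licenses" should read "assign and remove licenses". In the same hunk, the new Service support admin row says "admins or users need to do the following", which is missing "who" ("admins or users who need to do the following"). The new Billing admin and License admin rows use "also can" where the unchanged Exchange admin row uses "can also", and the License admin row mixes `<br/>` with `<br>`; matching the existing rows would keep the table consistent.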
admin About Exchange Online Admin Role https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-exchange-online-admin-role.md
Here are some of the key tasks users can do when they are assigned to the Exchan
- [Create a shared mailbox](../email/create-a-shared-mailbox.md) so a group of people can monitor and send email from a common email address. -- [Email anti-spam protection](https://docs.microsoft.com/microsoft-365/security/defender-365-security/anti-spam-protection) and malware filters for the organization.
+- [Email anti-spam protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-protection) and malware filters for the organization.
- Manage Microsoft 365 groups
admin Configure Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-email-forwarding.md
description: "Set up email forwarding to one or more email accounts using Office
As the admin of an organization, you might have company requirements to set up email forwarding for a user's mailbox. Email forwarding lets you forward email messages sent to a user's mailbox to another user's mailbox inside or outside of your organization. > [!IMPORTANT]
-> You can use outbound spam filter policies to control automatic forwarding to external recipients. For more information, see [Control automatic external email forwarding in Microsoft 365](https://docs.microsoft.com/microsoft-365/security/defender-365-security/external-email-forwarding?view=o365-worldwide&preserve-view=true#how-the-outbound-spam-filter-policy-settings-work-with-other-automatic-email-forwarding-controls).
+> You can use outbound spam filter policies to control automatic forwarding to external recipients. For more information, see [Control automatic external email forwarding in Microsoft 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/external-email-forwarding?view=o365-worldwide&preserve-view=true#how-the-outbound-spam-filter-policy-settings-work-with-other-automatic-email-forwarding-controls).
## Configure email forwarding
admin Create Dns Records At Any Dns Hosting Provider https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md
Validate your SPF record by using one of these [SPF validation tools](/office365
SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. To protect against these, once you've set up SPF, you should also set up DKIM and DMARC for Microsoft 365.
-To get started, see [Use DKIM to validate outbound email sent from your domain in Microsoft 365](../../security/defender-365-security/use-dkim-to-validate-outbound-email.md) and [Use DMARC to validate email in Microsoft 365](../../security/defender-365-security/use-dmarc-to-validate-email.md).
+To get started, see [Use DKIM to validate outbound email sent from your domain in Microsoft 365](../../security/office-365-security/use-dkim-to-validate-outbound-email.md) and [Use DMARC to validate email in Microsoft 365](../../security/office-365-security/use-dmarc-to-validate-email.md).
### Add SRV records for communications services (Teams, Skype for Business)
admin Pilot Microsoft 365 From My Custom Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/pilot-microsoft-365-from-my-custom-domain.md
There are two steps for this:
Make sure you have completed the following in Microsoft 365 or Office 365:
-1. To set up connectors, you need permissions assigned before you can begin. To check what permissions you need, see the Microsoft 365 and Office 365 connectors entry in the [Feature permissions in EOP](https://docs.microsoft.com/microsoft-365/security/defender-365-security/feature-permissions-in-eop) topic.
+1. To set up connectors, you need permissions assigned before you can begin. To check what permissions you need, see the Microsoft 365 and Office 365 connectors entry in the [Feature permissions in EOP](https://docs.microsoft.com/microsoft-365/security/office-365-security/feature-permissions-in-eop) topic.
2. If you want EOP or Exchange Online to relay email from your email servers to the Internet, either:
admin Set Up Dns Records Vsb https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/set-up-dns-records-vsb.md
Validate your SPF record by using one of these [SPF validation tools](/office365
SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. To protect against these, once you've set up SPF, you should also set up DKIM and DMARC for Microsoft 365.
-To get started, see [Use DKIM to validate outbound email sent from your domain in Microsoft 365](../../security/defender-365-security/use-dkim-to-validate-outbound-email.md) and [Use DMARC to validate email in Microsoft 365](../../security/defender-365-security/use-dmarc-to-validate-email.md).
+To get started, see [Use DKIM to validate outbound email sent from your domain in Microsoft 365](../../security/office-365-security/use-dkim-to-validate-outbound-email.md) and [Use DMARC to validate email in Microsoft 365](../../security/office-365-security/use-dmarc-to-validate-email.md).
Finally, head back to the admin center domain setup wizard to complete your setup.
admin Sign Up With A Personal Email Address https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/sign-up-with-a-personal-email-address.md
If you choose to add a custom domain now, you get access to all the premium feat
|:--|:--|:--| |**OneDrive <sup>1, 2</sup>**| [Personal OneDrive ](https://onedrive.live.com/about/en-us/plans/)| [OneDrive for Business](https://onedrive.live.com/about/en-us/business/) | |**Office applications: Word, Excel, PowerPoint, OneNote, Outlook, Access (PC only),**| Yes | Yes
-|**Business applications <sup>3</sup> : Microsoft Connections, Invoicing, Listings, Bookings, MileIQ, and Outlook Customer Manager**| No | Yes
+|**Business applications <sup>3</sup> : Microsoft Bookings and MileIQ**| No | Yes
|**Access to Microsoft 365 admin center**| Limited Access (Billing, Support, and Domain setup) | Yes |**Add Users**| No | Yes |**Office 365 |**Security and Compliance tools**| No | Yes
- 1. You'll need to migrate your [Personal OneDrive files over to OneDrive for Business](move-email-and-data-to-office-365-business-premium.md).
-
- 2. For information on how your data will be handled, see the [Privacy Statement](https://g.microsoftonline.com/0BX20en/138). Use of OneDrive is governed by the [Microsoft Services Agreement](https://signup.live.com/signup?ru=https://login.live.com/oauth20_authorize.srf?lc%3d1033%26response_type%3dcode%26client_id%3d51483342-085c-4d86-bf88-cf50c7252078%26scope%3dopenid%2bprofile%2bemail%2boffline_access%26response_mode%3dform_post%26redirect_uri%3dhttps://login.microsoftonline.com/common/federation/oauth2%26state%3drQIIAXWRO2_TUACFc_NSUyGoEBKVEFIHJCSQk-vrR-JIHdLWSdPGaR426TVDZCeO7TjX17Ld5rGzd47EwgLqyFLED2DolBFVMIOYEBMjaXeWM5zvDEfnvEixebb8jOd4wSiaEiMZIsfwEgsZg0ciwwmcyCHIDgXIhQ83t64-PP_-ZvtGvnr04-uX8yedJcj1J-65lR9QcgkeO3EcROVCYTqd5ulo5A7uQOETACsAfgKwTGYsn9G6l8lI5EReYIWSCDmuJIhIKuYxkae6OiT6WIkx6nhNF0K80McN1eYVtR0rB56goKqD1YqgE5lde3wTVb071pOh3oWwSapuo3fkKKS-9vAcIwzx2JlgtT67ST44qZzFDroVGroL608yN6Ih6Qc0ipep9-AksPz6cJ_6vjWI87cxy4_dgRG71G-FNLDC2LWiXbOrtHuKZ7W0_nlgtvwOPZYJU-_7HsIYmWhPY2XSOz2WGh27PzY0ElRHbXgoOqo-N0Rq8KpNTbuzPy_CU1k7VJslRgtmc143vS6vwBrlup0SrYa-ViPzOdNTJHl_OGAachhVhnsz9WMqu56VUP86dX9dyneHO0FIR-7EWqXBr_Q9mCpvbGxuJbYTO4m_afAus36u-1qsZVblo7ffELCfgsR1pkCw8yps8Mh7SaJJaTGxXQU6MB7jakM_iyYHLQVJbRya07a9K5XZiyy4yGZ_ZxOfc_87-h81%26estsfed%3d1%26uaid%3ddd27a8b7188545dab714e7d8c6761b52%26lw%3d1%26fl%3deasi2%26mkt%3den-US&amp;mkt=EN-US&amp;uiflavor=web&amp;lw=1&amp;fl=easi2&amp;client_id=51483342-085c-4d86-bf88-cf50c7252078&amp;uaid=dd27a8b7188545dab714e7d8c6761b52&amp;lic=1). The [Microsoft Online Subscription Agreement](https://admin.microsoft.com/Commerce/Mosa.aspx?cc2=US&amp;cl=en&amp;cc=en-US&amp;gcc=False) governs all the other services included with your subscription.
-
-3. Some business applications aren't available in all regions.
-
+> <sup>1</sup> You'll need to migrate your [Personal OneDrive files over to OneDrive for Business](move-email-and-data-to-office-365-business-premium.md).<br/>
+> <sup>2</sup> For information on how your data will be handled, see the [Privacy Statement](https://g.microsoftonline.com/0BX20en/138). Use of OneDrive is governed by the [Microsoft Services Agreement](https://signup.live.com/signup?ru=https://login.live.com/oauth20_authorize.srf?lc%3d1033%26response_type%3dcode%26client_id%3d51483342-085c-4d86-bf88-cf50c7252078%26scope%3dopenid%2bprofile%2bemail%2boffline_access%26response_mode%3dform_post%26redirect_uri%3dhttps://login.microsoftonline.com/common/federation/oauth2%26state%3drQIIAXWRO2_TUACFc_NSUyGoEBKVEFIHJCSQk-vrR-JIHdLWSdPGaR426TVDZCeO7TjX17Ld5rGzd47EwgLqyFLED2DolBFVMIOYEBMjaXeWM5zvDEfnvEixebb8jOd4wSiaEiMZIsfwEgsZg0ciwwmcyCHIDgXIhQ83t64-PP_-ZvtGvnr04-uX8yedJcj1J-65lR9QcgkeO3EcROVCYTqd5ulo5A7uQOETACsAfgKwTGYsn9G6l8lI5EReYIWSCDmuJIhIKuYxkae6OiT6WIkx6nhNF0K80McN1eYVtR0rB56goKqD1YqgE5lde3wTVb071pOh3oWwSapuo3fkKKS-9vAcIwzx2JlgtT67ST44qZzFDroVGroL608yN6Ih6Qc0ipep9-AksPz6cJ_6vjWI87cxy4_dgRG71G-FNLDC2LWiXbOrtHuKZ7W0_nlgtvwOPZYJU-_7HsIYmWhPY2XSOz2WGh27PzY0ElRHbXgoOqo-N0Rq8KpNTbuzPy_CU1k7VJslRgtmc143vS6vwBrlup0SrYa-ViPzOdNTJHl_OGAachhVhnsz9WMqu56VUP86dX9dyneHO0FIR-7EWqXBr_Q9mCpvbGxuJbYTO4m_afAus36u-1qsZVblo7ffELCfgsR1pkCw8yps8Mh7SaJJaTGxXQU6MB7jakM_iyYHLQVJbRya07a9K5XZiyy4yGZ_ZxOfc_87-h81%26estsfed%3d1%26uaid%3ddd27a8b7188545dab714e7d8c6761b52%26lw%3d1%26fl%3deasi2%26mkt%3den-US&amp;mkt=EN-US&amp;uiflavor=web&amp;lw=1&amp;fl=easi2&amp;client_id=51483342-085c-4d86-bf88-cf50c7252078&amp;uaid=dd27a8b7188545dab714e7d8c6761b52&amp;lic=1). The [Microsoft Online Subscription Agreement](https://admin.microsoft.com/Commerce/Mosa.aspx?cc2=US&amp;cl=en&amp;cc=en-US&amp;gcc=False) governs all the other services included with your subscription.<br/>
+> <sup>3</sup> Some business applications aren't available in all regions.<br/>
+ ## How to add a domain In the admin center, go to **Setup** > <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">Domains</a> > **Add domain**.
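Review bot: The Microsoft Services Agreement link in the new footnote 2 is carried over unchanged and still points at signup.live.com/signup with an `ru` parameter that wraps an OAuth authorize request, including a fixed `client_id`, `state` and `uaid`. That is a sign-up redirect captured from one session, not a link to the agreement text. Since the footnotes are being rewritten in this hunk anyway, replace it with a stable link to the agreement itself and drop the query string.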
admin Multi Factor Authentication Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365.md
For more information, see this [overview of Conditional Access](/azure/active-di
### Azure AD Identity Protection
-With Azure AD Identity Protection, you can create an additional Conditional Access policy to [require MFA when sign-in risk is medium or high](../../security/defender-365-security/identity-access-policies.md#require-mfa-based-on-sign-in-risk).
+With Azure AD Identity Protection, you can create an additional Conditional Access policy to [require MFA when sign-in risk is medium or high](../../security/office-365-security/identity-access-policies.md#require-mfa-based-on-sign-in-risk).
You can use Azure AD Identity Protection and risk-based Conditional Access policies with:
admin Secure Your Business Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/secure-your-business-data.md
Your Microsoft 365 environment includes protection against malware, but you can
6. Select **Save.**
-For more information, see [Anti-malware protection in EOP](https://docs.microsoft.com/microsoft-365/security/defender-365-security/anti-malware-protection).
+For more information, see [Anti-malware protection in EOP](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-malware-protection).
## 5: Protect against ransomware <a name="ransomware"> </a>
To create an anti-phishing policy in Defender for Office 365, view a [short trai
4. On the Anti-phishing page, select **+ Create**. A wizard launches that steps you through defining your anti-phishing policy.
-5. Specify the name, description, and settings for your policy as recommended in the chart below. See [Learn about anti-phishing policy in Microsoft Defender for Office 365 options](https://docs.microsoft.com/microsoft-365/security/defender-365-security/set-up-anti-phishing-policies) for more details.
+5. Specify the name, description, and settings for your policy as recommended in the chart below. See [Learn about anti-phishing policy in Microsoft Defender for Office 365 options](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-anti-phishing-policies) for more details.
6. After you have reviewed your settings, select **Create this policy** or **Save**, as appropriate.
To create an anti-phishing policy in Defender for Office 365, view a [short trai
|Applied to|Select **The recipient domain is**. Under **Any of these**, select **Choose**. Select **+ Add**. Select the check box next to the name of the domain, for example, contoso.com, in the list, and then select **Add**. Select **Done**.| |
-For more information, see [Set up anti-phishing policies in Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/defender-365-security/configure-atp-anti-phishing-policies).
+For more information, see [Set up anti-phishing policies in Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-atp-anti-phishing-policies).
## 9: Protect against malicious attachments and files with Safe Attachments <a name="atp"> </a>
To create an Safe attachment policy, view a [short training video](https://suppo
|Applied to|The recipient domain is . . . select your domain.| |
-For more information, see [Set up anti-phishing policies in Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/defender-365-security/configure-atp-anti-phishing-policies).
+For more information, see [Set up anti-phishing policies in Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-atp-anti-phishing-policies).
## 10: Protect against phishing attacks with Safe Links <a name="phishingatp"> </a>
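Review bot: The "For more information" line under the Safe Attachments settings table links to "Set up anti-phishing policies in Defender for Office 365" (configure-atp-anti-phishing-policies), the same target the anti-phishing section uses just above it. The change only swaps the folder segment, so the mismatch is preserved. While this line is being touched, point it at the Safe Attachments article so the section's follow-up link matches the policy the steps create.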
To create a new policy targeted to all recipients in your domain:
|Applied to|The recipient domain is . . . select your domain.| |
-For more information, see [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/defender-365-security/atp-safe-links).
+For more information, see [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links).
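Review bot: The links in this file keep the slugs `atp-safe-links` and `configure-atp-anti-phishing-policies`, while the sibling articles in this same update link to `safe-links.md` and `set-up-anti-phishing-policies.md` under the same folder. Only the folder segment was rewritten here, so confirm that the `atp-` slugs still resolve under office-365-security, or align them with the names the other articles use.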
admin Priority Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/priority-accounts.md
In every Microsoft 365 organization, there are people that are essential, like e
To help your organization protect these accounts, you can now designate specific users as priority accounts and leverage app-specific features that provide them with extra protection. In the future, more apps and features will support priority accounts, and to start with, weΓÇÖve announced two capabilities: **priority account protection** and **premium mail flow monitoring**. -- **Priority account protection** - Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) supports priority accounts as tags that can be used in filters in alerts, reports, and investigations. For more information, check out [User tags in Microsoft Defender for Office 365](../../security/defender-365-security/user-tags.md).
+- **Priority account protection** - Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) supports priority accounts as tags that can be used in filters in alerts, reports, and investigations. For more information, check out [User tags in Microsoft Defender for Office 365](../../security/office-365-security/user-tags.md).
- **Premium Mail Flow Monitoring** - Healthy mail flow can be critical to business success, and delivery delays or failures can have a negative impact on the business. You can choose a threshold for failed or delayed emails, receive alerts when that threshold is exceeded, and view a report of email issues for priority accounts. For more information, check out [Email issues for priority accounts report in the modern EAC](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report)
-For security best practices for priority accounts, see [Security recommendations for priority accounts](../../security/defender-365-security/security-recommendations-for-priority-accounts.md).
+For security best practices for priority accounts, see [Security recommendations for priority accounts](../../security/office-365-security/security-recommendations-for-priority-accounts.md).
## Before you begin
business Increase Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/increase-threat-protection.md
Your Office 365 or Microsoft 365 environment includes protection against malware
6. Select **Save.**
-For more information, see [Anti-malware protection in EOP](../security/defender-365-security/anti-malware-protection.md).
+For more information, see [Anti-malware protection in EOP](../security/office-365-security/anti-malware-protection.md).
## Protect against ransomware
To create an anti-phishing policy in Microsoft Defender for Office 365, watch [
4. On the **Anti-phishing** page, select **+ Create**. A wizard launches that steps you through defining your anti-phishing policy.
-5. Specify the name, description, and settings for your policy as recommended in the following table. For more details, see [Learn about anti-phishing policy in Microsoft Defender for Office 365 options](../security/defender-365-security/set-up-anti-phishing-policies.md).
+5. Specify the name, description, and settings for your policy as recommended in the following table. For more details, see [Learn about anti-phishing policy in Microsoft Defender for Office 365 options](../security/office-365-security/set-up-anti-phishing-policies.md).
6. After you've reviewed your settings, choose **Create this policy** or **Save**, as appropriate.
To create an Safe Attachment policy, either watch [this short video](https://sup
|Redirect attachment on detection|Enable redirection (select this box) Enter the admin account or a mailbox setup for quarantine. Apply the above selection if malware scanning for attachments times out or error occurs (select this box).| |Applied to|The recipient domain is . . . select your domain.|
-For more information, see [Set up anti-phishing policies in Microsoft Defender for Office 365](../security/defender-365-security/set-up-anti-phishing-policies.md).
+For more information, see [Set up anti-phishing policies in Microsoft Defender for Office 365](../security/office-365-security/set-up-anti-phishing-policies.md).
## Protect against phishing attacks with Safe Links
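Review bot: The closing link of the Safe Attachment policy table ("Redirect attachment on detection", "Applied to") goes to set-up-anti-phishing-policies.md with the text "Set up anti-phishing policies in Microsoft Defender for Office 365". That reads as a leftover from the anti-phishing section; the path rewrite is a good moment to retarget it to the Safe Attachments article.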
To create a new policy targeted to all recipients in your domain:
|Use Safe Attachments to scan downloadable content|Select this box.| |Applied to|The recipient domain is . . . select your domain.|
-For more information, see [Safe Links](../security/defender-365-security/safe-links.md).
+For more information, see [Safe Links](../security/office-365-security/safe-links.md).
## Go to Intune admin center
business Migrate From E3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/migrate-from-e3.md
Microsoft 365 Business Premium has a 50 GB storage limit as it uses Exchange Onl
### Threat protection
-After migrating to Microsoft 365 Business Premium, you have Defender for Office 365. See [Microsoft Defender for Office 365](../security/defender-365-security/defender-for-office-365.md) for an overview. To set up, see [set up Safe Links](https://support.microsoft.com/office/61492713-53c2-47da-a6e7-fa97479e97fa), [set up Safe Attachments](https://support.microsoft.com/office/e7e68934-23dc-4b9c-b714-e82e27a8f8a5), and [set up Anti-phishing in Defender for Office 365](https://support.microsoft.com/office/86c425e1-1686-430a-9151-f7176cce4f2c).
+After migrating to Microsoft 365 Business Premium, you have Defender for Office 365. See [Microsoft Defender for Office 365](../security/office-365-security/defender-for-office-365.md) for an overview. To set up, see [set up Safe Links](https://support.microsoft.com/office/61492713-53c2-47da-a6e7-fa97479e97fa), [set up Safe Attachments](https://support.microsoft.com/office/e7e68934-23dc-4b9c-b714-e82e27a8f8a5), and [set up Anti-phishing in Defender for Office 365](https://support.microsoft.com/office/86c425e1-1686-430a-9151-f7176cce4f2c).
### Sensitivity labels
business Security Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/security-features.md
You can manage many of the Microsoft 365 Business Premium security features in t
Advanced features in Microsoft 365 Business Premium are available to help you protect your business against cyber-threats and safeguard sensitive information. -- **[Microsoft Defender for Office 365](../security/defender-365-security/defender-for-office-365.md)**
+- **[Microsoft Defender for Office 365](../security/office-365-security/defender-for-office-365.md)**
Microsoft Defender for Office 365 helps guard your business against sophisticated phishing and ransomware attacks designed to compromise employee or customer information. Features include:
business Set Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/set-up.md
To set up services, you have to update some records at your DNS host or domain r
The policies you set up in the wizard are applied automatically to a [Security group](/office365/admin/create-groups/compare-groups#security-groups) called *All Users*. You can also create additional groups to assign policies to in the admin center.
-1. On the **Increase protection from advanced cyber threats**, it is recommended that you accept the defaults to let [Office 365 Advance Threat Protection](../security/defender-365-security/defender-for-office-365.md) scan files and links in Office apps.
+1. On the **Increase protection from advanced cyber threats**, it is recommended that you accept the defaults to let [Office 365 Advance Threat Protection](../security/office-365-security/defender-for-office-365.md) scan files and links in Office apps.
![Screenshot of Increase protection page.](../media/increasetreatprotection.png)
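Review bot: The link text in the rewritten step still reads "Office 365 Advance Threat Protection" although its target is defender-for-office-365.md, and the priority accounts article in this same update describes the product as "Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection)". Update the link text to the current product name while the line is being changed. The sentence opening "On the **Increase protection from advanced cyber threats**," is also missing a noun such as "page".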
business Threats Detected Defender Av https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/threats-detected-defender-av.md
To learn more about different threats, visit the <a href="https://www.microsoft.
[How to turn on and use Microsoft Defender Antivirus from the Windows Security app](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus) (article)\ [How to turn on Microsoft Defender Antivirus by using Group Policy](/mem/intune/user-help/turn-on-defender-windows#turn-on-windows-defender) (article)\ [How to update your antivirus definitions](/mem/intune/user-help/turn-on-defender-windows#update-your-antivirus-definitions) (article)\
-[How to submit malware and non-malware to Microsoft for analysis](/microsoft-365/security/defender-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis) (article)
+[How to submit malware and non-malware to Microsoft for analysis](/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis) (article)
campaigns M365 Campaigns Increase Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-increase-protection.md
Your Office 365 or Microsoft 365 environment includes protection against malware
6. Click **Save.**
-For more information, see [Anti-malware protection in EOP](../security/defender-365-security/anti-malware-protection.md).
+For more information, see [Anti-malware protection in EOP](../security/office-365-security/anti-malware-protection.md).
## Protect against ransomware
To create an anti-phishing policy in Defender for Office 365, watch [this short
4. On the **Anti-phishing** page, select **+ Create**. A wizard launches that steps you through defining your anti-phishing policy.
-5. Specify the name, description, and settings for your policy as recommended in the chart below. For more information, see [Learn about anti-phishing policy in Microsoft Defender for Office 365 options](../security/defender-365-security/set-up-anti-phishing-policies.md).
+5. Specify the name, description, and settings for your policy as recommended in the chart below. For more information, see [Learn about anti-phishing policy in Microsoft Defender for Office 365 options](../security/office-365-security/set-up-anti-phishing-policies.md).
6. After you've reviewed your settings, choose **Create this policy** or **Save**, as appropriate.
To create an anti-phishing policy in Defender for Office 365, watch [this short
|Add trusted senders and domains|Here you can add your own domain, or any other trusted domains.| |Applied to|Select **The recipient domain is**. Under **Any of these**, select **Choose**. Select **+ Add**. Select the check box next to the name of the domain, for example, *contoso.<span><span>com*, in the list, and then select **Add**. Select **Done**.|
-For more information, see [Set up anti-phishing policies in Defender for Office 365](../security/defender-365-security/set-up-anti-phishing-policies.md).
+For more information, see [Set up anti-phishing policies in Defender for Office 365](../security/office-365-security/set-up-anti-phishing-policies.md).
## Protect against malicious attachments, files, and links with Defender for Office 365
To create an Safe Attachment policy, either watch [this short video](https://sup
|Redirect attachment on detection|Enable redirection (select this box) <br/> Enter the admin account or a mailbox setup for quarantine. <br/> Apply the above selection if malware scanning for attachments times out or error occurs (select this box).| |Applied to|The recipient domain is . . . select your domain.|
-For more information, see [Set up anti-phishing policies in Defender for Office 365](../security/defender-365-security/set-up-anti-phishing-policies.md).
+For more information, see [Set up anti-phishing policies in Defender for Office 365](../security/office-365-security/set-up-anti-phishing-policies.md).
### Set up Safe Links in the Security & Compliance Center
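Review bot: As in the other threat-protection articles, the "For more information" line that follows the Safe Attachment table here links to the anti-phishing article (set-up-anti-phishing-policies.md). The folder rename carries the wrong target forward; link the Safe Attachments article here and keep the anti-phishing link for the anti-phishing section earlier in the file.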
To create a new policy targeted to all recipients in your domain:
|Use Safe Attachments to scan downloadable content|Select this box.| |Applied to|The recipient domain is . . . select your domain.|
-For more information, see [Safe Links in Defender for Office 365](../security/defender-365-security/safe-links.md).
+For more information, see [Safe Links in Defender for Office 365](../security/office-365-security/safe-links.md).
## Turn on the Unified Audit Log
commerce Extend Your Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/extend-your-trial.md
- Title: "Extend your trial"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management-- Adm_O365-- Adm_TOC-- commerce--- MET150
-description: "Learn how to extend your trial subscription for another 30-day period."
--
-# Extend your trial
--
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../admin/microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
--
-Do you need more time to try out the features of Microsoft 365 for business before buying? If your trial subscription is within 15 days of expiring and the trial hasn't been extended before then you can extend your trial for another 30 day period. You can only do this one time.
--
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the **Products** tab, select the trial subscription that you want to extend.
-3. On the subscription details page, in the **Subscriptions and payment settings** section, select **Extend end date**.
-4. In the **Extend end date** pane, review the extension information, and if necessary, select a payment method. When you're finished, select **Extend trial**.
---
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-2. On the **Subscriptions** page, select the trial subscription that you want to extend, and then, under the expiration date, select **Extend trial**.
-3. Complete the steps in the wizard.
---
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-2. On the **Subscriptions** page, select the trial subscription that you want to extend, and then, under the expiration date, select **Extend trial**.
-3. Complete the steps in the wizard.
--
-When you're ready to buy, see [Buy your trial version](./try-or-buy-microsoft-365.md).
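Review bot: Removing extend-your-trial.md outright leaves any existing link to that file without a target, and nothing in the visible lines adds a redirect to the "Extend your trial" section that now lives in try-or-buy-microsoft-365.md. Add a redirect entry with this change. The removed `[!NOTE]` about the new admin center (the `view=o365-21vianet` link) is also not carried over, so confirm that drop is intentional.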
commerce Try Or Buy Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/try-or-buy-microsoft-365.md
these steps:
6. On the next page, verify the **Sold to** address, the **Billed to** information, and **Items in this order**. If you need to make any changes, select **Change** next to the applicable section. 7. When you\'re finished, select **Accept agreement & place order**.
+## Extend your trial
+
+Do you need more time to try out the features of Microsoft 365 for business before buying? If your trial subscription is within 15 days of expiring and the trial hasn't been extended before then you can extend your trial for another 30 day period. You can only do this one time.
+
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
+2. On the **Products** tab, select the trial subscription that you want to extend.
+3. On the subscription details page, in the **Subscriptions and payment settings** section, select **Extend end date**.
+4. In the **Extend end date** pane, review the extension information, and if necessary, select a payment method. When you're finished, select **Extend trial**.
+
+When you're ready to buy, see [Buy your trial version](#buy-a-subscription-from-your-free-trial).
+ ## Cancel your free trial subscription If you decide to cancel your trial subscription before the free trial
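Review bot: The moved "Extend your trial" section keeps only the four-step procedure that uses linkid=842054. The two three-step variants in the deleted file (linkid=847745 and linkid=850626, both ending in "Complete the steps in the wizard") are gone. If those covered other admin center versions, readers on them lose their instructions, so confirm the drop or restore them. Minor wording in the added paragraph: "hasn't been extended before then you can" needs a comma before "then", and "30 day period" should be "30-day period" as in the deleted description.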
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
An alert policy consists of the following settings and conditions.
- **Activity the alert is tracking** - You create a policy to track an activity or in some cases a few related activities, such a sharing a file with an external user by sharing it, assigning access permissions, or creating an anonymous link. When a user performs the activity defined by the policy, an alert is triggered based on the alert threshold settings. > [!NOTE]
- > The activities that you can track depend on your organization's Office 365 Enterprise or Office 365 US Government plan. In general, activities related to malware campaigns and phishing attacks require an E5/G5 subscription or an E1/F1/G1 or E3/F3/G3 subscription with an [Defender for Office 365](../security/defender-365-security/defender-for-office-365.md) Plan 2 add-on subscription.
+ > The activities that you can track depend on your organization's Office 365 Enterprise or Office 365 US Government plan. In general, activities related to malware campaigns and phishing attacks require an E5/G5 subscription or an E1/F1/G1 or E3/F3/G3 subscription with an [Defender for Office 365](../security/office-365-security/defender-for-office-365.md) Plan 2 add-on subscription.
- **Activity conditions** - For most activities, you can define additional conditions that must be met to trigger an alert. Common conditions include IP addresses (so that an alert is triggered when the user performs the activity on a computer with a specific IP address or within an IP address range), whether an alert is triggered if a specific user or users perform that activity, and whether the activity is performed on a specific file name or URL. You can also configure a condition that triggers an alert when the activity is performed by any user in your organization. The available conditions are dependent on the selected activity.
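Review bot: The rewritten note still says "with an [Defender for Office 365] ... Plan 2 add-on subscription". Since the line is being touched anyway, change "an" to "a".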
The table also indicates the Office 365 Enterprise and Office 365 US Government
| Default alert policy | Description | Category | Enterprise subscription | |:--|:--|:--|:--|
-|**A potentially malicious URL click was detected**|Generates an alert when a user protected by [Safe Links](../security/defender-365-security/safe-links.md) in your organization clicks a malicious link. This event is triggered when URL verdict changes are identified by Microsoft Defender for Office 365 or when users override the Safe Links pages (based on your organization's Microsoft 365 for business Safe Links policy). This alert policy has a **High** severity setting. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/defender-365-security/office-365-air.md). For more information on events that trigger this alert, see [Set up Safe Links policies](../security/defender-365-security/set-up-safe-links-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Admin Submission result completed**|Generates an alert when an [Admin Submission](../security/defender-365-security/admin-submission.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. These alerts are meant to remind you to [review the results of previous submissions](https://protection.office.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact. This policy has a **Low** severity setting.|Threat management|E1/F1, E3/F3, or E5|
-|**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer] (https://docs.microsoft.com/microsoft-365/security/defender-365-security/automated-investigation-response-office#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has an **Informational** severity setting.|Threat management| E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
+|**A potentially malicious URL click was detected**|Generates an alert when a user protected by [Safe Links](../security/office-365-security/safe-links.md) in your organization clicks a malicious link. This event is triggered when URL verdict changes are identified by Microsoft Defender for Office 365 or when users override the Safe Links pages (based on your organization's Microsoft 365 for business Safe Links policy). This alert policy has a **High** severity setting. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on events that trigger this alert, see [Set up Safe Links policies](../security/office-365-security/set-up-safe-links-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Admin Submission result completed**|Generates an alert when an [Admin Submission](../security/office-365-security/admin-submission.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. These alerts are meant to remind you to [review the results of previous submissions](https://protection.office.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact. This policy has a **Low** severity setting.|Threat management|E1/F1, E3/F3, or E5|
+|**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer] (https://docs.microsoft.com/microsoft-365/security/office-365-security/automated-investigation-response-office#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has an **Informational** severity setting.|Threat management| E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
|**Creation of forwarding/redirect rule**|Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules that are created using Outlook on the web (formerly known as Outlook Web App) or Exchange Online PowerShell. This policy has a **Low** severity setting. For more information about using inbox rules to forward and redirect email in Outlook on the web, see [Use rules in Outlook on the web to automatically forward messages to another account](https://support.office.com/article/1433e3a0-7fb0-4999-b536-50e05cb67fed).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5| |**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Security and compliance center. An alert is triggered when the following content search activities are performed: <br/><br/>* A content search is started<br/>* The results of a content search are exported<br/>* A content search report is exported<br/><br/>Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. This policy has a **Medium** severity setting. For more information about content search activities, see [Search for eDiscovery activities in the audit log](search-for-ediscovery-activities-in-the-audit-log.md#ediscovery-activities).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5| |**Elevation of Exchange admin privilege**|Generates an alert when someone is assigned administrative permissions in your Exchange Online organization. For example, when a user is added to the Organization Management role group in Exchange Online. This policy has a **Low** severity setting.|Permissions|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Email messages containing malware removed after delivery**|Generates an alert when any messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/defender-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/defender-365-security/office-365-air.md).|Threat management|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
-|**Email messages containing phish URLs removed after delivery**|Generates an alert when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/defender-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/defender-365-security/office-365-air.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Email reported by user as malware or phish**|Generates an alert when users in your organization report messages as phishing email using the Report Message add-in. This policy has an **Informational** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2). For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/defender-365-security/office-365-air.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Email sending limit exceeded**|Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy. This is usually an indication the user is sending too much email or that the account may be compromised. This policy has a **Medium** severity setting. If you get an alert generated by this alert policy, it's a good idea to [check whether the user account is compromised](../security/defender-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Email messages containing malware removed after delivery**|Generates an alert when any messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
+|**Email messages containing phish URLs removed after delivery**|Generates an alert when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Email reported by user as malware or phish**|Generates an alert when users in your organization report messages as phishing email using the Report Message add-in. This policy has an **Informational** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2). For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Email sending limit exceeded**|Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy. This is usually an indication the user is sending too much email or that the account may be compromised. This policy has a **Medium** severity setting. If you get an alert generated by this alert policy, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
|**Form blocked due to potential phishing attempt**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High severity** setting.|Threat management|E1, E3/F3, or E5| |**Form flagged and confirmed as phishing**|Generates an alert when a form created in Microsoft Forms from within your organization has been identified as potential phishing through Report Abuse and confirmed as phishing by Microsoft. This policy has a **High** severity setting.|Threat management|E1, E3/F3, or E5| |**Messages have been delayed**|Generates an alert when Microsoft can't deliver email messages to your on-premises organization or a partner server by using a connector. When this happens, the message is queued in Office 365. This alert is triggered when there are 2,000 messages or more that have been queued for more than an hour. This policy has a **High** severity setting.|Mail flow|E1/F1/G1, E3/F3/G3, or E5/G5|
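Review bot: In the "Admin triggered manual investigation of email" row, the link is written as "[Example: A security administrator triggers an investigation from Threat Explorer] (https://docs.microsoft.com/...)" with a space between the closing bracket and the opening parenthesis, so it will not render as a link. The defect is carried over unchanged from the removed line. Remove the space. This is also the only link in the block that uses an absolute docs.microsoft.com URL rather than a relative ../security/office-365-security/ path like its neighbours, so convert it for consistency.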
The table also indicates the Office 365 Enterprise and Office 365 US Government
|**Malware not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a malware message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting. |Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Phish delivered because a user's Junk Mail folder is disabled**|Generates an alert when Microsoft detects a userΓÇÖs Junk Mail folder is disabled, allowing delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting.|Threat management|E5/G5 or Defender for Office 365 P1 or P2 add-on subscription| |**Phish delivered due to an ETR override**|Generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about Exchange Transport Rules (Mail flow rules), see [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).|Threat management|E5/G5 or Defender for Office 365 P1 or P2 add-on subscription|
-|**Phish delivered due to an IP allow policy**|Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about the IP allow policy (connection filtering), see [Configure the default connection filter policy - Office 365](../security/defender-365-security/configure-the-connection-filter-policy.md).|Threat management|E5/G5 or Defender for Office 365 P1 or P2 add-on subscription|
+|**Phish delivered due to an IP allow policy**|Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about the IP allow policy (connection filtering), see [Configure the default connection filter policy - Office 365](../security/office-365-security/configure-the-connection-filter-policy.md).|Threat management|E5/G5 or Defender for Office 365 P1 or P2 add-on subscription|
|**Phish not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Phish delivered due to tenant or user override**<sup>1</sup>|Generates an alert when Microsoft detects an admin or user override allowed the delivery of a phishing message to a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **High** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Suspicious email forwarding activity**|Generates an alert when someone in your organization has autoforwarded email to a suspicious external account. This is an early warning for behavior that may indicate the account is compromised, but not severe enough to restrict the user. This policy has a **Medium** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. It's a good idea to [check whether the user account is compromised](../security/defender-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Suspicious email sending patterns detected**|Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. This is an early warning for behavior that may indicate that the account is compromised, but not severe enough to restrict the user. This policy has a **Medium** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](../security/defender-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5 |
+|**Suspicious email forwarding activity**|Generates an alert when someone in your organization has autoforwarded email to a suspicious external account. This is an early warning for behavior that may indicate the account is compromised, but not severe enough to restrict the user. This policy has a **Medium** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. It's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Suspicious email sending patterns detected**|Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. This is an early warning for behavior that may indicate that the account is compromised, but not severe enough to restrict the user. This policy has a **Medium** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5 |
|**Tenant restricted from sending email**|Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email. Investigate any potentially compromised user and admin accounts, new connectors, or open relays, and then contact Microsoft Support to unblock your organization. This policy has a **High** severity setting. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5| |**Unusual external user file activity**|Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a **High** severity setting.|Information governance|E5/G5, Microsoft Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription| |**Unusual volume of external file sharing**|Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization. This policy has a **Medium** severity setting.|Information governance|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
The table also indicates the Office 365 Enterprise and Office 365 US Government
||||| > [!NOTE]
-> <sup>1</sup> We've temporarily removed this default alert policy based on customer feedback. We're working to improve it, and will replace it with a new version in the near future. Until then, you can create a custom alert policy to replace this functionality by using the following settings:<br/>&nbsp; * Activity is Phish email detected at time of delivery<br/>&nbsp; * Mail is not ZAP'd<br/>&nbsp; * Mail direction is Inbound<br/>&nbsp; * Mail delivery status is Delivered<br/>&nbsp; * Detection technology is Malicious URL retention, URL detonation, Advanced phish filter, General phish filter, Domain impersonation, User impersonation, and Brand impersonation<br/><br/>&nbsp;&nbsp;&nbsp;For more information about anti-phishing in Office 365, see [Set up anti-phishing and anti-phishing policies](../security/defender-365-security/set-up-anti-phishing-policies.md).<br/><br/><sup>2</sup> To recreate this alert policy, follow the guidance in the previous footnote, but choose User impersonation as the only Detection technology.
+> <sup>1</sup> We've temporarily removed this default alert policy based on customer feedback. We're working to improve it, and will replace it with a new version in the near future. Until then, you can create a custom alert policy to replace this functionality by using the following settings:<br/>&nbsp; * Activity is Phish email detected at time of delivery<br/>&nbsp; * Mail is not ZAP'd<br/>&nbsp; * Mail direction is Inbound<br/>&nbsp; * Mail delivery status is Delivered<br/>&nbsp; * Detection technology is Malicious URL retention, URL detonation, Advanced phish filter, General phish filter, Domain impersonation, User impersonation, and Brand impersonation<br/><br/>&nbsp;&nbsp;&nbsp;For more information about anti-phishing in Office 365, see [Set up anti-phishing and anti-phishing policies](../security/office-365-security/set-up-anti-phishing-policies.md).<br/><br/><sup>2</sup> To recreate this alert policy, follow the guidance in the previous footnote, but choose User impersonation as the only Detection technology.
The unusual activity monitored by some of the built-in policies is based on the same process as the alert threshold setting that was previously described. Microsoft establishes a baseline value that defines the normal frequency for "usual" activity. Alerts are then triggered when the frequency of activities tracked by the built-in alert policy greatly exceeds the baseline value.
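Review bot: In footnote 1 the link text reads "Set up anti-phishing and anti-phishing policies", which repeats "anti-phishing". Fix the label while the path is being updated. The target, set-up-anti-phishing-policies.md, suggests "Set up anti-phishing policies" or the title the article actually carries.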
You can use the following filters to view a subset of all the alerts on the **Vi
- **Category.** Use this filter to show alerts from one or more alert categories. -- **Tags.** Use this filter to show alerts from one or more user tags. Tags are reflected based on tagged mailboxes or users that appear in the alerts. See [User tags in Office 356 ATP](../security/defender-365-security/user-tags.md) to learn more.
+- **Tags.** Use this filter to show alerts from one or more user tags. Tags are reflected based on tagged mailboxes or users that appear in the alerts. See [User tags in Office 356 ATP](../security/office-365-security/user-tags.md) to learn more.
- **Source.** Use this filter to show alerts triggered by alert policies in the security and compliance center or alerts triggered by Office 365 Cloud App Security policies, or both. For more information about Office 365 Cloud App Security alerts, see [Viewing Cloud App Security alerts](#viewing-cloud-app-security-alerts).
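Review bot: The Tags bullet keeps the link text "User tags in Office 356 ATP". "356" is a typo for 365, and "ATP" is the older product name while the rest of this file says Defender for Office 365. Correct both in the same pass as the path change.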
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
Use this option to assign users to specific role groups to segment communication
9. Select **Close** to complete the steps.
-For more information about role groups and permissions, see [Permissions in the Compliance Center](../security/defender-365-security/protect-against-threats.md).
+For more information about role groups and permissions, see [Permissions in the Compliance Center](../security/office-365-security/protect-against-threats.md).
## Step 2 (required): Enable the audit log
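Review bot: The link labelled "Permissions in the Compliance Center" points to protect-against-threats.md, so the text and the target do not agree. The other compliance articles in this update link the same topic to permissions-in-the-security-and-compliance-center.md. Check whether that is the intended target here, since a reader following this link for role group guidance lands on a threat protection article.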
compliance Compliance Manager Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-setup.md
To set permissions and assign roles in the Office 365 Security & Compliance cent
##### More about the Office 365 Security & Compliance Center
-Learn more about [permissions in the Office 365 Security & Compliance Center](../security/defender-365-security/permissions-in-the-security-and-compliance-center.md).
+Learn more about [permissions in the Office 365 Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
If you don't have access to the Office 365 Security and Compliance Center, or if you need to access the classic version of Compliance Manager in the Microsoft Service Trust Portal, the Admin settings in the Service Trust Portal provides another way to assign roles ([view instructions](meet-data-protection-and-regulatory-reqs-using-microsoft-cloud.md#assigning-compliance-manager-roles-to-users)). Be aware that such roles are more limited in their functionality.
compliance Compliance Quick Tasks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-quick-tasks.md
ItΓÇÖs important to manage who in your organization has access to the Microsoft
Start by assigning compliance permissions to the people in your organization so that they can perform these tasks and to prevent unauthorized people from having access to areas outside of their responsibilities. YouΓÇÖll want to make sure that youΓÇÖve assigned the proper people to the **Compliance data administrator** and the **Compliance administrator** admin roles before you start to configure and implement compliance solutions included with Microsoft 365. YouΓÇÖll also need to assign users to the Azure Active Directory global reader role to view data in Compliance Manager.
-For step-by-step guidance to configure permissions and assign people to admin roles, see [Permissions in the Security & Compliance Center](../security/defender-365-security/permissions-in-the-security-and-compliance-center.md).
+For step-by-step guidance to configure permissions and assign people to admin roles, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
## Task 2: Know your state of compliance
For step-by-step guidance to get started with Compliance Manager, see [Get start
> >Check your [Microsoft 365 Secure Score](../security/defender/microsoft-secure-score.md) in the Microsoft 365 security center and completing the tasks outlined in the following articles: >
-> - [Security roadmap - Top priorities for the first 30 days, 90 days, and beyond](../security/defender-365-security/security-roadmap.md)
+> - [Security roadmap - Top priorities for the first 30 days, 90 days, and beyond](../security/office-365-security/security-roadmap.md)
> - [Top 12 tasks for security teams to support working from home](../security/top-security-tasks-for-remote-work.md) ## Task 3: Enable auditing for your organization
compliance Create Activity Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-activity-alerts.md
You can create an activity alert that will send you an email notification when u
## Confirm roles and configure audit logging -- You must be assigned the Organization Configuration role in the Security & Compliance Center to manage activity alerts. By default, this role is assigned to the Compliance Administrator and Organization Management role groups. For more information about adding members to role groups, see [Give users access to the Security & Compliance Center](../security/defender-365-security/grant-access-to-the-security-and-compliance-center.md).
+- You must be assigned the Organization Configuration role in the Security & Compliance Center to manage activity alerts. By default, this role is assigned to the Compliance Administrator and Organization Management role groups. For more information about adding members to role groups, see [Give users access to the Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
- You (or another admin) must first turn on audit logging for your organization before you can start using activity alerts. To do this, just click **Start recording user and admin activity** on the **Activity alerts** page. (If you don't see this link, auditing has already been turned on for your organization.) You can also turn on auditing on the **Audit log search** page in the Security & Compliance Center (go to **Search** \> **Audit log search**). You only have to do this once for your organization.
compliance Create Test Tune Dlp Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-test-tune-dlp-policy.md
Members of your compliance team who will create DLP policies need permissions to
Use the **View-Only DLP Compliance Management** role to create role group with view-only privileges to the DLP policies and DLP reports.
-For more information, see [Give users access to the Office 365 Compliance Center](../security/defender-365-security/grant-access-to-the-security-and-compliance-center.md).
+For more information, see [Give users access to the Office 365 Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
These permissions are required to create and apply a DLP policy not to enforce policies.
compliance Data Loss Prevention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-loss-prevention-policies.md
Members of your compliance team who will create DLP policies need permissions to
You can also create a role group with view-only privileges to the DLP policies and DLP reports by granting the **View-Only DLP Compliance Management** role.
-For more information, see [Give users access to the Office 365 Compliance Center](../security/defender-365-security/grant-access-to-the-security-and-compliance-center.md).
+For more information, see [Give users access to the Office 365 Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
These permissions are required only to create and apply a DLP policy. Policy enforcement does not require access to the content.
compliance Data Spillage Scenariosearch And Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-spillage-scenariosearch-and-purge.md
To further investigate if email with spilled data was shared, you can optionally
You can use Message trace in the security and compliance center or use the corresponding cmdlets in Exchange Online PowerShell. It's important to note that message tracing doesn't offer full guarantees on the completeness of data returned. For more information about using Message trace, see: -- [Message trace in the Security & Compliance Center](../security/defender-365-security/message-trace-scc.md)
+- [Message trace in the Security & Compliance Center](../security/office-365-security/message-trace-scc.md)
- [New Message Trace in Security & Compliance Center](https://blogs.technet.microsoft.com/exchange/2018/05/02/new-message-trace-in-office-365-security-compliance-center/)
compliance Define Mail Flow Rules To Encrypt Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email.md
If you haven't yet moved your organization to the new OME capabilities, Microsof
[Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules)
-[Mail flow rules (transport rules) in Exchange Online Protection](../security/defender-365-security/mail-flow-rules-transport-rules-0.md)
+[Mail flow rules (transport rules) in Exchange Online Protection](../security/office-365-security/mail-flow-rules-transport-rules-0.md)
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
To grant users just the permissions they need for disposition reviews without gr
Additionally, to view the contents of items during the disposition process, add users to the following two role groups: **Content Explorer Content Viewer** and **Content Explorer List Viewer**. If users don't have the permissions from these role groups, they can still select a disposition review action to complete the disposition review, but must do so without being able to view the item's contents from the compliance center.
-For instructions to configure these permissions, see [Give users access to the Office 365 Security & Compliance Center](../security/defender-365-security/grant-access-to-the-security-and-compliance-center.md).
+For instructions to configure these permissions, see [Give users access to the Office 365 Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
### Enable auditing
compliance Download Existing Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/download-existing-reports.md
description: "Learn how to download one or more existing reports in the Security
# Download existing reports in the Security &amp; Compliance Center
-In the [Security &amp; Compliance Center](https://protection.office.com), several [reports and insights](../security/defender-365-security/reports-and-insights-in-security-and-compliance.md) are available to help your organization's security team mitigate and address threats to your organization. If you're a member of your organization's security team, you can download one or more existing reports.
+In the [Security &amp; Compliance Center](https://protection.office.com), several [reports and insights](../security/office-365-security/reports-and-insights-in-security-and-compliance.md) are available to help your organization's security team mitigate and address threats to your organization. If you're a member of your organization's security team, you can download one or more existing reports.
## Download existing reports > [!IMPORTANT]
-> Make sure that you have the necessary [permissions assigned in the Security &amp; Compliance Center](../security/defender-365-security/protect-against-threats.md). In general, global administrators, security administrators, and security readers can access reports in the Security &amp; Compliance Center.
+> Make sure that you have the necessary [permissions assigned in the Security &amp; Compliance Center](../security/office-365-security/protect-against-threats.md). In general, global administrators, security administrators, and security readers can access reports in the Security &amp; Compliance Center.
1. In the [Security &amp; Compliance Center](https://protection.office.com), go to **Reports** \> **Reports for download**.
In the [Security &amp; Compliance Center](https://protection.office.com), severa
## Related topics
-[Reports and insights in the Security &amp; Compliance Center](../security/defender-365-security/reports-and-insights-in-security-and-compliance.md)
+[Reports and insights in the Security &amp; Compliance Center](../security/office-365-security/reports-and-insights-in-security-and-compliance.md)
-[Create a schedule for a report in the Security &amp; Compliance Center](../security/defender-365-security/view-reports-for-mdo.md)
+[Create a schedule for a report in the Security &amp; Compliance Center](../security/office-365-security/view-reports-for-mdo.md)
-[Manage schedules for reports in the Security &amp; Compliance Center](../security/defender-365-security/view-reports-for-mdo.md)
+[Manage schedules for reports in the Security &amp; Compliance Center](../security/office-365-security/view-reports-for-mdo.md)
-[Download a custom report in the Security &amp; Compliance Center](../security/defender-365-security/view-reports-for-mdo.md)
+[Download a custom report in the Security &amp; Compliance Center](../security/office-365-security/view-reports-for-mdo.md)
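Review bot: In the Related topics list, "Create a schedule for a report", "Manage schedules for reports" and "Download a custom report" all resolve to the same target, view-reports-for-mdo.md, both before and after the path rename. Three differently titled links that land on one page read as three separate procedures. Suggest collapsing them into a single entry named for the target article, or adding section anchors if the target covers each task.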
compliance Encryption Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/encryption-sensitivity-labels.md
For more information, prerequisites, and configuration instructions, see [Double
> [!IMPORTANT] > Not all labeling clients support all the options that let users assign their own permissions. Use this section to learn more.
-You can use these options to let users assign permissions when they manually apply a sensitivity label to content:
+You can use the following options to let users assign permissions when they manually apply a sensitivity label to content:
-- In Outlook, a user can select restrictions equivalent to the [Do Not Forward](/azure/information-protection/configure-usage-rights#do-not-forward-option-for-emails) option or [Encrypt-only](/azure/information-protection/configure-usage-rights#encrypt-only-option-for-emails) for their chosen recipients.
+- In Outlook, a user can select restrictions equivalent to the [Do Not Forward](/azure/information-protection/configure-usage-rights#do-not-forward-option-for-emails) option or [Encrypt-only](/azure/information-protection/configure-usage-rights#encrypt-only-option-for-emails) (currently rolling out) for their chosen recipients.
The Do Not Forward option is supported by all email clients that support sensitivity labels. However, applying the **Encrypt-Only** option with a sensitivity label is a recent release that's supported only by built-in labeling and not the Azure Information Protection unified labeling client. For email clients that don't support this capability, the label won't be visible.
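Review bot: The added "(currently rolling out)" on the Outlook bullet is a time-bound status that sits directly above a paragraph already describing the same option as "a recent release", so availability is stated twice in two different ways. The option is also spelled "Encrypt-only" in the bullet and "**Encrypt-Only**" in the paragraph. Suggest stating availability once, in the paragraph that already says which labeling clients support it, and using one casing. That paragraph is the part admins need, because it says the label won't be visible in email clients that lack support.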
compliance Endpoint Dlp Configure Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-configure-proxy.md
The WinHTTP configuration setting is independent of the Windows Internet (WinINe
> If youΓÇÖre using Transparent proxy or WPAD in your network topology, you donΓÇÖt need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see [Enable access to Endpoint DLP cloud service URLs in the proxy server](#enable-access-to-endpoint-dlp-cloud-service-urls-in-the-proxy-server). - Manual static proxy configuration:
- - Registry based configuration
+ - Registry-based configuration
- WinHTTP configured using netsh command ΓÇô Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) ## Configure the proxy server manually using a registry-based static proxy
Use netsh to configure a system-wide static proxy.
> [!NOTE] > This will affect all applications including Windows services which use WinHTTP with default proxy. - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
-1. Open an elevated command-line:
+1. Open an elevated command line:
1. Go to **Start** and type **cmd** 1. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**:
See [Netsh Command Syntax, Contexts, and Formatting](/windows-server/networking/
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
-This [downloadable spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.
+This [downloadable spreadsheet](https://download.microsoft.com/download/8/e-urls.xlsx) lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. If a proxy or firewall is blocking anonymous traffic, as Endpoint DLP is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
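Review bot: After the spreadsheet link is repointed, the trailing context still says "the domains listed in the above table" and "the previously listed URLs", but the only list this hunk shows is the downloadable sheet. Suggest rewording both references to name the spreadsheet, so it is unambiguous which domains get the HTTPS-scanning exclusion and the anonymous-traffic allowance. Since readers build proxy and firewall allow rules from this file, it is also worth confirming that the new link resolves to the intended sheet.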
Verify the proxy configuration completed successfully, that WinHTTP can discover
1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Endpoint DLP is running on. 2. Extract the contents of MDATPClientAnalyzer.zip on the device.
-3. Open an elevated command-line:
+3. Open an elevated command line:
1. Go to **Start** and type **cmd**. 1. Right-click **Command prompt** and select **Run as administrator**. 4. Enter the following command and press **Enter**:
Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was dow
6. Open **MDATPClientAnalyzerResult.txt** and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the **MDATPClientAnalyzerResult.txt** file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
- **Testing URL : https://xxx.microsoft.com/xxx </br>
+ **Testing URL: https://xxx.microsoft.com/xxx </br>
1 - Default proxy: Succeeded (200) </br> 2 - Proxy auto discovery (WPAD): Succeeded (200)</br> 3 - Proxy disabled: Succeeded (200)</br> 4 - Named proxy: Doesn't exist</br>
-5 - Command line proxy: Doesn't exist**</br>
+5 - Command-line proxy: Doesn't exist**</br>
If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.
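Review bot: The edits to "Testing URL:" and "Command-line proxy" change text that the preceding step presents as what the tool prints into MDATPClientAnalyzerResult.txt, so a style fix here can make the sample differ from the file a reader is comparing it against. Suggest keeping the sample verbatim to the tool's output and applying the hyphenation style only to the surrounding prose. The sample would also read better as a literal block than as a bold span that opens on the "Testing URL" line and closes several `</br>` lines later.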
compliance Get Started With Records Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-records-management.md
Members of your compliance team who are responsible for records management need
For a read-only role, you can create a new role group and add the **View-Only Record Management** role to this group.
-For more information about role groups and roles, see [Permissions in the Security & Compliance Center](../security/defender-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center).
+For more information about role groups and roles, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center).
-For instructions to add users to role groups and assign roles, see [Give users access to the Security & Compliance Center](../security/defender-365-security/grant-access-to-the-security-and-compliance-center.md).
+For instructions to add users to role groups and assign roles, see [Give users access to the Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
These permissions are required only to create, configure, and apply retention labels that declare records, and manage disposition. The person configuring these labels doesn't require access to the content.
compliance Get Started With Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-retention.md
Members of your compliance team who will create and manage retention policies an
Alternatively to using this default role, you can create a new role group and add the **Retention Management** role to this group. For a read-only role, use **View-Only Retention Management**.
-For more information about role groups and roles, see [Permissions in the Security & Compliance Center](../security/defender-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center).
+For more information about role groups and roles, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center).
-For instructions to add users to role groups and assign roles, see [Give users access to the Security & Compliance Center](../security/defender-365-security/grant-access-to-the-security-and-compliance-center.md).
+For instructions to add users to role groups and assign roles, see [Give users access to the Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
These permissions are required only to create, configure, and apply retention policies and retention labels. The person configuring these policies and labels doesn't require access to the content.
compliance Get Started With Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
By default, global administrators for your tenant have access to these admin cen
Alternatively to using the default roles, you can create a new role group and add either **Sensitivity Label Administrator** or **Organization Configuration** roles to this group. For a read-only role, use **Sensitivity Label Reader**.
-For instructions to add users to the default roles or create your own role groups, see [Give users access to the Office 365 Security & Compliance Center](../security/defender-365-security/grant-access-to-the-security-and-compliance-center.md).
+For instructions to add users to the default roles or create your own role groups, see [Give users access to the Office 365 Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
These permissions are required only to create and configure sensitivity labels and their label policies. They are not required to apply the labels in apps or services. If additional permissions are needed for specific configurations that relate to sensitivity labels, those permissions will be listed in their respective documentation instructions.
compliance Information Barriers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers.md
To [define or edit information barrier policies](information-barriers-policies.m
- Compliance administrator - IB Compliance Management
-(To learn more about roles and permissions, see [Permissions in the Office 365 Security & Compliance Center](../security/defender-365-security/permissions-in-the-security-and-compliance-center.md).)
+(To learn more about roles and permissions, see [Permissions in the Office 365 Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).)
You must be familiar with PowerShell cmdlets in order to define, validate, or edit information barrier policies. Although we provide several examples of PowerShell cmdlets in the [how-to article](information-barriers-policies.md), you'll need to know other details, such as parameters, for your organization.
compliance Legacy Information For Message Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/legacy-information-for-message-encryption.md
When an encrypted reply is sent from the encryption portal or through the OME Vi
**Q. I am an Exchange Hosted Encryption (EHE) subscriber. Where can I learn more about the upgrade to Office 365 Message Encryption?**
-All EHE customers have been upgraded to Office 365 Message Encryption. For more information, visit the [Exchange Hosted Encryption Upgrade Center](../security/defender-365-security/exchange-online-protection-overview.md).
+All EHE customers have been upgraded to Office 365 Message Encryption. For more information, visit the [Exchange Hosted Encryption Upgrade Center](../security/office-365-security/exchange-online-protection-overview.md).
**Q. Do I need to open any URLs, IP addresses, or ports in my organization's firewall to support Office 365 Message Encryption?**
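Review bot: On the changed line the link text is "Exchange Hosted Encryption Upgrade Center", but the target is exchange-online-protection-overview.md both before and after the rename, so the label promises a page the link does not go to. Since the same sentence says all EHE customers have already been upgraded, suggest either relabeling the link to match the Exchange Online Protection overview or dropping the "visit the Upgrade Center" sentence.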
compliance Microsoft 365 Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center.md
You can also use the **Add cards** feature to add additional cards, such as one
## Easy navigation to more compliance features and capabilities
-In addition to links in cards on the home page, you'll see a navigation pane on the left side of the screen that gives you easy access to your [alerts](../security/defender-365-security/alerts.md), [reports](reports-in-security-and-compliance.md), [policies](alert-policies.md), compliance solutions, and more. To add or remove options for a customized navigation pane, use the **Customize navigation** control on the navigation pane. This opens the **Customize your navigation pane** settings so you can configure which items appear in the navigation pane.
+In addition to links in cards on the home page, you'll see a navigation pane on the left side of the screen that gives you easy access to your [alerts](../security/office-365-security/alerts.md), [reports](reports-in-security-and-compliance.md), [policies](alert-policies.md), compliance solutions, and more. To add or remove options for a customized navigation pane, use the **Customize navigation** control on the navigation pane. This opens the **Customize your navigation pane** settings so you can configure which items appear in the navigation pane.
| | | |||
-|![Navigation in the Microsoft 365 compliance center](../medi) <br> Automate and simplify the retention schedule for regulatory, legal and business-critical records in your organization.
+|![Navigation in the Microsoft 365 compliance center](../medi) <br> Automate and simplify the retention schedule for regulatory, legal and business-critical records in your organization.
## How do I get the compliance center?
compliance Ome Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-faq.md
Yes! For information on customizing email messages and the OME portal, see Add y
## Are there any reporting capabilities or insights for encrypted emails?
-There is an Encryption report in the Security and Compliance Center. See [View email security reports in the Security & Compliance Center](../security/defender-365-security/view-email-security-reports.md).
+There is an Encryption report in the Security and Compliance Center. See [View email security reports in the Security & Compliance Center](../security/office-365-security/view-email-security-reports.md).
## Can I use message encryption with compliance features such as eDiscovery?
compliance Permissions Filtering For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
Search permissions filtering is supported by the Content Search feature in the S
## Requirements to configure permissions filtering -- To run the compliance security filter cmdlets, you have to be a member of the Organization Management role group in the Security & Compliance Center. For more information, see [Permissions in the Security & Compliance Center](../security/defender-365-security/permissions-in-the-security-and-compliance-center.md).
+- To run the compliance security filter cmdlets, you have to be a member of the Organization Management role group in the Security & Compliance Center. For more information, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
- You have to connect to both Exchange Online and Security & Compliance Center PowerShell to use the compliance security filter cmdlets. This is necessary because these cmdlets require access to mailbox properties, which is why you have to connect to Exchange Online PowerShell. See the steps in the next section.
compliance Plan For Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/plan-for-security-and-compliance.md
Protecting access to your Microsoft 365 data and services is crucial to defendin
- [Protect access to data and services in Office 365](protect-access-to-data-and-services.md) -- [Secure email policies and configurations](../security/defender-365-security/secure-email-recommended-policies.md)
+- [Secure email policies and configurations](../security/office-365-security/secure-email-recommended-policies.md)
[PDF](https://go.microsoft.com/fwlink/p/?linkid=841656) | [Visio](https://go.microsoft.com/fwlink/p/?linkid=841657) | [More languages](https://www.microsoft.com/download/details.aspx?id=55032)
The Security &amp; Compliance Center gives you a single view into the controls y
- [Go to the Security &amp; Compliance Center](./microsoft-365-compliance-center.md) -- [Permissions in the Security &amp; Compliance Center](~/security/defender-365-security/protect-against-threats.md)
+- [Permissions in the Security &amp; Compliance Center](~/security/office-365-security/protect-against-threats.md)
-- [Give users access to the Security &amp; Compliance Center](~/security/defender-365-security/grant-access-to-the-security-and-compliance-center.md)
+- [Give users access to the Security &amp; Compliance Center](~/security/office-365-security/grant-access-to-the-security-and-compliance-center.md)
## Step 6: Use end-to-end security scenarios as starting points Use these recommended configurations as a starting point for enterprise scale or sophisticated access security scenarios. -- [Secure email policies and configurations](../security/defender-365-security/secure-email-recommended-policies.md)
+- [Secure email policies and configurations](../security/office-365-security/secure-email-recommended-policies.md)
- [Contoso in the Microsoft Cloud](../enterprise/contoso-case-study.md)
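Review bot: The link titled "Permissions in the Security & Compliance Center" points to protect-against-threats.md, while other articles in this same update use that title for permissions-in-the-security-and-compliance-center.md. A reader looking for role and permission guidance lands on a threat-protection article instead. Suggest pointing it at the permissions article. The two links in this list also use a `~/security/...` prefix where the neighbouring "Secure email policies" links use `../security/...`, so it would be cleaner to pick one form while the paths are being touched.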
compliance Protect Access To Data And Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/protect-access-to-data-and-services.md
The administrative accounts you use to administer your Microsoft 365 environment
Begin by using administrator accounts only for administration. Admins should have a separate user account for regular, non-administrative use and only use their administrative account when necessary to complete a task associated with their job function.
-Protect your administrator accounts with multi-factor authentication and conditional access. For more information, see [Protecting administrator accounts](../security/defender-365-security/identity-access-prerequisites.md#protecting-administrator-accounts).
+Protect your administrator accounts with multi-factor authentication and conditional access. For more information, see [Protecting administrator accounts](../security/office-365-security/identity-access-prerequisites.md#protecting-administrator-accounts).
Next, configure privileged access management in Office 365. Privileged access management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.
Another top recommendation is to use workstations specifically configured for ad
Finally, you can mitigate the impact of inadvertent lack of administrative access by creating two or more emergency access accounts in your tenant. See [Manage emergency access accounts in Azure AD](/azure/active-directory/users-groups-roles/directory-emergency-access). ## Step 3: Configure recommended identity and device access policies
-Multi-factor authentication (MFA) and conditional access policies are powerful tools for mitigating against compromised accounts and unauthorized access. We recommend implementing a set of policies that have been tested together. For more information, including deployment steps, see [Identity and device access configurations](../security/defender-365-security/microsoft-365-policies-configurations.md).
+Multi-factor authentication (MFA) and conditional access policies are powerful tools for mitigating against compromised accounts and unauthorized access. We recommend implementing a set of policies that have been tested together. For more information, including deployment steps, see [Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md).
These policies implement the following capabilities: - Mult-factor authentication
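Review bot: The capabilities list right under the changed paragraph reads "Mult-factor authentication", while the changed line itself spells it "Multi-factor authentication (MFA)". Suggest fixing the typo in the same commit and, while here, tightening "mitigating against compromised accounts" to "mitigating compromised accounts".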
Implementing Intune device compliance requires device enrollment. Managing devic
## Step 4: Configure SharePoint device access policies
-Microsoft recommends you protect content in SharePoint sites with sensitive and highly-regulated content with device access controls. For more information, see [Policy recommendations for securing SharePoint sites and files](../security/defender-365-security/sharepoint-file-access-policies.md).
+Microsoft recommends you protect content in SharePoint sites with sensitive and highly-regulated content with device access controls. For more information, see [Policy recommendations for securing SharePoint sites and files](../security/office-365-security/sharepoint-file-access-policies.md).
compliance Records Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/records-management.md
Use the following capabilities to support your records management solution in Mi
- **Export information about all disposed items** with the [export option](disposition.md#filter-and-export-the-views). -- **Set specific permissions** for records manager functions in your organization to [have the right access](../security/defender-365-security/permissions-in-the-security-and-compliance-center.md).
+- **Set specific permissions** for records manager functions in your organization to [have the right access](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
Using these capabilities, you can incorporate your organization's retention schedules and requirements into a records management solution that manages retention, records declaration, and disposition, to support the full lifecycle of your content.
compliance Revoke Ome Encrypted Mail https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/revoke-ome-encrypted-mail.md
There are multiple ways to find the Message ID of the email that you want to rev
#### To identify the Message ID of the email you want to revoke by using Office Message Encryption reports in the Security &amp; Compliance Center
-1. In the Security &amp; Compliance Center, navigate to the **Message encryption report**. For information on this report, see [View email security reports in the Security &amp; Compliance Center](../security/defender-365-security/view-email-security-reports.md).
+1. In the Security &amp; Compliance Center, navigate to the **Message encryption report**. For information on this report, see [View email security reports in the Security &amp; Compliance Center](../security/office-365-security/view-email-security-reports.md).
2. Choose the **View details** table and identify the message that you want to revoke.
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
The following table lists the activities in content explorer that are logged in
### Quarantine activities
-The following table lists the quarantine activities that you can search for in the audit log. For more information about quarantine, see [Quarantine email messages in Office 365](../security/defender-365-security/quarantine-email-messages.md).
+The following table lists the quarantine activities that you can search for in the audit log. For more information about quarantine, see [Quarantine email messages in Office 365](../security/office-365-security/quarantine-email-messages.md).
|Friendly name|Operation|Description| |:--|:--|:--|
compliance Set Up Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-encryption.md
With Office 365, several encryption capabilities are available by default. Addit
|Files are saved on Windows computers <br/> |Encryption at the computer level can be done using BitLocker on Windows devices. As an enterprise administrator or IT Pro, you can set this up using the Microsoft Deployment Toolkit (MDT). See [Set up MDT for BitLocker](/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker). <br/> | |Files are saved on mobile devices <br/> |Some kinds of mobile devices encrypt files that are saved to those devices by default. With [Capabilities of built-in Mobile Device Management for Office 365](https://support.microsoft.com/en-us/office/capabilities-of-built-in-mobile-device-management-for-microsoft-365-a1da44e5-7475-4992-be91-9ccec25905b0), you can set policies that determine whether to allow mobile devices to access data in Office 365. For example, you can set a policy that allows only devices that encrypt content to access Office 365 data. See [Create and deploy device security policies](https://support.microsoft.com/office/create-and-deploy-device-security-policies-d310f556-8bfb-497b-9bd7-fe3c36ea2fd6). <br/> For additional control over how mobile devices interact with Office 365, you can consider adding [Microsoft Intune](/mem/intune/fundamentals/setup-steps). <br/> | |You need control over the encryption keys used to encrypt your data in Microsoft's data centers <br/> | As an Office 365 administrator, you can control your organization's encryption keys and then configure Office 365 to use them to encrypt your data at rest in Microsoft's data centers. <br/> [Service encryption with Customer Key in Office 365](customer-key-overview.md) <br/> |
-|People are communicating via email (Exchange Online) <br/> | As an Exchange Online administrator, you have several options for configuring email encryption. These include: <br/> Using [Office 365 message encryption (OME)](set-up-new-message-encryption-capabilities.md) with Azure Rights Management (Azure RMS) to enable people to send encrypted messages inside or outside your organization <br/> Using [S/MIME for message signing and encryption](../security/defender-365-security/s-mime-for-message-signing-and-encryption.md) to encrypt and digitally sign email messages <br/> Using TLS to [set up connectors for secure mail flow with another organization](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner) <br/> See [Email encryption in Office 365](./email-encryption.md). <br/> |
+|People are communicating via email (Exchange Online) <br/> | As an Exchange Online administrator, you have several options for configuring email encryption. These include: <br/> Using [Office 365 message encryption (OME)](set-up-new-message-encryption-capabilities.md) with Azure Rights Management (Azure RMS) to enable people to send encrypted messages inside or outside your organization <br/> Using [S/MIME for message signing and encryption](../security/office-365-security/s-mime-for-message-signing-and-encryption.md) to encrypt and digitally sign email messages <br/> Using TLS to [set up connectors for secure mail flow with another organization](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner) <br/> See [Email encryption in Office 365](./email-encryption.md). <br/> |
|Files are accessed from team sites or document libraries (OneDrive for Business or SharePoint Online) <br/> |When people are working with files saved to OneDrive for Business or SharePoint Online, TLS connections are used. This is built into Office 365 automatically. See [Data Encryption in OneDrive for Business and SharePoint Online](./data-encryption-in-odb-and-spo.md). <br/> | |Files are shared in online meetings and IM conversations (Skype for Business Online) <br/> |When people are working with files using Skype for Business Online, TLS is used for the connection. This is built into Office 365 automatically. See [Security and Archiving (Skype for Business Online)](/office365/servicedescriptions/skype-for-business-online-service-description/skype-for-business-online-features). <br/> | |Files are shared in online meetings and IM conversations (Microsoft Teams) <br/> |When people are working with files using Microsoft Teams, TLS is used for the connection. This is built into Office 365 automatically. Microsoft Teams does not currently support inline rendering of encrypted email. To prevent encrypted email from landing in Microsoft Teams as encrypted, see [Message Encryption FAQ](./ome-faq.md?view=o365-worldwide#can-i-automatically-remove-encryption-on-incoming-and-outgoing-mail). <br/>
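Review bot: in the Microsoft Teams row that trails this hunk, the link `./ome-faq.md?view=o365-worldwide#can-i-automatically-remove-encryption-on-incoming-and-outgoing-mail` hard-codes a `view` query on a relative link, unlike the other relative links visible in this table. Dropping `?view=o365-worldwide` keeps the link style consistent and avoids pinning readers to one view while this table is being touched for link paths.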
enterprise Assign Licenses To User Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-licenses-to-user-accounts.md
For more informaion, see [group-based licensing in Azure AD](/azure/active-direc
With the appropriate set of user accounts that have been assigned licenses, you are now ready to: -- [Implement security](../security/defender-365-security/security-roadmap.md)
+- [Implement security](../security/office-365-security/security-roadmap.md)
- [Deploy client software, such as Microsoft 365 Apps](/DeployOffice/deployment-guide-microsoft-365-apps) - [Set up device management](device-management-roadmap-microsoft-365.md) - [Configure services and applications](configure-services-and-applications.md)
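Review bot: the leading context line for this hunk reads "For more informaion, see [group-based licensing in Azure AD]"; correct the spelling to "information" in the same pass, since the file is already being edited for its links.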
enterprise Cloud Only Prereqs M365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-only-prereqs-m365-test-environment.md
description: Create a Microsoft 365 environment to test identity and device acce
*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.*
-[Identity and device access configurations](../security/defender-365-security/microsoft-365-policies-configurations.md) are a set of recommended configurations and conditional access policies to protect access to all services that are integrated with Azure Active Directory (Azure AD).
+[Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) are a set of recommended configurations and conditional access policies to protect access to all services that are integrated with Azure Active Directory (Azure AD).
-This article describes how to configure a Microsoft 365 test environment that meets the requirements of the [cloud only prerequisite configuration](../security/defender-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
+This article describes how to configure a Microsoft 365 test environment that meets the requirements of the [cloud only prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
There are eight phases to setting up this test environment:
For Skype for Business Online:
Get-CsOAuthConfiguration ```
-The result is a test environment that meets the requirements of the [cloud-only prerequisite configuration](../security/defender-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
+The result is a test environment that meets the requirements of the [cloud-only prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
## Next step
-Use [Common identity and device access policies](../security/defender-365-security/identity-access-policies.md) to configure the policies that build on the prerequisites and protect identities and devices.
+Use [Common identity and device access policies](../security/office-365-security/identity-access-policies.md) to configure the policies that build on the prerequisites and protect identities and devices.
## See also
enterprise Configure Services And Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-services-and-applications.md
If you want help getting Microsoft 365 set up, use **[FastTrack](https://www.mic
|**Services & applications**|**Resources**| |:--|:--| |**Microsoft 365 Suite** |- [Add your company branding to Microsoft 365 Sign In Page](https://support.office.com/article/Add-your-company-branding-to-Office-365-Sign-In-Page-a1229cdb-ce19-4da5-90c7-2b9b146aef0a) <br> - [Add customized help desk info to the Microsoft 365 help pane](https://support.office.com/article/Add-customized-help-desk-info-to-the-Office-365-help-pane-9dd9b104-68f7-4d49-9a30-82561c7d79a3) <br> - [Add integration with Azure AD and other applications](https://support.office.com/article/Integrated-Apps-and-Azure-AD-for-Office-365-administrators-cb2250e3-451e-416f-bf4e-363549652c2a). <br> - [Learn more about using groups](https://support.office.com/Article/Learn-more-about-groups-b565caa1-5c40-40ef-9915-60fdb2d97fa2) to collaborate with email, calendar, documents, and chat <br> - [Activate and use mobile device management in Microsoft 365](https://support.office.microsoft.com/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd) <br> - [Monitor Microsoft 365 connectivity](monitor-connectivity.md) |
-|**Email** <br> (Exchange Online) | - Get ready to migrate with [Exchange Hybrid using the Exchange Deployment Assistant](https://technet.microsoft.com/exdeploy2013) <br> - Use the [Exchange migration advisor](https://aka.ms/office365setup) to get customized set up guidance <br> - [Set up Exchange Online Protection](../security/defender-365-security/set-up-your-eop-service.md) |
+|**Email** <br> (Exchange Online) | - Get ready to migrate with [Exchange Hybrid using the Exchange Deployment Assistant](https://technet.microsoft.com/exdeploy2013) <br> - Use the [Exchange migration advisor](https://aka.ms/office365setup) to get customized set up guidance <br> - [Set up Exchange Online Protection](../security/office-365-security/set-up-your-eop-service.md) |
|**Sites** <br> (SharePoint Online) | -Configure hybrid functionality for [SharePoint Server 2013](/SharePoint/hybrid/hybrid)<br> - [Create and use site templates](https://support.office.com/article/Create-and-use-site-templates-60371B0F-00E0-4C49-A844-34759EBDD989) to customize the look and feel of SharePoint Online <br> - Use the [SharePoint Online Planning Guide](https://support.office.com/article/SharePoint-Online-Planning-Guide-for-Office-365-for-business-d5089cdf-3fd2-4230-acbd-20ecda2f9bb8) or the [SharePoint Online deployment advisor](https://aka.ms/spoguidance) to plan and configure additional features <br> - Manage your [Video portal](https://support.office.com/article/Manage-your-Office-365-Video-portal-c059465b-eba9-44e1-b8c7-8ff7793ff5da) | |**IM and online meetings** <br> (Skype for Business Online) | - Configure hybrid functionality for [Lync Server 2013](/previous-versions/office/lync-server-2013/lync-server-2013-lync-server-2013-hybrid) or [Skype for Business 2015](/skypeforbusiness/hybrid/plan-hybrid-connectivity?bc=%2fSkypeForBusiness%2fbreadcrumb%2ftoc.json&toc=%2fSkypeForBusiness%2ftoc.json)<br> - [Set up Skype for Business Online](https://support.office.com/article/Set-up-Skype-for-Business-Online-40296968-e779-4259-980b-c2de1c044c6e) and configure common features such as call routing, conference calling, and sharing <br> - Use the [Skype for Business deployment advisor](/MicrosoftTeams/faq-journey) to get customized set up guidance | | **File storage & sharing** <br> (OneDrive for Business and SharePoint Online) | - [Set up Microsoft 365 file storage and sharing](https://support.office.com/article/7aa9cdc8-2245-4218-81ee-86fa7c35f1de#BKMK_WhatDif): Learn when you should use OneDrive for Business to store files and when you should use ShharePoint Online team sites <br> - [Set up file storage and sharing](https://support.office.com/article/7aa9cdc8-2245-4218-81ee-86fa7c35f1de#BKMK_MoveDocsVideo): See how easy it is to upload files in OneDrive 
for Business and your SharePoint team site <br> - [Set up file storage and sharing](https://support.office.com/article/7aa9cdc8-2245-4218-81ee-86fa7c35f1de#BKMK_Store): Get all the steps for uploading files to OneDrive for Business and your team site. Learn tips for file sharing <br> - Use the [OneDrive for Business setup guide](https://aka.ms/OD4Bguidance) to get customized set up guidance |
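Review bot: the **File storage & sharing** row that trails this hunk contains the typo "ShharePoint Online team sites"; fix it to "SharePoint Online team sites" while this table is open for the Exchange Online Protection link change.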
enterprise Contoso Identity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-identity.md
Here's the server running Azure AD Connect polling the Contoso AD DS forest for
## Conditional Access policies for identity and device access
-Contoso created a set of Azure AD and Intune [Conditional Access policies](../security/defender-365-security/identity-access-policies.md) for three protection levels:
+Contoso created a set of Azure AD and Intune [Conditional Access policies](../security/office-365-security/identity-access-policies.md) for three protection levels:
- *Baseline* protections apply to all user accounts. - *Sensitive* protections apply to senior leadership and executive staff.
enterprise Contoso Info Protect https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-info-protect.md
Contoso followed these steps to prepare Microsoft 365 for enterprise for their i
As part of their rollout of Exchange Online and SharePoint, Contoso configured the following set of Conditional Access policies and applied them to the appropriate groups: -- [Managed and unmanaged application access on devices policies](../security/defender-365-security/identity-access-policies.md)-- [Exchange Online access policies](../security/defender-365-security/secure-email-recommended-policies.md)-- [SharePoint access policies](../security/defender-365-security/sharepoint-file-access-policies.md)
+- [Managed and unmanaged application access on devices policies](../security/office-365-security/identity-access-policies.md)
+- [Exchange Online access policies](../security/office-365-security/secure-email-recommended-policies.md)
+- [SharePoint access policies](../security/office-365-security/sharepoint-file-access-policies.md)
Here's resulting set of Contoso policies for information protection.
Learn how Contoso uses the [security features across Microsoft 365 for enterpris
## See also
-[Security roadmap](../security/defender-365-security/security-roadmap.md)
+[Security roadmap](../security/office-365-security/security-roadmap.md)
[Microsoft 365 for enterprise overview](microsoft-365-overview.md)
enterprise Contoso Security Summary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-security-summary.md
To follow security best practices and Microsoft 365 for enterprise deployment re
- Safer device and application access with Conditional Access policies
- Contoso is using [Conditional Access policies](../security/defender-365-security/microsoft-365-policies-configurations.md) for identity, devices, Exchange Online, and SharePoint. Identity Conditional Access policies include requiring password changes for high-risk users and blocking clients from using apps that don't support modern authentication. Device policies include the definition of approved apps and requiring compliant PCs and mobile devices. Exchange Online Conditional Access policies include blocking ActiveSync clients and setting up Office 365 message encryption. SharePoint Conditional Access policies include additional protection for sensitive and highly regulated sites.
+ Contoso is using [Conditional Access policies](../security/office-365-security/microsoft-365-policies-configurations.md) for identity, devices, Exchange Online, and SharePoint. Identity Conditional Access policies include requiring password changes for high-risk users and blocking clients from using apps that don't support modern authentication. Device policies include the definition of approved apps and requiring compliant PCs and mobile devices. Exchange Online Conditional Access policies include blocking ActiveSync clients and setting up Office 365 message encryption. SharePoint Conditional Access policies include additional protection for sensitive and highly regulated sites.
- Windows Hello for Business
enterprise Desktop Deployment Center Home https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/desktop-deployment-center-home.md
Use these resources to deploy modern desktops:
- [Windows 10 deployment](/windows/deployment/) - [Deploy Microsoft 365 Apps](/deployoffice/deployment-guide-microsoft-365-apps) - [Microsoft Intune](/mem/intune/fundamentals/planning-guide)-- [Identity and device access policies](../security/defender-365-security/microsoft-365-policies-configurations.md)
+- [Identity and device access policies](../security/office-365-security/microsoft-365-policies-configurations.md)
You can also view the [Desktop Deployment series videos from Microsoft Mechanics](https://www.aka.ms/watchhowtoshift).
enterprise Device Management Roadmap Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/device-management-roadmap-microsoft-365.md
Based on your assessment, get started managing your devices with:
## Identity and device access recommendations
-Microsoft provides a set of recommendations for [identity and device access](../security/defender-365-security/microsoft-365-policies-configurations.md) to ensure a secure and productive workforce. For device access, use the recommendations and settings in these articles:
+Microsoft provides a set of recommendations for [identity and device access](../security/office-365-security/microsoft-365-policies-configurations.md) to ensure a secure and productive workforce. For device access, use the recommendations and settings in these articles:
-- [Prerequisites](../security/defender-365-security/identity-access-prerequisites.md)-- [Common identity and device access policies](../security/defender-365-security/identity-access-policies.md)
+- [Prerequisites](../security/office-365-security/identity-access-prerequisites.md)
+- [Common identity and device access policies](../security/office-365-security/identity-access-policies.md)
## How Contoso did device management for Microsoft 365
enterprise External Domain Name System Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/external-domain-name-system-records.md
There are specific steps to take when you use [Office 365 URLs and IP address r
<a name="BKMK_SPFrecords"> </a> > [!IMPORTANT]
-> SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. In order to protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Office 365. To get started, see [Use DKIM to validate outbound email sent from your domain in Office 365](../security/defender-365-security/use-dkim-to-validate-outbound-email.md). Next, see [Use DMARC to validate email in Office 365](../security/defender-365-security/use-dmarc-to-validate-email.md).
+> SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. In order to protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Office 365. To get started, see [Use DKIM to validate outbound email sent from your domain in Office 365](../security/office-365-security/use-dkim-to-validate-outbound-email.md). Next, see [Use DMARC to validate email in Office 365](../security/office-365-security/use-dmarc-to-validate-email.md).
SPF records are TXT records that help to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain.
An email system that receives an email from your domain looks at the SPF record,
For scenarios where you're not just using Exchange Online email for Office 365 (for example, when you use email originating from SharePoint Online as well), use the following table to determine what to include in the value of the record. > [!NOTE]
-> If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. Learn how: [Set up SPF records in Office 365 to help prevent spoofing](../security/defender-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md). You can also learn much more about how SPF works with Office 365 by reading [How Office 365 uses Sender Policy Framework (SPF) to help prevent spoofing](../security/defender-365-security/how-office-365-uses-spf-to-prevent-spoofing.md).
+> If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. Learn how: [Set up SPF records in Office 365 to help prevent spoofing](../security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md). You can also learn much more about how SPF works with Office 365 by reading [How Office 365 uses Sender Policy Framework (SPF) to help prevent spoofing](../security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing.md).
| Number|If you're using… <br/> |Purpose <br/> |Add these includes <br/> | |:--|:--|:--|:--|
TXT Name @
Values: v=spf1 include:spf.protection.outlook.com include:mail.contoso.com -all ```
-These are some common examples that can help you adapt your existing SPF record when you add your domain to Office 365 for email. If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. Learn how: [Set up SPF records in Office 365 to help prevent spoofing](../security/defender-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md).
+These are some common examples that can help you adapt your existing SPF record when you add your domain to Office 365 for email. If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. Learn how: [Set up SPF records in Office 365 to help prevent spoofing](../security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md).
Here's a short link you can use to come back: [https://aka.ms/o365edns]()
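Review bot: the context line after this hunk, `Here's a short link you can use to come back: [https://aka.ms/o365edns]()`, has an empty link target, so the short link is rendered with nowhere to go. This commit is a link-fix pass over the file, so set the target to `(https://aka.ms/o365edns)` here as well.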
enterprise Identity Device Access M365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/identity-device-access-m365-test-environment.md
description: Create a Microsoft 365 environment to test identity and device acce
*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.*
-[Identity and device access configurations](../security/defender-365-security/microsoft-365-policies-configurations.md) are a set of recommended configurations and conditional access policies to protect access to all services that are integrated with Azure Active Directory (Azure AD).
+[Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) are a set of recommended configurations and conditional access policies to protect access to all services that are integrated with Azure Active Directory (Azure AD).
To create a test environment that has the common identity and device access configurations in place:
To create a test environment that has the common identity and device access conf
- [Password hash synchronization (PHS)](phs-prereqs-m365-test-environment.md) - [Pass-through authentication (PTA)](pta-prereqs-m365-test-environment.md)
-2. Use [Common identity and device access policies](../security/defender-365-security/identity-access-policies.md) to configure the policies that build on the prerequisites configured for your test environment and explore and verify protection for identities and devices.
+2. Use [Common identity and device access policies](../security/office-365-security/identity-access-policies.md) to configure the policies that build on the prerequisites configured for your test environment and explore and verify protection for identities and devices.
## See also
enterprise Identity Roadmap Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/identity-roadmap-microsoft-365.md
To deploy your identity implementation:
### Identity and device access recommendations
-To help ensure a secure and productive workforce, Microsoft provides a set of recommendations for [identity and device access](../security/defender-365-security/microsoft-365-policies-configurations.md). For identity, use the recommendations and settings in these articles:
+To help ensure a secure and productive workforce, Microsoft provides a set of recommendations for [identity and device access](../security/office-365-security/microsoft-365-policies-configurations.md). For identity, use the recommendations and settings in these articles:
-- [Prerequisites](../security/defender-365-security/identity-access-prerequisites.md)-- [Common identity and device access policies](../security/defender-365-security/identity-access-policies.md)
+- [Prerequisites](../security/office-365-security/identity-access-prerequisites.md)
+- [Common identity and device access policies](../security/office-365-security/identity-access-policies.md)
## Manage
enterprise Implementing Expressroute https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/implementing-expressroute.md
Your implementation plan should encompass both the technical details of configur
- Decide how far ExpressRoute routes will be advertised into your network and what is the mechanism for clients to select Internet or ExpressRoute path; for example, direct routing or application proxy. -- Plan DNS record changes, including [Sender Policy Framework](../security/defender-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md) entries.
+- Plan DNS record changes, including [Sender Policy Framework](../security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md) entries.
- Plan NAT strategy including outbound and inbound source NAT.
enterprise Increased O365 Security Microsoft 365 Enterprise Dev Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/increased-o365-security-microsoft-365-enterprise-dev-test-environment.md
In this phase, you enable increased Microsoft 365 security for your Microsoft 36
### Configure SharePoint Online to block apps that don't support modern authentication
-Apps that do not support modern authentication cannot have [identity and device access configurations](../security/defender-365-security/microsoft-365-policies-configurations.md) applied to them, which is an important element of securing your Microsoft 365 subscription and its digital assets.
+Apps that do not support modern authentication cannot have [identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) applied to them, which is an important element of securing your Microsoft 365 subscription and its digital assets.
1. Go to the Microsoft 365 admin center ([https://portal.microsoft.com](https://portal.microsoft.com)) and sign in to your Microsoft 365 test lab subscription with your global administrator account.
Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects y
Malware is comprised of viruses and spyware. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware refers to malware that gathers your personal information, such as sign-in information and personal data, and sends it back to the malware author.
-Microsoft 365 has built-in malware and spam filtering capabilities that help protect inbound and outbound messages from malicious software and help protect you from spam. For more information, see [Anti-spam & anti-malware protection](../security/defender-365-security/anti-spam-and-anti-malware-protection.md).
+Microsoft 365 has built-in malware and spam filtering capabilities that help protect inbound and outbound messages from malicious software and help protect you from spam. For more information, see [Anti-spam & anti-malware protection](../security/office-365-security/anti-spam-and-anti-malware-protection.md).
To ensure that anti-malware processing is being performed on files with common attachment file types:
To see the security dashboard:
Take a close look at all the cards on the dashboard to familiarize yourself with the information provided.
-For more information, see [Security Dashboard](../security/defender-365-security/security-dashboard.md).
+For more information, see [Security Dashboard](../security/office-365-security/security-dashboard.md).
## Phase 4: Examine Microsoft Secure Score
enterprise Microsoft 365 Secure Sign In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-secure-sign-in.md
There are three ways to require your administrators or users to use MFA based on
||| |All Microsoft 365 plans (without Azure AD Premium P1 or P2 licenses) |[Enable Security defaults in Azure AD](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). Security defaults in Azure AD include MFA for users and administrators. | |Microsoft 365 E3 (includes Azure AD Premium P1 licenses) | Use [Common Conditional Access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common) to configure the following policies: <br>- [Require MFA for administrators](/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa) <br>- [Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa) <br> - [Block legacy authentication](/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy) |
-|Microsoft 365 E5 (includes Azure AD Premium P2 licenses) | Taking advantage of Azure AD Identity Protection, begin to implement Microsoft's [recommended set of conditional access and related policies](../security/defender-365-security/identity-access-policies.md) by creating these two policies:<br> - [Require MFA when sign-in risk is medium or high](../security/defender-365-security/identity-access-policies.md#require-mfa-based-on-sign-in-risk) <br>- [High risk users must change password](../security/defender-365-security/identity-access-policies.md#high-risk-users-must-change-password) |
+|Microsoft 365 E5 (includes Azure AD Premium P2 licenses) | Taking advantage of Azure AD Identity Protection, begin to implement Microsoft's [recommended set of conditional access and related policies](../security/office-365-security/identity-access-policies.md) by creating these two policies:<br> - [Require MFA when sign-in risk is medium or high](../security/office-365-security/identity-access-policies.md#require-mfa-based-on-sign-in-risk) <br>- [High risk users must change password](../security/office-365-security/identity-access-policies.md#high-risk-users-must-change-password) |
| | | ### Security defaults
Identity and device access policies are defined to be used in three tiers:
These tiers and their corresponding configurations provide consistent levels of protection across your data, identities, and devices.
-Microsoft highly recommends configuring and rolling out identity and device access policies in your organization, including specific settings for Microsoft Teams, Exchange Online, and SharePoint. For more information, see [Identity and device access configurations](../security/defender-365-security/microsoft-365-policies-configurations.md).
+Microsoft highly recommends configuring and rolling out identity and device access policies in your organization, including specific settings for Microsoft Teams, Exchange Online, and SharePoint. For more information, see [Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md).
## Azure AD Identity Protection
See the [steps to enable Azure AD Identity Protection](/azure/active-directory/a
- [Identity roadmap for Microsoft 365](identity-roadmap-microsoft-365.md) - [Azure Academy Azure AD training videos](https://www.youtube.com/watch?v=pN8o0owHfI0&list=PL-V4YVm6AmwUFpC3rXr2i2piRQ708q_ia) - [Configure the Azure AD Multi-Factor Authentication registration policy](/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy)-- [Identity and device access configurations](../security/defender-365-security/microsoft-365-policies-configurations.md)
+- [Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md)
## Next step
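Review bot: in the Microsoft 365 E5 table row, two of the retargeted links keep their fragment identifiers (`#require-mfa-based-on-sign-in-risk` and `#high-risk-users-must-change-password`), and a path-only rename does not show whether those headings exist in `../security/office-365-security/identity-access-policies.md`. Confirm that both anchors resolve in the article at its new location before merging, so that each link still opens on the specific policy it names.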
enterprise Microsoft 365 Vpn Implement Split Tunnel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel.md
We can then trigger policy such as approve, trigger MFA or block authentication
### How do I protect against viruses and malware?
-Again, Office 365 provides protection for the Optimize marked endpoints in various layers in the service itself, [outlined in this document](/office365/Enterprise/office-365-malware-and-ransomware-protection). As noted, it is vastly more efficient to provide these security elements in the service itself rather than try and do it in line with devices that may not fully understand the protocols/traffic.By default, SharePoint Online [automatically scans file uploads](../security/defender-365-security/virus-detection-in-spo.md) for known malware
+Again, Office 365 provides protection for the Optimize marked endpoints in various layers in the service itself, [outlined in this document](/office365/Enterprise/office-365-malware-and-ransomware-protection). As noted, it is vastly more efficient to provide these security elements in the service itself rather than try and do it in line with devices that may not fully understand the protocols/traffic.By default, SharePoint Online [automatically scans file uploads](../security/office-365-security/virus-detection-in-spo.md) for known malware
For the Exchange endpoints listed above, [Exchange Online Protection](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description) and [Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) do an excellent job of providing security of the traffic to the service.
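Review bot: the rewritten line still has no space between sentences at "protocols/traffic.By default", so the SharePoint Online sentence runs into the one before it. Since the line is already being touched for the link path, add the missing space or start "By default, SharePoint Online ..." as its own paragraph.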
enterprise Phs Prereqs M365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/phs-prereqs-m365-test-environment.md
description: Create a Microsoft 365 environment to test identity and device acce
*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.*
-[Identity and device access configurations](../security/defender-365-security/microsoft-365-policies-configurations.md) are a set of configurations and conditional access policies to protect access to all services in Microsoft 365 for enterprise that are integrated with Azure Active Directory (Azure AD).
+[Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) are a set of configurations and conditional access policies to protect access to all services in Microsoft 365 for enterprise that are integrated with Azure Active Directory (Azure AD).
-This article describes how to configure a Microsoft 365 test environment that meets the requirements of the [hybrid with password hash sync authentication prerequisite configuration](../security/defender-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
+This article describes how to configure a Microsoft 365 test environment that meets the requirements of the [hybrid with password hash sync authentication prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
There are ten phases to setting up this test environment:
For Skype for Business Online:
Get-CsOAuthConfiguration ```
-The result is a test environment that meets the requirements of the [Active Directory with password hash sync prerequisite configuration](../security/defender-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
+The result is a test environment that meets the requirements of the [Active Directory with password hash sync prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
## Next step
-Use [Common identity and device access policies](../security/defender-365-security/identity-access-policies.md) to configure the policies that build on the prerequisites and protect identities and devices.
+Use [Common identity and device access policies](../security/office-365-security/identity-access-policies.md) to configure the policies that build on the prerequisites and protect identities and devices.
## See also
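Review bot: the two links to `../security/office-365-security/identity-access-prerequisites.md#prerequisites` name the same target differently. The introduction calls it the "hybrid with password hash sync authentication prerequisite configuration" and the closing paragraph calls it the "Active Directory with password hash sync prerequisite configuration". While both paths are being updated, use one label in both places, preferably the wording the prerequisites article itself uses, so readers can match the link text to the section they land on.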
enterprise Pta Prereqs M365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/pta-prereqs-m365-test-environment.md
description: Create a Microsoft 365 environment to test identity and device acce
*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.*
-[Identity and device access configurations](../security/defender-365-security/microsoft-365-policies-configurations.md) are a set of configurations and conditional access policies to protect access to all services in Microsoft 365 for enterprise that are integrated with Azure Active Directory (Azure AD).
+[Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) are a set of configurations and conditional access policies to protect access to all services in Microsoft 365 for enterprise that are integrated with Azure Active Directory (Azure AD).
-This article describes how you can configure a Microsoft 365 test environment that meets the requirements of the [Pass-through authentication prerequisite configuration](../security/defender-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
+This article describes how you can configure a Microsoft 365 test environment that meets the requirements of the [Pass-through authentication prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
There are ten phases to setting up this test environment:
For Skype for Business Online:
Get-CsOAuthConfiguration ```
-The result is a test environment that meets the requirements of the [Pass-through authentication prerequisite configuration](../security/defender-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
+The result is a test environment that meets the requirements of the [Pass-through authentication prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
## Next step
-Use [Common identity and device access policies](../security/defender-365-security/identity-access-policies.md) to configure the policies that build on the prerequisites and protect identities and devices.
+Use [Common identity and device access policies](../security/office-365-security/identity-access-policies.md) to configure the policies that build on the prerequisites and protect identities and devices.
## See also
includes Microsoft 365 Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md
| 3/15/2021 | [Learn about insider risk management](/microsoft-365/compliance/insider-risk-management?view=o365-21vianet) | modified | | 3/15/2021 | [Microsoft 365 tenant-to-tenant migrations](/microsoft-365/enterprise/microsoft-365-tenant-to-tenant-migrations?view=o365-21vianet) | modified | | 3/15/2021 | [Use the Page Diagnostics tool for SharePoint Online](/microsoft-365/enterprise/page-diagnostics-for-spo?view=o365-21vianet) | modified |
-| 3/15/2021 | [Anti-malware protection FAQ](/microsoft-365/security/defender-365-security/anti-malware-protection-faq-eop?view=o365-21vianet) | modified |
-| 3/15/2021 | [Get started using Attack simulation training](/microsoft-365/security/defender-365-security/attack-simulation-training-get-started?view=o365-21vianet) | modified |
-| 3/15/2021 | [Zero-hour auto purge (ZAP)](/microsoft-365/security/defender-365-security/zero-hour-auto-purge?view=o365-21vianet) | modified |
+| 3/15/2021 | [Anti-malware protection FAQ](/microsoft-365/security/office-365-security/anti-malware-protection-faq-eop?view=o365-21vianet) | modified |
+| 3/15/2021 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-21vianet) | modified |
+| 3/15/2021 | [Zero-hour auto purge (ZAP)](/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-21vianet) | modified |
| 3/15/2021 | [Manage who can create Microsoft 365 Groups](/microsoft-365/solutions/manage-creation-of-groups?view=o365-21vianet) | modified | | 3/15/2021 | [About the Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app?view=o365-21vianet) | modified | | 3/15/2021 | [Get started with the Microsoft Compliance Extension (preview)](/microsoft-365/compliance/dlp-chrome-get-started?view=o365-21vianet) | added |
| 3/15/2021 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-21vianet) | modified | | 3/15/2021 | [Pre-work for the migration from Microsoft Cloud Deutschland](/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work?view=o365-21vianet) | modified | | 3/15/2021 | [Migration phases actions and impacts for the migration from Microsoft Cloud Deutschland (general)](/microsoft-365/enterprise/ms-cloud-germany-transition-phases?view=o365-21vianet) | modified |
-| 3/15/2021 | [User submissions policy](/microsoft-365/security/defender-365-security/user-submission?view=o365-21vianet) | modified |
+| 3/15/2021 | [User submissions policy](/microsoft-365/security/office-365-security/user-submission?view=o365-21vianet) | modified |
| 3/16/2021 | [Microsoft Productivity Score](/microsoft-365/admin/productivity/productivity-score?view=o365-worldwide) | modified | | 3/16/2021 | [Get started with the Microsoft Compliance Extension (preview)](/microsoft-365/compliance/dlp-chrome-get-started?view=o365-21vianet) | modified | | 3/16/2021 | [Define information barrier policies](/microsoft-365/compliance/information-barriers-policies?view=o365-21vianet) | modified |
| 3/16/2021 | [View keyword statistics for Content Search results](/microsoft-365/compliance/view-keyword-statistics-for-content-search?view=o365-21vianet) | modified | | 3/16/2021 | [Content stored in Exchange Online mailboxes](/microsoft-365/compliance/what-is-stored-in-exo-mailbox?view=o365-21vianet) | modified | | 3/16/2021 | [AD FS migration steps for the migration from Microsoft Cloud Deutschland](/microsoft-365/enterprise/ms-cloud-germany-transition-add-adfs?view=o365-21vianet) | modified |
-| 3/16/2021 | [Evaluate Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/office-365-evaluation?view=o365-21vianet) | modified |
+| 3/16/2021 | [Evaluate Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-evaluation?view=o365-21vianet) | modified |
| 3/16/2021 | [What is collaboration governance?](/microsoft-365/solutions/collaboration-governance-overview?view=o365-21vianet) | modified | | 3/16/2021 | [Create a secure guest sharing environment](/microsoft-365/solutions/create-secure-guest-sharing-environment?view=o365-21vianet) | modified | | 3/16/2021 | [Governing access in Microsoft 365 groups, Teams, and SharePoint](/microsoft-365/solutions/groups-teams-access-governance?view=o365-21vianet) | modified |
| 3/18/2021 | [Create an app to access Microsoft 365 Defender without a user](/microsoft-365/security/mtp/api-create-app-web?view=o365-21vianet) | modified | | 3/18/2021 | [Microsoft cloud architecture models - enterprise resource planning](/microsoft-365/solutions/cloud-architecture-models?view=o365-21vianet) | modified | | 3/18/2021 | [Use file plan to manage retention labels throughout the content lifecycle](/microsoft-365/compliance/file-plan-manager?view=o365-21vianet) | modified |
-| 3/18/2021 | [Evaluate Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/office-365-evaluation?view=o365-21vianet) | modified |
+| 3/18/2021 | [Evaluate Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-evaluation?view=o365-21vianet) | modified |
| 3/18/2021 | [Steps to configure threat protection capabilities across Microsoft 365](/microsoft-365/solutions/deploy-threat-protection-configure?view=o365-21vianet) | modified | | 3/18/2021 | [Deploy threat protection capabilities across Microsoft 365](/microsoft-365/solutions/deploy-threat-protection?view=o365-21vianet) | modified | | 3/18/2021 | [Microsoft 365 solution and architecture center # < 60 chars](/microsoft-365/solutions/index?view=o365-21vianet) | modified |
| 2/16/2021 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-21vianet) | modified | | 2/16/2021 | [Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-21vianet) | modified | | 2/16/2021 | [Set up Microsoft Viva Topics](/microsoft-365/knowledge/set-up-topic-experiences) | modified |
-| 2/16/2021 | [Safe Attachments](/microsoft-365/security/defender-365-security/atp-safe-attachments?view=o365-21vianet) | modified |
-| 2/16/2021 | [Protection features in Azure Information Protection rolling out to existing tenants](/microsoft-365/security/defender-365-security/azure-ip-protection-features?view=o365-21vianet) | modified |
-| 2/16/2021 | [Application Guard for Office 365 for admins](/microsoft-365/security/defender-365-security/install-app-guard?view=o365-21vianet) | modified |
-| 2/16/2021 | [Monitor for leaks of personal data](/microsoft-365/security/defender-365-security/monitor-for-leaks-of-personal-data?view=o365-21vianet) | modified |
-| 2/16/2021 | [Remove blocked users from the Restricted Users portal](/microsoft-365/security/defender-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-21vianet) | modified |
+| 2/16/2021 | [Safe Attachments](/microsoft-365/security/office-365-security/atp-safe-attachments?view=o365-21vianet) | modified |
+| 2/16/2021 | [Protection features in Azure Information Protection rolling out to existing tenants](/microsoft-365/security/office-365-security/azure-ip-protection-features?view=o365-21vianet) | modified |
+| 2/16/2021 | [Application Guard for Office 365 for admins](/microsoft-365/security/office-365-security/install-app-guard?view=o365-21vianet) | modified |
+| 2/16/2021 | [Monitor for leaks of personal data](/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data?view=o365-21vianet) | modified |
+| 2/16/2021 | [Remove blocked users from the Restricted Users portal](/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-21vianet) | modified |
| 2/16/2021 | [Collaborating with people outside your organization](/microsoft-365/solutions/collaborate-with-people-outside-your-organization?view=o365-21vianet) | modified | | 2/17/2021 | [Manage billing accounts](/microsoft-365/commerce/manage-billing-accounts?view=o365-21vianet) | modified | | 2/17/2021 | [Data loss prevention and Microsoft Teams](/microsoft-365/compliance/dlp-microsoft-teams?view=o365-21vianet) | modified |
| 2/17/2021 | [Compliance](/microsoft-365/managed-desktop/intro/compliance?view=o365-21vianet) | modified | | 2/17/2021 | [What's new in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score-whats-new?view=o365-21vianet) | modified | | 2/17/2021 | [Preview features in Microsoft 365 Defender](/microsoft-365/security/mtp/preview?view=o365-21vianet) | modified |
-| 2/17/2021 | [About the Microsoft Defender for Office 365 trial](/microsoft-365/security/defender-365-security/about-defender-for-office-365-trial?view=o365-21vianet) | modified |
-| 2/17/2021 | [Address compromised user accounts with automated investigation and response](/microsoft-365/security/defender-365-security/address-compromised-users-quickly?view=o365-21vianet) | modified |
-| 2/17/2021 | [Admin submissions](/microsoft-365/security/defender-365-security/admin-submission?view=o365-21vianet) | modified |
-| 2/17/2021 | [ASF settings in EOP](/microsoft-365/security/defender-365-security/advanced-spam-filtering-asf-options?view=o365-21vianet) | modified |
-| 2/17/2021 | [Custom reporting solutions with automated investigation and response](/microsoft-365/security/defender-365-security/air-custom-reporting?view=o365-21vianet) | modified |
-| 2/17/2021 | [Remediation actions in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/air-remediation-actions?view=o365-21vianet) | modified |
-| 2/17/2021 | [How to report false positives or false negatives following automated investigation in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/air-report-false-positives-negatives?view=o365-21vianet) | modified |
-| 2/17/2021 | [Review and manage remediation actions in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/air-review-approve-pending-completed-actions?view=o365-21vianet) | modified |
-| 2/17/2021 | [View the results of an automated investigation in Microsoft 365](/microsoft-365/security/defender-365-security/air-view-investigation-results?view=o365-21vianet) | modified |
-| 2/17/2021 | [Alerts in the Security & Compliance Center](/microsoft-365/security/defender-365-security/alerts?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-malware protection FAQ](/microsoft-365/security/defender-365-security/anti-malware-protection-faq-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-malware protection](/microsoft-365/security/defender-365-security/anti-malware-protection?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-phishing protection](/microsoft-365/security/defender-365-security/anti-phishing-protection?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-spam and anti-malware protection](/microsoft-365/security/defender-365-security/anti-spam-and-anti-malware-protection?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-spam message headers](/microsoft-365/security/defender-365-security/anti-spam-message-headers?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-spam protection FAQ](/microsoft-365/security/defender-365-security/anti-spam-protection-faq?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-spam protection](/microsoft-365/security/defender-365-security/anti-spam-protection?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-spoofing protection FAQ](/microsoft-365/security/defender-365-security/anti-spoofing-protection-faq?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-spoofing protection](/microsoft-365/security/defender-365-security/anti-spoofing-protection?view=o365-21vianet) | modified |
-| 2/17/2021 | [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/defender-365-security/atp-for-spo-odb-and-teams?view=o365-21vianet) | modified |
-| 2/17/2021 | [Safe Attachments](/microsoft-365/security/defender-365-security/atp-safe-attachments?view=o365-21vianet) | modified |
-| 2/17/2021 | [Safe Links](/microsoft-365/security/defender-365-security/atp-safe-links?view=o365-21vianet) | modified |
-| 2/17/2021 | [Get started using Attack simulation training](/microsoft-365/security/defender-365-security/attack-simulation-training-get-started?view=o365-21vianet) | modified |
-| 2/17/2021 | [Gain insights through Attack simulation training](/microsoft-365/security/defender-365-security/attack-simulation-training-insights?view=o365-21vianet) | modified |
-| 2/17/2021 | [Attack Simulator in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/attack-simulator?view=o365-21vianet) | modified |
-| 2/17/2021 | [Auditing reports in standalone EOP](/microsoft-365/security/defender-365-security/auditing-reports-in-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [How automated investigation and response works in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/automated-investigation-response-office?view=o365-21vianet) | modified |
-| 2/17/2021 | [Protection features in Azure Information Protection rolling out to existing tenants](/microsoft-365/security/defender-365-security/azure-ip-protection-features?view=o365-21vianet) | modified |
-| 2/17/2021 | [Backscatter in EOP](/microsoft-365/security/defender-365-security/backscatter-messages-and-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Best practices for configuring EOP](/microsoft-365/security/defender-365-security/best-practices-for-configuring-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Bulk complaint level values](/microsoft-365/security/defender-365-security/bulk-complaint-level-values?view=o365-21vianet) | modified |
-| 2/17/2021 | [Campaign Views in Microsoft Defender for Office 365 Plan](/microsoft-365/security/defender-365-security/campaigns?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configuration analyzer for security policies](/microsoft-365/security/defender-365-security/configuration-analyzer-for-security-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure anti-malware policies](/microsoft-365/security/defender-365-security/configure-anti-malware-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure anti-phishing policies in EOP](/microsoft-365/security/defender-365-security/configure-anti-phishing-policies-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure anti-phishing policies in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/configure-atp-anti-phishing-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure global settings for Safe Links settings in Defender for Office 365](/microsoft-365/security/defender-365-security/configure-global-settings-for-safe-links?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure groups & users - Political campaign dev/test environment](/microsoft-365/security/defender-365-security/configure-groups-and-users-for-a-political-campaign-dev-test-environment?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure junk email settings on Exchange Online mailboxes](/microsoft-365/security/defender-365-security/configure-junk-email-settings-on-exo-mailboxes?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure S/MIME settings - Exchange Online for Outlook on web](/microsoft-365/security/defender-365-security/configure-s-mime-settings-for-outlook-web-app?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure the default connection filter policy](/microsoft-365/security/defender-365-security/configure-the-connection-filter-policy?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure outbound spam filtering](/microsoft-365/security/defender-365-security/configure-the-outbound-spam-policy?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure spam filter policies](/microsoft-365/security/defender-365-security/configure-your-spam-filter-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Create blocked sender lists](/microsoft-365/security/defender-365-security/create-block-sender-lists-in-office-365?view=o365-21vianet) | modified |
-| 2/17/2021 | [Create safe sender lists](/microsoft-365/security/defender-365-security/create-safe-sender-lists-in-office-365?view=o365-21vianet) | modified |
-| 2/17/2021 | [Create team sites - Political campaign dev environment](/microsoft-365/security/defender-365-security/create-team-sites-in-a-political-campaign-dev-test-environment?view=o365-21vianet) | modified |
-| 2/17/2021 | [Delegated administration FAQ](/microsoft-365/security/defender-365-security/delegated-administration-faq?view=o365-21vianet) | modified |
-| 2/17/2021 | [Deploy an isolated SharePoint Online team site](/microsoft-365/security/defender-365-security/deploy-an-isolated-sharepoint-online-team-site?view=o365-21vianet) | modified |
-| 2/17/2021 | [Design an isolated SharePoint Online team site](/microsoft-365/security/defender-365-security/design-an-isolated-sharepoint-online-team-site?view=o365-21vianet) | modified |
-| 2/17/2021 | [Detect and Remediate Illicit Consent Grants](/microsoft-365/security/defender-365-security/detect-and-remediate-illicit-consent-grants?view=o365-21vianet) | modified |
-| 2/17/2021 | [Detect and remediate the Outlook rules and custom forms injections attacks.](/microsoft-365/security/defender-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-21vianet) | modified |
-| 2/17/2021 | [Email authentication in Microsoft 365](/microsoft-365/security/defender-365-security/email-validation-and-authentication?view=o365-21vianet) | modified |
-| 2/17/2021 | [Enable the Report Message add-in](/microsoft-365/security/defender-365-security/enable-the-report-message-add-in?view=o365-21vianet) | modified |
-| 2/17/2021 | [Enable the Report Phish add-in](/microsoft-365/security/defender-365-security/enable-the-report-phish-add-in?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure EOP to junk spam in hybrid environments](/microsoft-365/security/defender-365-security/ensure-that-spam-is-routed-to-each-user-s-junk-email-folder?view=o365-21vianet) | modified |
-| 2/17/2021 | [EOP features](/microsoft-365/security/defender-365-security/eop-features?view=o365-21vianet) | modified |
-| 2/17/2021 | [EOP general FAQ](/microsoft-365/security/defender-365-security/eop-general-faq?view=o365-21vianet) | modified |
-| 2/17/2021 | [EOP queued, deferred, and bounced messages FAQ](/microsoft-365/security/defender-365-security/eop-queued-deferred-and-bounced-messages-faq?view=o365-21vianet) | modified |
-| 2/17/2021 | [Exchange admin center in standalone EOP](/microsoft-365/security/defender-365-security/exchange-admin-center-in-exchange-online-protection-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Exchange Online Protection (EOP) overview](/microsoft-365/security/defender-365-security/exchange-online-protection-overview?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configuring and controlling external email forwarding, Automatic forwarding, 5.7.520 Access Denied, disable external forwarding, Your administrator has disabled external forwarding, outbound anti-spam policy](/microsoft-365/security/defender-365-security/external-email-forwarding?view=o365-21vianet) | modified |
-| 2/17/2021 | [Feature permissions in EOP](/microsoft-365/security/defender-365-security/feature-permissions-in-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Find and release quarantined messages as a user](/microsoft-365/security/defender-365-security/find-and-release-quarantined-messages-as-a-user?view=o365-21vianet) | modified |
-| 2/17/2021 | [Give users access to the Security & Compliance Center](/microsoft-365/security/defender-365-security/grant-access-to-the-security-and-compliance-center?view=o365-21vianet) | modified |
-| 2/17/2021 | [Help and support for EOP](/microsoft-365/security/defender-365-security/help-and-support-for-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Outbound delivery pools](/microsoft-365/security/defender-365-security/high-risk-delivery-pool-for-outbound-messages?view=o365-21vianet) | modified |
-| 2/17/2021 | [How Sender Policy Framework (SPF) prevents spoofing](/microsoft-365/security/defender-365-security/how-office-365-uses-spf-to-prevent-spoofing?view=o365-21vianet) | modified |
-| 2/17/2021 | [How EOP validates the From address to prevent phishing](/microsoft-365/security/defender-365-security/how-office-365-validates-the-from-address?view=o365-21vianet) | modified |
-| 2/17/2021 | [Order and precedence of email protection](/microsoft-365/security/defender-365-security/how-policies-and-protections-are-combined?view=o365-21vianet) | modified |
-| 2/17/2021 | [Common identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/defender-365-security/identity-access-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Prerequisite work for implementing identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/defender-365-security/identity-access-prerequisites?view=o365-21vianet) | modified |
-| 2/17/2021 | [Office 365 Security, Microsoft Defender for Office 365, EOP, MSDO](/microsoft-365/security/defender-365-security/index?view=o365-21vianet) | modified |
-| 2/17/2021 | [Investigate malicious email that was delivered in Office 365, Find and investigate malicious email](/microsoft-365/security/defender-365-security/investigate-malicious-email-that-was-delivered?view=o365-21vianet) | modified |
-| 2/17/2021 | [Isolated SharePoint Online team site dev/test environment](/microsoft-365/security/defender-365-security/isolated-sharepoint-online-team-site-dev-test-environment?view=o365-21vianet) | modified |
-| 2/17/2021 | [Isolated SharePoint Online team sites](/microsoft-365/security/defender-365-security/isolated-sharepoint-online-team-sites?view=o365-21vianet) | modified |
-| 2/17/2021 | [Install and use the Junk Email Reporting add-in for Microsoft Outlook](/microsoft-365/security/defender-365-security/junk-email-reporting-add-in-for-microsoft-outlook?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure spoof intelligence](/microsoft-365/security/defender-365-security/learn-about-spoof-intelligence?view=o365-21vianet) | modified |
-| 2/17/2021 | [Mail flow in EOP](/microsoft-365/security/defender-365-security/mail-flow-in-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Mail flow insights in the Mail flow dashboard](/microsoft-365/security/defender-365-security/mail-flow-insights-v2?view=o365-21vianet) | modified |
-| 2/17/2021 | [Mail flow intelligence](/microsoft-365/security/defender-365-security/mail-flow-intelligence-in-office-365?view=o365-21vianet) | modified |
-| 2/17/2021 | [Mail flow rules in EOP](/microsoft-365/security/defender-365-security/mail-flow-rules-transport-rules-0?view=o365-21vianet) | modified |
-| 2/17/2021 | [Manage role groups in EOP](/microsoft-365/security/defender-365-security/manage-admin-role-group-permissions-in-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Manage an isolated SharePoint Online team site](/microsoft-365/security/defender-365-security/manage-an-isolated-sharepoint-online-team-site?view=o365-21vianet) | modified |
-| 2/17/2021 | [Manage groups in EOP](/microsoft-365/security/defender-365-security/manage-groups-in-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Manage mail users in standalone EOP](/microsoft-365/security/defender-365-security/manage-mail-users-in-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Manage quarantined messages and files as an admin](/microsoft-365/security/defender-365-security/manage-quarantined-messages-and-files?view=o365-21vianet) | modified |
-| 2/17/2021 | [Manage recipients in standalone EOP](/microsoft-365/security/defender-365-security/manage-recipients-in-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [The Microsoft Defender for Office 365 (MDO) email entity page](/microsoft-365/security/defender-365-security/mdo-email-entity-page?view=o365-21vianet) | modified |
-| 2/17/2021 | [Message trace in the Security & Compliance Center](/microsoft-365/security/defender-365-security/message-trace-scc?view=o365-21vianet) | modified |
-| 2/17/2021 | [Auto-forwarded messages insight](/microsoft-365/security/defender-365-security/mfi-auto-forwarded-messages-report?view=o365-21vianet) | modified |
-| 2/17/2021 | [Top domain mail flow status insight in the Mail flow dashboard](/microsoft-365/security/defender-365-security/mfi-domain-mail-flow-status-insight?view=o365-21vianet) | modified |
-| 2/17/2021 | [Mail flow map](/microsoft-365/security/defender-365-security/mfi-mail-flow-map-report?view=o365-21vianet) | modified |
-| 2/17/2021 | [Fix possible mail loop insight](/microsoft-365/security/defender-365-security/mfi-mail-loop-insight?view=o365-21vianet) | modified |
-| 2/17/2021 | [New domains being forwarded email insight](/microsoft-365/security/defender-365-security/mfi-new-domains-being-forwarded-email?view=o365-21vianet) | modified |
-| 2/17/2021 | [New users forwarding email insight](/microsoft-365/security/defender-365-security/mfi-new-users-forwarding-email?view=o365-21vianet) | modified |
-| 2/17/2021 | [Non-accepted domain report in the Mail flow dashboard](/microsoft-365/security/defender-365-security/mfi-non-accepted-domain-report?view=o365-21vianet) | modified |
-| 2/17/2021 | [Non-delivery report in the Mail flow dashboard](/microsoft-365/security/defender-365-security/mfi-non-delivery-report?view=o365-21vianet) | modified |
-| 2/17/2021 | [Outbound and inbound mail flow insight in the Mail flow dashboard](/microsoft-365/security/defender-365-security/mfi-outbound-and-inbound-mail-flow?view=o365-21vianet) | modified |
-| 2/17/2021 | [Queues insight in the Mail flow dashboard](/microsoft-365/security/defender-365-security/mfi-queue-alerts-and-queues?view=o365-21vianet) | modified |
-| 2/17/2021 | [Fix slow mail flow rules insight](/microsoft-365/security/defender-365-security/mfi-slow-mail-flow-rules-insight?view=o365-21vianet) | modified |
-| 2/17/2021 | [SMTP Auth clients insight and report in the Mail flow dashboard](/microsoft-365/security/defender-365-security/mfi-smtp-auth-clients-report?view=o365-21vianet) | modified |
-| 2/17/2021 | [Identity and device access configurations - Microsoft 365 for enterprise](/microsoft-365/security/defender-365-security/microsoft-365-policies-configurations?view=o365-21vianet) | modified |
-| 2/17/2021 | [Microsoft Report Message and Report Phishing Add-In license terms](/microsoft-365/security/defender-365-security/microsoft-message-phishing-report-terms?view=o365-21vianet) | modified |
-| 2/17/2021 | [Microsoft Security Guidance - Political campaigns & nonprofits](/microsoft-365/security/defender-365-security/microsoft-security-guidance-for-political-campaigns-nonprofits-and-other-agile-o?view=o365-21vianet) | modified |
-| 2/17/2021 | [Monitor for leaks of personal data](/microsoft-365/security/defender-365-security/monitor-for-leaks-of-personal-data?view=o365-21vianet) | modified |
-| 2/17/2021 | [Move domains & settings from one EOP organization to another](/microsoft-365/security/defender-365-security/move-domains-and-settings-from-one-eop-organization-to-another-eop-organization?view=o365-21vianet) | modified |
-| 2/17/2021 | [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/office-365-air?view=o365-21vianet) | modified |
-| 2/17/2021 | [Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/office-365-atp?view=o365-21vianet) | modified |
-| 2/17/2021 | [Evaluate Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/office-365-evaluation?view=o365-21vianet) | modified |
-| 2/17/2021 | [Threat investigation & response capabilities - Microsoft Defender for Office 365 Plan 2](/microsoft-365/security/defender-365-security/office-365-ti?view=o365-21vianet) | modified |
-| 2/17/2021 | [Security Incident Response](/microsoft-365/security/defender-365-security/office365-security-incident-response-overview?view=o365-21vianet) | modified |
-| 2/17/2021 | [Outbound spam protection](/microsoft-365/security/defender-365-security/outbound-spam-controls?view=o365-21vianet) | modified |
-| 2/17/2021 | [Permissions - Security & Compliance Center](/microsoft-365/security/defender-365-security/permissions-in-the-security-and-compliance-center?view=o365-21vianet) | modified |
-| 2/17/2021 | [Permissions in the Microsoft 365 security and compliance centers](/microsoft-365/security/defender-365-security/permissions-microsoft-365-compliance-security?view=o365-21vianet) | modified |
-| 2/17/2021 | [Preset security policies](/microsoft-365/security/defender-365-security/preset-security-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Protect against threats](/microsoft-365/security/defender-365-security/protect-against-threats?view=o365-21vianet) | modified |
-| 2/17/2021 | [Protect on-premises mailboxes in China with standalone EOP](/microsoft-365/security/defender-365-security/protect-on-premises-mailboxes-with-exchange-online-protection?view=o365-21vianet) | modified |
-| 2/17/2021 | [Quarantined email messages](/microsoft-365/security/defender-365-security/quarantine-email-messages?view=o365-21vianet) | modified |
-| 2/17/2021 | [Quarantined messages FAQ](/microsoft-365/security/defender-365-security/quarantine-faq?view=o365-21vianet) | modified |
-| 2/17/2021 | [Quarantine tags](/microsoft-365/security/defender-365-security/quarantine-tags?view=o365-21vianet) | modified |
-| 2/17/2021 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/defender-365-security/recommended-settings-for-eop-and-office365-atp?view=o365-21vianet) | modified |
-| 2/17/2021 | [Recover from a ransomware attack](/microsoft-365/security/defender-365-security/recover-from-ransomware?view=o365-21vianet) | modified |
-| 2/17/2021 | [Use mail flow rules to block messages with executable attachments](/microsoft-365/security/defender-365-security/reducing-malware-threats-through-file-attachment-blocking-in-exchange-online-pro?view=o365-21vianet) | modified |
-| 2/17/2021 | [Reference Policies, practices, and guidelines](/microsoft-365/security/defender-365-security/reference-policies-practices-and-guidelines?view=o365-21vianet) | modified |
-| 2/17/2021 | [Remediate malicious email that was delivered in Office 365](/microsoft-365/security/defender-365-security/remediate-malicious-email-delivered-office-365?view=o365-21vianet) | modified |
-| 2/17/2021 | [Remove blocked users from the Restricted Users portal](/microsoft-365/security/defender-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-21vianet) | modified |
-| 2/17/2021 | [Report junk and phishing email in Outlook for iOS and Android](/microsoft-365/security/defender-365-security/report-junk-email-and-phishing-scams-in-outlook-for-ios-and-android?view=o365-21vianet) | modified |
-| 2/17/2021 | [Report junk and phishing email in Outlook on the web](/microsoft-365/security/defender-365-security/report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Report spam, non-spam, and phishing messages to Microsoft](/microsoft-365/security/defender-365-security/report-junk-email-messages-to-microsoft?view=o365-21vianet) | modified |
-| 2/17/2021 | [Reporting and message trace](/microsoft-365/security/defender-365-security/reporting-and-message-trace-in-exchange-online-protection?view=o365-21vianet) | modified |
-| 2/17/2021 | [Smart reports, insights - Microsoft 365 Security & Compliance Center](/microsoft-365/security/defender-365-security/reports-and-insights-in-security-and-compliance?view=o365-21vianet) | modified |
-| 2/17/2021 | [Responding to a Compromised Email Account](/microsoft-365/security/defender-365-security/responding-to-a-compromised-email-account?view=o365-21vianet) | modified |
-| 2/17/2021 | [Run an administrator role group report in standalone EOP](/microsoft-365/security/defender-365-security/run-an-administrator-role-group-report-in-eop-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [S/MIME for encryption in Exchange Online - Office 365](/microsoft-365/security/defender-365-security/s-mime-for-message-signing-and-encryption?view=o365-21vianet) | modified |
-| 2/17/2021 | [Safe Documents in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/safe-docs?view=o365-21vianet) | modified |
-| 2/17/2021 | [Safety tips in email messages](/microsoft-365/security/defender-365-security/safety-tips-in-office-365?view=o365-21vianet) | modified |
-| 2/17/2021 | [Sample script for EOP settings - multiple tenants](/microsoft-365/security/defender-365-security/sample-script-for-applying-eop-settings-to-multiple-tenants?view=o365-21vianet) | modified |
-| 2/17/2021 | [Secure by default in Office 365](/microsoft-365/security/defender-365-security/secure-by-default?view=o365-21vianet) | modified |
-| 2/17/2021 | [Secure email recommended policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/defender-365-security/secure-email-recommended-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Security recommendations for priority accounts in Microsoft 365, priority accounts, priority accounts in Office 365, priority accounts in Microsoft 365](/microsoft-365/security/defender-365-security/security-recommendations-for-priority-accounts?view=o365-21vianet) | modified |
-| 2/17/2021 | [Microsoft 365 security roadmap - Top priorities](/microsoft-365/security/defender-365-security/security-roadmap?view=o365-21vianet) | modified |
-| 2/17/2021 | [Anti-phishing policies](/microsoft-365/security/defender-365-security/set-up-anti-phishing-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Set up Safe Attachments policies in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/set-up-atp-safe-attachments-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Set up Safe Links policies in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/set-up-atp-safe-links-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [Set up SPF to help prevent spoofing](/microsoft-365/security/defender-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-21vianet) | modified |
-| 2/17/2021 | [Set up your standalone EOP service](/microsoft-365/security/defender-365-security/set-up-your-eop-service?view=o365-21vianet) | modified |
-| 2/17/2021 | [Recommended secure document policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/defender-365-security/sharepoint-file-access-policies?view=o365-21vianet) | modified |
-| 2/17/2021 | [SIEM integration with Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/siem-integration-with-office-365-ti?view=o365-21vianet) | modified |
-| 2/17/2021 | [SIEM server integration with Microsoft 365 services and applications](/microsoft-365/security/defender-365-security/siem-server-integration?view=o365-21vianet) | modified |
-| 2/17/2021 | [Spam confidence level](/microsoft-365/security/defender-365-security/spam-confidence-levels?view=o365-21vianet) | modified |
-| 2/17/2021 | [Manually submit messages to Microsoft for analysis](/microsoft-365/security/defender-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis?view=o365-21vianet) | modified |
-| 2/17/2021 | [Submit malware and non-malware to Microsoft for analysis](/microsoft-365/security/defender-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis?view=o365-21vianet) | modified |
-| 2/17/2021 | [Add support for anonymous inbound email over IPv6](/microsoft-365/security/defender-365-security/support-for-anonymous-inbound-email-messages-over-ipv6?view=o365-21vianet) | modified |
-| 2/17/2021 | [Support for validation of Domain Keys Identified Mail (DKIM) signed messages](/microsoft-365/security/defender-365-security/support-for-validation-of-dkim-signed-messages?view=o365-21vianet) | modified |
-| 2/17/2021 | [Switch to EOP from another protection service](/microsoft-365/security/defender-365-security/switch-to-eop-from-google-postini-the-barracuda-spam-and-virus-firewall-or-cisco?view=o365-21vianet) | modified |
-| 2/17/2021 | [Manage your allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/defender-365-security/tenant-allow-block-list?view=o365-21vianet) | modified |
-| 2/17/2021 | [Configure your Microsoft 365 tenant for increased security](/microsoft-365/security/defender-365-security/tenant-wide-setup-for-increased-security?view=o365-21vianet) | modified |
-| 2/17/2021 | [Views in Threat Explorer and real-time detections](/microsoft-365/security/defender-365-security/threat-explorer-views?view=o365-21vianet) | modified |
-| 2/17/2021 | [Threat Explorer and Real-time detections](/microsoft-365/security/defender-365-security/threat-explorer?view=o365-21vianet) | modified |
-| 2/17/2021 | [Threat Trackers - New and Noteworthy](/microsoft-365/security/defender-365-security/threat-trackers?view=o365-21vianet) | modified |
-| 2/17/2021 | [Troubleshooting mail sent to Microsoft 365](/microsoft-365/security/defender-365-security/troubleshooting-mail-sent-to-office-365?view=o365-21vianet) | modified |
-| 2/17/2021 | [Tune anti-phishing protection](/microsoft-365/security/defender-365-security/tuning-anti-phishing?view=o365-21vianet) | modified |
-| 2/17/2021 | [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/defender-365-security/turn-on-atp-for-spo-odb-and-teams?view=o365-21vianet) | modified |
-| 2/17/2021 | [How to use DKIM for email in your custom domain](/microsoft-365/security/defender-365-security/use-dkim-to-validate-outbound-email?view=o365-21vianet) | modified |
-| 2/17/2021 | [Use DMARC to validate email](/microsoft-365/security/defender-365-security/use-dmarc-to-validate-email?view=o365-21vianet) | modified |
-| 2/17/2021 | [Use mail flow rules to see what your users are reporting to Microsoft](/microsoft-365/security/defender-365-security/use-mail-flow-rules-to-see-what-your-users-are-reporting-to-microsoft?view=o365-21vianet) | modified |
-| 2/17/2021 | [Use mail flow rules to the SCL in messages](/microsoft-365/security/defender-365-security/use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages?view=o365-21vianet) | modified |
-| 2/17/2021 | [End-user spam notifications in Microsoft 365](/microsoft-365/security/defender-365-security/use-spam-notifications-to-release-and-report-quarantined-messages?view=o365-21vianet) | modified |
-| 2/17/2021 | [Remove yourself from the blocked senders list](/microsoft-365/security/defender-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis?view=o365-21vianet) | modified |
-| 2/17/2021 | [Use mail flow rules to filter bulk email](/microsoft-365/security/defender-365-security/use-transport-rules-to-configure-bulk-email-filtering?view=o365-21vianet) | modified |
-| 2/17/2021 | [User submissions policy](/microsoft-365/security/defender-365-security/user-submission?view=o365-21vianet) | modified |
-| 2/17/2021 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/user-tags?view=o365-21vianet) | modified |
-| 2/17/2021 | [View and release quarantined messages from shared mailboxes](/microsoft-365/security/defender-365-security/view-and-release-quarantined-messages-from-shared-mailboxes?view=o365-21vianet) | modified |
-| 2/17/2021 | [View email security reports in the Security & Compliance Center](/microsoft-365/security/defender-365-security/view-email-security-reports?view=o365-21vianet) | modified |
-| 2/17/2021 | [View mail flow reports in the Reports dashboard](/microsoft-365/security/defender-365-security/view-mail-flow-reports?view=o365-21vianet) | modified |
-| 2/17/2021 | [View Defender for Office 365 reports in the Reports dashboard](/microsoft-365/security/defender-365-security/view-reports-for-atp?view=o365-21vianet) | modified |
-| 2/17/2021 | [View the admin audit log in standalone EOP](/microsoft-365/security/defender-365-security/view-the-admin-audit-log-eop?view=o365-21vianet) | modified |
-| 2/17/2021 | [Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams](/microsoft-365/security/defender-365-security/virus-detection-in-spo?view=o365-21vianet) | modified |
-| 2/17/2021 | [Walkthrough - Spoof intelligence insight](/microsoft-365/security/defender-365-security/walkthrough-spoof-intelligence-insight?view=o365-21vianet) | modified |
-| 2/17/2021 | [What&apos;s the difference between junk email and bulk email?](/microsoft-365/security/defender-365-security/what-s-the-difference-between-junk-email-and-bulk-email?view=o365-21vianet) | modified |
-| 2/17/2021 | [What's new in Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/whats-new-in-office-365-atp?view=o365-21vianet) | modified |
-| 2/17/2021 | [Zero-hour auto purge (ZAP)](/microsoft-365/security/defender-365-security/zero-hour-auto-purge?view=o365-21vianet) | modified |
+| 2/17/2021 | [About the Microsoft Defender for Office 365 trial](/microsoft-365/security/office-365-security/about-defender-for-office-365-trial?view=o365-21vianet) | modified |
+| 2/17/2021 | [Address compromised user accounts with automated investigation and response](/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-21vianet) | modified |
+| 2/17/2021 | [Admin submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-21vianet) | modified |
+| 2/17/2021 | [ASF settings in EOP](/microsoft-365/security/office-365-security/advanced-spam-filtering-asf-options?view=o365-21vianet) | modified |
+| 2/17/2021 | [Custom reporting solutions with automated investigation and response](/microsoft-365/security/office-365-security/air-custom-reporting?view=o365-21vianet) | modified |
+| 2/17/2021 | [Remediation actions in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-remediation-actions?view=o365-21vianet) | modified |
+| 2/17/2021 | [How to report false positives or false negatives following automated investigation in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-report-false-positives-negatives?view=o365-21vianet) | modified |
+| 2/17/2021 | [Review and manage remediation actions in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions?view=o365-21vianet) | modified |
+| 2/17/2021 | [View the results of an automated investigation in Microsoft 365](/microsoft-365/security/office-365-security/air-view-investigation-results?view=o365-21vianet) | modified |
+| 2/17/2021 | [Alerts in the Security & Compliance Center](/microsoft-365/security/office-365-security/alerts?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-malware protection FAQ](/microsoft-365/security/office-365-security/anti-malware-protection-faq-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-malware protection](/microsoft-365/security/office-365-security/anti-malware-protection?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-phishing protection](/microsoft-365/security/office-365-security/anti-phishing-protection?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-spam and anti-malware protection](/microsoft-365/security/office-365-security/anti-spam-and-anti-malware-protection?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-spam message headers](/microsoft-365/security/office-365-security/anti-spam-message-headers?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-spam protection FAQ](/microsoft-365/security/office-365-security/anti-spam-protection-faq?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-spam protection](/microsoft-365/security/office-365-security/anti-spam-protection?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-spoofing protection FAQ](/microsoft-365/security/office-365-security/anti-spoofing-protection-faq?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-spoofing protection](/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-21vianet) | modified |
+| 2/17/2021 | [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/atp-for-spo-odb-and-teams?view=o365-21vianet) | modified |
+| 2/17/2021 | [Safe Attachments](/microsoft-365/security/office-365-security/atp-safe-attachments?view=o365-21vianet) | modified |
+| 2/17/2021 | [Safe Links](/microsoft-365/security/office-365-security/atp-safe-links?view=o365-21vianet) | modified |
+| 2/17/2021 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-21vianet) | modified |
+| 2/17/2021 | [Gain insights through Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights?view=o365-21vianet) | modified |
+| 2/17/2021 | [Attack Simulator in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/attack-simulator?view=o365-21vianet) | modified |
+| 2/17/2021 | [Auditing reports in standalone EOP](/microsoft-365/security/office-365-security/auditing-reports-in-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [How automated investigation and response works in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/automated-investigation-response-office?view=o365-21vianet) | modified |
+| 2/17/2021 | [Protection features in Azure Information Protection rolling out to existing tenants](/microsoft-365/security/office-365-security/azure-ip-protection-features?view=o365-21vianet) | modified |
+| 2/17/2021 | [Backscatter in EOP](/microsoft-365/security/office-365-security/backscatter-messages-and-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Best practices for configuring EOP](/microsoft-365/security/office-365-security/best-practices-for-configuring-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Bulk complaint level values](/microsoft-365/security/office-365-security/bulk-complaint-level-values?view=o365-21vianet) | modified |
+| 2/17/2021 | [Campaign Views in Microsoft Defender for Office 365 Plan](/microsoft-365/security/office-365-security/campaigns?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configuration analyzer for security policies](/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure anti-malware policies](/microsoft-365/security/office-365-security/configure-anti-malware-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure anti-phishing policies in EOP](/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure anti-phishing policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/configure-atp-anti-phishing-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure global settings for Safe Links settings in Defender for Office 365](/microsoft-365/security/office-365-security/configure-global-settings-for-safe-links?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure groups & users - Political campaign dev/test environment](/microsoft-365/security/office-365-security/configure-groups-and-users-for-a-political-campaign-dev-test-environment?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure junk email settings on Exchange Online mailboxes](/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure S/MIME settings - Exchange Online for Outlook on web](/microsoft-365/security/office-365-security/configure-s-mime-settings-for-outlook-web-app?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure the default connection filter policy](/microsoft-365/security/office-365-security/configure-the-connection-filter-policy?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure outbound spam filtering](/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure spam filter policies](/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Create blocked sender lists](/microsoft-365/security/office-365-security/create-block-sender-lists-in-office-365?view=o365-21vianet) | modified |
+| 2/17/2021 | [Create safe sender lists](/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-21vianet) | modified |
+| 2/17/2021 | [Create team sites - Political campaign dev environment](/microsoft-365/security/office-365-security/create-team-sites-in-a-political-campaign-dev-test-environment?view=o365-21vianet) | modified |
+| 2/17/2021 | [Delegated administration FAQ](/microsoft-365/security/office-365-security/delegated-administration-faq?view=o365-21vianet) | modified |
+| 2/17/2021 | [Deploy an isolated SharePoint Online team site](/microsoft-365/security/office-365-security/deploy-an-isolated-sharepoint-online-team-site?view=o365-21vianet) | modified |
+| 2/17/2021 | [Design an isolated SharePoint Online team site](/microsoft-365/security/office-365-security/design-an-isolated-sharepoint-online-team-site?view=o365-21vianet) | modified |
+| 2/17/2021 | [Detect and Remediate Illicit Consent Grants](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-21vianet) | modified |
+| 2/17/2021 | [Detect and remediate the Outlook rules and custom forms injections attacks.](/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-21vianet) | modified |
+| 2/17/2021 | [Email authentication in Microsoft 365](/microsoft-365/security/office-365-security/email-validation-and-authentication?view=o365-21vianet) | modified |
+| 2/17/2021 | [Enable the Report Message add-in](/microsoft-365/security/office-365-security/enable-the-report-message-add-in?view=o365-21vianet) | modified |
+| 2/17/2021 | [Enable the Report Phish add-in](/microsoft-365/security/office-365-security/enable-the-report-phish-add-in?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure EOP to junk spam in hybrid environments](/microsoft-365/security/office-365-security/ensure-that-spam-is-routed-to-each-user-s-junk-email-folder?view=o365-21vianet) | modified |
+| 2/17/2021 | [EOP features](/microsoft-365/security/office-365-security/eop-features?view=o365-21vianet) | modified |
+| 2/17/2021 | [EOP general FAQ](/microsoft-365/security/office-365-security/eop-general-faq?view=o365-21vianet) | modified |
+| 2/17/2021 | [EOP queued, deferred, and bounced messages FAQ](/microsoft-365/security/office-365-security/eop-queued-deferred-and-bounced-messages-faq?view=o365-21vianet) | modified |
+| 2/17/2021 | [Exchange admin center in standalone EOP](/microsoft-365/security/office-365-security/exchange-admin-center-in-exchange-online-protection-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Exchange Online Protection (EOP) overview](/microsoft-365/security/office-365-security/exchange-online-protection-overview?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configuring and controlling external email forwarding, Automatic forwarding, 5.7.520 Access Denied, disable external forwarding, Your administrator has disabled external forwarding, outbound anti-spam policy](/microsoft-365/security/office-365-security/external-email-forwarding?view=o365-21vianet) | modified |
+| 2/17/2021 | [Feature permissions in EOP](/microsoft-365/security/office-365-security/feature-permissions-in-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Find and release quarantined messages as a user](/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user?view=o365-21vianet) | modified |
+| 2/17/2021 | [Give users access to the Security & Compliance Center](/microsoft-365/security/office-365-security/grant-access-to-the-security-and-compliance-center?view=o365-21vianet) | modified |
+| 2/17/2021 | [Help and support for EOP](/microsoft-365/security/office-365-security/help-and-support-for-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Outbound delivery pools](/microsoft-365/security/office-365-security/high-risk-delivery-pool-for-outbound-messages?view=o365-21vianet) | modified |
+| 2/17/2021 | [How Sender Policy Framework (SPF) prevents spoofing](/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing?view=o365-21vianet) | modified |
+| 2/17/2021 | [How EOP validates the From address to prevent phishing](/microsoft-365/security/office-365-security/how-office-365-validates-the-from-address?view=o365-21vianet) | modified |
+| 2/17/2021 | [Order and precedence of email protection](/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined?view=o365-21vianet) | modified |
+| 2/17/2021 | [Common identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Prerequisite work for implementing identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-prerequisites?view=o365-21vianet) | modified |
+| 2/17/2021 | [Office 365 Security, Microsoft Defender for Office 365, EOP, MSDO](/microsoft-365/security/office-365-security/index?view=o365-21vianet) | modified |
+| 2/17/2021 | [Investigate malicious email that was delivered in Office 365, Find and investigate malicious email](/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered?view=o365-21vianet) | modified |
+| 2/17/2021 | [Isolated SharePoint Online team site dev/test environment](/microsoft-365/security/office-365-security/isolated-sharepoint-online-team-site-dev-test-environment?view=o365-21vianet) | modified |
+| 2/17/2021 | [Isolated SharePoint Online team sites](/microsoft-365/security/office-365-security/isolated-sharepoint-online-team-sites?view=o365-21vianet) | modified |
+| 2/17/2021 | [Install and use the Junk Email Reporting add-in for Microsoft Outlook](/microsoft-365/security/office-365-security/junk-email-reporting-add-in-for-microsoft-outlook?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure spoof intelligence](/microsoft-365/security/office-365-security/learn-about-spoof-intelligence?view=o365-21vianet) | modified |
+| 2/17/2021 | [Mail flow in EOP](/microsoft-365/security/office-365-security/mail-flow-in-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Mail flow insights in the Mail flow dashboard](/microsoft-365/security/office-365-security/mail-flow-insights-v2?view=o365-21vianet) | modified |
+| 2/17/2021 | [Mail flow intelligence](/microsoft-365/security/office-365-security/mail-flow-intelligence-in-office-365?view=o365-21vianet) | modified |
+| 2/17/2021 | [Mail flow rules in EOP](/microsoft-365/security/office-365-security/mail-flow-rules-transport-rules-0?view=o365-21vianet) | modified |
+| 2/17/2021 | [Manage role groups in EOP](/microsoft-365/security/office-365-security/manage-admin-role-group-permissions-in-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Manage an isolated SharePoint Online team site](/microsoft-365/security/office-365-security/manage-an-isolated-sharepoint-online-team-site?view=o365-21vianet) | modified |
+| 2/17/2021 | [Manage groups in EOP](/microsoft-365/security/office-365-security/manage-groups-in-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Manage mail users in standalone EOP](/microsoft-365/security/office-365-security/manage-mail-users-in-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-21vianet) | modified |
+| 2/17/2021 | [Manage recipients in standalone EOP](/microsoft-365/security/office-365-security/manage-recipients-in-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [The Microsoft Defender for Office 365 (MDO) email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page?view=o365-21vianet) | modified |
+| 2/17/2021 | [Message trace in the Security & Compliance Center](/microsoft-365/security/office-365-security/message-trace-scc?view=o365-21vianet) | modified |
+| 2/17/2021 | [Auto-forwarded messages insight](/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report?view=o365-21vianet) | modified |
+| 2/17/2021 | [Top domain mail flow status insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-domain-mail-flow-status-insight?view=o365-21vianet) | modified |
+| 2/17/2021 | [Mail flow map](/microsoft-365/security/office-365-security/mfi-mail-flow-map-report?view=o365-21vianet) | modified |
+| 2/17/2021 | [Fix possible mail loop insight](/microsoft-365/security/office-365-security/mfi-mail-loop-insight?view=o365-21vianet) | modified |
+| 2/17/2021 | [New domains being forwarded email insight](/microsoft-365/security/office-365-security/mfi-new-domains-being-forwarded-email?view=o365-21vianet) | modified |
+| 2/17/2021 | [New users forwarding email insight](/microsoft-365/security/office-365-security/mfi-new-users-forwarding-email?view=o365-21vianet) | modified |
+| 2/17/2021 | [Non-accepted domain report in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-non-accepted-domain-report?view=o365-21vianet) | modified |
+| 2/17/2021 | [Non-delivery report in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-non-delivery-report?view=o365-21vianet) | modified |
+| 2/17/2021 | [Outbound and inbound mail flow insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-outbound-and-inbound-mail-flow?view=o365-21vianet) | modified |
+| 2/17/2021 | [Queues insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues?view=o365-21vianet) | modified |
+| 2/17/2021 | [Fix slow mail flow rules insight](/microsoft-365/security/office-365-security/mfi-slow-mail-flow-rules-insight?view=o365-21vianet) | modified |
+| 2/17/2021 | [SMTP Auth clients insight and report in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-smtp-auth-clients-report?view=o365-21vianet) | modified |
+| 2/17/2021 | [Identity and device access configurations - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/microsoft-365-policies-configurations?view=o365-21vianet) | modified |
+| 2/17/2021 | [Microsoft Report Message and Report Phishing Add-In license terms](/microsoft-365/security/office-365-security/microsoft-message-phishing-report-terms?view=o365-21vianet) | modified |
+| 2/17/2021 | [Microsoft Security Guidance - Political campaigns & nonprofits](/microsoft-365/security/office-365-security/microsoft-security-guidance-for-political-campaigns-nonprofits-and-other-agile-o?view=o365-21vianet) | modified |
+| 2/17/2021 | [Monitor for leaks of personal data](/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data?view=o365-21vianet) | modified |
+| 2/17/2021 | [Move domains & settings from one EOP organization to another](/microsoft-365/security/office-365-security/move-domains-and-settings-from-one-eop-organization-to-another-eop-organization?view=o365-21vianet) | modified |
+| 2/17/2021 | [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-air?view=o365-21vianet) | modified |
+| 2/17/2021 | [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp?view=o365-21vianet) | modified |
+| 2/17/2021 | [Evaluate Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-evaluation?view=o365-21vianet) | modified |
+| 2/17/2021 | [Threat investigation & response capabilities - Microsoft Defender for Office 365 Plan 2](/microsoft-365/security/office-365-security/office-365-ti?view=o365-21vianet) | modified |
+| 2/17/2021 | [Security Incident Response](/microsoft-365/security/office-365-security/office365-security-incident-response-overview?view=o365-21vianet) | modified |
+| 2/17/2021 | [Outbound spam protection](/microsoft-365/security/office-365-security/outbound-spam-controls?view=o365-21vianet) | modified |
+| 2/17/2021 | [Permissions - Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-21vianet) | modified |
+| 2/17/2021 | [Permissions in the Microsoft 365 security and compliance centers](/microsoft-365/security/office-365-security/permissions-microsoft-365-compliance-security?view=o365-21vianet) | modified |
+| 2/17/2021 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Protect against threats](/microsoft-365/security/office-365-security/protect-against-threats?view=o365-21vianet) | modified |
+| 2/17/2021 | [Protect on-premises mailboxes in China with standalone EOP](/microsoft-365/security/office-365-security/protect-on-premises-mailboxes-with-exchange-online-protection?view=o365-21vianet) | modified |
+| 2/17/2021 | [Quarantined email messages](/microsoft-365/security/office-365-security/quarantine-email-messages?view=o365-21vianet) | modified |
+| 2/17/2021 | [Quarantined messages FAQ](/microsoft-365/security/office-365-security/quarantine-faq?view=o365-21vianet) | modified |
+| 2/17/2021 | [Quarantine tags](/microsoft-365/security/office-365-security/quarantine-tags?view=o365-21vianet) | modified |
+| 2/17/2021 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp?view=o365-21vianet) | modified |
+| 2/17/2021 | [Recover from a ransomware attack](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-21vianet) | modified |
+| 2/17/2021 | [Use mail flow rules to block messages with executable attachments](/microsoft-365/security/office-365-security/reducing-malware-threats-through-file-attachment-blocking-in-exchange-online-pro?view=o365-21vianet) | modified |
+| 2/17/2021 | [Reference Policies, practices, and guidelines](/microsoft-365/security/office-365-security/reference-policies-practices-and-guidelines?view=o365-21vianet) | modified |
+| 2/17/2021 | [Remediate malicious email that was delivered in Office 365](/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365?view=o365-21vianet) | modified |
+| 2/17/2021 | [Remove blocked users from the Restricted Users portal](/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-21vianet) | modified |
+| 2/17/2021 | [Report junk and phishing email in Outlook for iOS and Android](/microsoft-365/security/office-365-security/report-junk-email-and-phishing-scams-in-outlook-for-ios-and-android?view=o365-21vianet) | modified |
+| 2/17/2021 | [Report junk and phishing email in Outlook on the web](/microsoft-365/security/office-365-security/report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Report spam, non-spam, and phishing messages to Microsoft](/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft?view=o365-21vianet) | modified |
+| 2/17/2021 | [Reporting and message trace](/microsoft-365/security/office-365-security/reporting-and-message-trace-in-exchange-online-protection?view=o365-21vianet) | modified |
+| 2/17/2021 | [Smart reports, insights - Microsoft 365 Security & Compliance Center](/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance?view=o365-21vianet) | modified |
+| 2/17/2021 | [Responding to a Compromised Email Account](/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-21vianet) | modified |
+| 2/17/2021 | [Run an administrator role group report in standalone EOP](/microsoft-365/security/office-365-security/run-an-administrator-role-group-report-in-eop-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [S/MIME for encryption in Exchange Online - Office 365](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption?view=o365-21vianet) | modified |
+| 2/17/2021 | [Safe Documents in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-docs?view=o365-21vianet) | modified |
+| 2/17/2021 | [Safety tips in email messages](/microsoft-365/security/office-365-security/safety-tips-in-office-365?view=o365-21vianet) | modified |
+| 2/17/2021 | [Sample script for EOP settings - multiple tenants](/microsoft-365/security/office-365-security/sample-script-for-applying-eop-settings-to-multiple-tenants?view=o365-21vianet) | modified |
+| 2/17/2021 | [Secure by default in Office 365](/microsoft-365/security/office-365-security/secure-by-default?view=o365-21vianet) | modified |
+| 2/17/2021 | [Secure email recommended policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Security recommendations for priority accounts in Microsoft 365, priority accounts, priority accounts in Office 365, priority accounts in Microsoft 365](/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts?view=o365-21vianet) | modified |
+| 2/17/2021 | [Microsoft 365 security roadmap - Top priorities](/microsoft-365/security/office-365-security/security-roadmap?view=o365-21vianet) | modified |
+| 2/17/2021 | [Anti-phishing policies](/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Set up Safe Attachments policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Set up Safe Links policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/set-up-atp-safe-links-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [Set up SPF to help prevent spoofing](/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-21vianet) | modified |
+| 2/17/2021 | [Set up your standalone EOP service](/microsoft-365/security/office-365-security/set-up-your-eop-service?view=o365-21vianet) | modified |
+| 2/17/2021 | [Recommended secure document policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/sharepoint-file-access-policies?view=o365-21vianet) | modified |
+| 2/17/2021 | [SIEM integration with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti?view=o365-21vianet) | modified |
+| 2/17/2021 | [SIEM server integration with Microsoft 365 services and applications](/microsoft-365/security/office-365-security/siem-server-integration?view=o365-21vianet) | modified |
+| 2/17/2021 | [Spam confidence level](/microsoft-365/security/office-365-security/spam-confidence-levels?view=o365-21vianet) | modified |
+| 2/17/2021 | [Manually submit messages to Microsoft for analysis](/microsoft-365/security/office-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis?view=o365-21vianet) | modified |
+| 2/17/2021 | [Submit malware and non-malware to Microsoft for analysis](/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis?view=o365-21vianet) | modified |
+| 2/17/2021 | [Add support for anonymous inbound email over IPv6](/microsoft-365/security/office-365-security/support-for-anonymous-inbound-email-messages-over-ipv6?view=o365-21vianet) | modified |
+| 2/17/2021 | [Support for validation of Domain Keys Identified Mail (DKIM) signed messages](/microsoft-365/security/office-365-security/support-for-validation-of-dkim-signed-messages?view=o365-21vianet) | modified |
+| 2/17/2021 | [Switch to EOP from another protection service](/microsoft-365/security/office-365-security/switch-to-eop-from-google-postini-the-barracuda-spam-and-virus-firewall-or-cisco?view=o365-21vianet) | modified |
+| 2/17/2021 | [Manage your allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list?view=o365-21vianet) | modified |
+| 2/17/2021 | [Configure your Microsoft 365 tenant for increased security](/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security?view=o365-21vianet) | modified |
+| 2/17/2021 | [Views in Threat Explorer and real-time detections](/microsoft-365/security/office-365-security/threat-explorer-views?view=o365-21vianet) | modified |
+| 2/17/2021 | [Threat Explorer and Real-time detections](/microsoft-365/security/office-365-security/threat-explorer?view=o365-21vianet) | modified |
+| 2/17/2021 | [Threat Trackers - New and Noteworthy](/microsoft-365/security/office-365-security/threat-trackers?view=o365-21vianet) | modified |
+| 2/17/2021 | [Troubleshooting mail sent to Microsoft 365](/microsoft-365/security/office-365-security/troubleshooting-mail-sent-to-office-365?view=o365-21vianet) | modified |
+| 2/17/2021 | [Tune anti-phishing protection](/microsoft-365/security/office-365-security/tuning-anti-phishing?view=o365-21vianet) | modified |
+| 2/17/2021 | [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/turn-on-atp-for-spo-odb-and-teams?view=o365-21vianet) | modified |
+| 2/17/2021 | [How to use DKIM for email in your custom domain](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-21vianet) | modified |
+| 2/17/2021 | [Use DMARC to validate email](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-21vianet) | modified |
+| 2/17/2021 | [Use mail flow rules to see what your users are reporting to Microsoft](/microsoft-365/security/office-365-security/use-mail-flow-rules-to-see-what-your-users-are-reporting-to-microsoft?view=o365-21vianet) | modified |
+| 2/17/2021 | [Use mail flow rules to the SCL in messages](/microsoft-365/security/office-365-security/use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages?view=o365-21vianet) | modified |
+| 2/17/2021 | [End-user spam notifications in Microsoft 365](/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages?view=o365-21vianet) | modified |
+| 2/17/2021 | [Remove yourself from the blocked senders list](/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis?view=o365-21vianet) | modified |
+| 2/17/2021 | [Use mail flow rules to filter bulk email](/microsoft-365/security/office-365-security/use-transport-rules-to-configure-bulk-email-filtering?view=o365-21vianet) | modified |
+| 2/17/2021 | [User submissions policy](/microsoft-365/security/office-365-security/user-submission?view=o365-21vianet) | modified |
+| 2/17/2021 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags?view=o365-21vianet) | modified |
+| 2/17/2021 | [View and release quarantined messages from shared mailboxes](/microsoft-365/security/office-365-security/view-and-release-quarantined-messages-from-shared-mailboxes?view=o365-21vianet) | modified |
+| 2/17/2021 | [View email security reports in the Security & Compliance Center](/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-21vianet) | modified |
+| 2/17/2021 | [View mail flow reports in the Reports dashboard](/microsoft-365/security/office-365-security/view-mail-flow-reports?view=o365-21vianet) | modified |
+| 2/17/2021 | [View Defender for Office 365 reports in the Reports dashboard](/microsoft-365/security/office-365-security/view-reports-for-atp?view=o365-21vianet) | modified |
+| 2/17/2021 | [View the admin audit log in standalone EOP](/microsoft-365/security/office-365-security/view-the-admin-audit-log-eop?view=o365-21vianet) | modified |
+| 2/17/2021 | [Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-21vianet) | modified |
+| 2/17/2021 | [Walkthrough - Spoof intelligence insight](/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight?view=o365-21vianet) | modified |
+| 2/17/2021 | [What&apos;s the difference between junk email and bulk email?](/microsoft-365/security/office-365-security/what-s-the-difference-between-junk-email-and-bulk-email?view=o365-21vianet) | modified |
+| 2/17/2021 | [What's new in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/whats-new-in-office-365-atp?view=o365-21vianet) | modified |
+| 2/17/2021 | [Zero-hour auto purge (ZAP)](/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-21vianet) | modified |
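Review bot: Two link titles in these added rows are broken. The row for `use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages` reads "Use mail flow rules to the SCL in messages", dropping the verb "set" that the slug carries. The row for `what-s-the-difference-between-junk-email-and-bulk-email` contains a literal `&apos;` entity where the next row uses a plain apostrophe. Several titles are also keyword strings rather than article titles (for example "Office 365 Security, Microsoft Defender for Office 365, EOP, MSDO" and the priority accounts row); use each article's heading instead.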
includes Microsoft Defender Api Usgov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-defender-api-usgov.md
>[!NOTE]
->If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov.md#api).
+>If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov#api).
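Review bot: The new target `/microsoft-365/security/defender-endpoint/gov#api` still depends on the `#api` anchor in the gov article, and because this note lives in an include file, a renamed heading there would break the link on every page that pulls the include in. Confirm the anchor resolves in the build before merging. Minor wording point on the same line: "please use" can be shortened to "use".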
security Microsoft 365 Security For Bdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-security-for-bdm.md
Known threats include malware, compromised accounts, and phishing. Some protecti
|Recommendation |E3 |E5 | ||||
-|**Setup multi-factor authentication and use recommended conditional access policies, including sign-in risk policies**. Microsoft recommends and has tested a set of policies that work together to protect all cloud apps, including Office 365 and Microsoft 365 services. See [Identity and device access configurations](./defender-365-security/microsoft-365-policies-configurations.md). | |![green check mark](../media/green-check-mark.png)|
+|**Setup multi-factor authentication and use recommended conditional access policies, including sign-in risk policies**. Microsoft recommends and has tested a set of policies that work together to protect all cloud apps, including Office 365 and Microsoft 365 services. See [Identity and device access configurations](./office-365-security/microsoft-365-policies-configurations.md). | |![green check mark](../media/green-check-mark.png)|
|**Require multi-factor authentication for all users**. If you don't have the licensing required to implement the recommended conditional access policies, at a minimum require multi-factor authentication for all users.|![green check mark](../media/green-check-mark.png)|![green check mark](../media/green-check-mark.png)| |**Raise the level of protection against malware in mail**. Your Office 365 or Microsoft 365 environment includes protection against malware, but you can increase this protection by blocking attachments with file types that are commonly used for malware.|![green check mark](../media/green-check-mark.png)|![green check mark](../media/green-check-mark.png)| |**Protect your email from targeted phishing attacks**. If you've configured one or more custom domains for your Office 365 or Microsoft 365 environment, you can configure targeted anti-phishing protection. Anti-phishing protection, part of Defender for Office 365, can help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. If you haven't configured a custom domain, you do not need to do this.| |![green check mark](../media/green-check-mark.png)|
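Review bot: The changed row still opens with "Setup multi-factor authentication", where "Setup" is used as a verb; since the line is being touched anyway, change it to "Set up". The repointed link `./office-365-security/microsoft-365-policies-configurations.md` is consistent with the `office-365-security` path the link-list rows in this update use for the same article.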
Microsoft 365 information protection capabilities can help you discover what inf
|Recommendation |E3|E5 | ||||
-|**Review and optimize your conditional access and related policies to align with your objectives for a zero trust network**. Protecting against known threats includes implementing a set of [recommended policies](./defender-365-security/microsoft-365-policies-configurations.md). Review your implementation of these policies to ensure you're protecting your apps and data against hackers who have gained access to your network. Note that the recommended Intune app protection policy for Windows 10 enables Windows Information Protection (WIP). WIP protects against accidental leaks of your organization data through apps and services, like email, social media, and the public cloud. | |![green check mark](../media/green-check-mark.png)|
+|**Review and optimize your conditional access and related policies to align with your objectives for a zero trust network**. Protecting against known threats includes implementing a set of [recommended policies](./office-365-security/microsoft-365-policies-configurations.md). Review your implementation of these policies to ensure you're protecting your apps and data against hackers who have gained access to your network. Note that the recommended Intune app protection policy for Windows 10 enables Windows Information Protection (WIP). WIP protects against accidental leaks of your organization data through apps and services, like email, social media, and the public cloud. | |![green check mark](../media/green-check-mark.png)|
|**Disable external email forwarding**. Hackers who gain access to a user's mailbox can steal your mail by setting the mailbox to automatically forward email. This can happen even without the user's awareness. You can prevent this from happening by configuring a mail flow rule.|![green check mark](../media/green-check-mark.png) |![green check mark](../media/green-check-mark.png)| |**Disable anonymous external calendar sharing**. By default external anonymous calendar sharing is allowed. [Disable calendar sharing](/exchange/sharing/sharing-policies/modify-a-sharing-policy) to reduce potential leaks of sensitive information.|![green check mark](../media/green-check-mark.png) |![green check mark](../media/green-check-mark.png)| |**Configure data loss prevention policies for sensitive data**. Create a Data Loss Prevention Policy in the Security &amp; Compliance center to discover and protect sensitive data such as credit card numbers, Social Security numbers and bank account numbers. Microsoft 365 includes many predefined sensitive information types you can use in data loss prevention policies. You can also create your own sensitive information types for sensitive data that is custom to your environment. |![green check mark](../media/green-check-mark.png)|![green check mark](../media/green-check-mark.png)|
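Review bot: This is the second `./defender-365-security/` to `./office-365-security/` correction for the same target in this file, so search the rest of the file for remaining `./defender-365-security/` links before merging rather than fixing them hunk by hunk. In the trailing context row, "Security &amp; Compliance center" carries an HTML entity that could be cleaned up in the same pass.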
security Isolated Sharepoint Online Team Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-365-security/isolated-sharepoint-online-team-sites.md
- Title: Isolated SharePoint Online team sites
- - NOCSH
--- Previously updated : 12/15/2017--
-localization_priority: Priority
-
- - Ent_O365
- - Strat_O365_Enterprise
-
- - Ent_Solutions
- - seo-marvel-apr2020
-description: Learn about isolated SharePoint Online team sites, including uses, requirements, and features they can be used with.
--
-# Isolated SharePoint Online team sites
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1](defender-for-office-365.md)-- SharePoint Online -
- **Summary:** Learn about the uses for isolated SharePoint Online team sites.
-
-SharePoint Online team sites are an easy way to quickly create a space for collaboration. Users can work together on notes, documents, articles, a calendar, and other resources in Microsoft Office 365. SharePoint Online team sites are based on a Microsoft 365 group and have a simplified administration model to allow open collaboration with a private set of group members or the entire organization. A default SharePoint Online team site allows members of the Microsoft 365 group to invite other users and control permissions settings.
-
-However, you'll sometimes need site access to be controlled by group memberships, and SharePoint Online permission levels managed by SharePoint administrators. We call this an isolated site, which is isolated to the set of users that are either collaborating, viewing its contents, or administering the site. You might need an isolated site for the following:
--- A secret project within your organization.--- The location for highly-sensitive or valuable intellectual property for your organization.--- The resources for a legal action taken by your organization or that to which it is being subjected.--- To share a Microsoft 365 subscription between multiple organizations that have some overlap, but for the most part exist as separate business entities.-
-Here are the requirements of an isolated site:
--- Only SharePoint Online administrators can perform site administration, which includes group membership for access to the site and configuring custom permissions.--- Members of the site cannot invite other members to the team site.--- Users who are not members of the isolated site cannot request access to the site. They will receive an access denied web page when they attempt to access any URL associated with the site.-
-The tradeoff of requiring centralized access control and custom permissions by SharePoint Online administrators is that the site remains isolated over time. For example, current members cannot, either intentionally or accidentally, invite or configure custom permissions for other users within the Microsoft 365 subscription who should not be members of the site.
-
-An isolated site can be used with other features, such as:
--- Information Rights Management to ensure that the resources on the site remain encrypted, even if they are downloaded locally and uploaded to another site that is available to the entire organization.--- Data loss prevention to prevent users from sending the resources of the site, such as files, in email.-
-## Next steps
-
-To try out an isolated SharePoint Online team site in a trial subscription, see the step-by-step instructions in [Isolated SharePoint Online team site dev/test environment](/microsoft-365/solutions/team-security-isolation-dev-test).
-
-## Related topic
-
-[Configure a team with security isolation](/microsoft-365/solutions/secure-teams-security-isolation)
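Review bot: The whole article is removed from `security/defender-365-security/`, yet the link list in this same update still presents `/microsoft-365/security/office-365-security/isolated-sharepoint-online-team-sites` as a modified article. Confirm the content now lives under that path, or that a redirect is in place, so the listed URL and any inbound links do not return a 404.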
security Manage An Isolated Sharepoint Online Team Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-365-security/manage-an-isolated-sharepoint-online-team-site.md
- Title: Manage an isolated SharePoint Online team site
- - NOCSH
--- Previously updated : 12/15/2017--
-localization_priority: Normal
--
- - Ent_Solutions
- - seo-marvel-apr2020
-description: Manage an isolated SharePoint Online team site, add new users and groups, remove users and groups, and create a documents subfolder with custom permissions.
--
-# Manage an isolated SharePoint Online team site
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1](defender-for-office-365.md)-- SharePoint Online -
- **Summary:** Manage your isolated SharePoint Online team site with these procedures.
-
-This article describes common management operations for an isolated SharePoint Online team site.
-
-## Add a new user
-
-When someone new joins the site, you must decide their level of participation in the site:
--- Administration: Add the new user account to the site admins access group--- Active collaboration: Add the user account to the site members access group--- Viewing: Add the user account to the site viewers access group-
-If you are managing user accounts and groups through Active Directory Domain Services (AD DS), add the appropriate users to the appropriate access groups using your normal AD DS user and group management procedures and wait for synchronization with your subscription.
-
-If you are managing user accounts and groups through Microsoft 365, you can use the Microsoft 365 admin center or Microsoft PowerShell:
--- For the Microsoft 365 admin center, sign in with a user account that has been assigned the User Account Administrator or Company Administrator role and use Groups to add the appropriate users to the appropriate access groups.--- For PowerShell, first [Connect with the Azure Active Directory PowerShell for Graph module](../../enterprise/connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module). To add a user account to an access group with its user principal name (UPN), use the following PowerShell command block:-
-```powershell
-$userUPN="<UPN of the user account>"
-$grpName="<display name of the group>"
-Add-AzureADGroupMember -RefObjectId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $grpName }).ObjectID
-```
-
-To add a user account to an access group with its display name, use the following PowerShell command block:
-
-```powershell
-$userDisplayName="<display name of the user account>"
-$grpName="<display name of the group>"
-Add-AzureADGroupMember -RefObjectId (Get-AzureADUser | Where { $_.DisplayName -eq $userDisplayName }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $grpName }).ObjectID
-```
-
-## Add a new group
-
-To add access to an entire group, you must decide the level of participation of all the members of the group in the site:
--- Administration: Add the group to the site admins access group--- Active collaboration: Add the group to the site members access group--- Viewing: Add the group to the site viewers access group-
-If you are managing user accounts and groups through AD DS, add the appropriate groups to the appropriate groups using your normal AD DS user and group management procedures and wait for synchronization with your subscription.
-
-If you are managing user accounts and groups through Office 365, you can use the Microsoft 365 admin center or PowerShell:
--- For the Microsoft 365 admin center, sign in with a user account that has been assigned the User Account Administrator or Company Administrator role and use Groups to add the appropriate groups to the appropriate access groups.--- For PowerShell, first [Connect with the Azure Active Directory PowerShell for Graph module](../../enterprise/connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).
- Then, use the following PowerShell commands:
-
-```powershell
-$newGroupName="<display name of the new group to add>"
-$siteGrpName="<display name of the access group>"
-Add-AzureADGroupMember -RefObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $newGroupName }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $siteGrpName }).ObjectID
-```
-
-## Remove a user
-
-When someone's access must be removed from the site, you remove them from the access group for which they are currently a member based on their participation in the site:
--- Administration: Remove the user account from the site admins access group--- Active collaboration: Remove the user account from the site members access group--- Viewing: Remove the user account from the site viewers access group-
-If you are managing user accounts and groups through AD DS, remove the appropriate users from the appropriate access groups using your normal AD DS user and group management procedures and wait for synchronization with your subscription.
-
-If you are managing user accounts and groups through Office 365, you can use the Microsoft 365 admin center or PowerShell:
--- For the Microsoft 365 admin center, sign in with a user account that has been assigned the User Account Administrator or Company Administrator role and use Groups to remove the appropriate users from the appropriate access groups.--- For PowerShell, first [Connect with the Azure Active Directory PowerShell for Graph module](../../enterprise/connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).
-To remove a user account from an access group with its UPN, use the following PowerShell command block:
-
-```powershell
-$userUPN="<UPN of the user account>"
-$grpName="<display name of the access group>"
-Remove-AzureADGroupMember -MemberId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $grpName }).ObjectID
-```
-
-To remove a user account from an access group with its display name, use the following PowerShell command block:
-
-```powershell
-$userDisplayName="<display name of the user account>"
-$grpName="<display name of the access group>"
-Remove-AzureADGroupMember -MemberId (Get-AzureADUser | Where { $_.DisplayName -eq $userDisplayName }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $grpName }).ObjectID
-```
-
-## Remove a group
-
-To remove access for an entire group, you remove the group from the access group for which they are currently a member based on their participation in the site:
--- Administration: Remove the group from the site admins access group--- Active collaboration: Remove the group from the site members access group--- Viewing: Remove the group from the site viewers access group-
-If you are managing user accounts and groups through Windows Server Active Directory, remove the appropriate groups from the appropriate access groups using your normal AD DS user and group management procedures and wait for synchronization with your subscription.
-
-If you are managing user accounts and groups through Office 365, you can use the Microsoft 365 admin center or PowerShell:
--- For the Microsoft 365 admin center, sign in with a user account that has been assigned the User Account Administrator or Company Administrator role and use Groups to remove the appropriate groups from the appropriate access groups.--- For PowerShell, first [Connect with the Azure Active Directory PowerShell for Graph module](../../enterprise/connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).
-To remove a group from an access group using their display names, use the following PowerShell command block:
-
-```powershell
-$groupMemberName="<display name of the group to remove>"
-$grpName="<display name of the access group>"
-Remove-AzureADGroupMember -MemberId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupMemberName }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $grpName }).ObjectID
-```
-
-## Create a documents subfolder with custom permissions
-
-In some cases, a subset of the people working within the isolated site need a more private place to collaborate. For SharePoint Online sites, you can create a subfolder in the Documents folder of the site and assign custom permissions. Those without permissions will not see the subfolder.
-
-To create a documents subfolder with custom permissions, do the following:
-
-1. Sign in to an account that is a member of the admins access group for the site. For help, see [Where to sign in to Microsoft 365](https://support.microsoft.com/office/e9eb7d51-5430-4929-91ab-6157c5a050b4).
-
-2. Go to the isolated team site and click **Documents**.
-
-3. Browse to the folder in the documents folder that will contain the subfolder with custom permissions, create the folder, and then open it.
-
-4. Click **Share**.
-
-5. Click **Shared with > Advanced**.
-
-6. Click **Stop inheriting permissions**, and then click **OK**.
-
-7. Click **Share**.
-
-8. Click **Shared with > Advanced**.
-
-9. Click **Grant Permissions > Shared with > Advanced**.
-
-10. On the permissions page, click **\<site name> Members in the list**.
-
-11. On the **\<site name> Members** page, select the checkmark next to the site members access group, click **Actions**, click **Remove users from group**, and then click **OK**.
-
-12. To add specific members to this subfolder, click **New > Add users**.
-
-13. In the **Share** dialog box, type the names of the user accounts that can collaborate on files in the subfolder, and then click **Share**.
-
-14. Refresh the web page to see the new results.
-
-15. Under **Groups** in the left navigation, click the **\<site name> Visitors** group and use steps 11-14 to specify the set of user accounts that can view the files in the subfolder (as needed).
-
-16. Under **Groups** in the left navigation, click the **\<site name> Owners** group and use steps 11-14 to specify the set of user accounts that can administer the permissions in the subfolder (as needed).
-
-17. Close the **People and Groups** tab in your browser.
-
-## See Also
-
-[Isolated SharePoint Online team sites](isolated-sharepoint-online-team-sites.md)
-
-[Configure a team with security isolation](/microsoft-365/solutions/secure-teams-security-isolation)
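Review bot: every visible line of this article is removed, including the "Remove a user" and "Remove a group" sections, and nothing in the hunk shows a redirect or a replacement page. The See Also block points at isolated-sharepoint-online-team-sites.md and /microsoft-365/solutions/secure-teams-security-isolation. If either of those still links back here, add a redirect entry or update the links in the same change so readers looking for the access-revocation procedure do not land on a 404.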
security Mcas Saas Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-365-security/mcas-saas-access-policies.md
- Title: Recommended Microsoft Cloud App Security policies for SaaS apps - Microsoft 365 Enterprise | Microsoft Docs
-description: Describes recommended policies for integration with Microsoft Cloud App Security.
---- Previously updated : 03/22/2021---- it-pro-- goldenconfig--- M365-identity-device-management-- M365-security-compliance---
-# Recommended Microsoft Cloud App Security policies for SaaS apps
-Microsoft Cloud App Security builds on Azure AD conditional access policies to enable real-time monitoring and control of granular actions with SaaS apps, such as blocking downloads, uploads, copy and paste, and printing. This feature adds security to sessions that carry inherent risk, such as when corporate resources are accessed from unmanaged devices or by guest users.
-
-Microsoft Cloud App Security also integrates natively with Microsoft Information Protection, providing real-time content inspection to find sensitive data based on sensitive information types and sensitivity labels and to take appropriate action.
-
-This guidance includes recommendations for these scenarios:
-- Bring SaaS apps into IT management-- Tune protection for specific SaaS apps-- Configure data loss prevention (DLP) to help comply with data protection regulations-
-## Bring SaaS apps into IT management
-
-The first step in using Microsoft Cloud App Security to manage SaaS apps is to discover these and then add them to your Azure AD tenant. If you need help with discovery, see [Discover and manage SaaS apps in your network](https://docs.microsoft.com/cloud-app-security/tutorial-shadow-it). After you've discovered apps, [add these to your Azure AD tenant](https://docs.microsoft.com/azure/active-directory/manage-apps/add-application-portal).
-
-You can begin to manage these by doing the following:
-1. First, in Azure AD, create a new conditional access policy and configure it to "Use Conditional Access App Control." This redirects the request to Cloud App Security. You can create one policy and add all SaaS apps to this policy.
-1. Next, in Cloud App Security, create session policies. Create one policy for each control you want to apply.
-
-Permissions to SaaS apps are typically based on business need for access to the app. These permissions can be highly dynamic. Using Cloud App Security policies ensures protection to app data, regardless of whether users are assigned to an Azure AD group associated with baseline, sensitive, or highly regulated protection.
-
-To protect data across your collection of SaaS apps, the following diagram illustrates the necessary Azure AD conditional access policy plus suggested policies you can create in Cloud App Security. In this example, the policies created in Cloud App Security apply to all SaaS apps you are managing. These are designed to apply appropriate controls based on whether devices are managed as well as sensitivity labels that are already applied to files.
-
-<br>
-
-![Policies for managing SaaS apps in Cloud App Security](../../media/microsoft-365-policies-configurations/mcas-manage-saas-apps-2.png)
-
-The following table lists the new conditional access policy you must create in Azure AD.
-
-|Protection level|Policy|More information|
-||||
-|All protection levels | [Use Conditional Access App Control in Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad#configure-integration-with-azure-ad) |This configures your IdP (Azure AD) to work with Cloud App Security. |
-
-This next table lists the example policies illustrated above that you can create to protect all SaaS apps. Be sure to evaluate your own business, security, and compliance objectives and then create policies that provide the most appropriate protection for your environment.
-
-|Protection level|Policy|
-|||
-|Baseline | Monitor traffic from unmanaged devices<br><br>Add protection to file downloads from unmanaged devices |
-|Sensitive | Block download of files labeled with sensitive or classified from unmanaged devices (this provides browser only access) |
-| Highly regulated | Block download of files labeled with classified from all devices (this provides browser only access) |
-| | |
-
-For end-to-end instructions for setting up Conditional Access App Control, see [Deploy Conditional Access App Control for featured apps](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad). This article walks you through the process of creating the necessary conditional access policy in Azure AD and testing your SaaS apps.
----
-For more information, see [Protect apps with Microsoft Cloud App Security Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad).
--
-## Tune protection for specific SaaS apps
-You might want to apply additional monitoring and controls to specific SaaS apps in your environment. Cloud App Security allows you to accomplish this. For example, if an app like Box is used heavily in your environment, it makes sense to apply additional controls. Or, if your legal or finance department is using a specific SaaS app for sensitive business data, you can target extra protection to these apps.
-
-For example, you can protect your Box environment with these types of built-in anomaly detection policy templates:
-- Activity from anonymous IP addresses-- Activity from infrequent country-- Activity from suspicious IP addresses-- Impossible travel-- Activity performed by terminated user (requires AAD as IdP)-- Malware detection-- Multiple failed login attempts-- Ransomware activity-- Risky Oauth App-- Unusual file share activity-
-These are examples. Additional policy templates are added on a regular basis. For examples of how to apply additional protection to specific apps, see [Protecting connected apps](https://docs.microsoft.com/cloud-app-security/protect-connected-apps).
-
-[How Cloud App Security helps protect your Box environment](https://docs.microsoft.com/cloud-app-security/protect-box) demonstrates the types of controls that can help you protect your business data in Box and other apps with sensitive data.
--
-## Configure data loss prevention (DLP) to help comply with data protection regulations
-
-Cloud App Security can be a valuable tool for configuring protection for compliance regulations. In this case, you create specific policies to look for specific data that a regulation applies to and configure each policy to take appropriate action.
-
-The following illustration and table provide several examples of policies that can be configured to help comply with the General Data Protection Regulation (GDPR). In these examples, policies look for specific data. Based on the sensitivity of the data, each policy is configured to take appropriate action.
-
-![Example Cloud App Security policies for data loss prevention](../../media/microsoft-365-policies-configurations/mcas-dlp.png)
-
-|Protection level|Example policies|
-|:|:-|
-| Baseline |Alert when files containing this sensitive information type ("Credit Card Number") are shared outside the organization <br><br>Block downloads of files containing this sensitive information type (ΓÇ¥Credit card number") to unmanaged devices|
-| Sensitive | Protect downloads of files containing this sensitive information type ("Credit card number") to managed devices <br><br>Block downloads of files containing this sensitive information type ("Credit card number") to unmanaged devices <br><br>Alert when a file with on of these labels is uploaded to OneDrive for Business or Box (Customer data, Human Resources: Salary Data,Human Resources, Employee data)|
-| Highly regulated |Alert when files with this label ("Highly classified") are downloaded to managed devices <p>Block downloads of files with this label ("Highly classified") to unmanaged devices |
-| | |
---
-## Next steps
-
-For more information about using Cloud App Security, see [Microsoft Cloud App Security documentation](https://docs.microsoft.com//cloud-app-security/).
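Review bot: this deletes mcas-saas-access-policies.md from defender-365-security/ while other hunks on this page repoint defender-365-security/ links to office-365-security/. If this is a move rather than a retirement, confirm the file is re-added at its new path with a redirect. If the text is carried over, fix the defects visible in the removed lines: the mis-encoded opening quote in the Baseline DLP row (ΓÇ¥Credit card number"), "on of these labels" in the Sensitive row, the double slash in https://docs.microsoft.com//cloud-app-security/, and the empty trailing "| | |" table rows.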
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
# [Microsoft Defender for Endpoint](index.yml) ## [Overview]()
-### [What is Microsoft Defender for Endpoint?](microsoft-defender-advanced-threat-protection.md)
+### [What is Microsoft Defender for Endpoint?](microsoft-defender-endpoint.md)
### [Minimum requirements](minimum-requirements.md) ### [What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-atp.md) ### [Preview features](preview.md)
#### [Troubleshoot attack surface reduction issues]() ##### [Network protection](troubleshoot-np.md) ##### [Attack surface reduction rules](troubleshoot-asr.md)+
+# [Microsoft 365 Security](../index.yml)
+# [Microsoft 365 Defender](../defender/index.yml)
+# [Defender for Office 365](../office-365-security/overview.md)
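Review bot: the Overview entry now targets microsoft-defender-endpoint.md, so the old file name microsoft-defender-advanced-threat-protection.md needs a redirect, otherwise existing bookmarks and external links break. Separately, the three appended entries are written at "#" level, the same level as the TOC root "# [Microsoft Defender for Endpoint](index.yml)", and point outside this folder (../index.yml, ../defender/index.yml, ../office-365-security/overview.md). Confirm that they are meant to render as sibling top-level nodes and that all three targets exist at those relative paths.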
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
When you turn this feature on, you'll be able to incorporate data from Office 36
> [!NOTE] > You'll need to have the appropriate license to enable this feature.
-To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Threat investigation and response](https://docs.microsoft.com/microsoft-365/security/defender-365-security/office-365-ti).
+To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Threat investigation and response](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-ti).
## Microsoft Threat Experts
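Review bot: the replacement link in the Office 365 Threat Intelligence paragraph keeps the absolute https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-ti form, while the autoir-investigation-results.md change on this page writes the equivalent cross-reference as site-relative (/microsoft-365/security/office-365-security/office-365-atp). Since the line is being touched anyway, switch it to the site-relative form so the next folder move is caught by link validation rather than by readers.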
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
ms.technology: mde-+ # Use attack surface reduction rules to prevent malware infection
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - ## Why attack surface reduction rules are important Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!
You can set attack surface reduction rules for devices that are running any of t
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/defender/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
+Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-endpoint.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/defender/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center
security Auto Investigation Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/auto-investigation-action-center.md
The following table compares the new, unified Action center to the previous Acti
|The new, unified Action center |The previous Action center | |||
-|Lists pending and completed actions for devices and email in one location <br/>([Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) plus [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/defender-365-security/office-365-atp))|Lists pending and completed actions for devices <br/> ([Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) only) |
+|Lists pending and completed actions for devices and email in one location <br/>([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) plus [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp))|Lists pending and completed actions for devices <br/> ([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) only) |
|Is located at:<br/>[https://security.microsoft.com/action-center](https://security.microsoft.com/action-center) |Is located at:<br/>[https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center) | | In the Microsoft 365 security center, choose **Action center**. <p>:::image type="content" source="images/action-center-nav-new.png" alt-text="Navigating to the Action Center in the Microsoft 365 security center"::: | In the Microsoft Defender Security Center, choose **Automated investigations** > **Action center**. <p>:::image type="content" source="images/action-center-nav-old.png" alt-text="Navigating to the Action center from the Microsoft Defender Security Center"::: | The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience. You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:-- [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md)-- [Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/defender-365-security/office-365-atp)
+- [Defender for Endpoint](microsoft-defender-endpoint.md)
+- [Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) > [!TIP]
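Review bot: the unchanged last bullet of the subscriptions list still links to https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection, although this change repoints the two bullets above it and other pages in this batch reference Microsoft 365 Defender content under security/defender/ (for example security/defender/overview-security-center and security/defender/mtp-autoir). Check whether the mtp/ path is still valid or only resolves through a redirect, and update it here so all three bullets use current paths.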
security Autoir Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/autoir-investigation-results.md
With Microsoft Defender for Endpoint, when an [automated investigation](automate
## (NEW!) Unified investigation page
-The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) and [Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/office-365-atp).
+The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp).
> [!TIP] > To learn more about what's changing, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results).
security Automated Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automated-investigations.md
Currently, AIR only supports the following OS versions:
## See also - [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)-- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/defender-365-security/office-365-air)
+- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/mtp-autoir)
security Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md
ms.technology: mde+ # Protect important folders with controlled folder access
Controlled folder access helps protect your valuable data from malicious apps an
> [!NOTE] > Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/indicator-certificates).
-Controlled folder access works best with [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
+Controlled folder access works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
> [!TIP] > Controlled folder access blocks don't generate alerts in the [Alerts queue](alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](investigate-machines.md), while using [advanced hunting](advanced-hunting-overview.md), or with [custom detection rules](custom-detection-rules.md).
security Customize Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-controlled-folders.md
Previously updated : 01/06/2021 Last updated : 03/24/2021 ms.technology: mde+ # Customize controlled folder access -- **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
An allowed application or service only has write access to a controlled folder a
4. Select **Add an allowed app** and follow the prompts to add apps.
- ![Screenshot of how to add an allowed app button](/microsoft-365/security/defender-endpoint/images/cfa-allow-app)
+ :::image type="content" source="images/cfa-allow-app.png" alt-text="Add an allowed app button":::
### Use Group Policy to allow specific apps
An allowed application or service only has write access to a controlled folder a
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
-![Screenshot of a PowerShell window with the above cmdlet entered](/microsoft-365/security/defender-endpoint/images/cfa-allow-app-ps)
+ :::image type="content" source="images/cfa-allow-app-ps.png" alt-text="PowerShell cmdlet to allow an app":::
> [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
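Review bot: the second replaced image (images/cfa-allow-app-ps.png) is now indented, whereas the removed line started at column 0 after the "Continue to use Add-MpPreference ..." sentence. Check that the indentation matches the block it belongs to, because a stray indent can attach the image to the wrong list item or render it as preformatted text. Adding the .png extension fixes the broken source path. The new alt text "PowerShell cmdlet to allow an app" no longer says that the image is a screenshot of a PowerShell window, so consider keeping that detail for screen-reader users.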
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
And, you can [get help if you still have issues with false positives/negatives](
![Steps to address false positives and negatives](images/false-positives-step-diagram.png) > [!NOTE]
-> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md).
+> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).
## Part 1: Review and classify alerts
security Enable Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-exploit-protection.md
ms.technology: mde+ # Enable exploit protection
security Evaluate Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-atp.md
Next gen protections help detect and block the latest threats.
## See Also
-[Microsoft Defender for Endpoint overview](microsoft-defender-advanced-threat-protection.md)
+[Microsoft Defender for Endpoint overview](microsoft-defender-endpoint.md)
security Evaluate Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-exploit-protection.md
Last updated 01/06/2021
ms.technology: mde+ # Evaluate exploit protection
security Exploit Protection Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection-reference.md
ms.technology: mde+ # Exploit Protection Reference
security Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection.md
ms.technology: mde+ # Protect devices from exploits
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
- Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-Exploit protection works best with [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
+Exploit protection works best with [Defender for Endpoint](microsoft-defender-endpoint.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
You can [enable exploit protection](enable-exploit-protection.md) on an individual device, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once.
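Review bot: The "Sign up for a free trial" prompt is deleted outright in this file, while the indicator-file.md and indicator-ip-domain.md changes in the same batch keep the same prompt and wrap it in `> [!TIP]`; choose one treatment so the articles stay consistent. On the rewritten "works best with" sentence, the " - which gives you" join is a hyphen standing in for a dash, and a comma would read more cleanly. The Applies-to link here also uses `fwlink/?linkid=2154037` where the other articles in this batch use `fwlink/p/?linkid=2154037`.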
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
The following OS versions are supported:
OS version | GCC | GCC High | DoD (PREVIEW) :|:|:|: Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows 10, version 1709 | ![No](/security/defender-endpoint/images/svg/check-no)<br>Note: Won't be supported | ![Yes](/security/defender-endpoint/images/svg/check-yes) With [KB4499147](https://support.microsoft.com/help/4499147)<br>Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade | ![No](/security/defender-endpoint/images/svg/check-no)<br>Note: Won't be supported
-Windows 10, version 1703 and earlier | ![No](/security/defender-endpoint/images/svg/check-no)<br>Note: Won't be supported | ![No](/security/defender-endpoint/images/svg/check-no)<br>Note: Won't be supported | ![No](/security/defender-endpoint/images/svg/check-no)<br>Note: Won't be supported
-Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows Server 2016 | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows Server 2012 R2 | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows Server 2008 R2 SP1 | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows 8.1 Enterprise | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows 8 Pro | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows 7 SP1 Enterprise | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows 7 SP1 Pro | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Linux | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development
-macOS | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development
-Android | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog
-iOS | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog
+Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows 10, version 1709 | ![No](images/svg/check-no.svg)<br>Note: Won't be supported | ![Yes](images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br>Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade | ![No](images/svg/check-no.svg)<br>Note: Won't be supported
+Windows 10, version 1703 and earlier | ![No](images/svg/check-no.svg)<br>Note: Won't be supported | ![No](images/svg/check-no.svg)<br>Note: Won't be supported | ![No](images/svg/check-no.svg)<br>Note: Won't be supported
+Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows Server 2016 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows Server 2012 R2 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows Server 2008 R2 SP1 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows 8.1 Enterprise | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows 8 Pro | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows 7 SP1 Enterprise | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows 7 SP1 Pro | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Linux | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+macOS | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+Android | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
+iOS | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
> [!NOTE] > Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.
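Review bot: In the `Windows 10, version 1709` row the required KB4499147 sits inside the GCC High cell rather than beside the OS version as in every other patched row, and that cell pairs a Yes icon with "Deprecated, please upgrade". Because the note under the table requires the listed patch to be deployed before onboarding, the row should say plainly whether 1709 can still be onboarded in GCC High, and the KB should be placed so it is clear which environment it applies to.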
The following OS versions are supported when using [Azure Defender for Servers](
OS version | GCC | GCC High | DoD (PREVIEW) :|:|:|:
-Windows Server 2016 | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows Server 2012 R2 | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Windows Server 2008 R2 SP1 | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
+Windows Server 2016 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows Server 2012 R2 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Windows Server 2008 R2 SP1 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
<br>
These are the known gaps as of February 2021:
Feature name | GCC | GCC High | DoD (PREVIEW) :|:|:|:
-Automated investigation and remediation: Live response | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Automated investigation and remediation: Response to Office 365 alerts | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog
-Email notifications | ![No](/security/defender-endpoint/images/svg/check-no) Rolling out | ![No](/security/defender-endpoint/images/svg/check-no) Rolling out | ![No](/security/defender-endpoint/images/svg/check-no) Rolling out
-Evaluation lab | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Management and APIs: Device health and compliance report | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Management and APIs: Integration with third-party products | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development
-Management and APIs: Streaming API | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development
-Management and APIs: Threat protection report | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Threat & vulnerability management | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Threat analytics | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Web content filtering | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development
-Integrations: Azure Sentinel | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development
-Integrations: Microsoft Cloud App Security | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog
-Integrations: Microsoft Compliance Manager | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog
-Integrations: Microsoft Defender for Identity | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog
-Integrations: Microsoft Defender for Office 365 | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog
-Integrations: Microsoft Endpoint DLP | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog
-Integrations: Microsoft Intune | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development
-Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![No](/security/defender-endpoint/images/svg/check-no) In development | ![No](/security/defender-endpoint/images/svg/check-no) In development
-Integrations: Skype for Business / Teams | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes) | ![Yes](/security/defender-endpoint/images/svg/check-yes)
-Microsoft Threat Experts | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog | ![No](/security/defender-endpoint/images/svg/check-no) On engineering backlog
+Automated investigation and remediation: Live response | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Automated investigation and remediation: Response to Office 365 alerts | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
+Email notifications | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out
+Evaluation lab | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Management and APIs: Device health and compliance report | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Management and APIs: Integration with third-party products | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+Management and APIs: Streaming API | ![Yes](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+Management and APIs: Threat protection report | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Threat & vulnerability management | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Threat analytics | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Web content filtering | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+Integrations: Azure Sentinel | ![Yes](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+Integrations: Microsoft Cloud App Security | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
+Integrations: Microsoft Compliance Manager | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
+Integrations: Microsoft Defender for Identity | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
+Integrations: Microsoft Defender for Office 365 | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
+Integrations: Microsoft Endpoint DLP | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
+Integrations: Microsoft Intune | ![Yes](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development
+Integrations: Skype for Business / Teams | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
+Microsoft Threat Experts | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
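Review bot: Every icon reference in these tables changes from the root-relative `/security/defender-endpoint/images/svg/check-yes` to the file-relative `images/svg/check-yes.svg`, which resolves only from the article's own directory, so the tables lose their icons if gov.md is moved or the rows are reused from another folder. Confirm that is intended for all three tables. Separately, the lead-in still reads "known gaps as of February 2021" while rows such as "Email notifications" carry a "Rolling out" status; since every row is being touched anyway, confirm the statuses and refresh the date.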
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+> [!TIP]
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
It's important to understand the following prerequisites prior to creating indic
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
->[!IMPORTANT]
->- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
->- Trusted signed files will be treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
+Performance can be affected if you are copying large files from a network share onto your local device, especially over a VPN connection.
-
->[!NOTE]
->Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes.
+> [!IMPORTANT]
+> - The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
+> - Trusted signed files will be treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
+> - Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes.
+> - If there are conflicting file indicator policies, the enforcement policy of the more secure policy is applied. For example, a SHA-256 file hash indicator policy takes precedence over an MD5 file hash indicator policy if both hash types define the same file.
### Create an indicator for files from the settings page
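Review bot: The new conflict rule in the last `[!IMPORTANT]` bullet says "the enforcement policy of the more secure policy is applied" but never defines "more secure": the example ranks hash algorithms (SHA-256 over MD5), and nothing says what happens when an allow and a block indicator of the same hash type name the same file. State the ordering explicitly, including the allow-versus-block case. The added sentence about copying large files from a network share also stands alone between the prerequisites list and the callout without saying which setting causes the slowdown; tie it to the feature or move it into the callout with the other performance bullet.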
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+> [!TIP]
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
Defender for Endpoint can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
It's important to understand the following prerequisites prior to creating indic
> [!IMPORTANT] > Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
-> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement: <br>
-> NOTE:
+> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS).
+> If there are conflicting URL indicator policies, the longer path is applied. For example, the URL indicator policy `https:\\support.microsoft.com/en-us/office` takes precedence over the URL indicator policy `https:\\support.microsoft.com`.
+
+> [!NOTE]
+> For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
> - IP is supported for all three protocols > - Only single IP addresses are supported (no CIDR blocks or IP ranges) > - Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
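Review bot: Both example URLs in the added conflict rule are written with backslashes after the scheme (`https:\\support.microsoft.com/en-us/office` and `https:\\support.microsoft.com`); they should use `https://` so a reader copying the value into an indicator gets a valid URL. The rule "the longer path is applied" also leaves open what happens when the two indicators carry different actions, so say whether the longer path wins regardless of allow or block. After the split into `[!NOTE]`, the bullet "IP is supported for all three protocols" is separated from the TCP, HTTP, and HTTPS list it refers to; name the protocols in the bullet.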
security Indicator Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-manage.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Information Protection In Windows Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview.md
ms.technology: mde
**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Information Protection Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Initiate Autoir Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/initiate-autoir-investigation.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-alerts.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
security Investigate Behind Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-behind-proxy.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
security Investigate Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-domain.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
security Investigate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-incidents.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Investigate Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-ip.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Investigate Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigation.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Ios Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-privacy.md
ms.technology: mde
# Privacy information - Microsoft Defender for Endpoint for iOS **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Isolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/isolate-machine.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Linux Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-exclusions.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-privacy.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-pua.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Static Proxy Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Support Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-connectivity.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-install.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-updates.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+## 101.23.64 (30.121021.12364.0)
+
+- Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, file activity originating from the mount point was still processed by the product. Starting with this version, file activity for excluded mount points is suppressed, leading to better product performance
+- Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run `mdatp health --details antivirus`
+- Other performance improvements & bug fixes
+ ## 101.18.53 - EDR for Linux is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-is-generally-available/ba-p/2048539)
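Review bot: The new bullets under `## 101.23.64 (30.121021.12364.0)` are punctuated and worded inconsistently. The first bullet is three full sentences but ends without a period, the second says "view information about the last on-demand scan" twice, and the third uses "&" where the other entries spell out "and". Suggest ending the first bullet with a period and collapsing the second into one sentence that introduces `mdatp health --details antivirus`. Because the first bullet changes behavior (file activity from an excluded mount point is now suppressed rather than processed), a link to linux-exclusions.md would help admins reassess any whole-mount-point exclusions they already have.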
security Live Response Command Examples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-command-examples.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Mac Device Control Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-intune.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Device Control Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-jamf.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Mac Install Jamfpro Login https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
You do not need any special provisioning for a Mac device beyond a standard [Com
1. Confirm device management.
- ![Confirm device management screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-3-confirmdevicemgmt)
+ ![Confirm device management screenshot](./images/mdatp-3-confirmdevicemgmt.png)
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
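Review bot: The replacement image link in step 1 switches to a relative path, `./images/mdatp-3-confirmdevicemgmt.png`, while the other images touched in this same file still resolve under `/windows/security/threat-protection/microsoft-defender-antivirus/images/`. Please confirm the PNG actually exists in this article's local `images` folder, and either move the remaining images in the same change or keep one path convention for the whole file. The alt text is unchanged here although the other image lines in this commit rewrite theirs.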
To approve the system extensions:
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
-3. In the `Basics` tab, give a name to this new profile.
+3. In the **Basics** tab, give a name to this new profile.
-4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+4. In the **Configuration settings** tab, add the following entries in the **Allowed system extensions** section:
Bundle identifier | Team identifier --|-
To approve the system extensions:
com.microsoft.wdav.netext | UBF8T346G9 > [!div class="mx-imgBorder"]
- > ![Screenshot of the Configuration settings tab, including the Allowed team identifiers section](images/mac-system-extension-intune2.png)
+ > ![Screenshot of the extension settings in Configuration settings on the Basics tab](images/mac-system-extension-intune2.png)
-5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+5. In the **Assignments** tab, assign this profile to **All Users & All devices**.
6. Review and create this configuration profile.
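Review bot: The new alt text on `mac-system-extension-intune2.png` says "on the Basics tab", but the image sits under step 4, which is about the **Configuration settings** tab and its **Allowed system extensions** section. The replaced alt text named the right tab. Suggest something like "Screenshot of the Allowed system extensions entries in the Configuration settings tab" so that screen-reader users are pointed at the same place as the step.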
To approve the system extensions:
4. Select **OK**.
- ![System configuration profiles screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles)
+ ![Import a configuration from a file for Custom Configuration Profile](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles)
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
To approve the system extensions:
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
+8. Download **fulldisk.mobileconfig** from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as **tcc.xml**. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
> [!CAUTION] > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device. > > This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.
-9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
+9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download **netfilter.mobileconfig** from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
10. To allow Microsoft Defender for Endpoint for Mac and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. <a name = "create-system-configuration-profiles-step-10" id = "create-system-configuration-profiles-step-10"></a>
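Review bot: The backtick-to-bold conversion in steps 8 and 9 is incomplete. Step 8 bolds both **fulldisk.mobileconfig** and **tcc.xml**, but step 9 bolds only **netfilter.mobileconfig** and leaves netext.xml unformatted, and step 10 still uses backticks for `notif.mobileconfig`. Please apply one style to all file names in this list. While these lines are being edited: both download links point at the `master` branch on raw.githubusercontent.com, and the step 8 profile grants Full Disk Access, so a short instruction to review the downloaded payload before uploading it to Intune would be worth adding.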
To approve the system extensions:
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: > [!div class="mx-imgBorder"]
-> ![Screenshot of kext - Device status](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade)
+> ![View of Device Status in Monitor](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png)
## Publish application
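Review bot: This hunk adds the `.png` extension to `mdatp-7-devicestatusblade`, but the other image links changed in this file (`mdatp-6-systemconfigurationprofiles`, `mdatp-8-intuneappinfo`, `mdatp-9-intunepkginfo`) keep the extensionless path. If the extension is needed for the image to render, the same fix should be applied to those three links in this commit. If it is not needed, drop it here for consistency.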
Once the Intune changes are propagated to the enrolled devices, you can see them
4. Select **Configure** and add the required information.
-5. Use **macOS High Sierra 10.13** as the minimum OS.
+5. Use **macOS High Sierra 10.14** as the minimum OS.
6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
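Review bot: Step 5 now reads "macOS High Sierra 10.14", which pairs a release name with the wrong version number: High Sierra is 10.13 and 10.14 is Mojave. Only the number was changed in this hunk, so readers cannot tell which minimum is intended. If the minimum OS is being raised, the line should read **macOS Mojave 10.14**. If not, the number should go back to 10.13.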
Once the Intune changes are propagated to the enrolled devices, you can see them
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Microsoft Defender for Endpoint. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Microsoft Defender for Endpoint with *Ignore app version* set to **No**, please change it to **Yes**. If Microsoft Defender for Endpoint still cannot be installed on a client device, then uninstall Microsoft Defender for Endpoint and push the updated policy. > [!div class="mx-imgBorder"]
- > ![Screenshot of the Configure App information option in the Add app dialog box](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo)
+ > ![Display of App information in App add](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo)
7. Select **OK** and **Add**. > [!div class="mx-imgBorder"]
- > ![Screenshot of a sample overview](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo)
+ > ![Device status shown in Notifications window](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo)
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
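Review bot: Both replacement alt texts in this hunk describe the images less accurately than the text they replace. "Display of App information in App add" is hard to parse compared with the old reference to the Configure App information option in the Add app dialog box, and "Device status shown in Notifications window" is attached to `mdatp-9-intunepkginfo`, which follows step 7 (**OK** and **Add**) and by its file name shows package information rather than device status. Please check each alt text against the actual screenshot and reword so that it names the dialog and the setting shown.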
security Mac Install With Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-jamf.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Mac Install With Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Mac Jamfpro Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Mac Jamfpro Enroll Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-pua.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-resources.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Schedule Scan Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan-atp.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-install.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint for Mac](microsoft-defender-endpoint-mac.md)-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Support Kext https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-kext.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint for Mac](microsoft-defender-endpoint-mac.md)-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint for Mac](microsoft-defender-endpoint-mac.md)-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint for Mac](microsoft-defender-endpoint-mac.md)-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Sysext Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-policies.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mac Sysext Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-preview.md
ms.technology: mde
# Microsoft Defender for Endpoint for Mac - system extensions public preview) **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
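Review bot: The heading carried as context in this hunk, "# Microsoft Defender for Endpoint for Mac - system extensions public preview)", ends with a closing parenthesis that has no opening one. Since the file is being touched anyway, either restore the opening parenthesis before "public preview" or drop the trailing one.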
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
ms.technology: mde
> [!IMPORTANT] > Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.
+## 101.22.79 (20.121012.12279.0)
+
+- Performance improvements & bug fixes
+ ## 101.19.88 (20.121011.11988.0) - Performance improvements & bug fixes
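Review bot: The `[!IMPORTANT]` note left as context above the new 101.22.79 entry still says support for macOS 10.13 (High Sierra) "will be discontinued on February 15th, 2021", which is already in the past for an update published on 03/25/2021. microsoft-defender-endpoint-mac.md in this same batch was reworded to "has been discontinued as of February 15th, 2021"; use the same wording here so the two pages agree. The new release entry also says only "Performance improvements & bug fixes"; if any of those fixes are security-relevant, name them so administrators can prioritise the update.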
security Machine Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-reports.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Machineaction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machineaction.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
security Manage Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-alerts.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Manage Atp Post Migration Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-configuration-manager.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Manage Atp Post Migration Group Policy Objects https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-group-policy-objects.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Manage Atp Post Migration Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-intune.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Manage Atp Post Migration Other Tools https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-other-tools.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Manage Atp Post Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Manage Automation File Uploads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-file-uploads.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
security Manage Automation Folder Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-incidents.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Manage Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-indicators.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> [!TIP]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response). Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the device group to apply it to.
-Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV).
+Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender Antivirus).
**Cloud detection engine**<br> The cloud detection engine of Defender for Endpoint regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.
You can create an indicator for:
- [Certificates](indicator-certificates.md)
->[!NOTE]
->There is a limit of 15,000 indicators per tenant.
+> [!NOTE]
+> There is a limit of 15,000 indicators per tenant. File and certificate indicators do not block [exclusions defined for Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators are not supported in Microsoft Defender Antivirus is in passive mode.
## Related topics
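Review bot: The last sentence added to the note, "Indicators are not supported in Microsoft Defender Antivirus is in passive mode.", is ungrammatical and leaves the condition unclear; it presumably should read "Indicators are not supported when Microsoft Defender Antivirus is in passive mode." The phrase "do not block exclusions defined for Microsoft Defender Antivirus" is also ambiguous about precedence: say explicitly whether a file covered by an antivirus exclusion is still blocked by a file or certificate indicator. The note now combines three separate limits (the 15,000 cap, the exclusion interaction, passive mode), so one bullet per limit would be easier to scan.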
security Manage Suppression Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-suppression-rules.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink)
security Mcafee To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-migration.md
- M365-security-compliance - m365solution-mcafeemigrate - m365solution-overview-+ Last updated 03/03/2021
# Migrate from McAfee to Microsoft Defender for Endpoint **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide.
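Review bot: The intro sentence kept as context here reads "to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint)", so the parenthetical now repeats the product name it was meant to abbreviate. Drop the parenthetical or replace it with the short form used elsewhere in this batch ("Defender for Endpoint").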
security Mcafee To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-onboard.md
# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender for Endpoint **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Mcafee To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-prepare.md
# Migrate from McAfee - Phase 1: Prepare for your migration **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) |![Phase 1: Prepare](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](images/phase-diagrams/setup.png)](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
security Mcafee To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-setup.md
# Migrate from McAfee - Phase 2: Set up Microsoft Defender for Endpoint **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) |[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
security Microsoft Cloud App Security Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-config.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Microsoft Cloud App Security Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration.md
ms.technology: mde
[!include[Prerelease information](../../includes/prerelease.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
Title: Microsoft Defender ATP for Mac description: Learn how to install, configure, update, and use Microsoft Defender for Endpoint for Mac.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, catalina, mojave
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
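Review bot: The metadata in this hunk is only half rebranded: the keywords line is updated, but the unchanged "Title: Microsoft Defender ATP for Mac" still uses the old product name while the description on the same line already says "Microsoft Defender for Endpoint for Mac". Update the title in the same change so the page title, description and the "Applies to" list agree.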
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
The three most recent major releases of macOS are supported.
> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md). > [!IMPORTANT]
-> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.
+> Support for macOS 10.13 (High Sierra) has been discontinued as of February 15th, 2021.
-- 11 (Big Sur), 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
+- 11 (Big Sur), 10.15 (Catalina), 10.14 (Mojave)
- Disk space: 1GB Beta versions of macOS are not supported.
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
+
+ Title: Microsoft Defender for Endpoint
+description: Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps defend against advanced persistent threats.
+keywords: introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+# Microsoft Defender for Endpoint
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
+
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+<p></p>
+
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4wDob]
+
+Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+
+- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
++
+- **Cloud security analytics**: Leveraging big-data, device-learning, and
+ unique Microsoft optics across the Windows ecosystem,
+ enterprise cloud products (such as Office 365), and online assets, behavioral signals
+ are translated into insights, detections, and recommended responses
+ to advanced threats.
+
+- **Threat intelligence**: Generated by Microsoft hunters, security teams,
+ and augmented by threat intelligence provided by partners, threat
+ intelligence enables Defender for Endpoint to identify attacker
+ tools, techniques, and procedures, and generate alerts when they
+ are observed in collected sensor data.
+
+<center><h2>Microsoft Defender for Endpoint</center></h2>
+<table>
+<tr>
+<td><a href="#tvm"><center><img src="images/TVM_icon.png" alt="Threat & Vulnerability Management"> <br><b>Threat & Vulnerability Management</b></center></a></td>
+<td><a href="#asr"><center><img src="images/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td>
+<td><center><a href="#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td>
+<td><center><a href="#edr"><img src="images/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td>
+<td><center><a href="#ai"><img src="images/air-icon.png" alt="Automated investigation and remediation"><br> <b>Automated investigation and remediation</b></a></center></td>
+<td><center><a href="#mte"><img src="images/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td>
+</tr>
+<tr>
+<td colspan="7">
+<a href="#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>
+</tr>
+<tr>
+<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
+</tr>
+</table>
+<br>
+
+<p></p>
+
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vnC4?rel=0]
+
+> [!TIP]
+> - Learn about the latest enhancements in Defender for Endpoint: [What's new in Microsoft Defender for Endpoint](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+> - Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
+
+<a name="tvm"></a>
+
+**[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**<br>
+This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+
+<a name="asr"></a>
+
+**[Attack surface reduction](overview-attack-surface-reduction.md)**<br>
+The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs.
+
+<a name="ngp"></a>
+
+**[Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**<br>
+To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
+
+<a name="edr"></a>
+
+**[Endpoint detection and response](overview-endpoint-detection-response.md)**<br>
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. [Advanced hunting](advanced-hunting-overview.md) provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections.
+
+<a name="ai"></a>
+
+**[Automated investigation and remediation](automated-investigations.md)**<br>
+In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+
+<a name="ss"></a>
+
+**[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**<br>
+
+Defender for Endpoint includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
+
+<a name="mte"></a>
+
+**[Microsoft Threat Experts](microsoft-threat-experts.md)**<br>
+Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
+
+>[!IMPORTANT]
+>Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.<p>
+><p>If you are not enrolled yet and would like to experience its benefits, go to <b>Settings</b> > <b>General</b> > <b>Advanced features</b> > <b>Microsoft Threat Experts</b> to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
+
+<a name="apis"></a>
+
+**[Centralized configuration and administration, APIs](management-apis.md)**<br>
+Integrate Microsoft Defender for Endpoint into your existing workflows.
+
+<a name="mtp"></a>
+
+**[Integration with Microsoft solutions](threat-protection-integration.md)** <br>
+Defender for Endpoint directly integrates with various Microsoft solutions, including:
+- Azure Security Center
+- Azure Sentinel
+- Intune
+- Microsoft Cloud App Security
+- Microsoft Defender for Identity
+- Microsoft Defender for Office
+- Skype for Business
+
+**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-threat-protection)**<br>
+With Microsoft 365 Defender, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
++
+## Related topic
+[Microsoft Defender for Endpoint helps detect sophisticated threats](https://www.microsoft.com/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection)
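Review bot: The last two rows of the capability table close their tags out of order, and the final row's label does not match the section it links to. `<b>Centralized configuration and administration, APIs</a></b></center>` and `<b>Microsoft Threat Protection</a></center></b>` should close in reverse order of opening (`</b></center></a>`), and the `#mtp` cell should be renamed to match the "Integration with Microsoft solutions" and "Microsoft 365 Defender" headings that follow that anchor. Also in this block: the `[!TIP]` links for "latest enhancements" and the MITRE evaluation point at 2018 Windows Defender ATP blog posts, the `<p>` tags inside the `[!IMPORTANT]` note are never closed, and the added line consisting of a lone `+` before `## Related topic` looks unintended.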
security Microsoft Defender Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-threat-experts.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Migration Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migration-guides.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Let us know what you think! Submit your feedback at the bottom of the page. We'l
## See also - [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection)-- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/defender-365-security/office-365-atp)
+- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-threat-protection?)
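Review bot: The neighboring See also entry still carries a stray trailing `?` in its URL (`.../security/defender/microsoft-threat-protection?`); since this hunk is already correcting a link path in the same list, drop the `?` in the same change. The Defender for Endpoint entry above it still points at `docs.microsoft.com/windows/security/threat-protection` while the Office 365 entry moves to `office-365-security`, so confirm that path is still the intended target.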
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mssp List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-list.md
ms.technology: mde
# Supported managed security service providers **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-support.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md
ms.technology: mde Last updated 03/08/2021+ # Protect your network
Last updated 03/08/2021
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Next Gen Threat And Vuln Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Offboard Machine Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machine-api.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Offboard Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machines.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) **Platforms**
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) [!include[Prerelease information](../../includes/prerelease.md)]
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) **Platforms**
security Onboard Offline Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-offline-machines.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Onboarding Endpoint Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Onboarding Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Onboarding Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Overview Custom Detections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-custom-detections.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Overview Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Overview Hardware Based Isolation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-integration.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Portal Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/portal-overview.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Post Ti Indicator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/post-ti-indicator.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Preferences Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preferences-setup.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Prepare Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prepare-deployment.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Preview Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview-settings.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md
ms.technology: mde
>The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Production Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Pull Alerts Using Rest Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/pull-alerts-using-rest-api.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
security Restrict Code Execution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/restrict-code-execution.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
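Review bot: After this change the header lists Microsoft Defender for Endpoint twice with the same link ID: the new bullet uses `https://go.microsoft.com/fwlink/p/?linkid=2154037` and the existing second `**Applies to:**` line uses `https://go.microsoft.com/fwlink/?linkid=2154037`. Remove the leftover second `**Applies to:**` line or fold it into the list, and use one URL form for both. The set-device-value.md and software.md hunks show the same duplicate.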
security Set Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/set-device-value.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
security Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/software.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
security Supported Response Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/supported-response-apis.md
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> [!TIP] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink)
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
# Switch to Microsoft Defender for Endpoint - Phase 3: Onboard **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) | [![Phase 1: Prepare3](images/phase-diagrams/prepare.png)](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) | [![Phase 2: Set up](images/phase-diagrams/setup.png)](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) | ![Phase 3: Onboard](images/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
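Review bot: The phase table on the trailing context line has the image alt text `Phase 1: Prepare3`, which reads as a typo next to `Phase 2: Set up` and `Phase 3: Onboard`; correct it to `Phase 1: Prepare` while this header is being edited, since alt text is what screen readers announce. The switch-to-microsoft-defender-setup.md hunk has the same problem with `Phase 3: Onboard3`, and its heading spells the phase "Setup" while the table spells it "Set up".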
security Switch To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-prepare.md
# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) | ![Phase 1: Prepare](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare | [![Phase 2: Set up](images/phase-diagrams/setup.png)](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) | [![Phase 3: Onboard](images/phase-diagrams/onboard.png)](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
# Switch to Microsoft Defender for Endpoint - Phase 2: Setup **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) |[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard3](images/phase-diagrams/onboard.png)](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
security Symantec To Microsoft Defender Atp Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-migration.md
- M365-security-compliance - m365solution-symantecmigrate - m365solution-overview-+ Last updated 03/03/2021
If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide. **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) :::image type="content" source="images/symantec-mde-migration.png" alt-text="Overview of migrating from Symantec to Defender for Endpoint":::
security Symantec To Microsoft Defender Atp Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-onboard.md
# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender for Endpoint **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) |[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[![Phase 2: Set up](images/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |![Phase 3: Onboard](images/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
security Symantec To Microsoft Defender Atp Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-prepare.md
# Migrate from Symantec - Phase 1: Prepare for your migration **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) |![Phase 1: Prepare](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](images/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
security Symantec To Microsoft Defender Atp Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-setup.md
# Migrate from Symantec - Phase 2: Set up Microsoft Defender for Endpoint **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) |[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
security Techniques Device Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/techniques-device-timeline.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can gain more insight in an investigation by analyzing the events that happened on a specific device. First, select the device of interest from the [Devices list](machines-view-overview.md). On the device page, you can select the **Timeline** tab to view all the events that occurred on the device.
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports.md
ms.technology: mde
**Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
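Review bot: the Applies to list still carries the legacy entry `Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)` (linkid=2069559) directly before the entry this hunk updates, so the same product is listed twice under two names. Remove the legacy entry, or confirm it is kept on purpose, so the list matches the two-entry form used by the other Defender for Endpoint articles in this batch.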
security Threat Protection Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Ti Indicator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ti-indicator.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Time Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/time-settings.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Troubleshoot Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr.md
ms.technology: mde+ # Troubleshoot attack surface reduction rules
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
security Troubleshoot Collect Support Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
security Troubleshoot Exploit Protection Mitigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-exploit-protection-mitigations.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
security Troubleshoot Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-live-response.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
security Troubleshoot Mdatp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-mdatp.md
Title: Troubleshoot Microsoft Defender for Endpoint service issues
-description: Find solutions and work arounds to known issues such as server errors when trying to access the service.
+description: Find solutions and workarounds to known issues such as server errors when trying to access the service.
keywords: troubleshoot microsoft defender for endpoint, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, allow, event viewer search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
If you encounter a server error when trying to access the service, youΓÇÖll need
Configure your browser to allow cookies. ## Elements or data missing on the portal
-If some UI elements or data is missing on Microsoft Defender Security Center itΓÇÖs possible that proxy settings are blocking it.
+If some elements or data is missing on Microsoft Defender Security Center itΓÇÖs possible that proxy settings are blocking it.
-Make sure that `*.securitycenter.windows.com` is included the proxy allow list.
+Make sure that `*.securitycenter.windows.com` is included the proxy allowlist.
> [!NOTE]
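Review bot: both rewritten sentences under "Elements or data missing on the portal" still have grammar defects that this edit could fix in the same pass. `is included the proxy allowlist` is missing a preposition and should read `is included in the proxy allowlist`, and `If some elements or data is missing` should read `are missing`, with a comma after `Microsoft Defender Security Center`. The allowlist entry is what an administrator copies into a proxy configuration, so the instruction around it should read unambiguously.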
Make sure that `*.securitycenter.windows.com` is included the proxy allow list.
## Microsoft Defender for Endpoint service shows event or error logs in the Event Viewer
-See the topic [Review events and errors using Event Viewer](event-error-codes.md) for a list of event IDs that are reported by the Microsoft Defender for Endpoint service. The topic also contains troubleshooting steps for event errors.
+See [Review events and errors using Event Viewer](event-error-codes.md) for a list of event IDs that are reported by the Microsoft Defender for Endpoint service. The article also contains troubleshooting steps for event errors.
## Microsoft Defender for Endpoint service fails to start after a reboot and shows error 577
security Troubleshoot Np https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
security Troubleshoot Onboarding Error Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
security Troubleshoot Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-siem.md
ms.technology: mde
**Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Tvm Supported Os https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-supported-os.md
Windows Server 2008 R2 | Operating System (OS) vulnerabilities<br/>Software prod
Windows Server 2012 R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment Windows Server 2016 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment Windows Server 2019 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
-macOS 10.13 "High Sierra" and above | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
+macOS 10.14 "Mojave" and above | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
Linux | Not supported (planned) ## Related articles
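Review bot: the macOS row changes the minimum version from 10.13 "High Sierra" to 10.14 "Mojave" with no accompanying text, so a reader with 10.13 devices cannot tell from this table whether those devices stop reporting vulnerability data or were never fully covered. Add a short note under the table stating what happens to devices below 10.14, and check that the minimum version stated here agrees with the macOS requirements given elsewhere in the Defender for Endpoint docs.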
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!IMPORTANT]
security Web Protection Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-monitoring.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
security Web Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Web Protection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-response.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
security Web Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-threat-protection.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
security Advanced Hunting Emailpostdeliveryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table.md
To get more information about individual email messages, you can also use the [`
## Supported event types This table captures events with the following `ActionType` values: -- **Manual remediation** ΓÇô An administrator manually took action on an email message after it was delivered to the user mailbox. This includes actions taken manually through [Threat Explorer](../defender-365-security/threat-explorer.md) or approvals of [automated investigation and response (AIR) actions](m365d-autoir-actions.md).-- **Phish ZAP** ΓÇô [Zero-hour auto purge (ZAP)](../defender-365-security/zero-hour-auto-purge.md) took action on a phishing email after delivery.
+- **Manual remediation** ΓÇô An administrator manually took action on an email message after it was delivered to the user mailbox. This includes actions taken manually through [Threat Explorer](../office-365-security/threat-explorer.md) or approvals of [automated investigation and response (AIR) actions](m365d-autoir-actions.md).
+- **Phish ZAP** ΓÇô [Zero-hour auto purge (ZAP)](../office-365-security/zero-hour-auto-purge.md) took action on a phishing email after delivery.
- **Malware ZAP** ΓÇô Zero-hour auto purge (ZAP) took action on an email message found containing malware after delivery. ## Related topics
security Advanced Hunting Query Emails Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-emails-devices.md
DeviceInfo
## Hunting scenarios ### List logon activities of users that received emails that were not zapped successfully
-[Zero-hour auto purge (ZAP)](../defender-365-security/zero-hour-auto-purge.md) addresses malicious emails after they have been received. If ZAP fails, malicious code might eventually run on the device and leave accounts compromised. This query checks for logon activity made by the recipients of emails that were not successfully addressed by ZAP.
+[Zero-hour auto purge (ZAP)](../office-365-security/zero-hour-auto-purge.md) addresses malicious emails after they have been received. If ZAP fails, malicious code might eventually run on the device and leave accounts compromised. This query checks for logon activity made by the recipients of emails that were not successfully addressed by ZAP.
```kusto EmailPostDeliveryEvents
security Config M365d Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/config-m365d-eval.md
There's a PowerShell Module called the *Office 365 Advanced Threat Protection Re
7. Next, select the **Safe Links** policy, then click the pencil icon to edit the default policy.
-8. Make sure that the **Do not track when users click safe links** option is not selected, while the rest of the options are selected. See [Safe Links settings](/microsoft-365/security/defender-365-security/recommended-settings-for-eop-and-office365) for details. Click **Save**.
+8. Make sure that the **Do not track when users click safe links** option is not selected, while the rest of the options are selected. See [Safe Links settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365) for details. Click **Save**.
![Image of_Office 365 Security & Compliance Center page which shows that the option Do not track when users click safe is not selected](../../media/mtp-eval-38.png)
security Custom Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-roles.md
Users with existing Custom roles may access data in the Microsoft 365 security c
Custom roles and permissions can be created and individually managed through each of the following security portals: - Microsoft Defender for Endpoint ΓÇô [Edit roles in Microsoft Defender for Endpoint](../defender-endpoint/user-roles.md)-- Microsoft Defender for Office 365 ΓÇô [Permissions in the Security & Compliance Center](../defender-365-security/permissions-in-the-security-and-compliance-center.md?preserve-view=true&view=o365-worldwide)
+- Microsoft Defender for Office 365 ΓÇô [Permissions in the Security & Compliance Center](../office-365-security/permissions-in-the-security-and-compliance-center.md?preserve-view=true&view=o365-worldwide)
- Microsoft Cloud App Security ΓÇô [Manage admin access](/cloud-app-security/manage-admins) Each custom role created through an individual portal allows access to the data of the relevant product portal. For example, a custom role created through Microsoft Defender for Endpoint will only allow access to Defender for Endpoint data.
security Deploy Supported Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/deploy-supported-services.md
Deploying each service typically requires provisioning to your tenant and some i
| Service | Provisioning instructions | Initial configuration | | | | | | Microsoft Defender for Endpoint | [Microsoft Defender for Endpoint deployment guide](../defender-endpoint/deployment-phases.md) | *See provisioning instructions* |
-|Microsoft Defender for Office 365 | *None, provisioned with Office 365* | [Configure Microsoft Defender for Office 365 policies](/microsoft-365/security/defender-365-security/defender-for-office-365#configure-atp-policies) |
+|Microsoft Defender for Office 365 | *None, provisioned with Office 365* | [Configure Microsoft Defender for Office 365 policies](/microsoft-365/security/office-365-security/defender-for-office-365#configure-atp-policies) |
| Microsoft Defender for Identity | [Quickstart: Create your Microsoft Defender for Identity instance](/azure-advanced-threat-protection/install-atp-step1) | *See provisioning instructions* | | Microsoft Cloud App Security | *None* | [Quickstart: Get started with Microsoft Cloud App Security](/cloud-app-security/getting-started-with-cloud-app-security) |
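Review bot: the updated link in the Microsoft Defender for Office 365 row keeps the fragment `#configure-atp-policies` while moving to the `office-365-security` path. The link text no longer uses the ATP name, so verify that this heading anchor still exists in the target article; if the heading was renamed, the link will land at the top of the page instead of the policy section.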
Once youΓÇÖve deployed the supported services, [turn on Microsoft 365 Defender](
- [Microsoft 365 Defender overview](microsoft-365-defender.md) - [Turn on Microsoft 365 Defender](m365d-enable.md)-- [Microsoft Defender for Endpoint overview](../defender-endpoint/microsoft-defender-advanced-threat-protection.md)-- [Microsoft Defender for Office 365 overview](../defender-365-security/defender-for-office-365.md)
+- [Microsoft Defender for Endpoint overview](../defender-endpoint/microsoft-defender-endpoint.md)
+- [Microsoft Defender for Office 365 overview](../office-365-security/defender-for-office-365.md)
- [Microsoft Cloud App Security overview](/cloud-app-security/what-is-cloud-app-security) - [Microsoft Defender for Identity overview](/azure-advanced-threat-protection/what-is-atp)
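Review bot: in the related-links list, the Defender for Endpoint overview entry changes the target file name (`microsoft-defender-advanced-threat-protection.md` to `microsoft-defender-endpoint.md`), whereas the Defender for Office 365 entry changes only the folder. These are two different kinds of fix in one hunk; confirm the renamed file exists at the new path and that the old file name redirects, since other articles may still point at it.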
security Device Profile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/device-profile.md
Actions available on the device profile page include:
* **Run antivirus scan** - Updates Windows Defender Antivirus definitions and immediately runs an antivirus scan. Choose between Quick scan or Full scan. * **Collect investigation package** - Gathers information about the device. When the investigation is completed, you can download it. * **Initiate Live Response Session** - Loads a remote shell on the device for [in-depth security investigations](/microsoft-365/security/defender-endpoint/live-response).
-* **Initiate automated investigation** - Automatically [investigates and remediates threats](../defender-365-security/office-365-air.md). Although you can manually trigger automated investigations to run from this page, [certain alert policies](../../compliance/alert-policies.md?view=o365-worldwide#default-alert-policies) trigger automatic investigations on their own.
+* **Initiate automated investigation** - Automatically [investigates and remediates threats](../office-365-security/office-365-air.md). Although you can manually trigger automated investigations to run from this page, [certain alert policies](../../compliance/alert-policies.md?view=o365-worldwide#default-alert-policies) trigger automatic investigations on their own.
* **Action center** - Displays information about any response actions that are currently running. ## Tabs section
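Review bot: the "Initiate automated investigation" bullet describes an action taken on a device, but the corrected link still points to `office-365-air.md`, the Office 365 automated investigation and response article. The path fix is right as far as it goes; please check whether the intended target for a device action is the Defender for Endpoint automated investigation article instead. The neighbouring bullet also still says `Windows Defender Antivirus`, which is worth aligning with current naming in the same pass.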
Selecting an item will open a flyout that links to the update.
* [Microsoft 365 Defender overview](microsoft-365-defender.md) * [Turn on Microsoft 365 Defender](m365d-enable.md) * [Investigate entities on devices, using live response](../defender-endpoint/live-response.md)
-* [Automated investigation and response (AIR) in Office 365](../defender-365-security/office-365-air.md)
+* [Automated investigation and response (AIR) in Office 365](../office-365-security/office-365-air.md)
security M365d Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-action-center.md
The unified Action center brings together remediation actions across Defender fo
You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions: -- [Defender for Endpoint](../defender-endpoint/microsoft-defender-advanced-threat-protection.md)-- [Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365)
+- [Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md)
+- [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
- [Microsoft 365 Defender](microsoft-365-defender.md) > [!TIP]
In addition to remediation actions that are taken automatically as a result of [
| Action source value | Description | |:--|:| | **Manual device action** | A manual action taken on a device. Examples include [device isolation](../defender-endpoint/respond-machine-alerts.md#isolate-devices-from-the-network) or [file quarantine](../defender-endpoint/respond-file-alerts.md#stop-and-quarantine-files). |
-| **Manual email action** | A manual action taken on email. An example includes soft-deleting email messages or [remediating an email message](../defender-365-security/remediate-malicious-email-delivered-office-365.md). |
+| **Manual email action** | A manual action taken on email. An example includes soft-deleting email messages or [remediating an email message](../office-365-security/remediate-malicious-email-delivered-office-365.md). |
| **Automated device action** | An automated action taken on an entity, such as a file or process. Examples of automated actions include sending a file to quarantine, stopping a process, and removing a registry key. (See [Remediation actions in Microsoft Defender for Endpoint](../defender-endpoint/manage-auto-investigation.md#remediation-actions).) |
-| **Automated email action** | An automated action taken on email content, such as an email message, attachment, or URL. Examples of automated actions include soft-deleting email messages, blocking URLs, and turning off external mail forwarding. (See [Remediation actions in Microsoft Defender for Office 365](../defender-365-security/air-remediation-actions.md).) |
+| **Automated email action** | An automated action taken on email content, such as an email message, attachment, or URL. Examples of automated actions include soft-deleting email messages, blocking URLs, and turning off external mail forwarding. (See [Remediation actions in Microsoft Defender for Office 365](../office-365-security/air-remediation-actions.md).) |
| **Advanced hunting action** | Actions taken on devices or email with [advanced hunting](./advanced-hunting-overview.md). |
-| **Explorer action** | Actions taken on email content with [Explorer](../defender-365-security/threat-explorer.md). |
+| **Explorer action** | Actions taken on email content with [Explorer](../office-365-security/threat-explorer.md). |
| **Manual live response action** | Actions taken on a device with [live response](../defender-endpoint/live-response.md). Examples include deleting a file, stopping a process, and removing a scheduled task. | | **Live response action** | Actions taken on a device with [Microsoft Defender for Endpoint APIs](../defender-endpoint/management-apis.md#microsoft-defender-for-endpoint-apis). Examples of actions include isolating a device, running an antivirus scan, and getting information about a file. |
To perform tasks, such as approving or rejecting pending actions in the Action c
|Remediation action |Required roles and permissions | |--|-| |Microsoft Defender for Endpoint remediation (devices) |**Security Administrator** role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> or <br/>**Active remediation actions** role assigned in Microsoft Defender for Endpoint <br/> <br/> To learn more, see the following resources: <br/>- [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Create and manage roles for role-based access control (Microsoft Defender for Endpoint)](../defender-endpoint/user-roles.md) |
-|Microsoft Defender for Office 365 remediation (Office content and email) |**Security Administrator** role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> and <br/>**Search and Purge** role assigned the Security & Compliance Center ([https://protection.office.com](https://protection.office.com)) <br/><br/>**IMPORTANT**: If you have the **Security Administrator** role assigned only in the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), you will not be able to access the Action center or Microsoft 365 Defender capabilities. You must have the **Security Administrator** role assigned in Azure Active Directory or the Microsoft 365 admin center. <br/><br/>To learn more, see the following resources: <br/>- [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Permissions in the Security & Compliance Center](/microsoft-365/security/defender-365-security/permissions-in-the-security-and-compliance-center) |
+|Microsoft Defender for Office 365 remediation (Office content and email) |**Security Administrator** role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> and <br/>**Search and Purge** role assigned the Security & Compliance Center ([https://protection.office.com](https://protection.office.com)) <br/><br/>**IMPORTANT**: If you have the **Security Administrator** role assigned only in the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), you will not be able to access the Action center or Microsoft 365 Defender capabilities. You must have the **Security Administrator** role assigned in Azure Active Directory or the Microsoft 365 admin center. <br/><br/>To learn more, see the following resources: <br/>- [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Permissions in the Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center) |
> [!TIP] > Users who have the **Global Administrator** role assigned in Azure Active Directory can approve or reject any pending action in the Action center. However, as a best practice, your organization should limit the number of people who have the **Global Administrator** role assigned. We recommend using the **Security Administrator**, **Active remediation actions**, and **Search and Purge** roles listed in the preceding table for Action center permissions.
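Review bot: The added Defender for Office 365 row still reads "**Search and Purge** role assigned the Security & Compliance Center", which is missing "in" before "the". The only difference between the removed and added row is the path of the last link (defender-365-security to office-365-security), so the wording fix can go in with it: "**Search and Purge** role assigned in the Security & Compliance Center".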
security M365d Autoir Report False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-report-false-positives-negatives.md
The following sections describe how to perform these tasks.
|Item missed or wrongly detected |Service |What to do | ||||
-|- Email message <br/>- Email attachment <br/>- URL in an email message<br/>- URL in an Office file |[Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365) |[Submit suspected spam, phish, URLs, and files to Microsoft for scanning](../defender-365-security/admin-submission.md) |
+|- Email message <br/>- Email attachment <br/>- URL in an email message<br/>- URL in an Office file |[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) |[Submit suspected spam, phish, URLs, and files to Microsoft for scanning](../office-365-security/admin-submission.md) |
|File or app on a device |[Microsoft Defender for Endpoint](/windows/security/threat-protection) |[Submit a file to Microsoft for malware analysis](https://www.microsoft.com/wdsi/filesubmission) | ## Adjust an alert to prevent false positives from recurring
security M365d Autoir Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-results.md
With Microsoft 365 Defender, when an [automated investigation](m365d-autoir.md)
## (NEW!) Unified investigation page
-The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and [Microsoft Defender for Office 365](../defender-365-security/defender-for-office-365.md). To access the unified investigation page, select the link in the yellow banner you'll see on:
+The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and [Microsoft Defender for Office 365](../office-365-security/defender-for-office-365.md). To access the unified investigation page, select the link in the yellow banner you'll see on:
- Any investigation page in the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)) - Any investigation page in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) - Any incident or Action center experience in the improved Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com))
security M365d Autoir https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir.md
In Microsoft 365 Defender, each automated investigation correlates signals acros
|Entities |Threat protection services | |:|:| |Devices (also referred to as endpoints, and sometimes referred to as machines) |[Microsoft Defender for Endpoint](../defender-endpoint/automated-investigations.md)<br/>[Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) |
-|Email content (email messages that can contain files and URLs) |[Microsoft Defender for Office 365](../defender-365-security/defender-for-office-365.md) |
+|Email content (email messages that can contain files and URLs) |[Microsoft Defender for Office 365](../office-365-security/defender-for-office-365.md) |
> [!NOTE] > Not every alert triggers an automated investigation, and not every investigation results in automated remediation actions; it depends on how automated investigation and response is configured for your organization. See [Configure automated investigation and response capabilities in Microsoft 365 Defender](m365d-configure-auto-investigation-response.md).
security M365d Configure Auto Investigation Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-configure-auto-investigation-response.md
Then, after you're all set up, [View and manage actions in the Action center](m3
|Subscription requirements |One of these subscriptions: <br/>- Microsoft 365 E5<br/>- Microsoft 365 A5<br/>- Microsoft 365 E5 Security<br/>- Microsoft 365 A5 Security<br/>- Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5<p> See [Microsoft 365 Defender licensing requirements](./prerequisites.md#licensing-requirements).| |Network requirements |- [Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) enabled<br/>- [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) configured<br/>- [Microsoft Defender for Identity integration](/cloud-app-security/mdi-integration) | |Windows machine requirements |- Windows 10, version 1709 or later installed (See [Windows 10 release information](/windows/release-information/)) <br/>- The following threat protection services configured:<br/>- [Microsoft Defender for Endpoint](../defender-endpoint/configure-endpoints.md)<br/>- [Microsoft Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) |
-|Protection for email content and Office files |[Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365#configure-atp-policies) configured |
+|Protection for email content and Office files |[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365#configure-atp-policies) configured |
|Permissions | To configure automated investigation and response capabilities, you must have the Global Administrator or Security Administrator role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).<p>To get the permissions needed to work with automated investigation and response capabilities, such as reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](m365d-action-center.md#required-permissions-for-action-center-tasks). | ## Review or change the automation level for device groups
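Review bot: The "Protection for email content and Office files" row keeps the anchor #configure-atp-policies after the path change. The anchor uses the older ATP naming while the link text uses the current product name, so confirm that the heading still exists in the article at its new location before merging.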
Whether automated investigations run, and whether remediation actions are taken
## Review your security and alert policies in Office 365
-Microsoft provides built-in [alert policies](../../compliance/alert-policies.md) that help identify certain risks. These risks include Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Some alerts can trigger [automated investigation and response in Office 365](../defender-365-security/office-365-air.md). Make sure your [Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365) features are configured correctly.
+Microsoft provides built-in [alert policies](../../compliance/alert-policies.md) that help identify certain risks. These risks include Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Some alerts can trigger [automated investigation and response in Office 365](../office-365-security/office-365-air.md). Make sure your [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) features are configured correctly.
Although certain alerts and security policies can trigger automated investigations, no remediation actions are taken automatically for email and content. Instead, all remediation actions for email and email content await approval by your security operations team in the [Action center](m365d-action-center.md).
-Security settings in Office 365 help protect email and content. To view or change these settings, follow the guidance in [Protect against threats](../defender-365-security/protect-against-threats.md).
+Security settings in Office 365 help protect email and content. To view or change these settings, follow the guidance in [Protect against threats](../office-365-security/protect-against-threats.md).
1. In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies** > **Threat protection**.
-2. Make sure all of the following policies are configured. To get help and recommendations, see [Protect against threats](/microsoft-365/security/defender-365-security/protect-against-threats).
- - [Anti-malware (Office 365)](../defender-365-security/protect-against-threats.md#part-1anti-malware-protection)
- - [Anti-phishing in Defender for Office 365)](../defender-365-security/protect-against-threats.md#part-2anti-phishing-protection)
- - [Safe Attachments (Office 365)](../defender-365-security/protect-against-threats.md#safe-attachments-policies-in-microsoft-defender-for-office-365)
- - [Safe Links (Office 365)](../defender-365-security/protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365)
- - [Anti-spam (Office 365)](../defender-365-security/protect-against-threats.md#part-3anti-spam-protection)
-3. Make sure [Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](../defender-365-security/protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on) is turned on.
-4. Make sure [zero-hour auto purge for email](../defender-365-security/protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop) protection is in effect.
+2. Make sure all of the following policies are configured. To get help and recommendations, see [Protect against threats](/microsoft-365/security/office-365-security/protect-against-threats).
+ - [Anti-malware (Office 365)](../office-365-security/protect-against-threats.md#part-1anti-malware-protection)
+ - [Anti-phishing in Defender for Office 365)](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection)
+ - [Safe Attachments (Office 365)](../office-365-security/protect-against-threats.md#safe-attachments-policies-in-microsoft-defender-for-office-365)
+ - [Safe Links (Office 365)](../office-365-security/protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365)
+ - [Anti-spam (Office 365)](../office-365-security/protect-against-threats.md#part-3anti-spam-protection)
+3. Make sure [Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on) is turned on.
+4. Make sure [zero-hour auto purge for email](../office-365-security/protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop) protection is in effect.
5. (This step is optional.) Review your [Office 365 alert policies](../../compliance/alert-policies.md) in the Microsoft 365 compliance center ([https://compliance.microsoft.com/compliancepolicies](https://compliance.microsoft.com/compliancepolicies)). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see [Default alert policies](../../compliance/alert-policies.md#default-alert-policies). ## Make sure Microsoft 365 Defender is turned on
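Review bot: The anti-phishing bullet under step 2 has an unbalanced parenthesis in its link text, "[Anti-phishing in Defender for Office 365)]", and the added line carries it over unchanged. The sibling bullets use the form "Anti-malware (Office 365)", so either match that form or drop the stray ")". Also, the step 2 intro link uses the site-absolute path /microsoft-365/security/office-365-security/protect-against-threats while the bullets under it use ../office-365-security/protect-against-threats.md for the same article; pick one style.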
security M365d Enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable.md
Microsoft support staff can help provision or deprovision the service and relate
- [Licensing requirements and other prerequisites](prerequisites.md) - [Deploy supported services](deploy-supported-services.md) - [Microsoft 365 Defender overview](microsoft-365-defender.md)-- [Microsoft Defender for Endpoint overview](../defender-endpoint/microsoft-defender-advanced-threat-protection.md)-- [Defender for Office 365 overview](../defender-365-security/defender-for-office-365.md)
+- [Microsoft Defender for Endpoint overview](../defender-endpoint/microsoft-defender-endpoint.md)
+- [Defender for Office 365 overview](../office-365-security/defender-for-office-365.md)
- [Microsoft Cloud App Security overview](/cloud-app-security/what-is-cloud-app-security) - [Microsoft Defender for Identity overview](/azure-advanced-threat-protection/what-is-atp) - [Microsoft Defender for Endpoint data storage](../defender-endpoint/data-storage-privacy.md)
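Review bot: The Defender for Endpoint overview bullet changes the target file name (microsoft-defender-advanced-threat-protection.md to microsoft-defender-endpoint.md), which is a different kind of change from the defender-365-security to office-365-security folder rename in the bullet below it. Other links in this same set of updates, for example the Microsoft Defender for Endpoint bullet in overview-security-center.md, still point at /microsoft-365/security/defender-endpoint/microsoft-defender-advanced-threat-protection, so confirm which name is current and make the links agree.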
security M365d Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-remediation-actions.md
During and after an automated investigation in Microsoft 365 Defender, remediati
> Whether remediation actions are taken automatically or only upon approval depends on certain settings, such as how automation levels. To learn more, see the following articles: > - [Configure your automated investigation and response capabilities in Microsoft 365 Defender](m365d-configure-auto-investigation-response.md) > - [How threats are remediated on devices](../defender-endpoint/automated-investigations.md)
-> - [Threats and remediation actions on email & collaboration content](../defender-365-security/air-remediation-actions.md#threats-and-remediation-actions)
+> - [Threats and remediation actions on email & collaboration content](../office-365-security/air-remediation-actions.md#threats-and-remediation-actions)
The following table summarizes remediation actions that are currently supported in Microsoft 365 Defender:
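Review bot: The note that contains the changed link opens with an unfinished clause, "depends on certain settings, such as how automation levels". While this block is being edited, complete the sentence, for instance "such as how automation levels are set", assuming that is the intended meaning.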
In addition to remediation actions that follow automated investigations, your se
- Manual device action, such as device isolation or file quarantine. - Manual email action, such as soft-deleting email messages. - [Advanced hunting](../defender-endpoint/advanced-hunting-overview.md) action on devices or email.-- [Explorer](../defender-365-security/threat-explorer.md) action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email.
+- [Explorer](../office-365-security/threat-explorer.md) action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email.
- Manual [live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response) action, such as deleting a file, stopping a process, and removing a scheduled task. - Live response action with [Microsoft Defender for Endpoint APIs](../defender-endpoint/management-apis.md#microsoft-defender-for-endpoint-apis), such as isolating a device, running an antivirus scan, and getting information about a file.
security Microsoft 365 Security Center Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mde.md
- [Microsoft 365 Defender](microsoft-365-defender.md) - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
The improved [Microsoft 365 security center](overview-security-center.md) at [https://security.microsoft.com](https://security.microsoft.com) combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats. This security center brings together functionality from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance center.
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
ms.technology: m365d
**Applies to:** - [Microsoft 365 Defender](microsoft-365-defender.md) - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
The improved [Microsoft 365 security center](./overview-security-center.md) at [https://security.microsoft.com](https://security.microsoft.com) combines security capabilities from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
This table is a quick reference of Email & Collaboration areas where change has
|**Area** |**Description of change** | |||
-| [Email entity page](../defender-365-security/mdo-email-entity-page.md) | This page **unifies** email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is *centralized*. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling. |
-| [Investigation](../defender-365-security/office-365-air.md#changes-are-coming-soon-in-your-security-center) | Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place. |
+| [Email entity page](../office-365-security/mdo-email-entity-page.md) | This page **unifies** email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is *centralized*. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling. |
+| [Investigation](../office-365-security/office-365-air.md#changes-are-coming-soon-in-your-security-center) | Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place. |
| [Alert view](../../compliance/alert-policies.md) | The **View alerts** flyout pane in the Office Security and Compliance center now includes links to the Microsoft 365 security center. Click on the **Open Alert Page** link and the Microsoft 365 security center opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue. |
-| [Attack Simulation training](../defender-365-security/attack-simulation-training-insights.md) | Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage. |
+| [Attack Simulation training](../office-365-security/attack-simulation-training-insights.md) | Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage. |
No changes to these areas:-- [Explorer](../defender-365-security/threat-explorer.md)
+- [Explorer](../office-365-security/threat-explorer.md)
- [Policies & Rules](../../compliance/alert-policies.md)-- [Campaign](../defender-365-security/campaigns.md)-- [Submissions](../defender-365-security/admin-submission.md)
+- [Campaign](../office-365-security/campaigns.md)
+- [Submissions](../office-365-security/admin-submission.md)
- [Review](./m365d-action-center.md)-- [Threat Tracker](../defender-365-security/threat-trackers.md)
+- [Threat Tracker](../office-365-security/threat-trackers.md)
Also, check the **Related Information** section at the bottom of this article.
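Review bot: Two rows of the table are re-added with their grammar errors intact. The Email entity page row ends "and then act quickly determine handling" (missing "to"), and the Attack Simulation training row has "Attack simulation training includes, more options, enhanced reports, and improved training flows help make ...", which runs two sentences together. Fix both while these rows are being rewritten. The Investigation row's anchor #changes-are-coming-soon-in-your-security-center is tied to a time-bound heading, so check that it still resolves under the new path.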
View reports, change your settings, and modify user roles.
## Advanced Hunting example for Microsoft Defender for Office 365 Want to get started searching for email threats using advanced hunting? Try this:
-The [Getting Started](/microsoft-365/security/defender-365-security/defender-for-office-365.md#getting-started) section of the [Microsoft Defender for Office 365 article](/microsoft-365/security/defender-365-security/defender-for-office-365) has logical early configuration chunks that look like this:
+The [Getting Started](/microsoft-365/security/office-365-security/defender-for-office-365.md#getting-started) section of the [Microsoft Defender for Office 365 article](/microsoft-365/security/office-365-security/defender-for-office-365) has logical early configuration chunks that look like this:
1. Configure everything with 'anti' in the name. - anti-malware
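Review bot: The first link on the added line is a site-absolute path that ends in .md, /microsoft-365/security/office-365-security/defender-for-office-365.md#getting-started, while the second link on the same line targets the same article without the extension. Use one form for both, and check that the #getting-started anchor resolves in the form you keep.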
The [Getting Started](/microsoft-365/security/defender-365-security/defender-for
3. Defend the workloads (ex. SharePoint Online, OneDrive, and Teams) 4. Protect with Zero-Hour auto purge
-Along with a [link](../defender-365-security/protect-against-threats.md) to jump right in and get configuration going on Day 1.
+Along with a [link](../office-365-security/protect-against-threats.md) to jump right in and get configuration going on Day 1.
The last step in **Getting Started** is protecting users with **Zero-Hour auto purge**, also known as ZAP. Knowing if your efforts to ZAP a suspicious or malicious mail, post-delivery, were successful can be very important.
The data from this query will appear in the results panel below the query itself
- [Email & collaboration alerts](../../compliance/alert-policies.md#default-alert-policies) - [Hunt for threats across devices, emails, apps, and identities](./advanced-hunting-query-emails-devices.md) - [Custom detection rules](/microsoft-365/security/defender-endpoint/custom-detection-rules)-- [Create a phishing attack simulation](../defender-365-security/attack-simulation-training.md) and [create a payload for training your people](../defender-365-security/attack-simulation-training-payloads.md)
+- [Create a phishing attack simulation](../office-365-security/attack-simulation-training.md) and [create a payload for training your people](../office-365-security/attack-simulation-training-payloads.md)
security Overview Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/overview-security-center.md
ms.technology: m365d
- [Microsoft 365 Defender](microsoft-365-defender.md) - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
> Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) or [run your pilot project in production](m365d-pilot.md?ocid=cx-evalpilot).
The improved **Microsoft 365 security center** ([https://security.microsoft.com]
Microsoft 365 security center brings together functionality from existing Microsoft security portals, like Microsoft Defender Security Center and the Office 365 Security & Compliance center. The security center emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. This center includes: -- **[Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365)** Microsoft Defender for Office 365 helps organizations secure their enterprise with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources.
+- **[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)** Microsoft Defender for Office 365 helps organizations secure their enterprise with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources.
- **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-advanced-threat-protection)** delivers preventative protection, post-breach detection, automated investigation, and response for devices in your organization. - **[Microsoft 365 Defender](microsoft-365-defender.md)** is part of MicrosoftΓÇÖs *Extended Detection and Response* (XDR) solution that leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, and build a picture of an attack on a single dashboard.
Common controls and content either appear in the same place, or are condensed in
![Permissions & Roles page showing Endpoints roles & groups, Roles, and Device groups.](../../media/converged-roles-5.png)
- Access the Microsoft 365 security center is configured with Azure Active Directory global roles or by using custom roles. For Defender for Endpoint, see [Assign user access to Microsoft Defender Security Center](/microsoft-365/security/defender-endpoint/assign-portal-access). For Defender for Office 365, see [Permissions in the Microsoft 365 compliance center and Microsoft 365 security center](../defender-365-security/permissions-microsoft-365-compliance-security.md).
+ Access the Microsoft 365 security center is configured with Azure Active Directory global roles or by using custom roles. For Defender for Endpoint, see [Assign user access to Microsoft Defender Security Center](/microsoft-365/security/defender-endpoint/assign-portal-access). For Defender for Office 365, see [Permissions in the Microsoft 365 compliance center and Microsoft 365 security center](../office-365-security/permissions-microsoft-365-compliance-security.md).
- Learn more about how to [manage access to Microsoft 365 Defender](m365d-permissions.md) - Learn more about how to [create custom roles](custom-roles.md) in Microsoft 365 security center
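Review bot: The added paragraph opens with "Access the Microsoft 365 security center is configured with ...", which is missing "to" after "Access". Since the line is being replaced for the link path anyway, change it to "Access to the Microsoft 365 security center is configured with Azure Active Directory global roles or by using custom roles."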
Keep exploring the features and capabilities in the Microsoft 365 security cente
- [Hunt for threats across devices, emails, apps, and identities](./advanced-hunting-query-emails-devices.md) - [Custom detection rules](./custom-detection-rules.md) - [Email & collaboration alerts](../../compliance/alert-policies.md#default-alert-policies)-- [Create a phishing attack simulation](../defender-365-security/attack-simulation-training.md) and [create a payload for training your teams](/microsoft-365/security/defender-365-security/attack-simulation-training-payloads)
+- [Create a phishing attack simulation](../office-365-security/attack-simulation-training.md) and [create a payload for training your teams](/microsoft-365/security/office-365-security/attack-simulation-training-payloads)
### Related information - [Microsoft 365 security center](overview-security-center.md)
security Portals https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/portals.md
Security operators and admins can go to the following portals to manage security
|||| | Microsoft 365 security center | Monitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with [Microsoft 365 Defender](microsoft-365-defender.md) | [security.microsoft.com](https://security.microsoft.com/) | | Microsoft Defender Security Center | Monitor and respond to threat activity on your endpoints using capabilities provided with [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) | [securitycenter.windows.com](https://securitycenter.microsoft.com/) |
-| Security & Compliance Center | Manage [Exchange Online Protection](../defender-365-security/exchange-online-protection-overview.md?view=o365-worldwide) and [Microsoft Defender for Office 365](/microsoft-365/security/defender-365-security/defender-for-office-365?view=o365-worldwide) to protect your email and collaboration services, and ensure compliance to various data-handling regulations | [protection.office.com](https://protection.office.com) |
+| Security & Compliance Center | Manage [Exchange Online Protection](../office-365-security/exchange-online-protection-overview.md?view=o365-worldwide) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide) to protect your email and collaboration services, and ensure compliance to various data-handling regulations | [protection.office.com](https://protection.office.com) |
| Azure Defender portal | Use [Azure Defender](/azure/security-center/security-center-intro) to strengthen the security posture of your data centers and your hybrid workloads in the cloud | [portal.azure.com/#blade/Microsoft_Azure_Security](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0) | | Microsoft Defender for Identity portal | Identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions using Active Directory signals with [Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) | [portal.atp.azure.com](https://portal.atp.azure.com/) | | Cloud App Security portal | Use [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) to get rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats on cloud services | [portal.cloudappsecurity.com](https://portal.cloudappsecurity.com/) |
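Review bot: Both links in the added Security & Compliance Center row keep the ?view=o365-worldwide query string, which no other link in this table carries; drop it so the row matches the rest. Separately, in the Microsoft Defender Security Center row just above, the link text is securitycenter.windows.com but the target is https://securitycenter.microsoft.com/; make the text and the target agree.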
security Prepare M365d Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/prepare-m365d-eval.md
The following table indicates the order Microsoft recommends for configuring the
| Component | Description | Configuration order rank | |--|-||
-|Microsoft Defender for Office 365|Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. <br> [Learn more.](/microsoft-365/security/defender-365-security/defender-for-office-365) | 1 |
+|Microsoft Defender for Office 365|Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. <br> [Learn more.](/microsoft-365/security/office-365-security/defender-for-office-365) | 1 |
|Microsoft Defender for Identity|Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. <br> [Learn more](/azure-advanced-threat-protection/).| 2 | |Microsoft Cloud App Security| Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. <br> [Learn more](/cloud-app-security/). |3 | |Microsoft Defender for Endpoint | Microsoft Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. <br> [Learn more.](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) |4 |
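Review bot: The replaced Defender for Office 365 row keeps the sentence period inside the link text, `[Learn more.](...)`, while the Defender for Identity and Cloud App Security rows use `[Learn more](...)`. Since this line is being rewritten anyway, move the period outside the brackets so the link text is the same in every row.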
security About Defender For Office 365 Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/about-defender-for-office-365-trial.md
+
+ Title: "About the Microsoft Defender for Office 365 trial"
+f1.keywords:
+++
+audience: Admin
++
+localization_priority: Normal
+search.appverid:
+- MET150
+ms.assetid:
+
+- M365-security-compliance
+- m365initiative-defender-office365
+
+- seo-marvel-apr2020
+
+description: "Admins can learn about the trial mode of Microsoft Defender for Office 365"
++
+# About the Microsoft Defender for Office 365 trial
+
+Microsoft Defender for Office 365 safeguards your organization against malicious threats that are posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:
+
+- **Threat protection policies**: Define threat-protection policies to set the appropriate level of protection for your organization.
+- **Reports**: View real-time reports to monitor Defender for Office 365 performance in your organization.
+- **Threat investigation and response capabilities**: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
+- **Automated investigation and response capabilities**: Save time and effort investigating and mitigating threats.
+
+A Microsoft Defender for Office 365 trial is the easiest way to try the capabilities of Defender for Office 365, and setting it up only takes a couple of clicks. After the trial setup is complete, all Defender for Office 365 Plan 1 and Plan 2 capabilities are available in the organization for up to 90 days.
+
+> [!NOTE]
+> The automated configuration that's described in this article is currently in Public Preview and might not be available in your location.
+
+## Terms and conditions
+
+The Defender for Office 365 trial is available for 90 days and can be initiated for all of your users. For more information, see [Microsoft Defender for Office 365 Trial Terms & Conditions](defender-for-office-365-trial-terms-and-conditions.md).
+
+## Set up a Defender for Office 365 trial
+
+A trial allows organizations to easily set up and configure the Defender for Office 365 capabilities. During setup, policies that are exclusive to Defender for Office 365 (specifically, [Safe Attachments](safe-attachments.md), [Safe Links](safe-links.md), and [impersonation protection in anti-spam policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)) are applied using the Standard template for [preset security policies](preset-security-policies.md).
+
+By default, these policies are scoped to all users in the organization, but admins can customize the policies during or after setup so they apply only to specific users.
+
+During setup, MDO response functionality (found in MDO P2 or equivalent) is also set up for the entire organization. No policy scoping is required.
+
+## Licensing
+
+As part of the trial setup, the Defender for Office 365 licenses are automatically applied to the organization. The licenses are free of charge for the first 90 days.
+
+## Permissions
+
+To start or end the trial, you need to be a member of the **Global Administrator** or **Security Administrator** roles in Azure Active Directory. For details, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+
+## Additional information
+
+After you enroll in the trial, it might take up to 2 hours for the changes and updates to be available. And, admins must log out and log back in to see the changes.
+
+Admins can disable the trial at any point by going to the <> card.
+
+## Availability
+
+The Defender for Office 365 trial is gradually rolling out to existing customers who meet specific criteria (including geography) and who don't have existing Defender for Office 365 Plan 1 or Plan 2 licenses (included in their subscription or as an add-on).
+
+## Learn more about Defender for Office 365
+
+Defender for Office 365 helps organizations secure their enterprise by offering a comprehensive slate of capabilities.
+
+You can also learn more about Defender for Office 365 at this [interactive guide](https://techcommunity.microsoft.com/t5/video-hub/protect-your-organization-with-microsoft-365-defender/m-p/1671189).
+
+![Microsoft Defender for Office 365 conceptual diagram](../../media/microsoft-defender-for-office-365.png)
+
+### Prevention
+
+A robust filtering stack prevents a wide variety of volume-based and targeted attacks including business email compromise, credential phishing, ransomware, and advanced malware.
+
+- [Anti-phishing policies: Exclusive settings in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)
+- [Safe Attachments](safe-attachments.md)
+- [Safe Links](safe-links.md)
+
+### Detection
+
+Industry-leading AI detects malicious and suspicious content and correlates attack patterns to identify campaigns designed to evade protection.
+
+- [Campaign Views in Microsoft Defender for Office 365](campaigns.md)
+
+### Investigation and hunting
+
+Powerful experiences help identify, prioritize, and investigate threats, with advanced hunting capabilities to track attacks across Office 365.
+
+- [Threat Explorer and Real-time detections](threat-explorer.md)
+- [Real-time reports in Defender for Office 365](view-reports-for-mdo.md)
+- [Threat Trackers - New and Noteworthy](threat-trackers.md)
+- Integration with [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-threat-protection)
+
+### Response and remediation
+
+Extensive incident response and automation capabilities amplify your security teamΓÇÖs effectiveness and efficiency.
+
+- [Automated investigation and response (AIR) in Microsoft Defender for Office 365](office-365-air.md)
+
+### Awareness and training
+
+Rich simulation and training capabilities along with integrated experiences within client applications build user awareness.
+
+- [Get started using Attack simulation training](attack-simulation-training-get-started.md)
+
+### Secure posture
+
+Recommended templates and configuration insights help customers get and stay secure.
+
+- [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md)
+- [Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365](configuration-analyzer-for-security-policies.md).
+
+## Give feedback
+
+Your feedback helps us get better at protecting your environment from advanced attacks. Share your experience and impressions of product capabilities and trial results.
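Review bot: In "Additional information", the sentence "Admins can disable the trial at any point by going to the <> card." has an empty placeholder where the card name belongs, so the article never says where the off switch is. Name the card and the page it sits on before this is published. The "Licensing" section says the automatically applied licenses are free "for the first 90 days" but does not say what happens to those licenses, or to the Standard preset policies applied during setup, once the 90 days end; add a sentence covering that. Smaller points: "MDO" and "MDO P2" in the setup section are never expanded, and the apostrophe in "team's" under "Response and remediation" is stored as non-ASCII bytes and should be a plain apostrophe.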
security Address Compromised Users Quickly https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/address-compromised-users-quickly.md
+
+ Title: Address compromised user accounts with automated investigation and response
+keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection, compromised
+++
+audience: ITPro
+
+localization_priority: Normal
+search.appverid:
+ - MET150
+ - MOE150
+ Last updated : 02/25/2020
+description: Learn how to speed up the process of detecting and addressing compromised user accounts with automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2.
+ms.technology: mdo
++
+# Address compromised user accounts with automated investigation and response
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
++
+[Microsoft Defender for Office 365 Plan 2](defender-for-office-365.md#microsoft-defender-for-office-365-plan-1-and-plan-2) includes powerful [automated investigation and response](office-365-air.md) (AIR) capabilities. Such capabilities can save your security operations team a lot of time and effort dealing with threats. Microsoft continues to improve security capabilities. Recently, AIR capabilities were enhanced to include a compromised user security playbook (currently in preview). Read this article to learn more about the compromised user security playbook. And see the blog post [Speed up time to detect and respond to user compromise and limit breach scope with Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Speed-up-time-to-detect-and-respond-to-user-compromise-and-limit/ba-p/977053) for additional details.
+
+![Automated investigation for a compromised user](/microsoft-365/media/office365atp-compduserinvestigation.jpg)
+
+The compromised user security playbook enables your organization's security team to:
+
+- Speed up detection of compromised user accounts;
+
+- Limit the scope of a breach when an account is compromised; and
+
+- Respond to compromised users more effectively and efficiently.
+
+## Compromised user alerts
+
+When a user account is compromised, atypical or anomalous behaviors occur. For example, phishing and spam messages might be sent internally from a trusted user account. Defender for Office 365 can detect such anomalies in email patterns and collaboration activity within Office 365. When this happens, alerts are triggered, and the threat mitigation process begins.
+
+For example, here's an alert that was triggered because of suspicious email sending:
+
+![Alert triggered because of suspicious email sending](/microsoft-365/media/office365atp-suspiciousemailsendalert.jpg)
+
+And here's an example of an alert that was triggered when a sending limit was reached for a user:
+
+![Alert triggered by sending limit reached](/microsoft-365/media/office365atp-sendinglimitreached.jpg)
+
+## Investigate and respond to a compromised user
+
+When a user account is compromised, alerts are triggered. And in some cases, that user account is blocked and prevented from sending any further email messages until the issue is resolved by your organization's security operations team. In other cases, an automated investigation begins which can result in recommended actions that your security team should take.
+
+- [View and investigate restricted users](#view-and-investigate-restricted-users)
+
+- [View details about automated investigations](#view-details-about-automated-investigations)
+
+> [!IMPORTANT]
+> You must have appropriate permissions to perform the following tasks. See [Required permissions to use AIR capabilities](office-365-air.md#required-permissions-to-use-air-capabilities).
+
+### View and investigate restricted users
+
+You have a few options for navigating to a list of restricted users. For example, in the Security & Compliance Center, you can go to **Threat management** \> **Review** \> **Restricted Users**. The following procedure describes navigation using the **Alerts** dashboard, which is a good way to see various kinds of alerts that might have been triggered.
+
+1. Go to <https://protection.office.com> and sign in.
+
+2. In the navigation pane, choose **Alerts** \> **Dashboard**.
+
+3. In the **Other alerts** widget, choose **Restricted Users**.
+
+ ![Other alerts widget](/microsoft-365/media/office365atp-otheralertswidget.jpg)
+
+ This opens the list of restricted users.
+
+ ![Restricted users in Office 365](/microsoft-365/media/office365atp-restrictedusers.jpg)
+
+4. Select a user account in the list to view details and take action, such as [releasing the restricted user](removing-user-from-restricted-users-portal-after-spam.md).
+
+### View details about automated investigations
+
+When an automated investigation has begun, you can see its details and results in the Security & Compliance Center. Go to **Threat management** \> **Investigations**, and then select an investigation to view its details.
+
+To learn more, see [View details of an investigation](air-view-investigation-results.md).
+
+## Keep the following points in mind
+
+- **Stay on top of your alerts**. As you know, the longer a compromise goes undetected, the larger the potential for widespread impact and cost to your organization, customers, and partners. Early detection and timely response are critical to mitigate threats, and especially when a user's account is compromised.
+
+- **Automation assists, but does not replace, your security operations team**. Automated investigation and response capabilities can detect a compromised user early on, but your security operations team will likely need to engage and do some investigation and remediation. Need some help with this? See [Review and approve actions](air-review-approve-pending-completed-actions.md).
+
+- **Don't rely on a suspicious login alert as your only indicator**. When a user account is compromised, it might or might not trigger a suspicious login alert. Sometimes it's the series of activities that occur after an account is compromised that triggers an alert. Want to know more about alerts? See [Alert policies](../../compliance/alert-policies.md).
+
+## Next steps
+
+- [Review the required permissions to use AIR capabilities](office-365-air.md#required-permissions-to-use-air-capabilities)
+
+- [Find and investigate malicious email in Office 365](investigate-malicious-email-that-was-delivered.md)
+
+- [Learn about AIR in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
+
+- [Visit the Microsoft 365 Roadmap to see what's coming soon and rolling out](https://www.microsoft.com/microsoft-365/roadmap?filters=)
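Review bot: The "Applies to" list names Exchange Online Protection and "plan 1 and plan 2", but the description and the opening paragraph both tie AIR and the compromised user playbook to Defender for Office 365 Plan 2. Narrow the list to what the article covers, or state which parts (for example, the restricted users list) apply outside Plan 2, so readers on EOP or Plan 1 do not expect automated investigations they will not get. The metadata line "Last updated : 02/25/2020" and the body text "Recently ... (currently in preview)" should also be checked against the current state of the playbook, since this file is being added in a 2021 commit.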
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
+
+ Title: Admin submissions
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
+
+localization_priority: Normal
+search.appverid:
+ - MET150
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+
+ - seo-marvel-apr2020
+description: Admins can learn how to use the Submissions portal in the Security & Compliance Center to submit suspicious emails, suspected phishing mails, spam, and other potentially harmful messages, URLs, and files to Microsoft for scanning.
+ms.technology: mdo
++
+# Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
++
+In Microsoft 365 organizations with mailboxes in Exchange Online, admins can use the Submissions portal in the Security & Compliance Center to submit email messages, URLs, and attachments to Microsoft for scanning.
+
+When you submit an email message, you will get:
+
+1. **Email authentication check**: Details on whether email authentication passed or failed when it was delivered.
+2. **Policy hits**: Information about any policies that may have allowed or blocked the incoming email into your tenant, overriding our service filter verdicts.
+3. **Payload reputation/detonation**: Examination of any URLs and attachments in the message.
+4. **Grader analysis**: Review done by human graders in order to confirm whether or not messages are malicious.
+
+> [!IMPORTANT]
+> Payload reputation/detonation and grader analysis are not done in all tenants. Information is blocked from going outside the organization when data is not supposed to leave the tenant boundary for compliance purposes.
+
+For other ways to submit email messages, URLs, and attachments to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## What do you need to know before you begin?
+
+- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Submission** page, use <https://protection.office.com/reportsubmission>.
+
+- To submit messages and files to Microsoft, you need to be a member of one of the following role groups:
+
+ - **Organization Management** or **Security Administrator** in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+
+ - **Organization Management** in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups).
+
+ Note that membership in this role group is required to [View user submissions to the custom mailbox](#view-user-submissions-to-the-custom-mailbox) as described later in this article.
+
+- For more information about how users can submit messages and files to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## Report suspicious content to Microsoft
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Submissions**, verify that you're on the **Admin submissions** tab, and then click **New submission**.
+
+2. Use **New submission** flyout that appears to submit the message, URL, or attachment as described in the following sections.
+
+### Submit a questionable email to Microsoft
+
+1. In the **Object type** section, select **Email**. In the **Submission format** section, use one of the following options:
+
+ - **Network Message ID**: This is a GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header in the message, or in the **X-MS-Office365-Filtering-Correlation-Id** header in quarantined messages.
+
+ - **File**: Click **Choose file**. In the dialog that opens, find and select the .eml or .msg file, and then click **Open**.
+
+ > [!NOTE]
+ > Admins with Defender for Office 365 Plan 1 or Plan 2 are able to submit messages as old as 30 days. Other admins will only be able to go back 7 days.
+
+2. In the **Recipients** section, specify one or more recipients that you would like to run a policy check against. The policy check will determine if the email bypassed scanning due to user or organization policies.
+
+3. In the **Reason for submission** section, select one of the following options:
+
+ - **Should not have been blocked**
+
+ - **Should have been blocked**: Select **Spam**, **Phishing**, or **Malware**. If you're not sure, use your best judgment.
+
+4. When you're finished, click the **Submit** button.
+
+ ![URL submission example](../../media/submission-flyout-email.PNG)
+
+### Send a suspect URL to Microsoft
+
+1. In the **Object type** section, select **URL**. In the box that appears, enter the full URL (for example, `https://www.fabrikam.com/marketing.html`).
+
+2. In the **Reason for submission** section, select one of the following options:
+
+ - **Should not have been blocked**
+
+ - **Should have been blocked**: Select **Phishing** or **Malware**.
+
+3. When you're finished, click the **Submit** button.
+
+ ![Email submission example](../../media/submission-url-flyout.png)
+
+### Submit a suspected file to Microsoft
+
+1. In the **Object type** section, select **Attachment**.
+
+2. Click **Choose File**. In the dialog that opens, find and select the file, and then click **Open**.
+
+3. In the **Reason for submission** section, select one of the following options:
+
+ - **Should not have been blocked**
+
+ - **Should have been blocked**: **Malware** is the only choice, and is automatically selected..
+
+4. When you're finished, click the **Submit** button.
+
+ ![Attachment submission example](../../media/submission-file-flyout.PNG)
+
+## View admin submissions
+
+In the Security & Compliance Center, go to **Threat management** \> **Submissions**, verify that you're on the **Admin submissions** tab, and then click **New submission**.
+
+Near the top of the page, you can enter a start date, an end date, and (by default) you can filter by **Submission ID** (a GUID value that's assigned to every submission) by entering a value in the box and clicking ![Refresh button](../../media/scc-quarantine-refresh.png). You can enter multiple values separated by commas.
+
+To change the filter criteria, click the **Submission ID** button and choose one of the following values:
+
+- **Sender**
+- **Subject/URL/File name**
+- **Submitted by**
+- **Submission type**
+- **Status**
+
+![Filter options for admin submissions](../../media/admin-submission-email-filter-options.png)
+
+To export the results, click **Export** near the top of the page and select **Chart data** or **Table**. In the dialog that appears, save the .csv file.
+
+Below the graph, there are three tabs: **Email** (default), **URL**, and **Attachment**.
+
+### View admin email submissions
+
+Click the **Email** tab.
+
+You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
+
+- **Date**
+- **Submission ID**: A GUID value that's assigned to every submission.
+- **Submitted by**<sup>\*</sup>
+- **Subject**<sup>\*</sup>
+- **Sender**
+- **Sender IP**<sup>\*</sup>
+- **Submission type**
+- **Delivery reason**
+- **Status**<sup>\*</sup>
+
+ <sup>\*</sup> If you click this value, detailed information is displayed in a flyout.
+
+#### Admin submission rescan details
+
+Messages that are submitted in admin submissions are rescanned and results shown in the details flyout:
+
+- If there was a failure in the sender's email authentication at the time of delivery.
+- Information about any policy hits that could have affected or overridden the verdict of a message.
+- Current detonation results to see if the URLs or files contained in the message were malicious or not.
+- Feedback from graders.
+
+If an override was found, the rescan should complete in several minutes. If there wasn't a problem in email authentication or delivery wasn't affected by an override, then the feedback from graders could take up to a day.
+
+### View admin URL submissions
+
+Click the **URL** tab.
+
+You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
+
+- **Date**
+- **Submission ID**
+- **Submitted by**<sup>\*</sup>
+- **URL**<sup>\*</sup>
+- **Submission type**
+- **Status**<sup>\*</sup>
+
+ <sup>\*</sup> If you click this value, detailed information is displayed in a flyout.
+
+### View admin attachment submissions
+
+Click the **Attachments** tab.
+
+You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
+
+- **Date**
+- **Submission ID**
+- **Submitted by**<sup>\*</sup>
+- **File name**<sup>\*</sup>
+- **Submission type**
+- **Status**<sup>\*</sup>
+
+ <sup>\*</sup> If you click this value, detailed information is displayed in a flyout.
+
+## View user submissions to Microsoft
+
+If you've deployed the [Report Message add-in](enable-the-report-message-add-in.md), the [Report Phishing add-in](enable-the-report-phish-add-in.md), or people use the [built-in reporting in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md), you can see what users are reporting on the **User submissions** tab.
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Submissions**.
+
+2. Select the **User submissions** tab, and then click **New submission**.
+
+You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
+
+- **Submitted on**
+- **Submitted by**<sup>\*</sup>
+- **Subject**<sup>\*</sup>
+- **Sender**
+- **Sender IP**<sup>\*</sup>
+- **Submission type**
+
+<sup>\*</sup> If you click this value, detailed information is displayed in a flyout.
+
+Near the top of the page, you can enter a start date, an end date, and (by default) you can filter by **Sender** by entering a value in the box and clicking ![Refresh button](../../media/scc-quarantine-refresh.png). You can enter multiple values separated by commas.
+
+To change the filter criteria, click the **Sender** button and choose one of the following values:
+
+- **Sender domain**
+- **Subject**
+- **Submitted by**
+- **Submission type**
+- **Sender IP**
+
+![Filter options for user submissions](../../media/user-submissions-filter-options.png)
+
+To export the results, click **Export** near the top of the page and select **Chart data** or **Table**. In the dialog that appears, save the .csv file.
+
+## View user submissions to the custom mailbox
+
+**If** you've [configured a custom mailbox](user-submission.md) to receive user reported messages, you can view and also submit messages that were delivered to the reporting mailbox.
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Submissions**.
+
+2. Select the **Custom mailbox** tab.
+
+You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
+
+- **Submitted on**
+- **Submitted by**<sup>\*</sup>
+- **Subject**<sup>\*</sup>
+- **Sender**
+- **Sender IP**<sup>\*</sup>
+- **Submission type**
+
+Near the top of the page, you can enter a start date, an end date, and you can filter by **Submitted by** by entering a value in the box and clicking ![Refresh button](../../media/scc-quarantine-refresh.png). You can enter multiple values separated by commas.
+
+To export the results, click **Export** near the top of the page and select **Chart data** or **Table**. In the dialog that appears, save the .csv file.
+
+## Undo user submissions
+
+Once a user submits a suspicious email to the custom mailbox, the user and admin don't have an option to undo the submission. If the user would like to recover the email, it will be available for recovery in the Deleted Items or Junk Email folders.
+
+### Submit messages to Microsoft from the custom mailbox
+
+If you've configured the custom mailbox to intercept user-reported messages without sending the messages to Microsoft, you can find and send specific messages to Microsoft for analysis. This effectively moves a user submission to an admin submission.
+
+On the **Custom mailbox** tab, select a message in the list, click the **Action** button, and make one of the following selections:
+
+- **Report clean**
+- **Report phishing**
+- **Report malware**
+- **Report spam**
+
+![Options on the Action button](../../media/user-submission-custom-mailbox-action-button.png)
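Review bot: The viewing procedures end with "and then click **New submission**" (under "View admin submissions" and in step 2 of "View user submissions to Microsoft"), which looks copied from the reporting procedure; opening the new submission flyout is not part of viewing a list, so drop that clause in both places. The image alt texts for the email and URL flyouts are swapped: `submission-flyout-email.PNG` is labelled "URL submission example" and `submission-url-flyout.png` is labelled "Email submission example". "Submit messages to Microsoft from the custom mailbox" is an H3 nested under "## Undo user submissions", where it does not belong; it reads as a child of "View user submissions to the custom mailbox". In the prerequisites, "membership in this role group is required" follows two bullets that name three role groups, so say which one is meant. Minor: the tab is called **Attachment** in one place and **Attachments** in another, the custom mailbox column list uses asterisks without the footnote that explains them, and "automatically selected.." has a doubled period.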
security Advanced Spam Filtering Asf Options https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-spam-filtering-asf-options.md
+
+ Title: ASF settings in EOP
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
+
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: b286f853-b484-4af0-b01f-281fffd85e7a
+
+ - M365-security-compliance
+
+ - seo-marvel-apr2020
+description: Admins can learn about the Advanced Spam Filter (ASF) settings that are available in anti-spam policies in Exchange Online Protection (EOP).
+ms.technology: mdo
++
+# Advanced Spam Filter (ASF) settings in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+> [!NOTE]
+> ASF settings that are currently available in anti-spam policies are in the process of being deprecated. We recommend that you don't use these settings in anti-spam policies. The functionality of these ASF settings is being incorporated into other parts of the filtering stack. For more information, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
+
+In all Microsoft 365 organizations, the Advanced Spam Filter (ASF) settings in anti-spam policies in EOP allow admins to mark messages as spam based on specific message properties. ASF specifically targets these properties because they're commonly found in spam. Depending on the property, ASF detections will either mark the message as **Spam** or **High confidence spam**.
+
+> [!NOTE]
+> Enabling one or more of the ASF settings is an aggressive approach to spam filtering. You can't report messages that are filtered by ASF as false positives. You can identify messages that were filtered by ASF by:
+>
+> - Periodic end-user spam quarantine notifications.
+>
+> - The presence of filtered messages in quarantine.
+>
+> - The specific `X-CustomSpam:` X-header fields that are added to messages as described in this article.
+
+The following sections describe the ASF settings and options that are available in anti-spam policies in the Security & Compliance Center, and in Exchange Online PowerShell or standalone EOP PowerShell ([New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy) and [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy)). For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+
+## Enable, disable, or test ASF settings
+
+For each ASF setting, the following options are available in anti-spam policies:
+
+- **On**: ASF adds the corresponding X-header field to the message, and either marks the message as **Spam** (SCL 5 or 6 for [Increase spam score settings](#increase-spam-score-settings)) or **High confidence spam** (SCL 9 for [Mark as spam settings](#mark-as-spam-settings)).
+
+- **Off**: The ASF setting is disabled. This is the default value, and we recommend that you don't change it.
+
+- **Test**: ASF adds the corresponding X-header field to the message. What happens to the message is determined by the **Test mode options** (*TestModeAction*) value:
+
+ - **None**: Message delivery is unaffected by the ASF detection. The message is still subject to other types of filtering and rules in EOP.
+
+ - **Add default X-header text (*AddXHeader*)**: The X-header value `X-CustomSpam: This message was filtered by the custom spam filter option` is added to the message. You can use this value in Inbox rules or mail flow rules (also known as transport rules) to affect the delivery of the message.
+
+ - **Send Bcc message (*BccMessage*)**: The specified email addresses (the *TestModeBccToRecipients* parameter value in PowerShell) are added to the Bcc field of the message, and the message is delivered to the additional Bcc recipients. In the Security & Compliance Center, you separate multiple email addresses by semicolons (;). In PowerShell, you separate multiple email addresses by commas.
+
+ **Notes**:
+
+ - Test mode is not available for the following ASF settings:
+
+ - **Conditional Sender ID filtering: hard fail** (*MarkAsSpamFromAddressAuthFail*)
+ - **NDR backscatter**(*MarkAsSpamNdrBackscatter*)
+ - **SPF record: hard fail** (*MarkAsSpamSpfRecordHardFail*)
+
+ - The same test mode action is applied to *all* ASF settings that are set to **Test**. You can't configure different test mode actions for different ASF settings.
+
+## Increase spam score settings
+
+The following ASF settings set the spam confidence level (SCL) of detected messages to 5 or 6, which corresponds to the **Spam** filter verdict and the corresponding action in anti-spam policies.
+
+****
+
+|Anti-spam policy setting|Description|X-header added|
+||||
+|**Image links to remote sites** <p> *IncreaseScoreWithImageLinks*|Messages that contain `<Img>` HTML tag links to remote sites (for example, using http) are marked as spam.|`X-CustomSpam: Image links to remote sites`|
+|**URL redirect to other port** <p> *IncreaseScoreWithRedirectToOtherPort*|Message that contain hyperlinks that redirect to TCP ports other than 80 (HTTP), 8080 (alternate HTTP), or 443 (HTTPS) are marked as spam.|`X-CustomSpam: URL redirect to other port`|
+|**Numeric IP address in URL** <p> *IncreaseScoreWithNumericIps*|Messages that contain numeric-based URLs (typically, IP addresses) are marked as spam.|`X-CustomSpam: Numeric IP in URL`|
+|**URL to .biz or .info websites** <p> *IncreaseScoreWithBizOrInfoUrls*|Messages that contain `.biz` or `.info` links in the body of the message are marked as spam.|`X-CustomSpam: URL to .biz or .info websites`|
+|
+
+## Mark as spam settings
+
+The following ASF settings set the SCL of detected messages to 9, which corresponds to the **High confidence spam** filter verdict and the corresponding action in anti-spam policies.
+
+****
+
+|Anti-spam policy setting|Description|X-header added|
+||||
+|**Empty messages** <p> *MarkAsSpamEmptyMessages*|Messages with no subject, no content in the message body, and no attachments are marked as high confidence spam.|`X-CustomSpam: Empty Message`|
+|**JavaScript or VBScript in HTML** <p> *MarkAsSpamJavaScriptInHtml*|Messages that use JavaScript or Visual Basic Script Edition in HTML are marked as high confidence spam. <p> These scripting languages are used in email messages to cause specific actions to automatically occur.|`X-CustomSpam: Javascript or VBscript tags in HTML`|
+|**Frame or IFrame tags in HTML** <p> *MarkAsSpamFramesInHtml*|Messages that contain `<frame>` or `<iframe>` HTML tags are marked as high confidence spam. <p> These tags are used in email messages to format the page for displaying text or graphics.|`X-CustomSpam: IFRAME or FRAME in HTML`|
+|**Object tags in HTML** <p> *MarkAsSpamObjectTagsInHtml*|Messages that contain `<object>` HTML tags are marked as high confidence spam. <p> This tag allows plug-ins or applications to run in an HTML window.|`X-CustomSpam: Object tag in html`|
+|**Embed tags in HTML** <p> *MarkAsSpamEmbedTagsInHtml*|Message that contain `<embed>` HTML tags are marked as high confidence spam. <p> This tag allows the embedding of different kinds of documents in an HTML document (for example, sounds, videos, or pictures).|`X-CustomSpam: Embed tag in html`|
+|**Form tags in HTML** <p> *MarkAsSpamFormTagsInHtml*|Messages that contain `<form>` HTML tags are marked as high confidence spam. <p> This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.|`X-CustomSpam: Form tag in html`|
+|**Web bugs in HTML** <p> *MarkAsSpamWebBugsInHtml*|A *web bug* (also known as a *web beacon*) is a graphic element (often as small as one pixel by one pixel) that's used in email messages to determine whether the message was read by the recipient. <p> Messages that contain web bugs are marked as high confidence spam. <p> Legitimate newsletters might use web bugs, although many consider this an invasion of privacy. |`X-CustomSpam: Web bug`|
+|**Apply sensitive word list** <p> *MarkAsSpamSensitiveWordList*|Microsoft maintains a dynamic but non-editable list of words that are associated with potentially offensive messages. <p> Messages that contain words from the sensitive word list in the subject or message body are marked as high confidence spam.|`X-CustomSpam: Sensitive word in subject/body`|
+|**SPF record: hard fail** <p> *MarkAsSpamSpfRecordHardFail*|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF Record Fail`|
+|**Conditional Sender ID filtering: hard fail** <p> *MarkAsSpamFromAddressAuthFail*|Messages that hard fail a conditional Sender ID check are marked as spam. <p> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF From Record Fail`|
+|**NDR backscatter** <p> *MarkAsSpamNdrBackscatter*|*Backscatter* is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](backscatter-messages-and-eop.md). <p> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered, and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route *outbound* email through EOP.</li></ul> <p> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs will be delivered to the original message sender. Some, but not all, backscatter are marked as high confidence spam. By definition, backscatter can only be delivered to the spoofed sender, not to the original sender.</li></ul> <p> Test mode is not available for this setting.|`X-CustomSpam: Backscatter NDR`|
+|
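Review bot: In the "Mark as spam settings" table, the **Conditional Sender ID filtering: hard fail** row says matching messages "are marked as spam", but the section intro says every setting in this table sets SCL 9 (**High confidence spam**), and the other rows say "high confidence spam". The **On** bullet in the **NDR backscatter** row has the same wording ("backscatter is marked as spam"). State the verdict consistently so readers don't infer a different SCL for these two settings. Smaller fixes: "Message that contain" should be "Messages that contain" in the **URL redirect to other port** and **Embed tags in HTML** rows, "the SPF Sender Policy Framework (SPF) record" repeats the abbreviation, and `**NDR backscatter**(*MarkAsSpamNdrBackscatter*)` in the test-mode notes is missing the space before the parenthesis.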
security Air Custom Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-custom-reporting.md
+
+ Title: Custom reporting solutions with automated investigation and response
+keywords: SIEM, API, AIR, autoIR, ATP, automated investigation, integration, custom report
+f1.keywords:
+- NOCSH
+++
+audience: ITPro
+
+localization_priority: Normal
+search.appverid:
+- MET150
+- MOE150
+
+- M365-security-compliance
+- m365initiative-defender-office365
+description: Learn how to integrate automated investigation and response with a custom or third-party reporting solution.
Last updated : 01/29/2021+
+- air
+ms.technology: mdo
++
+# Custom or third-party reporting solutions for Microsoft Defender for Office 365
+
+With [Microsoft Defender for Office 365](defender-for-office-365.md), you get [detailed information about automated investigations](air-view-investigation-results.md). However, some organizations also use a custom or third-party reporting solution. If your organization wants to integrate information about [automated investigations](office-365-air.md) with such a solution, you can use the Office 365 Management Activity API.
+
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+With [Microsoft Defender for Office 365](defender-for-office-365.md), you get [detailed information about automated investigations](air-view-investigation-results.md). However, some organizations also use a custom or third-party reporting solution. If your organization wants to integrate information about automated investigations with such a solution, you can use the Office 365 Management Activity API.
+
+|Resource|Description|
+|:|:|
+|[Office 365 Management APIs overview](/office/office-365-management-api/office-365-management-apis-overview)|The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Microsoft 365 and Azure Active Directory activity logs.|
+|[Get started with Office 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis)|The Office 365 Management API uses Azure AD to provide authentication services for your application to access Microsoft 365 data. Follow the steps in this article to set this up.|
+|[Office 365 Management Activity API reference](/office/office-365-management-api/office-365-management-activity-api-reference)|You can use the Office 365 Management Activity API to retrieve information about user, admin, system, and policy actions and events from Microsoft 365 and Azure AD activity logs. Read this article to learn more about how this works.|
+|[Office 365 Management Activity API schema](/office/office-365-management-api/office-365-management-activity-api-schema)|Get an overview of the [Common schema](/office/office-365-management-api/office-365-management-activity-api-schema#common-schema) and the [Defender for Office 365 and threat investigation and response schema](/office/office-365-management-api/office-365-management-activity-api-schema#office-365-advanced-threat-protection-and-threat-investigation-and-response-schema) to learn about specific kinds of data available through the Office 365 Management Activity API.|
+|
+
+## See also
+
+- [Microsoft Defender for Office 365](defender-for-office-365.md)
+- [Automated investigation and response in Microsoft 365 Defender](/microsoft-365/security/defender/m365d-autoir)
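Review bot: The opening paragraph ("With Microsoft Defender for Office 365, you get detailed information about automated investigations ...") appears twice, once directly under the H1 and again after the **Applies to** block, differing only in the `office-365-air.md` link. Keep one copy, preferably the one after **Applies to** so the layout matches the other AIR articles, and keep the link to `office-365-air.md` in it. The article also never says which content type or schema fields carry AIR data in the Management Activity API. A sentence pointing readers to the relevant part of the schema article would save them from reading all four linked resources to find it.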
security Air Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-remediation-actions.md
+
+ Title: Remediation actions in Microsoft Defender for Office 365
+keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection
+f1.keywords:
+- NOCSH
+++
+audience: ITPro
+
+localization_priority: Normal
+search.appverid:
+- MET150
+- MOE150
+
+- M365-security-compliance
+- m365initiative-defender-office365
+description: "Learn about remediation actions following automated investigation in Microsoft Defender for Office 365."
Last updated : 02/09/2021+
+- air
+ms.technology: mdo
++
+# Remediation actions in Microsoft Defender for Office 365
++
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+## Remediation actions
+
+Threat protection features in [Microsoft Defender for Office 365](defender-for-office-365.md) include certain remediation actions. Such remediation actions can include:
+
+- Soft delete email messages or clusters
+- Block URL (time-of-click)
+- Turn off external mail forwarding
+- Turn off delegation
+
+In Microsoft Defender for Office 365, remediation actions are not taken automatically. Instead, remediation actions are taken only upon approval by your organization's security operations team.
+
+## Threats and remediation actions
+
+Microsoft Defender for Office 365 includes remediation actions to address various threats. Automated investigations often result in one or more remediation actions to review and approve. In some cases, an automated investigation does not result in a specific remediation action. To further investigate and take appropriate actions, use the guidance in the following table.
+
+|Category|Threat/risk|Remediation action(s)|
+|:|:|:|
+|Email|Malware|Soft delete email/clusterΓÇï <p> If more than a handful of email messages in a cluster contain malware, the cluster is considered to be malicious.ΓÇï|
+|Email|Malicious URLΓÇï<br/>(A malicious URL was detected by [Safe Links](safe-links.md).)|Soft delete email/clusterΓÇï <br/>Block URL (time-of-click verification)<p> Email that contains a malicious URL is considered to be maliciousΓÇï.|
+|Email|Phish|Soft delete email/clusterΓÇï <p> If more than a handful of email messages in a cluster contain phishing attempts, the whole cluster is considered a phishing attempt.ΓÇï|
+|Email|Zapped phishΓÇï <br>(Email messages were delivered and then [zappedΓÇï](zero-hour-auto-purge.md).)|Soft delete email/clusterΓÇï <p>Reports are available to view zapped messages. [See if ZAP moved a message and FAQs](zero-hour-auto-purge.md#how-to-see-if-zap-moved-your-message).|
+|Email|Missed phish email [reported](enable-the-report-message-add-in.md) by a user|[Automated investigation triggered by the user's report](automated-investigation-response-office.md#example-a-user-reported-phish-message-launches-an-investigation-playbook)|
+|Email|Volume anomalyΓÇï <br> (Recent email quantities exceed the previous 7-10 days for matching criteria.ΓÇï)|Automated investigation does not result in a specific pending action. <p>Volume anomaly is not a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. <p>Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See [Find suspicious email that was delivered](investigate-malicious-email-that-was-delivered.md#find-suspicious-email-that-was-delivered).|
+|Email|No threats found <br> (The system did not find any threats based on files, URLs, or analysis of email cluster verdicts.ΓÇï)|Automated investigation does not result in a specific pending action. <p>Threats found and [zapped](zero-hour-auto-purge.md) after an investigation is complete are not reflected in an investigation's numerical findings, but such threats are viewable in [Threat Explorer](threat-explorer.md).ΓÇï|
+|User|A user clicked a malicious URL <br> (A user navigated to a page that was later found to be malicious, or a user bypassed a [Safe Links warning page](safe-links.md#warning-pages-from-safe-links) to get to a malicious page.ΓÇï)|Automated investigation does not result in a specific pending action. <p>Block URL (time-of-click) <p>Use Threat Explorer to [view data about URLs and click verdicts](threat-explorer.md#view-phishing-url-and-click-verdict-data). <p>If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) to determine if their account is compromised.|
+|User|A user is sending malware/phish|Automated investigation does not result in a specific pending action. <p> The user might be reporting malware/phish, or someone could be [spoofing the user](anti-spoofing-protection.md) as part of an attack. Use [Threat Explorer](threat-explorer.md) to view and handle email containing [malware](threat-explorer-views.md#email--malware) or [phish](threat-explorer-views.md#email--phish).|
+|User|Email forwarding <br> (Mailbox forwarding rules are configured, which could be used for data exfiltrationΓÇï.)|Remove forwarding ruleΓÇï <p> Use [mail flow insights](mail-flow-insights-v2.md), including the [Autoforwarded messages report](mfi-auto-forwarded-messages-report.md), to view more specific details about forwarded email.|
+|User|Email delegation rulesΓÇï <br> (A user's account has delegation set up.)|Remove delegation ruleΓÇï <p> If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) who's getting the delegation permission.ΓÇï|
+|User|Data exfiltration <br> (A user violated email or file-sharing [DLP policies](../../compliance/data-loss-prevention-policies.md).)|Automated investigation does not result in a specific pending action. <p> [View DLP reports and take action](../../compliance/view-the-dlp-reports.md).|
+|User|Anomalous email sending <br> (A user recently sent more email than during the previous 7-10 days.)|Automated investigation does not result in a specific pending action. <p> Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use [mail flow insights](mail-flow-insights-v2.md), including the [mail flow map report](mfi-mail-flow-map-report.md) to determine what's going on and take action.|
+
+## Next steps
+
+- [View details and results of an automated investigation in Microsoft Defender for Office 365](air-view-investigation-results.md)
+- [View pending or completed remediation actions following an automated investigation in Microsoft Defender for Office 365](air-review-approve-pending-completed-actions.md)
+
+## Related articles
+
+- [Learn about automated investigation in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
+- [Learn about capabilities in Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
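Review bot: The "A user clicked a malicious URL" row contradicts itself: the remediation cell opens with "Automated investigation does not result in a specific pending action" and then lists "Block URL (time-of-click)" as an action. Say which one applies, or explain that the URL block is raised separately from the user finding. The action names also drift between the bullet list and the table ("Turn off external mail forwarding" and "Turn off delegation" versus "Remove forwarding rule" and "Remove delegation rule"). Use one name per action so readers can match what they see in the Action center. "More than a handful" in the Malware and Phish rows gives approvers no threshold to reason about. If the real value can't be published, say so. Several cells also carry stray "ΓÇï" sequences that look like mis-encoded zero-width spaces and should be stripped from the source.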
security Air Report False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-report-false-positives-negatives.md
+
+ Title: "How to report false positives or false negatives following automated investigation in Microsoft Defender for Office 365"
+description: Was something missed or wrongly detected by AIR in Microsoft Defender for Office 365? Learn how to submit false positives or false negatives to Microsoft for analysis.
+keywords: automated, investigation, alert, trigger, action, remediation, false positive, false negative
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++ Last updated : 01/29/2021
+localization_priority: Normal
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-defender-office365
++
+- autoir
+ms.technology: mdo
++
+# How to report false positives/negatives in automated investigation and response capabilities
++
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+If [automated investigation and response (AIR) capabilities in Office 365](automated-investigation-response-office.md) missed or wrongly detected something, there are steps your security operations team can take to fix it. Such actions include:
+
+- [Reporting a false positive/negative to Microsoft](#report-a-false-positivenegative-to-microsoft-for-analysis);
+- [Adjusting alerts](#adjust-an-alert-to-prevent-false-positives-from-recurring) (if needed); and
+- [Undoing remediation actions that were taken](#undo-a-remediation-action).
+
+Use this article as a guide.
+
+## Report a false positive/negative to Microsoft for analysis
+
+If AIR in Microsoft Defender for Office 365 missed an email message, an email attachment, a URL in an email message, or a URL in an Office file, you can [submit suspected spam, phish, URLs, and files to Microsoft for Office 365 scanning](admin-submission.md).
+
+You can also [Submit a file to Microsoft for malware analysis](https://www.microsoft.com/wdsi/filesubmission).
+
+## Adjust an alert to prevent false positives from recurring
+
+If an alert is triggered by legitimate use, or the alert is inaccurate, you can [Manage alerts in the Cloud App Security portal](/cloud-app-security/managing-alerts).
+
+If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection) in addition to Office 365, and a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can [create a custom indicator with an "Allow" action for your device](/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
+
+## Undo a remediation action
+
+In most cases, if a remediation action was taken on an email message, email attachment, or URL, and the item is actually not a threat, your security operations team can undo the remediation action and take steps to prevent the false positive from recurring. You can either use [Threat Explorer](#undo-an-action-using-threat-explorer) or the [Actions tab for an investigation](#undo-an-action-in-the-action-center) to undo an action.
+
+> [!IMPORTANT]
+> Make sure you have the necessary permissions before attempting to perform the following tasks.
+
+### Undo an action using Threat Explorer
+
+With Threat Explorer, your security operations team can find an email affected by an action and potentially undo the action.
+
+|Scenario|Undo Options|Learn more|
+||||
+|An email message was routed to a user's Junk Email folder|- Move the message to the user's Deleted Items folder<br/>- Move the message to the user's Inbox<br/>- Delete the message|[Find and investigate malicious email that was delivered in Office 365](investigate-malicious-email-that-was-delivered.md)|
+|An email message or a file was quarantined|- Release the email or file<br/>- Delete the email or file|[Manage quarantined messages as an admin](manage-quarantined-messages-and-files.md)|
+|
+
+### Undo an action in the Action center
+
+In the Action center, you can see remediation actions that were taken and potentially undo the action.
+
+1. Go to the Microsoft 365 security center (<https://security.microsoft.com>).
+2. In the navigation pane, select **Action center**.
+3. Select the **History** tab to view the list of completed actions.
+4. Select an item. Its flyout pane opens.
+5. In the flyout pane, select **Undo**. (Only actions that can be undone will have an **Undo** button.)
+
+## See also
+
+- [Microsoft Defender for Office 365](defender-for-office-365.md)
+- [Automated investigations in Microsoft Defender for Office 365](office-365-air.md)
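Review bot: The "Report a false positive/negative to Microsoft for analysis" section only covers the false-negative case ("If AIR in Microsoft Defender for Office 365 missed an email message ..."). Add the matching sentence for items that were wrongly detected, since the heading and the intro list promise both. In "Undo a remediation action", the link text "Actions tab for an investigation" points to `#undo-an-action-in-the-action-center`, so the label should read "Action center" to match the heading it targets. The `[!IMPORTANT]` note asks readers to have "the necessary permissions" without naming or linking the roles, which is the first thing a security operations team will need to look up before trying the undo steps.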
security Air Review Approve Pending Completed Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions.md
+
+ Title: Review and manage remediation actions in Microsoft Defender for Office 365
+keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection
+f1.keywords:
+- NOCSH
+++
+audience: ITPro
+
+localization_priority: Normal
+search.appverid:
+- MET150
+- MOE150
+
+- M365-security-compliance
+- m365initiative-defender-office365
+description: Learn about remediation actions in automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2.
+ms.technology: mdo
Last updated : 01/29/2021++
+# Review and manage remediation actions in Office 365
+
+As automated investigations on email & collaboration content result in verdicts, such as *Malicious* or *Suspicious*, certain remediation actions are created. In Microsoft Defender for Office 365, remediation actions can include:
+- Blocking a URL (time-of-click)
+- Soft deleting email messages or clusters
+- Quarantining email or email attachments
+- Turning off external mail forwarding
+
+These remediation actions are not taken unless and until your security operations team approves them. We recommend reviewing and approving any pending actions as soon as possible so that your automated investigations complete in a timely manner. In some cases, you can undo a remediation action.
+
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+## Approve (or reject) pending actions
+
+1. Go to the Microsoft 365 security center (<https://security.microsoft.com>) and sign in.
+2. In the navigation pane, select **Action center**.
+3. On the **Pending** tab, review the list of actions that are awaiting approval.
+4. Select an item in the list. Its flyout pane opens.
+5. Review the information in the flyout pane, and then take one of the following steps:
+ - Select **Open investigation page** to view more details about the investigation.
+ - Select **Approve** to initiate a pending action.
+ - Select **Reject** to prevent a pending action from being taken.
+
+## Undo one remediation action
+
+1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
+2. On the **History** tab, select an action that you want to undo.
+3. In the pane on the right side of the screen, select **Undo**.
+
+## Undo multiple remediation actions
+
+1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
+2. On the **History** tab, select the actions that you want to undo. Make sure to select items that have the same Action type. A flyout pane opens.
+3. In the flyout pane, select Undo.
+
+## To remove a file from quarantine across multiple devices
+
+1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
+2. On the **History** tab, select a file that has the Action type **Quarantine file**.
+3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
+
+## Next steps
+
+- [Use Threat Explorer](threat-explorer.md)
+- [How to report false positives/negatives in automated investigation and response capabilities](air-report-false-positives-negatives.md)
+
+## See also
+
+- [View details and results of an automated investigation in Office 365](air-view-investigation-results.md)
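Review bot: "To remove a file from quarantine across multiple devices" refers to devices and to an Action type of **Quarantine file**, neither of which is among the remediation actions the intro lists for Defender for Office 365 (URL block, soft delete, quarantining email or email attachments, turning off external forwarding). State which product produces that action type, or drop the section if it does not apply here. The heading also breaks the imperative pattern of its siblings ("Undo one remediation action", "Undo multiple remediation actions"). Consistency nits: the H1 says "in Office 365" while the title metadata says "in Microsoft Defender for Office 365", step 3 of "Undo multiple remediation actions" leaves **Undo** unbolded, and the **Applies to** block sits below the intro instead of directly under the H1 as in the other AIR articles.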
security Air View Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-view-investigation-results.md
+
+ Title: View the results of an automated investigation in Microsoft 365
+keywords: AIR, autoIR, ATP, automated, investigation, remediation, actions
+f1.keywords:
+- NOCSH
+++
+audience: ITPro
+
+localization_priority: Normal
+search.appverid:
+- MET150
+- MOE150
+
+- M365-security-compliance
+- m365initiative-defender-office365
+description: During and after an automated investigation in Microsoft 365, you can view the results and key findings.
Last updated : 01/29/2021
+ms.technology: mdo
++
+# Details and results of an automated investigation in Microsoft 365
+
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+When an [automated investigation](office-365-air.md) occurs in [Microsoft Defender for Office 365](defender-for-office-365.md), details about that investigation are available during and after the automated investigation process. If you have the necessary permissions, you can view those details in the Microsoft 365 security center. Investigation details provide you with up-to-date status, and the ability to approve any pending actions.
+
+> [!TIP]
+> Check out the new, unified investigation page in the Microsoft 365 security center. To learn more, see [(NEW!) Unified investigation page](../defender/m365d-autoir-results.md#new-unified-investigation-page).
+
+## Investigation status
+
+The investigation status indicates the progress of the analysis and actions. As the investigation runs, status changes to indicate whether threats were found, and whether actions have been approved.
+
+|Status|Description|
+|:|:|
+|**Starting**|The investigation has been triggered and waiting to start runningΓÇï.|
+|**Running**|The investigation process has started and is underway. This state also occurs when [pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions) are approved.|
+|**No Threats Found**|The investigation has finished and no threats (user account, email message, URL, or file) were identified. <p> **TIP**: If you suspect something was missed (such as a false negative), you can take action using [Threat Explorer](threat-explorer.md)ΓÇï.|
+|**Threats Found**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues. <p> The **Threats Found** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: <br/>- A [data loss prevention](../../compliance/data-loss-prevention-policies.md) (DLP) event<br/>- An email sending anomaly<br/>- Sent malware<br/>- Sent phish <p> The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation. <p> **TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer.md)ΓÇï.|
+|**Terminated By System**|The investigation stopped. An investigation can stop for several reasons:ΓÇï <br/>- The investigation's pending actions expired. Pending actions time out after awaiting approval for one week.<br/>- There are too many actions. For example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation haltsΓÇï.<p> **TIP**: If an investigation halts before actions were taken, try using [Threat Explorer](threat-explorer.md) to find and address threats.|
+|**Pending Action**|The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox settingΓÇï, and an action to remediate that threat is [awaiting approval](air-review-approve-pending-completed-actions.md). <p> The **Pending Action** state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. View investigation details to see if other items are still pending completion.ΓÇï|
+|**Remediated**|The investigation finished and all remediation actions were approved (noted as fully remediated). <p> **NOTE**: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status does not change. View investigation details.ΓÇï|
+|**Partially Remediated**|The investigation resulted in remediation actions, and some were approved and completedΓÇï. Other actions are still [pending](air-review-approve-pending-completed-actions.md).|
+|**Failed**|At least one investigation analyzer ran into a problem where it could not complete properlyΓÇï. <p> **NOTE**: If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. View the investigation details. ΓÇïΓÇï|
+|**Queued By Throttling**|An investigation is being held in a queue. When other investigations complete, queued investigations begin. Throttling helps avoid poor service performance. <p> **TIP**: Pending actions can limit how many new investigations can run. Make sure to [approve (or reject) pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions).|
+|**Terminated By Throttling**|If an investigation is held in the queue too long, it stops. <p> **TIP**: You can [start an investigation from Threat Explorer](automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).|
+|
+
+## View details of an investigation
+
+1. Go to the Microsoft 365 security center (<https://security.microsoft.com>) and sign in.
+2. In the navigation pane, select **Action center**.
+3. On either the **Pending** or **History** tabs, select an action. Its flyout pane opens.
+4. In the flyout pane, select **Open investigation page**.
+5. Use the various tabs to learn more about the investigation.
+
+## View details about an alert related to an investigation
+
+Certain kinds of alerts trigger automated investigation in Microsoft 365. To learn more, see [alert policies that trigger automated investigations](office-365-air.md#which-alert-policies-trigger-automated-investigations).
+
+1. Go to the Microsoft 365 security center (<https://security.microsoft.com>) and sign in.
+2. In the navigation pane, select **Action center**.
+3. On either the **Pending** or **History** tabs, select an action. Its flyout pane opens.
+4. In the flyout pane, select **Open investigation page**.
+5. Select the **Alerts** tab to view a list of all of the alerts associated with that investigation.
+6. Select an item in the list to open its flyout pane. There, you can view more information about the alert.
+
+## Keep the following points in mind
+
+- Email counts are calculated at the time of the investigation, and some counts are recalculated when you open investigation flyouts (based on an underlying query).
+
+- The email counts shown for the email clusters on the **Email** tab and the email quantity value shown on cluster flyout are calculated at the time of investigation, and do not change.
+
+- The email count shown at the bottom of the **Email** tab of the email cluster flyout and the count of email messages shown in Explorer reflect email messages received after the investigation's initial analysis.
+
+ Thus, an email cluster that shows an original quantity of 10 email messages would show an email list total of 15 when five more email messages arrive between the investigation analysis phase and when the admin reviews the investigation. Likewise, old investigations might start showing higher counts than Explorer queries show, because data in Microsoft Defender for Office 365 Plan 2 expires after seven days for trials and after 30 days for paid licenses.
+
+ Showing both count historical and current counts in different views is done to indicate the email impact at the time of investigation and the current impact up until the time that remediation is run.
+
+- In the context of email, you might see a volume anomaly threat surface as part of the investigation. A volume anomaly indicates a spike in similar email messages around the investigation event time compared to earlier timeframes. A spike in email traffic together with certain characteristics (for example, subject and sender domain, body similarity, and sender IP) is typical of the start of email campaigns or attacks. However, bulk, spam, and legitimate email campaigns commonly share these characteristics.
+
+- Volume anomalies represent a potential threat, and accordingly could be less severe compared to malware or phish threats that are identified using anti-virus engines, detonation, or malicious reputation.
+
+- You do not have to approve every action. If you do not agree with the recommended action or your organization does not choose certain types of actions, then you can choose to **Reject** the actions or simply ignore them and take no action.
+
+- Approving and/or rejecting all actions lets the investigation fully close (status becomes remediated), while leaving some actions incomplete results in the investigation status changing to a partially remediated state.
+
+## Next steps
+
+- [Review and approve pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions)
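Review bot: The last bullet under "Keep the following points in mind" says approving and/or rejecting all actions closes the investigation with status remediated, but the **Remediated** row in the status table defines that state as "all remediation actions were approved", and its NOTE adds that the status does not change even when approved actions fail. As written, a reader cannot tell from the status alone whether anything was actually removed. Suggest making the table row and the bullet agree (state explicitly whether rejected actions count toward Remediated) and telling readers to confirm action results in the investigation details. Smaller items in the same hunk: "Showing both count historical and current counts" has a stray "count", several status rows carry stray "ΓÇï" sequences (for example after "risky mailbox setting"), and the table ends with an empty "|" row.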
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/alerts.md
+
+ Title: Alerts in the Security & Compliance Center
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: Admin
+
+localization_priority: Normal
+search.appverid:
+ - MOE150
+ - MET150
+ - BCS160
+ms.assetid: 2bb4e7c0-5f7f-4144-b647-cc6a956aaa53
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Learn about how to use the alerts features in the Office 365 Security & Compliance Center to view and manage alerts, including managing advanced alerts.
+
+ms.technology: mdo
++
+# Alerts in the Security & Compliance Center
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+
+Use the alerts features in the Security & Compliance Center to view and manage alerts for your organization, including managing advanced alerts as part of [Microsoft Cloud App Security overview](/cloud-app-security/what-is-cloud-app-security).
+
+## How to get to the alerts features
+
+Alerts are in the Security & Compliance Center. Here's how to get to the page.
+
+### To go directly to the Security & Compliance Center
+
+1. Go to <https://protection.office.com>.
+
+2. Sign in using your work or school account.
+
+3. In the left pane, click **Alerts** to see the alerts features.
+
+### To go to the Security & Compliance Center using the app launcher
+
+1. Sign in using your work or school account.
+
+2. Click the app launcher in the upper left corner, and then click **Security & Compliance**.
+
+ Can't find the app you're looking for? From the app launcher, select **All apps** to see an alphabetical list of the Office 365 apps available to you. From there, you can search for a specific app.
+
+3. In the left pane, click **Alerts** to see the alerts features.
+
+## Alerts features
+
+The following table describes the tools that are available under **Alerts** in the Security & Compliance Center.
+
+****
+
+|Tool|Description|
+|||
+|[Manage alerts](../../compliance/create-activity-alerts.md)|Use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. Activity alerts are similar to searching the audit log for events, except that you'll be sent an email message when an event that you've created an alert for occurs.|
+|[Manage advanced alerts](/cloud-app-security/what-is-cloud-app-security)|Use the **Manage advanced alerts** feature of Microsoft 365 Cloud App Security to set up policies that can alert you to suspicious and anomalous activity in Microsoft 365. After you're alerted, you can investigate situations that are potentially problematic and, if needed, take action to address security issues.|
+|
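Review bot: The product behind **Manage advanced alerts** is named two ways in this file: the intro says "as part of [Microsoft Cloud App Security overview]" and the table row says "Microsoft 365 Cloud App Security", with both links going to /cloud-app-security/what-is-cloud-app-security. Pick one name and use it in both places, and reword the intro so the link text is the product name rather than a page title dropped mid-sentence. The description also says "Office 365 Security & Compliance Center" while the title and body say "Security & Compliance Center"; align those too.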
security Anti Malware Protection Faq Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection-faq-eop.md
+
+ Title: Anti-malware protection FAQ
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: 013c8a5f-8990-40e4-bfa8-f92ff1042623
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+
+ - seo-marvel-apr2020
+description: Admins can view frequently asked questions and answers about anti-malware protection in Exchange Online Protection (EOP).
+ms.technology: mdo
++
+# Anti-malware protection FAQ
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+This article provides frequently asked questions and answers about anti-malware protection for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.
+
+For questions and answers about the quarantine, see [Quarantine FAQ](quarantine-faq.md).
+
+For questions and answers about anti-spam protection, see [Anti-spam protection FAQ](anti-spam-protection-faq.md).
+
+For questions and answers about anti-spoofing protection, see [Anti-spoofing protection FAQ](anti-spoofing-protection-faq.md).
+
+## What are best practice recommendations for configuring and using the service to combat malware?
+
+See [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings).
+
+## How often are the malware definitions updated?
+
+Each server checks for new malware definitions from our anti-malware partners every hour.
+
+## How many anti-malware partners do you have? Can I choose which malware engines we use?
+
+We have partnerships with multiple anti-malware technology providers, so messages are scanned with the Microsoft anti-malware engines, two added signature based engines, plus URL and file reputation scans from multiple sources. Our partners are subject to change, but EOP always uses anti-malware protection from multiple partners. You can't choose one anti-malware engine over another.
+
+## Where does malware scanning occur?
+
+We scan for malware in messages that are sent to or sent from a mailbox (messages in transit). For Exchange Online mailboxes, we also have [malware zero-hour auto purge (ZAP)](zero-hour-auto-purge.md) to scan for malware in messages that have already been delivered. If you resend a message from a mailbox, then it's scanned again (because it's in transit).
+
+## If I make a change to an anti-malware policy, how long does it take after I save my changes for them to take effect?
+
+It might take up to 1 hour for the changes to take effect.
+
+## Does the service scan internal messages for malware?
+
+For organizations with Exchange Online mailbox, the service scans for malware in all inbound and outbound messages, including messages sent between internal recipients.
+
+A standalone EOP subscription scans messages as they enter or leave your on-premises email organization. Messages sent between internal users aren't scanned for malware. However, you can use the built-in anti-malware scanning features of Exchange Server. For more information, see [Antimalware protection in Exchange Server](/Exchange/antispam-and-antimalware/antimalware-protection/antimalware-protection).
+
+## Do all anti-malware engines used by the service have heuristic scanning enabled?
+
+Yes. Heuristic scanning scans for both known (signature match) and unknown (suspicious) malware.
+
+## Can the service scan compressed files (such as .zip files)?
+
+Yes. The anti-malware engines can drill into compressed (archive) files.
+
+## Is the compressed attachment scanning support recursive (.zip within a .zip within a .zip) and if so, how deep does it go?
+
+Yes, recursive scanning of compressed files scans many layers deep.
+
+## Does the service work with legacy Exchange versions and non-Exchange environments?
+
+Yes, the service is server agnostic.
+
+## What's a zero-day virus and how is it handled by the service?
+
+A zero-day virus is a first generation, previously unknown variant of malware that's never been captured or analyzed.
+
+After a zero-day virus sample is captured and analyzed by our anti-malware engines, a definition and unique signature is created to detect the malware.
+
+When a definition or signature exists for the malware, it's no longer considered zero-day.
+
+## How can I configure the service to block specific executable files (such as \*.exe) that I fear may contain malware?
+
+You can enable the **Common Attachment Types Filter** (also known as common attachment blocking) as described in [Anti-malware policies](anti-malware-protection.md#anti-malware-policies).
+
+You can also create an Exchange mail flow rule (also known as transport rule) that blocks any email attachment that has executable content.
+
+Follow the steps in [How to reduce malware threats through file attachment blocking in Exchange Online Protection](https://support.microsoft.com/help/2959596) to block the file types listed in [Supported file types for mail flow rule content inspection in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection).
+
+For increased protection, we also recommend using the **Any attachment file extension includes these words** condition in mail flow rules to block some or all of the following extensions: `ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh`.
+
+## Why did a specific malware get past the filters?
+
+There are two possible reasons why you might have received malware:
+
+1. Most likely, the attachment does not actually contain malicious code. Some anti-malware engines that run on computers might be more aggressive and could stop messages with truncated payloads.
+
+2. The malware you received is a new variant (see [What's a zero-day virus and how is it handled by the service?](#whats-a-zero-day-virus-and-how-is-it-handled-by-the-service)). The time it takes for a malware definition update is dependent on our anti-malware partners.
+
+## How can I submit malware that made it past the filters to Microsoft? Also, how can I submit a file that I believe was incorrectly detected as malware?
+
+See [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## I received an email message with an unfamiliar attachment. Is this malware or can I disregard this attachment?
+
+We strongly advise that you do not open any attachments that you do not recognize. If you would like us to investigate the attachment, go to the Malware Protection Center and submit the possible malware to us as described previously.
+
+## Where can I get the messages that have been deleted by the malware filters?
+
+The messages contain active malicious code and therefore we do not allow access to these messages. They are unceremoniously deleted.
+
+## I am not able to receive a specific attachment because it is being falsely filtered by the malware filters. Can I allow this attachment through via mail flow rules?
+
+No. You can't use Exchange mail flow rules to skip malware filtering.
+
+## Can I get reporting data about malware detections?
+
+Yes, you can access reports in the admin center. For more information about reporting, see the following links:
+
+Exchange Online customers: [Monitoring, Reporting, and Message Tracing in Exchange Online](/exchange/monitoring/monitoring)
+
+Exchange Online Protection customers: [Reporting and message trace in Exchange Online Protection](reporting-and-message-trace-in-exchange-online-protection.md)
+
+## Is there a tool that I can use to follow a malware-detected message through the service?
+
+Yes, the message trace tool enables you to follow email messages as they pass through the service. For more information about how to use the message trace tool to find out why a message was detected to contain malware, see [Message trace in the Security & Compliance Center](message-trace-scc.md).
+
+## Can I use a third-party anti-spam and anti-malware provider in conjunction with Exchange Online?
+
+Yes. In most cases, we recommend that you point your MX records to (that is, deliver email directly to) EOP. If you need to route your email somewhere else first, you need to enable [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) so EOP can use the true message source in filtering decisions.
+
+## Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?
+
+The service focuses on spam and malware detection and removal, though we may occasionally investigate especially dangerous or damaging spam or attack campaigns and pursue the perpetrators.
+
+We often with our legal and digital crime units to take the following actions:
+
+- Take down a spam botnet.
+- Block an attacker from using the service.
+- Pass the information on to law enforcement for criminal prosecution.
+
+## For more information
+
+[Configure anti-malware policies](configure-anti-malware-policies.md)
+
+[Anti-malware protection](anti-malware-protection.md)
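Review bot: The answer under "Where can I get the messages that have been deleted by the malware filters?" says the messages "are unceremoniously deleted" and cannot be accessed, while anti-malware-protection.md in this same set of changes says messages with malware "are quarantined, and can only be released from quarantine by an admin". Someone triaging a detection needs to know which is true, so reconcile the two and link to the quarantine article if quarantine is the current behavior. Other points in this hunk: the unfamiliar-attachment answer sends readers to "the Malware Protection Center ... as described previously", but the preceding answer only links to report-junk-email-messages-to-microsoft.md; "We often with our legal and digital crime units" is missing its verb; "organizations with Exchange Online mailbox" should be plural; and "scans many layers deep" does not answer the "how deep does it go?" question in its heading.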
security Anti Malware Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection.md
+
+ Title: Anti-malware protection
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: 0e39a0ce-ab8b-4820-8b5e-93fbe1cc11e8
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Admins can learn about anti-malware protection and anti-malware policies that protect against viruses, spyware, and ransomware in Exchange Online Protection (EOP).
+
+ms.technology: mdo
++
+# Anti-malware protection in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:
+
+- **Viruses** that infect other programs and data, and spread through your computer or network looking for programs to infect.
+
+- **Spyware** that that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.
+
+- **Ransomware** that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect and remove the malware payload that's associated with the ransomware.
+
+EOP offers multi-layered malware protection that's designed to catch all known malware traveling into or out of your organization. The following options help provide anti-malware protection:
+
+- **Layered defenses against malware**: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
+
+- **Real-time threat response**: During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
+
+- **Fast anti-malware definition deployment**: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.
+
+In EOP, messages that are found to contain malware in *any* attachments are quarantined, and can only be released from quarantine by an admin. For more information, see [Manage quarantined messages and files as an admin in EOP](manage-quarantined-messages-and-files.md).
+
+For more information about anti-malware protection, see the [Anti-malware protection FAQ](anti-malware-protection-faq-eop.md).
+
+To configure anti-malware policies, see [Configure anti-malware policies](configure-anti-malware-policies.md).
+
+To submit malware to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## Anti-malware policies
+
+Anti-malware policies control the settings and notification options for malware detections. The important settings in anti-malware policies are:
+
+- **Recipient notifications**: By default, a message recipient isn't told that a message intended for them was quarantined due to malware. But, you can enable recipient notifications in the form of delivering the original message with *all* attachments removed and replaced by a single file named **Malware Alert Text.txt** that contains the following text:
+
+ > Malware was detected in one or more attachments included with this email message. <br> Action: All attachments have been removed. <br> \<Original malware attachment name\> \<Malware detection result\>
+
+ You can replace the default text in the **Malware Alert Text.txt** file with your own custom text.
+
+- **Common Attachment Types Filter**: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these type of files for malware, when you should probably block them all, anyway? That's where the Common Attachment Types Filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are: `.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs`.
+
+ The Common Attachment Types Filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.
+
+- **Malware zero-hour auto purge (ZAP)**: Malware ZAP quarantines messages that are found to contain malware *after* they've been delivered to Exchange Online mailboxes. By default, malware ZAP is on, and we recommend that you leave it on.
+
+- **Sender notifications**: By default, a message sender isn't told that their message was quarantined due to malware. But, you can enabled notification messages for senders based on whether the sender is internal or external. The default notification message looks like this:
+
+ > From: Postmaster postmaster@_\<defaultdomain\>_.com <br> Subject: Undeliverable message <p> This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected. All attachments were deleted. <p> Additional Information : <p> Subject: \<message subject\> <br> Sender: \<message sender\> <p> Time received: \<date/time\> <br> Message ID: \<message id\> <br> Detections found: <br> \<attachment name\> \<malware detection result\>
+
+ You can customize the **From address**, **subject**, and **message text** for internal and external notifications.
+
+ You can also specify an additional recipient (an admin) to receive notifications for malware detected in messages from internal or external senders.
+
+- **Recipient filters**: For custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:
+
+ - **The recipient is**
+ - **The recipient domain is**
+ - **The recipient is a member of**
+
+ You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
+
+- **Priority**: If you create multiple custom anti-malware policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied.
+
+ For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+
+### Anti-malware policies in the Security & Compliance Center vs PowerShell
+
+The basic elements of an anti-malware policy are:
+
+- **The malware filter policy**: Specifies the recipient notification, sender and admin notification, ZAP, and the Common Attachment Types Filter settings.
+- **The malware filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.
+
+The difference between these two elements isn't obvious when you manage anti-malware polices in the Security & Compliance Center:
+
+- When you create an anti-malware policy, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.
+
+- When you modify an anti-malware policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (recipient notification, sender and admin notification, ZAP, and the Common Attachment Types Filter) modify the associated malware filter policy.
+
+- When you remove an anti-malware policy, the malware filter rule and the associated malware filter policy are removed.
+
+In Exchange Online PowerShell or standalone EOP PowerShell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the **\*-MalwareFilterPolicy** cmdlets, and you manage malware filter rules by using the **\*-MalwareFilterRule** cmdlets.
+
+- In PowerShell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.
+- In PowerShell, you modify the settings in the malware filter policy and the malware filter rule separately.
+- When you remove a malware filter policy from PowerShell, the corresponding malware filter rule isn't automatically removed, and vice versa.
+
+### Default anti-malware policy
+
+Every organization has a built-in anti-malware policy named Default that has these properties:
+
+- The policy is applied to all recipients in the organization, even though there's no malware filter rule (recipient filters) associated with the policy.
+
+- The policy has the custom priority value **Lowest** that you can't modify (the policy is always applied last). Any custom anti-malware policies that you create always have a higher priority than the policy named Default.
+
+- The policy is the default policy (the **IsDefault** property has the value `True`), and you can't delete the default policy.
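Review bot: In the **Common Attachment Types Filter** bullet, the follow-up paragraph says true-typing is best effort and falls back to "simple extension matching" when it fails or isn't supported, but nothing says which of the listed file types true-typing covers. An admin relying on this filter cannot tell whether a renamed file of a blocked type is still caught; suggest listing the true-typed types or linking to where they are documented. In the PowerShell section, the bullet stating that removing a malware filter policy does not remove the corresponding rule (and vice versa) should say what to do about the leftover object, for example an instruction to remove both. Wording fixes: "that that gathers", "you can enabled notification messages", "anti-malware polices", and "designed to catch all known malware" reads as a guarantee that the zero-day discussion in the FAQ does not support.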
security Anti Phishing Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection.md
+
+ Title: Anti-phishing protection
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: 75af74b2-c7ea-4556-a912-8c48e07271d3
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+
+ - TopSMBIssues
+ - seo-marvel-apr2020
+description: Admins can learn about the anti-phishing protection features in Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
+ms.technology: mdo
++
+# Anti-phishing protection in Microsoft 365
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+*Phishing* is an email attack that tries to steal sensitive information in messages that appear to be from legitimate or trusted senders. There are specific categories of phishing. For example:
+
+- **Spear phishing** uses focused, customized content that's specifically tailored to the targeted recipients (typically, after reconnaissance on the recipients by the attacker).
+
+- **Whaling** is directed at executives or other high value targets within an organization for maximum effect.
+
+- **Business email compromise (BEC)** uses forged trusted senders (financial officers, customers, trusted partners, etc.) to trick recipients into approving payments, transferring funds, or revealing customer data.
+
+- **Ransomware** that encrypts your data and demands payment to decrypt it almost always starts out in phishing messages. Anti-phishing protection can't help you decrypt encrypted files, but it can help detect the initial phishing messages that are associated with the ransomware campaign. For more information about recovering from a ransomware attack, see [Recover from a ransomware attack in Microsoft 365](recover-from-ransomware.md).
+
+With the growing complexity of attacks, it's even difficult for trained users to identify sophisticated phishing messages. Fortunately, Exchange Online Protection (EOP) and the additional features in Microsoft Defender for Office 365 can help.
+
+## Anti-phishing protection in EOP
+
+EOP (that is, Microsoft 365 organizations without Microsoft Defender for Office 365) contains features that can help protect your organization from phishing threats:
+
+- **Spoof intelligence**: Review spoofed messages from senders in internal and external domains, and allow or block those senders. For more information, see [Configure spoof intelligence in EOP](learn-about-spoof-intelligence.md).
+
+- **Anti-phishing policies in EOP**: Turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and specify the action for blocked spoofed senders (move to Junk Email folder or quarantine). For more information, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
+
+- **Implicit email authentication**: EOP enhances standard email authentication checks for inbound email ([SPF](set-up-spf-in-office-365-to-help-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md)) with sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques to help identify forged senders. For more information, see [Email authentication in Microsoft 365](email-validation-and-authentication.md).
+
+## Additional anti-phishing protection in Microsoft Defender for Office 365
+
+Microsoft Defender for Office 365 contains additional and more advanced anti-phishing features:
+
+- **Anti-phishing policies in Microsoft Defender for Office 365**: Create new custom policies, configure anti-impersonation settings (protect users and domains from impersonation), mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md). For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).
+
+- **Campaign Views**: Machine learning and other heuristics identify and analyze messages that are involved in coordinated phishing attacks against the entire service and your organization. For more information, see [Campaign Views in Microsoft Defender for Office 365](campaigns.md).
+
+- **Attack simulator**: Admins can create fake phishing messages and send them to internal users as an education tool. For more information, see [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md).
+
+## Other anti-phishing resources
+
+- For end users: [Protect yourself from phishing schemes and other forms of online fraud](https://support.microsoft.com/office/be0de46a-29cd-4c59-aaaf-136cf177d593).
+
+- [How Microsoft 365 validates the From address to prevent phishing](how-office-365-validates-the-from-address.md).
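Review bot: The list introduced by "There are specific categories of phishing" includes a **Ransomware** bullet, but that bullet itself describes ransomware as something that "almost always starts out in phishing messages", which makes it a consequence of phishing rather than a category of it. Suggest moving it out of the list into its own sentence after the categories. The opening definition, "tries to steal sensitive information in messages that appear to be from legitimate or trusted senders", is ambiguous about whether the information is in the messages; "uses messages that appear to be from ..." would be clearer. Also: "it's even difficult for trained users" should read "it's difficult even for trained users", and the link text "Configure spoof intelligence in EOP" points at learn-about-spoof-intelligence.md, so the text or the target should be updated to match.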
security Anti Spam And Anti Malware Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-and-anti-malware-protection.md
+
+ Title: Anti-spam and anti-malware protection
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: 5ce5cf47-2120-4e51-a403-426a13358b7e
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Admins can learn about the built-in anti-spam and anti-malware protection that's available in Exchange Online Protection (EOP).
+ms.technology: mdo
++
+# Anti-spam and anti-malware protection in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam and malware by EOP.
+
+Spam is unsolicited and unwanted email. Malware is viruses and spyware. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware is a specific type of malware that gathers your personal information (for example, sign-in information and personal data) and sends it back to the malware author.
+
+EOP has built-in inbound and outbound malware filtering to help protect your organization from malicious software, and built-in spam filtering to help protect your organization from both receiving and sending spam (for example, in case of compromised accounts). Admins don't need to set up or maintain the filtering technologies because they're enabled by default. However, you can customize the settings based on the needs of your organization.
+
+> [!NOTE]
+> If you use SharePoint Online, anti-malware protection is also automatically provided for files that are uploaded and saved to document libraries. This protection is provided by the Microsoft anti-malware engine that's also integrated into Exchange. This anti-malware service runs on all SharePoint Online Content Front Ends (CFEs).
+
+## Anti-malware protection in EOP
+
+The following table contains links to topics that explain how anti-malware protection works in EOP, and how you can fine-tune your anti-malware configuration settings to best meet the needs of your organization.
+
+****
+
+|Topic|Description|
+|||
+|[Anti-malware protection in EOP](anti-malware-protection.md)|Provides overview information about how the service offers multi-layered malware protection that's designed to catch all known malware traveling to or from your organization.|
+|[Anti-malware protection FAQ](anti-malware-protection-faq-eop.md)|Provides a detailed list of frequently asked questions and answers about anti-malware protection in the service.|
+|[Configure anti-malware policies in EOP](configure-anti-malware-policies.md)|Describes how to configure the default company-wide anti-malware policy, as well as create custom anti-malware policies that you can apply to specified users, groups, or domains in your organization.|
+|[Recover from a ransomware attack](recover-from-ransomware.md)||
+|[Virus detection in SharePoint Online](virus-detection-in-spo.md)|
+|
+
+## Anti-spam protection in EOP
+
+The following table contains links to topics that explain how anti-spam protection works in EOP, and how you can fine-tune your anti-spam configuration settings to best meet the needs of your organization.
+
+****
+
+|Topic|Description|
+|||
+|[Anti-spam protection in EOP](anti-spam-protection.md)|Provides overview information about the main anti-spam protection features included in the service.|
+|[Anti-spam protection FAQ](anti-spam-protection-faq.md)|Provides frequently asked questions and answers about anti-spam protection.|
+|[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)|Provides information about how you can configure anti-spam policies (also known as spam filter policies or content filter policies). You can configure the default company-wide anti-spam policy or create custom anti-spam policies that apply to specific users, groups, or domains in your organization.|
+|[Configure connection filtering](configure-the-connection-filter-policy.md)|Shows how you can add source IP address to the IP Allow List and the IP Block List in the default connection filter policy.|
+|[Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md)|Learn the recommended methods to keep good messages from being identified as spam.|
+|[Create blocked sender lists in EOP](create-block-sender-lists-in-office-365.md)|Learn the recommended methods to block bad messages that aren't being correctly identified as spam.|
+|[Spam confidence level (SCL) in EOP](spam-confidence-levels.md)|Learn about the spam determination of spam filtering.|
+|[Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md)|Learn about the threshold that determines whether bulk email is spam.|
+|[What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md)|Explains the difference between junk email and bulk email messages the controls that are available for both in EOP.|
+|[Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md)|Learn about the junk email rule in all mailboxes that's responsible for moving messages into the Junk Email folder.|
+|[Use mail flow rules to set the spam confidence level (SCL) in messages](use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages.md)|Learn how to use mail flow rules (also known as transport rules) to set the SCL in messages before spam filtering.|
+|[Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md)|Learn about the ASF settings that are available in anti-spam policies.|
+|
+
+### Outbound spam protection in Exchange Online
+
+The following table contains links to topics that explain how outbound spam protection works for Exchange Online mailboxes.
+
+****
+
+|Topic|Description|
+|||
+|[Outbound spam protection in EOP](outbound-spam-controls.md)||
+|[Configure outbound spam filtering in EOP](configure-the-outbound-spam-policy.md)|Shows how to configure outbound spam policies, which contain settings that help make sure your users don't send spam through the service.|
+|[High-risk delivery pool for outbound messages](high-risk-delivery-pool-for-outbound-messages.md)||
+|[Remove blocked users from the Restricted Users portal in Office 365](removing-user-from-restricted-users-portal-after-spam.md)||
+|
+
+## Common protection technologies
+
+The following table contains links to topics that explain settings that are common to anti-malware and anti-spam protection.
+
+****
+
+|Topic|Description|
+|||
+|[Anti-spam message headers](anti-spam-message-headers.md)|Describes the anti-spam fields placed in Internet headers, which can help provide administrators with information about the message and about how it was processed.|
+|[Order and precedence of email protection](how-policies-and-protections-are-combined.md)||
+|[Zero-hour auto purge (ZAP) - protection against spam and malware](zero-hour-auto-purge.md)||
+|[Safety tips in email messages](safety-tips-in-office-365.md)||
+|[Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md)||
+|[Use the delist portal to remove yourself from the Microsoft 365 blocked senders list](use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md)||
+|
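Review bot: Nine rows in the anti-malware, outbound spam, and common protection technologies tables have an empty Description cell, including the ones an admin is most likely to reach for during an incident (`recover-from-ransomware.md`, `zero-hour-auto-purge.md`, `how-policies-and-protections-are-combined.md`), and the `virus-detection-in-spo.md` row is missing its second cell entirely. Please add a one-line description to each, in the style of the filled rows. The introduction defines malware as "viruses and spyware", which is narrower than the page itself, since the anti-malware table links to ransomware recovery; widen the definition or drop it. "Designed to catch all known malware" in the first anti-malware row is an absolute claim that would be safer as "help catch", and the junk/bulk row is missing "and" in "bulk email messages the controls".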
security Anti Spam Message Headers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-message-headers.md
+
+ Title: Anti-spam message headers
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
++
+localization_priority: Priority
+search.appverid:
+ - MET150
+ms.assetid: 2e3fcfc5-5604-4b88-ac0a-c5c45c03f1db
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Admins can learn about the header fields that are added to messages by Exchange Online Protection (EOP). These header fields provide information about the message and how it was processed.
+
+ms.technology: mdo
++
+# Anti-spam message headers in Microsoft 365
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In all Microsoft 365 organizations, Exchange Online Protection (EOP) scans all incoming messages for spam, malware, and other threats. The results of these scans are added to the following header fields in messages:
+
+- **X-Forefront-Antispam-Report**: Contains information about the message and about how it was processed.
+
+- **X-Microsoft-Antispam**: Contains additional information about bulk mail and phishing.
+
+- **Authentication-results**: Contains information about SPF, DKIM, and DMARC (email authentication) results.
+
+This article describes what's available in these header fields.
+
+For information about how to view an email message header in various email clients, see [View internet message headers in Outlook](https://support.microsoft.com/office/cd039382-dc6e-4264-ac74-c048563d212c).
+
+> [!TIP]
+> You can copy and paste the contents of a message header into the [Message Header Analyzer](https://mha.azurewebsites.net/) tool. This tool helps parse headers and put them into a more readable format.
+
+## X-Forefront-Antispam-Report message header fields
+
+After you have the message header information, find the **X-Forefront-Antispam-Report** header. There will be multiple field and value pairs in this header separated by semicolons (;). For example:
+
+`...CTRY:;LANG:hr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;PTR:;CAT:NONE;SFTY:;...`
+
+The individual fields and values are described in the following table.
+
+> [!NOTE]
+> The **X-Forefront-Antispam-Report** header contains many different fields and values. Fields that aren't described in the table are used exclusively by the Microsoft anti-spam team for diagnostic purposes.
+
+****
+
+|Field|Description|
+|||
+|`ARC`|The `ARC` protocol has the following fields: <ul><li>`AAR`: Records the content of the **Authentication-results** header from DMARC.</li><li>`AMS`: Includes cryptographic signatures of the message.</li><li>`AS`: Includes cryptographic signatures of the message headers. This field contains a tag of a chain validation called `"cv="`, which includes the outcome of the chain validation as **none**, **pass**, or **fail**.</li></ul>|
+|`CAT:`|The category of protection policy, applied to the message: <ul><li>`BULK`: Bulk</li><li>`DIMP`: Domain Impersonation</li><li>`GIMP`: [Mailbox intelligence based impersonation](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>`HPHSH` or `HPHISH` : High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`MALW`: Malware</li><li>`PHSH`: Phishing</li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User Impersonation</li><li>`AMP`: Anti-malware</li><li>`SAP`: Safe attachments</li><li>`OSPM`: Outbound spam</li></ul> <p> An inbound message may be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).|
+|`CIP:[IP address]`|The connecting IP address. You can use this IP address in the IP Allow List or the IP Block List. For more information, see [Configure connection filtering](configure-the-connection-filter-policy.md).|
+|`CTRY`|The source country as determined by the connecting IP address, which may not be the same as the originating sending IP address.|
+|`H:[helostring]`|The HELO or EHLO string of the connecting email server.|
+|`IPV:CAL`|The message skipped spam filtering because the source IP address was in the IP Allow List. For more information, see [Configure connection filtering](configure-the-connection-filter-policy.md).|
+|`IPV:NLI`|The IP address was not found on any IP reputation list.|
+|`LANG`|The language in which the message was written, as specified by the country code (for example, ru_RU for Russian).|
+|`PTR:[ReverseDNS]`|The PTR record (also known as the reverse DNS lookup) of the source IP address.|
+|`SCL`|The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam. For more information, see [Spam confidence level (SCL)](spam-confidence-levels.md).|
+|`SFTY`|The message was identified as phishing and will also be marked with one of the following values: <ul><li>9.1: Default value. The message contains some or all of the following elements: a phishing URL, other phishing content, or was marked as phishing by on-premises Exchange.</li><li>9.11: [Intra-org or self-to-self spoofing](anti-spoofing-protection.md#different-types-of-spoofing). The safety tip for intra-org spoofing will be added to the message.</li><li>9.19: Domain impersonation. The sending domain is attempting to [impersonate a protected domain](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). The safety tip for domain impersonation is added to the message (if it's enabled).</li><li>9.20: User impersonation. The sending user is attempting to impersonate a user in the recipient's organization, or a protected user that's specified in an anti-phishing policy in Microsoft Defender for office 365. The safety tip for user impersonation is added to the message (if it's enabled).</li><li>9.21: [Cross-domain spoofing](anti-spoofing-protection.md#different-types-of-spoofing). The message failed anti-spoofing checks. The sender's email domain in the From header does not authenticate and is an external domain. Used in combination with [composite authentication](#authentication-results-message-header-fields).</li><li>9.22: Same as 9.21, except that the user has a safe sender that was overridden.</li><li>9.23: Same as 9.22, except that the organization has an allowed sender or domain that was overridden.</li><li>9.24: Same as 9.23, except that the user has an Exchange mail flow rule (also known as a transport rule) that was overridden.</li></ul>|
+|`SFV:BLK`|Filtering was skipped and the message was blocked because it was sent from an address in a user's Blocked Senders list. <p> For more information about how admins can manage a user's Blocked Senders list, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).|
+|`SFV:NSPM`|Spam filtering marked the message as non-spam and the message was sent to the intended recipients.|
+|`SFV:SFE`|Filtering was skipped and the message was allowed because it was sent from an address in a user's Safe Senders list. <p> For more information about how admins can manage a user's Safe Senders list, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).|
+|`SFV:SKA`|The message skipped spam filtering and was delivered to the Inbox because the sender was in the allowed senders list or allowed domains list in an anti-spam policy. For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).|
+|`SFV:SKB`|The message was marked as spam because it matched a sender in the blocked senders list or blocked domains list in an anti-spam policy. For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).|
+|`SFV:SKI`|Similar to SFV:SKN, the message skipped spam filtering for another reason (for example, an intra-organizational email within a tenant).|
+|`SFV:SKN`|The message was marked as non-spam prior to being processed by spam filtering. For example, the message was marked as SCL -1 or **Bypass spam filtering** by a mail flow rule.|
+|`SFV:SKQ`|The message was released from the quarantine and was sent to the intended recipients.|
+|`SFV:SKS`|The message was marked as spam prior to being processed by spam filtering. For example, the message was marked as SCL 5 to 9 by a mail flow rule.|
+|`SFV:SPM`|The message was marked as spam by spam filtering.|
+|`SRV:BULK`|The message was identified as bulk email by spam filtering and the bulk complaint level (BCL) threshold. When the _MarkAsSpamBulkMail_ parameter is `On` (it's on by default), a bulk email message is marked as high confidence spam (SCL 9). For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).|
+|`X-CustomSpam: [ASFOption]`|The message matched an Advanced Spam Filter (ASF) setting. To see the X-header value for each ASF setting, see [Advanced Spam Filter (ASF) settings](advanced-spam-filtering-asf-options.md).|
+|
+
+## X-Microsoft-Antispam message header fields
+
+The following table describes useful fields in the **X-Microsoft-Antispam** message header. Other fields in this header are used exclusively by the Microsoft anti-spam team for diagnostic purposes.
+
+****
+
+|Field|Description|
+|||
+|`BCL`|The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (and is therefore more likely to be spam). For more information, see [Bulk complaint level (BCL)](bulk-complaint-level-values.md).|
+|
+
+## Authentication-results message header
+
+The results of email authentication checks for SPF, DKIM, and DMARC are recorded (stamped) in the **Authentication-results** message header in inbound messages.
+
+The following list describes the text that's added to the **Authentication-Results** header for each type of email authentication check:
+
+- SPF uses the following syntax:
+
+ ```text
+ spf=<pass (IP address)|fail (IP address)|softfail (reason)|neutral|none|temperror|permerror> smtp.mailfrom=<domain>
+ ```
+
+ For example:
+
+ ```text
+ spf=pass (sender IP is 192.168.0.1) smtp.mailfrom=contoso.com
+ spf=fail (sender IP is 127.0.0.1) smtp.mailfrom=contoso.com
+ ```
+
+- DKIM uses the following syntax:
+
+ ```text
+ dkim=<pass|fail (reason)|none> header.d=<domain>
+ ```
+
+ For example:
+
+ ```text
+ dkim=pass (signature was verified) header.d=contoso.com
+ dkim=fail (body hash did not verify) header.d=contoso.com
+ ```
+
+- DMARC uses the following syntax:
+
+ ```text
+ dmarc=<pass|fail|bestguesspass|none> action=<permerror|temperror|oreject|pct.quarantine|pct.reject> header.from=<domain>
+ ```
+
+ For example:
+
+ ```text
+ dmarc=pass action=none header.from=contoso.com
+ dmarc=bestguesspass action=none header.from=contoso.com
+ dmarc=fail action=none header.from=contoso.com
+ dmarc=fail action=oreject header.from=contoso.com
+ ```
+
+### Authentication-results message header fields
+
+The following table describes the fields and possible values for each email authentication check.
+
+****
+
+|Field|Description|
+|||
+|`action`|Indicates the action taken by the spam filter based on the results of the DMARC check. For example: <ul><li>**oreject** or **o.reject**: Stands for override reject. In this case Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC TXT record has a policy of p=reject. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam. For more information on why Microsoft 365 is configured this way, see [How Microsoft 365 handles inbound email that fails DMARC](use-dmarc-to-validate-email.md#how-microsoft-365-handles-inbound-email-that-fails-dmarc).</li><li>**pct.quarantine**: Indicates that a percentage less than 100% of messages that do not pass DMARC will be delivered anyway. This means that the message failed DMARC and the policy was set to quarantine, but the pct field was not set to 100% and the system randomly determined not to apply the DMARC action, as per the specified domain's policy.</li><li>**pct.reject**: Indicates that a percentage less than 100% of messages that do not pass DMARC will be delivered anyway. This means that the message failed DMARC and the policy was set to reject, but the pct field was not set to 100% and the system randomly determined not to apply the DMARC action, as per the specified domain's policy.</li><li>**permerror**: A permanent error occurred during DMARC evaluation, such as encountering an incorrectly formed DMARC TXT record in DNS. Attempting to resend this message isn't likely to end with a different result. Instead, you may need to contact the domain's owner in order to resolve the issue.</li><li>**temperror**: A temporary error occurred during DMARC evaluation. You may be able to request that the sender resend the message later in order to process the email properly.</li></ul>|
+|`compauth`|Composite authentication result. Used by Microsoft 365 to combine multiple types of authentication such as SPF, DKIM, DMARC, or any other part of the message to determine whether or not the message is authenticated. Uses the From: domain as the basis of evaluation.|
+|`dkim`|Describes the results of the DKIM check for the message. Possible values include: <ul><li>**pass**: Indicates the DKIM check for the message passed.</li><li>**fail (reason)**: Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified.</li><li>**none**: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed.</li></ul>|
+|`dmarc`|Describes the results of the DMARC check for the message. Possible values include: <ul><li>**pass**: Indicates the DMARC check for the message passed.</li><li>**fail**: Indicates the DMARC check for the message failed.</li><li>**bestguesspass**: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed. This is because the domain in the `5321.MailFrom` address (also known as the MAIL FROM address, P1 sender, or envelope sender) matches the domain in the `5322.From` address (also known as the From address or P2 sender).</li><li>**none**: Indicates that no DMARC TXT record exists for the sending domain in DNS.|
+|`header.d`|Domain identified in the DKIM signature if any. This is the domain that's queried for the public key.|
+|`header.from`|The domain of the `5322.From` address in the email message header (also known as the From address or P2 sender). Recipient see the From address in email clients.|
+|`reason`|The reason the composite authentication passed or failed. The value is a 3-digit code. For example: <ul><li>**000**: The message failed explicit authentication (`compauth=fail`). For example, the message received a DMARC fail with an action of quarantine or reject.</li><li>**001**: The message failed implicit authentication (`compauth=fail`). This means that the sending domain did not have email authentication records published, or if they did, they had a weaker failure policy (SPF soft fail or neutral, DMARC policy of `p=none`).</li><li>**002**: The organization has a policy for the sender/domain pair that is explicitly prohibited from sending spoofed email. This setting is manually set by an admin.</li><li>**010**: The message failed DMARC with an action of reject or quarantine, and the sending domain is one of your organization's accepted-domains (this is part of self-to-self, or intra-org, spoofing).</li><li>**1xx** or **7xx**: The message passed authentication (`compauth=pass`). The last two digits are internal codes used by Microsoft 365.</li><li>**2xx**: The message soft-passed implicit authentication (`compauth=softpass`). The last two digits are internal codes used by Microsoft 365.</li><li>**3xx**: The message was not checked for composite authentication (`compauth=none`).</li><li>**4xx** or **9xx**: The message bypassed composite authentication (`compauth=none`). The last two digits are internal codes used by Microsoft 365.</li><li>**6xx**: The message failed implicit email authentication, and the sending domain is one of your organization's accepted domains (this is part of self-to-self or intra-org spoofing).</li></ul>|
+|`smtp.mailfrom`|The domain of the `5321.MailFrom` address (also known as the MAIL FROM address, P1 sender, or envelope sender). This is the email address that's used for non-delivery reports (also known as NDRs or bounce messages).|
+|`spf`|Describes the results of the SPF check for the message. Possible values include: <ul><li>`pass (IP address)`: The SPF check for the message passed and includes the sender's IP address. The client is authorized to send or relay email on behalf of the sender's domain.</li><li>`fail (IP address)`: The SPF check for the message failed and includes the sender's IP address. This is sometimes called _hard fail_.</li><li>`softfail (reason)`: The SPF record designated the host as not being allowed to send, but is in transition.</li><li>`neutral`: The SPF record explicitly states that it does not assert whether the IP address is authorized to send.</li><li>`none`: The domain doesn't have an SPF record or the SPF record doesn't evaluate to a result.</li><li>`temperror`: A temporary error has occurred. For example, a DNS error. The same check later might succeed.</li><li>`permerror`: A permanent error has occurred. For example, the domain has a badly formatted SPF record.</li></ul>|
+|
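Review bot: The DMARC syntax line lists `action=<permerror|temperror|oreject|pct.quarantine|pct.reject>`, yet three of the four DMARC examples use `action=none`, and `none` is also absent from the `action` row of the fields table. Add `none` to both the syntax and the table so that the most common value is documented. In the `dmarc` row, the final `<li>` for **none** is never closed and the `<ul>` has no closing tag, unlike every other list in the table. The `compauth` row does not enumerate its values even though the `reason` row relies on `compauth=fail`, `pass`, `softpass`, and `none`, and the syntax list has no `compauth=` entry or example. Smaller points: the `LANG` row says "country code (for example, ru_RU)" while the sample header shows `LANG:hr`; "Recipient see" in the `header.from` row should be "Recipients see"; and "Defender for office 365" in the `SFTY` 9.20 item needs a capital O.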
security Anti Spam Protection Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection-faq.md
+
+ Title: Anti-spam protection FAQ
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: c534a35d-b121-45da-9d0a-ce738ce51fce
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+
+ - seo-marvel-apr2020
+description: Admins can view frequently asked questions and answers about anti-spam protection in Exchange Online Protection (EOP).
+ms.technology: mdo
++
+# Anti-spam protection FAQ
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+This topic provides frequently asked questions and answers about anti-malware protection for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.
+
+For questions and answers about the quarantine, see [Quarantine FAQ](quarantine-faq.md).
+
+For questions and answers about anti-malware protection, see [Anti-malware protection FAQ](anti-malware-protection-faq-eop.md).
+
+For questions and answers about anti-spoofing protection, see [Anti-spoofing protection FAQ](anti-spoofing-protection-faq.md).
+
+## By default, what happens to a spam-detected message?
+
+**For inbound messages:** The majority of spam is deleted via connection filtering, which is based on the IP address of the source email server. Anti-spam policies (also known as spam filter policies or content filter policies) inspect and classify messages as spam, bulk, or phishing. By default, messages that are classified as spam or bulk are delivered to the recipient's Junk Email folder, while messages classified as phishing are quarantined. You can modify the default anti-spam policy (applies to all recipients), or you can create custom anti-spam policies with stricter settings for specific groups of users (for example, you can quarantine spam that's sent to executives). For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md) and [Recommended anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
+
+> [!IMPORTANT]
+> In hybrid deployments where EOP protects on-premises mailboxes, you need to configure two Exchange mail flow rules (also known as transport rules) in your on-premises Exchange organization to detect the EOP spam filtering headers that are added to messages. For details, see [Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments](ensure-that-spam-is-routed-to-each-user-s-junk-email-folder.md).
+
+ **For outbound messages:** The message is either routed through the [high-risk delivery pool](high-risk-delivery-pool-for-outbound-messages.md) or is returned to the sender in a non-delivery report (also known as an NDR or bounce message). For more information about outbound spam protection, see [Outbound spam controls](outbound-spam-controls.md).
+
+## What's a zero-day spam variant and how is it handled by the service?
+
+A zero-day spam variant is a first generation, previously unknown variant of spam that's never been captured or analyzed, so our anti-spam filters don't yet have any information available for detecting it. After a zero-day spam sample is captured and analyzed by our spam analysts, if it meets the spam classification criteria, our anti-spam filters are updated to detect it, and it's no longer considered "zero-day."
+
+**Note:** If you receive a message that may be a zero-day spam variant, in order to help us improve the service, please submit the message to Microsoft using one of the methods described in [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## Do I need to configure the service to provide anti-spam protection?
+
+After you sign up for the service and add your domain, spam filtering is automatically enabled. By default, spam filtering is tuned to protect you without needing any additional configuration (aside from the previously noted exception for standalone EOP standalone customers in hybrid environments). As an admin, you can edit the default spam filtering settings to best meet the needs of your organization. For greater granularity, you can also create anti-spam policies and outbound anti-spam policies that are applied to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies.
+
+For more information, see the following topics:
+
+[Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)
+
+[Configure connection filtering in EOP](configure-the-connection-filter-policy.md)
+
+[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)
+
+[Configure the outbound spam policy](configure-the-outbound-spam-policy.md)
+
+## If I make a change to an anti-spam policy, how long does it take after I save my changes for them to take effect?
+
+It may take up to 1 hour for the changes to take effect.
+
+## Is bulk email filtering automatically enabled?
+
+Yes. For more information about bulk email, see [What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md).
+
+## Does the service provide URL filtering?
+
+Yes, the service has a URL filter that checks for URLs within messages. If URLs associated with known spam or malicious content are detected then the message is marked as spam.
+
+## How can customers using the service send false negative (spam) and false positive (non-spam) messages to Microsoft?
+
+Spam and non-spam messages can be submitted to Microsoft for analysis in several ways. For more information, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## Can I get spam reports?
+
+Yes, for example you can get a spam detection report in the Microsoft 365 admin center. This report shows spam volume as a count of unique messages. For more information about reporting, see the following links:
+
+Exchange Online customers: [Monitoring, Reporting, and Message Tracing in Exchange Online](/exchange/monitoring/monitoring)
+
+Standalone EOP customers: [Reporting and message trace in Exchange Online Protection](reporting-and-message-trace-in-exchange-online-protection.md)
+
+## Someone sent me a message and I can't find it. I suspect that it may have been detected as spam. Is there a tool that I can use to find out?
+
+Yes, the message trace tool enables you to follow email messages as they pass through the service, in order to find out what happened to them. For more information about how to use the message trace tool to find out why a message was marked as spam, see [Was a message marked as spam?](/exchange/monitoring/trace-an-email-message/message-trace-faq#was-a-message-marked-as-spam)
+
+## Will the service throttle (rate limit) my mail if my users send outbound spam?
+
+If more than half of the mail that is sent from a user through the service within a certain time frame (for example, per hour), is determined to be spam by EOP, the user will be blocked from sending messages. In most cases, if an outbound message is determined to be spam, it is routed through the high-risk delivery pool, which reduces the probability of the normal outbound-IP pool being added to a block list.
+
+You can send a notification to a specified email address when a sender is blocked sending outbound spam. For more information about this setting, see [Configure the outbound spam policy](configure-the-outbound-spam-policy.md).
+
+## Can I use a third-party anti-spam and anti-malware provider in conjunction with Exchange Online?
+
+Yes. Although we recommend that you point your MX record to Microsoft, we realize that there are legitimate business reasons to route your email to somewhere other than Microsoft first.
+
+- **Inbound**: Change your MX records to point to the third-party provider, and then redirect the messages to EOP for additional processing. For more information, see [Enhanced Filtering for connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
+
+- **Outbound**: Configure smart host routing from Microsoft 365 to the destination third-party provider.
+
+## Does Microsoft have any documentation about how I can protect myself from phishing scams?
+
+Yes. For more information, see [Protect your privacy on the internet](https://support.microsoft.com/help/4091455)
+
+## Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?
+
+The service focuses on spam and malware detection and removal, though we may occasionally investigate especially dangerous or damaging spam or attack campaigns and pursue the perpetrators. This may involve working with our legal and digital crime units to take down a spammer botnet, blocking the spammer from using the service (if they're using it for sending outbound email), and passing the information on to law enforcement for criminal prosecution.
+
+## What are a set of best outbound mailing practices that will ensure that my mail is delivered?
+
+The guidelines presented below are best practices for sending outbound email messages.
+
+- **The source email domain should resolve in DNS.**
+
+ For example, if the sender is user@fabrikam, the domain fabrikam resolves to the IP address 192.0.43.10.
+
+ If a sending domain has no A-record and no MX record in DNS, the service will route the message through its higher risk delivery pool regardless of whether or not the content of the message is spam. For more information about the higher risk delivery pool, see [High-risk delivery pool for outbound messages](high-risk-delivery-pool-for-outbound-messages.md).
+
+- **Outbound mail eserver should have a reverse DNS (PTR) entry.**
+
+ For example, if the email source IP address is 192.0.43.10, the reverse DNS entry would be `43-10.any.icann.org`.`
+
+- **The HELO/EHLO and MAIL FROM commands should be consistent and be present in the form of a domain name rather than an IP address.**
+
+ The HELO/EHLO command should be configured to match the reverse DNS of the sending IP address so that the domain remains the same across the various parts of the message headers.
+
+- **Ensure that proper SPF records are set up in DNS.**
+
+ SPF records are a mechanism for validating that mail sent from a domain really is coming from that domain and is not spoofed. For more information about SPF records, see the following links:
+
+ [Set up SPF to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md)
+
+ [Domains FAQ](../../admin/setup/domains-faq.yml#how-can-i-validate-spf-records-for-my-domain)
+
+- **Signing email with DKIM, sign with relaxed canonicalization.**
+
+ If a sender wants to sign their messages using Domain Keys Identified Mail (DKIM) and they want to send outbound mail through the service, they should sign using the relaxed header canonicalization algorithm. Signing with strict header canonicalization may invalidate the signature when it passes through the service.
+
+- **Domain owners should have accurate information in the WHOIS database.**
+
+ This identifies the owners of the domain and how to contact them by entering the stable parent company, point of contact, and name servers.
+
+- **For bulk mailers, the From: name should reflect who is sending the message, while the subject line of the message should be a brief summary on what the message is about.**
+
+ The message body should have a clear indication of the offering, service, or product. For example, if a sender is sending out a bulk mailing for the Contoso company, the following is what the email From and Subject should resemble:
+
+ > From: marketing@contoso.com <br> Subject: New updated catalog for the Christmas season!
+
+ The following is an example of what not to do because it is not descriptive:
+
+ > From: user@hotmail.com <br> Subject: Catalogs
+
+- **If sending a bulk mailing to many recipients and the message is in newsletter format, there should be a way of unsubscribing at the bottom of the message.**
+
+ The unsubscribe option should resemble the following:
+
+ > This message was sent to example@contoso.com by sender@fabrikam.com. Update Profile/Email Address | Instant removal with **SafeUnsubscribe**&trade; | Privacy Policy
+
+- **If sending bulk email, list acquisition should be performed using double opt-in. If you are a bulk mailer, double opt-in is an industry best practice.**
+
+ Double opt-in is the practice of requiring a user to take two actions to sign up for marketing mail:
+
+ 1. Once when the user clicks on a previously unchecked check box where they opt-in to receive further offers or email messages from the marketer.
+
+ 2. A second time when the marketer sends a confirmation email to the user's provided email address asking them to click on a time-sensitive link that will complete their confirmation.
+
+ Using double opt-in builds a good reputation for bulk email senders.
+
+- **Bulk senders should create transparent content for which they can be held accountable:**
+
+ 1. Verbiage requesting that recipients add the sender to the address book should clearly state that such action is not a guarantee of delivery.
+
+ 2. When constructing redirects in the body of the message, use a consistent link style.
+
+ 3. Don't send large images or attachments, or messages that are solely composed of an image.
+
+ 4. When employing tracking pixels (web bugs or beacons), clearly state their presence in your public privacy or P3P settings.
+
+- **Format outbound bounce messages.**
+
+ When generating delivery status notification messages (also known as non-delivery reports, NDRs, or bounce messages), senders should follow the format of a bounce as specified in [RFC 3464](https://www.ietf.org/rfc/rfc3464.txt).
+
+- **Remove bounced email addresses for non-existent users.**
+
+ If you receive an NDR indicating that an email address is no longer in use, remove the non-existent email alias from your list. Email addresses change over time, and people sometimes discard them.
+
+- **Use Hotmail's Smart Network Data Services (SNDS) program.**
+
+ Hotmail uses a program called Smart Network Data Services that allows senders to check complaints submitted by end users. The SNDS is the primary portal for troubleshooting delivery problems to Hotmail.
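Review bot: In the DKIM bullet of the outbound best practices, "strict header canonicalization" is not a DKIM term; RFC 6376 names the header canonicalization algorithms "simple" and "relaxed", so the warning should read "Signing with simple header canonicalization may invalidate the signature". The same bullet writes "Domain Keys Identified Mail" where the standard name is "DomainKeys Identified Mail", and its bold heading ("Signing email with DKIM, sign with relaxed canonicalization") should be an imperative like the other bullets. Smaller fixes in this file: "standalone EOP standalone customers" in the first answer repeats a word, "Outbound mail eserver" should be "server", the reverse DNS example ends with a stray backtick after "43-10.any.icann.org", and the example address "user@fabrikam" has no top-level domain, so the reader cannot tell which name is expected to resolve.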
security Anti Spam Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection.md
+
+ Title: Anti-spam protection
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ - MOE150
+ms.assetid: 6a601501-a6a8-4559-b2e7-56b59c96a586
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+
+ - seo-marvel-apr2020
+description: Admins can learn about the anti-spam settings and filters that will help prevent spam in Exchange Online Protection (EOP).
+ms.technology: mdo
++
+# Anti-spam protection in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
+
+> [!NOTE]
+> This topic is intended for admins. For end-user topics, see [Overview of the Junk Email Filter](https://support.microsoft.com/office/5ae3ea8e-cf41-4fa0-b02a-3b96e21de089) and [Learn about junk email and phishing](https://support.microsoft.com/office/86c1d76f-4d5a-4967-9647-35665dc17c31).
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.
+
+Microsoft's email safety roadmap involves an unmatched cross-product approach. EOP anti-spam and anti-phishing technology is applied across our email platforms to provide users with the latest anti-spam and anti-phishing tools and innovations throughout the network. The goal for EOP is to offer a comprehensive and usable email service that helps detect and protect users from junk email, fraudulent email threats (phishing), and malware.
+
+As email use has grown, so has email abuse. Unmonitored junk email can clog inboxes and networks, impact user satisfaction, and hamper the effectiveness of legitimate email communications. That's why Microsoft continues to invest in anti-spam technologies. Simply put, it starts by containing and filtering junk email.
+
+> [!TIP]
+> The following anti-spam technologies are useful when you want to allow or block messages based on the message envelope (for example, the sender's domain or the source IP address of the message). To allow or block messages based on payload (for example, URLs in the message or attached files), then you should use the [Tenant Allow/Block List portal](tenant-allow-block-list.md).
+
+## Anti-spam technologies in EOP
+
+To help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform, Outlook.com. Ongoing feedback from EOP users in the junk email classification program helps ensure that the EOP technologies are continually trained and improved.
+
+The anti-spam settings in EOP are made of the following technologies:
+
+- **Connection filtering**: Identifies good and bad email source servers early in the inbound email connection via the IP Allow List, IP Block List, and the *safe list* (a dynamic but non-editable list of trusted senders maintained by Microsoft). You configure these settings in the connection filter policy. Learn more at [Configure connection filtering](configure-the-connection-filter-policy.md).
+
+ > [!NOTE]
+ > Spoof intelligence uses connection filtering to create allow and block lists of senders who are spoofing your email domain. For more information, see [Learn more about spoof intelligence in Microsoft 365](learn-about-spoof-intelligence.md).
+
+- **Spam filtering (content filtering)**: EOP uses the spam filtering verdicts **Spam**, **High confidence spam**, **Bulk email**, **Phishing email** and **High confidence phishing email** to classify messages. You can configure the actions to take based on these verdicts, and you can configure the end-user notification options for messages that were quarantined instead of delivered. For more information, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
+
+ > [!NOTE]
+ > By default, spam filtering is configured to send messages that were marked as spam to the recipient's Junk Email folder. However, in hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the EOP spam headers that are added to messages. For details, see [Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments](ensure-that-spam-is-routed-to-each-user-s-junk-email-folder.md).
+
+- **Outbound spam filtering**: EOP also checks to make sure that your users don't send spam, either in outbound message content or by exceeding outbound message limits. For more information, see [Configure outbound spam filtering in Microsoft 365](configure-the-outbound-spam-policy.md).
+
+- **Spoof intelligence**: For more information, see [Learn more about spoof intelligence in Microsoft 365](learn-about-spoof-intelligence.md).
+
+## Manage errors in spam filtering
+
+It's possible that good messages can be identified as spam (also known as false positives), or that spam can be delivered to the Inbox. You can use the suggestions in the following sections to find out what happened and help prevent it from happening in the future.
+
+Here are some best practices that apply to either scenario:
+
+- Always submit misclassified messages to Microsoft. For more information, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+- **Examine the anti-spam message headers**: These values will tell you why a message was marked as spam, or why it skipped spam filtering. For more information, see [Anti-spam message headers](anti-spam-message-headers.md).
+
+- **Point your MX record to Microsoft 365**: In order for EOP to provide the best protection, we always recommend that you have email delivered to Microsoft 365 first. For instructions, see [Create DNS records at any DNS hosting provider for Microsoft 365](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md).
+
+ If the MX record points to some other location (for example, a third-party anti-spam solution or appliance), it's difficult for EOP to provide accurate spam filtering. In this scenario, you need to configure Enhanced Filtering for connectors (also known as _skip listing_). For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
+
+- **Use email authentication**: If you own an email domain, you can use DNS to help insure that messages from senders in that domain are legitimate. To help prevent spam and unwanted spoofing in EOP, use all of the following email authentication methods:
+
+ - **SPF**: Sender Policy Framework verifies the source IP address of the message against the owner of the sending domain. For a quick introduction to SPF and to get it configured quickly, see [Set up SPF to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md). For a more in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](how-office-365-uses-spf-to-prevent-spoofing.md).
+
+ - **DKIM**: DomainKeys Identified Mail adds a digital signature to the message header of messages sent from your domain. For information, see [Use DKIM to validate outbound email sent from your custom domain in Microsoft 365](use-dkim-to-validate-outbound-email.md).
+
+ - **DMARC**: Domain-based Message Authentication, Reporting, and Conformance helps destination email systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners. For more information, see [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).
+
+- **Verify your bulk email settings**: The bulk compliant level (BCL) threshold that you configure in anti-spam policies determines whether bulk email (also known as _gray mail_) is marked as spam. The PowerShell-only setting _MarkAsSpamBulkMail_ that's on by default also contributes to the results. For more information, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
+
+### Prevent the delivery of spam to the Inbox
+
+- **Verify your organization settings**: Watch out for settings that allow messages to skip spam filtering (for example, if you add your own domain to the allowed domains list in anti-spam policies). For our recommended settings, see [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md) and [Create safe sender lists](create-safe-sender-lists-in-office-365.md).
+
+- **Verify the junk email rule is enabled in the user's mailbox**: It's enabled by default, but if it's disabled, messages marked as junk can't be moved into the Junk Email folder. For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).
+
+- **Use the available blocked sender lists**: For information, see [Create blocked sender lists](create-block-sender-lists-in-office-365.md).
+
+- **Unsubscribe from bulk email** If the message was something that the user signed up for (newsletters, product announcements, etc.) and contains an unsubscribe link from a reputable source, consider asking them to simply unsubscribe.
+
+- **Standalone EOP: create mail flow rules in on-premises Exchange for EOP spam filtering verdicts**: In standalone EOP environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange to translate the EOP spam filtering verdict so the junk email rule can move the message to the Junk Email folder. For details, see [Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments](ensure-that-spam-is-routed-to-each-user-s-junk-email-folder.md).
+
+### Prevent good email from being identified as spam
+
+Here are some steps that you can take to help prevent false positives:
+
+- **Verify the user's Outlook Junk Email Filter settings**:
+
+ - **Verify the Outlook Junk Email Filter is disabled**: When the Outlook Junk Email Filter is set to the default value **No automatic filtering**, Outlook doesn't attempt to classify massages as spam. When it's set to **Low** or **High**, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify and move spam to the Junk Email folder, so you could get false positives. Note that Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook in November, 2016. The existing SmartScreen spam definitions were left in place, but their effectiveness will likely degrade over time.
+
+ - **Verify the Outlook 'Safe Lists Only' setting is disabled**: When this setting is enabled, only messages from senders in the user's Safe Senders list or Safe Recipients list are delivered to the Inbox; email from everyone else is automatically moved to the Junk Email folder.
+
+ For more information about these settings, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).
+
+- **Use the available safe sender lists**: For information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md).
+
+- **Verify users are within the sending and receiving limits** as described in [Receiving and sending limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#receiving-and-sending-limits) in the Exchange Online service description.
+
+- **Standalone EOP: use directory synchronization**: If you use standalone EOP to help protect your on-premises Exchange organization, you should sync user settings with the service by using directory synchronization. Doing this ensures that your users' Safe Senders lists are respected by EOP. For more information, see [Use directory synchronization to manage mail users](manage-mail-users-in-eop.md#use-directory-synchronization-to-manage-mail-users).
+
+## Anti-spam legislation
+
+At Microsoft, we believe that the development of new technologies and self-regulation requires the support of effective government policy and legal frameworks. The worldwide spam proliferation has spurred numerous legislative bodies to regulate commercial email. Many countries now have spam-fighting laws in place. The United States has both federal and state laws governing spam, and this complementary approach is helping to curtail spam while enabling legitimate e-commerce to prosper. The CAN-SPAM Act expands the tools available for curbing fraudulent and deceptive email messages.
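Review bot: In the "Verify your bulk email settings" bullet, BCL is expanded as "bulk compliant level"; the abbreviation stands for bulk complaint level, and the wrong word changes what the threshold appears to measure. Two typos also need fixing: "help insure that messages" in the email authentication bullet should be "help ensure", and "classify massages as spam" in the Outlook Junk Email Filter sub-bullet should be "messages". The "Spoof intelligence" entry in the technologies list is only a link with no description, unlike the three bullets before it, and "Unsubscribe from bulk email" is missing the colon after its bold lead-in.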
security Anti Spoofing Protection Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-protection-faq.md
+
+ Title: Anti-spoofing protection FAQ
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid:
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Admins can view frequently asked questions and answers about anti-spoofing protection in Exchange Online Protection (EOP).
+ms.technology: mdo
++
+# Anti-spoofing protection FAQ
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+This article provides frequently asked questions and answers about anti-spoofing protection for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.
+
+For questions and answers about anti-spam protection, see [Anti-spam protection FAQ](anti-spam-protection-faq.md).
+
+For questions and answers about anti-malware protection, see [Anti-malware protection FAQ](anti-malware-protection-faq-eop.md)
+
+## Why did Microsoft choose to junk unauthenticated inbound email?
+
+Microsoft believes that the risk of continuing to allow unauthenticated inbound email is higher than the risk of losing legitimate inbound email.
+
+## Does junking unauthenticated inbound email cause legitimate email to be marked as spam?
+
+When Microsoft enabled this feature in 2018, some false positives happened (good messages were marked as bad). However, over time, senders adjusted to the requirements. The number of messages that were misidentified as spoofed became negligible for most email paths.
+
+Microsoft itself first adopted the new email authentication requirements several weeks before deploying it to customers. While there was disruption at first, it gradually declined.
+
+## Is spoof intelligence available to Microsoft 365 customers without Defender for Office 365?
+
+Yes. As of October 2018, spoof intelligence is available to all organizations with mailboxes in Exchange Online, and standalone EOP organizations without Exchange Online mailboxes.
+
+## How can I report spam or non-spam messages back to Microsoft?
+
+See [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## I'm an admin and I don't know all of sources for messages in my email domain!
+
+See [You don't know all sources for your email](email-validation-and-authentication.md#you-dont-know-all-sources-for-your-email).
+
+## What happens if I disable anti-spoofing protection for my organization?
+
+We do not recommend disabling anti-spoofing protection. Disabling the protection will allow more phishing and spam messages to be delivered in your organization. Not all phishing is spoofing, and not all spoofed messages will be missed. However, your risk will be higher.
+
+Now that [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) is available, we no longer recommended turning off anti-spoofing protection when your email is routed through another service before EOP.
+
+## Does anti-spoofing protection mean I will be protected from all phishing?
+
+Unfortunately, no. Attackers will adapt to use other techniques (for example, compromised accounts or accounts in free email services). However, anti-phishing protection works much better to detect these other types of phishing methods. The protection layers in EOP are designed work together and build on top of each other.
+
+## Do other large email services block unauthenticated inbound email?
+
+Nearly all large email services implement traditional SPF, DKIM, and DMARC checks. Some services have other, more strict checks, but few go as far as EOP to block unauthenticated email and treat them as spoofed messages. However, the industry is becoming more aware about issues with unauthenticated email, particularly because of the problem of phishing.
+
+## Do I still need to enable the Advanced Spam Filter setting "SPF record: hard fail" (_MarkAsSpamSpfRecordHardFail_) if I enable anti-spoofing?
+
+No. This ASF setting is no longer required. Anti-spoofing protection considers both SPF hard fails and a much wider set of criteria. If you have anti-spoofing enabled and the **SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_) turned on, you will probably get more false positives.
+
+We recommend that you disable this feature as it provides almost no additional benefit for detecting spam or phishing message, and would instead generate mostly false positives. For more information, see [Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md).
+
+## Does Sender Rewriting Scheme help fix forwarded email?
+
+SRS only partially fixes the problem of forwarded email. By rewriting the SMTP **MAIL FROM**, SRS can ensure that the forwarded message passes SPF at the next destination. However, because anti-spoofing is based upon the **From** address in combination with the **MAIL FROM** or DKIM-signing domain (or other signals), it's not enough to prevent SRS forwarded email from being marked as spoofed.
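Review bot: In the answer about "SPF record: hard fail", the second paragraph says "We recommend that you disable this feature", and "this feature" can be read as anti-spoofing rather than the ASF setting, which would contradict the earlier answer "We do not recommend disabling anti-spoofing protection"; name the setting (_MarkAsSpamSpfRecordHardFail_) explicitly in that sentence. Wording fixes: "we no longer recommended turning off" should be "recommend", "designed work together" is missing "to", "all of sources" in the admin question heading is missing "the", and "phishing message" should be plural. The front matter also leaves ms.assetid empty, while the other articles in this change set a value.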
security Anti Spoofing Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-protection.md
+
+ Title: Anti-spoofing protection
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+search.appverid:
+ - MET150
+ms.assetid: d24bb387-c65d-486e-93e7-06a4f1a436c0
+
+ - M365-security-compliance
+ - Strat_O365_IP
+ - m365initiative-defender-office365
+
+ - TopSMBIssues
+ - seo-marvel-apr2020
+localization_priority: Priority
+description: Admins can learn about the anti-spoofing features that are available in Exchange Online Protection (EOP), which can help mitigate against phishing attacks from spoofed senders and domains.
+ms.technology: mdo
++
+# Anti-spoofing protection in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP includes features to help protect your organization from spoofed (forged) senders.
+
+When it comes to protecting its users, Microsoft takes the threat of phishing seriously. Spoofing is a common technique that's used by attackers. **Spoofed messages appear to originate from someone or somewhere other than the actual source**. This technique is often used in phishing campaigns that are designed to obtain user credentials. The anti-spoofing technology in EOP specifically examines forgery of the From header in the message body (used to display the message sender in email clients). When EOP has high confidence that the From header is forged, the message is identified as spoofed.
+
+The following anti-spoofing technologies are available in EOP:
+
+- **Spoof intelligence**: Review spoofed messages from senders in internal and external domains, and allow or block those senders. For more information, see [Configure spoof intelligence in Microsoft 365](learn-about-spoof-intelligence.md).
+
+- **Anti-phishing policies**: In EOP, anti-phishing policies allow you to turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and specify the action for blocked spoofed senders (move to the Junk Email folder or quarantine). Advanced anti-phishing policies that are available in Microsoft Defender for Office 365 also contain anti-impersonation settings (protected senders and domains), mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).
+
+- **Email authentication**: An integral part of any anti-spoofing effort is the use of email authentication (also known as email validation) by SPF, DKIM, and DMARC records in DNS. You can configure these records for your domains so destination email systems can check the validity of messages that claim to be from senders in your domains. For inbound messages, Microsoft 365 requires email authentication for sender domains. For more information, see [Email authentication in Microsoft 365](email-validation-and-authentication.md).
+
+As of October 2018, anti-spoofing protection is available in EOP.
+
+EOP analyzes and blocks messages that can't be authenticated by the combination of standard email authentication methods and sender reputation techniques.
+
+![EOP anti-spoofing checks](../../media/eop-anti-spoofing-protection.png)
+
+## How spoofing is used in phishing attacks
+
+Spoofing messages have the following negative implications for users:
+
+- **Spoofed messages deceive users**: A spoofed message might trick the recipient into clicking a link and giving up their credentials, downloading malware, or replying to a message with sensitive content (known as a business email compromise or BEC).
+
+ The following message is an example of phishing that uses the spoofed sender msoutlook94@service.outlook.com:
+
+ ![Phishing message impersonating service.outlook.com](../../media/1a441f21-8ef7-41c7-90c0-847272dc5350.jpg)
+
+ This message didn't come from service.outlook.com, but the attacker spoofed the **From** header field to make it look like it did. This was an attempt to trick the recipient into clicking the **change your password** link and giving up their credentials.
+
+ The following message is an example of BEC that uses the spoofed email domain contoso.com:
+
+ ![Phishing message - business email compromise](../../media/da15adaa-708b-4e73-8165-482fc9182090.jpg)
+
+ The message looks legitimate, but the sender is spoofed.
+
+- **Users confuse real messages for fake ones**: Even users who know about phishing might have difficulty seeing the differences between real messages and spoofed messages.
+
+ The following message is an example of a real password reset message from the Microsoft Security account:
+
+ ![Microsoft legitimate password reset](../../media/58a3154f-e83d-4f86-bcfe-ae9e8c87bd37.jpg)
+
+ The message really did come from Microsoft, but users have been conditioned to be suspicious. Because it's difficult to the difference between a real password reset message and a fake one, users might ignore the message, report it as spam, or unnecessarily report the message to Microsoft as phishing.
+
+## Different types of spoofing
+
+Microsoft differentiates between two different types of spoofed messages:
+
+- **Intra-org spoofing**: Also known as _self-to-self_ spoofing. For example:
+
+ - The sender and recipient are in the same domain:
+ > From: chris@contoso.com <br> To: michelle@contoso.com
+
+ - The sender and the recipient are in subdomains of the same domain:
+ > From: laura@marketing.fabrikam.com <br> To: julia@engineering.fabrikam.com
+
+ - The sender and recipient are in different domains that belong to the same organization (that is, both domains are configured as [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in the same organization):
+ > From: sender @ microsoft.com <br> To: recipient @ bing.com
+
+ Spaces are used in the email addresses to prevent spambot harvesting.
+
+ Messages that fail [composite authentication](email-validation-and-authentication.md#composite-authentication) due to intra-org spoofing contain the following header values:
+
+ `Authentication-Results: ... compauth=fail reason=6xx`
+
+ `X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.11`
+
+ - `reason=6xx` indicates intra-org spoofing.
+
+ - SFTY is the safety level of the message. 9 indicates phishing, .11 indicates intra-org spoofing.
+
+- **Cross-domain spoofing**: The sender and recipient domains are different, and have no relationship to each other (also known as external domains). For example:
+ > From: chris@contoso.com <br> To: michelle@tailspintoys.com
+
+ Messages that fail [composite authentication](email-validation-and-authentication.md#composite-authentication) due to cross-domain spoofing contain the following headers values:
+
+ `Authentication-Results: ... compauth=fail reason=000/001`
+
+ `X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.22`
+
+ - `reason=000` indicates the message failed explicit email authentication. `reason=001` indicates the message failed implicit email authentication.
+
+ - SFTY is the safety level of the message. 9 indicates phishing, .22 indicates cross-domain spoofing.
+
+For more information about the Category and composite authentication (compauth) values that are related to spoofing, see [Anti-spam message headers in Microsoft 365](anti-spam-message-headers.md).
+
+For more information about DMARC, see [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).
+
+## Reports of how many messages were marked as spoofed
+
+EOP organizations can use the **Spoof detections** report in the Reports dashboard in the Security & Compliance Center. For more information, see [Spoof Detections report](view-email-security-reports.md#spoof-detections-report).
+
+Microsoft Defender for Office 365 organization can use Threat Explorer in the Security & Compliance Center to view information about phishing attempts. For more information, see [Microsoft 365 threat investigation and response](office-365-ti.md).
+
+## Problems with anti-spoofing protection
+
+Mailing lists (also known as discussion lists) are known to have problems with anti-spoofing due to the way they forward and modify messages.
+
+For example, Gabriela Laureano (glaureano@contoso.com) is interested in bird watching, joins the mailing list birdwatchers@fabrikam.com, and sends the following message to the list:
+
+> **From:** "Gabriela Laureano" \<glaureano@contoso.com\> <br> **To:** Birdwatcher's Discussion List \<birdwatchers@fabrikam.com\> <br> **Subject:** Great viewing of blue jays at the top of Mt. Rainier this week <p> Anyone want to check out the viewing this week from Mt. Rainier?
+
+The mailing list server receives the message, modifies its content, and replays it to the members of list. The replayed message has the same From address (glaureano@contoso.com), but a tag is added to the subject line, and a footer is added to the bottom of the message. This type of modification is common in mailing lists, and may result in false positives for spoofing.
+
+> **From:** "Gabriela Laureano" \<glaureano@contoso.com\> <br> **To:** Birdwatcher's Discussion List \<birdwatchers@fabrikam.com\> <br> **Subject:** [BIRDWATCHERS] Great viewing of blue jays at the top of Mt. Rainier this week <p> Anyone want to check out the viewing this week from Mt. Rainier? <p> This message was sent to the Birdwatchers Discussion List. You can unsubscribe at any time.
+
+To help mailing list messages pass anti-spoofing checks, do following steps based on whether you control the mailing list:
+
+- Your organization owns the mailing list:
+
+ - Check the FAQ at DMARC.org: [I operate a mailing list and I want to interoperate with DMARC, what should I do?](https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F).
+
+ - Read the instructions at this blog post: [A tip for mailing list operators to interoperate with DMARC to avoid failures](/archive/blogs/tzink/a-tip-for-mailing-list-operators-to-interoperate-with-dmarc-to-avoid-failures).
+
+ - Consider installing updates on your mailing list server to support ARC, see <http://arc-spec.org>.
+
+- Your organization doesn't own the mailing list:
+
+ - Ask the maintainer of the mailing list to configure email authentication for the domain that the mailing list is relaying from.
+
+ When enough senders reply back to domain owners that they should set up email authentication records, it spurs them into taking action. While Microsoft also works with domain owners to publish the required records, it helps even more when individual users request it.
+
+ - Create inbox rules in your email client to move messages to the Inbox. You can also ask your admins to configure overrides as discussed in the [Use spoof intelligence to configure permitted senders of unauthenticated email](email-validation-and-authentication.md#use-spoof-intelligence-to-configure-permitted-senders-of-unauthenticated-email).
+
+ - Create a support ticket with Microsoft 365 to create an override for the mailing list to treat it as legitimate. For more information, see [Contact support for business products - Admin Help](../../admin/contact-support-for-business-products.md).
+
+If all else fails, you can report the message as a false positive to Microsoft. For more information, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+You may also contact your admin who can raise it as a support ticket with Microsoft. The Microsoft engineering team will investigate why the message was marked as a spoof.
+
+## Considerations for anti-spoofing protection
+
+If you're an admin who currently sends messages to Microsoft 365, you need to ensure that your email is properly authenticated. Otherwise, it might be marked as spam or phishing. For more information, see [Solutions for legitimate senders who are sending unauthenticated email](email-validation-and-authentication.md#solutions-for-legitimate-senders-who-are-sending-unauthenticated-email).
+
+Senders in an individual user's (or admin's) Safe Senders list will bypass parts of the filtering stack, including spoof protection. For more information, see [Outlook Safe Senders](create-safe-sender-lists-in-office-365.md#use-outlook-safe-senders).
+
+Admins should avoid (when possible) using allowed sender lists or allowed domain lists. These senders bypass all spam, spoofing, and phishing protection, and also sender authentication (SPF, DKIM, DMARC). For more information, see [Use allowed sender lists or allowed domain lists](create-safe-sender-lists-in-office-365.md#use-allowed-sender-lists-or-allowed-domain-lists).
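Review bot: In the cross-domain spoofing bullet, `compauth=fail reason=000/001` is presented as a literal header value, but the line under it explains 000 and 001 as two separate codes; show it as `reason=000` or `reason=001` so nobody searches headers for the combined string. The same bullet says "the following headers values", which should be "header values" to match the intra-org bullet. In the "Users confuse real messages for fake ones" bullet, "Because it's difficult to the difference between a real password reset message and a fake one" has lost its verb and should read "difficult to tell the difference". The ARC step links to <http://arc-spec.org> over plain HTTP; use an HTTPS URL if the site serves one. Smaller wording slips to fix in the same pass: "members of list", "do following steps", "Microsoft Defender for Office 365 organization can use", and the dangling "the" in "as discussed in the [Use spoof intelligence to configure permitted senders of unauthenticated email]".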
security Attack Simulation Training Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-faq.md
+
+ Title: Attack simulation training deployment considerations and FAQ
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ - MOE150
+ms.assetid:
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+ - seo-marvel-apr2020
+description: Admins can learn about deployment considerations and frequently asked questions regarding Attack simulation and training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.
+ms.technology: mdo
++
+# Attack simulation training deployment considerations and FAQ
+
+Attack simulation training is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-security-and/attack-simulation-training-in-microsoft-defender-for-office-365/ba-p/2037291). Attack simulation training enables Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations to measure and manage social engineering risk by allowing the creation and management of phishing simulations that are powered by real-world, de-weaponized phishing payloads. Hyper-targeted training, delivered in partnership with Terranova security, helps improve knowledge and change employee behavior.
+
+For more information about getting started with Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+
+While the whole simulation creation and scheduling experience has been designed to be free-flowing and frictionless, running simulations at an enterprise scale often requires planning. This article helps address specific challenges that we see as our customers run simulations in their own environments.
+
+## Issues with end user experiences
+
+### Phishing simulation URLs blocked by Google Safe Browsing
+
+A URL reputation service might identify one or more of the URLs that are used by Attack simulation training as unsafe. Google Safe Browsing in Google Chrome blocks some of the simulated phishing URLs with a **Deceptive site ahead** message. While we work with many URL reputation vendors to always allow our simulation URLs, we don't always have full coverage.
+
+![Deceptive site ahead warning in Google Chrome](../../media/attack-sim-chrome-deceptive-site-message.png)
+
+Note that this issue does not affect Microsoft Edge.
+
+As part of the planning phase, be sure to check the availability of the URL in your supported web browsers before you use the URL in a phishing campaign. If the URLs are blocked by Google Safe Browsing, [follow this guidance](https://support.google.com/chrome/a/answer/7532419) from Google to allow access to the URLs.
+
+Refer to [Get started using Attack simulation training](attack-simulation-training-get-started.md) for the list of URLs that are currently used by Attack simulation training.
+
+### Phishing simulation and admin URLs blocked by network proxy solutions and filter drivers
+
+Both phishing simulation URLs and admin URLs might be blocked or dropped by your intermediate security devices or filters. For example:
+
+- Firewalls
+- Web Application Firewall (WAF) solutions
+- Third-party filter drivers (for example, kernel mode filters)
+
+While we have seen few customers being blocked at this layer, it does happen. If you encounter problems, consider configuring the following URLs to bypass scanning by your security devices or filters as required:
+
+- The simulated phishing URLs as described in [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+- <https://security.microsoft.com/attacksimulator>
+- <https://security.microsoft.com/attacksimulationreport>
+- <https://security.microsoft.com/trainingassignments>
+
+### Simulation messages not delivered to all targeted users
+
+It's possible that the number of users who actually receive the simulation email messages is less than the number of users who were targeted by the simulation. The following types of users will be excluded as part of target validation:
+
+- Invalid recipient email addresses.
+- Guest users.
+- Users that are no longer active in Azure Active Directory (Azure AD).
+
+Only valid, non-guest users with a valid mailbox will be included in simulations. If you use distribution groups or mail-enabled security groups to target users, you can use the [Get-DistributionGroupMember](/powershell/module/exchange/get-distributiongroupmember) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to view and validate distribution group members.
+
+## Issues with Attack simulation training reporting
+
+### Attack simulation training reports do not contain any activity details
+
+Attack simulation training comes with rich, actionable insights that keep you informed of the threat readiness progress of your employees. If Attack simulation training reports are not populated with data, verify that audit log search is turned on in your organization (it's on by default).
+
+Audit log search is required by Attack simulation training so events can be captured, recorded, and read back. Turning off audit log search has the following consequences for Attack simulation training:
+
+- Reporting data is not available across all reports. The reports will appear empty.
+- Training assignments are blocked, because data is not available.
+
+To turn on audit log search, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+
+> [!NOTE]
+> Empty activity details can also be caused by no E5 licenses being assigned to users. Verify at least one E5 license is assigned to an active user to ensure that reporting events are captured and recorded.
+
+### Simulation reports are not updated immediately
+
+Detailed simulation reports are not updated immediately after you launch a campaign. Don't worry; this behavior is expected.
+
+Every simulation campaign has a lifecycle. When first created, the simulation is in the **Scheduled** state. When the simulation starts, it transitions to the **In progress** state. When completed, the simulation transitions to the **Completed** state.
+
+While a simulation is in the **Scheduled** state, the simulation reports will be mostly empty. During this stage, the simulation engine is resolving the target user email addresses, expanding distribution groups, removing guest users from the list, etc.:
+
+![Reporting in the Scheduled state](../../media/attack-sim-empty-reporting.png)
+
+Once the simulation enters the **In progress** stage, you will notice information starting to trickle into the reporting:
+
+![Reporting in the In progress state](../../media/attack-sim-in-progress.png)
+
+It can take up to 30 minutes for the individual simulation reports to update after the transition to the **In progress** state. The report data continues to build until the simulation reaches the **Completed** state. Reporting updates occur at the following intervals:
+
+- Every 10 minutes for the first 60 minutes.
+- Every 15 minutes after 60 minutes until 2 days.
+- Every 30 minutes after 2 days until 7 days.
+- Every 60 minutes after 7 days.
+
+Widgets on the **Overview** page provide a quick snapshot of your organization's simulation-based security posture over time. Because these widgets reflect your overall security posture and journey over time, they're updated after each simulation campaign is completed.
+
+> [!NOTE]
+> You can use the **Export** option on the various reporting pages to extract data.
+
+### Messages reported as phishing by users aren't appearing in simulation reports
+
+Simulation reports in Attack simulator training provide details on user activity. For example:
+
+- Users who clicked on the link in the message.
+- Users who gave up their credentials.
+- Users who reported the message as phishing.
+
+If messages that users reported as phishing aren't captured in Attack simulation training simulation reports, there might be an Exchange mail flow rule (also known as a transport rule) that's blocking the delivery of the reported messages to Microsoft. Verify that any mail flow rules aren't blocking delivery to the following email addresses:
+
+- junk@office365.microsoft.com
+- abuse@messaging.microsoft.com
+- phish@office365.microsoft.com
+- not\_junk@office365.microsoft.com
+
+## Other frequently asked questions
+
+### Q: What is the recommended method to target users for simulation campaigns?
+
+A: Several options are available to target users:
+
+- Include all users (currently available to organizations with less than 40,000 users).
+- Choose specific users.
+- Select users from a CSV file.
+- Azure AD group-based targeting.
+
+We've found that campaigns where the targeted users are identified by Azure AD groups are generally easier to manage.
+
+### Q: Are there any limits in targeting users while importing from a CSV or adding users?
+
+A: The limit for importing recipients from a CSV file or adding individual recipients to a simulation is 40,000.
+
+A recipient can be an individual user or a group. A group might contain hundreds or thousands of recipients, so an actual limit isn't placed on the number of individual users.
+
+Managing a large CSV file or adding many individual recipients can be cumbersome. Using Azure AD groups will simplify the overall management of the simulation.
+
+### Q: Does Microsoft provide payloads in other languages?
+
+A: Currently, there are 5 localized payloads available. We've noticed than any direct or machine translations of existing payloads to other languages will lead to inaccuracies and decreased relevance.
+
+That being said, you can create your own payload in the language of your choice using the custom payload authoring experience. We also strongly recommend that you harvest existing payloads that were used to target users in a specific geography. In other words, let the attackers localize the content for you.
+
+### Q: How can I switch to other languages for my admin portal and training experience?
+
+A: In Microsoft 365 or Office 365, language configuration is specific and centralized for each user account. For instructions on how to change your language setting, see [Change your display language and time zone in Microsoft 365 for Business](https://support.microsoft.com/office/6f238bff-5252-441e-b32b-655d5d85d15b).
+
+Note that the configuration change might take up to 30 minutes to synchronize across all services.
+
+### Q: Can I trigger a test simulation to understand what it looks like prior to launching a full-fledged campaign?
+
+A: Yes you can! On the very last **Review Simulation** page in the wizard to create a new simulation, there's an option to **Send a test**. This option will send a sample phishing simulation message to the currently logged in user. After you validate the phishing message in your Inbox, you can submit the simulation.
+
+![Send a test button on the Review simulation page](../../media/attack-sim-review-simulation-page.png)
+
+### Q: Can I target users that belong to a different tenant as part of the same simulation campaign?
+
+A: No. Currently, cross-tenant simulations are not supported. Verify that all of your targeted users are in the same tenant. Any cross-tenant users or guest users will be excluded from the simulation campaign.
+
+### Q: How does region aware delivery work?
+
+A: Region aware delivery uses the TimeZone attribute of the targeted user's mailbox and 'not before' logic to determine when to deliver the message. For example, consider the following scenario:
+
+- At 7:00 AM in the Pacific time zone (UTC-8), an admin creates and schedules a campaign to start at 9:00 AM on the same day.
+- UserA is in the Eastern time zone (UTC-5).
+- UserB is also in the Pacific time zone.
+
+At 9:00 AM on the same day, the simulation message is sent to UserB. With region-aware delivery, the message is not sent to UserA on the same day, because 9:00 AM Pacific time is 12:00 PM Eastern time. Instead, the message is sent to UserA at 9:00 AM Eastern time on the following day.
+
+So, on the initial run of a campaign with region aware delivery enabled, it might appear that the simulation message was sent only to users in a specific time zone. But, as time passes and more users come into scope, the targeted users will increase.
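Review bot: The answer under "Does Microsoft provide payloads in other languages?" recommends that admins "harvest existing payloads that were used to target users in a specific geography" without saying the harvested content must be de-weaponized before reuse, although the introduction describes the built-in payloads as "real-world, de-weaponized"; add a sentence to that effect. The same answer has "We've noticed than any direct", which should be "that". In "Phishing simulation and admin URLs blocked by network proxy solutions and filter drivers", the advice to "bypass scanning by your security devices or filters as required" would be safer if it said the exception should cover only the listed URLs. The CSV limit answer gives a limit of 40,000 and then says "an actual limit isn't placed on the number of individual users"; reword so it is clear that the 40,000 applies to recipient entries and not to expanded group members. Also pick one of "region aware" and "region-aware", change "less than 40,000 users" to "fewer than", and change "Attack simulator training" to "Attack simulation training" in the reported-messages section.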
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
+
+ Title: Get started using Attack simulation training
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ - MOE150
+ms.assetid:
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+ - seo-marvel-apr2020
+description: Admins can learn how to use Attack simulation training to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.
+ms.technology: mdo
++
+# Get started using Attack simulation training
++
+If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes [Threat Investigation and Response capabilities](office-365-ti.md), you can use Attack simulation training in the Microsoft Security Center to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.
+
+> [!NOTE]
+> Attack simulation training replaces the old Attack Simulator v1 experience that's described in [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md).
+
+## What do you need to know before you begin?
+
+- To open the Microsoft Security Center, go to <https://security.microsoft.com/>. Attack simulation training is available at **Email and collaboration** \> **Attack simulation training**. To go directly to Attack simulation training, open <https://security.microsoft.com/attacksimulator>.
+
+- For more information about the availability of Attack simulation training across different Microsoft 365 subscriptions, see [Microsoft Defender for Office 365 service description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
+
+- You need to be assigned permissions in the Security & Compliance Center or in Azure Active Directory before you can do the procedures in this article. Specifically, you need to be a member of **Organization Management**, **Security Administrator**, or one of the following roles:
+ - **Attack Simulator Administrators**: Create and managed all aspects of attack simulation campaigns.
+ - **Attack Simulator Payload Authors**: Create attack payloads that an admin can initiate later.
+
+ For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md) or [About admin roles](../../admin/add-users/about-admin-roles.md).
+
+- There are no corresponding PowerShell cmdlets for Attack simulation training.
+
+- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information see [Microsoft 365 data locations](../../enterprise/o365-data-locations.md). Attack simulation is available in the following regions: NAM, APC, EUR, IND, CAN, AUS, FRA, GBR, JPN, and KOR.
+
+## Simulations
+
+*Phishing* is a generic term for email attacks that try to steal sensitive information in messages that appear to be from legitimate or trusted senders. *Phishing* is a part of a subset of techniques we classify as _social engineering_.
+
+In Attack simulation training, multiple types of social engineering techniques are available:
+
+- **Credential harvest**: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
+
+- **Malware attachment**: An attacker sends the recipient a message that contains an attachment. When the recipient opens the attachment, arbitrary code (for example, a macro) is run on the user's device to help the attacker install additional code or further entrench themselves.
+
+- **Link in attachment**: This is a hybrid of a credential harvest. An attacker sends the recipient a message that contains a URL inside of an attachment. When the recipient opens the attachment and clicks on the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
+
+- **Link to malware**: An attacker sends the recipient a message that contains a link to an attachment on a well-known file sharing site (for example, SharePoint Online or Dropbox). When the recipient clicks on the URL, the attachment opens and arbitrary code (for example, a macro) is run on the user's device to help the attacker install additional code or further entrench themselves.
+
+- **Drive-by-url**: An attacker sends the recipient a messages that contains a URL. When the recipient clicks on the URL, they're taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to click. This technique is also known as a _watering hole attack_.
+
+> [!NOTE]
+> Check the availability of the simulated phishing URL in your supported web browsers before you use the URL in a phishing campaign. While we work with many URL reputation vendors to always allow these simulation URLs, we don't always have full coverage (for example, Google Safe Browsing). Most vendors provide guidance that allows you to always allow specific URLs (for example, <https://support.google.com/chrome/a/answer/7532419>).
+
+The URLs that are used by Attack simulation training are described in the following list:
+
+- <https://www.mcsharepoint.com>
+- <https://www.attemplate.com>
+- <https://www.doctricant.com>
+- <https://www.mesharepoint.com>
+- <https://www.officence.com>
+- <https://www.officenced.com>
+- <https://www.officences.com>
+- <https://www.officentry.com>
+- <https://www.officested.com>
+- <https://www.prizegives.com>
+- <https://www.prizemons.com>
+- <https://www.prizewel.com>
+- <https://www.prizewings.com>
+- <https://www.shareholds.com>
+- <https://www.sharepointen.com>
+- <https://www.sharepointin.com>
+- <https://www.sharepointle.com>
+- <https://www.sharesbyte.com>
+- <https://www.sharession.com>
+- <https://www.sharestion.com>
+- <https://www.templateau.com>
+- <https://www.templatent.com>
+- <https://www.templatern.com>
+- <https://www.windocyte.com>
+
+### Create a simulation
+
+For step by step instructions on how to create and send a new simulation, see [Simulate a phishing attack](attack-simulation-training.md).
+
+### Create a payload
+
+For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for Attack simulation training](attack-simulation-training-payloads.md).
+
+### Gaining insights
+
+For step by step instructions on how to gain insights with reporting, see [Gain insights through Attack simulation training](attack-simulation-training-insights.md).
+
+> [!NOTE]
+> Attack Simulator uses Safe Links in Defender for Office 365 to securely track click data for the URL in the payload message that's sent to targeted recipients of a phishing campaign, even if the **Do not track user clicks** setting in Safe Links policies is turned on.
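Review bot: The closing note under "Gaining insights" states that clicks are tracked through Safe Links "even if the **Do not track user clicks** setting in Safe Links policies is turned on"; this overrides an admin's configured choice, so it belongs in "What do you need to know before you begin?" where it is read before a campaign is launched, and it should use the name "Attack simulation training" instead of "Attack Simulator". In the roles list, "Create and managed all aspects" should be "Create and manage". In the techniques list, "This is a hybrid of a credential harvest." does not say what it is a hybrid with, and "sends the recipient a messages that contains a URL" should be "a message". The sentence "*Phishing* is a part of a subset of techniques we classify as _social engineering_" is hard to parse and mixes two emphasis styles; "Phishing is one of the techniques we classify as _social engineering_" would be clearer. "identify and find vulnerable users" in the opening paragraph is redundant.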
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
+
+ Title: Gain insights through Attack simulation training
+++
+audience: ITPro
+
+localization_priority: Normal
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Admins can learn how Attack simulation training in the Microsoft 365 security center affects employees and can gain insights from simulation and training outcomes.
+ms.technology: mdo
++
+# Gain insights through Attack simulation training
+
+Within Attack simulation training, Microsoft provides you with insights based on outcomes of simulations and trainings that employees went through. These insights will help keep you informed on the threat readiness progress of your employees, as well as recommend next steps to better prepare your employees and your environment for attacks.
+
+We are continuously working on expanding the insights that are available to you. Behavior impact and recommended actions are currently available. To start, head over to [Attack simulation training in the Microsoft 365 security center](https://security.microsoft.com/attacksimulator?viewid=overview).
+
+## Behavior impact on compromise rate
+
+On the **Overview** tab of Attack simulation training, you'll find the **behavior impact on compromise rate** card. This card shows how employees dealt with the simulations you ran in contrast to the **predicted compromise rate**. You can use these insights to track progress in employees threat readiness by running multiple simulations against the same groups of employees.
+
+In the graph you can see:
+
+- **Predicted compromise rate** which reflects the average compromise rate for simulations using the same type of payload across other Microsoft 365 tenants that use Attack simulation training.
+- **Actual compromise rate** reflects the percentage of employees that fell for the simulation.
+
+Additionally, `<number> less susceptible to phishing` reflects the difference between actual number of employees compromised by the attack and the predicted compromise rate. This number of employees is less likely to be compromised by similar attacks in the future, while `<percent%> better than predicted rate` indicates how employees did overall in contrast with the predicted compromise rate.
+
+> [!div class="mx-imgBorder"]
+> ![Behavior impact card on Attack simulation training overview](../../media/attack-sim-preview-behavior-impact-card.png)
+
+To see a more detailed report, click **View simulations and training efficacy report**. This report provides the same information with additional context from the simulation itself (for example, simulation technique and total users targeted).
+
+## Recommended actions
+
+On the [**Simulations** tab](https://security.microsoft.com/attacksimulator?viewid=simulations), selecting a simulation will take you to the simulation details, where you'll find the **Recommended actions** section.
+
+The recommended actions section details recommendations as available in [Microsoft Secure Score](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-secure-score). These recommendations are based on the payload used in the simulation, and will help you protect your employees and your environment. Clicking on each improvement action will take you to its details.
+
+> [!div class="mx-imgBorder"]
+> ![Recommendation actions section on Attack simulation training](../../media/attack-sim-preview-recommended-actions.png)
+
+## Related Links
+
+[Get started using Attack simulation training](attack-simulation-training-get-started.md)
+
+[Create a phishing attack simulation](attack-simulation-training.md)
+
+[create a payload for training your people](attack-simulation-training-payloads.md)
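Review bot: In the paragraph beginning "Additionally, `<number> less susceptible to phishing`", the number is described as the difference between the "actual number of employees compromised" and the "predicted compromise rate", which compares a count with a rate. Suggest stating both sides in the same unit so a reader can tell how the figure on the card is derived. Smaller points in the same hunk: the two bullets under "In the graph you can see" are not parallel ("which reflects" versus "reflects"), "employees threat readiness" in the first paragraph needs an apostrophe, the last related link starts lowercase ("create a payload for training your people"), and the heading is "Related Links" here but "Related links" in the payloads article.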
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
+
+ Title: Create a payload for Attack simulation training
+++
+audience: ITPro
+
+localization_priority: Normal
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Admins can learn how to create custom payloads for Attack simulation training in Microsoft Defender for Office 365.
+ms.technology: mdo
++
+# Create a custom payload for Attack simulation training
+
+Microsoft offers a robust payload catalog for various social engineering techniques to pair with your attack simulation training. However, you might want to create custom payloads that will work better for your organization. This article describes how to create a payload in Attack simulation training in Microsoft Defender for Office 365.
+
+You can create a payload by clicking on **Create a payload** in either the [dedicated **Payloads** tab](https://security.microsoft.com/attacksimulator?viewid=payload) or within the [simulation creation wizard](attack-simulation-training.md#selecting-a-payload).
+
+The first step in the wizard will have you select a payload type. **Currently, only email is available**.
+
+Next, select an associated technique. See more details on techniques at [Selecting a social engineering technique](attack-simulation-training.md#selecting-a-social-engineering-technique).
+
+In the next step name your payload. Optionally, you can give it a description.
+
+## Configure payload
+
+Now it's time to build your payload. Input the sender's name, email address, and the email's subject in the **Sender details** section. Pick a phishing URL from the provided list. This URL will later be embedded into the body of the message.
+
+> [!TIP]
+> You can choose an internal email for your payload's sender, which will make the payload appear as coming from another employee of the company. This will increase susceptibility to the payload and will help educate employees on the risk of internal threats.
+
+A rich text editor is available to create your payload. You can also import an email that you've created beforehand. As you create the body of the email, take advantage of the **dynamic tags** to personalize the email to your targets. Click **Phishing link** to add the previously selected phishing URL into the body of the message.
+
+![Phishing link and dynamic tags highlighted in payload creation for Microsoft Defender for Office 365](../../media/attack-sim-preview-payload-email-body.png)
+
+> [!TIP]
+> To save time, toggle on the option to **replace all links in the email message with the phishing link**.
+
+Once you're done building the payload to your liking, click **Next**.
+
+## Adding indicators
+
+Indicators will help employees going through the attack simulation understand the clue they can look for in future attacks. To start, click **Add indicator**.
+
+Select an indicator you'd like to use from the drop-down list. This list is curated to contain the most common clues that appear in phishing email messages. Once selected, make sure the indicator placement is set to **From the body of the email** and click on **Select text**. Highlight the portion of your payload where this indicator appears and click **Select**.
+
+![Highlighted text in message body to add to an indicator in attack simulation training](../../media/attack-sim-preview-select-text.png)
+
+Add a custom description to describe the indicator and click within the indicator preview frame to see a preview of your indicator. Once done, click **Add**. Repeat these steps until you've covered all indicators in your payload.
+
+## Review payload
+
+You're done building your payload. Now it's time to review the details and see a preview of your payload. The preview will include all indicators that you've created. You can edit each part of the payload from this step. Once satisfied, you can **Submit** your payload.
+
+> [!IMPORTANT]
+> Payloads that you've created will have **Tenant** as their source. When selecting payloads, make sure that you don't filter out **Tenant**.
+
+## Related links
+
+[Get started using Attack simulation training](attack-simulation-training-get-started.md)
+
+[Create a phishing attack simulation](attack-simulation-training.md)
+
+[Gain insights through Attack simulation training](attack-simulation-training-insights.md)
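Review bot: In "Adding indicators", the step says to make sure the indicator placement is set to **From the body of the email** but never says what the other placement options are or what happens if one of them is left selected. Add a sentence explaining the choice, or drop the instruction if this is the only supported placement. In the same section, "understand the clue they can look for" should read "clues", and "In the next step name your payload" just before "Configure payload" needs a comma after "step".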
security Attack Simulation Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md
+
+ Title: Simulate a phishing attack with Microsoft Defender for Office 365
+++
+audience: ITPro
+
+localization_priority: Normal
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Admins can learn how to simulate phishing attacks and train their users on phishing prevention using Attack simulation training in Microsoft Defender for Office 365.
+ms.technology: mdo
++
+# Simulate a phishing attack
+
+Attack simulation training in Microsoft Defender for Office 365 lets you run benign cyberattack simulations on your organization to test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using attack simulation training.
+
+For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+
+To launch a simulated phishing attack, open the [Microsoft 365 security center](https://security.microsoft.com/), go to **Email & collaboration** \> **Attack simulation training**, and switch to the [**Simulations**](https://security.microsoft.com/attacksimulator?viewid=simulations) tab.
+
+Under **Simulations**, select **+ Launch a simulation**.
+
+![Launch a simulation button in Microsoft 365 security center](../../media/attack-sim-preview-launch.png)
+
+> [!NOTE]
+> At any point during simulation creation, you can save and close to continue configuring the simulation at a later time.
+
+## Selecting a social engineering technique
+
+Select from 4 different techniques, curated from the [MITRE ATT&CK® framework](https://attack.mitre.org/techniques/enterprise/). Different payloads are available for different techniques:
+
+- **Credential harvest** attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
+- **Malware attachment** adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that will help the attacker compromise the target's device.
+- **Link in attachment** is a type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
+- **Link to malware** will run some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user will contain a link to this malicious file. Opening the file and help the attacker compromise the target's device.
+- **Drive-by URL** is where the malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code code on the user's device.
+
+> [!TIP]
+> Clicking on **View details** within the description of each technique will display further information and the simulation steps for the technique.
+>
+> ![Simulation steps for credential harvest within attack simulation training in Microsoft 365 security center](../../media/attack-sim-preview-sim-steps.png)
+
+After you've selected the technique and clicked on **Next**, give your simulation a name and optionally a description.
+
+## Selecting a payload
+
+Next, you'll need to either select a payload from the pre-existing payload catalog.
+
+Payloads have a number of data points to help you choose:
+
+- **Click rate** counts how many people clicked this payload.
+- **Predicted compromise rate** predicts the percentage of people that will get compromised by this payload based on historical data for the payload across Microsoft Defender for Office 365 customers.
+- **Simulations launched** counts the number of times this payload was used in other simulations.
+- **Complexity**, available through **filters**, is calculated based on the number of indicators within the payload that clue targets in on it being an attack. More indicators lead to lower complexity.
+- **Source**, available through **filters**, indicates whether the payload was created on your tenant or is a part of Microsoft's pre-existing payload catalog (global).
+
+![Selected payload within attack simulation training in Microsoft 365 security center](../../media/attack-sim-preview-select-payload.png)
+
+Select a payload from the list to see a preview of the payload with additional information about it.
+
+If you'd like to create your own payload, read [create a payload for attack simulation training](attack-simulation-training-payloads.md).
+
+## Audience targeting
+
+Now it's time to select this simulation's audience. You can choose to **include all users in your organization** or **include only specific users and groups**.
+
+When you choose to **include only specific users and groups** you can either:
+
+- **Add users**, which allows you to leverage search for your tenant, as well as advanced search and filtering capabilities, like targeting users who haven't been targeted by a simulation in the last 3 months.
+ ![User filtering in attack simulation training on Microsoft 365 security center](../../media/attack-sim-preview-user-targeting.png)
+- **Import from CSV** allows you to import a predefined set of users for this simulation.
+
+## Assigning training
+
+We recommend that you assign training for each simulation, as employees who go through training are less susceptible to similar attacks.
+
+You can either choose to have training assigned for you or select training courses and modules yourself.
+
+Select the **training due date** to make sure employees finish their training in a timely manner.
+
+> [!NOTE]
+> If you choose to select courses and modules yourself, you'll still be able to see the recommended content as well as all available courses and modules.
+>
+> ![Adding recommended training within attack simulation training in Microsoft 365 security center](../../media/attack-sim-preview-add-training.png)
+
+In the next steps you'll need to **Add trainings** if you opted to select it yourself, and customize your training landing page. You'll be able to preview the training landing page, as well as change the header and body of it.
+
+## Launch details and review
+
+Now that everything is configured, you can launch this simulation immediately or schedule it for a later date. You will also need to choose when to end this simulation. We will stop capturing interaction with this simulation past the selected time.
+
+**Enable region aware timezone delivery** to deliver simulated attack messages to your employees during their working hours based on their region.
+
+Once you're done, click on **Next** and review the details of your simulation. Click on **Edit** on any of the parts to go back and change any details that need changing. Once done, click **Submit**.
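Review bot: Under "Selecting a social engineering technique", the intro says "Select from 4 different techniques" but the list that follows has five bullets (Credential harvest, Malware attachment, Link in attachment, Link to malware, Drive-by URL); correct the count or the list. In the same list, the **Link to malware** bullet ends with a broken sentence ("Opening the file and help the attacker compromise the target's device") and the **Drive-by URL** bullet has a doubled word ("code code"). Under "Selecting a payload", the sentence "you'll need to either select a payload from the pre-existing payload catalog" has an "either" with no alternative, and **Click rate** is described as a count ("counts how many people clicked this payload") rather than a rate.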
security Attack Simulator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulator.md
+
+ Title: Attack Simulator in Microsoft Defender for Office 365
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ - MOE150
+ms.assetid: da5845db-c578-4a41-b2cb-5a09689a551b
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+
+ - seo-marvel-apr2020
+description: Admins can learn how to use Attack Simulator to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.
+ms.technology: mdo
++
+# Attack Simulator in Microsoft Defender for Office 365
++
+**Applies to**
+ [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+
+If your organization has Microsoft Defender for Office 365 Plan 2, which includes [Threat Investigation and Response capabilities](office-365-ti.md), you can use Attack Simulator in the Security & Compliance Center to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.
+
+> [!NOTE]
+>
+> Attack Simulator as described in this article is now read-only and has been replaced by **Attack simulation training** in the **Email & collaboration** node in the [Microsoft 365 security center](https://security.microsoft.com). For more information, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+>
+> The ability to launch new simulations from this version of Attack Simulator has been disabled. However, you can still access reports for up to 90 days from January 24, 2021.
+
+## What do you need to know before you begin?
+
+- To open the Security & Compliance Center, go to <https://protection.office.com/>. Attack simulator is available at **Threat management** \> **Attack simulator**. Go go directly to attack simulator, open <https://protection.office.com/attacksimulator>.
+
+- For more information about the availability of Attack Simulator across different Microsoft 365 subscriptions, see [Microsoft Defender for Office 365 service description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
+
+- You need to be a member of the **Organization Management** or **Security Administrator** role groups. For more information about role groups in the Security & Compliance Center, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+
+- Your account needs to be configured for multi-factor authentication (MFA) to create and manage campaigns in Attack Simulator. For instructions, see [Set up multi-factor authentication](../../admin/security-and-compliance/set-up-multi-factor-authentication.md).
+
+- Attack Simulator only works on cloud-based mailboxes.
+
+- Phishing campaigns will collect and process events for 30 days. Historical campaign data will be available for up to 90 days after you launch the campaign.
+
+- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information see [Microsoft 365 data locations](../../enterprise/o365-data-locations.md).
+
+- There are no corresponding PowerShell cmdlets for Attack Simulator.
+
+## Spear phishing campaigns
+
+*Phishing* is a generic term for email attacks that try to steal sensitive information in messages that appear to be from legitimate or trusted senders. *Spear phishing* is a targeted phishing attack that uses focused and customized content that's specifically tailored to the targeted recipients (typically, after reconnaissance on the recipients by the attacker).
+
+In Attack Simulator, two different types of spear phishing campaigns are available:
+
+- **Spear phishing (credentials harvest)**: The attack tries to convince the recipients to click a URL in the message. If they click the link, they're asked to enter their credentials. If they do, they're taken to one of the following locations:
+
+ - A default page that explains that this was a just a test, and gives tips for recognizing phishing messages.
+
+ ![What users see if they click the phishing link and enter their credentials](../../media/attack-simulator-phishing-result.png)
+
+ - A custom page (URL) that you specify.
+
+- **Spear phishing (attachment)**: The attack tries to convince the recipients to open a .docx or .pdf attachment in the message. The attachment contains the same content from the default phishing link, but the first sentence starts with "\<Display Name\>, you are seeing this message as a recent email message you opened...".
+
+> [!NOTE]
+> Currently, spear phishing campaigns in Attack Simulator don't expire.
+
+### Create a spear phishing campaign
+
+An important part of any spear phishing campaign is the look and feel of the email message that's sent to the targeted recipients. To create and configure the email message, you have these options:
+
+- **Use a built-in email template**: Two built-in templates are available: **Prize Giveaway** and **Payroll Update**. You can further customize some, all, or none of the email properties from the template when you create and launch the campaign.
+
+- **Create a reusable email template**: After you create and save the email template, you can use it again in future spear phishing campaigns. You can further customize some, all, or none of the email properties from the template when you create and launch the campaign.
+
+- **Create the email message in the wizard**: You can create the email message directly in the wizard as you create and launch the spear phishing campaign.
+
+#### Step 1 (Optional): Create a custom email template
+
+If you're going to use one of the built-in templates or create the email message directly in the wizard, you can skip this step.
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Attack simulator**.
+
+2. On the **Simulate attacks** page, in either the **Spear Phishing (Credentials Harvest)** or **Spear Phishing (Attachment)** sections, click **Attack Details**.
+
+ It doesn't matter where you create the template. The available options in the template are the same for both types of phishing attacks.
+
+3. In the **Attack details** page that opens, in the **Phishing Templates** section, in the **Create Templates** area, click **New Template**.
+
+4. The **Configure Phishing Template** wizard starts in a new flyout. In the **Start** step, enter a unique display name for the template, and then click **Next**.
+
+5. In the **Configure email details** step, configure the following settings:
+
+ - **From (Name)**: The display name that's used for the message sender.
+
+ - **From (Email)**: The sender's email address.
+
+ - **Phishing Login Server URL**: Click the drop down and select one of the available URLs from the list. This is the URL that users will be tempted to click. The choices are:
+
+ - <http://portal.docdeliveryapp.com>
+ - <http://portal.docdeliveryapp.net>
+ - <http://portal.docstoreinternal.com>
+ - <http://portal.docstoreinternal.net>
+ - <http://portal.hardwarecheck.net>
+ - <http://portal.hrsupportint.com>
+ - <http://portal.payrolltooling.com>
+ - <http://portal.payrolltooling.net>
+ - <http://portal.prizegiveaway.net>
+ - <http://portal.prizesforall.com>
+ - <http://portal.salarytoolint.com>
+ - <http://portal.salarytoolint.net>
+
+ > [!NOTE]
+ >
+ > A URL reputation service might identify one or more of these URLs as unsafe. Check the availability of the URL in your supported web browsers before you use the URL in a phishing campaign.
+
+ - **Custom Landing Page URL**: Enter an optional landing page where users are taken if they click the phishing link and enter their credentials. This link replaces the default landing page. For example, if you have internal awareness training, you can specify that URL here.
+
+ - **Category**: Currently, this setting isn't used (anything you enter is ignored).
+
+ - **Subject**: The **Subject** field of the email message.
+
+ When you're finished, click **Next**.
+
+6. In the **Compose email** step, create the message body of the email message. You can use the **Email** tab (a rich HTML editor) or the **Source** tab (raw HTML code).
+
+ The HTML formatting can be as simple or complex as you need it to be. You can insert images and text to enhance the believability of the message in the recipient's email client.
+
+ - `${username}` inserts the recipient's name.
+
+ - `${loginserverurl}` inserts the **Phishing Login Server URL** value from the previous step.
+
+ When you're finished, click **Next**.
+
+7. In the **Confirm** step, click **Finish**.
+
+#### Step 2: Create and launch the spear phishing campaign
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Attack simulator**.
+
+2. On the **Simulate attacks** page, make one of the following selections based on the type of campaign you want to create:
+
+ - In the **Spear Phishing (Credentials Harvest)** section, click **Launch Attack** or click **Attack Details** \> **Launch Attack**.
+
+ - In the **Spear Phishing (Attachment)** section, click **Launch Attack** or click **Attack Details** \> **Launch Attack**.
+
+3. The **Configure Phishing Attack** wizard starts in a new flyout. In the **Start** step, do one of the following steps:
+
+ - In the **Name** box, enter a unique display name for the campaign. Don't click **Use Template**, because you'll create the email message later in the wizard.
+
+ - Click **Use Template** and select a built-in or custom email template. After you select the template, the **Name** box is automatically filled based on the template, but you can change the name.
+
+ > [!div class="mx-imgBorder"]
+ > ![Phishing Start Page](../../media/5e93b3cc-5981-462f-8b45-bdf85d97f1b8.jpg)
+
+ When you're finished, click **Next**.
+
+4. In the **Target recipients** step, do one of the following steps:
+
+ - Click **Address Book** to select the recipients (users or groups) for the campaign. Each targeted recipient must have an Exchange Online mailbox. If you click **Filter** and **Apply** without entering a search criteria, all recipients are returned and added to the campaign.
+
+ - Click **Import** then **File Import** to import a comma-separated value (CSV) or line-separated file of email addresses. Each line must contain the recipient's email address.
+
+ When you're finished, click **Next**.
+
+5. In the **Configure email details** step, configure the following settings:
+
+ If you selected a template in the **Start** step, most of these values are already configured, but you can change them.
+
+ - **From (Name)**: The display name that's used for the message sender.
+
+ - **From (Email)**: The sender's email address. You can enter a real or fake email address from your organization's email domain, or you can enter a real or fake external email address. A valid sender email address from your organization will actually resolve in the recipient's email client.
+
+ - **Phishing Login Server URL**: Click the drop down and select one of the available URLs from the list. This is the URL that users will be tempted to click. The choices are:
+
+ - <http://portal.docdeliveryapp.com>
+ - <http://portal.docdeliveryapp.net>
+ - <http://portal.docstoreinternal.com>
+ - <http://portal.docstoreinternal.net>
+ - <http://portal.hardwarecheck.net>
+ - <http://portal.hrsupportint.com>
+ - <http://portal.payrolltooling.com>
+ - <http://portal.payrolltooling.net>
+ - <http://portal.prizegiveaway.net>
+ - <http://portal.prizesforall.com>
+ - <http://portal.salarytoolint.com>
+ - <http://portal.salarytoolint.net>
+
+ > [!NOTE]
+ >
+ > - All of the URLs are intentionally http, not https.
+ >
+ > - A URL reputation service might identify one or more of these URLs as unsafe. Check the availability of the URL in your supported web browsers before you use the URL in a phishing campaign.
+ >
+ > - You are required to select a URL. For **Spear Phishing (Attachment)** campaigns, you can remove the link from the body of the message in the next step (otherwise, the message will contain both a link **and** an attachment).
+
+ - **Attachment Type**: This setting is only available in **Spear Phishing (Attachment)** campaigns. Click the drop down and select **.DOCX** or **.PDF** from the list.
+
+ - **Attachment Name**: This setting is only available in **Spear Phishing (Attachment)** campaigns. Enter a filename for the .docx or .pdf attachment.
+
+ - **Custom Landing Page URL**: Enter an optional landing page where users are taken if they click the phishing link and enter their credentials. This link replaces the default landing page. For example, if you have internal awareness training, you can specify that URL here.
+
+ - **Subject**: The **Subject** field of the email message.
+
+ When you're finished, click **Next**.
+
+6. In the **Compose email** step, create the message body of the email message. If you selected a template in the **Start** step, the message body is already configured, but you can customize it. You can use the **Email** tab (a rich HTML editor) or the **Source** tab (raw HTML code).
+
+ The HTML formatting can be as simple or complex as you need it to be. You can insert images and text to enhance the believability of the message in the recipient's email client.
+
+ - `${username}` inserts the recipient's name.
+
+ - `${loginserverurl}` inserts the **Phishing Login Server URL** value.
+
+ For **Spear Phishing (Attachment)** campaigns, you should remove the link from the body of the message (otherwise, the message will contain both a link **and** an attachment, and link clicks aren't tracked in an attachment campaign).
+
+ > [!div class="mx-imgBorder"]
+ > ![Compose Email Body](../../media/9bd65af4-1f9d-45c1-8c06-796d7ccfd425.jpg)
+
+ When you're finished, click **Next**.
+
+7. In the **Confirm** step, click **Finish** to launch the campaign. The phishing message is delivered to the targeted recipients.
+
+## Password attack campaigns
+
+A *password attack* tries to guess passwords for user accounts in an organization, typically after the attacker has identified one or more valid user accounts.
+
+In Attack Simulator, two different types of password attack campaigns are available for you to test the complexity of your users' passwords:
+
+- **Brute force password (dictionary attack)**: A *brute force* or *dictionary* attack uses a large dictionary file of passwords on a user account with the hope that one of them will work (many passwords against one account). Incorrect password lock-outs help deter brute force password attacks.
+
+ For the dictionary attack, you can specify one or many passwords to try (manually entered or in an uploaded file), and you can specify one or many users.
+
+- **Password spray attack**: A *password spray* attack uses the same carefully considered password against a list of user accounts (one password against many accounts). Password spray attacks are harder to detect than brute force password attacks (the probability of success increases when an attacker tries one password across dozens or hundreds of accounts without the risk of tripping the user's incorrect password lock-out).
+
+ For the password spray attack, you can only specify one password to try, and you can specify one or many users.
+
+> [!NOTE]
+> The password attacks in Attack Simulator pass username and password Basic auth requests to an endpoint, so they also work with other authentication methods (AD FS, password hash sync, pass-through, PingFederate, etc.). For users that have MFA enabled, even if the password attack tries their actual password, the attempt will always register as a failure (in other words, MFA users will never appear in the **Successful attempts** count of the campaign). This is the expected result. MFA is a primary method to help protect against password attacks.
+
+### Create and launch a password attack campaign
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Attack simulator**.
+
+2. On the **Simulate attacks** page, make one of the following selections based on the type of campaign you want to create:
+
+ - In the **Brute Force Password (Dictionary Attack)** section, click **Launch Attack** or click **Attack Details** \> **Launch Attack**.
+
+ - in the **Password spray attack** section, click **Launch Attack** or click **Attack Details** \> **Launch Attack**.
+
+3. The **Configure Password Attack** wizard starts in a new flyout. In the **Start** step, enter a unique display name for the campaign, and then click **Next**.
+
+4. In the **Target users** step, do one of the following steps:
+
+ - Click **Address Book** to select the recipients (users or groups) for the campaign. Each targeted recipient must have an Exchange Online mailbox. If you click **Filter** and **Apply** without entering a search criteria, all recipients are returned and added to the campaign.
+
+ - Click **Import** then **File Import** to import a comma-separated value (CSV) or line-separated file of email addresses. Each line must contain the recipient's email address.
+
+ When you're finished, click **Next**.
+
+5. In the **Choose attack settings** step, choose what to do based on the campaign type:
+
+ - **Brute Force Password (Dictionary Attack)**: Do either of the following steps:
+
+ - **Enter passwords manually**: In the **Press enter to add a password** box, type a password and then press ENTER. Repeat this step as many times as necessary.
+
+ - **Upload passwords from a dictionary file**: Click **Upload** to import an existing text file that contains one password on each line and a blank last line. The text file must be 10 MB or less in size, and can't contain more than 30000 passwords.
+
+ - **Password spray attack**: In **The password(s) to use in the attack** box, enter one password.
+
+ When you're finished, click **Next**.
+
+6. In the **Confirm** step, click **Finish** to launch the campaign. The passwords you specified are tried on users you specified.
+
+## View campaign results
+
+After you launch a campaign, you can check the progress and results on the main **Simulate attacks** page.
+
+Active campaigns will show a status bar, a completed percentage value and "(completed users) of (total users)" count. Clicking the **Refresh** button will update the progress of any active campaigns. You can also click **Terminate** to stop an active campaign.
+
+When the campaign is finished, the status changes to **Attack completed**. You can view the results of the campaign by doing either of the following actions:
+
+- On the main **Simulate attacks** page, click **View Report** under the name of the campaign.
+
+- On the main **Simulate attacks** page, click **Attack Details** in the section for the type of attack. On the **Attack details** page that opens, select the campaign in the **Attack History** section.
+
+Either of the previous actions will take you to a page named **Attack details**. The information that's available on this page for each type of campaign is described in the following sections.
+
+### Spear Phishing (Credentials Harvest) campaign results
+
+The following information is available on the **Attack details** page for each campaign:
+
+- The duration (start date/time and end date/time) of the campaign.
+
+- **Total users targeted**
+
+- **Successful attempts**: The number of users who clicked the link **and** entered their credentials (*any* username and password value).
+
+- **Overall Success Rate**: A percentage that's calculated by **Successful attempts** / **Total users targeted**.
+
+- **Fastest Click**: How long it took the first user to click the link after you launched the campaign.
+
+- **Average Click**: The sum of how long it took everyone to click the link divided by the number of users who clicked the link.
+
+- **Click Success Rate**: A percentage that's calculated by (number of users who clicked the link) / **Total users targeted**.
+
+- **Fastest Credentials**: How long it took the first user to enter their credentials after you launched the campaign.
+
+- **Average Credentials**: The sum of how long it took everyone to enter their credentials divided by the number of users who entered their credentials.
+
+- **Credential Success Rate**: A percentage that's calculated by (number of users who entered their credentials) / **Total users targeted**.
+
+- A bar graph that shows the **Link clicked** and **Credential supplied** numbers per day.
+
+- A circle graph that shows the **Link clicked**, **Credential supplied**, and **None** percentages for the campaign.
+
+- The **Compromised Users** section lists the details of the users who clicked the link:
+
+ - The user's email address
+
+ - The date/time when they clicked the link.
+
+ - The client IP address.
+
+ - Details about the user's version of Windows and web browser.
+
+ You can click **Export** to export the results to a CSV file.
+
+### Spear Phishing (Attachment) campaign results
+
+The following information is available on the **Attack details** page for each campaign:
+
+- The duration (start date/time and end date/time) of the campaign.
+
+- **Total users targeted**
+
+- **Successful attempts**: The number of users who opened or downloaded and opened the attachment (preview doesn't count).
+
+- **Overall Success Rate**: A percentage that's calculated by **Successful attempts** / **Total users targeted**.
+
+- **Fastest attachment open time**: How long it took the first user to open the attachment after you launched the campaign.
+
+- **Average attachment open time**: The sum of how long it took everyone to open the attachment divided by the number of users who opened the attachment.
+
+- **Attachment open success rate**: A percentage that's calculated by (number of users who opened the attachment) / **Total users targeted**.
+
+### Brute Force Password (Dictionary Attack) campaign results
+
+The following information is available on the **Attack details** page for each campaign:
+
+- The duration (start date/time and end date/time) of the campaign.
+
+- **Total users targeted**
+
+- **Successful attempts**: The number of users who were found to be using one of the specified passwords.
+
+- **Overall Success Rate**: A percentage that's calculated by **Successful attempts** / **Total users targeted**.
+
+- The **Compromised Users** section lists the email addresses of the affected users. You can click **Export** to export the results to a CSV file.
+
+### Password spray attack campaign results
+
+The following information is available on the **Attack details** page for each campaign:
+
+- The duration (start date/time and end date/time) of the campaign.
+
+- **Total users targeted**
+
+- **Successful attempts**: The number of users who were found to be using the specified password.
+
+- **Overall Success Rate**: A percentage that's calculated by **Successful attempts** / **Total users targeted**.
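Review bot: In "Spear Phishing (Credentials Harvest) campaign results", **Overall Success Rate** and **Credential Success Rate** reduce to the same formula, because **Successful attempts** is already defined as users who clicked the link and entered credentials; say how the two differ or drop one. The attachment section has the same overlap between **Overall Success Rate** and **Attachment open success rate**. Also, **Compromised Users** is described as "the users who clicked the link", which is broader than the **Successful attempts** definition, and the password spray section, unlike the dictionary attack section, has no **Compromised Users** or **Export** bullet; state whether that omission is intentional.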
security Auditing Reports In Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/auditing-reports-in-eop.md
+
+ Title: Auditing reports in standalone EOP
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+ms.assetid: 003d7a74-3e16-4453-ae0c-9dbae51f66d1
+description: Admins can learn about the administrator auditing reports that are available in Exchange Online Protection (EOP)
+ms.technology: mdo
++
+# Auditing reports in standalone EOP
++
+**Applies to**
+- [Exchange Online Protection standalone](exchange-online-protection-overview.md)
+
+In standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, auditing reports can help you meet regulatory, compliance, and litigation requirements for your organization. You can obtain auditing reports at any time to determine the changes that have been made to your EOP configuration. These reports can help you troubleshoot configuration issues or find the cause of security-related or compliance-related problems.
+
+There are two auditing reports available in standalone EOP:
+
+- **Administrator role group report**: The administrator role group report lets you view when a user is added to or removed from membership in an administrator role group. You can use this report to monitor changes to the administrative permissions assigned to users in your organization. For more information, see [Run an administrator role group report in standalone EOP](run-an-administrator-role-group-report-in-eop-eop.md).
+
+- **Administrator audit log**: The administrator audit log records any action (based on standalone EOP PowerShell cmdlets) by an admin or a user with administrative privileges. For more information, see [View the Administrator Audit Log in Exchange Online](/exchange/security-and-compliance/exchange-auditing-reports/view-administrator-audit-log).
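Review bot: The **Administrator audit log** bullet scopes the log to standalone EOP PowerShell cmdlets but links to "View the Administrator Audit Log in Exchange Online", while the introduction defines the audience as organizations without Exchange Online mailboxes. Add a sentence confirming that the linked procedure applies to standalone EOP, or link to an EOP-specific procedure as the role group report bullet does.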
security Automated Investigation Response Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/automated-investigation-response-office.md
+
+ Title: How automated investigation and response works in Microsoft Defender for Office 365
+f1.keywords:
+- NOCSH
+++
+audience: ITPro
+
+localization_priority: Normal
+search.appverid:
+- MET150
+- MOE150
+
+- M365-security-compliance
+- m365initiative-defender-office365
+keywords: automated incident response, investigation, remediation, threat protection
Last updated : 01/29/2021
+description: See how automated investigation and response capabilities work in Microsoft Defender for Office 365
+
+- air
+- seo-marvel-mar2020
+ms.technology: mdo
++
+# How automated investigation and response works in Microsoft Defender for Office 365
++
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+As security alerts are triggered, it's up to your security operations team to look into those alerts and take steps to protect your organization. Sometimes, security operations teams can feel overwhelmed by the volume of alerts that are triggered. Automated investigation and response (AIR) capabilities in Microsoft Defender for Office 365 can help.
+
+AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond to detected threats.
+
+This article describes how AIR works through several examples. When you're ready to get started using AIR, see [Automatically investigate and respond to threats](office-365-air.md).
+
+- [Example 1: A user-reported phish message launches an investigation playbook](#example-a-user-reported-phish-message-launches-an-investigation-playbook)
+- [Example 2: A security administrator triggers an investigation from Threat Explorer](#example-a-security-administrator-triggers-an-investigation-from-threat-explorer)
+- [Example 3: A security operations team integrates AIR with their SIEM using the Office 365 Management Activity API](#example-a-security-operations-team-integrates-air-with-their-siem-using-the-office-365-management-activity-api)
+
+## Example: A user-reported phish message launches an investigation playbook
+
+Suppose that a user in your organization receives an email that they think is a phishing attempt. The user, trained to report such messages, uses the [Report Message add-in](enable-the-report-message-add-in.md) or the [Report Phishing add-in](enable-the-report-phish-add-in.md) to send it to Microsoft for analysis. The submission is also sent to your system and is visible in Explorer in the **Submissions** view (formerly referred to as the **User-reported** view). In addition, the user-reported message now triggers a system-based informational alert, which automatically launches the investigation playbook.
+
+During the root investigation phase, various aspects of the email are assessed. These aspects include:
+
+- A determination about what type of threat it might be;
+- Who sent it;
+- Where the email was sent from (sending infrastructure);
+- Whether other instances of the email were delivered or blocked;
+- An assessment from our analysts;
+- Whether the email is associated with any known campaigns;
+- and more.
+
+After the root investigation is complete, the playbook provides a list of recommended actions to take on the original email and entities associated with it.
+
+Next, several threat investigation and hunting steps are executed:
+
+- Similar email messages are identified via email cluster searches.
+- The signal is shared with other platforms, such as [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection).
+- A determination is made on whether any users have clicked through any malicious links in suspicious email messages.
+- A check is done across Exchange Online Protection ([EOP](exchange-online-protection-overview.md)) and ([Microsoft Defender for Office 365](defender-for-office-365.md)) to see if there are any other similar messages reported by users.
+- A check is done to see if a user has been compromised. This check leverages signals across Office 365, [Microsoft Cloud App Security](/cloud-app-security), and [Azure Active Directory](/azure/active-directory), correlating any related user activity anomalies.
+
+During the hunting phase, risks and threats are assigned to various hunting steps.
+
+Remediation is the final phase of the playbook. During this phase, remediation steps are taken, based on the investigation and hunting phases.
+
+## Example: A security administrator triggers an investigation from Threat Explorer
+
+In addition to automated investigations that are triggered by an alert, your organization's security operations team can trigger an automated investigation from a view in [Threat Explorer](threat-explorer.md). This investigation also creates an alert, so that Microsoft Defender Incidents and external SIEM tools can see that this investigation was triggered.
+
+For example, suppose that you are using the **Malware** view in Explorer. Using the tabs below the chart, you select the **Email** tab. If you select one or more items in the list, the **+ Actions** button activates.
+
+![Explorer with selected messages](../../media/Explorer-Malware-Email-ActionsInvestigate.png)
+
+Using the **Actions** menu, you can select **Trigger investigation**.
+
+![Actions menu for selected messages](../../media/explorer-malwareview-selectedemails-actions.jpg)
+
+Similar to playbooks triggered by an alert, automatic investigations that are triggered from a view in Explorer include a root investigation, steps to identify and correlate threats, and recommended actions to mitigate those threats.
+
+## Example: A security operations team integrates AIR with their SIEM using the Office 365 Management Activity API
+
+AIR capabilities in Microsoft Defender for Office 365 include [reports & details](air-view-investigation-results.md) that security operations teams can use to monitor and address threats. But you can also integrate AIR capabilities with other solutions. Examples include a security information and event management (SIEM) system, a case management system, or a custom reporting solution. These kinds of integrations can be done by using the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference).
+
+For example, recently, an organization set up a way for their security operations team to view user-reported phish alerts that were already processed by AIR. Their solution integrates relevant alerts with the organization's SIEM server and their case-management system. The solution greatly reduces the number of false positives so that their security operations team can focus their time and effort on real threats. To learn more about this custom solution, see [Tech Community blog: Improve the Effectiveness of your SOC with Microsoft Defender for Office 365 and the O365 Management API](https://techcommunity.microsoft.com/t5/microsoft-security-and/improve-the-effectiveness-of-your-soc-with-office-365-atp-and/ba-p/1525185).
+
+## Next steps
+
+- [Get started using AIR](office-365-air.md)
+- [View pending or completed remediation actions](air-review-approve-pending-completed-actions.md)
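Review bot: The introduction says "Appropriate remediation actions await approval", but the last paragraph of the first example says "remediation steps are taken" during the remediation phase, which reads as if actions run without an approver. Reword the example to say the playbook recommends actions that wait for security operations approval, matching the introduction and the "View pending or completed remediation actions" link. Smaller points: the in-page list labels the sections "Example 1", "Example 2" and "Example 3" while the headings all read just "Example:", and the EOP bullet in the hunting steps wraps the Defender for Office 365 link in stray parentheses.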
security Azure Ip Protection Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/azure-ip-protection-features.md
+
+ Title: Protection features in Azure Information Protection rolling out to existing tenants
+f1.keywords:
+ - NOCSH
+++ Last updated : 6/29/2018
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: 7ad6f58e-65d7-4c82-8e65-0b773666634d
+
+ - M365-security-compliance
+
+ - seo-marvel-apr2020
+description: This article explains the changes being rolled out to the protection features in Azure Information Protection
+ms.technology: mdo
++
+# Protection features in Azure Information Protection rolling out to existing tenants
++
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+To help with the initial step in protecting your information, starting July 2018 all Azure Information Protection eligible tenants will have the protection features in Azure Information Protection turned on by default. The protection features in Azure Information Protection were formerly known in Office 365 as Rights Management or Azure RMS. If your organization has an Office E3 service plan or a higher service plan you will now get a head start protecting information through Azure Information Protection when we roll out these features.
+
+## Changes beginning July 1, 2018
+
+Starting July 1, 2018, Microsoft will enable the protection capability in Azure Information Protection for all organizations with one of the following subscription plans:
+
+- Office 365 Message Encryption is offered as part of Office 365 E3 and E5, Microsoft E3 and E5, Office 365 A1, A3, and A5, and Office 365 G3 and G5. You do not need additional licenses to receive the new protection capabilities powered by Azure Information Protection.
+
+- You can also add Azure Information Protection Plan 1 to the following plans to receive the new Office 365 Message Encryption capabilities: Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Microsoft 365 Business Basic, Microsoft 365 Business Standard, or Office 365 Enterprise E1.
+
+- Each user benefiting from Office 365 Message Encryption needs to be licensed to be covered by the feature.
+
+- For the full list, see the [Exchange Online service descriptions](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description) for Office 365 Message Encryption.
+
+Tenant administrators can check the protection status in the Office 365 administrator portal.
+
+![Screenshot that shows that rights management in Office 365 is activated.](../../media/303453c8-e4a5-4875-b49f-e80c3eb7b91e.png)
+
+## Why are we making this change?
+
+Office 365 Message Encryption leverages the protection capabilities in Azure Information Protection. At the heart of the recent improvements to Office 365 Message Encryption and our broader investments to information protection in Microsoft 365, we are making it easier for organizations to turn on and use our protection capabilities, as historically, encryption technologies have been difficult to set up. By turning on the protection features in Azure Information Protection by default, you can quickly get started to protect your sensitive data.
+
+## Does this impact me?
+
+If your organization has purchased an eligible Office 365 license, then your tenant will be impacted by this change.
+
+> [!IMPORTANT]
+> If you're using Active Directory Rights Management Services (AD RMS) in your on-premises environment, you must either opt-out of this change immediately or migrate to Azure Information Protection before we roll out this change within the next 30 days. For information on how to opt-out, see "I use AD RMS, how do I opt out?" later in this article. If you prefer to migrate, see [Migrating from AD RMS to Azure Information Protection.](/azure/information-protection/plan-design/migrate-from-ad-rms-to-azure-rms).
+
+## Can I use Azure Information Protection with Active Directory Rights Management Services (AD RMS)?
+
+No. This is not a supported deployment scenario. Without taking the additional opt-out steps, some computers might automatically start using the Azure Rights Management service and also connect to your AD RMS cluster. This scenario isn't supported and has unreliable results, so it's important that you opt out of this change within the next 30 days before we roll out these new features. For information on how to opt-out, see "I use AD RMS, how do I opt out?" later in this article. If you prefer to migrate, see [Migrating from AD RMS to Azure Information Protection.](/azure/information-protection/plan-design/migrate-from-ad-rms-to-azure-rms)
+
+## How do I know if I'm using AD RMS?
+
+Use these instructions from [Preparing the environment for Azure Rights Management when you also have Active Directory Rights Management Services (AD RMS)](/azure/information-protection/deploy-use/prepare-environment-adrms) to check if you have deployed AD RMS:
+
+1. Although optional, most AD RMS deployments publish the service connection point (SCP) to Active Directory so that domain computers can discover the AD RMS cluster.
+
+ Use ADSI Edit to see whether you have an SCP published in Active Directory: CN=Configuration [server name], CN=Services, CN=RightsManagementServices, CN=SCP
+
+2. If you are not using an SCP, Windows computers that connect to an AD RMS cluster must be configured for client-side service discovery or licensing redirection by using the Windows registry: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation`.
+
+For more information about these registry configurations, see [Enabling client-side service discovery by using the Windows registry](/azure/information-protection/rms-client/client-deployment-notes#enabling-client-side-service-discovery-by-using-the-windows-registry) and [Redirecting licensing server traffic](/azure/information-protection/rms-client/client-deployment-notes#redirecting-licensing-server-traffic).
+
+## I use AD RMS, how do I opt out?
+
+To opt out of the upcoming change, complete these steps:
+
+1. Using a work or school account that has global administrator permissions in your organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+2. Run the Set-IRMConfiguration cmdlet using the following syntax:
+
+ ```powershell
+ Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
+ ```
+
+## What can I expect after this change has been made?
+
+Once this is enabled, provided you haven't opted out, you can start using the new version of Office 365 Message Encryption which was announced at [Microsoft Ignite 2017](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Email-Encryption-and-Rights-Protection/ba-p/110801) and leverages the encryption and protection capabilities of Azure Information Protection.
+
+![Screenshot that shows an OME protected message in Outlook on the web.](../../media/599ca9e7-c05a-429e-ae8d-359f1291a3d8.png)
+
+For more information about the new enhancements, see [Office 365 Message Encryption](../../compliance/ome.md).
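Review bot: The IMPORTANT callout and the AD RMS answer both give the opt-out deadline as "within the next 30 days" with no anchor date; since the rollout is stated as July 1, 2018, give an absolute date so the window is unambiguous. In "How do I know if I'm using AD RMS?", the two registry paths are run together inside one code span with "or" between them and the ADSI Edit path is not code-formatted; put each path in its own code span. The opt-out steps end at `Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false` without a step to confirm the setting took effect, for example by reading the value back with Get-IRMConfiguration.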
security Backscatter Messages And Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/backscatter-messages-and-eop.md
+
+ Title: Backscatter in EOP
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: 6f64f2de-d626-48ed-8084-03cc72301aa4
+
+ - M365-security-compliance
+
+ - seo-marvel-apr2020
+description: In this article, you'll learn about Backscatter and Microsoft Exchange Online Protection (EOP)
+ms.technology: mdo
++
+# Backscatter in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+*Backscatter* is non-delivery reports (also known as NDRs or bounce messages) you receive for messages that you didn't send. Spammers forge (spoof) the From: address of their messages, and they often use real email addresses to lend credibility to their messages. So, when spammers inevitably send messages to non-existent recipients (spam is a high-volume operation), the destination email server is essentially tricked into returning the undeliverable message in an NDR to the forged sender in the From: address.
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP makes every effort to identify and silently drop messages from dubious sources without generating an NDR. But, based on the sheer volume email flowing through the service, there's always the possibility that EOP will unintentionally send backscatter.
+
+Backscatterer.org maintains a block list (also known as a DNS block list or DNSBL) of email servers that were responsible for sending backscatter, and EOP servers might appear on this list. But, we don't try to remove ourselves from the Backscatterer.org block list because it isn't a list of spammers (by their own admission).
+
+> [!TIP]
+> The Backscatter.org website (<http://www.backscatterer.org/?target=usage>) recommends using their service to check incoming email in Safe mode instead of Reject mode (large email services almost always send some backscatter).
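Review bot: The TIP names the site "Backscatter.org" while the preceding paragraph and the URL in the same sentence use "Backscatterer.org"; use one spelling so readers don't look up the wrong domain. The second paragraph also reads "sheer volume email" (missing "of"), and the TIP link is written with http; use https if the site supports it.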
security Best Practices For Configuring Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/best-practices-for-configuring-eop.md
+
+ Title: Best practices for configuring EOP
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
++
+localization_priority: Normal
+ms.assetid: faf1efd1-3b0c-411a-804d-17f37292eac0
+description: Follow these best-practice recommendations for standalone Exchange Online Protection (EOP) in order to set yourself up for success and avoid common configuration errors.
+ms.technology: mdo
++
+# Best practices for configuring standalone EOP
++
+**Applies to**
+- [Exchange Online Protection standalone](exchange-online-protection-overview.md)
+
+Follow these best-practice recommendations for standalone Exchange Online Protection (EOP) in order to set yourself up for success and avoid common configuration errors. This topic assumes that you've already completed the setup process. If you haven't completed EOP setup, see [Set up your EOP service](set-up-your-eop-service.md).
+
+## Use a test domain
+
+We recommend that you use a test domain, subdomain, or low volume domain for trying out service features before implementing them on your higher-volume, production domains.
+
+## Synchronize recipients
+
+If your organization has existing user accounts in an on-premises Active Directory environment, you can synchronize those accounts to Azure Active Directory in the cloud. Using directory synchronization is recommended. To learn more about the benefits of using directory synchronization, and the steps for setting it up, see [Manage mail users in EOP](manage-mail-users-in-eop.md).
+
+## Recommended settings
+
+We empower security admins to customize their security settings to satisfy the needs of their organization. Although, as a general rule, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. These settings are listed in the [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+
+### Miscellaneous/non-policy settings
+
+These settings cover a range of features that are outside of security policies.
+
+<br>
+
+****
+
+|Security feature name|Standard|Strict|Comment|
+|||||
+|[Set up SPF to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md)|Yes|Yes||
+|[Use DKIM to validate outbound email sent from your custom domain in Office 365](use-dkim-to-validate-outbound-email.md)|Yes|Yes||
+|[Use DMARC to validate email in Office 365](use-dmarc-to-validate-email.md)|Yes|Yes|Use `action=quarantine` for Standard, and `action=reject` for Strict.|
+|Deploy the [Report Message add-in](enable-the-report-message-add-in.md) or the [Report Phishing add-in](enable-the-report-phish-add-in.md) to improve end-user reporting of suspicious email|Yes|Yes||
+|Schedule Malware and Spam Reports|Yes|Yes||
+|Auto-forwarding to external domains should be disallowed or monitored|Yes|Yes||
+|Unified Auditing should be enabled|Yes|Yes||
+|[IMAP connectivity to mailbox](/Exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access)|Disabled|Disabled||
+|[POP connectivity to mailbox](/Exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access)|Disabled|Disabled||
+|Authenticated SMTP submission|Disabled|Disabled|Authenticated client SMTP submission (also known as client SMTP submission or SMTP AUTH) is required for POP3 and IMAP4 clients and applications and devices that generate and send email. <p> For instructions to enable and disable SMTP AUTH globally or selectively, see [Enable or disable authenticated client SMTP submission in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission).|
+|EWS connectivity to mailbox|Disabled|Disabled|Outlook uses Exchange Web Services for free/busy, out-of-office settings, and calendar sharing. If you can't disable EWS globally, you have the following options: <ul><li>Use [Authentication policies](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online) to prevent EWS from using Basic authentication if your clients support modern authentication (modern auth).</li><li>Use [Client Access Rules](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) to limit EWS to specific users or source IP addresses.</li><li>Control EWS access to specific applications globally or per user. For instructions, see [Control access to EWS in Exchange](/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange).</li></ul> <p> The [Report message add-in](enable-the-report-message-add-in.md) and the [Report phishing add-in](enable-the-report-phish-add-in.md) uses REST by default in supported environments, but will fall back to EWS if REST isn't available. The supported environments that use REST are:<ul><li>Exchange Online</li><li>Exchange 2019 or Exchange 2016</li><li>Current Outlook for Windows from a Microsoft 365 subscription or one-time purchase Outlook 2019.</li><li>Current Outlook for Mac from a Microsoft 365 subscription or one-time purchase Outlook for Mac 2016 or later.</li><li>Outlook for iOS and Android</li><li>Outlook on the web</li></ul>|
+|[PowerShell connectivity](/powershell/exchange/disable-access-to-exchange-online-powershell)|Disabled|Disabled|Available for mailbox users or mail users (user objects returned by the [Get-User](/powershell/module/exchange/get-user) cmdlet).|
+|Use [spoof intelligence](learn-about-spoof-intelligence.md) to add senders to your allow list|Yes|Yes||
+|[Directory-Based Edge Blocking (DBEB)](/Exchange/mail-flow-best-practices/use-directory-based-edge-blocking)|Enabled|Enabled|Domain Type = Authoritative|
+|[Set up multi-factor authentication for all admin accounts](../../admin/security-and-compliance/set-up-multi-factor-authentication.md)|Enabled|Enabled||
+|
+
+## Troubleshooting
+
+Troubleshoot general issues and trends by using the reports in the admin center. Find single point specific data about a message by using the message trace tool. Learn more about reporting at [Reporting and message trace in Exchange Online Protection](reporting-and-message-trace-in-exchange-online-protection.md). Learn more about the message trace tool at [Message trace in the Security & Compliance Center](message-trace-scc.md).
+
+## Report false positives and false negatives to Microsoft
+
+To help improve spam filtering in the service for everyone, you should report false positives (good email marked as bad) and false negatives (bad email allowed) to Microsoft for analysis. For more information, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## Create mail flow rules
+
+Create mail flow rules (also known as transport rules) or custom filters to meet your business needs.
+
+When you deploy a new rule to production, select one of the test modes first to see the effect of the rule. Once you are satisfied that the rule is working in the manner intended, change the rule mode to **Enforce**.
+
+When you deploy new rules, consider adding the additional action of **Generate Incident Report** to monitor the rule in action.
+
+In hybrid environments where your organization includes both on-premises Exchange and Exchange Online, consider the conditions that you use in mail flow rules. If you want the rules to apply to the entire organization, be sure to use conditions that are available in both on-premises Exchange and in Exchange Online. While most conditions are available in both environments, there are a few that are only available in one environment or the other. Learn more at [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).
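Review bot: In the DMARC row of the miscellaneous settings table, the comment gives `action=quarantine` and `action=reject`, but a DMARC record expresses policy with the `p` tag (`p=quarantine`, `p=reject`); as written, an admin could copy a value that is not valid DMARC syntax. In the same table, the EWS row uses an absolute docs.microsoft.com URL for Client Access Rules where the other links are site-relative, and "the Report message add-in and the Report phishing add-in uses REST" should read "use". Under "Recommended settings", the sentence beginning "Although, as a general rule" is a fragment; join it to the previous sentence or drop "Although".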
security Bulk Complaint Level Values https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/bulk-complaint-level-values.md
+
+ Title: Bulk complaint level values
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: a5b03b3c-37dd-429e-8e9b-2c1b25031794
+
+ - M365-security-compliance
+description: Admins can learn about bulk compliance level (BCL) values that are used in Exchange Online Protection (EOP).
+ms.technology: mdo
++
+# Bulk complaint level (BCL) in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP assigns a bulk compliant level (BCL) to inbound messages from bulk mailers. The BCL is added to the message in an X-header and is similar to the [spam confidence level (SCL)](spam-confidence-levels.md) that's used to identify messages as spam. A higher BCL indicates a bulk message is more likely to generate complaints (and is therefore more likely to be spam). Microsoft uses both internal and third party sources to identify bulk mail and determine the appropriate BCL.
+
+Bulk mailers vary in their sending patterns, content creation, and recipient acquisition practices. Good bulk mailers send desired messages with relevant content to their subscribers. These messages generate few complaints from recipients. Other bulk mailers send unsolicited messages that closely resemble spam and generate many complaints from recipients. Messages from a bulk mailer are known as bulk mail or gray mail.
+
+ Spam filtering marks messages as **Bulk email** based on the BCL threshold (the default value or a value you specify) and takes the specified action on the message (the default action is deliver the message to the recipient's Junk Email folder). For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md) and [What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md)
+
+The BCL thresholds are described in the following table.
+
+****
+
+|BCL|Description|
+|::||
+|0|The message isn't from a bulk sender.|
+|1, 2, 3|The message is from a bulk sender that generates few complaints.|
+|4, 5, 6, 7<sup>\*</sup>|The message is from a bulk sender that generates a mixed number of complaints.|
+|8, 9|The message is from a bulk sender that generates a high number of complaints.|
+|
+
+<sup>\*</sup> This is the default threshold value that's used in anti-spam policies.
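Review bot: The term this file defines is spelled three ways. The title and H1 say "Bulk complaint level", the `description` metadata says "bulk compliance level (BCL)", and the first body paragraph says EOP "assigns a bulk compliant level (BCL)". Change both to "bulk complaint level" so the definition matches the heading and the X-header that admins will search for. In the paragraph about the threshold, "the default action is deliver the message" should read "is to deliver the message". The footnote marker sits on the whole "4, 5, 6, 7" row, so consider stating in the footnote that the default threshold is 7.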
security Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md
+
+ Title: Campaign Views in Microsoft Defender for Office 365 Plan
+f1.keywords:
+ - NOCSH
++++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid:
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Learn about Campaign Views in Microsoft Defender for Office 365.
+ms.technology: mdo
++
+# Campaign Views in Microsoft Defender for Office 365
++
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+
+Campaign Views is a feature in Microsoft Defender for Office 365 Plan 2 (for example Microsoft 365 E5 or organizations with an Defender for Office 365 Plan 2 add-on). Campaign Views in the Security & Compliance Center identifies and categorizes phishing attacks in the service. Campaign Views can help you to:
+
+- Efficiently investigate and respond to phishing attacks.
+- Better understand the scope of the attack.
+- Show value to decision makers.
+
+Campaign Views lets you see the big picture of an attack faster and more complete than any human.
+
+## What is a campaign?
+
+A campaign is a coordinated email attack against one or many organizations. Email attacks that steal credentials and company data are a large and lucrative industry. As technologies increase in an effort to stop attacks, attackers modify their methods in an effort to ensure continued success.
+
+Microsoft leverages the vast amounts of anti-phishing, anti-spam, and anti-malware data across the entire service to help identify campaigns. We analyze and classify the attack information according to several factors. For example:
+
+- **Attack source**: The source IP addresses and sender email domains.
+- **Message properties**: The content, style, and tone of the messages.
+- **Message recipients**: How recipients are related. For example, recipient domains, recipient job functions (admins, executives, etc.), company types (large, small, public, private, etc.), and industries.
+- **Attack payload**: Malicious links, attachments, or other payloads in the messages.
+
+A campaign might be short-lived, or could span several days, weeks, or months with active and inactive periods. A campaign might be launched against your specific organization, or your organization might be part of a larger campaign across multiple companies.
+
+## Campaign Views in the Security & Compliance Center
+
+Campaign Views is available in the [Security & Compliance Center](https://protection.office.com) at **Threat management** \> **Campaigns**, or directly at <https://protection.office.com/campaigns>.
+
+![Campaigns overview in the Security & Compliance Center](../../media/campaigns-overview.png)
+
+You can also get to Campaign Views from:
+
+- **Threat management** \> **Explorer** \> **View** \> **Campaigns**
+- **Threat management** \> **Explorer** \> **View** \> **All email** \> **Campaign** tab
+- **Threat management** \> **Explorer** \> **View** \> **Phish** \> **Campaign** tab
+- **Threat management** \> **Explorer** \> **View** \> **Malware** \> **Campaign** tab
+
+To access Campaign Views, you need to be a member of the **Organization Management**, **Security Administrator**, or **Security Reader** role groups in the Security & Compliance Center. For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+
+## Campaigns overview
+
+The overview page shows information about all campaigns.
+
+On the default **Campaign** tab, the **Campaign type** area shows a bar graph that shows the number of recipients per day. By default, the graph shows both **Phish** and **Malware** data.
+
+> [!TIP]
+> If you don't see any campaign data, try changing the date range or [filters](#filters-and-settings).
+
+The rest of the overview page shows the following information on the **Campaign** tab:
+
+- **Name**
+
+- **Sample subject**: The subject line of one of the messages in the campaign. Note that all messages in the campaign will not necessarily have the same subject.
+
+- **Targeted**: The percentage as calculated by: (the number of campaign recipients in your organization) / (the total number of recipients in the campaign across all organizations in the service). This value indicates the degree to which the campaign is directed only at your organization (a higher value) vs. also directed at other organizations in the service (a lower value).
+
+- **Type**: This value is either **Phish** or **Malware**.
+
+- **Subtype**: This value contains more details about the campaign. For example:
+ - **Phish**: Where available, the brand that is being phished by this campaign. For example, `Microsoft`, `365`, `Unknown`, `Outlook`, or `DocuSign`.
+ - **Malware**: For example, `HTML/PHISH` or `HTML/<MalwareFamilyName>`.
+
+ Where available, the brand that is being phished by this campaign. When the detection is driven by Defender for Office 365 technology, the prefix **ATP-** is added to the subtype value.
+
+- **Recipients**: The number of users that were targeted by this campaign.
+
+- **Inboxed**: The number of users that received messages from this campaign in their Inbox (not delivered to their Junk Email folder).
+
+- **Clicked**: The number of users that clicked on the URL or opened the attachment in the phishing message.
+
+- **Click rate**: The percentage as calculated by "**Clicked** / **Inboxed**". This value is an indicator of the effectiveness of the campaign. In other words, if the recipients were able to identify the message as phishing, and if they didn't click on the payload URL.
+
+ Note that **Click rate** isn't used in malware campaigns.
+
+- **Visited**: How many users actually made it through to the payload website. If there are **Clicked** values, but Safe Links blocked access to the website, this value will be zero.
+
+The **Campaign origin** tab shows the message sources on a map of the world.
+
+### Filters and settings
+
+At the top of the Campaign Views page, there are several filter and query settings to help you find and isolate specific campaigns.
+
+![Campaign filters](../../media/campaign-filters-and-settings.png)
+
+The most basic filtering that you can do is the start date/time and the end date/time.
+
+To further filter the view, you can do single property with multiple values filtering by clicking the **Campaign type** button, making your selection, and then clicking **Refresh**.
+
+The filterable campaign properties that are available in the **Campaign type** button are described in the following list:
+
+- **Basic**:
+ - **Campaign type**: Select **Malware** or **Phish**. Clearing the selections has the same result as selecting both.
+ - **Campaign name**
+ - **Campaign subtype**
+ - **Sender**
+ - **Recipients**
+ - **Sender domain**
+ - **Subject**
+ - **Attachment filename**
+ - **Malware family**
+ - **Tags**: Users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags.md).
+ - **System overrides**
+ - **Delivery action**
+ - **Additional action**
+ - **Directionality**
+ - **Detection technology**
+ - **Original delivery location**
+ - **Latest delivery location**
+ - **System overrides**
+
+- **Advanced**:
+ - **Internet message ID**: Available in the **Message-ID** header field in the message header. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets).
+ - **Network message ID**: A GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header field in the message header.
+ - **Sender IP**
+ - **Attachment SHA256**: To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt: `certutil.exe -hashfile "<Path>\<Filename>" SHA256`.
+ - **Cluster ID**
+ - **Alert Policy ID**
+ - **ZAP URL signal**
+
+- **URLs**:
+ - **URL domain**
+ - **URL domain and path**
+ - **URL**
+ - **URL path**
+ - **Click verdict**
+
+For more advanced filtering, including filtering by multiple properties, you can click the **Advanced filter** button to build a query. The same campaign properties are available, but with the following enhancements:
+
+- You can click **Add a condition** to select multiple conditions.
+- You can choose the **And** or **Or** operator between conditions.
+- You can select the **Condition group** item at the bottom of the conditions list to form complex compound conditions.
+
+When you're finished, click the **Query** button.
+
+After you create a basic or advanced filter, you can save it by using **Save query** or **Save query as**. Later, when you return to Campaign Views, you can load a saved filter by clicking **Saved query settings**.
+
+To export the graph or the list of campaigns, click **Export** and select **Export chart data** or **Export campaign list**.
+
+If you have a Microsoft Defender for Endpoint subscription, you can click **MDE Settings** to connect or disconnect the campaigns information with Microsoft Defender for Endpoint. For more information, see [Integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](integrate-office-365-ti-with-mde.md).
+
+## Campaign details
+
+When you click on the name of a campaign, the campaign details appear in a flyout.
+
+### Campaign information
+
+At the top of the campaign details view, the following campaign information is available:
+
+- **ID**: The unique campaign identifier.
+
+- **Started** and **Ended**: The start date and end date of the campaign. Note that these dates might extend further than your filter dates that you selected on the overview page.
+
+- **Impact**: This section contains the following data for the date range filter you selected (or that you select in the timeline):
+ - The total number of recipients.
+ - The number of messages that were "Inboxed" (that is, delivered to the Inbox, not to the Junk Email folder).
+ - How many users clicked on the URL payload in the phishing message.
+ - Howe many users visited the URL.
+
+- **Targeted**: The percentage as calculated by: (the number of campaign recipients in your organization) / (the total number of recipients in the campaign across all organizations in the service). Note that this value is calculated over the entire lifetime of the campaign, and doesn't change based on date filters.
+
+- An interactive timeline of campaign activity: The timeline shows activity over the entire lifetime of the campaign. By default, the shaded area includes the date range filter that you selected in the overview. You can click and drag to select a specific start point and end point, <u>which will change the data that's displayed in **Impact** area, and on the rest of the page as described in the next sections</u>.
+
+In the title bar, you can click the **Download campaign write-up** button ![Download campaign write-up icon](../../media/download-campaign-write-up-button.png) to download the campaign details to a Word document (by default, named CampaignReport.docx). Note that the download contains details over the entire lifetime of the campaign (not just the filter dates you selected).
+
+![Campaign information](../../media/campaign-details-campaign-info.png)
+
+### Campaign flow
+
+In the middle of the campaign details view, important details about the campaign are presented in the **Flow** section in a horizontal flow diagram (known as a _Sankey_ diagram). These details will help you to understand the elements of the campaign and the potential impact in your organization.
+
+> [!TIP]
+> The information that's displayed in the **Flow** diagram is controlled by the shaded date range in the timeline as described in the previous section.
+
+![Campaign details that don't contain user URL clicks](../../media/campaign-details-no-recipient-actions.png)
+
+If you hover over a horizontal band in the diagram, you'll see the number of related messages (for example, messages from a particular source IP, messages from the source IP using the specified sender domain, etc.).
+
+The diagram contains the following information:
+
+- **Sender IPs**
+- **Sender domains**
+- **Filter verdicts**: Verdict values are related to the available phishing and spam filtering verdicts as described in [Anti-spam message headers](anti-spam-message-headers.md). The available values are described in the following table:
+
+ ****
+
+ |Value|Spam filter verdict|Description|
+ ||||
+ |**Allowed**|`SFV:SKN` <p> `SFV:SKI`|The message was marked as not spam and/or skipped filtering before being evaluated by spam filtering. For example, the message was marked as not spam by a mail flow rule (also known as a transport rule). <p> The message skipped spam filtering for other reasons. For example, the sender and recipient appear to be in the same organization.|
+ |**Blocked**|`SFV:SKS`|The message was marked as spam before being evaluated by spam filtering. For example, by a mail flow rule.|
+ |**Detected**|`SFV:SPM`|The message was marked as spam by spam filtering.|
+ |**Not Detected**|`SFV:NSPM`|The message was marked as not spam by spam filtering.|
+ |**Released**|`SFV:SKQ`|The message skipped spam filtering because it was released from quarantine.|
+ |**Tenant Allow**<sup>\*</sup>|`SFV:SKA`|The message skipped spam filtering because of the settings in an anti-spam policy. For example, the sender was in the allowed sender list or allowed domain list.|
+ |**Tenant Block**<sup>\*\*</sup>|`SFV:SKA`|The message was blocked by spam filtering because of the settings in an anti-spam policy. For example, the sender was in the allowed sender list or allowed domain list.|
+ |**User Allow**<sup>\*</sup>|`SFV:SFE`|The message skipped spam filtering because the sender was in a user's Safe Senders list.|
+ |**User Block**<sup>\*\*</sup>|`SFV:BLK`|The message was blocked by spam filtering because the sender was in a user's Blocked Senders list.|
+ |**ZAP**|n/a|[Zero-hour auto purge (ZAP)](zero-hour-auto-purge.md) moved the delivered message to the Junk Email folder or quarantine. You configure the action in your anti-spam policy.|
+ |
+
+ <sup>\*</sup> Review your anti-spam policies, because the allowed message would have likely been blocked by the service.
+
+ <sup>\*\*</sup> Review your anti-spam policies, because these messages should be quarantined, not delivered.
+
+- **Delivery locations**: You'll likely want to investigate messages that were delivered to recipients (either to the Inbox or the Junk Email folder), even if users didn't click on the payload URL in the message. You can also remove the quarantined messages from quarantine. For more information, see [Quarantined email messages in EOP](quarantine-email-messages.md).
+ - **Deleted folder**
+ - **Dropped**
+ - **External**: The recipient is located in your on-premises email organization in hybrid environments.
+ - **Failed**
+ - **Forwarded**
+ - **Inbox**
+ - **Junk folder**
+ - **Quarantine**
+ - **Unknown**
+
+- **URL clicks**: These values are described in the next section.
+
+> [!NOTE]
+> In all layers that contain more than 10 items, the top 10 items are shown, while the rest are bundled together in **Others**.
+
+#### URL clicks
+
+When a phishing message is delivered to a recipient's Inbox or Junk Email folder, there's always a chance that the user will click on the payload URL. Not clicking on the URL is a small measure of success, but you need to determine why the phishing message was even delivered to the mailbox.
+
+If a user clicked on the payload URL in the phishing message, the actions are displayed in the **URL clicks** area of the diagram in the campaign details view.
+
+- **Allowed**
+- **BlockPage**: The recipient clicked on the payload URL, but their access to the malicious website was blocked by a [Safe Links](safe-links.md) policy in your organization.
+- **BlockPageOverride**: The recipient clicked on the payload URL in the message, Safe Links tried to stop them, but they were allowed to override the block. Inspect your [Safe Links policies](set-up-safe-links-policies.md) to see why users are allowed to override the Safe Links verdict and continue to the malicious website.
+- **PendingDetonationPage**: Safe Attachments in Microsoft Defender for Office 365 is in the process of opening and investigating the payload URL in a virtual computer environment.
+- **PendingDetonationPageOverride**: The recipient was allowed to override the payload detonation process and open the URL without waiting for the results.
+
+### Tabs
+
+The tabs in the campaign details view allow you to further investigate the campaign.
+
+> [!TIP]
+> The information that's displayed on the tabs is controlled by the shaded date range in the timeline as described in [Campaign information](#campaign-information) section.
+
+- **URL clicks**: If users didn't click on the payload URL in the message, this section will be blank. If a user was able to click on the URL, the following values will be populated:
+ - **User**<sup>\*</sup>
+ - **URL**<sup>\*</sup>
+ - **Click time**
+ - **Click verdict**
+
+- **Sender IPs**
+ - **Sender IP**<sup>\*</sup>
+ - **Total count**
+ - **Inboxed**
+ - **Not Inboxed**
+ - **SPF passed**: The sender was authenticated by the [Sender Policy Framework (SPF)](how-office-365-uses-spf-to-prevent-spoofing.md). A sender that doesn't pass SPF validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender.
+
+- **Senders**
+ - **Sender**: This is the actual sender address in the SMTP MAIL FROM command, which is not necessarily the From: email address that users see in their email clients.
+ - **Total count**
+ - **Inboxed**
+ - **Not Inboxed**
+ - **DKIM passed**: The sender was authenticated by [Domain Keys Identified Mail (DKIM)](support-for-validation-of-dkim-signed-messages.md). A sender that doesn't pass DKIM validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender.
+ - **DMARC passed**: The sender was authenticated by [Domain-based Message Authentication, Reporting, and Conformance (DMARC)](use-dmarc-to-validate-email.md). A sender that doesn't pass DMARC validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender.
+
+- **Attachments**
+ - **Filename**
+ - **SHA256**
+ - **Malware family**
+ - **Total count**
+
+- **URL**
+ - **URL**<sup>\*</sup>
+ - **Total Count**
+
+<sup>\*</sup> Clicking on this value opens a new flyout that contains more details about the specified item (user, URL, etc.) on top of the campaign details view. To return to the campaign details view, click **Done** in the new flyout.
+
+### Buttons
+
+The buttons in the campaign details view allow you to use the power of Threat Explorer to further investigate the campaign.
+
+- **Explore campaign**: Opens a new Threat Explorer search tab using the **Campaign ID** value as the search filter.
+- **Explore Inboxed messages**: Opens a new Threat Explorer search tab using the **Campaign ID** and **Delivery location: Inbox** as the search filter.
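Review bot: In the **Filter verdicts** table, the **Tenant Block** row repeats the **Tenant Allow** row directly above it. It has the same `SFV:SKA` verdict and the same example, "the sender was in the allowed sender list or allowed domain list", so a reader matching header values to this table cannot tell a tenant allow override from a tenant block. Check the verdict value against the anti-spam message headers article that this bullet links to, and change the example to the blocked sender and blocked domain lists. Smaller points in the same file: **System overrides** is listed twice under the **Basic** filter properties. The sentence "Where available, the brand that is being phished by this campaign." is repeated after the **Malware** subtype bullet. The **Click rate** description ends in a fragment ("In other words, if the recipients were able to identify ..."). "Howe many users visited the URL" and "an Defender for Office 365 Plan 2 add-on" are typos.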
security Configuration Analyzer For Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md
+
+ Title: Configuration analyzer for security policies
+f1.keywords:
+ - NOCSH
++++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid:
+
+ - M365-security-compliance
+description: Admins can learn how to use the configuration analyzer to find and fix security policies that are below the Standard protection and Strict protection preset security policies.
+ms.technology: mdo
++
+# Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+Configuration analyzer in the Security & Compliance center provides a central location to find and fix security policies where the settings are below the Standard protection and Strict protection profile settings in [preset security policies](preset-security-policies.md).
+
+The following types of policies are analyzed by the configuration analyzer:
+
+- **Exchange Online Protection (EOP) policies**: This includes Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes:
+
+ - [Anti-spam policies](configure-your-spam-filter-policies.md).
+ - [Anti-malware policies](configure-anti-malware-policies.md).
+ - [EOP Anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
+
+- **Microsoft Defender for Office 365 policies**: This includes organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:
+
+ - Anti-phishing policies in Microsoft Defender for Office 365, which include:
+
+ - The same [spoof settings](set-up-anti-phishing-policies.md#spoof-settings) that are available in the EOP anti-phishing policies.
+ - [Impersonation settings](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)
+ - [Advanced phishing thresholds](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365)
+
+ - [Safe Links policies](set-up-safe-links-policies.md).
+
+ - [Safe Attachments policies](set-up-safe-attachments-policies.md).
+
+The **Standard** and **Strict** policy setting values that are used as baselines are described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+
+## What do you need to know before you begin?
+
+- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Configuration analyzer** page, use <https://protection.office.com/configurationAnalyzer>.
+
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+- You need to be assigned permissions in the Security & Compliance Center before you can do the procedures in this article:
+ - To use the configuration analyzer **and** make updates to security policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
+ - For read-only access to the configuration analyzer, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+
+ For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+
+ > [!NOTE]
+ >
+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ >
+ > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+
+## Use the configuration analyzer in the Security & Compliance Center
+
+In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Configuration analyzer**.
+
+![Configuration analyzer widget on the Threat management \> Policy page](../../media/configuration-analyzer-widget.png)
+
+The configuration analyzer has two main tabs:
+
+- **Settings and recommendations**: You pick Standard or Strict and compare those settings to your existing security policies. In the results, you can adjust the values of your settings to bring them up to the same level as Standard or Strict.
+
+- **Configuration drift analysis and history**: This view allows you to track policy changes over time.
+
+### Setting and recommendations tab in the configuration analyzer
+
+By default, the tab opens on the comparison to the Standard protection profile. You can switch to the comparison of the Strict protection profile by clicking **View Strict recommendations**. To switch back, select **View Standard recommendations**.
+
+![Settings and recommendations view in the Configuration analyzer](../../media/configuration-analyzer-settings-and-recommendations-view.png)
+
+By default, the **Policy group/setting name** column contains a collapsed view of the different types of security policies and the number of settings that need improvement (if any). The types of policies are:
+
+- **Anti-spam**
+- **Anti-phishing**
+- **Anti-malware**
+- **ATP Safe Attachments** (if your subscription includes Microsoft Defender for Office 365)
+- **ATP Safe Links** (if your subscription includes Microsoft Defender for Office 365)
+
+In the default view, everything is collapsed. Next to each policy, there's a summary of comparison results from your policies (which you can modify) and the settings in the corresponding policies for the Standard or Strict protection profiles (which you can't modify). You'll see the following information for the protection profile that you're comparing to:
+
+- **Green**: All settings in all existing policies are at least as secure as the protection profile.
+- **Amber**: A small number of settings in the existing policies are not as secure as the protection profile.
+- **Red**: A significant number of settings in the existing policies are not as secure as the protection profile. This could be a few settings in many policies or many settings in one policy.
+
+For favorable comparisons, you'll see the text: **All settings follow** \<**Standard** or **Strict**\> **recommendations**. Otherwise, you'll see the number of recommended settings to change.
+
+If you expand **Policy group/setting name**, all of the policies and the associated settings in each specific policy that require attention are revealed. Or, you can expand a specific type of policy (for example, **Anti-spam**) to see just those settings in those types of policies that require your attention.
+
+If the comparison has no recommendations for improvement (green), expanding the policy reveals nothing. If there are any number of recommendations for improvement (amber or red), the settings that require attention are revealed, and corresponding information is revealed in the following columns:
+
+- The name of the setting that requires your attention. For example, in the previous screenshot, it's the **Bulk email threshold** in an anti-spam policy.
+
+- **Policy**: The name of the affected policy that contains the setting.
+
+- **Applied to**: The number of users that the affected policies are applied to.
+
+- **Current configuration**: The current value of the setting.
+
+- **Last modified**: The date that the policy was last modified.
+
+- **Recommendations**: The value of the setting in the Standard or Strict protection profile. To change the value of the setting in your policy to match the recommended value in the protection profile, click **Adopt**. If the change is successful, you'll see the message: **Recommendations successfully adopted**. Click **Refresh** to see the reduced number of recommendations, and the removal of the specific setting/policy row from the results.
+
+### Configuration drift analysis and history tab in the configuration analyzer
+
+This tab allows you to track the changes that you've made to your custom security policies. By default, the following information is displayed:
+
+- **Last modified**
+- **Modified by**
+- **Setting Name**
+- **Policy**
+- **Type**
+
+To filter the results, click **Filter**. In the **Filters** flyout that appears, you can select from the following filters:
+
+- **Start time** and **End time** (date)
+- **Standard protection** or **Strict protection**
+
+To export the results to a .csv file, click **Export**.
+
+![Configuration drift analysis and history view in the Configuration analyzer](../../media/configuration-analyzer-configuration-drift-analysis-view.png)
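Review bot: The prerequisites include "To connect to Exchange Online PowerShell, see ...", but no procedure in this article uses PowerShell. Every step shown is in the Security & Compliance Center. Either drop that bullet or add the PowerShell procedure it prepares for. The heading "Setting and recommendations tab in the configuration analyzer" does not match the tab name given earlier, **Settings and recommendations**, and "Security & Compliance center" in the opening paragraph is capitalized differently from the rest of the file. Because **Adopt** writes the recommended value straight into a live policy, the drift analysis section should say whether adopted changes show up in the **Modified by** history. It should also explain what the **Standard protection** or **Strict protection** filter selects in a change log, which the text leaves unstated.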
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
+
+ Title: Configure anti-malware policies
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ms.assetid: b0cfc21f-e3c6-41b6-8670-feb2b2e252e5
+
+ - M365-security-compliance
+ - m365initiative-defender-office365
+description: Admins can learn how to view, create, modify, and remove anti-malware policies in Exchange Online Protection (EOP).
+
+ms.technology: mdo
++
+# Configure anti-malware policies in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. EOP uses anti-malware policies for malware protection settings. For more information, see [Anti-malware protection](anti-malware-protection.md).
+
+Admins can view, edit, and configure (but not delete) the default anti-malware policy to meet the needs of their organizations. For greater granularity, you can also create custom anti-malware policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
+
+You can configure anti-malware policies in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exch