Updates from: 03/29/2022 01:44:36
Category Microsoft Docs article Related commit history on GitHub Change details
admin Create Edit Or Delete A Custom User View https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/create-edit-or-delete-a-custom-user-view.md
You can also filter by additional user profile details used in your organization
## Related content
-[Overview of the Microsoft 365 admin center](Overview of the Microsoft 365 admin center](../admin-overview/admin-center-overview.md) (video)\
+[Overview of the Microsoft 365 admin center](../admin-overview/admin-center-overview.md) (video)\
[About admin roles](../add-users/about-admin-roles.md) (video)\ [Customize the Microsoft 365 theme for your organization](../setup/customize-your-organization-theme.md) (article)
-
+
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
- M365-subscription-management - Adm_O365 - Adm_TOC-+ - AdminSurgePortfolio - AdminTemplateSet search.appverid:
Centralized Deployment is the recommended and most feature-rich way for most cus
Centralized Deployment provides the following benefits: - An admin can deploy and assign an add-in directly to a user, to multiple users via a group, or to everyone in the organization (see Admin requirement section for information).- - When the relevant Office application starts, the add-in automatically downloads. If the add-in supports add-in commands, the add-in automatically appears in the ribbon within the Office application.- - Add-ins no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed from Azure Active Directory or from a group that the add-in is assigned to. Centralized Deployment supports three desktop platforms Windows, Mac and Online Office apps. Centralized Deployment also supports iOS and Android (Outlook Mobile Add-ins Only).
In order to deploy an add-in via Centralized Deployment, you need to be either a
> > ![image](https://user-images.githubusercontent.com/89943918/144516704-8874a10d-b540-41f3-ae9d-c07a8d7e143f.png) - ### Centralized Deployment Compatibility Checker Using the Centralized Deployment Compatibility Checker, you can verify whether the users on your tenant are set up to use Centralized Deployment for Word, Excel and PowerPoint. The Compatibility Checker is not required for Outlook support. Download the [compatibility checker](https://aka.ms/officeaddindeploymentorgcompatibilitychecker).
Using the Centralized Deployment Compatibility Checker, you can verify whether t
Import-Module O365CompatibilityChecker ```
-3. Run the **Invoke-CompatabilityCheck** command:
+3. Run the **Invoke-CompatibilityCheck** command:
```powershell Invoke-CompatibilityCheck ```
- This command prompts you for *_TenantDomain_* (for example, *TailspinToysIncorporated.onmicrosoft.</span>com*) and *_TenantAdmin_* credentials (use your global admin credentials), and then requests consent.
+
+ This command prompts you for _TenantDomain_ (for example, _TailspinToysIncorporated.onmicrosoft.com_) and _TenantAdmin_ credentials (use your global admin credentials), and then requests consent.
> [!NOTE]
- > Depending on the number of users in your tenant, the checker could complete in minutes or hours.
-
+ > Depending on the number of users in your tenant, the checker could complete in minutes or hours.
+ When the tool finishes running, it produces an output file in comma-separated (.csv) format. The file is saved to **the current working directory** by default. The output file contains the following information: - User Name- - User ID (User's email address)- - Centralized Deployment ready - If the remaining items are true- - Office plan - The plan of Office they are licensed for- - Office Activated - If they have activated Office- - Supported Mailbox - If they are on an OAuth-enabled mailbox > [!NOTE]
Take a look at the following example where Sandra, Sheila, and the Sales Departm
![MicrosoftTeams-image](../../media/683094bb-1160-4cce-810d-26ef7264c592.png) - ### Find out if a group contains nested groups The easiest way to detect if a group contains nested groups is to view the group contact card within Outlook. If you enter the group name within the **To** field of an email and then select the group name when it resolves, it will show you if it contains users or nested groups. In the example below, the **Members** tab of the Outlook contact card for the Test Group shows no users and only two sub groups.
You can do the opposite query by resolving the group to see if it's a member of
![Membership tab of the Outlook contact card.](../../media/a9f9b6ab-9c19-4822-9e3d-414ca068c42f.png)
-Alternately, you can use the Azure Active Directory Graph API to run queries to find the list of groups within a group. For more information, see [Operations on groups | Graph API reference](/previous-versions/azure/ad/graph/api/groups-operations).
+Alternately, you can use the Azure Active Directory Graph API to run queries to find the list of groups within a group. For more information, see [Operations on groups| Graph API reference](/previous-versions/azure/ad/graph/api/groups-operations).
### Contacting Microsoft for support If you or your users encounter problems loading the add-in while using Office apps for the web (Word, Excel, etc.), which were centrally deployed, you may need to contact Microsoft support ([learn how](../../business-video/get-help-support.md). Provide the following information about your Microsoft 365 environment in the support ticket.
-| Platform | Debug information |
-|:--|:--|
-|Office | Charles/Fiddler logs <br/> Tenant ID ([learn how](/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>` |
-|Rich clients (Windows, Mac) | Charles/Fiddler logs <br/> Build numbers of the client app (preferably as a screenshot from **File/Account**) |
+|Platform|Debug information|
+|||
+|Office|Charles/Fiddler logs <br/> Tenant ID ([learn how](/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>`|
+|Rich clients (Windows, Mac)|Charles/Fiddler logs <br/> Build numbers of the client app (preferably as a screenshot from **File/Account**)|
## Related content
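Review bot: In the rewritten support table, the delimiter row is shown as `|||`, with none of the dashes that the removed `|:--|:--|` row had, so the Platform / Debug information rows may not render as a table; restore a dashed delimiter row. In the same hunk, the changed link text `Operations on groups| Graph API reference` lost the space before the pipe that the removed line had, and the context sentence above the table opens a parenthesis at `([learn how](../../business-video/get-help-support.md)` that is never closed.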
If you or your users encounter problems loading the add-in while using Office ap
[Manage add-ins in the admin center](manage-addins-in-the-admin-center.md) (article)\ [Centralized Deployment FAQ](../manage/centralized-deployment-faq.yml) (article)\ [Upgrade your Microsoft 365 for business users to the latest Office client](../setup/upgrade-users-to-latest-office-client.md) (article)
-
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
When you create auto-apply retention label policies for sensitive information, y
![Policy templates with sensitive information types.](../media/sensitive-info-configuration.png)
-To learn more about the sensitivity information types, see [Learn about sensitive information types](sensitive-information-type-learn-about.md#learn-about-sensitive-information-types). Currently, [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types) and [document fingerprinting](document-fingerprinting.md) are not supported for this scenario.
+To learn more about the sensitivity information types, see [Learn about sensitive information types](sensitive-information-type-learn-about.md#learn-about-sensitive-information-types). Currently, [exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types) and [document fingerprinting](document-fingerprinting.md) are not supported for this scenario.
After you select a policy template, you can add or remove any types of sensitive information, and you can change the confidence level and instance count. In the previous example screenshot, these options have been changed so that a retention label will be auto-applied only when:
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
If you prefer, you can recommend to your users that they apply the label. With t
Here's an example of a prompt from the Azure Information Protection unified labeling client when you configure a condition to apply a label as a recommended action, with a custom policy tip. You can choose what text is displayed in the policy tip.
-![Prompt to apply a recommended label.](../media/Sensitivity-label-Prompt-for-required-label.png)
+![Prompt to apply a recommended label.](../media/Sensitivity-label-prompt-for-required-label.png)
### When automatic or recommended labels are applied
compliance Archive Slack Data Microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-slack-data-microsoft.md
The following overview explains the process of using a Microsoft data connector
After you click **Allow**, the Slack page closes and the **Map Slack eDiscovery users to Microsoft 365 users** page in the connector wizard is displayed.
-## Step 3: Map users and select data types to import
+## Step 3: Specify the users to import data for
+
+Select one of the following options to specify which users whose Slack eDiscovery data you want to import.
+
+- **All users in your organization**. Select this option to import data for all users.
+
+- **Only users on Litigation hold**. Select this option to import data only for users whose mailboxes are placed on Litigation hold. This option imports data to user mailboxes that have the LitigationHoldEnabled property set to True. For more information, see [Create a Litigation hold](create-a-litigation-hold.md).
+
+## Step 4: Map users and select data types to import
1. Configure one or both of the following options to map Slack users to their Microsoft 365 mailboxes.
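Review bot: The new Step 3 is inserted directly after the context sentence saying that clicking **Allow** displays the **Map Slack eDiscovery users to Microsoft 365 users** page, which this change renumbers to Step 4; update that sentence so it names the page the wizard shows next. In the added intro line, "which users whose Slack eDiscovery data you want to import" is ungrammatical; "the users whose Slack eDiscovery data you want to import" reads correctly.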
The following overview explains the process of using a Microsoft data connector
3. After you configure the data types to import, click **Next**, review the connector settings, and then click **Finish** to create the connector.
-## Step 4: Monitor the Slack eDiscovery connector
+## Step 5: Monitor the Slack eDiscovery connector
After you create the Slack eDiscovery connector, you can view the connector status in the Microsoft 365 compliance center.
compliance Create Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-sensitivity-labels.md
To edit an existing label policy, select it, and then select the **Edit Policy**
This button starts the **Create policy** configuration, which lets you edit which labels are included and the label settings. When you complete the configuration, any changes are automatically replicated to the selected users and services.
-When you use built-in labeling for Office apps on Windows, macOS, iOS, and Android, users see new labels within four hours, and within one hour for Word, Excel, and PowerPoint on the web when you refresh the browser. However, allow up to 24 hours for changes to replicate to all apps and services.
-
-Other apps and services that support sensitivity labels might update more frequently than 24 hours with their own update schedules and triggers for policy updates. Check their documentation for details. For example, for the Azure Information Protection unified labeling client, see the **Policy update** row in the [Detailed comparisons for the Azure Information Protection clients](/azure/information-protection/rms-client/use-client#detailed-comparisons-for-the-azure-information-protection-clients) table.
-
-> [!TIP]
-> Remember to factor in timing dependencies that can sometimes delay sensitivity labels and label policies from working as expected. For example, populating a new group and group membership changes, network replication latency and bandwidth restrictions, and [group membership caching by the Azure Information Protection service](/azure/information-protection/prepare#group-membership-caching-by-azure-information-protection) for labels that apply encryption.
->
-> With many external dependencies that each have their own timing cycles, itΓÇÖs a good idea to wait 24 hours before you spend time troubleshooting labels and label policies for recent changes.
- ### Additional label policy settings with Security & Compliance Center PowerShell Additional label policy settings are available with the [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) cmdlet from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell). The Azure Information Protection unified labeling client supports many [advanced settings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations) that include migrating from other labeling solutions, and pop-up messages in Outlook that warn, justify, or block emails being sent. For the full list, see [Available advanced settings for label policies](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#available-advanced-settings-for-label-policies) from this client's admin guide.
+## When to expect new labels and changes to take effect
+
+For labels and label policy settings, allow 24 hours for the changes to propagate through the services. There are many external dependencies that each have their own timing cycles, so it's a good idea to wait this 24-hour time period before you spend time troubleshooting labels and label policies for recent changes.
+
+However, there are some scenarios where label and label policy changes can take effect much faster or be longer than 24 hours. For example, for new and deleted sensitivity labels for Word, Excel, and PowerPoint on the web, you might see updates replicate within the hour. But for configurations that depend on populating a new group and group membership changes, or network replication latency and bandwidth restrictions, these changes might take 24-48 hours.
+ ## Use PowerShell for sensitivity labels and their policies You can now use [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell) to create and configure all the settings you see in your labeling admin center. This means that in addition to using PowerShell for settings that aren't available in the labeling admin centers, you can now fully script the creation and maintenance of sensitivity labels and sensitivity label policies.
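Review bot: The two added paragraphs under "When to expect new labels and changes to take effect" give conflicting waits: the first says to wait 24 hours before troubleshooting, while the second says changes that depend on group population or membership might take 24-48 hours. State which wait applies before troubleshooting in the group-dependent case, and reword "can take effect much faster or be longer than 24 hours" to "can take effect much faster or take longer than 24 hours". The removed tip also named group membership caching by the Azure Information Protection service for labels that apply encryption; if that dependency still applies, carry it into the new section.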
compliance Dlp Conditions And Exceptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-conditions-and-exceptions.md
To configure the sender address location at a DLP rule level, the parameter is _
|With importance|condition: *WithImportance* <br/> exception: *ExceptIfWithImportance*|Importance|Messages that are marked with the specified importance level.| |Content character set contains words|condition: *ContentCharacterSetContainsWords* <br/> *ExceptIfContentCharacterSetContainsWords*|CharacterSets|Messages that have any of the specified character set names.| |Has sender override|condition: *HasSenderOverride* <br/> exception: *ExceptIfHasSenderOverride*|n/a|Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information about DLP policies see [Learn about data loss prevention](./dlp-learn-about-dlp.md)|
-|Message type matches|condition: *MessageTypeMatches* <br/> exception: *ExceptIfMessageTypeMatches*|MessageType|Messages of the specified type.|
+|Message type matches|condition: *MessageTypeMatches* <br/> exception: *ExceptIfMessageTypeMatches*|MessageType|Messages of the specified type. **Note**: The available message types are Automatic reply, Auto-forward, Encrypted (S/MIME), Calendaring, Permission controlled (rights management), Voicemail, Signed, Read receipt, and Approval request. |
|The message size is greater than or equal to|condition: *MessageSizeOver* <br/> exception: *ExceptIfMessageSizeOver*|`Size`|Messages where the total size (message plus attachments) is greater than or equal to the specified value. **Note**: Message size limits on mailboxes are evaluated before mail flow rules. A message that's too large for a mailbox will be rejected before a rule with this condition is able to act on the message.| |
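Review bot: The note added to the "Message type matches" row lists the types by display name (Automatic reply, Auto-forward, Encrypted (S/MIME), and so on), while the other columns of this table give cmdlet condition and property names; add the exact values the MessageType property accepts so the row can be used from PowerShell. The added cell also ends with a stray space before the closing `|`.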
compliance Sensitivity Labels Aip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-aip.md
Use the AIP add-in for your Windows Office apps only if you've already deployed
Some features are only supported by built-in labeling for Office apps, and won't be supported by the AIP add-in. These include: - For automatic and recommended labeling:
- - Access to intelligent classification services that include [trainable classifiers](classifier-learn-about.md), [Exact Data Match (EDM)](sit-learn-about-exact-data-match-based-sits.md), and [named entities](named-entities-learn.md)
+ - Access to intelligent classification services that include [trainable classifiers](classifier-learn-about.md), [exact data match (EDM)](sit-learn-about-exact-data-match-based-sits.md), and [named entities](named-entities-learn.md)
- Detection of sensitive information as users type - In Word, users can review and remove the identified sensitive content - For labels that let users assign permissions, different permissions (Read or Change) can be granted to users or groups
compliance Sensitivity Labels Sharepoint Onedrive Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
When you use sensitivity labels with SharePoint and OneDrive, keep in mind that
For example: You create and publish a new sensitivity label that applies encryption and it very quickly appears in a user's desktop app. The user applies this label to a document and then uploads it to SharePoint or OneDrive. If the label replication hasn't completed for the service, the new capabilities won't be applied to that document on upload. As a result, the document won't be returned in search or for eDiscovery and the document can't be opened in Office for the web.
-The following changes replicate within one hour: New and deleted sensitivity labels, and sensitivity label policy settings that include which labels are in the policy.
+For more information about the timing of labels, see [When to expect new labels and changes to take effect](create-sensitivity-labels.md#when-to-expect-new-labels-and-changes-to-take-effect).
-The following changes replicate within 24 hours: Changes to sensitivity label settings for existing labels.
-
-Because the replication delay is only one hour for new sensitivity labels, you are unlikely to run into the scenario in the example. But as a safeguard, we recommend publishing new labels to just a few test users first, wait for an hour, and then verify the label behavior on SharePoint and OneDrive. As the final step, make the label available to more users by either adding more users to the existing label policy, or add the label to an existing label policy for your standard users. At the time your standard users see the label, it has already synchronized to SharePoint and OneDrive.
+As a safeguard, we recommend publishing new labels to just a few test users first, wait for at least one hour, and then verify the label behavior on SharePoint and OneDrive. Wait at least a day before making the label available to more users by either adding more users to the existing label policy, or adding the label to an existing label policy for your standard users. By the time your standard users see the label, it has already synchronized to SharePoint and OneDrive.
## SharePoint Information Rights Management (IRM) and sensitivity labels
However, you can use both protection solutions together and the behavior is as f
With this behavior, you can be assured that all Office and PDF files are protected from unauthorized access if they are downloaded, even if they aren't labeled. However, labeled files that are uploaded won't benefit from the new capabilities. - ## Search for documents by sensitivity label Use the managed property **InformationProtectionLabelId** to find all documents in SharePoint or OneDrive that have a specific sensitivity label. Use the following syntax: `InformationProtectionLabelId:<GUID>`
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
Use the following guidance for when you create, modify, or delete sensitivity la
### Creating and publishing labels that are configured for sites and groups
-When a new sensitivity label is created and published, it's visible for users in teams, groups, and sites within one hour. However, if you modify an existing label, allow up to 24 hours. Use the following guidance to publish a label for your users when that label is configured for site and group settings:
+Use the following guidance to publish a label for your users when that label is configured for site and group settings:
1. After you create and configure the sensitivity label, add this label to a label policy that applies to just a few test users. 2. Wait for the change to replicate:-
- - New label: Wait for one hour.
- - Existing label: Wait for 24 hours.
+
+ - New label: Wait for at least one hour.
+ - Existing label: Wait for at least 24 hours.
+
+ For more information about the timing of labels, see [When to expect new labels and changes to take effect](create-sensitivity-labels.md#when-to-expect-new-labels-and-changes-to-take-effect).
3. After this wait period, use one of the test user accounts to create a team, Microsoft 365 group, or SharePoint site with the label that you created in step 1.
When a new sensitivity label is created and published, it's visible for users in
### Modifying published labels that are configured for sites and groups
-As a best practice, don't change the site and group settings for a sensitivity label after the label has been applied to teams, groups, or sites. If you do, remember to wait for 24 hours for the changes to replicate to all containers that have the label applied.
+As a best practice, don't change the site and group settings for a sensitivity label after the label has been applied to teams, groups, or sites. If you do, remember to wait for at least 24 hours for the changes to replicate to all containers that have the label applied.
In addition, if your changes include the **External users access** setting:
If you delete a sensitivity label that has the site and group settings enabled,
1. Remove the sensitivity label from all label policies that include the label.
-2. Wait for one hour.
+2. Wait for at least one hour.
3. After this wait period, try creating a team, group, or site and confirm that the label is no longer visible.
contentunderstanding Document Understanding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/document-understanding-overview.md
Document understanding models support the following file types:
### Supported languages
-Document understanding models support the following languages:
+Document understanding models support *all* of the Latin-based languages, including:
+ - English - French - German
contentunderstanding Form Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/form-processing-overview.md
An Office 365 admin needs to [enable form processing](./set-up-content-understan
When using form processing models, make sure to note the [requirements and limitations for file usage](/ai-builder/form-processing-model-requirements).
+### Supported languages
+
+Form processing supports documents in more than 73 languages. For the list of languages, see [Form processing language support](/power-platform-release-plan/2021wave2/ai-builder/form-processing-new-language-support).
+ ### Multi-Geo environments When setting up SharePoint Syntex in a [Microsoft 365 Multi-Geo environment](../enterprise/microsoft-365-multi-geo.md), you can only configure it to use form processing in the central location. If you want to use form processing in a satellite location, contact Microsoft support.
contentunderstanding Trial Syntex https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/trial-syntex.md
You can get the trial version from one of the following sources:
2. Go to **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">**Purchase Services**</a>. 3. Scroll down to the **Add-Ons** section. 4. On the SharePoint Syntex tile, select **Details**.
- 5. Select **Get free trial**.
+ 5. Select **Start free trial**.
6. To confirm the trial, follow the remaining wizard steps. You must be a Microsoft 365 global administrator or billing administrator to activate a trial.
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
To obtain the tenant ID of a subscription, sign in to the [Microsoft 365 admin c
# Enable customization if tenant is dehydrated $dehydrated=Get-OrganizationConfig | fl isdehydrated
- if ($dehy -eq $true) {Enable-OrganizationCustomization}
+ if ($dehydrated -eq $true) {Enable-OrganizationCustomization}
$AppId = "[guid copied from the migrations app]"
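Review bot: The corrected `if ($dehydrated -eq $true)` test still cannot work as intended, because the context line above it assigns `$dehydrated` from `Get-OrganizationConfig | fl isdehydrated`, so the variable holds Format-List output rather than the boolean property. Assign the property itself, for example `$dehydrated = (Get-OrganizationConfig).IsDehydrated`, so that `Enable-OrganizationCustomization` runs only when the tenant is actually dehydrated.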
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
description: Learn about where to access the Windows and Office Deployment Lab K
The Windows and Office 365 deployment lab kit is designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise or Windows 11 Enterprise and Microsoft 365 Apps for enterprise. The labs in the kit cover using Microsoft Endpoint Configuration Manager, OneDrive, Windows Autopilot, and more. This kit is highly recommended for organizations preparing for desktop upgrades. As an isolated environment, the lab is also ideal for exploring deployment tool updates and testing your deployment-related automation.
-**Windows 10 and Windows 11 versions of the lab kit are now available for free download in the Microsoft Evaluation Center.**
+**Windows 10 and Windows 11 versions of the deployment lab kit are now available for free download in the Microsoft Evaluation Center.**
-[Download the Windows 10 and Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit)<br>
-[Download the Windows 11 and Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-windows-11-office-365-lab-kit)
+[Download Windows 11 with Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-windows-11-office-365-lab-kit)<br>
+[Download Windows 10 with Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit)
## A complete lab environment
Detailed lab guides take you through multiple deployment and management scenario
- Microsoft Defender Antivirus - Windows Hello for Business
-## Download the lab
-[Download the Windows 10 and Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit)<br>
-[Download the Windows 11 and Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-windows-11-office-365-lab-kit)
- > [!NOTE] > Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows 10 lab expires May 16, 2022. The Windows 11 lab expires May 6, 2022. New versions will be published prior to expiration.
Detailed lab guides take you through multiple deployment and management scenario
## Related resources - [Introducing Microsoft 365](https://www.microsoft.com/microsoft-365/default.aspx)-- [Office 365 for business](https://products.office.com/business/office)
+- [Microsoft 365 for business](https://products.office.com/business/office)
- [Introducing Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security)-- [Windows for business](https://www.microsoft.com/windows/business)
+- [Windows 11 for business](https://www.microsoft.com/windows/business)
includes Microsoft 365 Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md
+## Week of March 21, 2022
++
+| Published On |Topic title | Change |
+|||--|
+| 3/21/2022 | [Enable shared channels with all external organizations](/microsoft-365/solutions/allow-direct-connect-with-all-organizations?view=o365-21vianet) | added |
+| 3/21/2022 | [Collaborate with external participants in a channel](/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-21vianet) | added |
+| 3/21/2022 | [Limit guest sharing to specific organizations](/microsoft-365/solutions/limit-guest-sharing-to-specific-organization?view=o365-21vianet) | added |
+| 3/21/2022 | [Limit who can be invited by an organization](/microsoft-365/solutions/limit-invitations-from-specific-organization?view=o365-21vianet) | added |
+| 3/21/2022 | [Limit organizations where users can have guest accounts](/microsoft-365/solutions/limit-organizations-where-users-have-guest-accounts?view=o365-21vianet) | added |
+| 3/21/2022 | [Limit who can invite guests](/microsoft-365/solutions/limit-who-can-invite-guests?view=o365-21vianet) | added |
+| 3/21/2022 | [Plan external collaboration](/microsoft-365/solutions/plan-external-collaboration?view=o365-21vianet) | added |
+| 3/21/2022 | [Require conditional access for people outside your organization](/microsoft-365/solutions/trust-conditional-access-from-other-organizations?view=o365-21vianet) | added |
+| 3/21/2022 | [Collaborate with guests in a team](/microsoft-365/solutions/collaborate-as-team?view=o365-21vianet) | modified |
+| 3/21/2022 | [Collaborating with people outside your organization](/microsoft-365/solutions/collaborate-with-people-outside-your-organization?view=o365-21vianet) | modified |
+| 3/21/2022 | [Configure teams with protection for highly sensitive data](/microsoft-365/solutions/configure-teams-highly-sensitive-protection?view=o365-21vianet) | modified |
+| 3/21/2022 | [Configure teams with protection for sensitive data](/microsoft-365/solutions/configure-teams-sensitive-protection?view=o365-21vianet) | modified |
+| 3/21/2022 | [Configure Teams with three tiers of file sharing security](/microsoft-365/solutions/configure-teams-three-tiers-protection?view=o365-21vianet) | modified |
+| 3/21/2022 | [Create a secure guest sharing environment](/microsoft-365/solutions/create-secure-guest-sharing-environment?view=o365-21vianet) | modified |
+| 3/21/2022 | [End of lifecycle options for groups, teams, and Yammer](/microsoft-365/solutions/end-life-cycle-groups-teams-sites-yammer?view=o365-21vianet) | modified |
+| 3/21/2022 | [Groups services interactions](/microsoft-365/solutions/groups-services-interactions?view=o365-21vianet) | modified |
+| 3/21/2022 | [Governing access in Microsoft 365 groups, Teams, and SharePoint](/microsoft-365/solutions/groups-teams-access-governance?view=o365-21vianet) | modified |
+| 3/21/2022 | [Set up secure file and document sharing and collaboration with Teams in Microsoft 365](/microsoft-365/solutions/setup-secure-collaboration-with-teams?view=o365-21vianet) | modified |
+| 3/21/2022 | [Detect channel signals with communication compliance](/microsoft-365/compliance/communication-compliance-channels?view=o365-21vianet) | modified |
+| 3/21/2022 | [Get started with Data loss prevention for Power BI](/microsoft-365/compliance/dlp-powerbi-get-started?view=o365-21vianet) | added |
+| 3/21/2022 | [Create and configure retention policies to automatically retain or delete content](/microsoft-365/compliance/create-retention-policies?view=o365-21vianet) | modified |
+| 3/21/2022 | [Data loss prevention and Microsoft Teams](/microsoft-365/compliance/dlp-microsoft-teams?view=o365-21vianet) | modified |
+| 3/21/2022 | [Advanced eDiscovery limits](/microsoft-365/compliance/limits-ediscovery20?view=o365-21vianet) | modified |
+| 3/21/2022 | [Limits for Content search and Core eDiscovery in the compliance center](/microsoft-365/compliance/limits-for-content-search?view=o365-21vianet) | modified |
+| 3/21/2022 | [Learn about retention for Teams](/microsoft-365/compliance/retention-policies-teams?view=o365-21vianet) | modified |
+| 3/21/2022 | [Configure retention settings to automatically retain or delete content](/microsoft-365/compliance/retention-settings?view=o365-21vianet) | modified |
+| 3/21/2022 | [Learn about retention policies & labels to automatically retain or delete content](/microsoft-365/compliance/retention?view=o365-21vianet) | modified |
+| 3/21/2022 | [Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-21vianet) | modified |
+| 3/22/2022 | [Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers (preview)](/microsoft-365/compliance/device-onboarding-offboarding-macos-jamfpro-mde?view=o365-21vianet) | modified |
+| 3/22/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/22/2022 | [Microsoft 365 admin center SharePoint site usage reports](/microsoft-365/admin/activity-reports/sharepoint-site-usage-ww?view=o365-21vianet) | modified |
+| 3/22/2022 | [Configurable settings reference for Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-ref?view=o365-21vianet) | modified |
+| 3/22/2022 | [Onboard devices without Internet access to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboard-offline-machines?view=o365-21vianet) | modified |
+| 3/22/2022 | [Enable Modern authentication for Office 2013 on Windows devices](/microsoft-365/admin/security-and-compliance/enable-modern-authentication?view=o365-21vianet) | modified |
+| 3/22/2022 | [Microsoft 365 compliance solutions trial playbook](/microsoft-365/compliance/compliance-easy-trials-compliance-playbook?view=o365-21vianet) | modified |
+| 3/22/2022 | [Get started with insider risk management](/microsoft-365/compliance/insider-risk-management-configure?view=o365-21vianet) | modified |
+| 3/22/2022 | [Insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-21vianet) | modified |
+| 3/22/2022 | [Records Management in Microsoft 365](/microsoft-365/compliance/records-management?view=o365-21vianet) | modified |
+| 3/22/2022 | [Set up Advanced Audit in Microsoft 365](/microsoft-365/compliance/set-up-advanced-audit?view=o365-21vianet) | modified |
+| 3/22/2022 | [Microsoft 365 documentation # < 60 chars](/microsoft-365/index?view=o365-21vianet) | modified |
+| 3/22/2022 | [Microsoft 365 Security for Business Decision Makers (BDMs)](/microsoft-365/security/microsoft-365-security-for-bdm?view=o365-21vianet) | modified |
+| 3/22/2022 | [Microsoft 365 Zero Trust deployment plan](/microsoft-365/security/microsoft-365-zero-trust?view=o365-21vianet) | modified |
+| 3/22/2022 | [Attack surface reduction rules reference](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-21vianet) | modified |
+| 3/22/2022 | [Find ransomware with advanced hunting](/microsoft-365/security/defender/advanced-hunting-find-ransomware?view=o365-21vianet) | modified |
+| 3/22/2022 | [Get relevant info about an entity with go hunt](/microsoft-365/security/defender/advanced-hunting-go-hunt?view=o365-21vianet) | modified |
+| 3/22/2022 | [Link query results to an incident](/microsoft-365/security/defender/advanced-hunting-link-to-incident?view=o365-21vianet) | modified |
+| 3/22/2022 | [Work with advanced hunting query results in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-results?view=o365-21vianet) | modified |
+| 3/22/2022 | [Data tables in the Microsoft 365 Defender advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-21vianet) | modified |
+| 3/22/2022 | [Use shared queries in Microsoft 365 Defender advanced hunting](/microsoft-365/security/defender/advanced-hunting-shared-queries?view=o365-21vianet) | modified |
+| 3/22/2022 | [Take action on advanced hunting query results in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-21vianet) | modified |
+| 3/22/2022 | [Create an app to access Microsoft 365 Defender APIs on behalf of a user](/microsoft-365/security/defender/api-create-app-user-context?view=o365-21vianet) | modified |
+| 3/22/2022 | [Create an app to access Microsoft 365 Defender without a user](/microsoft-365/security/defender/api-create-app-web?view=o365-21vianet) | modified |
+| 3/22/2022 | [Hello World for Microsoft 365 Defender REST API](/microsoft-365/security/defender/api-hello-world?view=o365-21vianet) | modified |
+| 3/22/2022 | [Partner access through Microsoft 365 Defender APIs](/microsoft-365/security/defender/api-partner-access?view=o365-21vianet) | modified |
+| 3/22/2022 | [Configure your Event Hub](/microsoft-365/security/defender/configure-event-hub?view=o365-21vianet) | modified |
+| 3/22/2022 | [Configure and manage Microsoft Threat Experts capabilities through Microsoft 365 Defender](/microsoft-365/security/defender/configure-microsoft-threat-experts?view=o365-21vianet) | modified |
+| 3/22/2022 | [Create and manage custom detection rules in Microsoft 365 Defender](/microsoft-365/security/defender/custom-detection-rules?view=o365-21vianet) | modified |
+| 3/22/2022 | [Device profile in Microsoft 365 security portal](/microsoft-365/security/defender/device-profile?view=o365-21vianet) | modified |
+| 3/22/2022 | [Create the Microsoft 365 Defender Evaluation Environment for greater cyber security and XDR](/microsoft-365/security/defender/eval-create-eval-environment?view=o365-21vianet) | modified |
+| 3/22/2022 | [Review Microsoft Defender for Endpoint architecture requirements and key concepts](/microsoft-365/security/defender/eval-defender-endpoint-architecture?view=o365-21vianet) | modified |
+| 3/22/2022 | [Enable Microsoft Defender for Endpoint evaluation](/microsoft-365/security/defender/eval-defender-endpoint-enable-eval?view=o365-21vianet) | modified |
+| 3/22/2022 | [Step 4. Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture](/microsoft-365/security/defender/eval-defender-endpoint-overview?view=o365-21vianet) | modified |
+| 3/22/2022 | [Pilot Microsoft Defender for Endpoint](/microsoft-365/security/defender/eval-defender-endpoint-pilot?view=o365-21vianet) | modified |
+| 3/22/2022 | [Review architecture requirements and the technical framework for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-architecture?view=o365-21vianet) | modified |
+| 3/22/2022 | [Enable the evaluation environment for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-enable-eval?view=o365-21vianet) | modified |
+| 3/22/2022 | [Step 2. An Overview of Microsoft 365 Defender for Identity evaluation](/microsoft-365/security/defender/eval-defender-identity-overview?view=o365-21vianet) | modified |
+| 3/22/2022 | [Pilot Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-pilot?view=o365-21vianet) | modified |
+| 3/22/2022 | [Try Microsoft 365 Defender incident response capabilities in a pilot environment](/microsoft-365/security/defender/eval-defender-investigate-respond-additional?view=o365-21vianet) | modified |
+| 3/22/2022 | [Run an attack simulation in a Microsoft 365 Defender pilot environment](/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack?view=o365-21vianet) | modified |
+| 3/22/2022 | [Pilot Microsoft Defender for Office 365, use the evaluation in your production environment](/microsoft-365/security/defender/eval-defender-office-365-pilot?view=o365-21vianet) | modified |
+| 3/22/2022 | [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-21vianet) | modified |
+| 3/22/2022 | [Top 12 tasks for security teams to support working from home](/microsoft-365/security/top-security-tasks-for-remote-work?view=o365-21vianet) | modified |
+| 3/22/2022 | [Microsoft cloud architecture models - enterprise resource planning](/microsoft-365/solutions/cloud-architecture-models?view=o365-21vianet) | modified |
+| 3/22/2022 | [Microsoft 365 productivity illustrations](/microsoft-365/solutions/productivity-illustrations?view=o365-21vianet) | modified |
+| 3/23/2022 | [Top 20 most-viewed admin help articles this month # < 60 chars](/microsoft-365/admin/top-m365-admin-articles?view=o365-21vianet) | modified |
+| 3/23/2022 | [Learn about auto-expanding archiving](/microsoft-365/compliance/autoexpanding-archiving?view=o365-21vianet) | modified |
+| 3/23/2022 | [Change history for Microsoft Managed Desktop documentation](/microsoft-365/managed-desktop/change-history-managed-desktop?view=o365-21vianet) | modified |
+| 3/23/2022 | Microsoft Security Guidance - Political campaigns & nonprofits | removed |
+| 3/23/2022 | [Insider risk management cases](/microsoft-365/compliance/insider-risk-management-cases?view=o365-21vianet) | modified |
+| 3/23/2022 | [Configure Microsoft 365 Lighthouse portal security](/microsoft-365/lighthouse/m365-lighthouse-configure-portal-security?view=o365-21vianet) | modified |
+| 3/23/2022 | [Microsoft 365 Lighthouse frequently asked questions (FAQs)](/microsoft-365/lighthouse/m365-lighthouse-faq?view=o365-21vianet) | modified |
+| 3/23/2022 | [Requirements for Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-requirements?view=o365-21vianet) | modified |
+| 3/23/2022 | [Troubleshoot and resolve problems and error messages in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-troubleshoot?view=o365-21vianet) | modified |
+| 3/23/2022 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-21vianet) | modified |
+| 3/23/2022 | [Create the Microsoft 365 Defender Evaluation Environment for greater cyber security and XDR](/microsoft-365/security/defender/eval-create-eval-environment?view=o365-21vianet) | modified |
+| 3/23/2022 | [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-21vianet) | modified |
+| 3/23/2022 | [Email analysis in investigations for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-21vianet) | modified |
+| 3/23/2022 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-policies?view=o365-21vianet) | modified |
+| 3/23/2022 | [Continuous access evaluation for Microsoft 365 - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/microsoft-365-continuous-access-evaluation?view=o365-21vianet) | modified |
+| 3/23/2022 | [Zero Trust identity and device access configurations - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/microsoft-365-policies-configurations?view=o365-21vianet) | modified |
+| 3/23/2022 | [Threat Explorer and Real-time detections basics in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/real-time-detections?view=o365-21vianet) | modified |
+| 3/23/2022 | [Secure by default in Office 365](/microsoft-365/security/office-365-security/secure-by-default?view=o365-21vianet) | modified |
+| 3/23/2022 | [Remove yourself from the blocked senders list and address 5.7.511 Access denied errors](/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis?view=o365-21vianet) | modified |
+| 3/23/2022 | [View Defender for Office 365 reports](/microsoft-365/security/office-365-security/view-reports-for-mdo?view=o365-21vianet) | modified |
+| 3/23/2022 | [Microsoft 365 solution and architecture center # < 60 chars](/microsoft-365/solutions/index?view=o365-21vianet) | modified |
+| 3/23/2022 | [Microsoft 365 productivity illustrations](/microsoft-365/solutions/productivity-illustrations?view=o365-21vianet) | modified |
+| 3/24/2022 | [Onboard macOS devices into Microsoft 365 overview (preview)](/microsoft-365/compliance/device-onboarding-macos-overview?view=o365-21vianet) | modified |
+| 3/24/2022 | [Onboard Windows 10 or Windows 11 devices into Microsoft 365 overview](/microsoft-365/compliance/device-onboarding-overview?view=o365-21vianet) | modified |
+| 3/24/2022 | [Microsoft 365 Lighthouse Windows 365 (Cloud PCs) page overview](/microsoft-365/lighthouse/m365-lighthouse-win365-page-overview?view=o365-21vianet) | modified |
+| 3/24/2022 | [Manage Microsoft feedback for your organization](/microsoft-365/admin/manage/manage-feedback-ms-org?view=o365-21vianet) | modified |
+| 3/24/2022 | [Azure Active Directory setup guides](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-21vianet) | modified |
+| 3/24/2022 | [GDPR simplified A guide for your small business](/microsoft-365/admin/security-and-compliance/gdpr-compliance?view=o365-21vianet) | modified |
+| 3/24/2022 | [Increase threat protection for Microsoft 365 Business Premium](/microsoft-365/admin/security-and-compliance/set-up-compliance?view=o365-21vianet) | modified |
+| 3/24/2022 | [Set up Windows devices for Microsoft 365 Business Premium users](/microsoft-365/admin/setup/set-up-windows-devices?view=o365-21vianet) | modified |
+| 3/24/2022 | [Increase threat protection for Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-increase-protection?view=o365-21vianet) | modified |
+| 3/24/2022 | [Troubleshoot and resolve problems and error messages in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-troubleshoot?view=o365-21vianet) | modified |
+| 3/24/2022 | [Microsoft Defender for Business](/microsoft-365/security/defender-business/index?view=o365-21vianet) | modified |
+| 3/24/2022 | [Outbound delivery pools](/microsoft-365/security/office-365-security/high-risk-delivery-pool-for-outbound-messages?view=o365-21vianet) | modified |
+| 3/24/2022 | [Permissions - Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-21vianet) | modified |
+| 3/25/2022 | [Customer Lockbox Requests](/microsoft-365/compliance/customer-lockbox-requests?view=o365-21vianet) | modified |
+| 3/25/2022 | [Get started driving adoption of Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/adoption-getstarted) | modified |
+| 3/25/2022 | [Scenarios and use cases for Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/adoption-scenarios) | modified |
+| 3/25/2022 | [Run a trial of Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/trial-syntex) | modified |
+| 3/25/2022 | [Manage Skype for Business Online with PowerShell](/microsoft-365/enterprise/manage-skype-for-business-online-with-microsoft-365-powershell?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure advanced features in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/advanced-features?view=o365-21vianet) | modified |
+| 3/25/2022 | [Advanced hunting schema reference](/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference?view=o365-21vianet) | modified |
+| 3/25/2022 | [View and organize the Microsoft Defender for Endpoint Alerts queue](/microsoft-365/security/defender-endpoint/alerts-queue?view=o365-21vianet) | modified |
+| 3/25/2022 | [Provide feedback on the Microsoft Defender for Endpoint Client Analyzer tool](/microsoft-365/security/defender-endpoint/analyzer-feedback?view=o365-21vianet) | modified |
+| 3/25/2022 | [Understand the client analyzer HTML report](/microsoft-365/security/defender-endpoint/analyzer-report?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-21vianet) | modified |
+| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-21vianet) | modified |
+| 3/25/2022 | [Troubleshoot issues on Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-support-signin?view=o365-21vianet) | modified |
+| 3/25/2022 | [Hello World for Microsoft Defender for Endpoint API](/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-21vianet) | modified |
+| 3/25/2022 | [How to use Power Automate Connector to set up a Flow for events](/microsoft-365/security/defender-endpoint/api-microsoft-flow?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Endpoint APIs connection to Power BI](/microsoft-365/security/defender-endpoint/api-power-bi?view=o365-21vianet) | modified |
+| 3/25/2022 | [Implement attack surface reduction (ASR) rules deployment](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement?view=o365-21vianet) | modified |
+| 3/25/2022 | [Operationalize attack surface reduction (ASR) rules deployment](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize?view=o365-21vianet) | modified |
+| 3/25/2022 | [Plan ASR rules attack surface reduction deployment rules deployment](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan?view=o365-21vianet) | modified |
+| 3/25/2022 | [Test attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test?view=o365-21vianet) | modified |
+| 3/25/2022 | [ASR rules deployment prerequisites](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment?view=o365-21vianet) | modified |
+| 3/25/2022 | [Use attack surface reduction rules to prevent malware infection](/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-21vianet) | modified |
+| 3/25/2022 | [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center?view=o365-21vianet) | modified |
+| 3/25/2022 | [Take response actions on a file in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Permissions - Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-21vianet) | modified |
+| 3/25/2022 | [Collaborate with external participants in a channel](/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft 365 Security for Business Decision Makers (BDMs)](/microsoft-365/security/microsoft-365-security-for-bdm?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft 365 Zero Trust deployment plan](/microsoft-365/security/microsoft-365-zero-trust?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manage active content in Office documents for IT admins](/microsoft-365/security/active-content-in-trusted-docs?view=o365-21vianet) | modified |
+| 3/25/2022 | [Behavioral blocking and containment](/microsoft-365/security/defender-endpoint/behavioral-blocking-containment?view=o365-21vianet) | modified |
+| 3/25/2022 | [Check the health state of the sensor at Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-21vianet) | modified |
+| 3/25/2022 | [Client behavioral blocking](/microsoft-365/security/defender-endpoint/client-behavioral-blocking?view=o365-21vianet) | modified |
+| 3/25/2022 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-21vianet) | modified |
+| 3/25/2022 | [Cloud protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Collect diagnostic data of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/collect-diagnostic-data?view=o365-21vianet) | modified |
+| 3/25/2022 | [Enable block at first sight to detect malware in seconds](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboard Windows devices to Microsoft Defender for Endpoint via Group Policy](/microsoft-365/security/defender-endpoint/configure-endpoints-gp?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboard Windows devices using Configuration Manager](/microsoft-365/security/defender-endpoint/configure-endpoints-sccm?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboard Windows devices using a local script](/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboarding tools and methods for Windows devices](/microsoft-365/security/defender-endpoint/configure-endpoints?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure and validate exclusions based on extension, name, or location](/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Optimize ASR rule deployment and detections](/microsoft-365/security/defender-endpoint/configure-machines-asr?view=o365-21vianet) | modified |
+| 3/25/2022 | [Get devices onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-machines-onboarding?view=o365-21vianet) | modified |
+| 3/25/2022 | [Increase compliance to the Microsoft Defender for Endpoint security baseline](/microsoft-365/security/defender-endpoint/configure-machines-security-baseline?view=o365-21vianet) | modified |
+| 3/25/2022 | [Ensure your devices are configured properly](/microsoft-365/security/defender-endpoint/configure-machines?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure and manage Microsoft Threat Experts capabilities](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure and validate Microsoft Defender Antivirus network connections](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure device proxy and Internet connection settings](/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-21vianet) | modified |
+| 3/25/2022 | [Enable and configure Microsoft Defender Antivirus protection capabilities](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboard Windows servers to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-21vianet) | modified |
+| 3/25/2022 | [Connected applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/connected-applications?view=o365-21vianet) | modified |
+| 3/25/2022 | [Contact Microsoft Defender for Endpoint support](/microsoft-365/security/defender-endpoint/contact-support?view=o365-21vianet) | modified |
+| 3/25/2022 | [Enable Corelight integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/corelight-integration?view=o365-21vianet) | modified |
+| 3/25/2022 | [Customize controlled folder access](/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-21vianet) | modified |
+| 3/25/2022 | [Data collection for advanced troubleshooting on Windows](/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-21vianet) | modified |
+| 3/25/2022 | [Address false positives/negatives in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives?view=o365-21vianet) | modified |
+| 3/25/2022 | [Overview of Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1?view=o365-21vianet) | modified |
+| 3/25/2022 | [Deployment phases](/microsoft-365/security/defender-endpoint/deployment-phases?view=o365-21vianet) | modified |
+| 3/25/2022 | [Deploy Microsoft Defender for Endpoint in rings](/microsoft-365/security/defender-endpoint/deployment-rings?view=o365-21vianet) | modified |
+| 3/25/2022 | [Plan your Microsoft Defender for Endpoint deployment](/microsoft-365/security/defender-endpoint/deployment-strategy?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-21vianet) | modified |
+| 3/25/2022 | [Protect your organization's data with device control](/microsoft-365/security/defender-endpoint/device-control-report?view=o365-21vianet) | modified |
+| 3/25/2022 | [Device discovery overview](/microsoft-365/security/defender-endpoint/device-discovery?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Endpoint device timeline event flags](/microsoft-365/security/defender-endpoint/device-timeline-event-flag?view=o365-21vianet) | modified |
+| 3/25/2022 | [Endpoint detection and response in block mode](/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-21vianet) | modified |
+| 3/25/2022 | [Enable attack surface reduction rules](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-21vianet) | modified |
+| 3/25/2022 | [Turn on cloud protection in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Enable controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-21vianet) | modified |
+| 3/25/2022 | [Turn on exploit protection to help mitigate against attacks](/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-21vianet) | modified |
+| 3/25/2022 | [Enable Microsoft Defender for IoT integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration?view=o365-21vianet) | modified |
+| 3/25/2022 | [Turn on network protection](/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-21vianet) | modified |
+| 3/25/2022 | [Evaluate network protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Endpoint evaluation lab](/microsoft-365/security/defender-endpoint/evaluation-lab?view=o365-21vianet) | modified |
+| 3/25/2022 | [Use Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp?view=o365-21vianet) | modified |
+| 3/25/2022 | [Create an Application to access Microsoft Defender for Endpoint without a user](/microsoft-365/security/defender-endpoint/exposed-apis-create-app-partners?view=o365-21vianet) | modified |
+| 3/25/2022 | [Create an app to access Microsoft Defender for Endpoint without a user](/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-21vianet) | modified |
+| 3/25/2022 | [Grant access to managed security service provider (MSSP)](/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o365-21vianet) | modified |
+| 3/25/2022 | [Host firewall reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/host-firewall-reporting?view=o365-21vianet) | modified |
+| 3/25/2022 | [Import, export, and deploy exploit protection configurations](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml?view=o365-21vianet) | modified |
+| 3/25/2022 | [Create indicators for files](/microsoft-365/security/defender-endpoint/indicator-file?view=o365-21vianet) | modified |
+| 3/25/2022 | [Use sensitivity labels to prioritize incident response](/microsoft-365/security/defender-endpoint/information-protection-investigation?view=o365-21vianet) | modified |
+| 3/25/2022 | [Investigate Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/investigate-alerts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Investigate connection events that occur behind forward proxies](/microsoft-365/security/defender-endpoint/investigate-behind-proxy?view=o365-21vianet) | modified |
+| 3/25/2022 | [Investigate Microsoft Defender for Endpoint files](/microsoft-365/security/defender-endpoint/investigate-files?view=o365-21vianet) | modified |
+| 3/25/2022 | [Investigate incidents in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-incidents?view=o365-21vianet) | modified |
+| 3/25/2022 | [Investigate devices in the Defender for Endpoint Devices list](/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-21vianet) | modified |
+| 3/25/2022 | [Investigate a user account in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-user?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-21vianet) | modified |
+| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-install-unmanaged?view=o365-21vianet) | modified |
+| 3/25/2022 | [App-based deployment for Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-install?view=o365-21vianet) | modified |
+| 3/25/2022 | [Troubleshoot issues and find answers on FAQs related to Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-troubleshoot?view=o365-21vianet) | modified |
+| 3/25/2022 | [Enable the limited periodic Microsoft Defender Antivirus scanning feature](/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-21vianet) | modified |
+| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on Linux with Ansible](/microsoft-365/security/defender-endpoint/linux-install-with-ansible?view=o365-21vianet) | modified |
+| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on Linux with Puppet](/microsoft-365/security/defender-endpoint/linux-install-with-puppet?view=o365-21vianet) | modified |
+| 3/25/2022 | [How to schedule scans with Microsoft Defender for Endpoint (Linux)](/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde?view=o365-21vianet) | modified |
+| 3/25/2022 | [Investigate entities on devices using live response in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/live-response?view=o365-21vianet) | modified |
+| 3/25/2022 | [Device control for macOS](/microsoft-365/security/defender-endpoint/mac-device-control-overview?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure and validate exclusions for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-exclusions?view=o365-21vianet) | modified |
+| 3/25/2022 | [Log in to Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manual deployment for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-21vianet) | modified |
+| 3/25/2022 | [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-21vianet) | modified |
+| 3/25/2022 | [Set up device groups in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups?view=o365-21vianet) | modified |
+| 3/25/2022 | [Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices?view=o365-21vianet) | modified |
+| 3/25/2022 | [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [Troubleshoot kernel extension issues in Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-kext?view=o365-21vianet) | modified |
+| 3/25/2022 | [Troubleshoot license issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-license?view=o365-21vianet) | modified |
+| 3/25/2022 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-perf?view=o365-21vianet) | modified |
+| 3/25/2022 | [New configuration profiles for macOS Catalina and newer versions of macOS](/microsoft-365/security/defender-endpoint/mac-sysext-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [Deploy updates for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-updates?view=o365-21vianet) | modified |
+| 3/25/2022 | [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports?view=o365-21vianet) | modified |
+| 3/25/2022 | [Create and manage device tags](/microsoft-365/security/defender-endpoint/machine-tags?view=o365-21vianet) | modified |
+| 3/25/2022 | [Device inventory](/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manage Microsoft Defender for Endpoint incidents](/microsoft-365/security/defender-endpoint/manage-incidents?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manage how and where Microsoft Defender Antivirus receives updates](/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Overview of management and APIs](/microsoft-365/security/defender-endpoint/management-apis?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Endpoint Device Control Device Installation](/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manage Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-p1-maintenance-operations?view=o365-21vianet) | modified |
+| 3/25/2022 | [Set up and configure Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration?view=o365-21vianet) | modified |
+| 3/25/2022 | [Get started with Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-plan1-getting-started?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender Offline in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-offline?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-21vianet) | modified |
+| 3/25/2022 | [Network device discovery and vulnerability management](/microsoft-365/security/defender-endpoint/network-devices?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboard devices and configure Microsoft Defender for Endpoint capabilities](/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboard previous versions of Windows on Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboard-downlevel?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboarding using Microsoft Endpoint Configuration Manager](/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboarding using Microsoft Endpoint Manager](/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-21vianet) | modified |
+| 3/25/2022 | [Create an onboarding or offboarding notification rule](/microsoft-365/security/defender-endpoint/onboarding-notification?view=o365-21vianet) | modified |
+| 3/25/2022 | [Onboard to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/onboarding?view=o365-21vianet) | modified |
+| 3/25/2022 | [Protect security settings with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-21vianet) | modified |
+| 3/25/2022 | [Hide the Microsoft Defender Antivirus interface](/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Turn on the preview experience in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/preview-settings?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Endpoint Device Control Printer Protection](/microsoft-365/security/defender-endpoint/printer-protection?view=o365-21vianet) | modified |
+| 3/25/2022 | [Set up Microsoft Defender for Endpoint deployment](/microsoft-365/security/defender-endpoint/production-deployment?view=o365-21vianet) | modified |
+| 3/25/2022 | [Stream Microsoft Defender for Endpoint events to Azure Event Hubs](/microsoft-365/security/defender-endpoint/raw-data-export-event-hub?view=o365-21vianet) | modified |
+| 3/25/2022 | [Stream Microsoft Defender for Endpoint events to your Storage account](/microsoft-365/security/defender-endpoint/raw-data-export-storage?view=o365-21vianet) | modified |
+| 3/25/2022 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Review alerts in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/review-alerts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Review the results of Microsoft Defender Antivirus scans](/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-21vianet) | modified |
+| 3/25/2022 | [Run the client analyzer on Windows](/microsoft-365/security/defender-endpoint/run-analyzer-windows?view=o365-21vianet) | modified |
+| 3/25/2022 | [Run a detection test on a device to verify it has been properly onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/run-detection-test?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender Security Center Security operations dashboard](/microsoft-365/security/defender-endpoint/security-operations-dashboard?view=o365-21vianet) | modified |
+| 3/25/2022 | [Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/switch-to-mde-overview?view=o365-21vianet) | modified |
+| 3/25/2022 | [Switch to Microsoft Defender for Endpoint - Prepare](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-1?view=o365-21vianet) | modified |
+| 3/25/2022 | [Switch to Microsoft Defender for Endpoint - Setup](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2?view=o365-21vianet) | modified |
+| 3/25/2022 | [Switch to Microsoft Defender for Endpoint - Onboard](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3?view=o365-21vianet) | modified |
+| 3/25/2022 | [Techniques in the device timeline](/microsoft-365/security/defender-endpoint/techniques-device-timeline?view=o365-21vianet) | modified |
+| 3/25/2022 | [Understand the analyst report section in threat analytics.](/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports?view=o365-21vianet) | modified |
+| 3/25/2022 | [Track and respond to emerging threats with Microsoft Defender for Endpoint threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics?view=o365-21vianet) | modified |
+| 3/25/2022 | [Event timeline in threat and vulnerability management](/microsoft-365/security/defender-endpoint/threat-and-vuln-mgt-event-timeline?view=o365-21vianet) | modified |
+| 3/25/2022 | [Threat protection report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft 365 Defender time zone settings](/microsoft-365/security/defender-endpoint/time-settings?view=o365-21vianet) | modified |
+| 3/25/2022 | [Report and troubleshoot Microsoft Defender for Endpoint ASR Rules](/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-21vianet) | modified |
+| 3/25/2022 | [Collect support logs in Microsoft Defender for Endpoint using live response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-21vianet) | modified |
+| 3/25/2022 | [Troubleshoot onboarding issues and error messages](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages?view=o365-21vianet) | modified |
+| 3/25/2022 | [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-21vianet) | modified |
+| 3/25/2022 | [Troubleshoot performance issues](/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues?view=o365-21vianet) | modified |
+| 3/25/2022 | [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt?view=o365-21vianet) | modified |
+| 3/25/2022 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-21vianet) | modified |
+| 3/25/2022 | [Assign device value - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-assign-device-value?view=o365-21vianet) | modified |
+| 3/25/2022 | [Dashboard insights - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights?view=o365-21vianet) | modified |
+| 3/25/2022 | [Plan for end-of-support software and software versions](/microsoft-365/security/defender-endpoint/tvm-end-of-support-software?view=o365-21vianet) | modified |
+| 3/25/2022 | [Create and view exceptions for security recommendations - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-exception?view=o365-21vianet) | modified |
+| 3/25/2022 | [Exposure score in threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-exposure-score?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Secure Score for Devices](/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices?view=o365-21vianet) | modified |
+| 3/25/2022 | [Remediate vulnerabilities with threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-remediation?view=o365-21vianet) | modified |
+| 3/25/2022 | [Security recommendations by threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-security-recommendation?view=o365-21vianet) | modified |
+| 3/25/2022 | [Software inventory in threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-software-inventory?view=o365-21vianet) | modified |
+| 3/25/2022 | [Vulnerable devices report - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-vulnerable-devices-report?view=o365-21vianet) | modified |
+| 3/25/2022 | [Vulnerabilities in my organization - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-weaknesses?view=o365-21vianet) | modified |
+| 3/25/2022 | [Mitigate zero-day vulnerabilities - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-zero-day-vulnerabilities?view=o365-21vianet) | modified |
+| 3/25/2022 | [View and organize the Incidents queue](/microsoft-365/security/defender-endpoint/view-incidents-queue?view=o365-21vianet) | modified |
+| 3/25/2022 | [Web content filtering](/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-21vianet) | modified |
+| 3/25/2022 | [Monitoring web browsing security in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/web-protection-monitoring?view=o365-21vianet) | modified |
+| 3/25/2022 | [Web protection](/microsoft-365/security/defender-endpoint/web-protection-overview?view=o365-21vianet) | modified |
+| 3/25/2022 | [Respond to web threats in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/web-protection-response?view=o365-21vianet) | modified |
+| 3/25/2022 | [Why cloud protection should be enabled for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/why-cloud-protection-should-be-on-mdav?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure Directory Services account in Microsoft Defender for Identity](/microsoft-365/security/defender-identity/directory-service-accounts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Identity entity tags in Microsoft 365 Defender](/microsoft-365/security/defender-identity/entity-tags?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Identity detection exclusions in Microsoft 365 Defender](/microsoft-365/security/defender-identity/exclusions?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Identity security alerts in Microsoft 365 Defender](/microsoft-365/security/defender-identity/manage-security-alerts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Identity notifications in Microsoft 365 Defender](/microsoft-365/security/defender-identity/notifications?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Identity sensor health and settings in Microsoft 365 Defender](/microsoft-365/security/defender-identity/sensor-health?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Identity VPN integration in Microsoft 365 Defender](/microsoft-365/security/defender-identity/vpn-integration?view=o365-21vianet) | modified |
+| 3/25/2022 | [About the Microsoft Defender for Office 365 trial](/microsoft-365/security/office-365-security/about-defender-for-office-365-trial?view=o365-21vianet) | modified |
+| 3/25/2022 | [Address compromised user accounts with automated investigation and response](/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-21vianet) | modified |
+| 3/25/2022 | [Admin review for reported messages](/microsoft-365/security/office-365-security/admin-review-reported-message?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-21vianet) | modified |
+| 3/25/2022 | [Anti-spoofing protection](/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-21vianet) | modified |
+| 3/25/2022 | [Attack simulation training deployment considerations and FAQ](/microsoft-365/security/office-365-security/attack-simulation-training-faq?view=o365-21vianet) | modified |
+| 3/25/2022 | [Insights and reports Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights?view=o365-21vianet) | modified |
+| 3/25/2022 | [Payload automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations?view=o365-21vianet) | modified |
+| 3/25/2022 | [Create custom payloads for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-21vianet) | modified |
+| 3/25/2022 | [Simulation automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-21vianet) | modified |
+| 3/25/2022 | [Simulate a phishing attack with Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training?view=o365-21vianet) | modified |
+| 3/25/2022 | [How automated investigation and response works in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/automated-investigation-response-office?view=o365-21vianet) | modified |
+| 3/25/2022 | [Protection features in Azure Information Protection rolling out to existing tenants](/microsoft-365/security/office-365-security/azure-ip-protection-features?view=o365-21vianet) | modified |
+| 3/25/2022 | [Campaign Views in Microsoft Defender for Office 365 Plan](/microsoft-365/security/office-365-security/campaigns?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configuration analyzer for security policies](/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [Create safe sender lists](/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-21vianet) | modified |
+| 3/25/2022 | [Email analysis in investigations for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-21vianet) | modified |
+| 3/25/2022 | [Email security with Threat Explorer in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/email-security-in-microsoft-defender?view=o365-21vianet) | modified |
+| 3/25/2022 | [Enable the Report Message or the Report Phishing add-ins](/microsoft-365/security/office-365-security/enable-the-report-message-add-in?view=o365-21vianet) | modified |
+| 3/25/2022 | [Exchange Online Protection (EOP) overview](/microsoft-365/security/office-365-security/exchange-online-protection-overview?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configuring and controlling external email forwarding in Microsoft 365.](/microsoft-365/security/office-365-security/external-email-forwarding?view=o365-21vianet) | modified |
+| 3/25/2022 | [Find and release quarantined messages as a user](/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user?view=o365-21vianet) | modified |
+| 3/25/2022 | [Identity and device access policies for allowing guest and external user B2B access - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-policies-guest-access?view=o365-21vianet) | modified |
+| 3/25/2022 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [Prerequisite work for implementing identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-prerequisites?view=o365-21vianet) | modified |
+| 3/25/2022 | [Impersonation insight](/microsoft-365/security/office-365-security/impersonation-insight?view=o365-21vianet) | modified |
+| 3/25/2022 | [Application Guard for Office for admins](/microsoft-365/security/office-365-security/install-app-guard?view=o365-21vianet) | modified |
+| 3/25/2022 | [Use Microsoft Defender for Office 365 together with Microsoft Defender for Endpoint](/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde?view=o365-21vianet) | modified |
+| 3/25/2022 | [Investigate malicious email that was delivered in Microsoft 365, Find and investigate malicious email](/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered?view=o365-21vianet) | modified |
+| 3/25/2022 | [Spoof intelligence insight](/microsoft-365/security/office-365-security/learn-about-spoof-intelligence?view=o365-21vianet) | modified |
+| 3/25/2022 | [Mail flow insights in the Mail flow dashboard](/microsoft-365/security/office-365-security/mail-flow-insights-v2?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manage your allows in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-21vianet) | modified |
+| 3/25/2022 | [Recommended Microsoft Defender for Cloud Apps policies for SaaS apps - Microsoft 365 Enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/mcas-saas-access-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [The Microsoft Defender for Office 365 email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page?view=o365-21vianet) | modified |
+| 3/25/2022 | [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/mdo-for-spo-odb-and-teams?view=o365-21vianet) | modified |
+| 3/25/2022 | [Auto-forwarded messages insight](/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report?view=o365-21vianet) | modified |
+| 3/25/2022 | [Top domain mail flow status insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-domain-mail-flow-status-insight?view=o365-21vianet) | modified |
+| 3/25/2022 | [Mail flow map](/microsoft-365/security/office-365-security/mfi-mail-flow-map-report?view=o365-21vianet) | modified |
+| 3/25/2022 | [Fix possible mail loop insight](/microsoft-365/security/office-365-security/mfi-mail-loop-insight?view=o365-21vianet) | modified |
+| 3/25/2022 | [New domains being forwarded email insight](/microsoft-365/security/office-365-security/mfi-new-domains-being-forwarded-email?view=o365-21vianet) | modified |
+| 3/25/2022 | [New users forwarding email insight](/microsoft-365/security/office-365-security/mfi-new-users-forwarding-email?view=o365-21vianet) | modified |
+| 3/25/2022 | [Non-accepted domain report in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-non-accepted-domain-report?view=o365-21vianet) | modified |
+| 3/25/2022 | [Non-delivery report in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-non-delivery-report?view=o365-21vianet) | modified |
+| 3/25/2022 | [Outbound and inbound mail flow insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-outbound-and-inbound-mail-flow?view=o365-21vianet) | modified |
+| 3/25/2022 | [Queues insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues?view=o365-21vianet) | modified |
+| 3/25/2022 | [Fix slow mail flow rules insight](/microsoft-365/security/office-365-security/mfi-slow-mail-flow-rules-insight?view=o365-21vianet) | modified |
+| 3/25/2022 | [SMTP Auth clients insight and report in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-smtp-auth-clients-report?view=o365-21vianet) | modified |
+| 3/25/2022 | [Zero Trust identity and device access configurations - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/microsoft-365-policies-configurations?view=o365-21vianet) | modified |
+| 3/25/2022 | [Migrate to Microsoft Defender for Office 365 Phase 3: Onboard](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard?view=o365-21vianet) | modified |
+| 3/25/2022 | [Migrate to Microsoft Defender for Office 365 Phase 1: Prepare](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-prepare?view=o365-21vianet) | modified |
+| 3/25/2022 | [Migrate to Microsoft Defender for Office 365 Phase 2: Setup](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup?view=o365-21vianet) | modified |
+| 3/25/2022 | [Migrate from a third-party protection service to Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365?view=o365-21vianet) | modified |
+| 3/25/2022 | [Monitor for leaks of personal data](/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data?view=o365-21vianet) | modified |
+| 3/25/2022 | [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-air?view=o365-21vianet) | modified |
+| 3/25/2022 | [Threat investigation & response capabilities - Microsoft Defender for Office 365 Plan 2](/microsoft-365/security/office-365-security/office-365-ti?view=o365-21vianet) | modified |
+| 3/25/2022 | [Office 365 Security overview, Microsoft Defender for Office 365, EOP, MSDO](/microsoft-365/security/office-365-security/old-index?view=o365-21vianet) | modified |
+| 3/25/2022 | [Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection](/microsoft-365/security/office-365-security/overview?view=o365-21vianet) | modified |
+| 3/25/2022 | [Permissions in the Microsoft 365 Defender portal](/microsoft-365/security/office-365-security/permissions-microsoft-365-security-center?view=o365-21vianet) | modified |
+| 3/25/2022 | [Step-by-step threat protection stack in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365?view=o365-21vianet) | modified |
+| 3/25/2022 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [Report false positives and false negatives in Outlook](/microsoft-365/security/office-365-security/report-false-positives-and-false-negatives?view=o365-21vianet) | modified |
+| 3/25/2022 | [Smart reports, insights - Microsoft 365 Security & Compliance Center](/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance?view=o365-21vianet) | modified |
+| 3/25/2022 | [Safe Documents in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-docs?view=o365-21vianet) | modified |
+| 3/25/2022 | [Complete Safe Links overview for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links?view=o365-21vianet) | modified |
+| 3/25/2022 | [Secure email recommended policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [Security dashboard overview](/microsoft-365/security/office-365-security/security-dashboard?view=o365-21vianet) | modified |
+| 3/25/2022 | [Security recommendations for priority accounts in Microsoft 365, priority accounts, priority accounts in Office 365, priority accounts in Microsoft 365](/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts?view=o365-21vianet) | modified |
+| 3/25/2022 | [Anti-phishing policies](/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [Recommended secure document policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/sharepoint-file-access-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [Submit malware and non-malware to Microsoft for analysis](/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis?view=o365-21vianet) | modified |
+| 3/25/2022 | [Recommended Teams policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/teams-access-policies?view=o365-21vianet) | modified |
+| 3/25/2022 | [Configure your Microsoft 365 tenant for increased security](/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security?view=o365-21vianet) | modified |
+| 3/25/2022 | [Views in Threat Explorer and real-time detections](/microsoft-365/security/office-365-security/threat-explorer-views?view=o365-21vianet) | modified |
+| 3/25/2022 | [Threat Explorer and Real-time detections](/microsoft-365/security/office-365-security/threat-explorer?view=o365-21vianet) | modified |
+| 3/25/2022 | [Threat hunting in Threat Explorer for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/threat-hunting-in-threat-explorer?view=o365-21vianet) | modified |
+| 3/25/2022 | [Threat Trackers - New and Noteworthy](/microsoft-365/security/office-365-security/threat-trackers?view=o365-21vianet) | modified |
+| 3/25/2022 | [Microsoft Defender for Office 365 trial playbook](/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365?view=o365-21vianet) | modified |
+| 3/25/2022 | [How to use DKIM for email in your custom domain](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-21vianet) | modified |
+| 3/25/2022 | [Use DMARC to validate email, setup steps](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-21vianet) | modified |
+| 3/25/2022 | [Use Azure Privileged Identity Management (PIM) in Microsoft Defender for Office 365 to limit admin access to cyber security tools.](/microsoft-365/security/office-365-security/use-privileged-identity-management-in-defender-for-office-365?view=o365-21vianet) | modified |
+| 3/25/2022 | [Quarantine notifications (end-user spam notifications) in Microsoft 365](/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages?view=o365-21vianet) | modified |
+| 3/25/2022 | [Remove yourself from the blocked senders list and address 5.7.511 Access denied errors](/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis?view=o365-21vianet) | modified |
+| 3/25/2022 | [View email security reports](/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-21vianet) | modified |
+| 3/25/2022 | [View mail flow reports in the Reports dashboard](/microsoft-365/security/office-365-security/view-mail-flow-reports?view=o365-21vianet) | modified |
+| 3/25/2022 | [View Defender for Office 365 reports](/microsoft-365/security/office-365-security/view-reports-for-mdo?view=o365-21vianet) | modified |
+| 3/25/2022 | [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight](/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight?view=o365-21vianet) | modified |
+| 3/25/2022 | [Top 12 tasks for security teams to support working from home](/microsoft-365/security/top-security-tasks-for-remote-work?view=o365-21vianet) | modified |
++ ## Week of March 14, 2022
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
The following downloadable spreadsheet lists the services and their associated U
<br>
-****
|Spreadsheet of domains list| Description| |||
-|:::image type="content" source="images/mdatp-urls.png" alt-text="The Microsoft Defender for Endpoint URLs spreadsheet" lightbox="images/mdatp-urls.png":::|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)|
-|
+|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. In your firewall, open all the URLs where the geography column is WW. For rows where the geography column isn't WW, open the URLs to your specific data location. To verify your data location setting, see [Verify data storage location and update data retention settings for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/data-retention-settings).
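Review bot: the two added rows end at the link with no closing `|`, while the header row above them is pipe-terminated and the removed row closed its cell. As shown, the table runs straight into the HTTPS scanning paragraph, which still refers to "the domains listed in the above table". Terminate both rows, drop the stray leading space on the Gov/GCC/DoD row, and keep a blank line before the paragraph so the firewall guidance is not rendered as part of the last cell.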
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
For other Windows server versions, you have two options to offboard Windows serv
- Uninstall the MMA agent - Remove the Defender for Endpoint workspace configuration
->[!NOTE]
-> These offboarding instructions for other Windows server versions also apply if you are running the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unfiied solution are at [Server migration scenarios in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration).
+> [!NOTE]
+> These offboarding instructions for other Windows server versions also apply if you are running the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unified solution are at [Server migration scenarios in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration).
## Related topics
security Evaluate Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-mde.md
You can also evaluate the different security capabilities in Microsoft Defender
These capabilities help prevent attacks and exploitations from infecting your organization. -- [Evaluate attack surface reduction](./evaluate-attack-surface-reduction.md) - [Evaluate exploit protection](./evaluate-exploit-protection.md) - [Evaluate network protection](./evaluate-exploit-protection.md) - [Evaluate controlled folder access](./evaluate-controlled-folder-access.md)
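Review bot: in the list touched here, `[Evaluate network protection](./evaluate-exploit-protection.md)` points at the same target as the exploit protection item before it. Since the line is already being edited, point the network protection item at its own evaluation article so readers testing that control land on the correct page.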
security Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection.md
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
> [!WARNING] > Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network.
-## Review exploit protection events in the Microsoft Security Center
+## Review exploit protection events in the Microsoft 365 Defender portal
Defender for Endpoint provides detailed reporting into events and blocks as part of its alert investigation scenarios.
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
If a proxy or firewall is blocking all traffic by default and allowing only spec
The following downloadable spreadsheet lists the services and their associated URLs your network must be able to connect to. Verify there are no firewall or network-filtering rules that would deny access to these URLs, or create an *allow* rule specifically for them.
-Spreadsheet of domains list|Description
-:--|:--
+|Spreadsheet of domains list| Description|
+|||
+|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
For more information, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
ms.technology: mde
**Applies to:**
+- [Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1)
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+## 101.62.74 (30.122022.16274.0)
+
+- Addressed an issue where the product would incorrectly block access to files greater than 2GB in size when running on older kernel versions
+- Bug fixes
+ ## 101.60.93 (30.122012.16093.0) - This version contains a security update for [CVE-2022-23278](https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoofing-in-microsoft-defender-for-endpoint/)
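Review bot: the 101.62.74 entry says file access was incorrectly blocked "when running on older kernel versions" without saying which kernels. Admins deciding how urgently to roll this build out need the affected range, or at least the boundary version, next to the 2GB condition. The bare "Bug fixes" bullet adds nothing a reader can act on and could be dropped or made specific.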
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+## 101.61.69 (20.122022.16169.0)
+
+- Bug fixes
+ ## 101.60.91 (20.122021.16091.0) - This version contains a security update for [CVE-2022-23278](https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoofing-in-microsoft-defender-for-endpoint/)
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
The following table summarizes the state of Microsoft Defender Antivirus in seve
> [!NOTE] > For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded with the modern, unified solution described in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).
-(<a id="fn3">3</a>) On Windows Server 2016 or Windows Server 2012 R2, if you are using a non-Microsoft antivirus product and that endpoint is not onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server.
+(<a id="fn3">3</a>) On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, and Windows Server 2022, if you are using a non-Microsoft antivirus product on an endpoint that is *not* onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server.
> [!TIP] > On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
If you experience any installation failures, refer to [Troubleshooting installat
### System requirements -- Supported Linux server distributions and x64 (AMD64/EM64T) versions:
+- Supported Linux server distributions and x64 (AMD64/EM64T) and x86_64 versions:
- Red Hat Enterprise Linux 6.7 or higher - Red Hat Enterprise Linux 7.2 or higher
The following downloadable spreadsheet lists the services and their associated U
**** - |Spreadsheet of domains list| Description| |||
-|:::image type="content" source="images/mdatp-urls.png" alt-text="Microsoft Defender for Endpoint URLs spreadsheet" lightbox="images/mdatp-urls.png":::|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> Download the spreadsheet [here](https://download.microsoft.com/download/8/e-urls.xlsx).|
-|||
+|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
> [!NOTE] > For a more specific URL list, see [Configure proxy and internet connectivity settings](/microsoft-365/security/defender-endpoint/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
The following downloadable spreadsheet lists the services and their associated U
|Spreadsheet of domains list| Description| |||
-|:::image type="content" source="images/mdatp-urls.png" alt-text="The spreadsheet for the URLs of the Microsoft Defender for Endpoint portal" lightbox="images/mdatp-urls.png":::|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> Download the spreadsheet here: [mdatp-urls.xlsx](https://download.microsoft.com/download/8/e-urls.xlsx).
+|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
Microsoft Defender for Endpoint can discover a proxy server by using the following discovery methods:
security Production Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md
The following downloadable spreadsheet lists the services and their associated U
|Spreadsheet of domains list| Description| |||
-|:::image type="content" source="images/mdatp-urls.png" alt-text="The Microsoft Defender for Endpoint URLs spreadsheet" lightbox="images/mdatp-urls.png":::|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)|
-|
+|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
## Next step
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
ms.technology: mde
**Applies to:**+
+- [Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1)
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) [!include[Prerelease information](../../includes/prerelease.md)]
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-overview)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-respondmachine-abovefoldlink)
security Switch To Mde Phase 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md
- migrationguides - admindeeplinkDEFENDER Previously updated : 12/02/2021 Last updated : 03/28/2022
If at this point you have:
- Onboarded your organization's devices to Defender for Endpoint, and - Microsoft Defender Antivirus is installed and enabled,
-Then your next step is to uninstall your non-Microsoft antivirus, antimalware, and endpoint protection solution. When you uninstall your non-Microsoft solution, Microsoft Defender Antivirus switches from passive mode to active mode. In most cases, this happens automatically.
+Then your next step is to uninstall your non-Microsoft antivirus, antimalware, and endpoint protection solution. When you uninstall your non-Microsoft solution, Microsoft Defender Antivirus switches from passive mode to active mode. In most cases, this happens automatically.
+
+> [!IMPORTANT]
+> If, for some reason, Microsoft Defender Antivirus does not go into active mode after you have uninstalled your non-Microsoft antivirus/antimalware solution, see [Microsoft Defender Antivirus seems to be stuck in passive mode](switch-to-mde-troubleshooting.md#microsoft-defender-antivirus-seems-to-be-stuck-in-passive-mode).
To get help with uninstalling your non-Microsoft solution, contact their technical support team.
security Switch To Mde Troubleshooting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting.md
- M365-security-compliance Previously updated : 01/11/2022 Last updated : 03/28/2022 ms.technology: mde
Value: `1`
For more information, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
+## Microsoft Defender Antivirus seems to be stuck in passive mode
+
+If Microsoft Defender Antivirus is stuck in passive mode, set it to active mode manually by following these steps:
+
+1. On your Windows device, open Registry Editor as an administrator.
+
+2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
+
+3. Set or define a **REG_DWORD** entry called `ForceDefenderPassiveMode`, and set its value to `0`.
+
+4. Reboot the device.
+
+> [!IMPORTANT]
+> If you're still having trouble setting Microsoft Defender Antivirus to active mode after following this procedure, [contact support](../../admin/get-help-support.md).
+ ## I am having trouble re-enabling Microsoft Defender Antivirus on Windows Server 2016 If you are using a non-Microsoft antivirus/antimalware solution on Windows Server 2016, your existing solution might have required Microsoft Defender Antivirus to be disabled or uninstalled. You can use the[ Malware Protection Command-Line Utility](command-line-arguments-microsoft-defender-antivirus.md) to re-enable Microsoft Defender Antivirus on Windows Server 2016.
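Review bot: step 3 edits a value under `SOFTWARE\Policies`, but the procedure never says how that value came to be set or how to confirm the outcome. If `ForceDefenderPassiveMode` is delivered by a management policy, a manual change in Registry Editor can be reapplied at the next policy refresh, so the steps should tell the reader to check for a managed setting first. "Set or define" should be split into the two cases (entry present, entry missing), and a step after the reboot should state how to verify that Microsoft Defender Antivirus is in active mode before the note sends readers to support.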
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices.md
Your score for devices is visible in the [threat and vulnerability management da
Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations.
-## Turn on the Microsoft Secure Score connector
-
-Forward Microsoft Defender for Endpoint signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data.
-
-Changes might take up to a few hours to reflect in the dashboard.
-
-1. In the navigation pane, go to **Settings** \> **Endpoints** \> **General** \> **Advanced features**
-
-2. Scroll down to **Microsoft Secure Score** and toggle the setting to **On**.
-
-3. Select **Save preferences**.
- ## How it works > [!NOTE]
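Review bot: the removed section was the only text in this hunk telling admins where the Microsoft Secure Score toggle lives (**Settings** > **Endpoints** > **General** > **Advanced features**), and nothing replaces it. If the connector no longer needs to be turned on, or is documented elsewhere, add one sentence or a link saying so. Otherwise readers who do not see device data in their score have no pointer left on this page.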
security Api Advanced Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-advanced-hunting.md
One of the following permissions is required to call the advanced hunting API. T
Permission type | Permission | Permission display name -|-|-
-Application | AdvancedHunting.Read.All | Run advanced queries
-Delegated (work or school account) | AdvancedHunting.Read | Run advanced queries
+Application | AdvancedQuery.Read.All| Run advanced queries
+Delegated (work or school account) | AdvancedQuery.Read | Run advanced queries
>[!Note] > When obtaining a token using user credentials:
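Review bot: both replaced rows change the permission identifiers (`AdvancedHunting.Read.All` to `AdvancedQuery.Read.All`, `AdvancedHunting.Read` to `AdvancedQuery.Read`) with no sentence explaining the change. These strings are copied into app registrations and consent requests, so confirm them against the names shown when the permission is assigned, and add a short note for readers who followed the earlier text. The first added row is also missing the space before its second pipe (`AdvancedQuery.Read.All|`).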
security Eval Defender Investigate Respond Simulate Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack.md
Switching to the SOC analyst point of view, you can now start to investigate the
3. The new incident for the simulated attack will appear in the incident queue.
- :::image type="content" source="../../media/mtp/fig2.png" alt-text="The Incidents queue in the Microsoft 365 Defender portal" lightbox="../../media/mtp/fig2.png":::
+ :::image type="content" source="../../media/mtp/fig2.png" alt-text="An example of the Incidents queue" lightbox="../../media/mtp/fig2.png":::
#### Investigate the attack as a single incident
Let's look at some of the alerts generated during the simulated attack.
> [!NOTE] > We'll walk through only a few of the alerts generated during the simulated attack. Depending on the version of Windows and the Microsoft 365 Defender products running on your test device, you might see more alerts that appear in a slightly different order. ##### Alert: Suspicious process injection observed (Source: Microsoft Defender for Endpoint)
Advanced attackers use sophisticated and stealthy methods to persist in memory a
To allow the SOC analysts to catch these advanced attacks, deep memory sensors in Microsoft Defender for Endpoint provide our cloud service with unprecedented visibility into a variety of cross-process code injection techniques. The following figure shows how Defender for Endpoint detected and alerted on the attempt to inject code to <i>notepad.exe</i>. ##### Alert: Unexpected behavior observed by a process run with no command-line arguments (Source: Microsoft Defender for Endpoint)
Notice that the alert details include the external IP addressΓÇöan indicator tha
Select the IP address in the alert process tree to view the IP address details page. The following figure displays the selected IP Address details page (clicking on IP address in the Alert process tree). - ##### Alert: User and IP address reconnaissance (SMB) (Source: Microsoft Defender for Identity)
Enumeration using Server Message Block (SMB) protocol enables attackers to get r
In this detection, an alert is triggered when the SMB session enumeration runs against a domain controller. #### Review the device timeline with Microsoft Defender for Endpoint
Select the name of the device where the attack was conducted, to open the entity
Select the **Timeline** tab to open the device timeline and view all events and behaviors observed on the device in chronological order, interspersed with the alerts raised. Expanding some of the more interesting behaviors provides useful details, such as process trees. For example, scroll down until you find the alert event **Suspicious process injection observed**. Select the **powershell.exe injected to notepad.exe process** event below it, to display the full process tree for this behavior under the **Event entities** graph on the side pane. Use the search bar for filtering if necessary. #### Review the user information with Microsoft Defender for Cloud Apps
On the incident page, select the **Users** tab to display the list of users invo
Select the user name to open the user's profile page where further investigation can be conducted. [Read more about investigating risky users](/cloud-app-security/tutorial-ueba#identify). #### Automated investigation and remediation
Select the user name to open the user's profile page where further investigation
Navigate back to the incident in the Microsoft 365 Defender portal. The **Investigations** tab in the **Incident** page shows the automated investigations that were triggered by Microsoft Defender for Identity and Microsoft Defender for Endpoint. The screenshot below displays only the automated investigation triggered by Defender for Endpoint. By default, Defender for Endpoint automatically remediates the artifacts found in the queue, which requires remediation. Select the alert that triggered an investigation to open the **Investigation details** page. You'll see the following details:
Select the alert that triggered an investigation to open the **Investigation det
> [!NOTE] > Depending on timing, the automated investigation might still be running. Wait a few minutes for the process to complete before you collect and analyze the evidence and review the results. Refresh the **Investigation details** page to get the latest findings. During the automated investigation, Microsoft Defender for Endpoint identified the notepad.exe process, which was injected as one of the artifacts requiring remediation. Defender for Endpoint automatically stops the suspicious process injection as part of the automated remediation.
After the investigation is complete and confirmed to be remediated, you resolve
From the **Incident** page, select **Manage incident**. Set the status to **Resolve incident** and select **True alert** for the classification and **Security testing** for the determination. When the incident is resolved, it resolves all of the associated alerts in the Microsoft 365 Defender portal and the related portals.
security Eval Defender Investigate Respond https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond.md
Title: Step 6. Investigate and respond using Microsoft 365 Defender in a pilot environment
-description: Set up attack simulations in Microsoft 365 Defender trial lab or pilot environment to try out the security solution designed to teach users to protect devices, identity, data, and applications.
+ Title: Investigate and respond using Microsoft 365 Defender in a pilot environment
+description: Set up attack simulations at Microsoft 365 Defender trial lab or pilot environment to try out the security solution designed to teach users to protect devices, identity, data, and applications.
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
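Review bot: the new description changes "in Microsoft 365 Defender trial lab" to "at Microsoft 365 Defender trial lab", which reads worse than the line it replaces and still lacks an article. Suggest "in a Microsoft 365 Defender trial lab or pilot environment". The title edit drops "Step 6." here, so check that the other steps in this series were renamed the same way.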
This article outlines the process to create incidents with attack simulations an
Use the following steps.
-![Steps for performing simulated incident response in the Microsoft 365 Defender evaluation environment.](../../media/eval-defender-investigate-respond/eval-defender-eval-investigate-respond-steps.png)
The following table describes the steps in the illustration.
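Review bot: the image line is removed, but the surrounding text still says "Use the following steps." and "The following table describes the steps in the illustration." With no illustration left, either restore the image with corrected alt text or reword both sentences so the table stands on its own.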
security Eval Defender Mcas Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-architecture.md
Microsoft Defender for Cloud Apps is a cloud access security broker (CASB). CASB
Without Defender for Cloud Apps, cloud apps that are used by your organization are unmanaged and unprotected, as illustrated.
-![Architecture for Microsoft Defender for Cloud Apps.](../../media/defender/m365-defender-mcas-architecture-a.png)
In the illustration: - The use of cloud apps by an organization is unmonitored and unprotected.
In the illustration:
The first step to managing the use of cloud apps is to discover which cloud apps are used by your organization. This next diagram illustrates how cloud discovery works with Defender for Cloud Apps.
-![Architecture for Microsoft Defender for Cloud Apps - Cloud discovery.](../../media/defender/m365-defender-mcas-architecture-b.png)
+ In this illustration, there are two methods that can be used to monitor network traffic and discover cloud apps that are being used by your organization. - A. Cloud App Discovery integrates with Microsoft Defender for Endpoint natively. Defender for Endpoint reports cloud apps and services being accessed from IT-managed Windows 10 and Windows 11 devices.
In this illustration, there are two methods that can be used to monitor network
#### Managing cloud apps
-After you discover cloud apps and analyze the behavior of how these are used by your organization, you can begin managing cloud apps that you choose.
+After you discover cloud apps and analyze how these apps are used by your organization, you can begin managing cloud apps that you choose.
-![Architecture for Microsoft Defender for Cloud Apps - Managing cloud apps.](../../media/defender/m365-defender-mcas-architecture-c.png)
In this illustration:-- Some apps are sanctioned for use. This is a simple way of beginning to manage apps.
+- Some apps are sanctioned for use. This sanction is a simple way of beginning to manage apps.
- You can enable greater visibility and control by connecting apps with app connectors. App connectors use the APIs of app providers. #### Applying session controls to cloud apps
-Microsoft Defender for Cloud Apps serves as a reverse proxy, providing proxy access to sanctioned cloud apps. This allows Defender for Cloud Apps to apply session controls that you configure.
+Microsoft Defender for Cloud Apps serves as a reverse proxy, providing proxy access to sanctioned cloud apps. This provision allows Defender for Cloud Apps to apply session controls that you configure.
-![Architecture for Microsoft Defender for Cloud Apps - Proxy access session control.](../../media/defender/m365-defender-mcas-architecture-d.png)
In this illustration: - Access to sanctioned cloud apps from users and devices in your organization is routed through Defender for Cloud Apps. - This proxy access allows session controls to be applied. - Cloud apps that you have not sanctioned or explicitly unsanctioned are not affected.
-Session controls allow you to apply parameters to how cloud apps are used by your organization. For example, if your organization is using Salesforce, you can configure a session policy that allows only managed devices to access your organization's data in Salesforce. A simpler example could be configuring a policy to monitor traffic from unmanaged devices so you can analyze the risk of this traffic before applying stricter policies.
+Session controls allow you to apply parameters to how cloud apps are used by your organization. For example, if your organization is using Salesforce, you can configure a session policy that allows only managed devices to access your organization's data at Salesforce. A simpler example could be configuring a policy to monitor traffic from unmanaged devices so you can analyze the risk of this traffic before applying stricter policies.
#### Integrating with Azure AD with Conditional Access App Control You might already have SaaS apps added to your Azure AD tenant to enforce multi-factor authentication and other conditional access policies. Microsoft Defender for Cloud Apps natively integrates with Azure AD. All you have to do is configure a policy in Azure AD to use Conditional Access App Control in Defender for Cloud Apps. This routes network traffic for these managed SaaS apps through Defender for Cloud Apps as a proxy, which allows Defender for Cloud Apps to monitor this traffic and to apply session controls.
-![Architecture for Microsoft Defender for Cloud Apps - SaaS apps.](../../media/defender/m365-defender-mcas-architecture-e.png)
In this illustration:-- SaaS apps are integrated with the Azure AD tenant. This allows Azure AD to enforce conditional access policies, including multi-factor authentication.-- A policy is added to Azure Active Directory to direct traffic for SaaS apps to Defender for Cloud Apps. The policy specifies which SaaS apps to apply this policy to. Consequently, after Azure AD enforces any conditional access policies that apply to these SaaS apps, Azure AD then directs (proxies) the session traffic through Defender for Cloud Apps.
+- SaaS apps are integrated with the Azure AD tenant. This integration allows Azure AD to enforce conditional access policies, including multi-factor authentication.
+- A policy is added to Azure Active Directory to direct traffic for SaaS apps to Defender for Cloud Apps. The policy specifies which SaaS apps to apply this policy to. Therefore, after Azure AD enforces any conditional access policies that apply to these SaaS apps, Azure AD then directs (proxies) the session traffic through Defender for Cloud Apps.
- Defender for Cloud Apps monitors this traffic and applies any session control policies that have been configured by administrators. You might have discovered and sanctioned cloud apps using Defender for Cloud Apps that have not been added to Azure AD. You can take advantage of Conditional Access App Control by adding these cloud apps to your Azure AD tenant and the scope of your conditional access rules. #### Protecting your organization from hackers
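Review bot: Both architecture images (`m365-defender-mcas-architecture-d.png` and `m365-defender-mcas-architecture-e.png`) are on removed lines with no replacement, yet the "In this illustration:" lead-ins after each of them are kept, so the two bullet lists now describe diagrams the reader cannot see. Either restore the images or reword the lead-ins. Separately, changing "your organization's data in Salesforce" to "at Salesforce" reads less naturally than the original; suggest keeping "in Salesforce".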
-Defender for Cloud Apps provides powerful protection on its own. However, when combined with the other capabilities of Microsoft 365 Defender, Defender for Cloud Apps provides data into the shared signals which, together, helps stop attacks.
+Defender for Cloud Apps provides powerful protection on its own. However, when combined with the other capabilities of Microsoft 365 Defender, Defender for Cloud Apps provides data into the shared signals which (together) helps stop attacks.
It's worth repeating this illustration from the overview to this Microsoft 365 Defender evaluation and pilot guide.
-![How Microsoft 365 Defender stops a chain of threats.](../../media/defender/m365-defender-eval-threat-chain.png)
-Focusing on the right side of this illustration, Microsoft Defender for Cloud Apps notices anomalous behavior like impossible-travel, credential access, and unusual download, file share, or mail forwarding activity and reports these to the security team. Consequently, Defender for Cloud Apps helps prevent lateral movement by hackers and exfiltration of sensitive data. Microsoft 356 Defender for Cloud correlates the signals from all the components to provide the full attack story.
+Focusing on the right side of this illustration, Microsoft Defender for Cloud Apps notices anomalous behavior like impossible-travel, credential access, and unusual download, file share, or mail forwarding activity and reports these behaviors to the security team. Therefore, Defender for Cloud Apps helps prevent lateral movement by hackers and exfiltration of sensitive data. Microsoft 356 Defender for Cloud correlates the signals from all the components to provide the full attack story.
## Understand key concepts
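Review bot: The rewritten last sentence of the "Focusing on the right side of this illustration" paragraph still says "Microsoft 356 Defender for Cloud correlates the signals"; the digits are transposed, and the surrounding lines use "Microsoft 365 Defender". Since the line is being edited anyway, correct the product name in the same change. In the paragraph before it, putting "together" in parentheses does not repair the sentence: "provides data into the shared signals which (together) helps stop attacks" still has a subject-verb mismatch. Consider "contributes data to the shared signals, which together help stop attacks".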
The following table identified key concepts that are important to understand whe
| Conditional Access App Control | Reverse proxy architecture that integrates with your Identity Provider (IdP) to give Azure AD conditional access policies and selectively enforce session controls. | [Protect apps with Microsoft Defender for Cloud Apps Conditional Access App Control](/cloud-app-security/proxy-intro-aad) | | Cloud App Catalog | The Cloud App Catalog gives you a full picture against Microsoft catalog of over 16,000 cloud apps that are ranked and scored based on more than 80 risk factors. | [Working with App risk scores](/cloud-app-security/risk-score) | | Cloud Discovery Dashboard | Cloud Discovery analyzes your traffic logs and is designed to give more insight into how cloud apps are being used in your organization as well as give alerts and risk levels. | [Working with discovered apps ](/cloud-app-security/discovered-apps) |
-|Connected Apps |Defender for Cloud Apps provides end-to-end protection for connected apps using Cloud-to-Cloud integration, API connectors, and real-time access and session controls leveraging our Conditional App Access Controls. |[Protecting connected apps](/cloud-app-security/protect-connected-apps) |
+|Connected Apps |Defender for Cloud Apps provides end-to-end protection for connected apps using Cloud-to-Cloud integration, API connectors, and real-time access and session controls using our Conditional App Access Controls. |[Protecting connected apps](/cloud-app-security/protect-connected-apps) |
| | | | ## Review architecture requirements ### Discovering cloud apps
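Review bot: In the Connected Apps row, the new text still names the feature "Conditional App Access Controls", while the first row of the same table calls it "Conditional Access App Control". The edit only swaps "leveraging" for "using"; correct the feature name while the row is open so the table uses one term throughout.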
-To discover cloud apps used in your environment, you can do one or both of the following:
+To discover cloud apps used in your environment, you can implement one or both of the following methods:
- Get up and running quickly with Cloud Discovery by integrating with Microsoft Defender for Endpoint. This native integration enables you to immediately start collecting data on cloud traffic across your Windows 11 and Windows 10 devices, on and off your network.-- To discover all cloud apps accessed by all devices connected to your network, deploy the Defender for Cloud Apps log collector on your firewalls and other proxies. This collects data from your endpoints and sends it to Defender for Cloud Apps for analysis. Defender for Cloud Apps natively integrates with some third-party proxies for even more capabilities.
+- To discover all cloud apps accessed by all devices connected to your network, deploy the Defender for Cloud Apps log collector on your firewalls and other proxies. This deployment helps collect data from your endpoints and sends it to Defender for Cloud Apps for analysis. Defender for Cloud Apps natively integrates with some third-party proxies for even more capabilities.
These options are included in [Step 2. Enable the evaluation environment](eval-defender-mcas-enable-eval.md). ### Applying Azure AD Conditional Access policies to cloud apps
-Conditional Access App Control (the ability to apply Conditional Access policies to cloud apps) requires integration with Azure AD. This isn't a requirement for getting started with Defender for Cloud Apps. It is a step we encourage you to try out during the pilot phase ΓÇö [Step 3. Pilot Microsoft Defender for Cloud Apps](eval-defender-mcas-pilot.md).
+Conditional Access App Control (the ability to apply Conditional Access policies to cloud apps) requires integration with Azure AD. This integration isn't a requirement for getting started with Defender for Cloud Apps. It is a step we encourage you to try out during the pilot phaseΓÇö[Step 3. Pilot Microsoft Defender for Cloud Apps](eval-defender-mcas-pilot.md).
## SIEM integration You can integrate Microsoft Defender for Cloud Apps with your generic SIEM server or with Microsoft Sentinel to enable centralized monitoring of alerts and activities from connected apps.
-Additionally, Microsoft Sentinel includes a Microsoft Defender for Cloud Apps connector to provide deeper integration with Microsoft Sentinel. This enables you to not only gain visibility into your cloud apps but to also get sophisticated analytics to identify and combat cyberthreats and to control how your data travels.
+Additionally, Microsoft Sentinel includes a Microsoft Defender for Cloud Apps connector to provide deeper integration with Microsoft Sentinel. This arrangement enables you to not only gain visibility into your cloud apps but to also get sophisticated analytics to identify and combat cyberthreats and to control how your data travels.
- [Generic SIEM integration](/cloud-app-security/siem) - [Stream alerts and Cloud Discovery logs from Defender for Cloud Apps into Microsoft Sentinel](/azure/sentinel/connect-cloud-app-security)
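Review bot: In the log collector bullet, "This deployment helps collect data from your endpoints and sends it to Defender for Cloud Apps" mixes verb forms ("helps collect ... and sends") and softens what the original stated plainly. Suggest "This deployment collects data from your endpoints and sends it to Defender for Cloud Apps for analysis." In the SIEM paragraph, "This arrangement enables you" is vaguer than naming the subject; "This connector enables you" says what the sentence means.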
security Eval Defender Mcas Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-enable-eval.md
This article is [Step 2 of 2](eval-defender-mcas-overview.md) in the process of
This article walks you through the process of accessing the Defender for Cloud Apps portal and configuring the necessary integration to collect cloud app traffic data.
-To discover cloud apps used in your environment, you can do one or both of the following:
+To discover cloud apps used in your environment, you can implement one or both of the following methods:
- Get up and running quickly with Cloud Discovery by integrating with Microsoft Defender for Endpoint. This native integration enables you to immediately start collecting data on cloud traffic across your Windows 10 and Windows 11 devices, on and off your network.-- To discover all cloud apps accessed by all devices connected to your network, deploy the Defender for Cloud Apps log collector on your firewalls and other proxies. This collects data from your endpoints and sends it to Defender for Cloud Apps for analysis. Defender for Cloud Apps natively integrates with some third-party proxies for even more capabilities.
+- To discover all cloud apps accessed by all devices connected to your network, deploy the Defender for Cloud Apps log collector on your firewalls and other proxies. This deployment helps collect data from your endpoints and sends it to Defender for Cloud Apps for analysis. Defender for Cloud Apps natively integrates with some third-party proxies for even more capabilities.
This article includes guidance for both methods. Use the following steps to set up Microsoft Defender for Cloud Apps.
-![Steps to enable Microsoft Microsoft Defender for Cloud Apps in the Microsoft Defender evaluation environment.](../../media/defender/m365-defender-mcas-eval-enable-steps.png)
- [Step 1. Connect to the Defender for Cloud Apps portal](#step-1) - [Step 2. Integrate with Microsoft Defender for Endpoint](#step-2)
Use the following steps to set up Microsoft Defender for Cloud Apps.
To verify licensing and to connect to the Defender for Cloud Apps portal, see [Quickstart: Get started with Microsoft Defender for Cloud Apps](/cloud-app-security/getting-started-with-cloud-app-security).
-If you're not immediately able to connect to the portal, you might need to add the IP address to the allow list of your firewall. See [Basic setup for Defender for Cloud Apps](/cloud-app-security/general-setup).
+If you're not immediately able to connect to the portal, you might need to add the IP address to the allowlist of your firewall. See [Basic setup for Defender for Cloud Apps](/cloud-app-security/general-setup).
If you're still having trouble, review [Network requirements](/cloud-app-security/network-requirements).
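Review bot: The allowlist sentence still says "add the IP address" without saying which address, so the reader has to follow the Basic setup link to learn what to allow. While changing "allow list" to "allowlist", state that it is the portal's address, per the linked Basic setup article. Also check the step banner at the top of this article: it reads "Step 2 of 2" while the pilot article for the same overview reads "Step 3 of 3".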
security Eval Defender Mcas Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-overview.md
This article outlines the process to enable and pilot Microsoft Defender for Clo
Use the following steps to enable and pilot Microsoft Defender for Cloud Apps.
-![Steps for adding Microsoft Defender for Office to the Defender evaluation environment.](../../media/defender/m365-defender-office-eval-steps.png)
-- |Step |Description | |||
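Review bot: As shown, the `|Step |Description |` header row and its separator sit on a removed line with no added counterpart, so confirm the steps table that follows still has a header and still renders as a table. The Defender for Office 365 overview changed in this same batch keeps its header and only labels the first column; the two overviews should end up with the same table shape. The removed image's alt text ("Steps for adding Microsoft Defender for Office ...") named the wrong product for this article, so fix it if the image is restored.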
security Eval Defender Mcas Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-pilot.md
This article is [Step 3 of 3](eval-defender-mcas-overview.md) in the process of
Use the following steps to set up and configure the pilot for Microsoft Defender for Cloud Apps.
-![Steps for piloting Microsoft Defender for Cloud Apps.](../../media/defender/m365-defender-mcas-pilot-steps.png)
+- [Step 1. Create the pilot groupΓÇöScope your pilot deployment to certain user groups](#step-1-create-the-pilot-groupscope-your-pilot-deployment-to-certain-user-groups)
+- [Step 2. Configure protectionΓÇöConditional Access App Control](#step-2-configure-protectionconditional-access-app-control)
+- [Step 3. Try out capabilitiesΓÇöWalk through tutorials for protecting your environment](#step-3-try-out-capabilitieswalk-through-tutorials-for-protecting-your-environment)
-- Step 1. [Create the pilot group ΓÇö Scope your pilot deployment to certain user groups](#step-1-create-the-pilot-group--scope-your-pilot-deployment-to-certain-user-groups)-- [Step 2. Configure protection ΓÇö Conditional Access App Control](#step-2-configure-protection--conditional-access-app-control)-- [Step 3. Try out capabilities ΓÇö Walk through tutorials for protecting your environment](#step-3-try-out-capabilities--walk-through-tutorials-for-protecting-your-environment) -
-## Step 1. Create the pilot group ΓÇö Scope your pilot deployment to certain user groups
+## Step 1. Create the pilot groupΓÇöScope your pilot deployment to certain user groups
Microsoft Defender for Cloud Apps enables you to scope your deployment. Scoping allows you to select certain user groups to be monitored for apps or excluded from monitoring. You can include or exclude user groups. To scope your pilot deployment, see [Scoped Deployment](/cloud-app-security/scoped-deployment).
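Review bot: Removing the spaces around the dash in the three step headings changes their generated anchors (for Step 1, from `#step-1-create-the-pilot-group--scope-your-pilot-deployment-to-certain-user-groups` to `#step-1-create-the-pilot-groupscope-your-pilot-deployment-to-certain-user-groups`). The in-page list is updated to match, but links from other articles to the old anchors will stop resolving; search the repo for the old slugs before merging.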
-## Step 2. Configure protection ΓÇö Conditional Access App Control
+## Step 2. Configure protectionΓÇöConditional Access App Control
-One of the most powerful protections you can configure is Conditional Access App Control. This requires integration with Azure Active Directory (Azure AD). It allows you to apply Conditional Access policies, including related policies (like requiring healthy devices), to cloud apps you've sanctioned.
+One of the most powerful protections you can configure is Conditional Access App Control. This protection requires integration with Azure Active Directory (Azure AD). It allows you to apply Conditional Access policies, including related policies (like requiring healthy devices), to cloud apps you've sanctioned.
-The first step in using Microsoft Defender for Cloud Apps to manage SaaS apps is to discover these and then add them to your Azure AD tenant. If you need help with discovery, see [Discover and manage SaaS apps in your network](/cloud-app-security/tutorial-shadow-it). After you've discovered apps, [add these to your Azure AD tenant](/azure/active-directory/manage-apps/add-application-portal).
+The first step in using Microsoft Defender for Cloud Apps to manage SaaS apps is to discover these apps and then add them to your Azure AD tenant. If you need help with discovery, see [Discover and manage SaaS apps in your network](/cloud-app-security/tutorial-shadow-it). After you've discovered apps, [add these apps to your Azure AD tenant](/azure/active-directory/manage-apps/add-application-portal).
-You can begin to manage these by doing the following:
+You can begin to manage these apps by executing the following tasks:
-- First, in Azure AD, create a new conditional access policy and configure it to "Use Conditional Access App Control." This redirects the request to Defender for Cloud Apps. You can create one policy and add all SaaS apps to this policy.
+- First, in Azure AD, create a new conditional access policy and configure it to "Use Conditional Access App Control." This configuration helps to redirect the request to Defender for Cloud Apps. You can create one policy and add all SaaS apps to this policy.
- Next, in Defender for Cloud Apps, create session policies. Create one policy for each control you want to apply. For more information, including supported apps and clients, see [Protect apps with Microsoft Defender for Cloud Apps Conditional Access App Control](/cloud-app-security/proxy-intro-aad). For example policies, see [Recommended Microsoft Defender for Cloud Apps policies for SaaS apps](../office-365-security/mcas-saas-access-policies.md). These policies build on a set of [common identity and device access policies](../office-365-security/microsoft-365-policies-configurations.md) that are recommended as a starting point for all customers.
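Review bot: In the first bullet, "This configuration helps to redirect the request to Defender for Cloud Apps" hedges something the architecture article states as fact (the Azure AD policy routes the session traffic through Defender for Cloud Apps as a proxy). Suggest "This configuration redirects the request to Defender for Cloud Apps." In the lead-in, "by executing the following tasks" is heavier than needed; "by completing the following tasks" reads better.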
-## Step 3. Try out capabilities ΓÇö Walk through tutorials for protecting your environment
+## Step 3. Try out capabilitiesΓÇöWalk through tutorials for protecting your environment
The Microsoft Defender for Cloud Apps documentation includes a series of tutorials to help you discover risk and protect your environment.
security Eval Defender Office 365 Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-architecture.md
Before enabling Defender for Office 365, be sure you understand the architecture
## Understand the architecture
-The following diagram illustrates baseline architecture for Microsoft Defender for Office, which can include a third-party SMTP gateway or on-premises integration. Hybrid coexistence scenarios (i.e. production mailboxes are both on-premise and online) require more complex configurations and are not covered in this article or evaluation guidance.
+The following diagram illustrates baseline architecture for Microsoft Defender for Office, which can include a third-party SMTP gateway or on-premises integration. Hybrid coexistence scenarios (that is, production mailboxes are both on-premise and online) require more complex configurations and are not covered in this article or evaluation guidance.
-![Architecture for Microsoft Defender for Office 365.](../../media/defender/m365-defender-office-architecture.png)
The following table describes this illustration. |Call-out |Description | ||| |1 | The host server for the external sender typically performs a public DNS lookup for an MX record, which provides the target server to relay the message. This referral can either be Exchange Online (EXO) directly or an SMTP gateway that has been configured to relay against EXO. |
-|2 | Exchange Online Protection negotiates and validates the inbound connection and inspects the message headers and content to determine what additional policies, tagging, or processing is required. |
+|2 | Exchange Online Protection negotiates and validates the inbound connection and inspects the message headers and content to determine what extra policies, tagging, or processing is required. |
|3 | Exchange Online integrates with Microsoft Defender for Office 365 to offer more advanced threat protection, mitigation, and remediation. | |4 | A message that is not malicious, blocked, or quarantined is processed and delivered to the recipient in EXO where user preferences related to junk mail, mailbox rules, or other settings are evaluated and triggered. | |5 | Integration with on-premises Active Directory can be enabled using Azure AD Connect to synchronize and provision mail-enabled objects and accounts to Azure Active Directory and ultimately Exchange Online. |
-|6 | When integrating an on-premises environment, it is strongly encouraged to use an Exchange server for supported management and administration of mail-related attributes, settings, and configurations |
+|6 | When integrating an on-premises environment, it is encouraged to use an Exchange server for supported management and administration of mail-related attributes, settings, and configurations |
|7 | Microsoft Defender for Office 365 shares signals to Microsoft 365 Defender for extended detection and response (XDR).| On-premises integration is common but optional. If your environment is cloud-only, this guidance will also work for you.
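Review bot: In the rewritten hybrid coexistence sentence, "on-premise" should be "on-premises", as it is earlier in the same sentence ("on-premises integration") and in call-outs 5 and 6. In call-out 6, dropping "strongly" changes the strength of the recommendation rather than only the wording; confirm that is intended, and add the missing period at the end of that cell.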
The following table identified key concepts that are important to understand whe
|Concept |Description |More information | ||||
-|Exchange Online Protection | Exchange Online Protection (EOP) is the cloud-based filtering service that helps protect your organization against spam and malware emails. EOP is included in all Microsoft 365 licenses which include Exchange Online. | [Exchange Online Protection overview](../office-365-security/exchange-online-protection-overview.md) |
+|Exchange Online Protection | Exchange Online Protection (EOP) is the cloud-based filtering service that helps protect your organization against spam and malware emails. EOP is included in all Microsoft 365 licenses that include Exchange Online. | [Exchange Online Protection overview](../office-365-security/exchange-online-protection-overview.md) |
|Anti-malware protection | Organizations with mailboxes in EXO are automatically protected against malware. | [Anti-malware protection in EOP](../office-365-security/anti-malware-protection.md) | |Anti-spam protection | Organizations with mailboxes in EXO are automatically protected against junk mail and spam policies. | [Anti-spam protection in EOP](../office-365-security/anti-spam-protection.md) |
-|Anti-phishing protection | MDO offers more advanced anti-phishing protection related to spear phishing, whaling, ransomware, and other malicious activities. | [Additional anti-phishing protection in Microsoft Defender for Office 365](../office-365-security/anti-phishing-protection.md) |
+|Anti-phishing protection | MDO offers more advanced anti-phishing protection related to spear phishing, whaling, ransomware, and other malicious activities. | [Extra anti-phishing protection in Microsoft Defender for Office 365](../office-365-security/anti-phishing-protection.md) |
|Anti-spoofing protection | EOP includes features to help protect your organization from spoofed (forged) senders. | [Anti-spoofing protection in EOP](../office-365-security/anti-spoofing-protection.md) |
-|Safe attachments | Safe Attachments provides an additional layer of protection by using a virtual environment to check and "detonate" attachments in email messages before they are delivered. | [Safe Attachments in Microsoft Defender for Office 365](../office-365-security/safe-attachments.md) |
-|Safe attachments for SharePoint, OneDrive, and Microsoft Teams | In addition, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams offers an additional layer of protection for files that have been uploaded to cloud storage repositories. | [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/mdo-for-spo-odb-and-teams.md) |
+|Safe attachments | Safe Attachments provides an extra layer of protection by using a virtual environment to check and "detonate" attachments in email messages before they are delivered. | [Safe Attachments in Microsoft Defender for Office 365](../office-365-security/safe-attachments.md) |
+|Safe attachments for SharePoint, OneDrive, and Microsoft Teams | In addition, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams offers an extra layer of protection for files that have been uploaded to cloud storage repositories. | [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/mdo-for-spo-odb-and-teams.md) |
|Safe Links | Safe Links is a feature that provides URL scanning and rewriting within inbound email messages and offers verification of those links before they are delivered or clicked. | [Safe Links in Microsoft Defender for Office 365](../office-365-security/safe-links.md) | | | | |
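Review bot: In the Anti-phishing protection row, the link text changes from "Additional anti-phishing protection in Microsoft Defender for Office 365" to "Extra anti-phishing protection in Microsoft Defender for Office 365". The other rows use the target article's title as link text, so this looks like the additional-to-extra word swap being applied to a title by mistake. Revert the link text unless anti-phishing-protection.md is retitled in the same change.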
security Eval Defender Office 365 Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-enable-eval.md
This article is [Step 2 of 3](eval-defender-office-365-overview.md) in the proce
Use the following steps to enable the evaluation for Microsoft Defender for Office 365.
-![Steps to enable Microsoft Defender for Office 365 in the Microsoft Defender evaluation environment.](../../media/defender/m365-defender-office-eval-enable-steps.png)
+ - [Step 1: Activate trial licenses](#step-1-activate-trial-licenses) - [Step 2: Audit and verify the public MX record](#step-2-audit-and-verify-the-public-mx-record)
Log on to your existing Microsoft Defender for Office 365 environment or tenant
1. Navigate to the administration portal. 2. Select Purchase Services from the quick launch.
- :::image type="content" source="../../media/mdo-eval/1_m365-purchase-services.png" alt-text="Click Purchase services on the navigation pane of Office 365.":::
+ :::image type="content" source="../../medio-eval/1_m365-purchase-services.png":::
3. Scroll down to the Add-On section (or search for "Defender") to locate the Microsoft Defender for Office 365 plans. 4. Click Details next the plan you want to evaluate.
- :::image type="content" source="../../medio-eval-license-details.png" alt-text="Click the Details button, next.":::
+ :::image type="content" source="../../medio-eval-license-details.png":::
5. Click the *Start free trial* link.
- :::image type="content" source="../../media/mdo-eval/3-m365-purchase-button.png" alt-text="Click the Start free trial *hyperlink* on this panel.":::
+ :::image type="content" source="../../medio-eval/3-m365-purchase-button.png":::
6. Confirm your request and click the *Try now* button.
- :::image type="content" source="../../medio-trial-order.png" alt-text="Now click the Try now *button*.":::
+ :::image type="content" source="../../medio-trial-order.png":::
## Step 2: Audit and verify the public MX record
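Review bot: The image `source` under steps 2 and 5 changes from `../../media/mdo-eval/...` to `../../medio-eval/...`, which does not match the `../../media/...` layout used by the other articles in this batch and will probably leave broken images. Check each path against the media folder before merging, including the `../../medio-eval-license-details.png` and `../../medio-trial-order.png` sources that appear on both sides of the change.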
Use the instructions here to activate your Microsoft Defender for Office 365 eva
1. Log on to your tenant with an account that has access to the Microsoft 365 Defender portal. 2. Choose whether you want to make the **Microsoft 365 Defender portal** your default interface for Microsoft Defender for Office 365 administration (recommended).
- :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="Click the Turn on settings button to use the centralized and improved Microsoft 365 Defender portal for administration.":::
+ :::image type="content" source="../../medio-eval-activate-eval.png":::
3. From the navigation menu, select **Policies & Rules** under *Email & Collaboration*.
- :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="Here's an Email & Collaboration menu picture pointing at Policies & rules. Click that!":::
+ :::image type="content" source="../../medio-eval-activate-eval.png":::
4. On the *Policy & Rules* dashboard, click **Threat Policies**.
- :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="Picture of the Policy & Rules dashboard and an arrow pointing at Threat policies. Click that next!":::
+ :::image type="content" source="../../medio-eval-activate-eval.png":::
5. Scroll down to *Additional Policies* and select the **Evaluate Defender for Office 365** tile.
- :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="The Eval Defender for Office 365 tile saying it's a 30 day trial across email & collaboration vectors. Click through.":::
+ :::image type="content" source="../../medio-eval-activate-eval.png":::
6. Now choose whether external email routes to Exchange Online directly, or to a third-party gateway or service, and click Next.
- :::image type="content" source="../../medio-eval-activate-eval.png" alt-text="Defender for Office 365 will evaluate mail send to your Exchange Online mailboxes. Give the details of how your mail is routed now, including the name of the outbound connector that routs your mail. If you only use Exchange Online Protection (EOP) you won't have a connector. Choose one of I'm using a 3rd-party or on-premises provider, or I only use EOP.":::
+ :::image type="content" source="../../medio-eval-activate-eval.png":::
7. If you use a third-party gateway, select the vendor name from the drop-down along with the inbound connector associated with that solution. When you've listed your answers, click Next.
- :::image type="content" source="../../medio-eval-activate-eval-settings.png" alt-text="In this dialog, you choose the 3rd-party vendor service your organization is using, or select *Other*. In the next dialog down, select the inbound connector. Then click Next.":::
+ :::image type="content" source="../../medio-eval-activate-eval-settings.png":::
8. Review your settings and click the **Create Evaluation** button. |Before|After| |::|::|
- |:::image type="content" source="../../medio-eval-activate-complete.png" alt-text="And now the set up is complete. The blue button on this page says 'Go to Evaluation'.":::|
+ |:::image type="content" source="../../medio-eval-activate-complete.png":::|
| ## Next steps
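Review bot: Every `alt-text` attribute is removed from the activation screenshots (and from the licensing screenshots in Step 1), so screen-reader users get nothing for these steps. Several of the old strings were chatty ("Click that!"), but the fix is to rewrite them, not to drop the attribute. Also, steps 2 through 6 all point at the same `medio-eval-activate-eval.png` source although each described a different screen, so verify that every step references its own image.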
security Eval Defender Office 365 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-overview.md
This article outlines the process to enable and pilot Microsoft Defender for Off
Use the following steps to enable and pilot Microsoft Defender for Office 365.
-![Steps for adding Microsoft Defender for Office to the Defender evaluation environment.](../../media/defender/m365-defender-office-eval-steps.png)
The following table describes the steps in the illustration.
-| |Step |Description |
+| Serial Number|Step |Description |
|||| |1|[Review architecture requirements and key concepts](eval-defender-office-365-architecture.md) | Understand the Defender for Office architecture and be sure your Exchange Online environment meets the architecture prerequisites. | |2|[Enable the evaluation environment](eval-defender-office-365-enable-eval.md) | Follow the steps to setup the evaluation environment. | |3|[Set up the pilot ](eval-defender-office-365-pilot.md) | Create pilot groups, configure protection, and become familiar with key features and dashboards. |
-||||
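Review bot: "Serial Number" is a misleading header for a column that only holds the step order 1 to 3; a serial number suggests an identifier, not a sequence. Use "#" or "Order", or fold the number into the Step column. In row 2 of the same table, "Follow the steps to setup the evaluation environment" should read "set up".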
security Eval Defender Office 365 Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md
This article is [Step 3 of 3](eval-defender-office-365-overview.md) in the proce
Use the following steps to set up and configure the pilot for Microsoft Defender for Office 365.
-![Steps for creating the pilot for Microsoft Defender for Office 365.](../../media/defender/m365-defender-office-pilot.png)
- [Step 1: Create pilot groups](#step-1-create-pilot-groups) - [Step 2: Configure protection](#step-2-configure-protection)-- [Step 3: Try out capabilities ΓÇö Get familiar with simulation, monitoring, and metrics](#step-3-try-out-capabilities--get-familiar-with-simulation-monitoring-and-metrics)
+- [Step 3: Try out capabilities ΓÇö Get familiar with simulation, monitoring, and metrics](#step-3-try-out-capabilities-and-get-familiar-with-simulation-monitoring-and-metrics)
When you evaluate Microsoft Defender for Office 365, you may choose to pilot specific users before enabling and enforcing policies for your entire organization. Creating distribution groups can help manage the deployment processes. For example, create groups such as *Defender for Office 365 Users - Standard Protection*, *Defender for Office 365 Users - Strict Protection*, *Defender for Office 365 Users - Custom Protection*, or *Defender for Office 365 Users - Exceptions*.
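Review bot: The Step 3 entry now links to `#step-3-try-out-capabilities-and-get-familiar-with-simulation-monitoring-and-metrics`, but its link text still reads "Try out capabilities", a dash, then "Get familiar with simulation, monitoring, and metrics", so the text and the anchor no longer describe the same heading. Confirm the Step 3 heading is renamed to "... and get familiar ..." in this change and update the link text to match; otherwise the anchor will not resolve.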
Distribution groups can be created and defined directly in Exchange Online or sy
1. Sign in to the Exchange Admin Center (EAC) using an account that has been granted Recipient Administrator role or been delegated group management permissions. 2. From the navigation menu, expand *Recipients* and select *Groups*.
- :::image type="content" source="../../medio-eval-pilot.png":::
+ :::image type="content" source="../../medio-eval-pilot.png":::
3. From the Groups dashboard, select "Add a group".
- :::image type="content" source="../../medio-eval-pilot-add-group.png":::
+ :::image type="content" source="../../medio-eval-pilot-add-group.png":::
4. For group type, select *Distribution* and click Next.
- :::image type="content" source="../../medio-eval-pilot-group-type.png":::
+ :::image type="content" source="../../medio-eval-pilot-group-type.png":::
5. Give the group a name and description and then click Next.
- :::image type="content" source="../../medio-eval-pilot-set-up-basics.png":::
+ :::image type="content" source="../../medio-eval-pilot-set-up-basics.png":::
## Step 2: Configure protection
Some capabilities in Defender for Office 365 are configured and turned on by def
Some capabilities are *not yet* configured. You have three options for configuring protection: -- **Assign preset security policies automatically** ΓÇö [Preset security policies](../office-365-security/preset-security-policies.md) are provided as a method to quickly assign a uniform level of protection across all of the capabilities. You can choose from ***standard*** or ***strict***. A good approach is to start with preset security policies and then fine-tune the policies as you learn more about the capabilities and your own unique threat environment. The advantage here is that you protect groups of users as quickly as possible, with the ability to tweak protection afterward. (This method is recommended.)-- **Configure baseline protection manually** ΓÇö If you prefer to configure the environment yourself, you can quickly achieve a *baseline* of protection by following the guidance in [Protect against threats](../office-365-security/protect-against-threats.md). With this approach, you get to learn more about the settings that are configurable. And, of course, you can fine-tune the policies later.-- **Configure *custom* protection policies** ΓÇö You can also build and assign custom protection policies as part of your evaluation. Before you start customizing policies, it's important to understand the precedence in which these protection policies are applied and enforced. Security ops will need to create some policies even if when the preset is applied, in specific in order to define security policies for Safe Links and Safe Attachments.-
+- **Assign preset security policies automatically**ΓÇö[Preset security policies](../office-365-security/preset-security-policies.md) are provided as a method to quickly assign a uniform level of protection across all of the capabilities. You can choose from ***standard*** or ***strict***. A good approach is to start with preset security policies and then fine-tune the policies as you learn more about the capabilities and your own unique threat environment. The advantage here is that you protect groups of users as quickly as possible, with the ability to tweak protection afterward. (This method is recommended.)
+- **Configure baseline protection manually**ΓÇöIf you prefer to configure the environment yourself, you can quickly achieve a *baseline* of protection by following the guidance in [Protect against threats](../office-365-security/protect-against-threats.md). With this approach, you get to learn more about the settings that are configurable. And, you can fine-tune the policies later.
+- **Configure *custom* protection policies**ΓÇöYou can also build and assign custom protection policies as part of your evaluation. Before you start customizing policies, it's important to understand the precedence in which these protection policies are applied and enforced. Security ops will need to create some policies even if when the preset is applied, in specific in order to define security policies for Safe Links and Safe Attachments.
> [!IMPORTANT] > **If you need to configure custom protection policies**, you should examine the values that make up the **Standard** and **Strict** security definitions here: *[Recommended settings for EOP and Microsoft Defender for Office 365 security](../office-365-security/recommended-settings-for-eop-and-office365.md)*. Default values, as seen before any configuration takes place are also listed. Keep a spreadsheet of where your custom build deviates.
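Review bot: The third added bullet (custom protection policies) still carries the broken sentence "Security ops will need to create some policies even if when the preset is applied, in specific in order to define security policies"; since this line is being rewritten anyway, fix it here, for example "even when the preset is applied, specifically to define security policies for Safe Links and Safe Attachments". In the second bullet, "And, you can fine-tune the policies later." reads as a fragment once "of course" is gone and could be merged into the previous sentence.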
Some capabilities are *not yet* configured. You have three options for configuri
It's recommended you begin with the *recommended baseline policies* when evaluating MDO and then refine them as needed over the course of your evaluation period.
-You can enable recommended EOP and Defender for Office 365 protection policies fast, and assign them to specific pilot users or defined groups as part of your evaluation. Preset policies offer a baseline **Standard** protection template or a more aggressive **Strict** protection template which can be assigned independently, or combined.
+You can enable recommended EOP and Defender for Office 365 protection policies fast, and assign them to specific pilot users or defined groups as part of your evaluation. Preset policies offer a baseline **Standard** protection template or a more aggressive **Strict** protection template, which can be assigned independently, or combined.
Here is the [Preset security policies in EOP and Microsoft Defender for Office 365](../office-365-security/preset-security-policies.md) article outlining the steps. 1. Log on to your Microsoft 365 tenant. Use an account with access to the Microsoft 365 Defender portal, added to Organization Management role in Office 365, or Security Administrator role in Microsoft 365. 2. From the navigation menu, select *Polices & Rules* under Email & Collaboration.
- :::image type="content" source="../../medio-eval-pilot-policies.png" alt-text="Under Email & Collaboration on the navigation panel, click Policies & rules.":::
+ :::image type="content" source="../../medio-eval-pilot-policies.png":::
3. On the Policy & Rules dashboard, click *Threat Policies*.
- :::image type="content" source="../../medio-eval-pilot-threat-policies.png":::
+ :::image type="content" source="../../medio-eval-pilot-threat-policies.png":::
4. From the Microsoft 365 Defender portal, expand Threat Management from the navigation menu and then select Policy from the submenu. 5. On the Policy dashboard, click *Preset security policies*.
- :::image type="content" source="../../medio-eval-pilot-template-policies.png":::
+ :::image type="content" source="../../medio-eval-pilot-template-policies.png":::
6. Click *Edit* to configure and assign the Standard policy and/or Strict policy.
- :::image type="content" source="../../medio-eval-pilot-preset.png":::
+ :::image type="content" source="../../medio-eval-pilot-preset.png":::
7. Add conditions to apply baseline ***EOP*** protections to specific pilot users, or groups of users, as needed, and select *Next* to continue.
- Example, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are *members* of a defined *Defender for Office 365 Standard Protection* group, and then managed by simply adding accounts to, or removing account from, the group.
+ Example, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are *members* of a defined *Defender for Office 365 Standard Protection* group, and then managed by adding accounts to, or removing account from, the group.
- :::image type="content" source="../../medio-eval-pilot-eop-protections.png":::
+ :::image type="content" source="../../medio-eval-pilot-eop-protections.png":::
8. Add conditions to apply baseline ***MDO*** protections to specific pilot users, or groups of users, as needed. Click *Next* to continue.
- For example, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are *members* of a defined *Defender for Office 365 Standard Protection* group and then managed by simply adding / removing accounts via the group.
+ For example, a Defender for Office 365 condition for pilot evaluations could be applied if the recipients are *members* of a defined *Defender for Office 365 Standard Protection* group and then managed by adding / removing accounts via the group.
- :::image type="content" source="../../medio-protections.png":::
+ :::image type="content" source="../../medio-protections.png":::
9. Review and confirm your changes for assigning preset security policies.
-10. Preset protection policies can be managed (re-configured, re-applied, disabled, etc.) by returning to the Microsoft 365 Defender portal > Policies & rules > Threat Policies > and clicking the *Preset security policies* tile.
+10. Preset protection policies can be managed (reconfigured, re-applied, disabled, etc.) by returning to the Microsoft 365 Defender portal > Policies & rules > Threat Policies > and clicking the *Preset security policies* tile.
### Configure custom protection policies
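Review bot: The step 2 image line for `medio-eval-pilot-policies.png` loses its `alt-text` attribute in the added version, which is an accessibility regression; keep the existing "Under Email & Collaboration on the navigation panel, click Policies & rules." text or replace it with an equivalent description. While touching step 7, "removing account from, the group" should be "removing accounts from", and the unchanged step 2 text spells the menu item "Polices & Rules".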
The pre-defined *Standard* or *Strict* Defender for Office 365 policy templates
It's *important* to be aware of the precedence these protection policies take when applied and enforced, as [Order and precedence of email protection - Office 365](../office-365-security/how-policies-and-protections-are-combined.md) explains.
-The table below provides references and additional guidance for configuring and assigning custom protection policies:
+The table below provides references and more guidance for configuring and assigning custom protection policies:
<br>
The table below provides references and additional guidance for configuring and
|Safe Links|Protect users from opening and sharing malicious links in email messages or Office desktop apps.|[Set up safe links policies in Defender for Office 365](../office-365-security/set-up-safe-links-policies.md)| |
-## Step 3: Try out capabilities ΓÇö Get familiar with simulation, monitoring, and metrics
+## Step 3: Try out capabilities and get familiar with simulation, monitoring, and metrics
Now that your pilot is set up and configured, it's helpful to become familiar with the reporting, monitoring, and attack simulation tools that are unique to Microsoft Defender for Microsoft 365.
Now that your pilot is set up and configured, it's helpful to become familiar wi
|Capability|Description|More information| |||| |Threat Explorer|Threat Explorer is a powerful near real-time tool to help Security Operations teams investigate and respond to threats and displays information about suspected malware and phish in email and files in Office 365, as well as other security threats and risks to your organization.|[Views in Threat Explorer and real-time detections](../office-365-security/threat-explorer-views.md)|
-|Attack Simulator|You can use Attack Simulation Training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization which help you identify and find vulnerable users before a real attack impacts your environment.|[Get started using Attack simulation training](../office-365-security/attack-simulation-training-get-started.md)|
-|Reports dashboard|On the left navigation menu, click Reports and expand the Email & collaboration heading. The Email & collaboration reports are about spotting security trends some of which will allow you to take action (through buttons like 'Go to submissions'), and others that will show trends, like Mailflow status summary, Top Malware, Spoof detections, Compromised users, Mail latency, Safe Links and Safe attachments reports. These metrics are generated automatically.|[View Reports](../office-365-security/view-email-security-reports.md)|
+|Attack Simulator|You can use Attack Simulation Training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization, which help you identify and find vulnerable users before a real attack impacts your environment.|[Get started using Attack simulation training](../office-365-security/attack-simulation-training-get-started.md)|
+|Reports dashboard|On the left navigation menu, click Reports and expand the Email & collaboration heading. The Email & collaboration reports are about spotting security trends some of which will allow you to take action (through buttons like 'Go to submissions'), and others that will show trends, like Mailflow status summary, Top Malware, Spoof detections, Compromised users, Mail latency, Safe Links, and Safe attachments reports. These metrics are generated automatically.|[View Reports](../office-365-security/view-email-security-reports.md)|
| ## Next steps
security Eval Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-overview.md
Microsoft 365 Defender is a Cloud-based, unified, pre- and post-breach enterpris
In this illustration an attack is underway. Phishing email arrives at the Inbox of an employee in your organization, who unknowingly opens the email attachment. This installs malware, which leads to a chain of events that could end with the theft of sensitive data. But in this case, Defender for Office 365 is in operation.
-![How Microsoft 365 Defender stops a chain of threats.](../../media/defender/m365-defender-eval-threat-chain.png)
In the illustration:
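Review bot: The threat-chain image line is removed with no replacement visible in this hunk, while the surrounding text ("In this illustration an attack is underway" and "In the illustration:") still depends on it. Either add the converted `:::image` line for `m365-defender-eval-threat-chain.png` with alt text, or reword the surrounding sentences so they do not point at a missing figure.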
Microsoft 365 Defender is made up of these security technologies, operating in t
The diagram below illustrates high-level architecture for key Microsoft 365 Defender components and integrations. *Detailed* architecture for each Defender component, and use-case scenarios, are given throughout this series of articles.
-![Microsoft 365 Defender high-level architecture.](../../media/defender/m365-defender-eval-architecture.png)
In this illustration:
Additional optional architecture components not included in this illustration:
Microsoft recommends enabling the components of Microsoft 365 in the order illustrated:
-![Microsoft 365 Defender high-level evaluation process.](../../media/defender/m365-defender-eval-process.png)
The following table describes this illustration.
-|Step|Link|Description|
-||||
-|1|[Create the evaluation environment](eval-create-eval-environment.md)|This step ensures you have the trial license for Microsoft 365 Defender.|
-|2|[Enable Defender for Identity](eval-defender-identity-overview.md)|Review the architecture requirements, enable the evaluation, and walk through tutorials for identifying and remediating different attack types.|
-|3|[Enable Defender for Office 365](eval-defender-office-365-overview.md)|Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. This component includes Exchange Online Protection and so you will actually evaluate *both* here.|
-|4|[Enable Defender for Endpoint](eval-defender-endpoint-overview.md)|Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment.|
-|5|[Enable Microsoft Defender for Cloud Apps](eval-defender-mcas-overview.md)|Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment.|
-|6|[Investigate and respond to threats](eval-defender-investigate-respond.md)|Simulate an attack and begin using incident response capabilities.|
-|7|[Promote the trial to production](eval-defender-promote-to-production.md)|Promote the Microsoft 365 components to production one-by-one.|
-||||
+| Serial Number |Step |Description |
+||||
+|1 | [Create the evaluation environment](eval-create-eval-environment.md) |This step ensures you have the trial license for Microsoft 365 Defender. |
+|2 | [Enable Defender for Identity](eval-defender-identity-overview.md) | Review the architecture requirements, enable the evaluation, and walk through tutorials for identifying and remediating different attack types. |
+|3 | [Enable Defender for Office 365 ](eval-defender-office-365-overview.md) | Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. This component includes Exchange Online Protection and so you will actually evaluate *both* here. |
+|4 | [Enable Defender for Endpoint ](eval-defender-endpoint-overview.md) | Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. |
+|5 | [Enable Microsoft Defender for Cloud Apps](eval-defender-mcas-overview.md) | Ensure you meet the architecture requirements, enable the evaluation, and then create the pilot environment. |
+|6 | [Investigate and respond to threats](eval-defender-investigate-respond.md) | Simulate an attack and begin using incident response capabilities. |
+|7 | [Promote the trial to production](eval-defender-promote-to-production.md) | Promote the Microsoft 365 components to production one-by-one. |
This is a commonly recommended order designed to leverage the value of the capabilities quickly based on how much effort is typically required to deploy and configure the capabilities. For example, Defender for Office 365 can be configured in less time than it takes to enroll devices in Defender for Endpoint. Of course, you should prioritize the components to meet your business needs, and can enable these in a different order.
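Review bot: In the rewritten table, rows 3 and 4 introduce a stray space inside the link text, `[Enable Defender for Office 365 ]` and `[Enable Defender for Endpoint ]`, which renders as a trailing space in the link; drop it. The new first column header "Serial Number" is an odd label for a step order ("Step" for the number and "Link" or "Task" for the second column would be clearer), and the process image above the table is removed without a visible replacement although "The following table describes this illustration." remains.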
security Feedback https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/feedback.md
Check out this video to see how easy it is to provide feedback.
1. From any part of the portal, select **Give feedback**.
- ![Image of feedback button.](../../media/feedback.png)
-
+ :::image type="content" source="../../media/feedback.png" alt-text="The incidents in the Microsoft 365 security portal" lightbox="../../media/feedback.png":::
+
2. Rate your experience and provide details on what you liked or where improvement can be made. You can also choose to be contacted about the feedback. 3. Select **Submit**.
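Review bot: The added `:::image` line for `feedback.png` uses the alt text "The incidents in the Microsoft 365 security portal", which does not describe this image; the line it replaces described it as "Image of feedback button." Write alt text that describes the Give feedback control shown in step 1.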
security First Incident Analyze https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-analyze.md
Once a security incident is detected, Microsoft 365 Defender presents details yo
## Detection by Microsoft 365 Defender
-Microsoft 365 Defender receives alerts and events from multiple Microsoft security platforms as detection sources to create a holistic picture and context of malicious activity. These are the possible detection sources:
+Microsoft 365 Defender receives alerts and events from multiple Microsoft security platforms as detection sources to create a holistic picture and context of malicious activity. The possible detection sources are:
- [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md) is an endpoint detection and response solution (EDR) that uses Microsoft Defender antivirus and cloud-enabled advanced threat protection using Microsoft Security Graph. Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. It protects endpoints from cyberthreats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. - [Microsoft Defender for Identity](/defender-for-identity/what-is) is a cloud-based security solution that uses your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft 365 Defender receives alerts and events from multiple Microsoft securi
- [Azure Security Center](/azure/security-center/security-center-introduction) is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud and on premises.
-In Microsoft 365 Defender, [incidents](incidents-overview.md) are identified by correlating alerts from these different detection sources. Instead of spending resources stringing together or distinguishing multiple alerts into their respective incidents, you can start with the incident queue in Microsoft 365 Defender right away. This allows you to triage incidents in an efficient manner across endpoints, identities, email, and applications, and reduce the damage from an attack.
+In Microsoft 365 Defender, [incidents](incidents-overview.md) are identified by correlating alerts from these different detection sources. Instead of spending resources stringing together or distinguishing multiple alerts into their respective incidents, you can start with the incident queue in Microsoft 365 Defender right away. This approach allows you to triage incidents in an efficient manner across endpoints, identities, email, and applications, and reduce the damage from an attack.
## Triage your incidents
A useful sample guide for determining which incident to prioritize in Microsoft
Analysts then initiate investigations based on the **Priority** criteria set by the organization.
-Incident prioritization might vary depending on the organization. NIST recommends also considering the functional and informational impact of the incident, and recoverability.
+Incident prioritization might vary depending on the organization. NIST also recommends considering the functional and informational impact of the incident, and recoverability.
-The following is just one approach to triage to consider:
+One approach to triage is described below:
1. Go to the [incidents](incidents-overview.md) page to initiate triage. Here you can see a list of incidents affecting your organization. By default, they are arranged from the most recent to the oldest incident. From here, you can also see different columns for each incident showing their severity, category, number of active alerts, and impacted entities, among others. You can customize the set of columns and sort the incident queue by some of these columns by selecting the column name. You can also filter the incident queue according to your needs. For a full list of available filters, see [Prioritize incidents](incident-queue.md#available-filters).
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-queue.png" alt-text="Example of the incident queue.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-queue.png" alt-text="The incidents in the Microsoft 365 security portal" lightbox="../../media/first-incident-analyze/first-incident-analyze-queue.png":::
- One example of how you might perform triage for this set of incidents is to prioritize incidents that affected more users and devices. In this example, you might prioritize incident ID 6769 because it affected the largest number of entities: 7 devices, 6 users, and 2 mailboxes. Furthermore, the incident appears to contain alerts from Microsoft Defender for Identity, which indicate an identity-based alert and possible credential theft.
+ One example of how you might perform triage for this set of incidents is to prioritize incidents that affected more users and devices. In this example, you might prioritize incident ID 6769 because it affected the largest number of entities: seven devices, six users, and two mailboxes. Furthermore, the incident appears to contain alerts from Microsoft Defender for Identity, which indicate an identity-based alert and possible credential theft.
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-high-impact.png" alt-text="Example of a high-impact incident.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-high-impact.png" alt-text="The Incidents** page showing example of a high-impact incident in the Microsoft 365 security portal" lightbox="../../media/first-incident-analyze/first-incident-analyze-high-impact.png":::
2. Select the circle next to the incident name to review the details. A side pane will appear on the right side, which contains additional information that can assist your triage further.
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-incident-flyout.png" alt-text="Example of an incident side pane.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-incident-flyout.png" alt-text="The Incidents page showing example of an incident side pane in the Microsoft 365 security portal" lightbox="../../media/first-incident-analyze/first-incident-analyze-incident-flyout.png":::
- For example, by looking at which [MITRE ATT&CK](https://attack.mitre.org/) tactics the attacker used based on the incidentΓÇÖs categories, you might prioritize this incident because the attacker used stolen credentials, established command and control, performed lateral movement, and exfiltrated some data. This suggests the attacker has already gone deep into the network and possibly stolen confidential information.
+ For example, by looking at which [MITRE ATT&CK](https://attack.mitre.org/) tactics the attacker used based on the incidentΓÇÖs categories, you might prioritize this incident because the attacker used stolen credentials, established command and control, performed lateral movement, and exfiltrated some data. These actions suggest that the attacker has already gone deep into the network and possibly stolen confidential information.
Additionally, if your organization has implemented the Zero Trust framework, you would consider credential access as an important security violation worth prioritizing. Scrolling down the side pane, you will see the specific impacted entities such as users, devices, and mailboxes. You can check the exposure level of each device and the owners of affected mailboxes.
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-incident-flyout-details.png" alt-text="Example of an incident side pane details.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-incident-flyout-details.png" alt-text="The incident side pane details" lightbox="../../media/first-incident-analyze/first-incident-analyze-incident-flyout-details.png":::
3. Further down the side pane, you can find the associated alerts. Microsoft 365 Defender has already performed the correlation of said alerts into a single incident, saving you time and resources better spent remediating the attack. Alerts are suspicious and therefore possibly malicious system events that suggest the presence of an attacker on a network. In this example, 87 individual alerts were determined to be part of one security incident. You can view all the alerts to get a quick view of how the attack played out.
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-incident-flyout-alerts.png" alt-text="Example of alerts in an incident side pane.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-incident-flyout-alerts.png" alt-text="The alerts in an incident side pane in the Microsoft 365 security portal" lightbox="../../media/first-incident-analyze/first-incident-analyze-incident-flyout-alerts.png":::
## Analyze your first incident
-Understanding the context surrounding alerts is equally important. Often an alert is not a single independent event. There is a chain of processes created, commands, and actions that might not have occurred at the same time. Therefore, you must look for the first and last activities of the suspicious entity in device timelines to understand the context of the alerts.
+Understanding the context that surrounds alerts is equally important. Often an alert is not a single independent event. There is a chain of processes created, commands, and actions that might not have occurred at the same time. Therefore, an analyst must look for the first and last activities of the suspicious entity in device timelines to understand the context of the alerts.
There are multiple ways to read and analyze data using Microsoft 365 Defender but the end goal for analysts is to respond to incidents as quickly as possible. While Microsoft 365 Defender can significantly reduce [Mean Time to Remediate (MTTR)](https://www.microsoft.com/security/blog/2020/05/04/lessons-learned-microsoft-soc-part-3c/) through the industry-leading [automated investigation and response](m365d-autoir.md) feature, there are always cases that require manual analysis. Here's an example:
-1. Once triage priority has been determined, you can begin an in-depth analysis by selecting the incident name. This page brings up the **Incident Summary** where data is displayed in tabs to assist with the analysis. Under the **Alerts** tab, the type of alerts are displayed. Analysts can click on each alert to drill down into the respective detection source.
+1. Once triage priority has been determined, an analyst begins an in-depth analysis by selecting the incident name. This page brings up the **Incident Summary** where data is displayed in tabs to assist with the analysis. Under the **Alerts** tab, the types of alerts are displayed. Analysts can click on each alert to drill down into the respective detection source.
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-summary-tab.png" alt-text="Example of the Summary tab of an incident.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-summary-tab.png" alt-text="The Summary tab of an incident" lightbox="../../media/first-incident-analyze/first-incident-analyze-summary-tab.png":::
For a quick guide about which domain each detection source covers, review the [Detect](#detection-by-microsoft-365-defender) section of this article. 2. From the **Alerts** tab, you can pivot to the detection source to conduct a more in-depth investigation and analysis. For example, selecting Malware Detection with Microsoft Defender for Cloud Apps as the detection source takes the analyst to its corresponding alert page.
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-select-alert.png" alt-text="Example of selecting an alert of an incident.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-select-alert.png" alt-text="The Incidents page that shows an example of selecting an alert of an incident." lightbox="../../media/first-incident-analyze/first-incident-analyze-select-alert.png":::
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-link-to-mcas.png" alt-text="Example of a corresponding page in Microsoft Defender for Cloud Apps.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-link-to-mcas.png" alt-text="A corresponding page in the Microsoft Defender for Cloud Apps" lightbox="../../media/first-incident-analyze/first-incident-analyze-link-to-mcas.png":::
-3. To investigate our example further, scrolling to the bottom of the page to view the **Users affected**. To see the activity and context surrounding the malware detection, select Annette HillΓÇÖs user page .
+3. To investigate our example further, scrolling to the bottom of the page to view the **Users affected**. To see the activity and context surrounding the malware detection, select Annette HillΓÇÖs user page.
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-user-page.png" alt-text="Example of a user page.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-user-page.png" alt-text="A user page" lightbox="../../media/first-incident-analyze/first-incident-analyze-user-page.png":::
-4. On the user page is a chronological list of events starting with a *Risky Sign-in from a TOR network IP Address* alert. While the suspiciousness of an activity depends on the nature of how an organization conducts its business, in most cases the use of The Onion Router (TOR), a network that allows users to browse the web anonymously, in an enterprise environment might be considered highly unlikely and unnecessary for regular online operations.
+4. The user page lists events chronologically, starting with a *Risky Sign-in from a TOR network IP Address* alert. While the suspiciousness of an activity depends on the nature of how an organization conducts its business, in most cases the use of The Onion Router (TOR), a network that allows users to browse the web anonymously, in an enterprise environment might be considered highly unlikely and unnecessary for regular online operations.
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-user-event-list.png" alt-text="Example of the chronological list of events for a user.":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-user-event-list.png" alt-text="The chronological list of events for a user" lightbox="../../media/first-incident-analyze/first-incident-analyze-user-event-list.png":::
-5. Each alert can be selected to obtain more information on the activity. For example, selecting **Activity from a Tor IP Address** alert leads you to that alertΓÇÖs own page. Annette is an Administrator of Office 365, which means she has elevated privileges and the source incident might have led to access to confidential information.
+5. Each alert can be selected to obtain more information on the activity. For example, selecting **Activity from a Tor IP Address** alert leads you to that alertΓÇÖs own page. Annette is an Administrator of Office 365, which indicates elevated privileges and that the source incident might have led to access to confidential information.
- :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-mcas-alert.png" alt-text="Example of alerts details for Microsoft Defender for Cloud Apps .":::
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-mcas-alert.png" alt-text="The alerts details for the Microsoft Defender for Cloud Apps" lightbox="../../media/first-incident-analyze/first-incident-analyze-mcas-alert.png" :::
6. By selecting other alerts, you can get a complete picture of the attack. ## Next step
-[![Step 2: Learn how to remediate incidents.](../../medi)
Learn how to [remediate incidents](first-incident-remediate.md).
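Review bot: In step 3 the added line still reads "To investigate our example further, scrolling to the bottom of the page to view the **Users affected**", which is a sentence fragment. Since the line is already being edited to drop the space before the period, change "scrolling" to "scroll". In the image line for step 5, a space was introduced before the closing `:::` (`first-incident-analyze-mcas-alert.png" :::`), unlike the other image lines in this change. Its new alt text, "The alerts details for the Microsoft Defender for Cloud Apps", would read better as "Alert details in Microsoft Defender for Cloud Apps".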
security First Incident Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-overview.md
Incidents in Microsoft 365 Defender are the logical starting points for analysis
## Next step
-[![Prepare your organization and Microsoft 365 tenant.](../../medi)
Make sure your organization and Microsoft 365 tenant is [prepared for incident handling](first-incident-prepare.md).
Incident response guidance for Microsoft 365 Defender:
- [Investigate incidents](investigate-incidents.md) - [Manage incidents](manage-incidents.md)
-Additional examples of first incident responses:
+More examples of first incident responses:
- [Phishing email](first-incident-path-phishing.md) - [Identity-base attack](first-incident-path-identity.md)
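Review bot: The link text "Identity-base attack", in the list under the reworded "More examples of first incident responses:" line, is a typo for "Identity-based attack". Fix it in the same change, since the line introducing the list is already being edited.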
security First Incident Path Identity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-path-identity.md
Microsoft Defender for Identity can help detect malicious attempts to compromise
Microsoft 365 Defender allows analysts to filter alerts by detection source on the **Alerts** tab of the incidents page. In the following example, the detection source is filtered to **Defender for Identity**.
-Selecting the **Suspected overpass-the-hash attack** alert goes to a page in Microsoft Defender for Cloud Apps that displays more detailed information. You can always find out more about an alert or attack by selecting **Learn more about this alert type** to read a [description of the attack](/defender-for-identity/lateral-movement-alerts#suspected-overpass-the-hash-attack-kerberos-external-id-2002) as well as remediation suggestions.
+Selecting the **Suspected overpass-the-hash attack** alert goes to a page in Microsoft Defender for Cloud Apps that displays more detailed information. You can always find out more about an alert or attack by selecting **Learn more about this alert type** to read a [description of the attack](/defender-for-identity/lateral-movement-alerts#suspected-overpass-the-hash-attack-kerberos-external-id-2002) and remediation suggestions.
## Investigating the same attack in Microsoft Defender for Endpoint
-Alternatively, an analyst can use Defender for Endpoint to learn more about the activity on an endpoint. Select the incident from the incident queue, then select the **Alerts** tab. From here, they can identify the detection source as well. A detection source labeled as EDR stands for Endpoint Detection and Response, which is Defender for Endpoint. From here, the analyst select an alert detected by EDR.
+Alternatively, an analyst can use Defender for Endpoint to learn more about the activity on an endpoint. Select the incident from the incident queue, then select the **Alerts** tab. From here, they can identify the detection source as well. A detection source labeled as EDR stands for Endpoint Detection and Response, which is Defender for Endpoint. From here, the analyst selects an alert detected by EDR.
The alert page displays various pertinent information such as the impacted device name, username, status of auto-investigation, and the alert details. The alert story depicts a visual representation of the process tree. The process tree is a hierarchical representation of parent and child processes related to the alert.
-Each process can be expanded to view additional details. Details that an analyst can see are the actual commands that were entered as part of a malicious script, outbound connection IP addresses, and other useful information.
+Each process can be expanded to view more details. Details that an analyst can see are the actual commands that were entered as part of a malicious script, outbound connection IP addresses, and other useful information.
By selecting **See in timeline**, an analyst can drill down even further to determine the exact time of the compromise. Microsoft Defender for Endpoint can detect many malicious files and scripts. However, due to many legitimate uses for outbound connections, PowerShell, and command-line activity, some activity would be considered benign until it creates a malicious file or activity. Therefore, using the timeline helps analysts to put the alert into context with the surrounding activity to determine the original source or time of the attack that otherwise is obscured by common file system and user activity.
-To do this, an analyst would start at the time of the alert detection (in red) and scroll down backwards in time to determine when the original activity that led to the malicious activity actually started.
+To use the timeline, an analyst would start at the time of the alert detection (in red) and scroll down backwards in time to determine when the original activity that led to the malicious activity actually started.
-It is important to understand and distinguish common activity such as Windows Update connections, Windows Trusted Software activation traffic, other common connections to Microsoft sites, third-party Internet activity, Microsoft Endpoint Configuration Manager activity, and other benign activity from suspicious activity. One way to accomplish this is by using timeline filters. There are many filters that can highlight specific activity while filtering out anything that the analyst does not want to view.
+It is important to understand and distinguish common activity such as Windows Update connections, Windows Trusted Software activation traffic, other common connections to Microsoft sites, third-party Internet activity, Microsoft Endpoint Configuration Manager activity, and other benign activity from suspicious activity. One way to distinguish is by using timeline filters. There are many filters that can highlight specific activity while filtering out anything that the analyst does not want to view.
-In the image below, the analyst filtered to view only network and process events. This allows the analyst to see the network connections and processes surrounding the event where Notepad established a connection with an IP address, which we also saw in the process tree.
+In the image below, the analyst filtered to view only network and process events. This filter criteria allows the analyst to see the network connections and processes surrounding the event where Notepad established a connection with an IP address, which we also saw in the process tree.
-In this particular event, Notepad was used to make a malicious outbound connection. However, often attackers will simply use iexplorer.exe to establish connections to download a malicious payload because ordinarily iexplorer.exe processes are considered regular web browser activity.
+In this particular event, Notepad was used to make a malicious outbound connection. However, often attackers will use iexplorer.exe to establish connections to download a malicious payload because ordinarily iexplorer.exe processes are considered regular web browser activity.
Another item to look for in the timeline would be PowerShell uses for outbound connections. The analyst would look for successful PowerShell connections with commands such as `IEX (New-Object Net.Webclient)` followed by an outbound connection to a website hosting a malicious file.
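Review bot: Both the removed and the added sentence about browser-based downloads name the process `iexplorer.exe`, but the Internet Explorer executable is `iexplore.exe`. An analyst filtering the timeline on the name as written would not match the legitimate browser process, so correct the spelling in both occurrences. In the added timeline-filter sentence, "This filter criteria allows" mixes singular and plural; use "This filter allows" or "These filter criteria allow". The reworded "One way to distinguish is by using timeline filters" lost its object; "One way to tell them apart is to use timeline filters" keeps the meaning.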
security First Incident Path Phishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-path-phishing.md
Microsoft 365 Defender can help detect malicious attachments delivered via email
For example, an analyst was assigned a multi-stage incident. In the **Alerts** tab of the incident, alerts from Defender for Office 365 and Microsoft Defender for Cloud Apps are displayed. The analyst can drill down into the Defender for Office 365 alerts by selecting the email messages alerts. The details of the alert are displayed on the side pane. By scrolling down further, more information is displayed, showing the malicious files and user that was impacted. Selecting **Open alert page** takes you to the specific alert where various information can be viewed in greater detail by selecting the link. The actual email message can be viewed by selecting **View messages in Explorer** toward the bottom of the panel. This takes the analyst to the Threat Management page where the email Subject, Recipient, Sender, and other information are displayed. **ZAP** under **Special Actions** tells the analyst that the Zero-hour auto purge feature was implemented. ZAP automatically detects and removes malicious and spam messages from mailboxes across the organization. For more information, see [Zero-hour auto purge (ZAP) in Exchange Online](../office-365-security/zero-hour-auto-purge.md). Other actions can be taken on specific messages by selecting **Actions**. ## Next step
security First Incident Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-prepare.md
Automation is a crucial part of implementing and maintaining a Zero Trust enviro
Next, organizations can use the [Microsoft Secure Score](microsoft-secure-score.md) in Microsoft 365 Defender to determine your current security posture and consider recommendations on how to improve it. The higher the score is, the more security recommendations and improvement actions have been taken by the organization. Secure Score recommendations can be taken across different products and allow organizations to raise their scores even higher. ## Step 3. Assess your organizationΓÇÖs vulnerability exposure
Preventing incidents can help streamline security operations efforts to focus on
To check your software patching progress, visit the [Threat and Vulnerability Management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md) page in Defender for Endpoint, which you can access from Microsoft 365 Defender through the **More resources** tab. ## 4. Understand emerging threats
security First Incident Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-remediate.md
Continuing the example in [Detect, triage, and analyze incidents](first-incident
7. Create a custom indicator in Microsoft Defender for Endpoint to block a Tor IP address 8. Create a governance action in Microsoft Defender for Cloud Apps for this type of alert such as those shown in the following image:
- :::image type="content" source="../../media/first-incident-remediate/first-incident-mcas-governance.png" alt-text="Example of governance actions in the Microsoft Defender for Cloud Apps portal.":::
+ :::image type="content" source="../../media/first-incident-remediate/first-incident-mcas-governance.png" alt-text="Governance actions in the Microsoft Defender for Cloud Apps portal" lightbox="../../media/first-incident-remediate/first-incident-mcas-governance.png":::
Most of the remediation actions can be applied and tracked in Microsoft 365 Defender.
Playbooks use Power Automate to create custom robotic process automation flows t
Here's an example. Playbooks can also be created during [post-incident review](first-incident-post.md) to create remediation actions from resolved incidents.
security Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started.md
Microsoft 365 Defender is a unified experience where you can monitor and manage
Whether you're new to the Microsoft suite of security products or familiar with individual workflows, this topic will guide you in the simple steps you need to take to get started with Microsoft 365 Defender.
-![Image of getting started with Microsoft 365 Defender steps.](../../media/mtp/get-started-m365d.png)
In general, you'll need to take the following steps to get started:
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
The **Incident queue** shows a collection of incidents that were created across
You get to the incident queue from **Incidents & alerts > Incidents** on the quick launch of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. Here's an example. The **Most recent incidents and alerts** section shows a graph of the number of alerts received and incidents created in the last 24 hours.
The **Filters** list above the list of incidents shows the currently applied fil
From the default incident queue, you can select **Filter** to see a **Filter** pane, from which you specify a filtered set of incidents. Here's an example. You can also see the **Filter** pane by selecting any of the filters in the **Filters** list above the list of incidents.
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
You manage incidents from **Incidents & alerts > Incidents** on the quick launch
Selecting an incident name displays a summary of the incident and provides access to tabs with additional information. HereΓÇÖs an example. The additional tabs for an incident are:
Here's the relationship between an incident and its data and the tabs of an inci
Here's an example workflow for responding to incidents in Microsoft 365 with the Microsoft 365 Defender portal. On an ongoing basis, identify the highest priority incidents for analysis and resolution in the incident queue and get them ready for response. This is a combination of:
For more information about incident response across Microsoft products, see [thi
Here's an example of security operations (SecOps) for Microsoft 365 Defender. Daily tasks can include:
Follow these steps to create a new rule and customize email notification setting
- **Include organization name in the email** - Select if you want your organization name to appear in the email notification. - **Include tenant-specific portal link** - Select if you want to add a link with the tenant ID in the email notification for access to a specific Microsoft 365 tenant.
- :::image type="content" source="../../media/get-incident-notifications/incidents-ss-email-notification-settings.png" alt-text="Notification settings for incident email notifications." lightbox="../../media/get-incident-notifications/incidents-ss-email-notification-settings.png":::
+ :::image type="content" source="../../media/get-incident-notifications/incidents-ss-email-notification-settings.png" alt-text="The Notification settings page for incident email notifications in the Microsoft 365 Defender portal." lightbox="../../media/get-incident-notifications/incidents-ss-email-notification-settings.png":::
5. Select **Next**. On the **Recipients** page, add the email addresses that will receive the incident notifications. Select **Add** after typing each new email address. To test notifications and ensure that the recipients receive them in the inboxes, select **Send test email**. 6. Select **Next**. On the **Review rule** page, review the settings of the rule, and then select **Create rule**. Recipients will start receiving incident notifications through email based on the settings.
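Review bot: The new alt text "The Notification settings page for incident email notifications in the Microsoft 365 Defender portal." keeps a trailing period, while the other alt texts rewritten on this page drop it (for example "A user page"). Pick one convention and apply it to all of them.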
security Integrate Microsoft 365 Defender Secops Use Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-use-cases.md
SOC Oversight activities related to use case development include:
To facilitate the runbook and playbook creation processes, create a use case decision tree. This figure shows an example. Once a high-level use case standard has been defined and approved, the next step is to create and test an actual use case. The following sections use anti-phishing and threat and vulnerability scanning scenarios as examples.
Once a high-level use case standard has been defined and approved, the next step
The first step in creating a use case is to outline the workflow using a story board. HereΓÇÖs an example of a high-level story board for a new phishing exploit notification to a Threat Intelligence team. ### Invoke the use case workflow for example 1 Once the story board has been approved, the next step is to invoke the use case workflow. Here is an example process for an anti-phishing campaign. ## Use case example 2: Threat and vulnerability scanning
Another scenario where a use case could be used is for threat and vulnerability
Here is an example high-level storyboard for the threat and vulnerability management of assets. ### Invoke the use case workflow for example 2 Here is an example process for threat and vulnerability scanning. ### Analyze the use case output and lessons learned
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
In Microsoft 365 Defender, related alerts are aggregated together to form [incid
The **Alerts queue** shows the current set of alerts. You get to the alerts queue from **Incidents & alerts > Alerts** on the quick launch of the [Microsoft 365 Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139). Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft 365 Defender appear here.
By default, the alerts queue in the Microsoft 365 Defender portal displays the n
From the default alerts queue, you can select **Filter** to see a **Filter** pane, from which you can specify a subset of the alerts. Here's an example. You can filter alerts according to these criteria:
YouΓÇÖll need to have any of the following roles to access Microsoft Defender fo
To see the main alert page, select the name of the alert. Here's an example. +
+You can also select the **Open the main alert page** action from the **Manage alert** pane.
An alert page is composed of these sections:
Once you've selected an entity of interest, the details page changes to display
To manage an alert, select **Manage alert** in the summary details section of the alert page. For a single alert, here's an example of the **Manage alert** pane. The **Manage alert** pane allows you to view or specify:
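Review bot: The added sentence "You can also select the **Open the main alert page** action from the **Manage alert** pane" refers to the **Manage alert** pane before the article explains how to open it. The only instruction visible here, "select **Manage alert** in the summary details section of the alert page", comes later and starts from the alert page itself. State from which view the pane is opened in this case, or link to the section that introduces the pane, so the new path to the main alert page does not read as circular.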
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
Before diving into the details, take a look at the properties and summary of the
You can start by selecting the incident from the check mark column. Here's an example. When you do, a summary pane opens with key information about the incident, such as severity, to whom it is assigned, and the [MITRE ATT&CK&trade;](https://attack.mitre.org/) categories for the incident. Here's an example. From here, you can select **Open incident page**. This opens the main page for the incident where you'll find more summary information and tabs for alerts, devices, users, investigations, and evidence.
You can also open the main page for an incident by selecting the incident name f
The **Summary** page gives you a snapshot glance at the top things to notice about the incident. Information is organized in these sections.
On the **Alerts** tab, you can view the alert queue for alerts related to the in
Here's an example. By default, the alerts are ordered chronologically to allow you to see how the attack played out over time. When you select an alert within an incident, Microsoft 365 Defender displays the alert information specific to the context of the overall incident.
You can see the events of the alert, which other triggered alerts caused the cur
Here's an example. The incident alert page has these sections:
Learn how to use the alert queue and alert pages in [investigate alerts](investi
The **Devices** tab lists all the devices related to the incident. Here's an example. You can select the check mark for a device to see details of the device, directory data, active alerts, and logged on users. Select the name of the device to see device details in the Defender for Endpoint device inventory. Here's an example. From the device page, you can gather additional information about the device, such as all of its alerts, a timeline, and security recommendations. For example, from the **Timeline** tab, you can scroll through the machine timeline and view all events and behaviors observed on the machine in chronological order, interspersed with the alerts raised.
From the device page, you can gather additional information about the device, su
The **Users** tab lists all the users that have been identified to be part of or related to the incident. Here's an example. You can select the check mark for a user to see details of the user account threat, exposure, and contact information. Select the user name to see additional user account details.
Learn how to view additional user information and manage the users of an inciden
The **Mailboxes** tab lists all the mailboxes that have been identified to be part of or related to the incident. Here's an example. You can select the check mark for a mailbox to see a list of active alerts. Select the mailbox name to see additional mailbox details on the Explorer page for Defender for Office 365.
You can select the check mark for a mailbox to see a list of active alerts. Sele
The **Investigations** tab lists all the [automated investigations](m365d-autoir.md) triggered by alerts in this incident. Automated investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Defender for Endpoint and Defender for Office 365. Select an investigation to navigate to its details page for full information on the investigation and remediation status. If there are any actions pending for approval as part of the investigation, they will appear in the **Pending actions history** tab. Take action as part of incident remediation.
For more information, see [Automated investigation and response in Microsoft 365
The **Evidence and Response** tab shows all the supported events and suspicious entities in the alerts in the incident. Here's an example. Microsoft 365 Defender automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with information about the important emails, files, processes, services, IP Addresses, and more. This helps you quickly detect and block potential threats in the incident.
From the **Graph** tab, you can:
1. Play the alerts and the nodes on the graph as they occurred over time to understand the chronology of the attack.
- :::image type="content" source="../../media/investigate-incidents/incident-graph-play.gif" alt-text="Example of playing the alerts and nodes on the Graph page":::
+ :::image type="content" source="../../media/investigate-incidents/incident-graph-play.gif" alt-text="The playing of the alerts and nodes on the Graph page":::
2. Open an entity pane, allowing you to review the entity details and act on remediation actions, such as deleting a file or isolating a device.
- :::image type="content" source="../../media/investigate-incidents/incident-graph-entity-pane.png" alt-text="Example of an entity pane on the Graph page" lightbox="../../media/investigate-incidents/incident-graph-entity-pane.png":::
+ :::image type="content" source="../../media/investigate-incidents/incident-graph-entity-pane.png" alt-text="The entity pane on the Graph page in the Microsoft 365 Defender portal" lightbox="../../media/investigate-incidents/incident-graph-entity-pane.png":::
3. Highlight the alerts based on the entity to which they are related.
- :::image type="content" source="../../media/investigate-incidents/incident-graph-alert.png" alt-text="Example of an alert highlight on the Graph page" lightbox="../../media/investigate-incidents/incident-graph-alert.png":::
+ :::image type="content" source="../../media/investigate-incidents/incident-graph-alert.png" alt-text="An alert highlight on the Graph page" lightbox="../../media/investigate-incidents/incident-graph-alert.png":::
## Next steps
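Review bot: The three new alt texts for the **Graph** tab are inconsistent: only the entity pane text ends with "in the Microsoft 365 Defender portal", and "The playing of the alerts and nodes on the Graph page" is awkward. Something like "Alerts and nodes playing back on the Graph page" reads better. The `incident-graph-play.gif` line is also the only one of the three without a `lightbox` attribute; confirm that this is intended for the animated image.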
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
ms.technology: m365d
Part of your incident investigation can include user accounts. You can see the details of user accounts identified in the alerts of an incident in the Microsoft 365 Defender portal from **Incidents & alerts** \> ***incident*** \> **Users**. Here's an example. To get a quick summary of a user account for the incident, select the check mark next to the user account name. Here's an example. > [!NOTE] > The user page shows Azure Active Directory (Azure AD) organization as well as groups, helping you understand the groups and permissions associated with a user.
In addition, you can take action directly in the Microsoft 365 Defender portal t
From here, you can select **Go to user page** to see the details of a user account. Here's an example. You can also see this page by selecting the name of the user account from the list on the **Users** page. You can see group membership for the user by selecting the number under **Groups**. By selecting the icon under **Manager**, you can see where the user is in the organization tree.
From this page, you can do these additional actions:
Here's an example. ## View lateral movement paths
The map provides you with a list of how many hops between computers or users an
If a potential lateral movement path wasn't detected for the entity during the past two days, the graph doesn't display. Select a different date using View a different date to view previous lateral movement paths graphs discovered for this entity. The lateral movement path report is always available to provide you with information about the potential lateral movement paths discovered, and can be customized by time. For more information, see [Lateral movement paths](/defender-for-identity/use-case-lateral-movement-path).
security M365d Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-action-center.md
Because the Action center provides a comprehensive view of Microsoft 365 Defende
The unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) lists pending and completed remediation actions for your devices, email & collaboration content, and identities in one location. For example:
security M365d Autoir Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-actions.md
It's important to approve (or reject) pending actions as soon as possible so tha
3. In the Action center, on the **Pending** tab, select an item in the list. Its flyout pane opens. Here's an example.
- :::image type="content" source="../../media/air-actioncenter-itemselected.png" alt-text="Example of approving or rejecting an action." lightbox="../../media/air-actioncenter-itemselected.png":::
+ :::image type="content" source="../../media/air-actioncenter-itemselected.png" alt-text="The options to approve or reject an action" lightbox="../../media/air-actioncenter-itemselected.png":::
4. Review the information in the flyout pane, and then take one of the following steps: - Select **Open investigation page** to view more details about the investigation.
security M365d Autoir Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-results.md
Use an incident details page to view detailed information about an incident, inc
Here's an example. ## Investigation details Use the investigation details view to see past, current, and pending activity pertaining to an investigation. Here's an example. In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
security M365d Configure Auto Investigation Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-configure-auto-investigation-response.md
Security settings in Office 365 help protect email and content. To view or chang
## Make sure Microsoft 365 Defender is turned on 1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>
security M365d Enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable.md
Once the service is provisioned, it adds:
- [Advanced hunting](advanced-hunting-overview.md) capabilities - Threat analytics
-![Image of Microsoft 365 Defender portal navigation pane with Microsoft 365 Defender features.](../../media/overview-incident.png)
*Microsoft 365 Defender portal with incidents management and other capabilities* ### Getting Microsoft Defender for Identity data
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
Incident management is critical to ensuring that incidents are named, assigned,
You can manage incidents from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)). Here's an example. Here are the ways you can manage your incidents:
Here are the ways you can manage your incidents:
You can manage incidents from the **Manage incident** pane for an incident. Here's an example. You can display this pane from the **Manage incident** link on the:
security Microsoft 365 Defender Integration With Azure Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-integration-with-azure-sentinel.md
Watch this short overview of Microsoft Sentinel integration with Microsoft 365 D
Here's how it works. ## Next steps
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
Microsoft 365 Defender's unique cross-product layer augments the individual serv
Here's an example of how the Microsoft 365 Defender portal correlates all related alerts across products into a single incident. Here's an example of the list of related alerts for an incident. Here's an example of query-based hunting on top of email and endpoint raw data. Microsoft 365 Defender cross-product features include:
Microsoft 365 Defender emphasizes *unity, clarity, and common goals* as it merge
Centralizing security information creates a single place for investigating security incidents across Microsoft 365. A primary example is **Incidents** under **Incidents & alerts** on the quick launch of Microsoft 365 Defender. Selecting an incident name displays a page that demonstrates the value of centralizing security information. Along the top of an incident page, you'll see the **Summary**, **Alerts**, **Devices**, **Users**, **Mailboxes**, **Investigations**, **Evidence and response**, and **Graph** tabs. Select these tabs for more detailed information. For example, the **Users** tab displays information for users from converged workloads (Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps) and a range of sources such as on-premises Active Directory Domain Services (AD DS), Azure AD, and third-party identity providers. For more information, see [investigate users](investigate-users.md).
Common controls and content either appear in the same place, or are condensed in
#### Unified settings #### Permissions & roles Access to Microsoft 365 Defender is configured with Azure AD global roles or by using custom roles. For Defender for Endpoint, see [Assign user access to the Microsoft 365 Defender portal](/microsoft-365/security/defender-endpoint/assign-portal-access). For Defender for Office 365, see [Permissions in the Microsoft 365 compliance center and Microsoft 365 Defender](../office-365-security/permissions-microsoft-365-compliance-security.md).
security Microsoft 365 Security Center Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mde.md
The image and the table below lists the changes in navigation between the Microsoft Defender Security Center and Microsoft 365 Defender. > [!div class="mx-imgBorder"]
-> ![Image of what moved to where.](../../media/mde-m3d-security-center.png)
+> :::image type="content" source="../../medie-m3d-security-center.png":::
| Microsoft Defender Security Center | Microsoft 365 Defender | |||
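Review bot: The added `:::image` line points at `../../medie-m3d-security-center.png`, which does not match the removed path `../../media/mde-m3d-security-center.png`, so the image reference will not resolve. The line also has no `alt-text`, although the removed Markdown image carried the description "Image of what moved to where." Restore the original path and carry the description over as `alt-text`.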
Brings together incident and alert management across your email, devices, and id
- [Learn more about incidents](incidents-overview.md) - [Learn more about managing alerts](investigate-alerts.md)
-![The Alerts and Actions quick launch bar.](../../media/converge-1-alerts-and-actions.png)
### Hunting
Learn more about how to [track and respond to emerging threats with threat analy
View and manage the security of endpoints in your organization. If you've used the Microsoft Defender Security Center, it will look familiar.
-![The Endpoints quick launch bar.](../../media/converge-2-endpoints.png)
### Access and reports View reports, change your settings, and modify user roles.
-![The Access and Reporting quicklaunch bar.](../../media/converge-4-access-and-reporting-new.png)
### SIEM API connections
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
The left navigation, or quick launch bar, will look familiar. However, there are
With the unified Microsoft 365 Defender solution, you can stitch together the threat signals and determine the full scope and impact of the threat, and how it's currently impacting the organization. Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. ### Incidents and alerts
Brings together incident and alert management across your email, devices, and id
- [Learn more about Investigations](incidents-overview.md) - [Learn more about managing alerts](/windows/security/threat-protection/microsoft-defender-atp/review-alerts)
-![The Alerts and Actions quick launch bar.](../../media/converge-1-alerts-and-actions.png)
### Hunting
Learn more about how to [track and respond to emerging threats with threat analy
Track and investigate threats to your users' email, track campaigns, and more. If you've used the Security & Compliance Center, this will be familiar. #### Email entity page
The [Email entity page](../office-365-security/mdo-email-entity-page.md) *unifie
View reports, change your settings, and modify user roles. > [!NOTE] > DomainKeys Identified Mail (DKIM) ensures that destination email systems trust messages sent outbound from your custom domain.
security Microsoft Secure Score History Metrics Trends https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-history-metrics-trends.md
View a graph of your organization's score over time in the **History** tab.
Below the graph is a list of all the actions taken in the selected time range and their attributes, such as resulting points and category. You can customize a date range and filter by category.
-![Activity history.](../../media/secure-score/secure-score-history-activity.png)
If you select the improvement action associated with an activity, the full improvement action flyout will appear. To view all history for that specific improvement action, select the history link in the flyout.
-![Improvement action history.](../../media/secure-score/secure-score-history-flyout.png)
## Discover trends and set goals
There are two places to see how your score compares to organizations that are si
The comparison bar chart is available on the **Overview** tab. Hover over the chart to view the score and score opportunity.
-**Organizations like yours** is an average score of other tenants in same region (provided we have at least five or more tenants to compare) with a similar organization size to yours.
The comparison data is anonymized so we don’t know exactly which others tenants are in the mix.
The comparison data is anonymized so we don’t know exactly which others tenant
In the **Metrics & trends** tab, view how your organization's Secure Score compares to others' over time.
-![Line graph of similar organization's scores over time.](../../media/secure-score/secure-score-comparison-trend.png)
## We want to hear from you
security Microsoft Secure Score Improvement Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-improvement-actions.md
To help you find the information you need more quickly, Microsoft improvement ac
In the Microsoft Secure Score overview page, view how points are split between these groups and what points are available. You can also get an all-up view of the total score, historical trend of your secure score with benchmark comparisons, and prioritized improvement actions that can be taken to improve your score.
-![Secure Score homepage.](../../media/secure-score/secure-score-home-page.png)
## Check your current score
The following are scores you can add to your view of your overall score to give
This view is what it will look like if you've included all possible score views:
-![Your secure score including planned score, current license score, and achievable score.](../../media/secure-score/secure-score-achievable.png)
## Take action to improve your score
Ranking is based on the number of points left to achieve, implementation difficu
When you select a specific improvement action, a full page flyout appears.
-![Improvement action flyout example.](../../media/secure-score/secure-score-improvement-action-details.png)
To complete the action, you have a few options:
security Microsoft Secure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score.md
Watch this video for a quick overview of Secure score.
Organizations gain access to robust visualizations of metrics and trends, integration with other Microsoft products, score comparison with similar organizations, and much more. The score can also reflect when third-party solutions have addressed recommended actions.
-![Secure Score homepage.](../../media/secure-score/secure-score-home-page.png)
## How it works
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-threat-experts.md
Microsoft Threat Experts – Experts on Demand lets you get expert advice about
If you already have Microsoft Defender for Endpoint and Microsoft 365 Defender, you can apply for Microsoft Threat Experts – Targeted Attack Notifications through their Microsoft 365 Defender portal. Go to **Settings > Endpoints > General > Advanced features > Microsoft Threat Experts – Targeted Attack Notifications**, and select **Apply**. See [Configure Microsoft Threat Experts capabilities](./configure-microsoft-threat-experts.md) for a full description.
-![Screenshot of MTE application page.](../../media/mte/mte-collaboratewithmte.png)
Once your application is approved, you'll start receiving targeted attack notifications whenever Threat Experts detect a threat to your environment.
You can also contact Microsoft threat experts from directly inside the Microsoft
The option to **Consult a threat expert** is available in several places throughout the portal: - <i>**Device page actions menu**</i><BR>
-![Screenshot of MTE-EOD menu option in the Device page action menu.](../../media/mte/device-actions-mte-highlighted.png)
+ - <i>**Device inventory page flyout menu**</i><BR>
-![Screenshot of MTE-EOD menu option on the device inventory page.](../../media/mte/device-inventory-mte-highlighted.png)
+ - <i>**Alerts page flyout menu**</i><BR>
-![Screenshot of MTE-EOD menu option on the alert page.](../../media/mte/alerts-actions-mte-highlighted.png)
+ - <i>**Incidents page actions menu**</i><BR>
-![Screenshot of MTE-EOD menu option on the incidents page.](../../media/mte/incidents-action-mte-highlighted.png)
+ - <i>**Incidents inventory page**</i><BR>
-![Screenshot of MTE-EOD menu option on the incidents inventory page.](../../media/mte/incidents-inventory-mte-highlighted.png)
+ > [!NOTE] > If you have Premier Support subscription mapped to your Microsoft Defender for Office 365 license, you can track the status of your Experts on Demand cases through Microsoft Services Hub.
security Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mssp-access.md
To implement a multi-tenant delegated access solution, take the following steps:
To enable RBAC in the customer Microsoft 365 Defender portal, access **Permissions > Endpoints roles & groups > Roles** with a user account with Global Administrator or Security Administrator rights.
- ![Image of MSSP access.](../../media/mssp-access.png)
+ :::image type="content" source="../../media/mssp-access.png" alt-text="The details of the MSSP access in the Microsoft 365 Defender portal" lightbox="../../media/mssp-access.png":::
Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via "Assigned user groups".
To implement a multi-tenant delegated access solution, take the following steps:
To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
- ![Image of new catalog.](../../media/goverance-catalog.png)
+ :::image type="content" source="../../media/goverance-catalog.png" alt-text="A new catalog in the Microsoft 365 Defender portal" lightbox="../../media/goverance-catalog.png":::
+ Further more information, see [Create a catalog of resources](/azure/active-directory/governance/entitlement-management-catalog-create).
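Review bot: The added sentence opens with "Further more information, see", which should read "For more information, see". The new alt-text also places the catalog "in the Microsoft 365 Defender portal", while the step above says it is created under Identity Governance in the customer AD tenant; the alt-text should name that location instead.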
To implement a multi-tenant delegated access solution, take the following steps:
- Can only be requested by users in the MSSP SOC Tenant - Access auto expires after 365 days
- ![Image of new access package.](../../media/new-access-package.png)
+ :::image type="content" source="../../media/new-access-package.png" alt-text="The details of a new access package in the Microsoft 365 Defender portal" lightbox="../../media/new-access-package.png":::
For more information, see [Create a new access package](/azure/active-directory/governance/entitlement-management-access-package-create).
To implement a multi-tenant delegated access solution, take the following steps:
The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
- ![Image of access properties.](../../media/access-properties.png)
+ :::image type="content" source="../../media/access-properties.png" alt-text="The access properties in the Microsoft 365 Defender portal" lightbox="../../media/access-properties.png":::
The link is located on the overview page of each access package.
security Setup M365deval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/setup-m365deval.md
This topic guides you to set up a dedicated lab environment. For information on
1. Go to the [Office 365 E5 product portal](https://www.microsoft.com/microsoft-365/business/office-365-enterprise-e5-business-software?activetab=pivot%3aoverviewtab) and select **Free trial**.
- ![Image of_Office 365 E5 free trial page.](../../media/mtp-eval-9.png)
+ :::image type="content" source="../../media/mtp-eval-9.png" alt-text="The Office 365 E5 free trial page" lightbox="../../media/mtp-eval-9.png":::
2. Complete the trial registration by entering your email address (personal or corporate). Click **Set up account**.
- ![Image of_Office 365 E5 trial registration setup page.](../../media/mtp-eval-10.png)
+ :::image type="content" source="../../media/mtp-eval-10.png" alt-text="The Office 365 E5 trial registration setup page" lightbox="../../media/mtp-eval-10.png":::
3. Fill in your first name, last name, business phone number, company name, company size, and country or region.
- ![Image of_Office 365 E5 trial registration setup page asking for name, phone, and company details.](../../media/mtp-eval-11.png)
+ :::image type="content" source="../../media/mtp-eval-11.png" alt-text="The Office 365 E5 trial registration setup page asking for name, phone, and company details" lightbox="../../media/mtp-eval-11.png":::
> [!NOTE] > The country or region you set here determines the data center region your Office 365 will be hosted. 4. Choose your verification preference: through a text message or call. Click **Send Verification Code**.
- ![Image of_Office 365 E5 trial registration setup page asking for verification preference.](../../media/mtp-eval-12.png)
+ :::image type="content" source="../../media/mtp-eval-12.png" alt-text="The Office 365 E5 trial registration setup page asking for verification preference" lightbox="../../media/mtp-eval-12.png":::
5. Set the custom domain name for your tenant, then click **Next**.
- ![Image of_Office 365 E5 trial registration setup page where you can set up your custom domain name.](../../media/mtp-eval-13.png)
+ :::image type="content" source="../../media/mtp-eval-13.png" alt-text="The Office 365 E5 trial registration setup page where you can set up your custom domain name" lightbox="../../media/mtp-eval-13.png":::
6. Set up the first identity, which will be a Global Administrator for the tenant. Fill in **Name** and **Password**. Click **Sign up**.
- ![Image of_Office 365 E5 trial registration setup page where you can set your business identity.](../../media/mtp-eval-14.png)
+ :::image type="content" source="../../media/mtp-eval-14.png" alt-text="The Office 365 E5 trial registration setup page where you can set your business identity" lightbox="../../media/mtp-eval-14.png":::
7. Click **Go to Setup** to complete the Office 365 E5 trial tenant provisioning.
- ![Image of Office 365 E5 trial registration setup page prompting to click Go Setup button.](../../media/mtp-eval-15.png)
+ :::image type="content" source="../../media/mtp-eval-15.png" alt-text="The Office 365 E5 trial registration setup page prompting to click Go to Setup button" lightbox="../../media/mtp-eval-15.png":::
8. Connect your corporate domain to the Office 365 tenant. [Optional] Choose **Connect a domain you already own** and type in your domain name. Click **Next**.
- ![Image of_Office 365 E5 Setup page where you should personalize your sign-in and email.](../../media/mtp-eval-16.png)
+ :::image type="content" source="../../media/mtp-eval-16.png" alt-text="The Office 365 E5 Setup page where you should personalize your sign-in and email" lightbox="../../media/mtp-eval-16.png":::
9. Add a TXT or MX record to validate the domain ownership. Once you’ve added the TXT or MX record to your domain, select **Verify**.
- ![Image of_Office 365 E5 setup page where you should add a TXT of MX record to verify your domain.](../../media/mtp-eval-17.png)
+ :::image type="content" source="../../media/mtp-eval-17.png" alt-text="The Office 365 E5 setup page where you should add a TXT of MX record to verify your domain" lightbox="../../media/mtp-eval-17.png":::
10. [Optional] Create more user accounts for your tenant. You can skip this step by clicking **Next**.
- ![Image of_Office 365 E5 setup page where you can add more users.](../../media/mtp-eval-18.png)
+ :::image type="content" source="../../media/mtp-eval-18.png" alt-text="The Office 365 E5 setup page where you can add more users" lightbox="../../media/mtp-eval-18.png":::
11. [Optional] Download Office apps. Click **Next** to skip this step.
- ![Image of_Office 365 E5 page where you can install your Office apps.](../../media/mtp-eval-19.png)
+ :::image type="content" source="../../media/mtp-eval-19.png" alt-text="The Office 365 E5 page where you can install your Office apps" lightbox="../../media/mtp-eval-19.png":::
12. [Optional] Migrate email messages. Again, you can skip this step.
- ![Image of_Office 365 E5 where you can set whether to migrate email messages or not.](../../media/mtp-eval-20.png)
+ :::image type="content" source="../../media/mtp-eval-20.png" alt-text="The Office 365 E5 where you can set whether to migrate email messages or not" lightbox="../../media/mtp-eval-20.png":::
13. Choose online services. Select **Exchange** and click **Next**.
- ![Image of_Office 365 E5 where you can choose your online services.](../../media/mtp-eval-21.png)
+ :::image type="content" source="../../media/mtp-eval-21.png" alt-text="The Office 365 E5 where you can choose your online services" lightbox="../../media/mtp-eval-21.png":::
14. Add MX, CNAME, and TXT records to your domain. When completed, select **Verify**.
- ![Image of_Office 365 E5 here you can add your DNS records.](../../media/mtp-eval-22.png)
+ :::image type="content" source="../../media/mtp-eval-22.png" alt-text="The Office 365 E5 here you can add your DNS records" lightbox="../../media/mtp-eval-22.png":::
15. Congratulations, you have completed the provisioning of your Office 365 tenant.
- ![Image of_Office 365 E5 setup completion confirmation page.](../../media/mtp-eval-23.png)
+ :::image type="content" source="../../media/mtp-eval-23.png" alt-text="The Office 365 E5 setup completion confirmation page" lightbox="../../media/mtp-eval-23.png":::
+
## Enable Microsoft 365 trial subscription
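Review bot: Several of the new alt-text strings carry over wording errors from the old image descriptions instead of fixing them during the conversion. For mtp-eval-17 the text says "add a TXT of MX record" where step 9 says "TXT or MX record"; for mtp-eval-20 and mtp-eval-21 the text "The Office 365 E5 where you can" is missing a noun such as "page"; and for mtp-eval-22 "The Office 365 E5 here you can add your DNS records" should read "page where you can". Alt-text is what a screen reader announces, so correct these in the same change, as was already done for mtp-eval-15 ("Go to Setup").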
This topic guides you to set up a dedicated lab environment. For information on
2. Select **Microsoft 365 E5** and click **Start free trial**.
- ![Image of_Microsoft 365 E5 Start free trial page.](../../media/mtp-eval-24.png)
+ :::image type="content" source="../../media/mtp-eval-24.png" alt-text="The Microsoft 365 E5 Start free trial page" lightbox="../../media/mtp-eval-24.png":::
3. Choose your verification preference: through a text message or call. Once you have decided, enter the phone number, select **Text me** or **Call me** depending on your selection.
- ![Image of_Microsoft 365 E5 Start free trial page asking for contact details to send code to prove you are not a robot.](../../media/mtp-eval-25.png)
+ :::image type="content" source="../../media/mtp-eval-25.png" alt-text="The Microsoft 365 E5 Start free trial page asking for contact details to send code to prove you are not a robot" lightbox="../../media/mtp-eval-25.png":::
4. Enter the verification code and click **Start your free trial**.
- ![Image of_Microsoft 365 E5 Start free trial page where you can fill out verification code the system sent to prove you are not a robot.](../../media/mtp-eval-26.png)
+ :::image type="content" source="../../media/mtp-eval-26.png" alt-text="The Microsoft 365 E5 Start free trial page where you can fill out verification code the system sent to prove you are not a robot" lightbox="../../media/mtp-eval-26.png":::
5. Click **Try now** to confirm your Microsoft 365 E5 trial.
- ![Image of_Microsoft 365 E5 Start free trial page where you should clock the Try now button to start.](../../media/mtp-eval-27.png)
+ :::image type="content" source="../../media/mtp-eval-27.png" alt-text="The Microsoft 365 E5 Start free trial page where you should clock the Try now button to start" lightbox="../../media/mtp-eval-27.png":::
6. Go to the **Microsoft 365 Admin Center** > **Users** > **Active users**. Select your user account, select **Manage product licenses**, then swap the license from Office 365 E5 to **Microsoft 365 E5**. Click **Save**.
- ![Image of_Microsoft 365 Admin Center page where you can select Microsoft 365 E5 license.](../../media/mtp-eval-28.png)
+ :::image type="content" source="../../media/mtp-eval-28.png" alt-text="The Microsoft 365 Admin Center page where you can select the Microsoft 365 E5 license" lightbox="../../media/mtp-eval-28.png":::
7. Select the global administrator account again then click **Manage username**.
- ![Image of_Microsoft 365 Admin Center page where you can select Account and then Manage username.](../../media/mtp-eval-29.png)
+ :::image type="content" source="../../media/mtp-eval-29.png" alt-text="The Microsoft 365 Admin Center page where you can select Account and Manage username" lightbox="../../media/mtp-eval-29.png":::
8. [Optional] Change the domain from *onmicrosoft.com* to your own domain—depending on what you chose on the previous steps. Click **Save changes**.
- ![Image of_Microsoft 365 Admin Center page where you can change your domain preference.](../../media/mtp-eval-30.png)
--
+ :::image type="content" source="../../media/mtp-eval-30.png" alt-text="The Microsoft 365 Admin Center page where you can change your domain preference" lightbox="../../media/mtp-eval-30.png":::
## Next step |[Phase 3: Configure & Onboard](config-m365d-eval.md) | Configure each Microsoft 365 Defender pillar for your Microsoft 365 Defender trial lab or pilot environment and onboard your endpoints.
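Review bot: The alt-text added for mtp-eval-27 reads "where you should clock the Try now button to start"; "clock" is a typo for "click", carried over from the removed image description, and step 5 itself says "Click **Try now**". Fix it in the new `alt-text` attribute.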
security Streaming Api Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-event-hub.md
Once the Event Hub namespace is created you will need to:
To get your **Event Hub resource ID**, go to your Azure Event Hub namespace page on [Azure](https://ms.portal.azure.com/) > **Properties** tab > copy the text under **Resource ID**:
- ![Image of Event Hub resource Id1.](../defender-endpoint/images/event-hub-resource-id.png)
+ :::image type="content" source="../defender-endpoint/images/event-hub-resource-id.png" alt-text="An Event Hub resource ID" lightbox="../defender-endpoint/images/event-hub-resource-id.png":::
8. Go to the [Supported Microsoft 365 Defender event types in event streaming API](supported-event-types.md) to review the support status of event types in the Microsoft 365 Streaming API.
To get the data types for event properties do the following:
- Here is an example for Device Info event:
- ![Image of Event Hub resource Id2.](../defender-endpoint/images/machine-info-datatype-example.png)
+ :::image type="content" source="../defender-endpoint/images/machine-info-datatype-example.png" alt-text="An example query for device info" lightbox="../defender-endpoint/images/machine-info-datatype-example.png":::
## Related topics
security Streaming Api Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-storage.md
ms.technology: mde
2. Select **Forward events to Azure Storage**. 3. In the **Storage Account Resource ID** box that appears, type your **Storage Account Resource ID**. To get your **Storage Account Resource ID**, open the Azure portal at <https://portal.azure.com>, click **Storage accounts** \> go to the properties tab \> copy the text under **Storage Account Resource ID**.
- ![Image of event hub resource ID1.](../defender-endpoint/images/storage-account-resource-id.png)
+ :::image type="content" source="../defender-endpoint/images/storage-account-resource-id.png" alt-text="A Storage Account Resource ID" lightbox="../defender-endpoint/images/storage-account-resource-id.png":::
4. Back on the **Add new Streaming API settings** flyout, choose the **Event types** that you want to stream.
ms.technology: mde
- A blob container will be created for each event type:
- ![Image of event hub resource ID2.](../defender-endpoint/images/storage-account-event-schema.png)
+ :::image type="content" source="../defender-endpoint/images/storage-account-event-schema.png" alt-text="Example of a blob container" lightbox="../defender-endpoint/images/storage-account-event-schema.png":::
- The schema of each row in a blob is the following JSON:
In order to get the data types for our events properties do the following:
- Here is an example for Device Info event:
- ![Image of event hub resource ID3.](../defender-endpoint/images/machine-info-datatype-example.png)
+ :::image type="content" source="../defender-endpoint/images/machine-info-datatype-example.png" alt-text="An example device info query" lightbox="../defender-endpoint/images/machine-info-datatype-example.png":::
## Related topics
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics-analyst-reports.md
Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the **Analyst report** tab.
-![Image of the analyst report section of a threat analytics report.](../../media/threat-analytics/ta_analystreport_mtp.png)
_Analyst report section of a threat analytics report_
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics.md
Watch this short video to learn more about how threat analytics can help you tra
You can access threat analytics either from the upper left-hand side of Microsoft 365 security portal’s navigation bar, or from a dedicated dashboard card that shows the top threats to your org, both in terms of impact, and in terms of exposure.
-![Image of the threat analytics dashboard.](../../media/threat-analytics/ta_inlandingpage_mtp.png)
High impact threats have the greatest potential to cause harm, while high exposure threats are the ones that your assets are most vulnerable to. Getting visibility on active or ongoing campaigns and knowing what to do through threat analytics can help equip your security operations team with informed decisions.
The threat analytics dashboard ([security.microsoft.com/threatanalytics3](https:
Select a threat from the dashboard to view the report for that threat.
-![Screenshot of threat analytics dashboard.](../../media/threat-analytics/ta_dashboard_mtp.png)
_Threat analytics dashboard. You can also select the Search field to key in a keyword that's related to the threat analytics report that you'd like to read._
Each threat analytics report provides information in several sections:
The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization, and your exposure through misconfigured and unpatched devices.
-![Image of the overview section of a threat analytics report.](../../media/threat-analytics/ta_overview_mtp.png)
_Overview section of a threat analytics report_
The Microsoft Threat Intelligence team has added threat tags to each threat repo
- Activity group - Threat tags are presented at the top of the threat analytics page. There are counters for the number of available reports under each tag.
- ![threat tags.](../../media/threat-analytics/ta-threattags-mtp.png)
+ :::image type="content" source="../../media/threat-analytics/ta-threattags-mtp.png" alt-text="The threat tags" lightbox="../../media/threat-analytics/ta-threattags-mtp.png":::
- The list can also be sorted by threat tags:
- ![lists.](../../media/threat-analytics//ta-taglist-mtp.png)
+ :::image type="content" source="../../media/threat-analytics//ta-taglist-mtp.png" alt-text="The Threat tags section" lightbox="../../media/threat-analytics//ta-taglist-mtp.png":::
- Filters are available per threat tag and report type:
- ![filters.](../../media/threat-analytics/ta-threattag-filters-mtp.png)
+ :::image type="content" source="../../media/threat-analytics/ta-threattag-filters-mtp.png" alt-text="The Filters page" lightbox="../../media/threat-analytics/ta-threattag-filters-mtp.png":::
### Analyst report: Get expert insight from Microsoft security researchers
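Review bot: The converted image for the tag list keeps the doubled slash from the old path in both `source` and `lightbox` (`../../media/threat-analytics//ta-taglist-mtp.png`). Normalize it to `../../media/threat-analytics/ta-taglist-mtp.png` so it matches the other two images in this hunk and does not depend on the build tolerating an empty path segment.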
In the **Analyst report** section, read through the detailed expert write-up. Mo
### Related incidents: View and manage related incidents
-The **Related incidents** tab provides the list of all incidents related to the tracked threat. You can assign incidents or manage alerts linked to each incident.
+The **Related incidents** tab provides the list of all incidents related to the tracked threat. You can assign incidents or manage alerts linked to each incident.
-![Image of the related incidents section of a threat analytics report.](../../media/threat-analytics/ta_related_incidents_mtp.png)
_Related incidents section of a threat analytics report_
An asset is considered impacted if it's affected by an active, unresolved alert.
- **Impacted devices**—endpoints that have unresolved Microsoft Defender for Endpoint alerts. These alerts typically fire on sightings of known threat indicators and activities. - **Impacted mailboxes**—mailboxes that have received email messages that have triggered Microsoft Defender for Office 365 alerts. While most messages that trigger alerts are typically blocked, user- or org-level policies can override filters.
-![Image of the impacted assets section of a threat analytics report.](../../media/threat-analytics/ta_impacted_assets_mtp.png)
_Impacted assets section of a threat analytics report_
Microsoft Defender for Office 365 typically blocks emails with known threat indi
The **Prevented email attempts** tab lists all the emails that have either been blocked before delivery or sent to the junk mail folder by Microsoft Defender for Office 365.
-![Image of the prevented email attempts section of a threat analytics report.](../../media/threat-analytics/ta_prevented_email_attempts_mtp.png)
_Prevented email attempts section of a threat analytics report_
In the **Exposure & mitigations** section, review the list of specific actionabl
Mitigation information in this section incorporates data from [threat and vulnerability management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt), which also provides detailed drill-down information from various links in the report.
-![Image of the mitigations section of a threat analytics report showing secure configuration details.](../../media/threat-analytics/ta_mitigations_mtp.png)
-![Image of the mitigations section of a threat analytics report showing vulnerability details.](../../media/threat-analytics/ta_mitigations_mtp2.png)
_Exposure & mitigations section of a threat analytics report_
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
For more information on what's new with other Microsoft Defender security produc
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter). ++
+## March 2022
+
+- (Preview) The incident queue has been enhanced with several features designed to help your investigations. Enhancements include capabilities such as ability to search for incidents by ID or name, specify a custom time range, and others.
+ ## December 2021 - (GA) The `DeviceTvmSoftwareEvidenceBeta` table was added on a short-term basis in advanced hunting to allow you to view evidence of where a specific software was detected on a device.
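Review bot: The new March 2022 bullet reads "capabilities such as ability to search for incidents by ID or name", which is missing an article, and it closes with "and others", which tells the reader nothing. Suggest "such as the ability to search for incidents by ID or name and to specify a custom time range", with a link to the incident queue article for the full list.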
You can also get product updates and important notifications through the [messag
Find information about events in various cloud apps and services covered by Microsoft Cloud App Security. This table also includes information previously available in the `AppFileEvents` table.
-## February 2021
--- (Preview) The enhanced [Microsoft 365 Defender portal (https://security.microsoft.com)](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint and Defender for Office 365 to the center. [Learn more about what's changed](microsoft-365-defender.md#the-microsoft-365-defender-portal).--- **[(Preview) Microsoft 365 Defender APIs](api-overview.md)** - The top-level Microsoft 365 Defender APIs will enable you to automate workflows based on the shared incident and advanced hunting tables.
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
For step by step instructions on how to create a payload for use within a simula
For step by step instructions on how to gain insights with reporting, see [Gain insights through Attack simulation training](attack-simulation-training-insights.md). > [!NOTE]
-> Attack Simulator uses Safe Links in Defender for Office 365 to securely track click data for the URL in the payload message that's sent to targeted recipients of a phishing campaign, even if the **Do not track user clicks** setting in Safe Links policies is turned on.
+> Attack Simulator uses Safe Links in Defender for Office 365 to securely track click data for the URL in the payload message that's sent to targeted recipients of a phishing campaign, even if the **Track user clicks** setting in Safe Links policies is turned off.
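Review bot: The reworded note tells admins that click data is collected even when **Track user clicks** is turned off, but it does not make explicit that this override applies only to the URL in the simulation payload message. An admin who disabled tracking for privacy reasons would want that scope stated in its own sentence, for example "This applies only to simulation payload URLs; other links continue to follow the Safe Links policy."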
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
For more information about the recommended settings for Safe Links, see [Safe Li
- **Name**: Enter something unique and descriptive. - **Description**: Enter an optional description. - **Users and domains** page: Because this is your first policy and you likely want to maximize coverage, consider entering your [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in the **Domains** box. Otherwise, you can use the **Users** and **Groups** boxes for more granular control. You can specify exceptions by selecting **Exclude these users, groups, and domains** and entering values.
- - **Protection settings** page:
- - **Select the action for unknown potentially malicious URLs in messages**: Turn this setting **On**.
- - **Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Turn this setting **On**. As of March 2020, this setting is in Preview and is available or functional only for members of the Microsoft Teams Technology Adoption Program (TAP).
- - **Apply real-time URL scanning for suspicious links and links that point to files**: Select this setting (turn on).
+ - **Url & click protection settings** page:
+ - **Action on potentially malicious URLs within Emails** section:
+ - **On: Safe Links checks a list of known, malicious links when users click links in email**: Select his setting (turn on).
+ - **Apply Safe Links to email messages sent within the organization**: Select this setting (turn on).
+ - **Apply real-time URL scanning for suspicious links and links that point to files**: Select this setting (turn on).
- **Wait for URL scanning to complete before delivering the message**: Select this setting (turn on).
- - **Apply Safe Links to email messages sent within the organization**: Select this setting (turn on).
- - **Do not track user clicks**: Verify this setting is not selected (turned off).
- - **Do not let users click through to the original URL**: Verify this setting is turned on (selected).
- - **Display the organization branding on notification and warning pages**: Selecting this setting (turning it on) is meaningful only after you've followed the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.
- - **Do not rewrite the following URLs**: We have no specific recommendation for this setting. For more information, see ["Do not rewrite the following URLs" lists in Safe Links policies](safe-links.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies).
+ - **Do not rewrite URLs, do checks via Safe Links API only**: Verify this setting is not selected (turn off).
+ - **Do not rewrite the following URLs in email**: We have no specific recommendation for this setting. For more information, see ["Do not rewrite the following URLs" lists in Safe Links policies](safe-links.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies).
+ - **Action for potentially malicious URLs in Microsoft Teams** section:
+ - ***On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams**: Select this setting (turn on).
+ - **Click protection settings** section:
+ - **Track user clicks**: Verify this setting is selected (turned on).
+ - **Let users click through to the original URL**: Turn off this setting (not selected).
+ - **Display the organization branding on notification and warning pages**: Selecting this setting (turning it on) is meaningful only after you've followed the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.
- **Notification** page: - **How would you like to notify users?** section: Optionally, you can select **Use custom notification text** to enter customized notification text to use. You can also select **Use Microsoft Translator for automatic localization** to translate the custom notification text into the user's language. Otherwise, leave **Use the default notification text** selected.
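Review bot: Three wording and markup slips in the added lines need fixing before merge. The first added item under the email section says "Select his setting (turn on)" and should read "this". The Teams item opens with `***On:` but closes with `**`, so the bold will not render cleanly. The rewrite item says "not selected (turn off)" while the click-tracking item says "selected (turned on)"; pick one tense. Separately, the removed Teams line carried a Preview and TAP-only availability caveat that the new Teams line drops; if that restriction still holds, keep it, and if not, say so in the commit description.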
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To create and configure anti-spam policies, see [Configure anti-spam policies in
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Bulk email threshold & spam properties**|||||
-|**Bulk email threshold** <p> _BulkThreshold_|7|6|4|For details, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md).|
+|**Bulk email threshold** <br/><br/> _BulkThreshold_|7|6|4|For details, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md).|
|_MarkAsSpamBulkMail_|`On`|`On`|`On`|This setting is only available in PowerShell.| |**Increase spam score** settings|Off|Off|Off|All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.| |**Mark as spam** settings|Off|Off|Off|Most of these settings are part of ASF. For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.|
-|**Contains specific languages** <p> _EnableLanguageBlockList_ <p> _LanguageBlockList_|**Off** <p> `$false` <p> Blank|**Off** <p> `$false` <p> Blank|**Off** <p> `$false` <p> Blank|We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.|
-|**From these countries** <p> _EnableRegionBlockList_ <p> _RegionBlockList_|**Off** <p> `$false` <p> Blank|**Off** <p> `$false` <p> Blank|**Off** <p> `$false` <p> Blank|We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.|
+|**Contains specific languages** <br/><br/> _EnableLanguageBlockList_ <br/><br/> _LanguageBlockList_|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.|
+|**From these countries** <br/><br/> _EnableRegionBlockList_ <br/><br/> _RegionBlockList_|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.|
|**Test mode** (_TestModeAction_)|**None**|**None**|**None**|This setting is part of ASF. For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.|
-|**Actions**||||Wherever you select **Quarantine message**, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages. <p> When you create a new anti-spam policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that particular verdict (AdminOnlyAccessPolicy for **High confidence phishing**; DefaultFullAccessPolicy for everything else). <p> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
-|**Spam** detection action <p> _SpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`||
-|**High confidence spam** detection action <p> _HighConfidenceSpamAction_|**Quarantine message** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
-|**Phishing** detection action <p> _PhishSpamAction_|**Quarantine message** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
-|**High confidence phishing** detection action <p> _HighConfidencePhishAction_|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
-|**Bulk** detection action <p> _BulkSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`||
-|**Retain spam in quarantine for this many days** <p> _QuarantineRetentionPeriod_|15 days<sup>\*</sup>|30 days|30 days|<sup>\*</sup> The default value is 15 days in the default anti-spam policy, and in new anti-spam policies that you create in PowerShell. The default value is 30 days in new anti-spam policies that you create in the Microsoft 365 Defender portal. <p> This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-email-messages.md).|
-|**Enable spam safety tips** <p> _InlineSafetyTipsEnabled_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
-|Enable zero-hour auto purge (ZAP) for phishing messages <p> _PhishZapEnabled_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
-|Enable ZAP for spam messages <p> _SpamZapEnabled_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Actions**||||Wherever you select **Quarantine message**, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages. <br/><br/> When you create a new anti-spam policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that particular verdict (AdminOnlyAccessPolicy for **High confidence phishing**; DefaultFullAccessPolicy for everything else). <br/><br/> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
+|**Spam** detection action <br/><br/> _SpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||
+|**High confidence spam** detection action <br/><br/> _HighConfidenceSpamAction_|**Quarantine message** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`||
+|**Phishing** detection action <br/><br/> _PhishSpamAction_|**Quarantine message** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`||
+|**High confidence phishing** detection action <br/><br/> _HighConfidencePhishAction_|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`||
+|**Bulk** detection action <br/><br/> _BulkSpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||
+|**Retain spam in quarantine for this many days** <br/><br/> _QuarantineRetentionPeriod_|15 days<sup>\*</sup>|30 days|30 days|<sup>\*</sup> The default value is 15 days in the default anti-spam policy, and in new anti-spam policies that you create in PowerShell. The default value is 30 days in new anti-spam policies that you create in the Microsoft 365 Defender portal. <br/><br/> This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-email-messages.md).|
+|**Enable spam safety tips** <br/><br/> _InlineSafetyTipsEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|Enable zero-hour auto purge (ZAP) for phishing messages <br/><br/> _PhishZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|Enable ZAP for spam messages <br/><br/> _SpamZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
|**Allow & block list**|||||
-|Allowed senders <p> _AllowedSenders_|None|None|None||
-|Allowed sender domains <p> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <p> Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|
-|Blocked senders <p> _BlockedSenders_|None|None|None||
-|Blocked sender domains <p> _BlockedSenderDomains_|None|None|None||
+|Allowed senders <br/><br/> _AllowedSenders_|None|None|None||
+|Allowed sender domains <br/><br/> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <br/><br/> Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|
+|Blocked senders <br/><br/> _BlockedSenders_|None|None|None||
+|Blocked sender domains <br/><br/> _BlockedSenderDomains_|None|None|None||
#### ASF settings in anti-spam policies
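Review bot: In the `_HighConfidenceSpamAction_` and `_PhishSpamAction_` rows, the Default column pairs the label **Quarantine message** with the value `MoveToJmf`, so the portal label and the PowerShell value disagree. The mismatch is in both the removed and the added lines, so this formatting pass carries it forward unchanged. Since every cell in these rows is being rewritten anyway, confirm which default is correct and make the label and value agree (the Spam and Bulk rows show **Move message to Junk Email folder** next to `MoveToJmf`).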
For more information about the default sending limits in the service, see [Sendi
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Set an external message limit** <p> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.|
-|**Set an internal message limit** <p> _RecipientLimitInternalPerHour_|0|1000|800|The default value 0 means use the service defaults.|
-|**Set a daily message limit** <p> _RecipientLimitPerDay_|0|1000|800|The default value 0 means use the service defaults.|
-|**Restriction placed on users who reach the message limit** <p> _ActionWhenThresholdReached_|**Restrict the user from sending mail until the following day** <p> `BlockUserForToday`|**Restrict the user from sending mail** <p> `BlockUser`|**Restrict the user from sending mail** <p> `BlockUser`||
-|**Automatic forwarding rules** <p> _AutoForwardingMode_|**Automatic - System-controlled** <p> `Automatic`|**Automatic - System-controlled** <p> `Automatic`|**Automatic - System-controlled** <p> `Automatic`|
-|**Send a copy of outbound messages that exceed these limits to these users and groups** <p> _BccSuspiciousOutboundMail_ <p> _BccSuspiciousOutboundAdditionalRecipients_|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|We have no specific recommendation for this setting. <p> This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.|
-|**Notify these users and groups if a sender is blocked due to sending outbound spam** <p> _NotifyOutboundSpam_ <p> _NotifyOutboundSpamRecipients_|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|Not selected <p> `$false` <p> Blank|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).|
+|**Set an external message limit** <br/><br/> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.|
+|**Set an internal message limit** <br/><br/> _RecipientLimitInternalPerHour_|0|1000|800|The default value 0 means use the service defaults.|
+|**Set a daily message limit** <br/><br/> _RecipientLimitPerDay_|0|1000|800|The default value 0 means use the service defaults.|
+|**Restriction placed on users who reach the message limit** <br/><br/> _ActionWhenThresholdReached_|**Restrict the user from sending mail until the following day** <br/><br/> `BlockUserForToday`|**Restrict the user from sending mail** <br/><br/> `BlockUser`|**Restrict the user from sending mail** <br/><br/> `BlockUser`||
+|**Automatic forwarding rules** <br/><br/> _AutoForwardingMode_|**Automatic - System-controlled** <br/><br/> `Automatic`|**Automatic - System-controlled** <br/><br/> `Automatic`|**Automatic - System-controlled** <br/><br/> `Automatic`|
+|**Send a copy of outbound messages that exceed these limits to these users and groups** <br/><br/> _BccSuspiciousOutboundMail_ <br/><br/> _BccSuspiciousOutboundAdditionalRecipients_|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. <br/><br/> This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.|
+|**Notify these users and groups if a sender is blocked due to sending outbound spam** <br/><br/> _NotifyOutboundSpam_ <br/><br/> _NotifyOutboundSpamRecipients_|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).|
### EOP anti-malware policy settings
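Review bot: The `_AutoForwardingMode_` row ends with a single `|` after the Strict value, while every other row in this table ends with `||` or a comment cell, so this row has four cells against a five-column header. The old line had the same defect. Add the empty Comment cell while the row is being touched so the table renders with consistent columns.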
To create and configure anti-malware policies, see [Configure anti-malware polic
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Protection settings**|||||
-|**Enable the common attachments filter** <p> _EnableFileFilter_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content.|
-|**Enable zero-hour auto purge for malware** <p> _ZapEnabled_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
-|**Quarantine policy**|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|When you create a new anti-malware policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as malware (AdminOnlyAccessPolicy). <p> Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
+|**Enable the common attachments filter** <br/><br/> _EnableFileFilter_|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content.|
+|**Enable zero-hour auto purge for malware** <br/><br/> _ZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Quarantine policy**|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|When you create a new anti-malware policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as malware (AdminOnlyAccessPolicy). <br/><br/> Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
|**Recipient notifications**|||||
-|**Notify recipients when messages are quarantined as malware** <p> _Action_|Not selected <p> _DeleteMessage_|Not selected <p> _DeleteMessage_|Not selected <p> _DeleteMessage_|If malware is detected in an email attachment, the message is quarantined and can be released only by an admin.|
+|**Notify recipients when messages are quarantined as malware** <br/><br/> _Action_|Not selected <br/><br/> _DeleteMessage_|Not selected <br/><br/> _DeleteMessage_|Not selected <br/><br/> _DeleteMessage_|If malware is detected in an email attachment, the message is quarantined and can be released only by an admin.|
|**Sender notifications**|||||
-|**Notify internal senders when messages are quarantined as malware** <p> _EnableInternalSenderNotifications_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`||
-|**Notify external senders when messages are quarantined as malware** <p> _EnableExternalSenderNotifications_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`||
+|**Notify internal senders when messages are quarantined as malware** <br/><br/> _EnableInternalSenderNotifications_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`||
+|**Notify external senders when messages are quarantined as malware** <br/><br/> _EnableExternalSenderNotifications_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`||
|**Admin notifications**|||||
-|**Notify an admin about undelivered messages from internal senders** <p> _EnableInternalSenderAdminNotifications_ <p> _InternalSenderAdminAddress_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|We have no specific recommendation for this setting.|
-|**Notify an admin about undelivered messages from external senders** <p> _EnableExternalSenderAdminNotifications_ <p> _ExternalSenderAdminAddress_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|We have no specific recommendation for this setting.|
+|**Notify an admin about undelivered messages from internal senders** <br/><br/> _EnableInternalSenderAdminNotifications_ <br/><br/> _InternalSenderAdminAddress_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting.|
+|**Notify an admin about undelivered messages from external senders** <br/><br/> _EnableExternalSenderAdminNotifications_ <br/><br/> _ExternalSenderAdminAddress_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting.|
|**Customize notifications**||||We have no specific recommendations for these settings.|
-|**Use customized notification text** <p> _CustomNotifications_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`||
-|**From name** <p> _CustomFromName_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
-|**From address** <p> _CustomFromAddress_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
+|**Use customized notification text** <br/><br/> _CustomNotifications_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`||
+|**From name** <br/><br/> _CustomFromName_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
+|**From address** <br/><br/> _CustomFromAddress_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
|**Customize notifications for messages from internal senders**||||These settings are used only if **Notify internal senders when messages are quarantined as malware** or **Notify an admin about undelivered messages from internal senders** is selected.|
-|**Subject** <p> _CustomInternalSubject_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
-|**Message** <p> _CustomInternalBody_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
+|**Subject** <br/><br/> _CustomInternalSubject_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
+|**Message** <br/><br/> _CustomInternalBody_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
|**Customize notifications for messages from external senders**||||These settings are used only if **Notify external senders when messages are quarantined as malware** or **Notify an admin about undelivered messages from external senders** is selected.|
-|**Subject** <p> _CustomExternalSubject_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
-|**Message** <p> _CustomExternalBody_|Blank <p> `$null`|Blank <p> `$null`|Blank <p> `$null`||
+|**Subject** <br/><br/> _CustomExternalSubject_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
+|**Message** <br/><br/> _CustomExternalBody_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
### EOP anti-phishing policy settings
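Review bot: In the **Notify recipients when messages are quarantined as malware** row, the value is written as `_DeleteMessage_` in italics, the same styling the table uses for parameter names such as `_Action_`, while every other value in the table uses code formatting (`$false`, `$true`, `$null`). Readers cannot tell the parameter from its value here. Suggest code formatting for DeleteMessage to match the other rows.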
For more information about these settings, see [Spoof settings](set-up-anti-phis
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
-|**Enable spoof intelligence** <p> _EnableSpoofIntelligence_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Enable spoof intelligence** <br/><br/> _EnableSpoofIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
|**Actions**|||||
-|**If message is detected as spoof** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md). <p> If you select **Quarantine the message**, an **Apply quarantine policy** box is available to select the quarantine policy that defines what users are allowed to do to messages that are quarantined as spoofing. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as spoofing (DefaultFullAccessPolicy). <p> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
-|**Show first contact safety tip** <p> _EnableFirstContactSafetyTips_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).|
-|**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
-|**Show "via" tag** <p> _EnableViaTag_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
+|**If message is detected as spoof** <br/><br/> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md). <br/><br/> If you select **Quarantine the message**, an **Apply quarantine policy** box is available to select the quarantine policy that defines what users are allowed to do to messages that are quarantined as spoofing. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as spoofing (DefaultFullAccessPolicy). <br/><br/> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
+|**Show first contact safety tip** <br/><br/> _EnableFirstContactSafetyTips_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).|
+|**Show (?) for unauthenticated senders for spoof** <br/><br/> _EnableUnauthenticatedSender_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
+|**Show "via" tag** <br/><br/> _EnableViaTag_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br/><br/> For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
## Microsoft Defender for Office 365 security
For more information about this setting, see [Advanced phishing thresholds in an
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Phishing email threshold** <p> _PhishThresholdLevel_|**1 - Standard** <p> `1`|**2 - Aggressive** <p> `2`|**3 - More aggressive** <p> `3`||
+|**Phishing email threshold** <br/><br/> _PhishThresholdLevel_|**1 - Standard** <br/><br/> `1`|**2 - Aggressive** <br/><br/> `2`|**3 - More aggressive** <br/><br/> `3`||
#### Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
For more information about these settings, see [Impersonation settings in anti-p
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
-|**Enable users to protect** (impersonated user protection) <p> _EnableTargetedUserProtection_ <p> _TargetedUsersToProtect_|Not selected <p> `$false` <p> none|Selected <p> `$true` <p> \<list of users\>|Selected <p> `$true` <p> \<list of users\>|We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors. <p> In preset security policies, you can't specify the users to protect. You need to disable the preset security policies and use custom anti-phishing policies to add users in key roles as suggested.|
+|**Enable users to protect** (impersonated user protection) <br/><br/> _EnableTargetedUserProtection_ <br/><br/> _TargetedUsersToProtect_|Not selected <br/><br/> `$false` <br/><br/> none|Selected <br/><br/> `$true` <br/><br/> \<list of users\>|Selected <br/><br/> `$true` <br/><br/> \<list of users\>|We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors. <br/><br/> In preset security policies, you can't specify the users to protect. You need to disable the preset security policies and use custom anti-phishing policies to add users in key roles as suggested.|
|**Enable domains to protect** (impersonated domain protection)|Not selected|Selected|Selected||
-|**Include domains I own** <p> _EnableOrganizationDomainsProtection_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
-|**Include custom domains** <p> _EnableTargetedDomainsProtection_ <p> _TargetedDomainsToProtect_|Off <p> `$false` <p> none|Selected <p> `$true` <p> \<list of domains\>|Selected <p> `$true` <p> \<list of domains\>|We recommend adding domains (sender domains) that you don't own, but you frequently interact with. <p> In preset security policies, you can't specify the custm domains to protect. You need to disable the preset security policies and use custom anti-phishing policies to add custom domains to protect as suggested.|
-|**Add trusted senders and domains** <p> _ExcludedSenders_ <p> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|
-|**Enable mailbox intelligence** <p> _EnableMailboxIntelligence_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
-|**Enable intelligence for impersonation protection** <p> _EnableMailboxIntelligenceProtection_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|
-|**Actions**||||Wherever you select **Quarantine the message**, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages. <p> When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that verdict (DefaultFullAccessPolicy for all impersonation detection types). <p> Admins can create and select custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
-|**If message is detected as an impersonated user** <p> _TargetedUserProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`|Remember, preset security policies don't allow you to specify the users to protect, so this setting effectively does nothing in preset security policies.|
-|**If message is detected as an impersonated domain** <p> _TargetedDomainProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`|Remember, preset security policies don't allow you to specify the custom domains to protect, so this setting affects only domains that you own, not custom domains.|
-|**If mailbox intelligence detects and impersonated user** <p> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <p> `NoAction`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`||
-|**Show user impersonation safety tip** <p> _EnableSimilarUsersSafetyTips_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
-|**Show domain impersonation safety tip** <p> _EnableSimilarDomainsSafetyTips_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
-|**Show user impersonation unusual characters safety tip** <p> _EnableUnusualCharactersSafetyTips_|Off <p> `$false`|Selected <p> `$true`|Selected <p> `$true`||
+|**Include domains I own** <br/><br/> _EnableOrganizationDomainsProtection_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Include custom domains** <br/><br/> _EnableTargetedDomainsProtection_ <br/><br/> _TargetedDomainsToProtect_|Off <br/><br/> `$false` <br/><br/> none|Selected <br/><br/> `$true` <br/><br/> \<list of domains\>|Selected <br/><br/> `$true` <br/><br/> \<list of domains\>|We recommend adding domains (sender domains) that you don't own, but you frequently interact with. <br/><br/> In preset security policies, you can't specify the custm domains to protect. You need to disable the preset security policies and use custom anti-phishing policies to add custom domains to protect as suggested.|
+|**Add trusted senders and domains** <br/><br/> _ExcludedSenders_ <br/><br/> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|
+|**Enable mailbox intelligence** <br/><br/> _EnableMailboxIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Enable intelligence for impersonation protection** <br/><br/> _EnableMailboxIntelligenceProtection_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|
+|**Actions**||||Wherever you select **Quarantine the message**, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages. <br/><br/> When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that verdict (DefaultFullAccessPolicy for all impersonation detection types). <br/><br/> Admins can create and select custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
+|**If message is detected as an impersonated user** <br/><br/> _TargetedUserProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Quarantine the message** <br/><br/> `Quarantine`|**Quarantine the message** <br/><br/> `Quarantine`|Remember, preset security policies don't allow you to specify the users to protect, so this setting effectively does nothing in preset security policies.|
+|**If message is detected as an impersonated domain** <br/><br/> _TargetedDomainProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Quarantine the message** <br/><br/> `Quarantine`|**Quarantine the message** <br/><br/> `Quarantine`|Remember, preset security policies don't allow you to specify the custom domains to protect, so this setting affects only domains that you own, not custom domains.|
+|**If mailbox intelligence detects and impersonated user** <br/><br/> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`||
+|**Show user impersonation safety tip** <br/><br/> _EnableSimilarUsersSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Show domain impersonation safety tip** <br/><br/> _EnableSimilarDomainsSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Show user impersonation unusual characters safety tip** <br/><br/> _EnableUnusualCharactersSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
#### EOP anti-phishing policy settings in Microsoft Defender for Office 365
The spoof settings are inter-related, but the **Show first contact safety tip**
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
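Review bot: the added **Include custom domains** row still has the typo "custm domains" in its Comment cell, and the added _MailboxIntelligenceProtectionAction_ row still reads "detects and impersonated user" where "an" is meant. Both were copied unchanged from the removed rows while only `<p>` became `<br/><br/>`. Since every row in the table is being touched anyway, correct them to "custom domains" and "detects an impersonated user" in the same change. The _MailboxIntelligenceProtectionAction_ row is also the only action row here whose Standard and Strict values differ (`MoveToJmf` versus `Quarantine`), and its Comment cell is empty; one sentence on why Standard stops at the Junk Email folder would help readers choosing between the two.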
-|**Enable spoof intelligence** <p> _EnableSpoofIntelligence_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Enable spoof intelligence** <br/><br/> _EnableSpoofIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
|**Actions**|||||
-|**If message is detected as spoof** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md). <p> If you select **Quarantine the message**, an **Apply quarantine policy** box is available to select the quarantine policy that defines what users are allowed to do to quarantined messages. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for spoof quarantined messages (DefaultFullAccessPolicy). <p> Admins can create and select a custom quarantine policy that defines what recipients are allowed to do to these messages in quarantine. For more information, see [Quarantine policies](quarantine-policies.md).|
-|**Show first contact safety tip** <p> _EnableFirstContactSafetyTips_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).|
-|**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
-|**Show "via" tag** <p> _EnableViaTag_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
+|**If message is detected as spoof** <br/><br/> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md). <br/><br/> If you select **Quarantine the message**, an **Apply quarantine policy** box is available to select the quarantine policy that defines what users are allowed to do to quarantined messages. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for spoof quarantined messages (DefaultFullAccessPolicy). <br/><br/> Admins can create and select a custom quarantine policy that defines what recipients are allowed to do to these messages in quarantine. For more information, see [Quarantine policies](quarantine-policies.md).|
+|**Show first contact safety tip** <br/><br/> _EnableFirstContactSafetyTips_|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).|
+|**Show (?) for unauthenticated senders for spoof** <br/><br/> _EnableUnauthenticatedSender_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
+|**Show "via" tag** <br/><br/> _EnableViaTag_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br/><br/> For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
### Safe Attachments settings
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/se
|Security feature name|Default|Built-in protection|Comment| ||::|::||
-|**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** <p> _EnableATPForSPOTeamsODB_|Off <p> `$false`|On <p> `$true`|To prevent users from downloading malicious files, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).|
-|**Turn on Safe Documents for Office clients** <p> _EnableSafeDocs_|Off <p> `$false`|On <p> `$true`|This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 E5 or Microsoft 365 E5 Security). For more information, see [Safe Documents in Microsoft 365 E5](safe-docs.md).|
-|**Allow people to click through Protected View even if Safe Documents identified the file as malicious** <p> _AllowSafeDocsOpen_|Off <p> `$false`|Off <p> `$false`|This setting is related to Safe Documents.|
+|**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** <br/><br/> _EnableATPForSPOTeamsODB_|Off <br/><br/> `$false`|On <br/><br/> `$true`|To prevent users from downloading malicious files, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).|
+|**Turn on Safe Documents for Office clients** <br/><br/> _EnableSafeDocs_|Off <br/><br/> `$false`|On <br/><br/> `$true`|This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 E5 or Microsoft 365 E5 Security). For more information, see [Safe Documents in Microsoft 365 E5](safe-docs.md).|
+|**Allow people to click through Protected View even if Safe Documents identified the file as malicious** <br/><br/> _AllowSafeDocsOpen_|Off <br/><br/> `$false`|Off <br/><br/> `$false`|This setting is related to Safe Documents.|
#### Safe Attachments policy settings
In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchang
|Security feature name|Default in custom|Built-in protection|Standard|Strict|Comment| ||::|::|::|::||
-|**Safe Attachments unknown malware response** <p> _Enable_ and _Action_|**Off** <p> `-Enable $false` and `-Action Block`|**Block** <p> `-Enable $true` and `-Action Block`|**Block** <p> `-Enable $true` and `-Action Block`|**Block** <p> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|
-|**Quarantine policy** (_QuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|When you create a new Safe Attachments policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by Safe Attachments (AdminOnlyAccessPolicy). <p> Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
-|**Redirect attachment with detected attachments** : **Enable redirect** <p> _Redirect_ <p> _RedirectAddress_|Not selected and no email address specified. <p> `-Redirect $false` <p> _RedirectAddress_ is blank (`$null`)|Not selected and no email address specified. <p> `-Redirect $false` <p> _RedirectAddress_ is blank (`$null`)|Selected and specify an email address. <p> `$true` <p> an email address|Selected and specify an email address. <p> `$true` <p> an email address|Redirect messages to a security admin for review. <p> **Note**: This setting is not configured in the **Standard**, **Strict**, or **Built-in protection** preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in new Safe Attachments policies that you create.|
-|**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <p> _ActionOnError_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Safe Attachments unknown malware response** <br/><br/> _Enable_ and _Action_|**Off** <br/><br/> `-Enable $false` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|
+|**Quarantine policy** (_QuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|When you create a new Safe Attachments policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by Safe Attachments (AdminOnlyAccessPolicy). <br/><br/> Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|
+|**Redirect attachment with detected attachments** : **Enable redirect** <br/><br/> _Redirect_ <br/><br/> _RedirectAddress_|Not selected and no email address specified. <br/><br/> `-Redirect $false` <br/><br/> _RedirectAddress_ is blank (`$null`)|Not selected and no email address specified. <br/><br/> `-Redirect $false` <br/><br/> _RedirectAddress_ is blank (`$null`)|Selected and specify an email address. <br/><br/> `$true` <br/><br/> an email address|Selected and specify an email address. <br/><br/> `$true` <br/><br/> an email address|Redirect messages to a security admin for review. <br/><br/> **Note**: This setting is not configured in the **Standard**, **Strict**, or **Built-in protection** preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in new Safe Attachments policies that you create.|
+|**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <br/><br/> _ActionOnError_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
### Safe Links settings
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/se
|Security feature name|Default|Built-in protection|Comment| ||::|::||
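Review bot: in the added _Redirect_ / _RedirectAddress_ row, the Default in custom and Built-in protection cells give the value as `-Redirect $false`, but the Standard and Strict cells give a bare `$true` with no parameter name, so one row mixes two notations. Use `-Redirect $true` in the Standard and Strict cells, or drop the parameter prefix throughout as the _ActionOnError_ row does. In the added **Safe Attachments unknown malware response** row, the Comment cell writes $false without backticks, while every other value in the table is code-formatted.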
-|**Block the following URLs** <p> _ExcludedUrls_|Blank <p> `$null`|Blank <p> `$null`|We have no specific recommendation for this setting. <p> For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links).
-|**Use Safe Links in Office 365 apps** <p> _EnableSafeLinksForO365Clients_|On <p> `$true`|On <p> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).|
-|**Do not track when users click protected links in Office 365 apps** <p> _TrackClicks_|On <p> `$false`|Off <p> `$true`|Turning off this setting (setting _TrackClicks_ to `$true`) tracks user clicks in supported Office 365 apps.|
-|**Do not let users click through to the original URL in Office 365 apps** <p> _AllowClickThrough_|On <p> `$false`|On <p> `$false`|Turning on this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL in supported Office 365 apps.|
+|**Block the following URLs** <br/><br/> _ExcludedUrls_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|We have no specific recommendation for this setting. <br/><br/> For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links).
+|**Use Safe Links in Office 365 apps** <br/><br/> _EnableSafeLinksForO365Clients_|On <br/><br/> `$true`|On <br/><br/> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).|
+|**Do not track when users click protected links in Office 365 apps** <br/><br/> _TrackClicks_|On <br/><br/> `$false`|Off <br/><br/> `$true`|Turning off this setting (setting _TrackClicks_ to `$true`) tracks user clicks in supported Office 365 apps.|
+|**Do not let users click through to the original URL in Office 365 apps** <br/><br/> _AllowClickThrough_|On <br/><br/> `$false`|On <br/><br/> `$false`|Turning on this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL in supported Office 365 apps.|
#### Safe Links policy settings
In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new
|Security feature name|Default in custom|Built-in protection|Standard|Strict|Comment| ||::|::|::|::||
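Review bot: the added **Block the following URLs** row (_ExcludedUrls_) ends after the link with no closing `|`, unlike the three rows added below it. The removed row had the same omission, so the change carries it forward; add the trailing pipe so the Comment cell is terminated like the others. The _TrackClicks_ row pairs a negative label ("Do not track") with a positive parameter name, so "On" maps to `$false`, and the Comment cell explains only the `$true` case. Stating both cases would save readers from working out the inversion themselves.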
-|**Protection settings**||||||
-|**Select the action for unknown potentially malicious URLs in messages** <p> _IsEnabled_|**Off** <p> `$false`|**On** <p> `$true`|**On** <p> `$true`|**On** <p> `$true`||
-|**Select the action for unknown or potentially malicious URLs within Microsoft Teams** <p> _EnableSafeLinksForTeams_|**Off** <p> `$false`|**On** <p> `$true`|**On** <p> `$true`|**On** <p> `$true`||
-|**Apply real-time URL scanning for suspicious links and links that point to files** <p> _ScanUrls_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
-|**Wait for URL scanning to complete before delivering the message** <p> _DeliverMessageAfterScan_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
-|**Apply Safe Links to email messages sent within the organization** <p> _EnableForInternalSenders_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
-|**Do not track user clicks** <p> _DoNotTrackUserClicks_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|Turning off this setting (setting _DoNotTrackUserClicks_ to `$false`) tracks users clicks.|
-|**Do not let users click through to the original URL** <p> _DoNotAllowClickThrough_|Not selected <p> `$false`|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|Turning on this setting (setting _DoNotAllowClickThrough_ to `$true`) prevents click through to the original URL.|
-|**Display the organization branding on notification and warning pages** <p> _EnableOrganizationBranding_|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|Not selected <p> `$false`|We have no specific recommendation for this setting. <p> Before you turn on this setting, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.|
-|**Do not rewrite URLs, do checks via Safe Links API only** <p> _DisableURLRewrite_|Not selected <p> `$false`|Selected <p> `$true`|Not selected <p> `$false`|Not selected <p> `$false`||
-|**Do not rewrite the following URLs** <p> _DoNotRewriteUrls_|Not selected <p> blank|Not selected <p> blank|Not selected <p> blank|Not selected <p> blank|We have no specific recommendation for this setting. For more information, see ["Do not rewrite the following URLs" lists in Safe Links policies](safe-links.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies).|
+|**URL & click protection settings**||||||
+|**Action on potentially malicious URLs within Emails**||||||
+|**On: Safe Links checks a list of known, malicious links when users click links in email** <br/><br/> _EnableSafeLinksForEmail_|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Apply Safe Links to email messages sent within the organization** <br/><br/> _EnableForInternalSenders_|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Apply real-time URL scanning for suspicious links and links that point to files** <br/><br/> _ScanUrls_|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Wait for URL scanning to complete before delivering the message** <br/><br/> _DeliverMessageAfterScan_|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Do not rewrite URLs, do checks via Safe Links API only** <br/><br/> _DisableURLRewrite_|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`||
+|**Do not rewrite the following URLs in email** <br/><br/> _DoNotRewriteUrls_|Not selected <br/><br/> blank|Not selected <br/><br/> blank|Not selected <br/><br/> blank|Not selected <br/><br/> blank|We have no specific recommendation for this setting. For more information, see ["Do not rewrite the following URLs" lists in Safe Links policies](safe-links.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies).|
+|**Action for potentially malicious URLs in Microsoft Teams**||||||
+|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams** <br/><br/> _EnableSafeLinksForTeams_|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Click protection settings**||||||
+|**Track user clicks** <br/><br/> _TrackUserClicks_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Let users click through to the original URL** <br/><br/> _AllowClickThrough_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Turning off this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL.|
+|**Display the organization branding on notification and warning pages** <br/><br/> _EnableOrganizationBranding_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting. <br/><br/> Before you turn on this setting, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.|
|**Notification**||||||
-|**How would you like to notify your users?**|**Use the default notification text**|**Use the default notification text**|**Use the default notification text**|**Use the default notification text**|We have no specific recommendation for this setting. <p> You can select **Use custom notification text** (_CustomNotificationText_) to enter customized notification text to use. You can also select **Use Microsoft Translator for automatic localization** (_UseTranslatedNotificationText_) to translate the custom notification text into the user's language.
+|**How would you like to notify your users?**|**Use the default notification text**|**Use the default notification text**|**Use the default notification text**|**Use the default notification text**|We have no specific recommendation for this setting. <br/><br/> You can select **Use custom notification text** (_CustomNotificationText_) to enter customized notification text to use. You can also select **Use Microsoft Translator for automatic localization** (_UseTranslatedNotificationText_) to translate the custom notification text into the user's language.
## Related articles
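Review bot: the rows for _IsEnabled_, _DoNotTrackUserClicks_ and _DoNotAllowClickThrough_ are replaced by _EnableSafeLinksForEmail_, _TrackUserClicks_ and _AllowClickThrough_, and the last two flip polarity (Strict goes from `$true` under _DoNotAllowClickThrough_ to `$false` under _AllowClickThrough_). Nothing in the added rows says so, and the **Track user clicks** Comment cell is empty. Add a sentence mapping the old names to the new ones, so that a reader comparing an existing policy against this table does not misread the inverted value as a weaker setting. _AllowClickThrough_ now also names a row in the Safe Links settings table above with a different default (`$false` there, `$true` under Default in custom here), which deserves a mention in the Comment cell. The added **How would you like to notify your users?** row still lacks its closing `|`.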
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
The following table describes scenarios for Safe Links in Microsoft 365 and Offi
Safe Links scans incoming email for known malicious hyperlinks. Scanned URLs are rewritten using the Microsoft standard URL prefix: `https://nam01.safelinks.protection.outlook.com`. After the link is rewritten, it's analyzed for potentially malicious content.
-After Safe Links rewrites a URL, the URL remains rewritten even if the message is *manually* forwarded or replied to (both to internal and external recipients). Additional links that are added to the forwarded or replied-to message are not rewritten. However, in the case of *automatic* forwarding by Inbox rules or SMTP forwarding, the URL will not be rewritten in the message that's intended for the final recipient *unless* that recipient is also protected by Safe Links, or the URL had already been rewritten in a previous communication. As long as Safe Links is enabled, URLs are still scanned prior to delivery, regardless of whether they were rewritten or not. Unwrapped URLs will also still be checked by a client-side API call to Safe Links at the time of click in Outlook for Desktop version 16.0.12513 or later.
+After Safe Links rewrites a URL, the URL remains rewritten even if the message is _manually_ forwarded or replied to (both to internal and external recipients). Additional links that are added to the forwarded or replied-to message are not rewritten. However, in the case of _automatic_ forwarding by Inbox rules or SMTP forwarding, the URL will not be rewritten in the message that's intended for the final recipient _unless_ that recipient is also protected by Safe Links, or the URL had already been rewritten in a previous communication. As long as Safe Links is enabled, URLs are still scanned prior to delivery, regardless of whether they were rewritten or not. Unwrapped URLs will also still be checked by a client-side API call to Safe Links at the time of click in Outlook for Desktop version 16.0.12513 or later.
The settings in Safe Links policies that apply to email messages are described in the following list: -- **Select the action for unknown potentially malicious URLs in messages**: Enables or disables Safe Links scanning in email messages. The recommended value is **On**. Turning on this setting results in the following actions.-
+- **On: Safe Links checks a list of known, malicious links when users click links in email**: Enables or disables Safe Links scanning in email messages. The recommended value is selected (on), and results in the following actions:
- Safe Links scanning is enabled in Outlook (C2R) on Windows. - URLs are rewritten and users are routed through Safe Links protection when they click URLs in messages. - When clicked, URLs are checked against a list of known malicious URLs and the ["Block the following URLs" list](#block-the-following-urls-list-for-safe-links). - URLs that don't have a valid reputation are detonated asynchronously in the background. -- **Apply real-time URL scanning for suspicious links and links that point to files**: Enables real-time scanning of links, including links in email messages that point to downloadable content. The recommended value is enabled.
+ The following settings are available only if Safe Links scanning is on in email messages:
+
+ - **Apply Safe Links to email messages sent within the organization**: Enables or disables Safe Links scanning on messages sent between internal senders and internal recipients within the same Exchange Online organization. The recommended value is selected (on).
+
+ - **Apply real-time URL scanning for suspicious links and links that point to files**: Enables real-time scanning of links, including links in email messages that point to downloadable content. The recommended value is selected (on).
+ - **Wait for URL scanning to complete before delivering the message**:
- - Enabled: Messages that contain URLs are held until scanning is finished. Messages are delivered only after the URLs are confirmed to be safe. This is the recommended value.
- - Disabled: If URL scanning can't complete, deliver the message anyway.
+ - Selected (on): Messages that contain URLs are held until scanning is finished. Messages are delivered only after the URLs are confirmed to be safe. This is the recommended value.
+ - Not selected (off): If URL scanning can't complete, deliver the message anyway.
-- **Apply Safe Links to email messages sent within the organization**: Enables or disables Safe Links scanning on messages sent between internal senders and internal recipients within the same Exchange Online organization. The recommended value is enabled.
+ - **Do not rewrite URLs, do checks via SafeLinks API only**: If this setting is enabled, no URL wrapping takes place. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it. The recommend value is disabled.
-- **Do not track user clicks**: Enables or disables storing Safe Links click data for URLs clicked in email messages. The recommend value is to leave this setting unselected (to track user clicks).
+- **Track user clicks**: Enables or disables storing Safe Links click data for URLs clicked in email messages. The recommend value is to leave this setting selected (track user clicks).
URL click tracking for links in email messages sent between internal senders and internal recipients is currently not supported. -- **Do not allow users to click through to original URL**: Allows or blocks users from clicking through the [warning page](#warning-pages-from-safe-links) to the original URL. The recommend value is enabled.
+- **Let users click through to the original URL**: Allows or blocks users from clicking through the [warning page](#warning-pages-from-safe-links) to the original URL. The recommend value is disabled.
- **Display the organization branding on notification and warning pages**: This option shows your organization's branding on warning pages. Branding helps users identify legitimate warnings, because default Microsoft warning pages are often used by attackers. For more information about customized branding, see [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md). -- **Do not rewrite the following URLs**: Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning. The list is unique for each Safe Links policy. For more information about the **Do not rewrite the following URLs** list, see the ["Do not rewrite the following URLs" lists in Safe Links policies](#do-not-rewrite-the-following-urls-lists-in-safe-links-policies) section later in this article.- For more information about the recommended values for Standard and Strict policy settings for Safe Links policies, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings). -- **Do not rewrite URLs, do checks via SafeLinks API only**: If this setting is enabled, no URL wrapping takes place. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it. The recommend value is disabled.
-
- **Recipient filters**: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions: - **The recipient is** - **The recipient domain is**
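Review bot: The added setting descriptions use two vocabularies for the same checkbox state. The added lines for **Apply Safe Links to email messages sent within the organization**, **Apply real-time URL scanning for suspicious links and links that point to files** and **Wait for URL scanning to complete before delivering the message** say "selected (on)" and "Not selected (off)", while the added lines for **Do not rewrite URLs, do checks via SafeLinks API only** and **Let users click through to the original URL** still say "disabled". This change inverts the polarity of two settings (**Do not track user clicks** becomes **Track user clicks**, **Do not allow users to click through to original URL** becomes **Let users click through to the original URL**), so a reader mapping old values to new ones needs one consistent term; suggest "not selected (off)" in both places. The three added lines for **Do not rewrite URLs, do checks via SafeLinks API only**, **Track user clicks** and **Let users click through to the original URL** also carry over the typo "The recommend value", which should read "The recommended value".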
security Set Up Safe Links Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-links-policies.md
You can also use the procedures in this article to create Safe Links policies th
> > You configure the global settings for Safe Links protection **outside** of Safe Links policies. For instructions, see [Configure global settings for Safe Links in Microsoft Defender for Office 365](configure-global-settings-for-safe-links.md). >
-> Admins should consider the different configuration settings for Safe Links. One of the available options is to include user identifiable information in Safe Links. This feature enables *Security Ops teams* to investigate potential user compromise, take corrective action, and limit costly breaches.
+> Admins should consider the different configuration settings for Safe Links. One of the available options is to include user identifiable information in Safe Links. This feature enables security operations (SecOps)teams to investigate potential user compromise, take corrective action, and limit costly breaches.
You can configure Safe Links policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).
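Review bot: The added line is missing a space in "security operations (SecOps)teams"; it should read "security operations (SecOps) teams".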
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates
- **Wait for URL scanning to complete before delivering the message**: Select this option to wait for real-time URL scanning to complete before delivering the message. - **Apply Safe Links to email messages sent within the organization**: Select this option to apply the Safe Links policy to messages between internal senders and internal recipients. - **Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Select **On** to enable Safe Links protection for links in Teams. Note that this setting might take up to 24 hours to take effect.
- - **Do not track user clicks**: Leave this setting unselected to enable the tracking user clicks on URLs in email messages.
- - **Do not allow users to click through to original URL**: Select this option to block users from clicking through to the original URL in [warning pages](safe-links.md#warning-pages-from-safe-links).
+ - **Track user clicks**: Leave this option selected to enable the tracking user clicks on URLs in email messages.
+ - **Let users click through to the original URL**: Clear this option to block users from clicking through to the original URL in [warning pages](safe-links.md#warning-pages-from-safe-links).
- **Do not rewrite the following URLs**: Allows access the specified URLs that would otherwise be blocked by Safe Links. In the box, type the URL or value that you want, and then click **Add**. Repeat this step as many times as necessary.
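Review bot: The added **Track user clicks** line keeps the broken phrase "to enable the tracking user clicks on URLs" from the line it replaces; suggest "to enable tracking of user clicks on URLs". The instruction verbs were flipped correctly to match the inverted labels ("Leave this option selected", "Clear this option to block"), so only the wording needs a fix.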
Creating a Safe Links policy in PowerShell is a two-step process:
To create a safe links policy, use this syntax: ```PowerShell
-New-SafeLinksPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-IsEnabled <$true | $false>] [-EnableSafeLinksForTeams <$true | $false>] [-ScanUrls <$true | $false>] [-DeliverMessageAfterScan <$true | $false>] [-EnableForInternalSenders <$true | $false>] [-DoNotAllowClickThrough <$true | $false>] [-DoNotTrackUserClicks <$true | $false>] [-DoNotRewriteUrls "Entry1","Entry2",..."EntryN"]
+New-SafeLinksPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-EnableSafeLinksForEmail <$true | $false>] [-EnableSafeLinksForTeams <$true | $false>] [-ScanUrls <$true | $false>] [-DeliverMessageAfterScan <$true | $false>] [-EnableForInternalSenders <$true | $false>] [-AllowClickThrough <$true | $false>] [-TrackUserClicks <$true | $false>] [-DoNotRewriteUrls "Entry1","Entry2",..."EntryN"]
``` > [!NOTE]
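Review bot: The syntax line renames three parameters without saying so anywhere in the visible text, and two of the renames invert the meaning of the value: `-DoNotAllowClickThrough` becomes `-AllowClickThrough` and `-DoNotTrackUserClicks` becomes `-TrackUserClicks`, alongside `-IsEnabled` becoming `-EnableSafeLinksForEmail`. An admin who updates only the parameter name in an existing script and keeps `$true` ends up allowing click-through and, in the other case, keeps the same literal value but with the opposite effect. Suggest a sentence next to the syntax that lists the old and new names, states that the values are inverted for the two "DoNot" parameters, and says whether the old names are still accepted.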
This example creates a safe links policy named Contoso All with the following va
- Turn on real-time scanning of clicked URLs, including clicked links that point to files. - Wait for URL scanning to complete before delivering the message. - Turn on URL scanning and rewriting for internal messages.-- Track user clicks related to Safe Links protection (we aren't using the _DoNotTrackUserClicks_ parameter, and the default value is $false, which means user clicks are tracked).
+- Track user clicks related to Safe Links protection (we aren't using the _TrackUserClicks_ parameter, and the default value is $true).
- Do not allow users to click through to the original URL. ```PowerShell
-New-SafeLinksPolicy -Name "Contoso All" -IsEnabled $true -EnableSafeLinksForTeams $true -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true -DoNotAllowClickThrough $true
+New-SafeLinksPolicy -Name "Contoso All" -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true -AllowClickThrough $false
``` For detailed syntax and parameter information, see [New-SafeLinksPolicy](/powershell/module/exchange/new-safelinkspolicy).
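Review bot: The example leaves click tracking to the default, and the added bullet now says only "the default value is $true" where the removed bullet also spelled out what that default means ("which means user clicks are tracked"). Because the parameter polarity changed in this same commit, suggest either restoring that explanation or passing `-TrackUserClicks $true` explicitly in the command, so the example states the intended tracking behaviour rather than depending on a default the reader has to look up.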
security Try Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md
+
+ Title: Try Microsoft Defender for Office 365
+description:
+keywords:
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
+
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ - MOE150
+
+ - M365-security-compliance
+
+ms.technology: mdo
+++
+# Try Microsoft Defender for Office 365
+
+> [!NOTE]
+> The feature that's described by this article is in Preview, is not available in all organizations, and is subject to change.
+
+The unified **Trials** portal in the Microsoft 365 Defender portal provides a single point of entry for the formerly separate Trial and Evaluate experiences for Microsoft Defender for Office 365. The intent is to allow you to try the features of Defender for Office 365 Plan 2 for 30 days before you fully commit to it. But, there are differences in the evaluation experiences based on the nature of your Microsoft 365 organization:
+
+- You already have Microsoft 365 mailboxes, but you're currently using a third-party service or device for email protection. Mail from the internet flows through the protection service before delivery into your Microsoft 365 organization. Microsoft 365 protection is as low as possible (it's never completely off; for example, malware protection is always enforced).
+
+ ![Mail flows from the internet through the third-party protection service or device before delivery into Microsoft 365.](../../media/mdo-migration-before.png)
+
+ In these environments, you can only try Defender for Office 365 in *audit* mode. You don't need to change your mail flow (MX records) to try Defender for Office 365.
+
+- You already have a Microsoft 365 organization. Mail from the internet flows directly Microsoft 365, but your current subscription has only [Exchange Online Protection (EOP)](exchange-online-protection-overview.md) or [Defender for Office 365 Plan 1](overview.md#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).
+
+ ![Mail flows from the internet into Microsoft 365, with protection from EOP and/or Defender for Office 365 Plan 1.](../../media/mdo-trial-mail-flow.png)
+
+ In these environments, you can try Defender for Office 365 in *audit* mode or in *blocking mode*.
+
+You're invited to start your trial in various Defender for Office 365 feature locations in the Microsoft 365 Defender portal at <https://security.microsoft.com>. The centralized location to start your trial is on the **Trials** page at <https://security.microsoft.com/atpEvaluation>.
+
+The rest of this article explains the difference between audit mode blocking mode, how to configure evaluations, and other details.
+
+## Overview of Defender for Office 365
+
+Defender for Office 365 helps organizations secure their enterprise by offering a comprehensive slate of capabilities. For more information, see [Microsoft Defender for Office 365](defender-for-office-365.md).
+
+You can also learn more about Defender for Office 365 at this [interactive guide](https://aka.ms/MS365D.InteractiveGuide).
+
+![Microsoft Defender for Office 365 conceptual diagram.](../../media/microsoft-defender-for-office-365.png)
+
+## Policies in blocking mode or audit mode
+
+When you evaluate Defender for Office 365, the policies that control protection features in Microsoft 365 are present:
+
+- **Exchange Online Protection (EOP)**: No new or special policies are created. Existing EOP policies are able to act on messages (for example, send messages to the Junk Email folder or to quarantine):
+
+ - [Anti-malware policies](anti-malware-protection.md)
+ - [Inbound anti-spam protection](anti-spam-protection.md)
+ - [Anti-spoofing protection in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings)
+
+ The default policies for these features are always on, apply to all recipients, and are always applied last (after any custom policies).
+
+- **Defender for Office 365**: Policies that are exclusive to Defender for Office 365 are created for your evaluation of Defender for Office 365:
+
+ - [Impersonation protection in anti-phishing policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)
+ - [Safe Attachments for email messages](safe-attachments.md)
+ - [Safe Links for email messages and Microsoft Teams](safe-links.md)
+
+ But, the nature of these policies is different in blocking mode and audit mode:
+
+ - **Audit mode**: Regular policies are created, but the policies are configured only to *detect* threats. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined).
+
+ - **Blocking mode**: Policies are created using the Standard template for [preset security policies](preset-security-policies.md). Defender for Office 365 *detects* and *takes action on* harmful messages (for example, detected messages are quarantined).
+
+ The default and recommended selection is to scope these Defender for Office 365 policies to all users in the organization. But during or after setup, you can change the policy assignment to specific users, groups, or email domains.
+
+**Notes**:
+
+- Safe Links will detonate URLs in mail flow. To prevent specific URLs from being detonated, use the Tenant Allow/Block List. For more information, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+- Safe Links doesn't wrap URL links in email message bodies.
+- The evaluation policy settings are described in the [Evaluation policy settings](#evaluation-policy-settings) section later in this article.
+
+## Set up an evaluation in audit mode
+
+1. Click **Start evaluation**.
+
+2. In the **Turn on protection** dialog, select **No, I only want reporting**, and then click **Continue**.
+
+3. In the **Select the users you want to include** dialog, configure the following settings:
+
+ - **All users**: This is the default and recommended option.
+ - **Select users**: If you select this option, you need to select who the evaluation applies to:
+ - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
+ - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
+
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
+
+ > [!NOTE]
+ > You can change these selections after you finish setting up the evaluation.
+
+ When you're finished, click **Continue**.
+
+4. In the **Help us understand your mail flow** dialog, configure the following options:
+
+ - **Share data with Microsoft**: This option is selected by default, but you can clear the check box if you like.
+
+ - One of the following options is automatically selected based on our detection of the MX record for your domain:
+
+ - **I'm using a third-party and/or on-premises service provider**: The MX record for your domain points somewhere other than Microsoft 365. This selection requires the following additional settings after you click **Next**:
+
+ 1. In the **Third party or on-premises settings** dialog, configure the following settings:
+
+ - **Select a third party service provider**: Select one of the following values:
+ - **Barracuda**
+ - **IronPort**
+ - **Mimecast**
+ - **Proofpoint**
+ - **Sophos**
+ - **Symantec**
+ - **Trend Micro**
+ - **Other**
+
+ - **The connector to apply this evaluation to**: Select the connector that's used for mail flow into Microsoft 365.
+
+ [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as *skip listing*) is automatically configured on the connector that you specify.
+
+ When a third-party service or device sits in from of Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages, and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-spoofing-protection.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer.md) and [Automated Investigation & Response (AIR)](automated-investigation-response-office.md)).
+
+ - **List each gateway IP address your messages pass through**: This setting is available only if you selected **Other** for **Select a third party service provider**. Enter a comma-separated list of the IP addresses that are used by the third-party protection service or device to send mail into Microsoft 365.
+
+ When you're finished, click **Next**.
+
+ 2. In the **Exchange mail flow rules** dialog, decide if you need an Exchange Online mail flow rule (also known as a transport rule) that skips spam filtering for incoming messages from the third-party protection service or device.
+
+ It's likely that you already have an SCL=-1 mail flow rule in Exchange Online that allows all inbound mail from the protection service to bypass (most) Microsoft 365 filtering. Many protection services encourage this spam confidence level (SCL) mail flow rule method for Microsoft 365 customers who use their services.
+
+ As explained in the previous step, Enhanced Filtering for Connectors is automatically configured on the connector that you specify as the source of mail from the protection service.
+
+ Turning on Enhanced Filtering for Connectors without an SCL=-1 rule for incoming mail from the protection service will vastly improve the detection capabilities of EOP protection features like [spoof intelligence](anti-spoofing-protection.md), and could impact the delivery of those newly-detected message (for example, move to the Junk Email folder or to quarantine). This impact is limited to EOP policies; as previously explained, Defender for Office 365 policies are created in audit mode.
+
+ To create an SCL=-1 mail flow rule or to review your existing rules, click the **Go to Exchange admin center** button on the page. For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
+
+ When you're finished, click **Finish**.
+
+ - **I'm only using Microsoft Exchange Online**: Yhe MX records for your domain point to Microsoft 365. There's nothing left to configure, so click **Finish**.
+
+5. A progress dialog appears as your evaluation is set up. When set up is complete, click **Done**.
+
+## Set up an evaluation in blocking mode
+
+1. Click **Start evaluation**.
+
+2. In the **Turn on protection** dialog, select **Yes, protect my organization by blocking threats**, and then click **Continue**.
+
+3. In the **Select the users you want to include** dialog, configure the following settings:
+
+ - **All users**: This is the default and recommended option.
+ - **Select users**: If you select this option, you need to select who the evaluation applies to:
+ - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
+ - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
+
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
+
+ > [!NOTE]
+ > You can change these selections after you finish setting up the evaluation.
+
+ When you're finished, click **Continue**.
+
+4. A progress dialog appears as your evaluation is set up. When setup is complete, click **Done**.
+
+## Reporting in audit mode
+
+- The [Threat protection status report](view-email-security-reports.md#threat-protection-status-report) shows detections by Defender for Office 365 in the following views:
+ - [View data by Email \> Malware and Chart breakdown by Detection Technology](view-email-security-reports.md#view-data-by-email--malware-and-chart-breakdown-by-detection-technology)
+ - [View data by Email \> Spam and Chart breakdown by Detection Technology](view-email-security-reports.md#view-data-by-email--spam-and-chart-breakdown-by-detection-technology)
+ - [View data by Email \> Phish and Chart breakdown by Detection Technology](view-email-security-reports.md#view-data-by-email--phish-and-chart-breakdown-by-detection-technology)
+
+- In [Threat Explorer](threat-explorer.md), messages that were detected by the Defender for Office 365 evaluation show the following banner in the details of the entry:
+
+ ![Notification banner in message details that the Defender for Office 365 evaluation detected a malicious email message.](../../media/evalv2-detection-banner.png)
+
+<! This stuff is likely not applicable for V2 reporting >
+
+The **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation> consolidates the reporting for the policies in the evaluation:
+
+- Impersonation protection in anti-phishing policies
+- Safe Links
+- Safe Attachments
+
+By default, the charts show data for the last 30 days, but you can filter the date range by clicking ![Calendar icon.](../../media/m365-cc-sc-add-internal-icon.png) **30 days** and selecting from following additional values that are less than 30 days:
+
+- 24 hours
+- 7 days
+- 14 days
+- Custom date range
+
+You can click ![Download icon.](../../media/m365-cc-sc-download-icon.png) **Download** to download the chart data to a .csv file.
+
+## Required permissions
+
+Permissions that are required in **Azure AD** to set up an evaluation of Defender for Microsoft 365 are described in the following list:
+
+- **Create, modify or delete an evaluation**: Security Administrator or Global Administrator.
+- **View evaluation policies and reports**: Security Administrator or Security Reader.
+
+For more information about Azure AD permissions in the Microsoft 365 Defender portal, see [Azure AD roles in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md#azure-ad-roles-in-the-microsoft-365-defender-portal)
+
+## Evaluation policy settings
+
+The settings in the Defender for Office 365 that are specifically created for the evaluation are described in the following tables:
+
+**Anti-phishing evaluation policy settings**:
+
+|Setting|Value|
+|||
+|AdminDisplayName|Evaluation Policy|
+|AuthenticationFailAction|MoveToJmf|
+|Enabled|True|
+|EnableFirstContactSafetyTips|False|
+|EnableMailboxIntelligence|True|
+|EnableMailboxIntelligenceProtection|True|
+|EnableOrganizationDomainsProtection|False|
+|EnableSimilarDomainsSafetyTips|False|
+|EnableSimilarUsersSafetyTips|False|
+|EnableSpoofIntelligence|True|
+|EnableSuspiciousSafetyTip|False|
+|EnableTargetedDomainsProtection|False|
+|EnableTargetedUserProtection|False|
+|EnableUnauthenticatedSender|True|
+|EnableUnusualCharactersSafetyTips|False|
+|EnableViaTag|True|
+|Guid|GUID value|
+|ImpersonationProtectionState|Manual|
+|IsDefault|False|
+|MailboxIntelligenceProtectionAction|NoAction|
+|MailboxIntelligenceProtectionActionRecipients|{}|
+|MailboxIntelligenceQuarantineTag|DefaultFullAccessPolicy|
+|Name|Evaluation Policy|
+|PhishThresholdLevel|1|
+|RecommendedPolicyType|Evaluation|
+|SpoofQuarantineTag|DefaultFullAccessPolicy|
+|TargetedDomainActionRecipients|{}|
+|TargetedDomainProtectionAction|NoAction|
+|TargetedDomainQuarantineTag|DefaultFullAccessPolicy|
+|TargetedUserActionRecipients|{}|
+|TargetedUserProtectionAction|NoAction|
+|TargetedUserQuarantineTag|DefaultFullAccessPolicy|
+|||
+|AntiPhishPolicyLevelDataList|blank|
+|AntiSpoofEnforcementType|High|
+|AuthenticationSafetyTipText|blank|
+|AuthenticationSoftPassSafetyTipText|blank|
+|EnableAuthenticationSafetyTip|False|
+|EnableAuthenticationSoftPassSafetyTip|False|
+|PolicyTag|blank|
+|SimilarUsersSafetyTipsCustomText|blank|
+|TreatSoftPassAsAuthenticated|True|
+|UnusualCharactersSafetyTipsCustomText|blank|
+|||
+|ExcludedDomains|{}|
+|ExcludedSenders|{}|
+|TargetedDomainsToProtect|{}|
+|TargetedUsersToProtect|{}|
+
+**Safe Attachments evaluation policy settings**:
+
+|Setting|Value|
+|||
+|Action|Allow|
+|ActionOnError|True|
+|AdminDisplayName|Evaluation Policy|
+|ConfidenceLevelThreshold|80|
+|Enable|True|
+|EnableOrganizationBranding|False|
+|Guid|GUID value|
+|IsBuiltInProtection|False|
+|IsDefault|False|
+|Name|Evaluation Policy|
+|OperationMode|Delay|
+|QuarantineTag|AdminOnlyAccessPolicy|
+|RecommendedPolicyType|Evaluation|
+|Redirect|False|
+|RedirectAddress|{}|
+|ScanTimeout|30|
+
+**Safe Links evaluation policy settings**:
+
+|Setting|Value|
+|||
+|AdminDisplayName|Evaluation Policy|
+|AllowClickThrough|False|
+|CustomNotificationText|blank|
+|DeliverMessageAfterScan|True|
+|DisableUrlRewrite|True|
+|DoNotRewriteUrls|{}|
+|EnableForInternalSenders|False|
+|EnableOrganizationBranding|False|
+|EnableSafeLinksForTeams|True|
+|Guid|GUID value|
+|IsBuiltInProtection|False|
+|IsDefault|False|
+|IsEnabled|True|
+|LocalizedNotificationTextList|{}|
+|Name|"EvaluationPolicy"|
+|RecommendedPolicyType|Evaluation|
+|ScanUrls|True|
+|TrackClicks|True|
+|||
+|DoNotAllowClickThrough|blank|
+|DoNotTrackUserClicks|False|
+|EnableSafeLinksForEmail|True|
+|EnableSafeLinksForOffice|True|
+|ExcludedUrls|{}|
+|WhiteListedUrls|blank|
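Review bot: Under "Reporting in audit mode", the line `<! This stuff is likely not applicable for V2 reporting >` is not a valid HTML comment and reads as an unresolved internal note; either remove the text below it that it refers to or delete the marker, since as written the reader cannot tell whether the **Microsoft Defender for Office 365 evaluation** page description still applies. The "Evaluation policy settings" section should also say which mode its tables describe: earlier the article states that audit mode policies only detect and that blocking mode policies come from the Standard preset template, yet the anti-phishing table lists `AuthenticationFailAction` as `MoveToJmf` with no indication of mode, and the Safe Links table lists both the old and new parameter names (`DoNotAllowClickThrough` and `AllowClickThrough`, `DoNotTrackUserClicks` and `TrackClicks`) without explaining which one is authoritative. Smaller fixes in the added text: "flows directly Microsoft 365" (missing "into"), "the difference between audit mode blocking mode" (missing "and"), "sits in from of Microsoft 365" ("in front of"), "Yhe MX records", "those newly-detected message" ("messages"), "an evaluation of Defender for Microsoft 365" in "Required permissions" (the product is named Defender for Office 365 everywhere else), and the missing period after the final link in that section.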
security View Reports For Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-reports-for-mdo.md
The **Top senders and recipients** report show the top recipients for EOP and De
## URL protection report
-The **URL protection report** provides summary and trend views for threats detected and actions taken on URL clicks as part of [Safe Links](safe-links.md). This report will not have click data from users where the Safe Links policy applied has the **Do not track user clicks** option selected.
+The **URL protection report** provides summary and trend views for threats detected and actions taken on URL clicks as part of [Safe Links](safe-links.md). This report will not have click data from users where the Safe Links policy was applied when the **Track user clicks** option is not selected.
To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **URL protection page** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/URLProtectionActionReport>.
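Review bot: The rewritten sentence "where the Safe Links policy was applied when the **Track user clicks** option is not selected" mixes tenses and can be read as describing when the policy was applied rather than how it is configured. Suggest "This report will not have click data from users where the applied Safe Links policy does not have the **Track user clicks** option selected", which keeps the inverted option name and states the condition unambiguously.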