-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard will help you better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-> The information and data on the Microsoft 365 Experience insights dashboard helps you to better understand and improve your users' overall experience with Microsoft 365. [Learn more](https://learn.microsoft.com/microsoft-365/admin/misc/experience-insights-dashboard).

-Starting with version 2.1.0, the Microsoft 365 support integration app introduces a new feature that allows creating ServiceNow incidents when a Microsoft Service Health Incident is published for your tenant. This feature seeks to empower IT teams, taking care of creating incidents in ServiceNow when Microsoft publishes new service health incidents.

-Whenever there is an update to the Microsoft Service Health Incident, the app will post the same updates to the ServiceNow incident created for it. Additionally, you can choose to have the app automatically close out the created ServiceNow incident when the Microsoft service health incident is resolved, or you can opt to manually close them out.

-Here are how the properties on the Microsoft service health incident will map to the properties on the ServiceNow incident.

- - If the ServiceNow incident is manually resolved/closed by a user and this setting is enabled, then the app will discontinue to post updates to that incident.

- - If the ServiceNow incident is resolved automatically, then the app will discontinue to post updates to that incident.

- - The ServiceNow incident will be resolved with the following settings:

-| Field | Value |

-| | |

-| Resolution code | Closed/Resolved by Caller |

-| Resolution note | The Microsoft service health incident was resolved on <date_time>. Please refer to the incident details in the Microsoft 365 Support tab for more information. |

-*This documentation was made with AI assistance.*

-## Hide external contacts from the shared address book>

-The migration assistant supports migrating DLP policies from Symantec versions 15.0 through 15.7 maintenance packs included.

-The Service Trust Portal has documents that, given the nature of their content, are available for users with specific permissions. Users with Tenant Admin, Compliance Viewer role or the user set in database are able to see the restricted documents.

-There's no limit to the number of sensitivity labels that you can create and publish, with one exception: If the label applies encryption that specifies the users and permissions, there's a maximum of 500 labels supported with this configuration. However, as a best practice to lower admin overheads and reduce complexity for your users, try to keep the number of labels to a minimum. Real-world deployments have proved effectiveness to be noticeably reduced when users have more than five main labels or more than five sublabels per main label.

-12 digits

-12 digits

-nine digits that start with a "9" and contain a "7" or "8" as the fourth digit, optionally formatted with spaces or dashes

-After your exact data match (EDM) sensitive information type (SIT) has been created and an hour after verifying that your sensitive information table has finished uploading and indexing, you can test that it detects the information you want to detect by using the test function in the sensitive information types section in the Compliance center.

-

->[!NOTE:]

->Changes in an already created EDM SIT can take some time to propagate across the system. If you are making changes in an EDM sensitive information type for troubleshooting detection issues, make sure to wait at least one hour after making those changes before using the test function to validate their impact.

-2. Select your EDM SIT from the list and then select **Test** in the flyout pane. This option is only present under sensitive information types.

-

-5. Alternatively, you can use the following PowerShell cmdlet:

- When you create a or edit an EDM sensitive information type, or the primary SIT on which an EDM type is based, all new content and content thatΓÇÖs modified after the changes to the SITs will be crawled for text that matches the new definitions, but preexisting content wonΓÇÖt be crawled until modified or reindexed.

-To force re-crawling of existing content in a SharePoint site or library or in OneDrive, follow the instructions in [Manually request crawling and reindexing of a site, a library or a list](/sharepoint/crawl-site-content).

-You can see where your EDM SIT is being used and how accurate it is in production by using them in policies:

-1. Tune your policies as appropriate.

-Once you're satisfied with the results of your testing and tuning, your EDM based custom SIT is ready for use in information protection policies, like:

-|No matches found | Test the SIT you used when you configured the primary element in each of your patterns. This will confirm that the SIT is able to match the examples in the item. Using an incorrectly defined SIT as the classification element of an EDM Sensitive information type is the most common cause for detection failures in EDM. |

-|An EDM SIT with primary elements and no secondary elements defined detects items, but doesn't detect, or detects fewer matches than expected when primary and secondary elements are required. | If values in a column used for secondary evidence are not composed of a single word or strings that don't contain spaces, commas, or other word separators, you will need to associate them with a sensitive info type that uses either a REGEX designed to detect multi-word strings that follow the desired pattern (e.g. a fixed number of consecutive words that start with an uppercase character), or a keyword dictionary that lists all the unique values in that column. For example, if there's an additional evidence column for a person's city or residence, you can create a list with all the unique city names from the table and use it to create a dictionary-based sensitive information type. Use this SIT as the classification element for the corresponding column in your EDM sensitive info type by exporting and editing the EDM SIT definition in XML. See [Create a rule package manually](sit-get-started-exact-data-match-create-rule-package.md#create-a-rule-package-manually).|

-|DLP or auto-labeling rules that require multiple matches don't trigger |Check that the proximity requirements for both your EDM type and the base sensitive information types are met. For example, if the maximum distance of between the primary element and supporting keywords is 300 characters, but the keywords are only present in the first row of a long table, only the first few rows of matching values are likely to meet the proximity requirements. Modify your SIT definitions to support more relaxed proximity rules or use the anywhere in the document option for the additional evidence conditions. |

-EDM-based classification enables you to create custom sensitive information types that refer to exact values in a database of sensitive information. The database can be refreshed daily, and contain up to 100 million rows of data. So as employees, patients, or clients come and go, and records change, your custom sensitive information types remain current and applicable. And, you can use EDM-based classification with policies, such as [Microsoft Purview data loss prevention policies](dlp-learn-about-dlp.md) or [Microsoft Cloud App Security file policies](/cloud-app-security/data-protection-policies).

-The sensitive information source table contains the values that the EDM SIT will look for. It is made up of columns and rows. The column headers are the field names, the rows are an instance of item and each cell contains the values for that item instance for that field.

-When the primary element is found in a scanned item, EDM will then look for *secondary* or supporting elements. Secondary elements don't need to follow a pattern unless they contain multiple tokens (which requires association to a SIT, similar to primary elements), but do need to be within a certain proximity to the primary element.

-These limits apply to all sensitive information types (SIT) except exact data match sensitive information types which support up to 100.

-> We support up to 100 exact data match (EDM) evaluations. Policies that use EDM SITs should not be written with a **min** or **max** instance count value greater than 100.

-To ensure high performance and lower latency, there are limitations in custom SITs configurations.

-|maximum number of custom SITs created through the Compliance center| 500 |

-|maximum length of regular expression| 1024 characters|

-|maximum length for a given term in a keyword list| 50 characters|

-|maximum number of terms in keyword list| 2048|

-|maximum number of distinct regexes per sensitive information type| 20|

-|maximum size of a keyword dictionary (post compression)| 1MB (~1,000,000 characters)|

-|maximum number of keyword dictionary based SITs in a tenant| 50 |

-|maximum number of MIP+MIG ppolicies in a tenant| 10,000 |

-|maximum number of DLP rules in a policy | Limited by the size of policy (100KB) |

-|maximum number of DLP rules in a tenant | 600 |

-|maximum size of an individual DLP rule | 80KB |

-|maximum size of a DLP policy | 100KB |

-|GIR evidence limit | 100 with each SIT evidence in proportion of occurence |

-The SIT instance count limit applies when SITs are used in these solutions:

-For a scanned item to satisfy rule criteria, the number of unique instances of a SIT in any single item must fall between the min and max values. This is called the **Instance count**.

- - 1 to 500

- - 1 to 500 - Use this when you want to set a specific upper limit that is 500 or less on the number of instances of a SIT in an item.

- - Any - Use `Any` when you want the unique instance count criteria to be satisfied when an undefined number of unique instances of a SIT are found in a scanned item and that number of unique instances meets or exceeds the minimum number of unique instances value. In other words, the unique instance count criteria are met as long as the min value is met.

-This article walks you through the steps to modify and remove an existing custom sensitive information type in the Compliance center.

-## Modify custom sensitive information types in the Compliance Center

-1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type from the list that you want to modify choose **Edit**.

-## Remove custom sensitive information types in the Compliance Center

-> Before your remove a custom sensitive information type, verify that no DLP policies or Exchange mail flow rules (also known as transport rules) still reference the sensitive information type.

-1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type from the list that you want to remove.

-2. In the fly-out that opens, choose **Delete**.

-> If you have a copy of the XML file (for example, you just created and imported it), you can skip to the next step to modify the XML file.

-1. If you don't already know it, run the [Get-DlpSensitiveInformationTypeRulePackage](/powershell/module/exchange/get-dlpsensitiveinformationtype) cmdlet to find the name of the custom rule package:

-Sensitive information types in the XML file and other elements in the file are described earlier in this topic.

-description: Learn how to modify an edm schema to use configurable match.

- > The underlying custom sensitive information type or built in sensitive information type used to detect the general regex pattern must support detection of the variations inputs listed with ignoredDelimiters. For example, the built in U.S. social security number (SSN) sensitive information type can detect variations in the data that include dashes, spaces, or lack of spaces between the grouped numbers that make up the SSN. As a result, the only delimiters that are relevant to include in EDMΓÇÖs ignoredDelimiters for SSN data are: dash and space.

- Here is a sample schema that simulates case insensitive match by creating the extra columns needed to recognize case variations in the sensitive data.

- To update this schema so that EDM uses configurable match use the `caseInsensitive` and `ignoredDelimiters` flags. Here's how that looks:

- > If your organization has set up [Customer Key for Microsoft 365 at the tenant level (public preview)](customer-key-tenant-level.md#overview-of-customer-key-for-microsoft-365-at-the-tenant-level-public-preview), Exact data match will make use of its encryption functionality automatically. This is available only to E5 licensed tenants in the Commercial cloud.

- > Optionally, you can run a validation against your csv file before uploading by running:

- > For more information on all the EdmUploadAgent.exe supported parameters, run

-9. Open Command Prompt window (as an administrator) and run the following command to hash and upload your sensitive data:

-|**Last updated:** 01/03/2023 -  [Change Log subscription](https://endpoints.office.com/version/USGOVDoD?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVDoD?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|

-|**Last updated:** 01/03/2023 -  [Change Log subscription](https://endpoints.office.com/version/USGOVGCCHigh?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVGCCHigh?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|

-**Last updated:** 01/03/2023 -  [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)

-|**Last updated:** 01/31/2023 - |

-A Blue Yonder Workforce Management instance should only be mapped to one team at any given time in a connection.

-However, when you use PowerShell or Microsoft 365 admin center to set up a connection, itΓÇÖs possible to map an instance to more than one team. We recommend that you avoid mapping an instance to multiple teams as it can result in syncing issues and unexpected behavior.

-A UKG Dimensions instance should only be mapped to one team at any given time in a connection.

-However, when you use PowerShell or Microsoft 365 admin center to set up a connection, itΓÇÖs possible to map an instance to more than one team. We recommend that you avoid mapping an instance to multiple teams as it can result in syncing issues and unexpected behavior.

-|WFM instance | This term refers to a team within your Blue Yonder WFM system, which is different than a team in Microsoft Teams. |

-## For those who use Ansible, Chef, or Puppet

-```bash

-Automating with Puppet: Cron jobs and scheduled tasks

-You can use advanced hunting queries to gain visibility on browser extensions in your organization. Find details about the browser extensions installed per device in the **DeviceTVMBrowserExtensions** table, or browser extension related information, including extensions permission information in the **DeviceTVMBrowserExtensionsKB** table.

-All other identified suspicious activities are summarized in a table in the **Threat categories** section of the report. The columns represent the different threat attack tactics and categories to help you visualize what an activity is trying to achieve in each attack phase so you can plan the corresponding containment and remediation actions.

-

-For more information, see See [Remediation actions in Microsoft 365 Defender](m365d-remediation-actions.md).

-> Experts on Demand is included in your Defender Experts for Hunting subscription with monthly allocations. However, it's not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

-|Feature|Anti-phishing policies in EOP|Anti-phishing policies in Defender for Office 365|

-|Automatically created default policy|||

-|Create custom policies|||

-|Common policy settings^\*|||

-|Spoof settings|||

-|First contact safety tip|||

-|Impersonation settings|||

-|Advanced phishing thresholds|||

-^\* In the default policy, the policy name, and description are read-only (the description is blank), and you can't specify who the policy applies to (the default policy applies to all recipients).

-The **Show first contact safety tip** settings is available in EOP and Defender for Office 365 organizations, and has no dependency on spoof intelligence or impersonation protection settings. The safety tip is shown to recipients in the following scenarios:

-> [!NOTE]

-> If the message has multiple recipients, whether the tip is shown and to whom is based on a majority model. If the majority of recipients have never or don't often receive messages from the sender, then the affected recipients will receive the **Some people who received this message...** tip. If you're concerned that this behavior exposes the communication habits of one recipient to another, you should not enable the first contact safety tip and continue to use mail flow rules instead.

-> Impersonation protection looks for domains that are similar. For example, if your domain is contoso.com, we check for different top-level domains (.com, .biz, etc.) as impersonation attempts, but also domains that are even somewhat similar. For example, contosososo.com or contoabcdef.com might be seen as impersonation attempts of contoso.com.

-An impersonated domain might otherwise be considered legitimate (registered domain, configured email authentication records, etc.), except its intent is to deceive recipients.

-The following impersonation settings are only available in anti-phishing policies in Defender for Office 365:

- You can use protected users to add internal and external sender email addresses to protect from impersonation. This list of **senders** that are protected from user impersonation is different from the list of **recipients** that the policy applies to (all recipients for the default policy; specific recipients as configured in the **Users, groups, and domains** setting in the [Common policy settings](#common-policy-settings) section).

- > [!NOTE]

- > In each anti-phishing policy, you can specify a maximum of 350 protected users (sender email addresses). You can't specify the same protected user in multiple policies. So, regardless of how many policies apply to a recipient, the maximum number of protected users (sender email addresses) for each individual recipient is 350. For more information about policy priority and how policy processing stops after the first policy is applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

- By default, no sender email addresses are configured for impersonation protection in **Users to protect**. Therefore, by default, no sender email addresses are covered by impersonation protection, either in the default policy or in custom policies.

- When you add internal or external email addresses to the **Users to protect** list, messages from those **senders** are subject to impersonation protection checks. The message is checked for impersonation **if** the message is sent to a **recipient** that the policy applies to (all recipients for the default policy; **Users, groups, and domains** recipients in custom policies). If impersonation is detected in the sender's email address, the impersonation protections actions for users are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).

- > [!NOTE]

- > You can specify a maximum of 50 custom domains in each anti-phishing policy.

- By default, no sender domains are configured for impersonation protection in **Enable domains to protect**. Therefore, by default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.

- When you add domains to the **Enable domains to protect** list, messages from **senders in those domains** are subject to impersonation protection checks. The message is checked for impersonation **if** the message is sent to a **recipient** that the policy applies to (all recipients for the default policy; **Users, groups, and domains** recipients in custom policies). If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).

- - **Don't apply any action**

- - **Redirect message to other email addresses**: Sends the message to the specified recipients instead of the intended recipients.

- - **Move messages to the recipients' Junk Email folders**: The message is delivered to the mailbox and moved to the Junk Email folder. For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).

- - **Quarantine the message**: Sends the message to quarantine instead of the intended recipients. For information about quarantine, see the following articles:

- - [Quarantine in Microsoft 365](quarantine-about.md)

- - [Manage quarantined messages and files as an admin in Microsoft 365](quarantine-admin-manage-messages-files.md)

- - [Find and release quarantined messages as a user in Microsoft 365](quarantine-end-user.md)

- If you select **Quarantine the message**, you can also select the quarantine policy that applies to messages that are quarantined by user impersonation or domain impersonation protection. Quarantine policies define what users are able to do to quarantined messages. For more information, see [Quarantine policies](quarantine-policies.md).

- - **Deliver the message and add other addresses to the Bcc line**: Deliver the message to the intended recipients and silently deliver the message to the specified recipients.

- - **Delete the message before it's delivered**: Silently deletes the entire message, including all attachments.

- - **Show tip for impersonated users**: The From address contains an **Enable users to protect** user. Available only if **Enable users to protect** is turned on and configured.

- - **Show tip for impersonated domains**: The From address contains an **Enable domains to protect** domain. Available only if **Enable domains to protect** is turned on and configured.

- - **Show tip for unusual characters**: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in an **Enable users to protect** sender or an **Enable domains to protect** sender domain. Available only if **Enable users to protect** _or_ **Enable domains to protect** is turned on and configured.

- For example, Gabriela Laureano (glaureano@contoso.com) is the CEO of your company, so you add her as a protected sender in the **Enable users to protect** settings of the policy. But, some of the recipients that the policy applies to communicate regularly with a vendor who is also named Gabriela Laureano (glaureano@fabrikam.com). Because those recipients have a communication history with glaureano@fabrikam.com, mailbox intelligence will not identify messages from glaureano@fabrikam.com as an impersonation attempt of glaureano@contoso.com for those recipients.

- To use frequent contacts that were learned by mailbox intelligence (and lack thereof) to help protect users from impersonation attacks, you can turn on **Enable intelligence impersonation protection** after you turn on **Enable mailbox intelligence**.

- > [!NOTE]

- > Mailbox intelligence protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt by mailbox intelligence.

- - **Don't apply any action**: Note that this value has the same result as turning on **Mailbox intelligence** but turning off **Enable intelligence impersonation protection**.

- - **Redirect message to other email addresses**

- - **Move message to the recipients' Junk Email folders**

- - **Quarantine the message**: If you select this action, you can also select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).

- - **Deliver the message and add other addresses to the Bcc line**

- - **Delete the message before it's delivered**

- > [!NOTE]

- >

- > - If Microsoft 365 system messages from the following senders are identified as impersonation attempts, you can add the senders to the trusted senders list:

- > - `noreply@email.teams.microsoft.com`

- > - `noreply@emeaemail.teams.microsoft.com`

- > - `no-reply@sharepointonline.com`

- >

- > - Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.

-The chance of false positives (good messages marked as bad) increases as you increase this setting. For information about the recommended settings, see [anti-phishing policy in Microsoft Defender for Office 365 settings](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365).

-As an added benefit, users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): `5.7.1 Your message can't be delivered because one or more recipients are blocked by your organization's tenant allow/block list policy.` The entire message is blocked to all recipients if email is sent to any of the entries in the list.