Updates from: 03/08/2024 08:03:28
Category Microsoft Docs article Related commit history on GitHub Change details
microsoft-365-copilot-overview Microsoft 365 Copilot Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-overview.md
Copilot for Microsoft 365 is available as an add-on plan with one of the followi
- Microsoft 365 E5 - Microsoft 365 E3-- Office 365 E3
+- Office 365 E3
- Office 365 E5-- Microsoft 365 A5 for faculty-- Microsoft 365 A3 for faculty-- Office 365 A5 for faculty-- Office 365 A3 for faculty - Microsoft 365 Business Standard - Microsoft 365 Business Premium
+- Microsoft 365 A5 for faculty*
+- Microsoft 365 A3 for faculty*
+- Office 365 A5 for faculty*
+- Office 365 A3 for faculty*
+
+*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only.
You can use the [Microsoft Copilot for Microsoft 365 setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) in the Microsoft 365 admin center to assign the required licenses to users. For more information, see [Assign licenses to users in the Microsoft 365 admin center](/microsoft-365/admin/manage/assign-licenses-to-users) and [Microsoft Copilot for Microsoft 365 requirements](microsoft-365-copilot-requirements.md).
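Review bot: The footnote marker on the four new faculty items is a bare trailing `*`, and the footnote line itself begins with an unescaped `*Available`, which some Markdown renderers treat as the start of emphasis; writing both as `\*` keeps them literal. The same list and footnote are added verbatim to the other Copilot articles in this batch (requirements, setup, usage), so a shared include would keep the copies from drifting apart.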
microsoft-365-copilot-requirements Microsoft 365 Copilot Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-requirements.md
Copilot for Microsoft 365 is available as an add-on plan with one of the followi
- Microsoft 365 E5 - Microsoft 365 E3-- Office 365 E3
+- Office 365 E3
- Office 365 E5-- Microsoft 365 A5 for faculty-- Microsoft 365 A3 for faculty-- Office 365 A5 for faculty-- Office 365 A3 for faculty - Microsoft 365 Business Standard - Microsoft 365 Business Premium
+- Microsoft 365 A5 for faculty*
+- Microsoft 365 A3 for faculty*
+- Office 365 A5 for faculty*
+- Office 365 A3 for faculty*
+
+*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only.
You can use the [Microsoft Copilot for Microsoft 365 setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) in the Microsoft 365 admin center to assign the required licenses to users. For more information, see [Assign licenses to users in the Microsoft 365 admin center](/microsoft-365/admin/manage/assign-licenses-to-users).
microsoft-365-copilot-setup Microsoft 365 Copilot Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-setup.md
Your users must have one of the following base licenses to be eligible for a Cop
- Microsoft 365 E3 - Office 365 E3 - Office 365 E5-- Microsoft 365 A5 for faculty-- Microsoft 365 A3 for faculty-- Office 365 A5 for faculty-- Office 365 A3 for faculty - Microsoft 365 Business Standard - Microsoft 365 Business Premium
+- Microsoft 365 A5 for faculty*
+- Microsoft 365 A3 for faculty*
+- Office 365 A5 for faculty*
+- Office 365 A3 for faculty*
+
+*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only.
>[!NOTE] > Customers with Education or Business subscriptions that do not include Teams can still purchase Copilot for Microsoft 365 licenses.
admin Microsoft 365 Copilot Usage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md
You can see the following summary charts in this report
- Microsoft 365 E3 - Office 365 E3 - Office 365 E5-- Microsoft 365 A5 for faculty-- Microsoft 365 A3 for faculty-- Office 365 A5 for faculty-- Office 365 A3 for faculty - Microsoft 365 Business Standard - Microsoft 365 Business Premium
+- Microsoft 365 A5 for faculty*
+- Microsoft 365 A3 for faculty*
+- Office 365 A5 for faculty*
+- Office 365 A3 for faculty*
+
+*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only.
**Users on an eligible update channel** This number is the sum of all users who are enrolled in Current Channel or Monthly Enterprise Channel for app updates in your organization and could be assigned with a Copilot license.
In Recommendations, the recommended action card highlights [Microsoft Copilot Da
You can see the following summary charts in this report as default view: The definitions for Enabled Users and Active Users metrics are the same as provided earlier.
You can switch between Summary view and Trend view.
In the hover status in Summary view, you can see the selected time frame and data refresh time. When switching to Trend view, you can select one product in the dropdown list to see daily usage. :::image type="content" alt-text="Screenshot showing the hover status for Microsoft 365 Copilot adoption chart." source="../../media/copilot-usage-hover-status.png":::
You can view a table list to show each Copilot for Microsoft 365 enabled userΓÇÖ
Select **Choose columns** to add or remove columns from the table. >[!NOTE] > All up last activity date and last activity date per app are reflecting different narratives now. All up last activity date is reflecting the historical last activity date no matter what period is selected on the page, while last activity date per app is reflecting the last activity date within the selected time period; hence, if there is no activity in selected time period, the last activity date per app will be empty. We are planning to make them consistent to reflect the historical last activity date narrative and will provide update once itΓÇÖs done.
bookings Bookings Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-overview.md
- scotvorg - highpri - essentials-overview
+- essentials-security
description: "An overview of the Microsoft Bookings app, which includes a web-based booking calendar and integrates with Outlook to optimize your staffΓÇÖs calendar and give your customers flexibility to book appointments."
Bookings is made up of these components:
- A web app that contains a set of web-based, business-facing pages where Bookings calendar owners and administrators within an organization can define appointment types and details, manage staff schedules and availability, set business hours, and customize how appointments are scheduled. These pages allow for versatility and the ability to customize a Bookings calendar to fit the diverse needs of the person or organization.
+## Bookings data and compliance
+
+All Bookings data is stored within the Microsoft 365 platform and in Exchange Online. Bookings follows all data storage policies that are set by Microsoft, which are the same policies that all Microsoft 365 apps follow. Bookings uses shared mailboxes in Exchange to store customer, staff, service, and appointment details. Compliance policies for shared mailboxes in Exchange also apply for Bookings mailboxes. All customer data (including information provided by customers when booking) is captured in Bookings and is stored within the app, thus it's stored within Exchange Online.
+ ## Before you begin Microsoft Bookings is available in the following subscriptions:
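Review bot: The last sentence of the new "Bookings data and compliance" paragraph (`All customer data ... thus it's stored within Exchange Online`) restates the first sentence and can be cut. The paragraph also says compliance policies for shared mailboxes apply to Bookings mailboxes but links to none of them; a link to the relevant Exchange documentation would let an admin act on that statement.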
enterprise External Domain Name System Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/external-domain-name-system-records.md
These DNS records apply only to tenants in Teams-only mode, for hybrid tenants,
|DNS record|Purpose|Value to use| |||| |**SRV** <br/> **(Federation)**|Allows your Office 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation.|**Domain:** \<domain> <br/> **Service:** sipfederationtls <br/> **Protocol:** TCP <br/> **Priority:** 100 <br/> **Weight:** 1 <br/> **Port:** 5061 <br/> **Target:** sipfed.online.lync.com <br/> **Note:** If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record. |
-|**SRV** <br/> **(SIP)**|It may be needed by Teams-only tenants that use Skype for Business Online phones for Teams.|**Domain:** \<domain> <br/> **Service:** sip <br/> **Protocol:** TLS <br/> **Priority:** 100 <br/> **Weight:** 1 <br/> **Port:** 443 <br/> **Target:** sipdir.online.lync.com|
-|**CNAME** <br/> **(Lyncdiscover)**|Required by Teams-only tenants to support PowerShell cmdlets that still use Skype for Business Online infrastructure for management.|**Alias:** lyncdiscover.\<domain> <br/> **Target:** webdir.online.lync.com|
- ## External DNS records required for Office 365 Single Sign-On <a name="BKMK_ReqdCore"> </a>
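Review bot: The removed Lyncdiscover CNAME row described the record as `Required by Teams-only tenants` for PowerShell management, and the removed SIP SRV row as possibly needed for Skype for Business Online phones, yet the table now drops both without telling admins whether records they already published can be deleted or should stay. A short note under the table saying what to do with existing records would close that gap.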
lighthouse M365 Lighthouse Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-whats-new.md
Previously updated : 2/16/2024 Last updated : 3/07/2024 audience: Admin
We're continuously adding new features to [Microsoft 365 Lighthouse](m365-lighth
> > To see which new features are currently available in your partner tenant, go to the **Home** page of Microsoft 365 Lighthouse, and then either select the **What's new** link in the upper-right corner of the page or select **What's new** on the **What's new & learning resources** card.
+## March 2024
+
+### Feedback and support widget
+
+We've made it easier for you to give us feedback. Check out the new feedback and support widget in the lower-right corner of the Lighthouse portal. Make a suggestion, report a problem, or give a compliment by simply selecting the widget. Share your comments today through our enhanced feedback tool and let us know how Lighthouse is working for you.
+ ## January 2024 ### Track upcoming subscription renewals
security Collect Diagnostic Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md
Title: Collect diagnostic data of Microsoft Defender Antivirus
-description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
+description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus.
ms.localizationpriority: medium Previously updated : 02/02/2024- Last updated : 03/07/2024+
search.appverid: met150
**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+- Microsoft Defender Antivirus
+
+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
+ This article describes how to collect diagnostic data that's used by Microsoft support and engineering teams when they help troubleshoot issues with Microsoft Defender Antivirus. > [!NOTE]
On at least two devices that are experiencing the same issue, obtain the `.cab`
c. Specify administrator credentials or approve the prompt.
-2. Navigate to the directory for Microsoft Defender Antivirus. By default, it's `C:\Program Files\Windows Defender`.
+1. Navigate to the directory for Microsoft Defender Antivirus:
- > [!NOTE]
- > If you're running an [updated Microsoft Defender antimalware platform version](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform), run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
+ `cd C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`
-3. Type the following command, and then press **Enter**
+ Where `<version>` is the actual version that starts with `4.18.2xxxx.x`
+
+1. Type the following command, and then press **Enter**
```Dos mpcmdrun.exe -GetFiles
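Review bot: The rewritten first step drops the previous default location `C:\Program Files\Windows Defender` and gives only the `Platform\<version>` path, so a reader whose device does not have an updated platform folder has nothing to fall back on; keep the default as an alternative or say explicitly that it no longer applies. The `cd` line contains a space in `Windows Defender` and a literal `<version>` placeholder, so quoting the path and telling the reader how to find the installed version folder would make it safe to copy. The sentence `Where <version> is the actual version that starts with 4.18.2xxxx.x` is missing its closing period, and the two renumbered steps use `1.` while step `5.` further down keeps an explicit number.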
On at least two devices that are experiencing the same issue, obtain the `.cab`
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
-> [!NOTE]
-> If you have a problem with Update compliance, send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
->
-> I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
->
-> I have provided at least 2 support .cab files at the following location:
->
-> \<accessible share, including access details such as password\>
->
-> My OMS workspace ID is:
->
-> Please contact me at:
- ## Redirect diagnostic data to a UNC share To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.
security Configure Device Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-connectivity.md
Title: Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint
-description: Learn how to use a streamlined domain or static IP ranges during onboarding when connecting devices to Microsoft Defender for Endpoint
+description: Learn how to use a streamlined domain or static IP ranges during onboarding when connecting devices to Microsoft Defender for Endpoint
ms.localizationpriority: medium
- m365-security - tier1-+ search.appverid: MET150 audience: ITPro Previously updated : 02/01/2024 Last updated : 03/07/2024 # Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint
Last updated 02/01/2024
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - [!Include[Prerelease information](../../includes/prerelease.md)] > [!NOTE] >The streamlined onboarding method is currently in public preview. Make sure to review the prerequisites to confirm requirements and supported operating systems. - The Microsoft Defender for Endpoint service may require the use of proxy configurations to report diagnostic data and communicate data to the service. Prior to the availability of the streamlined connectivity method, other URLs were required and Defender for Endpoint static IP ranges weren't supported. For more information on full MDE connectivity processes, see [STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md). This article describes the streamlined device connectivity method and how to onboard new devices to use a simpler deployment and management of Defender for Endpoint cloud connectivity services. For more information on migrating previously onboarded devices, see [Migrating devices to streamlined connectivity](migrate-devices-streamlined.md).
Devices must meet specific prerequisites to use the streamlined connectivity met
**Defender Antivirus versions (macOS/Linux)** -- [macOS supported versions](microsoft-defender-endpoint-mac.md) with MDE product version 101.23102.*+-- [Linux supported versions](microsoft-defender-endpoint-linux.md) with MDE product version 101.23102.*+
+- [macOS supported versions](microsoft-defender-endpoint-mac.md) with MDE product version 101.24022.*+
+- [Linux supported versions](microsoft-defender-endpoint-linux.md) with MDE product version 101.24022.*+
**Supported Operating Systems**
Devices must meet specific prerequisites to use the streamlined connectivity met
- Windows Server 2019 - Windows Server 2022 - Windows Server 2012 R2, Server 2016 R2, fully updated running Defender for Endpoint modern unified solution (installation through MSI).-- [macOS supported versions](microsoft-defender-endpoint-mac.md) with MDE product version 101.23102.*+-- [Linux supported versions](microsoft-defender-endpoint-linux.md) with MDE product version 101.23102.*+
+- [macOS supported versions](microsoft-defender-endpoint-mac.md) with MDE product version 101.24022.*+
+- [Linux supported versions](microsoft-defender-endpoint-linux.md) with MDE product version 101.24022.*+
> [!IMPORTANT] > - **Devices running on MMA agent are not supported** on the streamlined connectivity method and will need to continue using the standard URL set (Windows 7, Windows 8.1, Windows Server 2008 R2 MMA, Server 2012 & 2016 R2 not upgraded to modern unified agent).
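Review bot: The macOS and Linux minimum product version moves from 101.23102 to 101.24022 in this list and in the "Defender Antivirus versions (macOS/Linux)" list above, without saying what this means for devices already onboarded on 101.23102; one sentence on whether they must upgrade would help. Keeping the two version lines in a single place would also avoid having to change both lists on every bump. The `description:` line at the top of the file is removed and re-added with no visible difference and still has no closing period, unlike the collect-diagnostic-data.md description fixed in this same batch.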
security Microsoft Defender Antivirus Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md
Title: Microsoft Defender Antivirus security intelligence and product updates
description: Manage how Microsoft Defender Antivirus receives protection and product updates. ms.localizationpriority: high Previously updated : 02/27/2024 Last updated : 03/07/2024 audience: ITPro
Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-
> [!NOTE] > Updates are released under the following KBs:
+>
> - Microsoft Defender Antivirus: KB2267602 > - System Center Endpoint Protection: KB2461484
All our updates contain
- Serviceability improvements - Integration improvements (Cloud, [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender))
+### February-2024 (Engine: 1.1.24020.9 | Platform: 4.18.24020.xx)
+
+- Security intelligence update version: **1.407.46.0**
+- Release date: **March 6, 2024** (Engine) / **To be confirmed** (Platform)
+- Platform: **4.18.24020.xx** (*version number coming soon*)
+- Engine: **1.1.24020.9**
+- Support phase: **Security and Critical Updates**
+
+#### What's new
+
+- Improved support for virtualizing while compressing or decompressing zip files
+- Improved reporting in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for block-only remediations
+
+#### Known issues
+
+- None
+ ### January-2024 (Platform: 4.18.24010.12 | Engine: 1.1.24010.10) - Security intelligence update version: **1.405.702.0**
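Review bot: The new heading `### February-2024 (Engine: 1.1.24020.9 | Platform: 4.18.24020.xx)` puts Engine before Platform, while the January-2024 heading directly below uses Platform then Engine, and it embeds the placeholder `4.18.24020.xx`. Other articles link to these sections by heading anchor (the Core service article points at `#october-2023-platform-418231002009--engine-11231002009`), so the anchor for this section will change once the platform version is filled in. Use the January ordering, and either leave the platform version out of the heading until it is known or give the section an explicit anchor.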
All our updates contain
- Microsoft Defender Antivirus now caches the Mark of the Web (MoTW) Alternative Data Stream (ADS) for better performance while scanning. - Fixed an issue that occurred in [attack surface reduction](attack-surface-reduction-rules-reference.md) in warn mode when removing scan results from the real-time protection cache. - Performance improvement added for `OneNote.exe`.-- Cloud-based entries are regularly removed from the persistent user mode cache in Windows Defender to prevent a uncommon issue where a user could still add a certificate, based on an Indicator of compromise (IoC), to the cache after a file with that certificate had already been added via cloud signature.
+- Cloud-based entries are regularly removed from the persistent user mode cache in Windows Defender to prevent an uncommon issue where a user could still add a certificate, based on an Indicator of compromise (IoC), to the cache after a file with that certificate had already been added via cloud signature.
- The Sense onboarding event is now sent in passive mode for operating systems with the old Sense client. - Improved performance for logs created/accessed by powershell. - Improved performance for folders included in [Controlled folder access(CFA)](controlled-folders.md) when accessing network files.
All our updates contain
#### What's new - Fixed PowerShell cmdlet [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) to show the correct date/time for `AntivirusSignatureLastUpdated`-- Resolved deadock issue that occurred on systems with multiple filter drivers reading a file when the file is copied
+- Resolved deadlock issue that occurred on systems with multiple filter drivers reading a file when the file is copied
- Added the `InitializationProgress` field to [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) output - Fixed installation failure on Windows Server 2016 due to existing Defender EventLog registry key - Added the ability to have [quick scans](schedule-antivirus-scans.md) ignore Microsoft Defender Antivirus exclusions - Fixed remediation for long running [on-demand scans](run-scan-microsoft-defender-antivirus.md) where the service may have been restarted - Fixed an issue with Microsoft Defender Vulnerability Management to allow the execution of a [blocked application](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps) when the [warn option](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps#block-or-warn-mitigation-action) is selected - Added support for managing schedule day/time for [signature updates in Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#updates) and [Defender for Endpoint security settings management](/mem/intune/protect/mde-security-integration) -- Fixed non-standard signature path loading across platforms ([Windows](microsoft-defender-antivirus-windows.md), [Mac](microsoft-defender-endpoint-mac.md), [Linux](microsoft-defender-endpoint-linux.md), [Android](microsoft-defender-endpoint-android.md), and [iOS](microsoft-defender-endpoint-ios.md)) -- Improved handling of cached detections in [attack surface reduction](overview-attack-surface-reduction.md) capabilities -- Improved performance for enumerating virtual memory ranges -
-#### Known issues
--- None-
-### October-2023 (Platform: 4.18.23100.2009 | Engine: 1.1.23100.2009)
--- Security intelligence update version: **1.401.3.0**-- Release date: **November 3, 2023 (Engine) / November 6, 2023 (Platform)**-- Platform: **4.18.23100.2009**-- Engine: **1.1.23100.2009**-- Support phase: **Security and Critical Updates**-
-#### What's new
--- Improved processing of environment variables in protected folders list for [controlled folder access](controlled-folders.md)-- Improved performance of [on-access scanning](configure-advanced-scan-types-microsoft-defender-antivirus.md) of files with Mark of the Web (MoTW)-- Added support for Active Directory device groups with [device control](device-control-overview.md)-- Fixed an issue so that [ASROnlyPerRuleExclusions](/windows/client-management/mdm/defender-csp#configurationasronlyperruleexclusions) don't apply during an engine reboot-- [Microsoft Defender Core service](microsoft-defender-antivirus-windows.md#microsoft-defender-core-service) is generally available for consumer devices and is coming soon for business customers.-- Fixed an issue with device control so that device control policies remain enforced when a platform update requires a reboot-- Improved performance of [device control for printing scenarios](device-control-policies.md)-- Fixed truncation issue in the output of [MpCmdRun.exe -scan](command-line-arguments-microsoft-defender-antivirus.md) (processing Unicode characters)
+- Fixed non-standard signature path loading across platforms ([Windows](microsoft-defender-antivirus-windows.md), [Mac](microsoft-defender-endpoint-mac.md), [Linux](microsoft-defender-endpoint-linux.md), [Android](microsoft-defender-endpoint-android.md), and [iOS](microsoft-defender-endpoint-ios.md))
+- Improved handling of cached detections in [attack surface reduction](overview-attack-surface-reduction.md) capabilities
+- Improved performance for enumerating virtual memory ranges
#### Known issues
security Microsoft Defender Antivirus Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md
For [Microsoft Endpoint Data Loss Prevention](/purview/endpoint-dlp-getting-star
To enhance your endpoint security experience, Microsoft is releasing the Microsoft Defender Core service to help with the stability and performance of Microsoft Defender Antivirus. For customers who are using Microsoft Endpoint Data Loss Prevention in the small, medium, and enterprise business sectors, Microsoft is splitting the codebase to its own service.
-The Microsoft Defender Core service is releasing with [Microsoft Defender Antivirus platform version 4.18.23110.2009](microsoft-defender-antivirus-updates.md#october-2023-platform-418231002009--engine-11231002009).
+The Microsoft Defender Core service is releasing with [Microsoft Defender Antivirus platform version 4.18.23110.2009](./msda-updates-previous-versions-technical-upgrade-support.md#october-2023-platform-418231002009--engine-11231002009).
- Rollout begins in November 2023 to prerelease customers, with plans to release to all enterprise customers in the coming months.
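Review bot: The link text on the changed line reads `platform version 4.18.23110.2009`, but the anchor it points to is `october-2023-platform-418231002009`, which is 4.18.23100.2009; one of the two is wrong, and since the line is being touched anyway this is the moment to reconcile them. The new target is written with a `./` prefix, whereas the link it replaces and the other relative links in these articles omit it.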
security Msda Updates Previous Versions Technical Upgrade Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
search.appverid: met150
Microsoft regularly releases [security intelligence updates and product updates for Microsoft Defender Antivirus](microsoft-defender-antivirus-updates.md). It's important to keep Microsoft Defender Antivirus up to date. When a new package version is released, support for the previous two versions is reduced to technical support only. Versions that are older than the previous two versions are listed in this article and are provided for technical upgrade support only.
+## October-2023 (Platform: 4.18.23100.2009 | Engine: 1.1.23100.2009)
+
+- Security intelligence update version: **1.401.3.0**
+- Release date: **November 3, 2023 (Engine) / November 6, 2023 (Platform)**
+- Platform: **4.18.23100.2009**
+- Engine: **1.1.23100.2009**
+- Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Improved processing of environment variables in protected folders list for [controlled folder access](controlled-folders.md)
+- Improved performance of [on-access scanning](configure-advanced-scan-types-microsoft-defender-antivirus.md) of files with Mark of the Web (MoTW)
+- Added support for Active Directory device groups with [device control](device-control-overview.md)
+- Fixed an issue so that [ASROnlyPerRuleExclusions](/windows/client-management/mdm/defender-csp#configurationasronlyperruleexclusions) don't apply during an engine reboot
+- [Microsoft Defender Core service](microsoft-defender-antivirus-windows.md#microsoft-defender-core-service) is generally available for consumer devices and is coming soon for business customers.
+- Fixed an issue with device control so that device control policies remain enforced when a platform update requires a reboot
+- Improved performance of [device control for printing scenarios](device-control-policies.md)
+- Fixed truncation issue in the output of [MpCmdRun.exe -scan](command-line-arguments-microsoft-defender-antivirus.md) (processing Unicode characters)
+
+### Known issues
+
+- None
+ ## September-2023 (Platform: 4.18.23090.2008 | Engine: 1.1.23090.2007)
-
+ - Security intelligence update version: **1.399.44.0** - Release date: **October 3, 2023 (Engine) | October 4, 2023 (Platform)** - Platform: **4.18.23090.2008** - Engine: **1.1.23090.2007** - Support phase: **Technical upgrade support (only)**
-
+ ### What's new - Fixed automatic remediation during on demand scans involving archives with multiple threats
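Review bot: The moved October-2023 block still says `Support phase: **Security and Critical Updates**`, while this article's introduction states that the versions listed here are provided for technical upgrade support only and the September-2023 entry below reads `Technical upgrade support (only)`. Confirm which phase October-2023 is in now that it has left the main updates article, and change the line if it no longer receives security and critical updates.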
security Advanced Hunting Emailurlinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailurlinfo-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `NetworkMessageId` | `string` | Unique identifier for the email, generated by Microsoft 365 | | `Url` | `string` | Full URL in the email subject, body, or attachment | | `UrlDomain` | `string` | Domain name or host name of the URL |
+| `UrlLocation` | `string` | Indicates which part of the email the URL is located |
| `ReportId` | `string` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
+> [!TIP]
+> To hunt for attacks based on URLs embedded within QR codes, users can leverage the UrlLocation column having "QRCode" as an identifier for URLs extracted from QR codes.
+ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md)
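Review bot: The new `UrlLocation` description, `Indicates which part of the email the URL is located`, is missing its preposition (`located in`) and lists no possible values; the tip names only `"QRCode"`. Enumerating the values the column can take, in the table row or in the tip, would let a hunter filter on it without guessing, and "users can leverage the UrlLocation column having" reads more simply as "filter on `UrlLocation` equal to".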
security Managed Detection And Response Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/managed-detection-and-response-xdr.md
Title: Managed detection and response description: Defender Experts for XDR provides actionable managed response to your security operations center (SOC) teams.
-keywords: XDR, extended detection and response, managed detection and response in defender experts for XDR, experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, Managed response in Teams
+keywords: XDR, extended detection and response, managed detection and response in defender experts for XDR, experts for xdr, managed response faq, managed threat hunting, managed detection and response (MDR) service, Managed response in Teams, guided response
ms.mktglfcycl: deploy
- essentials-manage search.appverid: met150 Previously updated : 02/12/2024 Last updated : 03/07/2024 # Managed detection and response
You could obtain visibility into incidents in your SIEM or ITSM application by u
After configuring a connector, the updates by Defender Experts to an incident's **Status**, **Assigned to**, **Classification**, and **Determination** fields in Microsoft Defender XDR can be synchronized with the third-party SIEM or ITSM applications, depending on how the field mapping has been implemented. To illustrate, you can take a look at the [connector available from Sentinel to ServiceNow](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Servicenow/StoreApp). - ### See also -- [Get started with Microsoft Defender Experts for XDR](get-started-xdr.md)
+- [Understanding and managing Defender Experts for XDR incident notifications](faq-incident-notifications-xdr.md)
+- [Understanding managed response](faq-managed-response.md)
- [Get real-time visibility with Defender Experts for XDR reports](reports-xdr.md)-- [Communicating with experts in the Microsoft Defender Experts for XDR service](communicate-defender-experts-xdr.md) [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
security Advanced Delivery Policy Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-delivery-policy-configure.md
Messages that are identified by the advanced delivery policy aren't security thr
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.
+ - [Microsoft Defender XDR Unified role based access control (RBAC)](../defender/manage-rbac.md) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.
- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md) and [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Create, modify, or remove configured settings in the advanced delivery policy_: Membership in the **Security Administrator** role groups in Email & collaboration RBAC <u>and</u> membership in the **Organization Management** role group in Exchange Online RBAC. - _Read-only access to the advanced delivery policy_: Membership in the **Global Reader** or **Security Reader** role groups in Email & collaboration RBAC. - **View-Only Organization Management** in Exchange Online RBAC.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy
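Review bot: The Unified RBAC link on the added line moves to a relative path (`../defender/manage-rbac.md`), while the same bullet in the audit log search and ARC configuration articles in this batch still uses `/microsoft-365/security/defender/manage-rbac`. Use one link form for this shared permissions bullet across the articles so that later bulk edits do not miss the outliers.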
If your MX record doesn't point to Microsoft 365, the IP address in the `Authent
> > - Create a dedicated [send connector](/exchange/mail-flow/mail-routing/connector-selection) that doesn't authenticate the phishing simulation messages as internal. > - Configure the phishing simulation to bypass the Exchange Server infrastructure and route mail directly to your Microsoft 365 MX record (for example, contoso-com.mail.protection.outlook.com).
-> - Although you can set intra-organization message scanning to None in [anti-spam policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure#use-the-microsoft-defender-portal-to-create-anti-spam-policies) we don't recommend this option because it affects other email messages.
+> - Although you can set intra-organization message scanning to None in [anti-spam policies](anti-spam-policies-configure.md#use-the-microsoft-defender-portal-to-create-anti-spam-policies) we don't recommend this option because it affects other email messages.
> > If you're using the [Built-in protection preset security policy](preset-security-policies.md#profiles-in-preset-security-policies) or your custom Safe Links policies have the setting **Do not rewrite URLs, do checks via SafeLinks API only** enabled, time of click protection doesn't treat phishing simulation links in email as threats in Outlook on the web, Outlook for iOS and Android, Outlook for Windows v16.0.15317.10000 or later, and Outlook for Mac v16.74.23061100 or later. If you're using older versions of Outlook, consider disabling the **Do not rewrite URLs, do checks via SafeLinks API only** setting in custom Safe Links policies. >
security Air About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-about.md
You need to be assigned permissions to use AIR. You have the following options:
- Membership in the **Organization Management**, **Security Administrator**, **Security Operator**, **Security Reader**, or **Global Reader** role groups. and - Membership in a role group with the **Search and Purge** role assigned. By default, this role is assigned to the **Data Investigator** and **Organization Management** role groups. Or, you can [create a custom role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) to assign the **Search and Purge** role.-- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles):
+- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal):
- _Set up AIR features_ Membership in the **Global Administrator** or **Security Administrator** roles. - _Start an automated investigation_ or _Approve or reject recommended actions_: - Membership in the **Global Administrator**, **Security Administrator**, **Security Operator**, **Security Reader**, or **Global Reader** roles.
security Air User Automatic Feedback Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-user-automatic-feedback-response.md
This article explains how to enable and customize automatic feedback response fo
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Security Administrator** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## Use the Microsoft Defender portal to configure automatic feedback response
security Alert Policies Defender Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/alert-policies-defender-portal.md
In Microsoft 365 organizations with mailboxes in Exchange Online, alert policies
- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): - _Create and manage alert policies in the Threat management category_: Membership in the **Organization Management** or **Security Administrator** role groups. - _View alerts in the Threat management_ category: Membership in the **Security Reader** role group.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
For information about other alert policy categories, see [Permissions required to view alerts](/purview/alert-policies#rbac-permissions-required-to-view-alerts).
security Anti Malware Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-policies-configure.md
You can configure anti-malware policies in the Microsoft Defender portal or in P
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- For our recommended settings for anti-malware policies, see [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings).
security Anti Phishing Mdo Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-mdo-impersonation-insight.md
Admins can use the impersonation insight in the Microsoft Defender portal to qui
- **Security Administrator** - **Security Reader** - **Global Reader**
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Security Reader**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Security Reader**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection isn't enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md) and [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
security Anti Phishing Policies About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-about.md
description: Admins can learn about the anti-phishing policies that are availabl
search.appverid: met150 Previously updated : 12/21/2023 Last updated : 3/7/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
The following spoof settings are available in anti-phishing policies in EOP and
> - Disabling anti-spoofing protection only disables _implicit_ spoofing protection from [composite authentication](email-authentication-about.md#composite-authentication) checks. For information about how _explicit_ [DMARC](email-authentication-dmarc-configure.md) checks are affected by anti-spoofing protection and the configuration of the source domain's DMARC policy (`p=quarantine` or `p=reject` in the DMARC TXT record), see the [Spoof protection and sender DMARC policies](#spoof-protection-and-sender-dmarc-policies) section. - **Unauthenticated sender indicators**: Available in the **Safety tips & indicators** section only when spoof intelligence is turned on. See the details in the next section.-- **Actions**: For messages from blocked spoofed senders (automatically blocked by spoof intelligence or manually blocked in the Tenant Allow/Block list), you can also specify the action to take on the messages:
+- **Actions**: For messages from blocked spoofed senders (automatically blocked by spoof intelligence ([composite authentication](email-authentication-about.md#composite-authentication) failure plus malicious intent) or manually blocked in the Tenant Allow/Block list), you can also specify the action to take on the messages:
- **Move messages to the recipients' Junk Email folders**: This is the default value. The message is delivered to the mailbox and moved to the Junk Email folder. For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md). - **Quarantine the message**: Sends the message to quarantine instead of the intended recipients. For information about quarantine, see the following articles: - [Quarantine in Microsoft 365](quarantine-about.md)
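Review bot: The new text on the **Actions** bullet nests one parenthetical inside another ("(automatically blocked by spoof intelligence ([composite authentication](...) failure plus malicious intent) or manually blocked ...)"), which makes it hard to tell where the spoof intelligence condition ends. Move the explanation into its own sentence after the list of sources, for example one stating that spoof intelligence blocks a sender when composite authentication fails and malicious intent is detected.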
security Anti Phishing Policies Eop Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure.md
For anti-phishing policy procedures in organizations with Microsoft Defender for
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- For our recommended settings for anti-phishing policies in Defender for Office 365, see [Anti-phishing policy in Defender for Office 365 settings](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365).
security Anti Phishing Policies Mdo Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure.md
For anti-phishing policy procedures in organizations without Defender for Office
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- For our recommended settings for anti-phishing policies in Defender for Office 365, see [Anti-phishing policy in Defender for Office 365 settings](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365).
security Anti Phishing Protection Spoofing About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about.md
ms.localizationpriority: high
description: Admins can learn about the anti-spoofing features that are available in Exchange Online Protection (EOP), which can help mitigate against phishing attacks from spoofed senders and domains. Previously updated : 06/09/2023 Last updated : 3/7/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
The following anti-spoofing technologies are available in EOP:
Defender for Office 365 organizations can also use Real-time detections (Plan 1) or Threat Explorer (Plan 2) to view information about phishing attempts. For more information, see [Microsoft 365 threat investigation and response](office-365-ti.md).
+> [!TIP]
+> It's important to understand that a [composite authentication](email-authentication-about.md#composite-authentication) failure doesn't directly result in a message being blocked. Our system using a holistic evaluation strategy that considers the overall suspicious nature of a message along with composite authentication results. This method is designed to mitigate the risk of incorrectly blocking legitimate email from domains that might not strictly adhere to email authentication protocols. This balanced approach helps distinguish genuinely malicious email from message senders that simply fail to conform to standard email authentication practices.
+ ## How spoofing is used in phishing attacks Spoofed senders in messages have the following negative implications for users:
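Review bot: The second sentence of the added TIP has no finite verb: "Our system using a holistic evaluation strategy" should read "Our system uses a holistic evaluation strategy". The rest of the tip is clear; the point that a composite authentication failure alone does not block a message is worth keeping this close to the top of the article.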
security Anti Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md
You can configure anti-spam policies in the Microsoft Defender portal or in Powe
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- For our recommended settings for anti-spam policies, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
security Anti Spoofing Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence.md
The rest of this article explains how to use the spoof intelligence insight in t
- **Organization Management** - **Security Administrator** <u>and</u> **View-Only Configuration** or **View-Only Organization Management**. - _Read-only access to the spoof intelligence insight_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- For our recommended settings for anti-phishing policies, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).
security App Guard For Office Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/app-guard-for-office-install.md
Microsoft Defender Application Guard for Office (Application Guard for Office) h
### Licensing requirements - Microsoft 365 E5 or Microsoft 365 E5 Security-- [Safe Documents in Microsoft 365](/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about)
+- [Safe Documents in Microsoft 365](safe-documents-in-e5-plus-security-about.md)
### Minimum hardware requirements
You can also submit feedback from within Word, Excel, and PowerPoint if the issu
Application Guard for Office is integrated with Microsoft Defender for Endpoint to provide monitoring and alerting on malicious activity that happens in the isolated environment.
-[Safe Documents in Microsoft E365 E5](/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about) is a feature that uses Microsoft Defender for Endpoint to scan documents opened in Application Guard for Office. For an additional layer of protection, users can't leave Application Guard for Office until the results of the scan have been determined.
+[Safe Documents in Microsoft E365 E5](safe-documents-in-e5-plus-security-about.md) is a feature that uses Microsoft Defender for Endpoint to scan documents opened in Application Guard for Office. For an additional layer of protection, users can't leave Application Guard for Office until the results of the scan have been determined.
## Limitations and considerations
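Review bot: The changed line keeps the link text "Safe Documents in Microsoft E365 E5", which looks like a typo for "Microsoft 365 E5"; the licensing bullet earlier in this same article links the same target as "Safe Documents in Microsoft 365". Since the line is already being touched for the link path, fix the label in the same change.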
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
Watch this short video to learn more about Attack simulation training.
- For more information about the availability of Attack simulation training across different Microsoft 365 subscriptions, see [Microsoft Defender for Office 365 service description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): You need membership in one of the following roles:
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): You need membership in one of the following roles:
- **Global Administrator** - **Security Administrator** - **Attack Simulation Administrators**<sup>\*</sup>: Create and manage all aspects of attack simulation campaigns.
security Audit Log Search Defender Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/audit-log-search-defender-portal.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations \ Security data \ Security data basics (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Compliance Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Compliance Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Compliance Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## Open audit log search
security Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md
A campaign might be short-lived, or could span several days, weeks, or months wi
- **Organization Management** - **Security Administrator** - **Security Reader**
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## Campaigns page in the Microsoft Defender portal
security Configuration Analyzer For Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md
The configuration analyzer also checks the following non-policy settings:
- _Use the configuration analyzer and update the affected security policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to the configuration analyzer_: Membership in the **Global Reader** or **Security Reader** role groups. - [Exchange Online permissions](/Exchange/permissions-exo/permissions-exo): Membership in the **View-Only Organization Management** role group gives read-only access to the configuration analyzer.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## Use the configuration analyzer in the Microsoft Defender portal
security Connection Filter Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connection-filter-policies-configure.md
This article describes how to configure the default connection filter policy in
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Modify policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- To find the source IP addresses of the email servers (senders) that you want to allow or block, you can check the connecting IP (**CIP**) header field in the message header. To view a message header in various email clients, see [View internet message headers in Outlook](https://support.microsoft.com/office/cd039382-dc6e-4264-ac74-c048563d212c).
security Connectors Remove Blocked https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-remove-blocked.md
For more information about compromised _user accounts_ and how to remove them fr
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Remove connectors from the Restricted entities page_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to the Restricted entities page_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- Before you follow the procedures in this article to remove a connector from the **Restricted entities** page, be sure to follow the required steps to regain control of the connector as described in [Respond to a compromised connector](connectors-detect-respond-to-compromise.md).
security Email Authentication About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-about.md
ms.localizationpriority: high
description: Admins can learn how email authentication (SPF, DKIM, DMARC) works and how Microsoft 365 uses traditional email authentication and composite email authentication to identify messages as spoofing, or pass messages that would otherwise be identified as spoofing. Previously updated : 1/29/2024 Last updated : 3/7/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
Authentication-Results:
These values are explained at [Authentication-results message header](message-headers-eop-mdo.md#authentication-results-message-header).
-Admins and users can examine the message headers to discover how Microsoft 365 identified the sender as spoofed or legitimate.
+Admins and users can examine the message headers to discover how Microsoft 365 identified the sender as a suspicious spoofed sender or legitimate.
+
+> [!TIP]
+> It's important to understand that a composite authentication failure doesn't directly result in a message being blocked. Our system using a holistic evaluation strategy that considers the overall suspicious nature of a message along with composite authentication results. This method is designed to mitigate the risk of incorrectly blocking legitimate email from domains that might not strictly adhere to email authentication protocols. This balanced approach helps distinguish genuinely malicious email from message senders that simply fail to conform to standard email authentication practices.
The following examples focus on the results of email authentication only (the `compauth` value and reason). Other Microsoft 365 protection technologies can identify messages that pass email authentication as spoofed, or identify messages that fail email authentication as legitimate.
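Review bot: The reworded sentence "identified the sender as a suspicious spoofed sender or legitimate" is not parallel; "as a suspicious spoofed sender or as legitimate" reads cleanly. The TIP that follows is a verbatim copy of the one added to the anti-spoofing overview article in this batch, including the "Our system using" slip, so fix the verb ("uses") in both places or move the tip into a shared include.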
+- **Scenario**: The domain in the SPF record or the DKIM signature doesn't match the domain in the From address.
+- **Result**: The message can fail composite authentication. Despite the composite authentication failure, the message might still be allowed if other assessments don't indicate a suspicious nature:
+
+ ```text
+ Authentication-Results: spf=none (sender IP is 192.168.1.8)
+ smtp.mailfrom=maliciousdomain.com; contoso.com; dkim=pass
+ (signature was verified) header.d=maliciousdomain.com;
+ contoso.com; dmarc=none action=none header.from=contoso.com;
+ compauth=fail reason=001
+ From: chris@contoso.com
+ To: michelle@fabrikam.com
+ ```
+ - **Scenario**: The fabrikam.com domain has no SPF, DKIM, or DMARC records. - **Result**: Messages from senders in the fabrikam.com domain can fail composite authentication:
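Review bot: In the added TIP, "Our system using a holistic evaluation strategy" is missing its verb and should read "Our system uses a holistic evaluation strategy". The rewritten sentence above it ("as a suspicious spoofed sender or legitimate") is not parallel; "as a suspicious spoofed sender or as a legitimate one" reads cleanly. In the new sample header, the sender IP 192.168.1.8 is a private (RFC 1918) address, which a receiving service would not see as the connecting IP for internet mail; an address from a documentation range such as 192.0.2.0/24 would be a safer illustration.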
security Email Authentication Arc Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-arc-configure.md
After an admin adds a trusted ARC sealer in the Defender portal, Microsoft 365 u
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Security Administrator** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## Use the Microsoft Defender portal to add trusted ARC sealers
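Review bot: The replacement Entra link on the `+` line keeps the anchor text "Microsoft Entra permissions", but the new target's slug (manage-roles-portal) reads as a how-to for assigning roles rather than a description of what each role grants; confirm it still answers the question the sentence raises. Because the same sentence says these roles also grant permissions for other features in Microsoft 365, consider naming Security Administrator before Global Administrator so readers reach for the narrower role first.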
security Email Authentication Dkim Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dkim-configure.md
The rest of this article describes the DKIM CNAME records that you need to creat
> [!TIP] > Configuring DKIM signing using a custom domain is a mixture of procedures in Microsoft 365 and procedures at the domain registrar of the custom domain. >
-> We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).
+> We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md).
> > If you're unfamiliar with DNS configuration, contact your domain registrar and ask for help.
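Review bot: The `+` line still carries the duplicated phrase "to create the create the DKIM CNAME records" from the line it replaces. Since the line is being touched anyway, fix it to "to create the DKIM CNAME records", matching the two later copies of this paragraph in the same file.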
Proceed if the domain satisfies these requirements.
6. In another browser tab or window, go to the domain registrar for the domain, and then create the two CNAME records using the information from the previous step.
- We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).
+ We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md).
It takes a few minutes (or possibly longer) for Microsoft 365 to detect the new CNAME records that you created.
If you'd rather use PowerShell to enable DKIM signing of outbound messages using
- **Custom domain**: At the domain registrar for the domain, create the two CNAME records using the information from the previous step.
- We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).
+ We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md).
It takes a few minutes (or possibly longer) for Microsoft 365 to detect the new CNAME records that you created.
As described in [How SPF, DKIM, and DMARC work together to authenticate email me
- [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md) - [Use DMARC to validate email](email-authentication-dmarc-configure.md)
-For mail coming _into_ Microsoft 365, you might also need to configure trusted ARC sealers if you use services that modify messages in transit before delivery to your organization. For more information, see [Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure).
+For mail coming _into_ Microsoft 365, you might also need to configure trusted ARC sealers if you use services that modify messages in transit before delivery to your organization. For more information, see [Configure trusted ARC sealers](email-authentication-arc-configure.md).
security Email Authentication Dmarc Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dmarc-configure.md
The rest of this article describes the DMARC TXT record that you need to create
> > There are no admin portals or PowerShell cmdlets in Microsoft 365 for you to manage DMARC TXT records in your **custom** domains. Instead, you create the DMARC TXT record at your domain registrar or DNS hosting service (often the same company). >
-> We provide instructions to create the proof of domain ownership TXT record for Microsoft 365 at many domain registrars. You can use these instructions as a starting point to create DMARC TXT records. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).
+> We provide instructions to create the proof of domain ownership TXT record for Microsoft 365 at many domain registrars. You can use these instructions as a starting point to create DMARC TXT records. For more information, see [Add DNS records to connect your domain](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md).
> > If you're unfamiliar with DNS configuration, contact your domain registrar and ask for help.
You can use the following graphic to help troubleshoot DMARC authentication issu
## Next steps
-For mail coming _into_ Microsoft 365, you might also need to configure trusted ARC sealers if you use services that modify messages in transit before delivery to your organization. For more information, see [Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure).
+For mail coming _into_ Microsoft 365, you might also need to configure trusted ARC sealers if you use services that modify messages in transit before delivery to your organization. For more information, see [Configure trusted ARC sealers](email-authentication-arc-configure.md).
security Email Authentication Spf Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-spf-configure.md
The rest of this article describes the SPF TXT records that you need to create f
> [!TIP] > There are no admin portals or PowerShell cmdlets in Microsoft 365 for you to manage SPF records in your domain. Instead, you create the SPF TXT record at your domain registrar or DNS hosting service (often the same company). >
-> We provide instructions to create the proof of domain ownership TXT record for Microsoft 365 at many domain registrars. You can use these instructions as a starting point to create the SPF TXT record value. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).
+> We provide instructions to create the proof of domain ownership TXT record for Microsoft 365 at many domain registrars. You can use these instructions as a starting point to create the SPF TXT record value. For more information, see [Add DNS records to connect your domain](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md).
> > If you're unfamiliar with DNS configuration, contact your domain registrar and ask for help.
As described in [How SPF, DKIM, and DMARC work together to authenticate email me
- [Use DKIM to validate outbound email sent from your custom domain](email-authentication-dkim-configure.md) - [Use DMARC to validate email](email-authentication-dmarc-configure.md)
-For mail coming _into_ Microsoft 365, you might also need to configure trusted ARC sealers if you use services that modify messages in transit before delivery to your organization. For more information, see [Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure).
+For mail coming _into_ Microsoft 365, you might also need to configure trusted ARC sealers if you use services that modify messages in transit before delivery to your organization. For more information, see [Configure trusted ARC sealers](email-authentication-arc-configure.md).
security Mdo Deployment Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-deployment-guide.md
But, the intent of this step is to configure other admins to help you manage the
When it comes to assigning permissions for tasks in EOP and Defender for Office 365, the following options are available: -- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): These permissions apply to all workloads in Microsoft 365 (Exchange Online, SharePoint Online, Microsoft Teams, etc.).
+- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): These permissions apply to all workloads in Microsoft 365 (Exchange Online, SharePoint Online, Microsoft Teams, etc.).
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Most tasks in EOP and Defender for Office 365 are available using Exchange Online permissions. Assigning permissions only in Exchange Online prevents administrative access in other Microsoft 365 workloads. - [Email & collaboration permissions in the Microsoft Defender portal](scc-permissions.md): Administration of some security features in EOP and Defender for Office 365 is available with Email & collaboration permissions. For example: - [Configuration analyzer](configuration-analyzer-for-security-policies.md)
security Mdo Usage Card About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-usage-card-about.md
Usage cards can help determine the following scenarios:
:::image type="content" source="../../medio.png":::
-For members of **Global Administrator** or **Billing Administrator** roles in [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles), following items are available on the card:
+For members of **Global Administrator** or **Billing Administrator** roles in [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal), following items are available on the card:
- **Add more licenses** - **See licensing details**
The details flyout that opens contains the following information from the last 2
**Threat protection status report** takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report).
-**See licensing details** is available for members of the **Global Administrators** or **Security Operator** roles in [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles).
+**See licensing details** is available for members of the **Global Administrators** or **Security Operator** roles in [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal).
## Frequently asked questions
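Review bot: The updated line gates **See licensing details** on "Global Administrators or Security Operator", while the earlier hunk in this file lists **See licensing details** among the items available to Global Administrator or Billing Administrator; one of the two role pairs is wrong, or the difference needs a sentence of explanation. Also use the singular role name "Global Administrator" here, as the earlier line does.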
security Message Headers Eop Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-headers-eop-mdo.md
The following table describes the fields and possible values for each email auth
|Field|Description| ||| |`action`|Indicates the action taken by the spam filter based on the results of the DMARC check. For example: <ul><li>`pct.quarantine`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. This result means that the message failed DMARC and the DMARC policy was set to `p=quarantine`. But, the pct field wasn't set to 100%, and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`pct.reject`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. This result means that the message failed DMARC and the DMARC policy was set to `p=reject`. But, the pct field wasn't set to 100% and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`permerror`: A permanent error occurred during DMARC evaluation, such as encountering an incorrectly formed DMARC TXT record in DNS. Attempting to resend this message isn't likely to end with a different result. Instead, you might need to contact the domain's owner in order to resolve the issue.</li><li>`temperror`: A temporary error occurred during DMARC evaluation. You might be able to request that the sender resend the message later in order to process the email properly.</li></ul>|
-|`compauth`|Composite authentication result. Used by Microsoft 365 to combine multiple types of authentication (SPF, DKIM, and DMARC), or any other part of the message to determine whether or not the message is authenticated. Uses the From: domain as the basis of evaluation.|
+|`compauth`|Composite authentication result. Used by Microsoft 365 to combine multiple types of authentication (SPF, DKIM, and DMARC), or any other part of the message to determine whether or not the message is authenticated. Uses the From: domain as the basis of evaluation. **Note**: Despite a `compauth` failure, the message might still be allowed if other assessments don't indicate a suspicious nature.|
|`dkim`|Describes the results of the DKIM check for the message. Possible values include: <ul><li>**pass**: Indicates the DKIM check for the message passed.</li><li>**fail (reason)**: Indicates the DKIM check for the message failed and why. For example, if the message wasn't signed or the signature wasn't verified.</li><li>**none**: Indicates that the message wasn't signed. This result might or might not indicate that the domain has a DKIM record or the DKIM record doesn't evaluate to a result.</li></ul>| |`dmarc`|Describes the results of the DMARC check for the message. Possible values include: <ul><li>**pass**: Indicates the DMARC check for the message passed.</li><li>**fail**: Indicates the DMARC check for the message failed.</li><li>**bestguesspass**: Indicates that no DMARC TXT record exists for the domain exists. If the domain had a DMARC TXT record, the DMARC check for the message would have passed.</li><li>**none**: Indicates that no DMARC TXT record exists for the sending domain in DNS.| |`header.d`|Domain identified in the DKIM signature if any. This is the domain that's queried for the public key.|
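Review bot: The **Note** added to the `compauth` row says a message might still be allowed after a `compauth` failure but gives the reader nowhere to go for the reasoning; link it to the composite authentication TIP added to the email authentication article in this same batch so the two statements cannot drift apart. While this table is open, the `dmarc` row in the trailing context has "no DMARC TXT record exists for the domain exists" and a `<ul>` that is never closed.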
security Message Trace Defender Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-trace-defender-portal.md
You can use the **View in Explorer** option in the **Message trace search result
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management**, **Compliance Management** or **Help Desk** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Compliance Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Compliance Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## Open message trace
security Outbound Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md
You can configure outbound spam policies in the Microsoft Defender portal or in
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- For our recommended settings for outbound spam policies, see [EOP outbound spam policy settings](recommended-settings-for-eop-and-office365.md#eop-outbound-spam-policy-settings).
security Outbound Spam Restore Restricted Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-restore-restricted-users.md
For more information about compromised _connectors_ and how to remove them from
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Remove user accounts from the Restricted entities page_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to the Restricted entities page_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- A sender exceeding the outbound email limits is an indicator of a compromised account. Before you follow the procedures in this article to remove a user from the **Restricted entities** page, be sure to follow the required steps to regain control of the account as described in [Responding to a compromised email account in Office 365](responding-to-a-compromised-email-account.md).
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
The rest of this article how to configure preset security policies.
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Configure preset security policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to preset security policies_: Membership in the **Global Reader** role group.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users
security Priority Accounts Turn On Priority Account Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection.md
This article describes how to confirm that priority account protection is turned
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/Read and manage** or **Authorization and settings/System settings/Read-only**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Security Administrator** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- As previously described, priority account protection is applied to accounts that have the **Priority account** tag applied to them. For instructions, see [Manage and monitor priority accounts](/microsoft-365/admin/setup/priority-accounts).
security Quarantine Admin Manage Messages Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md
Watch this short video to learn how to manage quarantined messages as an admin.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security Data / email quarantine (manage)** (management via PowerShell).
+ - [Microsoft Defender XDR Unified role based access control (RBAC)](../defender/manage-rbac.md) (Affects the Defender portal only, not PowerShell): **Security Data / email quarantine (manage)** (management via PowerShell).
- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): - _Take action on quarantined messages for all users_: Membership in the **Quarantine Administrator**, **Security Administrator**, or **Organization Management** role groups. - _Submit messages from quarantine to Microsoft_: Membership in the **Quarantine Administrator** or **Security Administrator** role groups.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" bor
- Sender email address - Subject. Use the entire subject of the message. The search isn't case-sensitive.
-After you've entered the search criteria, press the enter ENTER key to filter the results.
+After you've entered the search criteria, press Enter to filter the results.
> [!NOTE] > The **Search** box searches for quarantined items in the current view (which is limited to 100 items), not all quarantined items. To search all quarantined items, use **Filter** and the resulting **Filters** flyout.
If you don't release or remove a message, it's automatically deleted from quaran
> > Verify that you aren't using third party filtering before you open a support ticket about these issues. >
-> - Inbox rules ([created by users in Outlook](https://support.microsoft.com/c24f5dea-9465-4df4-ad17-a50704d66c59) or by admins using the **\*-InboxRule** cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox.
+> - Inbox rules (created by users in Outlook or by admins by using the **\*-InboxRule** cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox.
> > Admins can use [message trace](message-trace-defender-portal.md) to determine if a released message was delivered to the recipient's Inbox.
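Review bot: The `+` line drops the link on "created by users in Outlook" without a replacement, so readers lose the pointer to how user-created Inbox rules work; if the old support.microsoft.com target was dead, swap in a current one rather than removing it. "by admins by using" also reads awkwardly; "or by admins with the **\*-InboxRule** cmdlets" avoids the doubled "by".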
When you're finished in the **Filters** flyout, select **Apply**. To clear the f
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific files by filename. Wildcards aren't supported.
-After you've entered the search criteria, press the enter ENTER key to filter the results.
+After you've entered the search criteria, press Enter to filter the results.
After you find a specific quarantined file, select the file to view details about it and to take action on it (for example, view, release, download, or delete the file).
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
You create and assign quarantine policies in the Microsoft Defender portal or in
- How long messages that were quarantined by anti-spam and anti-phishing protection are held before they expire is controlled by the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) in anti-spam policies. For more information, see the table in [Quarantine retention](quarantine-about.md#quarantine-retention). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)**.
+ - [Microsoft Defender XDR Unified role based access control (RBAC)](../defender/manage-rbac.md) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)**.
- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Quarantine Administrator**, **Security Administrator**, or **Organization Management** role groups. - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
Even if you don't customize quarantine notifications for different languages, se
- **Specify sender address**: Select an existing user for the sender email address of quarantine notifications. The default sender is `quarantine@messaging.microsoft.com`. -- **Use my company logo**: Select this option to replace the default Microsoft logo that's used at the top of quarantine notifications. Before you do this step, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](/microsoft-365/admin/setup/customize-your-organization-theme) to upload your custom logo.
+- **Use my company logo**: Select this option to replace the default Microsoft logo that's used at the top of quarantine notifications. Before you do this step, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo.
A custom logo in a quarantine notification is shown in the following screenshot:
security Real Time Detections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/real-time-detections.md
To view and use Explorer or Real-time detections, you need to be assigned permis
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Full access_: Membership in the **Organization Management** or **Compliance Management** role groups. - _Read-only access_: Membership in the **View-Only Organization Management** or **View-Only Recipients** role groups.-- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## More information
security Reports Email Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md
You need to be assigned permissions before you can view and use the reports that
- **Security Administrator** - **Security Reader** - **Global Reader**-- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, **Security Reader**, or **Global Reader** roles in Microsoft Entra ID gives users the required permissions _and_ permissions for other features in Microsoft 365.
+- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, **Security Reader**, or **Global Reader** roles in Microsoft Entra ID gives users the required permissions _and_ permissions for other features in Microsoft 365.
<sup>\*</sup> Membership in the **Organization Management** role group or in the **Global Administrator** role is required to use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)** or :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)** actions in reports (where available).
If you don't see data in the reports, check the report filters and double-check
- [Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365](configuration-analyzer-for-security-policies.md) - [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md)-- [How do I turn off spam filtering?](/microsoft-365/security/office-365-security/anti-spam-protection-faq#how-do-i-turn-off-spam-filtering-)
+- [How do I turn off spam filtering?](anti-spam-protection-faq.yml#how-do-i-turn-off-spam-filtering-)
## Download and export report information
security Safe Attachments Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md
You configure Safe Attachments policies in the Microsoft Defender portal or in E
- _Read-only access to policies_: Membership in one of the following role groups: - **Global Reader** or **Security Reader** in Email & collaboration RBAC. - **View-Only Organization Management** in Exchange Online RBAC.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- For our recommended settings for Safe Attachments policies, see [Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings).
security Safe Documents In E5 Plus Security About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about.md
Users don't need Defender for Endpoint installed on their local devices to get S
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Configure Safe Documents settings_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to Safe Documents settings_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
### How does Microsoft handle your data?
security Safe Links Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md
You configure Safe Links policies in the Microsoft Defender portal or in Exchang
- _Read-only access to policies_: Membership in one of the following role groups: - **Global Reader** or **Security Reader** in Email & collaboration RBAC. - **View-Only Organization Management** in Exchange Online RBAC.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- For our recommended settings for Safe Links policies, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
security Scc Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/scc-permissions.md
Last updated 11/14/2023
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-The [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal), [Microsoft Purview portal](/purview/purview-portal), and the classic Microsoft Purview [compliance](/purview/microsoft-365-compliance-center) and [governance](/purview/use-microsoft-purview-governance-portal) portals have replaced the Security & Compliance Center as the places to manage Microsoft Defender for Office 365 and Microsoft Purview roles and role groups for your organization. For more information about permissions within these portals, see the following articles:
+The [Microsoft Defender portal](../defender/microsoft-365-defender-portal.md), [Microsoft Purview portal](/purview/purview-portal), and the classic Microsoft Purview [compliance](/purview/microsoft-365-compliance-center) and [governance](/purview/use-microsoft-purview-governance-portal) portals have replaced the Security & Compliance Center as the places to manage Microsoft Defender for Office 365 and Microsoft Purview roles and role groups for your organization. For more information about permissions within these portals, see the following articles:
-- [Email & collaboration permissions in the Microsoft Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions)
+- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md)
- [Permissions in the Microsoft Purview portal](/purview/purview-portal) - [Permissions in the Microsoft Purview compliance portal](/purview/microsoft-365-compliance-center-permissions) - [Permissions in the Microsoft Purview governance portal](/purview/roles-permissions)
security Secure By Default https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md
To put it another way: as a security service, we're acting on your behalf to pre
You should only consider using overrides in the following scenarios: -- Phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. To prevent phishing simulation messages from being filtered, see [Configure third-party phishing simulations in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy).-- Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get unfiltered messages (both good and bad). Teams can then review to see if they contain malicious content. For more information, see [Configure SecOps mailboxes in the advanced delivery policy](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
+- Phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. To prevent phishing simulation messages from being filtered, see [Configure third-party phishing simulations in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy).
+- Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get unfiltered messages (both good and bad). Teams can then review to see if they contain malicious content. For more information, see [Configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
- Third-party filters: Secure by default applies only when the MX record for your domain points to Microsoft 365 (contoso.mail.protection.outlook.com). If the MX record for your domain points to another service or device, it's possible to override Secure by default with an Exchange mail flow rule to [bypass spam filtering](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl). When your MX record points to another service or device and you use a bypass spam filtering mail flow rule, messages detected as high confidence phishing by Microsoft 365 anti-spam filtering are delivered to the Inbox. - False positives: To temporarily allow certain messages that are still being blocked by Microsoft, use [admin submissions](submissions-admin.md#report-good-email-to-microsoft). By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). By default, allow entries for spoofed senders never expire.
security Assess The Impact Of Security Configuration Changes With Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/assess-the-impact-of-security-configuration-changes-with-explorer.md
This step-by-step guide takes you through assessing a change, and exporting the
### Further reading
-Consider using secure presets [Ensuring you always have the optimal security controls with preset security policies](/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies)
+Consider using secure presets [Ensuring you always have the optimal security controls with preset security policies](ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md)
-You can also manage email authentication issues with spoof intelligence [Spoof intelligence insight](/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence)
+You can also manage email authentication issues with spoof intelligence [Spoof intelligence insight](../anti-spoofing-spoof-intelligence.md)
Learn more about email authentication [Email Authentication in Exchange Online Protection](../email-authentication-about.md)
security Deploy And Configure The Report Message Add In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md
Title: How-to deploy and configure the report message add-in
-description: The steps to deploy and configure Microsoft's phish reporting add-in(s) aimed at security administrators.
+description: The steps to deploy and configure Microsoft's phish reporting add-ins aimed at security administrators.
search.product:
Last updated 1/31/2023
The Report Message and Report Phishing add-ins for Outlook make it easy to report phishing to Microsoft and its affiliates for analysis, along with easy triage for admins on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>.
-Depending on whether you are licensed for Defender for Office 365, you'll also get added functionality such as alerting & automated investigation and response (AIR), which will remove the burden from your security operations staff. This guide will walk you through configuring the add-in deployment as recommended by the Microsoft Defender for Office 365 team.
+Depending on whether you're licensed for Defender for Office 365, you also get added functionality such as alerting & automated investigation and response (AIR), which removes the burden from your security operations staff. This guide walks you through configuring the add-in deployment as recommended by the Microsoft Defender for Office 365 team.
## Choose between which add-in to deploy - The Report Phishing add-in provides the option to report only phishing messages - The Report Message add-in provides the option to report junk, not junk (false positive), and phishing messages-- The built-in Report button in Outlook on the web *[Learn More](/microsoft-365/security/office-365-security/submissions-outlook-report-messages)*
+- The built-in Report button in Outlook on the web *[Learn More](../submissions-outlook-report-messages.md)*
-## What you'll need
+## What you need
-- Exchange Online Protection (some features require Defender for Office 365 Plan 2)-- Sufficient permissions (Global admin for add-in deployment, security admin for customization)-- 5-10 minutes to perform the steps below
+- Exchange Online Protection (some features require Defender for Office 365 Plan 2).
+- Sufficient permissions (Global admin for add-in deployment, security admin for customization).
+- 5-10 minutes to perform the steps in this article.
## Deploy the add-in for users
Depending on whether you are licensed for Defender for Office 365, you'll also g
1. On the page that loads, press **Get Apps**. 1. In the page that appears, in the top right Search box, enter **Report Message** or **Report Phishing**, and then select **Search**. 1. Press **Get it now** on your chosen app within the search results (publisher is **Microsoft Corporation**).
-1. On the flyout that appears, select who to deploy the add-in to. If testing you may wish to use a specific group, otherwise configure it for the **entire organization** ΓÇô when you've made a selection press **Next**.
-1. Review the permissions, information and capabilities then press **Next**.
+1. On the flyout that appears, select who to deploy the add-in to. If testing, you might want to use a specific group. Otherwise, configure it for the **entire organization**. After you make a selection, press **Next**.
+1. Review the permissions, information, and capabilities then press **Next**.
1. Press **Finish deployment** (it can take 12-24 hours for the add-in to appear automatically in Outlook clients). ## Configure the add-in for users
Depending on whether you are licensed for Defender for Office 365, you'll also g
## Optional steps ΓÇô configure notifications
-1. On the configuration page from the earlier steps, underneath the **User reporting experience**, configure the before and after reporting pop-ups title and body if desired. The end users will see the before reporting pop up if **Ask me before reporting** is also enabled.
+1. On the configuration page from the earlier steps, underneath the **User reporting experience**, configure the before and after reporting pop-ups title and body if desired. The end users see the before reporting pop-up if **Ask me before reporting** is also enabled.
2. If you wish for notifications to come from an internal organizational mailbox, select **Specify Office 365 email address to use as sender** and search for a valid mailbox in your organization to send the notifications from. 3. Press **Customize notifications** to set up the text sent to reporting users after admin reviews a reported message using Mark & Notify, configure the **Phishing**, **Junk** & **No threats** found options. 4. On the **Footer** tab, select the global footer to be sent for notifications, along with your organization's logo if appropriate. ### Further reading
-Learn more about user reported settings [User reported settings](../submissions-user-reported-messages-custom-mailbox.md)
-
-Enable the report message or report phishing add-in [Enable the Microsoft Report Message or Report Phishing add-ins](../submissions-users-report-message-add-in-configure.md)
+Learn more about user reported settings [User reported settings](../submissions-user-reported-messages-custom-mailbox.md).
+Enable the report message or report phishing add-in [Enable the Microsoft Report Message or Report Phishing add-ins](../submissions-users-report-message-add-in-configure.md).
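Review bot: Removing the blank line between the two "Further reading" entries makes them consecutive lines of one Markdown paragraph, so "Learn more about user reported settings ..." and "Enable the report message or report phishing add-in ..." will render as a single run of text. Keep the blank line between them, or turn the two entries into a bulleted list.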
security How To Enable Dmarc Reporting For Microsoft Online Email Routing Address Moera And Parked Domains https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains.md
Last updated 1/31/2023
# How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains
-Best practice for domain email security protection is to protect yourself from spoofing using Domain-based Message Authentication, Reporting, and Conformance (DMARC). Enabling DMARC for your domains should be the first step as described here: [Domain-based Message Authentication, Reporting, and Conformance (DMARC)](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure)
+Best practice for domain email security protection is to protect yourself from spoofing using Domain-based Message Authentication, Reporting, and Conformance (DMARC). Enabling DMARC for your domains should be the first step as described here: [Domain-based Message Authentication, Reporting, and Conformance (DMARC)](../email-authentication-dmarc-configure.md)
This guide is designed to help you configure DMARC for domains not covered by the main DMARC article. These domains include domains that you're not using for email, but could be used by attackers if they remain unprotected:
This guide is designed to help you configure DMARC for domains not covered by th
## Active DMARC for parked domains
-1. Check if SPF is already configured for your parked domain. For instructions, see [Set up SPF to help prevent spoofing - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/email-authentication-spf-configure#how-to-handle-subdomains)
+1. Check if SPF is already configured for your parked domain. For instructions, see [SPF TXT records for custom domains in Microsoft 365](../email-authentication-spf-configure.md#spf-txt-records-for-custom-domains-in-microsoft-365).
1. Contact your DNS Domain provider. 1. Ask to add this DMARC txt record with your appropriate email addresses: `v=DMARC1; p=reject; rua=mailto:d@rua.contoso.com;ruf=mailto:d@ruf.contoso.com`.
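Review bot: Step 1 changes more than the path. The anchor moves from `#how-to-handle-subdomains` to `#spf-txt-records-for-custom-domains-in-microsoft-365`, and the link text changes with it, while the step itself is still about checking SPF on a parked domain. Confirm that the new section covers domains that send no mail. If it doesn't, link to the part of the SPF article that does, so the reader of this step lands on guidance for parked domains.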
Wait until the DNS changes are propagated and try to spoof the configured domain
## More Information
-[Set up SPF to help prevent spoofing](/microsoft-365/security/office-365-security/email-authentication-spf-configure).
+[Set up SPF to help prevent spoofing](../email-authentication-spf-configure.md).
-[Use DMARC to validate email, setup steps](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure).
+[Use DMARC to validate email, setup steps](../email-authentication-dmarc-configure.md).
security How To Handle False Negatives In Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365.md
Defender for Office 365 can help you understand why emails are getting delivered
1. Ask end users to report the email as **phishing** or **junk** using Microsoft Message Add-in or Microsoft Phish add-in or the Outlook buttons. 2. End users can also add the sender to the [block senders list](https://support.microsoft.com/office/block-a-mail-sender-b29fd867-cac9-40d8-aed1-659e06a706e4#:~:text=1%20On%20the%20Home%20tab%2C%20in%20the%20Delete,4%20Click%20OK%20in%20both%20open%20dialog%20boxes..) in Outlook to prevent emails from this sender from being delivered to their inbox.
-3. Admins can triage the user reported messages from [User reported tab on the Submissions page](/microsoft-365/security/office-365-security/admin-submission#view-user-reported-messages-to-microsoft).
-4. From those reported messages, admins can **submit to** [Microsoft for analysis](/microsoft-365/security/office-365-security/admin-submission#notify-users-from-within-the-portal) to learn why that email was allowed in the first place.
+3. Admins can triage the user reported messages from [User reported tab on the Submissions page](../admin-submission.md#view-user-reported-messages-to-microsoft).
+4. From those reported messages, admins can **submit to** [Microsoft for analysis](../submissions-admin-review-user-reported-messages.md#notify-users-from-within-the-portal) to learn why that email was allowed in the first place.
5. If needed, while submitting to Microsoft for analysis, admins can [create a block entry for the sender](../tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses) to mitigate the problem. 6. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future. ## Handling malicious emails in junk folder of end users 1. Ask end users to report the email as **phishing** using Microsoft Message Add-in, or Microsoft Phish Add-in, or the Outlook buttons.
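Review bot: Steps 3 and 4 of this section are rewritten to `../admin-submission.md#view-user-reported-messages-to-microsoft` and `../submissions-admin-review-user-reported-messages.md#notify-users-from-within-the-portal`. The same two steps in the junk-folder section that follows are rewritten to `../submissions-admin.md#view-user-reported-messages-to-microsoft` and `../submissions-admin.md#notify-users-about-admin-submitted-messages-to-microsoft`. Identical link text should resolve to the same target in both sections. Check that `admin-submission.md` exists as a relative file and that the `#notify-users-from-within-the-portal` anchor exists in its new target, or align these two steps with the `submissions-admin.md` links used below.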
-2. Admins can triage the user reported messages from the [User reported tab on the Submissions page](/microsoft-365/security/office-365-security/admin-submission#view-user-reported-messages-to-microsoft).
-3. From those reported messages admins can **submit to** [Microsoft for analysis](/microsoft-365/security/office-365-security/admin-submission#notify-users-from-within-the-portal) and learn why that email was allowed in the first place.
+2. Admins can triage the user reported messages from the [User reported tab on the Submissions page](../submissions-admin.md#view-user-reported-messages-to-microsoft).
+3. From those reported messages admins can **submit to** [Microsoft for analysis](../submissions-admin.md#notify-users-about-admin-submitted-messages-to-microsoft) and learn why that email was allowed in the first place.
4. If needed, while submitting to Microsoft for analysis, admins can [create a block entry for the sender](../tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses) to mitigate the problem. 5. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.
Defender for Office 365 can help you understand why emails are getting delivered
## Handling malicious emails landing in the quarantine folder of admins
-1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files).
+1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](../quarantine-admin-manage-messages-files.md).
2. Admins can submit any malicious, or suspicious messages to Microsoft for analysis, and create a block to mitigate the situation while waiting for verdict. 3. Once the results for submissions are available, read the verdict to learn why the emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.
security How To Handle False Positives In Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365.md
Microsoft Defender for Office 365 helps deal with important legitimate business
1. Ask end users to report the email as **not junk** using Microsoft Message Add-in or the Outlook buttons. 2. End users can also add the sender to the [**safe sender list**](https://support.microsoft.com/office/safe-senders-in-outlook-com-470d4ee6-e3b6-402b-8cd9-a6f00eda7339) in Outlook to prevent the email from these senders landing in Junk folder.
-3. Admins can triage the user-reported messages from [the User reported tab on the Submission page](/microsoft-365/security/office-365-security/admin-submission#view-user-reported-messages-to-microsoft).
-4. From those reported messages admins can submit to [**Microsoft for analysis**](/microsoft-365/security/office-365-security/admin-submission#notify-users-from-within-the-portal) and understand why was that email blocked in the first place.
+3. Admins can triage the user-reported messages from [the User reported tab on the Submission page](../submissions-admin.md#view-user-reported-messages-to-microsoft).
+4. From those reported messages admins can submit to [**Microsoft for analysis**](../submissions-admin.md#notify-users-about-admin-submitted-messages-to-microsoft) and understand why was that email blocked in the first place.
5. If needed, while submitting to Microsoft for analysis, admins can judiciously [create an allow entry for the sender](../tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-domains-and-email-addresses) to mitigate the problem. 6. Once the results from the admin submission are available, read it to understand why emails were blocked and how your tenant setup could be improved to *prevent* similar situations from happening in the future.
Microsoft Defender for Office 365 helps deal with important legitimate business
## Handling legitimate emails in quarantine folder of an admin
-1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files).
+1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](../quarantine-admin-manage-messages-files.md).
2. Admins can release the message from quarantine while submitting it to Microsoft for analysis, and create a temporary allow to mitigate the situation. 3. Once the results for submissions are available, admins should read the verdict to understand the reason. - If false positives are due to tenant configuration, admins can correct it to mitigate the issue. - If false positives are due to other factors, Microsoft learns from the submission and similar messages aren't quarantined anymore. For more information, see [Automatic tenant Allow/Block list expiration management](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). > [!NOTE]
-> Admins need to manually release any similar messages that have already been quarantined, as the quarantined messages aren't released automatically. To find and release quarantined messages in bulk, see [Can I release or report more than one quarantined message at a time?](/microsoft-365/security/office-365-security/quarantine-faq#can-i-release-or-report-more-than-one-quarantined-message-at-a-time-).
+> Admins need to manually release any similar messages that have already been quarantined, as the quarantined messages aren't released automatically. To find and release quarantined messages in bulk, see [Can I release or report more than one quarantined message at a time?](../quarantine-faq.yml#can-i-release-or-report-more-than-one-quarantined-message-at-a-time-)
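Review bot: The rewritten note loses its closing period. The removed line ended with `...-at-a-time-).` and the added line ends with `...-at-a-time-)`. Restore the period after the link so the sentence inside the `[!NOTE]` block is terminated.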
security Reducing Attack Surface In Microsoft Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams.md
Microsoft Teams is a widely used collaboration tool, where many users are now sp
If licensed for Microsoft Defender for Office 365 (free 90-day evaluation available at aka.ms/trymdo) you can ensure seamless protection from zero-day malware and time of click protection within Microsoft Teams.
-[Learn More (SafeLinks)](/microsoft-365/security/office-365-security/safe-links#safe-links-settings-for-microsoft-teams) & [Learn More (Safe Attachments)](/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams) (Detailed Documentation)
+[Learn More (SafeLinks)](../safe-links-about.md#safe-links-settings-for-microsoft-teams) & [Learn More (Safe Attachments)](../safe-attachments-for-spo-odfb-teams-configure.md) (Detailed Documentation)
1. **Login** to the security center's safe attachments configuration page at <https://security.microsoft.com/safeattachmentv2>. 2. Press **Global settings**.
If licensed for Microsoft Defender for Office 365 (free 90-day evaluation availa
6. **Select** a policy, a flyout appears on the left-hand side. 7. Press **Edit protection settings**. 8. Ensure **Safe Links checks a list of known, malicious links when users click links in Microsoft Teams** is checked.
-1. Press **Save**.
-1. In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can decide whether users can report malicious messages in Microsoft Teams. Learn more here. [User reported message settings in Microsoft Teams](/microsoft-365/security/office-365-security/submissions-teams)
+9. Press **Save**.
+10. In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can decide whether users can report malicious messages in Microsoft Teams. Learn more here. [User reported message settings in Microsoft Teams](../submissions-teams.md)
## Restricting channel email messages to approved domains
Note that external organizations must also allow your organization's domain for
Consider configuring access policies to implement Zero Trust identity and device access policies to protect Microsoft Teams chats, groups, and content such as files and calendars.
-Learn more about teams access policies: [Recommended Teams policies - Microsoft 365 for enterprise - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-teams)
+Learn more about teams access policies: [Policy recommendations for securing Teams chats, groups, and files](../zero-trust-identity-device-access-policies-teams.md).
-Security in Microsoft Teams:[Overview of security and compliance - Microsoft Teams | Microsoft Docs](/microsoftteams/security-compliance-overview)
+Security in Microsoft Teams: [Overview of security and compliance - Microsoft Teams | Microsoft Docs](/microsoftteams/security-compliance-overview).
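Review bot: The two link labels in this hunk are now inconsistent. The Teams access policies link was given the target article's title ("Policy recommendations for securing Teams chats, groups, and files"), but the "Security in Microsoft Teams" link still carries the scraped page title with its "- Microsoft Teams | Microsoft Docs" suffix. Trim that label to "Overview of security and compliance" so both entries follow the same convention.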
security Track And Respond To Emerging Threats With Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/track-and-respond-to-emerging-threats-with-campaigns.md
Microsoft leverages vast amounts of anti-phishing, anti-spam, and anti-malware d
A campaign might be short-lived, or could span several days, weeks, or months with active and inactive periods. A campaign might be launched against your specific organization, or your organization might be part of a larger campaign across *multiple* companies. > [!TIP]
-> To learn more about the data available within a campaign, read [Campaign Views in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/campaigns).
+> To learn more about the data available within a campaign, read [Campaign Views in Microsoft Defender for Office 365](../campaigns.md).
## Watch the *Exploring campaign views* video
In the event that a campaign has targeted your organization and you'd like to le
## Next steps
-To learn more, read, [Campaign Views in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/campaigns).
+To learn more, read, [Campaign Views in Microsoft Defender for Office 365](../campaigns.md).
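Review bot: The rewritten "Next steps" line carries over the stray comma after "read" ("To learn more, read, [Campaign Views ..."). The tip earlier in the same article uses "read [Campaign Views ...]" without the comma, so drop it here while the line is being changed.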
security Understand Detection Technology In Email Entity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/understand-detection-technology-in-email-entity.md
# Understanding detection technology in the email entity page of Microsoft Defender for Office 365
-If a threat is detected on the Microsoft Defender for Office 365 [*email entity page*](/microsoft-365/security/office-365-security/mdo-email-entity-page), threat information will display on the left-hand flyout. This panel will also show you the **detection technology** that led to that verdict.
+If a threat is detected on the Microsoft Defender for Office 365 [*email entity page*](../mdo-email-entity-page.md), threat information will display on the left-hand flyout. This panel will also show you the **detection technology** that led to that verdict.
This article is all about helping you **understand the different detection technologies**, how they work, and how to avoid any false alarms. Stay tuned for the Admin Submissions video at the end.
security Understand Overrides In Email Entity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/understand-overrides-in-email-entity.md
Last updated 08/14/2023
# Understanding overrides within the email entity page in Microsoft Defender for Office 365
-Within the Microsoft Defender for Office 365 *[email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page)*, there's a wealth of useful information about an email, including if applicable the **overrides** which affected that message, and potentially the location that the message was delivered or moved to post delivery.
+Within the Microsoft Defender for Office 365 *[email entity page](../mdo-email-entity-page.md)*, there's a wealth of useful information about an email, including if applicable the **overrides** which affected that message, and potentially the location that the message was delivered or moved to post delivery.
This article is all about helping you **understand the different overrides**, how they're triggered, and helpful information for diagnosing when the effect of an override was unexpected, such as an email being blocked when no threats were found. ## Overrides details table
-The following table lists all overrides, a description of what that override means and some starting points for troubleshooting. Not all overrides are honored, depending on the circumstance. For example an email that contains malware is automatically blocked regardless if an end user set the sender as a "safe sender". To learn more about how overrides are applied see [this table](/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined).
+The following table lists all overrides, a description of what that override means and some starting points for troubleshooting. Not all overrides are honored, depending on the circumstance. For example an email that contains malware is automatically blocked regardless if an end user set the sender as a "safe sender". To learn more about how overrides are applied see [this table](../how-policies-and-protections-are-combined.md).
| Override |Description|Notes| | -- | -- | -- | | Third Party Filter |We detected you're using a third party for your MX record and have an SCL-1 transport rule, overriding filtering and Secure by Default.||
-|Admin initiated time travel|Admin triggered investigation, which leads to zero-hour autopurge (ZAP) modifying the delivery location of messages.|[Learn more about ZAP.](/microsoft-365/security/office-365-security/zero-hour-auto-purge)|
-|Antimalware policy block by file type|The file extension for an attachment within the message matched a banned file type listed in the anti-malware policy for the recipient|You may wish to tweak the file extensions listed in the Common attachments filter section of the anti-malware policy. [Learn more.](/microsoft-365/security/office-365-security/anti-malware-policies-configure)|
-|Antispam policy settings|The message matched a custom option in the anti-spam policy for the recipient. For example: "SPF record: hard fail" or "Empty messages".|Check the "Mark as spam" options in the anti-spam policy for the affected recipient. [Learn more.](/microsoft-365/security/office-365-security/anti-spam-policies-configure)|
-|Connection policy|The message originated from an allowed / blocked IP within your connection filter policy.|Check the "Connection filter policy" within the anti-spam policies section of the security portal. [Learn more.](/microsoft-365/security/office-365-security/connection-filter-policies-configure)|
-|Exchange transport rule|The message matched a custom transport rule that affected the final delivery location.|You can use the email entity page, or Exchange message trace to highlight which transport rule was triggered. [Learn more.](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules)|
-|Exclusive mode (User override)|The recipient has chosen to mark all messages as spam unless they're received from a sender in their trusted contact list.|The recipient has likely configured: "Don't trust email unless it comes from someone in my Safe Senders and Recipients list" within the Junk email settings in Outlook or OWA. [Learn more.](/powershell/module/exchange/set-mailboxjunkemailconfiguration)|
+|Admin initiated time travel|Admin triggered investigation, which leads to zero-hour autopurge (ZAP) modifying the delivery location of messages.|[Learn more about ZAP.](../zero-hour-auto-purge.md)|
+|Antimalware policy block by file type|The file extension for an attachment within the message matched a banned file type listed in the anti-malware policy for the recipient|You may wish to tweak the file extensions listed in the Common attachments filter section of the anti-malware policy. [Learn more](../anti-malware-policies-configure.md).|
+|Antispam policy settings|The message matched a custom option in the anti-spam policy for the recipient. For example: "SPF record: hard fail" or "Empty messages".|Check the "Mark as spam" options in the anti-spam policy for the affected recipient. [Learn more](../anti-spam-policies-configure.md).|
+|Connection policy|The message originated from an allowed / blocked IP within your connection filter policy.|Check the "Connection filter policy" within the anti-spam policies section of the security portal. [Learn more](../connection-filter-policies-configure.md).|
+|Exchange transport rule|The message matched a custom transport rule that affected the final delivery location.|You can use the email entity page, or Exchange message trace to highlight which transport rule was triggered. [Learn more](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).|
+|Exclusive mode (User override)|The recipient has chosen to mark all messages as spam unless they're received from a sender in their trusted contact list.|The recipient has likely configured: "Don't trust email unless it comes from someone in my Safe Senders and Recipients list" within the Junk email settings in Outlook or OWA. [Learn more](/powershell/module/exchange/set-mailboxjunkemailconfiguration).|
|Filtering skipped due to on-premises organization|The message was marked as nonspam by your Exchange on-premises environment before being delivered to Exchange Online|You should review your on-premises environment to locate the source of the override.|
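Review bot: The new "Admin initiated time travel" row keeps the period inside the link text, [Learn more about ZAP.], while every other row rewritten in this block moves it outside the link, as in [Learn more](../anti-malware-policies-configure.md). Suggest moving the period outside the brackets here too.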
-|IP region filter from policy|The message was detected as coming from a country/region that an admin has selected to block in the anti-spam policy for the recipient.|Modify the "From these countries/regions" option within the anti-spam policy applied to the affected recipient. [Learn more.](/microsoft-365/security/office-365-security/anti-spam-policies-configure)|
-|Language filter from policy|The message was detected as containing a language that an admin has selected to block in the anti-spam policy for the recipient.|Modify the "Contains specific languages" option within the anti-spam policy to the affected recipient. [Learn more.](/microsoft-365/security/office-365-security/anti-spam-policies-configure)|
-|Phishing simulation|The message met the criteria defined by an administrator to be considered a phishing simulation message.|Criteria are within the "Phishing simulation" tab within Advanced delivery in the security portal. [Learn more.](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure)|
-|Quarantine release| The recipient or an administrator released this message from quarantine.|[Learn more.](/microsoft-365/security/office-365-security/quarantine-end-user)|
-|SecOps Mailbox|The message was sent to the specific security operations mailbox defined by an administrator.|Mailboxes are defined within the "SecOps mailbox" tab within Advanced delivery in the security portal. [Learn more.](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure)|
-|Sender address list (Admin Override)|The message matched an entry in the allowed/blocked senders within the anti-spam policy for the recipient.|Check the "Allowed and blocked senders and domains" section of the relevant anti-spam policy. (allows with this method aren't recommended). [Learn more.](/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365)|
-|Sender address list (User override)|The recipient has manually set this sender address to be delivered to the inbox (allowed) or junk email folder (blocked).|The recipient has likely configured "Safe senders and domains" or "Blocked senders and domains" within the Junk email settings in Outlook or OWA. [Learn more.](/powershell/module/exchange/set-mailboxjunkemailconfiguration)|
-|Sender domain list (Admin Override)|The message matched an entry in the allowed/blocked domains within the anti-spam policy for the recipient.|Check the "Allowed and blocked senders and domains" section of the relevant anti-spam policy. (allows with this method aren't recommended). [Learn more.](/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365)|
-|Sender domain list (User override)|The recipient has manually set the sending domain to be delivered to the inbox (allowed) or junk email folder (blocked).|The recipient has likely configured "Safe senders and domains" or "Blocked senders and domains" within the Junk email settings in Outlook or OWA. [Learn more.](/powershell/module/exchange/set-mailboxjunkemailconfiguration)|
-|Tenant Allow/Block List file|An entry was matched for a file hash listed in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal. [Learn more.](/microsoft-365/security/office-365-security/tenant-allow-block-list-about)|
-|Tenant Allow/Block List sender email address|An entry was matched for a sender address listed in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal.[ Learn more.](/microsoft-365/security/office-365-security/tenant-allow-block-list-about)|
-|Tenant Allow/Block List spoof|An entry was matched for spoof detection in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal. [Learn more.](/microsoft-365/security/office-365-security/tenant-allow-block-list-about)|
-|Tenant Allow/Block List URL| An entry was matched for a URL listed in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal. [Learn more.](/microsoft-365/security/office-365-security/tenant-allow-block-list-about)|
-|Trusted contact list (User override)|The recipient has chosen to mark contacts in their contacts folder as trusted senders automatically.|The recipient has likely configured: "Trust email from my contacts" within the Junk email settings in Outlook or OWA. [Learn more.](/powershell/module/exchange/set-mailboxjunkemailconfiguration)|
-|Trusted domain (User override)|The recipient has added this domain to their safe recipients list within Outlook, emails sent to this domain aren't treated as junk email.|The recipient has likely configured "Safe Recipients" within Outlook's Junk email options. [Learn more.](https://support.microsoft.com/office/block-or-allow-junk-email-settings-48c9f6f7-2309-4f95-9a4d-de987e880e46)|
-|Trusted recipient (User override)|The recipient has added this sender to their safe recipients list within Outlook, emails sent to this sender aren't treated as junk email.|The recipient has likely configured "Safe Recipients" within Outlook's Junk email options. [Learn more.](https://support.microsoft.com/office/block-or-allow-junk-email-settings-48c9f6f7-2309-4f95-9a4d-de987e880e46)|
+|IP region filter from policy|The message was detected as coming from a country/region that an admin has selected to block in the anti-spam policy for the recipient.|Modify the "From these countries/regions" option within the anti-spam policy applied to the affected recipient. [Learn more](../anti-spam-policies-configure.md).|
+|Language filter from policy|The message was detected as containing a language that an admin has selected to block in the anti-spam policy for the recipient.|Modify the "Contains specific languages" option within the anti-spam policy to the affected recipient. [Learn more](../anti-spam-policies-configure.md).|
+|Phishing simulation|The message met the criteria defined by an administrator to be considered a phishing simulation message.|Criteria are within the "Phishing simulation" tab within Advanced delivery in the security portal. [Learn more](../advanced-delivery-policy-configure.md).|
+|Quarantine release| The recipient or an administrator released this message from quarantine.|[Learn more](../quarantine-end-user.md).|
+|SecOps Mailbox|The message was sent to the specific security operations mailbox defined by an administrator.|Mailboxes are defined within the "SecOps mailbox" tab within Advanced delivery in the security portal. [Learn more](../advanced-delivery-policy-configure.md).|
+|Sender address list (Admin Override)|The message matched an entry in the allowed/blocked senders within the anti-spam policy for the recipient.|Check the "Allowed and blocked senders and domains" section of the relevant anti-spam policy. (allows with this method aren't recommended). [Learn more](../create-safe-sender-lists-in-office-365.md).|
+|Sender address list (User override)|The recipient has manually set this sender address to be delivered to the inbox (allowed) or junk email folder (blocked).|The recipient has likely configured "Safe senders and domains" or "Blocked senders and domains" within the Junk email settings in Outlook or OWA. [Learn more](/powershell/module/exchange/set-mailboxjunkemailconfiguration).|
+|Sender domain list (Admin Override)|The message matched an entry in the allowed/blocked domains within the anti-spam policy for the recipient.|Check the "Allowed and blocked senders and domains" section of the relevant anti-spam policy. (allows with this method aren't recommended). [Learn more](../create-safe-sender-lists-in-office-365.md).|
+|Sender domain list (User override)|The recipient has manually set the sending domain to be delivered to the inbox (allowed) or junk email folder (blocked).|The recipient has likely configured "Safe senders and domains" or "Blocked senders and domains" within the Junk email settings in Outlook or OWA. [Learn more](/powershell/module/exchange/set-mailboxjunkemailconfiguration).|
+|Tenant Allow/Block List file|An entry was matched for a file hash listed in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal. [Learn more](../tenant-allow-block-list-about.md).|
+|Tenant Allow/Block List sender email address|An entry was matched for a sender address listed in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal. [Learn more](../tenant-allow-block-list-about.md).|
+|Tenant Allow/Block List spoof|An entry was matched for spoof detection in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal. [Learn more](../tenant-allow-block-list-about.md).|
+|Tenant Allow/Block List URL| An entry was matched for a URL listed in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal. [Learn more](../tenant-allow-block-list-about.md).|
+|Trusted contact list (User override)|The recipient has chosen to mark contacts in their contacts folder as trusted senders automatically.|The recipient has likely configured: "Trust email from my contacts" within the Junk email settings in Outlook or OWA. [Learn more](/powershell/module/exchange/set-mailboxjunkemailconfiguration).|
+|Trusted domain (User override)|The recipient has added this domain to their safe recipients list within Outlook, emails sent to this domain aren't treated as junk email.|The recipient has likely configured "Safe Recipients" within Outlook's Junk email options. [Learn more](https://support.microsoft.com/office/block-or-allow-junk-email-settings-48c9f6f7-2309-4f95-9a4d-de987e880e46).|
+|Trusted recipient (User override)|The recipient has added this sender to their safe recipients list within Outlook, emails sent to this sender aren't treated as junk email.|The recipient has likely configured "Safe Recipients" within Outlook's Junk email options. [Learn more](https://support.microsoft.com/office/block-or-allow-junk-email-settings-48c9f6f7-2309-4f95-9a4d-de987e880e46).|
|Trusted senders only (User override)|This override has same behavior as the Exclusive mode (User override), primarily used in outlook.com.|See "Exclusive mode (User override)"| ## Next steps
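Review bot: The four rewritten "Tenant Allow/Block List" rows still say "Review the entires within"; since these lines are being touched anyway, correct it to "entries". The "Language filter from policy" row also reads "within the anti-spam policy to the affected recipient", dropping the "applied" that the "IP region filter from policy" row has.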
-You can find a similar detailed table covering all the different detection technologies at [aka.ms/emailtech](/microsoft-365/security/office-365-security/step-by-step-guides/understand-detection-technology-in-email-entity).
+You can find a similar detailed table covering all the different detection technologies at [aka.ms/emailtech](understand-detection-technology-in-email-entity.md).
security Utilize Microsoft Defender For Office 365 In Sharepoint Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online.md
Microsoft SharePoint Online is a widely used user collaboration and file storage
If you're licensed for Microsoft Defender for Office 365 **(free 90-day evaluation available at aka.ms/trymdo)**, you can ensure seamless protection from zero day malware and time of click protection within Microsoft Teams.
-To learn more, read [Step 1: Use the Microsoft Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure#step-1-use-the-microsoft-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams).
+To learn more, read [Step 1: Use the Microsoft Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../safe-attachments-for-spo-odfb-teams-configure.md#step-1-use-the-microsoft-defender-portal-to-turn-on-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams).
1. Sign in to the [security center's safe attachments configuration page](https://security.microsoft.com/safeattachmentv2). 1. Select **Global settings**.
To learn more, read [Step 1: Use the Microsoft Defender portal to turn on Safe A
By default, users can't open, move, copy, or share malicious files that are detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, the *Download* option is still available and should be *disabled*.
-To learn more, read [Step 2: (*Recommended*) Use SharePoint Online PowerShell to prevent users from downloading malicious files](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).
+To learn more, read [Step 2: (*Recommended*) Use SharePoint Online PowerShell to prevent users from downloading malicious files](../safe-attachments-for-spo-odfb-teams-configure.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).
1. Open and connect to [SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online). 1. Run the following command: **Set-SPOTenant -DisallowInfectedFileDownload $true**. ### Further reading
-[Policy recommendations for securing SharePoint sites and files](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-sharepoint)
+[Policy recommendations for securing SharePoint sites and files](../zero-trust-identity-device-access-policies-sharepoint.md)
security Submissions Admin Review User Reported Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin-review-user-reported-messages.md
Admins can mark messages and notify users of review results only if the user [re
- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Authorization and settings/System settings/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Security Administrator** role groups. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** role group.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- You need access to Exchange Online PowerShell. If your account doesn't have access to Exchange Online PowerShell, you get the following error: *Specify an email address in your domain*. For more information about enabling or disabling access to Exchange Online PowerShell, see the following articles: - [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell)
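Review bot: Only the Microsoft Entra permissions link is updated in this list. The Defender XDR Unified RBAC bullet in the same list still points to the absolute path /microsoft-365/security/defender/manage-rbac, whereas the change to submissions-users-report-message-add-in-configure.md converts that same link to ../defender/manage-rbac.md. Suggest converting it here as well so the link style stays consistent across the articles.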
security Submissions Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md
For other ways that **admins** can report messages to Microsoft in the Defender
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Security Administrator** or **Security Reader** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Security Administrator** or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Security Administrator** or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- Admins can submit email messages as old as 30 days if they're still available in the mailbox and haven't been purged by the user or an admin.
security Submissions User Reported Messages Custom Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md
After you verify that the reporting mailbox meets all of these requirements, use
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Security Administrator** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- You need access to Exchange Online PowerShell. If your account doesn't have access to Exchange Online PowerShell, you get the following error: *Specify an email address in your domain*. For more information about enabling or disabling access to Exchange Online PowerShell, see the following articles: - [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell)
security Submissions Users Report Message Add In Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure.md
appliesto:
The Microsoft Report Message and Report Phishing add-ins for Outlook and Outlook on the web (formerly known as Outlook Web App or OWA) makes it easy for users to report false positives and false negatives to Microsoft for analysis. False positives are good email that was blocked or sent to the Junk Email folder. False negatives are unwanted email or phishing that was delivered to the Inbox.
-Microsoft uses these user reported messages to improve the effectiveness of email protection technologies. For example, suppose that people are reporting many messages using the Report Phishing add-in. This information surfaces in the Security Dashboard and other reports. Your organization's security team can use this information as an indication that anti-phishing policies might need to be updated.
+Microsoft uses these user-reported messages to improve the effectiveness of email protection technologies. For example, suppose that people are reporting many messages using the Report Phishing add-in. This information surfaces in the Security Dashboard and other reports. Your organization's security team can use this information as an indication that anti-phishing policies might need to be updated.
The Report Message add-in provides the option to report both spam and phishing messages. The Report Phishing add-in provides the option to report phishing messages only.
-Admins can install and enable the add-ins for the organization. Both add-ins are available through [Centralized Deployment](/microsoft-365/admin/manage/centralized-deployment-of-add-ins). Individual users can install the add-ins for themselves.
+Admins can install and enable the add-ins for the organization. Both add-ins are available through [Centralized Deployment](../../admin/manage/centralized-deployment-of-add-ins.md). Individual users can install the add-ins for themselves.
After the add-in is installed and enabled, users see the following icons based on their Outlook client:
After the add-in is installed and enabled, users see the following icons based o
## What do you need to know before you begin? - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**.
+ - [Microsoft Defender XDR Unified role based access control (RBAC)](../defender/manage-rbac.md) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**.
- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** role group. - [Exchange Online permissions](/Exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** role group.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** role gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** role gives users the required permissions _and_ permissions for other features in Microsoft 365.
-- For organizational installs, the organization needs to be configured to use OAuth authentication. For more information, see [Determine if Centralized Deployment of add-ins works for your organization](/microsoft-365/admin/manage/centralized-deployment-of-add-ins).
+- For organizational installs, the organization needs to be configured to use OAuth authentication. For more information, see [Determine if Centralized Deployment of add-ins works for your organization](../../admin/manage/centralized-deployment-of-add-ins.md).
- The Report Message and Report Phishing add-ins work with most Microsoft 365 subscriptions and the following products: - Outlook on the web
Install and configure the Report Message or Report Phishing add-ins for the orga
- **Entire organization** - **Specific users/groups**: Find and select users and groups in the search box. After each selection, the user or group appears in the **To be added** section that appears below the search box. To remove a selection, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: on the entry.
- - **Email notification**: By default, **Send email notification to assigned users** is selected. Select **View email sample** to open the [Add-in deployment email alerts](/microsoft-365/admin/manage/add-in-deployment-email-alerts) article.
+ - **Email notification**: By default, **Send email notification to assigned users** is selected. Select **View email sample** to open [Add-in deployment email alerts](../../admin/manage/add-in-deployment-email-alerts.md).
> [!div class="mx-imgBorder"] > :::image type="content" source="../../media/microsoft-365-admin-center-deploy-new-app-add-users.png" alt-text="The Add users page of Deploy New App." lightbox="../../media/microsoft-365-admin-center-deploy-new-app-add-users.png":::
security Teams Message Entity Panel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/teams-message-entity-panel.md
The Teams Message Entity Panel is available for customers with Microsoft 365 E5
To access the Teams Message Entity Panel, you need to be assigned permissions. You have the following options: - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Global Administrator**, **Security Administrator**, or **Quarantine Administrator** role group.-- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:
+- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:
- Membership in the **Global Administrator** or **Security Administrator** roles. - _Read-only access_: Membership in the **Global Reader** or **Security Reader** roles.
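Review bot: The re-added Microsoft Entra permissions bullet still reads "Membership these roles gives users", which is missing "in". Since the line is being touched anyway, change it to "Membership in these roles gives users the required permissions".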
security Tenant Allow Block List Email Spoof Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure.md
This article describes how admins can manage entries for email senders in the Mi
- **Security Reader** - **View-Only Configuration** - **View-Only Organization Management**
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
## Domains and email addresses in the Tenant Allow/Block List
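Review bot: The Microsoft Entra permissions bullet lists **Global Reader** and **Security Reader** next to **Global Administrator** and **Security Administrator** as all giving "the required permissions", without saying that the reader roles are read-only. The Teams Message Entity Panel article in this batch separates them under _Read-only access_; the same split here would keep readers from assuming a reader role can manage entries. The identical sentence appears in the files and URLs Tenant Allow/Block List articles.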
security Tenant Allow Block List Files Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure.md
This article describes how admins can manage entries for files in the Microsoft
- **Security Reader** - **View-Only Configuration** - **View-Only Organization Management**
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
- A **Files** tab is available on the **Submissions** page only in organizations with Microsoft Defender XDR or Microsoft Defender for Endpoint Plan 2. For information and instructions to submit files from the **Files** tab, see [Submit files in Microsoft Defender for Endpoint](../defender-endpoint/admin-submissions-mde.md).
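Review bot: The changed bullet emphasizes with `_and_`, while the same sentence in the email-spoof and URLs articles uses `*and*`. Pick one emphasis marker for the shared sentence so the three Tenant Allow/Block List articles stay identical.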
security Tenant Allow Block List Urls Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure.md
This article describes how admins can manage entries for URLs in the Microsoft D
- **Security Reader** - **View-Only Configuration** - **View-Only Organization Management**
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
## Create allow entries for URLs
security User Tags About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md
To see how user tags are part of the strategy to help protect high-impact user a
- _Create, modify, and delete custom user tags_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Apply and remove the Priority account tag from users_: Membership in the **Security Administrator** and **Exchange Admin** role groups. - _Apply and remove existing custom user tags from users_: Membership in the **Organization Management** or **Security Administrator** role groups.
- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** and **Security Administrator** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
+ - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** and **Security Administrator** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
> [!NOTE] > User tag management is controlled by the **Tag Reader** and **Tag Manager** roles.
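Review bot: The changed bullet says membership in the **Global Administrator** and **Security Administrator** roles, which reads as if both roles are required; the equivalent bullets in the other articles in this batch use "or". If either role is sufficient, change "and" to "or".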
test-base Chat https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/chat.md
f1.keywords: NOCSH
[!INCLUDE [test-base-deprecation](./includes/test-base-deprecation.md)]
-Test Base Chat, a new feature applying the power of AI, serves as your personal support guide throughout your use of Test Base. Tired of manually searching through documentation or the web to find answers to your application testing questions? Simply initiate a conversation with Test Base Chat anywhere within Test Base to pose your queries. You'll receive tailored step-by-step guidance, complete with links to relevant pages in our [Test Base for Microsoft 365 documentation](/microsoft-365/test-base/). This feature is designed to save you time and eliminate any inconvenience.
+Test Base Chat, a new feature applying the power of AI, serves as your personal support guide throughout your use of Test Base. Tired of manually searching through documentation or the web to find answers to your application testing questions? Simply initiate a conversation with Test Base Chat anywhere within Test Base to pose your queries. You'll receive tailored step-by-step guidance, complete with links to relevant pages in our [Test Base for Microsoft 365 documentation](./index.yml). This feature is designed to save you time and eliminate any inconvenience.
You can open the **Test Base Chat** pane via the icon at the right-hand bottom. > [!div class="mx-imgBorder"] > [![Screenshot of the test base chat button.](Media/testbasechat1.png)](Media/testbasechat1.png#lightbox)
-> [!div class="mx-imgBorder"]
-> [![Screenshot of the test base chat page.](Media/testbasechat2.png)](Media/testbasechat2.png#lightbox)
+![Screenshot of the test base chat page.](Media/testbasechat2.png)
## Privacy
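Review bot: The second screenshot loses both the `[!div class="mx-imgBorder"]` wrapper and the `#lightbox` link, while the first screenshot (testbasechat1.png) a few lines up keeps them. If dropping the lightbox is intentional, apply it to both images; otherwise restore it so the two screenshots render the same way.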
Test Base Chat is built on Microsoft's comprehensive approach to security, compl
## Keep in mind...
-The features described here use an AI system that creates responses based on a prompt. As it's a new system, it may create things you didn't expect. If you find its content to be unexpected or offensive, please send us feedback so we can make it better. Because content generated via AI draws from the [Test Base for Microsoft 365 documentation](/microsoft-365/test-base/), it may contain inaccuracies or sensitive material. Use your own judgment and double check the facts before making decisions or taking action based on the responses.
+The features described here use an AI system that creates responses based on a prompt. As it's a new system, it may create things you didn't expect. If you find its content to be unexpected or offensive, please send us feedback so we can make it better. Because content generated via AI draws from the [Test Base for Microsoft 365 documentation](./index.yml), it may contain inaccuracies or sensitive material. Use your own judgment and double check the facts before making decisions or taking action based on the responses.
We're constantly working to improve our technology to proactively address issues in line with our [responsible AI principles](https://www.microsoft.com/ai/our-approach?activetab=pivot1:primaryr5).