Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
admin | Onedrive For Business Usage Ww | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/onedrive-for-business-usage-ww.md | For example, the OneDrive card on the dashboard gives you a high-level view of t You can view the usage in the OneDrive report by choosing the **Usage** tab. -![Microsoft 365 reports - Microsoft OneDrive usage report.](../../media/3cdaf2fb-1817-479b-a0e1-2afa228690cf.png) Select **Choose columns** to add or remove columns from the report. -![OneDrive usage report - choose columns.](../../media/9ee80f25-cfe3-411d-8e31-08f1507d18c1.png) You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. The **OneDrive usage** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you select a particular day in the report, the table will show data for up to 28 days from the current date (not the date the report was generated). -|Item|Description| +|Metric|Definition| |:--|:--|-|**Metric**|**Definition**| |URL |The web address for the user's OneDrive. Note: URL will be empty temporarily. | |Deleted |The deletion status of the OneDrive. It takes at least seven days for accounts to be marked as deleted. | |Owner |The username of the primary administrator of the OneDrive. | The **OneDrive usage** report can be viewed for trends over the last 7 days, 30 |Active files | The number of active files within the time period. NOTE: If files were removed during the specified time period for the report, the number of active files shown in the report may be larger than the current number of files in the OneDrive. > Deleted users will continue to appear in reports for 180 days. | |Storage used (MB) |The amount of storage the OneDrive uses in MB. | | Site ID | The site ID of the site. |-||| -> [!NOTE] ++> [!IMPORTANT] > The report only includes users who have a valid OneDrive license.++>[!NOTE] +> The OneDrive site URL may not be displayed in related usage reports. To display the site URL, you can use PowerShell. To follow the steps, see [Use PowerShell to resolve site URLs](resolve-site-urls.md). |
admin | Resolve Site Urls | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/resolve-site-urls.md | + + Title: "Use PowerShell to resolve site URLs in reports" +++ Last updated : 03/08/2024+audience: Admin +++ms.localizationpriority: medium ++- Tier2 +- scotvorg +- M365-subscription-management +- Adm_O365 +- Adm_NonTOC +++description: "Learn about using PowerShell to resolve site URLs in reports for the Microsoft 365 admin center." +++# Use PowerShell to resolve site URLs in reports ++This article covers how to use PowerShell to display site URLs in reports. ++## How it works ++The Graph API provides an API that allows you to list all the sites within an organization. To use this API, you need to have an application with the Sites.Read.All permission. ++The script invokes this API endpoint to get the mapping between site IDs and site URLs, and then adds the site URLs into the exported CSV reports. ++### Why not use delegated permissions? ++- The /sites/getAllSites API only accepts application permissions. ++- The /sites?search=\* API accepts delegated permissions, but it doesnΓÇÖt return all the sites, even using an admin account. ++## Steps ++To display site URLs using PowerShell, follow these steps. ++### Create an Entra ID Application ++1. Go to [Microsoft Entra admin center](https://entra.microsoft.com/) **>** Applications **>** App registrations. ++2. On the App registrations page, select **New registrations**. ++3. Pick a name for this application, and use the default configuration to register the app. ++Remember, the **client id** and **tenant id** are displayed in the appΓÇÖs **Essentials** section. +++### Add Graph API permission to the app ++In the new applicationΓÇÖs **Request API permissions** page, add the Sites.Read.All permission. +++Then, grant admin consent. +++### Create a client secret ++In the new applicationΓÇÖs **Certificates & secrets** section, create a new client secret. Then, store the **secretΓÇÖs value** in a safe and secure place. +++### Download the reports in Microsoft 365 admin center ++Download the site details report on the two report pages and put the CSV report files under a local folder. ++Before downloading the reports, make sure to turn off the privacy setting for user details. For details, see [Microsoft 365 admin center activity reports](activity-reports.md). ++For SharePoint site usage, go to the [SharePoint site usage page in the Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/reportsUsage/SharePointSiteUsageV1). ++For OneDrive site usage, go to the [OneDrive site usage page in the Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/reportsUsage/OneDriveSiteUsage). ++### Update the reports with site URLs ++To update the reports with site URLs, execute the PowerShell script. ++ ```PowerShell + .\Update-Report.ps1 -**tenantId** {tenant id above} -**clientId** {client id above} -**reportPaths** @("file path for report \#1", "file path for report \#2") + ``` ++To view the full Update-Report PowerShell script, see [Update-Report PowerShell](#update-report-powershell-script). ++The script will ask you to enter the **secretΓÇÖs value** created above. +++After executing the script, new versions of the reports are created with site URLs added. +++### Clean up the environment ++To clean up the environment, go back to the application's **Certificates & secrets** page and delete the secret that was created earlier. ++>[!TIP] +> Use SSD (Solid State Drive) to improve the IO performance. +> Execute the script on a machine with enough free/unused memory. The cache takes roughly 2GB for the 15 million sites. ++## Update-Report PowerShell script ++The following is the PowerShell script for Update-Report. ++ ```PowerShell + [Parameter(Mandatory=$true)] + [string]$tenantId, + [Parameter(Mandatory=$true)] + [string]$clientId, + [Parameter(Mandatory=$false)] + [string[]]$reportPaths +) ++function Get-AccessToken { + param( + [Parameter(Mandatory=$true)] + [string]$tenantId, + [Parameter(Mandatory=$true)] + [string]$clientId, + [Parameter(Mandatory=$true)] + [System.Security.SecureString]$clientSecret, + [Parameter(Mandatory=$false)] + [string]$scope = "https://graph.microsoft.com/.default" + ) ++ $tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" + $tokenRequest = @{ + client_id = $clientId + scope = $scope + client_secret = ConvertFrom-SecureString $clientSecret -AsPlainText + grant_type = "client_credentials" + } ++ $tokenResponse = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $tokenRequest + return $tokenResponse.access_token +} + ``` ++### Prepare the cache and client secret ++ ```PowerShell +if ($reportPaths.Count -eq 0) { + Write-Host "Please provide at least one report path" -ForegroundColor Red + exit +} +$cache = New-Object 'System.Collections.Generic.Dictionary[[String],[String]]' +$clientSecret = Read-Host "Please enter client secret" -AsSecureString + ``` ++### Fetch site info from Graph API ++ ```PowerShell +Write-Host +Write-Host "Getting information for all the sites..." -ForegroundColor Cyan ++$uri = "https://graph.microsoft.com/v1.0/sites/getAllSites?`$select=sharepointIds&`$top=10000" +while ($uri -ne $null) { ++ Write-Host $uri ++ $isSuccess = $false + while (-not $isSuccess) { + try { + $accessToken = Get-AccessToken -tenantId $tenantId -clientId $clientId -clientSecret $clientSecret + $restParams = @{Headers=@{Authorization="Bearer $accessToken"}} + } + catch { + Write-Host "Retrying... $($_.Exception.Message)" -ForegroundColor Yellow + continue + } + try { + $sites = Invoke-RestMethod $uri @restParams + $isSuccess = $true + } + catch { + if ($_.Exception.Response -and $_.Exception.Response.Headers['Retry-After']) { + $retryAfter = [int]$_.Exception.Response.Headers['Retry-After'] + Write-Output "Waiting for $retryAfter seconds before retrying..." -ForegroundColor Yellow + Start-Sleep -Seconds $retryAfter + } + Write-Host "Retrying... $($_.Exception.Message)" -ForegroundColor Yellow + continue + } + } ++ $sites.value | ForEach-Object { + $cache[$_.sharepointIds.siteId] = $_.sharepointIds.siteUrl + } ++ $uri = $sites."@odata.nextLink" ++ Write-Host "Total sites received: $($cache.Count)" +} + ``` ++### Update the report using cached site info ++ ```PowerShell +foreach ($reportPath in $reportPaths) { + Write-Host + Write-Host "Updating report $($reportPath) ..." -ForegroundColor Cyan ++ $outputPath = "$($reportPath)_$([Math]::Floor((Get-Date -UFormat %s))).csv" + $writer = [System.IO.StreamWriter]::new($outputPath) + $reader = [System.IO.StreamReader]::new($reportPath) + $rowCount = 0 ++ while ($null -ne ($line = $reader.ReadLine())) { + $rowCount++ ++ $columns = $line.Split(",") + $siteId = $columns[1] ++ $_guid = New-Object System.Guid + if ([System.Guid]::TryParse($siteId, [ref]$_guid)) { + $siteUrl = $cache[$siteId] + $columns[2] = $siteUrl + $line = $columns -join "," + } + + $writer.WriteLine($line) ++ if ($rowCount%1000 -eq 0) { + Write-Host "Processed $($rowCount) rows" + } + } + $writer.Close() + $reader.Close() ++ Write-Host "Processed $($rowCount) rows" + Write-Host "Report updated: $($outputPath)" -ForegroundColor Cyan +} + ``` ++### Finalize ++```PowerShell +Write-Host +Read-Host "Press any key to exit..." + ``` ++## Additional option for small-scale scenarios ++For smaller scale scenarios, admins with appropriate access can use the SharePoint REST API or Microsoft Graph API to retrieve information about site IDs referenced in affected reports. The SharePoint REST API can be used to retrieve information about a specific site ID. ++For example, the following SharePoint REST API request retrieves information about the Contoso site with site ID 15d43f38-ce4e-4f6b-bac6-766ece1fbcb4: ++`https://contoso.sharepoint.com/_api/v2.1/sites/contoso.sharepoint.com,15d43f38-ce4e-4f6b-bac6-766ece1fbcb4` ++The Microsoft Graph API can be used to list SharePoint sites or retrieve information about a specific site ID. For details, see [site resource type](/graph/api/resources/site). ++For example: ++- `https://graph.microsoft.com/v1.0/sites?search=*&$select=sharepointIds` +- `https://graph.microsoft.com/v1.0/sites/{siteId}` ++The Microsoft Graph API can also be used to retrieve information about a given user's OneDrive for Business site. For details, see [drive resource type](/graph/api/resources/drive). ++For example: ++- `https://graph.microsoft.com/v1.0/users/{userId}/drives?$select=sharepointIds` |
admin | Sharepoint Site Usage Ww | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/sharepoint-site-usage-ww.md | The **SharePoint site usage** report can be viewed for trends over the last 7 da |Company link count |The number of times documents or folders are shared using "People in org with the link" on the site. | |Secure link for guest count |The number of times documents or folders are shared using "specific people" on the site. | |Secure link for member count |The number of times documents or folders are shared using "specific people" on the site. |-|Root Web Template |The template used for creating the site. <br/> NOTE: If you want to filter the data by different site types, then export the data and use the Root Web Template column. | +|Root Web Template |The template used for creating the site. **NOTE**: If you want to filter the data by different site types, then export the data and use the Root Web Template column. | | Site ID | The site ID of the site. | -Note that you may see differences between the sites listed above and those listed on the [Active sites page](https://go.microsoft.com/fwlink/?linkid=2185220) in the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219), from Sites > Active sites because the certain site templates and URLs are not included as Active Sites. See [Manage sites in the SharePoint admin center](/sharepoint/manage-sites-in-new-admin-center) for more information. - +>[!NOTE] +> The SharePoint site URL may not be displayed in related usage reports. To display the site URL, you can use PowerShell. To follow the steps, see [Use PowerShell to resolve site URLs](resolve-site-urls.md). ++Note that you may see differences between the sites listed above and those listed on the [Active sites page](https://go.microsoft.com/fwlink/?linkid=2185220) in the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219), from Sites > Active sites because the certain site templates and URLs are not included as Active Sites. See [Manage sites in the SharePoint admin center](/sharepoint/manage-sites-in-new-admin-center) for more information. |
admin | Viva Insights Activity | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/viva-insights-activity.md | Title: "Microsoft 365 admin center Viva Insights activity reports" Previously updated : 02/22/2022 Last updated : 02/29/2024 audience: Admin As a Microsoft 365 admin, the Reports dashboard shows you the activity overview For example, you can understand the adoption of Viva Insights by looking at the active users. Additionally, you can find a deployment guide to further boost adoption in your organization. -## How do I get to the to the Viva Insights activity report? +## How do I get to the Viva Insights activity report? 1. In the admin center, go to the **Reports**, and then select **Usage**. 2. Find **Viva Insights activity**. -## Interpret the Microsoft 365 Apps usage report +## Interpret the Microsoft 365 Apps usage report You can get a view into your user's Viva Insights activity by looking at the **Active users chart**. The Viva Insights active user chart can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. You can get a view into your user's Viva Insights activity by looking at the **A **Active users** are users that have engaged with at least one Viva Insights feature that day. This includes dwelling for more than 20 seconds on any Viva Insight email, clicking or taking an action on any Insights surfacing, or visiting the Viva Insights app in Teams, Outlook add-in, or web dashboards. ## View the Viva Insights deployment guide+ You can click **Boost adoption of Viva Insights** to view the [Viva Insights Deployment guide](/viva/insights/personal/setup/deployment-guide). |
admin | Stay On Top Of Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/stay-on-top-of-updates.md | With Microsoft 365, you receive new product updates and features as they become > [!NOTE] > You need to be a global administrator to make changes to release preferences.++## Learn about Microsoft 365 previews ++Microsoft 365 releases some features in public preview or private preview to customers. These features are being actively developed and may not be complete. ++During the ΓÇÿPrivate previewΓÇÖ phase, a controlled testing environment is provided that is limited to a small group of customers. Features in private preview are typically more restricted and evaluated by a select set of users. Access to private preview features is usually by invitation only, directly from the product team responsible for the feature or service. Private preview allows for more confidential testing due to the smaller group size. Microsoft provides support for private preview features. It can be seen as a focused, exclusive testing phase before broader public preview. ++During the ΓÇÿPublic previewΓÇÖ phase, Microsoft releases certain features to a broader audience for testing and feedback. These features are made available to a wider group of customers and can be tested and used in production environments. However, they may have restricted or limited functionality and may only apply to specific platforms. Public preview features are actively being developed and may not be complete. Microsoft encourages users to provide feedback during this phase, and public preview features are fully supported by Microsoft. Some features may be available only in selected geographic regions or specific cloud environments. + |
enterprise | Manage Passwords With Microsoft 365 Powershell | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-passwords-with-microsoft-365-powershell.md | Title: "Manage passwords with PowerShell" + Title: "Manage passwords with Microsoft Graph PowerShell" Previously updated : 11/12/2020 Last updated : 03/07/2024 audience: Admin search.appverid: - scotvorg - Ent_O365+- must-keep f1.keywords: - CSH -description: "Learn how to use PowerShell to manage passwords." + - azure-ad-ref-level-one-done +description: "Learn how to use Microsoft Graph PowerShell to manage passwords." -# Manage passwords with PowerShell +# Manage passwords with Microsoft Graph PowerShell *This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.* -You can use PowerShell for Microsoft 365 as an alternative to the Microsoft 365 admin center to manage passwords in Microsoft 365. +You can use Microsoft Graph PowerShell as an alternative to the Microsoft 365 admin center to manage passwords in Microsoft 365. -When a command block in this article requires that you specify variable values, use these steps. +>[!NOTE] +> The Azure Active Directory module is being replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). -1. Copy the command block to the clipboard and paste it into Notepad or the PowerShell Integrated Script Environment (ISE). -2. Fill in the variable values and remove the "<" and ">" characters. -3. Run the commands in the PowerShell window or the PowerShell ISE. +First, use a **Microsoft Entra DC admin**, **Cloud Application Admin**, or **Global admin** account to [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md). -## Use the Azure Active Directory PowerShell for Graph module --First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module). --### Set a password --Use these commands to specify a password for a user account. +Managing passwords for a user requires the **User.ReadWrite.All** permission scope or one of the other permissions listed in the ['Assign license' Graph API reference page](/graph/api/user-assignlicense). ```powershell-$userUPN="<user account sign in name, such as belindan@contoso.com>" -$newPassword="<new password>" -$secPassword = ConvertTo-SecureString $newPassword -AsPlainText -Force -Set-AzureADUserPassword -ObjectId $userUPN -Password $secPassword -``` -### Force a user to change their password --Use these commands to set a password and force a user to change their new password. --```powershell -$userUPN="<user account sign in name, such as belindan@contoso.com>" -$newPassword="<new password>" -$secPassword = ConvertTo-SecureString $newPassword -AsPlainText -Force -Set-AzureADUserPassword -ObjectId $userUPN -Password $secPassword -EnforceChangePasswordPolicy $true +Connect-Graph -Scopes User.ReadWrite.All ``` Use these commands to set a password and force a user to change their new password the next time they sign in. Use these commands to set a password and force a user to change their new passwo $userUPN="<user account sign in name, such as belindan@contoso.com>" $newPassword="<new password>" $secPassword = ConvertTo-SecureString $newPassword -AsPlainText -Force-Set-AzureADUserPassword -ObjectId $userUPN -Password $secPassword -ForceChangePasswordNextLogin $true -``` --## Use the Microsoft Azure Active Directory module for Windows PowerShell --First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell). --### Set a password --Use these commands to specify a password for a user account. --```powershell -$userUPN="<user account sign in name>" -$newPassword="<new password>" -Set-MsolUserPassword -UserPrincipalName $userUPN -NewPassword $newPassword -``` --### Force a user to change their password --Use these commands to force a user to change their password. --```powershell -$userUPN="<user account sign in name>" -Set-MsolUserPassword -UserPrincipalName $userUPN -ForceChangePassword $true +Update-MgUser -UserId $userUPN -PasswordProfile @{ ForceChangePasswordNextSignIn = $true; Password = $newPassword } ``` ## See also |
security | Safety Scanner Download | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/safety-scanner-download.md | |
security | Troubleshoot Reporting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md | - Title: Troubleshoot problems with reporting tools for Microsoft Defender Antivirus -description: Identify and solve common problems when attempting to report in Microsoft Defender Antivirus protection status in Update Compliance ----------- m365-security-- tier3-- mde-ngp Previously updated : 02/18/2024---# Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance ----**Applies to:** -- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Business-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)-- Microsoft Defender Antivirus--**Platforms** -- Windows-- Windows Server--> [!IMPORTANT] -> On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Intune family of products](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune), which allows finer control over security features and updates. --You can use Microsoft Defender Antivirus with Update Compliance. You'll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender for Endpoint portal](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx). --When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues. --Typically, the most common indicators of a problem are: --- You only see a small number or subset of all the devices you were expecting to see-- You do not see any devices at all-- The reports and information you do see is outdated (older than a few days)--For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see [Microsoft Defender Antivirus events](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/). --There are three steps to troubleshooting these problems: --1. Confirm that you have met all prerequisites -2. Check your connectivity to the Windows Defender cloud-based service -3. Submit support logs --> [!IMPORTANT] -> It typically takes 3 days for devices to start appearing in Update Compliance. --## Confirm prerequisites --In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Microsoft Defender Antivirus: -->[!div class="checklist"] -> -> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender Antivirus to disable itself](microsoft-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance. -> - [Cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md). -> - Endpoints can [connect to the Microsoft Defender Antivirus cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud) -> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level). -> - It has been 3 days since all requirements have been met --"You can use Microsoft Defender Antivirus with Update Compliance. You'll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" --If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us. --> [!div class="nextstepaction"] -> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data.md) --> [!TIP] -> If you're looking for Antivirus related information for other platforms, see: -> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md) -> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) -> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos) -> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) -> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) -> - [Configure Defender for Endpoint on Android features](android-configure.md) -> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) --> [!TIP] -> **Performance tip** Due to a variety of factors (examples listed below) Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are: -> -> - Top paths that impact scan time -> - Top files that impact scan time -> - Top processes that impact scan time -> - Top file extensions that impact scan time -> - Combinations ΓÇô for example: -> - top files per extension -> - top paths per extension -> - top processes per path -> - top scans per file -> - top scans per file per process -> -> You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. -> See: [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md). -> --## Related topics --- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)-- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) |
security | Fixed Reported Inaccuracies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies.md | This article provides information on inaccuracies that have been reported. You c The following tables present the relevant vulnerability information organized by month: +## March 2024 ++Inaccuracy report ID |Description |Fix date | +|:|:|:| +| - | Defender Vulnerability Management doesn't currently support CVE-2023-4966 | 05-Mar-24 +| 47296 | Defender Vulnerability Management doesn't currently support Bitdefender Vulnerabilities - CVE-2017-17408, CVE-2017-17409 & CVE-2017-17410 | 05-Mar-24 + ## February 2024 Inaccuracy report ID |Description |Fix date | Inaccuracy report ID |Description |Fix date | | - | Defender Vulnerability Management doesn't currently support SAP GUI | 21-Feb-24 | 46606 | Defender Vulnerability Management doesn't currently support Postgresql | 21-Feb-24 | 47700 | Defender Vulnerability Management doesn't currently support Adobe Digital Editions | 21-Feb-24-+| 45297 | Fixed inaccuracy in Tera Term vulnerability - CVE-2023-48995 | 22-Feb-24 +| - | Fixed invalid version detections in Control & Control Client | 23-Feb-24 +| - | Added Microsoft Defender Vulnerability Management support to ConnectWise Control vulnerabilities - CVE-2024-1708 & CVE-2024-1709 | 23-Feb-24 +| 43472 | Added correct version details in all FortiClient CVEs | 25-Feb-24 +| 45727 | Added Microsoft Defender Vulnerability Management support to Box Tools & Box for Office products | 26-Feb-24 +| 47045 | Fixed inaccuracy issues in April 2021 GitLab Vulnerabilities | 26-Feb-24 +| 47174 | Added accurate EOS details for SQL Server Editions | 26-Feb-24 +| 46416 | Fixed inaccuracy in Oracle Kernel-uek-modules | 28-Feb-24 ## January 2024 Inaccuracy report ID |Description |Fix date | | - | Added Microsoft Defender Vulnerability Management support to SAP GUI | 30-Jan-24 | - | Added Microsoft Defender Vulnerability Management support to PostgreSQL | 30-Jan-24 | - | Added Microsoft Defender Vulnerability Management support to Adobe Digital Editions | 30-Jan-24+| - | Fixed inaccuracy in Python Anaconda3 | 30-Jan-24 ## December 2023 |
security | Investigate Users | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md | - - tier2 + - tier2 search.appverid: met150 Last updated 08/04/2023 - Microsoft Defender XDR -The user entity page in Microsoft Defender XDR helps you in your investigation of user identities. The page has all the important information about each identity. If an alert or incident indicates that a user might be compromised or is suspicious, check and investigate the user profile. +The user entity page in Microsoft Defender XDR helps you in your investigation of user identities. The page has all the important information about each identity. If an alert or incident indicates that a user might be compromised or is suspicious, check and investigate the user profile. You can find identity information in the following views: You can find identity information in the following views: - Activity log - Advanced hunting queries - Action center- + A clickable identity link is available in these views that will take you to the **User** page where more details about the user are shown. For example, you can see the details of user accounts identified in the alerts of an incident in the Microsoft Defender portal at **Incidents & alerts** \> ***incident*** \> **Users**. :::image type="content" source="../../media/investigate-users/Fig1-user-incident-overview.png" alt-text="The Users page for an incident in the Microsoft Defender portal." lightbox="../../media/investigate-users/Fig1-user-incident-overview.png"::: This card includes all incidents and alerts, grouped into severities, associated This card includes the calculated investigation priority score breakdown and a two-week trend for an identity, including whether the identity score is on the high percentile for that tenant. -### Active directory account control +### Active directory account control In this card, Defender for Identity surfaces security settings that may need your attentions. You can see important flags about the user, such as if the user can press enter to bypass the password, and if the user has a password that never expires, etc. The timeline represents activities and alerts observed from a user's identity in - **Custom time range picker:** You can choose a timeframe to focus your investigation on the last 24 hours, the last 3 days and so on. Or you can choose a specific timeframe by clicking on **Custom range**. For example: - ![Screenshot that shows how to choose time frame.](media/investigate-users/image.png) - + :::image type="content" source="../../media/image.png" alt-text="Screenshot that shows how to choose time frame." lightbox="../../media/image.png"::: + - **Timeline filters:** In order to improve your investigation experience, you can use the timeline filters: Type (Alerts and/or user's related activities), Alert severity, Activity type, App, Location, Protocol. Each filter depends on the others, and the options in each filter (drop-down) only contains the data that is relevant for the specific user. -- **Export button:** You can export the timeline to a CSV file. Export is limited to the first 5000 records and contains the data as it displays in the UI (same filters and columns). +- **Export button:** You can export the timeline to a CSV file. Export is limited to the first 5000 records and contains the data as it displays in the UI (same filters and columns). - **Customized columns:** You can choose which columns to expose in the timeline by selecting the **Customize columns** button. For example: - ![Screenshot that shows the user's image.](image2.png) + :::image type="content" source="../../media/image2.png" alt-text="Screenshot that shows the user's image." lightbox="../../media/image2.png"::: ### What data types are available? The following data types are available in the timeline:+ - A user's impacted alerts - Active Directory and Microsoft Entra activities - Cloud apps' events The following data types are available in the timeline: ### What information is displayed? The following information is displayed in the timeline:+ - Activity/alert description - Date and time of the activity - Application that performed the activity - Source device/IP address-- [MITRE ATT&CK](https://attack.mitre.org/) techniques +- [MITRE ATT&CK](https://attack.mitre.org/) techniques - Alert status and severity - Country/region where the client IP address is geolocated - Protocol used during the communication The following information is displayed in the timeline: For example: -![Screenshot of the Timeline tab.](media/investigate-users/time.png) > [!NOTE]-> Microsoft Defender XDR can display date and time information using either your local time zone or UTC. The selected time zone will apply to all date and time information shown in the Identity timeline. -> To set the time zone for these features, go to **Settings** > **Security center** > **Time zone**. +> Microsoft Defender XDR can display date and time information using either your local time zone or UTC. The selected time zone will apply to all date and time information shown in the Identity timeline. +> +> To set the time zone for these features, go to **Settings** \> **Security center** \> **Time zone**. ## Remediation actions As needed for in-process incidents, continue your [investigation](investigate-in - [Prioritize incidents](incident-queue.md) - [Manage incidents](manage-incidents.md) --- [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
security | Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md | +appliesto: ✅ Microsoft Defender XDR # What is Microsoft Defender XDR? [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -**Applies to:** --- Microsoft Defender XDR- Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. -Here's a list of the different Microsoft Defender XDR products and solutions that Microsoft Defender XDR coordinates with: +Microsoft Defender XDR helps security teams protect and detect their organizations by using information from other Microsoft security products, including: - [**Microsoft Defender for Endpoint**](../defender-endpoint/microsoft-defender-endpoint.md) - [**Microsoft Defender for Office 365**](../office-365-security/mdo-security-comparison.md) Here's a list of the different Microsoft Defender XDR products and solutions tha - [**Microsoft Data Loss Prevention**](/microsoft-365/compliance/dlp-learn-about-dlp) - [**App Governance**](/defender-cloud-apps/app-governance-manage-app-governance) -Note that the coordination of alerts from Microsoft Entra ID Protection (Microsoft Entra IP) to Microsoft Defender XDR is in public preview and may be substantially modified before it's commercially released. Microsoft Entra IP is available to customers only if they already have Microsoft Defender XDR. With the integrated Microsoft Defender XDR solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft Defender XDR takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities. -<a name='microsoft-365-defender-interactive-guide'></a> --## Microsoft Defender XDR interactive guide --In this interactive guide, you'll learn how to protect your organization with Microsoft Defender XDR. You'll see how Microsoft Defender XDR can help you detect security risks, investigate attacks to your organization, and prevent harmful activities automatically. --[Check out the interactive guide](https://aka.ms/M365Defender-InteractiveGuide) - <a name='microsoft-365-defender-protection'></a> ## Microsoft Defender XDR protection Microsoft Defender XDR services protect: - **Identities with Defender for Identity and Microsoft Entra ID Protection** - Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Entra ID Protection uses the learnings Microsoft has acquired from their position in organizations with Microsoft Entra ID, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. - **Applications with Microsoft Defender for Cloud Apps** - Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps. -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4Bzww] - Microsoft Defender XDR's unique cross-product layer augments the individual service components to: - Help protect against attacks and coordinate defensive responses across the services through signal sharing and automated actions. Microsoft Defender XDR's unique cross-product layer augments the individual serv - Automate response to compromise by triggering self-healing for impacted assets through automated remediation. - Enable security teams to perform detailed and effective threat hunting across endpoint and Office data. -Here's an example of how the Microsoft Defender portal correlates all related alerts across products into a single incident. ---Here's an example of the list of related alerts for an incident. ---Here's an example of query-based hunting on top of email and endpoint raw data. -- Microsoft Defender XDR cross-product features include: - **Cross-product single pane of glass in the Microsoft Defender portal** - A central view for all information on detections, impacted assets, automated actions taken, and related evidence in a single queue and a single pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>. |
security | Microsoft Secure Score Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-whats-new.md | The following recommendations have been added as Microsoft Secure Score improvem - Ensure 'Phishing-resistant MFA strength' is required for Administrators. - Ensure custom banned passwords lists are used. -- Ensure 'Microsoft Azure Management' is limited to administrative roles.+- Ensure 'Windows Azure Service Management API' is limited to administrative roles. **Admin Center:** |
security | Reports Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md | Watch this short video to learn how you can use reports to understand the effect The **Mail latency report** shows you an aggregate view of the mail delivery and detonation latency experienced within your Defender for Office 365 organization. Mail delivery times in the service are affected by many factors, and the absolute delivery time in seconds is often not a good indicator of success or a problem. A slow delivery time on one day might be considered an average delivery time on another day, or vice-versa. This report tries to qualify message delivery based on statistical data about the observed delivery times of other messages. -Client side and network latency aren't included. +Client-side latency and network latency aren't included in the results. On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Mail latency report**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/mailLatencyReport>. In the details table below the chart, the following information is available: Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens: - **Date (UTC)**: **Start date** and **End date**-- **Message view**: One of the following values:- - **All messages** - - **Detonated messages**: One of the following values: - - **Inline detonation**: Attachments and links in messages that are fully tested before delivery by Safe Attachments and Safe Links. - - **Asynchronous detonation**: [Dynamic delivery](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies) of attachments in Safe Attachments and links in email tested after delivery by Safe Links. +- **Message view**: Select one of tne of the following values: + - **All email** + - **Detonated email**: After you select this value, select one of the following values that appears: + - **Inline detonation**: Links and attachments in messages are fully tested by Safe Links and Safe Attachments before delivery. + - **Asynchronous detonation**: [Dynamic delivery](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies) of attachments by Safe Attachments and links in email tested by Safe Links after delivery. When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. On the **Mail latency report** page, the :::image type="icon" source="../../medi The **Post-delivery activities** report shows information about email messages that removed from user mailboxes after delivery by zero-hour auto purge (ZAP). For more information about ZAP, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md). -The report shows real-time information, with updated threat information. +The report shows real-time information with updated threat information. On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Post-delivery activities**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/reports/ZapReport>. The details table below the graph shows the following information: Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens: - **Date (UTC)**: **Start date** and **End date**.-- **Verdict**:+- **Updated threat**: Select one ore mor of the following values: - **No threat** - **Spam** - **Phishing** The details table below the chart provides the following near-real-time view of Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens: - **Date (UTC)**: **Start date** and **End date**.-- **Action**: The same URL click protection actions as previously described.+- **Action**: The same URL click protection actions as previously described. By default, **Allowed** and **Allowed by tenant admin** aren't selected. - **Evaluation**: Select **Yes** or **No**. For more information, see [Try Microsoft Defender for Office 365](try-microsoft-defender-for-office-365.md). - **Domains (separated by commas)**: The URL domains listed in the report results. - **Recipients (separated by commas)**-- **Tag**: **All** or the specified user tag (including priority accounts).+- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. On the **URL threat protection** page, the :::image type="icon" source="../../me :::image type="content" source="../../media/url-threat-protection-report-url-click-by-application-view.png" alt-text="The URL click protection action view in the URL protection report" lightbox="../../media/url-threat-protection-report-url-click-by-application-view.png"::: +> [!TIP] +> URL clicks by guest users are available in the report. Guest user accounts might be compromised or access malicious content inside the organization. + The **View data by URL click by application** view shows the number of URL clicks by apps that support Safe Links: - **Email client** Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Date (UTC)**: **Start date** and **End date**. - **Application**: The same click by application values as previously described.-- **Action**+- **Action**: The same values as shown in the [View data by URL click protection action view](#view-data-by-url-click-protection-action-in-the-url-protection-report). By default, **Allowed** and **Allowed by tenant admin** aren't selected. - **Evaluation**: Select **Yes** or **No**. For more information, see [Try Microsoft Defender for Office 365](try-microsoft-defender-for-office-365.md). - **Domains (separated by commas)**: The URL domains listed in the report results. - **Recipients (separated by commas)**-- **Tag**: **All** or the specified user tag (including priority accounts).+- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. On the **URL threat protection** page, the :::image type="icon" source="../../medi#export-report-data)** actions are available. -> [!NOTE] -> URL clicks by guest users are also available in the report. The guest user account could still be compromised or access malicious content inside the organization. - ## Additional reports to view In addition to the reports described in this article, the following tables describe other available reports that are available: |
security | Reports Email Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md | Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Date (UTC)**: **Start date** and **End date**. - **Activity**: **Restricted** or **Suspicious**-- **Tag**: **All** or the specified user tag (including priority accounts).+- **Tag**: Select **All** or the specified user tag (including priority accounts). For more information, see [User tags](user-tags-about.md). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. On the **Mailflow status report** page, the **Type** tab is selected by default. - **Spam**: Email that's blocked as spam by various filters. - **Edge protection**: Email that's rejected at the edge/perimeter before examination by EOP or Defender for Office 365. - **Rule messages**: Email messages that were quarantined by mail flow rules (also known as transport rules).+- **Data loss prevention**: Email messages that were quarantined by [data loss prevention (DLP) policies](/purview/dlp-learn-about-dlp). The details table below the graph shows the following information: The details table below the graph shows the following information: Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens: - **Date (UTC)**: **Start date** and **End date**.-- **Mail direction**: **Inbound** and **Outbound**.-- **Type**:+- **Mail direction**: Select **Inbound**, **Outbound**, and **Intra-org**. +- **Type**: Select one or more of the following values: - **Good mail** - **Malware** - **Spam** - **Edge protection** - **Rule messages** - **Phishing email**+ - **Data loss prevention** +- **Domain**: Select **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. On the **Type** tab, select **Choose a category for more details** to see more information: -- **Phishing email**: This selection takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report).-- **Malware in email**: This selection takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report).-- **Spam detections**: This selection takes you to the [Spam detections report](reports-email-security.md#spam-detections-report).+- **Phishing email**: This selection takes you to [View data by Email \> Phish and Chart breakdown by Detection Technology](#view-data-by-email--phish-and-chart-breakdown-by-detection-technology) in the Threat protection status report. +- **Malware in email**: This selection takes you to [View data by Email \> Malware and Chart breakdown by Detection Technology](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) in the Threat protection status report. +- **Spam detections**: This selection takes you to [View data by Email \> Spam and Chart breakdown by Detection Technology](#view-data-by-email--spam-and-chart-breakdown-by-detection-technology) in the Threat protection status report. On the ***Type** tab, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)** and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available. On the ***Type** tab, the :::image type="icon" source="../../media/m365-cc-sc-cr On the **Direction** tab, the chart shows the following information for the specified date range: - **Inbound**+- **Intra-org** - **Outbound** Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens: - **Date (UTC)**: **Start date** and **End date**.-- **Mail direction**: **Inbound** and **Outbound**.-- **Type**:+- **Mail direction**: Select **Inbound**, **Outbound**, and **Intra-org**. +- **Type**: Select one or more of the following values: - **Good mail** - **Malware** - **Spam** - **Edge protection** - **Rule messages** - **Phishing email**+ - **Data loss prevention**: Email messages that were quarantined by [data loss prevention (DLP) policies](/purview/dlp-learn-about-dlp). +- **Domain**: Select **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. On the **Direction** tab, select **Choose a category for more details** to see more information: -- **Phishing email**: This selection takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report).-- **Malware in email**: This selection takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report).-- **Spam detections**: This selection takes you to the [Spam Detections report](reports-email-security.md#spam-detections-report).+- **Phishing email**: This selection takes you to [View data by Email \> Phish and Chart breakdown by Detection Technology](#view-data-by-email--phish-and-chart-breakdown-by-detection-technology) in the Threat protection status report. +- **Malware in email**: This selection takes you to [View data by Email \> Malware and Chart breakdown by Detection Technology](#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) in the Threat protection status report. +- **Spam detections**: This selection takes you to [View data by Email \> Spam and Chart breakdown by Detection Technology](#view-data-by-email--spam-and-chart-breakdown-by-detection-technology) in the Threat protection status report. On the **Direction** tab, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create schedule** and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** actions are available. The diagram is organized into the following horizontal bands: - **Edge block**: Messages that were filtered at the edge and identified as Edge Protection. - **Processed**: Messages that were handled by the filtering stack. - Outcomes band:+ - **Data loss prevention block** - **Rule Block**: Messages that were quarantined by Exchange mail flow rules (transport rules). - **Malware block**: Messages that were identified as malware.<sup>\*</sup> - **Phishing block**: Messages that were identified as phishing.<sup>\*</sup> Select a row in the details table to see a further breakdown of the email counts Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens: - **Date (UTC)** **Start date** and **End date**.-- **Direction**: **Inbound** and **Outbound**.+- **Mail direction**: Select **Inbound**, **Outbound**, and **Intra-org**. +- **Domain**: Select **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. The chart shows the following information: - **Pending** - **Completed** -The details table below the graph shows the same information and has the same :::image type="icon" source="../../medi#view-email-admin-submissions-to-microsoft). +The details table below the graph shows the same information and has the same available actions actions as the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>: ++- :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** +- :::image type="icon" source="../../media/m365-cc-sc-group-icon.png" border="false"::: **Group** +- :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Submit to Microsoft for analysis** ++For more information, see [View email admin submissions to Microsoft](submissions-admin.md#view-email-admin-submissions-to-microsoft). Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens: Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Submitted by** - **Reason for submitting**: - **Not junk**+ - **Appears clean** + - **Appears suspicious** - **Phish** - **Malware** - **Spam** - **Rescan status**: - **Pending** - **Completed**-- **Tags**: For more information about user tags, see [User tags](user-tags-about.md).+- **Tags**: **All** or one or more [user tags](user-tags-about.md). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. -On the **Submissions** report page, the **[Export](#export-report-data)** action is available. +On the **Submissions** page, the **[Export](#export-report-data)** action is available. :::image type="content" source="../../media/submissions-report-page.png" alt-text="The Submissions report page in the Microsoft Defender portal." lightbox="../../media/submissions-report-page.png"::: In the **View data by Overview** view, the following detection information is sh - **Email malware** - **Email phish** - **Email spam**-- **Content malware** (Defender for Office 365 only)+- **Content malware** (Defender for Office 365 only: Files detected by [Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams](anti-malware-protection-for-spo-odfb-teams-about.md) and [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)) No details table is available below the chart. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Date (UTC)** **Start date** and **End date**. - **Detection**: The same values as in the chart. - **Protected by**: **MDO** (Defender for Office 365) and **EOP**.-- **Tag**: **All** or the specified user tag (including priority accounts). For more information about user tags, see [User tags](user-tags-about.md).-- **Direction**:- - **All** - - **Inbound** - - **Outbound** -- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).-- **Policy type**:- - **All** +- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). +- **Direction**: Leave the value **All** or remove it, double-click in the empty box, and then select **Inbound**, **Outbound**, or **Intra-org**. +- **Domain**: Leave the value **All** or remove it, double-click in the empty box, and then select an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). +- **Policy type**: Leave the value **All** or remove it, double-click in the empty box, and then select one of the following values: - **Anti-malware** - **Safe Attachments** - **Anti-phish** Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Priority account protection**: **Yes** and **No**. For more information, see [Configure and review priority account protection in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md). - **Evaluation**: **Yes** or **No**. - **Protected by**: **MDO** (Defender for Office 365) and **EOP**-- **Direction**:- - **All** - - **Inbound** - - **Outbound** -- **Tag**: **All** or the specified user tag (including priority accounts).-- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).-- **Policy type**:- - **All** +- **Direction**: Leave the value **All** or remove it, double-click in the empty box, and then select **Inbound**, **Outbound**, or **Intra-org**. +- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). +- **Domain**: Leave the value **All** or remove it, double-click in the empty box, and then select an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). +- **Policy type**: Select **All** or one of the following values: - **Anti-malware** - **Safe Attachments** - **Anti-phish** - **Anti-spam** - **Mail flow rule** (transport rule) - **Others**-- **Policy name (details table view only)**: **All** or the specified policy.-- **Recipients**+- **Policy name (details table view only)**: Select **All** or a specific policy. +- **Recipients (separated by commas)** When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord If the **Detection** value **Bulk** isn't selected, the slider is grayed-out and bulk detections aren't included in the report. - **Priority account protection**: **Yes** and **No**. For more information, see [Configure and review priority account protection in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md).-- **Direction**:- - **All** - - **Inbound** - - **Outbound** -- **Tag**: **All** or the specified user tag (including priority accounts).-- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).-- **Policy type**:- - **All** +- **Direction**: **All** or enter **Inbound**, **Outbound** and **Intra-org**. +- **Direction**: Leave the value **All** or remove it, double-click in the empty box, and then select **Inbound**, **Outbound**, or **Intra-org**. +- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). +- **Domain**: Leave the value **All** or remove it, double-click in the empty box, and then select an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). +- **Policy type**: Select **All** or one of the following values: - **Anti-malware** - **Safe Attachments** - **Anti-phish** - **Anti-spam** - **Mail flow rule** (transport rule) - **Others**-- **Policy name (details table view only)**: **All** or the specified policy.+- **Policy name (details table view only)**: Select **All** or a specific policy. - **Recipients** When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Priority account protection**: **Yes** and **No**. For more information, see [Configure and review Priority accounts in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md). - **Evaluation**: **Yes** or **No**. - **Protected by**: **MDO** (Defender for Office 365) and **EOP**-- **Direction**:- - **All** - - **Inbound** - - **Outbound** -- **Tag**: **All** or the specified user tag (including priority accounts).-- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).-- **Policy type**:- - **All** +- **Direction**: Leave the value **All** or remove it, double-click in the empty box, and then select **Inbound**, **Outbound**, or **Intra-org**. +- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). +- **Domain**: Leave the value **All** or remove it, double-click in the empty box, and then select an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). +- **Policy type**: Select **All** or one of the following values: - **Anti-malware** - **Safe Attachments** - **Anti-phish** - **Anti-spam** - **Mail flow rule** (transport rule) - **Others**-- **Policy name (details table view only)**: **All** or the specified policy.-- **Recipients**+- **Policy name (details table view only)**: Select **All** or a specific policy. +- **Recipients (separated by commas)** When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Priority account protection**: **Yes** and **No**. For more information, see [Configure and review Priority accounts in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md). - **Evaluation**: **Yes** or **No**. - **Protected by**: **MDO** (Defender for Office 365) and **EOP**-- **Direction**:- - **All** - - **Inbound** - - **Outbound** -- **Tag**: **All** or the specified user tag (including priority accounts).-- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).-- **Policy type**:- - **All** +- **Direction**: Leave the value **All** or remove it, double-click in the empty box, and then select **Inbound**, **Outbound**, or **Intra-org**. +- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). +- **Domain**: Leave the value **All** or remove it, double-click in the empty box, and then select an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). +- **Policy type**: Select **All** or one of the following values: - **Anti-malware** - **Safe Attachments** - **Anti-phish** - **Anti-spam** - **Mail flow rule** (transport rule) - **Others**-- **Policy name (details table view only)**: **All** or the specified policy.-- **Recipients**+- **Policy name (details table view only)**: Select **All** or a specific policy. +- **Recipients (separated by commas)** <sup>\*</sup> Defender for Office 365 only Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Date (UTC)** **Start date** and **End date** - **Detection**: Detection technology values as previously described in this article and at [Detection technologies](/office/office-365-management-api/office-365-management-activity-api-schema#detection-technologies). - **Protected by**: **MDO** (Defender for Office 365) and **EOP**-- **Direction**:- - **All** - - **Inbound** - - **Outbound** -- **Tag**: **All** or the specified user tag (including priority accounts).-- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).-- **Policy type**:- - **All** +- **Direction**: Leave the value **All** or remove it, double-click in the empty box, and then select **Inbound**, **Outbound**, or **Intra-org**. +- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). +- **Domain**: Leave the value **All** or remove it, double-click in the empty box, and then select an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). +- **Policy type**: Select **All** or one of the following values: - **Anti-malware** - **Safe Attachments** - **Anti-phish** - **Anti-spam** - **Mail flow rule** (transport rule) - **Others**-- **Policy name (details table view only)**: **All** or the specified policy.-- **Recipients**+- **Policy name (details table view only)**: Select **All** or a specific policy. +- **Recipients (separated by commas)** <sup>\*</sup> Defender for Office 365 only On the **Threat protection status** page, the :::image type="icon" source="../.. In the **View data by System override** and **Chart breakdown by Reason** view, the following override reason information is shown in the chart: -- **On-premises skip**-- **IP Allow**+- **Data Loss Prevention**: Email messages that were quarantined by [data loss prevention (DLP) policies](/purview/dlp-learn-about-dlp). - **Exchange transport rule**-- **Organization allowed senders**-- **Organization allowed domains**-- **ZAP not enabled**-- **User Safe Sender**-- **User Safe Domain**-- **Sender Domain List**-- **Trusted Senders List (Outlook)**-- **Trusted Recipient Address List**-- **Trusted Recipient Domain List**-- **Trusted Contact List - Sender in Address Book** - **Exclusive setting (Outlook)**+- **IP Allow** +- **On-premises skip** +- **Organization allowed domains** +- **Organization allowed senders** - **Phishing simulation**: For more information, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](advanced-delivery-policy-configure.md).-- **Third party filter**-- **TABL - URL allowed**-- **TABL - File allowed**+- **Sender Domain List** - **TABL - Both URL and file allowed**-- **TABL Sender email address Allow**-- **TABL - URL blocked**+- **TABL - File allowed** - **TABL - File blocked**+- **TABL - URL allowed** +- **TABL - URL blocked** +- **TABL Sender email address Allow** - **TABL Sender email address block** - **TABL Spoof Block**-- **Data Loss Prevention**+- **Third party filter** +- **Trusted Contact List - Sender in Address Book** +- **Trusted Recipient Address List** +- **Trusted Recipient Domain List** +- **Trusted Senders List (Outlook)** +- **User Safe Domain** +- **User Safe Sender** +- **ZAP not enabled** In the details table below the chart, the following information is available: Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Date (UTC)** **Start date** and **End date** - **Reason**: The same values as the chart.-- **Delivery Location**: **Junk Mail folder not enabled** or **SecOps mailbox**.-- **Direction**:- - **All** - - **Inbound** - - **Outbound** -- **Tag**: **All** or the specified user tag (including priority accounts).-- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).-- **Policy type**: **All**-- **Policy name (details table view only)**: **All**-- **Recipients**+- **Delivery Location**: **Junk Mail folder not enabled** and **SecOps mailbox**. +- **Direction**: Leave the value **All** or remove it, double-click in the empty box, and then select **Inbound**, **Outbound**, or **Intra-org**. +- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). +- **Domain**: Leave the value **All** or remove it, double-click in the empty box, and then select an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). +- **Policy type**: Select **All** or one of the following values: + - **Anti-malware** + - **Safe Attachments** + - **Anti-phish** + - **Anti-spam** + - **Mail flow rule** (transport rule) + - **Others** +- **Policy name (details table view only)**: Select **All** or a specific policy. +- **Recipients (separated by commas)** When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Date (UTC)** **Start date** and **End date** - **Reason**: The same values as in [Chart breakdown by Policy type](#chart-breakdown-by-policy-type)-- **Delivery Location**: **Junk Mail folder not enabled** or **SecOps mailbox**.-- **Direction**:- - **All** - - **Inbound** - - **Outbound** -- **Tag**: **All** or the specified user tag (including priority accounts). For more information about user tags, see [User tags](user-tags-about.md).-- **Domain**: **All** or an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).-- **Policy type**:- - **All** +- **Delivery Location**: **Junk Mail folder not enabled** and **SecOps mailbox**. +- **Direction**: Leave the value **All** or remove it, double-click in the empty box, and then select **Inbound**, **Outbound**, or **Intra-org**. +- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md). +- **Domain**: Leave the value **All** or remove it, double-click in the empty box, and then select an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). +- **Policy type**: Select **All** or one of the following values: - **Anti-malware**- - **Safe Attachments** (Defender for Office 365 only) + - **Safe Attachments** - **Anti-phish** - **Anti-spam** - **Mail flow rule** (transport rule) - **Others**-- **Policy name (details table view only)**: **All**-- **Recipients**+- **Policy name (details table view only)**: Select **All** or a specific policy. +- **Recipients (separated by commas)** When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. On the **Top senders and recipients** page, a larger version of the pie chart is - **Show data for Top phishing recipients** - **Show data for Top malware recipients (MDO)** - **Show data for Top phish recipients (MDO)**+- **Show data for Top intra.org mail senders** +- **Show data for Top intra.org mail recipients** +- **Show data for Top intra.org spam recipients** +- **Show data for Top intra.org malware recipients** +- **Show data for Top intra.org phishing recipients** +- **Show data for Top intra.org phishing recipients (MDO)** +- **Show data for Top intra.org malware recipients (MDO)** Hover over a wedge in the pie chart to see the message count for that specific sender or recipient. For each chart, the details table below the chart shows the following informatio Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens: - **Date (UTC)** **Start date** and **End date**-- **Tag**+- **Tag**: Select **All** or the specified user tag (including priority accounts). For more information, see [User tags](user-tags-about.md). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. To go directly to the **User reported** tab on the **Submissions** page in the D The chart shows the following information: -- **Spam**-- **Phish** - **Not junk**+- **Phish** +- **Spam** -The details table below the graph shows the same information and has the same actions that are available on the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user> +The details table below the graph shows the same information and has the same actions that are available on the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>: - :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** - :::image type="icon" source="../../media/m365-cc-sc-group-icon.png" border="false"::: **Group** For more information, see [View user reported messages to Microsoft](submissions :::image type="content" source="../../media/user-reported-messages-report.png" alt-text="The user-reported messages report." lightbox="../../media/user-reported-messages-report.png"::: -On the **User reported messages** page, the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** action is available. +On the report page, the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** action is available. :::image type="content" source="../../media/user-reported-messages-report.png" alt-text="The user-reported messages report." lightbox="../../media/user-reported-messages-report.png"::: If you don't see data in the reports, check the report filters and double-check ## Download and export report information -Depending on the report and possibly the specific view in the report, one or more of the following actions might be available on the main report page as previously described: +Depending on the report and the specific view in the report, one or more of the following actions might be available on the main report page as previously described: - :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** - :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)** |