-description: "Learn about the Copilot page in the Microsoft 365 admin center."

-You can manage Microsoft Copilot for Microsoft 365 through the Microsoft 365 admin center by using the Copilot page. Use the Copilot page to review licensing, get the latest information, and to view additional resources. You can also manage how users in your organization interact with Microsoft Copilot for Microsoft 365, Security Copilot, and more.

-## How to get to the Copilot page

-## How can I use the Copilot page?

-In this dashboard, you can access essential resources to help your organization use Copilot effectively:

-This control navigates you to the Integrated App settings to control how non-Microsoft apps and first party apps can work with Microsoft Copilot for Microsoft 365.

-### Data Security and Compliance

-This link navigates you to the Microsoft Purview compliance portal where you can manage sensitivity labels, retention policies, Copilot interactions, audit records for Copilot, search Copilot interactions, and configure how Microsoft Copilot for Microsoft 365 interacts and references protected documents. Learn more about [how to protect and manage Microsoft Copilot for Microsoft 365 interactions with Microsoft Purview](/purview/ai-microsoft-purview).

-### Security Copilot

-This link directs you to the Security Copilot portal to manage settings. Security Copilot is a separate product and license from Microsoft Copilot for Microsoft 365. If purchased, you can use this link to navigate to Microsoft Security Copilot settings page. To learn more, see [Microsoft Security Copilot](/security-copilot/).

-### Latest info

-You can get the latest information on Copilot by viewing the top three latest updates in the Message Center. To view a list of all Copilot posts for your organization, you can use this page to visit the Message Center.

-### Microsoft Copilot for Microsoft 365 resources

-You can view additional resources for Microsoft Copilot for Microsoft 365 to help you learn more. HereΓÇÖs a list of resources you can access through the Copilot page:

-### Applying principles of Just Enough Access

-|Mobile application protection |Enable your users to securely access corporate information using the Microsoft 365 mobile app and line-of-business apps they know, while ensuring security of data by helping to restrict actions like copy, cut, paste, and save as, to only those apps managed approved for corporate data. Works even if the devices aren't enrolled to Basic Mobility and Security. See Protect app data using MAM policies. |No|Yes|

-In addition to features listed in the preceding table, Basic Mobility and Security and Intune both include a set of remote actions that send commands to devices over the internet. For example, you can remove Microsoft 365 data from an employeeΓÇÖs device while leaving personal data in place (retire), remove Microsoft 365 apps from an employee's device (wipe), or reset a device to its factory settings (full wipe).

-Basic Mobility and Security remote actions include retire, wipe and full wipe. For more information on Basic Mobility and Security actions, see [capabilities of Basic Mobility and Security](capabilities.md).

-With Intune you have the following set of actions:

-|**Security Policy**|**Android**|**Samsung KNOX**|**iOS**|**Notes**|

-|**What's removed**|**iOS**|**Android (including Samsung KNOX**|

- - AdminSurgePortfolio

- - has-azure-ad-ps-ref

- - azure-ad-ref-level-one-done

-If you're using Basic Mobility and Security, there might be devices that you can't manage with Basic Mobility and Security. If so, you should block Exchange ActiveSync app access to Microsoft 365 email for mobile devices that aren't supported by Basic Mobility and Security. This helps secure your organization information across more devices.

-3. If your account has the necessary permissions you'll see "Welcome To Microsoft Graph!" in the Powershell window.

-2. Save it as a Windows PowerShell script file by using the file extension .ps1; for example, Get-MgGraphDeviceOwnership.ps1.

-The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to specify the file name and path of the CSV.

- - next-gen

- - mde-edr

- - admindeeplinkDEFENDER

-[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode.

-> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode.

-> Starting with [platform version 4.18.2202.X](microsoft-defender-antivirus-updates.md), you can now set EDR in block mode to target specific device groups using Intune CSPs. You can continue to set EDR in block mode tenant-wide in the [Microsoft Defender portal](https://security.microsoft.com).

-> EDR in block mode is primarily recommended for devices that are running Microsoft Defender Antivirus in passive mode (a non-Microsoft antivirus solution is installed and active on the device).

-### Microsoft Defender XDR

-|Microsoft Defender for Endpoint|Devices must be onboarded to Defender for Endpoint. See the following articles: <br/>- [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)<br/>- [Onboard devices and configure Microsoft Defender for Endpoint capabilities](onboard-configure.md)<br/>- [Onboard Windows servers to the Defender for Endpoint service](configure-server-endpoints.md)<br/>- [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution)<br/>(See [Is EDR in block mode supported on Windows Server 2016 and Windows Server 2012 R2?](edr-block-mode-faqs.yml)) |

- > [!NOTE]

- > For Windows2012 R2 and Windows Server 2016 to appear in Firewall reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution).

- - The two PowerShell commands are:

-```powershell

-param (

- [switch]$remediate

-)

-try {

- $categories = "Filtering Platform Packet Drop,Filtering Platform Connection"

- $current = auditpol /get /subcategory:"$($categories)" /r | ConvertFrom-Csv

- if ($current."Inclusion Setting" -ne "failure") {

- if ($remediate.IsPresent) {

- Write-Host "Remediating. No Auditing Enabled. $($current | ForEach-Object {$_.Subcategory + ":" + $_.'Inclusion Setting' + ";"})"

- $output = auditpol /set /subcategory:"$($categories)" /failure:enable

- if($output -eq "The command was successfully executed.") {

- Write-Host "$($output)"

- exit 0

- }

- else {

- Write-Host "$($output)"

- exit 1

- }

- }

- else {

- Write-Host "Remediation Needed. $($current | ForEach-Object {$_.Subcategory + ":" + $_.'Inclusion Setting' + ";"})."

- exit 1

- }

- }

-}

-catch {

- throw $_

-}

-```

-> Make sure to follow the instructions from the section above and properly configure your devices for the early preview participation.

- - Additional reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.

-Firewall reports support drilling from the card directly into **Advanced Hunting** by clicking the **Open Advanced hunting** button. The query will be pre-populated.

-In Microsoft Defender, you can connect workspaces by selecting **Connect a workspace** in the top banner. This button appears if you're eligible to onboard a Microsoft Sentinel workspace onto the unified Microsoft Defender portal. Follow the steps in: **[Onboarding a workspace](https://aka.ms/onboard-microsoft-sentinel)**.

-## Unified advanced hunting

-### What to expect for Defender XDR tables streamed to Microsoft Sentinel

-### Where to find your Microsoft Sentinel data

-### View schema information

-### Use functions

-### Use saved queries

-You need to select the following permissions before submitting inquires to our Defender experts. For more details about role-based access control (RBAC) permissions, see: [Microsoft Defender for Endpoint and Microsoft Defender XDR RBAC permissions](/microsoft-365/security/defender/compare-rbac-roles#map-defender-for-endpoint-and-defender-vulnerability-management-permissions-to-the-microsoft-defender-xdr-rbac-permissions).

-Organizations without Defender for Office 365 Plan 2 can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free. Use the 90-day Defender for Office 365 evaluation at <https://security.microsoft.com/atpEvaluation>. Learn about who can sign up and trial terms [here](try-microsoft-defender-for-office-365.md) or you can use the [Threat protection status report](reports-email-security.md#threat-protection-status-report) to identify wanted and unwanted bulk senders:

-4. In Defender for Office 365 Plan 2, select a bulk message to investigate, and then select email entity to learn more about the sender.

-description: Admins can learn about the Email entity page in Microsoft Defender for Office 365. This page show many details about email messages. For example, email headers, threat detection details, the latest and original delivery locations, delivery actions, and IDs (for example, the Network message ID and the associated Alert Id).

-# The Email entity page

-Microsoft 365 organizations that have [Microsoft Defender for Office 365](mdo-about.md) included in their subscription or purchased as an add-on have a 360-degree view of email using the **Email entity page**. This go-to email page was created to enhance information delivered throughout Defender for Office 365 and Microsoft Defender XDR.

-See email details in the experiences below, including [previewing and downloading the email](#email-preview-and-download-for-cloud-mailboxes), the email headers *with the option to copy*, Detection details, Threats detected, Latest and Original delivery locations, Delivery actions, and IDs like Alert ID, Network Message ID and more.

-## Where to find the Email email entity page

-The :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** action is available in the Microsoft Defender portal wherever you find details about email messages. For example:

- - Verify the **All email** view is selected \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry.

- - Select the **Malware** view \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry.

- - Select the **Phish** view \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry.

- **Open email entity** is available at the top of the Subject details flyout that opens. For more information, see [Email view for the details area of the All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer).

-> [!NOTE]

-> The permissions needed to view and use this page are the same as to view **Explorer**. The admin must be a member of Global admin or global reader, or Security admin or Security Reader. For more information, see [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md).

-## How to read the email entity page

-The structure is designed to be easy to read and navigate through at a glance. Various tabs along the top of the page allow you to investigate in more detail. Here's how the layout works:

-1. The most required fields are on the left side of the fly-out. These details are 'sticky', meaning they're anchored to the left no matter the tab you navigate to in the rest of the fly-out.

- :::image type="content" source="../../media/email-entities-3-left-panel.png" alt-text="The Graphic of the email entity page with the left side highlighted" lightbox="../../media/email-entities-3-left-panel.png":::

-2. On the top-right corner are the actions that can be taken on an email. Any actions that can be taken through **Explorer** are also available through email entity page.

- :::image type="content" source="../../media/email-entities-5-preview.png" alt-text="The Graphic of the email entity page with the right side highlighted" lightbox="../../media/email-entities-5-preview.png":::

-3. Deeper analysis can be done by sorting through the rest of the page. Check the email detection details, email authentication status, and header. This area should be looked on a case-by-case basis, but the info in these tabs is available for any email.

- :::image type="content" source="../../media/email-entities-4-middle-panel.png" alt-text="The main panel of the page which includes the email header and authentication status" lightbox="../../media/email-entities-4-middle-panel.png":::

-### How to use the email entity page tabs

-The tabs along the top of the entity page allow you to investigate email efficiently.

-1. **Timeline**: The timeline view for an email (per **Explorer** timeline) shows the original delivery to post-delivery events that happen on an email. For emails that have no post-delivery actions, the view shows the original delivery row in timeline view. Events like: Zero-hour auto purge (ZAP), Remediations, User and Admin submissions, Quarantine information, URL clicks and more, from sources like: system, admin, and user, show up here, in the order in which they occurred.

-2. **Analysis**: Analysis shows fields that help admins analyze an email in depth. For cases where admins need to understand more about detection, sender / recipient, and email authentication details, they should use the Analysis tab. Links for Attachments and URLs are also found on this page, under 'Related Entities'. Both attachments and identified threats are numbered here, and clicking takes you straight to the Attachments and URL pages. This tab also has a View header option to *show the email header*. Admins can compare any detail from email headers, side by side with information on the main panel, for clarity.

-3. **Attachments**: This examines attachments found in the email with other details found on attachments. The number of attachments shown is currently limited to 10. Notice that detonation details for attachments found to be malicious is also shown here.

-4. **URLs**: This tab lists URLs found in the email with other details about the URLs. The number of URLs is limited to 10 right now, but these 10 are prioritized to show *malicious URLs first*. Prioritization saves you time and guess-work. The URLs that were found to be malicious and detonated are also shown here.

-5. **Similar emails**: This tab lists all emails similar to the *network message id + recipient* combination specific to this email. Similarity is based on the *body of the message*, only. The determinations made on mails to categorize them as 'similar' don't include a consideration of *attachments*.

-## Available on the email entity page

-Here are some helpful specifics to get started.

-### Email preview and download for Cloud mailboxes

-Admins can preview and download emails in Cloud mailboxes, ***if*** the mails are still accessible to Microsoft in an Exchange Online mailbox. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), the emails are no longer present in the Exchange Online mailbox. In that case, admins won't be able to preview or download those specific emails. Emails that were dropped, or where delivery failed, never made it into the mailbox and as a result, admins won't be able to preview or download those emails either.

-> [!IMPORTANT]

-> Previewing and downloading emails requires a special role called **Preview**. You can assign this role in the following locations:

->

-> - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Raw data (email & collaboration)/Email & collaboration content (read)**.

-> - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Data Investigator** or **eDiscovery Manager** role groups. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) and add the **Preview** role to it.

-### Detonation details

-These details are specific to email attachments and URLs. Users can see these details by going to Explorer and applying the *detection technology* filter set to file detonation or URL detonation. Emails filtered for file detonation will contain a malicious file with detonation details, and those filtered for URLs contain a malicious URL and its detonation details.

-Users see enriched detonation details for known malicious attachments or URLs found in their emails, which got detonated for their specific tenant. It includes the Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated.

-1. *Detonation chain*. A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs affected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious.

- > [!NOTE]

- > This may show just the top level item if none of the entities linked to it were found to be problematic, or were detonated.

-1. *Detonation Summary* gives a basic summary for detonation such as *analysis time*, the time when detonation occurred, OS and application, the operating system and application in which the detonation occurred, file size, and verdict reason.

-1. *Screenshots* show the screenshots captured during detonation. There can be multiple screenshots during detonation. No screenshots are captured for

- - Container type files like .zip or .rar.

- - If a URL opens into a link that directly downloads a file. However, you'll see the downloaded file in the detonation chain.

-1. *Behavior Details* are an export that shows behavior details like exact events that took place during detonation, and observables that contain URLs, IPs, domains, and files that were found during detonation (and can either be problematic or benign). Be aware, there may be no behavior details for:

- - Container files like .zip or .rar that are holding other files.

-### Other features that make the Email entity page helpful

-*Tags*: These are tags applied to users. If the user is a recipient, admins will see a *recipient* tag. Likewise, if the user is a sender, a *sender* tag. This appears in the left side of the email entities page (in the part that's described as *sticky* and, thus, anchored to the page).

-*Latest delivery location*: The latest delivery location is the location where an email landed after system actions like ZAP, or admin actions like Move to Deleted Items, finish. Latest delivery location isn't intended to inform admins of the message's *current* location. For example, if a user deletes a message, or moves it to archive, the delivery location won't be updated. However, if a system action has taken place and updated the location (like a ZAP resulting in an email moving to quarantine) this would update the Latest delivery location to quarantine.

-*Email details*: Details required for a deeper understanding of email available in the *Analysis* tab.

-*Email Authentication*: Email authentication methods used by Microsoft 365 include SPF, DKIM, and DMARC.

- - Pass (IP address): The SPF check for the message passed and includes the sender's IP address. The client is authorized to send or relay email on behalf of the sender's domain.

- - Fail (IP address): The SPF check for the message failed, and includes the sender's IP address. This is sometimes called hard fail.

- - Softfail (reason): The SPF record designated the host as not being allowed to send but is in transition.

- - Neutral: The SPF record explicitly states that it doesn't assert whether the IP address is authorized to send.

- - None: The domain doesn't have an SPF record, or the SPF record doesn't evaluate to a result.

- - Temperror: A temporary error has occurred. For example, a DNS error. The same check later might succeed.

- - Permerror: A permanent error has occurred. For example, the domain has a badly formatted SPF record.

- - Pass: Indicates the DKIM check for the message passed.

- - Fail (reason): Indicates the DKIM check for the message failed and why. For example, if the message wasn't signed or the signature wasn't verified.

- - None: Indicates that the message wasn't signed. This may or may not indicate that the domain has a DKIM record or the DKIM record doesn't evaluate to a result, only that this message wasn't signed.

- - Pass: Indicates the DMARC check for the message passed.

- - Fail: Indicates the DMARC check for the message failed.

- - Bestguesspass: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed.

- - None: Indicates that no DMARC TXT record exists for the sending domain in DNS.

-*Composite Authentication*: This is a value used by Microsoft 365 to combine email authentication like SPF, DKIM, and DMARC, to determine if the message is authentic. It uses the *From:* domain of the mail as the basis of evaluation.

-## Actions you can take on the Email entity Page

-Security teams can take email actions. For example:

-You can also trigger **Tenant level block** actions for files, URLs, or senders from the Email entity page.

-You'll be able to select **Take actions** from the top right corner of the entity page and this will open the Action wizard for you to select the specific action you need.

-> [!TIP]

-> We're adding the ability to take multiple actions together. You can take email remediation actions, create submissions, tenant level block actions (block senders, domains, files, and URLs), investigative actions, and proposed remediation from the **same panel**. Actions are now contextual and grouped together depending on the **latest location of the email message**.

-In the existing Action wizard you can take email actions, create email submissions, block senders and sender domains, take investigative actions, and do two step approval (add to remediation) in the same flyout. The flyout follows a consistent flow for ease of use. The Action wizard uses the same system as Explorer actions (for example, for Delete, Submissions, and Investigation actions). You can see and track these actions in the Unified action center at <https://security.microsoft.com/action-center/history> (for deleted emails), on the Submission page at <https://security.microsoft.com/reportsubmission> (for submissions), and in the Tenant Allow/Block List at <https://security.microsoft.com/tenantAllowBlockList> page (for block entries).

-> [!TIP]

-> These enhancements bring the following benefits:

->

-> - SecOps can now select multiple actions together in the single flow.

-> - We grouped actions together for a logical grouping of good (false positive) and bad (false negative) message actions.

-> - Actions are contextual in nature in the same panel. For example, if the message is in already in Inbox, the **Move to Inbox** action is grayed out.

->

-> There are no changes to the action permissions.

-We're also bringing tenant-level blocks for URLs and attachments to the respective **Email entity**, **URL**, and **Attachments** tabs. After approval, you can track the block entries for URLs and attachments on the **URLs** and **Files** tabs on the **Tenant Allow/Block List** page.

-See [permissions](mdo-portal-permissions.md) required to take these actions.

-### The Email summary panel

-The email summary panel is a summarized view of the full email entity page. It contains standardized details about the email (for example, detections), as well as context-specific information (for example, for Quarantine or Submissions metadata). The email summary panel replaces the traditional email flyouts throughout Microsoft Defender for Office 365.

-> [!NOTE]

-> To view all the components, click on the **Open email entity** link to open the full email entity page.

-The email summary panel is divided into the following sections:

-In addition to the above sections, you also see sections specific to few experiences that are integrated with the summary panel:

- - *Submission details*: Contains information about the specific submissions such as:

- - Date submitted

- - Subject

- - Submission type

- - Reason for submitting

- - Submission ID

- - Submitted by

- - *Result details*: Messages that are submitted are reviewed. You can see the result of your submission as well as any recommended next steps.

- - *Quarantine details*: Contains quarantine-specific details. For more information, see [Manage quarantined messages](quarantine-admin-manage-messages-files.md#view-quarantined-email-details).

- - Expires: The date/time when the message is automatically and permanently deleted from quarantine.

- - Released to: All email addresses (if any) to which the message has been released.

- - Not yet released to: All email addresses (if any) to which the message hasn't yet been released.

- - *Quarantine actions*: For more information on different quarantine actions, see [Manage quarantined messages](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-email).

- - **Preview** role (Email & collaboration): Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to preview and download email messages from cloud mailboxes using [Threat Explorer (Explorer) or Real-time detections](threat-explorer-real-time-detections-about.md#about-threat-explorer-and-real-time-detections-in-microsoft-defender-for-office-365) and the [Email entity page](mdo-email-entity-page.md#email-preview-and-download-for-cloud-mailboxes).

-The email entity page is available from many locations in the Defender portal, including **Threat Explorer** (also known as **Explorer**). For more information, see [The Email entity page](mdo-email-entity-page.md).

-> :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png":::

- - **Released to**: All email addresses (if any) to which the message has been released.

- - **Threats**

- - **Delivery action**

- - **Original location**

- - **Latest delivery location**

- - **Detection technologies**

- - **Primary override**

- - **Sender display name**

- - **Sender address**

- - **SMTP Mail From address**

- - **Sent on behalf of**

- - **Return path**

- - **Sender IP**

- - **Location**

- - **Recipients**

- - **Time received**

- - **Directionality**

- - **Network message ID**

- - **Internet message ID**

- - **Campaign ID**

- - **DMARC**

- - **DKIM**

- - **SPF**

- - **Composite authentication**

- :::image type="content" source="../../media/quarantine-message-selected-message-actions.png" alt-text="Available actions after you select a quarantined message on the Email tab of the Quarantine page." lightbox="../../media/quarantine-message-selected-message-actions.png":::

- :::image type="content" source="../../media/quarantine-message-details-flyout-actions.png" alt-text="Available actions in the details flyout of a selected message." lightbox="../../media/quarantine-message-details-flyout-actions.png":::

-> :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png":::

-> :::image type="content" source="../../media/quarantine-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions being highlighted" lightbox="../../media/quarantine-message-details-flyout-mobile-actions.png":::

-#### Actions for quarantined email messages in Defender for Office 365 Plan 2

-In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), the following actions are also available in the details flyout of a selected message:

-Quarantine in Microsoft Teams is available only in organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5)

-### View quarantined messages in Microsoft Teams

-### View quarantined message details in Microsoft Teams

-1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>.

-2. On the **Teams messages** tab, select the quarantined message by clicking anywhere in the row other than the check box.

-In the details flyout that opens, the following information is available:

-To take action on the message, see the next section.

-> [!TIP]

-> To see details about other quarantined messages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.

-### Take action on quarantined messages in Microsoft Teams

-1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>.

-2. On the **Teams messages** tab, select the quarantined message by using either of the following methods:

- - Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out.

- :::image type="content" source="../../media/quarantine-teams-message-selected-message-actions.png" alt-text="Available actions after you select a quarantined message on the Teams message tab of the Quarantine page." lightbox="../../media/quarantine-teams-message-selected-message-actions.png":::

- - Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens.

- :::image type="content" source="../../media/admin-quarantine-teams-actions-details.png" alt-text="Screenshot of the actions menu for messages in quarantine." lightbox="../../media/admin-quarantine-teams-actions-details.png":::

- Using either method to select the message, some actions are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**.

- - **Source**: Shows the HTML version of the message body with all links disabled.

- - **Plain text**: Shows the message body in plain text.

-The **Mailflow** tab shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. This view uses a horizontal flow diagram (known as a *Sankey* diagram) to provide details on the total email count, and how threat protection features affect this count.

- - **Email body results text**: Enter the custom text to use. You can use different text for **Phishing**, **Junk** and **No threats found**.

- - **Email footer text**: Enter the custom message footer text to use. The same text is used for **Phishing**, **Junk** and **No threats found**.

-### Report Teams messages to Microsoft

-You can't submit Teams messages from the **Teams messages** tab on the **Submissions** page. The only way to submit a Teams message to Microsoft for analysis is to submit a user reported Teams message from the **User reported** tab as described in the [Submit user reported messages to Microsoft for analysis](#submit-user-reported-messages-to-microsoft-for-analysis) section later in this article.

-### View Teams admin submissions to Microsoft

-### Admin submission result details

-Email messages, Teams messages, email attachments, and URLs that admins submit to Microsoft for analysis are available on the corresponding tabs on the **Submissions** page.

-When you select an entry on the tab by clicking anywhere in the row other than the check box next to the first column, complete information about the original reported item, the status of the reported item, and the analysis results of the reported item are shown in the details flyout that opens:

-### Actions for admin submissions in Defender for Office 365 Plan 2

-In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), the following actions are available for admin submissions in the details flyout that opens after you select an entry from the list by clicking anywhere in the row other than the check box:

-Admins can see what users are reporting on the **User reported** tab on the **Submissions** page if the following statements are true:

- - [Actions in Microsoft Defender for Office 365 Plan 2 only](#actions-for-user-reported-messages-in-defender-for-office-365-plan-2):

-#### Actions for user reported messages in Defender for Office 365 Plan 2

-In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), the following actions might also be available in the details flyout of a user reported message on the **User reported** tab:

-In Defender for Office 365 Plan 2, admins can also submit messages from the [Email entity page](mdo-email-entity-page.md#actions-you-can-take-on-the-email-entity-page) and from [Alerts](../defender/investigate-alerts.md) in the Defender portal.

-description: Describes the Teams Message Entity Panel for Microsoft Teams in Microsoft Defender for Office 365, how it does post-breach work like ZAP and Safe Links and gives admins a single pane of glass on Teams chat and channel threats like suspicious URLs.

-# The Teams Message Entity Panel for Microsoft Teams in Microsoft Defender for Office 365

-The Teams Message Entity Panel in Microsoft Defender for Office 365 puts all Microsoft Teams data about suspicious or malicious chats and channels on a *single, actionable panel*.

-The Teams Message Entity Panel is the single source of Teams message metadata for Security Operations team (SecOps) review. In other words, you can see and review threats coming from the following locations in one place:

-## Use the Teams Message Entity Panel in Microsoft Defender for Office 365

-The Teams Message Entity Panel is available for customers with Microsoft 365 E5 and Microsoft Defender for Office 365 Plan 2 subscriptions across all experiences, including:

-To access the Teams Message Entity Panel, you need to be assigned permissions. You have the following options:

- - Membership in the **Global Administrator** or **Security Administrator** roles.

-To open the Teams Message Entity Panel, do any of the following steps.

-### From quarantine

-1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>.

-2. On the **Teams messages** tab, select the Teams message by clicking anywhere in the row other than the check box.

-3. The details flyout that opens is the Teams Message Entity Panel.

-### From admin submissions

-1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Submissions** page, use <https://security.microsoft.com/reportsubmission?viewid=teams>.

-2. On the **Teams messages** tab, select the Teams message by clicking anywhere in the row other than the check box.

-3. The details flyout that opens is the Teams Message Entity Panel.

-### From user reported messages

-1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions** \> **User reported** tab. Or, to go directly to the **User reported** tab on the **Submissions** page, use <https://security.microsoft.com/reportsubmission?viewid=user>.

-2. On the **Teams messages** tab, select the Teams message by clicking anywhere in the row other than the check box. You can filter the messages by selecting :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** \> **Message type** \> **Teams**.

-3. The details flyout that opens is the Teams Message Entity Panel.

-## Teams Message Entity Panel walkthrough

-The panel is designed for easy use.

-Selecting a Teams message across any Microsoft Defender for Office 365 experience opens the Teams Message Entity Panel. The following sections are available:

- - The message subject or the first 100 characters of the body of the message.

- - The current message verdict.

- - The number of URLs present in the message.

- - **Teams message ID**: You can use this value as an identifier of a Teams message in Microsoft Defender for Office 365.

- - **Conversation type**

- - **Chat name**

- - **Name and email**: Contains the name and email addresses of all of the participants (including the sender). If there are more than 10 participants, it also links to a secondary panel that lists all the participants in the chat at the time of the suspected threat.

- - **Conversation type**

- - **Conversation name**: Contains the name of the channel.

- - **Name and email**: Contains the name and address of the channel.

- If there are more than 10 URLs, it also links to a secondary panel that lists all the URLs in the chat and their associated threats.

-In addition to the previous sections, you also see specific sections based on where you open the Teams Message Entity Panel:

-### Quarantine

-The quarantine actions are available at the top of the panel. For more information on different quarantine actions, see [Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages).

- - **Expires**: The date/time when the message will be automatically and permanently deleted from quarantine.

- - **Time received**

- - **Quarantine reason**: The reason the message is in quarantine.

- - **Release status**: Indicates if the message has been released to all participants that received the message.

- - **Policy type**: This value is **None**.

- - **Policy name**: This value is **Teams protection policy**.

- - **Quarantine policy**: The name of quarantine policy that was applied to the message.

-### Admin submissions

-For more information, see [View Teams admin submissions to Microsoft](submissions-admin.md#view-teams-admin-submissions-to-microsoft).

- - **Result**

- - **Recommended steps for email submissions**

- - **Date submitted**

- - **Submission name**

- - **Submission type**: The value is **Teams**

- - **Reason for submitting**

- - **Submission ID**

- - **Submitted by**

- - **Submission status**

-### User reported messages

-The actions are available at the top of the panel. For more information, see [Actions for user reported messages in Defender for Office 365 Plan 2](submissions-admin.md#actions-for-user-reported-messages-in-defender-for-office-365-plan-2).

-For more information, see [View user reported messages to Microsoft](submissions-admin.md#view-user-reported-messages-to-microsoft).

- - **Result**

- - **Recommended steps for email submissions**

- - **Date reported**

- - **Submission name**

- - **Reported reason**

- - **Message reported ID**

- - **Reported by**

- - **Phish simulation**

- - **Converted to admin submission**

- If you select the **Subject** or **Recipient** value of an entry in the table, a details flyout opens. For more information, see [Subject details from the Email view of the details area in the Phish view](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-phish-view) and [Recipient details from the Email view of the details area in the Phish view](threat-explorer-real-time-detections-about.md#recipient-details-from-the-email-view-of-the-details-area-in-the-phish-view).

-<! ### Email timeline

-The **Email timeline** is a new Explorer feature that improves the hunting experience for admins. It cuts the time spent checking different locations to try to understand the event. When multiple events happen at or close to the same time an email arrives, those events are displayed in a timeline view. Some events that happen to your email post-delivery are captured in the **Special action** column. Admins can combine information from the timeline with the special action taken on the mail post-delivery to get insight into how their policies work, where the mail was finally routed, and, in some cases, what the final assessment was.

-For more information, see [Investigate and remediate malicious email that was delivered in Office 365](threat-explorer-investigate-delivered-malicious-email.md). -->

-<! ### View the timeline of your email

-**Email Timeline** is a field in Threat Explorer that makes hunting easier for your security operations team. When multiple events happen at or close to the same time on an email, those events show up in a timeline view. Some events that happen post-delivery to email are captured in the **Special actions** column. Combining information from the timeline of an email message with any special actions that were taken post-delivery gives admins insight into policies and threat handling (such as where the mail was routed, and, in some cases, what the final assessment was). >

- - _Search for Exchange mail flow rules (transport rules) by name in Threat Explorer_: Membership in the **Security Admin** or **Security Reader** roles.

-##### Subject details from the Email view of the details area in the All email view

-When you select an entry by clicking on the **Subject** value, a details flyout opens with the following information:

-> [!TIP]

-> To see details about other message subjects without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.

- - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity**

- - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View header**

- - :::image type="icon" source="../../medi#remediate-using-take-action).

- - :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options**:

- - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Email preview**┬╣

- - :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download email**┬╣

- > [!TIP]

- > **Download email** isn't available for messages that were quarantined. Instead, [download a password protected copy of the message from quarantine](quarantine-admin-manage-messages-files.md#download-email-from-quarantine).

- - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View in Explorer**

- - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Go hunt**

-┬╣ The **Email preview** and **Download email** actions require the **Preview** role in [Email & collaboration permissions](mdo-portal-permissions.md). By default, this role is assigned to the **Data Investigator** and **eDiscovery Manager** role groups. Members of only the **Organization Management** or **Security Administrators** role groups can't open these actions. You can add the members of the groups to the **Data Investigator** and **eDiscovery Manager** role groups, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the same roles as **Organization Management** or **Security Administrator**, and then add the **Search and Purge** role to the custom role group.

- - **Delivery details** section:

- - **Original threats**

- - **Latest threats**

- - **Original location**

- - **Latest delivery location**

- - **Delivery action**

- - **Detection technologies**

- - **Primary override : Source**

- - **Email details** section:

- - **Sender display name**

- - **Sender address**

- - **Sender email from address**

- - **Sent on behalf of**

- - **Return path**

- - **Sender IP**

- - **Location**

- - **Recipient(s)**

- - **Time received**

- - **Directionality**

- - **Network message ID**

- - **Internet message ID**

- - **Campaign ID**

- - **DMARC**

- - **DKIM**

- - **SPF**

- - **Composite authentication**

- - **URLs** section: Details about any URLs in the message:

- - **URL**

- - **Threat** status

- If the message has more than three URLs, select **View all URLs** to see all of them.

- - **Attachments** section: Details about any file attachments in the message:

- - **Attachment name**

- - **Threat**

- - **Detection tech / Malware family**

- If the message has more than three attachments, select **View all attachments** to see all of them.

-##### Subject details from the Email view of the details area in the Malware view

-When you select an entry by clicking on the **Subject** value, a details flyout opens. The information in the flyout is the same as described in [Subject details from the Email view of the details area in the All email view](#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view).

-> [!TIP]

-> The :::image type="icon" source="../../media/m365-cc-sc-go-hunt-icon.png" border="false"::: **Go hunt** action is available only in Threat Explorer. It isn't available in Real-time detections.

-##### Subject details from the Email view of the details area in the Phish view

-When you select an entry by clicking on the **Subject** value, a details flyout opens. The information in the flyout is the same as described in [Subject details from the Email view of the details area in the All email view](#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view).

-> [!TIP]

-> The :::image type="icon" source="../../media/m365-cc-sc-go-hunt-icon.png" border="false"::: **Go hunt** action is available only in Threat Explorer. It isn't available in Real-time detections.

- :::image type="content" source="../../media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png" alt-text="Screenshot of the actions available in the details flyout after you select a Subject value in the Email tab of the details area in the All email view." lightbox="../../media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png":::

-In the [details flyout that opens when you click on a **Subject** value from one of the entries](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view), the **Alert ID** link is available in the **Email details** section of the flyout. Selecting the **Alert ID** link opens the **View alerts** page at <https://security.microsoft.com/viewalertsv2> with the alert selected and the details flyout open for the alert.

- - [The **Subject** details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view)

- - [[The **Subject** details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view)

- - [[The **Subject** details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view)

-<! ### Updated Timeline View

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="../../media/tags-urls.png" alt-text="Screenshot of the URL tags." lightbox="../../media/tags-urls.png":::

->

-Learn more by watching [this video](https://www.youtube.com/watch?v=UoVzN0lYbfY&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=4). >

-[The **Subject** details flyout from the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view) in the **All email**, **Malware**, or **Phish** views shows the associated threats and the corresponding detection technologies that are associated with the email message. A message can have zero, one, or multiple threats.

-<!-- ### Updated timeline view (upcoming)

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="../../media/Email_Timeline.png" alt-text="Screenshot of the updated Timeline View." lightbox="../../media/Email_Timeline.png":::

-Timeline view identifies all delivery and post-delivery events. It includes information about the threat identified at that point of time for a subset of these events. Timeline view also provides information about any additional action taken (such as ZAP or manual remediation), along with the result of that action. Timeline view information includes:

-<!--

-<!--

-To get the recipient email address to use for exceptions for Teams channel protection, use the **Name and email** value from the **Channel details** section of the Teams Message Entity Panel. For more information, see [The Teams Message Entity Panel in Microsoft Defender for Office 365](teams-message-entity-panel.md).