Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
microsoft-365-copilot-page | Microsoft 365 Copilot Page | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-page.md | -description: "Learn about the Copilot page in the Microsoft 365 admin center." +description: "Learn about the Copilot page and how you can manage Copilot for Microsoft 365 settings in the Microsoft 365 admin center." # Manage Microsoft Copilot for Microsoft 365 with the Copilot page -You can manage Microsoft Copilot for Microsoft 365 through the Microsoft 365 admin center by using the Copilot page. Use the Copilot page to review licensing, get the latest information, and to view additional resources. You can also manage how users in your organization interact with Microsoft Copilot for Microsoft 365, Security Copilot, and more. +You can manage Copilot for Microsoft 365 through the Microsoft 365 admin center by going to the Settings tab on the Copilot page. Manage how users in your organization interact with Copilot for Microsoft 365, Copilot for Security, and more. ## Before you begin -- Your organization must have purchased Copilot licenses to access the Copilot page in the Microsoft 365 admin center. While you don't need a license assigned to your admin account, you must have these licenses present within the organization for the Copilot page to be visible. For more information, see [Get started with Microsoft Copilot for Microsoft 365](microsoft-365-copilot-setup.md).+- Your organization must have purchased Copilot licenses to access the Settings tab on the Copilot page in the Microsoft 365 admin center. While you don't need a license assigned to your admin account, you must have these licenses present within the organization for the Copilot page to be visible. For more information, see [Get started with Microsoft Copilot for Microsoft 365](microsoft-365-copilot-setup.md). - You must be a Global Administrator to access the Copilot page. For more information, see [About admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles). -## How to get to the Copilot page +## How to get to the Settings tab on the Copilot page 1. Sign in to the Microsoft 365 admin center. 2. In the left navigation, select **Copilot**. -## How can I use the Copilot page? +3. Select the **Settings** tab. -In this dashboard, you can access essential resources to help your organization use Copilot effectively: +## Settings :::image type="content" source="media/copilot-page-settings.png" alt-text="Screenshot showing the Copilot page in the Microsoft 365 admin center." lightbox="media/copilot-page-settings.png"::: To turn on or turn off Copilot for Microsoft 365 in Bing, Edge, and Windows, fol Microsoft Copilot for Microsoft 365 is powered by an advanced processing and orchestration engine that seamlessly integrates Microsoft 365 apps, Microsoft Graph, and large language models (LLMs) to turn your words into the most powerful productivity tool. While Copilot is already able to use the apps and data within the Microsoft 365 ecosystem, many users still depend on various external tools and services for work management and collaboration. You can extend Microsoft Copilot for Microsoft 365 by building a plugin or by connecting to an external data source. -This control navigates you to the Integrated App settings to control how non-Microsoft apps and first party apps can work with Microsoft Copilot for Microsoft 365. +This control allows you to control how non-Microsoft apps and first party apps can work with Microsoft Copilot for Microsoft 365. ### Improved responses with web content in Copilot for Microsoft 365 This control allows you to enable or disable CopilotΓÇÖs ability to access the public web to get the latest information available when responding to prompts. Note that this is a separate control from Copilot with commercial data protection. Learn more about [how to Manage access to web content in Copilot for Microsoft 365 responses](manage-public-web-access.md). -### Data Security and Compliance +### Data, Security, and Compliance -This link navigates you to the Microsoft Purview compliance portal where you can manage sensitivity labels, retention policies, Copilot interactions, audit records for Copilot, search Copilot interactions, and configure how Microsoft Copilot for Microsoft 365 interacts and references protected documents. Learn more about [how to protect and manage Microsoft Copilot for Microsoft 365 interactions with Microsoft Purview](/purview/ai-microsoft-purview). +This link navigates you to the Microsoft Purview compliance portal where you can manage sensitivity labels, retention policies, Copilot interactions, audit records for Copilot, search Copilot interactions, and configure how Copilot for Microsoft 365 interacts and references protected documents. Learn more about [how to protect and manage Microsoft Copilot for Microsoft 365 interactions with Microsoft Purview](/purview/ai-microsoft-purview). -### Security Copilot +### Microsoft Copilot for Security -This link directs you to the Security Copilot portal to manage settings. Security Copilot is a separate product and license from Microsoft Copilot for Microsoft 365. If purchased, you can use this link to navigate to Microsoft Security Copilot settings page. To learn more, see [Microsoft Security Copilot](/security-copilot/). +This link directs you to the Copilot for Security portal to manage settings. Copilot for Security is a separate product and license from Copilot for Microsoft 365. If purchased, you can use this link to navigate to Copilot for Security settings page. To learn more, see [Copilot for Security](/copilot/security/). -### Latest info +### Copilot for Microsoft 365 feedback logs -You can get the latest information on Copilot by viewing the top three latest updates in the Message Center. To view a list of all Copilot posts for your organization, you can use this page to visit the Message Center. +When users have an issue and aren't able to send feedback logs to Microsoft, you can submit feedback logs on their behalf. The data will include prompts and generated responses, relevant content samples, and additional log file. Using this feature to send feedback logs will temporarily override any user level feedback policy. -### Microsoft Copilot for Microsoft 365 resources --You can view additional resources for Microsoft Copilot for Microsoft 365 to help you learn more. HereΓÇÖs a list of resources you can access through the Copilot page: --- [Microsoft Copilot for Microsoft 365 documentation](index.yml)--- [End user help and learning](https://support.microsoft.com/copilot)--- [Responsible AI Principles and Approach \| Microsoft AI](https://www.microsoft.com/ai/principles-and-approach/)--- [Frequently asked questions about the Microsoft Copilot for Microsoft 365 Early Access Program for businesses](https://support.microsoft.com/office/frequently-asked-questions-about-the-microsoft-365-copilot-early-access-program-for-businesses-6630289c-3e93-4065-8350-fdecadb5a1f3)+To learn more, see [Provide user feedback for Microsoft Copilot for Microsoft 365](provide-feedback.md). |
microsoft-365-copilot-setup | Microsoft 365 Copilot Setup | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-setup.md | Your users must have one of the following base licenses to be eligible for a Cop >[!NOTE] > Customers with Education or Business subscriptions that do not include Teams can still purchase Copilot for Microsoft 365 licenses. -- **Microsoft 365 Apps** desktop applications such as Word, Excel, PowerPoint, Outlook, and Teams. Copilot will be available in web versions of the apps when a license is assigned.To get started with the implementation process, see [Deployment guide for Microsoft 365 Apps](/deployoffice/deployment-guide-microsoft-365-apps).+- **Microsoft 365 Apps** desktop applications such as Word, Excel, PowerPoint, Outlook, and Teams. Copilot will be available in web versions of the apps when a license is assigned. To get started with the implementation process, see [Deployment guide for Microsoft 365 Apps](/deployoffice/deployment-guide-microsoft-365-apps). - **OneDrive Account** You need to have a OneDrive account for several features within Copilot for Microsoft 365, such as saving and sharing your files. For more information, see [Sign in or create an account for OneDrive](https://support.microsoft.com/office/video-sign-in-or-create-an-account-for-onedrive-3adf09fd-90e3-4420-8c4e-b55e2cde40d2?ui=en-us&rs=en-us&ad=us). Your users must have one of the following base licenses to be eligible for a Cop Microsoft Copilot for Microsoft 365 provides the ability for users to find and access their content through natural language prompting. Copilot ensures data security and privacy by adhering to existing obligations and integrating with your organization's policies. It utilizes your Microsoft Graph content with the same access controls as other Microsoft 365 services. To get the most out of Copilot, you should consider optimizing data and content for Search, to ensure optimal secure access. To learn more about privacy with Microsoft Copilot for Microsoft 365, see [Data, Privacy, and Security for Microsoft Copilot for Microsoft 365](microsoft-365-copilot-privacy.md). -### Applying principles of Just Enough Access +## Applying principles of Just Enough Access From the SharePoint admin center, you can review SharePoint site access to check permissions and access to ensure data is secure, prioritizing sites that contain sensitive information. You can check on site privacy by going to Active Sites, then selecting a site, a With an eligible license, you can set up auto-classifiers for content on a SharePoint site by going to the site, selecting the Settings icon on the top right, going to Library Settings, and adjusting default sensitivity labels. This feature ensures that content created or edited inherits this label. Content that is moved to the site without appropriate labels will trigger a notification. +### Copilot and multiple account access ++Copilot features for Excel, Word, PowerPoint, and OneNote will work seamlessly for users who have multiple Microsoft accounts (work/school account or personal account) signed into a single Windows session when one of those accounts has a Copilot Pro or Copilot for Microsoft 365 license assigned. For example, when a user on their work machine with a Copilot for Microsoft 365 license opens a document from their personal OneDrive, they'll be able to use Copilot in the document. Or when a Copilot Pro user signs in on their work device with their Microsoft account (MSA), they'll be able to use Copilot with Office files stored on their OneDrive or in SharePoint document libraries. ++As an admin, you can turn off a user's ability to add a Microsoft account to their work device, which prevents these users with Copilot Pro from being able to see Copilot features with their Microsoft 365 apps on their work device. For steps on how to do this, see [Set up tenant restrictions](/entra/external-id/tenant-restrictions-v2). You'll need to set up tenant restriction policies for each of the Microsoft 365 apps. ++If you'd like to prevent Entra IDs from your tenant being used on non-managed machines which may have access to Copilot, you can use Conditional Access to prevent access to tenant resources on non-compliant devices. ++>[!NOTE] +> In sovereign tenants where Copilot for Microsoft 365 is not available, even if a device has multiple accounts signed in and one of those accounts has Copilot, users will still be blocked from using Copilot features. + ### Configure advanced policies with Microsoft Purview :::image type="content" source="media/purview-labels-sensitivity.png" alt-text="Screenshot showing the Microsoft Purview screen for sensitivity labels." lightbox="media/purview-labels-sensitivity.png"::: For more information on data security and compliance configurations using Micros Review your privacy settings for Microsoft 365 Apps because those settings might have an effect on the availability of Microsoft Copilot for Microsoft 365 features. For more information, see [Microsoft Copilot for Microsoft 365 and policy settings for connected experiences](microsoft-365-copilot-privacy.md#microsoft-copilot-for-microsoft-365-and-policy-settings-for-connected-experiences). ++ ## Update channels Microsoft Copilot for Microsoft 365 will follow Microsoft 365 Apps' standard practice for deployment and updates, being available in all update channels, except for Semi-Annual Enterprise Channel. Preview channels include Current Channel (Preview) and Beta Channel. Production channels include Current Channel and then Monthly Enterprise Channel. Preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels). |
admin | Capabilities | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/capabilities.md | +- basic-mobility-security search.appverid: - MET150 description: "Basic Mobility and Security helps you secure and manage mobile devices with policies that control access to organization Microsoft 365 email and documents." |
admin | Choose Between Basic Mobility And Security And Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md | +- basic-mobility-security description: "Basic Mobility and Security is part of the Microsoft 365 plans, while Microsoft Intune is a standalone product included with certain Microsoft 365 plans." Microsoft Intune and built-in Basic Mobility and Security both give you the abil |WiFi profiles |Provision a native WiFi profile on the device. |No|Yes| |VPN profiles |Provision a native VPN profile on the device. |No|Yes| |Mobile application management |Deploy your internal line-of-business apps and from apps stores to users. |No|Yes|-|Mobile application protection |Enable your users to securely access corporate information using the Microsoft 365 mobile app and line-of-business apps they know, while ensuring security of data by helping to restrict actions like copy, cut, paste, and save as, to only those apps managed approved for corporate data. Works even if the devices aren't enrolled to Basic Mobility and Security. See Protect app data using MAM policies. |No|Yes| +|Mobile application protection |Enable your users to securely access corporate information using the Microsoft 365 mobile app and line-of-business apps they know. This help ensure security of data by helping to restrict actions like copy, cut, paste, and save as, to only those apps managed approved for corporate data. Works even if the devices aren't enrolled to Basic Mobility and Security. See Protect app data using MAM policies. |No|Yes| |Managed browser |Enable more secure web browsing using the Edge app. |No|Yes| |Zero touch enrollment programs (AutoPilot) |Enroll large numbers of corporate-owned devices, while simplifying user setup. |No|Yes| -In addition to features listed in the preceding table, Basic Mobility and Security and Intune both include a set of remote actions that send commands to devices over the internet. For example, you can remove Microsoft 365 data from an employeeΓÇÖs device while leaving personal data in place (retire), remove Microsoft 365 apps from an employee's device (wipe), or reset a device to its factory settings (full wipe). +In addition to features listed in the preceding table, Basic Mobility and Security and Intune both include a set of remote actions that send commands to devices over the internet. For example, you can: ++- remove Microsoft 365 data from an employeeΓÇÖs device while leaving personal data in place (retire). +- remove Microsoft 365 apps from an employee's device (wipe). +- reset a device to its factory settings (full wipe). -Basic Mobility and Security remote actions include retire, wipe and full wipe. For more information on Basic Mobility and Security actions, see [capabilities of Basic Mobility and Security](capabilities.md). +Basic Mobility and Security remote actions include retire, wipe, and full wipe. For more information on Basic Mobility and Security actions, see [capabilities of Basic Mobility and Security](capabilities.md). -With Intune you have the following set of actions: +With Intune, you have the following set of actions: - [Autopilot reset](/mem/autopilot/windows-autopilot-reset) (Windows only) - [Bitlocker key recovery](https://support.microsoft.com/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6) (Windows only) |
admin | Create An Apns Certificate For Ios Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/create-an-apns-certificate-for-ios-devices.md | +- AdminSurgePortfolio +- basic-mobility-security description: "To manage iOS devices such as iPads and iPhones in Basic Mobility and Security, begin by creating an APNs certificate." |
admin | Create Device Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/create-device-security-policies.md | +- basic-mobility-security description: "Use Basic Mobility and Security to create device policies that protect your organization information." If you want to exclude some people from conditional access checks on their mobil When you apply a policy to user devices, the impact on each device varies somewhat among device types. See the following table for examples of the impact of policies on different devices. -|**Security Policy**|**Android**|**Samsung KNOX**|**iOS**|**Notes**| +| Security Policy | Android | Samsung KNOX | iOS | Notes | |:--|:--|:--|:--|:--| |Require encrypted backup|No|Yes|Yes|iOS encrypted backup required.| |Block cloud backup|Yes|Yes|Yes|Block Google backup on Android (grayed out), cloud backup on supervised iOS.| When you apply a policy to user devices, the impact on each device varies somewh When you delete a policy or remove a user from a group to which the policy was deployed, the policy settings, Microsoft 365 email profile and cached emails might be removed from the user's device. See the following table to see what is removed for the different device types. -|**What's removed**|**iOS**|**Android (including Samsung KNOX**| +| What's removed | iOS | Android (including Samsung KNOX) | |:--|:--|:--| |Managed email profiles<sup>1</sup>|Yes|No| |Block cloud backup|Yes|No| |
admin | Enroll Your Mobile Device | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/enroll-your-mobile-device.md | +- basic-mobility-security search.appverid: - MET150 description: "Before you can use Microsoft 365 services with your device, you might need to first enroll it in Basic Mobility and Security for Microsoft 365." |
admin | Manage Device Access Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/manage-device-access-settings.md | - - AdminSurgePortfolio - - has-azure-ad-ps-ref - - azure-ad-ref-level-one-done +- AdminSurgePortfolio +- has-azure-ad-ps-ref +- azure-ad-ref-level-one-done +- basic-mobility-security search.appverid: - MET150 description: "For devices you can't manage with Basic Mobility and Security, block Exchange ActiveSync app access to email and use Microsoft Graph PowerShell to get details about org devices." description: "For devices you can't manage with Basic Mobility and Security, blo # Manage device access settings in Basic Mobility and Security -If you're using Basic Mobility and Security, there might be devices that you can't manage with Basic Mobility and Security. If so, you should block Exchange ActiveSync app access to Microsoft 365 email for mobile devices that aren't supported by Basic Mobility and Security. This helps secure your organization information across more devices. +If you're using Basic Mobility and Security, there might be devices that you can't manage with Basic Mobility and Security. If so, you should block Exchange ActiveSync app access to Microsoft 365 email for mobile devices that aren't supported by Basic Mobility and Security. Blocking Exchange ActiveSync app access helps secure your organization information across more devices. Use these steps: For more info on these steps, see [Connect to Microsoft 365 with PowerShell](/po 2. A popup will open for you to sign in. Provide the credentials of your Administrative Account and log in. -3. If your account has the necessary permissions you'll see "Welcome To Microsoft Graph!" in the Powershell window. +3. If your account has the necessary permissions, you see "Welcome To Microsoft Graph!" in the Powershell window. ### Step 3: Make sure you're able to run PowerShell scripts First, save the script to your computer. } ``` -2. Save it as a Windows PowerShell script file by using the file extension .ps1; for example, Get-MgGraphDeviceOwnership.ps1. +2. Save it as a Windows PowerShell script file by using the file extension ".ps1". For example, Get-MgGraphDeviceOwnership.ps1. > [!NOTE] > The script is also available for download on [Github](https://github.com/Raindrops-dev/RAIN-MicrosoftGraphPowershellCode/blob/main/Get-MgGraphDeviceOwnership.ps1). First, save the script to your computer. .\Get-GraphUserDeviceComplianceStatus.ps1 -users $user -Export ``` -The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to specify the file name and path of the CSV. +The information is exported to your Windows Desktop as a CSV file. You can specify the file name and path of the CSV. ### Run the script to get device information for a group of users |
admin | Manage Enrolled Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/manage-enrolled-devices.md | +- basic-mobility-security search.appverid: - MET150 description: "Sign in to Microsoft 365 and set up Basic Mobility and Security to use the built-in mobile device management to secure and manage your users' mobile devices." |
admin | Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/overview.md | +- basic-mobility-security search.appverid: - MET150 description: "Manage and secure mobile devices connected to your Microsoft 365 organization by setting up and using Basic Mobility and Security." |
admin | Set Up | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/set-up.md | +- basic-mobility-security search.appverid: - MET150 description: "Set up Basic Mobility and Security to secure and manage your users' mobile devices by performing actions such as remotely wiping a device." |
admin | Turn Off | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/turn-off.md | +- AdminSurgePortfolio +- basic-mobility-security description: "Remove groups or policies to turn off Basic Mobility and Security." |
admin | Wipe Mobile Device | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/wipe-mobile-device.md | +- basic-mobility-security search.appverid: - MET150 description: "Use built-in Basic Mobility and Security to remove information from enrolled devices." |
admin | Add Or Remove Members From Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/add-or-remove-members-from-groups.md | Title: "Add or remove members from Microsoft 365 groups" Last updated 02/18/2020 f1.keywords: NOCSH--++ audience: Admin |
admin | Compare Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/compare-groups.md | Title: Compare types of groups in Microsoft 365 Last updated 07/18/2023 f1.keywords: CSH---+++ audience: Admin |
admin | Create Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/create-groups.md | Title: "Create a group in the admin center" Last updated 02/18/2020 f1.keywords: CSH---+++ audience: Admin |
admin | Explain Groups Knowledge Worker | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/explain-groups-knowledge-worker.md | Title: "Explaining Microsoft 365 Groups to your users" Last updated 07/20/2020 f1.keywords: NOCSH--++ audience: Admin |
admin | Group Mailbox Size Management | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/group-mailbox-size-management.md | Title: Microsoft 365 Group mailbox size management description: Learn about the group mailbox size management in Microsoft 365.-+ audience: ITPro ms.localizationpriority: medium search.appverid: Last updated 08/03/2022--++ # Microsoft 365 group mailbox size management |
admin | Manage Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/manage-groups.md | Title: "Manage a group in the admin center" Last updated 02/18/2020 f1.keywords: NOCSH--++ audience: Admin |
admin | Manage Guest Access In Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/manage-guest-access-in-groups.md | Title: "Manage guest access in Microsoft 365 groups" Last updated 02/18/2020 f1.keywords: NOCSH--++ audience: Admin |
admin | Office 365 Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/office-365-groups.md | Title: "Overview of Microsoft 365 Groups for administrators" Last updated 02/18/2020 f1.keywords: NOCSH---+++ audience: Admin |
admin | Ownerless Groups Teams | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/ownerless-groups-teams.md | Title: "Manage ownerless Microsoft 365 groups and teams" Last updated 04/04/2022 f1.keywords: NOCSH---+++ audience: Admin |
admin | Restore Deleted Group | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/restore-deleted-group.md | Title: "Restore a deleted Microsoft 365 group" Last updated 02/18/2020 f1.keywords: CSH---+++ audience: Admin |
enterprise | Portallaunchscheduler | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md | Title: Launch your portal using the Portal launch scheduler -+ Last updated 11/11/2020 audience: Admin |
enterprise | Cross Tenant Onedrive Migration Step7 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step7.md | Title: OneDrive Cross-Tenant User Data Migration Step 7 -+ Last updated 10/13/2023 recommendations: true audience: ITPro |
enterprise | Cross Tenant Onedrive Migration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration.md | Title: Cross-tenant OneDrive migration overview -+ Last updated 10/13/2023 recommendations: true audience: ITPro |
enterprise | Cross Tenant Sharepoint Bulk Site Migration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-bulk-site-migration.md | Title: Performing Bulk SharePoint site Cross-tenant migrations (preview) -+ Last updated 10/13/2023 recommendations: true audience: ITPro |
enterprise | External Guest Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/external-guest-access.md | Title: IT Admins - Overview of external collaboration options in Microsoft 365--++ Last updated 01/17/2024 audience: ITPro |
enterprise | Internet Sites In Microsoft Azure Using Sharepoint Server 2013 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/internet-sites-in-microsoft-azure-using-sharepoint-server-2013.md | Title: "Internet Sites in Microsoft Azure using SharePoint Server 2013" -+ Last updated 12/15/2017 audience: ITPro |
enterprise | Manage Folders And Rules Feature | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-folders-and-rules-feature.md | Title: "Manage Folders and Rules feature in Microsoft 365 Groups"---+++ Last updated 08/18/2022 audience: Admin |
enterprise | Manage Microsoft 365 Groups With Powershell | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-groups-with-powershell.md | Title: "Manage Microsoft 365 Groups with PowerShell"--++ Last updated 9/29/2023 audience: Admin |
enterprise | Microsoft Azure Architectures For Sharepoint 2013 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-azure-architectures-for-sharepoint-2013.md | Title: "Microsoft Azure Architectures for SharePoint 2013" -+ Last updated 12/15/2017 audience: ITPro |
enterprise | Sharepoint Server 2013 Disaster Recovery In Microsoft Azure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/sharepoint-server-2013-disaster-recovery-in-microsoft-azure.md | Title: "SharePoint Server 2013 Disaster Recovery in Microsoft Azure" -+ Last updated 04/17/2018 audience: ITPro |
loop | Loop Compliance Summary | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-compliance-summary.md | Last updated 08/21/2023 Title: "Summary of governance, lifecycle and compliance capabilities for Loop experiences" ---+++ recommendations: true audience: Admin f1.keywords: |
loop | Loop Components Configuration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-components-configuration.md | Last updated 08/21/2023 Title: "Manage Loop components in OneDrive and SharePoint" --++ recommendations: true audience: Admin |
loop | Loop Components Teams | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-components-teams.md | Title: Overview of Loop components in the Microsoft 365 ecosystem---+++ audience: Admin |
loop | Loop Data Integrations Configuration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-data-integrations-configuration.md | Last updated 02/22/2024 Title: "Configuring external data integrations for Loop experiences" ---+++ recommendations: true audience: Admin f1.keywords: |
loop | Loop Preview Configuration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-preview-configuration.md | Last updated 02/29/2024 Title: "Manage Loop app preview" --++ recommendations: true audience: Admin |
loop | Loop Workspaces Storage Permission | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-workspaces-storage-permission.md | Title: Overview of Loop workspaces storage and permissions---+++ audience: Admin |
security | Edr In Block Mode | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md | description: Learn about endpoint detection and response in block mode -+ audience: ITPro ms.localizationpriority: medium - - next-gen - - mde-edr - - admindeeplinkDEFENDER Previously updated : 01/12/2024+- next-gen +- mde-edr +- admindeeplinkDEFENDER Last updated : 04/11/2024 - m365-security - tier2 This recommendation is primarily for devices using an active non-Microsoft antiv ## What is EDR in block mode? -[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. +[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode is available in Defender for Endpoint Plan 2. > [!IMPORTANT] > EDR in block mode cannot provide all available protection when Microsoft Defender Antivirus real-time protection is in passive mode. Some capabilities that depend on Microsoft Defender Antivirus to be the active antivirus solution will not work, such as the following examples: When EDR in block mode is turned on, and a malicious artifact is detected, Defen ## Enable EDR in block mode > [!IMPORTANT]-> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode. -> Starting with [platform version 4.18.2202.X](microsoft-defender-antivirus-updates.md), you can now set EDR in block mode to target specific device groups using Intune CSPs. You can continue to set EDR in block mode tenant-wide in the [Microsoft Defender portal](https://security.microsoft.com). -> EDR in block mode is primarily recommended for devices that are running Microsoft Defender Antivirus in passive mode (a non-Microsoft antivirus solution is installed and active on the device). +> - Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode. +> - Defender for Endpoint Plan 2 licenses are required. +> - Beginning with [platform version 4.18.2202.X](microsoft-defender-antivirus-updates.md), you can set EDR in block mode to target specific device groups using Intune CSPs. You can continue to set EDR in block mode tenant-wide in the [Microsoft Defender portal](https://security.microsoft.com). +> - EDR in block mode is primarily recommended for devices that are running Microsoft Defender Antivirus in passive mode (a non-Microsoft antivirus solution is installed and active on the device). <a name='microsoft-365-defender'></a> -### Microsoft Defender XDR +### Microsoft Defender portal 1. Go to the Microsoft Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) and sign in. The following table lists requirements for EDR in block mode: ||| |Permissions|You must have either the Global Administrator or Security Administrator role assigned in [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). For more information, see [Basic permissions](basic-permissions.md).| |Operating system|Devices must be running one of the following versions of Windows: <br/>- Windows 11<br/>- Windows 10 (all releases)<br/>- Windows Server 2019 or later<br/>- Windows Server, version 1803 or later<br/>- Windows Server 2016 and Windows Server 2012 R2 (with the [new unified client solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution))|-|Microsoft Defender for Endpoint|Devices must be onboarded to Defender for Endpoint. See the following articles: <br/>- [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)<br/>- [Onboard devices and configure Microsoft Defender for Endpoint capabilities](onboard-configure.md)<br/>- [Onboard Windows servers to the Defender for Endpoint service](configure-server-endpoints.md)<br/>- [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution)<br/>(See [Is EDR in block mode supported on Windows Server 2016 and Windows Server 2012 R2?](edr-block-mode-faqs.yml)) | +|Microsoft Defender for Endpoint Plan 2|Devices must be onboarded to Defender for Endpoint. See the following articles: <br/>- [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)<br/>- [Onboard devices and configure Microsoft Defender for Endpoint capabilities](onboard-configure.md)<br/>- [Onboard Windows servers to the Defender for Endpoint service](configure-server-endpoints.md)<br/>- [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution)<br/>(See [Is EDR in block mode supported on Windows Server 2016 and Windows Server 2012 R2?](edr-block-mode-faqs.yml)) | |Microsoft Defender Antivirus|Devices must have Microsoft Defender Antivirus installed and running in either active mode or passive mode. [Confirm Microsoft Defender Antivirus is in active or passive mode](edr-block-mode-faqs.yml).| |Cloud-delivered protection|Microsoft Defender Antivirus must be configured such that [cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md).| |Microsoft Defender Antivirus platform|Devices must be up to date. To confirm, using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. <br/><br/> To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).| The following table lists requirements for EDR in block mode: ## See also - [Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ)](edr-block-mode-faqs.yml)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Host Firewall Reporting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md | Title: Host firewall reporting in Microsoft Defender for Endpoint description: Host and view firewall reporting in Microsoft Defender portal. ms.localizationpriority: medium Previously updated : 01/31/2023 Last updated : 04/11/2024 audience: ITPro If you're a Global or security administrator, you can now host firewall reportin ## What do you need to know before you begin? -- You must be running Windows 10 or later, Windows Server 2012 R2 or later.- > [!NOTE] - > For Windows2012 R2 and Windows Server 2016 to appear in Firewall reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution). -- To onboard devices to the Microsoft Defender for Endpoint service, see [here](onboard-configure.md).-- For <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> to start receiving the data, you must enable **Audit Events** for Windows Defender Firewall with Advanced Security:+- Your devices must be running Windows 10 or later, or Windows Server 2012 R2 or later. For Windows Server 2012 R2 and Windows Server 2016 to appear in firewall reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution). ++- To onboard devices to the Microsoft Defender for Endpoint service, see [onboarding guidance](onboard-configure.md). ++- For the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) to start receiving data, you must enable **Audit Events** for Windows Defender Firewall with Advanced Security. See the following articles: + - [Audit Filtering Platform Packet Drop](/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop) - [Audit Filtering Platform Connection](/windows/security/threat-protection/auditing/audit-filtering-platform-connection)-- Enable these events by using Group Policy Object Editor, Local Security Policy, or the auditpol.exe commands. For more information, see [here](/windows/win32/fwp/auditing-and-logging).- - The two PowerShell commands are: ++- Enable these events by using Group Policy Object Editor, Local Security Policy, or the auditpol.exe commands. For more information, see [documentation about auditing and logging](/windows/win32/fwp/auditing-and-logging). The two PowerShell commands are as follows: + - `auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable` - `auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable` -```powershell -param ( - [switch]$remediate -) -try { -- $categories = "Filtering Platform Packet Drop,Filtering Platform Connection" - $current = auditpol /get /subcategory:"$($categories)" /r | ConvertFrom-Csv - if ($current."Inclusion Setting" -ne "failure") { - if ($remediate.IsPresent) { - Write-Host "Remediating. No Auditing Enabled. $($current | ForEach-Object {$_.Subcategory + ":" + $_.'Inclusion Setting' + ";"})" - $output = auditpol /set /subcategory:"$($categories)" /failure:enable - if($output -eq "The command was successfully executed.") { - Write-Host "$($output)" - exit 0 - } - else { - Write-Host "$($output)" - exit 1 - } - } - else { - Write-Host "Remediation Needed. $($current | ForEach-Object {$_.Subcategory + ":" + $_.'Inclusion Setting' + ";"})." - exit 1 - } - } --} -catch { - throw $_ -} -``` + Here's an example query: ++ ```powershell + param ( + [switch]$remediate + ) + try { ++ $categories = "Filtering Platform Packet Drop,Filtering Platform Connection" + $current = auditpol /get /subcategory:"$($categories)" /r | ConvertFrom-Csv + if ($current."Inclusion Setting" -ne "failure") { + if ($remediate.IsPresent) { + Write-Host "Remediating. No Auditing Enabled. $($current | ForEach-Object {$_.Subcategory + ":" + $_.'Inclusion Setting' + ";"})" + $output = auditpol /set /subcategory:"$($categories)" /failure:enable + if($output -eq "The command was successfully executed.") { + Write-Host "$($output)" + exit 0 + } + else { + Write-Host "$($output)" + exit 1 + } + } + else { + Write-Host "Remediation Needed. $($current | ForEach-Object {$_.Subcategory + ":" + $_.'Inclusion Setting' + ";"})." + exit 1 + } + } ++ } + catch { + throw $_ + } + ``` ## The process > [!NOTE]-> Make sure to follow the instructions from the section above and properly configure your devices for the early preview participation. +> Make sure to follow the instructions from previous the section and properly configure your devices to participate in the preview program. -- After enabling the events, Microsoft Defender XDR will start to monitor the data, which includes: +- After events are enabled, Microsoft Defender for Endpoint begins to monitor data, which includes: - Remote IP - Remote Port - Local Port - Local IP - Computer Name - Process across inbound and outbound connections-- Admins can now see Windows host firewall activity [here](https://security.microsoft.com/firewall).- - Additional reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI. ++- Admins can now see Windows host firewall activity [here](https://security.microsoft.com/firewall). Additional reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI. + - It can take up to 12 hours before the data is reflected. ## Supported scenarios - [Firewall reporting](#firewall-reporting)-- [From "Computers with a blocked connection" to device](#from-computers-with-a-blocked-connection-to-device)-- [Drill into advanced hunting (preview refresh)](#drill-into-advanced-hunting-preview-refresh)+- [From "Computers with a blocked connection" to device](#from-computers-with-a-blocked-connection-to-device) (requires Defender for Endpoint Plan 2) +- [Drill into advanced hunting (preview refresh)](#drill-into-advanced-hunting-preview-refresh) (requires Defender for Endpoint Plan 2) ### Firewall reporting These reports can also be accessed by going to **Reports** > **Security Report** ### From "Computers with a blocked connection" to device +> [!NOTE] +> This feature requires Defender for Endpoint Plan 2. + Cards support interactive objects. You can drill into the activity of a device by clicking on the device name, which will launch the Microsoft Defender portal in a new tab, and take you directly to the **Device Timeline** tab. :::image type="content" source="media/firewall-reporting-blocked-connection.png" alt-text="The Computers with a blocked connection page" lightbox="media/firewall-reporting-blocked-connection.png"::: After clicking on the **Filters** button on the upper right-hand corner of the v ### Drill into advanced hunting (preview refresh) -Firewall reports support drilling from the card directly into **Advanced Hunting** by clicking the **Open Advanced hunting** button. The query will be pre-populated. +> [!NOTE] +> This feature requires Defender for Endpoint Plan 2. ++Firewall reports support drilling from the card directly into **Advanced Hunting** by clicking the **Open Advanced hunting** button. The query is prepopulated. :::image type="content" source="media/firewall-reporting-advanced-hunting.png" alt-text="The Open Advanced hunting button" lightbox="media/firewall-reporting-advanced-hunting.png"::: |
security | Advanced Hunting Deviceevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceevents-table.md | |
security | Advanced Hunting Devicefileevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefileevents-table.md | |
security | Advanced Hunting Deviceimageloadevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceimageloadevents-table.md | |
security | Advanced Hunting Devicenetworkevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table.md | |
security | Advanced Hunting Deviceprocessevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table.md | |
security | Advanced Hunting Deviceregistryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceregistryevents-table.md | |
security | Advanced Hunting Microsoft Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-microsoft-defender.md | In the unified portal, you can query any data in any workload that you can curre ### Connect a workspace -In Microsoft Defender, you can connect workspaces by selecting **Connect a workspace** in the top banner. This button appears if you're eligible to onboard a Microsoft Sentinel workspace onto the unified Microsoft Defender portal. Follow the steps in: **[Onboarding a workspace](https://aka.ms/onboard-microsoft-sentinel)**. --## Unified advanced hunting +In Microsoft Defender, you can connect workspaces by selecting **Connect a workspace** in the top banner. This button appears if you're eligible to onboard a Microsoft Sentinel workspace onto the unified Microsoft Defender portal. Follow the steps in: **[Onboarding a workspace](https://aka.ms/onboard-microsoft-sentinel)**. After connecting your Microsoft Sentinel workspace and Microsoft Defender XDR advanced hunting data, you can start querying Microsoft Sentinel data from the advanced hunting page. For an overview of advanced hunting features, read [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). -### What to expect for Defender XDR tables streamed to Microsoft Sentinel +## What to expect for Defender XDR tables streamed to Microsoft Sentinel - **Use tables with longer data retention period in queries** ΓÇô Advanced hunting follows the maximum data retention period configured for the Defender XDR tables (see [Understand quotas](advanced-hunting-limits.md#understand-advanced-hunting-quotas-and-usage-parameters)). If you stream Defender XDR tables to Microsoft Sentinel and have a data retention period longer than 30 days for said tables, you can query for the longer period in advanced hunting. - **Use Kusto operators you've used in Microsoft Sentinel** ΓÇô In general, queries from Microsoft Sentinel work in advanced hunting, including queries that use the `adx()` operator. There might be cases where IntelliSense warns you that the operators in your query don't match the schema, however, you can still run the query and it should still be executed successfully.-- **Use the time filter dropdown instead of setting the time span in the query** ΓÇô If you are filtering ingestion of Defender XDR tables to Sentinel instead of streaming the tables as is, do not filter the time in the query as this might generate incomplete results. If you set the time in the query, the streamed, filtered data from Sentinel will be used because it usually has the longer data retention period. If you would like to make sure you are querying all Defender XDR data for up to 30 days, use the time filter dropdown provided in the query editor instead. +- **Use the time filter dropdown instead of setting the time span in the query** ΓÇô If you're filtering ingestion of Defender XDR tables to Sentinel instead of streaming the tables as is, don't filter the time in the query as this might generate incomplete results. If you set the time in the query, the streamed, filtered data from Sentinel is used because it usually has the longer data retention period. If you would like to make sure you're querying all Defender XDR data for up to 30 days, use the time filter dropdown provided in the query editor instead. - **View `SourceSystem` and `MachineGroup` columns for Defender XDR data that have been streamed from Microsoft Sentinel** ΓÇô Since the columns `SourceSystem` and `MachineGroup` are added to Defender XDR tables once they're streamed to Microsoft Sentinel, they also appear in results in advanced hunting in Defender. However, they remain blank for Defender XDR tables that weren't streamed (tables that follow the default 30-day data retention period). -### Where to find your Microsoft Sentinel data +## Where to find your Microsoft Sentinel data You can use advanced hunting KQL (Kusto Query Language) queries to hunt through Microsoft Defender XDR and Microsoft Sentinel data. When you open the advanced hunting page for the first time after connecting a workspace, you can find many of that workspace's tables organized by solution after the Microsoft Defender XDR tables under the **Schema** tab. When you open the advanced hunting page for the first time after connecting a wo Likewise, you can find the functions from Microsoft Sentinel in the **Functions** tab, and your shared and sample queries from Microsoft Sentinel can be found in the **Queries** tab inside folders marked **Sentinel**. -### View schema information +## View schema information To learn more about a schema table, select the vertical ellipses ( ![kebab icon](../../media/ah-kebab.png) ) to the right of any schema table name under the **Schema** tab, then select **View schema**. In the unified portal, in addition to viewing the schema column names and descriptions, you can also view: In the unified portal, in addition to viewing the schema column names and descri :::image type="content" source="../../media/advanced-hunting-unified-view-schema.png" alt-text="Screenshot of the schema information pane in the Microsoft Defender portal" lightbox="../../media/advanced-hunting-unified-view-schema.png"::: -### Use functions +## Use functions To use a function from Microsoft Sentinel, go to the **Functions** tab and scroll until you find the function that you want. Double-click the function name to insert the function in the query editor. For editable functions, more options are available when you select the vertical - **Delete** ΓÇô deletes the function -### Use saved queries +## Use saved queries To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scroll until you find the query that you want. Double-click the query name to load the query in the query editor. For more options, select the vertical ellipses ( ![kebab icon](../../media/ah-kebab.png) ) to the right of the query. From here, you can perform the following actions: For Microsoft Defender XDR data, you can take further action by selecting the ch - The Microsoft Sentinel `SecurityAlert` table is replaced by `AlertInfo` and `AlertEvidence` tables, which both contain all the data on alerts. While SecurityAlert isn't available in the schema tab, you can still use it in queries using the advanced hunting editor. This provision is made so as not to break existing queries from Microsoft Sentinel that use this table. - Guided hunting mode is supported for Defender XDR data only. - Custom detections, links to incidents, and take actions capabilities are supported for Defender XDR data only.-- Bookmarks aren't supported in the advanced hunting experience. They are supported in the **Microsoft Sentinel > Threat management > Hunting** feature.+- Bookmarks aren't supported in the advanced hunting experience. They're supported in the **Microsoft Sentinel > Threat management > Hunting** feature. - If you're streaming Defender XDR tables to Log Analytics, there might be a difference between the`Timestamp` and `TimeGenerated` columns. In case the data arrives to Log Analytics after 48 hours, it's being overridden upon ingestion to `now()`. Therefore, to get the actual time the event happened, we recommend relying on the `Timestamp` column.-- The Microsoft Graph API for running an advanced hunting query does not support querying data from Microsoft Sentinel yet. +- The Microsoft Graph API for running an advanced hunting query doesn't support querying data from Microsoft Sentinel yet. |
security | Onboarding Defender Experts For Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/onboarding-defender-experts-for-hunting.md | Select **Ask Defender Experts** directly inside the Microsoft 365 security porta ### Required permissions for submitting inquiries in the Ask Defender Experts panel -You need to select the following permissions before submitting inquires to our Defender experts. For more details about role-based access control (RBAC) permissions, see: [Microsoft Defender for Endpoint and Microsoft Defender XDR RBAC permissions](/microsoft-365/security/defender/compare-rbac-roles#map-defender-for-endpoint-and-defender-vulnerability-management-permissions-to-the-microsoft-defender-xdr-rbac-permissions). +You need to select one of the following permissions before submitting inquires to our Defender experts. For more details about role-based access control (RBAC) permissions, see: [Microsoft Defender for Endpoint and Microsoft Defender XDR RBAC permissions](/microsoft-365/security/defender/compare-rbac-roles#map-defender-for-endpoint-and-defender-vulnerability-management-permissions-to-the-microsoft-defender-xdr-rbac-permissions). |**Product name**|**Product RBAC permission**| |||| |
security | Advanced Delivery Policy Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-delivery-policy-configure.md | Use the _advanced delivery policy_ in EOP to prevent inbound messages _in these Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as **Phishing simulation** or **SecOps mailbox** system overrides. Admins can use these values to filter and analyze messages in the following experiences: -- [Threat Explorer (Explorer) or Real-time detections in Defender for Office 365](threat-explorer-real-time-detections-about.md): Admin can filter on **System override source** and select either **Phishing simulation** or **SecOps Mailbox**.-- The [Email entity Page in Threat Explorer/Real-time detections](mdo-email-entity-page.md): Admin can view a message that was allowed by organization policy by either **SecOps mailbox** or **Phishing simulation** under **Tenant override** in the **Override(s)** section.+- [Threat Explorer (Explorer) or Real-time detections in Defender for Office 365](threat-explorer-real-time-detections-about.md): Admins can filter on **System override source** and select **Phishing simulation** or **SecOps Mailbox**. +- The [Email entity page](mdo-email-entity-page.md): Admins can view a message that was allowed by organization policy by **SecOps mailbox** or **Phishing simulation** under **Tenant override** in the **Override(s)** section. - The [Threat protection status report](reports-email-security.md#threat-protection-status-report): Admin can filter by **view data by System override** in the drop down menu and select to see messages allowed due to a phishing simulation system override. To see messages allowed by the SecOps mailbox override, you can select **chart breakdown by delivery location** in the **chart breakdown by reason** dropdown list. - [Advanced hunting in Microsoft Defender for Endpoint](../defender-endpoint/advanced-hunting-overview.md): Phishing simulation and SecOps mailbox system overrides are options within OrgLevelPolicy in EmailEvents. - [Campaign Views](campaigns.md): Admin can filter on **System override source** and select either **Phishing simulation** or **SecOps Mailbox**. |
security | Anti Spam Spam Vs Bulk About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-spam-vs-bulk-about.md | EmailEvents This query allows admins to identify wanted and unwanted senders. If a bulk sender has a BCL score that's more than the bulk threshold, admins can [report the sender's messages to Microsoft for analysis](submissions-admin.md#report-good-email-to-microsoft). This action also adds the sender as an allow entry in the Tenant Allow/Block List. -Organizations without Defender for Office 365 Plan 2 can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free. Use the 90-day Defender for Office 365 evaluation at <https://security.microsoft.com/atpEvaluation>. Learn about who can sign up and trial terms [here](try-microsoft-defender-for-office-365.md) or you can use the [Threat protection status report](reports-email-security.md#threat-protection-status-report) to identify wanted and unwanted bulk senders: +Organizations without Defender for Office 365 Plan 2 can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free. Use the 90-day Defender for Office 365 evaluation at <https://security.microsoft.com/atpEvaluation>. Learn about who can sign up and trial terms [here](try-microsoft-defender-for-office-365.md). ++If you have Defender for Office 365 Plan 1 or Plan 2, you can use the [Threat protection status report](reports-email-security.md#threat-protection-status-report) to identify wanted and unwanted bulk senders: 1. Open the **Threat protection status** report at one of the following URLs: - **EOP**: <https://security.microsoft.com/reports/TPSAggregateReport> Organizations without Defender for Office 365 Plan 2 can try the features in Mic When you're finished in the **Filters** flyout, select **Apply**. -4. In Defender for Office 365 Plan 2, select a bulk message to investigate, and then select email entity to learn more about the sender. +4. Back on the **Threat protection status** page, select one of the bulk messages from the details table below the chart by clicking anywhere in the row other than the check box next to the first column. ++ In the message details flyout that opens, select :::image type="icon" source="../../medi). 5. After you identify wanted and unwanted bulk senders, adjust the bulk threshold in the default anti-spam policy and in custom anti-spam policies. If some bulk senders don't fit within your bulk threshold, [report the messages to Microsoft for analysis](submissions-admin.md#report-good-email-to-microsoft). |
security | Defender For Office 365 Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md | For more information on what's new with other Microsoft Defender security produc ## February 2024 -- **Hunting and responding to QR code-based attacks**: Security teams will now be able to see the URLs extracted from QR codes with "QR code" as URL source in Email Entity URL tab, and "QRCode" in "UrlLocation" column of EmailUrlInfo table in Advanced Hunting. Users can also filter for emails having URLs embedded within QR codes using "URL Source" filter in Threat Explorer which now supports "QR code" option.+- **Hunting and responding to QR code-based attacks**: Security teams are now able to see the URLs extracted from QR codes with **QR code** as URL source on the **URL** tab of the [Email entity page](mdo-email-entity-page.md), and **QRCode** in the **UrlLocation** column of **EmailUrlInfo** table in [Advanced Hunting](../defender/advanced-hunting-overview.md). You can also filter for email with URLs embedded within QR codes using the **URL Source** filter value **QR code** in the **All email**, **Malware**, and **Phish** views in [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md). ## January 2024 For more information on what's new with other Microsoft Defender security produc ## July 2022 -- [Introducing actions into the email entity page](mdo-email-entity-page.md): Admins can take preventative, remediation, and submission actions from the email entity page.+- [Introducing actions into the Email entity page](mdo-email-entity-page.md): Admins can take preventative, remediation, and submission actions from the Email entity page. ## June 2022 For more information on what's new with other Microsoft Defender security produc - [Submit user reported messages to Microsoft for analysis](submissions-admin.md#submit-user-reported-messages-to-microsoft-for-analysis): Configure a reporting mailbox to intercept user-reported messages without sending the messages to Microsoft for analysis. -- View the associated alerts for [user reported messages](submissions-admin.md#actions-for-user-reported-messages-in-defender-for-office-365-plan-2) and [admin submissions](submissions-admin.md#actions-for-admin-submissions-in-defender-for-office-365-plan-2): View the corresponding alert for each user reported phish message and admin email submission.+- View the associated alerts for [user reported messages](submissions-admin.md#actions-for-user-reported-messages-in-defender-for-office-365) and [admin submissions](submissions-admin.md#actions-for-admin-submissions-in-defender-for-office-365): View the corresponding alert for each user reported phishing message and admin email submission. - [Configurable impersonation protection custom users and domains and increased scope within Preset policies](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/configurable-impersonation-protection-and-scope-for-preset/ba-p/3294459): - (Choose to) Apply Preset Strict/Standard policies to entire organization and avoid the hassle of selecting specific recipient users, groups, or domains, thereby securing all recipient users of your organization. |
security | Mdo Email Entity Page | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md | Title: The email entity page in Defender for Office 365 + Title: The Email entity page in Defender for Office 365 f1.keywords: - NOCSH Previously updated : 2/22/2024 Last updated : 4/12/2024 audience: ITPro -description: Admins can learn about the Email entity page in Microsoft Defender for Office 365. This page show many details about email messages. For example, email headers, threat detection details, the latest and original delivery locations, delivery actions, and IDs (for example, the Network message ID and the associated Alert Id). +description: Admins can learn about the Email entity page in Microsoft Defender for Office 365. This page shows many details about email messages. For example, email headers, threat detection details, the latest and original delivery locations, delivery actions, and IDs (for example, the Network message ID and the associated Alert ID). search.appverid: met150 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a> -# The Email entity page +# The Email entity page in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -Microsoft 365 organizations that have [Microsoft Defender for Office 365](mdo-about.md) included in their subscription or purchased as an add-on have a 360-degree view of email using the **Email entity page**. This go-to email page was created to enhance information delivered throughout Defender for Office 365 and Microsoft Defender XDR. +Microsoft 365 organizations that have [Microsoft Defender for Office 365](mdo-about.md) included in their subscription or purchased as an add-on have the _Email entity page_. The Email entity page in the Microsoft Defender portal contains highly detailed information about an email message and any related entities. ++This article explains the information and actions on the Email entity page. ++## Permissions and licensing for the Email entity page ++To use the Email entity page, you need to be assigned permissions. The permissions and licensing are the same as Threat Explorer (Explorer) and Real-time detections. For more information, see [Permissions and licensing for Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#permissions-and-licensing-for-threat-explorer-and-real-time-detections). ++## Where to find the Email entity page ++There are no direct links to the **Email entity** page from the top levels of the Defender portal. Instead, the :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** action is available at the top of the email details flyout in many Defender for Office 365 features. This email details flyout is known as _the Email summary panel_, and contains a summarized subset of the information on the Email entity page. The email summary panel is identical across Defender for Office 365 features. For more information, see the [The Email summary panel](#the-email-summary-panel) section later in this article. ++The Email summary panel with the :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** action is available in the following locations: ++- From the **Advanced hunting** page at <https://security.microsoft.com/v2/advanced-hunting>: In the **Results** tab of an email-related query, click on the **NetworkMessageId** value of an entry in the table. ++- *From the **Alerts** page at <https://security.microsoft.com/alerts>: For alerts with the **Detection source** value **MDO** or the **Product names** value **Microsoft Defender for Office 365**, select the entry by clicking on the **Alert name** value. In the alert details page that opens, select the message from the **Messages list** section. ++- From the **Threat protection status** report at <https://security.microsoft.com/reports/TPSEmailPhishReportATP>: + - Select **View data by Email \> Phish** and any of the available **Chart breakdown** selections. In the details table below the chart, select the entry by clicking anywhere in the row other than the check box next to the first column. + - Select **View data by Email \> Malware** and any of the available **Chart breakdown** selections. In the details table below the chart, select the entry by clicking anywhere in the row other than the check box next to the first column. + - Select **View data by Email \> Spam** and any of the available **Chart breakdown** selections. In the details table below the chart, select the entry by clicking anywhere in the row other than the check box next to the first column. ++- From the **Explorer** page at <https://security.microsoft.com/threatexplorerv3> (Threat Explorer) or from the **Real-time detections** page at <https://security.microsoft.com/realtimereportsv3>. Use one of the following methods: + - In Threat Explorer, verify the **All email** view is selected \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry. + - In Threat Explorer or Real-time detections, select the **Malware** view \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry. + - In Threat Explorer or Real-time detections, select the **Phish** view \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry. ++- From the **Incidents** page at <https://security.microsoft.com/incidents>: For incidents with the **Product names** value **Microsoft Defender for Office 365**, select the incident by clicking on the **Incident name** value. In the incident details page that opens, select the **Evidence and responses** tab (view). In the **All evidence** tab and the **Entity type** value **Email** or the **Emails** tab, select the entry by clicking anywhere in the row other than the check box. ++- From the **Quarantine** page at <https://security.microsoft.com/quarantine>: Verify the **Email** tab is selected \> select an entry by clicking anywhere in the row other than the check box. ++- From the **Submissions** page at <https://security.microsoft.com/reportsubmission>: + - Select the **Emails** tab \> select an entry by clicking anywhere in the row other than the check box. + - Select the **User reported** tab \> select an entry by clicking anywhere in the row other than the check box. ++## What's on the Email entity page +++The details pane on the left side of the page contains collapsible sections with details about the message. These sections remain constant as long as you're on the page. The available sections are: ++- **Tags** section. Shows any user tags (including Priority account) that are assigned to senders or recipients. For more information about user tags, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). +- **Detection details** section: + - **Original Threats** + - **Original delivery location**: + - **Deleted Items folder** + - **Dropped** + - **Delivered failed** + - **Inbox folder** + - **Junk Email folder** + - **External** + - **Quarantine** + - **Unknown** + - **Latest Threats** + - **Latest delivery location**: The location of the message after system actions on the message (for example, [ZAP](zero-hour-auto-purge.md)), or admin actions on the message (for example, [Move to Deleted Items](threat-explorer-threat-hunting.md#email-remediation)). User actions on the message (for example, deleting or archiving the message) aren't shown, so this value doesn't guarantee the _current location_ of the message. ++ > [!TIP] + > There are scenarios where **Original delivery location**/**Latest delivery location** and/or **Delivery action** have the value **Unknown**. For example: + > + > - The message was delivered (**Delivery action** is **Delivered**), but an Inbox rule moved the message to a default folder other than the Inbox or Junk Email folder (for example, the Draft or Archive folder). + > - ZAP attempted to move the message after delivery, but the message wasn't found (for example, the user moved or deleted the message). ++ - **Detection technology**: + - **Advanced filter**: Phishing signals based on machine learning. + - **Campaign**: Messages identified as part of a [campaign](campaigns.md). + - **File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis. + - **File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations. + - **File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations. + - **Fingerprint matching**: The message closely resembles a previous detected malicious message. + - **General filter**: Phishing signals based on analyst rules. + - **Impersonation brand**: Sender impersonation of well-known brands. + - **Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). + - **Impersonation user**: Impersonation of protected senders that you specified in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) or learned through mailbox intelligence. + - **Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). + - **Mixed analysis detection**: Multiple filters contributed to the message verdict. + - **Spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md). + - **Spoof external domain**: Sender email address spoofing using a domain that's external to your organization. + - **Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization. + - **URL detonation**: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis. + - **URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations. + - **URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations. + - **Delivery action**: + - **Delivered** + - **Junked** + - **Blocked** + - **Primary Override : Source** + - Values for **Primary override**: + - **Allowed by organization policy** + - **Allowed by user policy** + - **Blocked by organization policy** + - **Blocked by user policy** + - **None** + - Values for **Primary override source**: + - **3rd Party Filter** + - **Admin initiated time travel** (ZAP) + - **Antimalware policy block by file type** + - **Antispam policy settings** + - **Connection policy** + - **Exchange transport rule** + - **Exclusive mode (User override)** + - **Filtering skipped due to on-prem organization** + - **IP region filter from policy** + - **Language filter from policy** + - **Phishing Simulation** + - **Quarantine release** + - **SecOps Mailbox** + - **Sender address list (Admin Override)** + - **Sender address list (User override)** + - **Sender domain list (Admin Override)** + - **Sender domain list (User override)** + - **Tenant Allow/Block List file block** + - **Tenant Allow/Block List sender email address block** + - **Tenant Allow/Block List spoof block** + - **Tenant Allow/Block List URL block** + - **Trusted contact list (User override)** + - **Trusted domain (User override)** + - **Trusted recipient (User override)** + - **Trusted senders only (User override)** +- **Email details** section: + - **Directionality**: + - **Inbound** + - **Intra-irg** + - **Outbound** + - **Recipient (To)**<sup>\*</sup> + - **Sender**<sup>\*</sup> + - **Time received** + - **Internet Message ID**<sup>\*</sup>: Available in the **Message-ID** header field in the message header. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets). + - **Network Message ID**<sup>\*</sup>: A GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header field in the message header. + - **Cluster ID** + - **Language** ++ <sup>\*</sup> The :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy to clipboard** action is available to copy the value. ++The tabs (views) along the top of the page allow you to investigate email efficiently. These views are described in the following subsections. ++### Timeline view ++The **Timeline** view shows the delivery and post-delivery events that happened to the message. ++The following message event information is available in the view. Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected. ++- **Timeline** (date/time of the event) +- **Source**: For example: **System**, **Admin, or **User**. +- **Event types** +- **Result** +- **Threats** +- **Details** ++If nothing happened to the message after delivery, the message is likely to have only one row in the **Timeline** view with the **Event types** value **Original delivery**. For example: ++- The **Result** value is **Inbox folder - Delivered**. +- The **Result** value is **Junk email folder - Delivered to Junk** +- The **Result** value is **Quarantine - Blocked**. ++Subsequent actions to the message by users, admins, or Microsoft 365 add more rows to the view. For example: ++- The **Event types** value is **ZAP** and the **Result** value is **Message moved to Quarantine by ZAP**. +- The **Event types** value is **Quarantine Release** and the **Result** value is **Message was successfully released from Quarantine**. ++Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find information on the page. Type text in the box and then press the ENTER key. ++Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the data in the view to a CSV file. The default filename is **- Microsoft Defender.csv** and the default location is the **Downloads** folder. If a file with that name already exists, the filename is appended with a number (for example, **- Microsoft Defender(1).csv**). +++### Analysis view ++The **Analysis** view contains information that helps you analyze the message in depth. The following information is available in this view: ++- **Threat detection details** section: Information about threats detected in the message: + - **Threats**: The primary threat is indicated by :::image type="icon" source="../../media/m365-cc-sc-primary-threat-icon.png" border="false"::: **Primary threat**. + - **Confidence level**: Values are **High**, **Medium**, or **Low**. + - **Priority account protection**: Values are **Yes** or **No**. For more information, see [Configure and review priority account protection in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md). +- **Email detection details** section: Information about protection features or overrides that affected the message: + - **All Overrides**: All organization or user settings that had the possibility to alter the intended delivery location of the message. For example, if the message matched a mail flow rule and a block entry in the [Tenant Allow/Block List](tenant-allow-block-list-about.md), both settings are listed here. The **Primary Override : Source** property value identifies the setting that actually affected the delivery of the message. + - **Primary Override : Source**: Shows the organization or user setting that altered the intended delivery location of the message (allowed instead of blocked, or blocked instead of allowed). For example: + - The message was blocked by a mail flow rule. + - The message was allowed due to an entry in the user's [Safe Senders list](configure-junk-email-settings-on-exo-mailboxes.md). + - **Exchange transport rules** (mail flow rules): If the message was affected by mail flow rules, the rule names and GUID vales are shown. Actions taken on messages by mail flow rules occur before spam and phishing verdicts. ++ The :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy to clipboard** action is available to copy the rule GUID. For more information about mail flow rules, see [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules). ++ The **Go to Exchange admin center** link opens the **Rules** page in the new Exchange admin center at <https://admin.exchange.microsoft.com/#/transportrules>. ++ - **Connector**: If the message was delivered through an Inbound connector, the connector name is shown. For more information about connectors, see [Configure mail flow using connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow). + - **Bulk complaint level (BCL)**: A higher BCL value indicates the message is more likely to be spam. For more information, see [Bulk complaint level (BCL) in EOP](anti-spam-bulk-complaint-level-bcl-about.md). + - **Policy**: If a policy type is listed here (for example, **Spam**), select **Configure** :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: to open the related policy page (for example, the **Anti-spam policies** page at <https://security.microsoft.com/antispam>). + - **Policy action** + - **Alert ID**: Select the Alert ID value to open the details page for the alert (as if you found and selected the alert from the **Alerts** page at <https://security.microsoft.com/alerts>). The :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy to clipboard** action is also available to copy the Alert ID value. + - **Policy type** + - **Client type**: Shows the type of client that sent the message (for example, REST) + - **Email size** + - **Data loss prevention rules** +- **Sender-Recipient details** section: Details about the message sender and some recipient information: + - **Sender display name** + - **Sender address**<sup>\*</sup> + - **Sender IP** + - **Sender domain name**<sup>\*</sup> + - **Domain creation date**: A recently created domain and other message signals can identify the message as suspicious. + - **Domain owner** + - **Sender MAIL FROM address**<sup>\*</sup> + - **Sender MAIL FROM domain name**<sup>\*</sup> + - **Return-Path** + - **Return-Path domain** + - **Location** + - **Recipient domain**<sup>\*</sup> + - **To**: Shows the first 5,000 characters of any email addresses in the To field of the message. + - **Cc**: Shows the first 5,000 characters of any email addresses in the Cc field of the message. + - **Distribution list**: Shows the distribution group (distribution list) if the recipient received the email as a member of the list. The top level distribution group is shown for nested distribution groups. + - **Forwarding**: Indicates whether the message was [automatically forwarded to an external email address](outbound-spam-policies-external-email-forwarding.md). The forwarding user and the forwarding type are shown (mail flow rules, Inbox rules, or SMTP forwarding). ++ <sup>\*</sup> The :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy to clipboard** action is available to copy the value. ++- **Authentication** section: Details about [email authentication](email-authentication-about.md) results: + - **[Domain-based Message Authentication (DMARC)](email-authentication-dmarc-configure.md)** + - `Pass`: The DMARC check for the message passed. + - `Fail`: The DMARC check for the message failed. + - `BestGuessPass`: The DMARC TXT record for the domain doesn't, but if one existed, the DMARC check for the message would have passed. + - None: Indicates that no DMARC TXT record exists for the sending domain in DNS. + - **[DomainKeys identified mail (DKIM)](email-authentication-dkim-configure.md)**: Values are: + - `Pass`: The DKIM check for the message passed. + - `Fail (reason)`: The DKIM check for the message failed. For example, the message wasn't DKIM signed or the DKIM signature wasn't verified. + - `None`: The message wasn't DKIM signed. This result might or might not indicate that the domain has a DKIM record, or that the DKIM record doesn't evaluate to a result. This result only indicates that this message wasn't signed. + - **[Sender Policy Framework (SPF)](email-authentication-spf-configure.md)**: Values are: + - `Pass (IP address)`: The SPF check found the message source is valid for the domain. + - `Fail (IP address)`: The SPF check found the message source isn't valid for the domain, and the enforcement rule in the SPF record is `-all` (hard fail). + - `SoftFail (reason)`: The SPF check found the message source isn't valid for the domain, and the enforcement rule in the SPF record is `~all` (soft fail). + - `Neutral`: The SPF check found the message source isn't valid for the domain, and the enforcement rule in the SPF record is `?all` (neutral). + - `None`: The domain doesn't have an SPF record, or the SPF record doesn't evaluate to a result. + - `TempError`: The SPF check encountered a temporary error (for example, a DNS error). The same check later might succeed. + - `PermError`: The SPF check encountered a permanent error. For example, the domain has a [badly formatted SPF record](email-authentication-spf-configure.md#troubleshooting-spf-txt-records). + - **Composite authentication**: SPF, DKIM, DMARC, and other information determines if the message sender (the From address) is authentic. For more information, see [Composite authentication](email-authentication-about.md#composite-authentication). +- **Related entities** section: Information about attachments and URLs in the message: + - **Entity**: Selecting **Attachments** or **URLs** takes you to the Attachments view or the URL view of the Email entity page for the message. + - **Total count** + - **Threats found**: The values are **Yes** or **No**. +- Message details area: + - **Plain-text email header** tab: Contains the entire message header in plain text. Select :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy message header** to copy the message header. Select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Microsoft Message Header Analyzer** to open the Message Header Analyzer at <https://mha.azurewebsites.net/pages/mha.html>. Paste the copied message header into the page, and then select **Analyze headers** for details about the message headers and values. + - **To** tab: Shows the first 5,000 characters of any email addresses in the To field of the message. + - **Cc** tab: Shows the first 5,000 characters of any email addresses in the Cc field of the message. +++### Attachments view -See email details in the experiences below, including [previewing and downloading the email](#email-preview-and-download-for-cloud-mailboxes), the email headers *with the option to copy*, Detection details, Threats detected, Latest and Original delivery locations, Delivery actions, and IDs like Alert ID, Network Message ID and more. +The **Attachments** view shows information about all file attachments in the message, and the scanning results of those attachments. -## Where to find the Email email entity page +The following attachment information is available in this view. Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected. -The :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** action is available in the Microsoft Defender portal wherever you find details about email messages. For example: +- **Attachment filename**: If you click on the filename value +- **File type** +- **File size** +- **File extension** +- **Threat** +- **Malware family** +- **Attachment SHA256**: The :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy to clipboard** action is available to copy the SHA256 value. +- **Details** -- Advanced Hunting-- Alerts-- Reporting-- Action Center-- **Threat Explorer** (**Explorer**) on the **Explorer** page at <https://security.microsoft.com/threatexplorerv3> or **Real-time detections** on the **Real-time detections** page at <https://security.microsoft.com/realtimereportsv3>, use one of the following methods:- - Verify the **All email** view is selected \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry. - - Select the **Malware** view \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry. - - Select the **Phish** view \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry. +Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find information on the page. Type text in the box and then press the ENTER key. - **Open email entity** is available at the top of the Subject details flyout that opens. For more information, see [Email view for the details area of the All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer). +Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the data in the view to a CSV file. The default filename is **- Microsoft Defender.csv** and the default location is the **Downloads** folder. If a file with that name already exists, the filename is appended with a number (for example, **- Microsoft Defender(1).csv**). -- **Quarantine**: On the **Quarantine** page at <https://security.microsoft.com/quarantine> \> verify the **Email** tab is selected \> select an entry by clicking anywhere in the row other than the check box. **Open email entity** is available at the top of the details flyout that opens. For more information, see [View quarantined email details](quarantine-admin-manage-messages-files.md#view-quarantined-email-details).-- **Admin email submissions**: On the **Submissions** page at <https://security.microsoft.com/reportsubmission> \> select the **Emails** tab \> select an entry by clicking anywhere in the row other than the check box. **Open email entity** is available at the top of the details flyout that opens. For more information, see [View email attachment admin submissions to Microsoft](submissions-admin.md#view-email-attachment-admin-submissions-to-microsoft).-- **User reported email submissions**: On the **Submissions** page at <https://security.microsoft.com/reportsubmission> \> select the **User reported** tab \> select an entry by clicking anywhere in the row other than the check box. **Open email entity** is available at the top of the details flyout that opens. For more information, see [View user reported messages to Microsoft](submissions-admin.md#view-user-reported-messages-to-microsoft).++#### Attachment details ++If you select an entry in the **Attachments** view by clicking on the **Attachment filename** value, a details flyout opens that contains the following information: ++- **Deep analysis** tab: Information is available on this tab if [Safe Attachments](safe-attachments-about.md) scanned (detonated) the attachment. You can identify these messages in Threat Explorer by using the query filter **Detection technology** with the value **File detonation**. ++ - **Detonation chain** section: Safe Attachments detonation of a single file can trigger multiple detonations. The _detonation chain_ tracks the path of detonations, including the original malicious file that caused the verdict, and all other files affected by the detonation. These attached files might not be directly present in the email. But, including the analysis is important to determining why the file was found to be malicious. ++ If no detonation chain information is available, the value **No detonation tree** is shown. Otherwise, you can select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to download the detonation chain information to a CSV file. The default filename is **Detonation chain.csv** and the default location is the **Downloads** folder. If a file with that name already exists, the filename is appended with a number (for example, **Detonation chain(1).csv**). The CSV file contains the following information: + - **Top**: The top level file. + - **Level1**: The next level file. + - **Level2**: The next level file. + - and so on. ++ The detonation chain and the CSV file might show just the top level item if none of the entities linked to it were found to be problematic or were detonated. ++ - **Summary** section: If no detonation summary information is available, the value **No detonation summary** is shown. Otherwise, the following detonation summary information is available: + - **Analysis time** + - **Verdict**: The verdict on the attachment itself. + - **More info**: The file size in bytes. + - **Indicators of compromise** ++ - **Screenshots section**: Show any screenshots that were captured during detonation. No screenshots are captured for container files like ZIP or RAR that contain other files. + + If no detonation screenshots are available, the value **No screenshots to display** is shown. Otherwise, select the link to view the screenshot. + - **Behavior details** section: Shows the exact events that took place during detonation, and problematic or benign observations that contain URLs, IPs, domains, and files that were found during detonation. There might not be any behavior details for container files like ZIP or RAR that contain other files. -> [!NOTE] -> The permissions needed to view and use this page are the same as to view **Explorer**. The admin must be a member of Global admin or global reader, or Security admin or Security Reader. For more information, see [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md). + If no behavior details information is available, the value **No detonation behaviors** is shown. Otherwise, you can select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to download the behavioral details information to a CSV file. The default filename is **Behavior details.csv** and the default location is the **Downloads** folder. If a file with that name already exists, the filename is appended with a number (for example, **Behavior details(1).csv**). The CSV file contains the following information: + - **Time** + - **Behavior** + - **Behavior property** + - **Process (PID)** + - **Operation** + - **Target** + - **Details** + - **Result** +- **File info** tab: The **File details** section contains the following information: + - **File name** + - **SHA256** + - **File size** (in bytes) -## How to read the email entity page +When you're finished in the file details flyout, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: **Close**. -The structure is designed to be easy to read and navigate through at a glance. Various tabs along the top of the page allow you to investigate in more detail. Here's how the layout works: -1. The most required fields are on the left side of the fly-out. These details are 'sticky', meaning they're anchored to the left no matter the tab you navigate to in the rest of the fly-out. +#### Block attachments from the Attachments view - :::image type="content" source="../../media/email-entities-3-left-panel.png" alt-text="The Graphic of the email entity page with the left side highlighted" lightbox="../../media/email-entities-3-left-panel.png"::: +If you select an entry in the **Attachments** view by selecting the check box next to the filename, the :::image type="icon" source="../../medi#block-entries-in-the-tenant-allowblock-list). Selecting **Block** starts the **Take action** wizard: -2. On the top-right corner are the actions that can be taken on an email. Any actions that can be taken through **Explorer** are also available through email entity page. +1. On the **Choose actions** page, configure one of following settings in the **Block file** section: + - **Never expire** on: This is the default value :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::. + - **Never expire** off: Slide the toggle to off :::image type="icon" source="../../media/scc-toggle-off.png" border="false"::: and then select a date in the **Remove on** box. - :::image type="content" source="../../media/email-entities-5-preview.png" alt-text="The Graphic of the email entity page with the right side highlighted" lightbox="../../media/email-entities-5-preview.png"::: + When you're finished on the **Choose actions** page, select **Next**. -3. Deeper analysis can be done by sorting through the rest of the page. Check the email detection details, email authentication status, and header. This area should be looked on a case-by-case basis, but the info in these tabs is available for any email. +2. On the **Choose target entities** page, verify the file that you want to block is selected, and then select **Next**. - :::image type="content" source="../../media/email-entities-4-middle-panel.png" alt-text="The main panel of the page which includes the email header and authentication status" lightbox="../../media/email-entities-4-middle-panel.png"::: +3. On the **Review and submit** page, configure the following settings: + - **Remediation name**: Enter a unique name to track the status in the Action center. + - **Description**: Enter an optional description. -### How to use the email entity page tabs + When you're finished on the **Review and submit** page, select **Submit**. -The tabs along the top of the entity page allow you to investigate email efficiently. +### URL view -1. **Timeline**: The timeline view for an email (per **Explorer** timeline) shows the original delivery to post-delivery events that happen on an email. For emails that have no post-delivery actions, the view shows the original delivery row in timeline view. Events like: Zero-hour auto purge (ZAP), Remediations, User and Admin submissions, Quarantine information, URL clicks and more, from sources like: system, admin, and user, show up here, in the order in which they occurred. -2. **Analysis**: Analysis shows fields that help admins analyze an email in depth. For cases where admins need to understand more about detection, sender / recipient, and email authentication details, they should use the Analysis tab. Links for Attachments and URLs are also found on this page, under 'Related Entities'. Both attachments and identified threats are numbered here, and clicking takes you straight to the Attachments and URL pages. This tab also has a View header option to *show the email header*. Admins can compare any detail from email headers, side by side with information on the main panel, for clarity. -3. **Attachments**: This examines attachments found in the email with other details found on attachments. The number of attachments shown is currently limited to 10. Notice that detonation details for attachments found to be malicious is also shown here. -4. **URLs**: This tab lists URLs found in the email with other details about the URLs. The number of URLs is limited to 10 right now, but these 10 are prioritized to show *malicious URLs first*. Prioritization saves you time and guess-work. The URLs that were found to be malicious and detonated are also shown here. -5. **Similar emails**: This tab lists all emails similar to the *network message id + recipient* combination specific to this email. Similarity is based on the *body of the message*, only. The determinations made on mails to categorize them as 'similar' don't include a consideration of *attachments*. +The **URL** view shows information about all URLs in the message, and the scanning results of those URLs. -## Available on the email entity page +The following attachment information is available in this view. Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected. -Here are some helpful specifics to get started. +- **URL** +- **Threat** +- **Source** +- **Details** -### Email preview and download for Cloud mailboxes +Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find information on the page. Type text in the box and then press the ENTER key. -Admins can preview and download emails in Cloud mailboxes, ***if*** the mails are still accessible to Microsoft in an Exchange Online mailbox. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), the emails are no longer present in the Exchange Online mailbox. In that case, admins won't be able to preview or download those specific emails. Emails that were dropped, or where delivery failed, never made it into the mailbox and as a result, admins won't be able to preview or download those emails either. +Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the data in the view to a CSV file. The default filename is **- Microsoft Defender.csv** and the default location is the **Downloads** folder. If a file with that name already exists, the filename is appended with a number (for example, **- Microsoft Defender(1).csv**). -> [!IMPORTANT] -> Previewing and downloading emails requires a special role called **Preview**. You can assign this role in the following locations: -> -> - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Raw data (email & collaboration)/Email & collaboration content (read)**. -> - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Data Investigator** or **eDiscovery Manager** role groups. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) and add the **Preview** role to it. -### Detonation details +#### URL details -These details are specific to email attachments and URLs. Users can see these details by going to Explorer and applying the *detection technology* filter set to file detonation or URL detonation. Emails filtered for file detonation will contain a malicious file with detonation details, and those filtered for URLs contain a malicious URL and its detonation details. +If you select an entry in the **URL** view by clicking on the **URL** value, a details flyout opens that contains the following information: -Users see enriched detonation details for known malicious attachments or URLs found in their emails, which got detonated for their specific tenant. It includes the Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated. +- **Deep analysis** tab: Information is available on this tab if [Safe Links](safe-links-about.md) scanned (detonated) the URL. You can identify these messages in Threat Explorer by using the query filter **Detection technology** with the value **URL detonation**. -1. *Detonation chain*. A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs affected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious. + - **Detonation chain** section: Safe Links detonation of a single URL can trigger multiple detonations. The _detonation chain_ tracks the path of detonations, including the original malicious URL that caused the verdict, and all other URLs affected by the detonation. These URLs might not be directly present in the email. But, including the analysis is important to determining why the URL was found to be malicious. - > [!NOTE] - > This may show just the top level item if none of the entities linked to it were found to be problematic, or were detonated. + If no detonation chain information is available, the value **No detonation tree** is shown. Otherwise, you can select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to download the detonation chain information to a CSV file. The default filename is **Detonation chain.csv** and the default location is the **Downloads** folder. If a file with that name already exists, the filename is appended with a number (for example, **Detonation chain(1).csv**). The CSV file contains the following information: + - **Top**: The top level file. + - **Level1**: The next level file. + - **Level2**: The next level file. + - and so on. -1. *Detonation Summary* gives a basic summary for detonation such as *analysis time*, the time when detonation occurred, OS and application, the operating system and application in which the detonation occurred, file size, and verdict reason. -1. *Screenshots* show the screenshots captured during detonation. There can be multiple screenshots during detonation. No screenshots are captured for - - Container type files like .zip or .rar. - - If a URL opens into a link that directly downloads a file. However, you'll see the downloaded file in the detonation chain. -1. *Behavior Details* are an export that shows behavior details like exact events that took place during detonation, and observables that contain URLs, IPs, domains, and files that were found during detonation (and can either be problematic or benign). Be aware, there may be no behavior details for: - - Container files like .zip or .rar that are holding other files. + The detonation chain and the CSV file might show just the top level item if none of the entities linked to it were found to be problematic or were detonated. + - **Summary** section: If no detonation summary information is available, the value **No detonation summary** is shown. Otherwise, the following detonation summary information is available: + - **Analysis time** + - **Verdict**: The verdict on the URL itself. -### Other features that make the Email entity page helpful + - **Screenshots section**: Show any screenshots that were captured during detonation. No screenshots are captured if the URL opens into a link that directly downloads a file. However, you see the downloaded file in the detonation chain. + + If no detonation screenshots are available, the value **No screenshots to display** is shown. Otherwise, select the link to view the screenshot. -*Tags*: These are tags applied to users. If the user is a recipient, admins will see a *recipient* tag. Likewise, if the user is a sender, a *sender* tag. This appears in the left side of the email entities page (in the part that's described as *sticky* and, thus, anchored to the page). + - **Behavior details** section: Shows the exact events that took place during detonation, and problematic or benign observations that contain URLs, IPs, domains, and files that were found during detonation. -*Latest delivery location*: The latest delivery location is the location where an email landed after system actions like ZAP, or admin actions like Move to Deleted Items, finish. Latest delivery location isn't intended to inform admins of the message's *current* location. For example, if a user deletes a message, or moves it to archive, the delivery location won't be updated. However, if a system action has taken place and updated the location (like a ZAP resulting in an email moving to quarantine) this would update the Latest delivery location to quarantine. + If no behavior details information is available, the value **No detonation behaviors** is shown. Otherwise, you can select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to download the behavioral details information to a CSV file. The default filename is **Behavior details.csv** and the default location is the **Downloads** folder. If a file with that name already exists, the filename is appended with a number (for example, **Behavior details(1).csv**). The CSV file contains the following information: + - **Time** + - **Behavior** + - **Behavior property** + - **Process (PID)** + - **Operation** + - **Target** + - **Details** + - **Result** +- **URL info** tab: The **URL details** section contains the following information: + - **URL** + - **Threat** -*Email details*: Details required for a deeper understanding of email available in the *Analysis* tab. +When you're finished in the file details flyout, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: **Close**. -- *Exchange mail flow rules (also known as transport rules)*: These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. Mail flow rules are created and modified in the Exchange admin center at <https://admin.exchange.microsoft.com/#/transportrules>, but if any mail flow rule applies to a message, the rule name and GUID will be shown here. Valuable information for tracking purposes. -- *Primary Override: Source*: Primary override and source refer to the tenant or user setting which impacted the delivery of the email, overriding the delivery location given by the system (as per the threat and detection technology). As an example, this could be an email blocked due to a tenant configured mail flow rule or an email allowed due to an end-user setting for Safe Senders.+#### Block URLs from the URL view -- *All Overrides*: All Overrides refer to the list of overrides (tenant or user settings) that was applied on the email, which may or may not have impacted the delivery of an email. As an example, if a tenant configured mail flow rule, as well as a tenant configured policy setting (for example, from the Tenant Allow/Block List), is applied to an email, then both will be listed in this field. You can check the primary override field to determine the setting that impacted the delivery of the email.+If you select an entry in the **URL** view by selecting the check box next to the filename, the :::image type="icon" source="../../medi#block-entries-in-the-tenant-allowblock-list). Selecting **Block** starts the **Take action** wizard: -- *Bulk Complaint Level (BCL)*: The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (the natural result if the email is likely to be spam).+1. On the **Choose actions** page, configure one of following settings in the **Block URL** section: + - **Never expire** on: This is the default value :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::. + - **Never expire** off: Slide the toggle to off :::image type="icon" source="../../media/scc-toggle-off.png" border="false"::: and then select a date in the **Remove on** box. -- *Spam Confidence Level (SCL)*: The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam.+ When you're finished on the **Choose actions** page, select **Next**. -- *Client type*: Indicates the Client type from which the email was sent like REST.+2. On the **Choose target entities** page, verify the URL that you want to block is selected, and then select **Next**. -- *Forwarding*: For scenarios with autoforwarding, it indicates the forwarding user as well as the forwarding type like ETR or SMTP forwarding.+3. On the **Review and submit** page, configure the following settings: + - **Remediation name**: Enter a unique name to track the status in the Action center. + - **Description**: Enter an optional description. -- *Distribution list*: Shows the distribution list, if the recipient received the email as a member of the list. It shows the top level distribution list if there are nested distribution lists involved.+ When you're finished on the **Review and submit** page, select **Submit**. -- *To, Cc*: Indicates the addresses that are listed in To, Cc fields of an email. The information in these fields is restricted to 5000 characters.+## Similar emails view -- *Domain Name*: Is the sender domain name.+The **Similar emails** view shows other email messages that have the same message body fingerprint as this message. Matching criteria in other messages doesn't apply for this view (for example, file attachment fingerprints). -- *Domain Owner*: Specifies the owner of the sending domain.+The following attachment information is available in this view. Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected. -- *Domain Location*: Specifies the location of the sending domain.+- **Date** +- **Subject** +- **Recipient** +- **Sender** +- **Sender IP** +- **Override** +- **Delivery action** +- **Delivery location** -- *Domain Created Date*: Specifies the date of creation of the sending domain. A newly created domain is something you could be cautious of if other signals indicate some suspicious behavior.+Use :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the entries by **Start date** and **End date**. -*Email Authentication*: Email authentication methods used by Microsoft 365 include SPF, DKIM, and DMARC. +Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find information on the page. Type text in the box and then press the ENTER key. -- Sender Policy Framework (**SPF**): Describes results for SPF check for the message. Possible values can be:- - Pass (IP address): The SPF check for the message passed and includes the sender's IP address. The client is authorized to send or relay email on behalf of the sender's domain. - - Fail (IP address): The SPF check for the message failed, and includes the sender's IP address. This is sometimes called hard fail. - - Softfail (reason): The SPF record designated the host as not being allowed to send but is in transition. - - Neutral: The SPF record explicitly states that it doesn't assert whether the IP address is authorized to send. - - None: The domain doesn't have an SPF record, or the SPF record doesn't evaluate to a result. - - Temperror: A temporary error has occurred. For example, a DNS error. The same check later might succeed. - - Permerror: A permanent error has occurred. For example, the domain has a badly formatted SPF record. +Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the data in the view to a CSV file. The default filename is **- Microsoft Defender.csv** and the default location is the **Downloads** folder. If a file with that name already exists, the filename is appended with a number (for example, **- Microsoft Defender(1).csv**). -- DomainKeys Identified Mail (**DKIM**):- - Pass: Indicates the DKIM check for the message passed. - - Fail (reason): Indicates the DKIM check for the message failed and why. For example, if the message wasn't signed or the signature wasn't verified. - - None: Indicates that the message wasn't signed. This may or may not indicate that the domain has a DKIM record or the DKIM record doesn't evaluate to a result, only that this message wasn't signed. -- Domain-based Message Authentication, Reporting, and Conformance (**DMARC**):- - Pass: Indicates the DMARC check for the message passed. - - Fail: Indicates the DMARC check for the message failed. - - Bestguesspass: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed. - - None: Indicates that no DMARC TXT record exists for the sending domain in DNS. +### Actions on the Email entity page -*Composite Authentication*: This is a value used by Microsoft 365 to combine email authentication like SPF, DKIM, and DMARC, to determine if the message is authentic. It uses the *From:* domain of the mail as the basis of evaluation. +The following actions are available at the top of the Email entity page: -## Actions you can take on the Email entity Page +- :::image type="icon" source="../../medi#remediate-using-take-action). +- :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Email preview**¹ ² +- :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options**: + - :::image type="icon" source="../../medi#view-quarantined-email). + - :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download email**¹ ² -Security teams can take email actions. For example: + > [!TIP] + > **Download email** isn't available for messages that were quarantined. Instead, [download a password protected copy of the message from quarantine](quarantine-admin-manage-messages-files.md#download-email-from-quarantine). -- Soft delete and hard delete.-- Move to junk.-- Move to inbox.-- Trigger an investigation.-- Submit to Microsoft for review in line.+¹ The **Email preview** and **Download email** actions require the **Preview** role. You can assign this role in the following locations: -You can also trigger **Tenant level block** actions for files, URLs, or senders from the Email entity page. +- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Raw data (email & collaboration)/Email & collaboration content (read)**. +- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Data Investigator** or **eDiscovery Manager** role groups. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Preview** role assigned, and add the users to the custom role group. -You'll be able to select **Take actions** from the top right corner of the entity page and this will open the Action wizard for you to select the specific action you need. +² You can preview or download email messages that are available in Microsoft 365 mailboxes. Examples of when messages are no longer available in mailboxes include: -> [!TIP] -> We're adding the ability to take multiple actions together. You can take email remediation actions, create submissions, tenant level block actions (block senders, domains, files, and URLs), investigative actions, and proposed remediation from the **same panel**. Actions are now contextual and grouped together depending on the **latest location of the email message**. ---In the existing Action wizard you can take email actions, create email submissions, block senders and sender domains, take investigative actions, and do two step approval (add to remediation) in the same flyout. The flyout follows a consistent flow for ease of use. The Action wizard uses the same system as Explorer actions (for example, for Delete, Submissions, and Investigation actions). You can see and track these actions in the Unified action center at <https://security.microsoft.com/action-center/history> (for deleted emails), on the Submission page at <https://security.microsoft.com/reportsubmission> (for submissions), and in the Tenant Allow/Block List at <https://security.microsoft.com/tenantAllowBlockList> page (for block entries). --> [!TIP] -> These enhancements bring the following benefits: -> -> - SecOps can now select multiple actions together in the single flow. -> - We grouped actions together for a logical grouping of good (false positive) and bad (false negative) message actions. -> - Actions are contextual in nature in the same panel. For example, if the message is in already in Inbox, the **Move to Inbox** action is grayed out. -> -> There are no changes to the action permissions. --We're also bringing tenant-level blocks for URLs and attachments to the respective **Email entity**, **URL**, and **Attachments** tabs. After approval, you can track the block entries for URLs and attachments on the **URLs** and **Files** tabs on the **Tenant Allow/Block List** page. ---See [permissions](mdo-portal-permissions.md) required to take these actions. --### The Email summary panel --The email summary panel is a summarized view of the full email entity page. It contains standardized details about the email (for example, detections), as well as context-specific information (for example, for Quarantine or Submissions metadata). The email summary panel replaces the traditional email flyouts throughout Microsoft Defender for Office 365. +- The message was dropped before delivery or delivery failed. +- The message was _soft deleted_ (deleted from the Deleted items folder, which moves the message to the Recoverable Items\Deletions folder). +- ZAP moved the message to quarantine. -> [!NOTE] -> To view all the components, click on the **Open email entity** link to open the full email entity page. +## The Email summary panel -The email summary panel is divided into the following sections: +The _Email summary panel_ is the email details flyout that's available in many features in Exchange Online Protection (EOP) and Defender for Office 365. The Email summary panel contains standardized summary information about the email message taken from the full details that are available on the Email entity page in Defender for Office 365. -- *Delivery details*: Contains information about threats and corresponding confidence level, detection technologies, and original and latest delivery location.+Where to find the Email summary panel is described in the [Where to find the Email entity page](#where-to-find-the-email-entity-page) section earlier in this article. The rest of this section describes the information that's available on the Email summary panel across all features. -- *Email details*: Contains information about email properties like sender name, sender address, time received, authentication details, and other several other details.--- *URLs*: By default, you see 3 URLs and their corresponding threats. You can always select **View all URLs** to expand and see all URLs and export them.--- *Attachments*: By default, you see 3 attachments. You can always select **View all attachments** to expand and see all attachments.--In addition to the above sections, you also see sections specific to few experiences that are integrated with the summary panel: --- Submissions:-- - *Submission details*: Contains information about the specific submissions such as: - - Date submitted - - Subject - - Submission type - - Reason for submitting - - Submission ID - - Submitted by -- - *Result details*: Messages that are submitted are reviewed. You can see the result of your submission as well as any recommended next steps. --- Quarantine:+> [!TIP] +> The Email summary panel is available from the **Action center** page at <https://security.microsoft.com/action-center/> on the **Pending** or **History** tabs. Select an action with the **Entity type** value **Email** by clicking anywhere in the row other than the check box or the **Investigation ID** value. The details flyout that opens is the Email summary panel, but :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** isn't available at the top of the flyout. - - *Quarantine details*: Contains quarantine-specific details. For more information, see [Manage quarantined messages](quarantine-admin-manage-messages-files.md#view-quarantined-email-details). +The following message information is available at the top of the Email summary panel: - - Expires: The date/time when the message is automatically and permanently deleted from quarantine. - - Released to: All email addresses (if any) to which the message has been released. - - Not yet released to: All email addresses (if any) to which the message hasn't yet been released. +- The title of the flyout is the message Subject value. +- The number of attachments and links in the message (not present in all features). +- Any user tags that are assigned to the recipients of the message (including the Priority account tag). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md) +- The actions that are available at the top of the flyout depend on where you opened the Email summary panel. The available actions are described in the individual feature articles. - - *Quarantine actions*: For more information on different quarantine actions, see [Manage quarantined messages](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-email). +> [!TIP] +> To see details about other messages without leaving the Email summary panel of the current message, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. ++The following sections are available on the Email summary panel for all features (it doesn't matter where you opened the Email summary panel from): ++- **Delivery details** section: + - **Original threats** + - **Latest threats** + - **Original location** + - **Latest delivery location** + - **Delivery action** + - **Detection technologies** + - **Primary override : Source** ++- **Email details** section: + - **Sender display name** + - **Sender address** + - **Sender email from address** + - **Sent on behalf of** + - **Return path** + - **Sender IP** + - **Location** + - **Recipient(s)** + - **Time received** + - **Directionality** + - **Network message ID** + - **Internet message ID** + - **Campaign ID** + - **DMARC** + - **DKIM** + - **SPF** + - **Composite authentication** ++- **URLs** section: Details about any URLs in the message: + - **URL** + - **Threat** status ++ If the message has more than three URLs, select **View all URLs** to see all of them. ++- **Attachments** section: Details about any file attachments in the message: + - **Attachment name** + - **Threat** + - **Detection tech / Malware family** ++ If the message has more than three attachments, select **View all attachments** to see all of them. + |
security | Mdo Sec Ops Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md | The following permissions (roles and role groups) are available in Defender for - **Exchange Online** and **Email & collaboration**: Roles and role groups that grant permission specific to Microsoft Defender for Office 365. The following roles aren't available in Microsoft Entra ID, but can be important for security teams: - - **Preview** role (Email & collaboration): Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to preview and download email messages from cloud mailboxes using [Threat Explorer (Explorer) or Real-time detections](threat-explorer-real-time-detections-about.md#about-threat-explorer-and-real-time-detections-in-microsoft-defender-for-office-365) and the [Email entity page](mdo-email-entity-page.md#email-preview-and-download-for-cloud-mailboxes). + - **Preview** role (Email & collaboration): Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to preview and download email messages from cloud mailboxes using [Threat Explorer (Explorer) or Real-time detections](threat-explorer-real-time-detections-about.md#about-threat-explorer-and-real-time-detections-in-microsoft-defender-for-office-365) and the [Email entity page](mdo-email-entity-page.md). By default, the **Preview** role is assigned only to the following role groups: |
security | Mdo Support Teams About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-support-teams-about.md | In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams pro - **Teams messages in quarantine**: As with email messages that are identified as malware or high confidence phishing, only admins are able to manage Teams messages that are quarantined by ZAP for Teams by default. For more information, see [Manage quarantined Teams messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages). -- The **Teams Message Entity Panel** is a single place to store all Teams message metadata for immediate SecOps review. Any threats coming from Teams chats, group chats, meeting chats, and other channels can be found in one place as soon as they're assessed. For more information, see [Teams Message Entity Panel for Microsoft Teams](teams-message-entity-panel.md).+- The **Teams message entity panel** is a single place to store all Teams message metadata for immediate SecOps review. Any threats coming from Teams chats, group chats, meeting chats, and other channels can be found in one place as soon as they're assessed. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md). - **Attack simulation training using Teams messages**: To ensure users are resilient to phishing attacks in Microsoft Teams, admins can configure phishing simulations using Teams messages instead of email messages. For more information, see [Microsoft Teams in Attack simulation training](attack-simulation-training-teams.md). |
security | Priority Accounts Turn On Priority Account Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection.md | To view the results of priority account protection in Threat Explorer, do the fo ### Email entity page -The email entity page is available from many locations in the Defender portal, including **Threat Explorer** (also known as **Explorer**). For more information, see [The Email entity page](mdo-email-entity-page.md). +The Email entity page is available from many locations in the Defender portal, including **Threat Explorer** (also known as **Explorer**). For more information, see [The Email entity page](mdo-email-entity-page.md). On the Email entity page, select the **Analysis** tab. **Priority account protection** is listed in the **Threat detection details** section. |
security | Quarantine Admin Manage Messages Files | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md | After you find a specific quarantined message, select the message to view detail > [!TIP] > On mobile devices, the previously described controls are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**. >-> :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png"::: +> :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Screenshot of selecting a quarantined message and then selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png"::: ### View quarantined email details After you find a specific quarantined message, select the message to view detail In the details flyout that opens, the following information is available: + > [!TIP] + > The actions that are available at the top of the flyout are described in [Take action on quarantined email](#take-action-on-quarantined-email). + > + > To see details about other quarantined messages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. + - **Quarantine details** section: - **Received**: The date/time when the message was received. - **Expires**: The date/time when the message is automatically and permanently deleted from quarantine. In the details flyout that opens, the following information is available: Recipient email addresses always resolve to the primary email address, even if the message was sent to a [proxy address](/exchange/recipients-in-exchange-online/manage-user-mailboxes/add-or-remove-email-addresses). - - **Released to**: All email addresses (if any) to which the message has been released. -- **Delivery details** section:- - **Threats** - - **Delivery action** - - **Original location** - - **Latest delivery location** - - **Detection technologies** - - **Primary override** -- **Email details** section:- - **Sender display name** - - **Sender address** - - **SMTP Mail From address** - - **Sent on behalf of** - - **Return path** - - **Sender IP** - - **Location** - - **Recipients** - - **Time received** - - **Directionality** - - **Network message ID** - - **Internet message ID** - - **Campaign ID** - - **DMARC** - - **DKIM** - - **SPF** - - **Composite authentication** -- **URLs** section-- **Attachments** section-+ - **Released to** or **Not yet released to**: If the message requires review by an admin before it's released: + - **Released to**: Email addresses of recipients that the message was released to. + - **Not yet released to**: Email addresses of recipients that the message hasn't been released to. ++The rest of the details flyout contains the **Delivery details**, **Email details**, **URLs**, and **Attachments** sections that are part of the _Email summary panel_. For more information, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel). + To take action on the message, see the next section. To take action on the message, see the next section. - Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out. - :::image type="content" source="../../media/quarantine-message-selected-message-actions.png" alt-text="Available actions after you select a quarantined message on the Email tab of the Quarantine page." lightbox="../../media/quarantine-message-selected-message-actions.png"::: + :::image type="content" source="../../media/quarantine-message-selected-message-actions.png" alt-text="Screenshot of the available actions after you select the check box of a quarantined message on the Email tab on the Quarantine page." lightbox="../../media/quarantine-message-selected-message-actions.png"::: - Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens. - :::image type="content" source="../../media/quarantine-message-details-flyout-actions.png" alt-text="Available actions in the details flyout of a selected message." lightbox="../../media/quarantine-message-details-flyout-actions.png"::: + :::image type="content" source="../../media/quarantine-message-details-flyout-actions.png" alt-text="Screenshot of the available actions in the details flyout that opens after you select a quarantined message on the Email tab of the Quarantine page." lightbox="../../media/quarantine-message-details-flyout-actions.png"::: Using either method to select the message, many actions are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** or **More options**. After you select the quarantined message, the available actions are described in > > - When you select the message by selecting the check box, all actions are under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**: >-> :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png"::: +> :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Screenshot of selecting a quarantined message and selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png"::: > > - When you select the message by clicking anywhere in the row other than the check box, description text isn't available on some of the action icons in the details flyout. But, the actions and their order is the same as on a PC: >-> :::image type="content" source="../../media/quarantine-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions being highlighted" lightbox="../../media/quarantine-message-details-flyout-mobile-actions.png"::: +> :::image type="content" source="../../media/quarantine-message-details-flyout-mobile-actions.png" alt-text="Screenshot of the details of a quarantined message with available actions highlighted." lightbox="../../media/quarantine-message-details-flyout-mobile-actions.png"::: #### Release quarantined email Accept or change the downloaded file details, and then select **Save**. Back on the **Download file** flyout, select **Done**. -#### Actions for quarantined email messages in Defender for Office 365 Plan 2 +#### Actions for quarantined email messages in Defender for Office 365 -In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), the following actions are also available in the details flyout of a selected message: +In organizations with Microsoft Defender for Office 365 (add-on licenses or included in subscriptions like Microsoft 365 E5 or Microsoft 365 Business Premium), the following actions are also available in the details flyout of a selected message: -- :::image type="icon" source="../../medi#how-to-read-the-email-entity-page).+- :::image type="icon" source="../../medi#whats-on-the-email-entity-page). -- :::image type="icon" source="../../medi#actions-you-can-take-on-the-email-entity-page).+- :::image type="icon" source="../../medi#actions-on-the-email-entity-page). #### Take action on multiple quarantined email messages When you select multiple quarantined messages on the **Email** tab by selecting - [Download email from quarantine](#download-email-from-quarantine) ### Find who deleted a quarantined message After you find a specific quarantined file, select the file to view details abou In the details flyout that opens, the following information is available: - **File details** section: - **File Name** To take action on the file, see the next section. After you select the quarantined file, the available actions in the file details flyout that opens are described in the following subsections. #### Release quarantined files from quarantine When you select multiple quarantined files on the **Files** tab by selecting the - [Delete quarantined files from quarantine](#delete-quarantined-files-from-quarantine) - [Download quarantined files from quarantine](#download-quarantined-files-from-quarantine) ## Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages -Quarantine in Microsoft Teams is available only in organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5) +> [!TIP] +> [Zero-hour auto purge (ZAP) in Microsoft Teams](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams) is currently in Preview, isn't available in all organizations, and is subject to change. ++Quarantine in Microsoft Teams is available only in organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5). When a potentially malicious chat message is detected in Microsoft Teams, zero-hour auto purge (ZAP) removes the message and quarantines it. Admins can view and manage these quarantined Teams messages. The message is quarantined for 30 days. After that the Teams message is permanently removed. This feature is enabled by default. -### View quarantined messages in Microsoft Teams +### View quarantined Teams messages In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>. - On the **Teams messages** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>): Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" bor After you find a specific quarantined Teams message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message). -### View quarantined message details in Microsoft Teams +### View quarantined Teams message details -1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>. +On the **Teams messages** tab of the **Quarantine** page, select the quarantined message by clicking anywhere in the row other than the check box next to the first column. -2. On the **Teams messages** tab, select the quarantined message by clicking anywhere in the row other than the check box. +The following message information is available at the top of the details flyout: -In the details flyout that opens, the following information is available: +- The title of the flyout is the subject or the first 100 characters of the Teams message. +- The **Quarantine reason** value. +- The number of links in the message. +- The available actions are described in the [Take action on quarantined Teams messages](#take-action-on-quarantined-teams-messages) section. +> [!TIP] +> To see details about other quarantined Teams messages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. -- **Quarantine details** section: Includes quarantine reason, expiry date, quarantine policy type, and other information.-- **Message details** section: Includes the primary threat reason, date and time of the message sent, and the sender address. Also includes the Teams message ID and the detection technology.-- **Sender** section: Includes the sender name, their domain location, and whether the sender is from outside the organization.-- **Participants** section: The names and email IDs of all the people who received the same message.-- **URLs** section: Includes the details of any malicious URLs that were detected in the chat message.+The next section in the details flyout is related to quarantined Teams messages: -To take action on the message, see the next section. +- **Quarantine details** section: + - **Expires** + - **Time received** + - **Quarantine reason** + - **Release status** + - **Policy type**: The value is **None**. + - **Policy name**: The value is **Teams Protection Policy**. + - **Quarantine policy** -> [!TIP] -> To see details about other quarantined messages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. +The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams mMessage entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md). -### Take action on quarantined messages in Microsoft Teams +When you're finished in the details flyout, select **Close**. -1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>. -2. On the **Teams messages** tab, select the quarantined message by using either of the following methods: +### Take action on quarantined Teams messages - - Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out. +In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>. - :::image type="content" source="../../media/quarantine-teams-message-selected-message-actions.png" alt-text="Available actions after you select a quarantined message on the Teams message tab of the Quarantine page." lightbox="../../media/quarantine-teams-message-selected-message-actions.png"::: +On the **Teams messages** tab, select the quarantined message by using either of the following methods: - - Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens. +- Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out. ++ :::image type="content" source="../../media/quarantine-teams-message-selected-message-actions.png" alt-text="Screenshot of the available actions after you select the check box of a quarantined Teams message on the Teams message tab of the Quarantine page." lightbox="../../media/quarantine-teams-message-selected-message-actions.png"::: ++- Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens. - :::image type="content" source="../../media/admin-quarantine-teams-actions-details.png" alt-text="Screenshot of the actions menu for messages in quarantine." lightbox="../../media/admin-quarantine-teams-actions-details.png"::: + :::image type="content" source="../../media/quarantine-teams-details-flyout-actions.png" alt-text="Screenshot of the available actions in the details flyout that opens after you select a quarantined Teams message from the Teams messages tab of the Quarantine page." lightbox="../../media/quarantine-teams-details-flyout-actions.png"::: - Using either method to select the message, some actions are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**. +Using either method to select the message, some actions are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**. After you select the quarantined message, the available actions are described in the following subsections. After you select the Teams message, use either of the following methods to previ - **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: :::image type="icon" source="../../media/m365-cc-sc-preview-message-icon.png" border="false"::: **Preview message**. In the flyout that opens, choose one of the following tabs:- - **Source**: Shows the HTML version of the message body with all links disabled. - - **Plain text**: Shows the message body in plain text. ++- **Source**: Shows the HTML version of the message body with all links disabled. +- **Plain text**: Shows the message body in plain text. #### Report Teams messages to Microsoft for review from quarantine When you select multiple quarantined messages on the **Teams messages** tab by s - [Report Teams messages to Microsoft for review from quarantine](#report-teams-messages-to-microsoft-for-review-from-quarantine) - [Download Teams messages from quarantine](#download-teams-messages-from-quarantine) #### Approve or deny release requests from users for quarantined Teams messages |
security | Reports Email Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md | Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord - **Date (UTC)**: **Start date** and **End date**. - **Activity**: **Restricted** or **Suspicious**-- **Tag**: Select **All** or the specified user tag (including priority accounts). For more information, see [User tags](user-tags-about.md).+- **Tag**: Select **All** or the specified user tag (including Priority account). For more information, see [User tags](user-tags-about.md). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. On the **Direction** tab, the :::image type="icon" source="../../media/m365-cc-s ### Mailflow view for the Mailflow status report -The **Mailflow** tab shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. This view uses a horizontal flow diagram (known as a *Sankey* diagram) to provide details on the total email count, and how threat protection features affect this count. +The **Mailflow** tab shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. This view uses a horizontal flow diagram (known as a _Sankey_ diagram) to provide details on the total email count, and how threat protection features affect this count. :::image type="content" source="../../media/mail-flow-status-report-mailflow-view.png" alt-text="The Mailflow view in the Mailflow status report." lightbox="../../media/mail-flow-status-report-mailflow-view.png"::: Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. +If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains summarized information that's also available on the [Email entity page in Defender for Office 365](mdo-email-entity-page.md) for the message. For details about the information in the Email summary panel, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel). ++In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report: ++- :::image type="icon" source="../../medi). +- :::image type="icon" source="../../medi#remediate-using-take-action). + On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available. ### View data by Email \> Spam and Chart breakdown by Detection Technology Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. +If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains summarized information that's also available on the [Email entity page in Defender for Office 365](mdo-email-entity-page.md) for the message. For details about the information in the Email summary panel, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel). ++In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report: ++- :::image type="icon" source="../../medi). +- :::image type="icon" source="../../medi#remediate-using-take-action). + On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available. ### View data by Email \> Malware and Chart breakdown by Detection Technology Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. +If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains summarized information that's also available on the [Email entity page in Defender for Office 365](mdo-email-entity-page.md) for the message. For details about the information in the Email summary panel, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel). ++In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report: ++- :::image type="icon" source="../../medi). +- :::image type="icon" source="../../medi#remediate-using-take-action). + On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available. ### Chart breakdown by Policy type Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. +If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains summarized information that's also available on the [Email entity page in Defender for Office 365](mdo-email-entity-page.md) for the message. For details about the information in the Email summary panel, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel). ++In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report: ++- :::image type="icon" source="../../medi). +- :::image type="icon" source="../../medi#remediate-using-take-action). + On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available. ### Chart breakdown by Delivery status Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. +If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains summarized information that's also available on the [Email entity page in Defender for Office 365](mdo-email-entity-page.md) for the message. For details about the information in the Email summary panel, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel). ++In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report: ++- :::image type="icon" source="../../medi). +- :::image type="icon" source="../../medi#remediate-using-take-action). + On the **Threat protection status** page, the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available. ### View data by Content \> Malware For each chart, the details table below the chart shows the following informatio Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens: - **Date (UTC)** **Start date** and **End date**-- **Tag**: Select **All** or the specified user tag (including priority accounts). For more information, see [User tags](user-tags-about.md).+- **Tag**: Select **All** or the specified user tag (including Priority account). For more information, see [User tags](user-tags-about.md). When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. |
security | Submissions Admin Review User Reported Messages | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin-review-user-reported-messages.md | To customize the notification email, see the next section. 3. Find the **Email notifications** section and configure one or more of the following settings: - **Results email** section: Select **Customize results email**. In the **Customize admin review email notifications** flyout that opens, configure the following settings on the **Phishing**, **Junk** and **No threats found** tabs:- - **Email body results text**: Enter the custom text to use. You can use different text for **Phishing**, **Junk** and **No threats found**. - - **Email footer text**: Enter the custom message footer text to use. The same text is used for **Phishing**, **Junk** and **No threats found**. + - **Email body results text**: Enter the custom text to use. You can use different text for **Phishing**, **Junk** and **No threats found**. + - **Email footer text**: Enter the custom message footer text to use. The same text is used for **Phishing**, **Junk** and **No threats found**. When you're finished in the **Customize admin review email notifications** flyout, select **Confirm** to return to the **User reported settings** page. |
security | Submissions Admin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md | After a few moments, the allow entry is available on the **URL** tab on the **Te > - When the URL is encountered again during mail flow, [Safe Links](safe-links-about.md) detonation or URL reputation checks and all other URL-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered. > - During selection, all URL-based filters, including [Safe Links](safe-links-about.md) detonation or URL reputation checks are overridden, allowing user access to content at the URL. -### Report Teams messages to Microsoft +### Report Teams messages to Microsoft in Defender for Office 365 Plan 2 -You can't submit Teams messages from the **Teams messages** tab on the **Submissions** page. The only way to submit a Teams message to Microsoft for analysis is to submit a user reported Teams message from the **User reported** tab as described in the [Submit user reported messages to Microsoft for analysis](#submit-user-reported-messages-to-microsoft-for-analysis) section later in this article. +> [!TIP] +> [Submission of Teams message to Microsoft](submissions-teams.md) is currently in Preview, isn't available in all organizations, and is subject to change. ++In Microsoft 365 organizations that have Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), You can't submit Teams messages from the **Teams messages** tab on the **Submissions** page. The only way to submit a Teams message to Microsoft for analysis is to submit a user reported Teams message from the **User reported** tab as described in the [Submit user reported messages to Microsoft for analysis](#submit-user-reported-messages-to-microsoft-for-analysis) section later in this article. The entries on the **Teams messages** tab are the result of submitting user reported Teams message to Microsoft. For more information, see the [View converted admin submissions](#view-converted-admin-submissions) section later in this article. When you're finished on the **Filter** flyout, select **Apply**. To clear the fi Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of entries to a CSV file. -### View Teams admin submissions to Microsoft +#### View email admin submission details ++If you select an entry on the **Emails** tab of the **Submissions** page by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. ++At the top of the details flyout, the following message information is available: ++- The title of the flyout is the message Subject value. +- Any user tags that are assigned to the recipients of the message (including the Priority account tag). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md) +- In Defender for Office 365, the actions that are available at the top of the flyout are described in the [Actions for admin submissions in Defender for Office 365](#actions-for-admin-submissions-in-defender-for-office-365) section. ++> [!TIP] +> To see details about other submissions without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. ++The next sections in the details flyout are related to email message submissions: ++- **Result details** section: + - **Result**: Contains the **Result** value for the submission. For example: + - **Should not have been blocked** + - **Allowed due to user overrides** + - **Allowed due to a rule** + - **Recommended steps for email submissions**: Contains links to related actions. For example: + - **View Exchange mail flow rules (transport rules)** + - **View this message in Explorer** (Threat Explorer or Real-time detections in Defender for Office 365 only) + - **Search for similar messages in Explorer** (Threat Explorer or Real-time detections in Defender for Office 365 only) ++- **Submission details** section: + - **Date submitted** + - **Submission name** + - **Submission type**: The value is **Email**. + - **Reason for submitting** + - **Submission ID** + - **Submitted by** + - **Submission status** ++- **Allow details** section: Available only for email submissions where the **Result** value is **Allowed due to user overrides** or **Allowed to a rule**: Contains the **Name** (email address) and **Type** (**Sender**) values. ++The rest of the details flyout contains the **Delivery details**, **Email details**, **URLs**, and **Attachments** sections that are part of the _Email summary panel_. For more information, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel). ++When you're finished in the details flyout, select **Close**. ++### View Teams admin submissions to Microsoft in Defender for Office 365 Plan 2 ++> [!TIP] +> [Submission of Teams message to Microsoft](submissions-teams.md) is currently in Preview, isn't available in all organizations, and is subject to change. In the Microsoft Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>. When you're finished on the **Filter** flyout, select **Apply**. To clear the fi Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of entries to a CSV file. +#### View Teams admin submission details ++If you select an entry on the **Teams messages** tab of the **Submissions** page by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. ++At the top of the details flyout, the following message information is available: ++- The title of the flyout is the subject or the first 100 characters of the Teams message. +- The current message verdict. +- The number of links in the message. +- :::image type="icon" source="../../media/m365-cc-sc-view-alert-icon.png" border="false"::: **View alert**. An alert is triggered when an admin submission is created or updated. Selecting this action takes you to the details of the alert. ++> [!TIP] +> To see details about other submissions without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. ++The next sections in the details flyout are related to Teams submissions: ++- **Submission results** section: + - **Result**: Contains the **Result** value for the submission. For example: + - **Should have been blocked** + - **We did not receive the submission, please fix the problem and resubmit** + - **Recommended steps for email submissions**: Contains links to related actions. For example: + - **View Exchange mail flow rules (transport rules)** ++- **Submission details** section: + - **Date submitted** + - **Submission name** + - **Submission type**: The value is **Teams** + - **Reason for submitting** + - **Submission ID** + - **Submitted by** + - **Submission status** ++The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams mMessage entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md). ++When you're finished in the details flyout, select **Close**. + ### View email attachment admin submissions to Microsoft In the Microsoft Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>. When you're finished on the **Filter** flyout, select **Apply**. To clear the fi Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of entries to a CSV file. +#### View email attachment admin submission details ++If you select an entry on the **Email attachments** tab of the **Submissions** page by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. ++At the top of the details flyout, the following message information is available: ++- The title of the flyout is the filename of the attachment. +- The **Status** and **Result** values of the submission. +- :::image type="icon" source="../../media/m365-cc-sc-view-alert-icon.png" border="false"::: **View alert**. In Defender for Office 365, an alert is triggered when an admin submission is created or updated. Selecting this action takes you to the details of the alert. ++> [!TIP] +> To see details about other submissions without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. ++The next sections in the details flyout are related to email attachment submissions: ++- **Result details** section: + - **Result**: Contains the **Result** value for the submission. For example: + - **Should have been blocked** + - **Should not have been blocked** + - **Recommended steps for email submissions**: Contains links to related actions. For example: + - **Block URL/file in Tenant Allow/Block List** ++- **Submission details** section: + - **Date submitted** + - **Submission name** + - **Submission type**: The value is **File**. + - **Reason for submitting** + - **Submission ID** + - **Submitted by** + - **Submission status** ++When you're finished in the details flyout, select **Close**. + ### View URL admin submissions to Microsoft In the Microsoft Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>. When you're finished on the **Filter** flyout, select **Apply**. To clear the fi Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of entries to a CSV file. -### Admin submission result details +#### View URL admin submission details -Email messages, Teams messages, email attachments, and URLs that admins submit to Microsoft for analysis are available on the corresponding tabs on the **Submissions** page. +If you select an entry on the **URLs** tab of the **Submissions** page by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. -When you select an entry on the tab by clicking anywhere in the row other than the check box next to the first column, complete information about the original reported item, the status of the reported item, and the analysis results of the reported item are shown in the details flyout that opens: +At the top of the details flyout, the following message information is available: ++- The title of the flyout is the domain of the URL. +- The **Status** and **Result** values of the submission. +- :::image type="icon" source="../../media/m365-cc-sc-view-alert-icon.png" border="false"::: **View alert**. In Defender for Office 365, an alert is triggered when an admin submission is created or updated. Selecting this action takes you to the details of the alert. ++> [!TIP] +> To see details about other submissions without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. ++The remaining sections in the details flyout are related to URL submissions: ++- **Result details** section: + - **Result**: Contains the **Result** value for the submission. For example: + - **Should have been blocked** + - **Should not have been blocked** + - **Recommended steps for email submissions**: Contains links to related actions. For example: + - **Block URL/file in Tenant Allow/Block List** ++- **Submission details** section: + - **Date submitted** + - **URL** + - **Submission type**: The value is **URL**. + - **Reason for submitting** + - **Submission ID** + - **Submitted by** + - **Submission status** ++- **Allows details** or **Block details** sections: Available only for URL submissions where the URL was blocked or allowed: Contains the **Name** (URL domain) and **Type** (**URL**) values. ++When you're finished in the details flyout, select **Close**. ++### Results from Microsoft ++The analysis results of the reported item are shown in the details flyout that opens when you select an entry on the **Emails**, **Teams messages**, **Email attachments**, or **URLs** tab of the **Submissions** page: - If there was a failure in the sender's email authentication at the time of delivery. - Information about any policies or overrides that could have affected or overridden the message verdict from filtering system. When you select an entry on the tab by clicking anywhere in the row other than t If an override or policy configuration was found, the result should be available in several minutes. If there wasn't a problem in email authentication or delivery wasn't affected by an override or policy, the detonation and feedback from graders could take up to a day. -### Actions for admin submissions in Defender for Office 365 Plan 2 +### Actions for admin submissions in Defender for Office 365 -In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), the following actions are available for admin submissions in the details flyout that opens after you select an entry from the list by clicking anywhere in the row other than the check box: +In organizations with Microsoft Defender for Office 365 (add-on licenses or included in subscriptions like Microsoft 365 E5 or Microsoft 365 Business Premium), the following actions are available for admin submissions in the details flyout that opens after you select an entry from the list by clicking anywhere in the row other than the check box: -- :::image type="icon" source="../../medi#how-to-read-the-email-entity-page).+- :::image type="icon" source="../../medi#whats-on-the-email-entity-page). -- :::image type="icon" source="../../medi#actions-you-can-take-on-the-email-entity-page).+- :::image type="icon" source="../../medi#actions-on-the-email-entity-page). - :::image type="icon" source="../../media/m365-cc-sc-view-alert-icon.png" border="false"::: **View alert**. An alert is triggered when an admin submission is created or updated. Selecting this action takes you to the details of the alert. In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses ## Admin options for user reported messages -Admins can see what users are reporting on the **User reported** tab on the **Submissions** page if the following statements are true: +For email messages, admins can see what users are reporting on the **User reported** tab on the **Submissions** page if the following statements are true: - The [user reported settings](submissions-user-reported-messages-custom-mailbox.md) are turned on. - **Email messages**: You're using supported methods for users to report messages: Admins can see what users are reporting on the **User reported** tab on the **Su - User reported messages that are sent to Microsoft only or to Microsoft and the [reporting mailbox](submissions-user-reported-messages-custom-mailbox.md) appear on the **User reported** tab. Although these messages have already been reported to Microsoft, admins can resubmit the reported messages. - User reported messages that are sent only to the reporting mailbox appear on the **User reported** tab with the **Result** value **Not Submitted to Microsoft**. Admins should report these messages to Microsoft for analysis. +In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), admins can also see [user reported messages in Microsoft Teams in Defender for Office 365 Plan 2](submissions-teams.md) (currently in Preview). ++In organizations with Defender for Office 365 Plan 2 (add-For [user reported messages in Microsoft Teams in Defender for Office 365 Plan 2](submissions-teams.md) (currently in Preview) + In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>. On the **Submissions** page, select the **User reported** tab. To filter the entries, select :::image type="icon" source="../../media/m365-cc-s - **Reported from**: The values **Microsoft** and **Third party**. - **Phish simulation**: The values **Yes** and **No**. - **Converted to admin submission**: The values **Yes** and **No**.-- **Message type**: The values **Email** and **Teams**.-- **Tags**: **All** or select [user tags](user-tags-about.md) from the dropdown list.+- **Message type**: The available values are: + - **Email** + - **Teams message** (Defender for Office 365 Plan 2 only; currently in Preview). +- **Tags**: **All** or select one or more user tags (including Priority account) that are assigned to users. For more information about user tags, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). When you're finished on the **Filter** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**. Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" borde For more information about the actions that are available for messages on the **User reported** tab, see the next subsection. +### View user reported email message details ++If you select an email-related entry on the **User reported** tab of the **Submissions** page by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. ++At the top of the details flyout, the following message information is available: ++- The title of the flyout is the message Subject value. +- Any user tags that are assigned to the recipients of the message (including the Priority account tag). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md) +- The actions that are available at the top of the flyout are described in the [Admin actions for user reported messages](#admin-actions-for-user-reported-messages) section. ++> [!TIP] +> To see details about other submissions without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. ++The next sections in the details flyout are related to user reported submissions: ++- **Result details** section: + - **Result**: Contains the **Result** value for the submission. For example: + - **Should not have been blocked** + - **Allowed due to user overrides** + - **Allowed due to a rule** + - **Recommended steps for email submissions**: Contains links to related actions. For example: + - **View Exchange mail flow rules (transport rules)** + - **View this message in Explorer** (Threat Explorer or Real-time detections in Defender for Office 365 only) + - **Search for similar messages in Explorer** (Threat Explorer or Real-time detections in Defender for Office 365 only) ++- **Reported message details** section: + - **Date submitted** + - **Submission name** + - **Reported reason**. + - **Message reported ID** + - **Reported by** + - **Phish simulation**: The value is **Yes** or **No**. + - **Converted to admin submission**: The value is **Yes** or **No**. For more information, see [View converted admin submissions](#view-converted-admin-submissions). ++The rest of the details flyout contains the **Delivery details**, **Email details**, **URLs**, and **Attachments** sections that are part of the _Email summary panel_. For more information, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel). ++> [!TIP] +> If the **Result** value is **Phish simulation**, the details flyout might contain the following information only: +> +> - **Result details** section +> - **Reported message details** section +> - **Email details** section with the following values: +> - **Network Message ID** +> - **Sender** +> - **Sent date** ++When you're finished in the details flyout, select **Close**. ++### View user reported Teams message details in Defender for Office 365 Plan 2 ++> [!TIP] +> [User reporting of messages in Microsoft Teams](submissions-teams.md#how-users-report-messages-in-teams) is currently in Preview, isn't available in all organizations, and is subject to change. ++In Microsoft 365 organizations that have Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), user reported Teams messages are available on the **User reported** tab of the **Submissions** page. It's easy to find them if you filter the results by the **Message type** value **Teams message**. ++If you select a Teams message entry on the **User reported** tab by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. ++At the top of the details flyout, the following message information is available: ++- The title of the flyout is the subject or the first 100 characters of the Teams message. +- The current message verdict. +- The number of links in the message. +- The available actions are described in the [Admin actions for user reported messages](#admin-actions-for-user-reported-messages) section. ++> [!TIP] +> To see details about other submissions without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. ++The next sections in the details flyout are related to user reported Teams submissions: ++- **Submission results** section: + - **Result**: Contains the **Result** value for the submission. For example: + - **Should not have been blocked** + - **Not submitted to Microsoft** + - **Recommended steps for email submissions**: Contains links to related actions. For example: + - **View Exchange mail flow rules (transport rules)** ++- **Reported message details** section: + - **Date reported** + - **Submission name** + - **Reported reason**. + - **Message reported ID** + - **Reported by** + - **Phish simulation**: The value is **Yes** or **No**. + - **Converted to admin submission**: The value is **Yes** or **No**. For more information, see [View converted admin submissions](#view-converted-admin-submissions). ++The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams mMessage entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md). ++> [!TIP] +> If the **Result** value is **Phish simulation**, the details flyout might contain the following information only: +> +> - **Result details** section +> - **Reported message details** section +> - **Email details** section with the following values: +> - **Network Message ID** +> - **Sender** +> - **Sent date** ++When you're finished in the details flyout, select **Close**. + ### Admin actions for user reported messages On the **User reported** tab, actions for user reported messages are available on the tab itself or in the details flyout of a selected entry: On the **User reported** tab, actions for user reported messages are available o - :::image type="icon" source="../../media/m365-cc-sc-submit-user-reported-message-icon.png" border="false"::: **[Submit to Microsoft for analysis](#submit-user-reported-messages-to-microsoft-for-analysis)** - :::image type="icon" source="../../media/m365-cc-scc-mark-and-notify-icon.png" border="false"::: **[Mark as and notify](#notify-users-about-admin-submitted-messages-to-microsoft)** - :::image type="icon" source="../../media/m365-cc-sc-view-submission-icon.png" border="false"::: **[View the converted admin submission](#view-converted-admin-submissions)**- - [Actions in Microsoft Defender for Office 365 Plan 2 only](#actions-for-user-reported-messages-in-defender-for-office-365-plan-2): + - [Actions in Microsoft Defender for Office 365 only](#actions-for-user-reported-messages-in-defender-for-office-365): - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** - :::image type="icon" source="../../media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take actions** - :::image type="icon" source="../../media/m365-cc-sc-view-alert-icon.png" border="false"::: **View alert** +[Actions for user reported messages in Defender for Office](#actions-for-user-reported-messages-in-defender-for-office-365) + > [!TIP] > To see details or take action on other user reported messages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. If you select one of these messages by clicking anywhere in the row other than t This action takes you to the corresponding admin submission entry on the appropriate tab (for example, the **Emails** tab). -#### Actions for user reported messages in Defender for Office 365 Plan 2 +#### Actions for user reported messages in Defender for Office 365 -In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), the following actions might also be available in the details flyout of a user reported message on the **User reported** tab: +In organizations with Microsoft Defender for Office 365 (add-on licenses or included in subscriptions like Microsoft 365 E5 or Microsoft 365 Business Premium), the following actions might also be available in the details flyout of a user reported message on the **User reported** tab: -- :::image type="icon" source="../../medi#how-to-read-the-email-entity-page).+- :::image type="icon" source="../../medi#whats-on-the-email-entity-page). -- :::image type="icon" source="../../medi#actions-you-can-take-on-the-email-entity-page).+- :::image type="icon" source="../../medi#actions-on-the-email-entity-page). - :::image type="icon" source="../../media/m365-cc-sc-view-alert-icon.png" border="false"::: **View alert**. An alert is triggered when an admin submission is created or updated. Selecting this action takes you to the details of the alert. |
security | Submissions Report Messages Files To Microsoft | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft.md | User reported messages are also available to admins in the following locations i - [Automated investigation and response (AIR) results](air-view-investigation-results.md) (Defender for Office 365 Plan 2) - [Threat Explorer](threat-explorer-real-time-detections-about.md) (Defender for Office 365 Plan 2) -In Defender for Office 365 Plan 2, admins can also submit messages from the [Email entity page](mdo-email-entity-page.md#actions-you-can-take-on-the-email-entity-page) and from [Alerts](../defender/investigate-alerts.md) in the Defender portal. +In Defender for Office 365, admins can also submit messages from the [Email entity page](mdo-email-entity-page.md#actions-on-the-email-entity-page) and from [Alerts](../defender/investigate-alerts.md) in the Defender portal. Admins can use the sample submission portal at <https://www.microsoft.com/wdsi/filesubmission> to submit other suspected files to Microsoft for analysis. For more information, see [Submit files for analysis](../defender/submission-guide.md). |
security | Teams Message Entity Panel | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/teams-message-entity-panel.md | -description: Describes the Teams Message Entity Panel for Microsoft Teams in Microsoft Defender for Office 365, how it does post-breach work like ZAP and Safe Links and gives admins a single pane of glass on Teams chat and channel threats like suspicious URLs. +description: Describes the Teams message entity panel for Microsoft Teams in Microsoft Defender for Office 365 Plan 2, how it does post-breach work like ZAP and Safe Links and gives admins a single pane of glass on Teams chat and channel threats like suspicious URLs.. Last updated 11/16/2023 appliesto: appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> -# The Teams Message Entity Panel for Microsoft Teams in Microsoft Defender for Office 365 +# The Teams message entity panel in Microsoft Defender for Office 365 Plan 2 [!include[Prerelease information](../../includes/prerelease.md)] -The Teams Message Entity Panel in Microsoft Defender for Office 365 puts all Microsoft Teams data about suspicious or malicious chats and channels on a *single, actionable panel*. +Similar to the [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel) for email messages, Microsoft 365 organizations that have Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5) have the _Microsoft Teams message entity panel_ in the Microsoft Defender portal. The Teams message entity panel is a details flyout includes all Microsoft Teams data about suspicious or malicious chats, channels, and group chats on a single, actionable panel. -The Teams Message Entity Panel is the single source of Teams message metadata for Security Operations team (SecOps) review. In other words, you can see and review threats coming from the following locations in one place: +This article explains the information and actions on the Teams message entity panel. -- Chats-- Group chats-- Channels+## Permissions and licensing for the Teams message entity panel -## Use the Teams Message Entity Panel in Microsoft Defender for Office 365 +To use the Email entity page, you need to be assigned permissions. You have the following options: -The Teams Message Entity Panel is available for customers with Microsoft 365 E5 and Microsoft Defender for Office 365 Plan 2 subscriptions across all experiences, including: --- Quarantined Teams messages.-- Admin submission of Teams messages.-- User reported Teams messages.--To access the Teams Message Entity Panel, you need to be assigned permissions. You have the following options: --- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Global Administrator**, **Security Administrator**, or **Quarantine Administrator** role group.+- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Global Administrator**, **Security Administrator**, or **Quarantine Administrator** role groups. - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:- - Membership in the **Global Administrator** or **Security Administrator** roles. + - _Full access_: Membership in the **Global Administrator** or **Security Administrator** roles. - _Read-only access_: Membership in the **Global Reader** or **Security Reader** roles. -To open the Teams Message Entity Panel, do any of the following steps. --### From quarantine --1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>. --2. On the **Teams messages** tab, select the Teams message by clicking anywhere in the row other than the check box. +## Where to find the Teams message entity panel -3. The details flyout that opens is the Teams Message Entity Panel. +There are no direct links to the Teams message entity panel from the top levels of the Defender portal. Instead, the Teams message entity panel is available in the following locations: -### From admin submissions +- From the **Quarantine** page at <https://security.microsoft.com/quarantine>: Select the **Teams message** tab \> select an entry by clicking anywhere in the row other than the check box. The details flyout that opens is the Teams message entity panel. -1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Submissions** page, use <https://security.microsoft.com/reportsubmission?viewid=teams>. +- From the **Submissions** page at <https://security.microsoft.com/reportsubmission>: + - Select the **Teams messages** tab \> select an entry by clicking anywhere in the row other than the check box. + - Select the **User reported** tab \> select a Teams entry by clicking anywhere in the row other than the check box. You can filter the entries by selecting :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** \> **Message type** \> **Teams**. The details flyout that opens is the Teams message entity panel. -2. On the **Teams messages** tab, select the Teams message by clicking anywhere in the row other than the check box. +## What's on the Teams message entity panel -3. The details flyout that opens is the Teams Message Entity Panel. +The following information is available at the top of the Teams message entity panel: -### From user reported messages +- The title of the flyout is the subject or the first 100 characters of the Teams message. +- The current message verdict. +- The number of links in the message. +- The actions that are available at the top of the flyout depend on where you opened the Teams message entity panel. -1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions** \> **User reported** tab. Or, to go directly to the **User reported** tab on the **Submissions** page, use <https://security.microsoft.com/reportsubmission?viewid=user>. +> [!TIP] +> To see details about other Teams messages without leaving the Email summary panel of the current message, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. -2. On the **Teams messages** tab, select the Teams message by clicking anywhere in the row other than the check box. You can filter the messages by selecting :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** \> **Message type** \> **Teams**. +The next sections in the Teams message entity panel depend on where you opened it: -3. The details flyout that opens is the Teams Message Entity Panel. +- [Quarantined Teams messages](quarantine-admin-manage-messages-files.md#view-quarantined-teams-message-details) +- [View Teams admin submission details](submissions-admin.md#view-teams-admin-submission-details) +- [View user reported Teams message details in Defender for Office 365 Plan 2](submissions-admin.md#view-user-reported-teams-message-details-in-defender-for-office-365-plan-2) -## Teams Message Entity Panel walkthrough +The rest of the Teams message entity panel contains the following information, regardless of where you opened it: -The panel is designed for easy use. --Selecting a Teams message across any Microsoft Defender for Office 365 experience opens the Teams Message Entity Panel. The following sections are available: --- **Flyout header**:- - The message subject or the first 100 characters of the body of the message. - - The current message verdict. - - The number of URLs present in the message. -- **Message details**:+- **Message details** section: - **Threats** - **Message location** - **Sender address** - **Time received** - **Detection tech**- - **Teams message ID**: You can use this value as an identifier of a Teams message in Microsoft Defender for Office 365. -- **Sender**:+ - **Teams message ID**: You can use this value as an identifier of a Teams message in Defender for Office 365. ++- **Sender** section: - The sender's name and email address - **Domain** - **External**: The value **Yes** indicates the message was sent between an internal user and an external user.-- **Participants**: Available for messages in chats- - **Conversation type** - - **Chat name** - - **Name and email**: Contains the name and email addresses of all of the participants (including the sender). If there are more than 10 participants, it also links to a secondary panel that lists all the participants in the chat at the time of the suspected threat. -- **Channel details**: Available for messages in channels- - **Conversation type** - - **Conversation name**: Contains the name of the channel. - - **Name and email**: Contains the name and address of the channel. -- **URLs**:++- One of the following sections, depending on whether the message if from a chat or a channel: + - Chat: The **Participants** section: + - **Conversation type** + - **Chat name** + - **Name and email**: Contains the name and email addresses of all of the participants (including the sender). If there are more than 10 participants, it also links to a secondary panel that lists all the participants in the chat at the time of the suspected threat. + - Channel: The **Channel details** section: + - **Conversation type** + - **Conversation name**: Contains the name of the channel. + - **Name and email**: Contains the name and address of the channel. ++- **URLs** section: - **Name and type** Contains the URL from the Teams message. - **Threat** - If there are more than 10 URLs, it also links to a secondary panel that lists all the URLs in the chat and their associated threats. ---In addition to the previous sections, you also see specific sections based on where you open the Teams Message Entity Panel: --### Quarantine --The quarantine actions are available at the top of the panel. For more information on different quarantine actions, see [Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages). --- **Quarantine details**: For more information, see [View quarantined message details in Microsoft Teams](quarantine-admin-manage-messages-files.md#view-quarantined-message-details-in-microsoft-teams).- - **Expires**: The date/time when the message will be automatically and permanently deleted from quarantine. - - **Time received** - - **Quarantine reason**: The reason the message is in quarantine. - - **Release status**: Indicates if the message has been released to all participants that received the message. - - **Policy type**: This value is **None**. - - **Policy name**: This value is **Teams protection policy**. - - **Quarantine policy**: The name of quarantine policy that was applied to the message. --### Admin submissions --For more information, see [View Teams admin submissions to Microsoft](submissions-admin.md#view-teams-admin-submissions-to-microsoft). --- **Submission results**:- - **Result** - - **Recommended steps for email submissions** --- **Submission details**- - **Date submitted** - - **Submission name** - - **Submission type**: The value is **Teams** - - **Reason for submitting** - - **Submission ID** - - **Submitted by** - - **Submission status** --### User reported messages --The actions are available at the top of the panel. For more information, see [Actions for user reported messages in Defender for Office 365 Plan 2](submissions-admin.md#actions-for-user-reported-messages-in-defender-for-office-365-plan-2). --For more information, see [View user reported messages to Microsoft](submissions-admin.md#view-user-reported-messages-to-microsoft). --- **Submission results**:- - **Result** - - **Recommended steps for email submissions** + If the message has more than 10 URLs, select **View all URLs** to see all of them. -- **Reported message details**- - **Date reported** - - **Submission name** - - **Reported reason** - - **Message reported ID** - - **Reported by** - - **Phish simulation** - - **Converted to admin submission** ## For more information |
security | Threat Explorer Email Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-email-security.md | Use the following steps to review phishing messages and search for impersonated You can sort the entries and show more columns as described in [Email view for the details area of the Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections). - If you select the **Subject** or **Recipient** value of an entry in the table, a details flyout opens. For more information, see [Subject details from the Email view of the details area in the Phish view](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-phish-view) and [Recipient details from the Email view of the details area in the Phish view](threat-explorer-real-time-detections-about.md#recipient-details-from-the-email-view-of-the-details-area-in-the-phish-view). + - If you select the **Subject** value of an entry in the table, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains standardized summary information that's also available on the [Email entity page](mdo-email-entity-page.md) for the message. -<! ### Email timeline + For details about the information in the Email summary panel, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel). -The **Email timeline** is a new Explorer feature that improves the hunting experience for admins. It cuts the time spent checking different locations to try to understand the event. When multiple events happen at or close to the same time an email arrives, those events are displayed in a timeline view. Some events that happen to your email post-delivery are captured in the **Special action** column. Admins can combine information from the timeline with the special action taken on the mail post-delivery to get insight into how their policies work, where the mail was finally routed, and, in some cases, what the final assessment was. + For information about the available actions at the top of the Email summary panel for Threat Explorer and Real-time detections, see [Email details from the Email view of the details area in the All email view](threat-explorer-real-time-detections-about.md#email-details-from-the-email-view-of-the-details-area-in-the-all-email-view) (the same actions are also available from the **Phish** view). -For more information, see [Investigate and remediate malicious email that was delivered in Office 365](threat-explorer-investigate-delivered-malicious-email.md). --> + - If you select the **Recipient** value of an entry in the table, a different details flyout opens. For more information, see [Recipient details from the Email view of the details area in the Phish view](threat-explorer-real-time-detections-about.md#recipient-details-from-the-email-view-of-the-details-area-in-the-phish-view). ## Export URL click data |
security | Threat Explorer Investigate Delivered Malicious Email | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email.md | For example, Use the **Delivery Action**, **Original delivery location**, and ** Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to selectively export up to 200,000 filtered or unfiltered results to a CSV file. -<! ### View the timeline of your email --**Email Timeline** is a field in Threat Explorer that makes hunting easier for your security operations team. When multiple events happen at or close to the same time on an email, those events show up in a timeline view. Some events that happen post-delivery to email are captured in the **Special actions** column. Combining information from the timeline of an email message with any special actions that were taken post-delivery gives admins insight into policies and threat handling (such as where the mail was routed, and, in some cases, what the final assessment was). > - ## Remediate malicious email that was delivered After you identify the malicious email messages that were delivered, you can remove them from recipient mailboxes. For instructions, see [Remediate malicious email delivered in Microsoft 365](remediate-malicious-email-delivered-office-365.md). |
security | Threat Explorer Real Time Detections About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about.md | To use Explorer or Real-time detections, you need to be assigned permissions. Yo - _Read-only access_: Membership in the **Security Reader** role group. - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365: - _Full access_: Membership in the **Global Administrator** or **Security Administrator** roles.- - _Search for Exchange mail flow rules (transport rules) by name in Threat Explorer_: Membership in the **Security Admin** or **Security Reader** roles. + - _Search for Exchange mail flow rules (transport rules) by name in Threat Explorer_: Membership in the **Security Administrator** or **Security Reader** roles. - _Read-only access_: Membership in the **Global Reader** or **Security Reader** roles. In the **Subject** value for the entry, the :::image type="icon" source="../../m When you click on the **Subject** or **Recipient** values in an entry, details flyouts open. These flyouts are described in the following subsections. -##### Subject details from the Email view of the details area in the All email view +##### Email details from the Email view of the details area in the All email view -When you select an entry by clicking on the **Subject** value, a details flyout opens with the following information: +When you select the **Subject** value of an entry in the table, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains standardized summary information that's also available on the [Email entity page](mdo-email-entity-page.md) for the message. -> [!TIP] -> To see details about other message subjects without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. --- The number of attachments or links in the message.-- Any [user tags](user-tags-about.md) that are assigned to the recipients of the message.-- The following actions are available:- - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** - - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View header** - - :::image type="icon" source="../../medi#remediate-using-take-action). - - :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options**: - - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Email preview**¹ - - :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download email**¹ -- > [!TIP] - > **Download email** isn't available for messages that were quarantined. Instead, [download a password protected copy of the message from quarantine](quarantine-admin-manage-messages-files.md#download-email-from-quarantine). -- - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View in Explorer** - - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Go hunt** --¹ The **Email preview** and **Download email** actions require the **Preview** role in [Email & collaboration permissions](mdo-portal-permissions.md). By default, this role is assigned to the **Data Investigator** and **eDiscovery Manager** role groups. Members of only the **Organization Management** or **Security Administrators** role groups can't open these actions. You can add the members of the groups to the **Data Investigator** and **eDiscovery Manager** role groups, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the same roles as **Organization Management** or **Security Administrator**, and then add the **Search and Purge** role to the custom role group. --- The following sections are available:- - **Delivery details** section: - - **Original threats** - - **Latest threats** - - **Original location** - - **Latest delivery location** - - **Delivery action** - - **Detection technologies** - - **Primary override : Source** - - **Email details** section: - - **Sender display name** - - **Sender address** - - **Sender email from address** - - **Sent on behalf of** - - **Return path** - - **Sender IP** - - **Location** - - **Recipient(s)** - - **Time received** - - **Directionality** - - **Network message ID** - - **Internet message ID** - - **Campaign ID** - - **DMARC** - - **DKIM** - - **SPF** - - **Composite authentication** - - **URLs** section: Details about any URLs in the message: - - **URL** - - **Threat** status -- If the message has more than three URLs, select **View all URLs** to see all of them. -- - **Attachments** section: Details about any file attachments in the message: - - **Attachment name** - - **Threat** - - **Detection tech / Malware family** -- If the message has more than three attachments, select **View all attachments** to see all of them. -+For details about the information in the Email summary panel, see [The Email summary panel in Defender](mdo-email-entity-page.md#the-email-summary-panel). ++The following actions are available at the top of the Email summary panel for Threat Explorer and Real-time detections: ++- :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** +- :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View header** +- :::image type="icon" source="../../medi#remediate-using-take-action). +- :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options**: + - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Email preview**¹ ² + - :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download email**¹ ² ³ + - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View in Explorer** + - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Go hunt**⁴ ++¹ The **Email preview** and **Download email** actions require the **Preview** role in [Email & collaboration permissions](mdo-portal-permissions.md). By default, this role is assigned to the **Data Investigator** and **eDiscovery Manager** role groups. By default, members of the **Organization Management** or **Security Administrators** role groups can't do these actions. To allow these actions for the members of those groups, you have the following options: ++- Add the users to the **Data Investigator** or **eDiscovery Manager** role groups. +- [Create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group. ++² You can preview or download email messages that are available in Microsoft 365 mailboxes. Examples of when messages are no longer available in mailboxes include: ++- The message was dropped before delivery or delivery failed. +- The message was _soft deleted_ (deleted from the Deleted items folder, which moves the message to the Recoverable Items\Deletions folder). +- ZAP moved the message to quarantine. ++³ **Download email** isn't available for messages that were quarantined. Instead, [download a password protected copy of the message from quarantine](quarantine-admin-manage-messages-files.md#download-email-from-quarantine). ++⁴ **Go hunt** is available only in Threat Explorer. It isn't available in Real-time detections. ##### Recipient details from the Email view of the details area in the All email view When you select an entry by clicking on the **Recipient** value, a details flyou > [!TIP] > Members of the **Security Administrators** role group in [Email & collaboration permissions](mdo-portal-permissions.md) can't expand the **Recent activity** section. You need to be a member of a role group in [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) that has the **Audit Logs**, **Information Protection Analyst**, or **Information Protection Investigator** roles assigned. By default, those roles are assigned to the **Records Management**, **Compliance Management**, **Information Protection**, **Information Protection Analysts**, **Information Protection Investigators**, and **Organization Management** role groups. You can add the members of **Security Administrators** to those role groups, or you can [create a new role group](/exchange/recipients-in-exchange-online/manage-permissions-for-recipients#use-the-eac-to-assign-permissions-to-individual-mailboxes) with with the **Audit Logs** role assigned. #### URL clicks view for the details area of the All email view in Threat Explorer When you select one or more entries from the list by selecting the check box nex When you click on the **Subject** or **Recipient** values in an entry, details flyouts open. These flyouts are described in the following subsections. -##### Subject details from the Email view of the details area in the Malware view +##### Email details from the Email view of the details area in the Malware view -When you select an entry by clicking on the **Subject** value, a details flyout opens. The information in the flyout is the same as described in [Subject details from the Email view of the details area in the All email view](#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view). +When you select the **Subject** value of an entry in the table, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains standardized summary information that's also available on the [Email entity page](mdo-email-entity-page.md) for the message. -> [!TIP] -> The :::image type="icon" source="../../media/m365-cc-sc-go-hunt-icon.png" border="false"::: **Go hunt** action is available only in Threat Explorer. It isn't available in Real-time detections. +For details about the information in the Email summary panel, see [The Email summary panels](mdo-email-entity-page.md#the-email-summary-panel). ++The available actions at the top of the Email summary panel for Threat Explorer and Real-time detections are described in the [Email details from the Email view of the details area in the All email view](#email-details-from-the-email-view-of-the-details-area-in-the-all-email-view). ##### Recipient details from the Email view of the details area in the Malware view When you select one or more entries from the list by selecting the check box nex When you click on the **Subject** or **Recipient** values in an entry, details flyouts open. These flyouts are described in the following subsections. -##### Subject details from the Email view of the details area in the Phish view +##### Email details from the Email view of the details area in the Phish view -When you select an entry by clicking on the **Subject** value, a details flyout opens. The information in the flyout is the same as described in [Subject details from the Email view of the details area in the All email view](#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view). +When you select the **Subject** value of an entry in the table, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains standardized summary information that's also available on the [Email entity page](mdo-email-entity-page.md) for the message. -> [!TIP] -> The :::image type="icon" source="../../media/m365-cc-sc-go-hunt-icon.png" border="false"::: **Go hunt** action is available only in Threat Explorer. It isn't available in Real-time detections. +For details about the information in the Email summary panel, see [The Email summary panel in Defender for Office 365 features](mdo-email-entity-page.md#the-email-summary-panel). ++The available actions at the top of the Email summary panel for Threat Explorer and Real-time detections are described in the [Email details from the Email view of the details area in the All email view](#email-details-from-the-email-view-of-the-details-area-in-the-all-email-view). ##### Recipient details from the Email view of the details area in the Phish view When you open the query by selecting **Explore** from the **Threat tracker** pag ## More information -- [Threat Explorer collect email details on the email entity page](mdo-email-entity-page.md)+- [Threat Explorer collect email details on the Email entity page](mdo-email-entity-page.md) - [Find and investigate malicious email that was delivered](threat-explorer-investigate-delivered-malicious-email.md) - [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md) - [Threat protection status report](reports-email-security.md#threat-protection-status-report) |
security | Threat Explorer Threat Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-threat-hunting.md | In the **All email**, **Malware**, or **Phish** views in Threat Explorer or Real When you see a suspicious email message, click on the **Subject** value of an entry in the table. The details flyout that opens contains :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** at the top of the flyout. The Email entity page pulls together everything you need to know about the message and its contents so you can determine whether the message is a threat. For more information, see [Email entity page overview](mdo-email-entity-page.md). These actions are available in the **All email**, **Malware**, or **Phish** view - Click on the **Subject** value of an entry in the table. The details flyout that opens contains :::image type="icon" source="../../media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** at the top of the flyout. For more information, see [Remediate using Take action](#remediate-using-take-action). - :::image type="content" source="../../media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png" alt-text="Screenshot of the actions available in the details flyout after you select a Subject value in the Email tab of the details area in the All email view." lightbox="../../media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png"::: + :::image type="content" source="../../media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png" alt-text="Screenshot of the actions available in the email details flyout after you select a Subject value in the Email tab of the details area in the All email view." lightbox="../../media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png"::: #### Remediate using Message actions Selecting an action from the **Start new submission** category in Real-time dete After you click on the **Subject** value of an entry in the details table of the **Email** tab (view), selecting :::image type="icon" source="../../media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** at the top of the flyout opens the **Take action** wizard in a new flyout. The available actions in the **Take action** wizard in Threat Explorer and Real-time detections are listed in the following table: In those views, **Alert ID** is available as a selectable column in the details - [The **Email** view for the details area of the **Malware** view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-malware-view-in-threat-explorer-and-real-time-detections) - [The **Email** view for the details area of the **Phish** view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections) -In the [details flyout that opens when you click on a **Subject** value from one of the entries](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view), the **Alert ID** link is available in the **Email details** section of the flyout. Selecting the **Alert ID** link opens the **View alerts** page at <https://security.microsoft.com/viewalertsv2> with the alert selected and the details flyout open for the alert. +In the [email details flyout that opens when you click on a **Subject** value from one of the entries](threat-explorer-real-time-detections-about.md#email-details-from-the-email-view-of-the-details-area-in-the-all-email-view), the **Alert ID** link is available in the **Email details** section of the flyout. Selecting the **Alert ID** link opens the **View alerts** page at <https://security.microsoft.com/viewalertsv2> with the alert selected and the details flyout open for the alert. ### Tags in Threat Explorer User tags are available in the following locations in Threat Explorer: - **All email** view: - [As a filterable property](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-all-email-view-in-threat-explorer). - [An available column in the **Email** tab (view) of the details area](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer).- - [The **Subject** details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view) + - [The email details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#email-details-from-the-email-view-of-the-details-area-in-the-all-email-view) - **Malware** view: - [As a filterable property](threat-explorer-real-time-detections-about.md#malware-view-in-threat-explorer-and-real-time-detections). - [An available column in the **Email** tab (view) of the details area in the **Malware** view](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-malware-view-in-threat-explorer-and-real-time-detections).- - [[The **Subject** details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view) + - [[The email details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#email-details-from-the-email-view-of-the-details-area-in-the-all-email-view) - **Phish** view: - [As a filterable property](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections). - [An available column in the **Email** tab (view) of the details](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections).- - [[The **Subject** details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view) + - [The email details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#email-details-from-the-email-view-of-the-details-area-in-the-all-email-view) - **URL clicks** view: - [As a filterable property](threat-explorer-real-time-detections-about.md#url-clicks-view-in-threat-explorer). - [An available column in the **Results** tab (view) of the details area in the **URL clicks** view](threat-explorer-real-time-detections-about.md#results-view-for-the-details-area-of-the-url-clicks-view-in-threat-explorer). -<! ### Updated Timeline View --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/tags-urls.png" alt-text="Screenshot of the URL tags." lightbox="../../media/tags-urls.png"::: -> -Learn more by watching [this video](https://www.youtube.com/watch?v=UoVzN0lYbfY&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=4). > - ### Threat information for email messages Pre-delivery and post-delivery actions on email messages are consolidated into a single record, regardless of the different post-delivery events that affected the message. For example: Pre-delivery and post-delivery actions on email messages are consolidated into a - Manual remediation (admin action). - [Dynamic Delivery](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies). -[The **Subject** details flyout from the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view) in the **All email**, **Malware**, or **Phish** views shows the associated threats and the corresponding detection technologies that are associated with the email message. A message can have zero, one, or multiple threats. +[The email details flyout from the **Email** tab (view)](threat-explorer-real-time-detections-about.md#email-details-from-the-email-view-of-the-details-area-in-the-all-email-view) in the **All email**, **Malware**, or **Phish** views shows the associated threats and the corresponding detection technologies that are associated with the email message. A message can have zero, one, or multiple threats. - In the **Delivery details** section, the **Detection technology** property shows the detection technology that identified the threat. **Detection technology** is also available as a chart pivot or a column in the details table for many views in Threat Explorer and Real-time detections. Pre-delivery and post-delivery actions on email messages are consolidated into a > [!TIP] > Verdict analysis might not necessarily be tied to entities. The filters evaluate content and other details of an email message before assigning a verdict. For example, an email message might be classified as phishing or spam, but no URLs in the message are stamped with a phishing or spam verdict. --<!-- ### Updated timeline view (upcoming) --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/Email_Timeline.png" alt-text="Screenshot of the updated Timeline View." lightbox="../../media/Email_Timeline.png"::: --Timeline view identifies all delivery and post-delivery events. It includes information about the threat identified at that point of time for a subset of these events. Timeline view also provides information about any additional action taken (such as ZAP or manual remediation), along with the result of that action. Timeline view information includes: +Select :::image type="icon" source="../../medi). -- **Source:** Source of the event. It can be admin/system/user.-- **Event:** Includes top-level events like original delivery, manual remediation, ZAP, submissions, and Dynamic Delivery.-- **Action:** The specific action that was taken either as part of ZAP or admin action (for example, soft delete).-- **Threats:** Covers the threats (malware, phish, spam) identified at that point of time.-- **Result/Details:** More information about the result of the action, such as whether it was performed as part of ZAP/admin action. > ## Extended capabilities in Threat Explorer In addition to the scenarios outlined in this article, you have more options in - [Threat protection status report](reports-email-security.md#threat-protection-status-report) - [Automated investigation and response in Microsoft Defender XDR](../defender/m365d-autoir.md) - [Trigger an investigation from Threat Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).-- [Investigate emails with the Email Entity Page](mdo-email-entity-page.md) |
security | Trial User Guide Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365.md | Defender for Office 365 enables you to investigate activities that put people in - [Find suspicious email that was delivered](threat-explorer-investigate-delivered-malicious-email.md#find-suspicious-email-that-was-delivered): Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation. - [Email security scenarios in Threat Explorer and Real-time detections](threat-explorer-threat-hunting.md#email-security-scenarios-in-threat-explorer-and-real-time-detections) -<!-- - #### See campaigns targeting your organization See the bigger picture with Campaign Views in Defender for Office 365, which gives you a view of the attack campaigns targeting your organization and the impact they have on your users. Defender for Office 365 enables you to investigate activities that put people in - [Find suspicious email that was delivered](threat-explorer-investigate-delivered-malicious-email.md#find-suspicious-email-that-was-delivered): Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation. - [Email security scenarios in Threat Explorer and Real-time detections](threat-explorer-threat-hunting.md#email-security-scenarios-in-threat-explorer-and-real-time-detections) -<!-- - #### Convert to Standard Protection at the end of evaluation period When you're ready to turn on Defender for Office 365 policies in production, you can use [Convert to Standard Protection](try-microsoft-defender-for-office-365.md#convert-to-standard-protection) to easily move from audit mode to blocking mode by turning on the [Standard preset security policy](preset-security-policies.md#profiles-in-preset-security-policies), which contains any/all recipients from audit mode. |
security | Try Microsoft Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md | No special reports are created for **blocking mode**, so use the standard report In **audit mode**, you're looking for reports that show detections by the evaluation policies as described in the following list: -- The [Email entity page](mdo-email-entity-page.md) (part of [Threat Explorer](threat-explorer-real-time-detections-about.md)) shows the following banner in message detection details on the **Analysis** tab for **Bad attachment**, **spam url + malware**, **Phish url**, and **impersonation** messages that were detected by the Defender for Office 365 evaluation:+- The [Email entity page](mdo-email-entity-page.md) shows the following banner in message detection details on the **Analysis** tab for **Bad attachment**, **spam url + malware**, **Phish url**, and **impersonation** messages that were detected by the Defender for Office 365 evaluation: :::image type="content" source="../../media/evalv2-detection-banner.png" alt-text="Notification banner in message details that the Defender for Office 365 evaluation detected a malicious email message." lightbox="../../media/evalv2-detection-banner.png"::: |
security | Zero Hour Auto Purge | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md | Currently, ZAP isn't available in private channels. To configure exceptions for ZAP protection for Teams channels, you need the recipient email address. This address is different than the channel email address in the Teams client. -To get the recipient email address to use for exceptions for Teams channel protection, use the **Name and email** value from the **Channel details** section of the Teams Message Entity Panel. For more information, see [The Teams Message Entity Panel in Microsoft Defender for Office 365](teams-message-entity-panel.md). +To get the recipient email address to use for exceptions for Teams channel protection, use the **Name and email** value from the **Channel details** section of the Teams message entity panel. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365](teams-message-entity-panel.md). :::image type="content" source="../../media/teams-message-entity-panel-channel-address.png" alt-text="The correct Teams channel email address from the Teams message entity panel." lightbox="../../media/teams-message-entity-panel-channel-address.png"::: |
solutions | Allow Direct Connect With All Organizations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/allow-direct-connect-with-all-organizations.md | Title: Enable shared channels with all external organizations--++ Last updated 12/08/2023 audience: ITPro |
solutions | Allow Members To Send As Or Send On Behalf Of Group | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/allow-members-to-send-as-or-send-on-behalf-of-group.md | Title: "Allow members to send as or send on behalf of a group" Last updated 07/18/2023 f1.keywords: NOCSH--++ audience: Admin |
solutions | Best Practices Anonymous Sharing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/best-practices-anonymous-sharing.md | Title: Best practices for unauthenticated sharing--++ Last updated 01/03/2024 audience: ITPro |
solutions | Choose Domain To Create Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/choose-domain-to-create-groups.md | Title: "Choose the domain to use when creating Microsoft 365 groups" Last updated 02/18/2020 f1.keywords: NOCSH--++ audience: Admin |
solutions | Collaborate As Team | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-as-team.md | Title: Collaborate with guests in a team (IT Admins)--++ Last updated 07/18/2023 audience: ITPro |
solutions | Collaborate Guests Cross Cloud | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-guests-cross-cloud.md | Title: Collaborate with guests from other Microsoft 365 cloud environments--++ Last updated 09/29/2023 audience: ITPro |
solutions | Collaborate In Site | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-in-site.md | Title: Collaborate with guests in a site (IT Admins)--++ Last updated 07/19/2023 audience: ITPro |
solutions | Collaborate On Documents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-on-documents.md | Title: Collaborate with guests on a document (IT Admins)--++ Last updated 07/18/2023 audience: ITPro |
solutions | Collaborate Teams Direct Connect | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-teams-direct-connect.md | Title: Collaborate with external participants in a shared channel (IT Admins)--++ Last updated 07/18/2023 audience: ITPro |
solutions | Collaborate With People Outside Your Organization | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-with-people-outside-your-organization.md | Title: "Collaborating with people outside your organization"--++ Last updated 11/06/2023 audience: ITPro |
solutions | Collaboration Governance First | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaboration-governance-first.md | Title: Create your collaboration governance plan Last updated 07/27/2023--++ audience: Admin |
solutions | Collaboration Governance Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaboration-governance-overview.md | Title: A collaboration governance framework for Microsoft 365 Last updated 07/27/2023--++ audience: Admin |
solutions | Configure Teams Baseline Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-baseline-protection.md | Title: "Configure teams with baseline protection" f1.keywords: NOCSH--++ Last updated 12/04/2023 audience: ITPro |
solutions | Configure Teams Highly Sensitive Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-highly-sensitive-protection.md | Title: Configure teams with protection for highly sensitive data f1.keywords: NOCSH--++ Last updated 12/08/2023 audience: ITPro |
solutions | Configure Teams Sensitive Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-sensitive-protection.md | Title: Configure teams with protection for sensitive data f1.keywords: NOCSH--++ Last updated 12/08/2023 audience: ITPro |
solutions | Configure Teams Three Tiers Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-three-tiers-protection.md | Title: Configure Teams with three tiers of file sharing security f1.keywords: NOCSH--++ Last updated 12/04/2023 audience: ITPro |
solutions | Create Secure Guest Sharing Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/create-secure-guest-sharing-environment.md | Title: Create a more secure guest sharing environment--++ Last updated 01/02/2024 audience: ITPro |
solutions | End Life Cycle Groups Teams Sites Viva Engage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/end-life-cycle-groups-teams-sites-viva-engage.md | Title: "End of lifecycle options for groups, teams, and Viva Engage" Last updated 08/12/2020--++ audience: Admin |
solutions | Groups Naming Policy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-naming-policy.md | Title: Microsoft 365 Groups and Microsoft Teams naming policy Last updated 02/18/2020 f1.keywords: NOCSH--++ audience: Admin |
solutions | Groups Sharepoint Governance | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-sharepoint-governance.md | Title: SharePoint and Microsoft 365 Groups integration (IT Admins) Last updated 07/27/2023--++ audience: Admin |
solutions | Groups Sharepoint Teams Governance | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-sharepoint-teams-governance.md | Title: Microsoft Teams, SharePoint, and Microsoft 365 Groups integration (IT Admins) Last updated 07/28/2023--++ audience: Admin |
solutions | Groups Teams Access Governance | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-access-governance.md | Title: "Governing access in Microsoft 365 groups, Teams, and SharePoint" Last updated 07/28/2023--++ audience: Admin |
solutions | Limit Invitations From Specific Organization | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/limit-invitations-from-specific-organization.md | Title: Limit who can be invited by an organization--++ Last updated 12/11/2023 audience: ITPro |
solutions | Limit Organizations Where Users Have Guest Accounts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/limit-organizations-where-users-have-guest-accounts.md | Title: "Limit organizations where users can have guest accounts"--++ Last updated 12/11/2023 audience: ITPro |
solutions | Limit Who Can Invite Guests | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/limit-who-can-invite-guests.md | Title: "Limit who can invite guests"--++ Last updated 12/11/2023 audience: ITPro |
solutions | Manage Creation Of Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-creation-of-groups.md | Title: Manage who can create Microsoft 365 Groups f1.keywords: NOCSH-+ Last updated 11/22/2023-+ audience: Admin |
solutions | Microsoft 365 Groups Expiration Policy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/microsoft-365-groups-expiration-policy.md | Title: "Microsoft 365 group expiration policy" Last updated 08/12/2020 f1.keywords: NOCSH--++ audience: Admin |
solutions | Microsoft 365 Guest Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/microsoft-365-guest-settings.md | Title: "Microsoft 365 guest sharing settings reference"--++ Last updated 11/08/2023 audience: ITPro |
solutions | Microsoft 365 Limit Sharing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/microsoft-365-limit-sharing.md | Title: "Limit sharing in Microsoft 365"--++ Last updated 12/15/2023 audience: ITPro |
solutions | Per Group Guest Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/per-group-guest-access.md | Title: "Prevent guests from being added to a specific group" Last updated 12/02/2023--++ audience: Admin |
solutions | Plan External Collaboration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/plan-external-collaboration.md | Title: Plan external collaboration with channel conversations, file collaboration, and shared apps--++ Last updated 12/13/2023 |
solutions | Plan Organization Lifecycle Governance | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/plan-organization-lifecycle-governance.md | Title: Plan organization and lifecycle governance for Microsoft 365 groups and Microsoft Teams Last updated 07/28/2023--++ audience: Admin |
solutions | Setup Secure Collaboration With Teams | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/setup-secure-collaboration-with-teams.md | Title: Set up secure file and document sharing and collaboration with Teams in Microsoft 365--++ Last updated 12/04/2023 ms.audience: ITPro |
solutions | Share Limit Accidental Exposure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/share-limit-accidental-exposure.md | Title: Limit accidental exposure to files when sharing with people outside your organization--++ Last updated 12/11/2023 audience: ITPro |
solutions | Trust Conditional Access From Other Organizations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/trust-conditional-access-from-other-organizations.md | Title: Require conditional access for people outside your organization--++ Last updated 12/08/2023 audience: ITPro |
solutions | Trusted Vendor Onboarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/trusted-vendor-onboarding.md | Title: Onboard trusted vendors to collaborate in Microsoft 365--++ Last updated 08/14/2023 audience: ITPro |
syntex | Adoption Scenarios | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/adoption-scenarios.md | |
syntex | Content Assembly Create Document | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-assembly-create-document.md | |
syntex | Content Processing Create Rules | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-processing-create-rules.md | |
syntex | Create A Content Center | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/create-a-content-center.md | |