Updates from: 04/15/2023 01:48:26
Category Microsoft Docs article Related commit history on GitHub Change details
business-premium Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/index.md
You are your organization's first and best defense against hackers and cyberatta
| What to do | How to do it | |:|:|
-| **Fortify your environment** <br/> (Tasks your admin completes.) | [**1. Sign in and set up your environment**](m365bp-setup-overview.md). Complete the basic setup process for Microsoft 365 for your business or campaign. Add users, assign licenses, and configure your domain to work with Microsoft 365.<br/><br/>[**2. Boost your security protection**](m365bp-security-overview.md). Set up critical front-line security measures to prevent cyberattacks. Set up multi-factor authentication (MFA), protect your admin accounts, and protect against malware and other threats. |
+| **Fortify your environment** <br/> (Tasks your admin completes.) | [**1. Sign in and set up your environment**](m365bp-setup-overview.md). Complete the basic setup process for Microsoft 365 for your business or campaign. Add users, assign licenses, and configure your domain to work with Microsoft 365.<br/><br/>[**2. Boost your security protection**](m365bp-security-overview.md). Set up critical front-line security measures to prevent cyberattacks. Set up multi-factor authentication (MFA), protect your admin accounts, and protect against malware and other threats. Plan for your unmanaged and managed devices. |
| **Train your team**.<br/>(Tasks everyone does.) | [**3. Set up unmanaged (BYOD) devices**](m365bp-protect-pcs-macs.md). Set up all the unmanaged ("bring your own device," also referred to as BYOD) devices so they're safely part of the ecosystem.<br/><br/>[**4. Use email securely**](m365bp-protect-email-overview.md). Know what to watch for in your email, and take the necessary steps to protect yourself from attacks.<br/><br/>[**5. Collaborate and share securely**](m365bp-collaborate-share-securely.md). Share files with others and collaborate more securely with Microsoft Teams, SharePoint, and OneDrive. | | **Safeguard managed devices**. <br/>(Tasks your admin or security team does.) | [**6. Set up and secure managed devices**](m365bp-protect-devices.md). Enroll and secure company devices so they monitored and protected from threats. |
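Review bot: The sentence added at the end of step 2, "Plan for your unmanaged and managed devices.", carries no link, although this same update adds m365bp-managed-unmanaged-devices.md for exactly that topic; link the sentence to that article so readers can act on it. While this table is open, the unchanged step 6 text "so they monitored and protected from threats" is missing "are".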
business-premium M365bp Avoid Phishing And Attacks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-avoid-phishing-and-attacks.md
description: "Protect against phishing and other attacks with Microsoft 365 Busi
In addition to the protection Microsoft 365 Business Premium offers against attacks, there are other measures all members must take to defend the organization. Make sure everyone understands the following concepts: - **Spam or junk mail**. There are many reasons you might receive junk e-mail and not all junk mail is the same. However, you can reduce what gets through to you, and thus reduce the risks of attacks, by filtering out junk mail.- - **Phishing**. A phishing scam is an email that seems legitimate but is an attempt to get your personal information or steal your money.- - **Spoofing**. Scammers can also use a technique called spoofing to make it appear as if you've received an email from yourself. - - **Malware** is malicious software that can be installed on your computer, usually installed after you've clicked a link or opened a document from an email. There are various types of malware (for example, ransomware, when your computer is taken over), but you don't want to have any of them. > [!TIP]
For more information, see [reporting junk and phishing emails](https://support.o
### Avoid phishing - Never reply to an email that asks you to send personal or account information.-- If you receive an email that looks suspicious or asks you for this type of information, never click links that supposedly take you to a company website.
+- If you receive an email that looks suspicious or asks you for this type of information, never click links that supposedly take you to a company website
- Never open any file attached to a suspicious-looking email. - If the email appears to come from a company, contact the company's customer service via phone or web browser to see if the email is legitimate. - Search the web for the email subject line followed by the word hoax to see if anyone else has reported this scam.
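Review bot: The replacement bullet under "Avoid phishing" drops its closing period ("...take you to a company website"), while the other bullets in the list still end with one. Restore the period so the list stays consistent.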
business-premium M365bp Collaborate Share Securely https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-collaborate-share-securely.md
audience: Admin
Previously updated : 01/18/2023 Last updated : 04/14/2023 ms.localizationpriority: medium - M365-Campaigns
description: "An overview on how to collaborate and share files and communicate
:::image type="content" source="media/mission5.png" alt-text="Diagram with Collaborate And Share Securely highlighted.":::
-Now that you're protected by the Microsoft 365 Apps, your next mission is to set up secure file sharing and communication. The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it. Your organization depends on protecting your data and information, which means that you want to protect your files by all means possible.
+The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it. Your organization depends on protecting your data and information, which means that you want to protect your files by all means possible. Your next mission is to set up secure file sharing and communication.
Your objectives are to:
business-premium M365bp Devices Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-devices-overview.md
Title: "Set Up unmanaged devices overview"
+ Title: "Set up unmanaged devices overview"
f1.keywords: - NOCSH
audience: Admin
Previously updated : 01/18/2023 Last updated : 04/14/2023 ms.localizationpriority: medium - M365-Campaigns
description: "An overview of how to set up all the bring-your-own devices (BYOD)
:::image type="content" source="media/mission3.png" alt-text="Diagram with Set Up Unmanaged Devices highlighted.":::
-Every device is a possible attack avenue into your network and must be monitored and managed properly, even those devices that are personally owned but used for work. In this critical mission, train everyone to protect their bring-your-own devices (BYODs). Unmanaged devices can pose a risk to your organization. It's important to help everyone get their devices protected as soon as possible.
+Every device, whether [managed or unmanaged](m365bp-managed-unmanaged-devices.md), is a possible attack avenue into your network. Fortunately, there are steps that everyone can take to protect their devices. In this critical mission, train everyone to protect unmanaged devices (also referred to as bring-your-own devices, or BYODs). It's important to help everyone get their devices protected as soon as possible.
+
+> [!NOTE]
+> This article applies primarily to unmanaged (or BYOD) devices. Guidance for protecting managed devices is available here: [Set up and secure managed devices](m365bp-protect-devices.md).
+>
+> [Learn more about managed and unmanaged devices](m365bp-managed-unmanaged-devices.md).
Your objectives are to:
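Review bot: The new intro links m365bp-managed-unmanaged-devices.md in its first sentence and again in the last line of the added NOTE, so the same target appears twice within a few lines; keep one of them. The rewrite also drops "Unmanaged devices can pose a risk to your organization", which was the stated reason for the urgency in the closing sentence; consider keeping that rationale.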
business-premium M365bp Increase Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-increase-protection.md
If your users are allowed to share their calendars, see [these instructions](htt
Proceed to: -- [Set up unmanaged (BYOD) devices](m365bp-devices-overview.md)
+- [Secure managed and unmanaged devices](m365bp-managed-unmanaged-devices.md)
- [Protect all email](m365bp-protect-email-overview.md) - [Collaborate and share securely](m365bp-collaborate-share-securely.md)-- [Set up and secure managed devices](m365bp-protect-devices.md)
business-premium M365bp Install Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-install-office-apps.md
description: "How to install Office on all devices in Microsoft 365 Business Pre
# Install Microsoft 365 apps on all devices Okay, you've set up Microsoft 365 Business Premium, and now you can require users to install individual Microsoft 365 apps on their Mac, PC, or mobile devices. This is something your users should do to be part of the front lines and help protect the org against attack.
-
+
+> [!NOTE]
+> This article applies primarily to unmanaged (or BYOD) devices. Microsoft 365 admins can manage Microsoft 365 installation options instead. To learn more, see the following articles:
+> - [Managed and unmanaged devices](m365bp-managed-unmanaged-devices.md).
+> - [Manage Microsoft 365 installation options in the Microsoft 365 admin center](/DeployOffice/manage-software-download-settings-office-365).
++ ## Watch: Install Microsoft 365 apps > [!VIDEO https://www.microsoft.com/videoplayer/embed/acce002c-0756-4b64-ac5d-2198ee96a9b1?autoplay=false]
business-premium M365bp Managed Unmanaged Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-managed-unmanaged-devices.md
+
+ Title: Secure managed and unmanaged devices
+description: Identify personal, unmanaged devices and company-owned devices, and learn how to secure them.
+++ Last updated : 04/14/2023+++
+ms.localizationpriority: medium
+
+- M365-Campaigns
+- m365solution-smb
+- highpri
+- m365-security
+- tier1
+
+search.appverid: MET150
+f1.keywords: NOCSH
+audience: Admin
++
+# Secure managed and unmanaged devices
+
+An important part of your security strategy is protecting the devices your employees use to access company data. Such devices include computers, tablets, and phones. Your organization's IT or security team, along with device users, can take steps to protect data and managed or unmanaged devices.
+
+- *Managed devices* are typically company-owned devices that are usually set up and configured by your company's IT or security team.
+- *Unmanaged devices*, also referred to as bring-your-own devices, or *BYOD*, tend to be personally owned devices that employees set up and use. Unmanaged devices can be onboarded and protected just like managed devices. Or, if you prefer, users can take steps to protect their BYOD devices themselves.
+
+## [**Managed devices**](#tab/Managed)
+
+To protect managed devices, your organization's IT or security team can:
+
+- **Use Windows Autopilot to get a user's Windows device ready for first use**. With Autopilot you can install business critical apps, apply policies, and enable features like BitLocker before the device is given to a user. You can also use Autopilot to reset reset, repurpose, and recover Windows devices. To learn more, see [Windows Autopilot](/mem/autopilot/windows-autopilot).
+- **Upgrade Windows devices from previous versions of Windows to Windows 10 Pro or Windows 11 Pro**. Before onboarding, Windows client devices should be running Windows 10 Pro or Enterprise, or Windows 11 Pro or Enterprise. If your organization has Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you to upgrade those devices at no additional cost. To learn more, see [Upgrade Windows devices to Windows 10 or 11 Pro](m365bp-upgrade-windows-10-pro.md).
+- **Onboard devices and protect them with [mobile threat defense](../security/defender-business/mdb-mtd.md) capabilities**. Microsoft Defender for Business is included with Microsoft 365 Business Premium. It includes advanced protection from ransomware, malware, phishing, and other threats. If you prefer to use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) instead, you can use Intune to enroll and manage devices. To learn more, see [Onboard devices to Microsoft Defender for Business](m365bp-onboard-devices-mdb.md).
+- **View and monitor device health in the Microsoft 365 Defender portal** ([https://security.microsoft.com](https://security.microsoft.com)). You can view details, such as health state and exposure level for all onboarded devices. You can also take actions, such as running an antivirus scan or starting an automated investigation on a device that has detected threats or vulnerabilities. To learn more, see [Monitor onboarded devices](m365bp-device-states.md) and [Review detected threats](m365bp-review-threats-take-action.md).
+
+For their part in protecting managed devices, users can:
+
+- **Use the Microsoft Authenticator app to sign in**. The Microsoft Authenticator app works with all accounts that use multi-factor authentication (MFA). To learn more, see [Download and install the Microsoft Authenticator app](https://support.microsoft.com/en-us/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a).
+- **Join their devices to your organization's network**. Users can follow a process to register their device, set up MFA, and complete the sign-in process using their account. To learn more, see [Join your work device to your work or school network](https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973).
+- **Make sure antivirus/antimalware software is installed and up to date on all devices**. Once devices are onboarded, antivirus, antimalware, and other threat protection capabilities are configured for those devices. Users are prompted to install updates as they come in. To learn more, see See [Keep your PC up to date](https://support.microsoft.com/en-us/windows/keep-your-pc-up-to-date-de79813c-7919-5fed-080f-0871c7bd9bde).
+
+To learn more about protecting managed devices, see [Set up and secure managed devices](m365bp-protect-devices.md).
+
+## [**BYOD**](#tab/BYOD)
+
+To protect unmanaged (BYOD) devices, your organization's IT or security team can:
+
+- **Encourage users to keep their antivirus protection turned on and up to date**. Devices should have the latest technology and features needed to protect against new malware and attack techniques. Microsoft regularly releases security intelligence updates and product updates. To learn more, see [Microsoft Defender Antivirus security intelligence and product updates](../security/defender-endpoint/microsoft-defender-antivirus-updates.md).
+- **Onboard devices and protect them with [mobile threat defense](../security/defender-business/mdb-mtd.md) capabilities**. Or, if you prefer to use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), you can use Intune to enroll and manage devices. To learn more, see [Onboard devices to Microsoft Defender for Business](m365bp-onboard-devices-mdb.md).
+- **View and monitor device health in the Microsoft 365 Defender portal** ([https://security.microsoft.com](https://security.microsoft.com)). You can view details, such as health state and exposure level for onboarded devices. You can also take actions, such as running an antivirus scan or starting an automated investigation on a device that has detected threats or vulnerabilities. To learn more, see [Monitor onboarded devices](m365bp-device-states.md) and [Review detected threats](m365bp-review-threats-take-action.md).
+
+For their part in protecting unmanaged devices, users can:
+
+- **Turn on encryption and firewall protection**. Disk encryption protects data when devices are lost or stolen. Firewall protection helps protect devices from unwanted contact initiated by other computers when you're connected to the Internet or a network. To learn more, see [Protect unmanaged Windows PCs and Macs in Microsoft 365 Business Premium](m365bp-protect-pcs-macs.md).
+- **Make sure antivirus/antimalware software is installed and up to date on all devices**. To learn more, see [Stay protected with Windows Security](https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963).
+- **Keep their devices up to date with operating system and application updates**. To learn more, see [Keep your PC up to date](https://support.microsoft.com/en-us/windows/keep-your-pc-up-to-date-de79813c-7919-5fed-080f-0871c7bd9bde).
+
+To learn more about protecting unmanaged devices, see [Set up unmanaged (BYOD) devices](m365bp-devices-overview.md).
+++
+## Next steps
+
+- [Set up BYOD devices](m365bp-devices-overview.md) or [Set up and secure managed devices](m365bp-protect-devices.md)
+- [Use email securely](m365bp-protect-email-overview.md)
+- [Collaborate and share securely](m365bp-collaborate-share-securely.md)
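Review bot: Two doubled words in the Managed devices tab need fixing: "reset reset, repurpose, and recover" in the Windows Autopilot bullet and "see See [Keep your PC up to date]" in the antivirus bullet. That antivirus bullet also links to the Windows update article, while the matching bullet in the BYOD tab links to "Stay protected with Windows Security"; point both at the antivirus guidance, since the BYOD tab already has a separate bullet for operating system updates. In the BYOD tab, the onboarding bullet starts its explanation with "Or, if you prefer to use Microsoft Intune" without first naming the alternative, because the Defender for Business sentences from the Managed tab were not carried over.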
business-premium M365bp Protect Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-devices.md
audience: Admin
Previously updated : 10/18/2022 Last updated : 04/14/2023 ms.localizationpriority: medium - M365-Campaigns
description: "An overview for how to set up and secure managed devices from secu
**Welcome to your final critical mission**! Here, you'll onboard and implement protection for all the managed devices in your organization. Microsoft Defender for Business capabilities now included in Microsoft 365 Business Premium can help ensure that your organization's devices are protected from ransomware, malware, phishing, and other threats. When you're done completing your objectives, you can rest assured, knowing you've done your part to protect your organization!
+> [!NOTE]
+> This article applies primarily to managed devices. Guidance for protecting unmanaged devices is available here: [Set up unmanaged (BYOD) devices](m365bp-devices-overview.md).
+>
+> [Learn more about managed and unmanaged devices](m365bp-managed-unmanaged-devices.md).
++ Your objectives are to: - [Upgrade Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro to Windows 10 or 11 Pro](m365bp-upgrade-windows-10-pro.md). - [Onboard devices to Defender for Business and apply security policies](m365bp-onboard-devices-mdb.md). - [Use Windows Autopilot to set up and configure new devices, or to reset, repurpose, and recover devices](/mem/autopilot/windows-autopilot).-- [Install Microsoft 365 Apps](../admin/setup/install-applications.md) on any devices that don't already have Microsoft 365 apps
+- [Manage Microsoft 365 installation options for devices](/DeployOffice/manage-software-download-settings-office-365)
Once these objectives have been achieved, your overall mission to protect your organization against cyberattacks and other cybersecurity threats is a success! Now, make sure to set up your response teams to deal with any situation that may arise while defending the integrity of the system. See your next steps!
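Review bot: The added objective "Manage Microsoft 365 installation options for devices" has no closing period, unlike the three objectives before it. The objective it replaces told admins to install Microsoft 365 Apps on devices that don't already have them, and the new one only covers managing installation options, so confirm the install step is still reachable from this page.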
business-premium M365bp Protect Pcs Macs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-pcs-macs.md
audience: Admin
Previously updated : 09/15/2022 Last updated : 04/14/2023 ms.localizationpriority: medium - M365-Campaigns
description: "Protect unmanaged or bring-your-own devices (BYOD) from cyberattac
# Protect unmanaged Windows PCs and Macs in Microsoft 365 Business Premium
-This objective is focused on creating protection for any unmanaged Windows 10 PCs and Macs not enrolled in Microsoft Intune. It is very likely your small business or campaign may have staff who bring their own devices (BYOD), and these devices are not managed. BYOD include personally-owned phones, tablets, and PCs.
+This objective is focused on creating protection for any unmanaged Windows 10 PCs and Macs that are not enrolled in Microsoft Intune or onboarded to Microsoft Defender for Business. It is very likely your small business or campaign may have staff who bring their own devices (BYOD), such as personally owned phones, tablets, and PCs.
> [!NOTE]
-> BYOD users must each install and run the Company Portal app to enroll these devices and receive access to company resources.
+> This article applies primarily to unmanaged (or BYOD) devices. Guidance for protecting managed devices is available here: [Set up and secure managed devices](m365bp-protect-devices.md).
+>
+> [Learn more about managed and unmanaged devices](m365bp-managed-unmanaged-devices.md).
-It's critical that you ensure your frontline users follow these guidelines so that minimum security capabilities are configured on all the BYOD devices.
+It's critical that you ensure users follow these guidelines so that minimum security capabilities are configured on all the BYOD devices.
## [Windows 10 or 11](#tab/Windows10-11)
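Review bot: The removed NOTE stated that BYOD users "must each install and run the Company Portal app to enroll these devices and receive access to company resources", and nothing in the replacement says whether that requirement still applies. If it does, keep the sentence alongside the new note; if it does not, say so in the change description. The rewritten intro also still names only "Windows 10 PCs", while the tab heading below it reads "Windows 10 or 11".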
business-premium M365bp Security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-security-overview.md
Your objectives are to:
- [Turn on MFA](m365bp-conditional-access.md). - [Protect your admin accounts](m365bp-protect-admin-accounts.md). - [Protect against malware and other threats](m365bp-increase-protection.md).-
-Once you've achieved these objectives, proceed to [Set up unmanaged (BYOD) devices](m365bp-devices-overview.md).
+- [Secure managed and unmanaged devices](m365bp-managed-unmanaged-devices.md).
business-premium M365bp Setup Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-setup-overview.md
description: "Start the setup process of Microsoft 365 Business Premium or Micro
Your first critical mission is to complete your initial setup process right away. Let's get you going!
-[:::image type="content" source="medi)
Your objective is to:
business-premium Send Encrypted Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/send-encrypted-email.md
Before individuals send email with confidential or sensitive information, they s
- **Sensitivity labels:** If your organization requires it, you can set up sensitivity labels that you apply to your files and email to keep them compliant with your organization's information protection policies. When you set a label, the label persists with your email, even when it's sent &mdash; for example, by appearing as a header to your message.
-![Diagram of an email with callouts for labels and encryption.](../media/m365-campaign-email-encrypt.png)
+ ![Diagram of an email with callouts for labels and encryption.](../media/m365-campaign-email-encrypt.png)
## Set it up
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
Make sure you're aware of the prerequisites before you configure auto-labeling p
- Simulation mode: - Auditing for Microsoft 365 must be turned on. If you need to turn on auditing or you're not sure whether auditing is already on, see [Turn audit log search on or off](audit-log-enable-disable.md).
- - To view file or email contents in the source view, you must have the **Data Classification Content Viewer** role, which is included in the **Content Explorer Content Viewer** role group, or **Information Protection** and **Information Protection Investigators** role groups. Without the required role, you don't see the preview pane when you select an item from the **Matched Items** tab. Global admins don't have this role by default.
+ - To view file or email contents in the source view, you must have the **Data Classification Content Viewer** role, which is included in the **Content Explorer Content Viewer** role group, or **Information Protection** and **Information Protection Investigators** role groups. Without the required role, you don't see the preview pane when you select an item from the **Items to review** tab. Global admins don't have this role by default.
- To auto-label files in SharePoint and OneDrive: - You have [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md).
Finally, you can use simulation mode to provide an approximation of the time nee
12. For the **Summary** page: Review the configuration of your auto-labeling policy and make any changes that needed, and complete the configuration.
-Now on the **Information protection** > **Auto-labeling** page, you see your auto-labeling policy in the **Simulation** or **Off** section, depending on whether you chose to run it in simulation mode or not. Select your policy to see the details of the configuration and status (for example, **Policy simulation is still running**). For policies in simulation mode, select the **Matched items** tab to see which emails or documents matched the rules that you specified.
+Now on the **Information protection** > **Auto-labeling** page, you see your auto-labeling policy in the **Simulation** or **Off** section, depending on whether you chose to run it in simulation mode or not. Select your policy to see the details of the configuration and status (for example, **Policy simulation is still running**). For policies in simulation mode, select the **Items to review** tab to see which emails or documents matched the rules that you specified.
You can modify your policy directly from this interface: - For a policy in the **Off** section, select the **Edit policy** button. -- For policy in the **Simulation** section, select the **Edit policy** option at the top of the page, from either tab:
+- For policy in the **Simulation** section, select the **Edit policy** option at the top of the page, from either tab.
![Edit auto-labeling policy option.](../media/auto-labeling-edit.png)
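Review bot: In the edited Simulation bullet, "For policy in the **Simulation** section" is missing the article that the parallel bullet has ("For a policy in the **Off** section"); add "a" while the line is being touched. The unchanged step 12 text in this hunk, "make any changes that needed", is missing "are" and could be fixed in the same pass.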
compliance Communication Compliance Alerts Best Practices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-alerts-best-practices.md
f1.keywords:
Previously updated : 02/28/2023 Last updated : 04/14/2023 audience: Admin f1_keywords:
Consider using the Adult images classifier instead of the Racy images classifier
## Filter email blasts
-You can [filter out email messages](communication-compliance-configure.md#step-5-required-create-a-communication-compliance-policy) that are generic and intended for mass communication. For example, filter out spam, newsletters, and so on.
+You can [filter out email messages](communication-compliance-policies.md#filter-email-blasts) that are generic and intended for mass communication. For example, filter out spam, newsletters, and so on. [Learn about the Email blast senders report](communication-compliance-reports-audits.md#detailed-reports)
## Filter out email signatures/disclaimers
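Review bot: The appended link "[Learn about the Email blast senders report](...)" has no closing period and runs straight on from "and so on."; end it with a period or give it its own line so it reads as a separate pointer.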
compliance Communication Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-policies.md
f1.keywords:
Previously updated : 03/20/2023 Last updated : 04/14/2023 audience: Admin f1_keywords:
If you enter multiple conditions, Microsoft 365 uses all the conditions together
If you want to reduce the amount of content to review, you can specify a percentage of all the communications governed by a communication compliance policy. A real-time, random sample of content is selected from the total percentage of content that matches chosen policy conditions. If you want reviewers to review all items, you can configure **100%** in a communication compliance policy.
+### Filter email blasts
+
+Use the **Filter email blasts** setting to exclude messages sent from email blast services. Messages that match the conditions you specify won't generate alerts. This includes bulk email, such as newsletters, as well as spam, phishing, and malware. When this option is selected, you can view a [report](communication-compliance-reports-audits.md#detailed-reports) that lists the bulk email senders that were filtered out.
+
+> [!NOTE]
+> The list of senders is filtered before the content is analyzed so there might be senders that don't match the content conditions. In other words, there might be extra senders in the report.
+ ## Alert policies After you configure a policy, a corresponding alert policy is automatically created and alerts are generated for messages that match conditions defined in the policy. It may take up to 24 hours after creating a policy start to receive alerts from activity indicators. By default, all policy matches alert triggers are assigned a severity level of medium in the associated alert policy. Alerts are generated for a communication compliance policy once the aggregation trigger threshold level is met in the associated alert policy. A single email notification is sent once every 24 hours for any alerts, regardless of the number of individual messages that match policy conditions. For example, Contoso has an inappropriate content policy enabled and for January 1st, there were 100 policy matches that generated six alerts. A single email notification for the six alerts is sent at end of January 1st.
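Review bot: "Messages that match the conditions you specify won't generate alerts" in the new "Filter email blasts" section does not say which conditions are meant, since the setting is otherwise described as a single option; state what the admin actually selects. The next sentence says the filter also covers "spam, phishing, and malware", so those messages will not raise a communication compliance alert; say that explicitly so reviewers do not rely on this policy to surface them.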
compliance Communication Compliance Reports Audits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-reports-audits.md
f1.keywords:
Previously updated : 03/31/2023 Last updated : 04/14/2023 audience: Admin f1_keywords:
Use the *Export* option to create a .csv file containing the report details for
- **Third-party sources**: Sensitive information types detected for activities associated with third-party connectors configured in your organization. To view the breakdown of third-party sources for a specific sensitive information type in the report, hover your mouse over the value for the sensitive information type in the Third-party source column. - **Other**: Sensitive information types used for internal system processing. Selecting or deselecting this source for the report won't affect any values.
+- **Email blast senders**: Review and export the list of senders of email blast messages that were filtered out from your communication compliance policies to reduce "noise." [**Filter email blasts** is a communication compliance policy setting](communication-compliance-policies.md#filter-email-blasts). The Email blast senders report includes the following fields:
+
+ - Policy name
+ - Policy last modified date
+ - Sender
+ - Number of mails filtered
+ ### Message details report Create custom reports and review details for messages contained in specific policies on the **Policies** tab. These reports can be used for all-up reviews of messages and for creating a report snapshot for the status of messages for a customizable time period. After creating a report, you can view and download the details report as a .csv file on the **Message details reports** tab.
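Review bot: The field name "Number of mails filtered" in the new Email blast senders bullet uses "mails", while the surrounding text says "email" or "messages"; match the label shown in the product or use consistent wording. The bullet is also appended directly after "Third-party sources" and "Other", which are sources for sensitive information types, so check that it sits in the list of reports rather than in that list of sources.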
security Configure Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md
ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium Previously updated : 01/01/2023 Last updated : 04/14/2023
To configure and validate exclusions, see the following:
> > Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+> [!NOTE]
+> Exclusions directly impact the ability for Microsoft Defender Antivirus to block, remediate or inspect events related to the files, folders or processes that are added to the exclusion list. This means that features which are directly dependent on the AV engine such as protection against malware, file IOCs and certificate IOCs will not be effective. Furthermore, the **Network Protection** and **Attack Surface Reduction (ASR) Rules** are also impacted by process exclusions specifically, meaning that a process exclusion on any platform will result in Network Protection or ASR being unable to inspect traffic or enforce rules for that specific process.
+ Keep the following points in mind when you're defining exclusions: - Exclusions are technically a protection gap. Consider all your options when defining exclusions. Other options can be as simple as making sure the excluded location has the appropriate access-control lists (ACLs) or setting policies to audit mode at first.
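Review bot: The added callout describes a real loss of protection (malware blocking, file IOCs and certificate IOCs, plus Network Protection and ASR rules for process exclusions) but is tagged `[!NOTE]` and placed right after the existing callout that already warns that exclusions lower protection. Suggest merging the two or giving the new text the same severity as the existing one so it isn't read as optional background. Wording: "ability for Microsoft Defender Antivirus to" should be "ability of", and "features which are directly dependent on the AV engine such as ..." needs commas around the "such as" list.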
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
description: You can exclude files from scans if they've been opened by a specif
keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
- m365-security - tier2 search.appverid: met150 Previously updated : 04/08/2021 Last updated : 04/14/2023 # Configure exclusions for files opened by processes
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, in
By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) are merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence if there are conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+
+> [!NOTE]
+> **Network Protection** and **Attack Surface Reduction (ASR) Rules** are directly impacted by process exclusions on all platforms, meaning that a process exclusion on any OS (Windows, MacOS, Linux) will result in Network Protection or ASR being unable to inspect traffic or enforce rules for that specific process.
## Configure the list of exclusions for files opened by specified processes
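Review bot: "MacOS" in the added note should be "macOS". The note also restates the process-exclusion sentence added to the general exclusions article in this same update, with different wording ("on any platform" there, "on any OS (Windows, MacOS, Linux)" here); use one wording in both places so the two statements don't drift. The sentence would be clearer if it led with the effect, for example "A process exclusion on any OS prevents Network Protection and ASR rules from inspecting traffic or enforcing rules for that process."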
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Microsoft Defender for Endpoint has the capability of detecting unmanaged and ma
## Web Protection and VPN
-By default, Defender for Endpoint on iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Note that Anti-phishing and custom indicators (URL and IP addresses) are supported as part of Web Protection. Web Content Filtering is currently not supported on mobile platforms.
+By default, Defender for Endpoint on iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Note that Anti-phishing and custom indicators (URL and Domain) are supported as part of Web Protection. IP based custom indicators are currently not supported on iOS. Web Content Filtering is currently not supported on mobile platforms (Android and iOS).
Defender for Endpoint on iOS uses a VPN in order to provide this capability. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device.
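Review bot: In the changed line, "IP based" should be hyphenated ("IP-based") and "URL and Domain" should be lowercase "domain", matching the custom indicators note later in this article ("URLs and domains"). The line now mixes an iOS-only limitation (IP-based indicators) with a limitation scoped to "mobile platforms (Android and iOS)"; putting the Web Content Filtering statement in its own sentence group or a short list would make the scope of each limitation unambiguous.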
This configuration is available for both the enrolled (MDM) devices as well as u
## Configure Network Protection
-Network protection in Microsoft Defender for endpoint is disabled by default. Admins can use the following steps to configure Network Protection. This configurations is available for both enrolled devices through MDM config and unenrolled devices through MAM config.
+Network protection in Microsoft Defender for endpoint is disabled by default. Admins can use the following steps to configure Network Protection. This configuration is available for both enrolled devices through MDM config and unenrolled devices through MAM config.
> [!NOTE] > Only one policy should be created for Network Protection, either MDM or MAM.
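Review bot: The changed line fixes "This configurations is" but still reads "Microsoft Defender for endpoint"; the product name should be "Microsoft Defender for Endpoint". The same paragraph uses both "Network protection" and "Network Protection", so pick one casing while the line is being touched.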
Follow the below steps for setting up MDM configuration for enrolled devices for
1. In targeted app choose **Microsoft Defender for Endpoint**. 1. In the Settings page, choose configuration settings format **Use configuration designer**. 1. Add 'DefenderNetworkProtectionEnable' as the configuration key, value type as 'String' and value as 'true' to enable Network Protection. (Network protection is disabled by default.)
- :::image type="content" source="images/np-mdmconfig-key.png" alt-text="Add mdm configuration policy." lightbox="images/np-mdmconfig-key.png":::
+ :::image type="content" source="images/np-mdmconfig-key.png" alt-text="Screenshot that shows the add mdm configuration policy." lightbox="images/np-mdmconfig-key.png":::
1. For other configurations related to Network protection, add the following keys, choose the corresponding value type and value. | Key | Value Type | Default (true-enable, false-disable) | Description |
Customers can now enable privacy control for the phish report sent by Microsoft
- Users will see a toggle for **Unsafe Site Info**. - This toggle is only visible if Admin has set **DefenderExcludeURLInReport = true**. - If enabled by Admin, Users can decide if they want to send the unsafe site info to their Organization or not.
- - By default its set to `true`, the unsafe site information will be sent.
- - If user toggles it to `false`, the unsafe site details will not be sent.
+ - By default, it's set to `false`. The unsafe site information will not be sent.
+ - If user toggles it to `true`, the unsafe site details will be sent.
Turning the above privacy controls on or off will not impact the device compliance check or conditional access.
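Review bot: The two replaced bullets reverse both the documented default (`true` to `false`) and what each value means, yet "By default, it's set to `false`" doesn't say whether "it" is the user-facing **Unsafe Site Info** toggle or the admin key **DefenderExcludeURLInReport** named in the line above, which is set to `true` for the toggle to appear at all. Name the toggle explicitly, for example "By default, the **Unsafe Site Info** toggle is off and the unsafe site information isn't sent." Because this is a privacy-relevant default, confirm the reversal reflects the shipped behaviour and not only a wording correction. "If user toggles" should be "If the user toggles".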
Follow the steps below to create a compliance policy against jailbroken devices.
Defender for Endpoint on iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](/microsoft-365/security/defender-endpoint/manage-indicators). > [!NOTE]
-> Defender for Endpoint on iOS supports creating custom indicators only for IP addresses and URLs/domains.
+> Defender for Endpoint on iOS supports creating custom indicators only for URLs and domains. IP based custom indicators is not supported on iOS.
>
-> For iOS, no alerts are generated on Microsoft 365 Defender when the URL or IP set in the indicator is accessed.
+> For iOS, no alerts are generated on Microsoft 365 Defender when the URL or domain set in the indicator is accessed.
## Configure vulnerability assessment of apps
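Review bot: "IP based custom indicators is not supported on iOS" in the first added line has a subject-verb mismatch and a missing hyphen; use "IP-based custom indicators aren't supported on iOS". The Web Protection paragraph changed in this same update phrases it as "are currently not supported", so align the two sentences.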
Defender for Endpoint on iOS supports vulnerability assessments of apps only for
:::image type="content" source="images/tvm-app-sync-toggle.png" alt-text="App sync toggleSup" lightbox="images/tvm-app-sync-toggle.png":::
+> [!NOTE]
+> To get the list of all the apps including unmanaged apps, the admin has to enable **Send full application inventory data on personally owned iOS/iPadOS devices** in the Intune Admin Portal for the supervised devices marked as "Personal".
+> For the supervised devices marked as "Corporate" in the Intune Admin Portal, the admin need not enable **Send full application inventory data on personally owned iOS/iPadOS devices**.
+ ### On an Unsupervised Device 1. To enable the feature in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint Security** > **Microsoft Defender for Endpoint** > **Enable App sync for iOS/iPadOS devices**. :::image type="content" source="images/tvm-app-sync-toggle.png" alt-text="App sync toggle" lightbox="images/tvm-app-sync-toggle.png":::
-1. To get the list of all the apps including un-managed apps, Enable the toggle **Send full application inventory data on personally owned iOS/iPad OS Devices**.
+1. To get the list of all the apps including unmanaged apps, enable the toggle **Send full application inventory data on personally owned iOS/iPadOS devices**.
:::image type="content" source="images/tvm-full-app-data.png" alt-text="Full App Data" lightbox="images/tvm-full-app-data.png":::
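Review bot: The image line directly above the added note still carries alt-text "App sync toggleSup" (stray "Sup"), and the alt-texts "App sync toggle" and "Full App Data" don't follow the "Screenshot that shows ..." form this update applies to np-mdmconfig-key.png; fix them in the same pass. In the note itself, the two sentences sit on consecutive `>` lines and will render as one paragraph; a short two-item list (devices marked "Personal": enable the setting; devices marked "Corporate": not required) would be easier to scan.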
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
Admins can create or use quarantine policies with more restrictive or less restr
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Bulk email threshold & spam properties**|||||
-|**Bulk email threshold** <br/><br/> _BulkThreshold_|7|6|5|For details, see [Bulk complaint level (BCL) in EOP](anti-spam-bulk-complaint-level-bcl-about.md).|
+|**Bulk email threshold** <br><br> _BulkThreshold_|7|6|5|For details, see [Bulk complaint level (BCL) in EOP](anti-spam-bulk-complaint-level-bcl-about.md).|
|_MarkAsSpamBulkMail_|`On`|`On`|`On`|This setting is only available in PowerShell.| |**Increase spam score** settings|Off|Off|Off|All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.| |**Mark as spam** settings|Off|Off|Off|Most of these settings are part of ASF. For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.|
-|**Contains specific languages** <br/><br/> _EnableLanguageBlockList_ <br/><br/> _LanguageBlockList_|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.|
-|**From these countries** <br/><br/> _EnableRegionBlockList_ <br/><br/> _RegionBlockList_|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.|
+|**Contains specific languages** <br><br> _EnableLanguageBlockList_ <br><br> _LanguageBlockList_|**Off** <br><br> `$false` <br><br> Blank|**Off** <br><br> `$false` <br><br> Blank|**Off** <br><br> `$false` <br><br> Blank|We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.|
+|**From these countries** <br><br> _EnableRegionBlockList_ <br><br> _RegionBlockList_|**Off** <br><br> `$false` <br><br> Blank|**Off** <br><br> `$false` <br><br> Blank|**Off** <br><br> `$false` <br><br> Blank|We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.|
|**Test mode** (_TestModeAction_)|**None**|**None**|**None**|This setting is part of ASF. For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.| |**Actions**|||||
-|**Spam** detection action <br/><br/> _SpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Spam** <br/><br/> _SpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if spam detections are quarantined.|
-|**High confidence spam** detection action <br/><br/> _HighConfidenceSpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Hight confidence spam** <br/><br/> _HighConfidenceSpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if high confidence spam detections are quarantined.|
-|**Phishing** detection action <br/><br/> _PhishSpamAction_|**Move message to Junk Email folder**<sup>\*</sup> <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|<sup>\*</sup> The default value is **Move message to Junk Email folder** in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is **Quarantine message** in new anti-spam policies that you create in the Microsoft 365 Defender portal.|
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Phishing** <br/><br/> _PhishQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if phishing detections are quarantined.|
-|**High confidence phishing** detection action <br/><br/> _HighConfidencePhishAction_|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.|
-|**Quarantine policy** for **High confidence phishing** <br/><br/> _HighConfidencePhishQuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||
-|**Bulk** detection action <br/><br/> _BulkSpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Bulk** <br/><br/> _BulkQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if bulk detections are quarantined.|
-|**Retain spam in quarantine for this many days** <br/><br/> _QuarantineRetentionPeriod_|15 days|30 days|30 days|This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-about.md).|
-|**Enable spam safety tips** <br/><br/> _InlineSafetyTipsEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|Enable zero-hour auto purge (ZAP) for phishing messages <br/><br/> _PhishZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|Enable ZAP for spam messages <br/><br/> _SpamZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Spam** detection action <br><br> _SpamAction_|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Quarantine message** <br><br> `Quarantine`||
+|**Quarantine policy** for **Spam** <br><br> _SpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if spam detections are quarantined.|
+|**High confidence spam** detection action <br><br> _HighConfidenceSpamAction_|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`||
+|**Quarantine policy** for **Hight confidence spam** <br><br> _HighConfidenceSpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if high confidence spam detections are quarantined.|
+|**Phishing** detection action <br><br> _PhishSpamAction_|**Move message to Junk Email folder**<sup>\*</sup> <br><br> `MoveToJmf`|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`|<sup>\*</sup> The default value is **Move message to Junk Email folder** in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is **Quarantine message** in new anti-spam policies that you create in the Microsoft 365 Defender portal.|
+|**Quarantine policy** for **Phishing** <br><br> _PhishQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if phishing detections are quarantined.|
+|**High confidence phishing** detection action <br><br> _HighConfidencePhishAction_|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`|Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.|
+|**Quarantine policy** for **High confidence phishing** <br><br> _HighConfidencePhishQuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||
+|**Bulk** detection action <br><br> _BulkSpamAction_|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Quarantine message** <br><br> `Quarantine`||
+|**Quarantine policy** for **Bulk** <br><br> _BulkQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if bulk detections are quarantined.|
+|**Retain spam in quarantine for this many days** <br><br> _QuarantineRetentionPeriod_|15 days|30 days|30 days|This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-about.md).|
+|**Enable spam safety tips** <br><br> _InlineSafetyTipsEnabled_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|Enable zero-hour auto purge (ZAP) for phishing messages <br><br> _PhishZapEnabled_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|Enable ZAP for spam messages <br><br> _SpamZapEnabled_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
|**Allow & block list**|||||
-|Allowed senders <br/><br/> _AllowedSenders_|None|None|None||
-|Allowed sender domains <br/><br/> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <br/><br/> Use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list-about.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|
-|Blocked senders <br/><br/> _BlockedSenders_|None|None|None||
-|Blocked sender domains <br/><br/> _BlockedSenderDomains_|None|None|None||
+|Allowed senders <br><br> _AllowedSenders_|None|None|None||
+|Allowed sender domains <br><br> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <br><br> Use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list-about.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|
+|Blocked senders <br><br> _BlockedSenders_|None|None|None||
+|Blocked sender domains <br><br> _BlockedSenderDomains_|None|None|None||
┬╣ As described in [Full access permissions and quarantine notifications](quarantine-policies.md#full-access-permissions-and-quarantine-notifications), your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
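Review bot: The rewritten row for _HighConfidenceSpamQuarantineTag_ still says "**Hight confidence spam**"; correct it to "High confidence spam" while the line is being changed. Besides swapping `<br/>` for `<br>`, the change drops the `&nbsp;&nbsp;&nbsp;` prefix from the Spam, High confidence spam, Phishing and Bulk quarantine policy rows, which removes the indent that tied each quarantine policy row to the action row above it; confirm that is intended (the High confidence phishing row had no indent before either, so the result is at least consistent).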
Admins can create or use quarantine policies with more restrictive or less restr
For more information about Advanced Spam Filter (ASF) settings in anti-spam policies, see [Advanced Spam Filter (ASF) settings in EOP](anti-spam-policies-asf-settings-about.md).
-|Security feature name|Default|Recommended<br/>Standard|Recommended<br/>Strict|Comment|
+|Security feature name|Default|Recommended<br>Standard|Recommended<br>Strict|Comment|
||::|::|::||
-|**Image links to remote sites** <br/><br/> _IncreaseScoreWithImageLinks_|Off|Off|Off||
-|**Numeric IP address in URL** <br/><br/> _IncreaseScoreWithNumericIps_|Off|Off|Off||
-|**URL redirect to other port** <br/><br/> _IncreaseScoreWithRedirectToOtherPort_|Off|Off|Off||
-|**Links to .biz or .info websites** <br/><br/> _IncreaseScoreWithBizOrInfoUrls_|Off|Off|Off||
-|**Empty messages** <br/><br/> _MarkAsSpamEmptyMessages_|Off|Off|Off||
-|**Embed tags in HTML** <br/><br/> _MarkAsSpamEmbedTagsInHtml_|Off|Off|Off||
-|**JavaScript or VBScript in HTML** <br/><br/> _MarkAsSpamJavaScriptInHtml_|Off|Off|Off||
-|**Form tags in HTML** <br/><br/> _MarkAsSpamFormTagsInHtml_|Off|Off|Off||
-|**Frame or iframe tags in HTML** <br/><br/> _MarkAsSpamFramesInHtml_|Off|Off|Off||
-|**Web bugs in HTML** <br/><br/> _MarkAsSpamWebBugsInHtml_|Off|Off|Off||
-|**Object tags in HTML** <br/><br/> _MarkAsSpamObjectTagsInHtml_|Off|Off|Off||
-|**Sensitive words** <br/><br/> _MarkAsSpamSensitiveWordList_|Off|Off|Off||
-|**SPF record: hard fail** <br/><br/> _MarkAsSpamSpfRecordHardFail_|Off|Off|Off||
-|**Sender ID filtering hard fail** <br/><br/> _MarkAsSpamFromAddressAuthFail_|Off|Off|Off||
-|**Backscatter** <br/><br/> _MarkAsSpamNdrBackscatter_|Off|Off|Off||
-|**Test mode** <br/><br/> _TestModeAction_)|None|None|None|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](anti-spam-policies-asf-settings-about.md#enable-disable-or-test-asf-settings).|
+|**Image links to remote sites** <br><br> _IncreaseScoreWithImageLinks_|Off|Off|Off||
+|**Numeric IP address in URL** <br><br> _IncreaseScoreWithNumericIps_|Off|Off|Off||
+|**URL redirect to other port** <br><br> _IncreaseScoreWithRedirectToOtherPort_|Off|Off|Off||
+|**Links to .biz or .info websites** <br><br> _IncreaseScoreWithBizOrInfoUrls_|Off|Off|Off||
+|**Empty messages** <br><br> _MarkAsSpamEmptyMessages_|Off|Off|Off||
+|**Embed tags in HTML** <br><br> _MarkAsSpamEmbedTagsInHtml_|Off|Off|Off||
+|**JavaScript or VBScript in HTML** <br><br> _MarkAsSpamJavaScriptInHtml_|Off|Off|Off||
+|**Form tags in HTML** <br><br> _MarkAsSpamFormTagsInHtml_|Off|Off|Off||
+|**Frame or iframe tags in HTML** <br><br> _MarkAsSpamFramesInHtml_|Off|Off|Off||
+|**Web bugs in HTML** <br><br> _MarkAsSpamWebBugsInHtml_|Off|Off|Off||
+|**Object tags in HTML** <br><br> _MarkAsSpamObjectTagsInHtml_|Off|Off|Off||
+|**Sensitive words** <br><br> _MarkAsSpamSensitiveWordList_|Off|Off|Off||
+|**SPF record: hard fail** <br><br> _MarkAsSpamSpfRecordHardFail_|Off|Off|Off||
+|**Sender ID filtering hard fail** <br><br> _MarkAsSpamFromAddressAuthFail_|Off|Off|Off||
+|**Backscatter** <br><br> _MarkAsSpamNdrBackscatter_|Off|Off|Off||
+|**Test mode** <br><br> _TestModeAction_)|None|None|None|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](anti-spam-policies-asf-settings-about.md#enable-disable-or-test-asf-settings).|
#### EOP outbound spam policy settings
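Review bot: The **Test mode** row keeps the unbalanced parenthesis in "_TestModeAction_)"; drop the ")" since in this table the parameter name follows a `<br><br>` and is not wrapped in parentheses as it is in the anti-spam table's "**Test mode** (_TestModeAction_)" row.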
For more information about the default sending limits in the service, see [Sendi
> [!NOTE] > Outbound spam policies are not part of Standard or Strict preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in the default outbound spam policy or custom outbound spam policies that you create.
-|Security feature name|Default|Recommended<br/>Standard|Recommended<br/>Strict|Comment|
+|Security feature name|Default|Recommended<br>Standard|Recommended<br>Strict|Comment|
||::|::|::||
-|**Set an external message limit** <br/><br/> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.|
-|**Set an internal message limit** <br/><br/> _RecipientLimitInternalPerHour_|0|1000|800|The default value 0 means use the service defaults.|
-|**Set a daily message limit** <br/><br/> _RecipientLimitPerDay_|0|1000|800|The default value 0 means use the service defaults.|
-|**Restriction placed on users who reach the message limit** <br/><br/> _ActionWhenThresholdReached_|**Restrict the user from sending mail until the following day** <br/><br/> `BlockUserForToday`|**Restrict the user from sending mail** <br/><br/> `BlockUser`|**Restrict the user from sending mail** <br/><br/> `BlockUser`||
-|**Automatic forwarding rules** <br/><br/> _AutoForwardingMode_|**Automatic - System-controlled** <br/><br/> `Automatic`|**Automatic - System-controlled** <br/><br/> `Automatic`|**Automatic - System-controlled** <br/><br/> `Automatic`|
-|**Send a copy of outbound messages that exceed these limits to these users and groups** <br/><br/> _BccSuspiciousOutboundMail_ <br/><br/> _BccSuspiciousOutboundAdditionalRecipients_|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. <br/><br/> This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.|
-|**Notify these users and groups if a sender is blocked due to sending outbound spam** <br/><br/> _NotifyOutboundSpam_ <br/><br/> _NotifyOutboundSpamRecipients_|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|Not selected <br/><br/> `$false` <br/><br/> Blank|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).|
+|**Set an external message limit** <br><br> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.|
+|**Set an internal message limit** <br><br> _RecipientLimitInternalPerHour_|0|1000|800|The default value 0 means use the service defaults.|
+|**Set a daily message limit** <br><br> _RecipientLimitPerDay_|0|1000|800|The default value 0 means use the service defaults.|
+|**Restriction placed on users who reach the message limit** <br><br> _ActionWhenThresholdReached_|**Restrict the user from sending mail until the following day** <br><br> `BlockUserForToday`|**Restrict the user from sending mail** <br><br> `BlockUser`|**Restrict the user from sending mail** <br><br> `BlockUser`||
+|**Automatic forwarding rules** <br><br> _AutoForwardingMode_|**Automatic - System-controlled** <br><br> `Automatic`|**Automatic - System-controlled** <br><br> `Automatic`|**Automatic - System-controlled** <br><br> `Automatic`|
+|**Send a copy of outbound messages that exceed these limits to these users and groups** <br><br> _BccSuspiciousOutboundMail_ <br><br> _BccSuspiciousOutboundAdditionalRecipients_|Not selected <br><br> `$false` <br><br> Blank|Not selected <br><br> `$false` <br><br> Blank|Not selected <br><br> `$false` <br><br> Blank|We have no specific recommendation for this setting. <br><br> This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.|
+|**Notify these users and groups if a sender is blocked due to sending outbound spam** <br><br> _NotifyOutboundSpam_ <br><br> _NotifyOutboundSpamRecipients_|Not selected <br><br> `$false` <br><br> Blank|Not selected <br><br> `$false` <br><br> Blank|Not selected <br><br> `$false` <br><br> Blank|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).|
### EOP anti-malware policy settings
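Review bot: The **Automatic forwarding rules** row ends with a single "|" after the Strict value, so it has four cells where the header and every other row in this table have five; add the empty Comment cell (end the row with "||") so the table renders consistently.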
Users can't release their own messages that were quarantined as malware, regardl
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Protection settings**|||||
-|**Enable the common attachments filter** <br/><br/> _EnableFileFilter_|Selected <br/><br/> `$true`<sup>\*</sup>|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|For the list of file types in the common attachments filter, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies). <br/><br/> <sup>\*</sup> The common attachments filter is on by default in new anti-malware policies that you create in the Microsoft 365 Defender portal. The common attachments filter is off by default in the default anti-malware policy and in new policies that you create in PowerShell.|
-|Common attachment filter notifications (**When these file types are found**) <br/><br/> _FileTypeAction_|**Reject the message with a non-delivery report (NDR)** <br/><br/> `Reject`|**Reject the message with a non-delivery report (NDR)** <br/><br/> `Reject`|**Reject the message with a non-delivery report (NDR)** <br/><br/> `Reject`||
-|**Enable zero-hour auto purge for malware** <br/><br/> _ZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Quarantine policy** <br/><br/> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||
+|**Enable the common attachments filter** <br><br> _EnableFileFilter_|Selected <br><br> `$true`<sup>\*</sup>|Selected <br><br> `$true`|Selected <br><br> `$true`|For the list of file types in the common attachments filter, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies). <br><br> <sup>\*</sup> The common attachments filter is on by default in new anti-malware policies that you create in the Microsoft 365 Defender portal. The common attachments filter is off by default in the default anti-malware policy and in new policies that you create in PowerShell.|
+|Common attachment filter notifications (**When these file types are found**) <br><br> _FileTypeAction_|**Reject the message with a non-delivery report (NDR)** <br><br> `Reject`|**Reject the message with a non-delivery report (NDR)** <br><br> `Reject`|**Reject the message with a non-delivery report (NDR)** <br><br> `Reject`||
+|**Enable zero-hour auto purge for malware** <br><br> _ZapEnabled_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Quarantine policy** <br><br> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||
|**Admin notifications**|||||
-|**Notify an admin about undelivered messages from internal senders** <br/><br/> _EnableInternalSenderAdminNotifications_ <br/><br/> _InternalSenderAdminAddress_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting.|
-|**Notify an admin about undelivered messages from external senders** <br/><br/> _EnableExternalSenderAdminNotifications_ <br/><br/> _ExternalSenderAdminAddress_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting.|
+|**Notify an admin about undelivered messages from internal senders** <br><br> _EnableInternalSenderAdminNotifications_ <br><br> _InternalSenderAdminAddress_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|We have no specific recommendation for this setting.|
+|**Notify an admin about undelivered messages from external senders** <br><br> _EnableExternalSenderAdminNotifications_ <br><br> _ExternalSenderAdminAddress_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|We have no specific recommendation for this setting.|
|**Customize notifications**||||We have no specific recommendations for these settings.|
-|**Use customized notification text** <br/><br/> _CustomNotifications_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`||
-|**From name** <br/><br/> _CustomFromName_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
-|**From address** <br/><br/> _CustomFromAddress_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
+|**Use customized notification text** <br><br> _CustomNotifications_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`||
+|**From name** <br><br> _CustomFromName_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||
+|**From address** <br><br> _CustomFromAddress_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||
|**Customize notifications for messages from internal senders**||||These settings are used only if **Notify an admin about undelivered messages from internal senders** is selected.|
-|**Subject** <br/><br/> _CustomInternalSubject_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
-|**Message** <br/><br/> _CustomInternalBody_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
+|**Subject** <br><br> _CustomInternalSubject_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||
+|**Message** <br><br> _CustomInternalBody_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||
|**Customize notifications for messages from external senders**||||These settings are used only if **Notify an admin about undelivered messages from external senders** is selected.|
-|**Subject** <br/><br/> _CustomExternalSubject_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
-|**Message** <br/><br/> _CustomExternalBody_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`||
+|**Subject** <br><br> _CustomExternalSubject_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||
+|**Message** <br><br> _CustomExternalBody_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||
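Review bot: In the first changed row (_EnableFileFilter_), the Default cell still reads Selected / `$true` with an asterisk, while the comment cell in the same row says the common attachments filter is off by default in the default anti-malware policy and in new policies created in PowerShell. Since the row is being rewritten anyway, consider putting both defaults in the cell itself (`$true` for policies created in the Microsoft 365 Defender portal, `$false` for the default policy and PowerShell-created policies), so that someone comparing a tenant's PowerShell output against this table does not read `$false` as drift. The remaining rows in this table are a mechanical `<br/>` to `<br>` replacement with no value changes.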
### EOP anti-phishing policy settings
Admins can create or use quarantine policies with more restrictive or less restr
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
-|**Enable spoof intelligence** <br/><br/> _EnableSpoofIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Enable spoof intelligence** <br><br> _EnableSpoofIntelligence_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
|**Actions**|||||
-|**If message is detected as spoof** <br/><br/> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). <br/><br/> If you select **Quarantine the message** as the action for the spoof verdict, an **Apply quarantine policy** box is available.|
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Spoof** <br/><br/> _SpoofQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if spoof detections are quarantined.|
-|**Show first contact safety tip** <br/><br/> _EnableFirstContactSafetyTips_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).|
-|**Show (?) for unauthenticated senders for spoof** <br/><br/> _EnableUnauthenticatedSender_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|
-|**Show "via" tag** <br/><br/> _EnableViaTag_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br/><br/> For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|
+|**If message is detected as spoof** <br><br> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Quarantine the message** <br><br> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). <br><br> If you select **Quarantine the message** as the action for the spoof verdict, an **Apply quarantine policy** box is available.|
+|**Quarantine policy** for **Spoof** <br><br> _SpoofQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if spoof detections are quarantined.|
+|**Show first contact safety tip** <br><br> _EnableFirstContactSafetyTips_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).|
+|**Show (?) for unauthenticated senders for spoof** <br><br> _EnableUnauthenticatedSender_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|
+|**Show "via" tag** <br><br> _EnableViaTag_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br><br> For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|
┬╣ As described in [Full access permissions and quarantine notifications](quarantine-policies.md#full-access-permissions-and-quarantine-notifications), your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
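Review bot: The new _SpoofQuarantineTag_ row drops the leading `&nbsp;&nbsp;&nbsp;` in addition to the `<br/>` to `<br>` replacement, so **Quarantine policy** for **Spoof** no longer renders indented beneath **If message is detected as spoof**. That indentation was the only visual cue that the quarantine policy depends on the action in the row above (the comment cell says it is meaningful only if spoof detections are quarantined). If the removal is intentional, say so in the commit message; otherwise restore the prefix so this stays a pure markup change.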
For more information about this setting, see [Advanced phishing thresholds in an
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Phishing email threshold** <br/><br/> _PhishThresholdLevel_|**1 - Standard** <br/><br/> `1`|**3 - More aggressive** <br/><br/> `3`|**4 - Most aggressive** <br/><br/> `4`||
+|**Phishing email threshold** <br><br> _PhishThresholdLevel_|**1 - Standard** <br><br> `1`|**3 - More aggressive** <br><br> `3`|**4 - Most aggressive** <br><br> `4`||
#### Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
Admins can create or use quarantine policies with more restrictive or less restr
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
-|**Enable users to protect** (impersonated user protection) <br/><br/> _EnableTargetedUserProtection_ <br/><br/> _TargetedUsersToProtect_|Not selected <br/><br/> `$false` <br/><br/> none|Selected <br/><br/> `$true` <br/><br/> \<list of users\>|Selected <br/><br/> `$true` <br/><br/> \<list of users\>|We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|
+|**Enable users to protect** (impersonated user protection) <br><br> _EnableTargetedUserProtection_ <br><br> _TargetedUsersToProtect_|Not selected <br><br> `$false` <br><br> none|Selected <br><br> `$true` <br><br> \<list of users\>|Selected <br><br> `$true` <br><br> \<list of users\>|We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|
|**Enable domains to protect** (impersonated domain protection)|Not selected|Selected|Selected||
-|**Include domains I own** <br/><br/> _EnableOrganizationDomainsProtection_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Include custom domains** <br/><br/> _EnableTargetedDomainsProtection_ <br/><br/> _TargetedDomainsToProtect_|Off <br/><br/> `$false` <br/><br/> none|Selected <br/><br/> `$true` <br/><br/> \<list of domains\>|Selected <br/><br/> `$true` <br/><br/> \<list of domains\>|We recommend adding domains (sender domains) that you don't own, but you frequently interact with.|
-|**Add trusted senders and domains** <br/><br/> _ExcludedSenders_ <br/><br/> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|
-|**Enable mailbox intelligence** <br/><br/> _EnableMailboxIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Enable intelligence for impersonation protection** <br/><br/> _EnableMailboxIntelligenceProtection_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|
+|**Include domains I own** <br><br> _EnableOrganizationDomainsProtection_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Include custom domains** <br><br> _EnableTargetedDomainsProtection_ <br><br> _TargetedDomainsToProtect_|Off <br><br> `$false` <br><br> none|Selected <br><br> `$true` <br><br> \<list of domains\>|Selected <br><br> `$true` <br><br> \<list of domains\>|We recommend adding domains (sender domains) that you don't own, but you frequently interact with.|
+|**Add trusted senders and domains** <br><br> _ExcludedSenders_ <br><br> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|
+|**Enable mailbox intelligence** <br><br> _EnableMailboxIntelligence_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Enable intelligence for impersonation protection** <br><br> _EnableMailboxIntelligenceProtection_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|
|**Actions**|||||
-|**If message is detected as an impersonated user** <br/><br/> _TargetedUserProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Quarantine the message** <br/><br/> `Quarantine`|**Quarantine the message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **user impersonation** <br/><br/> _TargetedUserQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if user impersonation detections are quarantined.|
-|**If message is detected as an impersonated domain** <br/><br/> _TargetedDomainProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Quarantine the message** <br/><br/> `Quarantine`|**Quarantine the message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **domain impersonation** <br/><br/> _TargetedDomainQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if domain impersonation detections are quarantined.|
-|**If mailbox intelligence detects an impersonated user** <br/><br/> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **mailbox intelligence impersonation** <br/><br/> _MailboxIntelligenceQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if mailbox intelligence detections are quarantined.|
-|**Show user impersonation safety tip** <br/><br/> _EnableSimilarUsersSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Show domain impersonation safety tip** <br/><br/> _EnableSimilarDomainsSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Show user impersonation unusual characters safety tip** <br/><br/> _EnableUnusualCharactersSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**If message is detected as an impersonated user** <br><br> _TargetedUserProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Quarantine the message** <br><br> `Quarantine`|**Quarantine the message** <br><br> `Quarantine`||
+|**Quarantine policy** for **user impersonation** <br><br> _TargetedUserQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if user impersonation detections are quarantined.|
+|**If message is detected as an impersonated domain** <br><br> _TargetedDomainProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Quarantine the message** <br><br> `Quarantine`|**Quarantine the message** <br><br> `Quarantine`||
+|**Quarantine policy** for **domain impersonation** <br><br> _TargetedDomainQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if domain impersonation detections are quarantined.|
+|**If mailbox intelligence detects an impersonated user** <br><br> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Quarantine the message** <br><br> `Quarantine`||
+|**Quarantine policy** for **mailbox intelligence impersonation** <br><br> _MailboxIntelligenceQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if mailbox intelligence detections are quarantined.|
+|**Show user impersonation safety tip** <br><br> _EnableSimilarUsersSafetyTips_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Show domain impersonation safety tip** <br><br> _EnableSimilarDomainsSafetyTips_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Show user impersonation unusual characters safety tip** <br><br> _EnableUnusualCharactersSafetyTips_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`||
┬╣ As described in [Full access permissions and quarantine notifications](quarantine-policies.md#full-access-permissions-and-quarantine-notifications), your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
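Review bot: The rows for _EnableOrganizationDomainsProtection_, _EnableTargetedDomainsProtection_, _EnableMailboxIntelligenceProtection_ and the three safety tip settings pair "Off" in the Default column with "Selected" in Standard and Strict, while the _EnableTargetedUserProtection_ row in the same table uses "Not selected" for `$false`. As these lines are being rewritten, pick one term for the `$false` state so the columns compare cleanly. Separately, the three **Quarantine policy** rows (_TargetedUserQuarantineTag_, _TargetedDomainQuarantineTag_, _MailboxIntelligenceQuarantineTag_) lose their `&nbsp;&nbsp;&nbsp;` prefix, which is a layout change beyond the `<br/>` replacement and should be confirmed as intended.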
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/se
|Security feature name|Default|Built-in protection|Comment| ||::|::||
-|**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** <br/><br/> _EnableATPForSPOTeamsODB_|Off <br/><br/> `$false`|On <br/><br/> `$true`|To prevent users from downloading malicious files, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](safe-attachments-for-spo-odfb-teams-configure.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).|
-|**Turn on Safe Documents for Office clients** <br/><br/> _EnableSafeDocs_|Off <br/><br/> `$false`|On <br/><br/> `$true`|This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 A5 or Microsoft 365 E5 Security). For more information, see [Safe Documents in Microsoft 365 A5 or E5 Security](safe-documents-in-e5-plus-security-about.md).|
-|**Allow people to click through Protected View even if Safe Documents identified the file as malicious** <br/><br/> _AllowSafeDocsOpen_|Off <br/><br/> `$false`|Off <br/><br/> `$false`|This setting is related to Safe Documents.|
+|**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** <br><br> _EnableATPForSPOTeamsODB_|Off <br><br> `$false`|On <br><br> `$true`|To prevent users from downloading malicious files, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](safe-attachments-for-spo-odfb-teams-configure.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).|
+|**Turn on Safe Documents for Office clients** <br><br> _EnableSafeDocs_|Off <br><br> `$false`|On <br><br> `$true`|This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 A5 or Microsoft 365 E5 Security). For more information, see [Safe Documents in Microsoft 365 A5 or E5 Security](safe-documents-in-e5-plus-security-about.md).|
+|**Allow people to click through Protected View even if Safe Documents identified the file as malicious** <br><br> _AllowSafeDocsOpen_|Off <br><br> `$false`|Off <br><br> `$false`|This setting is related to Safe Documents.|
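Review bot: On the _AllowSafeDocsOpen_ row, the comment "This setting is related to Safe Documents." gives the reader no reason why both columns are `$false`. Suggest stating the effect instead, for example that leaving it off keeps users from clicking through Protected View when Safe Documents identified the file as malicious, and pointing to the license note on the _EnableSafeDocs_ row above. The `<br/>` to `<br>` replacement itself changes no values in this table.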
#### Safe Attachments policy settings
Users can't release their own messages that were quarantined as malware by Safe
|Security feature name|Default in custom|Built-in protection|Standard|Strict|Comment| ||::|::|::|::||
-|**Safe Attachments unknown malware response** <br/><br/> _Enable_ and _Action_|**Off** <br/><br/> `-Enable $false` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|
-|**Quarantine policy** <br/><br/> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||
-|**Redirect attachment with detected attachments** : **Enable redirect** <br/><br/> _Redirect_ <br/><br/> _RedirectAddress_|Not selected and no email address specified. <br/><br/> `-Redirect $false` <br/><br/> _RedirectAddress_ is blank (`$null`)|Not selected and no email address specified. <br/><br/> `-Redirect $false` <br/><br/> _RedirectAddress_ is blank (`$null`)|Selected and specify an email address. <br/><br/> `$true` <br/><br/> an email address|Selected and specify an email address. <br/><br/> `$true` <br/><br/> an email address|Redirect messages to a security admin for review. <br/><br/> **Note**: This setting is not configured in the **Standard**, **Strict**, or **Built-in protection** preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in new Safe Attachments policies that you create.|
-|**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <br/><br/> _ActionOnError_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**Safe Attachments unknown malware response** <br><br> _Enable_ and _Action_|**Off** <br><br> `-Enable $false` and `-Action Block`|**Block** <br><br> `-Enable $true` and `-Action Block`|**Block** <br><br> `-Enable $true` and `-Action Block`|**Block** <br><br> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|
+|**Quarantine policy** <br><br> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||
+|**Redirect attachment with detected attachments** : **Enable redirect** <br><br> _Redirect_ <br><br> _RedirectAddress_|Not selected and no email address specified. <br><br> `-Redirect $false` <br><br> _RedirectAddress_ is blank (`$null`)|Not selected and no email address specified. <br><br> `-Redirect $false` <br><br> _RedirectAddress_ is blank (`$null`)|Selected and specify an email address. <br><br> `$true` <br><br> an email address|Selected and specify an email address. <br><br> `$true` <br><br> an email address|Redirect messages to a security admin for review. <br><br> **Note**: This setting is not configured in the **Standard**, **Strict**, or **Built-in protection** preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in new Safe Attachments policies that you create.|
+|**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <br><br> _ActionOnError_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
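Review bot: In the _Redirect_ / _RedirectAddress_ row, the Default in custom and Built-in protection cells give the full parameter form (`-Redirect $false`), but the Standard and Strict cells give a bare `$true` followed by "an email address". Suggest writing `-Redirect $true` there as well, and naming _RedirectAddress_ next to the address placeholder, so all four cells use the same notation. In the first row's comment, `$false` in "When the _Enable_ parameter is $false" is also missing the code formatting used everywhere else in the table.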
### Safe Links settings
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/se
|Security feature name|Default|Built-in protection|Comment| ||::|::||
-|**Block the following URLs** <br/><br/> _ExcludedUrls_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|We have no specific recommendation for this setting. <br/><br/> For more information, see ["Block the following URLs" list for Safe Links](safe-links-about.md#block-the-following-urls-list-for-safe-links). <br/><br/> **Note**: You can now manage block URL entries in the [Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.|
+|**Block the following URLs** <br><br> _ExcludedUrls_|Blank <br><br> `$null`|Blank <br><br> `$null`|We have no specific recommendation for this setting. <br><br> For more information, see ["Block the following URLs" list for Safe Links](safe-links-about.md#block-the-following-urls-list-for-safe-links). <br><br> **Note**: You can now manage block URL entries in the [Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.|
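Review bot: The _ExcludedUrls_ comment opens with "We have no specific recommendation for this setting" and then says the "Block the following URLs" list is in the process of being deprecated and that block entries are now managed in the Tenant Allow/Block List. Those two statements pull in different directions. Since the row is touched here, consider replacing the first sentence with a recommendation to leave the list blank and create block entries in the Tenant Allow/Block List instead.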
#### Safe Links policy settings
In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new
||::|::|::|::|| |**URL & click protection settings**|||||| |**Email**|||||The settings in this section affect URL rewriting and time of click protection in email messages.|
-|**On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default.** <br/><br/> _EnableSafeLinksForEmail_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Apply Safe Links to email messages sent within the organization** <br/><br/> _EnableForInternalSenders_|Selected <br/><br/> `$true`|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Apply real-time URL scanning for suspicious links and links that point to files** <br/><br/> _ScanUrls_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Wait for URL scanning to complete before delivering the message** <br/><br/> _DeliverMessageAfterScan_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Do not rewrite URLs, do checks via Safe Links API only** <br/><br/> _DisableURLRewrite_|Selected<sup>\*</sup> <br/><br/> `$true`|Selected <br/><br/> `$true`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|<sup>\*</sup> In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the _DisableURLRewrite_ parameter is `$false`.|
-|**Do not rewrite the following URLs in email** <br/><br/> _DoNotRewriteUrls_|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|Blank <br/><br/> `$null`|We have no specific recommendation for this setting. <br/><br/> **Note**: Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [allow URL entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-on-the-submissions-page) so URLs are not scanned or wrapped by Safe Links during mail flow _and_ at time of click.|
+|**On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default.** <br><br> _EnableSafeLinksForEmail_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Apply Safe Links to email messages sent within the organization** <br><br> _EnableForInternalSenders_|Selected <br><br> `$true`|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Apply real-time URL scanning for suspicious links and links that point to files** <br><br> _ScanUrls_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Wait for URL scanning to complete before delivering the message** <br><br> _DeliverMessageAfterScan_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Do not rewrite URLs, do checks via Safe Links API only** <br><br> _DisableURLRewrite_|Selected<sup>\*</sup> <br><br> `$true`|Selected <br><br> `$true`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|<sup>\*</sup> In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the _DisableURLRewrite_ parameter is `$false`.|
+|**Do not rewrite the following URLs in email** <br><br> _DoNotRewriteUrls_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|We have no specific recommendation for this setting. <br><br> **Note**: Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [allow URL entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-on-the-submissions-page) so URLs are not scanned or wrapped by Safe Links during mail flow _and_ at time of click.|
|**Teams**|||||The setting in this section affects time of click protection in Microsoft Teams.|
-|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.** <br/><br/> _EnableSafeLinksForTeams_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
+|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.** <br><br> _EnableSafeLinksForTeams_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
|**Office 365 apps**|||||The setting in this section affects time of click protection in Office apps.|
-|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten.** <br/><br/> _EnableSafeLinksForOffice_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office apps](safe-links-about.md#safe-links-settings-for-office-apps).|
+|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten.** <br><br> _EnableSafeLinksForOffice_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office apps](safe-links-about.md#safe-links-settings-for-office-apps).|
|**Click protection settings**||||||
-|**Track user clicks** <br/><br/> _TrackClicks_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Let users click through to the original URL** <br/><br/> _AllowClickThrough_|Selected<sup>\*</sup> <br/><br/> `$true`|Selected <br/><br/> `$true`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|<sup>\*</sup> In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the _AllowClickThrough_ parameter is `$false`.|
-|**Display the organization branding on notification and warning pages** <br/><br/> _EnableOrganizationBranding_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting. <br/><br/> Before you turn on this setting, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.|
+|**Track user clicks** <br><br> _TrackClicks_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||
+|**Let users click through to the original URL** <br><br> _AllowClickThrough_|Selected<sup>\*</sup> <br><br> `$true`|Selected <br><br> `$true`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|<sup>\*</sup> In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the _AllowClickThrough_ parameter is `$false`.|
+|**Display the organization branding on notification and warning pages** <br><br> _EnableOrganizationBranding_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|We have no specific recommendation for this setting. <br><br> Before you turn on this setting, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.|
|**Notification**||||||
-|**How would you like to notify your users?** <br/><br/> _CustomNotificationText_ <br/><br/> _UseTranslatedNotificationText_|**Use the default notification text** <br/><br/> Blank (`$null`) <br/><br/> `$false`|**Use the default notification text** <br/><br/> Blank (`$null`) <br/><br/> `$false`|**Use the default notification text** <br/><br/> Blank (`$null`) <br/><br/> `$false`|**Use the default notification text** <br/><br/> Blank (`$null`) <br/><br/> `$false`|We have no specific recommendation for this setting. <br/><br/> You can select **Use custom notification text** (`-CustomNotificationText "<Custom text>"`) to enter and use customized notification text. If you specify custom text, you can also select **Use Microsoft Translator for automatic localization** (`-UseTranslatedNotificationText $true`) to automatically translate the text into the user's language.|
+|**How would you like to notify your users?** <br><br> _CustomNotificationText_ <br><br> _UseTranslatedNotificationText_|**Use the default notification text** <br><br> Blank (`$null`) <br><br> `$false`|**Use the default notification text** <br><br> Blank (`$null`) <br><br> `$false`|**Use the default notification text** <br><br> Blank (`$null`) <br><br> `$false`|**Use the default notification text** <br><br> Blank (`$null`) <br><br> `$false`|We have no specific recommendation for this setting. <br><br> You can select **Use custom notification text** (`-CustomNotificationText "<Custom text>"`) to enter and use customized notification text. If you specify custom text, you can also select **Use Microsoft Translator for automatic localization** (`-UseTranslatedNotificationText $true`) to automatically translate the text into the user's language.|
## Related articles
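Review bot: In the _AllowClickThrough_ row, the footnote says policies created in the Defender portal have this setting selected by default while policies created in PowerShell default to `$false`, yet the first value cell still shows only `$true` beside the asterisk. Put both values in that cell, or move the PowerShell default out of the comment column and into the cell, so that an admin who creates policies by script does not read `$true` as the value they will get. The last two value columns set this parameter to `$false`, so the portal-versus-PowerShell difference is exactly what someone auditing click-through behaviour needs to see at a glance. The remaining changed rows only replace `<br/>` with `<br>` and alter no values; the Teams and _TrackClicks_ rows still have an empty comment cell, which is worth filling with a one-line rationale while these rows are being touched.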