Updates from: 04/22/2023 03:31:50
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
Check out [Microsoft 365 small business help](https://go.microsoft.com/fwlink/?l
Microsoft 365 or Office 365 subscription comes with a set of admin roles that you can assign to users in your organization using the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers.
-The <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> lets you manage Azure AD roles and Microsoft Intune roles. However, these roles are a subset of the roles available in the Azure AD portal and the Intune admin center.
- > [!TIP] > If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.
Check out this video and others on our [YouTube channel](https://go.microsoft.co
## Before you begin
-Looking for the full list of detailed Azure AD role descriptions you can manage in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>? Check out Administrator role permissions in Azure Active Directory. [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).
+The <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> lets you manage Azure AD roles and Microsoft Intune roles. However, these roles are a subset of the roles available in the Azure AD portal and the Intune admin center.
+
+For the full list of detailed Azure AD role descriptions you can manage in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, check out Administrator role permissions in the [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) topic.
-Looking for the full list of detailed Intune role descriptions you can manage in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>? Check out [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
+For the full list of detailed Intune role descriptions you can manage in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, check out [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
For more information on assigning roles in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, see [Assign admin roles](assign-admin-roles.md).
Because admins have access to sensitive data and files, we recommend that you fo
| Recommendation | Why is this important? | | :- | :- | | Have 2 to 4 Global Admins | Global Admins have almost unlimited access to your organization's settings and most of its data. We recommend you limit the number of Global Admins as much as possible. A Global Admin may inadvertently lock their account and require a password reset. Either another Global Admin or a Privileged Authentication Admin can reset a Global Admin's password. Therefore, we recommend you have at least either one more Global Admin or a Privileged Authentication Admin in the event a Global Admin locks their account. |
-| Assign the *least permissive* role | Assigning the *least permissive* role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords you shouldn't assign the unlimited global admin role, you should assign a limited admin role, like Password admin or Helpdesk admin. This will help keep your data secure. |
-| Require multi-factor authentication for admins | It's actually a good idea to require MFA for all of your users, but admins should definitely be required to use MFA to sign in. MFA makes users enter a second method of identification to verify they're who they say they are. Admins can have access to much of customer and employee data and if you require MFA, even if the admin's password gets compromised, the password is useless without the second form of identification. <br><br>When you turn on MFA, the next time the user signs in, they'll need to provide an alternate email address and phone number for account recovery. <br> [Set up multi-factor authentication](../security-and-compliance/set-up-multi-factor-authentication.md) |
+| Assign the *least permissive* role | Assigning the *least permissive* role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords you shouldn't assign the unlimited global admin role, you should assign a limited admin role, like Password admin or Helpdesk admin. |
+| Require multi-factor authentication for admins | It's actually a good idea to require MFA for all of your users, but admins should definitely be required to use MFA to sign in. MFA makes users use a second method of identification to verify their identity. Admins can have access to much of customer and employee data. If you require MFA, even if the admin's password gets compromised, the password is useless without the second method of identification. <br><br>When you turn on MFA, the next time the user signs in, they'll need to provide an alternate email address and phone number for account recovery. <br> [Set up multi-factor authentication](../security-and-compliance/set-up-multi-factor-authentication.md) |
-If you get a message in the admin center telling you that you don't have permissions to edit a setting or page, it's because you're assigned a role that doesn't have that permission.
+If you get a message in the admin center that you don't have permissions to edit a setting or page, it's because you're assigned a role that doesn't have that permission.
## Commonly used Microsoft 365 admin center roles
You'll probably only need to assign the following roles in your organization. By
||| |Billing admin | Assign the Billing admin role to users who make purchases, manage subscriptions and service requests, and monitor service health. <br><br> Billing admins also can:<br> - Manage all aspects of billing <br> - Create and manage support tickets in the Azure portal <br> | |Exchange admin | Assign the Exchange admin role to users who need to view and manage your user's email mailboxes, Microsoft 365 groups, and Exchange Online. <br><br> Exchange admins can also:<br> - Recover deleted items in a user's mailbox <br> - Set up "Send As" and "Send on behalf" delegates <br> |
-|Global admin | Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. <br><br> Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins. <br><br> Only global admins can:<br> - Reset passwords for all users <br> - Add and manage domains <br> - Unblock another global admin <br> <br> **Note:** The person who signed up for Microsoft online services automatically becomes a Global admin. |
+|Global admin | Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. <br><br> Giving too many users global access is a security risk and we recommend that you have between two and four Global admins. <br><br> Only global admins can:<br> - Reset passwords for all users <br> - Add and manage domains <br> - Unblock another global admin <br> <br> **Note:** The person who signed up for Microsoft online services automatically becomes a Global admin. |
|Global reader | Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings. | |Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal. <br><br> Groups admins can:<br> - Create, edit, delete, and restore Microsoft 365 groups <br> - Create and update group creation, expiration, and naming policies <br> - Create, edit, delete, and restore Azure Active Directory security groups| |Helpdesk admin | Assign the Helpdesk admin role to users who need to do the following:<br> - Reset passwords <br> - Force users to sign out <br> - Manage service requests <br> - Monitor service health <br> <br> **Note**: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. |
You'll probably only need to assign the following roles in your organization. By
## Delegated administration for Microsoft Partners
-If you're working with a Microsoft partner, you can assign them admin roles. They, in turn, can assign users in your company, or their company, admin roles. You might want them to do this, for example, if they're setting up and managing your online organization for you.
+If you're working with a Microsoft partner, you can assign them admin roles. They, in turn, can assign users in your company, or their company, admin roles. You may want to assign admin roles to partners if they're setting up and managing your online organization for you.
A partner can assign these roles:
A partner can assign these roles:
- **Helpdesk Agent** Privileges equivalent to a helpdesk admin.
-Before the partner can assign these roles to users, you must add the partner as a delegated admin to your account. This process is initiated by an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For instructions, see [Authorize or remove partner relationships](../misc/add-partner.md).
+Before the partner can assign these roles to users, you must add the partner as a delegated admin to your account. The partner has to be an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For instructions, see [Authorize or remove partner relationships](../misc/add-partner.md).
## Related content
admin Delete A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/delete-a-user.md
Before you begin, think about what you want to do with the user's email and OneD
|:--|:--| |Product licenses <br/> |You can remove the license from the user and remove it from your subscriptions to stop paying for that license. If you select this option, the license will be removed automatically from your subscriptions. <br/><br/> **You can't remove the license** if you bought it through a Partner or volume licensing. If you're paying for an annual plan or if you're in the middle of a billing cycle, you won't be able to remove the license from your subscription until your commitment is completed. <br/> | |OneDrive content <br/> |If the user saved their files to OneDrive, you can give another user access to these files. <br/><br/> You'll need to move the files you want to keep within the retention period that is set for OneDrive files. **By default, the retention period is 30 days.** If you don't move the files within the retention period after deleting the user, the OneDrive for the deleted user is moved to the site collection recycle bin, where it is kept for 93 days. During this time, users will no longer be able to access any shared content in the OneDrive. To restore the OneDrive, you need to use PowerShell. For info, see [Restore a deleted OneDrive](/onedrive/restore-deleted-onedrive).<br/><br/> To increase the number of days that you retain OneDrive files for deleted accounts, see [Set the OneDrive retention for deleted users](/onedrive/set-retention). <br/><br/> **Important!** If the deleted user used a personal computer to download files from SharePoint and OneDrive, there's no way for you to wipe those files they stored on their computer. They will continue to have access to any files that were synced from OneDrive. |
-|Email <br/> | Giving another user access to the deleted user's email will convert the deleted user's mailbox to a shared mailbox. The new mailbox owner can then access the mailbox and monitor for new email. You'll also have the following options: <br/> <br/>Change the display name - We recommend changing the display name so that it will be easy to identify the shared mailbox in the **Active users** list. <br/> <br/> Turn on automatic replies - We've already written a polite automatic reply for you. You can send different automatic replies to people within your organization and people from outside your organization. <br/> <br/> [Remove any existing calendar permissions](/powershell/module/exchange/remove-mailboxfolderpermission?view=exchange-ps) using PowerShell. <br/> <br/> Clean up aliases - Aliases are additional email addresses for users. Some organizations don't use them, so if you don't have any you don't need to do anything else here. If the user does have aliases, we recommend removing them so that you can reuse those email addresses. Otherwise, you can't reuse those email addresses until the retention period for deleted mailboxes has passed. By default, a deleted mailbox is recoverable for 30 days. For more information, see [Delete or restore user mailboxes in Exchange Online](/exchange/recipients-in-exchange-online/delete-or-restore-mailboxes#delete-a-user-mailbox). <br/> |
+|Email <br/> | Giving another user access to the deleted user's email will convert the deleted user's mailbox to a shared mailbox. The new mailbox owner can then access the mailbox and monitor for new email. You'll also have the following options: <br/> <br/>Change the display name - We recommend changing the display name so that it will be easy to identify the shared mailbox in the **Active users** list. <br/> <br/> Turn on automatic replies - We've already written a polite automatic reply for you. You can send different automatic replies to people within your organization and people from outside your organization. <br/> <br/> [Remove any existing calendar permissions](/powershell/module/exchange/remove-mailboxfolderpermission) using PowerShell. <br/> <br/> Clean up aliases - Aliases are additional email addresses for users. Some organizations don't use them, so if you don't have any you don't need to do anything else here. If the user does have aliases, we recommend removing them so that you can reuse those email addresses. Otherwise, you can't reuse those email addresses until the retention period for deleted mailboxes has passed. By default, a deleted mailbox is recoverable for 30 days. For more information, see [Delete or restore user mailboxes in Exchange Online](/exchange/recipients-in-exchange-online/delete-or-restore-mailboxes#delete-a-user-mailbox). <br/> |
|Active Directory <br/> |If your business uses **Active Directory** that is synchronizing with Azure AD, you need to delete the user account from Active Directory. You can't do it through Microsoft 365. For instructions, see [Delete a User Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753730(v=ws.11)). <br/> | ### Get started
Later when you go through the steps to add another person to your business, you'
## Delete many users at the same time
-See the [Remove-MsolUser](/powershell/module/msonline/remove-msoluser) PowerShell cmdlet.
+See the [Remove-MgUser](/powershell/module/microsoft.graph.users/remove-mguser) PowerShell cmdlet.
## Fix issues with deleting a user
admin Set Password To Never Expire https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/set-password-to-never-expire.md
This article is for people who set password expiration policy for a business, sc
You must be a [global admin or password administrator](about-admin-roles.md) to perform these steps.
-A global admin for a Microsoft cloud service can use the [Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2) to set passwords not to expire for specific users. You can also use [AzureAD](/powershell/module/Azuread) cmdlets to remove the never-expires configuration or to see which user passwords are set to never expire.
+A global admin for a Microsoft cloud service can use the [Microsoft Graph Powershell](/powershell/microsoftgraph/overview) to set passwords not to expire for specific users, remove the never-expire configuration or see which users' passwords are set to never expire.
This guide applies to other providers, such as Intune and Microsoft 365, which also rely on Azure AD for identity and directory services. Password expiration is the only part of the policy that can be changed. ## How to check the expiration policy for a password
-For more information about the Get-AzureADUser command in the AzureAD module, see the reference article [Get-AzureADUser](/powershell/module/Azuread/Get-AzureADUser).
+For more information about the Get-MgUser command in the AzureAD module, see the reference article [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser).
Run one of the following commands: - To see if a single user's password is set to never expire, run the following cmdlet by using the UPN (for example, *user@contoso.onmicrosoft.com*) or the user ID of the user you want to check: ```powershell
- Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserprincipalName,@{
+ Get-MGuser -UserId <user id or UPN> -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} } ```
Run one of the following commands:
Example: ```powershell
- Get-AzureADUser -ObjectId userUPN@contoso.com | Select-Object UserprincipalName,@{
+ Get-MGuser -UserId userUPN@contoso.com -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} } ```
Run one of the following commands:
- To see the **Password never expires** setting for all users, run the following cmdlet: ```powershell
- Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
+ Get-MGuser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} } ```
Run one of the following commands:
- To get a report of all the users with PasswordNeverExpires in Html on the desktop of the current user with name **ReportPasswordNeverExpires.html** ```powershell
- Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
+ Get-MGuser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} } | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html ```
Run one of the following commands:
- To get a report of all the users with PasswordNeverExpires in CSV on the desktop of the current user with name **ReportPasswordNeverExpires.csv** ```powershell
- Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
+ Get-MGuser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} } | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv
Run one of the following commands:
- To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user: ```powershell
- Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration
+ Update-MgUser -UserId <user ID> -PasswordPolicies DisablePasswordExpiration -PassThru
``` - To set the passwords of all the users in an organization to never expire, run the following cmdlet: ```powershell
- Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration
+ Get-MGuser -All | Update-MgUser -PasswordPolicies DisablePasswordExpiration -PassThru
``` > [!WARNING]
Run one of the following commands:
- To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user: ```powershell
- Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
+ Update-MgUser -UserId <user ID> -PasswordPolicies None -PassThru
``` - To set the passwords of all users in the organization so that they expire, use the following cmdlet: ```powershell
- Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
+ Get-MGuser -All | Update-MgUser -PasswordPolicies None -PassThru
``` ## Related content
admin Select Domain To Use For Email From Microsoft 365 Products https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/select-domain-to-use-for-email-from-microsoft-365-products.md
description: "Let Microsoft send notification messages from an email address wit
# Select the domain to use for email from Microsoft 365 products
-> [!NOTE]
-> The following feature will be rolling out to public preview shortly, and may currently not be available to you.
- <b>In this article</b>: - [Configure the "Send email notifications from your domain" setting](#configure-the-send-email-notifications-from-your-domain-setting) - [Supported Products](#supported-products)
admin Message Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/message-center.md
If administration is distributed across your organization, you may not want or n
2. In the **Custom View** tab, make sure that the check box is selected for each service that you want to monitor. Clear the check boxes for the services you want to filter out of your Message center view.
-3. Digest emails are turned on by default and are sent to your primary email address. To stop receiving the weekly digest, clear the **Send me email notifications from message center** check box in he **Email tab**.
+3. Digest emails are turned on by default and are sent to your primary email address. To stop receiving the weekly digest, clear the **Send me email notifications from message center** check box in the **Email tab**.
You can also enter up to two email addresses, separated by a semicolon.
admin Experience Insights Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/experience-insights-dashboard.md
description: "Get a periodic report about how people in your organization use Mi
# Microsoft 365 Experience insights dashboard The Experience insights (preview) dashboard shows you data across usage and sentiment to give you a fuller view of your organization's experience with Microsoft 365.
-Experience insights is optimized for organizations with higher volumes of data so is only available for organizations with 20,000 plus seats. We are working on bringing the experience to smaller organizations in the future. This information and data on the dashboard will help you better understand and improve your users' experience with Microsoft 365. The dashboard shows you data across usage and user sentiment and helps give you a fuller picture of your users' overall experience. You can drill down into specific information such as feature usage for certain apps, exact feedback and Net Promoter Score (NPS) comments, and top help articles viewed by users in your organization. This info can help you identify opportunities to improve usersΓÇÖ Microsoft 365 products and app experiences in your organization.
-
-<!--To learn more about adoption and training for users in your organization, see [Experience insights help article report](experience-insights-help-articles.md). -->
+Experience insights is optimized for organizations with 2000 plus seats. We are working on bringing the experience to smaller organizations in the future. This information and data on the dashboard will help you better understand and improve your users' experience with Microsoft 365. The dashboard shows you data across usage and user sentiment and helps give you a fuller picture of your users' overall experience. You can drill down into specific information such as feature usage for certain apps, exact feedback and Net Promoter Score (NPS) comments, and top help articles viewed by users in your organization. This info can help you identify opportunities to improve usersΓÇÖ Microsoft 365 products and app experiences in your organization.
## How to get to the Experience insights dashboard
If youΓÇÖre a member of the reports reader role, once you sign into the admin ce
To learn more, see [About admin roles](../add-users/about-admin-roles.md) and [Assign admin roles](../add-users/assign-admin-roles.md).
+## Suggested training
+
+**Suggested training** gives you deeper insights into the Microsoft 365 help and training articles being read by your signed-in users on support.microsoft.com and in-app help panels with these 3 insights:
+
+- **Top viewed articles** for your organization shows you help and training articles that have been getting the most views by people in your organization.
+
+- **Trending across organizations** shows you the help and training topics that are moving up the most in your organizations most viewed list.
+
+- **Commonly viewed together** gives you insights into the additional help articles users in all Microsoft 365 organizations are reading, along with the top viewed and top trending articles. You can use this info to put together and share training packages for your users.
+
+ :::image type="content" source="../../media/suggested-training-overview.png" alt-text="Screenshot: Suggested training data dashboard":::
+
+Use this data to decide which help articles and training resources to share with your users about these products and apps, or make sure your helpdesk is aware of these areas so they can answer any user questions. If your org doesnΓÇÖt have enough views on help and training articles, youΓÇÖll see data from other Microsoft 365 organizations.
+ ## Apps and services data The **Apps and services** data section shows you a unified view across usage and sentiment in your organization to give you an at-a-glance understanding of your users' experience with Microsoft 365. Select an app or service to get additional details, such as comments submitted through feedback and NPS surveys, or the top Microsoft 365 help articles your users viewed. You can also favorite the apps or services in the list so that you can more easily view them.
The chart information gives you insight into the apps and services that you want
**Product usage** is the percentage of people who are actively using the products that are enabled for them to use. Use this data to make decisions on where to optimize product assignments.
-**In-product feedback** Is the total number of feedback response from within the app or service that were initiated and submitted by your users. Use this data to gauge the success and satisfaction people have with the apps. [Learn more](feedback-user-control.md)
+**In-product feedback** Is the total number of feedback responses from within the app or service that were initiated and submitted by your users. Use this data to gauge the success and satisfaction people have with the apps. [Learn more](feedback-user-control.md)
**NPS survey response volume** is the total number of responses to the Net Promoter Score (NPS) survey. By default, Microsoft sends the survey to 5% of your users and asks ΓÇ£Would you recommend this product?ΓÇ¥ Use this data to gauge user satisfaction and to see what people are saying about the app. [Learn more](../manage/manage-feedback-product-insights.md)
For the first time, you can now see what articles your users are consuming on Su
## Additional resources
-<!-- :::image type="content" source="../../media/additional-resources.png" alt-text="Screenshot: Image showing additional resources you can select"::: -->
- ### View your organization's Adoption Score Adoption Score supports the journey to digital transformation with insights about how your organization uses Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and technology experience measurements and can be compared to benchmarks from organizations similar in size to yours. For more information on Adoption Score, read, [Adoption Score](../adoption/adoption-score.md).
admin Set Up Multi Factor Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication.md
If you have been using [baseline Conditional Access policies](/azure/active-dire
If your organization has more granular sign-in security needs, Conditional Access policies can offer you more control. Conditional Access lets you create and define policies that react to sign in events and request additional actions before a user is granted access to an application or service. > [!IMPORTANT]
-> Turn off both per-user MFA and Security defaults before you enable Conditional Access policies.
+> Do not forget to disable per-user MFA after you have enabled Conditional Access policies. This is important as it will result in inconsistent user experience.
Conditional Access is available for customers who have purchased Azure AD Premium P1, or licenses that include this, such as Microsoft 365 Business Premium, and Microsoft 365 E3. For more information, see [create a Conditional Access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa).
admin Migrate Data Business Standard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/simplified-signup/migrate-data-business-standard.md
Follow the steps in this article to move your OneDrive, Outlook and Teams data t
## Move files to OneDrive for business
-This section describes how to move the files stored in your Microsoft 365 personal account to your Microsoft 365 business account. With both OneDrive accounts synced to your device, you can easily drag and drop the files between two OneDrive folders.
+Learn how to move the files stored in your Microsoft 365 personal account to your Microsoft 365 business account. With both OneDrive accounts synced to your device, you can easily drag and drop the files between two OneDrive folders. For the steps, check out [Migrate your OneDrive files](https://support.microsoft.com/office/7fb28cad-7e25-451f-8b4b-2d1a71e5c0e9).
-1. Select the OneDrive white cloud icon in the Windows notification area and make sure your OneDrive personal account is synced to your device.
+## Set up Outlook for email
- :::image type="content" source="../../media/ssu-onedrive-icons.png" alt-text="Screenshot: Select white cloud icon in the Windows notification area":::
+Learn how to set up Outlook for the first time or migrate your email, contacts and calendar items. Check out the following topics:
- > [!NOTE]
- > You might need to select the **Show hidden icons** arrow next to the notification area to see the OneDrive icon. If the icon doesn't appear in the notification area, OneDrive might not be running. Select **Start**, type OneDrive in the search box, and then select OneDrive in the search results.
+- [Set up Outlook for Microsoft 365 for business email](../setup/setup-outlook.md)
-2. To add your new business account, select **Help & Settings** > **Settings**.
+- [Export emails, contacts, and calendar items to Outlook using a .pst file](https://support.microsoft.com/office/14252b52-3075-4e9b-be4e-ff9ef1068f91)
- :::image type="content" source="../../media/ssu-onedrive-help-settings.png" alt-text="Screenshot: Select Help & Settings to add an account":::
-
-3. In **Settings**, select **Account** > **Add an account**.
-
-4. When OneDrive Setup starts, enter your new business account, and then select **Sign in**.
-
- :::image type="content" source="../../media/ssu-setup-onedrive.png" alt-text="Screenshot: Enter your email address on the OneDrive set up page":::
-
- > [!NOTE]
- > If you haven't set up OneDrive with your current Microsoft 365 personal account before, follow the steps above to set up your personal account on your device and sync your files before moving to the next steps.
-
-### Drag and drop files in OneDrive
-
-With both your Microsoft 365 personal and business accounts synced to your device, you can now move your files from your personal OneDrive folder to your new business OneDrive folder.
-
-1. In File Explorer, open your synced OneDrive folder that contains your files.
-
-2. Select and drag the files you want from your OneDrive personal folder to your new OneDrive business folder.
-
- :::image type="content" source="../../media/ssu-onedrive-files-to-work-folder.png" alt-text="Screenshot: Drag and drop files to you new OneDrive for business folder":::
-
-### Notes about moving files from OneDrive personal to OneDrive for work
--- If youΓÇÖre moving a large number of files, we recommend that you move files in batches of no more than 100 files each.--- Files you move from OneDrive personal to OneDrive for work are recognized as new files, and as a result, these files donΓÇÖt retain metadata details such as Modified and Modified By.--- If you shared files in OneDrive before, you'll need to share these files again in your new OneDrive for work after you move them. Also, once you share these files, we recommend that you delete the original files from OneDrive. This way, people wonΓÇÖt be able to refer to out-of-date copies of files youΓÇÖd shared with them earlier.-
-## Step: Set up Outlook for email
-
-1. On the Windows Start menu, search for Outlook, and select it.
-
- (If you're using a Mac, open Outlook from the toolbar or locate it using the Finder.)
-
- If you've just installed Outlook, on the Welcome page, select **Next**.
-
-2. Choose **File** \> **Info** \> **Add Account**.
-
-3. Enter your Microsoft email address and select **Connect**.
-
-## Watch: Set up Outlook for email
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/9fe86884-8a83-42cc-bca9-61a12e6dad31?autoplay=false]
-
-More at [Set up Outlook for email](https://support.microsoft.com/office/f5bf0cd1-e1f3-4b0d-a022-ecab17efe86f).
-
-### Import email
-
-If you were using Outlook with another email account, you can import your previous email, calendar, and contacts into your new Microsoft account.
-
-1. **Export your old email**
-
- In Outlook, choose **File** \> **Open &amp; Export** \> **Import/Export**.
-
- Select **Export to a File** and then follow the steps to export your Outlook Data File (.pst) and any subfolders.
-
-2. **Import your old email**
-
- In Outlook, choose **File** \> **Open &amp; Export** \> **Import/Export** again.
-
- This time, select **Import from another program or file** and follow the steps to import the backup file you created when you exported your old email.
-
-### Watch: Import and redirect email
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/40f7df36-9e24-44e5-8791-e9ed0dd8fd21?autoplay=false]
-
-More at [Import email with Outlook](https://support.microsoft.com/office/6a3771d4-4c1d-4a25-92a6-0b8e476335de).
-
-You can also use Exchange admin center to import everyone's email. For more information, see [migrate multiple email accounts](/Exchange/mailbox-migration/mailbox-migration).
+- [Import email, contacts, and calendar from an Outlook .pst file](https://support.microsoft.com/topic/431a8e9a-f99f-4d5f-ae48-ded54b3440ac)
## Move data from your personal Microsoft Teams account to new Teams for work account
Once you have your new Microsoft Teams account for work set up, you can recreate
### Migrating contacts To migrate your contacts from your personal Teams account, find the contact's email address and add the user to your new Teams account for work.-
-## Related content
-
-[Import or migrate email from Gmail or another email provider to Microsoft 365](../setup/migrate-email-and-contacts-admin.md)
-
-<!--## Download desktop apps
-
-Download Microsoft 365 apps by following the steps in this article.
-
-1. Open any of your Microsoft 365 apps, like Word, Excel or PowerPoint, select your profile icon and then **Sign in with a different account**. Follow the steps and choose **Next** to set up Outlook.
-
-2. Open Outlook, enter your new email address, and select **Connect**. Follow the steps and choose **Next** to set up OneDrive.
-
-3. Select the OneDrive cloud icon from your taskbar and follow the steps to move your files to your new OneDrive for Business folder. Select **Next** to set up Microsoft Teams.
-
-4. Open Teams, select your profile icon, and then **Add work or school account**. Follow the steps to add your new account to Teams. Select **I'm done** when Teams is set up.-->
-
-<!--## Next steps
-
-## Accept a new invitation to change your personal email account to a business email account
-
-Your email looks like this to set up your business user account. When you get this email, you'll have to complete a few steps before you can start using your new user account.
-
-(**Add screenshot here**)
-
-1. From the invitation email, select **Accept**.
-
-2. On the **Join Microsoft 365 Business...** page, select **Next**.
-
-3. On the Sign up page, make sure you use the email used in the invitation email, and create a password. Select **Create account**.
-
-3. Choose **Accept** on the **Terms and Conditions** page.
-
-1. On the Review permissions page, choose **Accept**.
-
-1. On the Welcome to Microsoft 365 page, you can download Office desktop and mobile apps, and set up OneDrive.-->
admin Whats New In Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/whats-new-in-preview.md
And if you'd like to know what's new with other Microsoft cloud
- [Microsoft 365 updates](/OfficeUpdates/) - [How to check Windows release health](/windows/deployment/update/check-release-health)
+## April 2023
+
+The **Suggested training** feature is part of the Experience Insights dashboard and gives you deeper insights into the Microsoft 365 help and training articles being read by your signed-in users on support.microsoft.com and in-app help panels with these 3 insights:
+
+- **Top viewed articles** for your organization shows you help and training articles that have been getting the most views by people in your organization.
+
+- **Trending across organizations** shows you the help and training topics that are moving up the most in your organizations most viewed list.
+
+- **Commonly viewed together** gives you insights into the additional help articles users in all Microsoft 365 organizations are reading, along with the top viewed and top trending articles. You can use this info to put together and share training packages for your users.
+
+ :::image type="content" source="../media/exp-insights-dashboard.png" alt-text="Experience insights dashboard":::
+
+Use this data to decide which help articles and training resources to share with your users about these products and apps, or make sure your helpdesk is aware of these areas so they can answer any user questions. If your org doesnΓÇÖt have enough views on help and training articles, youΓÇÖll see data from other Microsoft 365 organizations.
+
+There are a couple of ways to get the Experience insights dashboard page:
+
+- If youΓÇÖre a member of the Global admin or Global reader roles, when you log in to the Microsoft 365 admin center, youΓÇÖll see a one-time prompt to go to the Experience insights (preview) dashboard. You can access it at any time by selecting Experience insights (preview) from the admin home page.
+
+- If youΓÇÖre a member of the Reports reader role or the User Experience success manager roles, once you sign into the admin center, youΓÇÖll automatically go to the Experience insights (preview) dashboard page. You can switch back to the admin center Dashboard view by selecting that option in the top right.
+
+ :::image type="content" source="../media/exp-insights-dashboard2.png" alt-text="Screenshot: How to get to the insights dashboard":::
+
+For more information, check out [Microsoft 365 Experience insights dashboard](misc/experience-insights-dashboard.md).
+ ## December 2022 ### Advanced deployment guides for Microsoft 365
With our new separate page of search results, you can explore a more comprehensi
Previously, you could only tag priority accounts by searching for them using the person's name, e-mail address or job title. With this update, you can now search for people to add to priority accounts in a distribution list. This allows you to bulk add people in an efficient way and reduces the time needed to tag individual people in your organization. - You can tag up to 50 users from a distribution list as priority accounts in a single action. - Additional information about the user like department and job title has been introduced on the Priority Accounts page. - You can only tag user accounts within distribution lists, and not the list itself. Users who have already been tagged wonΓÇÖt show up in your distribution list search.-
-## March 2022
-
-### Microsoft 365 Lighthouse GA
-
-Small and medium businesses often rely on trusted IT partners to manage their IT environments. WeΓÇÖre making it easier for partners to secure customers at scale with the general availability of [Microsoft 365 Lighthouse](https://aka.ms/March1SMBPartnerBlog), a multi-tenant administration portal for Managed Service Providers (MSPs). Microsoft 365 Lighthouse provides a complete experience for customers by empowering their partners to quickly identify and act on threats, anomalous sign-ins, and device compliance alerts to keep them safe.
--
-Microsoft 365 Lighthouse is an IT partner service only, and itΓÇÖs available to partners who are enrolled in the Cloud Solution Provider (CSP) program and are managing customers who have up to 1000 licensed users with Microsoft 365 Business Premium, Microsoft 365 E3, or Microsoft Defender for Business (in preview) subscriptions. If youΓÇÖre a Microsoft CSP-enrolled IT Partner, Microsoft 365 Lighthouse is available at no cost to your organization and is designed to help your business scale and grow. Check out the [Microsoft 365 Lighthouse help library](../lighthouse/m365-lighthouse-overview.md) for more information.
-
-To get started using Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](../lighthouse/m365-lighthouse-sign-up.md). To learn more about Microsoft 365 Lighthouse, Defender for Business, and Microsoft 365 Business Premium, [join us for our Partner webinar series](https://aka.ms/M365MDBSeries).
-
-## February 2022
-
-### Net promoter score (NPS) survey insights
-
-You can now view NPS survey data and insights from your users in the Microsoft 365 admin center. With this new feature you can obtain actionable insights from NPS survey responses from your end users, and achieve higher end user delight by addressing any issues and concerns.
-
-In the admin center, go to **Health** > **Product feedback** > **NPS survey insights**.
--
-We've identified the common themes from user feedback. Then we used machine learning models techniques to train the data sets and automatically organize the feedback into Top Topics.
-
-There are nine topics available. Look out for more topics in future updates.
--
-The NPS survey insight dashboard also contains these three new reports and pivots:
--- NPS monthly NPS trend volume for the last 12 months-- Able to identify passives, promoters, and detractors-- NPS volume per platform and app-
-To provide you with a better experience using the NPS survey insight dashboard:
--- Encourage your end users to submit feedback-- Confirm in-product surveys policies are enabled-- Improve diagnosis by turning on Windows Error Reporting-
-Learn more at [Microsoft product NPS feedback and insights for your organization](manage/manage-feedback-product-insights.md).
-
-> [!NOTE]
-> If you're interested in joining our design sessions, send us an email at: prosight@microsoft.com
-
-### Microsoft 365 admin center video training
-
-We've updated our Microsoft 365 admin center video training. Go to the [Admin training video library](https://go.microsoft.com/fwlink/?linkid=2197659) page to learn how to set up and manage Microsoft 365 for your business.
--
-## July 2021
-
-### Microsoft 365 admin center search
-
-You can now search for incident IDs in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2091030" target="_blank">Microsoft 365 admin center</a>. You may learn about current incidents through social media, industry publications or from other admins. You can now go to the admin center to look up more details about the incident and to understand the impact to your organization. Just search for the incident ID in the admin center.
--
-### Support ticket insight for Premier organizations
-
-We've added 2 graphs called **Volume trend** and **Volume trend by product** to give you visual insights about your support volume.
-
-The liner graph under **Volume trend** tab highlights the trend if support cases are increasing or decreasing for your organization month over month. You can hover on the graph to check the number of support cases created in each month.
--
-The **Volume trend by product** graph shows the top 3 products of each month with the highest support cases. We've enabled filtering in the table and you can now filter the results by **Product**, **Severity**, and **Date**.
--
-We've also added 2 new fields, **Severity** and **Closed Date** in the **View Service Request** table to give you more insights about your tickets.
--
-To check out these updates in <a href="https://go.microsoft.com/fwlink/p/?linkid=2166757" target="_blank">Microsoft 365 admin center</a>, go to **Support** > **View Service requests** in left navigation pane.
-
-## June 2021
-
-### Microsoft 365 admin center search
-
-We've added a couple of new categories to Search functionality.
--- You can now search for Microsoft 365 admin roles in global search and quickly view and manage role assignments from any page. For example, search for **Intune administrator**.--- You can now find simplified setup experiences through global search. This can help you and your team quickly get started with how to use new features. For example, search for **set password to never expire**.-
-To learn more about search in the admin center, see [Search in the Microsoft 365 admin center](manage/search-in-the-mac.md).
bookings Custom Domain Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/custom-domain-support.md
You can specify which domain will be used from the domain list for Bookings usin
For example: Booking pages can be created with a domain ΓÇ£contoso.comΓÇ¥ instead of ΓÇ£contoso.onmicrosoft.comΓÇ¥
-You're also allowed to configure a domain for specific users. When users with the custom OWA policy create a Booking calendar, it will be created with the custom domain, and not the default domain.
+You can also configure a domain for specific users. When users with the custom OWA policy create a Booking calendar, it will be created with the custom domain, and not the default domain.
To use these features, you'll need to run commands using Exchange Online PowerShell with Global admin access. For more information on running Exchange Online cmdlets, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps&preserve-view=true).
You'll need to run the following commands using Exchange Online PowerShell.
1. Check the current default domain using the command below: ```PowerShell
- Get-OwaMailboxPolicy -Identity <OwaMailboxPolicy-Default> | Fl BookingsMailboxDomain
+ Get-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default | Fl BookingsMailboxDomain
``` 5. Change current default domain to new domain. ```PowerShell
- Set-OwaMailboxPolicy -Identity < OwaMailboxPolicy-Default > -BookingsMailboxDomain "<newdomain>"
+ Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BookingsMailboxDomain "<newdomain>"
``` This would change the default policy of all users and allow them to create a booking calendar with the new domain.
business-premium M365bp Upgrade Windows 10 Pro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-upgrade-windows-10-pro.md
audience: Admin-+ - tier1 - m365-security Previously updated : 09/15/2022 Last updated : 04/20/2023 localization_priority: Normal search.appverid: - MET150
You can choose from several methods to upgrade:
- [Use Windows Update](#use-windows-update) (recommended for most users) - [Upgrade your device using the Microsoft Software Download site](#upgrade-your-device-using-the-microsoft-software-download-site) - [Create installation media from the Microsoft Software Download site](#create-installation-media-from-the-microsoft-software-download-site)-- [Purchase Windows 10 or 11 Pro to upgrade from Windows 10 Home](#purchase-windows-10-or-11-pro-to-upgrade-from-windows-10-home)
+- [Purchase Windows 10 or 11 Pro to upgrade from Windows 10 Home](#purchase-windows-10-or-11-pro-to-upgrade-from-windows-10-or-11-home)
## Use Windows Update
You can choose from several methods to upgrade:
> [!NOTE] > If you have Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you upgrade those devices to Windows Pro 10.
-## Purchase Windows 10 or 11 Pro to upgrade from Windows 10 Home
+## Purchase Windows 10 or 11 Pro to upgrade from Windows 10 or 11 Home
-*Select this option for devices that are running Windows 10 Home.*
+*Select this option for devices that are running Windows 10 or 11 Home. Note that Microsoft 365 Business Premium does not include free upgrade rights from Windows 10 or 11 Home to Windows 10 or 11 Pro.*
1. On a Windows device, open the Microsoft Store app.
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
f1.keywords:
Previously updated : 04/04/2023 Last updated : 04/17/2023 audience: Admin
To run the policy in simulation mode:
Make sure you have [created the retention labels](file-plan-manager.md#create-retention-labels) you want to apply to items.
+> [!NOTE]
+> Now in preview, you can extend your auto-labeling of retention labels to images. For more information, see [Learn about optical character recognition in Microsoft Purview](ocr-learn-about.md).
+ ## How to create an auto-apply retention label policy Decide before you create your retention label policy whether it will be **adaptive** or **static**. For more information, see [Adaptive or static policy scopes for retention](retention.md#adaptive-or-static-policy-scopes-for-retention). If you decide to use an adaptive policy, you must create one or more adaptive scopes before you create your retention label policy, and then select them during the create retention label policy process. For instructions, see [Configuration information for adaptive scopes](purview-adaptive-scopes.md#configure-adaptive-scopes).
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
audience: Admin Previously updated : 03/13/2023 Last updated : 04/17/2023 ms.localizationpriority: high - purview-compliance
Use the following table to help you identify the differences in behavior for the
|Restrict by location|No |Yes | |Conditions: Sharing options and additional options for email|No |Yes | |Conditions: Exceptions|No |Yes (email only) |
+|Support for images|No |[Yes](ocr-learn-about.md) |
|Recommendations, policy tooltip, and user overrides|Yes |No | |Simulation mode|No |Yes | |Exchange attachments checked for conditions|No | Yes|
Make sure you're aware of the prerequisites before you configure auto-labeling p
- To auto-label files in SharePoint and OneDrive: - You have [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md). - At the time the auto-labeling policy runs, the file mustn't be open by another process or user. A file that's checked out for editing falls into this category.- - If you plan to use [sensitive information types](sensitive-information-type-learn-about.md): - The sensitive information types you select will apply only to content that's created or modified after these information types are [created or modified](audit-log-activities.md#sensitive-information-types-activities). This restriction applies to all custom sensitive information types and any new built-in information types. - To test new custom sensitive information types, create them before you create your auto-labeling policy, and then create new documents with sample data for testing.
compliance Archive Partner Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-partner-third-party-data.md
You can work with a Microsoft Partner to import and archive data from a third-pa
Here's an overview of the process and the steps necessary to work with a Microsoft Partner to import third-party data.
-[Step 1: Find a third-party data partner](#step-1-find-a-third-party-data-partner)
-
-[Step 2: Create and configure a third-party data mailbox](#step-2-create-and-configure-a-third-party-data-mailbox-in-microsoft-365)
-
-[Step 3: Configure user mailboxes for third-party data](#step-3-configure-user-mailboxes-for-third-party-data)
-
-[Step 4: Provide your partner with information](#step-4-provide-your-partner-with-information)
-
-[Step 5: Register the third-party data connector in Azure Active Directory](#step-5-register-the-third-party-data-connector-in-azure-active-directory)
+- [Step 1: Find a third-party data partner](#step-1-find-a-third-party-data-partner)
+- [Step 2: Create and configure a third-party data mailbox](#step-2-create-and-configure-a-third-party-data-mailbox-in-microsoft-365)
+- [Step 3: Configure user mailboxes for third-party data](#step-3-configure-user-mailboxes-for-third-party-data)
+- [Step 4: Provide your partner with information](#step-4-provide-your-partner-with-information)
+- [Step 5: Register the third-party data connector in Azure Active Directory](#step-5-register-the-third-party-data-connector-in-azure-active-directory)
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
The following illustration and description explain how the third-party data impo
![How the third-party data import process works.](../media/5d4cf8e9-b4cc-4547-90c8-d12d04a9f0e7.png) 1. Customer works with their partner of choice to configure a connector that will extract items from the third-party data source and then import those items to Microsoft 365.- 2. The partner connector connects to third-party data sources via a third-party API (on a scheduled or as-configured basis) and extracts items from the data source. The partner connector converts the content of an item to an email message format. See the [More information](#more-information) section for a description of the message-format schema.- 3. Partner connector connects to the Azure service in Microsoft 365 by using Exchange Web Service (EWS) via a well-known end point.- 4. Items are imported into the mailbox of a specific user or into a "catch-all" third-party data mailbox. Whether an item is imported into a specific user mailbox or to the third-party data mailbox is based on the following criteria: 1. **Items that have a user ID that corresponds to a user account:** If the partner connector can map the user ID of the item in the third-party data source to a specific user ID in Microsoft 365, the item is copied to the **Purges** folder in the user's Recoverable Items folder. Users can't access items in the Purges folder. However, you can use eDiscovery tools to search for items in the Purges folder.- 1. **Items that don't have a user ID that corresponds to a user account:** If the partner connector can't map the user ID of an item to a specific user ID, the item is copied to the **Inbox** folder of the third-party data mailbox. Importing items to the inbox allows you or someone in your organization to sign in to the third-party mailbox to view and manage these items, and see if any adjustments need to be made in the partner connector configuration. ## Step 1: Find a third-party data partner
A key component for archiving third-party data in Microsoft 365 is finding and w
The following sections list the Microsoft partners (and the third-party data sources they support) that are participating in the program for archiving third-party data in Microsoft 365.
-[17a-4 LLC](#17a-4-llc)
-
-[ArchiveSocial](#archivesocial)
-
-[Veritas](#veritas)
-
-[OpenText](#opentext)
-
-[Smarsh](#smarsh)
-
-[Verba](#verba)
+- [17a-4 LLC](#17a-4-llc)
+- [ArchiveSocial](#archivesocial)
+- [Veritas](#veritas)
+- [OpenText](#opentext)
+- [Smarsh](#smarsh)
+- [Verba](#verba)
### 17a-4 LLC [17a-4 LLC](https://www.17a-4.com) supports the following third-party data sources: - BlackBerry- - Bloomberg Data Streams- - Cisco Jabber- - FactSet- - HipChat- - InvestEdge- - LivePerson- - MessageLabs Data Streams- - OpenText- - Oracle/ATG 'click-to-call' Live Help--- Pivot IMTRADER-
+- Pivot IMTRADE
- Microsoft SharePoint- - MindAlign- - Sitrion One (Newsgator)- - Skype for Business (Lync/OCS)- - Skype for Business Online (Lync Online)- - SQL Databases- - Squawker- - Thomson Reuters Eikon Messenger ### ArchiveSocial
The following sections list the Microsoft partners (and the third-party data sou
[ArchiveSocial](https://www.archivesocial.com) supports the following third-party data sources: - Facebook- - Flickr- - Instagram- - LinkedIn- - Pinterest- - Twitter- - YouTube- - Vimeo ### Veritas
The following sections list the Microsoft partners (and the third-party data sou
[Veritas](https://www.globanet.com) supports the following third-party data sources: - AOL with Pivot Client- - BlackBerry Call Logs (v5, v10, v12)- - BlackBerry Messenger (v5, v10, v12)- - BlackBerry PIN (v5, v10, v12)- - BlackBerry SMS (v5, v10, v12)- - Bloomberg Chat- - Bloomberg Mail- - Box- - CipherCloud for Salesforce Chatter- - Cisco IM &amp; Presence Server (v10, v10.5.1 SU1, v11.0, v11.5 SU2)- - Cisco Webex Teams- - Citrix Workspace &amp; ShareFile- - CrowdCompass- - Custom-delimited text files- - Custom XML files- - Facebook (Pages)- - Factset- - FXConnect- - ICE Chat/YellowJacket- - Jive- - Macgregor XIP- - Microsoft Exchange Server- - Microsoft OneDrive for Business- - Microsoft Teams- - Microsoft Yammer- - Mobile Guard- - Pivot- - Salesforce Chatter- - Skype for Business Online- - Skype for Business, versions 2007 R2 - 2016 (on-premises)- - Slack Enterprise Grid- - Symphony- - Thomson Reuters Eikon- - Thomson Reuters Messenger- - Thomson Reuters Dealings 3000 / FX Trading- - Twitter- - UBS Chat- - YouTube ### OpenText
The following sections list the Microsoft partners (and the third-party data sou
[OpenText](https://www.opentext.com/what-we-do/products/opentext-product-offerings-catalog/rebranded-products/daegis) supports the following third-party data sources: - Axs Encrypted- - Axs Exchange- - Axs Local Archive- - Axs PlaceHolder- - Axs Signed- - Bloomberg- - Thomson Reuters ### Smarsh
The following sections list the Microsoft partners (and the third-party data sou
[Smarsh](https://www.smarsh.com) supports the following third-party data sources: - AIM- - American Idol- - Apple Juice- - AOL with Pivot client- - Ares- - Bazaar Voice- - Bear Share- - Bit Torrent- - BlackBerry Call Logs (v5, v10, v12)- - BlackBerry Messenger (v5, v10, v12)- - BlackBerry PIN (v5, v10, v12)- - BlackBerry SMS (v5, v10, v12)- - Bloomberg Mail- - CellTrust- - Chat Import- - Chat Real Time Logging and Policy- - Chatter- - Cisco IM &amp; Presence Server (v9.0.1, v9.1, v9.1.1 SU1, v10, v10.5.1 SU1)- - Cisco Unified Presence Server (v8.6.3, v8.6.4, v8.6.5)- - Collaboration Import- - Collaboration Real Time Logging- - Direct Connect- - Facebook- - FactSet- - FastTrack- - Gnutella- - Google+- - GoToMyPC- - Hopster- - HubConnex- - IBM Connections (v3.0.1, v4.0, v4.5, v4.5 CR3, v5)- - IBM Connections Chat Cloud- - IBM Connections Social Cloud- - IBM SameTime Advanced 8.5.2 IFR1- - IBM SameTime Communicate 9.0- - IBM SameTime Community (v8.0.2, v8.5.1 IFR2, v8.5.2 IFR1, v9.1)- - IBM SameTime Complete 9.0- - IBM SameTime Conference 9.0- - IBM SameTime Meeting 8.5.2 IFR1- - ICE/YellowJacket- - IM Import- - IM Real Time Logging and Policy- - Indii Messenger- - Instant Bloomberg- - IRC- - Jive- - Jive 6 Real Time Logging (v6, v7)- - Jive Import- - JXTA- - LinkedIn- - Microsoft Lync (2010, 2013)- - MFTP- - Microsoft Lync 2013 Voice- - Microsoft SharePoint (2010, 2013)- - Microsoft SharePoint Online- - Microsoft UC (Unified Communications)- - MindAlign- - Mobile Guard- - MSN- - My Space- - NEONetwork- - Microsoft 365 Lync Dedicated- - Microsoft 365 Shared IM- - Pinterest- - Pivot- - QQ- - Skype for Business 2015- - SoftEther- - Symphony- - Thomson Reuters Eikon- - Thomson Reuters Messenger- - Tor- - TTT- - Twitter- - WinMX- - Winny- - Yahoo- - Yammer- - YouTube ### Verba
The following sections list the Microsoft partners (and the third-party data sou
[Verba](https://www.verba.com) supports the following third-party data sources: - Avaya Aura Video- - Avaya Aura Voice- - Avtec Radio- - Bosch/Telex Radio- - BroadSoft Video- - BroadSoft Voice- - Centile Voice- - Cisco Jabber IM- - Cisco UC Video- - Cisco UC Voice- - Cisco UCCX/UCCE Video- - Cisco UCCX/UCCE Voice- - ESChat Radio- - Geoman Contact Expert- - IP Trade Voice- - Luware LUCS Contact Center- - Microsoft UC (Unified Communications)- - Mitel MiContact Center for Lync (prairieFyre)- - Oracle / Acme Packet Session Border Controller Video- - Oracle / Acme Packet Session Border Controller Voice- - Singtel Mobile Voice- - SIPREC Video--- SIPREC Voice-
+- SIPREC Voice
- Skype for Business / Lync IM- - Skype for Business / Lync Video- - Skype for Business / Lync Voice- - Speakerbus Voice- - Standard SIP/H.323 Video- - Standard SIP/H.323 Voice- - Truphone Voice- - TwistedPair Radio- - Windows Desktop Computer Screen ## Step 2: Create and configure a third-party data mailbox in Microsoft 365
Here are the steps for creating and configuring a third-party data mailbox for i
- Enable the archive mailbox; see [Enable archive mailboxes](enable-archive-mailboxes.md) and [Enable auto-expanding archiving](enable-autoexpanding-archiving.md). This lets you free-up storage space in the primary mailbox by setting up an archive policy that moves third-party data items to the archive mailbox. This provides you with up to 1.5 TB of storage for third-party data.
- - Place the third-party data mailbox on Litigation Hold. You can also apply a Microsoft 365 retention policy in the security and compliance center. Placing this mailbox on hold retains third-party data items (indefinitely or for a specified duration) and prevent them from being purged from the mailbox. See one of the following topics:
+ - Place the third-party data mailbox on Litigation Hold. You can also apply a Microsoft 365 retention policy in the Microsoft Purview compliance portal. Placing this mailbox on hold retains third-party data items (indefinitely or for a specified duration) and prevent them from being purged from the mailbox. See one of the following topics:
- [Place a mailbox on Litigation Hold](./ediscovery-create-a-litigation-hold.md)
The next step is to configure user mailboxes to support third-party data. Comple
2. Place user mailboxes on Litigation Hold or apply a Microsoft 365 retention policy; see one of the following topics: - [Place a mailbox on Litigation Hold](./ediscovery-create-a-litigation-hold.md)- - [Learn about retention policies and retention labels](retention.md) As previously stated, when you place mailboxes on hold, you can set a duration for how long to hold items from the third-party data source or you can choose to hold items indefinitely.
To revoke consent for a third-party data connector, you can delete the applicati
Date: Tue, 02 Feb 2016 22:55:33 GMT ``` -- You can use the Content Search tool in the security and compliance center to search for items that were imported to mailboxes from a third-party data source. To search specifically for these imported items, you can use the following message property-value pairs in the keyword box for a Content Search.
+- You can use the Content Search tool in the Microsoft Purview compliance portal to search for items that were imported to mailboxes from a third-party data source. To search specifically for these imported items, you can use the following message property-value pairs in the keyword box for a Content Search.
- **`kind:externaldata`**: Use this property-value pair to search all third-party data types. For example, to search for items that were imported from a third-party data source and contained the word "contoso" in the Subject property of the imported item, you would use the keyword query `kind:externaldata AND subject:contoso`.
To revoke consent for a third-party data connector, you can delete the applicati
For more information about using Content Search and creating keyword search queries, see: - [Content Search](ediscovery-content-search.md)- - [Keyword queries and search conditions for Content Search](ediscovery-keyword-queries-and-search-conditions.md)
compliance Archive Twitter Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-twitter-data.md
This article contains the step-by-step process to deploy a connector that uses t
- Select the checkbox to allow the connector app to sign in to Twitter.
- - Add the OAuth redirect Uri using the following format: **\<connectorserviceuri>/Views/TwitterOAuth**, where the value of *connectorserviceuri* is the Azure app service URL for your organization; for example, https://twitterconnector.azurewebsites.net/Views/TwitterOAuth.
+ - Add the OAuth redirect Uri using the following format: **\<connectorserviceuri>/Views/TwitterOAuth**, where the value of *connectorserviceuri* is the Azure app service URL for your organization.
![Allow connector app to sign in to Twitter and add OAuth redirect Uri.](../media/TCimage32.png)
The Twitter developer app is now ready to use.
- In the **Name** box, type a name for the connector, such as **Twitter help handle**.
- - In the **Connector URL** box, type or paste the Azure app service URL; for example `https://twitterconnector.azurewebsites.net`.
+ - In the **Connector URL** box, type or paste the Azure app service URL.
- In the **Password** box, type or paste the value of the APISecretKey that you created in Step 2.
compliance Communication Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-policies.md
f1.keywords:
Previously updated : 04/14/2023 Last updated : 04/17/2023 audience: Admin f1_keywords:
Communication compliance policies using classifiers inspect and evaluate message
### Optical character recognition (OCR)
+> [!NOTE]
+> Microsoft Purview includes [OCR (preview) settings](ocr-learn-about.md) for Microsoft Purview Insider Risk Management, Microsoft Purview Data Loss Prevention, Microsoft Purview Data Loss Management, and autolabeling. You can use the OCR (preview) settings to provide image-scanning capabilities for those solutions and technologies. Communication compliance has its own built-in OCR scanning functionality as described below and doesnΓÇÖt support the OCR (preview) settings at this time.
+ Configure built-in or custom communication compliance policies to scan and identify printed or handwritten text from images that may be inappropriate in your organization. Integrated [Azure Cognitive Services and optical scanning support](/azure/cognitive-services/computer-vision/overview-ocr) for identifying text in images help analysts and investigators detect and act on instances where inappropriate conduct may be missed in communications that is primarily non-textual. You can enable optical character recognition (OCR) in new policies from templates, custom policies, or update existing policies to expand support for processing embedded images and attachments. When enabled in a policy created from a policy template, automatic scanning is supported for embedded or attached images in email and Microsoft Teams chat messages. For images embedded in document files, OCR scanning isn't supported. For custom policies, one or more conditional settings associated with keywords, built-in classifiers, or sensitive info types must be configured in the policy to enable the selection of OCR scanning.
compliance Compliance Extensibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-extensibility.md
f1.keywords:
Previously updated : 08/18/2020 Last updated : 04/18/2023 audience: Admin
Microsoft Purview solutions help organizations intelligently assess their compli
There are two key building blocks for compliance extensibility: - **Data connectors**. Use to import and archive non-Microsoft data so you can apply Microsoft 365 protection and governance capabilities to third-party data.- - **APIs**. Enables programmatic access to Microsoft Purview capabilities. [!INCLUDE [purview-preview](../includes/purview-preview.md)]
For guidance and requirements for third-party data connectors, see the "Data con
## APIs
-Microsoft Purview and Microsoft Priva APIs are available in the Microsoft Information Protection SDK, Microsoft Graph API, and the Office 365 Management Activity API. Some compliance APIs are part of a new set of security and compliance APIs that enable developers for Microsoft 365 customers, independent software vendors, system integrators, and managed security service providers to build high-value security and compliance solutions.
+Microsoft Purview and Microsoft Priva APIs are available in the Microsoft Information Protection SDK, Microsoft Graph API, and the Office 365 Management Activity API. Some compliance APIs are part of a new set of security and compliance APIs that enable developers for Microsoft 365 customers, independent software publishers, system integrators, and managed security service providers to build high-value security and compliance solutions.
To learn more about how to access Graph APIs, see [Overview of Microsoft Graph](/graph/overview).
To learn more, see [Microsoft Graph APIs for subject rights request](/graph/api/
### Microsoft Information Protection (MIP) SDK
-The MIP SDK exposes the labeling and protection services from Microsoft 365 security and compliance centers to third-party applications and services. Developers can use the SDK to build native support for applying labels and protection to files. Developers can determine which actions should be taken when specific labels are detected, and reason over MIP-encrypted information.
+The MIP SDK exposes the labeling and protection services from the Microsoft Purview compliance portal to third-party applications and services. Developers can use the SDK to build native support for applying labels and protection to files. Developers can determine which actions should be taken when specific labels are detected, and reason over MIP-encrypted information.
High-level MIP SDK use cases include: - A line-of-business application that applies classification labels to files on export.- - A CAD/CAM design application that provides native support for sensitivity labels.- - A cloud access security broker or data loss prevention solution that can encrypt data with Azure Information Protection. To learn more about the MIP SDK, prerequisites, additional scenarios, and samples, see [MIP SDK Overview](/information-protection/develop/overview).
For the licensing requirements for eDiscovery (Premium) and the API, see the "eD
### Microsoft Graph API for Teams Export
-Enterprise Information Archiving (EIA) for Microsoft Teams is a key scenario for our customers as it allows them to solve for regulatory requirements. In addition to our built-in capabilities for archiving content in Microsoft Teams, customers and partners can now use Teams Export APIs to solve for custom application and integration scenarios. The Teams Export APIs support bulk-export (up to 200 requests per second/per app/per tenant) of Teams messages and message attachments. Deleted messages are also accessible by the API for up to 30 days after they are deleted. For more information about these Teams Export APIs and how to use them in your applications, see [Export content with the Microsoft Teams Export APIs](/microsoftteams/export-teams-content).
+Enterprise Information Archiving (EIA) for Microsoft Teams is a key scenario for our customers as it allows them to solve for regulatory requirements. In addition to our built-in capabilities for archiving content in Microsoft Teams, customers and partners can now use Teams Export APIs to solve for custom application and integration scenarios. The Teams Export APIs support bulk-export (up to 200 requests per second/per app/per tenant) of Teams messages and message attachments. Deleted messages are also accessible by the API for up to 30 days after they're deleted. For more information about these Teams Export APIs and how to use them in your applications, see [Export content with the Microsoft Teams Export APIs](/microsoftteams/export-teams-content).
For the licensing requirements for the use of the Teams Export APIs, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
compliance Compliance Manager Quickstart https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-quickstart.md
- Title: "Microsoft Purview Compliance Manager quickstart guide"-- NOCSH--- Previously updated : 01/01/2023----- purview-compliance-- m365solution-compliancemanager-- m365initiative-compliance-- tier1--- MOE150-- MET150
-description: "Use the Compliance Manager quickstart guide to help you along your journey of understanding, getting set up, and using Compliance Manager."
--
-# Compliance Manager quickstart
-
-**In this article:** Use this quickstart guide to help you along your journey of using Microsoft Purview Compliance Manager to manage your organizationΓÇÖs compliance with regulations, policies, and standards.
-
-Compliance Manager provides intelligent and actionable data upon your first visit. Compliance Manager also has advanced capabilities for scaling your compliance when youΓÇÖre ready. Available assessments depend on your licensing agreement; [learn more](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
-
-Whether youΓÇÖre coming to Compliance Manager for the first time, or are ready to use some of the advanced features, this guide can support you along your journey.
--
-## First visit: get to know Compliance Manager
-
-Compliance Manager is located in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>. Your organization's global administrator will need to [set up user permissions and assign roles](compliance-manager-setup.md#set-user-permissions-and-assign-roles) before you start using Compliance Manager.
-
-The first time you visit Compliance Manager, you'll see a compliance score for your organization. Compliance Manager is already assessing your current Microsoft 365 environment against the data protection baseline. The best way to start getting familiar with Compliance Manager is to understand what it's showing you, its key elements, and how to customize your dashboard.
-
-Our [Compliance Manager overview page](compliance-manager.md) is the best first stop for a comprehensive review of what Compliance Manager is and how it works. You may also want to jump right to key sections of our documentation using the links below:
--- [Understand your compliance score](compliance-manager.md#understanding-your-compliance-score)-- [Overview of key elements: controls, assessments, templates, and improvement actions](compliance-manager.md#key-elements-controls-assessments-templates-improvement-actions)-- [Understand the Compliance Manager dashboard](compliance-manager-setup.md#understand-the-compliance-manager-dashboard)-- [Filter your dashboard view](compliance-manager-setup.md#filtering-your-dashboard-view)-- [Learn about improvement actions](compliance-manager-setup.md#improvement-actions-page)-- [Understand assessments](compliance-manager.md#assessments)-- [Do a quick check of your environment using the Configuration Analyzer for Microsoft Purview](compliance-manager-mcca.md)-
-## Ramping up: configure Compliance Manager to manage your compliance activities
-
-Once you're familiar with the basics, it's time to set up things to meet your organization's needs. You can start working with assessments and taking improvement actions to implement controls and improve your compliance score. Knowing how to perform all the activities at this stage can help your organization comply and demonstrate compliance with regulations across your industry and region. Visit the links below to dive in:
--- [Choose a pre-built assessment to create and manage your first assessment](compliance-manager-assessments.md)-- [Understand how to use templates for building assessments](compliance-manager-templates.md)-- [Perform implementation and testing work on improvement actions to complete controls in your assessments](compliance-manager-improvement-actions.md)-- [Better understand how different actions impact your compliance score](compliance-score-calculation.md)-
-## Scaling up: use advanced functionality to meet your custom needs
-
-When you're comfortable managing assessments in Compliance Manager, you can work with templates to modify a Compliance Manager assessment with your own actions and controls. You can also create your own custom assessment. Custom assessments are helpful for:
--- Managing compliance for non-Microsoft 365 products such as third-party apps and services, on-premises applications, and other assets.-- Managing your own custom or business-specific compliance controls.-
-You can also set up automated testing of all or a subset of improvement actions. Visit the links below to understand more advanced functionality in Compliance
--- [Extend a Compliance Manager template by adding your own controls and improvement actions](compliance-manager-templates-extend.md)-- [Create your own custom template](compliance-manager-templates-create.md)-- [Modify an existing template to add or remove controls and actions](compliance-manager-templates-modify.md)-- [Set up automated testing of improvement actions](compliance-manager-setup.md#testing-source-for-automated-testing)-- [Reassign improvement actions to another user](compliance-manager-setup.md#reassign-improvement-actions-to-another-user)
compliance Compliance Manager Templates Create https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-create.md
- Title: "Create assessment templates in Microsoft Purview Compliance Manager"-- NOCSH--- Previously updated : 01/18/2023------ purview-compliance-- m365solution-compliancemanager-- m365initiative-compliance-- tier1-- MOE150-- MET150
-description: "Learn how to create a custom assessment template in Microsoft Purview Compliance Manager using a formatted Excel file."
--
-# Create a custom assessment template
-
-To create your own new template for custom assessments in Compliance Manager, you'll use a specially formatted Excel spreadsheet to assemble the necessary control data. After completing the spreadsheet, you will import it into Compliance Manager.
--
-## Required roles
-
-Only users who hold a Global Administrator or Compliance Manager Administration role can create and modify templates. Learn more about [roles and permissions](compliance-manager-setup.md#set-user-permissions-and-assign-roles).
-
-## Create new template in Compliance Manager
-
-1. Start by creating a formatted Excel file that contains your template's data. Get detailed instructions at [Format assessment template data with Excel](compliance-manager-templates-format-excel.md).
-1. When your Excel file is ready, go to your **assessment templates** page in Compliance Manager and select **Create new template**. A template creation wizard will open.
-1. Choose the type of template you want to create. In this case, select **Create a custom template**, then select **Next**.
-1. At the **Upload file** screen, select **Browse** to find and upload your formatted Excel file containing all the required template data.
-1. If there are no problems with your file, the name of the file uploaded will be displayed. Select **Next** to continue. (If you need to change the file, select **Upload a different file**).
- - If thereΓÇÖs an error with your file, an error message at the top explains whatΓÇÖs wrong. YouΓÇÖll need to fix your file and upload it again. Errors will result if your spreadsheet is formatted improperly, or if thereΓÇÖs invalid information in certain fields.
-1. The **Review and finish** screen shows the number of improvement actions and controls and the maximum score for the template. When ready to approve, select **Create template.** (If you need to make changes, select **Back**.)
-1. The last screen confirms a new template has been created. Select **Done** to exit the wizard.
-1. YouΓÇÖll arrive at your new templateΓÇÖs details page, where you can [create your assessment](compliance-manager-assessments.md#create-assessments).
-
-### Modifying your templates
-
-You can make changes to a template after you create it; for example, to add or remove an improvement action, or to change an action's name or other information. Visit [Modify assessment templates](compliance-manager-templates-modify.md) for detailed instructions.
compliance Compliance Manager Templates Extend https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-extend.md
- Title: "Extend assessment templates in Microsoft Purview Compliance Manager"-- NOCSH--- Previously updated : 01/18/2023------ purview-compliance-- m365solution-compliancemanager-- m365initiative-compliance-- tier1-- MOE150-- MET150
-description: "Understand how to extend a Microsoft template in Microsoft Purview Compliance Manager to add and modify controls."
--
-# Extend assessment templates built by Microsoft
-
-Compliance Manager offers the option to add your own controls and improvement actions to an existing template created by Microsoft. This process is called **extending** a template. To extend a template, you'll use specific instructions listed on this page for modifying template data, depending on whether youΓÇÖre extending Microsoft assessment templates or universal assessment templates.
--
-## Extend Microsoft assessment templates
-
-When you extend a Microsoft template, such as one created for use with Microsoft 365, it can still receive updates released by Microsoft. Updates may happen when there are changes to the related regulation or product (see [Accept updates to assessments](compliance-manager-assessments.md#accept-updates-to-assessments)).
-
-### Prepare template data and create extension
-
-To prepare, youΓÇÖll need to assemble a specially formatted Excel spreadsheet to import the necessary template data. The Excel files follow the same format outlined on [Format assessment template data with Excel](compliance-manager-templates-format-excel.md), but there are special requirements for extensions. See these additional points to help prevent errors:
--- Your spreadsheet should contain only the actions and controls you want to add to the assessment.-- The spreadsheet canΓÇÖt contain any of the controls or actions that already exist in the assessment you want to modify.-- Consider including ΓÇ£extensionΓÇ¥ in your templateΓÇÖs title, for example, ΓÇ£GDPR ΓÇô [your company name] extension.ΓÇ¥ This makes it easier to identify in the list on your **assessment templates** page as distinct from the standard Microsoft-provided template or a custom template with a similar name.-
-After you format your spreadsheet, follow the steps below.
-
-1. Go to your **Assessment templates** page and select **Create new template**. A template creation wizard will open.
-
-2. Choose the type of template you want to create. In this case, select **Extend a Microsoft template**, then **Select Microsoft template**.
-
-3. A template selection flyout pane appears on the right side of your screen, showing a list of all templates and their status of active or inactive. Your **activated templates** counter shows how many templates are currently in use out of the total number available to use. If youΓÇÖre over your limit, a message bar will provide notice.
-
-4. A template selection flyout pane appears on the right side of your screen. Use **Search** to apply filters for locating the template you want
-
-5. Once you locate your template, select the radio button to the left of its name, then select **Save**.
-
-6. The next screen shows the template you selected. If correct, select **Next**. (If incorrect, choose **Select a different template** to choose again.)
-
-7. At the **Upload file** screen, select **Browse** to find and upload your formatted Excel file containing all the required template data.
-
-8. If there are no problems with your file, the next screen shows the name of the file uploaded. Select **Next** to continue (if you need to change the file, select **Upload a different file**).
-
- - If thereΓÇÖs a problem with your file, an error message at the top explains whatΓÇÖs wrong. YouΓÇÖll need to fix and re-upload your file. Errors will result if your spreadsheet is formatted improperly, or if thereΓÇÖs invalid information in certain fields.
-
-9. The **Review and finish** screen shows the number of improvement actions and controls and the maximum score for the template. When ready to approve, select **Next**. (If you need to make changes, select **Upload a different file**.)
-
-10. The last screen confirms a new template has been created. Select **Done** to exit the wizard.
-
-11. YouΓÇÖll arrive at your new templateΓÇÖs details page. From here you can create your assessment by selecting **Create assessment**. For guidance, see [Build and manage assessments](compliance-manager-assessments.md#create-assessments).
-
-## Extend universal assessment templates
-
-Universal versions of templates can also be extended to customize your product-specific assessments. You will receive a special extension template when you create an assessment using a universal template and the assessment has a unique product and certification combination. This file can be modified to meet your needs. For guidance on how to edit the template, see the instructions on [modifying a template](compliance-manager-templates-modify.md).
-
-When editing a universal template, all content in the template can be changed, but doing so will break inheritance with the parent template. This means that it will no longer automatically receive updates from Microsoft if the parent template is refreshed.
compliance Compliance Manager Templates Format Excel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-format-excel.md
- Title: "Format assessment template data in Excel for Microsoft Purview Compliance Manager"-- NOCSH--- Previously updated : 01/01/2023------ purview-compliance-- m365solution-compliancemanager-- m365initiative-compliance-- tier1-- MOE150-- MET150
-description: "Understand how to work with Excel data for assessment templates in Microsoft Purview Compliance Manager."
--
-# Format assessment template data in Excel for Microsoft Purview Compliance Manager
-
-When [creating](compliance-manager-templates-create.md), [modifying](compliance-manager-templates-modify.md), or [extending](compliance-manager-templates-extend.md) assessment templates in Compliance Manager, you will work with Excel spreadsheets that use a specific format and schema. These specifications must be followed for the files to import correctly.
--
-## Download example spreadsheet
-
-To view a sample spreadsheet, [download an example file](https://go.microsoft.com/fwlink/?linkid=2124865). You can use this for reference to create your own file.
-
-If you plan to modify an existing template, start by viewing the templateΓÇÖs details in Compliance Manager and downloading its Excel file.
-
-## Spreadsheet format
-
-The Excel spreadsheet contains four tabs, three of which are required:
-
-1. [Template](#template-tab) (required)
-2. [ControlFamily](#controlfamily-tab) (required)
-3. [Actions](#actions-tab) (required)
-4. [Dimensions](#dimensions-tab) (optional)
-
-When filling out your spreadsheet with template data, the spreadsheet **must include the tabs in the order listed above**, otherwise your data won't successfully import to a template.
-
-### Template tab
-
-The **Template** tab is required. The information in this tab provides metadata about the template. There are four required columns. The columns must retain the order on the Excel sheet as listed below. You can add your own column **after** the four columns to provide your own dimensions. If you do this, be sure to add them to the **Dimensions** tab.
--- **title**: This is the title for your template, which must be unique. It can't share a name with another template you have in Compliance Manager, including your own templates or a Compliance Manager template.--- **product**: This is a required dimension. List the product associated with the template.--- **certification**: This is the regulation you're using for the template.--- **inScopeServices**: These are the services within the product that this assessment addresses (for example, if you listed Office 365 as the product, Microsoft Teams could be an in-scope service). You can list multiple services separated by two semi-colons.-
-> [!NOTE]
-> The data you insert in the **product** and **certification** cells can't be edited after you import the spreadsheet to create or customize a template. Also, a group can't contain two assessments that have the same **product/certification** combination. You can have multiple templates with the same product/certification combination.
-
-### ControlFamily tab
-
-The **ControlFamily** tab is required. The required columns in this tab, which must follow the order provided in the sample spreadsheet, are:
--- **controlName**: This is the control name from the certification, standard, or regulation, which is typically some type of ID. Control names must be unique within a template. You can't have multiple controls with the same name in the spreadsheet.--- **controlFamily**: Provide a word or phrase for the controlFamily, which identifies a broad grouping of controls. A controlFamily doesn't have to be unique; it can be listed more than once in a spreadsheet. The same controlFamily can also be listed in multiple templates, though they have no relation to each other. Every controlFamily must be mapped to at least one control.--- **controlTitle**: Provide a title for the control. Whereas the controlName is a reference code, the title is a rich text format typically seen in the regulations.--- **controlDescription**: Provide a description of the control.--- **controlActionTitle**: This field relates your control to one or more actions, listed by their actionTitle. You can add multiple actions by separating them with two semi-colons with no space in between. Every control you list must include at least one existing action, and the action may be defined in the **Actions** tab of the same spreadsheet, be in a different template, or be created by Microsoft. Different controls can reference the same action.-
-### Actions tab
-
-The **Actions** tab is required. It designates improvement actions managed by your organization and not those of Microsoft, which already exist in Compliance Manager. The required columns for this tab, which must follow the order provided in the sample spreadsheet, are:
--- **actionTitle**: This is the title for your action and is a required field. The title you provide must be unique. **Important**: if you reference an action you own that already exists (such as in another template) and you modify any of its elements in the subsequent columns, those changes will propagate to the same action in other templates.--- **implementationType**: In this required field, list one of the following three implementation types:
- 1) **Operational** - actions implemented by people and processes to protect the confidentiality, integrity, and availability of organizational systems, assets, data, and personnel (example: security awareness and training).
- 2) **Technical** - actions completed by using technology and mechanisms contained in the hardware, software, or firmware components of the information system to protect the confidentiality, integrity, and availability of organizational systems and data (example: multi-factor authentication).
- 3) **Documentation** - actions implemented through documented policies and procedures establishing and defining the controls required to protect the confidentiality, integrity, and availability of organizational systems, assets, data, and personnel (example: an information security policy).
--- **actionScore**: In this required field, provide a numeric score value for your action. The value must be a whole number ranging from 1 to 99; it cannot be 0, null, or blank. The higher the number, the greater its value toward improving your compliance posture. The image below demonstrates how Compliance Manager scores controls:-
- ![Compliance Manager controls point values.](../media/compliance-score-action-scoring.png "Compliance Manager controls point values")
--- **actionDescriptionTitle**: This is the title of the description and is required. This description title allows you to have the same action in multiple templates and surface a different description in each template. This field helps you clarify what template the description is referencing. In most cases, you can put the name of the template you're creating in this field.--- **actionDescription**: Provide a description of the action. You can apply formatting such as bold text and hyperlinks. This is required field.--- **dimension-Action Purpose**: This is an optional field. If you include it, the header must include the "dimension-" prefix. Any dimensions you include here will be used as filters in Compliance Manager and appear on the improvement actions details page in Compliance Manager.-
-### Dimensions tab
-
-The **Dimensions** tab is optional. However, if you reference a dimension elsewhere, you need to specify it here if it does not exist in a template you've already created or in a Microsoft template. The columns for this tab are listed below:
--- **dimensionKey**: list as "product", "certifications," "action purpose"-- **dimensionValue**: examples: Office 365, HIPPA, Preventative, Detective-
-When you export an existing template, the exported spreadsheet will have the **Dimensions** tab, which lists all the dimensions used in the template.
compliance Compliance Manager Templates Modify https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-modify.md
- Title: "Modify assessment templates in Microsoft Purview Compliance Manager"-- NOCSH--- Previously updated : 01/18/2023------ purview-compliance-- m365solution-compliancemanager-- m365initiative-compliance-- tier1-- MOE150-- MET150
-description: "Understand how to modify assessment templates in Microsoft Purview Compliance Manager."
--
-# Modify a custom assessment template
-
-If you want to modify a custom template you created, you'll follow a process similar to the [template creation](compliance-manager-templates-create.md) process of uploading a [formatted Excel file](compliance-manager-templates-format-excel.md) containing your template data. However, there are key details to know as you format your Excel file to change to existing template data. **We recommend you review these instructions carefully to ensure you don't overwrite any existing data that you want to retain.**
-
-> [!NOTE]
-> This template modification process can only be used for a custom template you have created. If you want to add controls or actions to a Compliance Manager template that Microsoft created, follow the instructions to [extend a Microsoft template](compliance-manager-templates-extend.md).
--
-## Steps to modify a template
-
-1. In Compliance Manager, go to the **Assessment templates** page. Select the template you want to modify, which will bring up its details page.
-2. Select **Export to Excel** in the upper right corner. An Excel file with all your template data will download. Save the file to your local machine.
-3. Edit your Excel file. Depending on which data you need to modify, jump to a section below for the instructions you need:
--- [Edit the main template attributes](#edit-the-main-template-attributes)-- [Add an improvement action](#add-an-improvement-action)-- [Edit an improvement action's information](#edit-an-improvement-actions-information)-- [Change an improvement action's name](#change-an-improvement-actions-name)-- [Remove an improvement action](#remove-an-improvement-action)-- [Remove a control](#remove-a-control)-
-4. When you're done editing your Excel file, save it to your local machine. You'll complete the process by re-uploading the Excel file using the [upload modified template information instructions](#modify-template-info-in-compliance-manager) below.
-
-### Edit the main template attributes
-
-On the **Templates** tab, you can edit anything in the **title** column, the **inScopeServices** column, and in any other column you may have added. However, you can't edit anything in the **product** or **certification** columns.
-
-### Add an improvement action
-
-1. Go to the **Actions** tab. Add your information in the required fields in the first empty row underneath your existing actions.
-2. Go to your **ControlFamily** tab. Find the row containing the control your improvement action maps to. Add your new action to the **controlActionTitle** column in that row (remember to separate multiple actions in this field with two semi-colons, no space in between).
-3. Save your spreadsheet.
-
-### Edit an improvement action's information
-
-You can change any improvement action's information *except for its title*. You can edit any cell from columns B onward, and when you import the file back into the template, the improvement actions in that template will now contain the updated data.
-
-You cannot edit the **actionTitle** (column A) because if you do, Compliance Manager considers this to be a new improvement action. If you want to change an improvement action's name, see the instructions immediately below.
-
-### Change an improvement action's name
-
-If you want to change the name of an improvement action, you have to explicitly designate in the spreadsheet that you are replacing an existing name with a new name. Follow these steps:
-
-1. In the **Actions** tab of your spreadsheet, add a new column to the spreadsheet after column A.
-2. In this new column, which is now column B, put as its header in row 1: **oldActionTitle**.
-3. Copy the contents of column A and paste them into column B. This puts your existing improvement action titles, which are what you want to change, into column B.
-4. In column A, **actionTitle**, delete the old name and replace it with the new name for your improvement action.
-
-Note that action titles, both for your improvement actions and for Microsoft actions, must be written in English in order to be recognized when referenced in controls.
-
-### Remove an improvement action
-
-To remove an improvement action from a template, you'll need to remove it from every control that references it. Follow the steps below to modify your spreadsheet:
-
-1. On the **ControlFamily** tab, search for for the title of the improvement action you want to remove.
-2. Delete the improvement action's title in the cells where it appears. If the improvement action is the only action on that row, delete the entire row (which removes the control).
-3. On the **Actions** tab, delete the row that contains the improvement action you're deleting.
-4. Save your spreadsheet.
-
-When you import your spreadsheet back into the template, your improvement action will be removed from the template.
-
-Removing an improvement action from a template does not completely remove the improvement action from Compliance Manager. That action can still be referenced by another template.
-
-### Remove a control
-
-To remove a control, modify your spreadsheet by following the steps below, then re-import your spreadsheet:
-
-1. On the **ControlFamily** tab, find the control you want to remove in the **controlName** column.
-2. Delete the row for that control.
- - If this deleted control contains improvement actions that aren't referenced by any other control, you'll need to remove those improvement actions from the **Actions** tab. Otherwise, you'll receive a validation error.
-
-3. Save your spreadsheet.
-
-When you import your spreadsheet back into the template, your control will be removed from the template.
-
-## Modify template info in Compliance Manager
-
-After your Excel file is completed and saved, follow these steps.
-
-1. Open the assessment template page again and select your template. At your template's details page, select **Modify template** to initiate the modification wizard.
-2. At the **Upload file** screen, select **Browse** to find and upload your Excel file.
-3. If there are no problems with your file, the next screen shows the name of the file uploaded. Select **Next** to continue (if you need to change the file, select **Upload a different file**).
- - If there's a problem with your file, an error message at the top explains what's wrong. You'll need to fix your file and upload it again. Errors will result if your spreadsheet is formatted improperly, or if there's invalid information in certain fields.
-
-4. The **Review and finish** screen shows the number of improvement actions and controls and the maximum score for the template. When ready to approve, select **Next**.
-5. The last screen confirms that the template has been modified. Select **Done** to exit the wizard.
-
-Your template will now include the changes you made. Any assessments that use this modified template will now show pending updates, and you'll need to accept the updates to the assessments to reflect the changes made in the template. Learn more about [updates to assessments](compliance-manager-assessments.md#accept-updates-to-assessments).
-
-> [!NOTE]
-> If you use Compliance Manager in a language other than English, you'll notice that some text appears in English when you export a template to Excel. The titles of actions (both your improvement actions and, where applicable, Microsoft actions) must be in English to be recognized by controls. If you make changes to an action title, be sure to write it in English so that the file imports correctly.
compliance Compliance Manager Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 04/21/2023 audience: Admin
description: "Understand how to use and manage templates for building assessment
# Learn about assessment templates in Compliance Manager
-**In this article:** Understand **how templates work** and **how to manage them** from your assessment templates page. Get instructions for **creating** new templates, **extending** and **modifying** existing templates, **formatting your template data with Excel**, and exporting template **reports**.
+**In this article:** Understand **how templates work** and **how to manage them** from your assessment templates page.
> [!IMPORTANT] > The assessment templates that are included by default for your organization depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
For further details, see [Compliance Manager licensing guidance](/office365/serv
The assessment templates page in Compliance Manager displays a list of templates and key details about them. The list includes templates provided by Compliance Manager as well as any templates your organization has modified or created. You can apply filters to find a template based on certification, product scope, country, industry, who created it, and whether the template is enabled for assessment creation.
-Select a template from its row to bring up its details page. This page contains a description of the template and further information about certification, scope, and controls details. From this page you can select the appropriate buttons to create an assessment, export the template data to Excel, or modify the template.
-
-## Create an assessment template
-
-To create your own new template for custom assessments in Compliance Manager, you'll use a specially formatted Excel spreadsheet to assemble the necessary control data. After completing the spreadsheet, you will import it into Compliance Manager. To learn more, see [Create an assessment template](compliance-manager-templates-create.md).
-
-## Modify an assessment template
-
-When working with assessments in Compliance Manager, you may want to modify an assessment template that you've created. The process is similar to the template creation process in that you'll upload a formatted Excel file with your template data. To learn more about how to make changes and how to preserve data you still want to maintain, see [Modify an assessment template](compliance-manager-templates-modify.md).
-
-## Extend an assessment template
-
-Compliance Manager offers the option to add your own controls and improvement actions to an existing template. This process is called extending a template. To extend a template, you will use special instructions for adding to template data, depending on whether you're extending Microsoft assessment templates or universal assessment templates. To learn more, see [Extend an assessment template](compliance-manager-templates-extend.md).
-
-## Format assessment template data in Excel
-
-When creating, modifying, or extending assessment templates in Compliance Manager, you will work with Excel spreadsheets that use a specific format and schema. These specifications must be followed for the files to import correctly. To learn more, see [Format assessment template data in Excel](compliance-manager-templates-format-excel.md).
-
-## Export a template
-
-You can export an Excel file that contains all of a template's data. You'll need to export a template in order to modify it, since this will be the Excel file you edit and upload in the [modification process](compliance-manager-templates-modify.md). You can also export a template for reference if you want to use data from it while constructing a new custom template.
-
-To export your template, go to your template details page and select the **Export to Excel** button.
-
-Note that when exporting a template you extended from a Compliance Manager template, the exported file will only contain the attributes you added to the template. The exported file wonΓÇÖt include the original template data provided by Microsoft. To get such a report, see the instructions for [exporting an assessment report](compliance-manager-assessments.md#export-an-assessment-report).
+Select a template from its row to bring up its details page. This page contains a description of the template and further information about certification, scope, and controls details. From this page you can select the appropriate buttons to create an assessment, export the template data to Excel, or modify the template.
compliance Compliance Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 04/21/2023 audience: Admin
When creating assessments, youΓÇÖll assign them to a group. You can configure gr
### Templates
-Compliance Manager provides templates to help you quickly create assessments. You can modify these templates to create an assessment optimized for your needs. You can also build a custom assessment by creating a template with your own controls and actions. For example, you may want a template to cover an internal business process control, or a regional data protection standard that isnΓÇÖt covered by one of our 325+ pre-built assessment templates.
-
-##### Learn more
+Compliance Manager provides over 350 templates to help you quickly create assessments.
[View the list of assessment templates provided by Compliance Manager](compliance-manager-templates-list.md).
-[Get detailed instructions for creating and modifying templates for assessments](compliance-manager-templates.md).
+[Learn more about assessment templates](compliance-manager-templates.md).
### Improvement actions
compliance Create Activity Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-activity-alerts.md
You can create an activity alert that will send you an email notification when u
**Why use activity alerts instead of searching the audit log?** There might be certain kinds of activity or activity performed by specific users that you really want to know about. Instead of having to remember to search the audit log for those activities, you can use activity alerts to have Microsoft 365 send you an email message when users perform those activities. For example, you can create an activity alert to notify you when a user deletes files in SharePoint, or you can create an alert to notify you when a user permanently deletes messages from their mailbox. The email notification sent to you includes information about which activity was performed and the user who performed it. > [!NOTE]
-> Activity alerts are being deprecated. We recommend that you start using alert policies in the security and compliance center instead of creating new activity alerts. Alert policies provide additional functionality such as the ability to create an alert policy that triggers an alert when any user performs a specified activity, and displaying alerts on the **View alerts** page in the security and compliance center. For more information, see [Alert policies](alert-policies.md).
+> Activity alerts are being deprecated. We recommend that you start using alert policies in the Microsoft Purview compliance portal instead of creating new activity alerts. Alert policies provide additional functionality such as the ability to create an alert policy that triggers an alert when any user performs a specified activity, and displaying alerts on the **View alerts** page in the Microsoft Purview compliance portal. For more information, see [Alert policies](alert-policies.md).
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
compliance Device Onboarding Offboarding Macos Jamfpro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-offboarding-macos-jamfpro.md
You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions l
## Before you begin - Make sure your [macOS devices are managed through JAMF pro](https://www.jamf.com/resources/product-documentation/jamf-pro-installation-guide-for-mac/) and are associated with an identity (Azure AD joined UPN) through JAMF Connect or Intune.-- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge. ## Onboard devices into Microsoft Purview solutions using JAMF Pro
compliance Device Onboarding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-overview.md
If you already have devices onboarded into [Microsoft Defender for Endpoint](/wi
In this deployment scenario, you'll onboard Windows 10 or Windows 11 devices that have not been onboarded yet.
-1. Open the [Microsoft Purview compliance portal](https://compliance.microsoft.com). Choose **Settings** > **Enable device monitoring**.
-
- > [!NOTE]
- > While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.
-
-2. Open the Microsoft Purview Compliance portal settings page and choose **Turn on Windows device monitoring**.
-
-3. Choose **Device management** to open the **Devices** list.
+1. Open the [Microsoft Purview compliance portal](https://compliance.microsoft.com). Choose **Settings** > **Device onboarding** > **Devices**.
> [!NOTE]
-> If you have previously deployed Microsoft Defender for Endpoint, all the devices that were onboarded during that process will be listed in the **Devices** list. There is no need to onboard them again.
+> If you have previously deployed Microsoft Defender for Endpoint, all the devices that were onboarded during that process will be listed in the **Devices** list. There is no need to onboard them again. While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.
+
+2. Choose **Turn on device onboarding**.
-4. Choose **Onboarding** to begin the onboarding process.
+3. Choose **Onboarding** to begin the onboarding process.
5. Choose the way you want to deploy to these additional devices from the **Deployment method** list and then **download package**.
You can check the **Configuration status** and the **Policy sync status** of all
|||| |Updated |Device health parameters are enabled and correctly set. |Device has been updated with the current versions of policies. | |Not updated | You need to enable the configuration settings for this device. Follow the procedures in [Microsoft Defender Antivirus always-on protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)|This device has not synced the latest policy updates. If the policy update was made within the last 2 hours, wait for the policy to reach your device. |
-|Not available | Device properties are not available in the device list. This is could be because the device doesn't meet the minimum OS version, or configuration or if the device was just onboarded. |Device properties are not available in the device list. This is could be because the device doesn't meet the minimum OS version, or configuration or if the device was just onboarded.|
+|Not available | Device properties are not available in the device list. This could be because the device doesn't meet the minimum OS version, or configuration or if the device was just onboarded. |Device properties are not available in the device list. This could be because the device doesn't meet the minimum OS version, or configuration or if the device was just onboarded.|
It can take up to 2 hours for the sync status to get reflected on the dashboard. Devices must be online for the policy update to happen. If the status isn't updating, check the last time the device was seen.
+Required KB for this Preview Feature: [KB5023773](https://support.microsoft.com/topic/march-21-2023-kb5023773-os-builds-19042-2788-19044-2788-and-19045-2788-preview-5850ac11-dd43-4550-89ec-9e63353fef23).
## See also
compliance Dlp Conditions And Exceptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-conditions-and-exceptions.md
To configure the sender address location at a DLP rule level, the parameter is *
|Any email attachment's content could not be scanned|condition: *DocumentIsUnsupported* <br/><br/>exception: *ExceptIf DocumentIsUnsupported*|n/a|Messages where an attachment isn't natively recognized by Exchange Online.| |Any email attachment's content didn't complete scanning|condition: *ProcessingLimitExceeded* <br/><br/> exception: *ExceptIfProcessingLimitExceeded*|n/a|Messages where the rules engine couldn't complete the scanning of the attachments. You can use this condition to create rules that work together to identify and process messages where the content couldn't be fully scanned.| |Document name contains words|condition: *DocumentNameMatchesWords* <br/><br/> exception: *ExceptIfDocumentNameMatchesWords*|Words|Messages where an attachment's file name matches any of the specified words.|
-|Document name matches patterns|condition: *DocumentNameMatchesPatterns* <br/><br/> exception: *ExceptIfDocumentNameMatchesPatterns*|Patterns|Messages where an attachment's file name contains text patterns that match the specified regular expressions.|
+|Document name matches patterns|condition: *DocumentNameMatchesPatterns* <br/><br/> exception: *ExceptIfDocumentNameMatchesPatterns*|Patterns|Messages where an attachment's file name contains text patterns that match the specified regular expressions. This is discontinued for SharePoint and OneDrive workloads. Existing rules can't be modified and new rules can't be created. Existing customers can continue to use this condition.|
|Document property is|condition: *ContentPropertyContainsWords* <br/><br/> exception: *ExceptIfContentPropertyContainsWords*|Words|Messages with documents where an attachment's custom property matches the given value.| |Document size equals or is greater than|condition: *DocumentSizeOver* <br/><br/> exception: *ExceptIfDocumentSizeOver*|Size|Messages where any attachment is greater than or equal to the specified value.| |Any attachment's content includes any of these words|condition: *DocumentContainsWords* <br/><br/> exception: *ExceptIfDocumentContainsWords*|`Words`|Messages where an attachment contains the specified words.|
compliance Dlp Migration Assistant For Symantec Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migration-assistant-for-symantec-use.md
If you see an error on welcome screen after selecting **Get Started**, follow th
3. Check if you're running the tool in admin mode using **Run as administrator** option while starting the application. 4. Check if your PowerShell module path is set correctly using these steps: 1. Go to edit system environment variables.
- 2. Add this path in PsModulePath system variable: `C:\Program Files\PowerShell\7\Modules`.
+ 2. Add this path in PsModulePath user variable: `C:\Program Files\PowerShell\7\Modules`.
3. Move this up and keep at top. 4. Restart the tool in admin mode.
compliance Dlp Policy Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
The available context options change depending on which location you choose. If
- Content contains - Content is shared from Microsoft 365 - Document created by-- Document created by member of
+- Document created by member of (currently deprecated for customers not already using this condition)
- Document name contains words or phrases-- Document name matches patterns-- Document size over
+- Document size equals or is greater than
+- Document name matches patterns (currently deprecated for customers not already using this condition)
- Document property is - File extension is
The available context options change depending on which location you choose. If
- Content contains - Content is shared from Microsoft 365 - Document created by-- Document created by member of
+- Document created by member of (currently deprecated for customers not already using this condition)
- Document name contains words or phrases-- Document name matches patterns-- Document size over
+- Document size equals or is greater than
+- Document name matches patterns (currently deprecated for customers not already using this condition)
- Document property is - File extension is
+- Document is shared
##### Conditions Teams chat and channel messages supports
This table shows the DLP blocking and notification behavior for policies that ar
|- **Content is shared from Microsoft 365** </br>- **only with people inside my organization** | No actions are configured |- **User notifications** set to **On** </br>- **Notify users in Office 365 service with a policy tip** is selected </br>- **Notify the user who sent, shared, or last modified the content** is selected | - **Send an alert to admins when a rule match occurs** set to **On** </br>- **Send alert every time an activity matches the rule** is selected </br>- **Use email incident reports to notify you when a policy match occurs** set to **On** |- Notifications are sent when a file is uploaded | |- **Content is shared from Microsoft 365** </br>- **with people outside my organization** | - **Restrict access or encrypt the content in Microsoft 365 locations** is selected </br>- **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files** is selected </br>- **Block only people outside your organization** is selected |- **User notifications** set to **On** </br>- **Notify users in Office 365 service with a policy tip** is selected </br>- **Notify the user who sent, shared, or last modified the content** is selected | - **Send an alert to admins when a rule match occurs** set to **On** </br>- **Send alert every time an activity matches the rule** is selected </br>- **Use email incident reports to notify you when a policy match occurs** set to **On** | - Access to a sensitive file is blocked as soon as it's uploaded </br>- Notifications sent when content is shared from Microsoft 365 with people outside my organization | |- **Content is shared from Microsoft 365** </br>- **with people outside my organization** | - **Restrict access or encrypt the content in Microsoft 365 locations** is selected </br>- **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files** is selected </br>- **Block everyone** is selected | - **User notifications** set to **On** </br>- **Notify users in Office 365 service with a policy tip** is selected </br>- **Notify the user who sent, shared, or last modified the content** is selected | - **Send an alert to admins when a rule match occurs** set to **On** </br>- **Send alert every time an activity matches the rule** is selected </br>- **Use email incident reports to notify you when a policy match occurs** set to **On** |Notifications are sent when a file is shared with an external user and an external user access that file. |
-|- **Content is shared from Microsoft 365** </br>- **with people outside my organization** |- **Restrict access or encrypt the content in Microsoft 365 locations** is selected </br>- **Block only people who were given access to the content through the "Anyone with the link" option** is selected. | - **User notifications** set to **On** </br>- **Notify users in Office 365 service with a policy tip** is selected. </br>- **Notify the user who sent, shared, or last modified the content** is selected |- **Send an alert to admins when a rule match occurs** set to **On** </br>- **Send alert every time an activity matches the rule** is selected </br>- **Use email incident reports to notify you when a policy match occurs** set to **On** |Notifications are sent as soon as a file is uploaded |
+|- **Content is shared from Microsoft 365** |- **Restrict access or encrypt the content in Microsoft 365 locations** is selected </br>- **Block only people who were given access to the content through the "Anyone with the link" option** is selected. | - **User notifications** set to **On** </br>- **Notify users in Office 365 service with a policy tip** is selected. </br>- **Notify the user who sent, shared, or last modified the content** is selected |- **Send an alert to admins when a rule match occurs** set to **On** </br>- **Send alert every time an activity matches the rule** is selected </br>- **Use email incident reports to notify you when a policy match occurs** set to **On** |Notifications are sent as soon as a file is uploaded |
### User overrides
compliance Dlp Policy Tips Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-tips-reference.md
DLP policy tips in Outlook Web Access are supported for all the conditions, and
Currently, Outlook 2013 and later supports showing policy tips for policies that contain these conditions: For E3 licensed users-- Content contains (works only for Sensitive information types. Sensitivity labels aren't supported)
+- Content contains Sensitive information types (preconfigured SITs and custom SITs)
- Content is shared For E5 licensed users (preview)
All the conditions work for emails authored in Outlook client app, where they'll
## Outlook 2013 and later and Office apps on Desktop support showing policy tips for only some sensitive information types
-For E5 customers, DLP policy tips will be shown in Outlook 2013 and later and Office apps, for policies that use:
+For E3 licensed users, DLP policy tips are shown in Outlook 2013 and later for pre-configured SITs and custom SITs.
+
+For E5 licensed users, DLP policy tips will be shown in Outlook 2013 and later, for policies that use: (preview)
- [Preconfigured sensitive information types](sensitive-information-type-entity-definitions.md) (SITs) - Custom SITs
Custom sensitive information types will also be detected in addition to the abov
|**App and platform**|**DLP policy tip support**|**Sensitive information types supported**|**Predicates and actions supported**|**Comments**| |:--|:--|:--|:--|:--|
-|**Outlook On the Web**|:::image type="icon" source="../media/rightmrk.png" border="false":::|all|subset||
-|**Outlook Win32 (ver. 2105 build 14026.20000 and semi-annual channel ver. 2102 build 13801.20862)**|:::image type="icon" source="../media/rightmrk.png" border="false":::|subset|subset|See [Outlook 2013 and later supports showing policy tips for only some conditions](#outlook-2013-and-later-supports-showing-policy-tips-for-only-some-conditions) and [Outlook 2013 and later and Office apps on Desktop support showing policy tips for only some sensitive information types](#outlook-2013-and-later-and-office-apps-on-desktop-support-showing-policy-tips-for-only-some-sensitive-information-types) for details on support for sensitive information types and DLP conditions and actions supported for showing DLP policy tips on Outlook Win32.|
+|**Outlook On the Web**|:::image type="icon" source="../media/rightmrk.png" border="false":::|Exact Data match SITs|subset||
+|**Outlook Win32 (ver. 2105 build 14026.20000 and semi-annual channel ver. 2102 build 13801.20862)**|:::image type="icon" source="../media/rightmrk.png" border="false":::|all SITS are supported for E5 users; pre-configured SITs and customer SITs are supported for E3 users|subset|See [Outlook 2013 and later supports showing policy tips for only some conditions](#outlook-2013-and-later-supports-showing-policy-tips-for-only-some-conditions) and [Outlook 2013 and later and Office apps on Desktop support showing policy tips for only some sensitive information types](#outlook-2013-and-later-and-office-apps-on-desktop-support-showing-policy-tips-for-only-some-sensitive-information-types) for details on support for sensitive information types and DLP conditions and actions supported for showing DLP policy tips on Outlook Win32.|
|**Outlook Mobile (iOS, Android)/Outlook Mac**|:::image type="icon" source="../media/crsmrk.png" border="false":::|none|none|DLP policy tips aren't supported on Outlook mobile|
+|**Outlook Mac**|:::image type="icon" source="../media/crsmrk.png" border="false":::|none|none|DLP policy tips are not supported on Outlook for Mac|
|**SharePoint Online/OneDrive for Business Web client**|:::image type="icon" source="../media/rightmrk.png" border="false":::|all|all SPO/ODB predicates and actions in DLP|| |**SharePoint Win32/ OneDrive for Business Win32 client**|:::image type="icon" source="../media/crsmrk.png" border="false":::|none|none|DLP policy tips aren't supported on SharePoint or OneDrive desktop client apps| |**Word, Excel, PowerPoint Web Client**|:::image type="icon" source="../media/rightmrk.png" border="false":::|all|all SPO/ODB predicates and actions in DLP|DLP policy tip is supported if the document is hosted on SPO or ODB web app and the DLP policy is already stamped.|
compliance Document Fingerprinting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-fingerprinting.md
Currently, you can create a document fingerprint only in [Security & Compliance
DLP uses Sensitive information types(SIT) to detect sensitive content. To create a custom SIT based on a document fingerprint, use the **New-DlpSensitiveInformationType** cmdlet. The following example creates a new document fingerprint named ΓÇ£Contoso Customer ConfidentialΓÇ¥ based on the file C:\My Documents\Contoso Customer Form.docx.
-```powershell
-$Employee_Template = ([System.IO.File]::ReadAllBytes('C:\My Documents\Contoso Employee Template.docx'))
-$Employee_Fingerprint = New-DlpFingerprint -FileData $Employee_Template -Description "Contoso Employee Template"
-```
- ```powershell $Employee_Form = ([System.IO.File]::ReadAllBytes('C:\My Documents\Contoso Customer Form.docx'))
compliance Ediscovery Acknowledge Hold Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-acknowledge-hold-notification.md
Title: "Acknowledge a hold notification"
-description: Learn how to use eDiscovery (Premium) to send and follow up on legal hold notifications through email, as well as monitor obligation status.
+description: Learn how to use eDiscovery (Premium) to send and follow up on legal hold notifications through email and monitor obligation status.
f1.keywords: - NOCSH
Based on the configuration of your legal hold notification, your custodians may
- **Issuance notice:** The first notice sent to your custodian. This notice will contain your issuance instructions and the hold notice appended to the end of your message. - **Reminder notice:** If enabled, a reminder notice will be sent to your custodians based on the specified frequency and interval. The reminders will continue to be sent either until the custodian has acknowledged their notice or until the number of reminders have been exhausted. - **Escalation notice:** If enabled, an escalation notice will be sent to your custodian and their manager after the reminder notices have been exhausted. The system will automatically send escalation notices until the specified number of escalations have been completed or until the custodian acknowledges their hold notification.-- **Reissue notice:** During the course of an investigation, if the contents of the hold notice are updated, then the updated notice will automatically be sent to the custodian.-- **Release notice:** When a custodian is released from the case, they'll be sent the release notice.
+- **Reissue notice:** During an investigation, if the contents of the hold notice are updated, then the updated notice will automatically be sent to the custodian.
+- **Release notice:** When a custodian is released from the case, they'll be sent the release notice.
## Compliance Portal
compliance Ediscovery Add Data To Review Set From Another Review Set https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-add-data-to-review-set-from-another-review-set.md
Title: "Add data from one review set to another"
-description: "Learn how to select documents from one review set and work with them individually in another set in an Microsoft Purview eDiscovery (Premium) case."
+description: "Learn how to select documents from one review set and work with them individually in another set in a Microsoft Purview eDiscovery (Premium) case."
f1.keywords: - NOCSH
compliance Ediscovery Add Or Remove Members From A Case https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-add-or-remove-members-from-a-case.md
You can add or remove members to manage who can access the case. However, before
## Removing members from a case
-Only an [eDiscovery Administrator](ediscovery-assign-permissions.md) can remove members from a case. Even if you are assigned to the eDiscovery Manager role group or initially created the case, you won't be able to remove yourself or other members from a case unless you are also an eDiscovery Administrator. To remove yourself or other members from a case, contact an eDiscovery Administrator in your organization.
+Only an [eDiscovery Administrator](ediscovery-assign-permissions.md) can remove members from a case. Even if you're assigned to the eDiscovery Manager role group or initially created the case, you won't be able to remove yourself or other members from a case unless you're also an eDiscovery Administrator. To remove yourself or other members from a case, contact an eDiscovery Administrator in your organization.
compliance Ediscovery Collection Statistics Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-collection-statistics-reports.md
The **Summary** tab for committed collections contains several sections that pro
#### Collection overview (preview)
-The **Collection overview (preview)** section on the **Summary** tab of a committed review set contains information about how items were found, retrieved, and processed as part of the collection. The information in this section is a summary of the information gathered and displayed during the initial collection estimate and includes information gathered and processed during the collection committal to the the review set. You can use the information in this section to help improve understanding on how the final collection data evolves from the estimate data during collection committal and processing.
+The **Collection overview (preview)** section on the **Summary** tab of a committed review set contains information about how items were found, retrieved, and processed as part of the collection. The information in this section is a summary of the information gathered and displayed during the initial collection estimate and includes information gathered and processed during the collection committal to the review set. You can use the information in this section to help improve understanding on how the final collection data evolves from the estimate data during collection committal and processing.
This information is segmented and displayed in the following sub-sections:
This information is segmented and displayed in the following sub-sections:
|**Item type**|**Item type description**| |:|:| | Items with hits | Estimated number of items found by search. |
- | Review set duplicates | Items that are already in the same review set are not collected. |
- | Search duplicates | Duplicate instances of the same items are not collected. |
+ | Review set duplicates | Items that are already in the same review set aren't collected. |
+ | Search duplicates | Duplicate instances of the same items aren't collected. |
| All versions | All versions of items in SharePoint are collected. | | Historical versions | Historical versions maintained by SharePoint are collected. | | Cloud attachments | Cloud attachments are identified and collected from SharePoint links. |
The **Collection parameters** section on the **Summary** tab of a committed revi
## Data sources tab for collections
-The **Data sources** tab contains information about custodial and non-custodial data sources. The **Custodial data sources** section displays the all custodial data sources for each custodian included in the collection. The **Non-custodial data sources** section displays the all non-custodial data sources for the collection. The data source information displayed here is also available on the main **Data sources** tab for each case.
+The **Data sources** tab contains information about custodial and non-custodial data sources. The **Custodial data sources** section displays the all custodial data sources for each custodian included in the collection. The **Non-custodial data sources** section displays the all non-custodial data sources for the collection. The data source information displayed is also available on the main **Data sources** tab for each case.
## Search statistics tab for collections
compliance Ediscovery Data Spillage Search And Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-data-spillage-search-and-purge.md
You can also create a new role group that aligns with your organizational needs.
An eDiscovery case provides an effective way to manage your data spillage investigation. You can add members to the role group that you created in Step 1, add the role group as a member of new a eDiscovery case, perform iterative searches to find the spilled data, export a report to share, track the status of the case, and then refer back to the details of the case if needed. Consider establishing a naming convention for eDiscovery cases used for data spillage incidents, and provide as much information as you can in the case name and description so you can locate and refer to in the future if necessary.
-To create a new case, you can use eDiscovery in the security and compliance center. See "Create a new case" in [Get started with eDiscovery (Standard)](ediscovery-standard-get-started.md#step-3-create-a-ediscovery-standard-case).
+To create a new case, you can use eDiscovery in the Microsoft Purview compliance portal. See "Create a new case" in [Get started with eDiscovery (Standard)](ediscovery-standard-get-started.md#step-3-create-a-ediscovery-standard-case).
## Step 3: Search for the spilled data
For more information about exporting reports, see [Export a Content Search repor
To further investigate if email with spilled data was shared, you can optionally query the message trace logs with the sender information and the date range information that you gathered in Step 4. The retention period for message trace is 30 days for real-time data and 90 days for historical data.
-You can use Message trace in the security and compliance center or use the corresponding cmdlets in Exchange Online PowerShell. It's important to note that message tracing doesn't offer full guarantees on the completeness of data returned. For more information about using Message trace, see:
+You can use Message trace in the Microsoft Purview compliance portal or use the corresponding cmdlets in Exchange Online PowerShell. It's important to note that message tracing doesn't offer full guarantees on the completeness of data returned. For more information about using Message trace, see:
- [Message trace in the Security & Compliance Center](../security/office-365-security/message-trace-scc.md) - [New Message Trace in Security & Compliance Center](https://techcommunity.microsoft.com/t5/exchange-team-blog/new-message-trace-in-office-365-security-038-compliance-center/ba-p/607893)
If you changed any mailbox configuration in Step 6 to prepare the mailboxes befo
If the keywords in the search query that you created and used in Step 3 contains some of all of the actual spilled data, you should delete the search query to prevent further data spillage.
-1. In the security and compliance center, open the eDiscovery case, go to the **Search** page, and select the appropriate content search.
+1. In the Microsoft Purview compliance portal, open the eDiscovery case, go to the **Search** page, and select the appropriate content search.
2. On the flyout page, select **Delete**.
compliance Ediscovery Delete Items In The Recoverable Items Folder Of Mailboxes On Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold.md
# Delete items in the Recoverable Items folder of cloud-based mailboxes on hold
-The Recoverable Items folder for an Exchange Online mailbox exists to protect from accidental or malicious deletions. It's also used to store items that are retained and accessed by compliance features, such as holds and eDiscovery searches. However, in some situations organizations might have data that's been unintentionally retained in the Recoverable Items folder that they must delete. For example, a user might unknowingly send or forward an email message that contains sensitive information or information that may have serious business consequences. Even if the message is permanently deleted, it might be retained indefinitely because a legal hold has been placed on the mailbox. This scenario is known as *data spillage* because data has been unintentionally *spilled* into Office 365. In these situations, you can delete items in a user's Recoverable Items folder for an Exchange Online mailbox, even if that mailbox is placed on hold with one of the different hold features in Office 365. These types of holds include Litigation Holds, In-Place Holds, eDiscovery holds, and retention policies created in the security and compliance center in Office 365 or Microsoft 365.
+The Recoverable Items folder for an Exchange Online mailbox exists to protect from accidental or malicious deletions. It's also used to store items that are retained and accessed by compliance features, such as holds and eDiscovery searches. However, in some situations organizations might have data that's been unintentionally retained in the Recoverable Items folder that they must delete. For example, a user might unknowingly send or forward an email message that contains sensitive information or information that may have serious business consequences. Even if the message is permanently deleted, it might be retained indefinitely because a legal hold has been placed on the mailbox. This scenario is known as *data spillage* because data has been unintentionally *spilled* into Office 365. In these situations, you can delete items in a user's Recoverable Items folder for an Exchange Online mailbox, even if that mailbox is placed on hold with one of the different hold features in Office 365. These types of holds include Litigation Holds, In-Place Holds, eDiscovery holds, and retention policies created in the Microsoft Purview compliance portal.
This article explains how admins can delete items from the Recoverable Items folder for cloud-based mailboxes that are on hold. This procedure involves disabling access to the mailbox and disabling single item recovery, disabling the Managed Folder Assistant from processing the mailbox, temporarily removing the hold, deleting items from the Recoverable Items folder, and then reverting the mailbox to its previous configuration. Here's the process:
compliance Ediscovery Manage Legal Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-manage-legal-investigations.md
# Manage legal investigations in Microsoft 365
-Organizations have many reasons to respond to a legal case involving certain executives or other employees in your organization. This might involve quickly finding and retaining for further investigation-specific information in email, documents, instant messaging conversations, and other content locations used by people in their day-to-day work tasks. You can perform these and many other similar activities by using the eDiscovery case tools in the security and compliance center.
+Organizations have many reasons to respond to a legal case involving certain executives or other employees in your organization. This might involve quickly finding and retaining for further investigation-specific information in email, documents, instant messaging conversations, and other content locations used by people in their day-to-day work tasks. You can perform these and many other similar activities by using the eDiscovery case tools in the Microsoft Purview compliance portal.
**Want to know how Microsoft manages its eDiscovery investigations?** Here's a [technical white paper](https://go.microsoft.com/fwlink/?linkid=852161) you can download that explains how we use the same search and investigation tools to manage our internal eDiscovery workflow.
compliance Ediscovery Search For And Delete Email Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-search-for-and-delete-email-messages.md
For more information, see [New-ComplianceSearchAction](/powershell/module/exchan
After the message is purged and moved to the Purges folder, the message is retained until the hold duration expires. If the hold duration is unlimited, then items are retained until the hold is removed or the hold duration is changed. -- **Why is the search and remove workflow divided among different security and compliance center role groups?**
+- **Why is the search and remove workflow divided among different Microsoft Purview compliance portal role groups?**
As previously explained, a person has to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role to search mailboxes. To delete messages, a person has to be a member of the Organization Management role group or be assigned the Search And Purge management role. This makes it possible to control who can search mailboxes in the organization and who can delete messages.
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
f1.keywords:
Previously updated : 02/21/2023 Last updated : 04/17/2023 audience: itpro - highpri
For step-by-step instructions to turn on auditing, see [Turn audit log search on
## Step 3 (optional): Enable and view insider risk analytics insights
-Insider tisk management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics) and check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help understand how analytics can help accelerate the identification of potential insider risks and help you to quickly take action.
+Insider risk management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics) and check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help understand how analytics can help accelerate the identification of potential insider risks and help you to quickly take action.
To enable insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admins*, or Microsoft 365 *Global admin* role group. Complete the following steps to enable insider risk analytics:
Having visual context is crucial for security teams during forensic investigatio
See the [Get started with insider risk management forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure) article for step-by-step guidance to configure forensic evidence for your organization.
+### Configure optical character recognition (optional)
+
+Microsoft Purview can scan for sensitive content in documents to help protect those documents from inappropriate exposure. When you enable optical character recognition (OCR) in Microsoft Purview, data classifiers, such as sensitive information types and trainable classifiers, can also detect characters in stand-alone images. After configuring OCR settings (preview), your existing insider risk policies will be applied to both images and documents.
+
+For the OCR preview, insider risk management supports scanning in the following locations: Windows endpoint devices, SharePoint Online, and Teams. Exchange Online and OneDrive are not supported for the preview.
+
+OCR settings do not apply to forensic evidence clips in insider risk management.
+
+[Learn more about setting up OCR scanning and pay-as-you-go billing](ocr-learn-about.md).
+ ## Step 5 (required): Configure insider risk settings [Insider risk settings](insider-risk-management-settings.md) apply to all insider risk management policies, regardless of the template you choose when creating a policy. Settings are configured using the **Insider risk settings** control located at the top of all insider risk management tabs. These settings control privacy, indicators, intelligent detections, and more.
Insider risk management policies include assigned users and define which types o
If you've selected other policy templates, custom triggering events aren't supported. The built-in policy triggering events apply and you'll continue to Step 23 without defining policy attributes.
-14. If you've selected the *Data leaks by risky users* or *Security policy violations by risky users* templates, you'll see options on the **Triggers for this policy** page for integration with communication compliance and HR data connector events. You have the choice to assign risk scores when users send messages that contain potentially threatening, harassing, or discriminatory language or to bring users into the the policy scope after risky user events are reported in your HR system. If you select the **Risk triggers from communication compliance (preview)** option, you can accept the default communication compliance policy (automatically created), choose a previously created policy scope for this trigger, or create another scoped policy. If you select **HR data connector events**, you must configure a HR data connector for your organization.
+14. If you've selected the *Data leaks by risky users* or *Security policy violations by risky users* templates, you'll see options on the **Triggers for this policy** page for integration with communication compliance and HR data connector events. You have the choice to assign risk scores when users send messages that contain potentially threatening, harassing, or discriminatory language or to bring users into the policy scope after risky user events are reported in your HR system. If you select the **Risk triggers from communication compliance (preview)** option, you can accept the default communication compliance policy (automatically created), choose a previously created policy scope for this trigger, or create another scoped policy. If you select **HR data connector events**, you must configure an HR data connector for your organization.
15. Select **Next** to continue. 16. If you've selected the *Data leaks* or *Data leaks by priority users* templates and have selected the **User performs an exfiltration activity and associated indicators**, you can choose custom or default thresholds for the indicator triggering events that you've selected. Choose either the **Use default thresholds (Recommended)** or **Use custom thresholds for the triggering events**. 17. Select **Next** to continue.
compliance Ocr Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ocr-learn-about.md
+
+ Title: "Learn about optical character recognition in Microsoft Purview (preview)"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++ Last updated : 04/18/2023
+ms.localizationpriority: medium
+
+- tier1
+- purview-compliance
+search.appverid:
+- MOE150
+- MET150
+description: How to implement this preview of optical character recognition (OCR) within MS Purview.
++
+# Learn about optical character recognition in Microsoft Purview (preview)
+
+Optical character recognition (OCR) scanning enables Microsoft Purview to scan content in images for sensitive information. An optional feature, OCR scanning is first enabled at the tenant level. Once enabled, you select the locations where you want to scan images. Image scanning is available for Exchange, SharePoint, OneDrive, Teams, and Windows devices. Once the OCR settings are configured, your existing policies for data loss prevention (DLP), records management, and insider risk management (IRM) are applied to images and text-based content. For example, say that you've configured the DLP condition *content contains sensitive information* and included a data classifier such as the "Credit Card" sensitive information type (SIT). In this case, Microsoft Purview scans for credit card numbers in both text and images at all of the chosen locations.
+
+> [!IMPORTANT]
+> By default, Exchange and Teams can be configured for OCR. To enable OCR for SharePoint, OneDrive, and Devices, **[sign up here]( https://forms.office.com/r/vudjYnaUM6)**.
+
+## Workflow at a glance
++
+| Phase | What's needed|
+|-|--|
+|**Phase 1:** Create Azure subscription if needed | If your organization doesn't already have an Azure pay-as-you-go subscription for your tenant, your Global admin needs to start by creating an [Azure account](/azure/cloud-adoption-framework/ready/azure-best-practices/initial-subscriptions). |
+|**Phase 2:** Set up pay-as-you-go billing to enable OCR. | Your Global or SharePoint admin must follow the instructions in [Configure Microsoft Syntex for pay-as-you-go billing in Azure](/syntex/syntex-azure-billing.md) to add a subscription for OCR. |
+|**Phase 3:** Configure OCR scanning settings | The Compliance admin for your organization configures the OCR settings for your tenant.|
++
+### Phase 1: Prerequisites
+
+To use OCR scanning, your organization's Global admin needs to verify that an Azure pay-as-you-go subscription is in place. If not, they need to set that up, following the instructions in [Create your initial Azure subscriptions](/azure/cloud-adoption-framework/ready/azure-best-practices/initial-subscriptions)
+
+### Phase 2: Configure billing
+
+When you enable OCR, all sensitive information types and trainable classifiers can detect characters that are in images.
+
+Because it's an optional feature, your Global admin must set up pay-as-you-go billing to enable OCR. Refer to the instructions in [Configure Microsoft Syntex for pay-as-you-go billing in Azure](/microsoft-365/syntex/syntex-azure-billing) to add a subscription for OCR.
+
+> [!NOTE]
+> When you go to the Microsoft Syntex billing page to sign up for your OCR subscription, you do **not** need to also sign up for Microsoft Syntex.
+>
+> You can find OCR pay-as-you-go pricing information on the [Configure Microsoft Syntex for pay-as-you-go billing in Azure](/microsoft-365/syntex/syntex-azure-billing) page.
+
+#### Charges ####
+
+The charge for using OCR is $1.00 for every 1,000 items scanned. Each image scanned counts as one transaction. This means that stand-alone images (JPEG, JPG, PNG, BMP, or TIFF) each count as a single transaction. It also means that *each page* in a PDF file is charged separately. For example, if there are 10 pages in a PDF file, an OCR scan of the PDF file counts as 10 separate scans.
+
+To view your bill, follow the instructions described in [Monitor your Microsoft Syntex pay-as-you-go usage](/microsoft-365/syntex/syntex-azure-billing#monitor-your-microsoft-syntex-pay-as-you-go-usage).
+
+#### Estimate your bill ####
+
+When you first start using OCR, limit usage to just a few people and applicable workloads. After a short while, you can view your bill in Azure and see the usage statistics & charges for each day. From there, you can extrapolate the costs for your full set of users. In addition, you can use the "workload" tag in Azure cost management to see the breakdown of usage per workload.
+
+### Phase 3: Configure your OCR settings
+
+1. In the Microsoft Purview compliance portal, go to **Settings**.
+2. Select **Optical character recognition (OCR) (preview)** to enter your OCR configuration settings.
+3. Select the locations where you wish to scan images. Then, for each location and solution, define the scope (users/groups/sites) for the OCR. Supported locations and solutions are listed in the following table.
+
+> [!NOTE]
+> For information on OCR functionality in Microsoft Purview Communication Compliance, see **[Create and manage communication compliance policies](communication-compliance-policies.md#optical-character-recognition-ocr)**.
+
+| Location | Supported Solutions |
+|--|-|
+| Exchange | Data loss prevention <sup>1</sup><br> <br> Information protection: [Auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange)<sup>1</sup> <br> <br> Records management: [Auto-apply retention label policies](apply-retention-labels-automatically.md#automatically-apply-a-retention-label-to-retain-or-delete-content)<sup>2</sup> |
+| SharePoint sites | Data loss prevention <br><br> Insider risk management<sup>3</sup> <br><br> Records management: [Auto-apply retention label policies](apply-retention-labels-automatically.md#automatically-apply-a-retention-label-to-retain-or-delete-content)<sup>2</sup> |
+| OneDrive accounts | Data loss prevention <br><br> Records management: [Auto-apply retention label policies](apply-retention-labels-automatically.md#automatically-apply-a-retention-label-to-retain-or-delete-content)<sup>2</sup> |
+| Teams chat and channel messages | Data loss prevention <br> <br> Insider risk management<sup>3</sup> |
+| Devices | Data loss prevention <br> <br> Insider risk management<sup>3</sup> |
+
+<sup>1</sup> Supports outgoing emails only.<br>
+<sup>2</sup> Supports keywords and sensitive information types.<br>
+<sup>3</sup> Considers sensitive information types and trainable classifiers present in images for risk scoring.<br>
+
+<br>
+
+## What file types are supported?
+
+This functionality supports scanning images in the following file types, with the noted requirements:
+
+| Supported file types | Image requirements |
+|-||
+| JPEG, JPG, PNG, BMP, TIFF, and PDF (image only) | **File sizes:** Image files must be no larger than 20 MB for Exchange and Teams. For SharePoint, OneDrive, and Windows endpoints, the maximum image file size is 50 MB. <br><br> **Image resolution:** Image resolution must be at least 50 x 50 pixels and not larger than 16,000 x 16,000 px. |
+
+> [!IMPORTANT]
+>
+> - Only images with machine-typed text are supported.
+> - Only images uploaded after OCR has been enabled are scanned.
+> - Only stand-alone images are scanned.
+> - SharePoint and OneDrive support only the following file types: JPEG, JPG, PNG, and BMP.
+> - Data loss prevention policy tips are not supported for images in Exchange.
+> - Scanning images in compressed/archive files isn't supported.
+> - If you [exclude a path](dlp-configure-endpoint-settings.md#file-path-exclusions) in the endpoint data loss prevention settings, OCR will not scan images in those folders.
+> - When OCR is turned on for Windows devices, the devices start sending messages to the cloud for scanning. The default bandwidth limit is [1024 MB of data per device per day](dlp-configure-endpoint-settings.md#advanced-classification-scanning-and-protection). OCR stops scanning images once this daily limit is reached. If you want to continue scanning images, you can increase the bandwidth limit.
++
+<br>
+
+## What languages are supported?
+OCR scanning supports more than [150 languages](https://azure.microsoft.com/cognitive-services/computer-vision/language-support).
+
+## Summary
+- You can subscribe to OCR scanning without subscribing to Microsoft Syntex.
+- Configuring OCR occurs at the tenant level, so once OCR is configured, they're available to the entire Microsoft Purview stack.
+- You don't need to create separate data classifiers for OCR. Once OCR is configured, existing [sensitive information types](sensitive-information-type-learn-about.md#learn-about-sensitive-information-types), [exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types), [trainable classifiers](classifier-learn-about.md#learn-about-trainable-classifiers), and [fingerprint SITs](document-fingerprinting.md#document-fingerprinting) scan images as well as documents and emails.
+
+## See also
+
+- [Learn about data loss prevention](dlp-learn-about-dlp.md#learn-about-data-loss-prevention)
+- [Learn about insider risk management](insider-risk-management.md#learn-about-insider-risk-management)
+- [Learn about records management](data-lifecycle-management.md#learn-about-data-lifecycle-management)
compliance Privileged Access Management Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privileged-access-management-configuration.md
Users submitting and responding to privileged access management requests must be
> [!IMPORTANT] > Office 365 Advanced Compliance is no longer sold as a standalone subscription. When current subscriptions expire, customers should transition to one of the subscriptions above, which contain the same or additional compliance features.
-If you don't have an existing Office 365 Enterprise E5 plan and want to try privileged access management, you can [add Microsoft 365](/office365/admin/try-or-buy-microsoft-365) to your existing Office 365 subscription or [sign up for a trial](https://www.microsoft.com/microsoft-365/enterprise) of Microsoft 365 Enterprise E5.
+If you don't have an existing Office 365 Enterprise E5 plan and want to try privileged access management, you can [add Microsoft 365](/microsoft-365/commerce/try-or-buy-microsoft-365) to your existing Office 365 subscription or [sign up for a trial](https://www.microsoft.com/microsoft-365/enterprise) of Microsoft 365 Enterprise E5.
## Enable and configure privileged access management
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-MoveRequest' -ApprovalType
### Requesting elevation authorization to execute privileged tasks
-Requests for privileged access are valid for up to 24 hours after the request is submitted. If not approved or denied, the requests expire and access is not approved.
+Requests for privileged access are valid for up to 24 hours after the request is submitted. If not approved or denied, the requests expire and access isn't approved.
#### In the Microsoft 365 Admin Center
Deny-ElevatedAccessRequest -RequestId a4bc1bdf-00a1-42b4-be65-b6c63d6be279 -Comm
## Delete a privileged access policy in Office 365
-If it is no longer needed in your organization, you can delete a privileged access policy.
+If it's no longer needed in your organization, you can delete a privileged access policy.
### In the Microsoft 365 admin center
If it is no longer needed in your organization, you can delete a privileged acce
### In Exchange Management PowerShell
-To delete a privileged access policy, run the following command in Exchange Online Powershell:
+To delete a privileged access policy, run the following command in Exchange Online PowerShell:
```PowerShell Remove-ElevatedAccessApprovalPolicy -Identity <identity GUID of the policy you want to delete>
Remove-ElevatedAccessApprovalPolicy -Identity <identity GUID of the policy you w
## Disable privileged access in Office 365
-If needed, you can disable privileged access management for your organization. Disabling privileged access does not delete any associated approval policies or approver groups.
+If needed, you can disable privileged access management for your organization. Disabling privileged access doesn't delete any associated approval policies or approver groups.
### In the Microsoft 365 admin center
If needed, you can disable privileged access management for your organization. D
### In Exchange Management PowerShell
-To disable privileged access, run the following command in Exchange Online Powershell:
+To disable privileged access, run the following command in Exchange Online PowerShell:
```PowerShell Disable-ElevatedAccessControl
compliance Protect Documents That Have Fci Or Other Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/protect-documents-that-have-fci-or-other-properties.md
One rule blocks access to content where the **Personally Identifiable Informatio
Doing the steps in the previous sections will create a DLP policy that will quickly detect content with that property, but only if that content is newly uploaded (so that the content's indexed), or if that content is old but just edited (so that the content's re-indexed).
-To detect content with that property everywhere, you may want to manually request that your library, site, or site collection be re-indexed, so that the DLP policy is aware of all the content with that property. In SharePoint Online, content is automatically crawled based on a defined crawl schedule. The crawler picks up content that has changed since the last crawl and updates the index. If you need your DLP policy to protect content before the next scheduled crawl, you can take these steps.
+To detect content with that property everywhere, you may want to manually request that your library, site, or site collection be re-indexed, so that the DLP policy is aware of all the content with that property. In SharePoint Online, content is automatically crawled when content is edited. Specific SharePoint sites can't be manually re-indexed.
> [!CAUTION]
-> Re-indexing a site can cause a massive load on the search system. Don't re-index your site unless your scenario absolutely requires it.
+> Re-indexing a site for DLP scenarios is not possible.
For more information, see [Manually request crawling and re-indexing of a site, a library or a list](/sharepoint/crawl-site-content).
compliance Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-settings.md
By choosing the settings for retaining and deleting content, your policy for ret
### Retaining content for a specific period of time
-When you configure a retention label or policy to retain content, you choose to retain items for a specific number of days, months (assumes 30 days for a month), or years. Or alternatively, retain the items forever. The retention period isn't calculated from the time the policy was assigned, but according to the start of the retention period specified.
+When you configure a retention label or policy to retain content in the compliance portal, you choose to retain items for a specific number of days, months (assumes 30 days), or years (assumes 365 days). Or alternatively, retain the items forever. The retention period isn't calculated from the time the policy was assigned, but according to the start of the retention period specified.
For the start of the retention period, you can choose when the content was created or, supported only for files and the SharePoint, OneDrive, and Microsoft 365 Groups, when the content was last modified. For retention labels, you can start the retention period from the content was labeled, and when an event occurs.
With these concatenated settings, users will be able to delete the item from the
- If the replacement label marks the item as a record or regulatory record but can't be applied because the file is currently checked out, the relabel process is retried when the file is checked back in again, or checkout is discarded. -- As a known issue for this preview, a replacement label is visible to users in Outlook only when that label is included in a published label policy for the same location, or it's configured for delete-only.
+- A replacement label is visible to users in Outlook only when that label is included in a published label policy for the same location, or it's configured for delete-only.
##### Configuration paths for relabeling
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
f1.keywords:
Previously updated : 02/27/2023 Last updated : 04/19/2023 audience: Admin
Exchange public folders, Skype, Teams and Yammer messages don't support retentio
An email or document can have only a single retention label applied to it at a time. A retention label can be applied [manually](create-apply-retention-labels.md#manually-apply-retention-labels) by an end user or admin, or automatically by using any of the following methods: -- [Auto-apply label policy](apply-retention-labels-automatically.md)
+- [Auto-apply retention label policy](apply-retention-labels-automatically.md)
- [Document understanding model for Microsoft Syntex](../contentunderstanding/apply-a-retention-label-to-a-model.md)-- [Default label for SharePoint](create-apply-retention-labels.md#applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set) or [Outlook](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)
+- [Default retention label for SharePoint](create-apply-retention-labels.md#applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set) or [Outlook](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)
- [Outlook rules](create-apply-retention-labels.md#automatically-applying-a-retention-label-to-email-by-using-rules)
+- [Power Automate compliance action](/power-automate/overview-cloud) of **Apply a retention label on the item**
+
+If there are multiple auto-apply retention label policies that could apply a retention label, and the content meets the conditions of multiple policies, the retention label for the oldest auto-apply retention label policy (by date created) is selected.
For standard retention labels (they don't mark items as a [record or regulatory record](records-management.md#records)): - Admins and end users can manually change or remove an existing retention label that's applied on content. -- When content already has a retention label applied, the existing label won't be automatically removed or replaced by another retention label with two possible exceptions:-
- - The existing label is configured to automatically apply a different retention label at the end of the retention period.
+- When items already have a retention label applied, the existing label won't be automatically removed or replaced by another retention label with the following exceptions:
- - The existing label was applied as a default label. When you use a default label, there are some scenarios when it can be replaced by another default label, or automatically removed.
+ - At the end of the retention period, the existing label is configured to automatically [apply a different retention label](retention-settings.md#relabeling-at-the-end-of-the-retention-period), or the existing label is configured to [run a Power Automate flow](retention-label-flow.md) with the compliance action of **Relabel an item at the end of retention**.
- For more information about the label behavior when it's applied by using a default label:
+ - You use the Power Automate compliance action of **Apply a retention label on the item**. If the item already has a retention label applied, it will be replaced.
+
+ - The existing label was applied as a default label. When you use a default label, there are some scenarios when it can be replaced by another default label, or automatically removed.
- - Default label for SharePoint: [Label behavior when you use a default label for SharePoint](create-apply-retention-labels.md#label-behavior-when-you-use-a-default-label-for-sharepoint)
- - Default label for Outlook: [Applying a default retention label to an Outlook folder](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)
+ For more information about the label behavior when it's applied by using a default label:
+ - Default label for SharePoint: [Label behavior when you use a default label for SharePoint](create-apply-retention-labels.md#label-behavior-when-you-use-a-default-label-for-sharepoint)
+ - Default label for Outlook: [Applying a default retention label to an Outlook folder](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)
+
+For retention labels that mark items as a record or a regulatory record:
+
+- These retention labels are never automatically changed during their configured retention period.
-- If there are multiple auto-apply label policies that could apply a retention label, and content meets the conditions of multiple policies, the retention label for the oldest auto-apply label policy (by date created) is applied.
+- Only admins for the container can manually change or remove retention labels that mark items as a record, but can't manually change or remove retention labels that mark items as a regulatory record. For more information, see [Compare restrictions for what actions are allowed or blocked](records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked).
-When retention labels mark items as a record or a regulatory record, these labels are never automatically changed during their configured retention period. Only admins for the container can manually change or remove retention labels that mark items as a record, but not regulatory records. For more information, see [Compare restrictions for what actions are allowed or blocked](records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked).
+- At the end of the retention period, an existing label can be replaced if it's configured to mark items as a record and automatically [apply a different retention label](retention-settings.md#relabeling-at-the-end-of-the-retention-period) or to [run a Power Automate flow](retention-label-flow.md) with the compliance action of **Relabel an item at the end of retention**. You can't use these relabeling methods if the existing label is configured to mark items as a regulatory record.
#### Monitoring retention labels
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
If you need to disable the PDF support in Office apps for Word, Excel, and Power
- **Use the Sensitivity feature in Office to apply sensitivity labels to PDFs**
-Set the value to **0**.
+Configure this setting to be **Disabled**.
Deploy this setting by using Group Policy, or by using the [Cloud Policy service for Microsoft 365](/DeployOffice/overview-office-cloud-policy-service).
compliance Sensitivity Labels Versions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-versions.md
Previously updated : 04/13/2023 Last updated : 04/20/2023 audience: Admin
The numbers listed are the minimum Office application versions required for each
|Capability |Outlook for Windows |Outlook for Mac |Outlook on iOS |Outlook on Android |Outlook on the web | |--|-:|-||-|-|
-|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: Rolling out to 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |
+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |
|Manually apply, change, or remove label <br /> - [Files and emails](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)|Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ | 4.7.1+ | 4.0.39+ | Yes | |Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Current Channel: Rolling out to 2302+ |16.70+ <sup>\*</sup> |Under review |Under review |Yes | |[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)|Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ |4.7.1+ |4.0.39+ |Yes |
The numbers listed are the minimum Office application versions required for each
|[Apply a sensitivity label to emails automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types |Current Channel: 2009+ <br /><br> Monthly Enterprise Channel: 2009+ <br /><br> Semi-Annual Enterprise Channel: 2102+ |16.44+ <sup>\*</sup> |Under review |Under review |Yes | |[Apply a sensitivity label to emails automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers |Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ |16.49+ |Under review |Under review |Yes | |[Different settings for default label and mandatory labeling](sensitivity-labels-office-apps.md#outlook-specific-options-for-default-label-and-mandatory-labeling) |Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ |16.43+ <sup>\*</sup> |4.2111+ |4.2111+ |Yes |
-|[PDF support](sensitivity-labels-office-apps.md#pdf-support) |Current Channel: 2205+ <br /><br> Monthly Enterprise Channel: 2205+ <br /><br> Semi-Annual Enterprise Channel: Under review| Under review |Under review |Under review |Under review |
-|[Apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) |Current Channel: 2211+ <br /><br> Monthly Enterprise Channel: 2211+ <br /><br> Semi-Annual Enterprise Channel: 2302+ | 16.61+ <sup>\*</sup> |4.2226+ |4.2203+ |Rolling out |
-|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: Rolling out to 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |In preview (4.2313+) |Under review |
-|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) <sup>\*</sup> |Under review |In preview (4.2313+) |Under review |
+|[PDF support](sensitivity-labels-office-apps.md#pdf-support) |Current Channel: 2205+ <br /><br> Monthly Enterprise Channel: 2205+ <br /><br> Semi-Annual Enterprise Channel: 2302+| Under review |Under review |Under review |Under review |
+|[Apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) |Current Channel: 2211+ <br /><br> Monthly Enterprise Channel: 2211+ <br /><br> Semi-Annual Enterprise Channel: 2302+ | 16.61+ <sup>\*</sup> |4.2226+ |4.2203+ |Yes |
+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Preview: [Beta](https://support.google.com/googleplay/work/answer/7042126) |Under review |
+|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) <sup>\*</sup> |Under review |Preview: [Beta](https://support.google.com/googleplay/work/answer/7042126) |Under review |
|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
-|[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2301+ <br /><br> Monthly Enterprise Channel: Under review <br /><br> Semi-Annual Enterprise Channel: Under review |Rolling out: 16.70+ <sup>\*</sup> | Rolling out: 4.2309+ |Rolling out: 4.2309+ |Yes |
+|[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2303+ <br /><br> Monthly Enterprise Channel: Under review <br /><br> Semi-Annual Enterprise Channel: 2302+ |Rolling out: 16.70+ <sup>\*</sup> | Rolling out: 4.2309+ |Rolling out: 4.2309+ |Yes |
|[Preventing oversharing as DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview)|Preview: [Current Channel (Preview)](https://office.com/insider) |Under review |Under review |Under review |Under review | |[Label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments) |Current Channel: Rolling out to 2303+ <br /><br> Monthly Enterprise Channel: 2304+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
f1.keywords:
Previously updated : 04/13/2023 Last updated : 04/20/2023 audience: Admin
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
## April 2023
+### Data lifecycle management and records management
+
+- **In preview**: Scan for sensitive information in images with support for [optical character recognition](ocr-learn-about.md) when you use auto-apply retention label policies.
+
+### Data loss prevention
+
+- **In preview**: Scan for sensitive information in images with support for [optical character recognition](ocr-learn-about.md)
+
+### Insider risk management
+
+- **In preview**: Scan for sensitive information in images with support for [optical character recognition](ocr-learn-about.md).
+ ### Sensitivity labels - **General availability (GA)**: [Default sensitivity label for a SharePoint document library](sensitivity-labels-sharepoint-default-label.md) - **General availability (GA)**: Outlook for Mac [displays label colors](sensitivity-labels-office-apps.md#label-colors) - **General availability (GA)**: Rolling out to Current Channel as a parity feature for the AIP add-in, built-in labeling for Windows supports [label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments).-- **Rolling out**: [Apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) using Outlook on the web.
+- **General availability (GA)**: [Apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) using Outlook on the web.
+- **In preview**: Scan for sensitive information in images with support for [optical character recognition](ocr-learn-about.md) when you use auto-labeling policies for Exchange.
- **Change of version for AIP add-in disabled by default**: For the Monthly Enterprise Channel only, the AIP add-in for Office apps is disabled by default in version 2303. For the Current Channel and Semi-Annual Enterprise Channel, the AIP add-in is still disabled by default in version 2302. - **Retirement notification for the AIP add-in for Office apps**: The AIP add-in will [retire April 2024](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/retirement-notification-for-the-azure-information-protection/ba-p/3791908). Although the add-in remains in maintenance mode until then, if you haven't already done so, we encourage you to [migrate to the labels built into Office](sensitivity-labels-aip.md).
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **Improvements that support Power Automate flows**: Now rolling out to support the scenario of [customizing what happens at the end of the retention period](retention-label-flow.md), the existing Power Automate compliance actions have been renamed to more accurately describe their purpose. **Apply label on the item** is renamed **Relabel an item at the end of retention**, and **Deletes the item** is renamed **Deletes an item at the end of retention**. Additionally: - New compliance action to [improve the resilience of your flow](retention-label-flow.md#add-resilience-to-your-flow). - The trigger action **When the retention period expires** is renamed **When an item reaches the end of its retention period**.
- - New compliance action of **Apply a retention label on the item** to apply a retention label independently from this scenario, as if manually applying a label. The label doesn't need to be published and the retention label is applied immediately.
+ - New compliance action of **Apply a retention label on the item** to apply a retention label independently from this scenario, as if manually applying a label. The label doesn't need to be published and the retention label is applied immediately. Just like manually applying a retention label, an existing retention label will be overwritten.
### Data loss prevention
frontline Ehr Connector Troubleshoot Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-connector-troubleshoot-setup-configuration.md
appliesto:
- Microsoft 365 for frontline workers description: Use this guidance to help you troubleshoot common setup and configuration issues for the Teams Electronic Health Record (EHR) connector. Previously updated : 01/11/2023 Last updated : 04/21/2023 # Troubleshoot Microsoft Teams EHR connector setup and configuration
Contact an admin in your organization to either grant you admin access or set up
### My organization wants to share the FHIR base URL with other organizations in my network
-Organizations in a healthcare network, such as a hospital with regional branches or related medical offices, might want to share an FHIR base URL. If you want to share your FHIR base URL, please email us at [TeamsForHealthcare](mailto:teamsforhealthcare@service.microsoft.com).
+If you want to share your FHIR base URL, email us with the FHIR base URL you would like to share at [TeamsForHealthcare](mailto:teamsforhealthcare@service.microsoft.com).
## Virtual Desktop Infrastructure (VDI) support
lighthouse M365 Lighthouse Apps Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-apps-page-overview.md
Previously updated : 03/10/2023 Last updated : 04/19/2023 audience: Admin
The data only reflects fully managed Windows devices. Data on Bring Your Own Dev
## Requirements
-Devices must be enrolled in Microsoft Intune. For more information on enrollment, see [What is Endpoint analytics?](/mem/analytics/overview) Once a device is enrolled, the Apps page will automatically populate with data. It may take up to 48 hours to see updates.
+Devices must be enrolled in Microsoft Intune. For more information on enrollment, see [What is Endpoint analytics?](/mem/analytics/overview) Once a device is enrolled, the Apps page automatically populates with data. It may take up to 48 hours to see updates.
> [!NOTE] > If data doesnΓÇÖt show up for a specific application, verify that the policy is enabled. From the tenantΓÇÖs deployment plan, under **Set up device enrollment**, verify that **Device health monitoring policy** is compliant. If not compliant, deploy the policy.
The App performance tab also includes the following options:
## Related content [What is Endpoint analytics?](/mem/analytics/overview) (article)\
-[Application reliability in endpoint analytics](/mem/analytics/app-reliability) (article)
+[Application reliability in endpoint analytics](/mem/analytics/app-reliability) (article)\
+[Overview of the Device health page in Microsoft 365 Lighthouse](m365-lighthouse-device-health-overview.md) (article)
lighthouse M365 Lighthouse Device Health Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-device-health-overview.md
Previously updated : 03/10/2023 Last updated : 04/19/2023 audience: Admin
The Device health page provides a subset of device analytics offered through End
## Requirements
-Devices must be enrolled in Microsoft Intune. For more information on enrollment, see [What is Endpoint analytics?](/mem/analytics/overview) Once a device is enrolled, the Device health page will automatically populate with data. It may take up to 48 hours to see updates.
+Devices must be enrolled in Microsoft Intune. For more information on enrollment, see [What is Endpoint analytics?](/mem/analytics/overview) Once a device is enrolled, the Device health page automatically populates with data. It may take up to 48 hours to see updates.
> [!NOTE]
The Devices tab also includes the following options:
## Related content [What is Endpoint analytics?](/mem/analytics/overview) (article)\
-[Scores, baselines, and insights in Endpoint Analytics](/mem/analytics/scores) (article)
+[Scores, baselines, and insights in Endpoint Analytics](/mem/analytics/scores) (article)\
+[Overview of the Apps page in Microsoft 365 Lighthouse](m365-lighthouse-apps-page-overview.md) (article)
security Compare Mdb M365 Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/compare-mdb-m365-plans.md
Defender for Business brings the enterprise-grade capabilities of Defender for E
|Feature/capability|[Defender for Business](mdb-overview.md)<br/>(standalone)|[Defender for Endpoint Plan 1](../defender-endpoint/defender-endpoint-plan-1.md)<br/>(for enterprise customers) |[Defender for Endpoint Plan 2](../defender-endpoint/microsoft-defender-endpoint.md)<br/>(for enterprise customers) | ||||| |[Centralized management](../defender-endpoint/manage-atp-post-migration.md)<br/>(see note 1 below) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|
-|[Simplified client configuration](mdb-simplified-configuration.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| | |
+|[Simplified client configuration](mdb-setup-configuration.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| | |
|[Microsoft Defender Vulnerability Management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md) <br/>(see note 2 below)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |[Next-generation protection](../defender-endpoint/next-generation-protection.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|
security Get Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business.md
ms.localizationpriority: medium Previously updated : 02/14/2023 Last updated : 04/19/2023 f1.keywords: NOCSH
When you use Defender for Business, you'll work with two main portals: the Micro
## Next steps -- Proceed to [Step 2: Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md)
+- Proceed to [Step 2: Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).
security Mdb Configure Security Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md
Use this article as a guide to managing your security policies and settings.
## Choose where to manage security policies and devices
-Defender for Business features a [simplified configuration process](mdb-simplified-configuration.md) that helps streamline the setup and configuration process. If you select the simplified configuration process, you can view and manage your security policies in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)). However, you're not limited to this option. If you've been using Microsoft Intune, you can keep using Intune.
+Defender for Business features a simplified configuration process) that helps streamline the setup and configuration process. If you select the simplified configuration process, you can view and manage your security policies in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)). However, you're not limited to this option. If you've been using Microsoft Intune, you can keep using Intune.
The following table can help you choose where to manage your security policies and devices. | Option | Description | |:|:| | **Use the Microsoft 365 Defender portal** (*recommended*) | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) is a one-stop shop for managing your company's devices, security policies, and security settings. You can access your security policies and settings, use the [Microsoft Defender Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) all in one place. <br/><br/>If you're using Intune, devices that you onboard to Defender for Business and your security policies are visible in the Intune admin center. To learn more, see the following articles:<br/>- [How default settings in Defender for Business correspond to settings in Microsoft Intune](mdb-next-gen-configuration-settings.md#how-default-settings-in-defender-for-business-correspond-to-settings-in-microsoft-intune)<br/>- [Firewall in Defender for Business](mdb-firewall.md) |
-| **Use Intune** | If your company is already using Intune to manage security policies, you can continue using it to manage your devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). <br/><br/>If you decide to switch to the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md), you'll be prompted to delete any existing security policies in Intune to avoid [policy conflicts](mdb-troubleshooting.yml) later. |
+| **Use Intune** | If your company is already using Intune to manage security policies, you can continue using it to manage your devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). <br/><br/>If you decide to switch to the [simplified configuration process in Defender for Business](mdb-setup-configuration.md), you'll be prompted to delete any existing security policies in Intune to avoid [policy conflicts](mdb-troubleshooting.yml) later. |
> [!IMPORTANT] > If you're managing security policies in the Microsoft 365 Defender portal, you can *view* those policies in the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)), where they're listed as **Antivirus** or **Firewall** policies. When you view your firewall policies in the admin center, you'll see two policies listed: one policy for firewall protection and another for custom rules.
security Mdb Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-email-notifications.md
ms.localizationpriority: medium Previously updated : 07/19/2022 Last updated : 04/19/2023 f1.keywords: NOCSH - m365-security
To view or edit email notification settings for your company, follow these steps
Proceed to: -- [Step 4: Onboard devices to Defender for Business](mdb-onboard-devices.md)
+- [Step 5: Onboard devices to Defender for Business](mdb-onboard-devices.md)
security Mdb Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-started.md
Use the navigation bar on the left side of the screen to access your incidents,
## Next steps -- [Use the setup wizard in Defender for Business](mdb-use-wizard.md) - [See the overall setup and configuration process](mdb-setup-configuration.md)
security Mdb Next Gen Configuration Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-next-gen-configuration-settings.md
The following security settings are preconfigured in Defender for Business:
## How default settings in Defender for Business correspond to settings in Microsoft Intune
-The following table describes settings that are preconfigured for Defender for Business and how those settings correspond to what you might see in Intune. If you're using the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md), you don't need to edit these settings.
+The following table describes settings that are preconfigured for Defender for Business and how those settings correspond to what you might see in Intune. If you're using the [simplified configuration process in Defender for Business](mdb-setup-configuration.md), you don't need to edit these settings.
| Setting | Description | |||
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
After you've onboarded a device, you can run a quick phishing test to make sure
## Next steps - If you have other devices to onboard, select the tab for those devices ([Windows 10 and 11, Mac, Servers, or Mobile devices](#what-to-do)), and follow the guidance on that tab.-- If you're done onboarding devices, proceed to [Step 5: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md).-- Also consider [Setting up email notifications](mdb-email-notifications.md) for your security team.
+- If you're done onboarding devices, proceed to [Step 6: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md).
security Mdb Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-overview.md
With Defender for Business, you can help protect the devices and data your busin
- **Learn how to set up your threat protection capabilities**. - [See the trial user guide: Defender for Business](trial-playbook-defender-business.md).
- - [Learn about the simplified configuration process](mdb-simplified-configuration.md).
- [See how to set up and configure Defender for Business](mdb-setup-configuration.md). - **Help you get started using Defender for Business**, starting with the Microsoft 365 Defender portal.
With Defender for Business, you can help protect the devices and data your busin
## Next steps - [Try the interactive guide: Get started with Defender for Business](https://aka.ms/MDB-GetStartedGuide)-- [Learn more about the simplified configuration process in Defender for Business](mdb-simplified-configuration.md)
+- [Learn more about the simplified configuration process in Defender for Business](mdb-setup-configuration.md)
- [Find out how to get Defender for Business](get-defender-business.md) - [Get an overview of Microsoft 365 Business Premium](../../business-premium/index.md)
security Mdb Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-setup-configuration.md
ms.localizationpriority: medium Previously updated : 02/14/2023 Last updated : 04/20/2023 f1.keywords: NOCSH
# Set up and configure Microsoft Defender for Business
-Defender for Business provides a streamlined setup and configuration experience, designed especially for the small and medium-sized business. Use this article as a guide.
+This article describes the overall setup process for Defender for Business. The process includes:
+
+- Getting Defender for Business and assigning licenses to users.
+- Assigning permissions to your security team and configuring email notifications about new alerts or vulnerabilities.
+- Onboarding devices and configuring your security policies and settings.
+
+## Setup options
+
+When you're ready to set up and configure Defender for Business, you can choose from several options:
+
+- **Use the setup wizard** to grant access to your security team, set up email notifications for your security team, onboard your company's Windows devices, and apply default security settings to those devices; or
+- **Work through the setup process manually**, step by step, and complete the setup steps yourself.
+
+> [!NOTE]
+> Using the setup wizard is optional. If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own.
+
+## [**Setup wizard**](#tab/Wizard)
+
+> [!IMPORTANT]
+> You must be a global administrator to run the setup wizard. See [Security roles and permissions in Defender for Business](mdb-roles-permissions.md).
+>
+> Make sure to [add users](mdb-add-users.md) (especially members of your security team) before you run the setup wizard.
+
+## How to start the setup wizard
+
+In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Assets** > **Devices**. The setup wizard is designed to run one time, and it resembles the following image:
++
+## The setup wizard flow
+
+The setup wizard is designed to help you set up and configure Defender for Business quickly and efficiently. It walks you through the following steps:
+
+1. **Assign user permissions**. In this step, you grant your security team access to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This portal is where you and your security team will manage your security capabilities, view alerts, and take any needed actions on detected threats. Portal access is granted through roles that imply certain permissions. [Learn more about roles and permissions](mdb-roles-permissions.md).
+
+ In Defender for Business, members of your security team can be assigned one of the following three roles:<br/>
+
+ - **Global Admin**: A global admin can view and edit all settings across your Microsoft 365 tenant. The global admin does the initial setup and configuration for your company's Microsoft 365 subscription.
+ - **Security Administrator**: A security administrator can view and edit security settings, and take action when threats are detected.
+ - **Security Reader**: A security reader can view information in reports, but can't change any security settings.
+
+2. **Set up email notifications**. In this step, you can set up email notifications for your security team. Then, when an alert is generated or a new vulnerability is discovered, your security team won't miss it even if they're away from their desk. [Learn more about email notifications](mdb-email-notifications.md).
+
+3. **Onboard and configure Windows devices**. In this step, you can onboard your company's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one. [Learn more about onboarding devices to Defender for Business](mdb-onboard-devices.md).
+
+ - **If you're not using Intune**, you can onboard devices in the Microsoft 365 Defender portal.
+ - **If you're already using Microsoft Intune**, and your company has devices enrolled in Intune, you can continue using Intune. See [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
+
+4. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can also create your own security policies. See [View and edit your security policies and settings](mdb-configure-security-settings.md).
+
+ > [!NOTE]
+ > If you're already using Intune to manage your devices and security policies, you can continue using it. See [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
+
+## What is automatic onboarding?
+
+Automatic onboarding is a simplified way to onboard Windows devices to Defender for Business. Automatic onboarding is only available for Windows devices that are already enrolled in Microsoft Intune.
+
+While you're using the setup wizard, the system will detect whether Windows devices are already enrolled in Intune. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more devices later.
+
+To onboard other devices, see [Onboard devices to Defender for Business](mdb-onboard-devices.md).
> [!TIP]
-> If you used the [setup wizard](mdb-use-wizard.md), then you've already completed several steps of your basic setup process. In this case, you can:
-> - [Onboard more devices](mdb-onboard-devices.md)
-> - [Configure your security policies and settings](mdb-configure-security-settings.md)
-> - [Visit your Microsoft Defender Vulnerability Management dashboard](mdb-view-tvm-dashboard.md)
+> - We recommend selecting the "all devices enrolled" option. That way, when Windows devices are enrolled in Intune later on, they'll be onboarded to Defender for Business automatically.
+> - If you've been managing security policies and settings in the Intune admin center, we recommend switching to the Microsoft 365 Defender portal to manage your devices, policies, and settings. To learn more, see [Choose where to manage security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices).
+
+## [**Manual setup**](#tab/Manual)
## The setup and configuration process
-The following diagram depicts the overall setup and configuration process for Defender for Business.
+If you're setting up Defender for Business manually, here's the overall process you'll follow:
-> [!TIP]
-> If you used the setup wizard, then you've likely already completed steps 1-3, and possibly step 4.
+1. **Get Defender for Business**. Start a trial or paid subscription today. You can choose from the standalone version of Defender for Business, or get it as part of Microsoft 365 Business Premium. See [Get Microsoft Defender for Business](get-defender-business.md). And, if you're planning to onboard servers, see [How to get Microsoft Defender for Business servers](get-defender-business-servers.md).
+
+2. **Add users and assign licenses**. Assign a license for Defender for Business (or Microsoft 365 Business Premium) to each member of your organization to protect their devices. You'll also want to make sure multifactor authentication is enabled for all users. See [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).
+3. **Assign roles and permissions to your security team**. People on your security team need certain permissions to perform tasks, such as reviewing detected threats & remediation actions, viewing & editing policies, onboarding devices, and using reports. You can grant these permissions through roles. See [Assign roles and permissions](mdb-roles-permissions.md).
-| Step | Article | Description |
-|||--|
-| 1 | [Get Defender for Business](get-defender-business.md) | Start a trial or paid subscription today. You can choose from the standalone version of Defender for Business, or get it as part of Microsoft 365 Business Premium. See [Get Microsoft Defender for Business](get-defender-business.md). |
-| 2 | [Add users and assign licenses](mdb-add-users.md) | Assign a license for Defender for Business (or Microsoft 365 Business Premium) to each member of your organization to protect their devices. You'll also want to make sure multifactor authentication is enabled for all users. See [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md). |
-| 3 | [Assign security roles](mdb-roles-permissions.md) | People on your security team need certain permissions to perform tasks, such as reviewing detected threats & remediation actions, viewing & editing policies, onboarding devices, and using reports. You can grant these permissions through roles. See [Assign roles and permissions](mdb-roles-permissions.md). <br/><br/>You can also set up email notifications to let your security team know about incidents and vulnerabilities as they arise. See [Set up email notifications](mdb-email-notifications.md). |
-| 4 | [Onboard devices](mdb-onboard-devices.md) | You can onboard devices by downloading a script from the Microsoft 365 Defender portal, and then running that script on devices to onboard. Or, if your subscription includes Microsoft Intune, you can use it to enroll devices. See [Onboard devices to Defender for Business](mdb-onboard-devices.md). |
-| 5 | [Review and edit your security settings and policies](mdb-configure-security-settings.md) | You can choose from several options to configure your security settings and policies, such as the [simplified configuration process](mdb-simplified-configuration.md) in Defender for Business or Microsoft Intune. See [Configure your security settings and policies](mdb-configure-security-settings.md). |
+4. **Set up email notifications for your security team**. As alerts are generated, or new vulnerabilities are discovered, people on your security team will be notified automatically. See [Set up email notifications](mdb-email-notifications.md).
+
+5. **Onboard devices to Defender for Business**. The sooner you get your devices onboarded, the sooner they're protected by Defender for Business. You can onboard devices by downloading a script from the Microsoft 365 Defender portal, and then running that script on devices to onboard. Or, if your subscription includes Microsoft Intune, you can use it to enroll devices. See [Onboard devices to Defender for Business](mdb-onboard-devices.md).
+
+6. **Set up and review your security policies and settings**. Some security policies and settings are preconfigured with default settings in Defender for Business. Other policies, such as web content filtering and attack surface reduction rules, must be set up. See [Configure your security settings and policies](mdb-configure-security-settings.md).
> [!IMPORTANT] > If you have Microsoft 365 Business Premium, you have additional capabilities to set up and configure. See [Microsoft 365 Business Premium ΓÇô productivity and cybersecurity for small business](../../business-premium/index.md).
+
+ ## Next steps
-1. [Get and provision Defender for Business](get-defender-business.md).
-2. [Add users and assign licenses](mdb-add-users.md).
-3. [Assign security roles and permissions for your security team](mdb-roles-permissions.md).
-4. [Onboard devices](mdb-onboard-devices.md).
-5. [View and edit your security policies and settings](mdb-configure-security-settings.md).
+- [Onboard more devices](mdb-onboard-devices.md)
+- [View and edit your security policies and settings](mdb-configure-security-settings.md)
+- [View your reports](mdb-reports.md)
security Mdb Simplified Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-simplified-configuration.md
- Title: The simplified configuration process in Microsoft Defender for Business
-description: Defender for Business saves your business time with a simplified configuration process. See how it works and protects your business from day one.
------ Previously updated : 01/26/2023---- SMB-- m365-security-- m365-initiative-defender-business-- tier1--
-# The simplified configuration process in Microsoft Defender for Business
-
-Microsoft Defender for Business features a simplified configuration process designed especially for small and medium-sized businesses. A wizard-like experience takes the guesswork out of onboarding and managing devices. **We recommend using the simplified configuration process, but you're not limited to this option**.
-
-To onboard devices and configure security settings for your company's devices, you can choose from these experiences:
--- The simplified configuration process in Microsoft Defender for Business; or-- Use Microsoft Intune.-
-## What to do
-
-1. [Review your setup and configuration options](#review-your-setup-and-configuration-options).
-2. [Proceed to your next steps](#next-steps).
-
-## Review your setup and configuration options
-
-The following table describes each experience.
-
-| Portal experience | Description |
-|||
-| The simplified configuration experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | The simplified configuration experience includes a [wizard-like experience](mdb-use-wizard.md) to help you set up and configure Defender for Business. Simplified configuration also includes default security settings and policies to help protect your company's devices as soon as they're onboarded to Defender for Business. You can view and edit your default policies to suit your business needs. To learn more, see [View or edit device policies in Microsoft Defender for Business](mdb-view-edit-policies.md).<br/><br/>With the simplified experience, your security team uses the Microsoft 365 Defender portal as a one-stop shop to: <br/>- Set up and configure Defender for Business <br/>- View and manage incidents <br/>- Respond to and mitigate threats <br/>- View reports <br/>- Review pending or completed actions |
-| The Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) | Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) provider for apps and devices. If you're already using Intune, you can continue to use it to manage devices such as mobile phones, tablets, and laptops. See [Microsoft Intune: Device management](/mem/intune/fundamentals/what-is-device-management). |
-
-## Next steps
--- If you're ready to start your trial subscription, see [Trial user guide: Microsoft Defender for Business](trial-playbook-defender-business.md).-- If you're ready to use the simplified setup experience, see [Use the setup wizard in Microsoft Defender for Business](mdb-use-wizard.md).-- If you want to see the overall setup process, see [Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md).
security Mdb Use Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-use-wizard.md
- Title: Use setup wizard in Microsoft Defender for Business
-description: Defender for Business makes setup easy with a wizard that runs the first time you use Defender for Business. See how the setup wizard works.
------ Previously updated : 02/14/2023---- SMB-- m365-security-- m365-initiative-defender-business-- tier1---
-# Use the setup wizard in Microsoft Defender for Business
-
-Defender for Business was designed to save small and medium-sized businesses time and effort. For example, you can complete your initial setup and configuration process using a setup wizard. The setup wizard guides you through granting access to your security team, setting up email notifications for your security team, and onboarding your company's Windows devices.
-
-> [!TIP]
-> Using the setup wizard is optional. You can choose to work through the setup and configuration process manually. To learn more, see:
-> - [What happens if I don't use the wizard?](#what-happens-if-i-dont-use-the-wizard)
-> - [How to set up and configure Defender for Business](mdb-setup-configuration.md)
-
-## How to start the setup wizard
-
-The setup wizard is designed to run the first time someone in your company signs into the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
-
-If your company has been using [Microsoft 365 Business Premium](../../business-premium/index.md), the Defender for Business setup wizard will run the first time someone goes to **Assets** > **Devices**.
-
-The setup wizard start screen looks like the following image:
--
-## The setup wizard flow
-
-> [!IMPORTANT]
-> You must be a global administrator to run the setup wizard. The person who signed up your company for Microsoft 365 or for Defender for Business is a global administrator by default.
-
-The setup wizard is designed to help you set up and configure Defender for Business quickly and efficiently. The wizard walks you through the following steps:
-
-1. **Assign user permissions**. In this step, you grant your security team access to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This portal is where you and your security team will manage your security capabilities, view alerts, and take any needed actions on detected threats. Portal access is granted through roles that imply certain permissions.
-
- In Defender for Business, members of your security team can be assigned one of the following three roles:<br/>
-
- - **Global Admin**: A global admin can view and edit all settings across your Microsoft 365 tenant. The global admin does the initial setup and configuration for your company's Microsoft 365 subscription.
- - **Security Administrator**: A security administrator can view and edit security settings, and take action when threats are detected.
- - **Security Reader**: A security reader can view information in reports, but can't change any security settings.
-
- [Learn more about roles and permissions](mdb-roles-permissions.md).
-
-2. **Set up email notifications**. In this step, you can set up email notifications for your security team. Then, when an alert is generated or a new vulnerability is discovered, your security team won't miss it even if they're away from their desk. [Learn more about email notifications](mdb-email-notifications.md).
-
-3. **Onboard and configure Windows devices**. In this step, you can onboard your company's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one. [Learn more about onboarding devices to Defender for Business](mdb-onboard-devices.md).
-
- - **If you're not using Intune**, you can onboard devices in the Microsoft 365 Defender portal.
- - **If you're already using Microsoft Intune**, and your company has devices enrolled in Intune, you can continue using Intune. See [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
-
-4. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can also create your own security policies. See [View and edit your security policies and settings](mdb-configure-security-settings.md).
-
- > [!NOTE]
- > If you're already using Intune to manage your devices and security policies, you can continue using it. See [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
--
-## What is automatic onboarding?
-
-Automatic onboarding is a simplified way to onboard Windows devices to Defender for Business. Automatic onboarding is only available for Windows devices that are already enrolled in Microsoft Intune.
-
-While you're using the setup wizard, the system will detect whether Windows devices are already enrolled in Intune. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more devices later.
-
-To onboard other devices, see [Onboard devices to Defender for Business](mdb-onboard-devices.md).
-
-> [!TIP]
-> - We recommend selecting the "all devices enrolled" option. That way, when Windows devices are enrolled in Intune later on, they'll be onboarded to Defender for Business automatically.
-> - If you've been managing security policies and settings in the Intune admin center, we recommend switching to the Microsoft 365 Defender portal to manage your devices, policies, and settings. To learn more, see [Choose where to manage security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices).
-
-## What happens if I don't use the wizard?
-
-Using the setup wizard is optional. If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own.
-
-See [Set up and configure Defender for Business](mdb-setup-configuration.md) to walk through these steps:
-
-1. **[Assign roles and permissions](mdb-roles-permissions.md)** so your security team can access and use the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
-
-2. **[Set up email notifications for your security team](mdb-email-notifications.md)** so they're in the loop about new alerts or vulnerabilities.
-
-3. **[Onboard devices](mdb-onboard-devices.md)** so they're protected by Defender for Business.
-
-4. **[Manage your security policies](mdb-configure-security-settings.md)**, which include next-generation protection, firewall protection, and web content filtering.
-
-## Next steps
--- [Onboard more devices to Defender for Business](mdb-onboard-devices.md)-- [View and edit your security policies and settings in Defender for Business](mdb-configure-security-settings.md)
security Trial Playbook Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/trial-playbook-defender-business.md
The Microsoft 365 Defender portal ([https://security.microsoft.com](https://secu
### Step 3: Use the setup wizard in Defender for Business (recommended)
-Defender for Business was designed to save small and medium-sized businesses time and effort. You can do initial setup and configuration through a setup wizard. The setup wizard helps you grant access to your security team, set up email notifications for your security team, and onboard your company's Windows devices. **[Use the setup wizard](mdb-use-wizard.md)**.
+Defender for Business was designed to save small and medium-sized businesses time and effort. You can do initial setup and configuration through a setup wizard. The setup wizard helps you grant access to your security team, set up email notifications for your security team, and onboard your company's Windows devices. **[Use the setup wizard](mdb-setup-configuration.md)**.
> [!NOTE] > You can only use the setup wizard once.
Defender for Business was designed to save small and medium-sized businesses tim
#### Setup wizard flow: what to expect > [!TIP]
-> **Using the setup wizard is optional.** (See [What happens if I don't use the wizard?](mdb-use-wizard.md#what-happens-if-i-dont-use-the-wizard)). If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own. See [Step 4: Set up and configure Defender for Business](#step-4-set-up-and-configure-defender-for-business).
+> **Using the setup wizard is optional.** If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own. See [Step 4: Set up and configure Defender for Business](#step-4-set-up-and-configure-defender-for-business).
1. **[Assign user permissions](mdb-roles-permissions.md#view-or-edit-role-assignments)**. Grant your security team access to the Microsoft 365 Defender portal.
Defender for Business was designed to save small and medium-sized businesses tim
3. **[Onboard and configure Windows devices](mdb-onboard-devices.md)**. Onboarding devices right away helps protect those devices from day one. > [!NOTE]
- > When you use the setup wizard, the system detects if you have Windows devices that are already enrolled in Intune. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once or select specific devices at first and then add more devices later. [Learn more about automatic onboarding](mdb-use-wizard.md#what-is-automatic-onboarding).
+ > When you use the setup wizard, the system detects if you have Windows devices that are already enrolled in Intune. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once or select specific devices at first and then add more devices later.
To onboard other devices, see [Step 4: Set up and configure Defender for Business](#step-4-set-up-and-configure-defender-for-business).
security Get Agent Details https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Get-agent-details.md
+
+ Title: Get scan agent by ID
+description: Learn how to use the get agent details api
+keywords: apis, graph api, supported apis, agent details, definition
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+++
+search.appverid: met150
Last updated : 12/15/2022++
+# Get scan agent ID
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
++++
+## API description
+
+Retrieves the details for a specified agent by its ID.
+
+## Limitations
+
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
+
+Permission type|Permission|Permission display name
+:|:|:
+Application|Machine.Read.All| Read all scan information.
+Delegated (work or school account)|Machine.Read.All|Read all scan information.
+
+> [!NOTE]
+> When obtaining a token using user credentials:
+>
+> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](user-roles.md) for more information)
+
+## HTTP request
+
+```http
+GET /api/DeviceAuthenticatedScanAgents
+```
+
+## Request headers
+
+Name|Type|Description
+:|:|:
+Authorization|String|Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 - OK response code with the details of the specified agent.
+
+## Example request
+
+Here's an example of the request.
+
+```http
+GET https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanAgents/7f3d76a6976818553e996875dc91f55df6b26625
+```
+
+## Response example
+
+```json
+{
+"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanAgents/$entity",
+ "value": [
+ {
+ "id": "47df41a0c-asad-4fd6d3-bbea-a93dbc0bfcaa_4edd75b2407a5b64d704b4e53d74f15",
+ "machineId": "4ejh675b240118fbehiuiy5b64d704b4e53d15",
+ "lastSeen": "2022-05-08T12:18:41.538203Z",
+ "computerDnsName": "TEST_DOMAIN",
+ "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",
+ "ScannerSoftwareVersion": "7.1.1",
+ "LastCommandExecutionTimestamp": "2022-05-08T12:18:41.538203Z",
+ "mdeClientVersion": "10.8295.22621.1195"
+ },
+ ]
+}
+
+```
security Get Scan History By Definition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Get-scan-history-by-definition.md
Last updated 12/15/2022
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+> Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
[!Include[Prerelease information](../../includes/prerelease.md)]
security Add A New Scan Definition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/add-a-new-scan-definition.md
In the request body, supply a JSON object with the following parameters:
Parameter|Type|Description :|:|:
-ScanDefinitionIds|String|The scan Id. **Required**.
+scanType|Enum|The type of scan. Possible values are: "Windows", "Network". **Required**.
+scanName|String|Name of the scan. **Required**.
+isActive|Boolean|Status of whether the scan actively running. **Required**.
+target|String| A comma separated list of targets to scan, either IP addresses or hostnames. **Required**.
+intervalInHours|Int|The interval at which the scan runs. **Required**.
+targetType|String|The target type in the target field. Possible types are "IP Address" or "Hostname". Default value is IP Address. **Required**.
+scannerAgent|Object|machine Id. **Required**.
+scanAuthenticationParams|Object|An object representing the authentication parameters, see [Authentication parameters object properties](./get-authenticated-scan-properties.md#authentication-parameters-object-properties) for expected fields. This property is mandatory when creating a new scan and is optional when updating a scan.
## Response
-If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+If successful, this method returns 200 - Ok response code and the new or updated scan definition in the response body.
## Example request to add a new scan
POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinit
"targetType": "Ip", "scannerAgent": { "machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",
- "machineName": "DESKTOP-TEST",
+},
"scanAuthenticationParams": { "@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams", "type": "Kerberos", "username": "username", "domain": "password", "isGmsaUser": true
- },
- },
- },
- {
-"scanType": "Network",
-"scanName": "Test Network scan",
-"isActive": true,
-"target": "127.0.0.1",
-"intervalInHours": 1,
-"targetType": "Ip",
-"scannerAgent": {
- "machineId": "eb663a27678ik2f61bc268a79eeasdf450f77",
- "machineName": "DESKTOP-TEST",
-"scanAuthenticationParams": {
- "@odata.type": "#microsoft.windowsDefenderATP.api.SnmpAuthParams",
- "type": "AuthPriv",
- "username": "username",
- "authProtocol": "authProtocol",
- "authPassword": "authPassword",
- "privProtocol": "privProtocol",
- "privPassword": "privPassword",
- "communityString": "community-string"
- },
- },
- }
+ }
+}
```
-## Example request to delete scans
-
-Here's an example of a request that deletes scans.
+## Example response
-```http
-POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/BatchDelete
-```
+Here's an example of the response.
```json
-{
- "ScanDefinitionIds": ["td32f17af-5cc2-4e4e-964a-4c4ef7d216e2", "ab32g20af-5dd2-4a5e-954a-4c4ef7d216e2"],
+ {
+"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanDefinitions/$entity",
+ "id": "289224fb-1686-472c-9751-5555960854ca",
+ "scanType": "Windows",
+ "scanName": "Test Windows scan",
+ "isActive": true,
+ "target": "127.0.0.1",
+ "orgId": "0335a792-18d2-424b-aeed-559567054570",
+ "intervalInHours": 1,
+ "createdBy": "username@test.com",
+ "targetType": "Ip",
+ "scanAuthenticationParams": null,
+ "scannerAgent": {
+ "id": "0335a792-18d2-424b-aeed-559567054570_ eb663a27ae9d032f61bc268a79eedf14c4b90f77",
+ "machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",
+ "machineName": "DESKTOP-TEST",
+ "lastSeen": "2023-01-04T09:40:03.2787058Z",
+ "assignedApplicationId": "ae4a5cde-b4a1-4b76-8635-458b2cf15752",
+ "scannerSoftwareVersion": "7.6.0.0",
+ "lastCommandExecutionTimestamp": "2023-01-04T09:33:16Z",
+ "mdeClientVersion": "10.8295.22621.1010"
+ },
+ "latestScan": {
+ "status": null,
+ "failureReason": null,
+ "executionDateTime": null
+ }
+ } ```
POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinit
Here's an example of a request that updates a scan. ```http
-PATCH https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/a07c400a-f8e1-4329-ae66-7d3be65df0ec
-
+PATCH https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/289224fb-1686-472c-9751-5555960854ca
``` ```json {
-"scanName": "Test Network scan",
-"intervalInHours": 8,
-"isActive": "True",
+"scanName": "Test Update Windows scan",
+"isActive": false,
+"target": "127.0.0.2,127.0.0.3",
+"intervalInHours": 1,
"targetType": "Ip",
-"target": "10.5.0.8",
"scanAuthenticationParams": {
- "@odata.type": "#microsoft.windowsDefenderATP.api.SnmpAuthParams",
+ "@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams",
"type": "Kerberos", "username": "username", "domain": "password", "isGmsaUser": true }
+ }
+
+```
+
+## Response example
+
+Here's an example of the response.
+
+```json
+{
+ "@odata.context": "https://localhost:1059/api/$metadata#DeviceAuthenticatedScanDefinitions/$entity",
+ "id": "289224fb-1686-472c-9751-5555960854ca",
+ "scanType": "Windows",
+ "scanName": "Test Update Windows scan",
+ "isActive": false,
+ "target": "127.0.0.2,127.0.0.3",
+ "orgId": "0335a792-18d2-424b-aeed-559567054570",
+ "intervalInHours": 1,
+ "createdBy": "userName@microsoft.com",
+ "targetType": "Ip",
+ "scanAuthenticationParams": null,
+ "scannerAgent": {
+ "id": "0335a792-18d2-424b-aeed-559567054570_eb663a27ae9d032f61bc268a79eedf14c4b90f77",
+ "machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",
+ "machineName": "DESKTOP-TEST",
+ "lastSeen": "2023-01-04T09:40:03.2787058Z",
+ "assignedApplicationId": "ae4a5cde-b4a1-4b76-8635-458b2cf15752",
+ "scannerSoftwareVersion": "7.6.0.0",
+ "lastCommandExecutionTimestamp": "2023-01-04T09:33:16Z",
+ "mdeClientVersion": "10.8295.22621.1010"
+ },
+ "latestScan": {
+ "status": null,
+ "failureReason": null,
+ "executionDateTime": null
+ }
+}
+
+```
+
+## Example request to delete scans
+
+Here's an example of a request that deletes scans.
+
+```http
+POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/BatchDelete
+```
+
+```json
+{
+ "ScanDefinitionIds": ["td32f17af-5cc2-4e4e-964a-4c4ef7d216e2", "ab32g20af-5dd2-4a5e-954a-4c4ef7d216e2"],
} ```
security Apis Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/apis-intro.md
You can access Defender for Endpoint API with **Application Context** or **User
For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md). +
+>[!TIP]
+>When more than one query request is required to retrieve all the results, Microsoft Graph returns an `@odata.nextLink` property in the response that contains a URL to the next page of results. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
++ ## Related topics - [Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
security Configure Endpoints Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md
You'll need to know the exact Linux distros and macOS versions that are compatib
## Onboarding non-Windows devices
-You'll need to take the following steps to onboard non-Windows devices:
+You can choose to onboard non-Windows devices through Microsoft Defender for Endpoint or through a third-party solution. You'll need to take the following steps:
-1. Select your preferred method of onboarding:
+1. Select your preferred method of onboarding:
+ - To onboard macOS devices using Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac).
+ - To onboard Linux devices using Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux).
+ - To onboard non-windows devices using third party solution:
+ 1. In the navigation pane, select **Partners and APIs > Connected Applications**. Make sure the third-party solution is listed.
+ 2. In the **Connected Applications** page, select the partner that supports your non-Windows devices.
+ 3. Select **View** to open the partner's page. Follow the instructions provided on the page.
+ 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
- - For macOS devices, you can choose to onboard through Microsoft Defender for Endpoint or through a third-party solution. For more information, see [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac).
-
- - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.
- 1. In the navigation pane, select **Partners and APIs** \> **Partner Applications** . Make sure the third-party solution is listed.
- 2. In the **Partner Applications** page, select the partner that supports your non-Windows devices.
- 3. Click **View** to open the partner's page. Follow the instructions provided on the page.
- 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
2. Run a detection test by following the instructions of the third-party solution.
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
Configure the static proxy using the Group Policy available in Administrative Te
``` > [!NOTE]
->
+
+> If you are using static proxy setting on devices that are otherwise completely offline, meaning the operating system is unable to connect for the online certificate revocation list or Windows Update, then it is required to add the additional registry setting SSLOptions with a dword value of 0. Parent registry path location for "SSLOptions" is "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet"
+ > For resiliency purposes and the real-time nature of cloud-delivered protection, Microsoft Defender Antivirus will cache the last known working proxy. Ensure your proxy solution does not perform SSL inspection. This will break the secure cloud connection. > > Microsoft Defender Antivirus will not use the static proxy to connect to Windows Update or Microsoft Update for downloading updates. Instead, it will use a system-wide proxy if configured to use Windows Update, or the configured internal update source according to the [configured fallback order](manage-protection-updates-microsoft-defender-antivirus.md).
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
Title: Enable attack surface reduction rules
description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium audience: ITPro
- tier2 search.appverid: met150 Previously updated : 1/11/2023 Last updated : 04/20/2023 # Enable attack surface reduction rules
You can also exclude ASR rules from triggering based on certificate and file has
> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. > If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](attack-surface-reduction-rules-deployment-test.md#step-1-test-asr-rules-using-audit).
-You can specify individual files or folders (using folder paths or fully qualified resource names). An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service continues to trigger events until the service is stopped and restarted.
+You can specify individual files or folders (using folder paths or the full path to the file to be excluded). An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service continues to trigger events until the service is stopped and restarted.
For information about per-rule exclusions, see the section titled **Configure ASR rules per-rule exclusions** in the article [Test attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-test.md)
security Get All Scan Agents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-scan-agents.md
Last updated 12/14/2022
**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+> Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
[!Include[Prerelease information](../../includes/prerelease.md)]
Here is an example of the response.
"AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571", "ScannerSoftwareVersion": "7.1.1", "LastCommandExecutionTimestamp": "2022-05-08T12:18:41.538203Z",
+ "mdeClientVersion": "10.8295.22621.1195"
}, { "id": "47d41a0c-1dfd-46d3-bbea-a93dbc0bfcaa_eb663a27ae9d032f61bc268oiu4c4b90f77",
Here is an example of the response.
"AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571", "ScannerSoftwareVersion": "7.1.1", "LastCommandExecutionTimestamp": "2022-12-19T20:29:04.8242449Z",
+ "mdeClientVersion": "10.8295.22621.1010"
}, ] }
security Get All Scan Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-scan-definitions.md
Last updated 12/14/2022
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+> Want to experience Microsoft Defender Vulnerability Management? Find out how to [sign up for a free trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
[!Include[Prerelease information](../../includes/prerelease.md)]
Here is an example of the response.
"AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571", "ScannerSoftwareVersion": "7.1.1", "LastCommandExecutionTimestamp": "2021-12-19T20:29:04.8242449Z",
+ "mdeClientVersion": "10.8295.22621.1195"
}, "latestScan": { "status": "Fail",
Here is an example of the response.
"AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571", "ScannerSoftwareVersion": "7.1.1", "LastCommandExecutionTimestamp": "2022-12-21T14:34:19.5698988Z",
+ "mdeClientVersion": "10.8295.22621.1195"
}, "latestScan": { "status": "Fail",
security Get Authenticated Scan Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-authenticated-scan-properties.md
Method|Description
[Get all scan definitions](get-all-scan-definitions.md)|List all scan definitions. [Add, delete or update a scan definition](add-a-new-scan-definition.md)|Add, delete, or update a new scan definition. [Get all scan agents](get-all-scan-agents.md)|List all scan agents.
+[Get scan agent by Id](../defender-endpoint/Get-agent-details.md)| Retrieves the details for a specified agent by its Id.
[Get scan history by definition](get-scan-history-by-definition.md)|List scan definition history. [Get scan history by session](get-scan-history-by-session.md)|List scan history for a session.
Learn more about [Windows authenticated scan](../defender-vulnerability-manageme
## Properties
-Property ID|Data type|Description
+Property|Data type|Description
:|:|: id|String| Scan ID. scanType|Enum|The type of scan. Possible values are: "Windows", "Network".
intervalInHours|Int|The interval at which the scan runs.
createdBy|String| Unique identity of the user that created the scan. targetType|String|The target type in the target field. Possible types are "IP Address" or "Hostname". Default value is IP Address. target|String| A comma separated list of targets to scan, either IP addresses or hostnames.
-scanAuthenticationParams|Object|Set of authenticated scan objects, contains: authentication type, username, password. See [Get all scan definitions](./get-all-scan-definitions.md).
-scannerAgent|Object|Set of scanner agent objects, contains: ID, device ID, device name, the date and time (in UTC) the device was last seen, assigned application ID, scanner software version, and the date and time (in UTC) the scanner agent was last executed. See [Get all scan definitions](./get-all-scan-definitions.md).
-latestScan|Object|Latest scan object contains: scan status, failure, the date and time (in UTC) the scan was executed. See [Get all scan definitions](./get-all-scan-definitions.md).
+scanAuthenticationParams|Object|An object representing the authentication parameters, see [Authentication parameters object properties](#authentication-parameters-object-properties) for expected fields. This property is mandatory when creating a new scan and is optional when updating a scan.
+scannerAgent|Object|An object representing the scanner agent, contains the machine Id of the scanning device.
+
+### Authentication parameters object properties
+
+Property|Data type|Description and 
+:|:|:
+@odata.type|Enum|The scan type authentication parameters. Possible values are: "#microsoft.windowsDefenderATP.api.SnmpAuthParams" for "Network" scan type, and "#microsoft.windowsDefenderATP.api.WindowsAuthParams" for "Windows" scan type.
+type|Enum|The authentication method. Possible values vary based on @odata.type property. <br/> - If @odata.type is "SnmpAuthParams", possible values are "CommunityString", "NoAuthNoPriv", "AuthNoPriv", "AuthPriv". <br/> - If @odata.type is "WindowsAuthParams" possible values are "Kerberos" or "Negotiate".
+KeyVaultUrl|String (Optional)|An optional property that specifies from which KeyVault the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.
+KeyVaultSecretName|String (Optional)|An optional property that specifies KeyVault secret name from which the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.
+Domain|String (Optional)|Domain name when using "WindowsAuthParams".
+Username|String (Optional)|Username when using "WindowsAuthParams" or the username when choosing "SnmpAuthParams" with any type other than "CommunityString".
+IsGMSAUser|Boolean (Optional)|Must be set to true when choosing "WindowsAuthParams".
+CommunityString|String (Optional)|Community string to use when choosing "SnmpAuthParams" with "CommunityString"
+AuthProtocol|String (Optional)|Auth protocol to use with "SnmpAuthParams" and "AuthNoPriv" or "AuthPriv". Possible values are "MD5", "SHA1".
+AuthPassword|String (Optional)|Auth password to use with "SnmpAuthParams" and "AuthNoPriv" or "AuthPriv".
+PrivProtocol|String (Optional)|Priv protocol to use with "SnmpAuthParams" and "AuthPriv". Possible values are "DES", "3DES", "AES".
+PrivPassword|String (Optional)|Priv password to use with "SnmpAuthParams" and "AuthPriv".
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
This article is updated frequently to let you know what's new in the latest rele
- [What's new in Defender for Endpoint on macOS](mac-whatsnew.md) - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)
+<details>
+ <summary> April-2023 (Build: 101.98.58 | Release version: 30.123022.19858.0)</summary>
+
+&ensp;Released: **April 20,2023**<br/>
+&ensp;Published: **April 20, 2023**<br/>
+&ensp;Build: **101.98.58**<br/>
+&ensp;Release version: **30.123022.19858.0**<br/>
+&ensp;Engine version: **1.1.20000.2**<br/>
+&ensp;Signature version: **1.381.3067.0**<br/>
+
+**What's new**
+
+- There are multiple fixes and new changes in this release
+ - Logging and error reporting improvements for auditd.
+ - Handle failure in reload of auditd configuration.
+ - Handling for empty auditd rule files during MDE install.
+ - Engine Update to 1.1.20000.2 and Signatures Ver: 1.381.3067.0.
+ - Addressed a health issue in mdatp which occur due to selinux denials.
+ - Bug fixes.
+
+**Known issues**
+
+- While upgrading mdatp to version 101.94.13 or later, you may notice that health is false, with health_issues as "no active supplementary event provider". This may happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following commands can help you to identify such auditd rules (commands need to be run as super user). Please take backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures.
+
+```bash
+echo -c >> /etc/audit/rules.d/audit.rules
+augenrules --load
+```
+
+- While upgrading from mdatp version 101.75.43 or 101.78.13, you may encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at [System hang due to blocked tasks in fanotify code](https://access.redhat.com/solutions/2838901).
+
+There are two ways to mitigate this upgrade issue:
+
+1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.
+
+Example:
+```bash
+sudo apt purge mdatp
+sudo apt-get install mdatp
+```
+
+2. As an alternative you can follow the instructions to [uninstall](/microsoft-365/security/defender-endpoint/linux-resources#uninstall), then [install](/microsoft-365/security/defender-endpoint/linux-install-manually#application-installation) the latest version of the package.
+
+If you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrading.
+Caution: Some customers (<1%) experience issues with this method.
+
+ ```bash
+sudo mdatp config real-time-protection --value=disabled
+sudo systemctl disable mdatp
+```
+</details>
++ <details> <summary> March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)</summary>
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
If you experience any installation failures, refer to [Troubleshooting installat
- 2.6.32-754.43.1.el6.x86_64 - 2.6.32-754.47.1.el6.x86_64 - 2.6.32-754.48.1.el6.x86_64
+ - 2.6.32-754.49.1.el6.x86_64
- 2.6.32-754.6.3.el6.x86_64 - 2.6.32-754.9.1.el6.x86_64
security Raw Data Export Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-event-hub.md
Title: Stream Microsoft Defender for Endpoint events to Azure Event Hubs
-description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Event Hub.
+description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Event Hubs.
keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing ms.mktglfcycl: deploy
Last updated 12/18/2020
6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
+> [!NOTE]
+> Leaving Event Hubs name as empty will create an event hub for each category in the selected namespace. Event Hubs namespaces have a limit of 10 Event Hubs if you are not using a Dedicated Event Hubs Cluster.
+ In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab \> copy the text under **Resource ID**: :::image type="content" source="images/event-hub-resource-id.png" alt-text="The Event Hubs resource Id-1" lightbox="images/event-hub-resource-id.png":::
security Switch To Mde Phase 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md
Title: Migrate to Microsoft Defender for Endpoint - Onboard description: Move to Microsoft Defender for Endpoint. Onboard devices and then uninstall your non-Microsoft solution.
-keywords: migration, Microsoft Defender for Endpoint, edr
- migrationguides - admindeeplinkDEFENDER Previously updated : 04/10/2023 Last updated : 04/20/2023 search.appverid: met150
To verify that your onboarded devices are properly connected to Defender for End
## Step 3: Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
-Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use one of several methods, as described in the following table:
+Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode by using PowerShell.
-|Method|What to do|
-|||
-|PowerShell|1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run following PowerShell cmdlet: `Get-MpComputerStatus|select AMRunningMode`. <br/><br/>3. Review the results. You should see **Passive mode**.|
-|Windows Security app|1. On a Windows device, open the Windows Security app.<br/><br/>2. Select **Virus & threat protection**.<br/><br/>3. Under **Who's protecting me?** select **Manage providers**.<br/><br/>4. On the **Security providers** page, under **Antivirus**, look for **Microsoft Defender Antivirus is turned on**.|
-|Task Manager|1. On a Windows device, open the Task Manager app.<br/><br/>2. Select the **Details** tab. Look for **MsMpEng.exe** in the list.|
+1. On a Windows device, open Windows PowerShell as an administrator.
+
+2. Run the following PowerShell cmdlet: `Get-MpComputerStatus|select AMRunningMode`.
+
+3. Review the results. You should see **Passive mode**.
> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
> To learn more about passive mode and active mode, see [More details about Microsoft Defender Antivirus states](microsoft-defender-antivirus-compatibility.md#more-details-about-microsoft-defender-antivirus-states). ### Set Microsoft Defender Antivirus on Windows Server to passive mode manually
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
Before trying out this feature, make sure you meet the requirements described in
|:|:| | Subscription | Your subscription must include one of the following:<br/>- [Windows 10/11 Enterprise E5](/windows/deployment/deploy-enterprise-licenses)<br/>- [Microsoft 365 E5](https://www.microsoft.com/microsoft-365/enterprise/e5?activetab=pivot%3aoverviewtab)<br/>- Microsoft 365 E5 Security<br/>- [Microsoft 365 E3](https://www.microsoft.com/microsoft-365/enterprise/e3?activetab=pivot%3aoverviewtab)<br/>- [Microsoft Defender for Endpoint Plan 1 or Plan 2](../defender/eval-defender-endpoint-overview.md)<br/>- [Microsoft Defender for Business](../defender-business/mdb-overview.md)<br/>- [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium)| | Portal access | You must have access to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. |
-| Operating system | Your organization's devices must be running one of the following operating systems with the [latest antivirus/antimalware updates](microsoft-defender-antivirus-updates.md): <br/>- Windows 11<br/>- Windows 10 Anniversary Update (version 1607) or later |
+| Operating system | Your organization's devices must be running one of the following operating systems with the [latest antivirus/antimalware updates](microsoft-defender-antivirus-updates.md): <br/>- Windows 11<br/>- Windows 10 Anniversary Update (version 1607) or later <br/>- For information on MacOS availability, see [Network Protection for MacOS](network-protection-macos.md)<br/>- For information on Linux availability, see [Network Protection for Linux](network-protection-linux.md)|
| Related protection | [Windows Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) and [network protection](network-protection.md) must be enabled on your organization's devices. | ## Data handling
security Windows Authenticated Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/windows-authenticated-scan.md
- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
[!include[Prerelease information](../../includes/prerelease.md)] > [!NOTE] > To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
-Authenticated scan for Windows provides the ability to run scans on unmanaged Windows devices. You can remotely target by IP ranges or hostnames and scan Windows services by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities.
+Authenticated scan for Windows provides the ability to run scans on unmanaged Windows devices. You can remotely target by IP ranges or hostnames and scan Windows services by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities. By default, the scan will run every four hours with options to change this interval or have it only run once.
-This is applicable for devices that don't have the Defender Vulnerability Management or Defender for Endpoint agent deployed.
+Security administrators can then see the latest security recommendations and review recently discovered vulnerabilities for the targeted device in the [Microsoft 365 Defender portal](https://security.microsoft.com).
> [!TIP] > Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).
You can use APIs to create a new scan and view all existing configured scans in
- [Get all scan definitions](../defender-endpoint/get-all-scan-definitions.md) - [Add, delete or update a scan definition](../defender-endpoint/add-a-new-scan-definition.md) - [Get all scan agents](../defender-endpoint/get-all-scan-agents.md)
+- [Get scan agent by Id](../defender-endpoint/Get-agent-details.md)
- [Get scan history by definition](../defender-endpoint/get-scan-history-by-definition.md) - [Get scan history by session](../defender-endpoint/get-scan-history-by-session.md)
security Advanced Hunting Urlclickevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-urlclickevents-table.md
Last updated 04/27/2022
- Microsoft 365 Defender
-The `UrlClickEvents` table in the advanced hunting schema contains information about [Safe Links](../office-365-security/safe-links-about.md) clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps.
+The `UrlClickEvents` table in the advanced hunting schema contains information about [Safe Links](../office-365-security/safe-links-about.md) clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps. UrlClickEvents is currently in public preview for Microsoft 365 Commercial customers and not available yet for GCC, GCC High, or DoD.
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
UrlClickEvents
- [Proactively hunt for threats](advanced-hunting-overview.md) - [Safe Links in Microsoft Defender for Office 365](../office-365-security/safe-links-about.md)-- [Take action on advanced hunting query results](advanced-hunting-take-action.md)
+- [Take action on advanced hunting query results](advanced-hunting-take-action.md)
security Investigate Dlp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-dlp.md
To investigate Microsoft Purview Data Loss Prevention incidents in the Microsoft
- Microsoft 365 E5/A5 Information Protection and Governance > [!NOTE]
-> When you are licensed and eligible for this feature, DLP alerts will automatically flow into Microsoft 365 Defender. Open a support case if you want to disable this feature.
+> When you are licensed and eligible for this feature, DLP alerts will automatically flow into Microsoft 365 Defender. Open a support case if you want to disable this feature. If you disable this feature the behavior will be reverted to DLP alerts surfacing in the Defender portal as Microsoft Defender for Office alerts.
## DLP investigation experience in the Microsoft 365 Defender portal
security Microsoft Threat Actor Naming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/microsoft-threat-actor-naming.md
Use the following reference table below to understand how our previously publicl
|DEV-0832|Vanilla Tempest|Financially motivated|| |DEV-0950|Lace Tempest|Financially motivated|FIN11, TA505|
-A [downloadable version of the threat actor mapping](https://download.microsoft.com/download/4/5/2/45208247-c1e9-432d-a9a2-1554d81074d9/microsoft-threat-actor-list.xlsx) is also available.
- Read our announcement about the new taxonomy for more information: [https://aka.ms/threatactorsblog](https://aka.ms/threatactorsblog) ## Putting intelligence into the hands of security professionals [Intel profiles in Microsoft Defender Threat Intelligence](../defender/defender-threat-intelligence.md) bring crucial threat actor insights directly into defenders' hands so that they can get the context they need as they prepare for and respond to threats.
-Additionally, to further operationalize the threat intelligence you get from Microsoft, the Microsoft Defender Threat Intelligence Intel Profiles API provides the most up-to-date threat actor infrastructure visibility in the industry today, enabling threat intelligence and security operations (SecOps) teams to streamline their advanced threat hunting and analysis workflows. Learn more about this API in the documentation: [Use the threat intelligence APIs in Microsoft Graph (preview)](/graph/api/resources/security-threatintelligence-overview).
+Additionally, to further operationalize the threat intelligence you get from Microsoft, the Microsoft Defender Threat Intelligence Intel Profiles API provides the most up-to-date threat actor infrastructure visibility in the industry today, enabling threat intelligence and security operations (SecOps) teams to streamline their advanced threat hunting and analysis workflows. Learn more about this API in the documentation: [Use the threat intelligence APIs in Microsoft Graph (preview)](/graph/api/resources/security-threatintelligence-overview).
+
+## Resources
+
+Use the following query on Microsoft 365 Defender and other Microsoft security products supporting the Kusto query language (KQL) to get information about a threat actor using the old name, new name, or industry name:
+
+```kusto
+let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json"] with(format="multijson", ingestionMapping='[{"Column":"PreviousName","Properties":{"Path":"$.Previous name"}},{"Column":"NewName","Properties":{"Path":"$.New name"}},{"Column":"Origin","Properties":{"Path":"$.Origin/Threat"}},{"Column":"OtherNames","Properties":{"Path":"$.Other names"}}]');
+let GetThreatActorAlias = (Name: string) {
+TANames
+| where Name =~ NewName or Name =~ PreviousName or OtherNames has Name
+};
+GetThreatActorAlias("ZINC")
+```
+The following files containing the comprehensive mapping of old threat actor names with their new names are also available:
+
+- [JSON format](https://github.com/microsoft/mstic/blob/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json)
+- [downloadable Excel](https://download.microsoft.com/download/4/5/2/45208247-c1e9-432d-a9a2-1554d81074d9/microsoft-threat-actor-list.xlsx)
security Anti Malware Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-policies-configure.md
You can configure anti-malware policies in the Microsoft 365 Defender portal or
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
-2. On the **Anti-malware** page, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to open the new anti-malware policy wizard.
+2. On the **Anti-malware** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to open the new anti-malware policy wizard.
3. On the **Name your policy** page, configure these settings: - **Name**: Enter a unique, descriptive name for the policy. - **Description**: Enter an optional description for the policy.
- When you're finished on the **Name your policy** page, click **Next**.
+ When you're finished on the **Name your policy** page, select **Next**.
4. On the **Users and domains** page, identify the internal recipients that the policy applies to (recipient conditions): - **Users**: The specified mailboxes, mail users, or mail contacts.
You can configure anti-malware policies in the Microsoft 365 Defender portal or
- The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.
You can configure anti-malware policies in the Microsoft 365 Defender portal or
> > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
- When you're finished on the **Users and domains** page, click **Next**.
+ When you're finished on the **Users and domains** page, select **Next**.
5. On the **Protection settings** page, configure the following settings:
You can configure anti-malware policies in the Microsoft 365 Defender portal or
- **Customize notifications for messages from external senders** section: If you previously selected **Notify an admin about undelivered messages from external senders**, use the **Subject** and **Message** boxes that appear in this section to specify the subject and message body of admin notification messages.
- When you're finished on the **Protection settings** page, click **Next**.
+ When you're finished on the **Protection settings** page, select **Next**.
-6. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+6. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review** page, click **Submit**.
+ When you're finished on the **Review** page, select **Submit**.
-7. On the **Created new anti-malware policy** page, you can click the links to view the policy, view anti-malware policies, and learn more about anti-malware policies.
+7. On the **Created new anti-malware policy** page, you can select the links to view the policy, view anti-malware policies, and learn more about anti-malware policies.
- When you're finished on the **Created new anti-malware policy** page, click **Done**.
+ When you're finished on the **Created new anti-malware policy** page, select **Done**.
Back on the **Anti-malware** page, the new policy is listed.
On the **Anti-malware** page, the following properties are displayed in the list
- **On** or **Off** for other anti-malware policies. - **Priority**: For more information, see the [Set the priority of custom anti-malware policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-malware-policies) section.
-To change the list of policies from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific anti-malware policies. Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of policies to a CSV file.
-Select a policy by clicking anywhere other than the check box next to the name to open the details flyout for the policy.
+Select a policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
> [!TIP]
-> To see details about other anti-malware policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other anti-malware policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
## Use the Microsoft 365 Defender portal to take action on anti-malware policies
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to
- **Disable selected policies**. - **Delete selected policies**.
- :::image type="content" source="../../media/anti-malware-policies-main-page.png" alt-text="The Anti-malware page with a policy select and the More actions control expanded." lightbox="../../media/anti-malware-policies-main-page.png":::
+ :::image type="content" source="../../media/anti-malware-policies-main-page.png" alt-text="The Anti-malware page with a policy selected and the More actions control expanded." lightbox="../../media/anti-malware-policies-main-page.png":::
- Select the policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens: - Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)
The actions are described in the following subsections.
### Use the Microsoft 365 Defender portal to modify anti-malware policies
-After you select the default anti-malware policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-malware policies](#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies) section earlier in this article.
+After you select the default anti-malware policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-malware policies](#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.
-For the anti-malware policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. You can click :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
+For the anti-malware policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
### Use the Microsoft 365 Defender portal to enable or disable custom anti-malware policies
You can't enable or disable the anti-malware policies that are associated with S
After you select an enabled custom anti-malware policy (the **Status** value is **On**), use either of the following methods to disable it: -- **On the Anti-malware** page: Click :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Disable selected policies**.-- **In the details flyout of the policy**: Click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the flyout.
+- **On the Anti-malware** page: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Disable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the flyout.
After you select a disabled custom anti-malware policy (the **Status** value is **Off**), use either of the following methods to enable it: -- **On the Anti-malware** page: Click :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Enable selected policies**.-- **In the details flyout of the policy**: Click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the flyout.
+- **On the Anti-malware** page: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Enable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the flyout.
On the **Anti-malware** page, the **Status** value of the policy is now **On** or **Off**.
On the **Anti-malware** page, the **Status** value of the policy is now **On** o
Anti-malware policies are processed in the order that they're displayed on the **Anti-malware** page: - The anti-malware policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).-- The anti-malware policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The anti-malware policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled).
- Custom anti-malware policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). - By default, a new policy is created with a priority that's lower than the lowest existing custom policy (the first is 0, the next is 1, etc.).
Anti-malware policies are processed in the order that they're displayed on the *
Anti-malware protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-After you select the custom anti-malware policy by clicking anywhere other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
+After you select the custom anti-malware policy by clicking anywhere in the row other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
- The custom policy with the **Priority** value **0** on the **Anti-malware** page has the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** action at the top of the details flyout. - The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout. - If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.
-When you're finished in the policy details flyout, click **Close**.
+When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-malware** page, the order of the policy in the list matches the updated **Priority** value.
You can't remove the default anti-malware policy or the anti-malware policies na
After you select the custom anti-malware policy, use either of the following methods to remove it: - **On the Anti-malware** page: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Delete selected policies**.-- **In the details flyout of the policy**: Click :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout.
-Click **Yes** in the warning dialog that opens.
+Select **Yes** in the warning dialog that opens.
On the **Anti-malware** page, the deleted policy is no longer listed. ## Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-malware policies
-For more information about anti-spam policies in PowerShell, see [Anti-malware policies in the Microsoft 365 Defender portal vs PowerShell](anti-malware-protection-about.md#anti-malware-policies-in-the-microsoft-365-defender-portal-vs-powershell).
+In PowerShell, the basic elements of an anti-malware policy are:
+
+- **The malware filter policy**: Specifies the recipient notification, sender and admin notification, ZAP, and the common attachments filter settings.
+- **The malware filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.
+
+The difference between these two elements isn't obvious when you manage anti-malware policies in the Microsoft 365 Defender portal:
+
+- When you create an anti-malware policy in the Defender portal, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.
+- When you modify an anti-malware policy in the Defender portal, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (recipient notification, sender and admin notification, ZAP, and the common attachments filter) modify the associated malware filter policy.
+- When you remove an anti-malware policy from the Defender portal, the malware filter rule and the associated malware filter policy are removed at the same time.
+
+In Exchange Online PowerShell or standalone EOP PowerShell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the **\*-MalwareFilterPolicy** cmdlets, and you manage malware filter rules by using the **\*-MalwareFilterRule** cmdlets.
+
+- In PowerShell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.
+- In PowerShell, you modify the settings in the malware filter policy and the malware filter rule separately.
+- When you remove a malware filter policy from PowerShell, the corresponding malware filter rule isn't automatically removed, and vice versa.
### Use PowerShell to create anti-malware policies
security Anti Malware Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection-about.md
description: Admins can learn about anti-malware protection and anti-malware pol
Previously updated : 1/31/2023 Last updated : 4/19/2023 # Anti-malware protection in EOP
Anti-malware policies control the settings and notification options for malware
For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-### Anti-malware policies in the Microsoft 365 Defender portal vs PowerShell
-
-The basic elements of an anti-malware policy are:
--- **The malware filter policy**: Specifies the recipient notification, sender and admin notification, ZAP, and the common attachments filter settings.-- **The malware filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.-
-The difference between these two elements isn't obvious when you manage anti-malware policies in the Microsoft 365 Defender portal:
--- When you create an anti-malware policy, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.-- When you modify an anti-malware policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (recipient notification, sender and admin notification, ZAP, and the common attachments filter) modify the associated malware filter policy.-- When you remove an anti-malware policy, the malware filter rule and the associated malware filter policy are removed.-
-In Exchange Online PowerShell or standalone EOP PowerShell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the **\*-MalwareFilterPolicy** cmdlets, and you manage malware filter rules by using the **\*-MalwareFilterRule** cmdlets.
--- In PowerShell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.-- In PowerShell, you modify the settings in the malware filter policy and the malware filter rule separately.-- When you remove a malware filter policy from PowerShell, the corresponding malware filter rule isn't automatically removed, and vice versa.-
-### Default anti-malware policy
+## Default anti-malware policy
Every organization has a built-in anti-malware policy named Default that has these properties: -- The policy is applied to all recipients in the organization, even though there's no malware filter rule (recipient filters) associated with the policy.-- The policy has the custom priority value **Lowest** that you can't modify (the policy is always applied last). Any custom anti-malware policies that you create always have a higher priority than the policy named Default. - The policy is the default policy (the **IsDefault** property has the value `True`), and you can't delete the default policy.
+- The policy is automatically applied to all recipients in the organization, and you can't turn it off.
+- The policy is always applied last (the **Priority** value is **Lowest** and you can't change it. Any custom anti-malware policies that you create are always applied before the default policy (custom anti-malware policies always have a higher priority than the default policy).
+
security Anti Phishing Policies Eop Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure.md
For anti-phishing policy procedures in organizations with Microsoft Defender for
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
-2. On the **Anti-phishing** page, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to open the new anti-phishing policy wizard.
+2. On the **Anti-phishing** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to open the new anti-phishing policy wizard.
3. On the **Policy name** page, configure these settings: - **Name**: Enter a unique, descriptive name for the policy. - **Description**: Enter an optional description for the policy.
- When you're finished on the **Policy name** page, click **Next**.
+ When you're finished on the **Policy name** page, select **Next**.
4. On the **Users, groups, and domains** page, identify the internal recipients that the policy applies to (recipient conditions): - **Users**: The specified mailboxes, mail users, or mail contacts.
For anti-phishing policy procedures in organizations with Microsoft Defender for
- The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.
For anti-phishing policy procedures in organizations with Microsoft Defender for
> > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
- When you're finished on the **Users, groups, and domains** page, click **Next**.
+ When you're finished on the **Users, groups, and domains** page, select **Next**.
5. On the **Phishing threshold & protection** page, use the **Enable spoof intelligence** check box to turn spoof intelligence on or off. This setting is selected by default, and we recommend that you leave it selected. You specify the action to take on messages from blocked spoofed senders on the next page.
For anti-phishing policy procedures in organizations with Microsoft Defender for
> [!NOTE] > You don't need to turn off spoof intelligence if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
- When you're finished on the **Phishing threshold & protection** page, click **Next**.
+ When you're finished on the **Phishing threshold & protection** page, select **Next**.
6. On the **Actions** page, configure the following settings:
For anti-phishing policy procedures in organizations with Microsoft Defender for
To turn on a setting, select the check box. To turn it off, clear the check box.
- When you're finished on the **Actions** page, click **Next**.
+ When you're finished on the **Actions** page, select **Next**.
-7. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+7. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review** page, click **Submit**.
+ When you're finished on the **Review** page, select **Submit**.
-8. On the **New anti-phishing policy created** page, you can click the links to view the policy, view anti-phishing policies, and learn more about anti-phishing policies.
+8. On the **New anti-phishing policy created** page, you can select the links to view the policy, view anti-phishing policies, and learn more about anti-phishing policies.
- When you're finished on the **New anti-phishing policy created** page, click **Done**.
+ When you're finished on the **New anti-phishing policy created** page, select **Done**.
Back on the **Anti-phishing** page, the new policy is listed.
On the **Anti-phishing** page, the following properties are displayed in the lis
- **On** or **Off** for other anti-spam policies. - **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section.
-To change the list of policies from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
Use :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the policies by **Time range** (creation date) or **Status**.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" bor
Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of policies to a CSV file.
-Select a policy by clicking anywhere other than the check box next to the name to open the details flyout for the policy.
+Select a policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
> [!TIP]
-> To see details about other anti-phishing policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other anti-phishing policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
## Use the Microsoft 365 Defender portal to take action on anti-phishing policies
Select a policy by clicking anywhere other than the check box next to the name t
- **Disable selected policies**. - **Delete selected policies**.
- :::image type="content" source="../../media/anti-phishing-policies-main-page.png" alt-text="The Ati-phishing page with a policy select and the More actions control expanded." lightbox="../../media/anti-phishing-policies-main-page.png":::
+ :::image type="content" source="../../media/anti-phishing-policies-main-page.png" alt-text="The Anti-phishing page with a policy selected and the More actions control expanded." lightbox="../../media/anti-phishing-policies-main-page.png":::
- Select the policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens: - Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)
The actions are described in the following subsections.
### Use the Microsoft 365 Defender portal to modify anti-phishing policies
-After you select the default anti-phishing policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
+After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.
-For the anti-phishing policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. You can click :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
+For the anti-phishing policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
### Use the Microsoft 365 Defender portal to enable or disable custom anti-phishing policies
You can't enable or disable the anti-phishing policies that are associated with
After you select an enabled custom anti-phishing policy (the **Status** value is **On**), use either of the following methods to disable it: -- **On the Anti-phishing page**: Click :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Disable selected policies**.-- **In the details flyout of the policy**: Click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the flyout.
+- **On the Anti-phishing page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Disable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the flyout.
After you select a disabled custom anti-phishing policy (the **Status** value is **Off**), use either of the following methods to enable it: -- **On the Anti-phishing page**: Click :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Enable selected policies**.-- **In the details flyout of the policy**: Click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the flyout.
+- **On the Anti-phishing page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Enable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the flyout.
On the **Anti-phishing** page, the **Status** value of the policy is now **On** or **Off**.
On the **Anti-phishing** page, the **Status** value of the policy is now **On**
Anti-phishing policies are processed in the order that they're displayed on the **Anti-phishing** page: - The anti-phishing policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).-- The anti-phishing policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The anti-phishing policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled).
- Custom anti-phishing policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). - By default, a new policy is created with a priority that's lower than the lowest existing custom policy (the first is 0, the next is 1, etc.).
Anti-phishing policies are processed in the order that they're displayed on the
Anti-phishing protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-After you select the custom anti-phishing policy by clicking anywhere other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
+After you select the custom anti-phishing policy by clicking anywhere in the row other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
- The custom policy with the **Priority** value **0** on the **Anti-Phishing** page has the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** action at the top of the details flyout. - The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout. - If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.
-When you're finished in the policy details flyout, click **Close**.
+When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-phishing** page, the order of the policy in the list matches the updated **Priority** value.
You can't remove the default anti-phishing policy or the anti-phishing policies
After you select the custom anti-phishing policy, use either of the following methods to remove it: - **On the Anti-phishing page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Delete selected policies**.-- **In the details flyout of the policy**: Click :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout.
-Click **Yes** in the warning dialog that opens.
+Select **Yes** in the warning dialog that opens.
On the **Anti-phishing** page, the deleted policy is no longer listed.
security Anti Phishing Policies Mdo Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure.md
description: Admins can learn how to create, modify, and delete the advanced ant
search.appverid: met150 Previously updated : 4/18/2023 Last updated : 4/21/2023 # Configure anti-phishing policies in Microsoft Defender for Office 365
For anti-phishing policy procedures in organizations without Defender for Office
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
-2. On the **Anti-phishing** page, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to open the new anti-phishing policy wizard.
+2. On the **Anti-phishing** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to open the new anti-phishing policy wizard.
3. On the **Policy name** page, configure these settings: - **Name**: Enter a unique, descriptive name for the policy. - **Description**: Enter an optional description for the policy.
- When you're finished on the **Policy name** page, click **Next**.
+ When you're finished on the **Policy name** page, select **Next**.
4. On the **Users, groups, and domains** page, identify the internal recipients that the policy applies to (recipient conditions): - **Users**: The specified mailboxes, mail users, or mail contacts.
For anti-phishing policy procedures in organizations without Defender for Office
- The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.
For anti-phishing policy procedures in organizations without Defender for Office
> > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
- When you're finished on the **Users, groups, and domains** page, click **Next**.
+ When you're finished on the **Users, groups, and domains** page, select **Next**.
5. On the **Phishing threshold & protection** page, configure the following settings:
For anti-phishing policy procedures in organizations without Defender for Office
- **Impersonation**: These settings are conditions for the policy that identify specific senders to look for (individually or by domain) in the From address of inbound messages. For more information, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
- - **Enable users to protect**: This setting isn't selected by default. To turn on user impersonation protection, select the check box, and then click the **Manage (nn) sender(s)** link. You identify the action for user impersonation detections on the next page.
+ - **Enable users to protect**: This setting isn't selected by default. To turn on user impersonation protection, select the check box, and then select the **Manage (nn) sender(s)** link. You identify the action for user impersonation detections on the next page.
You identify the internal and external senders to protect by the combination of their display name and email address.
- Click :::image type="icon" source="../../media/m365-cc-sc-add-internal-icon.png" border="false"::: **Add user**. In the **Add user** flyout that opens, do the following steps:
+ Select :::image type="icon" source="../../media/m365-cc-sc-add-internal-icon.png" border="false"::: **Add user**. In the **Add user** flyout that opens, do the following steps:
- - **Internal users**: Click in the **Add a valid email** box or start typing the user's email address. Select the email address in the **Suggested contacts** drop down list that appears. The user's display name is added to the **Add a name** (which you can change). When you're finished selecting the user, click **Add**.
+ - **Internal users**: Click in the **Add a valid email** box or start typing the user's email address. Select the email address in the **Suggested contacts** drop down list that appears. The user's display name is added to the **Add a name** box (which you can change). When you're finished selecting the user, select **Add**.
- **External users**: Type the external user's full email address in the **Add a valid email** box, and then select the email address in the **Suggested contacts** drop down list that appears. The email address is also added in the **Add a name** box (which you can change to a display name).
- The users you added are listed on the **Add user** flyout by **Name** and **Email address**. To remove a user, click :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false":::.
+ The users you added are listed on the **Add user** flyout by **Name** and **Email address**. To remove a user, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: next to the entry.
- When you're finished on the **Add user** flyout, click **Add** to return to the **Manage senders for impersonation protection** flyout where the users you selected are now listed by **Display name** and **Sender email address**.
+ When you're finished on the **Add user** flyout, select **Add**.
- To change the list of users from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+ Back on the **Manage senders for impersonation protection** flyout, the users you selected are listed by **Display name** and **Sender email address**.
- Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find users on the flyout.
-
- To remove a user, select them selecting the round check box that appears next to their **Display name**, and then click the :::image type="icon" source="../../media/m365-cc-sc-remove-selected-users-icon.png" border="false"::: action that appears.
+ To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
- When you're finished on the **Manage senders for impersonation protection** flyout, click **Done** to return to the **Phishing threshold & protection** page.
+ Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find entries on the flyout.
+
+ To add entries, select :::image type="icon" source="../../media/m365-cc-sc-add-internal-icon.png" border="false"::: **Add user** and repeat the previous steps.
+
+ To remove entries, do either of the following steps:
+
+ - Select one or more entries by selecting the round check box that appears in the blank area next to the display name value.
+ - Select all entries at once by selecting the round check box that appears in the blank area next to the **Display name** column header.
+
+ When you're finished on the **Manage senders for impersonation protection** flyout, select **Done** to return to the **Phishing threshold & protection** page.
> [!NOTE] > You can specify a maximum of 350 users for user impersonation protection in each anti-phishing policy.
For anti-phishing policy procedures in organizations without Defender for Office
> User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt. > > You might get the error "The email address already exists" if you try to add a user to user impersonation protection when that email address is already specified for user impersonation protection in another anti-phishing policy. This error occurs only in the Defender portal. You won't get the error if you use the corresponding _TargetedUsersToProtect_ parameter in the **New-AntiPhishPolicy** or **Set-AntiPhishPolicy** cmdlets in Exchange Online PowerShell.
- >
- > If Microsoft 365 system messages from the following senders are identified as impersonation attempts, you can add the senders to the trusted senders list:
- >
- > - `noreply@email.teams.microsoft.com`
- > - `noreply@emeaemail.teams.microsoft.com`
- > - `no-reply@sharepointonline.com`
- **Enable domains to protect**: This setting isn't selected by default. To turn on domain impersonation protection, select the check box, and then configure one or both of the following settings that appear. You identify the action for domain impersonation detections on the next page.
- - **Include the domains I own**: To turn on this setting, select the check box. To view the domains that you own, click **View my domains**.
+ - **Include the domains I own**: To turn on this setting, select the check box. To view the domains that you own, select **View my domains**.
- - **Include custom domains**: To turn on this setting, select the check box, and then click the **Manage (nn) custom domain(s)** link. In the **Manage custom domains for impersonation protection** flyout that opens, do the following steps:
+ - **Include custom domains**: To turn on this setting, select the check box, and then select the **Manage (nn) custom domain(s)** link. In the **Manage custom domains for impersonation protection** flyout that opens, do the following steps:
- Click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add domains**.
+ Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add domains**.
In the **Add custom domains** flyout that appears, click in the **Domain** box, enter a domain value, and then select the value that's displayed below the box. Repeat this step as many times as necessary.
- The domains you added are listed on the **Add custom domains** flyout. To remove the domain, click :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ The domains you added are listed on the **Add custom domains** flyout. To remove the domain, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
- When you're finished on the **Add custom domains** flyout, click **Add domains** to return to the **Manage custom domains for impersonation protection** flout where the domains you entered are now listed.
+ When you're finished on the **Add custom domains** flyout, select **Add domains**
- To change the list of domains from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+ Back on the **Manage custom domains for impersonation protection** flyout, the domains you entered are listed.
- Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find domains on the flyout.
-
- To remove a domain, select it by selecting the round check box that appears next to the domain, and then click the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+ To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
- When you're finished on the **Manage custom domains for impersonation protection** flyout, click **Done** to return to the **Phishing threshold & protection** page.
+ Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find entries on the flyout.
- - **Add trusted senders and domains**: Specify impersonation protection exceptions for the policy by clicking on **Manage (nn) trusted sender(s) and domain(s)**. On the **Manage custom domains for impersonation protection** flyout that opens, configure the following settings:
+ To add entries, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add domains** and repeat the previous steps.
+
+ To remove entries, do either of the following steps:
+
+ - Select one or more entries by selecting the round check box that appears in the blank area next to the domain value.
+ - Select all entries at once by selecting the round check box that appears in the blank area next to the **Domains** column header.
+
+ When you're finished on the **Manage custom domains for impersonation protection** flyout, select **Done** to return to the **Phishing threshold & protection** page.
+
+ - **Add trusted senders and domains**: Specify impersonation protection exceptions for the policy by selecting **Manage (nn) trusted sender(s) and domain(s)**. On the **Manage custom domains for impersonation protection** flyout that opens, you enter senders on the **Sender** tab and domains on the **Domain** tab.
> [!NOTE] > The maximum number of trusted sender and domain entries is 1024.
- - **Senders**: Verify the **Sender** tab is selected and then click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add senders**. In the **Add trusted senders** flyout that opens, enter an email address in the **Add a valid email** box, and then click **Add**. Repeat this step as many times as necessary. To remove an existing entry, click :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: for the entry.
+ - **Sender** tab: Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add senders**.
+
+ In the **Add trusted senders** flyout that opens, enter an email address in the **Add a valid email** box, and then select **Add**. Repeat this step as many times as necessary. To remove an existing entry, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: for the entry.
+
+ When you're finished on the **Add trusted senders** flyout, select **Add**.
+
+ Back on the **Sender** tab, the senders you entered are listed.
+
+ To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+
+ Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find entries on the flyout.
+
+ To add entries, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add senders** and repeat the previous steps.
+
+ To remove entries, do either of the following steps:
+
+ - Select one or more entries by selecting the round check box that appears in the blank area next to the sender value.
+ - Select all entries at once by selecting the round check box that appears in the blank area next to the **Sender** column header.
+
+ When you're finished on the **Sender** tab of the **Manage custom domains for impersonation protection** flyout, select the **Domain** tab to add domains, or select **Done** to return to the **Phishing threshold & protection** page.
+
+ > [!TIP]
+ > If Microsoft 365 system messages from the following senders are identified as impersonation attempts, you can add the senders to the trusted senders list:
+ >
+ > - `noreply@email.teams.microsoft.com`
+ > - `noreply@emeaemail.teams.microsoft.com`
+ > - `no-reply@sharepointonline.com`
+
+ - **Domain** tab: Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add domains**. In the **Add trusted domains** flyout that opens, enter domain in the **Domain** box, and then select the domain in drop down list that appears. Repeat this step as many times as necessary. To remove an existing entry, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: for the entry.
+
+ When you're finished on the **Add trusted domains** flyout, select **Add domains**.
+
+ Back on the **Domain** tab, the domains you added are now listed.
- When you're finished on the **Add trusted senders** flyout, click **Add** to return to the **Senders** tab of the **Manage custom domains for impersonation protection** flyout where the senders you added are now listed on the **Senders** tab.
+ To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
- To change the list of senders from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+ Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find entries on the tab.
- Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find senders on the tab.
-
- To remove a sender, select them by selecting the round check box that appears next to their email address, and then click the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+ To add entries, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add domains** and repeat the previous steps.
- - **Domains**: Select the **Domain** tab and then click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add domains**. In the **Add trusted domains** flyout that opens, enter domain in the **Domain** box, and then select the domain in drop down list that appears. Repeat this step as many times as necessary. To remove an existing entry, click :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: for the entry.
+ To remove entries, do either of the following steps:
- When you're finished on the **Add trusted domains** flyout, click **Add domains** to return to the **Domains** tab of the **Manage custom domains for impersonation protection** flyout where the domains you added are now listed.
+ - Select one or more entries by selecting the round check box that appears in the blank area next to the domain value.
+ - Select all entries at once by selecting the round check box that appears in the blank area next to the **Domain** column header.
- To change the list of domains from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
- Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find domains on the tab.
-
- To remove a domain, select it by selecting the round check box that appears next to the domain and then click the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+ When you're finished on the **Domain** tab of the **Manage custom domains for impersonation protection** flyout, select the **Sender** tab to add senders, or select **Done** to return to the **Phishing threshold & protection** page.
> [!NOTE] > Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.
- When you're finished on the **Manage custom domains for impersonation protection** flyout, click **Done**to return to the **Phishing threshold & protection** page.
+ When you're finished on the **Manage custom domains for impersonation protection** flyout, select **Done**to return to the **Phishing threshold & protection** page.
- **Enable mailbox intelligence**: This setting is selected by default, and we recommend that you leave it selected. To turn off mailbox intelligence, clear the check box.
For anti-phishing policy procedures in organizations without Defender for Office
> [!NOTE] > You don't need to turn off spoof intelligence if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
- When you're finished on the **Phishing threshold & protection** page, click **Next**.
+ When you're finished on the **Phishing threshold & protection** page, select **Next**.
6. On the **Actions** page, configure the following settings:
For anti-phishing policy procedures in organizations without Defender for Office
To turn on a setting, select the check box. To turn it off, clear the check box.
- When you're finished on the **Actions** page, click **Next**.
+ When you're finished on the **Actions** page, select **Next**.
-7. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+7. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review** page, click **Submit**.
+ When you're finished on the **Review** page, select **Submit**.
-8. On the **New anti-phishing policy created** page, you can click the links to view the policy, view anti-phishing policies, and learn more about anti-phishing policies.
+8. On the **New anti-phishing policy created** page, you can select the links to view the policy, view anti-phishing policies, and learn more about anti-phishing policies.
- When you're finished on the **New anti-phishing policy created** page, click **Done**.
+ When you're finished on the **New anti-phishing policy created** page, select **Done**.
Back on the **Anti-phishing** page, the new policy is listed.
On the **Anti-phishing** page, the following properties are displayed in the lis
- **Always on** for the default anti-phishing policy. - **On** or **Off** for other anti-spam policies. - **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section.
-To change the list of policies from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
-Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the policies by **Time range** (creation date) or **Status**.
+Select ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the policies by **Time range** (creation date) or **Status**.
Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and a corresponding value to find specific anti-phishing policies. Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of policies to a CSV file.
-Select a policy by clicking anywhere other than the check box next to the name to open the details flyout for the policy.
+Select a policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
> [!TIP]
-> To see details about other anti-phishing policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other anti-phishing policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
## Use the Microsoft 365 Defender portal to take action on anti-phishing policies
Select a policy by clicking anywhere other than the check box next to the name t
- **Disable selected policies**. - **Delete selected policies**.
- :::image type="content" source="../../media/anti-phishing-policies-main-page.png" alt-text="The Ati-phishing page with a policy select and the More actions control expanded." lightbox="../../media/anti-phishing-policies-main-page.png":::
+ :::image type="content" source="../../media/anti-phishing-policies-main-page.png" alt-text="The Anti-phishing page with a policy selected and the More actions control expanded." lightbox="../../media/anti-phishing-policies-main-page.png":::
- Select the policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens:
- - Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)
+ - Modify policy settings by selecting **Edit** in each section (custom policies or the default policy)
- :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** or :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** (custom policies only) - :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** or :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** (custom policies only) - :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)
The actions are described in the following subsections.
### Use the Microsoft 365 Defender portal to modify anti-phishing policies
-After you select the default anti-phishing policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
+After you select the default anti-phishing policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.
-For the anti-phishing policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. You can click :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
+For the anti-phishing policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
### Use the Microsoft 365 Defender portal to enable or disable custom anti-phishing policies
You can't enable or disable the anti-phishing policies that are associated with
After you select an enabled custom anti-phishing policy (the **Status** value is **On**), use either of the following methods to disable it: -- **On the Anti-phishing page**: Click :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Disable selected policies**.-- **In the details flyout of the policy**: Click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the flyout.
+- **On the Anti-phishing page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Disable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the flyout.
After you select a disabled custom anti-phishing policy (the **Status** value is **Off**), use either of the following methods to enable it: -- **On the Anti-phishing page**: Click :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Enable selected policies**.-- **In the details flyout of the policy**: Click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the flyout.
+- **On the Anti-phishing page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Enable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the flyout.
On the **Anti-phishing** page, the **Status** value of the policy is now **On** or **Off**.
On the **Anti-phishing** page, the **Status** value of the policy is now **On**
Anti-phishing policies are processed in the order that they're displayed on the **Anti-phishing** page: - The anti-phishing policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).-- The anti-phishing policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The anti-phishing policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled).
- Custom anti-phishing policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). - By default, a new policy is created with a priority that's lower than the lowest existing custom policy (the first is 0, the next is 1, etc.).
Anti-phishing policies are processed in the order that they're displayed on the
Anti-phishing protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-After you select the custom anti-phishing policy by clicking anywhere other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
+After you select the custom anti-phishing policy by clicking anywhere in the row other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
- The custom policy with the **Priority** value **0** on the **Anti-Phishing** page has the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** action at the top of the details flyout. - The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout. - If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.
-When you're finished in the policy details flyout, click **Close**.
+When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-phishing** page, the order of the policy in the list matches the updated **Priority** value.
You can't remove the default anti-phishing policy or the anti-phishing policies
After you select the custom anti-phishing policy, use either of the following methods to remove it: - **On the Anti-phishing page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Delete selected policies**.-- **In the details flyout of the policy**: Click :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout.
-Click **Yes** in the warning dialog that opens.
+Select **Yes** in the warning dialog that opens.
On the **Anti-phishing** page, the deleted policy is no longer listed.
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
To verify that you've successfully configured anti-phishing policies in Defender for Office 365, do any of the following steps: -- On the **Anti-phishing** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/antiphishing>, verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
+- On the **Anti-phishing** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/antiphishing>, verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking anywhere in the row other than the check box next to the name and viewing the details in the flyout that appears.
- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, and run the following command and verify the settings:
security Anti Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md
description: Admins can learn how to view, create, modify, and delete anti-spam policies in Exchange Online Protection (EOP). Previously updated : 4/19/2023 Last updated : 4/21/2023 # Configure anti-spam policies in EOP
You can configure anti-spam policies in the Microsoft 365 Defender portal or in
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
-2. On the **Anti-spam policies** page, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** **Create policy** and then select **Inbound** from the drop down list to start the new anti-spam policy wizard.
+2. On the **Anti-spam policies** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** **Create policy** and then select **Inbound** from the drop down list to start the new anti-spam policy wizard.
3. On the **Name your policy** page, configure these settings: - **Name**: Enter a unique, descriptive name for the policy. - **Description**: Enter an optional description for the policy.
- When you're finished on the **Name your policy** page, click **Next**.
+ When you're finished on the **Name your policy** page, select **Next**.
4. On the **Users, groups, and domains** page, identify the internal recipients that the policy applies to (recipient conditions): - **Users**: The specified mailboxes, mail users, mail contacts or mail enabled public folders.
You can configure anti-spam policies in the Microsoft 365 Defender portal or in
- The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and then select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ Click in the appropriate box, start typing a value, and then select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.
You can configure anti-spam policies in the Microsoft 365 Defender portal or in
> > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
- When you're finished on the **Users, groups, and domains** page, click **Next**.
+ When you're finished on the **Users, groups, and domains** page, select **Next**.
5. On the **Bulk email threshold & spam properties** page, configure the following settings:
You can configure anti-spam policies in the Microsoft 365 Defender portal or in
<sup>\*</sup> The **Contains specific languages** and **from these countries** settings aren't part of ASF.
- - **Contains specific languages**: Click the box and select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages appears. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ - **Contains specific languages**: Select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages appears. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
- - **From these countries***: Click the box and select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a country in the box. A filtered list of supported countries appears. When you find the country that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ - **From these countries***: Select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a country in the box. A filtered list of supported countries appears. When you find the country that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
- When you're finished on the **Bulk email threshold & spam properties** page, click **Next**.
+ When you're finished on the **Bulk email threshold & spam properties** page, select **Next**.
6. On the **Actions** page, configure the following settings:
You can configure anti-spam policies in the Microsoft 365 Defender portal or in
> [!NOTE] > End-user spam notifications have been replaced by _quarantine notifications_ in quarantine policies. Quarantine notifications contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts). For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- When you're finished on the **Actions** page, click **Next**.
+ When you're finished on the **Actions** page, select **Next**.
7. On the **Allow & block list** page, you can configure message senders by email address or email domain who are allowed to skip spam filtering.
You can configure anti-spam policies in the Microsoft 365 Defender portal or in
The steps to add entries to any of the lists are the same:
- 1. Click the link for the list that you want to configure:
- - **Allowed** \> **Senders**: Click **Manage (nn) sender(s)**.
- - **Allowed** \> **Domains**: Click **Allow domains**.
- - **Blocked** \> **Senders**: Click **Manage (nn) sender(s)**.
- - **Blocked** \> **Domains**: Click **Block domains**.
+ 1. Select the link for the list that you want to configure:
+ - **Allowed** \> **Senders**: Select **Manage (nn) sender(s)**.
+ - **Allowed** \> **Domains**: Select **Allow domains**.
+ - **Blocked** \> **Senders**: Select **Manage (nn) sender(s)**.
+ - **Blocked** \> **Domains**: Select **Block domains**.
2. In the flyout that opens, do the following steps:
- 1. Click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add senders** or **Add domains**.
- 2. In the **Add senders** or **Add domains** flyout that appears, enter the sender's email address in the **Sender** box or the domain in the **Domain** box. As you're typing, the value appears below the box. When you're finished typing the email address or domain, select the value below the box.
- 3. Repeat the previous step as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ 1. Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add senders** or **Add domains**.
+ 2. In the **Add senders** or **Add domains** flyout that opens, enter the sender's email address in the **Sender** box or the domain in the **Domain** box. As you're typing, the value appears below the box. When you're finished typing the value, select the value below the box.
+ 3. Repeat the previous step as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
- When you're finished in the **Add senders** or **Add domains** flyout, click **Add senders** or **Add domains**.
+ When you're finished in the **Add senders** or **Add domains** flyout, select **Add senders** or **Add domains**.
- Back on the first flyout, the senders or domains that you added are listed on the flyout. To remove an entry from this flyout, select the sender or domain by selecting the round check box that appears next to the entry, and then click the :::image type="icon" source="../../media/m365-cc-sc-remove-selected-users-icon.png" border="false"::: action that appears.
+ Back on the first flyout, the senders or domains that you added are listed.
- To change the list of entries from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+ To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
- Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find senders or domains on the flyout.
+ Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find entries on the flyout.
- When you're finished on the flyout, click **Done**.
+ To add entries, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add senders** or **Add domains** and repeat the previous steps.
- Back on the **Allow & block list** page, click **Next** when you're read to continue.
+ To remove entries, do either of the following steps:
-8. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+ - Select one or more entries by selecting the round check box that appears in the blank area next to the sender or domain value.
+ - Select all entries at once by selecting the round check box that appears in the blank area next to the column header.
- When you're finished on the **Review** page, click **Create**.
+ When you're finished on the flyout, select **Done** to return to the **Allow & block list** page.
-9. On the **New anti-spam policy created** page, you can click the links to view the policy, view anti-spam policies, and learn more about anti-spam policies.
+ When you're finished on the **Allow & block list** page, select **Next**.
- When you're finished on the **New anti-spam policy created** page, click **Done**.
+8. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
+
+ When you're finished on the **Review** page, select **Create**.
+
+9. On the **New anti-spam policy created** page, you can select the links to view the policy, view anti-spam policies, and learn more about anti-spam policies.
+
+ When you're finished on the **New anti-spam policy created** page, select **Done**.
Back on the **Anti-spam policies** page, the new policy is listed.
On the **Anti-spam policies** page, the following properties are displayed in th
- **Custom anti-spam policy** - Blank for the default anti-spam policy (for example, **Anti-spam inbound policy (Default)**).
-To change the list of policies from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific policies.
-Select an anti-spam policy by clicking anywhere other than the check box next to the name to open the details flyout for the policy.
+Select an anti-spam policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
> [!TIP]
-> To see details about other anti-spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other anti-spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
## Use the Microsoft 365 Defender portal to take action on anti-spam policies
The actions are described in the following subsections.
### Use the Microsoft 365 Defender portal to modify anti-spam policies
-After you select the default anti-spam policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article.
+After you select the default anti-spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.
-For the anti-spam policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. You can click :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
+For the anti-spam policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
### Use the Microsoft 365 Defender portal to enable or disable anti-spam policies
You can't disable the default anti-spam policy (it's always enabled).
You can't enable or disable the anti-spam policies that are associated with Standard and Strict preset security policies. You enable or disable the Standard or Strict preset security policies on the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies>.
-After you select an enabled custom anti-spam policy (the **Status** value is **On**) by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the policy details flyout.
+After you select an enabled custom anti-spam policy (the **Status** value is **On**) by clicking anywhere in the row other than the check box next to the name, select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the policy details flyout.
-After you select a disabled custom anti-spam policy (the **Status** value is **Off**) by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the policy details flyout.
+After you select a disabled custom anti-spam policy (the **Status** value is **Off**) by clicking anywhere in the row other than the check box next to the name, select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the policy details flyout.
-When you're finished in the policy details flyout, click **Close**.
+When you're finished in the policy details flyout, select **Close**.
On the **Anti-spam policies** page, the **Status** value of the policy is now **On** or **Off**.
On the **Anti-spam policies** page, the **Status** value of the policy is now **
Anti-spam policies are processed in the order that they're displayed on the **Anti-spam policies** page: - The anti-spam policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).-- The anti-spam policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The anti-spam policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled).
- Custom anti-spam policies are applied next in priority order (if they're enabled): - A lower priority value indicates a higher priority (0 is the highest). - By default, a new anti-spam policy is created with a priority that's lower than the lowest existing custom anti-spam policy (the first is 0, the next is 1, etc.).
Anti-spam policies are processed in the order that they're displayed on the **An
Anti-spam protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-After you select the custom anti-spam policy by clicking anywhere other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
+After you select the custom anti-spam policy by clicking anywhere in the row other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
- The custom policy with the **Priority** value **0** on the **Anti-spam policies** page has the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** action at the top of the details flyout. - The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout. - If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.
-When you're finished in the policy details flyout, click **Close**.
+When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-spam policies** page, the order of the policy in the list matches the updated **Priority** value.
Back on the **Anti-spam policies** page, the order of the policy in the list mat
You can't remove the default anti-spam policy or the anti-spam policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md).
-After you select the custom anti-spam policy by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout, and then click **Yes** in the warning dialog that opens.
+After you select the custom anti-spam policy by clicking anywhere in the row other than the check box next to the name, select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout, and then select **Yes** in the warning dialog that opens.
On the **Anti-spam policies** page, the deleted policy is no longer listed.
security Attack Simulation Training End User Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-end-user-notifications.md
The following information is shown for each notification<sup>\*</sup>:
- **Modified by** - **Last modified time**
-Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, all available columns are selected.
+Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
> [!TIP] > The **Γï«** (**Actions** control) is associated with the **Notifications** column. If you remove that column from view, the **Γï«** control goes away.
Click a column header to sort by that column. To add or remove columns, click ![
- Remove columns from the view. - Zoom out in your web browser.
-To find a notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+To find a notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
-To group the notifications by type, click ![Group icon.](../../media/m365-cc-sc-group-icon.png) **Group** and then select **Notification type**. To ungroup the notifications, select **None**.
+To group the notifications by type, select :::image type="icon" source="../../media/m365-cc-sc-group-icon.png" border="false"::: **Group** and then select **Notification type**. To ungroup the notifications, select **None**.
-On the **Tenant notifications** tab only, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) to filter the notifications by one or more languages.
+On the **Tenant notifications** tab only, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: to filter the notifications by one or more languages.
When you select a notification from the list, a details flyout appears with the following information:
When you select a notification from the list, a details flyout appears with the
- **Simulation status** - **End by**
-On the details flyout from the **Tenant notifications** tab only, click **Edit notification** to modify the notification.
+On the details flyout from the **Tenant notifications** tab only, select **Edit notification** to modify the notification.
## Create end-user notifications 1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> **End user notifications** \> and then select the **Tenant notifications** tab. To go directly to the **Content library** tab where you can select **End user notifications**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
-2. On the **Tenant notifications** tab, click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** to start the new end-user notification wizard.
+2. On the **Tenant notifications** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create new** to start the new end-user notification wizard.
> [!NOTE]
- > At any point after you name the notification during the new end-user notification wizard, you can click **Save and close** to save your progress and continue later. The incomplete notification has the **Status** value **Draft**. You can pick up where you left off by selecting the end-user notification from the list and then clicking the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** icon that appears.
+ > At any point after you name the notification during the new end-user notification wizard, you can select **Save and close** to save your progress and continue later. The incomplete notification has the **Status** value **Draft**. You can pick up where you left off by selecting the end-user notification from the list and then clicking the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
> > You can also create end-user notifications during the creation of simulations and simulation automations. For more information, see [Create a simulation: Select end user notifications](attack-simulation-training-simulations.md#select-end-user-notifications) and [Create a simulation automation: Select end user notifications](attack-simulation-training-simulation-automations.md#select-end-user-notifications).
On the details flyout from the **Tenant notifications** tab only, click **Edit n
- **Name**: Enter a unique name. - **Description**: Enter an optional description.
- When you're finished n the **Define details** page, click **Next**.
+ When you're finished n the **Define details** page, select **Next**.
-4. On the **Define content** page, the only setting that's available is the **Add content in business language** button. When you click it, an **Add content in default language** flyout opens that contains the following settings:
+4. On the **Define content** page, the only setting that's available is the **Add content in business language** button. When you select it, an **Add content in default language** flyout opens that contains the following settings:
- **From display name**: Enter the display name of the sender. - **From email address**: Enter the email address of the sender. - **Select the language of the email**: Select a language from the list.
On the details flyout from the **Tenant notifications** tab only, click **Edit n
- Training assignment: **Training assignment notification** - Training reminder: **Training reminder notification**
- - **Import email**: You can optionally click this button and then click **Choose file** to import an existing plain text message file.
+ - **Import email**: You can optionally select this button and then select **Choose file** to import an existing plain text message file.
- Email content area: Two tabs are available:
- - **Text** tab: A rich text editor is available to create the notification. To see the typical font and formatting settings, toggle **Formatting controls** to ![Toggle on.](../../media/scc-toggle-on.png) **On**.
+ - **Text** tab: A rich text editor is available to create the notification. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
The following controls are also available on the **Text** tab:
On the details flyout from the **Tenant notifications** tab only, click **Edit n
|**Insert training duration**|`${trainingDuration}`| |**Insert training details**|`${trainingDetails}`|
- - **Use from default**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the notification back to the default text and layout of the template, click **Reset to default**.
+ - **Use from default**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the notification back to the default text and layout of the template, select **Reset to default**.
- **Code** tab: You can view and modify the HTML code directly. You can preview the results by clicking the **Preview email** button at the top of the page.
- When you're finished in new end-user notification wizard, click **Save**.
+ When you're finished in new end-user notification wizard, select **Save**.
- Back on the **Define content** page, the notification you created is listed on the page. In the **Action** colum, you can click ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** or ![Preview icon.](../../media/m365-cc-sc-eye-icon.png) **Preview** to edit or view the notification.
+ Back on the **Define content** page, the notification you created is listed on the page. In the **Action** colum, you can select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** or :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **Preview** to edit or view the notification.
- Click ![Add translation icon.](../../media/m365-cc-sc-create-icon.png) **Add translation** to create up to 11 more translations of the notification in other languages (12 translations total).
+ Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add translation** to create up to 11 more translations of the notification in other languages (12 translations total).
Other than the flyout title changing to **Add translation**, the same options are available as the the **Add content in default language** flyout in the first notification you created. Now the **Mark this as default language** check box is available to select. Only one translation of the notification can be the default language.
- When two or more translations of the notification are listed on the **Define content** page, the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon is available in the **Actions** column to delete any notification translations that aren't designated as the default language.
+ When two or more translations of the notification are listed on the **Define content** page, the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** icon is available in the **Actions** column to delete any notification translations that aren't designated as the default language.
- When you're finished on the **Define content** page, click **Next**.
+ When you're finished on the **Define content** page, select **Next**.
5. On the **Review notification** page, you can review the details of your notification.
- You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+ You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review notification** page, click **Submit**.
+ When you're finished on the **Review notification** page, select **Submit**.
6. On the **New training assignment notification created** page, you can use the links to create a new notification, launch a simulation, or view all notifications.
- When you're finished on the **New training assignment notification created** page, click **Done**.
+ When you're finished on the **New training assignment notification created** page, select **Done**.
7. Back on the **Tenant notifications** tab in **End user notifications**, the notification that you created is now listed.
You can't modify built-in notifications on the **Global notifications** tab. You
To modify an existing custom notification on the **Tenant notifications** tab, do one of the following steps: -- Select the notification from the list by clicking the check box next to the name. Click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** icon that appears.-- Click **Γï«** (**Actions**) next to the **Notifications** value, and then select ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**.-- Select the notification from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, click **Edit notification** at the bottom of the flyout.
+- Select the notification from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
+- Select **Γï«** (**Actions**) next to the **Notifications** value, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
+- Select the notification from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, select **Edit notification** at the bottom of the flyout.
The end-user notification wizard opens with the settings and values of the selected notification. The steps are the same as described in the [Create end-user notifications](#create-end-user-notifications) section.
The end-user notification wizard opens with the settings and values of the selec
To copy an existing notification on the **Tenant notifications** or **Global notifications** tabs, do one of the following steps: -- Select the notification from the list by clicking the check box, and then click the ![Create a copy icon.](../../media/m365-cc-sc-edit-icon.png) **Create a copy** icon that appears.-- Click **Γï«** (**Actions**) next to the **Notifications** value, and then select ![Create a copy icon.](../../media/m365-cc-sc-edit-icon.png) **Create a copy**.
+- Select the notification from the list by clicking the check box, and then select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Create a copy** action that appears.
+- Select **Γï«** (**Actions**) next to the **Notifications** value, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Create a copy**.
When you copy a custom notification on the **Tenant notifications** tab, a copy of the notification named "\<OriginalName\> - Copy" is added to the list.
-When you copy a built-in notification on the **Global notifications** tab, a **Create copy** dialog appears. The dialog confirms that a copy of the notification has been created, and is available on the **Tenant notifications** tab. If you click **Go to Tenant notification** you're taken to the **Tenant notifications** tab, where the copied built-in notification is named "\<OriginalName\> - Copy" is available. If you click **Stay here** in the dialog, you return to the **Global notifications** tab.
+When you copy a built-in notification on the **Global notifications** tab, a **Create copy** dialog appears. The dialog confirms that a copy of the notification has been created, and is available on the **Tenant notifications** tab. If you select **Go to Tenant notification** you're taken to the **Tenant notifications** tab, where the copied built-in notification is named "\<OriginalName\> - Copy" is available. If you select **Stay here** in the dialog, you return to the **Global notifications** tab.
After the copy is created, you can modify it as [previously described](#modify-end-user-notifications).
You can't remove built-in notifications from the **Global notifications** tab. Y
To remove an existing custom notification from the **Tenant notifications** tab, do one of the following steps: -- Select the notification from the list by clicking the check box next to the name, and then click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears.-- Click **Γï«** (**Actions**) next to the **Notifications** value, and then select ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+- Select the notification from the list by clicking the check box next to the name, and then select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+- Select **Γï«** (**Actions**) next to the **Notifications** value, and then select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete**.
-In the confirmation dialog tht opens, click **Delete**.
+In the confirmation dialog tht opens, select **Delete**.
## Related links
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
The following summary information is also shown on the card:
:::image type="content" source="../../media/attack-sim-training-overview-behavior-impact-card.png" alt-text="The Behavior impact on compromise rate card on the Overview tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-overview-behavior-impact-card.png":::
-To see a more detailed report, click **View simulations and training efficacy report**. This report is explained [later in this article](#training-efficacy-tab-for-the-attack-simulation-report).
+To see a more detailed report, select **View simulations and training efficacy report**. This report is explained [later in this article](#training-efficacy-tab-for-the-attack-simulation-report).
### Attack simulation report
The details table below the chart shows the following information:
You can sort the results by clicking on an available column header.
-Click **Customize columns** to remove the columns that are shown. When you're finished, click **Apply**.
+Select **Customize columns** to remove the columns that are shown. When you're finished, select **Apply**.
-Use ![Search icon](../../media/m365-cc-sc-search-icon.png) **Search** box to filter the results by **Simulation name** or **Simulation Technique**. Wildcards aren't supported.
+Use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by **Simulation name** or **Simulation Technique**. Wildcards aren't supported.
-If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
+If you select the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
#### User coverage tab for the Attack simulation report
The details table below the chart shows the following information:
- **Count of clicked** - **Count of compromised**
-You can sort the results by clicking on an available column header. Click **Customize columns** to remove the columns that are shown.
+You can sort the results by clicking on an available column header. Select **Customize columns** to remove the columns that are shown.
-Use ![Search icon](../../media/m365-cc-sc-search-icon.png) **Search** box to filter the results by **Username** or **Email address**. Wildcards aren't supported.
+Use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by **Username** or **Email address**. Wildcards aren't supported.
-If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
+If you select the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
#### Training completion tab for the Attack simulation report
The details table below the chart shows the following information:
- **Date completed** - **All trainings**
-You can sort the results by clicking on an available column header. Click **Customize columns** to remove the columns that are shown.
+You can sort the results by clicking on an available column header. Select **Customize columns** to remove the columns that are shown.
-Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the chart and details table by the **Status** values of the trainings: **Completed**, **In progress**, or **All**.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the chart and details table by the **Status** values of the trainings: **Completed**, **In progress**, or **All**.
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Use ![Search icon](../../media/m365-cc-sc-search-icon.png) **Search** box to filter the results by **Username** or **Email address**. Wildcards aren't supported.
+Use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by **Username** or **Email address**. Wildcards aren't supported.
-If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
+If you select the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
#### Repeat offenders tab for the Attack simulation report
The details table below the chart shows the following information:
- **Simulation types** - **Simulations**
-You can sort the results by clicking on an available column header. Click **Customize columns** to remove the columns that are shown.
+You can sort the results by clicking on an available column header. Select **Customize columns** to remove the columns that are shown.
-Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the chart and details table by some or all of the simulation type values:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the chart and details table by some or all of the simulation type values:
- **Credential Harvest** - **Malware Attachment** - **Link in Attachment** - **Link to Malware**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Use ![Search icon](../../media/m365-cc-sc-search-icon.png) **Search** box to filter the results by any of the column values. Wildcards aren't supported.
+Use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by any of the column values. Wildcards aren't supported.
-If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
+If you select the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
## Simulation report in Attack simulation training To view the details of in-progress or completed simulations, use either of the following methods: - On the **Overview** tab at <https://security.microsoft.com/attacksimulator?viewid=overview>, select a simulation from the [Recent simulations card](#recent-simulations-card).-- On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, select a simulation by clicking anywhere other than the check box next to the name.
+- On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, select a simulation by clicking anywhere in the row other than the check box next to the name.
The page that opens contains **Report**, **Users** and **Details** tabs that contain information about the simulation. The rest of this section describes the insights and reports that are available on the **Report** tab.
security Attack Simulation Training Landing Pages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-landing-pages.md
The following information is shown for each landing page<sup>\*</sup>:
- **Created time** - **Modified by**
-Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, all available columns are selected.
+Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
> [!TIP] > The **Γï«** (**Actions** control) is associated with the **Name** column. If you remove that column from view, the **Γï«** control goes away.
Click a column header to sort by that column. To add or remove columns, click ![
- Remove columns from the view. - Zoom out in your web browser.
-To find a landing page in the list, type part of the landing page name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+To find a landing page in the list, type part of the landing page name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
-Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the landing pages by **Language** or **Status**.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the landing pages by **Language** or **Status**.
When you select a landing page from the list by clicking anywhere in the row other than the check box next to the name, a details flyout appears with the following information:
In custom landing pages only, an **Edit landing page** link is available at the
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Phish landing pages**. To go directly to the **Content library** tab where you can select **Phish landing pages**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
-2. On the **Tenant landing pages** tab, click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** to start the new landing page wizard.
+2. On the **Tenant landing pages** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create new** to start the new landing page wizard.
> [!NOTE]
- > At any point after you name the landing page during the new landing page wizard, you can click **Save and close** to save your progress and continue later. The incomplete landing page has the **Status** value **Draft**. You can pick up where you left off by selecting the landing page from the list and then clicking the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** icon that appears.
+ > At any point after you name the landing page during the new landing page wizard, you can select **Save and close** to save your progress and continue later. The incomplete landing page has the **Status** value **Draft**. You can pick up where you left off by selecting the landing page from the list and then clicking the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
> > You can also create landing pages during the creation of simulations and simulation automations. For more information, see [Create a simulation: Select a landing page](attack-simulation-training-simulations.md#select-a-landing-page) and [Create a simulation automation: Select a landing page](attack-simulation-training-simulation-automations.md#select-a-landing-page).
In custom landing pages only, an **Edit landing page** link is available at the
- **Name**: Enter a unique, descriptive name for the landing page. - **Description**: Enter an optional description.
- When you're finished on the **Define details for phish landing page** page, click **Next**.
+ When you're finished on the **Define details for phish landing page** page, select **Next**.
-4. On the **Configure landing page** page, click **Define content in preferred language**. In the **Add content in default language** flyout that opens, configure the following settings:
+4. On the **Configure landing page** page, select **Define content in preferred language**. In the **Add content in default language** flyout that opens, configure the following settings:
- **Select the language for the landing page**: Select one of the 29+ available languages. - **Mark this as default language**: For the first landing page you create, this setting is selected and unchangeable. - Landing page content: Two tabs are available:
- - **Text** tab: A rich text editor is available to create the landing page. To see the typical font and formatting settings, toggle **Formatting controls** to ![Toggle on.](../../media/scc-toggle-on.png) **On**.
+ - **Text** tab: A rich text editor is available to create the landing page. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
The following controls are also available on the **Text** tab:
In custom landing pages only, an **Edit landing page** link is available at the
|**Insert Payload content**|`${EmailContent}`| |**Insert Date**|`${date|MM/dd/yyyy|offset}`|
- - **Import from library**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the landing page back to the default text and layout of the template, click **Reset to default**.
+ - **Import from library**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the landing page back to the default text and layout of the template, select **Reset to default**.
- **Code** tab: You can view and modify the HTML code directly. You can preview the results by clicking the **Preview phish landing page** button at the top of the page.
- When you're finished on the **Add content in default language** flyout, click **Save**.
+ When you're finished on the **Add content in default language** flyout, select **Save**.
- Back on the **Configure landing page** page, the landing page you created is now listed. In the **Action** colum, you can click ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** or ![Preview icon.](../../media/m365-cc-sc-eye-icon.png) **Preview** to edit or view the landing page.
+ Back on the **Configure landing page** page, the landing page you created is now listed. In the **Action** colum, you can select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** or :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **Preview** to edit or view the landing page.
- Click ![Add translation icon.](../../media/m365-cc-sc-create-icon.png) **Add translation** to create additional translations of the landing page in other languages.
+ Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add translation** to create additional translations of the landing page in other languages.
Other than the flyout title changing to **Add translation**, the same options are available as the the **Add content in default language** flyout in the first landing page you created. Now the **Mark this as default language** check box is available to select. Only one translation of landing page can be the default language.
- When two or more translations of the landing page are listed on the **Configure landing page** page, the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon is available in the **Actions** column to delete any landing page translations that aren't designated as the default language.
+ When two or more translations of the landing page are listed on the **Configure landing page** page, the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** icon is available in the **Actions** column to delete any landing page translations that aren't designated as the default language.
- When you're finished on the **Configure landing page** page, click **Next**.
+ When you're finished on the **Configure landing page** page, select **Next**.
-5. On the **Review landing page** page, you can review your selections. Click **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+5. On the **Review landing page** page, you can review your selections. Select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review landing page** page, click **Submit**, and then click **Done** on the confirmation page.
+ When you're finished on the **Review landing page** page, select **Submit**, and then select **Done** on the confirmation page.
-6. Back on the **Tenant landing pages** tab of the **Select phish landing page**, select the landing page you created by selecting the check box next to the **Name**, and then click **Next**.
+6. Back on the **Tenant landing pages** tab of the **Select phish landing page**, select the landing page you created by selecting the check box next to the **Name**, and then select **Next**.
## Modify landing pages
You can't modify built-in landing pages on the **Global landing pages** tab. You
To modify an existing custom landing page on the **Tenant landing pages** tab, do one of the following steps: -- Select the landing page from the list by clicking the check box next to the name. Click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** icon that appears.-- Click **Γï«** (**Actions**) next to the **Name** value of the landing page, and then select ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**.-- Select the landing page from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, click **Edit landing page** at the bottom of the flyout.
+- Select the landing page from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
+- Select **Γï«** (**Actions**) next to the **Name** value of the landing page, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
+- Select the landing page from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, select **Edit landing page** at the bottom of the flyout.
The landing page wizard opens with the settings and values of the selected landing page. The steps are the same as described in the [Create landing pages](#create-landing-pages) section.
The landing page wizard opens with the settings and values of the selected landi
To copy an existing landing page on the **Tenant landing pages** or **Global landing pages** tabs, do one of the following steps: -- Select the landing page from the list by clicking the check box, and then click the ![Create a copy icon.](../../media/m365-cc-sc-edit-icon.png) **Create a copy** icon that appears.-- Click **Γï«** (**Actions**) next to the **Name** value of the landing page, and then select ![Create a copy icon.](../../media/m365-cc-sc-edit-icon.png) **Create a copy**.
+- Select the landing page from the list by clicking the check box, and then select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Create a copy** action that appears.
+- Select **Γï«** (**Actions**) next to the **Name** value of the landing page, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Create a copy**.
When you copy a custom landing page on the **Tenant landing pages** tab, a copy of the landing page named "\<OriginalName\> - Copy" is added to the list.
-When you copy a built-in landing page on the **Global landing pages** tab, a **Create copy** dialog appears. The dialog confirms that a copy of the landing page has been created, and is available on the **Tenant landing pages** tab. If you click **Go to Tenant landing page** you're taken to the **Tenant landing pages** tab, where the copied built-in landing page is named "\<OriginalName\> - Copy" is available. If you click **Stay here** in the dialog, you return to the **Global landing pages** tab.
+When you copy a built-in landing page on the **Global landing pages** tab, a **Create copy** dialog appears. The dialog confirms that a copy of the landing page has been created, and is available on the **Tenant landing pages** tab. If you select **Go to Tenant landing page** you're taken to the **Tenant landing pages** tab, where the copied built-in landing page is named "\<OriginalName\> - Copy" is available. If you select **Stay here** in the dialog, you return to the **Global landing pages** tab.
After the copy is created, you can modify it as [previously described](#modify-landing-pages).
You can't remove built-in landing pages from the **Global landing pages** tab. Y
To remove an existing custom landing page from the **Tenant landing pages** tab, do one of the following steps: -- Select the landing page from the list by clicking the check box next to the name, and then click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears.-- Click **Γï«** (**Actions**) next to the **Name** value of the landing page, and then select ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+- Select the landing page from the list by clicking the check box next to the name, and then select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+- Select **Γï«** (**Actions**) next to the **Name** value of the landing page, and then select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete**.
-In the confirmation dialog tht opens, click **Delete**.
+In the confirmation dialog tht opens, select **Delete**.
## Related links
security Attack Simulation Training Login Pages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-login-pages.md
The following information is shown for each login page:
- **Created by**: For built-in login pages, the value is **Microsoft**. For custom login pages, the value is the UPN of the user who created the login page. - **Last modified**
-Click a column header to sort by that column. To remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**.
+Select a column header to sort by that column. To remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**.
-To find a login page in the list, type part of the login page name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+To find a login page in the list, type part of the login page name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
-Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the login pages by **Language** or **Status**.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the login pages by **Language** or **Status**.
When you select a login page from the list by clicking anywhere in the row other than the check box next to the name, a details flyout appears with the following information: -- ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** is available only in custom login pages on the **Tenant login pages** tab.-- ![Mark as default icon.](../../medi). If the login page is already the default, ![Mark as default icon.](../../media/m365-cc-sc-set-as-default-icon.png) **Mark as default** isn't available.
+- :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** is available only in custom login pages on the **Tenant login pages** tab.
+- :::image type="icon" source="../../medi). If the login page is already the default, :::image type="icon" source="../../media/m365-cc-sc-set-as-default-icon.png" border="false"::: **Mark as default** isn't available.
- **Preview** tab: View the login page as users will see it. **Page 1** and **Page 2** links are available at the bottom of the page for two-page login pages. - **Details** tab: View details about the login page: - **Description**
When you select a login page from the list by clicking anywhere in the row other
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Login pages**. To go directly to the **Content library** tab where you can select **Login pages**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
-2. On the **Tenant login pages** tab, click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** to start the new login page wizard.
+2. On the **Tenant login pages** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create new** to start the new login page wizard.
> [!NOTE]
- > At any point after you name the login page during the new login page wizard, you can click **Save and close** to save your progress and continue later. The incomplete login page has the **Status** value **Draft**. You can pick up where you left off by selecting the login page from the list and then clicking the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** icon that appears.
+ > At any point after you name the login page during the new login page wizard, you can select **Save and close** to save your progress and continue later. The incomplete login page has the **Status** value **Draft**. You can pick up where you left off by selecting the login page from the list and then clicking the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
> > You can also create login pages during the creation of simulations or simulation automations. For more information, see [Create a simulation: Select a payload and login page](attack-simulation-training-simulations.md#select-a-payload-and-login-page) and [Create a simulation automation: Select payloads and login pages](attack-simulation-training-simulation-automations.md#select-payloads-and-login-pages).
When you select a login page from the list by clicking anywhere in the row other
- **Name**: Enter a unique name. - **Description**: Enter an optional description.
- When you're finished on the **Define details for login page** page, click **Next**.
+ When you're finished on the **Define details for login page** page, select **Next**.
4. On the **Configure login page** page, configure the following settings:
When you select a login page from the list by clicking anywhere in the row other
- **Create a two-page login**: If you don't select this option, the login page is one page. If you select this option, **Page 1** and **Page 2** tabs appear for you to configure separately. - Login page content area: Two tabs are available:
- - **Text** tab: A rich text editor is available to create the login page. To see the typical font and formatting settings, toggle **Formatting controls** to ![Toggle on.](../../media/scc-toggle-on.png) **On**.
+ - **Text** tab: A rich text editor is available to create the login page. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
The following controls are also available on the **Text** tab:
When you select a login page from the list by clicking anywhere in the row other
|**Insert City**|`${city}`| |**Insert Date**|`${date|MM/dd/yyyy|offset}`|
- - **Use from default**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the login page back to the default text and layout of the template, click **Reset to default**.
+ - **Use from default**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the login page back to the default text and layout of the template, select **Reset to default**.
- - **Add compromise button**: Available on one-page logins or on **Page 2** of two-page logins. Click this link to add the compromise button to the login page. The default text on the button is **Submit**, but you can change it.
+ - **Add compromise button**: Available on one-page logins or on **Page 2** of two-page logins. Select this link to add the compromise button to the login page. The default text on the button is **Submit**, but you can change it.
- - **Add Next button**: Available only on **Page 1** of two-page logins. Click this link to add the 'Next' button to the login page. The default text on the button is **Next**, but you can change it.
+ - **Add Next button**: Available only on **Page 1** of two-page logins. Select this link to add the 'Next' button to the login page. The default text on the button is **Next**, but you can change it.
- **Code** tab: You can view and modify the HTML code directly. You can preview the results by clicking the **Preview email** button at the top of the page.
- When you're finished on the **Review login page** page, click **Next**.
+ When you're finished on the **Review login page** page, select **Next**.
5. On the **Review login page** page, you can review the details of your login page.
- You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+ You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review login page** page, click **Submit**.
+ When you're finished on the **Review login page** page, select **Submit**.
6. On the **New login page \<Name\> created** page, you can use the links to create a new login page, launch a simulation, or view all login pages.
- When you're finished on the **New login page \<Name\> created** page, click **Done**.
+ When you're finished on the **New login page \<Name\> created** page, select **Done**.
7. Back on the **Tenant login pages** tab in **Login pages**, the login page that you created is now listed.
You can't modify built-in login pages on the **Global login pages** tab. You can
To modify an existing custom login page on the **Tenant login pages** tab, do one of the following steps: -- Select the login page from the list by clicking the check box next to the name. Click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** icon that appears.-- Click **Γï«** (**Actions**) next to the **Name** value of the login page, and then select ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**.-- Select the login page from the list by clicking anywhere in the row other than the check box next to the name. In the details flyout that opens, click ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**.
+- Select the login page from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
+- Select **Γï«** (**Actions**) next to the **Name** value of the login page, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
+- Select the login page from the list by clicking anywhere in the row other than the check box next to the name. In the details flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
The login page wizard opens with the settings and values of the selected login page. The steps are the same as described in the [Create login pages](#create-login-pages) section.
The login page wizard opens with the settings and values of the selected login p
To copy an existing login page on the **Tenant login pages** or **Global login pages** tabs, do one of the following steps: -- Select the login page from the list by clicking the check box next to the name, and then click the ![Create a copy icon.](../../media/m365-cc-sc-edit-icon.png) **Create a copy** icon that appears.-- Click **Γï«** (**Actions**) next to the **Name** value of the login page, and then select ![Create a copy icon.](../../media/m365-cc-sc-edit-icon.png) **Create a copy**.
+- Select the login page from the list by clicking the check box next to the name, and then select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Create a copy** action that appears.
+- Select **Γï«** (**Actions**) next to the **Name** value of the login page, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Create a copy**.
The login page wizard opens with the settings and values of the selected login page. The steps are the same as described in the [Create login pages](#create-login-pages) section.
You can't remove built-in login pages from the **Global login pages** tab. You c
To remove an existing custom login page from the **Tenant login pages** tab, do one of the following steps: -- Select the login page from the list by clicking the check box next to the name, and then click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears.-- Click **Γï«** (**Actions**) next to the **Name** value of the login page, and then select ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+- Select the login page from the list by clicking the check box next to the name, and then select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+- Select **Γï«** (**Actions**) next to the **Name** value of the login page, and then select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete**.
## Make a login page the default
The default login page is the default selection that's used in **Credential Harv
To make a login page the default on the **Tenant login pages** or **Global login pages** tabs, do one of the following steps: -- Click **Γï«** (**Actions**) next to the **Name** value of the login page, and then select ![Mark as default icon.](../../media/m365-cc-sc-set-as-default-icon.png) **Mark as default**.-- Select the login page from the list by clicking anywhere in the row other than the check box next to the name. In the details flyout that opens, click ![Mark as default icon.](../../media/m365-cc-sc-set-as-default-icon.png) **Mark as default**.
+- Select **Γï«** (**Actions**) next to the **Name** value of the login page, and then select :::image type="icon" source="../../media/m365-cc-sc-set-as-default-icon.png" border="false"::: **Mark as default**.
+- Select the login page from the list by clicking anywhere in the row other than the check box next to the name. In the details flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-set-as-default-icon.png" border="false"::: **Mark as default**.
- Select **Make this the default login page** on the **Configure login page** page in the wizard when you [create or modify a login page](#create-login-pages). > [!NOTE]
security Attack Simulation Training Payload Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations.md
To create a payload automation, do the following steps:
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com/>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> **Payload automations**. To go directly to the **Automations** tab where you can select **Payload automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.
-2. On the **Payload automations** page, click ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) **Create automation** to start the new payload automation wizard.
+2. On the **Payload automations** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create automation** to start the new payload automation wizard.
:::image type="content" source="../../media/attack-sim-training-sim-automations-create.png" alt-text="The Create simulation button on the Payload automations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-sim-automations-create.png"::: > [!NOTE]
- > At any point after you name the payload automation during the new payload automation wizard, you can click **Save and close** to save your progress and continue configuring the payload automation later. The incomplete payload automation has the **Status** value **Draft** in **Payload automations** on the **Automations** tab. You can pick up where you left off by selecting the payload automation and clicking ![Edit payload automation icon.](../../media/m365-cc-sc-edit-icon.png) **Edit automation**.
+ > At any point after you name the payload automation during the new payload automation wizard, you can select **Save and close** to save your progress and continue configuring the payload automation later. The incomplete payload automation has the **Status** value **Draft** in **Payload automations** on the **Automations** tab. You can pick up where you left off by selecting the payload automation and clicking :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit automation**.
> > Currently, payload harvesting is enabled in GCC environments due to data gathering restrictions.
To create a payload automation, do the following steps:
- **Name**: Enter a unique, descriptive name for the payload automation. - **Description**: Enter an optional detailed description for the payload automation.
- When you're finished on the **Automation name** page, click **Next**.
+ When you're finished on the **Automation name** page, select **Next**.
4. On the **Run conditions** page, select the conditions of the real phishing attack that determines when the automation will run.
- Click ![Add condition icon.](../../media/m365-cc-sc-create-icon.png) **Add condition** and then select from one of the following conditions:
+ Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add condition** and then select from one of the following conditions:
- **No. of users targeted in the campaign**: In the boxes that appear, configure the following settings: - **Equal to**, **Less than**, **Greater than**, **Less than or equal to**, or **Greater than or equal to**.
To create a payload automation, do the following steps:
You can use each condition only once. Multiple conditions use AND logic (\<Condition1\> and \<Condition2\>).
- To add another condition, click ![Add condition icon.](../../media/m365-cc-sc-create-icon.png) **Add condition**.
+ To add another condition, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add condition**.
- To remove a condition after you've added it, click ![Remove icon.](../../media/m365-cc-sc-delete-icon.png).
+ To remove a condition after you've added it, select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false":::.
- When you're finished on the **Run conditions** page, click **Next**.
+ When you're finished on the **Run conditions** page, select **Next**.
5. On the **Review automation** page, you can review the details of your payload automation.
- You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+ You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review automation** page, click **Submit**.
+ When you're finished on the **Review automation** page, select **Submit**.
6. On the **New automation created** page, you can use the links to turn on the payload automation or go to the **Simulations** page.
- When you're finished, click **Done**.
+ When you're finished, select **Done**.
7. Back on **Payload automations** in the **Automations** tab, the payload automation that you created is now listed with the **Status** value **Ready**.
To create a payload automation, do the following steps:
You can turn on or turn off payload automations with the **Status** value **Ready**. You can't turn on or turn off incomplete payload automations with the **Status** value **Draft**.
-To turn on a payload automation, select it from the list by clicking the check box next to the name. Click the ![Turn on icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** icon that appears, and then click **Confirm** in the dialog.
+To turn on a payload automation, select it from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** action that appears, and then select **Confirm** in the dialog.
-To turn off a payload automation, select it from the list by clicking the check box next to the name. Click the ![Turn off icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off** icon that appears, and then click **Confirm** in the dialog.
+To turn off a payload automation, select it from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** action that appears, and then select **Confirm** in the dialog.
## Modify payload automations
You can only modify payload automations that are turned off.
To modify an existing payload automation on the **Payload automations** page, do one of the following steps: -- Select the payload automation from the list by clicking the check box next to the name. Click the ![Edit automation icon.](../../media/m365-cc-sc-edit-icon.png) **Edit automation** icon that appears.-- Select the payload automation from the list by clicking anywhere in the row except the check box. In the details flyout that opens, on the **General** tab, click **Edit** in the **Name**, **Description**, or **Run conditions** sections.
+- Select the payload automation from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit automation** action that appears.
+- Select the payload automation from the list by clicking anywhere in the row except the check box. In the details flyout that opens, on the **General** tab, select **Edit** in the **Name**, **Description**, or **Run conditions** sections.
The payload automation wizard opens with the settings and values of the selected payload automation. The steps are the same as described in the [Create payload automations](#create-payload-automations) section. ## Remove payload automations
-To remove a payload automation, select the payload automation from the list by clicking the check box. Click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears, and then click **Confirm** in the dialog.
+To remove a payload automation, select the payload automation from the list by clicking the check box. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears, and then select **Confirm** in the dialog.
## Related links
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
The following information is shown for each payload on the **Global payloads** a
- **Status**: Values are: - **Ready** - **Draft**: Available only on the **Tenant payloads** tab.
- - **Archive**: Archived payloads are visible only when **Show archived payloads** is toggled on ![Toggle on icon.](../../media/scc-toggle-on.png).
+ - **Archive**: Archived payloads are visible only when **Show archived payloads** is toggled on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
- **Γï«** (**Actions** control): Take action on the payload. The available actions depend on the **Status** value of the payload as described in the procedure sections. This control always appears at the end of the payload row.
-Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, the only available column that's not selected is **Platform**.
+Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, the only available column that's not selected is **Platform**.
<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
Click a column header to sort by that column. To add or remove columns, click ![
- Remove columns from the view. - Zoom out in your web browser.
-To find a payload in the list, type part of the payload name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+To find a payload in the list, type part of the payload name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
-Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) to filter the payloads by one or of the following values:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: to filter the payloads by one or of the following values:
- **Complexity**: Calculated based on the number of indicators in the payload that indicate a possible attack (spelling errors, urgency, etc.). More indicators are easier to identify as an attack and indicate lower complexity. The available values are: **High**, **Medium**, and **Low**.
Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) to filter the payl
- **Controversial**: The available values are **Yes** or **No**.
-When you're finished configuring filters, click **Apply**, **Cancel**, or ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
When you select a payload by clicking anywhere in the row other than the check box next to the name, a details flyout appears with the following information:
To see payloads that have been archived (the **Status** value is **Archive**), u
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> **Payloads** \> **Tenant payloads** tab. To go directly to the **Content library** tab where you can select **Payloads** and the **Tenant payloads** tab, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
- On the **Tenant payloads** tab, click ![Create a payload icon.](../../media/m365-cc-sc-create-icon.png) **Create a payload** to start the new payload wizard.
+ On the **Tenant payloads** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create a payload** to start the new payload wizard.
:::image type="content" source="../../media/attack-sim-training-payload-create.png" alt-text="Create a payload on the Tenant payloads tab in Payloads in Attack simulation training in the Microsoft 365 Defender portal." lightbox="../../media/attack-sim-training-payload-create.png"::: > [!NOTE]
- > At any point after you name the payload during the new payload wizard, you can click **Save and close** to save your progress and continue later. The incomplete payload has the **Status** value **Draft**. You can pick up where you left off by selecting the payload and then clicking the ![Edit payload icon.](../../media/m365-cc-sc-edit-icon.png) **Edit payload** icon that appears.
+ > At any point after you name the payload during the new payload wizard, you can select **Save and close** to save your progress and continue later. The incomplete payload has the **Status** value **Draft**. You can pick up where you left off by selecting the payload and then clicking the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit payload** action that appears.
> > You can also create payloads during the creation of simulations. For more information, see [Create a simulation: Select a payload and login page](attack-simulation-training-simulations.md#select-a-payload-and-login-page). 2. On the **Select type** page, the only value that you can currently select is **Email**.
- Click when you finished on the **Select type** page, click **Next**.
+ When you're finished on the **Select type** page, select **Next**.
3. On the **Select technique** page, the available options are the same as on the **Select technique** page in the new simulation wizard: - **Credential Harvest**
To see payloads that have been archived (the **Status** value is **Archive**), u
For more information, see [Simulate a phishing attack with Attack simulation training in Defender for Office 365](attack-simulation-training-simulations.md).
- When you're finished on the **Select technique** page, click **Next**.
+ When you're finished on the **Select technique** page, select **Next**.
4. On the **Payload name** page, configure the following settings: - **Name**: Enter a unique, descriptive name for the payload. - **Description**: Enter an optional detailed description for the payload.
- When you're finished on the **Payload name** page, click **Next**.
+ When you're finished on the **Payload name** page, select **Next**.
5. On the **Configure payload** page, it's time to build your payload. Many of the available settings are determined by the selection you made on the **Select technique** page (for example, links vs. attachments).
To see payloads that have been archived (the **Status** value is **Archive**), u
- **Attachment content** section (**Link in Attachment** technique only).
- A rich text editor is available to create the login page. To see the typical font and formatting settings, toggle **Formatting controls** to ![Toggle on.](../../media/scc-toggle-on.png) **On**.
+ A rich text editor is available to create the login page. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
Use the **Phishing link** control to add the previously selected phishing URL into the attachment.
To see payloads that have been archived (the **Status** value is **Archive**), u
- **Email message** section:
- - You can click **Import email** and then **Choose file** to import an existing plain text message file.
+ - You can select **Import email** and then **Choose file** to import an existing plain text message file.
- Two tabs are available:
- - **Text** tab: A rich text editor is available to create the payload. To see the typical font and formatting settings, toggle **Formatting controls** to ![Toggle on.](../../media/scc-toggle-on.png) **On**.
+ - **Text** tab: A rich text editor is available to create the payload. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
The following controls are also available on the **Text** tab:
To see payloads that have been archived (the **Status** value is **Archive**), u
- **Malware attachment link** (**Link to Malware** technique only): Use this control to name and insert the URL that you previously selected in the **Link for attachment** section.
- When you click **Phishing link** or **Malware attachment link**, a dialog opens that asks you to name the link. When you're finished, click **Confirm**.
+ When you select **Phishing link** or **Malware attachment link**, a dialog opens that asks you to name the link. When you're finished, select **Confirm**.
The name value that you specified is added to the message body as a link. On the **Code** tab, the link value is `<a href="${phishingUrl}" target="_blank">Name value you specified</a>`. - **Code** tab: You can view and modify the HTML code directly.
- - **Replace all links in the email message with the phishing link** (**Credential Harvest**, **Link to Malware**, **Drive-by URL**, or **OAuth Consent Grant** techniques only): This toggle can save time by replacing all links in the message with the previously selected **Phishing link** or **Link for attachment** URL. To take this action, toggle the setting to on ![Toggle on icon.](../../media/scc-toggle-on.png).
+ - **Replace all links in the email message with the phishing link** (**Credential Harvest**, **Link to Malware**, **Drive-by URL**, or **OAuth Consent Grant** techniques only): This toggle can save time by replacing all links in the message with the previously selected **Phishing link** or **Link for attachment** URL. To take this action, toggle the setting to on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
- When you're finished on the **Configure payload** page, click **Next**.
+ When you're finished on the **Configure payload** page, select **Next**.
6. The **Add indicators** page is available only if you selected **Credential Harvest**, **Link in Attachment**, **Drive-by URL**, or **OAuth Consent Grant** on the **Select technique** page. Indicators help employees identify the tell-tale signs of phishing messages.
- On the **Add indicators** page, click ![Add indicator icon](../../media/m365-cc-sc-add-internal-icon.png) **Add indicator**. In the flyout that opens, configure the following settings:
+ On the **Add indicators** page, select :::image type="icon" source="../../media/m365-cc-sc-add-internal-icon.png" border="false"::: **Add indicator**. In the flyout that opens, configure the following settings:
- **Select and indicator you would like to use** and **Where do you want to place this indicator on the payload?**:
To see payloads that have been archived (the **Status** value is **Archive**), u
This list is curated to contain the most common clues that appear in phishing messages.
- If you select the email message subject or the message body as the location for the indicator, a **Select text** button appears. Click this button to select the text in the message subject or message body where you want the indicator to appear. When you're finished, click **Select**.
+ If you select the email message subject or the message body as the location for the indicator, a **Select text** button appears. Select this button to select the text in the message subject or message body where you want the indicator to appear. When you're finished, select **Select**.
:::image type="content" source="../../media/attack-sim-training-payloads-add-indicators-select-location.png" alt-text="The Selected text location in the message body to add to an indicator in the new payload wizard in Attack simulation training" lightbox="../../media/attack-sim-training-payloads-add-indicators-select-location.png":::
To see payloads that have been archived (the **Status** value is **Archive**), u
- **Indicator preview**: To see what the current indicator looks like, click anywhere within the section.
- When you're finished in the **Add indicator** flyout, click **Add**
+ When you're finished in the **Add indicator** flyout, select **Add**
Repeat these steps to add multiple indicators. Back on the **Add indicators** page, you can review the indicators you selected:
- - To edit an existing indicator, select it and then click ![Edit indicator icon.](../../media/m365-cc-sc-edit-icon.png) **Edit indicator**.
+ - To edit an existing indicator, select it and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit indicator**.
- - To delete an existing indicator, select it and then click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+ - To delete an existing indicator, select it and then select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete**.
- - To move indicators up or down in the list, select the indicator, and then click ![Move up icon.](../../media/m365-cc-sc-increase-icon.png) **Move up** or ![Move down icon.](../../media/m365-cc-sc-decrease-icon.png) **Move down**.
+ - To move indicators up or down in the list, select the indicator, and then select :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Move up** or :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Move down**.
- When you're finished on the **Add indicators** page, click **Next**.
+ When you're finished on the **Add indicators** page, select **Next**.
7. On the **Review payload** page, you can review the details of your payload.
- Click the ![Send a test icon.](../../media/m365-cc-sc-send-icon.png) **Send a test** button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
+ Select the :::image type="icon" source="../../media/m365-cc-sc-send-icon.png" border="false"::: **Send a test** button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
- Click the ![Preview indicator icon.](../../media/m365-cc-sc-open-icon.png) **Preview indicator** button open the payload in a preview flyout. The preview includes all payload indicators that you've created.
+ Select the :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Preview indicator** button open the payload in a preview flyout. The preview includes all payload indicators that you've created.
- On the **Review payload** page, you can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+ On the **Review payload** page, you can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review payload** page, click **Submit**. On the confirmation page that appears, click **Done**.
+ When you're finished on the **Review payload** page, select **Submit**. On the confirmation page that appears, select **Done**.
:::image type="content" source="../../media/attack-sim-training-payloads-review-payload.png" alt-text="The Review payload page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-payloads-review-payload.png"::: 8. On the **New payload created** page, you can use the links to view all simulations or go to the Attack simulation training overview.
- When you're finished on the **New payload created** page, click **Done**.
+ When you're finished on the **New payload created** page, select **Done**.
9. Back on the **Tenant payloads** tab, the payload that you created is now listed with the **Status** value **Ready**.
You can't modify built-in payloads on the **Global payloads** tab. You can only
To modify an existing payload on the **Tenant payloads** tab, do one of the following steps: -- Select the payload by clicking the check box next to the name. Click the ![Edit payload icon.](../../media/m365-cc-sc-edit-icon.png) **Edit payload** icon that appears.-- Select the payload by clicking anywhere in the row other than the check box. In the details flyout that opens, click **Edit payload** at the bottom of the flyout.-- Select the payload by clicking **Γï«** (**Actions**) at the end of the row, and then select ![Edit payload icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**.
+- Select the payload by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit payload** action that appears.
+- Select the payload by clicking anywhere in the row other than the check box. In the details flyout that opens, select **Edit payload** at the bottom of the flyout.
+- Select the payload by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
The payload wizard opens with the settings and values of the selected payload. The steps are the same as described in the [Create payloads](#create-payloads) section.
The payload wizard opens with the settings and values of the selected payload. T
To copy an existing payload on the **Tenant payloads** or **Global payloads** tabs, do one of the following steps: -- Select the payload by clicking the check box next to the name, and then click the ![Copy payload icon.](../../media/m365-cc-sc-edit-icon.png) **Copy payload** icon that appears.-- Select the payload by clicking **Γï«** (**Actions**) at the end of the row, and then select ![Copy payload icon.](../../media/m365-cc-sc-edit-icon.png) **Copy payload**.
+- Select the payload by clicking the check box next to the name, and then select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Copy payload** action that appears.
+- Select the payload by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Copy payload**.
The create payload wizard opens with the settings and values of the selected payload. The steps are the same as described in the [Create payloads](#create-payloads) section.
The create payload wizard opens with the settings and values of the selected pay
You can't delete custom payloads from the **Tenant payloads** tab, but you can archive them.
-To archive an existing payload on the **Tenant payloads** tab, select the payload by clicking **Γï«** (**Actions**) at the end of the row, and then select ![Archive icon.](../../media/m365-cc-sc-archive-icon.png) **Archive**.
+To archive an existing payload on the **Tenant payloads** tab, select the payload by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-archive-icon.png" border="false"::: **Archive**.
-The **Status** value of the payload changes to **Archive**, and the payload is no longer visible on the **Tenant payloads** table when **Show archived payloads** is toggled off ![Toggle off icon.](../../media/scc-toggle-off.png).
+The **Status** value of the payload changes to **Archive**, and the payload is no longer visible on the **Tenant payloads** table when **Show archived payloads** is toggled off :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::.
-To see archived payloads on the **Tenant payloads** tab, toggle **Show archived payloads** to on ![Toggle on icon.](../../media/scc-toggle-on.png).
+To see archived payloads on the **Tenant payloads** tab, toggle **Show archived payloads** to on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
## Restore archived payloads To restore an archive payload on the **Tenant payloads** tab, do the following steps:
-1. Set the **Show archived payloads** toggle to on ![Toggle on icon.](../../media/scc-toggle-on.png).
-2. Select the payload by clicking **Γï«** (**Actions**) at the end of the row, and then select ![Restore icon.](../../media/m365-cc-sc-archive-icon.png) **Restore**.
+1. Set the **Show archived payloads** toggle to on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
+2. Select the payload by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-archive-icon.png" border="false"::: **Restore**.
-After you've restored the archived payload, the **Status** value changes to **Draft**. Toggle **Show archived payloads** to off ![Toggle off icon.](../../media/scc-toggle-off.png) to see the restored payload. To return the payload to the **Status** value **Ready**, [edit the payload](#modify-payloads), review or change the settings, and then click **Submit**.
+After you've restored the archived payload, the **Status** value changes to **Draft**. Toggle **Show archived payloads** to off :::image type="icon" source="../../media/scc-toggle-off.png" border="false"::: to see the restored payload. To return the payload to the **Status** value **Ready**, [edit the payload](#modify-payloads), review or change the settings, and then select **Submit**.
## Send a test On the **Tenant payloads** or **Global payloads** tabs, you can send a copy of the payload email to yourself (the currently logged in user) for inspection.
-Select the payload by clicking the check box next to the name, and then click the ![Send a test icon.](../../media/m365-cc-sc-send-icon.png) **Send a test** button that appears.
+Select the payload by clicking the check box next to the name, and then select the :::image type="icon" source="../../media/m365-cc-sc-send-icon.png" border="false"::: **Send a test** button that appears.
## Related links
security Attack Simulation Training Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-settings.md
To remove the training threshold and always assign training, regardless of wheth
## View simulations excluded from reporting
-To view completed simulations that have been excluded from reporting on the **Settings** tab, click the **View all** link in the **Simulations excluded from reporting** section. This link takes you to the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations> where **Show excluded simulations** is automatically toggled on ![Toggle on icon.](../../media/scc-toggle-on.png).
+To view completed simulations that have been excluded from reporting on the **Settings** tab, select the **View all** link in the **Simulations excluded from reporting** section. This link takes you to the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations> where **Show excluded simulations** is automatically toggled on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
On the **Simulations** tab, both excluded _and_ included completed simulations are shown on the **Simulations** tab together. You can tell the difference by the **Status** values (**Excluded** vs. **Completed**)
-If you go directly to the **Simulations** tab and manually toggle **Show excluded simulations** on ![Toggle on icon.](../../media/scc-toggle-on.png), _only_ excluded simulations are shown.
+If you go directly to the **Simulations** tab and manually toggle **Show excluded simulations** on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::, _only_ excluded simulations are shown.
To exclude completed simulations from reporting, see [Exclude completed simulations from reporting](attack-simulation-training-simulations.md#exclude-completed-simulations-from-reporting).
security Attack Simulation Training Simulation Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations.md
By default, the following information is shown for each simulation automation:
- **Last modified** - **Created by**
-Click a column header to sort by that column.
+Select a column header to sort by that column.
-Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to search for the name of an existing simulation.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to search for the name of an existing simulation.
When you select a simulation automation from the list, a details flyout appears with the following information:
To create a simulation automation, do the following steps:
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com/>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> **Simulation automations**. or, to go directly to the **Automations** tab where you can select **Simulation automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.
-2. On the **Simulation automations** page, click ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) **Create automation** to start the new simulation automation wizard.
+2. On the **Simulation automations** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create automation** to start the new simulation automation wizard.
:::image type="content" source="../../media/attack-sim-training-sim-automations-create.png" alt-text="The Create simulation button on the Simulation automations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-sim-automations-create.png"::: The following sections describe the steps and configuration options to create a simulation automation. > [!NOTE]
- > At any point after you name the simulation automation during the new simulation automation wizard, you can click **Save and close** to save your progress and continue later. The incomplete simulation automation has the **Status** value **Draft**. You can pick up where you left off by selecting the simulation automation from the list and then clicking the ![Edit automation icon.](../../media/m365-cc-sc-edit-icon.png) **Edit automation** icon that appears.
+ > At any point after you name the simulation automation during the new simulation automation wizard, you can select **Save and close** to save your progress and continue later. The incomplete simulation automation has the **Status** value **Draft**. You can pick up where you left off by selecting the simulation automation from the list and then clicking the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit automation** action that appears.
## Name and describe the simulation automation
On the **Automation name** page, configure the following settings:
- **Name**: Enter a unique, descriptive name for the simulation. - **Description**: Enter an optional detailed description for the simulation.
-When you're finished on the **Automation name** page, click **Next**.
+When you're finished on the **Automation name** page, select **Next**.
## Select one or more social engineering techniques
On the **Select social engineering techniques** page, select one or more of the
- **Drive-by URL**: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. - **OAuth Consent Grant**: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
-If you click the **View details** link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.
+If you select the **View details** link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.
:::image type="content" source="../../media/attack-sim-training-simulations-select-technique-sim-steps.png" alt-text="The Details flyout for the credential harvest technique on the Select social engineering techniques page" lightbox="../../media/attack-sim-training-simulations-select-technique-sim-steps.png":::
-When you're finished on the **Select social engineering techniques** page, click **Next**.
+When you're finished on the **Select social engineering techniques** page, select **Next**.
## Select payloads and login pages
For the **Credential Harvest** or **Link in Attachment** social engineering tech
On the **Select payloads and login page** page, select one of the following options: - **Manually select**: The rest of this section describes the available options for payloads.-- **Randomize**: There's nothing else to configure on this page, so click **Next** to continue.
+- **Randomize**: There's nothing else to configure on this page, so select **Next** to continue.
The following details are shown for each payload: - **Payload name** - **Source**: For built-in payloads, the value is **Global**. For custom payloads, the value is **Tenant**. - **Technique**: You need to select at least one payload per technique that you selected on the **Select social engineering techniques** page.-- **Language**: The language of the payload content. Microsoft's payload catalog (global) provides payloads in 29+ languages as described in ![Filter payload icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**.
+- **Language**: The language of the payload content. Microsoft's payload catalog (global) provides payloads in 29+ languages as described in :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**.
- **Click rate**: How many people have clicked on this payload. - **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate). - **Simulations launched** counts the number of times this payload was used in other simulations.
-Click a column header to sort by that column.
+Select a column header to sort by that column.
-Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to search for the name of an existing payload.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to search for the name of an existing payload.
-If you click **Filter**, the following filters are available:
+If you select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**, the following filters are available:
- **Source**: The available values are: **Global**, **Tenant**, and **All**.
If you click **Filter**, the following filters are available:
- **Controversial**: The available values are **Yes** or **No**.
-When you're finished configuring filters, click **Apply**, **Cancel**, or ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
If you select a payload from the list by clicking anywhere in the row other than the check box next to the name, details about the payload are shown in a flyout:
To view the complete login page, use the **Page 1** and **Page 2** links at the
:::image type="content" source="../../media/attack-sim-training-simulations-select-payload-details-login-page-tab.png" alt-text="The login page tab in the payload details flyout in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-select-payload-details-login-page-tab.png":::
-To change the login page that's used in the payload, click ![Change login page icon.](../../media/m365-cc-sc-edit-icon.png) **Change login page**.
+To change the login page that's used in the payload, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Change login page**.
On the **Select login page** flyout that opens, The following information is shown for each login page:
On the **Select login page** flyout that opens, The following information is sho
- **Source**: For built-in login pages, the value is **Global**. For custom login pages, the value is **Tenant**. - **Created by**: For built-in login pages, the value is **Microsoft**. For custom login pages, the value is the UPN of the user who created the login page. - **Last modified**-- **Actions**: Click ![Preview icon.](../../media/m365-cc-sc-eye-icon.png) **Preview** to preview the login page.
+- **Actions**: Select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **Preview** to preview the login page.
-To find a login page in the list, type part of the login name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+To find a login page in the list, type part of the login name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
-Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the login pages by **Source** or **Language**.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the login pages by **Source** or **Language**.
:::image type="content" source="../../media/attack-sim-training-simulations-select-payload-select-login-page.png" alt-text="The Select login page in the Login page tab in payload details flyout in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-select-payload-select-login-page.png":::
-To create a new login page, click [Create new icon.](../../medi#create-login-pages).
+To create a new login page, select :::image type="icon" source="../../medi#create-login-pages).
-Back on the **Select login page**, verify the new login page you created is selected, and then click **Save**.
+Back on the **Select login page**, verify the new login page you created is selected, and then select **Save**.
-Back on the payload details flyout, click [Close icon.](../../media/m365-cc-sc-close-icon.png) **Close**.
+Back on the payload details flyout, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Close**.
-When you're finished on the **Select a payload and login page** page, click **Next**.
+When you're finished on the **Select a payload and login page** page, select **Next**.
### Configure OAuth Payload
On the **Configure OAuth payload** page, configure the following settings:
- **App name**: Enter a name for the payload. -- **App logo**: Click **Browse** to select a .png, .jpeg, or .gif file to use. To remove a file after you've selected it, click **Remove**.
+- **App logo**: Select **Browse** to select a .png, .jpeg, or .gif file to use. To remove a file after you've selected it, select **Remove**.
- **Select app scope**: Choose one of the following values: - **Read user calendars**
On the **Configure OAuth payload** page, configure the following settings:
- **Read and write access to user mail** - **Send mail as a user**
-When you're finished on the **Configure OAuth payload** page, click **Next**.
+When you're finished on the **Configure OAuth payload** page, select **Next**.
## Target users On the **Target users** page, select who receives the simulation. Use the following options to select users: -- **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** icon on the page to find specific users.
+- **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** icon on the page to find specific users.
> [!TIP] > Although you can't remove users from the list on this page, you can use the next **Exclude users** page to exclude specific users. - **Include only specific users and groups**: At first, no users or groups are shown on the **Targeted users** page. To add users or groups to the simulation, choose one of the following options:
- - ![Add users icon.](../../media/m365-cc-sc-create-icon.png) **Add users**: In the **Add users** flyout that opens, you find and select users and groups to receive the simulation. **Dynamic distribution groups are not supported**. The following search tools are available:
+ - :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add users**: In the **Add users** flyout that opens, you find and select users and groups to receive the simulation. **Dynamic distribution groups are not supported**. The following search tools are available:
- - **Search for users or groups**: If you click in the ![Search for users or groups icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
+ - **Search for users or groups**: If you click in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
- Type three or more characters and then press the ENTER key. Any users or group names that contain those characters are shown in the **User list** section by **Name** and **Email**. - Type less than three characters or no characters and then press the ENTER key. No users are shown in the **User list** section, but you can type three or more characters in the **Search** box to search for users and groups.
On the **Target users** page, select who receives the simulation. Use the follow
When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
- Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- **Filter users by categories**: Use the following options:
On the **Target users** page, select who receives the simulation. Use the follow
- **Repeat offenders**: For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold). - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). Use the following options:
- - **Search**: In ![Search by user tags icon.](../../media/m365-cc-sc-search-icon.png) **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
- Select **All user tags**
- - Select existing user tags. If the link is available, click **See all user tags** to see the complete list of available tags.
+ - Select existing user tags. If the link is available, select **See all user tags** to see the complete list of available tags.
- **City**: Use the following options:
- - **Search**: In ![Search by City icon.](../../media/m365-cc-sc-search-icon.png) **Search by City**, you can type part of the City value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by City**, you can type part of the City value and then press Enter. You can select some or all of the results.
- Select **All City**
- - Select existing City values. If the link is available, click **See all Cities** to see the complete list of available City values.
+ - Select existing City values. If the link is available, select **See all Cities** to see the complete list of available City values.
- **Country**: Use the following options:
- - **Search**: In ![Search by Country icon.](../../media/m365-cc-sc-search-icon.png) **Search by Country**, you can type part of the Country value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Country**, you can type part of the Country value and then press Enter. You can select some or all of the results.
- Select **All Country**
- - Select existing City values. If the link is available, click **See all Countries** to see the complete list of available Country values.
+ - Select existing City values. If the link is available, select **See all Countries** to see the complete list of available Country values.
- **Department**: Use the following options:
- - **Search**: In ![Search by Department icon.](../../media/m365-cc-sc-search-icon.png) **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
- Select **All Department**
- - Select existing Department values. If the link is available, click **See all Departments** to see the complete list of available Department values.
+ - Select existing Department values. If the link is available, select **See all Departments** to see the complete list of available Department values.
- **Title**: Use the following options:
- - **Search**: In ![Search by Title icon.](../../media/m365-cc-sc-search-icon.png) **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
- Select **All Title**
- - Select existing Title values. If the link is available, click **See all Titles** to see the complete list of available Title values.
+ - Select existing Title values. If the link is available, select **See all Titles** to see the complete list of available Title values.
:::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::
On the **Target users** page, select who receives the simulation. Use the follow
The number of values that were used as the search criteria by a specific category is shown next to the category tile (for example, **City 50** or **Priority accounts 10**).
- When you're finished searching by category, click the **Apply(x)** button. The previous **Filter users by categories** options on the **Add users** flyout are replaced by the following information:
+ When you're finished searching by category, select the **Apply(x)** button. The previous **Filter users by categories** options on the **Add users** flyout are replaced by the following information:
- - **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, click the **See all** link to see all filter values
+ - **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, select the **See all** link to see all filter values
- **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label. When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
- Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- - ![Import icon.](../../media/m365-cc-sc-create-icon.png) **Import**: In the dialog that opens, specify a CSV file that contains one email address per line.
+ - :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Import**: In the dialog that opens, specify a CSV file that contains one email address per line.
After you find a select the CSV file, the users are imported and shown on the **Targeted users** page.
- On the main **Target users** page, you can use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find selected users. You can also click ![Delete users icon.](../../media/m365-cc-sc-search-icon.png) **Delete** and then **Confirm** in the confirmation dialog to remove specific users.
+ On the main **Target users** page, you can use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find selected users. You can also select :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Delete** and then **Confirm** in the confirmation dialog to remove specific users.
- To add more users and groups, click ![Add users icon.](../../media/m365-cc-sc-create-icon.png) **Add users** or ![Import icon.](../../media/m365-cc-sc-create-icon.png) **Import** on the **Target users** page and repeat the previous steps.
+ To add more users and groups, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add users** or :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Import** on the **Target users** page and repeat the previous steps.
-When you're finished on the **Target users** page, click **Next**.
+When you're finished on the **Target users** page, select **Next**.
## Assign training
Use the following options on the page to assign trainings as part of the simulat
- **No training**: If you select this value, the only option on the page is the **Next** button.
-When you're finished on the **Assign training** page, click **Next**.
+When you're finished on the **Assign training** page, select **Next**.
### Training assignment > [!NOTE] > This page is available only if you selected **Select training courses and modules myself** on the **Assign training** page.
-On the **Training assignment** page, select the trainings that you want to add to the simulation by clicking ![Add trainings icon.](../../media/m365-cc-sc-create-icon.png) **Add trainings**.
+On the **Training assignment** page, select the trainings that you want to add to the simulation by clicking :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add trainings**.
On the **Add training** flyout that opens, use the following tabs to select trainings to include in the simulation:
On either tab, the following information is shown for each training:
- **Training name** - **Source**: The value is **Global**. - **Duration (mins)**-- **Preview**: Click the **Preview** button to see the training.
+- **Preview**: Select the **Preview** button to see the training.
-On either tab, you can use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find trainings. Type part of the training name and press the ENTER key.
+On either tab, you can use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find trainings. Type part of the training name and press the ENTER key.
-On either tab, select one or more trainings by clicking in the blank area next to the **Training name** column. When you're finished, click **Add**.
+On either tab, select one or more trainings by clicking in the blank area next to the **Training name** column. When you're finished, select **Add**.
Back on the **Training assignment** page, the selected trainings are now listed. The following information is shown for each training:
Back on the **Training assignment** page, the selected trainings are now listed.
- **Assign to**: For each training in the list, you need to select who gets the training by selecting from the following values: - **All users** - One or both of the values **Clicked payload** or **Compromised**.-- **Delete**: Click ![Delete training icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** to remove the training from the simulation.
+- **Delete**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** to remove the training from the simulation.
:::image type="content" source="../../media/attack-sim-training-training-assignment.png" alt-text="The Training assignment page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-training-assignment.png":::
-When you're finished on the **Training assignment** page, click **Next**.
+When you're finished on the **Training assignment** page, select **Next**.
### Select a landing page
Select one of the following options:
The remainder of the **Selecting phish landing page** page has two tabs where you select the landing page to use: - **Global landing pages** tab: Contains the built-in landing pages. When you select a built-in landing page to use by selecting the check box next to name, an **Edit layout** section appears with the following options:
- - **Add logo**: Click **Browse logo image** to find and select a .png, .jpeg, or .gif file. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, click **Remove uploaded logo image**.
+ - **Add logo**: Select **Browse logo image** to find and select a .png, .jpeg, or .gif file. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, select **Remove uploaded logo image**.
- **Select default language**: This setting is required. Select one of the following values: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, and **Dutch**.
- - **Tenant landing pages** tab: Contains any custom landing pages that you've created. To create a new landing page, click ![Create new icon.](../../medi#create-landing-pages).
+ - **Tenant landing pages** tab: Contains any custom landing pages that you've created. To create a new landing page, select :::image type="icon" source="../../medi#create-landing-pages).
On both tabs, the following information is shown for each landing page:
Select one of the following options:
- **Status** - **Linked simulation**
- Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, the only available columns that aren't selected are **Source** and **Created by**.
+ Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, the only available columns that aren't selected are **Source** and **Created by**.
- To find a landing page in the list, type part of the landing page name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ To find a landing page in the list, type part of the landing page name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- Click ![Filter landing page icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the landing pages by language.
+ Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the landing pages by language.
When you select a landing page by clicking on the name, a details flyout opens that shows more information about the landing page: - The **Preview** tab shows what the landing page looks like to users. - The **Details** tab shows the properties of the landing page.
- When you're finished in the landing page details flyout, click **Close**.
+ When you're finished in the landing page details flyout, select **Close**.
On the **Selecting phish landing page** page, select a landing page to use by selecting the check box next to the **Name** column.
Select one of the following options:
If you select **Use a custom URL**, you need to add the URL in the **Enter the custom landing page URL** box that appears. No other options are available on the **Selecting phish landing page** page.
-When you're finished on the **Selecting phish landing page** page, click **Next**.
+When you're finished on the **Selecting phish landing page** page, select **Next**.
## Select end user notifications
On the **Select end user notification** page, select from the following notifica
- **Delivery preferences**: You need to configure the following delivery preferences before you can continue: - For **Microsoft default positive reinforcement notification**, select **Do not deliver**, **Deliver after campaign ends**, or **Deliver during campaign**. - For **Microsoft default training reminder notification**, select **Twice a week** or **Weekly**.
- - **Actions**: If you click ![View icon.](../../media/m365-cc-sc-view-icon.png) **View**, a **Review notification** page opens with the following information:
+ - **Actions**: If you select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View**, a **Review notification** page opens with the following information:
- **Preview** tab: View the notification message as users will see it. - To view the message in different languages, use the **Select language** box. - Use the **Select payload to preview** box to select the notification message for simulations that contain multiple payloads.
On the **Select end user notification** page, select from the following notifica
- **Modified by** - **Last modified**
- When you're finished on the **Review notification** page, click **Close** to return to the **Select end user notification** page.
+ When you're finished on the **Review notification** page, select **Close** to return to the **Select end user notification** page.
-- **Customized end user notifications**: No other configuration options are available on the page. When you click **Next**, you'll need to select a **Training assignment notification**, a **Training reminder notification**, and (optionally) a **Positive reinforcement notification** to use for the simulation as described in the next three subsections.
+- **Customized end user notifications**: No other configuration options are available on the page. When you select **Next**, you'll need to select a **Training assignment notification**, a **Training reminder notification**, and (optionally) a **Positive reinforcement notification** to use for the simulation as described in the next three subsections.
-When you're finished on the **Select end user notification** page, click **Next**.
+When you're finished on the **Select end user notification** page, select **Next**.
### Select a training assignment notification
For more information, see [End-user notifications for Attack simulation training
Do one of the following steps: - **Select an existing notification to use**:
- - To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ - To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
- When you're finished in the notification details flyout, click **Close**.
+ When you're finished in the notification details flyout, select **Close**.
On the **Training assignment notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Click ![Create new icon.](../../medi#create-end-user-notifications).
+- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training assignment notification** for the notification type. When you're finished creating the notification, you return to the **Training assignment notification** page where the new notification now appears in the list for you to select
-When you're finished on the **Training assignment notification** page, click **Next**.
+When you're finished on the **Training assignment notification** page, select **Next**.
### Select a training reminder notification
For more information, see [End-user notifications for Attack simulation training
In **Set frequency for reminder notification**, select **Weekly** or **Twice a week**, and then do one of the following steps: - **Select an existing notification to use**:
- - To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ - To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
- When you're finished in the notification details flyout, click **Close**.
+ When you're finished in the notification details flyout, select **Close**.
On the **Training reminder notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Click ![Create new icon.](../../medi#create-end-user-notifications).
+- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training reminder notification** for the notification type. When you're finished creating the notification, you return to the **Training reminder notification** page where the new notification now appears in the list for you to select.
-When you're finished on the **Training reminder notification** page, click **Next**.
+When you're finished on the **Training reminder notification** page, select **Next**.
### Select a positive reinforcement notification
You have the following options for positive reinforcement notifications:
- Don't use positive reinforcement notifications: Select **Do not deliver** in the **Delivery preferences** section.
- There's nothing else to configure on the page, so you're taken to the [simulation schedule](#simulation-schedule) page when you click **Next**.
+ There's nothing else to configure on the page, so you're taken to the [simulation schedule](#simulation-schedule) page when you select **Next**.
- Use an existing positive reinforcement notification: Select **Deliver after the user reports a phish and campaign ends** or **Deliver immediately after the user reports a phish** in the **Delivery preferences** section.
You have the following options for positive reinforcement notifications:
For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
- To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
- When you're finished in the notification details flyout, click **Close**.
+ When you're finished in the notification details flyout, select **Close**.
On the **Positive reinforcement notification** page, select an existing notification to use by clicking the check box next to the name. -- Create a new positive reinforcement notification to use: Click ![Create new icon.](../../medi#create-end-user-notifications).
+- Create a new positive reinforcement notification to use: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Positive reinforcement notification** for the notification type. When you're finished creating the notification, you return to the **Positive reinforcement notification** page where the new notification now appears in the list for you to select.
-When you're finished on the **Positive reinforcement notification** page, click **Next**.
+When you're finished on the **Positive reinforcement notification** page, select **Next**.
## Simulation schedule
On the **Simulation schedule** page, select one of the following values:
- **Randomized**: You still need to select the schedule on the next page, but the simulations will launch at random times within the schedule. - **Fixed**
-When you're finished, click **Next**.
+When you're finished, select **Next**.
## Schedule details
What you see on the **Schedule details** page depends on whether you selected **
- Use **Select the date you want the automation to end** to select the end date for the simulations. - Use **Enter the number of occurrences of the simulations to run before ending** to enter a value from 1 to 10.
-When you're finished on the **Schedule details** page, click **Next**.
+When you're finished on the **Schedule details** page, select **Next**.
## Launch details
On the **Launch details** page, configure the following additional settings for
- **Send simulation email based upon the user's current time zone setting from Outlook web app** section: By default, **Enable region aware delivery** is not selected.
-When you're finished on the **Launch details** page, click **Next**.
+When you're finished on the **Launch details** page, select **Next**.
## Review simulation automation On the **Review simulation automation** page, you can review the details of your simulation automation.
-You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
-When you're finished on the **Review simulation automation**, click **Submit**.
+When you're finished on the **Review simulation automation**, select **Submit**.
When the simulation automation is created, the page title changes to **New automation created**, where you can use the links to turn on the automation or view all simulation automations.
-When you're finished on the **New automation created** page, click **Done**.
+When you're finished on the **New automation created** page, select **Done**.
Back on the **Simulation automations** page on the **Automations** tab, the simulation automation that you created is now listed with the **Status** value **Inactive**.
To turn on the simulation automation, see the next section.
- You can turn off simulation automations with the **Status** value **Active**. - You can't turn on or turn off incomplete simulation automations with the **Status** value **Draft**.
-To turn on an **Inactive** simulation automation, select it from the list by clicking the check box next to the name. Click the ![Turn on icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** icon that appears, and then click **Confirm** in the dialog. The **Status** value changes to **Active**.
+To turn on an **Inactive** simulation automation, select it from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** action that appears, and then select **Confirm** in the dialog. The **Status** value changes to **Active**.
-To turn off an **Active** simulation automation, select it from the list by clicking the check box next to the name. Click the ![Turn off icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off** icon that appears, and then click **Confirm** in the dialog. The **Status** value changes to **Inactive**.
+To turn off an **Active** simulation automation, select it from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** action that appears, and then select **Confirm** in the dialog. The **Status** value changes to **Inactive**.
## Remove simulation automations
-To remove a simulation automation, select the simulation automation from the list by clicking the check box next to the name. Click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears, and then click **Confirm** in the dialog.
+To remove a simulation automation, select the simulation automation from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears, and then select **Confirm** in the dialog.
## Frequently asked questions (FAQ) for simulations automations
security Attack Simulation Training Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulations.md
To launch a simulated phishing attack, do the following steps:
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulations** tab. Or, to go directly to the **Simulations** tab, use <https://security.microsoft.com/attacksimulator?viewid=simulations>.
-2. On the **Simulations** tab, select ![Launch a simulation icon.](../../media/m365-cc-sc-create-icon.png) **Launch a simulation** to start the new simulation wizard.
+2. On the **Simulations** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Launch a simulation** to start the new simulation wizard.
:::image type="content" source="../../media/attack-sim-training-simulations-launch.png" alt-text="The Launch a simulation button on the Simulations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-launch.png"::: The following sections describe the steps and configuration options to create a simulation. > [!NOTE]
- > At any point after you name the simulation during the new simulation wizard, you can click **Save and close** to save your progress and continue later. The incomplete simulation has the **Status** value **Draft**. You can pick up where you left off by selecting the simulation and then clicking the ![Edit simulation icon.](../../media/m365-cc-sc-edit-icon.png) **Edit simulation** icon that appears.
+ > At any point after you name the simulation during the new simulation wizard, you can select **Save and close** to save your progress and continue later. The incomplete simulation has the **Status** value **Draft**. You can pick up where you left off by selecting the simulation and then clicking the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit simulation** action that appears.
## Select a social engineering technique
On the **Select technique** page, select an available social engineering techniq
- **Drive-by URL**: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. - **OAuth Consent Grant**: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
-If you click the **View details** link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.
+If you select the **View details** link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.
:::image type="content" source="../../media/attack-sim-training-simulations-select-technique-sim-steps.png" alt-text="The Details flyout for the credential harvest technique on the Select technique page" lightbox="../../media/attack-sim-training-simulations-select-technique-sim-steps.png":::
-When you're finished on the **Select technique** page, click **Next**.
+When you're finished on the **Select technique** page, select **Next**.
## Name and describe the simulation
On the **Name simulation** page, configure the following settings:
- **Name**: Enter a unique, descriptive name for the simulation. - **Description**: Enter an optional detailed description for the simulation.
-When you're finished on the **Name simulation** page, click **Next**.
+When you're finished on the **Name simulation** page, select **Next**.
## Select a payload and login page
The following details are shown for each payload:
- **Payload name** - **Source**: For built-in payloads, the value is **Global**. For custom payloads, the value is **Tenant**.-- **Language**: The language of the payload content. Microsoft's payload catalog (global) provides payloads in 29+ languages as described in ![Filter payload icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**.
+- **Language**: The language of the payload content. Microsoft's payload catalog (global) provides payloads in 29+ languages as described in :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**.
- **Click rate**: How many people have clicked on this payload. - **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate). - **Simulations launched** counts the number of times this payload was used in other simulations.
-To find a payload in the list, type part of the payload name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+To find a payload in the list, type part of the payload name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
-If you click ![Filter payload icon.](../../media/m365-cc-sc-filter-icon.png), the following filters are available:
+If you select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false":::, the following filters are available:
- **Source**: The available values are: **Global**, **Tenant**, and **All**.
If you click ![Filter payload icon.](../../media/m365-cc-sc-filter-icon.png), th
- **Controversial**: The available values are **Yes** or **No**.
-When you're finished configuring filters, click **Apply**, **Cancel**, or ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-If you select a payload by selecting the check box next to the name, a ![Send a test payload icon.](../../media/m365-cc-sc-create-icon.png) **Send a test** button appears above the list of payloads. You can use this button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
+If you select a payload by selecting the check box next to the name, a :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Send a test** button appears above the list of payloads. You can use this button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
-If no payloads are available or if you want to create your own payload, click ![Create a payload icon.](../../medi#create-payloads).
+If no payloads are available or if you want to create your own payload, select :::image type="icon" source="../../medi#create-payloads).
:::image type="content" source="../../media/attack-sim-training-simulations-select-payload.png" alt-text="The Select payload page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-select-payload.png":::
If you select a payload by clicking anywhere in the row other than the check box
:::image type="content" source="../../media/attack-sim-training-simulations-select-payload-details-payload-tab.png" alt-text="The Payload tab in the payload details flyout in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-select-payload-details-payload-tab.png":::
-If the simulation doesn't use **Credential Harvest** or **Link in Attachment** payloads, or if you don't want to view or edit the login page that's used, click **Next** on the **Select payload and login page** page to continue.
+If the simulation doesn't use **Credential Harvest** or **Link in Attachment** payloads, or if you don't want to view or edit the login page that's used, select **Next** on the **Select payload and login page** page to continue.
To select the login page that's used in **Credential Harvest** or **Link in Attachment** payloads, go to the [Select a login page](#select-a-login-page) subsection.
To view the complete login page, use the **Page 1** and **Page 2** links at the
:::image type="content" source="../../media/attack-sim-training-simulations-select-payload-details-login-page-tab.png" alt-text="The login page tab in the payload details flyout in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-select-payload-details-login-page-tab.png":::
-To change the login page that's used in the payload, click ![Change login page icon.](../../media/m365-cc-sc-edit-icon.png) **Change login page**.
+To change the login page that's used in the payload, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Change login page**.
On the **Select login page** flyout that opens, The following information is shown for each login page:
On the **Select login page** flyout that opens, The following information is sho
- **Source**: For built-in login pages, the value is **Global**. For custom login pages, the value is **Tenant**. - **Created by**: For built-in login pages, the value is **Microsoft**. For custom login pages, the value is the UPN of the user who created the login page. - **Last modified**-- **Actions**: Click ![Preview icon.](../../media/m365-cc-sc-eye-icon.png) **Preview** to preview the login page.
+- **Actions**: Select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **Preview** to preview the login page.
-To find a login page in the list, type part of the login page name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+To find a login page in the list, type part of the login page name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
-Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the login pages by **Source** or **Language**.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the login pages by **Source** or **Language**.
:::image type="content" source="../../media/attack-sim-training-simulations-select-payload-select-login-page.png" alt-text="The Select login page in the Login page tab in payload details flyout in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-select-payload-select-login-page.png":::
-To create a new login page, click [Create new icon.](../../medi#create-login-pages).
+To create a new login page, select :::image type="icon" source="../../medi#create-login-pages).
-Back on the **Select login page**, verify the new login page you created is selected, and then click **Save**.
+Back on the **Select login page**, verify the new login page you created is selected, and then select **Save**.
-Back on the payload details flyout, click [Close icon.](../../media/m365-cc-sc-close-icon.png) **Close**.
+Back on the payload details flyout, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Close**.
-When you're finished on the **Select a payload and login page** page, click **Next**.
+When you're finished on the **Select a payload and login page** page, select **Next**.
### Configure OAuth Payload
On the **Configure OAuth payload** page, configure the following settings:
- **App name**: Enter a name for the payload. -- **App logo**: Click **Browse** to select a .png, .jpeg, or .gif file to use. To remove a file after you've selected it, click **Remove**.
+- **App logo**: Select **Browse** to select a .png, .jpeg, or .gif file to use. To remove a file after you've selected it, select **Remove**.
- **Select app scope**: Choose one of the following values: - **Read user calendars**
On the **Configure OAuth payload** page, configure the following settings:
- **Read and write access to user mail** - **Send mail as a user**
-When you're finished on the **Configure OAuth payload** page, click **Next**.
+When you're finished on the **Configure OAuth payload** page, select **Next**.
## Target users On the **Target users** page, select who receives the simulation. Use the following options to select users: -- **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** icon on the page to find specific users.
+- **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** icon on the page to find specific users.
> [!TIP] > Although you can't remove users from the list on this page, you can use the next **Exclude users** page to exclude specific users. - **Include only specific users and groups**: At first, no users or groups are shown on the **Targeted users** page. To add users or groups to the simulation, choose one of the following options:
- - ![Add users icon.](../../media/m365-cc-sc-create-icon.png) **Add users**: In the **Add users** flyout that opens, you find and select users and groups to receive the simulation. **Dynamic distribution groups are not supported**. The following search tools are available:
+ - :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add users**: In the **Add users** flyout that opens, you find and select users and groups to receive the simulation. **Dynamic distribution groups are not supported**. The following search tools are available:
- - **Search for users or groups**: If you click in the ![Search for users or groups icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
+ - **Search for users or groups**: If you click in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
- Type three or more characters and then press the ENTER key. Any users or group names that contain those characters are shown in the **User list** section by **Name** and **Email**. - Type less than three characters or no characters and then press the ENTER key. No users are shown in the **User list** section, but you can type three or more characters in the **Search** box to search for users and groups.
On the **Target users** page, select who receives the simulation. Use the follow
When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
- Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- **Filter users by categories**: Use the following options:
On the **Target users** page, select who receives the simulation. Use the follow
- **Repeat offenders**: For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold). - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). Use the following options:
- - **Search**: In ![Search by user tags icon.](../../media/m365-cc-sc-search-icon.png) **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
- Select **All user tags**
- - Select existing user tags. If the link is available, click **See all user tags** to see the complete list of available tags.
+ - Select existing user tags. If the link is available, select **See all user tags** to see the complete list of available tags.
- **City**: Use the following options:
- - **Search**: In ![Search by City icon.](../../media/m365-cc-sc-search-icon.png) **Search by City**, you can type part of the City value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by City**, you can type part of the City value and then press Enter. You can select some or all of the results.
- Select **All City**
- - Select existing City values. If the link is available, click **See all Cities** to see the complete list of available City values.
+ - Select existing City values. If the link is available, select **See all Cities** to see the complete list of available City values.
- **Country**: Use the following options:
- - **Search**: In ![Search by Country icon.](../../media/m365-cc-sc-search-icon.png) **Search by Country**, you can type part of the Country value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Country**, you can type part of the Country value and then press Enter. You can select some or all of the results.
- Select **All Country**
- - Select existing City values. If the link is available, click **See all Countries** to see the complete list of available Country values.
+ - Select existing City values. If the link is available, select **See all Countries** to see the complete list of available Country values.
- **Department**: Use the following options:
- - **Search**: In ![Search by Department icon.](../../media/m365-cc-sc-search-icon.png) **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
- Select **All Department**
- - Select existing Department values. If the link is available, click **See all Departments** to see the complete list of available Department values.
+ - Select existing Department values. If the link is available, select **See all Departments** to see the complete list of available Department values.
- **Title**: Use the following options:
- - **Search**: In ![Search by Title icon.](../../media/m365-cc-sc-search-icon.png) **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
- Select **All Title**
- - Select existing Title values. If the link is available, click **See all Titles** to see the complete list of available Title values.
+ - Select existing Title values. If the link is available, select **See all Titles** to see the complete list of available Title values.
:::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::
On the **Target users** page, select who receives the simulation. Use the follow
The number of values that were used as the search criteria by a specific category is shown next to the category tile (for example, **City 50** or **Priority accounts 10**).
- When you're finished searching by category, click the **Apply(x)** button. The previous **Filter users by categories** options on the **Add users** flyout are replaced by the following information:
+ When you're finished searching by category, select the **Apply(x)** button. The previous **Filter users by categories** options on the **Add users** flyout are replaced by the following information:
- - **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, click the **See all** link to see all filter values
+ - **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, select the **See all** link to see all filter values
- **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label. When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
- Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- - ![Import icon.](../../media/m365-cc-sc-create-icon.png) **Import**: In the dialog that opens, specify a CSV file that contains one email address per line.
+ - :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Import**: In the dialog that opens, specify a CSV file that contains one email address per line.
After you find a select the CSV file, the users are imported and shown on the **Targeted users** page.
- On the main **Target users** page, you can use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find selected users. You can also click ![Delete users icon.](../../media/m365-cc-sc-search-icon.png) **Delete** and then **Confirm** in the confirmation dialog to remove specific users.
+ On the main **Target users** page, you can use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find selected users. You can also select :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Delete** and then **Confirm** in the confirmation dialog to remove specific users.
- To add more users and groups, click ![Add users icon.](../../media/m365-cc-sc-create-icon.png) **Add users** or ![Import icon.](../../media/m365-cc-sc-create-icon.png) **Import** on the **Target users** page and repeat the previous steps.
+ To add more users and groups, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add users** or :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Import** on the **Target users** page and repeat the previous steps.
-When you're finished on the **Target users** page, click **Next**.
+When you're finished on the **Target users** page, select **Next**.
## Exclude users
On the **Exclude users** page, you can select **Exclude some of the targeted use
The methods to find and select users are the same as described in the previous section for **Include only specific users and groups**.
-When you're finished on the **Exclude users** page, click **Next**.
+When you're finished on the **Exclude users** page, select **Next**.
## Assign training
Use the following options on the page to assign trainings as part of the simulat
- **No training**: If you select this value, the only option on the page is the **Next** button.
-When you're finished on the **Assign training** page, click **Next**.
+When you're finished on the **Assign training** page, select **Next**.
### Training assignment > [!NOTE] > This page is available only if you selected **Select training courses and modules myself** on the **Assign training** page.
-On the **Training assignment** page, select the trainings that you want to add to the simulation by clicking ![Add trainings icon.](../../media/m365-cc-sc-create-icon.png) **Add trainings**.
+On the **Training assignment** page, select the trainings that you want to add to the simulation by clicking :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add trainings**.
On the **Add training** flyout that opens, use the following tabs to select trainings to include in the simulation:
On either tab, the following information is shown for each training:
- **Training name** - **Source**: The value is **Global**. - **Duration (mins)**-- **Preview**: Click the **Preview** button to see the training.
+- **Preview**: Select the **Preview** button to see the training.
-On either tab, you can use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find trainings. Type part of the training name and press the ENTER key.
+On either tab, you can use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find trainings. Type part of the training name and press the ENTER key.
-On either tab, select one or more trainings by clicking in the blank area next to the **Training name** column. When you're finished, click **Add**.
+On either tab, select one or more trainings by clicking in the blank area next to the **Training name** column. When you're finished, select **Add**.
Back on the **Training assignment** page, the selected trainings are now listed. The following information is shown for each training:
Back on the **Training assignment** page, the selected trainings are now listed.
- **Assign to**: For each training, you need to select who gets the training by selecting from the following values: - **All users** - One or both of the values **Clicked payload** or **Compromised**.-- **Delete**: Click ![Delete training icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** to remove the training from the simulation.
+- **Delete**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** to remove the training from the simulation.
:::image type="content" source="../../media/attack-sim-training-training-assignment.png" alt-text="The Training assignment page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-training-assignment.png"::: :::image type="content" source="../../media/attack-sim-training-training-assignment.png" alt-text="The Training assignment page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-training-assignment.png":::
-When you're finished on the **Training assignment** page, click **Next**.
+When you're finished on the **Training assignment** page, select **Next**.
## Select a landing page
Select one of the following options:
The remainder of the **Selecting phish landing page** page has two tabs where you select the landing page to use: - **Global landing pages** tab: Contains the built-in landing pages. When you select a built-in landing page to use by selecting the check box next to name, an **Edit layout** section appears with the following options:
- - **Add logo**: Click **Browse logo image** to find and select a .png, .jpeg, or .gif file. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, click **Remove uploaded logo image**.
+ - **Add logo**: Select **Browse logo image** to find and select a .png, .jpeg, or .gif file. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, select **Remove uploaded logo image**.
- **Select default language**: This setting is required. Select one of the following values: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, and **Dutch**.
- - **Tenant landing pages** tab: Contains any custom landing pages that you've created. To create a new landing page, click ![Create new icon.](../../medi#create-landing-pages).
+ - **Tenant landing pages** tab: Contains any custom landing pages that you've created. To create a new landing page, select :::image type="icon" source="../../medi#create-landing-pages).
On both tabs, the following information is shown for each landing page:
Select one of the following options:
- **Status** - **Linked simulation**
- Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, the only available columns that aren't selected are **Source** and **Created by**.
+ Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, the only available columns that aren't selected are **Source** and **Created by**.
- To find a landing page in the list, type part of the landing page name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ To find a landing page in the list, type part of the landing page name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- Click ![Filter landing page icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the landing pages by language.
+ Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the landing pages by language.
When you select a landing page by clicking on the name, a details flyout opens that shows more information about the landing page: - The **Preview** tab shows what the landing page looks like to users. - The **Details** tab shows the properties of the landing page.
- When you're finished in the landing page details flyout, click **Close**.
+ When you're finished in the landing page details flyout, select **Close**.
On the **Selecting phish landing page** page, select a landing page to use by selecting the check box next to the **Name** column.
Select one of the following options:
If you select **Use a custom URL**, you need to add the URL in the **Enter the custom landing page URL** box that appears. No other options are available on the **Selecting phish landing page** page.
-When you're finished on the **Selecting phish landing page** page, click **Next**.
+When you're finished on the **Selecting phish landing page** page, select **Next**.
## Select end user notifications
On the **Select end user notification** page, select from the following notifica
- **Delivery preferences**: You need to configure the following delivery preferences before you can continue: - For **Microsoft default positive reinforcement notification**, select **Do not deliver**, **Deliver after campaign ends**, or **Deliver during campaign**. - For **Microsoft default training reminder notification**, select **Twice a week** or **Weekly**.
- - **Actions**: If you click ![View icon.](../../media/m365-cc-sc-view-icon.png) **View**, a **Review notification** page opens with the following information:
+ - **Actions**: If you select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View**, a **Review notification** page opens with the following information:
- **Preview** tab: View the notification message as users will see it. - To view the message in different languages, use the **Select language** box. - Use the **Select payload to preview** box to select the notification message for simulations that contain multiple payloads.
On the **Select end user notification** page, select from the following notifica
- **Modified by** - **Last modified**
- When you're finished on the **Review notification** page, click **Close** to return to the **Select end user notification** page.
+ When you're finished on the **Review notification** page, select **Close** to return to the **Select end user notification** page.
-- **Customized end user notifications**: No other configuration options are available on the page. When you click **Next**, you'll need to select a **Training assignment notification**, a **Training reminder notification**, and (optionally) a **Positive reinforcement notification** to use for the simulation as described in the next three subsections.
+- **Customized end user notifications**: No other configuration options are available on the page. When you select **Next**, you'll need to select a **Training assignment notification**, a **Training reminder notification**, and (optionally) a **Positive reinforcement notification** to use for the simulation as described in the next three subsections.
-When you're finished on the **Select end user notification** page, click **Next**.
+When you're finished on the **Select end user notification** page, select **Next**.
### Select a training assignment notification
For more information, see [End-user notifications for Attack simulation training
Do one of the following steps: - **Select an existing notification to use**:
- - To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ - To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
- When you're finished in the notification details flyout, click **Close**.
+ When you're finished in the notification details flyout, select **Close**.
On the **Training assignment notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Click ![Create new icon.](../../medi#create-end-user-notifications).
+- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training assignment notification** for the notification type. When you're finished creating the notification, you return to the **Training assignment notification** page where the new notification now appears in the list for you to select
-When you're finished on the **Training assignment notification** page, click **Next**.
+When you're finished on the **Training assignment notification** page, select **Next**.
### Select a training reminder notification
For more information, see [End-user notifications for Attack simulation training
In **Set frequency for reminder notification**, select **Weekly** or **Twice a week**, and then do one of the following steps: - **Select an existing notification to use**:
- - To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ - To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
- When you're finished in the notification details flyout, click **Close**.
+ When you're finished in the notification details flyout, select **Close**.
On the **Training reminder notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Click ![Create new icon.](../../medi#create-end-user-notifications).
+- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training reminder notification** for the notification type. When you're finished creating the notification, you return to the **Training reminder notification** page where the new notification now appears in the list for you to select.
-When you're finished on the **Training reminder notification** page, click **Next**.
+When you're finished on the **Training reminder notification** page, select **Next**.
### Select a positive reinforcement notification
You have the following options for positive reinforcement notifications:
- Don't use positive reinforcement notifications: Select **Do not deliver** in the **Delivery preferences** section.
- There's nothing else to configure on the page, so you're taken to the [Launch details](#configure-the-simulation-launch-details) page when you click **Next**.
+ There's nothing else to configure on the page, so you're taken to the [Launch details](#configure-the-simulation-launch-details) page when you select **Next**.
- Use an existing positive reinforcement notification: Select **Deliver after the user reports a phish and campaign ends** or **Deliver immediately after the user reports a phish** in the **Delivery preferences** section.
You have the following options for positive reinforcement notifications:
For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
- To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
- When you're finished in the notification details flyout, click **Close**.
+ When you're finished in the notification details flyout, select **Close**.
On the **Positive reinforcement notification** page, select an existing notification to use by clicking the check box next to the name. -- Create a new positive reinforcement notification to use: Click ![Create new icon.](../../medi#create-end-user-notifications).
+- Create a new positive reinforcement notification to use: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Positive reinforcement notification** for the notification type. When you're finished creating the notification, you return to the **Positive reinforcement notification** page where the new notification now appears in the list for you to select.
-When you're finished on the **Positive reinforcement notification** page, click **Next**.
+When you're finished on the **Positive reinforcement notification** page, select **Next**.
## Configure the simulation launch details
The default value for **Configure number of days to end simulation after** is 2
If you select **Enable region aware time zone delivery**, the simulated attack messages are delivered to users during their regional working hours.
-When you're finished on the **Launch details** page, click **Next**.
+When you're finished on the **Launch details** page, select **Next**.
## Review simulation details On the **Review simulation** page, you can review the details of the simulation.
-Click the ![Send a test icon.](../../media/m365-cc-sc-send-icon.png) **Send a test** button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
+Select the :::image type="icon" source="../../media/m365-cc-sc-send-icon.png" border="false"::: **Send a test** button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
-You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard to modify the settings.
+You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard to modify the settings.
-When you're finished on the **Review simulation** page, click **Submit**.
+When you're finished on the **Review simulation** page, select **Submit**.
:::image type="content" source="../../media/attack-sim-training-simulations-review-simulation.png" alt-text="The Review simulation page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-review-simulation.png"::: On the **Simulation has been scheduled for launch** page, you can use the links to go to the Attack simulation training overview or to view all payloads.
-When you're finished on the **Simulation has been scheduled for launch**, click **Done**.
+When you're finished on the **Simulation has been scheduled for launch**, select **Done**.
Back on the **Simulations** tab, the simulation that you created is now listed. The **Status** value depends on your previous selection in the [Configure the simulation launch details](#configure-the-simulation-launch-details) step:
By default, the following information is shown for each simulation<sup>\*</sup>:
- **Excluded** - **Γï«** (**Actions** control): Take action on the simulation. The available actions depend on the **Status** value of the simulation as described in the procedure sections. This control always appears at the end of the row.
-Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, all available columns are selected.
+Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
Click a column header to sort by that column. To add or remove columns, click ![
- Remove columns from the view. - Zoom out in your web browser.
-Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to search for the name of an existing simulation.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to search for the name of an existing simulation.
-Click ![Filter simulation icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the simulations by **Technique** or **Status** (all **Status** values except for **Excluded**).
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the simulations by **Technique** or **Status** (all **Status** values except for **Excluded**).
-When you're finished configuring filters, click **Apply**, **Cancel**, or ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
To see simulations that have been excluded from reporting (the **Status** value is **Excluded**), use the **Show excluded simulations** toggle on the **Simulations** tab.
To see simulations that have been excluded from reporting (the **Status** value
To view details about a simulation, use either of the following methods on the **Simulations** tab: -- Select the simulation by clicking anywhere other than the check box next to the name.-- Select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select ![View report icon.](../../media/m365-cc-sc-eye-icon.png) **View report**.
+- Select the simulation by clicking anywhere in the row other than the check box next to the name.
+- Select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **View report**.
The title of the details page that opens shows the name of the simulation and other information (for example, the status, social engineering technique, and delivery status).
-You can click ![View activity timeline.](../../media/m365-cc-sc-view-activity-timeline-icon.png) **View activity timeline** to see date/time information about the simulation (simulation scheduled, simulation launched, simulation ended, and training due dates).
+You can select :::image type="icon" source="../../media/m365-cc-sc-view-activity-timeline-icon.png" border="false"::: **View activity timeline** to see date/time information about the simulation (simulation scheduled, simulation launched, simulation ended, and training due dates).
The rest of the details page contains the following tabs:
The rest of the details page contains the following tabs:
- **Failed deliveries** - **Username**
- Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. The following additional columns are available:
+ Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. The following additional columns are available:
- **Days out of office** - **Message read on**
The rest of the details page contains the following tabs:
- **Country** - **Manager**
- To change the list of users from normal to compact spacing, click ![Change list spacing to compact or normal icon.](../../media/m365-cc-sc-standard-icon.png) **Change list spacing to compact or normal**, and then select ![Compact list icon.](../../media/m365-cc-sc-compact-icon.png).
+ To change the list of users from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
- If you click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**, the following filters are available:
+ If you select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**, the following filters are available:
- **Compromised**: Select **Yes** or **No**. - **Reported message**: Select **Yes** or **No**.
The rest of the details page contains the following tabs:
- **Training status**: Select **Completed**, **In progress**, **Not started**, or **Not assigned**. - **Assigned trainings**: Select one or more of the following values: **Mass Market Phishing**, **Report Message**, **Web Phishing**, **Anatomy of a Spear Phishing Attack**.
- To find a user in the list, type part of the name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ To find a user in the list, type part of the name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- **Details** tab: Contains details about the simulation in the following sections: - **Description** section:
The rest of the details page contains the following tabs:
- **Training information** section: - **Training name** - **Assign to**
- - **Actions**: Click ![View icon.](../../media/m365-cc-sc-view-icon.png) **View** to see the training.
+ - **Actions**: Select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View** to see the training.
- **Notifications** section: - **Notification name** - **Notification type** - **Delivery frequency**
- - **Actions**: Click ![View icon.](../../media/m365-cc-sc-view-icon.png) **View** to see the notification.
+ - **Actions**: Select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View** to see the notification.
## Take action on simulations
All actions on existing simulations start on the **Simulations** tab. To get the
You can cancel simulations with the **Status** value **In progress** or **Scheduled**.
-To cancel a simulation on the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, select ![Cancel simulation icon.](../../media/m365-cc-sc-close-icon.png) **Cancel simulation**, and then click **Confirm** in the confirmation dialog.
+To cancel a simulation on the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Cancel simulation**, and then select **Confirm** in the confirmation dialog.
After you cancel the simulation, the **Status** value changes to **Canceled**.
After you cancel the simulation, the **Status** value changes to **Canceled**.
You can't remove simulations with the **Status** value **In progress**.
-To remove a simulation from the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Cancel simulation**, and then click **Confirm** in the confirmation dialog.
+To remove a simulation from the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Cancel simulation**, and then select **Confirm** in the confirmation dialog.
After you remove the simulation, it no longer appears on the **Simulations** tab.
After you remove the simulation, it no longer appears on the **Simulations** tab
The **Exclude** action is available only for simulations with the **Status** value **Competed**.
-To remove a simulation from the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, select ![Exclude icon.](../../media/m365-cc-sc-exclude-icon.png) **Exclude**, and then click **Confirm** in the confirmation dialog.
+To remove a simulation from the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, select :::image type="icon" source="../../media/m365-cc-sc-exclude-icon.png" border="false"::: **Exclude**, and then select **Confirm** in the confirmation dialog.
-After you exclude the completed simulation from reporting, the **Status** value changes to **Excluded**, and the simulation is no longer visible on the **Simulations** tab when the **Show excluded simulations** toggle is off ![Toggle off icon.](../../media/scc-toggle-off.png).
+After you exclude the completed simulation from reporting, the **Status** value changes to **Excluded**, and the simulation is no longer visible on the **Simulations** tab when the **Show excluded simulations** toggle is off :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::.
To see completed simulations that have been excluded from reporting, use either of the following methods: -- On the **Simulations** tab, toggle **Show excluded simulations** to on ![Toggle on icon.](../../media/scc-toggle-on.png). Only excluded simulations are shown.-- On the **Settings** tab at <https://security.microsoft.com/attacksimulator?viewid=setting>, click the **View all** link in the **Simulations excluded from reporting** section. This action takes you to the **Simulations** tab where **Show excluded simulations** is toggled on ![Toggle on icon.](../../medi#view-simulations-excluded-from-reporting).
+- On the **Simulations** tab, toggle **Show excluded simulations** to on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::. Only excluded simulations are shown.
+- On the **Settings** tab at <https://security.microsoft.com/attacksimulator?viewid=setting>, select the **View all** link in the **Simulations excluded from reporting** section. This action takes you to the **Simulations** tab where **Show excluded simulations** is toggled on :::image type="icon" source="../../medi#view-simulations-excluded-from-reporting).
### Include completed simulations in reporting By default, all completed simulations are included in reporting. A simulation is excluded from reporting only if you exclude it as described in the previous section.
-The **Include** action is available only for simulations with the **Status** value **Excluded**, which are visible on the **Simulations** tab only when **Show excluded simulations** is toggled on ![Toggle on icon.](../../media/scc-toggle-on.png).
+The **Include** action is available only for simulations with the **Status** value **Excluded**, which are visible on the **Simulations** tab only when **Show excluded simulations** is toggled on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
To include a completed session in reporting after it has been excluded, do the following steps:
-1. On the **Simulations** tab, set the **Show excluded simulations** toggle to on ![Toggle on icon.](../../media/scc-toggle-on.png).
-2. Select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select ![Include icon.](../../media/m365-cc-sc-include-icon.png) **Exclude**.
+1. On the **Simulations** tab, set the **Show excluded simulations** toggle to on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
+2. Select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-include-icon.png" border="false"::: **Exclude**.
-After you've included the excluded simulation, the **Status** value changes to **Completed**. Toggle **Show excluded simulations** to off ![Toggle off icon.](../../media/scc-toggle-off.png) to see the simulation.
+After you've included the excluded simulation, the **Status** value changes to **Completed**. Toggle **Show excluded simulations** to off :::image type="icon" source="../../media/scc-toggle-off.png" border="false"::: to see the simulation.
### View simulation reports For simulations with the **Status** value **In progress** or **Completed**, you can view the report for the simulation by using either of the following methods on the **Simulations** tab: -- Select the simulation by clicking anywhere other than the check box next to the name.-- Select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select ![View report icon.](../../media/m365-cc-sc-eye-icon.png) **View report**.
+- Select the simulation by clicking anywhere in the row other than the check box next to the name.
+- Select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **View report**.
The report page for the simulation opens and contains the following information:
security Attack Simulation Training Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-teams.md
To configure the accounts, do the following steps:
1. Identify or create a user who's a member of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator), or [Attack Simulation Administrator](/azure/active-directory/roles/permissions-reference#attack-simulation-administrator) roles in Azure Active Directory. You need to know the password. 2. Using the account from Step 1, open the Microsoft 365 Defender portal at <https://security.microsoft.com> and go to **Email & collaboration** \> **Attack simulation training** \> **Settings** tab. Or, to go directly to the **Settings** tab, use <https://security.microsoft.com/attacksimulator?viewid=setting>.
-3. On the **Settings** tab, click **Manager user accounts** in the **Teams simulation configuration** section.
-4. In the **Teams simulation configuration** flyout that opens, click **Generate token**. Read the information in the confirmation dialog, and then click **I agree**.
-5. Back on the **Settings** tab, click **Manager user accounts** in the **Teams simulation configuration** section again to reopen the **Teams simulation configuration** flyout. The user account that you were logged in as now appears in the **User accounts available for Teams phishing** section.
+3. On the **Settings** tab, select **Manager user accounts** in the **Teams simulation configuration** section.
+4. In the **Teams simulation configuration** flyout that opens, select **Generate token**. Read the information in the confirmation dialog, and then select **I agree**.
+5. Back on the **Settings** tab, select **Manager user accounts** in the **Teams simulation configuration** section again to reopen the **Teams simulation configuration** flyout. The user account that you were logged in as now appears in the **User accounts available for Teams phishing** section.
-To remove a user from the list, click the round check box that appears next to the user's **Display name** without clicking anywhere else in the row. Click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears, and then click **Delete** in the confirmation dialog.
+To remove a user from the list, select the round check box that appears next to the user's **Display name** without clicking anywhere else in the row. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears, and then select **Delete** in the confirmation dialog.
Or, to prevent the account from being used in Teams simulations but keep the linked simulations history for the account, you can block the account from signing in as described [here](/microsoft-365/admin/add-users/remove-former-employee-step-1).
Teams introduces the following changes to viewing and creating simulations as de
- On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, the **Platform** column shows the value **Teams** for simulations that use Teams messages. -- If you select ![Launch a simulation icon.](../../media/m365-cc-sc-create-icon.png) **Launch a simulation** on the **Simulations** tab to create a simulation, the first page of the new simulation wizard is **Select delivery platform** where you can select **Microsoft Teams**. Selecting **Microsoft Teams** introduces the following changes to the rest of the new simulation wizard:
+- If you select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Launch a simulation** on the **Simulations** tab to create a simulation, the first page of the new simulation wizard is **Select delivery platform** where you can select **Microsoft Teams**. Selecting **Microsoft Teams** introduces the following changes to the rest of the new simulation wizard:
- On the **[Select technique](attack-simulation-training-simulations.md#select-a-social-engineering-technique)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques aren't available.
- - On the **[Name simulation](attack-simulation-training-simulations.md#name-and-describe-the-simulation)** page, a **Select sender's Microsoft Teams account** section and **Select user account** link are present. Click **Select user account** to find and select the account to use as the source for the Teams message.
+ - On the **[Name simulation](attack-simulation-training-simulations.md#name-and-describe-the-simulation)** page, a **Select sender's Microsoft Teams account** section and **Select user account** link are present. Select **Select user account** to find and select the account to use as the source for the Teams message.
- On the **[Select payload and login page](attack-simulation-training-simulations.md#select-a-payload-and-login-page)**, no payloads are listed by default because there are no built-in payloads for Teams. You need to create a payload for the combination of Teams and the social engineering technique that you selected.
Whether you create a payload on the **Payloads** page of the **Content library**
- On the **Global payloads** and **Tenant payloads** tabs on **Payloads** page of the **Content library** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>, the **Platform** column shows the value **Teams** for payloads that use Teams messages.
- If you click ![Filter payload icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the list of existing payloads, a **Platform** section is available where you can select **Email** and **Teams**.
+ If you select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the list of existing payloads, a **Platform** section is available where you can select **Email** and **Teams**.
As previously described, there are no built-in payloads for Teams, so if you filter by **Status** \> **Teams** on the **Global payloads** tab, the list will be empty. -- If you click ![Create a payload icon.](../../media/m365-cc-sc-create-icon.png) **Create a payload** on the **Tenant payload** tab to create a payload, the first page of the new payload wizard is **Select type** where you can select **Teams**. Selecting **Teams** introduces the following changes to the rest of the new payload wizard:
+- If you select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create a payload** on the **Tenant payload** tab to create a payload, the first page of the new payload wizard is **Select type** where you can select **Teams**. Selecting **Teams** introduces the following changes to the rest of the new payload wizard:
- On the **[Select technique](attack-simulation-training-payloads.md#create-payloads)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques aren't available for Teams.
Teams introduces the following changes to viewing and creating simulation automa
- **Type**: Currently, this value is always **Social engineering**. - **Platform**: Shows the value **Teams** for payload automations that use Teams messages or **Email** for payload automations that use email messages. -- If you click ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) **Create automation** on the **Simulation automations** page to create a simulation automation, the first page of the new simulation automation wizard is **Select delivery platform** where you can select **Teams**. Selecting **Teams** introduces the following changes to the rest of the new simulation automation wizard:
+- If you select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create automation** on the **Simulation automations** page to create a simulation automation, the first page of the new simulation automation wizard is **Select delivery platform** where you can select **Teams**. Selecting **Teams** introduces the following changes to the rest of the new simulation automation wizard:
- On the [Automation name](attack-simulation-training-simulation-automations.md#name-and-describe-the-simulation-automation) page, the following settings are available for Teams in the **Select method for choosing sender accounts** section:
- - **Manually select**: This value is selected by default. In the **Select sender's Microsoft Teams account** section, click the **Select user account** to find and select the account to use as the source for the Teams message.
+ - **Manually select**: This value is selected by default. In the **Select sender's Microsoft Teams account** section, select the **Select user account** to find and select the account to use as the source for the Teams message.
- **Randomize**: Randomly select from the available accounts to use as the source for the Teams message. - On the **[Select social engineering techniques](attack-simulation-training-simulation-automations.md#select-one-or-more-social-engineering-techniques)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques aren't available for Teams.
security Attack Simulation Training Training Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-campaigns.md
The **Training** tab lists the Training campaigns that you've created. The list
For more information about the **Status** values, see the [Set the training threshold](#set-the-training-threshold) section later in this article.
-Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, all available columns are selected.
+Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
To create a Training campaign, do the following steps:
The following sections describe the steps and configuration options to create a Training campaign. > [!NOTE]
- > At any point after you name the Training campaign during the new Training campaign wizard, you can click **Save and close** to save your progress and continue later. The incomplete Training campaign has the **Status** value **Draft**. You can pick up where you left off by selecting the Training campaign and then clicking the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** icon that appears.
+ > At any point after you name the Training campaign during the new Training campaign wizard, you can select **Save and close** to save your progress and continue later. The incomplete Training campaign has the **Status** value **Draft**. You can pick up where you left off by selecting the Training campaign and then clicking the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
### Name and describe the Training campaign
On the **Name campaign** page, configure the following settings:
- **Name**: Enter a unique name for the Training campaign. - **Description**: Enter an optional description.
-When you're finished on the **Name Training campaign** page, click **Next**.
+When you're finished on the **Name Training campaign** page, select **Next**.
### Target users On the **Target users** page, select who receives the Training campaign. Use the following options to select users: -- **Include all users in my organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** icon on the page to find specific users.
+- **Include all users in my organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** icon on the page to find specific users.
> [!TIP] > Although you can't remove users from the list on this page, you can use the next **Exclude users** page to exclude specific users. - **Include only specific users and groups**: At first, no users or groups are shown on the **Targeted users** page. To add users or groups to the Training campaign, choose one of the following options:
- - **Search for users or groups**: If you click in the ![Search for users or groups icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
+ - **Search for users or groups**: If you click in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
- Type three or more characters and then press the ENTER key. Any users or group names that contain those characters are shown in the **User list** section by **Name** and **Email**. - Type fewer than three characters or no characters and then press the ENTER key. No users are shown in the **User list** section, but you can type three or more characters in the **Search** box to search for users and groups.
On the **Target users** page, select who receives the Training campaign. Use the
When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
- Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- **Filter users by categories**: Use the following options:
On the **Target users** page, select who receives the Training campaign. Use the
- **Repeat offenders**: For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold). - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). Use the following options:
- - **Search**: In ![Search by user tags icon.](../../media/m365-cc-sc-search-icon.png) **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
- Select **All user tags**
- - Select existing user tags. If the link is available, click **See all user tags** to see the complete list of available tags.
+ - Select existing user tags. If the link is available, select **See all user tags** to see the complete list of available tags.
- **City**: Use the following options:
- - **Search**: In ![Search by City icon.](../../media/m365-cc-sc-search-icon.png) **Search by City**, you can type part of the City value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by City**, you can type part of the City value and then press Enter. You can select some or all of the results.
- Select **All City**
- - Select existing City values. If the link is available, click **See all Cities** to see the complete list of available City values.
+ - Select existing City values. If the link is available, select **See all Cities** to see the complete list of available City values.
- **Country**: Use the following options:
- - **Search**: In ![Search by Country icon.](../../media/m365-cc-sc-search-icon.png) **Search by Country**, you can type part of the Country value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Country**, you can type part of the Country value and then press Enter. You can select some or all of the results.
- Select **All Country**
- - Select existing City values. If the link is available, click **See all Countries** to see the complete list of available Country values.
+ - Select existing City values. If the link is available, select **See all Countries** to see the complete list of available Country values.
- **Department**: Use the following options:
- - **Search**: In ![Search by Department icon.](../../media/m365-cc-sc-search-icon.png) **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
- Select **All Department**
- - Select existing Department values. If the link is available, click **See all Departments** to see the complete list of available Department values.
+ - Select existing Department values. If the link is available, select **See all Departments** to see the complete list of available Department values.
- **Title**: Use the following options:
- - **Search**: In ![Search by Title icon.](../../media/m365-cc-sc-search-icon.png) **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
- Select **All Title**
- - Select existing Title values. If the link is available, click **See all Titles** to see the complete list of available Title values.
+ - Select existing Title values. If the link is available, select **See all Titles** to see the complete list of available Title values.
:::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::
On the **Target users** page, select who receives the Training campaign. Use the
The number of values that were used as the search criteria by a specific category is shown next to the category tile (for example, **City 50** or **Priority accounts 10**).
- When you're finished searching by category, click the **Apply(x)** button. The previous **Filter users by categories** options on the **Add users** flyout are replaced by the following information:
+ When you're finished searching by category, select the **Apply(x)** button. The previous **Filter users by categories** options on the **Add users** flyout are replaced by the following information:
- - **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, click the **See all** link to see all filter values
+ - **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, select the **See all** link to see all filter values
- **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label. When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
- Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- - ![Import icon.](../../media/m365-cc-sc-create-icon.png) **Import**: In the dialog that opens, specify a CSV file that contains one email address per line.
+ - :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Import**: In the dialog that opens, specify a CSV file that contains one email address per line.
After you find a select the CSV file, the users are imported and shown on the **Targeted users** page.
- On the main **Target users** page, you can use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find selected users. You can also click ![Delete users icon.](../../media/m365-cc-sc-search-icon.png) **Delete** and then **Confirm** in the confirmation dialog to remove specific users.
+ On the main **Target users** page, you can use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find selected users. You can also select :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Delete** and then **Confirm** in the confirmation dialog to remove specific users.
- To add more users and groups, click ![Add users icon.](../../media/m365-cc-sc-create-icon.png) **Add users** or ![Import icon.](../../media/m365-cc-sc-create-icon.png) **Import** on the **Target users** page and repeat the previous steps.
+ To add more users and groups, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add users** or :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Import** on the **Target users** page and repeat the previous steps.
-When you're finished on the **Target users** page, click **Next**.
+When you're finished on the **Target users** page, select **Next**.
### Exclude users
When you're finished on the **Exclude users** page, select **Next**.
On the **Select training modules** page, select one of the following options: -- **Training catalog**: Click :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add trainings**.
+- **Training catalog**: Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add trainings**.
In the **Add Training** flyout that opens, select one or more Training modules to include in the Training campaign by selecting the round check box that appears in the blank area next to the module name, and then clicking **Add**.
On the **Select training modules** page, select one of the following options:
- **Training name** - **Source** - **Duration (mins)**
- - **Delete**: Use the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png"::: **Delete** icon to remove the entry from the list. Click **Confirm** in the confirmation dialog**.
+ - **Delete**: Use the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png"::: **Delete** icon to remove the entry from the list. Select **Confirm** in the confirmation dialog**.
-- **Redirect to a custom URL**: Click :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add trainings**.
+- **Redirect to a custom URL**: Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add trainings**.
In the **Custom training URL** flyout that opens, the following options are available:
On the **Select training modules** page, select one of the following options:
- **Custom training description** - **Custom training duration (in minutes)** (required): The default value is 0, which means there's no specified duration for the training.
- When you're finished on the **Custom training URL** flyout, click **Add**. Information about the custom URL is visible on the **Select courses** page.
+ When you're finished on the **Custom training URL** flyout, select **Add**. Information about the custom URL is visible on the **Select courses** page.
-When you're finished on the **Select courses** page, click **Next**.
+When you're finished on the **Select courses** page, select **Next**.
### Select end user notifications
On the **Select end user notification** page, select from the following notifica
- **Training reminder notification** - **Delivery preferences**: You need to configure the following delivery preferences before you can continue: - For **Microsoft default training only campaign-training reminder notification**, select **Twice a week** or **Weekly**.
- - **Actions**: If you click ![View icon.](../../media/m365-cc-sc-view-icon.png) **View**, a **Review notification** page opens with the following information:
+ - **Actions**: If you select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View**, a **Review notification** page opens with the following information:
- **Preview** tab: View the notification message as users see it. To view the message in different languages, use the **Select notification language** box. - **Details** tab: View details about the notification: - **Notification description**
On the **Select end user notification** page, select from the following notifica
- **Modified by** - **Last modified**
- When you're finished on the **Review notification** page, click **Close** to return to the **Select end user notification** page.
+ When you're finished on the **Review notification** page, select **Close** to return to the **Select end user notification** page.
-- **Customized end user notifications**: No other configuration options are available on the page. When you click **Next**, you need to select a **Training assignment notification** and a **Training reminder notification** to use for the Training campaign as described in the next two subsections.
+- **Customized end user notifications**: No other configuration options are available on the page. When you select **Next**, you need to select a **Training assignment notification** and a **Training reminder notification** to use for the Training campaign as described in the next two subsections.
-When you're finished on the **Select end user notification** page, click **Next**.
+When you're finished on the **Select end user notification** page, select **Next**.
#### Select a training assignment notification
For more information, see [End-user notifications for Attack simulation training
Do one of the following steps: - **Select an existing notification to use**:
- - To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ - To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
- When you're finished in the notification details flyout, click **Close**.
+ When you're finished in the notification details flyout, select **Close**.
On the **Training assignment notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Click ![Create new icon.](../../medi#create-end-user-notifications).
+- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training assignment notification** for the notification type. When you're finished creating the notification, you return to the **Training assignment notification** page where the new notification now appears in the list for you to select
-When you're finished on the **Training assignment notification** page, click **Next**.
+When you're finished on the **Training assignment notification** page, select **Next**.
#### Select a training reminder notification
For more information, see [End-user notifications for Attack simulation training
In **Set frequency for reminder notification**, select **Weekly** or **Twice a week**, and then do one of the following steps: - **Select an existing notification to use**:
- - To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ - To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
- When you're finished in the notification details flyout, click **Close**.
+ When you're finished in the notification details flyout, select **Close**.
On the **Training reminder notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Click ![Create new icon.](../../medi#create-end-user-notifications).
+- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training reminder notification** for the notification type. When you're finished creating the notification, you return to the **Training reminder notification** page where the new notification now appears in the list for you to select.
-When you're finished on the **Training reminder notification** page, click **Next**.
+When you're finished on the **Training reminder notification** page, select **Next**.
### Schedule the Training campaign
On the **Schedule** page, you choose when to start and end the Training campaign
> [!NOTE] > If you clear the **Send training with an end date** check box, no reminder notifications will be send to the targeted users outside of the initial training assignment notice.
-When you're finished on the **Schedule** page, click **Next**.
+When you're finished on the **Schedule** page, select **Next**.
## Review Training campaign details On the **Review** page, you can review the details of the Training campaign.
-Click the ![Send a test icon.](../../media/m365-cc-sc-send-icon.png) **Send a test** button to send a copy of the Training campaign to yourself (the currently signed in user) for inspection.
+Select the :::image type="icon" source="../../media/m365-cc-sc-send-icon.png" border="false"::: **Send a test** button to send a copy of the Training campaign to yourself (the currently signed in user) for inspection.
-You can click **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard to modify the settings.
+You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard to modify the settings.
-When you're finished on the **Review** page, click **Submit**.
+When you're finished on the **Review** page, select **Submit**.
Back on the **Training campaign** tab, the Training campaign that you created is now listed. The **Status** value depends on your previous selection in the [Schedule the Training campaign](#schedule-the-training-campaign) step:
All actions on existing Training campaigns start on the **Training** tab. To get
### View Training campaign details
-To view the details and reports for a Training campaign on the **Training** tab, select the Training campaign by clicking anywhere other than the check box next to the name.
+To view the details and reports for a Training campaign on the **Training** tab, select the Training campaign by clicking anywhere in the row other than the check box next to the name.
A details page for the Training campaign opens with the following tabs:
The **Users** tab shows the following information about the users who were assig
- **Training completion date** - **Username**
-To remove the **Training status** column, click :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png"::: **Customize columns**. By default, the only available column that's not shown is **Department**.
+To remove the **Training status** column, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png"::: **Customize columns**. By default, the only available column that's not shown is **Department**.
-To download the displayed results to a RecordExport.csv file in the local Downloads folder, click :::image type="icon" source="../../media/m365-cc-sc-download-icon.png"::: **Export**.
+To download the displayed results to a RecordExport.csv file in the local Downloads folder, select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png"::: **Export**.
-If you select a user from the list by clicking anywhere other than the round check box that appears in the blank area next to the name, the following user information appears in a details flyout:
+If you select a user from the list by clicking anywhere in the row other than the round check box that appears in the blank area next to the name, the following user information appears in a details flyout:
- **User details** section: - **Company**
If you select a user from the list by clicking anywhere other than the round che
- **Training completed date** > [!TIP]
-> To see details about other users in the Training campaign without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other users in the Training campaign without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
#### Details tab
The **Details** tab of the Training campaign shows the following information:
You can cancel Training campaigns with the **Status** value **In progress** or **Scheduled**.
-To cancel an existing Training campaign on the **Training tab**, select the Training campaign by selecting the check box next to the name, click the :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Cancel** icon that appears, and then click **Confirm** in the confirmation dialog.
+To cancel an existing Training campaign on the **Training tab**, select the Training campaign by selecting the check box next to the name, select the :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Cancel** action that appears, and then select **Confirm** in the confirmation dialog.
After you cancel the Training campaign, the **Status** value changes to **Canceled**.
After you cancel the Training campaign, the **Status** value changes to **Cancel
You can't remove Training campaigns with the **Status** value **In progress** or **Scheduled**.
-To remove an existing Training campaign from the **Training** tab, select the Training campaign by selecting the check box next to the name, click the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** icon that appears, and then click **Confirm** in the confirmation dialog.
+To remove an existing Training campaign from the **Training** tab, select the Training campaign by selecting the check box next to the name, select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears, and then select **Confirm** in the confirmation dialog.
After you remove the Training campaign, it's no longer listed on the **Training** tab.
To set the training threshold on the **Settings** tab, do the following steps:
2. Set the value in days for the training threshold time period. The default value is 90 days. To remove the training threshold and always assign training, set value to 0.
-3. When you're finished on the **Settings** tab, click **Save**.
+3. When you're finished on the **Settings** tab, select **Save**.
security Attack Simulation Training Training Modules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-modules.md
The **Training modules** page shows the following information for each module<su
- **Last assigned date** - **# times used** - **Completion rate**-- **Preview**: Click the **Preview** button in this column to watch the training.
+- **Preview**: Select the **Preview** button in this column to watch the training.
-Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, all available columns are selected.
+Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
Click a column header to sort by that column. To add or remove columns, click ![
- Remove columns from the view. - Zoom out in your web browser.
-To find a Training module in the list, type the name of the module in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box, and then press the ENTER key.
+To find a Training module in the list, type the name of the module in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box, and then press the ENTER key.
-Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the information on the page. The following filters are available in the flyout that opens:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the information on the page. The following filters are available in the flyout that opens:
- **Source** - **Language** - **Add Tags**
-When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-When you select a Training module from the list by clicking anywhere other than the check box next to the name, a details flyout appears with the following information:
+When you select a Training module from the list by clicking anywhere in the row other than the check box next to the name, a details flyout appears with the following information:
- **Description** - **Source** - **Languages** - **Duration**-- **Preview**: Click this button to watch the training.
+- **Preview**: Select this button to watch the training.
- **Active Training campaigns and simulations**: This section shows the following information about active Training campaigns that are using the selected module: - **Name**
security Connection Filter Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connection-filter-policies-configure.md
description: Admins can learn how to configure connection filtering in Exchange Online Protection (EOP) to allow or block emails from email servers. Previously updated : 12/01/2022 Last updated : 4/19/2023 # Configure connection filtering
Last updated 12/01/2022
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes can use _connection filtering_ and the default connection filter policy to identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are:
+In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, _connection filtering_ and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are:
-- **IP Allow List**: Skip spam filtering for all incoming messages from the source email servers that you specify by IP address or IP address range. For scenarios where spam filtering might still occur on messages from these sources, see the [Scenarios where messages from sources in the IP Allow List are still filtered](#scenarios-where-messages-from-sources-in-the-ip-allow-list-are-still-filtered) section later in this article. For more information about how the IP Allow List should fit into your overall safe senders strategy, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md).
+- **IP Allow List**: Skip spam filtering for all incoming messages from the specified source IP addresses or IP address ranges. All incoming messages are scanned for malware and high-confidence phishing. For other scenarios where spam filtering still occurs on messages from servers in the IP Allow List, see the [Scenarios where messages from sources in the IP Allow List are still filtered](#scenarios-where-messages-from-sources-in-the-ip-allow-list-are-still-filtered) section later in this article. For more information about how the IP Allow List should fit into your overall safe senders strategy, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md).
-- **IP Block List**: Block all incoming messages from the source email servers that you specify by IP address or IP address range. The incoming messages are rejected, aren't marked as spam, and no other filtering occurs. For more information about how the IP Block List should fit into your overall blocked senders strategy, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md).
+- **IP Block List**: Block all incoming messages from the specified source IP addresses or IP address ranges. The incoming messages are rejected, aren't marked as spam, and no other filtering occurs. For more information about how the IP Block List should fit into your overall blocked senders strategy, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md).
-- **Safe list**: The _safe list_ is a dynamic allow list in the Microsoft datacenter that requires no customer configuration. Microsoft identifies these trusted email sources from subscriptions to various third-party lists. You enable or disable the use of the safe list; you can't configure the source email servers on the safe list. Spam filtering is skipped on incoming messages from the email servers on the safe list.
+- **Safe list**: The _safe list_ in the connection filter policy is a dynamic allow list that requires no customer configuration. Microsoft identifies these trusted email sources from subscriptions to various third-party lists. You enable or disable the use of the safe list; you can't configure the servers in the list. Spam filtering is skipped on incoming messages from the email servers on the safe list.
This article describes how to configure the default connection filter policy in the Microsoft 365 Microsoft 365 Defender portal or in Exchange Online PowerShell. For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings, see [Anti-spam protection](anti-spam-protection-about.md).
This article describes how to configure the default connection filter policy in
## Use the Microsoft 365 Defender portal to modify the default connection filter policy
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
-2. On the **Anti-spam policies** page, select **Connection filter policy (Default)** from the list by clicking on the name of the policy.
+2. On the **Anti-spam policies** page, select **Connection filter policy (Default)** from the list by clicking anywhere in the row other than the check box next to the name.
-3. In the policy details flyout that appears, configure any of the following settings:
+3. In the policy details flyout that opens, use the **Edit** links to modify the policy settings:
- - **Description** section: Click **Edit name and description**. In the **Edit name and description** flyout that appears, enter optional descriptive text in the **Description** box.
+ - **Description** section: Select **Edit description** to enter a description for the policy in the **Description** box of the **Edit name and description** flyout that opens. You can't modify the name of the policy.
- When you're finished, click **Save**.
+ When you're finished in the **Edit name and description** flyout, select **Save**.
- - **Connection filtering section**: Click **Edit connection filter policy**. In the flyout that appears, configure the following settings:
+ - **Connection filtering** section: Select **Edit connection filter policy**. In the flyout that opens, configure the following settings:
- - **Always allow messages from the following IP addresses or address range**: This setting is the IP Allow list. Click in the box, enter a value, and then press Enter or select the complete value that's displayed below the box. Valid values are
+ - **Always allow messages from the following IP addresses or address range**: This setting is the IP Allow List. Click in the box, enter a value, and then press the ENTER key or select the complete value that's displayed below the box. Valid values are:
- Single IP: For example, 192.168.1.1. - IP range: For example, 192.168.0.1-192.168.0.254. - CIDR IP: For example, 192.168.0.1/25. Valid subnet mask values are /24 through /32. To skip spam filtering for /1 to /23, see the [Skip spam filtering for a CIDR IP outside of the available range](#skip-spam-filtering-for-a-cidr-ip-outside-of-the-available-range) section later in this article.
- Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
-
- To add the IP address or address range, enter the value in the box and then click **Add** ![Add Icon.](../../media/ITPro-EAC-AddIcon.png). To remove an entry, select the entry in **Allowed IP Address** and then click **Remove** ![Remove](../../media/scc-remove-icon.png). When you're finished, click **Save**.
+ Repeat this step as many times as necessary. To remove an existing entry, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the entry.
- **Always block messages from the following IP addresses or address range**: This setting is the IP Block List. Enter a single IP, IP range, or CIDR IP in the box as previously described in the **Always allow messages from the following IP addresses or address range** setting.
- - **Turn on safe list**: Enable or disable the use of the safe list to identify known, good senders that will skip spam filtering. To use the safe list, select the check box.
+ - **Turn on safe list**: Enable or disable the use of the safe list to identify known, good senders that skip spam filtering. To use the safe list, select the check box.
- When you're finished, click **Save**.
+ When you're finished in the flyout, select **Save**.
-4. Back on the policy details flyout, click **Close**.
+4. Back on the policy details flyout, select **Close**.
## Use the Microsoft 365 Defender portal to view the default connection filter policy
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+On the **Anti-spam policies** page, the following properties are displayed in the list of policies:
+
+- **Name**: The default connection filter policy is named **Connection filter policy (Default)**.
+- **Status**: The value is **Always on** for the default connection filter policy.
+- **Priority**: The value is **Lowest** for the default connection filter policy.
+- **Type**: The value is blank for the default connection filter policy.
-2. On the **Anti-spam policies** page, the following properties are displayed in the list of policies:
+To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
- - **Name**: This value is **Connection filter policy (Default)** for the default connection filter policy.
- - **Status**: This value is **Always on** for the default connection filter policy.
- - **Priority**: This value is **Lowest** for the default connection filter policy.
- - **Type**: This value is blank for the default connection filter policy.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific policies.
-3. When you select the default connection filter policy, the policy settings are displayed in a flyout.
+Select the default connection filter policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
## Use Exchange Online PowerShell or standalone EOP PowerShell to modify the default connection filter policy
Use the following syntax:
Set-HostedConnectionFilterPolicy -Identity Default [-AdminDisplayName <"Optional Comment">] [-EnableSafeList <$true | $false>] [-IPAllowList <IPAddressOrRange1,IPAddressOrRange2...>] [-IPBlockList <IPAddressOrRange1,IPAddressOrRange2...>] ```
-**Notes**:
- - Valid IP address or address range values are: - Single IP: For example, 192.168.1.1. - IP range: For example, 192.168.0.1-192.168.0.254.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add="192.168.2
For detailed syntax and parameter information, see [Set-HostedConnectionFilterPolicy](/powershell/module/exchange/set-hostedconnectionfilterpolicy).
-## How do you know this worked?
+## How do you know these procedures worked?
To verify that you've successfully modified the default connection filter policy, do any of the following steps: -- On the **Anti-spam** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/antispam>, select **Connection filter policy (Default)** from the list by clicking on the name of the policy, and verify the settings.
+- On the **Anti-spam policies** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/antispam>, select **Connection filter policy (Default)** from the list by clicking anywhere in the row other than the check box next to the name, and verify the policy settings in the details flyout that opens.
- In Exchange Online PowerShell or standalone EOP PowerShell, run the following command and verify the settings:
To verify that you've successfully modified the default connection filter policy
The following sections identify additional items that you need to know about when you configure the IP Allow List.
+> [!NOTE]
+> All incoming messages are scanned for malware and high-confidence phishing, regardless of whether the message source is in the IP Allow List.
+ ### Skip spam filtering for a CIDR IP outside of the available range
-As described earlier in this article, you can only use a CIDR IP with the network mask /24 to /32 in the IP Allow List. To skip spam filtering on messages from source email servers in the /1 to /23 range, you need to use Exchange mail flow rules (also known as transport rules). But, we recommend that you don't use the mail flow rule method, because the messages will be blocked if an IP address in the /1 to /23 CIDR IP range appears on any of Microsoft's proprietary or third-party block lists.
+As described earlier in this article, you can only use a CIDR IP with the network mask /24 to /32 in the IP Allow List. To skip spam filtering on messages from source email servers in the /1 to /23 range, you need to use Exchange mail flow rules (also known as transport rules). But, we recommend that you don't use the mail flow rule method, because the messages are blocked if an IP address in the /1 to /23 CIDR IP range appears on any of Microsoft's proprietary or third-party block lists.
Now that you're fully aware of the potential issues, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from these IP addresses skip spam filtering:
Messages from an email server in your IP Allow List are still subject to spam fi
- An IP address in your IP Allow List is also configured in an on-premises, IP-based inbound connector in _any_ tenant in Microsoft 365 (let's call this Tenant A), **and** Tenant A and the EOP server that first encounters the message both happen to be in _the same_ Active Directory forest in the Microsoft datacenters. In this scenario, **IPV:CAL** _is_ added to the message's [anti-spam message headers](message-headers-eop-mdo.md) (indicating the message bypassed spam filtering), but the message is still subject to spam filtering. -- Your tenant that contains the IP Allow List and the EOP server that first encounters the message both happen to be in *different* Active Directory forests in the Microsoft datacenters. In this scenario, **IPV:CAL** *isn't* added to the message headers, so the message is still subject to spam filtering.
+- Your tenant that contains the IP Allow List and the EOP server that first encounters the message both happen to be in _different_ Active Directory forests in the Microsoft datacenters. In this scenario, **IPV:CAL** *isn't* added to the message headers, so the message is still subject to spam filtering.
If you encounter either of these scenarios, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from the problematic IP addresses skip spam filtering:
security Mdo Support Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-support-teams-about.md
The **Teams Message Entity Panel** is one single place to store all of Teams mes
## Enable Microsoft Defender for Teams
-If you're interested in previewing the previously described features for ALL users in your tenant, you can use an Exchange Online PowerShell cmdlet to enable them.
+If you're interested in previewing the previously described features for ALL users in your tenant, you can use an Exchange Online PowerShell cmdlet to enable them. Make sure you have the latest version of the PowerShell module.
After you [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), run the following command to join the Teams preview:
security Outbound Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md
You can configure outbound spam policies in the Microsoft 365 Defender portal or
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
-2. On the **Anti-spam policies** page, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create policy** and then select **Outbound** from the drop down list to start the new outbound spam policy wizard.
+2. On the **Anti-spam policies** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create policy** and then select **Outbound** from the drop down list to start the new outbound spam policy wizard.
3. On the **Name your policy page**, configure these settings: - **Name**: Enter a unique, descriptive name for the policy. - **Description**: Enter an optional description for the policy.
- When you're finished on the **Name your policy page**, click **Next**.
+ When you're finished on the **Name your policy page**, select **Next**.
4. On the **Users, groups, and domains** page, identify the internal senders that the policy applies to (conditions): - **Users**: The specified mailboxes, mail users, or mail contacts.
You can configure outbound spam policies in the Microsoft 365 Defender portal or
- The specified Microsoft 365 Groups. - **Domains**: All senders in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.
You can configure outbound spam policies in the Microsoft 365 Defender portal or
> > Likewise, if you use the same sender filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
- When you're finished on the **Users, groups, and domains**, click **Next**.
+ When you're finished on the **Users, groups, and domains**, select **Next**.
5. On the **Protection settings** page, configure the following settings: - **Message limits** sections: The settings in this section configure the limits for outbound email messages from **Exchange Online** mailboxes:
You can configure outbound spam policies in the Microsoft 365 Defender portal or
- **Send a copy of suspicious outbound that exceed these limits to these users and groups**: This setting adds the specified recipients to the Bcc field of suspicious outbound messages. > [!NOTE]
- > This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.
+ > This setting works only in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.
To enable this setting, select the check box. In the box that appears, click in the box, enter a valid email address, and then press the ENTER key or select the complete value that's displayed below the box.
- Repeat this step as many times as necessary. To remove an existing value, click :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
+ Repeat this step as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
- **Notify these users and groups if a sender is blocked due to sending outbound spam**
You can configure outbound spam policies in the Microsoft 365 Defender portal or
> > - The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in the **Recipient Limits** section. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).
- When you're finished on the **Protection settings** page, click **Next**.
+ When you're finished on the **Protection settings** page, select **Next**.
-6. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+6. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review** page, click **Create**.
+ When you're finished on the **Review** page, select **Create**.
-7. On the **New anti-spam policy created** page, you can click the links to view the policy, view outbound spam policies, and learn more about outbound spam policies.
+7. On the **New anti-spam policy created** page, you can select the links to view the policy, view outbound spam policies, and learn more about outbound spam policies.
- When you're finished on the **New anti-spam policy created** page, click **Done**.
+ When you're finished on the **New anti-spam policy created** page, select **Done**.
Back on the **Anti-spam policies** page, the new policy is listed.
On the **Anti-spam policies** page, the following properties are displayed in th
- **Custom outbound spam policy** - Blank for the default outbound spam policy (for example, **Anti-spam outbound policy (Default)**).
-To change the list of policies from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
+To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific policies.
-Select an outbound spam policy by clicking anywhere other than the check box next to the name to open the details flyout for the policy.
+Select an outbound spam policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
> [!TIP]
-> To see details about other outbound spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other outbound spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
## Use the Microsoft 365 Defender portal to take action on outbound spam policies
The actions are described in the following subsections.
### Use the Microsoft 365 Defender portal to modify outbound spam policies
-After you select the default outbound spam policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create outbound spam policies](#use-the-microsoft-365-defender-portal-to-create-outbound-spam-policies) section earlier in this article.
+After you select the default outbound spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create outbound spam policies](#use-the-microsoft-365-defender-portal-to-create-outbound-spam-policies) section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no sender filters to configure (the policy applies to all senders). But, you can modify all other settings in the policy.
For the default policy, you can't modify the name of the policy, and there are n
You can't disable the default outbound spam policy (it's always enabled).
-After you select an enabled custom outbound spam policy (the **Status** value is **On**) by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the policy details flyout.
+After you select an enabled custom outbound spam policy (the **Status** value is **On**) by clicking anywhere in the row other than the check box next to the name, select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the policy details flyout.
-After you select a disabled custom outbound spam policy (the **Status** value is **Off**) by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the policy details flyout.
+After you select a disabled custom outbound spam policy (the **Status** value is **Off**) by clicking anywhere in the row other than the check box next to the name, select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the policy details flyout.
-When you're finished in the policy details flyout, click **Close**.
+When you're finished in the policy details flyout, select **Close**.
On the **Anti-spam policies** page, the **Status** value of the policy is now **On** or **Off**.
On the **Anti-spam policies** page, the **Status** value of the policy is now **
Outbound spam policies are processed in the order that they're displayed on the **Anti-spam policies** page: -- The outbound spam policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).-- The outbound spam policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).-- Custom outbound spam policies are applied next in priority order (if they're enabled):
+- Custom outbound spam policies are applied in priority order (if they're enabled):
- A lower priority value indicates a higher priority (0 is the highest). - By default, a new outbound spam policy is created with a priority that's lower than the lowest existing custom outbound spam policy (the first is 0, the next is 1, etc.). - No two outbound spam policies can have the same priority value.
Outbound spam policies are processed in the order that they're displayed on the
Outbound spam protection stops for a sender after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-After you select the custom outbound spam policy by clicking anywhere other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
+After you select the custom outbound spam policy by clicking anywhere in the row other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
- The custom policy with the **Priority** value **0** on the **Anti-spam policies** page has the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** action at the top of the details flyout. - The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout. - If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.
-When you're finished in the policy details flyout, click **Close**.
+When you're finished in the policy details flyout, select **Close**.
Back on the **Anti-spam policies** page, the order of the policy in the list matches the updated **Priority** value.
Back on the **Anti-spam policies** page, the order of the policy in the list mat
You can't remove the default outbound spam policy.
-After you select the custom outbound spam policy by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout, and then click **Yes** in the warning dialog that opens.
+After you select the custom outbound spam policy by clicking anywhere in the row other than the check box next to the name, select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout, and then select **Yes** in the warning dialog that opens.
On the **Anti-spam policies** page, the deleted policy is no longer listed.
For detailed syntax and parameter information, see [Get-HostedOutboundSpamFilter
### Use PowerShell to modify outbound spam filter policies
-The same settings are available when you modify a malware filter policy in PowerShell as when you create the policy as described in the [Step 1: Use PowerShell to create an outbound spam filter policy](#step-1-use-powershell-to-create-an-outbound-spam-filter-policy) section earlier in this article.
+The same settings are available when you modify an outbound spam filter policy in PowerShell as when you create the policy as described in the [Step 1: Use PowerShell to create an outbound spam filter policy](#step-1-use-powershell-to-create-an-outbound-spam-filter-policy) section earlier in this article.
> [!NOTE] > You can't rename an outbound spam filter policy (the **Set-HostedOutboundSpamFilterPolicy** cmdlet has no _Name_ parameter). When you rename an outbound spam policy in the Microsoft 365 Defender portal, you're only renaming the outbound spam filter _rule_.
security Quarantine Admin Manage Messages Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md
Watch this short video to learn how to manage quarantined messages as an admin.
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Email** tab. Or, to go directly to the **Email** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Email>.
-On the **Email** tab, you can decrease the vertical spacing in the list by clicking ![Change list spacing to compact or normal icon.](../../media/m365-cc-sc-standard-icon.png) **Change list spacing to compact or normal** and then selecting ![Compact list icon.](../../media/m365-cc-sc-compact-icon.png) **Compact list**.
+On the **Email** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-You can sort the results by clicking on an available column header. Click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+You can sort the results by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
- **Time received**<sup>\*</sup> - **Subject**<sup>\*</sup>
You can sort the results by clicking on an available column header. Click ![Cust
- **Mail direction** - **Recipient tag**
-To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**. The following filters are available in the **Filters** flyout that opens:
+To filter the results, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
- **Message ID**: The globally unique identifier of the message.
To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.
- **Transport rule** (mail flow rule) - **Data loss prevention rule**
-When you're finished on the **Filters** flyout, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished on the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
- Sender email address - Subject. Use the entire subject of the message. The search isn't case-sensitive.
After you've entered the search criteria, press the enter ENTER key to filter th
After you find a specific quarantined message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message). > [!TIP]
-> On mobile devices, the previously described controls are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**.
+> On mobile devices, the previously described controls are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**.
> > :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png":::
In the details flyout that opens, the following information is available:
To take action on the message, see the next section. > [!TIP]
-> To see details about other quarantined messages without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other quarantined messages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
### Take action on quarantined email
To take action on the message, see the next section.
:::image type="content" source="../../media/quarantine-message-details-flyout-actions.png" alt-text="Available actions in the details flyout of a selected message." lightbox="../../media/quarantine-message-details-flyout-actions.png":::
- Using either method to select the message, many actions are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** or **More options**.
+ Using either method to select the message, many actions are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** or **More options**.
After you select the quarantined message, the available actions are described in the following subsections. > [!TIP] > On mobile devices, the action experience is slightly different: >
-> - When you select the message by selecting the check box, all actions are under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**:
+> - When you select the message by selecting the check box, all actions are under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**:
> > :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png"::: >
-> - When you select the message by clicking anywhere other than the check box, description text isn't available on some of the action icons in the details flyout. But, the actions and their order is the same as on a PC:
+> - When you select the message by clicking anywhere in the row other than the check box, description text isn't available on some of the action icons in the details flyout. But, the actions and their order is the same as on a PC:
> > :::image type="content" source="../../media/quarantine-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions being highlighted" lightbox="../../media/quarantine-message-details-flyout-mobile-actions.png":::
If you don't release or remove a message, it's automatically deleted from quaran
After you select the message, use either of the following methods to release it: -- **On the Email tab**: Click ![Release icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release**.-- **In the details flyout of the selected message**: Click ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release email**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-check-mark-icon.png" border="false"::: **Release**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-check-mark-icon.png" border="false"::: **Release email**.
In the **Release email to recipient inboxes** flyout that opens, configure the following options:
In the **Release email to recipient inboxes** flyout that opens, configure the f
- **Remove entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, or a **Specific date** that's less than 30 days. - **Allow entry note**: Enter an optional note that contains additional information.
-When you're finished on the **Release email to recipient inboxes** flyout, click **Release message**.
+When you're finished on the **Release email to recipient inboxes** flyout, select **Release message**.
Back on the **Email** tab, the **Release status** value of the message is **Released**.
If you don't release or remove a message, it's automatically deleted from quaran
After you select the message, use either of the following methods to approve or deny the release request: -- **On the Email tab**: Click ![Approve release icon.](../../media/m365-cc-sc-edit-icon.png) **Approve release** or ![Deny icon.](../../media/m365-cc-sc-edit-icon.png) **Deny**.-- **In the details flyout of the selected message**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** and then select **Approve release** or ![Deny icon.](../../media/m365-cc-sc-edit-icon.png) **Deny release**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Approve release** or :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Deny**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** and then select **Approve release** or :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Deny release**.
-If you click **Approve release**, an **Approve release** flyout opens where you can review information about the message. To approve the request, click **Approve release**. A **Release approved** flyout opens where you can click the link to learn more about releasing messages. Click **Done** when you're finished on the **Release approved** flyout. Back on the **Email** tab, the **Release status** value of the message changes to **Approved**.
+If you select **Approve release**, an **Approve release** flyout opens where you can review information about the message. To approve the request, select **Approve release**. A **Release approved** flyout opens where you can select the link to learn more about releasing messages. Select **Done** when you're finished on the **Release approved** flyout. Back on the **Email** tab, the **Release status** value of the message changes to **Approved**.
-If you click **Deny**, a **Deny release** flyout opens where you can review information about the message. To deny the request, click **Deny release**. A **Release denied** flyout opens where you can click the link to learn more about releasing messages. Click **Done** when you're finished on the **Release denied** flyout. Back on the **Email** tab, the **Release status** value of the message changes to **Denied**.
+If you select **Deny**, a **Deny release** flyout opens where you can review information about the message. To deny the request, select **Deny release**. A **Release denied** flyout opens where you can select the link to learn more about releasing messages. Select **Done** when you're finished on the **Release denied** flyout. Back on the **Email** tab, the **Release status** value of the message changes to **Denied**.
#### Delete email from quarantine
If you don't release or remove a message, it's automatically deleted from quaran
After you select the message, use either of the following methods to remove it: -- **On the Email tab**: Click ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete from quarantine**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete from quarantine**.
In the **Delete (n) messages from quarantine** flyout that opens, use one of the following methods to delete the message: -- Select **Permanently delete the message from quarantine** and then click **Delete**: The message is permanently deleted and isn't recoverable.-- Click **Delete** only: The message is deleted, but is potentially recoverable.
+- Select **Permanently delete the message from quarantine** and then select **Delete**: The message is permanently deleted and isn't recoverable.
+- Select **Delete** only: The message is deleted, but is potentially recoverable.
-After you click **Delete** on the **Delete (n) messages from quarantine** flyout, you return to the **Email** tab where the message is no longer listed.
+After you select **Delete** on the **Delete (n) messages from quarantine** flyout, you return to the **Email** tab where the message is no longer listed.
#### Preview email from quarantine After you select the message, use either of the following methods to preview it: -- **On the Email tab**: Click ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-preview-message-icon.png" border="false"::: **Preview message**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-preview-message-icon.png" border="false"::: **Preview message**.
In the flyout that opens, choose one of the following tabs: - **Source**: Shows the HTML version of the message body with all links disabled.
In the flyout that opens, choose one of the following tabs:
After you select the message, use either of the following methods to view the message headers: -- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message headers**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message headers**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View message headers**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View message headers**.
In the **Message header** flyout that opens, the message header (all header fields) is shown.
-Use ![Copy message header icon.](../../media/m365-cc-sc-copy-icon.png) **Copy message header** to copy the message header to the clipboard.
+Use :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy message header** to copy the message header to the clipboard.
-Click the **Microsoft Message Header Analyzer** link to analyze the header fields and values in depth. Paste the message header into the **Insert the message header you would like to analyze** section (CTRL+V or right-click and choose **Paste**), and then click **Analyze headers**.
+Select the **Microsoft Message Header Analyzer** link to analyze the header fields and values in depth. Paste the message header into the **Insert the message header you would like to analyze** section (CTRL+V or right-click and choose **Paste**), and then select **Analyze headers**.
#### Report email to Microsoft for review from quarantine After you select the message, use either of the following methods to report the message to Microsoft for analysis: -- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Submit for review icon.](../../media/m365-cc-sc-create-icon.png) **Submit for review**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Submit for review icon.](../../media/m365-cc-sc-create-icon.png) **Submit for review**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Submit for review**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Submit for review**.
In the **Submit to Microsoft for analysis** flyout that opens, configure the following options:
In the **Submit to Microsoft for analysis** flyout that opens, configure the fol
- **Add the network message ID or upload the email file**: Select one of the following options: - **Add the email network message ID**: This value is selected by default, with the corresponding value in the box.
- - **Upload the email file (.msg or eml)**: After you select this option, click the ![Browse files icon.](../../media/m365-cc-sc-import-icon.png)**Browse files** button that appears to find and select the .msg or .eml message file to submit.
+ - **Upload the email file (.msg or eml)**: After you select this option, select the :::image type="icon" source="../../media/m365-cc-sc-import-icon.png" border="false":::**Browse files** button that appears to find and select the .msg or .eml message file to submit.
- **Choose a recipient who had an issue**: Select one (preferred) or more original recipients of the message to analyze the policies that were applied to them.
In the **Submit to Microsoft for analysis** flyout that opens, configure the fol
- **Remove block entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, **90 days**, **Never expire**, or a **Specific date**. - **Block entry note**: Enter an optional note that contains additional information.
-When you're finished on the **Submit to Microsoft for analysis** flyout, click **Submit**.
+When you're finished on the **Submit to Microsoft for analysis** flyout, select **Submit**.
> [!TIP] > Users can report false positives to Microsoft from quarantine, depending on the value of the **Reporting from quarantine** setting in [user reported settings](submissions-user-reported-messages-custom-mailbox.md).
The Block senders action adds the sender of the selected email message to the Bl
After you select the message, use either of the following methods to add the message sender to the Blocked Senders list in **your** mailbox: -- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-block-sender-icon.png" border="false"::: **Block sender**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-block-sender-icon.png" border="false"::: **Block sender**.
-In the **Block sender** flyout that opens, review the information about the sender, and then click **Block**.
+In the **Block sender** flyout that opens, review the information about the sender, and then select **Block**.
> [!TIP] > The organization can still receive mail from the blocked sender. Messages from the sender are delivered to user Junk Email folders or to quarantine. To delete messages from the sender upon arrival, use [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to **Block the message**.
You can send a copy of the quarantined email message, including potentially harm
After you select the message, use either of the following methods to send a copy of it to others: -- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Share email icon.](../../media/m365-cc-sc-share-email-icon.png) **Share email**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Share email icon.](../../media/m365-cc-sc-share-email-icon.png) **Share email**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-share-email-icon.png" border="false"::: **Share email**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-share-email-icon.png" border="false"::: **Share email**.
-In the **Share email with other users** flyout that opens, select one or more recipients to receive a copy of the message. When you're finished, click **Share**.
+In the **Share email with other users** flyout that opens, select one or more recipients to receive a copy of the message. When you're finished, select **Share**.
#### Download email from quarantine After you select the email message, use either of the following methods to download it: -- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Download messages icon.](../../media/m365-cc-sc-download-icon.png) **Download messages**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Download messages icon.](../../media/m365-cc-sc-download-icon.png) **Download message**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download messages**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download message**.
In the **Download file** flyout that opens, enter the following information: - **Reason for downloading file**: Enter descriptive text. - **Create password** and **Confirm password**: Enter a password that's required to open the downloaded message file.
-When you're finished on the **Download file** flyout, click **Download**.
+When you're finished on the **Download file** flyout, select **Download**.
When the download is ready, a **Save As** dialog opens for you to view or change the downloaded filename and location. By default, The .eml message file is saved in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
-Accept or change the downloaded file details, and then click **Save**.
+Accept or change the downloaded file details, and then select **Save**.
-Back on the **Download file** flyout, click **Done**.
+Back on the **Download file** flyout, select **Done**.
#### Take action on multiple quarantined email messages
In organizations with Defender for Office 365, admins can manage files that were
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Files** tab. Or, to go directly to the **Files** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Files>.
-On the **Files** tab, you can decrease the vertical spacing in the list by clicking ![Change list spacing to compact or normal icon.](../../media/m365-cc-sc-standard-icon.png) **Change list spacing to compact or normal** and then selecting ![Compact list icon.](../../media/m365-cc-sc-compact-icon.png) **Compact list**.
+On the **Files** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-You can sort the results by clicking on an available column header. Click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+You can sort the results by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
- **User**<sup>\*</sup> - **Location**<sup>\*</sup>: The value is **SharePoint** or **OneDrive**.
You can sort the results by clicking on an available column header. Click ![Cust
- **Detected by** - **Modified by time**
-To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**. The following filters are available in the **Filters** flyout that opens:
+To filter the results, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
- **Time received**: - **Last 24 hours**
To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.
- **Quarantine reason**: The only available value is **Malware**. - **Policy type**: The only available value is **Unknown**.
-When you're finished on the **Filters** flyout, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished on the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and a corresponding value to find specific files by filename. Wildcards aren't supported.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific files by filename. Wildcards aren't supported.
After you've entered the search criteria, press the enter ENTER key to filter the results.
In the details flyout that opens, the following information is available:
To take action on the file, see the next section. > [!TIP]
-> To see details about other quarantined files without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other quarantined files without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
### Take action on quarantined files
This action isn't available for files that have already been released (the **Rel
If you don't release or delete the file from quarantine, the file is removed from quarantine after the default quarantine retention period expires (as shown in the **Expires** column), but the blocked file remains in SharePoint or OneDrive in the blocked state.
-After you select the file, click ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release file** in the file details flyout that opens.
+After you select the file, select :::image type="icon" source="../../media/m365-cc-sc-check-mark-icon.png" border="false"::: **Release file** in the file details flyout that opens.
-In the **Release files and report them to Microsoft** flyout that opens, view the file details in the **Report files to Microsoft for analysis** section, decide whether to select **Report files to Microsoft for analysis**, and then click **Release**.
+In the **Release files and report them to Microsoft** flyout that opens, view the file details in the **Report files to Microsoft for analysis** section, decide whether to select **Report files to Microsoft for analysis**, and then select **Release**.
-In the **Files have been released** flyout that opens, click **Done**.
+In the **Files have been released** flyout that opens, select **Done**.
-Back on the file details flyout, click **Close**.
+Back on the file details flyout, select **Close**.
Back on the **Files** tab, the **Release status** value of the file is **Released**. #### Download quarantined files from quarantine
-After you select the file, click ![Download file icon.](../../media/m365-cc-sc-download-icon.png) **Download file** in the details flyout that opens.
+After you select the file, select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download file** in the details flyout that opens.
In the **Download file** flyout that opens, enter the following information: - **Reason for downloading file**: Enter descriptive text. - **Create password** and **Confirm password**: Enter a password that's required to open the downloaded file.
-When you're finished on the **Download file** flyout, click **Download**.
+When you're finished on the **Download file** flyout, select **Download**.
When the download is ready, a **Save As** dialog opens for you to view or change the downloaded filename and location. By default, The file is saved in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
-Accept or change the downloaded file details, and then click **Save**.
+Accept or change the downloaded file details, and then select **Save**.
-Back on the **Download file** flyout, click **Done**.
+Back on the **Download file** flyout, select **Done**.
#### Delete quarantined files from quarantine If you don't release or delete the file from quarantine, the file is removed from quarantine after the default quarantine retention period expires (as shown in the **Expires** column), but the blocked file remains in SharePoint or OneDrive in the blocked state.
-After you select the file, click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine** in the details flyout that opens.
+After you select the file, select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete from quarantine** in the details flyout that opens.
Select **Continue** in the warning dialog that opens.
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to
:::image type="content" source="../../media/admin-quarantine-teams-message-tab.png" alt-text="Screenshot of the Teams messages tab in quarantine." lightbox="../../media/admin-quarantine-teams-message-tab.png":::
-On the **Teams messages** tab, you can decrease the vertical spacing in the list by clicking ![Change list spacing to compact or normal icon.](../../media/m365-cc-sc-standard-icon.png) **Change list spacing to compact or normal** and then selecting ![Compact list icon.](../../media/m365-cc-sc-compact-icon.png) **Compact list**.
+On the **Teams messages** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-You can sort the results by clicking on an available column header. Click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+You can sort the results by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
- **Teams message text**: Contains the subject for the teams message.<sup>\*</sup> - **Time received**: The time the message was received by the recipient.<sup>\*</sup>
You can sort the results by clicking on an available column header. Click ![Cust
- **Recipient address**: Email address of the recipients.<sup>\*</sup> - **Message ID**: Includes the chat message ID.
-To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**. The following filters are available in the **Filters** flyout that opens:
+To filter the results, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
- **Message ID** - **Sender address**
To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.
- **Quarantine reason**: Available valued are **Malware** and **High confidence phishing**. - **Recipient**: Select **All users** or **Only me**.
-When you're finished on the **Filters** flyout, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished on the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and a corresponding value to find specific Teams messages. Wildcards aren't supported.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific Teams messages. Wildcards aren't supported.
After you find a specific quarantined Teams message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).
In the details flyout that opens, the following information is available:
To take action on the message, see the next section. > [!TIP]
-> To see details about other quarantined messages without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other quarantined messages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
### Take action on quarantined messages in Microsoft Teams
To take action on the message, see the next section.
:::image type="content" source="../../media/admin-quarantine-teams-actions-details.png" alt-text="Screenshot of the actions menu for messages in quarantine." lightbox="../../media/admin-quarantine-teams-actions-details.png":::
- Using either method to select the message, some actions are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**.
+ Using either method to select the message, some actions are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**.
After you select the quarantined message, the available actions are described in the following subsections.
If you don't release or remove a message, it's automatically deleted from quaran
After you select the message, use either of the following methods to release it: -- **On the Teams messages tab**: Click ![Release icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release**.-- **In the details flyout of the selected message**: Click ![Release icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release**.
+- **On the Teams messages tab**: Select :::image type="icon" source="../../media/m365-cc-sc-check-mark-icon.png" border="false"::: **Release**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-check-mark-icon.png" border="false"::: **Release**.
-In the **Release to all chat participants** flyout that opens, decide whether to select **Submit the message to Microsoft to improve detection (false positive)**, and then click **Release**.
+In the **Release to all chat participants** flyout that opens, decide whether to select **Submit the message to Microsoft to improve detection (false positive)**, and then select **Release**.
#### Delete Teams messages from quarantine
If you don't release or remove a Teams message, it's automatically deleted from
After you select the Teams message, use either of the following methods to remove it: -- **On the Teams messages tab**: Click ![Delete messages icon.](../../media/m365-cc-sc-delete-icon.png) **Delete messages**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**.
+- **On the Teams messages tab**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete messages**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete from quarantine**.
-In the warning dialog that opens, read the information and then click **Continue**.
+In the warning dialog that opens, read the information and then select **Continue**.
Back on the **Teams messages** tab, the message is no longer listed.
Back on the **Teams messages** tab, the message is no longer listed.
After you select the Teams message, use either of the following methods to preview it: -- **On the Teams messages tab**: Click ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.
+- **On the Teams messages tab**: Select :::image type="icon" source="../../media/m365-cc-sc-preview-message-icon.png" border="false"::: **Preview message**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: :::image type="icon" source="../../media/m365-cc-sc-preview-message-icon.png" border="false"::: **Preview message**.
In the flyout that opens, choose one of the following tabs: - **Source**: Shows the HTML version of the message body with all links disabled.
In the flyout that opens, choose one of the following tabs:
After you select the message, use either of the following methods to report the message to Microsoft for analysis: -- **On the Teams messages tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Submit for review icon.](../../media/m365-cc-sc-create-icon.png) **Submit for review**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Submit for review icon.](../../media/m365-cc-sc-create-icon.png) **Submit for review**.
+- **On the Teams messages tab**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Submit for review**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Submit for review**.
-When you click **Submit message**, the message is sent to Microsoft for analysis. You receive an **Item** submitted dialog where you click **OK**.
+When you select **Submit message**, the message is sent to Microsoft for analysis. You receive an **Item** submitted dialog where you select **OK**.
#### Download Teams messages from quarantine After you select the Teams message, use either of the following methods to download it: -- **On the Teams messages tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Download messages icon.](../../media/m365-cc-sc-download-icon.png) **Download messages**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Download messages icon.](../../media/m365-cc-sc-download-icon.png) **Download message**.
+- **On the Teams messages tab**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download messages**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download message**.
In the **Download messages** flyout that opens, enter the following information: - **Reason for downloading file**: Enter descriptive text. - **Create password** and **Confirm password**: Enter a password that's required to open the downloaded message file.
-When you're finished on the **Download file** flyout, click **Download**.
+When you're finished on the **Download file** flyout, select **Download**.
By default, The .html message file is saved in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
-Back on the **Download messages** flyout, click **Done**.
+Back on the **Download messages** flyout, select **Done**.
#### Take action on multiple quarantined Teams messages
security Quarantine End User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-end-user.md
You view and manage your quarantined messages in the Microsoft 365 Defender port
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Email** tab. Or, to go directly to the **Email** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Email>.
-On the **Email** tab, you can decrease the vertical spacing in the list by clicking ![Change list spacing to compact or normal icon.](../../media/m365-cc-sc-standard-icon.png) **Change list spacing to compact or normal** and then selecting ![Compact list icon.](../../media/m365-cc-sc-compact-icon.png) **Compact list**.
+On the **Email** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-You can sort the results by clicking on an available column header. Click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+You can sort the results by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
- **Time received**<sup>\*</sup> - **Subject**<sup>\*</sup>
You can sort the results by clicking on an available column header. Click ![Cust
- **Mail direction** - **Recipient tag**
-To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**. The following filters are available in the **Filters** flyout that opens:
+To filter the results, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
- **Message ID**: The globally unique identifier of the message. - **Sender address**
To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.
- **Anti-spam policy** - **Transport rule** (mail flow rule)
-When you're finished on the **Filters** flyout, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+When you're finished on the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
- Sender email address - Subject. Use the entire subject of the message. The search isn't case-sensitive.
After you've entered the search criteria, press the enter ENTER key to filter th
After you find a specific quarantined message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message). > [!TIP]
-> On mobile devices, the previously described controls are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**.
+> On mobile devices, the previously described controls are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**.
> > :::image type="content" source="../../media/quarantine-user-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and then selecting More on a mobile device." lightbox="../../media/quarantine-user-message-main-page-mobile-actions.png":::
In the details flyout that opens, the following information is available:
- **Policy type** - **Policy name** - **Recipient count**
- - **Recipients**: If the message contains multiple recipients, you might need to click **...** \> **Preview message** or ***...** \> **View message header** to see the complete list of recipients.
+ - **Recipients**: If the message contains multiple recipients, you might need to select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: \> **Preview message** or :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: \> **View message header** to see the complete list of recipients.
- **Email details** section: - **Sender address** - **Time received**
In the details flyout that opens, the following information is available:
To take action on the message, see the next section. > [!TIP]
-> To see details about other quarantined messages without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
+> To see details about other quarantined messages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
## Take action on quarantined email
To take action on the message, see the next section.
:::image type="content" source="../../media/quarantine-user-message-details-flyout-actions.png" alt-text="The available actions in the details flyout of a quarantined message" lightbox="../../media/quarantine-user-message-details-flyout-actions.png":::
- Using either method to select the message, some actions are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** or **More options**.
+ Using either method to select the message, some actions are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** or **More options**.
After you select the quarantined message, the available actions are described in the following subsections. > [!TIP] > On mobile devices, the action experience is slightly different: >
-> - When you select the message by selecting the check box, all actions are under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**:
+> - When you select the message by selecting the check box, all actions are under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**:
> > :::image type="content" source="../../media/quarantine-user-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and then selecting More on a mobile device." lightbox="../../media/quarantine-user-message-main-page-mobile-actions.png"::: >
-> - When you select the message by clicking anywhere other than the check box, most options are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** in the details flyout:
+> - When you select the message by clicking anywhere in the row other than the check box, most options are available under :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** in the details flyout:
> > :::image type="content" source="../../media/quarantine-user-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions shown." lightbox="../../media/quarantine-user-message-details-flyout-mobile-actions.png":::
If you don't release or remove a message, it's automatically deleted from quaran
After you select the message, use either of the following methods to release it (deliver it to your mailbox): -- **On the Email tab**: Click ![Release icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release**.-- **In the details flyout of the selected message**: Click ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release email**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-check-mark-icon.png" border="false"::: **Release**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-check-mark-icon.png" border="false"::: **Release email**.
-In the **Release message to your Inbox** flyout that opens, select **Report message as having no threats** as appropriate, and then click **Release message**.
+In the **Release message to your Inbox** flyout that opens, select **Report message as having no threats** as appropriate, and then select **Release message**.
-When you're finished on the **Release message to your Inbox** flyout, click **Release message**.
+When you're finished on the **Release message to your Inbox** flyout, select **Release message**.
-In the **Messages released to your Inbox** flyout that opens, click **Done**.
+In the **Messages released to your Inbox** flyout that opens, select **Done**.
Back on the **Email** tab, the **Release status** value of the message is **Released**.
If you don't release or remove a message, it's automatically deleted from quaran
After you select the message, use either of the following methods to request its release: -- **On the Email tab**: Click ![Request release icon.](../../media/m365-cc-sc-edit-icon.png) **Request release**.-- **In the details flyout of the selected message**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Request release icon.](../../media/m365-cc-sc-edit-icon.png) **Request release**..
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Request release**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Request release**..
-In the **Request release** flyout that opens, review the information, click **Request release**. In the **Release requested** flyout that opens, click **Done**.
+In the **Request release** flyout that opens, review the information, select **Request release**. In the **Release requested** flyout that opens, select **Done**.
Back on the **Quarantine page**, the **Release status** value of the message is **Release requested**. An admin will review your request and approve it or deny it.
If you don't release or remove a message, it's automatically deleted from quaran
After you select the message, use either of the following methods to remove it: -- **On the Email tab**: Click ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete messages**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete messages**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete from quarantine**.
In the **Delete (n) messages from quarantine** flyout that opens, use one of the following methods to delete the message: -- Select **Permanently delete the message from quarantine** and then click **Delete**: The message is permanently deleted and isn't recoverable.-- Click **Delete** only: The message is deleted, but is potentially recoverable.
+- Select **Permanently delete the message from quarantine** and then select **Delete**: The message is permanently deleted and isn't recoverable.
+- Select **Delete** only: The message is deleted, but is potentially recoverable.
-After you click **Delete** on the **Delete (n) messages from quarantine** flyout, you return to the **Email** tab where the message is no longer listed.
+After you select **Delete** on the **Delete (n) messages from quarantine** flyout, you return to the **Email** tab where the message is no longer listed.
### Preview email from quarantine After you select the message, use either of the following methods to preview it: -- **On the Email tab**: Click ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-preview-message-icon.png" border="false"::: **Preview message**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-preview-message-icon.png" border="false"::: **Preview message**.
In the flyout that opens, choose one of the following tabs: - **Source**: Shows the HTML version of the message body with all links disabled.
In the flyout that opens, choose one of the following tabs:
After you select the message, use either of the following methods to view the message headers: -- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message headers**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message headers**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View message headers**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View message headers**.
In the **Message header** flyout that opens, the message header (all header fields) is shown.
-Use ![Copy message header icon.](../../media/m365-cc-sc-copy-icon.png) **Copy message header** to copy the message header to the clipboard.
+Use :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy message header** to copy the message header to the clipboard.
-Click the **Microsoft Message Header Analyzer** link to analyze the header fields and values in depth. Paste the message header into the **Insert the message header you would like to analyze** section (CTRL+V or right-click and choose **Paste**), and then click **Analyze headers**.
+Select the **Microsoft Message Header Analyzer** link to analyze the header fields and values in depth. Paste the message header into the **Insert the message header you would like to analyze** section (CTRL+V or right-click and choose **Paste**), and then select **Analyze headers**.
### Block email senders from quarantine
The Block senders action adds the message sender to the Blocked Senders list in
After you select the message, use either of the following methods to add the message sender to the Blocked Senders list in your mailbox: -- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**.-- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**.
+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** \> :::image type="icon" source="../../media/m365-cc-sc-block-sender-icon.png" border="false"::: **Block sender**.
+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options** \> :::image type="icon" source="../../media/m365-cc-sc-block-sender-icon.png" border="false"::: **Block sender**.
-In the **Block sender** flyout that opens, review the information about the sender, and then click **Block**.
+In the **Block sender** flyout that opens, review the information about the sender, and then select **Block**.
> [!TIP] > The organization can still receive mail from the blocked sender. Messages from the sender are delivered to user Junk Email folders or to quarantine. To delete messages from the sender upon arrival, an admin can use [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to **Block the message**.
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
You create and assign quarantine policies in the Microsoft 365 Defender portal o
:::image type="content" source="../../medio-quarantine-policy-page.png":::
-2. On the **Quarantine policies** page, click ![Add custom policy icon.](../../media/m365-cc-sc-create-icon.png) **Add custom policy** to start the new quarantine policy wizard.
+2. On the **Quarantine policies** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add custom policy** to start the new quarantine policy wizard.
3. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. The policy name is selectable in drop-down lists in upcoming steps.
- When you're finished on the **Policy name** page, click **Next**.
+ When you're finished on the **Policy name** page, select **Next**.
4. On the **Recipient message access** page, select one of the following values: - **Limited access**: The individual permissions that are included in this permission group are described in the [Appendix](#appendix) section. Basically, users can do anything to their quarantined messages except release them from quarantine without admin approval.
You create and assign quarantine policies in the Microsoft 365 Defender portal o
These permissions and their effect on quarantined messages and in quarantine notifications are described in the [Quarantine policy permission details](#quarantine-policy-permission-details) section later in this article.
- When you're finished on the **Recipient message access** page, click **Next**.
+ When you're finished on the **Recipient message access** page, select **Next**.
5. On the **Quarantine notification** page, select **Enable** to turn on quarantine notifications. > [!NOTE]
- > If you turn on quarantine notifications for **No access** permissions (on the **Recipient message access** page, you selected **Set specific access (Advanced)** \> **Select release action preference** \> blank), users can view their messages in quarantine, but the only available action for the messages is ![View message headers icon.](../../medi#view-email-message-headers).
+ > If you turn on quarantine notifications for **No access** permissions (on the **Recipient message access** page, you selected **Set specific access (Advanced)** \> **Select release action preference** \> blank), users can view their messages in quarantine, but the only available action for the messages is :::image type="icon" source="../../medi#view-email-message-headers).
- When you're finished on the **Quarantine notification** page, click **Next**.
+ When you're finished on the **Quarantine notification** page, select **Next**.
-6. On the **Review policy** page, you can review your selections. Click **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+6. On the **Review policy** page, you can review your selections. Select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- When you're finished on the **Review policy** page, click **Submit**, and then click **Done** in the confirmation page.
+ When you're finished on the **Review policy** page, select **Submit**, and then select **Done** in the confirmation page.
7. On the confirmation page that appears, you can use the links to review quarantined messages or go to the **Anti-spam policies** page in the Defender portal.
- When you're finished on the page, click **Done**.
+ When you're finished on the page, select **Done**.
Back on the **Quarantine policy** page, the policy that you created is now listed. You're ready to assign the quarantine policy to a supported security feature as described in the [Step 2](#step-2-assign-a-quarantine-policy-to-supported-features) section.
New-QuarantinePolicy -Name "<UniqueName>" -EndUserQuarantinePermissionsValue <0
|PermissionToPreview|2|00000010| |PermissionToDelete|1|00000001|
- ┬╣ The value 0 for this permission doesn't hide the ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message header** action in quarantine. If the message is visible to a user in quarantine, the action is always available for the message.
+ ┬╣ The value 0 for this permission doesn't hide the :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View message header** action in quarantine. If the message is visible to a user in quarantine, the action is always available for the message.
┬▓ This permission isn't used (the value 0 or 1 does nothing).
New-QuarantinePolicy -Name "<UniqueName>" -EndUserQuarantinePermissionsValue <0
|Binary value|00011011| |Decimal value to use|27| -- If you set the _ESNEnabled_ parameter to the value `$true` when the value of the _EndUserQuarantinePermissionsValue_ parameter is 0 (**No access** where all permissions are turned off), users can see their messages in quarantine, but the only available action for the messages is ![View message headers icon.](../../medi#view-email-message-headers).
+- If you set the _ESNEnabled_ parameter to the value `$true` when the value of the _EndUserQuarantinePermissionsValue_ parameter is 0 (**No access** where all permissions are turned off), users can see their messages in quarantine, but the only available action for the messages is :::image type="icon" source="../../medi#view-email-message-headers).
This example creates a new quarantine policy named LimitedAccess with quarantine notifications turned on that assigns the Limited access permissions as described in the previous table.
The rest of this step explains how to assign quarantine policies for supported f
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Ant-spam policies** page, use <https://security.microsoft.com/antispam>. 2. On the **Anti-spam policies** page, use either of the following methods:
- - Select an existing **inbound** anti-spam policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, go to the **Actions** section and then click **Edit actions**.
- - Click ![Create policy icon.](../../media/m365-cc-sc-create-icon.png) **Create policy**, select **Inbound** from the drop down list to start the new anti-spam policy wizard, and then get to the **Actions** page.
+ - Select an existing **inbound** anti-spam policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, go to the **Actions** section and then select **Edit actions**.
+ - Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create policy**, select **Inbound** from the drop down list to start the new anti-spam policy wizard, and then get to the **Actions** page.
3. On the **Actions** page or flyout, every verdict that has the **Quarantine message** action selected also has the **Select quarantine policy** box for you to select a quarantine policy.
Spoof intelligence is available in EOP and Defender for Office 365. User imperso
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Or, to go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>. 2. On the **Anti-phishing** page, use either of the following methods:
- - Select an existing anti-phishing policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, click the **Edit** link in the relevant section as described in the next steps.
- - Click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Create** to start the new anti-phishing policy wizard. The relevant pages are described in the next steps.
+ - Select an existing anti-phishing policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, select the **Edit** link in the relevant section as described in the next steps.
+ - Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to start the new anti-phishing policy wizard. The relevant pages are described in the next steps.
3. On the **Phishing threshold & protection** page or flyout, verify that the following settings are turned on and configured as required: - **Enabled users to protect**: Specify users.
For detailed syntax and parameter information, see [Set-AntiPhishPolicy](/powers
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-malware** in the **Policies** section. Or, to go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>. 2. On the **Anti-malware** page, use either of the following methods:
- - Select an existing anti-malware policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, go to the **Protection settings** section, and then click the **Edit protection settings**.
- - Click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Create** to start the new anti-malware policy wizard and get to the **Protection settings** page.
+ - Select an existing anti-malware policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, go to the **Protection settings** section, and then select **Edit protection settings**.
+ - Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to start the new anti-malware policy wizard and get to the **Protection settings** page.
3. On the **Protection settings** page or flyout, view or select a quarantine policy in the **Quarantine policy** box.
For detailed syntax and parameter information, see [Set-MalwareFilterPolicy](/po
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>. 2. On the **Safe Attachments** page, use either of the following methods:
- - Select an existing Safe Attachments policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, click the **Edit settings** link in **Settings** section.
- - Click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Create** to start the new Safe Attachments policy wizard and get to the **Settings** page.
+ - Select an existing Safe Attachments policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, select the **Edit settings** link in **Settings** section.
+ - Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to start the new Safe Attachments policy wizard and get to the **Settings** page.
3. On the **Settings** page or flyout, view or select a quarantine policy in the **Quarantine policy** box.
If you'd rather use PowerShell to assign quarantine policies in Safe Attachments
Get-SafeAttachmentPolicy | Format-List Name,Enable,Action,QuarantineTag ``` -- A new Safe Attachments policy in PowerShell requires a safe attachment policy using the **New-SafeAttachmentPolicy** cmdlet (settings), and an exclusive safe attachment rule using the **New-SafeAttachmentRule** cmdlet (recipient filters). For instructions, see [Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Attachments policies](safe-attachments-policies-configure.md#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-safe-attachments-policies).
+- A new Safe Attachments policy in PowerShell requires a safe attachment policy using the **New-SafeAttachmentPolicy** cmdlet (settings), and an exclusive safe attachment rule using the **New-SafeAttachmentRule** cmdlet (recipient filters). For instructions, see [Use Exchange Online PowerShell to configure Safe Attachments policies](safe-attachments-policies-configure.md#use-exchange-online-powershell-to-configure-safe-attachments-policies).
This example creates a safe attachment policy named Research Department that blocks detected messages and uses the custom quarantine policy named ContosoNoAccess that assigns **No access** permissions to the quarantined messages.
To create customized quarantine notifications for up to three languages, do the
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
-2. On the **Quarantine policies** page, click ![Global settings icon.](../../media/m365-cc-sc-gear-icon.png) **Global settings**.
+2. On the **Quarantine policies** page, select :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Global settings**.
3. In the **Quarantine notification settings** flyout that opens, do the following steps:
To create customized quarantine notifications for up to three languages, do the
Although this box is in the middle of the page, you need to select it first. If you enter values in the **Sender display name**, **Subject**, or **Disclaimer** boxes before you select the language value, the other values are removed and you start over when you select the language value.
- 2. Enter values for **Sender display name**, **Subject**, and **Disclaimer**. The values must be unique for each language. If you try to reuse a value in a different language, you'll get an error when you click **Save**.
- 3. Click the **Add** button.
+ 2. Enter values for **Sender display name**, **Subject**, and **Disclaimer**. The values must be unique for each language. If you try to reuse a value in a different language, you'll get an error when you select **Save**.
+ 3. Select the **Add** button.
4. Repeat the previous steps to create a maximum of three customized quarantine notifications based on the recipient's language. An unlabeled box shows the languages that you've configured: :::image type="content" source="../../media/quarantine-tags-esn-customization-selected-languages.png" alt-text="The selected languages in the global quarantine notification settings of quarantine policies." lightbox="../../media/quarantine-tags-esn-customization-selected-languages.png":::
- Click the language value in the box to edit the settings for that language. Click ![Remove selection icon.](../../media/m365-cc-sc-remove-selection-icon.png) to remove the language.
+ Select the language value in the box to edit the settings for that language. Select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: to remove the language.
-4. When you're finished on the **Quarantine notifications** flyout, click **Save**.
+4. When you're finished on the **Quarantine notifications** flyout, select **Save**.
:::image type="content" source="../../medio-quarantine-policy-quarantine-notification-settings.png":::
Even if you don't customize quarantine notifications for different languages, se
- **Send end-user spam notification every (days)**: Select the frequency for quarantine notifications. The default value is 3 days, but you can select 1 to 15 days.
-When you're finished in the **Quarantine notifications flyout**, click **Save**.
+When you're finished in the **Quarantine notifications flyout**, select **Save**.
### Use PowerShell to configure global quarantine notification settings
For detailed syntax and parameter information, see [Set-QuarantinePolicy](/power
3. To view the settings of default or custom quarantine policies, select the policy by clicking anywhere in the row other than the check box next to the name. Details are available in the flyout that opens.
-4. To view the global settings, click **Global settings**
+4. To view the global settings, select **Global settings**
### View quarantine policies in PowerShell
You can't modify the default quarantine policies named AdminOnlyAccessPolicy, De
2. On the **Quarantine policies** page, select the policy by clicking the check box next to the name.
-3. Click the ![Edit policy icon.](../../media/m365-cc-sc-edit-icon.png) **Edit policy** action that appears.
+3. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit policy** action that appears.
The policy wizard opens with the settings and values of the selected quarantine policy. The steps are virtually the same as described in the [Create quarantine policies in the Microsoft 365 Defender portal](#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal) section. The main difference is: you can't rename an existing policy.
For detailed syntax and parameter information, see [Set-QuarantinePolicy](/power
2. On the **Quarantine policies** page, select the policy by clicking the check box next to the name.
-3. Click the ![Delete policy icon.](../../media/m365-cc-sc-delete-icon.png) **Delete policy** action that appears.
+3. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** action that appears.
-4. Click **Remove policy** in the confirmation dialog.
+4. Select **Remove policy** in the confirmation dialog.
### Remove quarantine policies in PowerShell
The relationship between permissions, permissions groups, and the default quaran
|DefaultFullAccessWithNotificationPolicy⁴|Full access|Yes| |NotificationEnabledPolicy⁵|Full access|Yes|
-┬╣ This permission isn't available in the Defender portal. Turning off the permission in PowerShell doesn't affect the availability of the ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message header** action on quarantined messages. If the message is visible to a user in quarantine, the action is always available for the message.
+┬╣ This permission isn't available in the Defender portal. Turning off the permission in PowerShell doesn't affect the availability of the :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View message header** action on quarantined messages. If the message is visible to a user in quarantine, the action is always available for the message.
┬▓ The **Preview** permission is unrelated to the **Review message** action that's available in quarantine notifications.
The effect of **No access** permissions (admin only access) on user capabilities
- **In quarantine notifications**: Users don't receive quarantine notifications for the messages. - **Quarantine notifications turned on**:
- - **On the Quarantine page**: Quarantined messages are visible to users, but the only available action is ![View message headers icon.](../../medi#view-email-message-headers).
+ - **On the Quarantine page**: Quarantined messages are visible to users, but the only available action is :::image type="icon" source="../../medi#view-email-message-headers).
- **In quarantine notifications**: Users receive quarantine notifications, but the only available action is **Review message**. ##### Limited access
The effect of **No access** permissions (admin only access) on user capabilities
If the quarantine policy assigns **Limited access** permissions, users get the following capabilities: - **On the Quarantine page and in the message details in quarantine**: The following actions are available:
- - ![Request release icon.](../../medi#request-the-release-of-quarantined-email) (the difference from **Full access** permissions)
- - ![Delete icon.](../../medi#delete-email-from-quarantine)
- - ![Preview message icon.](../../medi#preview-email-from-quarantine)
- - ![View message headers icon.](../../medi#view-email-message-headers)
- - ![Block sender icon.](../../medi#block-email-senders-from-quarantine)
+ - :::image type="icon" source="../../medi#request-the-release-of-quarantined-email) (the difference from **Full access** permissions)
+ - :::image type="icon" source="../../medi#delete-email-from-quarantine)
+ - :::image type="icon" source="../../medi#preview-email-from-quarantine)
+ - :::image type="icon" source="../../medi#view-email-message-headers)
+ - :::image type="icon" source="../../medi#block-email-senders-from-quarantine)
- **In quarantine notifications**: The following actions are available: - **Review message**
If the quarantine policy assigns **Limited access** permissions, users get the f
If the quarantine policy assigns **Full access** permissions (all available permissions), users get the following capabilities: - **On the Quarantine page and in the message details in quarantine**: The following actions are available:
- - ![Release icon.](../../medi#release-quarantined-email) (the difference from **Limited access** permissions)
- - ![Delete icon.](../../medi#delete-email-from-quarantine)
- - ![Preview message icon.](../../medi#preview-email-from-quarantine)
- - ![View message headers icon.](../../medi#view-email-message-headers)
- - ![Block sender icon.](../../medi#block-email-senders-from-quarantine)
+ - :::image type="icon" source="../../medi#release-quarantined-email) (the difference from **Limited access** permissions)
+ - :::image type="icon" source="../../medi#delete-email-from-quarantine)
+ - :::image type="icon" source="../../medi#preview-email-from-quarantine)
+ - :::image type="icon" source="../../medi#view-email-message-headers)
+ - :::image type="icon" source="../../medi#block-email-senders-from-quarantine)
- **In quarantine notifications**: The following actions are available: - **Review message**
The **Block sender** permission (_PermissionToBlockSender_) allows users to add
If the **Block sender** permission is enabled: -- ![Block sender icon.](../../medi#block-email-senders-from-quarantine) is available on the **Quarantine** page and in the message details in quarantine.
+- :::image type="icon" source="../../medi#block-email-senders-from-quarantine) is available on the **Quarantine** page and in the message details in quarantine.
- **Blocked sender** is available in quarantine notifications. For this permission to work correctly in quarantine notifications, users need to be enabled for remote PowerShell. For instructions, see [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell).
The **Delete** permission (_PermissionToDelete_) allows users to delete their ow
If the **Delete** permission is enabled: -- ![Delete icon.](../../medi#delete-email-from-quarantine) is available on the **Quarantine** page and in the message details in quarantine.
+- :::image type="icon" source="../../medi#delete-email-from-quarantine) is available on the **Quarantine** page and in the message details in quarantine.
- No effect in quarantine notifications. Deleting a quarantined message from the quarantine notification is not possible. If the **Delete** permission is disabled, users can't delete their own messages from quarantine (the action isn't available).
The **Preview** permission (_PermissionToPreview_) allows users to preview their
If the **Preview** permission is enabled: -- ![Preview message icon.](../../medi#preview-email-from-quarantine) is available on the **Quarantine** page and in the message details in quarantine.
+- :::image type="icon" source="../../medi#preview-email-from-quarantine) is available on the **Quarantine** page and in the message details in quarantine.
- No effect in quarantine notifications. Previewing a quarantined message from the quarantine notification isn't possible. The **Review message** action in quarantine notifications takes users to the details flyout of the message in quarantine where they can preview the message. If the **Preview** permission is disabled, users can't preview their own messages in quarantine (the action isn't available).
The **Allow recipients to release a message from quarantine** permission (_Permi
If the **Allow recipients to release a message from quarantine** permission is enabled: -- ![Release icon.](../../medi#release-quarantined-email) is available on the **Quarantine** page and in the message details in quarantine.
+- :::image type="icon" source="../../medi#release-quarantined-email) is available on the **Quarantine** page and in the message details in quarantine.
- **Release** is available in quarantine notifications. If the **Allow recipients to release a message from quarantine** permission is disabled, users can't release their own messages from quarantine or in quarantine notifications (the action isn't available).
The **Allow recipients to request a message to be released from quarantine** per
If the **Allow recipients to request a message to be released from quarantine** permission is enabled: -- ![Request release icon.](../../medi#request-the-release-of-quarantined-email) is available on the **Quarantine** page and in the message details in quarantine.
+- :::image type="icon" source="../../medi#request-the-release-of-quarantined-email) is available on the **Quarantine** page and in the message details in quarantine.
- **Request release** is available in quarantine notifications. If the **Allow recipients to request a message to be released from quarantine** permission is disabled, users can't request the release of their own messages from quarantine or in quarantine notifications (the action isn't available).
security Quarantine Quarantine Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-quarantine-notifications.md
The actions that are available for messages in the quarantine notification depen
- **Review message**: Available for all messages in quarantine notifications.
- Selecting the action takes you to the details flyout of the message in quarantine. It's the same result as going to the **Email** tab on the **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Email>, and selecting the message by clicking anywhere other than the check box next to the first column. For more information, see [View quarantined message details](quarantine-end-user.md#view-quarantined-message-details).
+ Selecting the action takes you to the details flyout of the message in quarantine. It's the same result as going to the **Email** tab on the **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Email>, and selecting the message by clicking anywhere in the row other than the check box next to the first column. For more information, see [View quarantined message details](quarantine-end-user.md#view-quarantined-message-details).
- **Release**: Available for messages that were quarantined by features using a quarantine policy with the **Full access** permission group or the individual **Allow recipients to release a message from quarantine** (_PermissionToRelease_) permission. For example, DefaultFullAccessWithNotificationPolicy, NotificationEnabledPolicy, or custom quarantine policies.
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
description: What are best practices for Exchange Online Protection (EOP) and Defender for Office 365 security settings? What's the current recommendations for standard protection? What should be used if you want to be more strict? And what extras do you get if you also use Defender for Office 365? Previously updated : 4/12/2023 Last updated : 4/20/2023 # Recommended settings for EOP and Microsoft Defender for Office 365 security
This article describes the default settings, and also the recommended Standard a
> > - [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md) > - [About junk email settings in Outlook](configure-junk-email-settings-on-exo-mailboxes.md#about-junk-email-settings-in-outlook)
-> - [Change the level of protection in the Junk Email Filter](https://support.microsoft.com/en-us/office/e89c12d8-9d61-4320-8c57-d982c8d52f6b)
+> - [Change the level of protection in the Junk Email Filter](https://support.microsoft.com/office/e89c12d8-9d61-4320-8c57-d982c8d52f6b)
> - [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md) > - [Create blocked sender lists in EOP](create-block-sender-lists-in-office-365.md)
To create and configure anti-malware policies, see [Configure anti-malware polic
Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
-The policy named AdminOnlyAccessPolicy enforces the historical capabilities for messages that were quarantined as malware as described in the table [here](quarantine-end-user.md).
+The policy named AdminOnlyAccessPolicy enforces the historical capabilities for messages that were quarantined as malware as described in the table [here](quarantine-end-user.md).
Users can't release their own messages that were quarantined as malware, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages.
In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchang
Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
-The **Quarantine policy** value is blank when you create a new Safe Attachments policy in the Defender portal. This blank value means the default quarantine policy named AdminOnlyAccessPolicy is used. This policy enforces the historical capabilities for messages that were quarantined as malware by Safe Attachments as described in the table [here](quarantine-end-user.md).
+The policy named AdminOnlyAccessPolicy enforces the historical capabilities for messages that were quarantined as malware as described in the table [here](quarantine-end-user.md).
Users can't release their own messages that were quarantined as malware by Safe Attachments, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages.
Although there's no default Safe Links policy, the **Built-in protection** prese
#### Global settings for Safe Links > [!NOTE]
-> The global settings for Safe Links are set by the **Built-in protection** preset security policy, but not by the **Standard** or **Strict** preset security policies. Either way, admins can modify these global Safe Links settings at any time.
+> The only available global setting for Safe Links is the "Block the following URLs" list. As of April 1 2023, the "Block the following URLs" list for Safe Links no longer works. For more information, see [MC373880](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC373880). Instead, use [block entries for URLs in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). Messages that are blocked by URL entries in the Tenant Allow/Block List are quarantined as high confidence phishing.
>
-> The **Default** column shows the values before the existence of the **Built-in protection** preset security policy. The **Built-in protection** column shows the values that are set by the **Built-in protection** preset security policy, which are also our recommended values.
-
-To configure these settings, see [Configure global settings for Safe Links in Defender for Office 365](safe-links-policies-global-settings-configure.md).
-
-In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/set-atppolicyforo365) cmdlet for these settings.
-
-|Security feature name|Default|Built-in protection|Comment|
-||::|::||
-|**Block the following URLs** <br><br> _ExcludedUrls_|Blank <br><br> `$null`|Blank <br><br> `$null`|We have no specific recommendation for this setting. <br><br> For more information, see ["Block the following URLs" list for Safe Links](safe-links-about.md#block-the-following-urls-list-for-safe-links). <br><br> **Note**: You can now manage block URL entries in the [Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.|
+> To see and remove any leftover URL entries in the "Block the following URLs list, see [Configure the "Block the following URLs" list for Safe Links in Defender for Office 365](safe-links-policies-global-settings-configure.md).
#### Safe Links policy settings
security Safe Attachments For Spo Odfb Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about.md
description: Learn about Microsoft Defender for Office 365 for files in SharePoint Online, OneDrive for Business, and Microsoft Teams. Previously updated : 12/05/2022 Last updated : 4/20/2023 # Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Last updated 12/05/2022
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in [Microsoft Defender for Office 365](defender-for-office-365-whats-new.md) provides an additional layer of protection for files that have already been scanned asynchronously by the [common virus detection engine in Microsoft 365](anti-malware-protection-for-spo-odfb-teams-about.md). Safe Attachments for SharePoint, OneDrive, and Microsoft Teams helps detect and block existing files that are identified as malicious in team sites and document libraries.
+In organizations with Microsoft Defender for Office 365, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams provides an additional layer of protection against malware. After files are asynchronously scanned by the [common virus detection engine in Microsoft 365](anti-malware-protection-for-spo-odfb-teams-about.md), Safe Attachments opens files in a virtual environment to see what happens (a process known as _detonation_). Safe Attachments for SharePoint, OneDrive, and Microsoft Teams also helps detect and block existing files that are identified as malicious in team sites and document libraries.
-Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is not enabled by default. To turn it on, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-configure.md).
+Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled by default. To turn it on or off, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-configure.md).
## How Safe Attachments for SharePoint, OneDrive, and Microsoft Teams works
When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled a
:::image type="content" source="../../media/2bba71cc-7ad1-4799-8b9d-d56f923db3a7.png" alt-text="The files in OneDrive for Business with one detected as malicious" lightbox="../../media/2bba71cc-7ad1-4799-8b9d-d56f923db3a7.png":::
-Although the blocked file is still listed in the document library and in web, mobile, or desktop applications, people can't open, copy, move, or share the file. But they can delete the blocked file.
+Although the blocked file is still listed in the document library and in web, mobile, or desktop applications, people can't open, copy, move, or share the file. But, they can delete the blocked file.
Here's an example of what a blocked file looks like on a mobile device:
To learn more about the user experience when a file has been detected as malicio
## View information about malicious files detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
-Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams will show up in [reports for Microsoft Defender for Office 365](reports-defender-for-office-365.md) and in [Explorer (and real-time detections)](threat-explorer-about.md).
+Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams appear in [reports for Microsoft Defender for Office 365](reports-defender-for-office-365.md) and in [Explorer (and real-time detections)](threat-explorer-about.md).
When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine, but only to admins. For more information, see [Manage quarantined files in Defender for Office 365](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-files-in-defender-for-office-365). ## Keep these points in mind -- Defender for Office 365 will not scan every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams. This is by design. Files are scanned asynchronously. The process uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.
+- Defender for Office 365 doesn't scan every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams. This behavior is by design. Files are scanned asynchronously. The process uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.
-- Make sure your SharePoint sites are configured to use the [Modern experience](/sharepoint/guide-to-sharepoint-modern-experience). Defender for Office 365 protection applies whether the Modern experience or the Classic view is used; however, visual indicators that a file is blocked are available only in the Modern experience.
+- Make sure your SharePoint sites are configured to use the [Modern experience](/sharepoint/guide-to-sharepoint-modern-experience). Visual indicators that a file is blocked are available only in the Modern experience.
- Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is part of your organization's overall threat protection strategy, which includes anti-spam and anti-malware protection in Exchange Online Protection (EOP), as well as Safe Links and Safe Attachments in Microsoft Defender for Office 365. To learn more, see [Protect against threats in Office 365](protect-against-threats.md).
security Safe Attachments For Spo Odfb Teams Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure.md
- seo-marvel-apr2020 Previously updated : 12/05/2022 Last updated : 4/20/2023 # Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Last updated 12/05/2022
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. For more information, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).
+In organizations with Microsoft Defender for Office 365, Safe Attachments for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. For more information, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).
-This article contains the steps for enabling and configuring Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
+You turn on or turn off Safe Attachments for Office 365 for SharePoint, OneDrive, and Microsoft Teams in the Microsoft 365 Defender portal or in Exchange Online PowerShell.
## What do you need to know before you begin? - You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+ - To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](mdo-portal-permissions.md). - To use SharePoint Online PowerShell to prevent people from downloading malicious files, you need to be member of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) or [SharePoint Administrator](/azure/active-directory/roles/permissions-reference#sharepoint-administrator) roles in Azure AD.
This article contains the steps for enabling and configuring Safe Attachments fo
## Step 1: Use the Microsoft 365 Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
-2. On the **Safe Attachments** page, click **Global settings**.
+2. On the **Safe Attachments** page, select :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Global settings**.
-3. In the **Global settings** fly out that appears, go to the **Protect files in SharePoint, OneDrive, and Microsoft Teams** section.
+3. In the **Global settings** flyout that opens, go to the **Protect files in SharePoint, OneDrive, and Microsoft Teams** section.
Move the **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** toggle to the right ![Toggle on.](../../media/scc-toggle-on.png) to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
- When you're finished, click **Save**.
+ When you're finished in the **Global settings** flyout, select **Save**.
### Use Exchange Online PowerShell to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
For detailed syntax and parameter information, see [Set-SPOTenant](/powershell/m
## Step 3 (Recommended) Use the Microsoft 365 Defender portal to create an alert policy for detected files
-You can create an alert policy that notifies you and other admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alerts, see [Alert policies](../../compliance/alert-policies.md).
+You can create an alert policy that notifies admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alert policies, see [Alert policies](../../compliance/alert-policies.md).
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Alert policy**. To go directly to the **Alert policy** page, use <https://security.microsoft.com/alertpolicies>.
-2. On the **Alert policy** page, click **New alert policy**.
+2. On the **Alert policy** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **New alert policy** to start the new alert policy wizard.
-3. The **New alert policy** wizard opens in a fly out. On the **Name your alert** page, configure the following settings:
- - **Name**: Type a unique and descriptive name. For example, Malicious Files in Libraries.
- - **Description**: Type an optional description. For example, Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams.
+3. On the **Name your alert, categorize it, and choose a severity** page, configure the following settings:
+ - **Name**: Type a unique and descriptive name. For example, **Malicious Files in Libraries**.
+ - **Description**: Type an optional description. For example, **Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams**.
- **Severity**: Select **Low**, **Medium**, or **High** from the drop down list. - **Category**: Select **Threat management** from the drop down list.
- When you're finished, click **Next**.
+ When you're finished on the **Name your alert, categorize it, and choose a severity** page, select **Next**.
-4. On the **Create alert settings** page, configure the following settings:
- - **What do you want to alert on?** section \> **Activity is** \> Select **Detected malware in file** from the drop down list.
- - **How do you want the alert to be triggered?** section: Leave the default value **Every time an activity matches the rule** selected.
+4. On the **Choose an activity, conditions and when to trigger the alert** page, configure the following settings:
+ - **What do you want to alert on?** section \> **Activity is** \> **Common user activities** section \> Select **Detected malware in file** from the drop down list.
+ - **How do you want the alert to be triggered?** section: Select **Every time an activity matches the rule**.
- When you're finished, click **Next**.
+ When you're finished on the **Choose an activity, conditions and when to trigger the alert** page, select **Next**.
-5. On the **Set your recipients** page, configure the following settings:
- - Verify **Send email notifications** is selected. In the **Email recipients** box, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
+5. On the **Decide if you want to notify people when this alert is triggered** page, configure the following settings:
+ - Verify **Opt-in for email notifications** is selected. In the **Email recipients** box, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
- **Daily notification limit**: Leave the default value **No limit** selected.
- When you're finished, click **Next**.
+ When you're finished on the **Decide if you want to notify people when this alert is triggered** page, select **Next**.
+
+6. On the **Review your settings** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
+
+ In the **Do you want to turn the policy on right away?** section, select **Yes, turn it on right away**.
+
+ When you're finished n the **Review your settings** page, select **Submit**.
-6. On the **Review your settings** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+7. On this page, you can review the alert policy in read-only mode.
- In the **Do you want to turn the policy on right away?** section, leave the default value **Yes, turn it on right away** selected.
+ When you're finished, select **Done**.
- When you're finished, click **Finish**.
+ Back on the **Alert policy** page, the new policy is listed.
### Use Security & Compliance PowerShell to create an alert policy for detected files
For detailed syntax and parameter information, see [New-ActivityAlert](/powershe
For detailed syntax and parameter information, see [Get-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant). -- To verify that you've successfully configured an alert policy for detected files, use any of the following steps:
- - In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Alert policy** \> select the alert policy, and verify the settings.
- - In Microsoft 365 Defender portal PowerShell, replace \<AlertPolicyName\> with the name of the alert policy, run the following command, and verify the property values:
+- To verify that you've successfully configured an alert policy for detected files, use either of the following methods:
+ - In the Microsoft 365 Defender portal at <https://security.microsoft.com/alertpolicies>, select the alert policy, and verify the settings.
+ - In Security & Compliance PowerShell, replace \<AlertPolicyName\> with the name of the alert policy, run the following command, and verify the property values:
```powershell Get-ActivityAlert -Identity "<AlertPolicyName>"
security Safe Attachments Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md
Last updated 4/12/2023
> [!IMPORTANT] > This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365-whats-new.md). If you're a home user looking for information about attachment scanning in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2).
-Safe Attachments is a feature in [Microsoft Defender for Office 365](defender-for-office-365-whats-new.md) that uses a virtual environment to check attachments in inbound email messages after they've been scanned by [anti-malware protection in Exchange Online Protection (EOP)](anti-malware-protection-about.md), but before delivery to recipients. For more information, see [Safe Attachments in Microsoft Defender for Office 365](safe-attachments-about.md).
+In organizations with Microsoft Defender for Office 365, Safe Attachments is an additional layer of protection against malware in messages. After message attachments are scanned by [anti-malware protection in Exchange Online Protection (EOP)](anti-malware-protection-about.md), Safe Attachments opens files in a virtual environment to see what happens (a process known as _detonation_) before the messages are delivered to recipients. For more information, see [Safe Attachments in Microsoft Defender for Office 365](safe-attachments-about.md).
-Although there's no default Safe Attachments policy, the **Built-in protection** preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or custom Safe Attachments policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md). You can also use the procedures in this article to create Safe Attachments policies that apply to specific users, group, or domains.
+Although there's no default Safe Attachments policy, the **Built-in protection** preset security policy provides Safe Attachments protection to all recipients by default. Recipients who are specified in the Standard or Strict preset security policies or in custom Safe Attachments policies aren't affected. For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).
-You can configure Safe Attachments policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Defender for Office 365 add-on subscriptions).
+For greater granularity, you can also use the procedures in this article to create Safe Attachments policies that apply to specific users, group, or domains.
-The basic elements of a Safe Attachments policy are:
--- **The safe attachment policy**: Specifies the actions for unknown malware detections, whether to send messages with malware attachments to a specified email address, and whether to deliver messages if Safe Attachments scanning can't complete.-- **The safe attachment rule**: Specifies the priority and recipient filters (who the policy applies to).-
-The difference between these two elements isn't obvious when you manage Safe Attachments policies in the Microsoft 365 Defender portal:
--- When you create a Safe Attachments policy, you're actually creating a safe attachment rule and the associated safe attachment policy at the same time using the same name for both.-- When you modify a Safe Attachments policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the safe attachment rule. All other settings modify the associated safe attachment policy.-- When you remove a Safe Attachments policy, the safe attachment rule and the associated safe attachment policy are removed.-
-In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy and the rule separately. For more information, see the [Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Attachments policies](#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-safe-attachments-policies) section later in this article.
+You configure Safe Attachments policies in the Microsoft 365 Defender portal or in Exchange Online PowerShell.
> [!NOTE]
-> In the global settings area of Safe Attachments settings, you configure features that are not dependent on Safe Attachments policies. For instructions see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-configure.md) and [Safe Documents in Microsoft 365 E5](safe-documents-in-e5-plus-security-about.md).
+> In the global settings of Safe Attachments settings, you configure features that aren't dependent on Safe Attachments policies. For instructions see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-configure.md) and [Safe Documents in Microsoft 365 E5](safe-documents-in-e5-plus-security-about.md).
## What do you need to know before you begin? - You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>. -- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
## Use the Microsoft 365 Defender portal to create Safe Attachments policies
-Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal creates the safe attachment rule and the associated safe attachment policy at the same time using the same name for both.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+2. On the **Safe Attachments** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to start the new Safe Attachments policy wizard.
-2. On the **Safe Attachments** page, click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Create**.
-
-3. The policy wizard opens. On the **Name your policy** page, configure the following settings:
+3. On the **Name your policy** page, configure these settings:
- **Name**: Enter a unique, descriptive name for the policy. - **Description**: Enter an optional description for the policy.
- When you're finished, click **Next**.
+ When you're finished on the **Name your policy** page, select **Next**.
-4. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+4. On the **Users and domains** page, identify the internal recipients that the policy applies to (recipient conditions):
- **Users**: The specified mailboxes, mail users, or mail contacts. - **Groups**: - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported). - The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal c
> > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
- When you're finished, click **Next**.
+ When you're finished on the **Users and domains** page, select **Next**.
5. On the **Settings** page, configure the following settings: - **Safe Attachments unknown malware response**: Select one of the following values:
- - **Off**: Typically, we don't recommend this value.
+ - **Off**
- **Monitor** - **Block**: This is the default value, and the recommended value in Standard and Strict [preset security policies](preset-security-policies.md). - **Replace**: This action will be deprecated. For more information, see [MC424901](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC424901).
- - **Dynamic Delivery (Preview feature)**
+ - **Dynamic Delivery (Preview messages)**
These values are explained in [Safe Attachments policy settings](safe-attachments-about.md#safe-attachments-policy-settings). - **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined by Safe Attachments (**Block**, **Replace**, or **Dynamic Delivery**). Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- A blank value means the default quarantine policy for malware detections by Safe Attachments is used (AdminOnlyAccessPolicy). When you later view or edit the Safe Attachments policy settings, the quarantine policy name is shown.
+ By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections by Safe Attachments policies. For more information about this quarantine policy, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
> [!NOTE] > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware by Safe Attachments, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). > > Users can't release their own messages that were quarantined as malware by Safe Attachments policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages.
- - **Redirect messages with detected attachments**: If you select **Enable redirect**, you can specify an email address in the **Send messages that contain blocked, monitored, or replaced attachments to the specified email address** box to send messages that contain malware attachments for analysis and investigation.
+ - **Redirect messages with detected attachments**: If you select **Enable redirect**, you can specify an email address in the **Send messages that contain monitored attachments to the specified email address** box to send messages that contain malware attachments for analysis and investigation.
> [!NOTE]
- > Redirection will soon be available only for the **Monitor** action. For more information, see [MC424899](https://admin.microsoft.com/AdminPortal/Home?#/MessageCenter/:/messages/MC424899).
+ > Redirection is available only for the **Monitor** action. For more information, see [MC424899](https://admin.microsoft.com/AdminPortal/Home?#/MessageCenter/:/messages/MC424899).
+
+ - **Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)**: The action specified by **Safe Attachments unknown malware response** is taken on messages even when Safe Attachments scanning can't complete.
+
+ When you're finished on the **Settings** page, select **Next**.
+
+6. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
- - **Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)**: The action specified by **Safe Attachments unknown malware response** is taken on messages even when Safe Attachments scanning can't complete. If you selected this option, always select **Enable redirect** and specify an email address to send messages that contain malware attachments. Otherwise, messages might be lost.
+ When you're finished on the **Review** page, select **Submit**.
- When you're finished, click **Next**.
+7. On the **New Safe Attachments policy created** page, you can select the links to view the policy, view Safe Attachments policies, and learn more about Safe Attachments policies.
-6. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+ When you're finished on the **New Safe Attachments policy created** page, select **Done**.
- When you're finished, click **Submit**.
+ Back on the **Safe Attachments** page, the new policy is listed.
-7. On the confirmation page that appears, click **Done**.
+## Use the Microsoft 365 Defender portal to view Safe Attachments policy details
-## Use the Microsoft 365 Defender portal to view Safe Attachments policies
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+On the **Safe Attachments** page, the following properties are displayed in the list of policies:
-2. On the **Safe Attachments** page, the following properties are displayed in the list of policies:
- - **Name**
- - **Status**
- - **Priority**
+- **Name**
+- **Status**: Values are **On** or **Off**.
+- **Priority**: For more information, see the [Set the priority of Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-attachments-policies) section.
-3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
+To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
-## Use the Microsoft 365 Defender portal to modify Safe Attachments policies
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific Safe Attachment policies.
-1. IIn the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of policies to a CSV file.
-2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
+Use :::image type="icon" source="../../medi#threat-protection-status-report).
+
+Select a policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
+
+> [!TIP]
+> To see details about other Safe Attachments policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-create-safe-attachments-policies) section earlier in this article.
+## Use the Microsoft 365 Defender portal to take action on Safe Attachments policies
-To enable or disable a policy or set the policy priority order, see the following sections.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
-### Enable or disable Safe Attachments policies
+2. On the **Safe Attachments** page, select the Safe Attachments policy by using either of the following methods:
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+ - Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** drop down list that appears:
+ - **Enable selected policies**.
+ - **Disable selected policies**.
+ - **Delete selected policies**.
-2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
+ :::image type="content" source="../../media/safe-attachments-policies-main-page.png" alt-text="The Safe Attachments page with a policy selected and the More actions control expanded." lightbox="../../media/safe-attachments-policies-main-page.png":::
-3. At the top of the policy details flyout that appears, you'll see one of the following values:
- - **Policy off**: To turn on the policy, click ![Turn on icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** .
- - **Policy on**: To turn off the policy, click ![Turn off icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
+ - Select the policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens:
+ - Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)
+ - :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** or :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** (custom policies only)
+ - :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** or :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** (custom policies only)
+ - :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)
-4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
+ :::image type="content" source="../../media/anti-phishing-policies-details-flyout.png" alt-text="The details flyout of a custom Safe Attachments policy." lightbox="../../media/anti-phishing-policies-details-flyout.png":::
-5. Click **Close** in the policy details flyout.
+The actions are described in the following subsections.
-Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
+### Use the Microsoft 365 Defender portal to modify custom Safe Attachments policies
-### Set the priority of Safe Attachments policies
+After you select a custom Safe Attachments policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-create-safe-attachments-policies) section earlier in this article.
-By default, Safe Attachments policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
+You can't modify the Safe Attachments policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md) in the policy details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
-For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+### Use the Microsoft 365 Defender portal to enable or disable custom Safe Attachments policies
-Safe Attachments policies are displayed in the order they're processed (the first policy has the **Priority** value 0).
+You can't enable or disable the Safe Attachments policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md) here. You enable or disable preset security policies on the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies>.
-**Note**: In the Microsoft 365 Defender portal, you can only change the priority of the Safe Attachments policy after you create it. In PowerShell, you can override the default priority when you create the safe attachment rule (which can affect the priority of existing rules).
+After you select an enabled custom Safe Attachments policy (the **Status** value is **On**), use either of the following methods to disable it:
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
+- **On the Safe Attachments page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Disable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the flyout.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.
+After you select a disabled custom Safe Attachments policy (the **Status** value is **Off**), use either of the following methods to enable it:
-2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
+- **On the Safe Attachments page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Enable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the flyout.
-3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of policies:
- - The policy with the **Priority** value **0** has only the **Decrease priority** option available.
- - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
- - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
+On the **Safe Attachments** page, the **Status** value of the policy is now **On** or **Off**.
- Click ![Increase priority icon.](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
+### Use the Microsoft 365 Defender portal to set the priority of custom Safe Attachments policies
-4. When you're finished, click **Close** in the policy details flyout.
+Safe Attachments policies are processed in the order that they're displayed on the **Safe Attachments** page:
-## Use the Microsoft 365 Defender portal to remove Safe Attachments policies
+- The Safe Attachments policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The Safe Attachments policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled).
+- Custom Safe Attachments policies are applied next in priority order (if they're enabled):
+ - A lower priority value indicates a higher priority (0 is the highest).
+ - By default, a new policy is created with a priority that's lower than the lowest existing custom policy (the first is 0, the next is 1, etc.).
+ - No two policies can have the same priority value.
+- The Safe Attachments policy named **Built-in protection (Microsoft)** that's associated with Built-in protection always has the priority value **Lowest**, and you can't change it.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+Safe Attachments protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-2. On the **Safe Attachments** page, select a custom policy from the list by clicking on the name of the policy.
+After you select the custom Safe Attachments policy by clicking anywhere in the row other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
-3. At the top of the policy details flyout that appears, click ![More actions icon.](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
+- The custom policy with the **Priority** value **0** on the **Safe Attachments** page has the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** action at the top of the details flyout.
+- The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout.
+- If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.
-4. In the confirmation dialog that appears, click **Yes**.
+When you're finished in the policy details flyout, select **Close**.
-## Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Attachments policies
+Back on the **Safe Attachments** page, the order of the policy in the list matches the updated **Priority** value.
+
+### Use the Microsoft 365 Defender portal to remove custom Safe Attachments policies
+
+You can't remove the Safe Attachments policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md).
+
+After you select the custom Safe Attachments policy, use either of the following methods to remove it:
+
+- **On the Safe Attachments page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Delete selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout.
+
+Select **Yes** in the warning dialog that opens.
+
+Back on the **Safe Attachments** page, the removed policy is no longer listed.
+
+## Use Exchange Online PowerShell to configure Safe Attachments policies
+
+In PowerShell, the basic elements of a Safe Attachments policy are:
+
+- **The safe attachment policy**: Specifies the actions for unknown malware detections, whether to send messages with malware attachments to a specified email address, and whether to deliver messages if Safe Attachments scanning can't complete.
+- **The safe attachment rule**: Specifies the priority and recipient filters (who the policy applies to).
+
+The difference between these two elements isn't obvious when you manage Safe Attachments policies in the Microsoft 365 Defender portal:
-As previously described, a Safe Attachments policy consists of a safe attachment policy and a safe attachment rule.
+- When you create a Safe Attachments policy in the Defender portal, you're actually creating a safe attachment rule and the associated safe attachment policy at the same time using the same name for both.
+- When you modify a Safe Attachments policy in the Defender portal, settings related to the name, priority, enabled or disabled, and recipient filters modify the safe attachment rule. All other settings modify the associated safe attachment policy.
+- When you remove a Safe Attachments policy from the Defender portal, the safe attachment rule and the associated safe attachment policy are removed.
In PowerShell, the difference between safe attachment policies and safe attachment rules is apparent. You manage safe attachment policies by using the **\*-SafeAttachmentPolicy** cmdlets, and you manage safe attachment rules by using the **\*-SafeAttachmentRule** cmdlets. -- In PowerShell, you create the safe attachment policy first, then you create the safe attachment rule that identifies the policy that the rule applies to.
+- In PowerShell, you create the safe attachment policy first, then you create the safe attachment rule, which identifies the associated policy that the rule applies to.
- In PowerShell, you modify the settings in the safe attachment policy and the safe attachment rule separately.-- When you remove a safe attachment policy from PowerShell, the corresponding safe attachment rule isn't automatically removed, and vice versa.
+- When you remove an safe attachment policy from PowerShell, the corresponding safe attachment rule isn't automatically removed, and vice versa.
### Use PowerShell to create Safe Attachments policies
To verify that you've successfully created, modified, or removed Safe Attachment
- On the **Safe Attachments** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/safeattachmentv2>, verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name, and view the details in the fly out. -- In Exchange Online PowerShell or Exchange Online Protection PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
+- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
```PowerShell Get-SafeAttachmentPolicy -Identity "<Name>" | Format-List
security Safe Links About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-about.md
audience: Admin
f1_keywords: - '197503' Previously updated : 1/31/2023 Last updated : 4/20/2023 ms.localizationpriority: medium - Strat_O365_IP
> [!IMPORTANT] > This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365.md). If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and you're looking for information about Safelinks in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2).
-Safe Links is a feature in [Defender for Office 365](defender-for-office-365.md) that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, Teams messages and other locations. Safe Links scanning occurs in addition to the regular [anti-spam](anti-spam-protection-about.md) and [anti-malware](anti-malware-protection-about.md) in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
+In organizations with Microsoft Defender for Office 365, Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Specifically, Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. Safe Links scanning occurs in addition to regular [anti-spam](anti-spam-protection-about.md) and [anti-malware](anti-malware-protection-about.md) protection.
Watch this short video on how to protect against malicious links with Safe Links in Microsoft Defender for Office 365. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGzjb] > [!NOTE]
-> Although there's no default Safe Links policy, the **Built-in protection** preset security policy provides Safe Links protection in e-mail messages, Microsoft Teams, and files in supported Office apps to all recipients who are licensed for Defender for Office 365 (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md). You can also create Safe Links policies that apply to specific users, group, or domains. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](safe-links-policies-configure.md).
+> Although there's no default Safe Links policy, the **Built-in protection** preset security policy provides Safe Links protection in e-mail messages, Microsoft Teams, and files in supported Office apps to all recipients who are licensed for Defender for Office (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md). You can also create Safe Links policies that apply to specific users, group, or domains. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](safe-links-policies-configure.md).
Safe Links protection is available in the following locations: -- **Email messages**: Safe Links protections for links in email messages are controlled by Safe Links policies.
+- **Email messages**: Safe Links protection for links in email messages is controlled by Safe Links policies.
For more information about Safe Links protection for email messages, see the [Safe Links settings for email messages](#safe-links-settings-for-email-messages) section later in this article.
Safe Links protection is available in the following locations:
> > Safe Links supports only HTTP(S) and FTP formats. >
- > Using another service to wrap links before Defender for Office 365 might invalidate the ability of Safe Links to process links, including wrapping, detonating, or otherwise validating the "maliciousness" of the link.
+ > Using another service to wrap links before Defender for Office 365 might prevent Safe Links from process links, including wrapping, detonating, or otherwise validating the "maliciousness" of the link.
- **Microsoft Teams**: Safe Links protection for links in Teams conversations, group chats, or from channels is controlled by Safe Links policies.
This article includes detailed descriptions of the following types of Safe Links
- [Safe Links settings for Office apps](#safe-links-settings-for-office-apps) - ["Do not rewrite the following URLs" lists in Safe Links policies](#do-not-rewrite-the-following-urls-lists-in-safe-links-policies) -- **Global Safe Links settings**: These settings are configured globally, not in Safe Links policies. These settings include:
+- **Global Safe Links settings**: The only available global setting for Safe Links is the "Block the following URLs" list. As of April 1 2023, the "Block the following URLs" list for Safe Links no longer works. For more information, see [MC373880](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC373880). Instead, use [block entries for URLs in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). Messages that are blocked by URL entries in the Tenant Allow/Block List are quarantined as high confidence phishing.
- - ["Block the following URLs" list for Safe Links](#block-the-following-urls-list-for-safe-links)
-
- > [!NOTE]
- > The **Global settings** menu and the **Block the following URLs** list for Safe Links are in the process of being deprecated. Use block entries for URLs in the [Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list) instead.
+ To see and remove any leftover URL entries in the "Block the following URLs list, see [Configure the "Block the following URLs" list for Safe Links in Defender for Office 365](safe-links-policies-global-settings-configure.md).
The following table describes scenarios for Safe Links in Microsoft 365 and Office 365 organizations that include Defender for Office 365 (note that lack of licensing is never an issue in the examples).
Safe Links scans incoming email for known malicious hyperlinks. Scanned URLs are
After Safe Links rewrites a URL, the URL remains rewritten even if the message is _manually_ forwarded or replied to (both to internal and external recipients). Additional links that are added to the forwarded or replied-to message aren't rewritten.
-In the case of _automatic_ forwarding by Inbox rules or SMTP forwarding, the URL will not be rewritten in the message that's intended for the final recipient _unless_ one of the following statements is true:
+For _automatic_ forwarding by Inbox rules or SMTP forwarding, the URL isn't rewritten in the message that's intended for the final recipient _unless_ one of the following statements is true:
- The recipient is also protected by Safe Links. - The URL was already rewritten in a previous communication.
The settings in Safe Links policies that apply to email messages are described i
- **On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default.**: Turn on or turn off Safe Links scanning in email messages. The recommended value is selected (on), and results in the following actions: - Safe Links scanning is turned on in Outlook (C2R) on Windows. - URLs are rewritten and users are routed through Safe Links protection when they click URLs in messages.
- - When clicked, URLs are checked against a list of known malicious URLs and the ["Block the following URLs" list](#block-the-following-urls-list-for-safe-links).
+ - When clicked, URLs are checked against a list of known malicious URLs.
- URLs that don't have a valid reputation are detonated asynchronously in the background. The following settings are available only if Safe Links scanning in email messages is turned on:
You turn on or turn off Safe Links protection for Microsoft Teams in Safe Links
> [!NOTE] > When you turn on or turn off Safe Links protection for Teams, it might take up to 24 hours for the change to take effect.
-After you turn on Safe Links protection for Microsoft Teams, URLs in Teams are checked against a list of known malicious links when the protected user clicks the link (time-of-click protection). URLs aren't rewritten. If a link is found to be malicious, users will have the following experiences:
+URLs in Teams are checked against a list of known malicious links when the protected user clicks the link (time-of-click protection). URLs aren't rewritten. If a link is found to be malicious, users have the following experiences:
-- If the link was clicked in a Teams conversation, group chat, or from channels, the warning page as shown in the screenshot below will appear in the default web browser.-- If the link was clicked from a pinned tab, the warning page will appear in the Teams interface within that tab. The option to open the link in a web browser is disabled for security reasons.-- Depending on how the **Let users click through to the original URL** setting in the policy is configured, the user will or will not be allowed to click through to the original URL (**Continue anyway (not recommended)** in the screenshot). We recommend that you don't select the **Let users click through to the original URL** setting so users can't click through to the original URL.
+- If the link was clicked in a Teams conversation, group chat, or from channels, the warning page as shown in the screenshot appears in the default web browser.
+- If the link was clicked from a pinned tab, the warning page appears in the Teams interface within that tab. The option to open the link in a web browser is disabled for security reasons.
+- Depending on how the **Let users click through to the original URL** setting in the policy is configured, the user is or isn't allowed to click through to the original URL (**Continue anyway (not recommended)** in the screenshot). We recommend that you don't select the **Let users click through to the original URL** setting so users can't click through to the original URL.
If the user who sent the link isn't protected by a Safe Links policy where Teams protection is turned on, the user is free to click through to the original URL on their computer or device. :::image type="content" source="../../media/tp-safe-links-for-teams-malicious.png" alt-text="A Safe Links for Teams page reporting a malicious link" lightbox="../../media/tp-safe-links-for-teams-malicious.png":::
-Clicking the **Go Back** button on the warning page will return the user to their original context or URL location. However, clicking on the original link again will cause Safe Links to rescan the URL, so the warning page will reappear.
+Clicking the **Go Back** button on the warning page returns the user to their original context or URL location. However, clicking on the original link again causes Safe Links to rescan the URL, so the warning page reappears.
### How Safe Links works in Teams
At a high level, here's how Safe Links protection works for URLs in Office apps.
3. Safe Links immediately checks the URL before opening the target website:
- - If the URL is included in the list that skips Safe Links scanning (the **Block the following URLs** list) a [blocked URL warning](#blocked-url-warning) page opens.
- - If the URL points to a website that has been determined to be malicious, a [malicious website warning](#malicious-website-warning) page (or a different warning page) opens. - If the URL points to a downloadable file, and the Safe Links policy that applies to the user is configured to scan links to downloadable content (**Apply real-time URL scanning for suspicious links and links that point to files**), the downloadable file is checked.
After you create multiple policies, you can specify the order that they're appli
For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order of precedence for preset security policies and other policies](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies) and [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-## "Block the following URLs" list for Safe Links
-
-> [!NOTE]
-> The **Block the following URLs** list for Safe Links is in the process of being deprecated. Use block entries for URLs in the [Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list) instead. Messages containing the blocked URL are quarantined.
-
-The **Block the following URLs** list defines the links that are always blocked by Safe Links scanning in the following locations:
--- Email messages.-- Documents in Office apps in Windows and Mac.-- Documents in Office for iOS and Android.-
-When a user in an active Safe Links policy clicks a blocked link in a supported app, they're taken to the [Blocked URL warning](#blocked-url-warning) page.
-
-You configure the list of URLs in the global settings for Safe Links. For instructions, see [Configure the "Block the following URLs" list](safe-links-policies-global-settings-configure.md#configure-the-block-the-following-urls-list-in-the-microsoft-365-defender-portal).
-
-**Notes**:
--- For a truly universal list of URLs that are blocked everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list-about.md).-- Limits for the **Block the following URLs** list:
- - The maximum number of entries is 500.
- - The maximum length of an entry is 128 characters.
- - All of the entries can't exceed 10,000 characters.
-- Don't include a forward slash (`/`) at the end of the URL. For example, use `https://www.contoso.com`, not `https://www.contoso.com/`.-- A domain-only-URL (for example `contoso.com` or `tailspintoys.com`) will block any URL that contains the domain.-- You can block a subdomain without blocking the full domain. For example, `toys.contoso.com*` blocks any URL that contains the subdomain, but it doesn't block URLs that contain the full domain `contoso.com`.-- You can include up to three wildcards (`*`) per URL entry.-
-### Entry syntax for the "Block the following URLs" list
-
-Examples of the values that you can enter and their results are described in the following table:
-
-|Value|Result|
-|||
-|`contoso.com` <p> or <p> `*contoso.com*`|Blocks the domain, subdomains, and paths. For example, `https://www.contoso.com`, `https://sub.contoso.com`, and `https://contoso.com/abc` are blocked.|
-|`https://contoso.com/a`|Blocks `https://contoso.com/a` but not additional subpaths like `https://contoso.com/a/b`.|
-|`https://contoso.com/a*`|Blocks `https://contoso.com/a` and additional subpaths like `https://contoso.com/a/b`.|
-|`https://toys.contoso.com*`|Blocks a subdomain (`toys` in this example) but allow clicks to other domain URLs (like `https://contoso.com` or `https://home.contoso.com`).|
- ## "Do not rewrite the following URLs" lists in Safe Links policies > [!NOTE]
Examples of the values that you can enter and their results are described in the
Each Safe Links policy contains a **Do not rewrite the following URLs** list that you can use to specify URLs that aren't rewritten by Safe Links scanning. In other words, the list allows users who are included in the policy to access the specified URLs that would otherwise be blocked by Safe Links. You can configure different lists in different Safe Links policies. Policy processing stops after the first (likely, the highest priority) policy is applied to the user. So, only one **Do not rewrite the following URLs** list is applied to a user who is included in multiple active Safe Links policies.
-To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) or [Modify Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-365-defender-portal-to-modify-safe-links-policies).
+To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) or [Modify Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-365-defender-portal-to-modify-custom-safe-links-policies).
**Notes**:
To add entries to the list in new or existing Safe Links policies, see [Create S
- Microsoft Teams - Office web apps
- For a truly universal list of URLs that are allowed everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list-about.md). However, note that URLs added there will not be excluded from Safe Links rewriting, as that must be done in a Safe Links policy.
+ For a truly universal list of URLs that are allowed everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list-about.md). However, URL allow entries in the Tenant Allow/Block List aren't excluded from Safe Links rewriting.
- Consider adding commonly used internal URLs to the list to improve the user experience. For example, if you have on-premises services, such as Skype for Business or SharePoint, you can add those URLs to exclude them from scanning. - If you already have **Do not rewrite the following URLs** entries in your Safe Links policies, be sure to review the lists and add wildcards as required. For example, your list has an entry like `https://contoso.com/a` and you later decide to include subpaths like `https://contoso.com/a/b`. Instead of adding a new entry, add a wildcard to the existing entry so it becomes `https://contoso.com/a/*`.
To add entries to the list in new or existing Safe Links policies, see [Create S
- Don't specify http:// or https:// (that is, contoso.com) in order to exclude both HTTP and HTTPS versions. - `*.contoso.com` does **not** cover contoso.com, so you would need to exclude both to cover both the specified domain and any child domains. - `contoso.com/*` covers **only** contoso.com, so there's no need to exclude both `contoso.com` and `contoso.com/*`; just `contoso.com/*` would suffice.-- To exclude all iterations of a domain, two exclusion entries are needed; `contoso.com/*` and `*.contoso.com/*`. These combine to exclude both HTTP and HTTPS, the main domain contoso.com and any child domains, as well as any or not ending part (for example, both contoso.com and contoso.com/vdir1 are covered).
+- To exclude all iterations of a domain, two exclusion entries are needed; `contoso.com/*` and `*.contoso.com/*`. These entries combine to exclude both HTTP and HTTPS, the main domain contoso.com and any child domains, as well as any or not ending part (for example, both contoso.com and contoso.com/vdir1 are covered).
### Entry syntax for the "Do not rewrite the following URLs" list
Examples of the values that you can enter and their results are described in the
This section contains examples of the various warning pages that are triggered by Safe Links protection when you click a URL.
-Note that several warning pages have been updated. If you're not already seeing the updated pages, you will soon. The updated pages include a new color scheme, more detail, and the ability to proceed to a site despite the given warning and recommendations.
- ### Scan in progress notification The clicked URL is being scanned by Safe Links. You might need to wait a few moments before trying the link again. :::image type="content" source="../../media/ee8dd5ed-6b91-4248-b054-12b719e8d0ed.png" alt-text="The notification that the link is being scanned" lightbox="../../media/ee8dd5ed-6b91-4248-b054-12b719e8d0ed.png":::
-The original notification page looked like this:
-- ### Suspicious message warning The clicked URL was in an email message that's similar to other suspicious messages. We recommend that you double-check the email message before proceeding to the site. - ### Phishing attempt warning The clicked URL was in an email message that has been identified as a phishing attack. As a result, all URLs in the email message are blocked. We recommend that you don't proceed to the site. - ### Malicious website warning The clicked URL points to a site that has been identified as malicious. We recommend that you don't proceed to the site. :::image type="content" source="../../media/058883c8-23f0-4672-9c1c-66b084796177.png" alt-text="The warning that states that the website is classified as malicious" lightbox="../../media/058883c8-23f0-4672-9c1c-66b084796177.png":::
-The original warning page looked like this:
-- ### Blocked URL warning
+> [!IMPORTANT]
+> As described in [MC373880](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC373880), the "Block the following URLs" list for Safe Links no longer works as of April 1 2023.
+ The clicked URL has been manually blocked by an admin in your organization (the **Block the following URLs** list in the global settings for Safe Links). The link wasn't scanned by Safe Links because it was manually blocked. There are several reasons why an admin would manually block specific URLs. If you think the site shouldn't be blocked, contact your admin. :::image type="content" source="../../media/6b4bda2d-a1e6-419e-8b10-588e83c3af3f.png" alt-text="The warning that states that website was blocked by your admin" lightbox="../../media/6b4bda2d-a1e6-419e-8b10-588e83c3af3f.png":::
-The original warning page looked like this:
-- ### Error warning Some kind of error has occurred, and the URL can't be opened. :::image type="content" source="../../media/2f7465a4-1cf4-4c1c-b7d4-3c07e4b795b4.png" alt-text="The warning that states the page that you are trying to access cannot be loaded" lightbox="../../media/2f7465a4-1cf4-4c1c-b7d4-3c07e4b795b4.png":::
-The original warning page looked like this:
+## "Block the following URLs" list for Safe Links
+
+> [!IMPORTANT]
+> As described in [MC373880](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC373880), the ability to add entries to the "Block the following URLs" list for Safe Links was deprecated in June 2022, and the list no longer works as of April 1 2023. Instead, use [block entries for URLs in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). Messages that are blocked by URL entries in the Tenant Allow/Block List are quarantined as high confidence phishing.
+
+The **Block the following URLs** list defines the links that are always blocked by Safe Links scanning in the following locations:
+
+- Email messages.
+- Documents in Office apps in Windows and Mac.
+- Documents in Office for iOS and Android.
+
+When a user in an active Safe Links policy clicks a blocked link in a supported app, they're taken to the [Blocked URL warning](#blocked-url-warning) page.
+
+You configure the list of URLs in the global settings for Safe Links. For instructions, see [Configure the "Block the following URLs" list](safe-links-policies-global-settings-configure.md#configure-the-block-the-following-urls-list-in-the-microsoft-365-defender-portal).
+
+**Notes**:
+
+- Limits for the **Block the following URLs** list:
+ - The maximum number of entries is 500.
+ - The maximum length of an entry is 128 characters.
+ - All of the entries can't exceed 10,000 characters.
+- Don't include a forward slash (`/`) at the end of the URL. For example, use `https://www.contoso.com`, not `https://www.contoso.com/`.
+- A domain-only-URL (for example `contoso.com` or `tailspintoys.com`) blocks any URL that contains the domain.
+- You can block a subdomain without blocking the full domain. For example, `toys.contoso.com*` blocks any URL that contains the subdomain, but it doesn't block URLs that contain the full domain `contoso.com`.
+- You can include up to three wildcards (`*`) per URL entry.
+
+### Entry syntax for the "Block the following URLs" list
+
+Examples of the values that you can enter and their results are described in the following table:
+|Value|Result|
+|||
+|`contoso.com` <p> or <p> `*contoso.com*`|Blocks the domain, subdomains, and paths. For example, `https://www.contoso.com`, `https://sub.contoso.com`, and `https://contoso.com/abc` are blocked.|
+|`https://contoso.com/a`|Blocks `https://contoso.com/a` but not additional subpaths like `https://contoso.com/a/b`.|
+|`https://contoso.com/a*`|Blocks `https://contoso.com/a` and additional subpaths like `https://contoso.com/a/b`.|
+|`https://toys.contoso.com*`|Blocks a subdomain (`toys` in this example) but allow clicks to other domain URLs (like `https://contoso.com` or `https://home.contoso.com`).|
security Safe Links Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md
- m365-security - tier1
-description: Admins can learn how to view, create, modify, and delete Safe Links policies and global Safe Links settings in Microsoft Defender for Office 365.
+description: Admins can learn how to view, create, modify, and delete Safe Links policies in Microsoft Defender for Office 365.
Previously updated : 12/05/2022 Last updated : 4/21/2023 # Set up Safe Links policies in Microsoft Defender for Office 365
Last updated 12/05/2022
> [!IMPORTANT] > This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365.md). If you are a home user looking for information about Safelinks in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2).
-Safe Links in [Microsoft Defender for Office 365](defender-for-office-365.md) provides URL scanning of inbound email messages in mail flow, and time of click verification of URLs and links in email messages and in other locations. For more information, see [Safe Links in Microsoft Defender for Office 365](safe-links-about.md).
+In organizations with Microsoft Defender for Office 365, Safe Links provides URL scanning of links in messages, Microsoft Teams, and supported Office 365 apps. For more information, see [Safe Links in Microsoft Defender for Office 365](safe-links-about.md).
-Although there's no default Safe Links policy, the **Built-in protection** preset security policy provides Safe Links protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).
+Although there's no default Safe Links policy, the **Built-in protection** preset security policy provides Safe Links protection to all recipients by default. Recipients who are specified in the Standard or Strict preset security policies or in custom Safe Links policies aren't affected. For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).
-You can also use the procedures in this article to create Safe Links policies that apply to specific users, group, or domains.
+For greater granularity, you can also use the procedures in this article to create Safe Links policies that apply to specific users, group, or domains.
-> [!NOTE]
->
-> You configure the "Block the following URLs" list in the global settings for Safe Links protection **outside** of Safe Links policies. For instructions, see [Configure global settings for Safe Links in Microsoft Defender for Office 365](safe-links-policies-global-settings-configure.md).
->
-> Admins should consider the different configuration settings for Safe Links. One of the available options is to include user identifiable information in Safe Links. This feature enables security operations (SecOps) teams to investigate potential user compromise, take corrective action, and limit costly breaches.
-
-You can configure Safe Links policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).
-
-The basic elements of a Safe Links policy are:
--- **The safe links policy**: Turn on Safe Links protection, turn on real-time URL scanning, specify whether to wait for real-time scanning to complete before delivering the message, turn on scanning for internal messages, specify whether to track user clicks on URLs, and specify whether to allow users to click trough to the original URL.-- **The safe links rule**: Specifies the priority and recipient filters (who the policy applies to).-
-The difference between these two elements isn't obvious when you manage Safe Links policies in the Microsoft 365 Defender portal:
--- When you create a Safe Links policy, you're actually creating a safe links rule and the associated safe links policy at the same time using the same name for both.-- When you modify a Safe Links policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the safe links rule. All other settings modify the associated safe links policy.-- When you remove a Safe Links policy, the safe links rule and the associated safe links policy are removed.-
-In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy and the rule separately. For more information, see the [Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Links policies](#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-safe-links-policies) section later in this article.
+You configure Safe Links policies in the Microsoft 365 Defender portal or in Exchange Online PowerShell.
## What do you need to know before you begin? - You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>. -- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
- Allow up to 6 hours for a new or updated policy to be applied. -- [New features are continually being added to Microsoft Defender for Office 365](defender-for-office-365-whats-new.md). As new features are added, you might need to make adjustments to your existing Safe Links policies.- ## Use the Microsoft 365 Defender portal to create Safe Links policies
-Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates the safe links rule and the associated safe links policy at the same time using the same name for both.
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. Or, to go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
-2. On the **Safe Links** page, click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Create**.
+2. On the **Safe Links** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** to start the new Safe Links policy wizard.
-3. The **New Safe Links policy** wizard opens. On the **Name your policy** page, configure the following settings:
+3. On the **Name your policy** page, configure the following settings:
- **Name**: Enter a unique, descriptive name for the policy. - **Description**: Enter an optional description for the policy.
- When you're finished, click **Next**.
+ When you're finished on the **Name your policy** page, select **Next**.
-4. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+4. On the **Users and domains** page, identify the internal recipients that the policy applies to (recipient conditions):
- **Users**: The specified mailboxes, mail users, or mail contacts. - **Groups**:
- - Members of the specified distribution groups (including non-mail-enabled security groups within distribution groups) or mail-enabled security groups (dynamic distribution groups are not supported).
+ - Members of the specified distribution groups (including non-mail-enabled security groups within distribution groups) or mail-enabled security groups (dynamic distribution groups aren't supported).
- The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates
> > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
- When you're finished, click **Next**.
+ When you're finished on the **Users and domains** page, select **Next**.
-5. On the **URL & click protection settings** page that appears, configure the following settings:
+5. On the **URL & click protection settings** page, configure the following settings:
- **Email** section: - **On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default**: Select this option to turn on Safe Links protection for links in email messages (URL rewriting and time of click protection). If you select this option, the following settings are available:
- - **Apply Safe Links to email messages sent within the organization**: Select this option to apply the Safe Links policy to messages between internal senders and internal recipients. Turning this on will enable link wrapping for all intra-organization messages.
+ - **Apply Safe Links to email messages sent within the organization**: Select this option to apply the Safe Links policy to messages between internal senders and internal recipients. Turning on this setting enables link wrapping for all intra-organization messages.
- **Apply real-time URL scanning for suspicious links and links that point to files**: Select this option to turn on real-time scanning of links in email messages from external senders. If you select this option, the following setting is available: - **Wait for URL scanning to complete before delivering the message**: Select this option to wait for real-time URL scanning to complete before delivering the message from external senders. The recommended setting is **On**. - **Do not rewrite URLs, do checks via SafeLinks API only**: Select this option to prevent URL wrapping and skip reputation check during mail flow. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it.
- - **Do not rewrite the following URLs in email** section: Click **Manage (nn) URLs** to allow access to specific URLs that would otherwise be blocked by Safe Links.
+ - **Do not rewrite the following URLs in email** section: Select the **Manage (nn) URLs** link to allow access to specific URLs that would otherwise be blocked by Safe Links.
> [!NOTE] > Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [URL allow entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-on-the-submissions-page) to override the Safe Links URL verdict.
- 1. In the **Manage URLs to not rewrite** flyout that appears, click ![Add URLs icon.](../../media/m365-cc-sc-create-icon.png) **Add URLs**.
- 2. In the **Add URLs** flyout that appears, type the URL or value that you want, select the entry that appears below the box, and then click **Save**. Repeat this step as many times as necessary.
+ 1. In the **Manage URLs to not rewrite** flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add URLs**.
+ 2. In the **Add URLs** flyout that opens, click in the **URL** box, enter a value, and then press the ENTER key or select the complete value that's displayed below the box. Repeat this step as many times as necessary.
- For entry syntax, see [Entry syntax for the "Do not rewrite the following URLs" list](safe-links-about.md#entry-syntax-for-the-do-not-rewrite-the-following-urls-list).
+ For URL syntax, see [Entry syntax for the "Do not rewrite the following URLs" list](safe-links-about.md#entry-syntax-for-the-do-not-rewrite-the-following-urls-list).
- To remove an entry, click ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the entry.
+ To remove an entry, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the entry.
- When you're finished, click **Save**.
+ When you're finished on the **Add URLs** flyout, select **Save**.
- 3. Back on the **Manage URLs to not rewrite** flyout, click **Done** or do maintenance on the list of entries:
+ 3. Back on the **Manage URLs to not rewrite** flyout, the URL entries that you added are listed on the flyout.
- To remove entries from the list, can use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find the entry.
+ To change the list of URLs from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
- To select a single entry, click on the value in the **URLs** column.
+ Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find entries on the flyout.
- To select multiple entries one at a time, click the blank area to the left of the value.
+ To add entries, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add URLs** and repeat the previous step.
- To select all entries at one, click the blank area to the left of the **URLs** column header.
+ To remove entries, do either of the following steps:
- With one or more entries selected, click the ![Add URLs icon.](../../media/m365-cc-sc-create-icon.png) or ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) icons that appear.
+ - Select one or more entries by selecting the round check box that appears in the blank area next to the URL value.
+ - Select all entries at once by selecting the round check box that appears in the blank area next to the **URLs** column header.
- When you're finished, click **Done**.
+ With one or more entries selected, select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+
+ When you're finished on the **Manage URLs to not rewrite** flyout, select **Done** to return to the **URL & click protection settings** page.
- **Teams** section:
- - **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.**: Select this option to enable Safe Links protection for links in Teams. Note that this setting might take up to 24 hours to take effect. This setting affects time of click protection.
+ - **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.**: Select this option to enable Safe Links protection for links in Teams. This setting might take up to 24 hours to take effect. This setting affects time of click protection.
- **Office 365 apps** section: - **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten.**: Select this option to enable Safe Links protection for links in files in supported Office desktop, mobile, and web apps. This setting affects time of click protection.
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates
For more the recommended values for Standard and Strict policy settings, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
- When you're finished, click **Next**.
+ When you're finished on the **URL & click protection settings** page, select **Next**.
-6. On the **Notification** page that appears, select one of the following values for **How would you like to notify your users?**:
+6. On the **Notification** page, select one of the following values for **How would you like to notify your users?**:
- **Use the default notification text** - **Use custom notification text**: If you select this value, the following settings appear: - **Use Microsoft Translator for automatic localization** - **Custom notification text**: Enter the custom notification text in this box (the length can't exceed 200 characters).
- When you're finished, click **Next**.
+ When you're finished on the **Notification** page, select **Next**.
+
+7. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
+
+ When you're finished on the **Review** page, select **Submit**.
+
+8. On the **New Safe Links policy created** page, you can select the links to view the policy, view Safe Links policies, and learn more about Safe Links policies.
-7. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+ When you're finished on the **New Safe Links policy created** page, select **Done**.
- When you're finished, click **Submit**.
+ Back on the **Safe Links** page, the new policy is listed.
-8. On the confirmation page that appears, click **Done**.
+## Use the Microsoft 365 Defender portal to view Safe Links policy details
-## Use the Microsoft 365 Defender portal to view Safe Links policies
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
+On the **Safe Links** page, the following properties are displayed in the list of policies:
-2. On the **Safe Links** page, the following properties are displayed in the list of Safe Links policies:
- - **Name**
- - **Status**
- - **Priority**
+- **Name**
+- **Status**: Values are **On** or **Off**.
+- **Priority**: For more information, see the [Set the priority of Safe Links policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-safe-links-policies) section.
-3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
+To change the list of policies from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.
-## Use the Microsoft 365 Defender portal to modify Safe Links policies
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific Safe Links policies.
-1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Policies** section \> **Safe Links**.
+Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of policies to a CSV file.
-2. On the **Safe Links** page, select a policy from the list by clicking on the name.
+Use :::image type="icon" source="../../medi#threat-protection-status-report).
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create Safe Links policies](#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) section in this article.
+Select a policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
-To enable or disable a policy or set the policy priority order, see the following sections.
+> [!TIP]
+> To see details about other Safe Links policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the policy details flyout.
-### Enable or disable Safe Links policies
+## Use the Microsoft 365 Defender portal to take action on Safe Links policies
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safealinksv2>.
-2. On the **Safe Links** page, select a policy from the list by clicking on the name.
+2. On the **Safe Links** page, select the Safe Links policy by using either of the following methods:
-3. At the top of the policy details flyout that appears, you'll see one of the following values:
- - **Policy off**: To turn on the policy, click ![Turn on icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** .
- - **Policy on**: To turn off the policy, click ![Turn off icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
+ - Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** drop down list that appears:
+ - **Enable selected policies**.
+ - **Disable selected policies**.
+ - **Delete selected policies**.
-4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
+ :::image type="content" source="../../media/safe-links-policies-main-page.png" alt-text="The Safe Links page with a policy selected and the More actions control expanded." lightbox="../../media/safe-links-policies-main-page.png":::
-5. Click **Close** in the policy details flyout.
+ - Select the policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens:
+ - Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)
+ - :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** or :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** (custom policies only)
+ - :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** or :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** (custom policies only)
+ - :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)
-Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
+ :::image type="content" source="../../media/anti-phishing-policies-details-flyout.png" alt-text="The details flyout of a custom Safe Links policy." lightbox="../../media/anti-phishing-policies-details-flyout.png":::
-### Set the priority of Safe Links policies
+The actions are described in the following subsections.
-By default, Safe Links are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
+### Use the Microsoft 365 Defender portal to modify custom Safe Links policies
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
+After you select a custom Safe Links policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create Safe Links policies](#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) section earlier in this article.
-**Note**:
+You can't modify the Safe Links policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md) in the policy details flyout. Instead, you select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.
-- In the Microsoft 365 Defender portal, you can only change the priority of the Safe Links policy after you create it. In PowerShell, you can override the default priority when you create the safe links rule (which can affect the priority of existing rules).-- Safe Links policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+### Use the Microsoft 365 Defender portal to enable or disable custom Safe Links policies
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
+You can't enable or disable the Safe Links policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md) here. You enable or disable preset security policies on the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies>.
-2. On the **Safe Links** page, select a policy from the list by clicking on the name.
+After you select an enabled custom Safe Links policy (the **Status** value is **On**), use either of the following methods to disable it:
-3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
- - The policy with the **Priority** value **0** has only the **Decrease priority** option available.
- - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
- - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
+- **On the Safe Links page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Disable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the flyout.
- Click ![Increase priority icon.](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
+After you select a disabled custom Safe Links policy (the **Status** value is **Off**), use either of the following methods to enable it:
-4. When you're finished, click **Close** in the policy details flyout.
+- **On the Safe Links page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Enable selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the flyout.
-## Use the Microsoft 365 Defender portal to remove Safe Links policies
+On the **Safe Links** page, the **Status** value of the policy is now **On** or **Off**.
-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.
+### Use the Microsoft 365 Defender portal to set the priority of custom Safe Links policies
-2. On the **Safe Links** page, select a policy from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon.](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
+Safe Links policies are processed in the order that they're displayed on the **Safe Links** page:
-3. In the confirmation dialog that appears, click **Yes**.
+- The Safe Links policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).
+- The Safe Links policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled).
+- Custom Safe Links policies are applied next in priority order (if they're enabled):
+ - A lower priority value indicates a higher priority (0 is the highest).
+ - By default, a new policy is created with a priority that's lower than the lowest existing custom policy (the first is 0, the next is 1, etc.).
+ - No two policies can have the same priority value.
+- The Safe Links policy named **Built-in protection (Microsoft)** that's associated with Built-in protection always has the priority value **Lowest**, and you can't change it.
-## Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Links policies
+Safe Links protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+
+After you select the custom Safe Links policy by clicking anywhere in the row other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
+
+- The custom policy with the **Priority** value **0** on the **Safe Links** page has the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** action at the top of the details flyout.
+- The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout.
+- If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.
+
+When you're finished in the policy details flyout, select **Close**.
+
+Back on the **Safe Links** page, the order of the policy in the list matches the updated **Priority** value.
+
+### Use the Microsoft 365 Defender portal to remove custom Safe Links policies
+
+You can't remove the Safe Links policies named **Standard Preset Security Policy**, **Strict Preset Security Policy**, or **Built-in protection (Microsoft)** that are associated with [preset security policies](preset-security-policies.md).
+
+After you select the custom Safe Links policy, use either of the following methods to remove it:
+
+- **On the Safe Links page**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Delete selected policies**.
+- **In the details flyout of the policy**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout.
+
+Select **Yes** in the warning dialog that opens.
+
+Back on the **Safe Links** page, the removed policy is no longer listed.
+
+## Use Exchange Online PowerShell to configure Safe Links policies
+
+In PowerShell, the basic elements of a Safe Links policy are:
+
+- **The safe links policy**: Turns on Safe Links protection, turns on real-time URL scanning, specifies whether to wait for real-time scanning to complete before delivering the message, turns on scanning for internal messages, specifies whether to track user clicks on URLs, and specifies whether to allow users to click through to the original URL.
+- **The safe links rule**: Specifies the priority and recipient filters (who the policy applies to).
+
+The difference between these two elements isn't obvious when you manage Safe Links policies in the Microsoft 365 Defender portal:
-As previously described, a Safe Links policy consists of a safe links policy and a safe links rule.
+- When you create a Safe Links policy in the Defender portal, you're actually creating a safe links rule and the associated safe links policy at the same time using the same name for both.
+- When you modify a Safe Links policy in the Defender portal, settings related to the name, priority, enabled or disabled, and recipient filters modify the safe links rule. All other settings modify the associated safe links policy.
+- When you remove a Safe Links policy in the Defender portal, the safe links rule and the associated safe links policy are removed.
In PowerShell, the difference between safe links policies and safe links rules is apparent. You manage safe links policies by using the **\*-SafeLinksPolicy** cmdlets, and you manage safe links rules by using the **\*-SafeLinksRule** cmdlets.
To verify that you've successfully created, modified, or removed Safe Links poli
Get-SafeLinksRule -Identity "<Name>" ``` -- Use the URL `http://spamlink.contoso.com` to test Safe Links protection. This URL is similar to the GTUBE text string for testing anti-spam solutions. This URL is not harmful, but it will trigger Safe Links protection.
+- Use the URL `http://spamlink.contoso.com` to test Safe Links protection. This URL is similar to the GTUBE text string for testing anti-spam solutions. This URL isn't harmful, but it triggers a Safe Links protection response.
security Safe Links Policies Global Settings Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-global-settings-configure.md
- m365-security - tier1
-description: Admins can learn how to view and configure global settings (the 'Block the following URLs' list and protection for Office 365 apps) for Safe Links in Microsoft Defender for Office 365.
+description: Admins can learn how to view and configure the 'Block the following URLs' list for Safe Links in Microsoft Defender for Office 365.
Previously updated : 12/05/2022 Last updated : 4/20/2023
-# Configure global settings for Safe Links in Microsoft Defender for Office 365
+# Configure the "Block the following URLs" list for Safe Links in Microsoft Defender for Office 365
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
Last updated 12/05/2022
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) > [!IMPORTANT]
-> The **Global settings** menu and the **Block the following URLs** list for Safe Links are in the process of being deprecated. Use block entries for URLs in the [Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list) instead.
+> As of April 1 2023, the **Block the following URLs** list for Safe Links no longer works. For more information, see [MC373880](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC373880). Instead, use [block entries for URLs in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). Messages that are blocked by URL entries in the Tenant Allow/Block List are quarantined as high confidence phishing.
>
-> This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365.md). If you are a home user looking for information about Safelinks in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2).
+> This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365.md). If you're a home user looking for information about Safelinks in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2).
-Safe Links is a feature in [Microsoft Defender for Office 365](defender-for-office-365.md) that provides URL scanning of inbound email messages in mail flow, and time of click verification of URLs and links in email messages and in other locations. For more information, see [Safe Links in Microsoft Defender for Office 365](safe-links-about.md).
+In organizations with Microsoft Defender for Office 365, Safe Links provides URL scanning of links in messages, Microsoft Teams, and supported Office 365 apps. For more information, see [Safe Links in Microsoft Defender for Office 365](safe-links-about.md).
-You configure most Safe Links settings in Safe Links policies, including [Safe Links settings for supported Office Apps](safe-links-about.md#safe-links-settings-for-office-apps). For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](safe-links-policies-configure.md).
+The "Block the following URLs" list for Safe Links applies to all users who are included in any Safe Links policies. For more information, see ["Block the following URLs" list for Safe Links](safe-links-about.md#block-the-following-urls-list-for-safe-links).
-But, Safe Links also uses the following global settings that you configure outside of the Safe Links policies themselves:
--- The **Block the following URLs** list. This setting applies to all users who are included in any active Safe Links policies. For more information, see ["Block the following URLs" list for Safe Links](safe-links-about.md#block-the-following-urls-list-for-safe-links)-
-You can configure the global Safe Links settings in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).
+You configure the "Block the following URLs" list for Safe Links in the Microsoft 365 Defender portal or in Exchange Online PowerShell.
## What do you need to know before you begin?
You can configure the global Safe Links settings in the Microsoft 365 Defender p
- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>. -- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program.
You can configure the global Safe Links settings in the Microsoft 365 Defender p
- Allow up to 30 minutes for a new or updated policy to be applied. -- [New features are continually being added to Microsoft Defender for Office 365](defender-for-office-365-whats-new.md). As new features are added, you may need to make adjustments to your existing Safe Links policies.- ## Configure the "Block the following URLs" list in the Microsoft 365 Defender portal > [!NOTE]
-> You can now manage block URL entries in the [Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.
-
-The **Block the following URLs** list identifies the links that should always be blocked by Safe Links scanning in supported apps. For more information, see ["Block the following URLs" list for Safe Links](safe-links-about.md#block-the-following-urls-list-for-safe-links).
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
-
-2. On the **Safe Links** page, click **Global settings**. In the **Safe Links policy for your organization** fly out that appears, go to the **Block the following URLs** box.
-
-3. Configure one or more entries as described in [Entry syntax for the "Block the following URLs" list](safe-links-about.md#entry-syntax-for-the-block-the-following-urls-list).
-
- When you're finished, click **Save**.
-
-### Configure the "Block the following URLs" list in PowerShell
-
-For details about the entry syntax, see [Entry syntax for the "Block the following URLs" list](safe-links-about.md#entry-syntax-for-the-block-the-following-urls-list).
-
-You can use the **Get-AtpPolicyForO365** cmdlet to view existing entries in the _BlockURLs_ property.
+> As described in [MC373880](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC373880), the ability to add entries to the "Block the following URLs" list for Safe Links was deprecated in June 2022, and the list no longer works as of April 1 2023.
-- To add values that will replace any existing entries, use the following syntax in Exchange Online PowerShell or Exchange Online Protection PowerShell:
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. Or, to go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
- ```powershell
- Set-AtpPolicyForO365 -BlockUrls "Entry1","Entry2",..."EntryN"
- ```
+2. On the **Safe Links** page, select :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Global settings**.
- This example adds the following entries to the list:
+3. On the **Safe Links settings for your organization** flyout that opens, the following options are available:
- - Block the domain, subdomains, and paths for fabrikam.com.
- - Block the subdomain research, but not the parent domain or other subdomains in tailspintoys.com
+ - Use the :::image type="icon" source="../../media/search-icon.png" border="false"::: **Search URL** box to find URL entries.
- ```powershell
- Set-AtpPolicyForO365 -BlockUrls "fabrikam.com","https://research.tailspintoys.com*"
- ```
+ - Use the **Filter** drop down list to filter the list of URL entries by the following values:
+ - **All**
+ - **Migrated**: Entries that were automatically migrated as [URL block entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#create-block-entries-for-urls) from June 2022 to December 2022.
+ - **Manually migrate**: Entries that couldn't be automatically migrated to the Tenant Allow/Block List. Automatic migration of URL entries to the Tenant Allow/Block List ended in December 2022.
-- To add or remove values without affecting other existing entries, use the following syntax:-
- ```powershell
- Set-AtpPolicyForO365 -BlockUrls @{Add="Entry1","Entry2"...; Remove="Entry3","Entry4"...}
- ```
+ - Use **Delete all URLs in the current list** to remove entries (affected by the **Filter** value).
- This example adds a new entry for adatum.com, and removes the entry for fabrikam.com.
+ When you're finished on the **Safe Links settings for your organization** flyout that opens, select **Save**.
- ```powershell
- Set-AtpPolicyForO365 -BlockUrls @{Add="adatum.com"; Remove="fabrikam"}
- ```
-
-## How do you know these procedures worked?
-
-To verify that you've successfully configured the global settings for Safe Links (the **Block the following URLs** list and the Office 365 app protection settings), do any of the following steps:
+### Configure the "Block the following URLs" list in PowerShell
-- On the **Safe Links** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/safelinksv2>, click **Global settings**, and verify the settings in the fly out that appears.
+You can use the [Get-AtpPolicyForO365](/powershell/module/exchange/get-atppolicyforo365) cmdlet in Exchange Online PowerShell to view existing entries in the _BlockURLs_ property.
-- In Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command and verify the settings:
+For example:
```powershell Get-AtpPolicyForO365 | Format-List BlockUrls ```
- For detailed syntax and parameter information, see [Get-AtpPolicyForO365](/powershell/module/exchange/get-atppolicyforo365).
+For details about the entry syntax, see [Entry syntax for the "Block the following URLs" list](safe-links-about.md#entry-syntax-for-the-block-the-following-urls-list).
security Submissions Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-teams.md
To view or configure this setting, you need to be a member of the **Global Admin
2. On the **Messaging policies** page, verify that the **Manage policies** tab is selected, and do either of the following actions to edit the appropriate policy (the **Global (Org-wide) default** policy or a custom policy): - Click the link in the **Name** column.
- - Select the policy by clicking anywhere other than the **Name** column, and then click ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**.
+ - Select the policy by clicking anywhere in the row other than the **Name** column, and then click ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**.
3. In the policy details page that opens, find the **Report a security concern** toggle. By default, it's ![Teams 'Report a security concern' toggle on.](../../media/scc-toggle-on.png) **On**. To turn it off, toggle the setting to ![Teams 'Report a security concern' toggle off.](../../media/scc-toggle-off.png) **Off**.
whiteboard Manage Clients Gcc High https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-clients-gcc-high.md
description: Learn which clients are currently supported for Whiteboard.
> [!NOTE] > This guidance applies to US Government Community Cloud (GCC) High environments.
-Whiteboard clients are currently being updated to support OneDrive for Business.
- ## Clients supported The following clients are currently supported in Whiteboard:
The following clients are currently supported in Whiteboard:
- Standalone Whiteboard web application at [https://whiteboard.office365.us](https://whiteboard.office365.us) - Microsoft Teams meetings, chats, and channels using Teams desktop and web - Standalone Whiteboard application for mobile
+- Standalone Whiteboard application for Windows 10 or later versions
+- Standalone Whiteboard application for Surface Hub
+- Whiteboard in Teams meetings on Surface Hub and Teams meeting rooms
+- Whiteboard in 1:1 calls in Teams
## Clients planned The following clients are planned for future releases of Whiteboard: -- Standalone Whiteboard application for Windows 10 or later versions-- Standalone Whiteboard application for Surface Hub (currently can be used in anonymous mode) - Whiteboard in the Office.com app launcher-- Whiteboard in Teams meetings on Surface Hub and Teams meeting rooms-- Whiteboard in 1:1 calls in Teams > [!NOTE] > While users can install the Windows client, they won't be able to sign in until the client is updated.