+2. Click the **View more** button from the at-a-glance activity card for a service (such as email or OneDrive) to see the report detail page. On that page, different reports for the service are provided in tabs.

+|[Microsoft Teams usage activity](microsoft-teams-usage-activity.md)|Yes|Yes|N/A|N/A|N/A|

+It'll take a few minutes for these changes to take effect on the reports in the reports dashboard. This setting also applies to the Microsoft 365 usage reports in [Microsoft Graph](/graph/api/resources/report) and [Power BI](/microsoft-365/admin/usage-analytics/usage-analytics) and [the usage reports in Microsoft Teams Admin center](/microsoftteams/teams-analytics-and-reports/teams-reporting-reference). Showing identifiable user information is a logged event in the Microsoft 365 compliance center audit log.

+Global admins can opt in to sending messages to users, who are accessing Microsoft 365 services from Internet Explorer (as a reminder, the Internet Explorer desktop application will be retired on June 15, 2022). This targeted message notifies users that support for these browsers will end soon and links to a support article with information on Microsoft Edge and simple steps to follow to switch browsers.

+|7. |You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data for all users and enables you to do simple aggregation, sorting, and filtering for further analysis. If you have fewer than 100 users, you can sort and filter within the table in the report itself. If you have more than 100 users, in order to filter and sort, you will need to export the data.|

+|Last activity date (UTC) <br/> |The last date (UTC) that the user participated in a Teams activity. <br/> |

+## See also

+[Microsoft Teams user activity report](../activity-reports/microsoft-teams-user-activity-preview.md)

+[Microsoft Teams usage activity report](../activity-reports/microsoft-teams-usage-activity.md)

+ Title: "Microsoft 365 admin center Teams usage activity reports"

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- Adm_NonTOC

+search.appverid:

+- BCS160

+- MST160

+- MET150

+- MOE150

+description: "Learn how to get the Microsoft Teams usage activity report and gain insights into the Teams activity in your organization."

+# Microsoft 365 Reports in the admin center - Microsoft Teams usage activity

+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). <br/>

+The brand-new **Teams usage report** gives you an overview of the usage activity in Teams, including the number of active users, channels and messages so you can quickly see how many users across your organization are using Teams to communicate and collaborate. It also includes other Teams specific activities, such as the number of active guests, meetings, and messages.

+<br/>

+## How to get to the Microsoft Teams usage activity report

+1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.

+2. From the dashboard homepage, click on the **View more** button on the **Microsoft Teams activity** card.<br/>

+<br/><br/>

+3. On the **Microsoft Teams** reports page, select the **Teams Usage** tab.

+## Interpret the Microsoft Teams usage activity report

+You can view the user activity in the Teams report by choosing the **Teams Usage** tab. This will display the following charts:

+- **Channel usage**: Tracks the number of channel uses, by activity type, over time.<br/>

+ <br/> <br/>

+- **Team usage**: Tracks the number of teams, by type and activity, over time.<br/>

+ <br/> <br/>

+Additionally, the chart includes usage details for individual teams, such as last activity date, active users, active channels, and other data.

+<br/>

+In the table, select **Choose columns** to add or remove columns from the report. <br/> <br/>

+

+You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. If you have less than 2000 users, you can sort and filter within the table in the report itself. If you have more than 2000 users, in order to filter and sort, you will need to export the data. The exported format for **audio time**, **video time**, and **screen share time** follows ISO8601 duration format.

+The **Microsoft Teams usage activity** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you select a particular day in the report, the table will show data for up to 28 days from the current date (not the date the report was generated).

+To ensure data quality, we perform daily data validation checks for the past three days and will be filling any gaps detected. You may notice differences in historical data during the process.

+> [!Important]

+> Data for a given day will show up within 48 hours. For example, data for January 10th should show up in the report by January 12th.

+### Channel usage metrics

+The Channel usage chart shows data on the following metrics.

+|Item|Description|

+|:--|:--|

+|**Metric**|**Definition**|

+|Active channel users <br/> |This is the total of internal active users, active guests, and external active users. <br/><br/> **Internal active users** - Users that have at least one panel action in the specified time period. This excludes guests. <br/> **Active guests** - Guests that have at least one panel action in the specified time period. A guest is a person from outside your organization who accesses shared resources by signing in to a guest account in my directory. <br/> **External active user** - External participants that have at least one panel action in the specified time period. An external participant is a person from outside your organization who is participating in a resource ΓÇô such as a shared channel ΓÇô using their own identity and not a guest account in your directory. <br/>|

+|Active channels <br/> |Valid channels in active teams that have at least one active user in the specified time period. This includes public, private, or shared channels. <br/> |

+|Channel messages <br/> |The number of unique messages that the user posted in a private chat during the specified time period. <br/> |

+### Team usage metrics

+The Teams usage chart shows data on the following metrics.

+|Item|Description|

+|:--|:--|

+|**Metric**|**Definition**|

+|Private teams <br/> |A private team that is either active or inactive. |

+|Public teams <br/> |A public team that is either active or inactive. |

+|Active private teams <br/> |A team that is private and active. |

+|Active public teams <br/> |A team that is public and active. |

+### Teams details

+Data for following metrics are available for individual teams.

+|Item|Description|

+|:--|:--|

+|**Metric**|**Definition**|

+|Team ID <br/> |Team identifier <br/>|

+|Internal active users <br/> |Users that have at least one panel action in the specified time period including guests. <br/> <br/> Internal users and guests that reside in the same tenant. Internal users exclude guests. |

+|Active guests <br/> |Guests that have at least one panel action in the specified time period. <br/> <br/> A guest is defined as persons from outside your organization who accesses shared resources by signing in to a guest account in my directory. |

+|External active users <br/> |External participants that have at least one panel action in the specified time period.<br/><br/> An external participant is defined as a person from outside your organization who is participating in a resource ΓÇô such as a shared channel ΓÇô using their own identity and not a guest account in your directory. |

+|Active channels <br/> |Valid channels in active teams that have at least one active user in the specified time period. This includes public, private, or shared channels. <br/> |

+|Active shared channels <br/> |Valid shared channels in active teams that have at least one active user in the specified time. <br/> <br/>A shared channel is defined as a Teams channel that can be shared with people outside the team. These people can be inside your organization or from other Azure AD organizations. |

+|Total organized meetings <br/> |The sum of one-time scheduled, recurring, ad hoc and unclassified meetings a user organized during the specified time period. <br/>|

+|Posts <br/> |Count of all the post messages in channels in the specified time period. |

+|Replies <br/> |Count of all the reply messages in channels in the specified time period. |

+|Mentions <br/> |Count of all mentions made in the specified time period. <br/>|

+|Reactions <br/> |Number of reactions an active user made in the specified time period. |

+|Urgent messages <br/> |Count of urgent messages in the specified time period. |

+|Channel messages <br/> |The number of unique messages that the user posted in a team chat during the specified time period. <br/>|

+|Last activity date <br/> |The latest date that any member of the team has committed an action. |

+## Make the user-specific data anonymous

+To make the data in Teams user activity report anonymous, you have to be a global administrator. This will hide identifiable information (using MD5 hashes) such as display name, email, and Azure Active Directory Object ID in report and their export.

+1. In Microsoft 365 admin center, go to the **Settings** > **Org Settings**, and under **Services** tab, choose **Reports**.

+2. Select **Reports**, and then choose to **Display anonymous identifiers**. This setting gets applied both to the usage reports in Microsoft 365 admin center and Teams admin center.

+3. Select **Save changes**.

+## See also

+[Microsoft Teams device usage report](../activity-reports/microsoft-teams-device-usage-preview.md)

+[Microsoft Teams user activity report](../activity-reports/microsoft-teams-user-activity-preview.md)

+You can view the user activity in the Teams report by choosing the **User activity** tab. <br/>

+Select **Choose columns** to add or remove columns from the report. <br/> 

+|Tenant name <br/> |The name of an internal or external tenant where a user belongs. <br/> <br/> If a user belongs to an external tenant, corresponding data metrics (for example, post messages, reply messages, etc.) are calculated based on their interactions in shared channels of the adminΓÇÖs tenant. Interactions done by the user in their own tenant (outside of shared channels of the given tenant) are not considered for the admin usage report of given tenant. |

+|Shared channel tenant names <br/> |The names of internal or external tenants of shared channels where the user participated. <br/> |

+|Posts <br/> |The number of post messages in all channels during the specified time period <br/> |

+|Replies <br/> |The number of replied messages in all channels during the specified time period. <br/> |

+|Urgent messages <br/> |The number of urgent messages during the specified time period. <br/> |

+## Make the user-specific data anonymous

+To make the data in Teams user activity report anonymous, you have to be a global administrator. This will hide identifiable information (using MD5 hashes) such as display name, email, and Azure Active Directory Object ID in report and their export.

+1. In Microsoft 365 admin center, go to the **Settings** > **Org Settings**, and under **Services** tab, choose **Reports**.

+2. Select **Reports**, and then choose to **Display anonymous identifiers**. This setting gets applied both to the usage reports in Microsoft 365 admin center and Teams admin center.

+3. Select **Save changes**.

+## See also

+[Microsoft Teams device usage report](../activity-reports/microsoft-teams-device-usage-preview.md)

+[Microsoft Teams usage activity report](../activity-reports/microsoft-teams-usage-activity.md)

+ :::image type="content" source="media/bookings-busy-tentative-view-2.png" alt-text="A view of a Bookings calendar.":::

+ :::image type="content" source="../media/bookings-applauncher.png" alt-text="Bookings in App launcher.":::

+ :::image type="content" source="media/bookings-remind-confirm-2.png" alt-text="Screenshot: Example confirmation email from a manual booking":::

+ :::image type="content" source="media/bookings-internal-page-1.png" alt-text="The Bookings Page.":::

+To unpublish the booking page, go to the Booking page and select **Unpublish**.

+ :::image type="content" source="media/bookings-remind-confirm-2.png" alt-text="A confirmation email from Bookings.":::

+## Watch: Set employee working hours

+## Customize employee working hours

+1. Choose your calendar.

+ 

+1. In the navigation pane, select **Your calendar** > **Business information** in the left pane.

+ 

+ 

+1. Enter your business name and business type and select **Continue**.

+## Watch: Enter business hours and time off for employees

+Schedule business closures or employee off.

+ :::image type="content" source="../media/bookings-calendar-timeoff-2.png" alt-text="Bookings calendar view and time off button.":::

+ :::image type="content" source="../media/bookings-applauncher.png" alt-text="App launcher.":::

+ :::image type="content" source="../media/bookings-calendar-timeoff-2.png" alt-text="Bookings calendar view and time off button.":::

+ :::image type="content" source="../media/bookings-outlook-tile.png" alt-text="Outlook tile on Microsoft 365 landing page.":::

+1. Select your language and current time zone and choose **OK**.

+ :::image type="content" source="../media/bookings-region-timezone-settings-1.png" alt-text="Language and time zone settings.":::

+ Title: "Understand invoicing for future start dates"

+f1.keywords:

+- CSH

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+search.appverid: MET150

+description: "Learn what it means when your invoice has a subscription with a future start date."

+- commerce_billing

+# Understand invoicing for future start dates

+Sales proposals might include subscriptions that start on a future date. A future start date aligns the start date of a new subscription with the end date of a previous subscription. If your proposal contains subscriptions that start on a future date, you receive an invoice for those subscriptions only when the future start date arrives. Using a future start date ensures that you arenΓÇÖt billed for items that you don't own yet. New subscriptions start on the future start date specified in the proposal. On the start date of the new subscription, we send you an email to let you know that your new subscription is now active and your billing for this subscription will begin immediately. Your next invoice reflects the new charges plus applicable taxes for the new subscription.

+For licensing requirements, see [Information Protection: Data Classification Analytics: Overview Content & Activity Explorer](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection-data-classification-analytics-overview-content--activity-explorer)

+3. In the list of mailboxes, select the user that you want to enable the archive mailbox for and select **Enable Archive**.

+5. Select **Enable** to enable the archive mailbox.

+3. In the list of mailboxes, select the user that you want to disable the archive mailbox for and select **Disable Archive**.

+5. Select **Disable** to disable the archive mailbox.

+- one letter (not case-sensitive) from this set of possible letters: A/B/F/G/M/P/R, which is a registrant code

+- optional space

+- a check character (any digit or the letter A) which is optionally enclosed in parentheses

+- the letter "F", "G", "M", "S", or "T" (not case-sensitive)

+eight or nine character alphanumeric pattern

+one letter (not case-sensitive) followed by seven digits

+or

+two letters (not case-sensitive) followed by six or seven digits

+- DLN

+Note that when you add sensitive information to an email, there may be latency between when the sensitive information is added and when the policy tip appears. When emails are encrypted with Office Message Encryption (OME) and the policy used to detect them uses the detect encryption condition policy tips will not appear.

+1. From the model home page, in the **Create and train extractors** tile, select **Train extractor**.

+3. When you're done, select **Create**.

+1. From the viewer, select the data that you want to extract from the files. For example, if you want to extract the *Start Service Date*, you highlight the date value in the first file (*Monday, October 14, 2019*). and then select **Save**. You should see the value display from the file in the Labeled examples list, under the **Label** column.

+2. Select **Next file** to autosave and open the next file in the list in the viewer. Or select **Save** and then select another file from the **Labeled examples** list.

+The Find feature is useful if you're searching a large document or if there are multiple instances of the entity in the document. If you find multiple instances, you can select the one you need in the search results to go to that location in the viewer to label it.

+For our example, we're going to create an explanation that provides a hint about the entity format itself and variations it might have in the sample documents. For example, a date value can be in a number of different formats, such as:

+For creating explanations for items such as dates, it's easier to [use the explanation library](./explanation-types-overview.md) than to manually enter all variations. The explanation library is a set of pre-built phrase and pattern explanations. The library tries to provide all formats for common phrase or pattern lists, such as dates, phone numbers, zip codes, and many others.

+For the *Service Start Date* sample, it's more efficient to use the pre-built explanation for *Date* in the explanation library:

+Saving your explanation starts the training. If your model has enough information to extract the data from your labeled example files, you'll see each file labeled with **Match**.

+If the explanation doesn't have enough information to find the data you want to extract, each file will be labeled with **Mismatch**. You can select **Mismatched** files to see more information about why there was a mismatch.

+Often the mismatch is an indication that the explanation we provided didn't provide enough information to extract the service start date value to match our labeled files. You might need to edit it, or add another explanation.

+1. From the model home page, select the **Test** tab. This runs the model on your unlabeled sample files.

+### Further refine an extractor

+If you have duplicate entities and want to extract only one value or a certain number of values, you can set a rule to specify how you want it processed. To add a rule to refine extracted information, follow these steps:

+1. From the model home page, in the **Entity extractors** section, select the extractor you want to refine, and then select **Refine extracted info**.

+ 

+2. On the **Refine extracted info** page, select one of the following rules:

+ - Keep one or more of the first values

+ - Keep one or more of the last values

+ - Remove duplicate values

+ - Keep one or more of the first lines

+ - Keep one or more of the last lines

+

+ 

+3. Enter the number of lines or values you want to use, and then select **Refine**.

+4. If you want to edit a rule by changing the number of lines or values, select the extractor you want to edit, select **Refine extracted info**, change the number, and then select **Save**.

+5. When you test the extractor, you'll be able to see the refinement in the **Refinement result** column of the **Test Files** list.

+ 

+6. If you want to delete a refinement rule on an extractor, select the extractor from which you want to remove the rule, select **Refine extracted info**, and then select **Delete**.

+[Introduction to SharePoint Syntex](index.md)

+## Change the view in a document library

+ Title: Change the view in a document library in Microsoft SharePoint Syntex

+audience: admin

+ms.customer: intro-overview

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn how to change the view in a document library in Microsoft SharePoint Syntex.

+There are multiple ways to view how you see the information in a SharePoint document library. You can change the view in your document library to fit your needs or preferences.

+To change the view on the library page, select the view dropdown menu to show the options, and then select the view you want to use.

+ 

+For example, if you select **Tiles** from the list, the page will display as shown.

+ 

+The **Tiles** view displays up to eight user-created fields. If there are fewer than eight, up to four system-generated fields are shown: Sensitivity (if available), Retention (if available), Content type, Modified date, Modified by, and Classification date.

+To edit any current view, on the view dropdown menu, select **Edit current view**.

+ Title: An overview of Microsoft LTI apps

+description: Learn about Learning Tools Interoperability (LTI) Microsoft apps, and how they will help educators when integrating Microsoft apps into their Learning Management System (LMS).

+Microsoft Education and our third-party partners understand that the flow of teaching and learning invariably crosses solution boundaries. We're working on providing more seamless experiences, keeping educators and learners focused on their goals, rather than having to juggle tools. We're integrating Microsoft products wherever teaching and learning occurs, including within and alongside Learning Management Systems (LMS).

+We've worked with our LMS partners to create a suite of tools using the [Learning Tools Interoperability (LTI) standard](https://www.imsglobal.org/activity/learning-tools-interoperability) that brings the best of Microsoft directly into your LMS.

+These tools include:

+- [OneDrive LTI](#onedrive-lti-apps)

+- [Teams Meetings LTI](#teams-meetings-lti)

+- [Teams Classes LTI](#teams-classes-lti)

+For general information on managing Microsoft OneLTI tools, see [Manage Microsoft OneLTI for any LMS](manage-microsoft-one-lti.md).

+## OneDrive LTI apps

+- **Brings Microsoft 365 directly into your workflows**

+The Microsoft OneDrive LTI app integrates with your LMS to bring Microsoft OneDrive and Microsoft 365 directly into your most important workflows that include:

+The Microsoft OneDrive LTI App is compatible with LTI 1.3 and LTI Advantage, allowing for a secure and integrated user experience.

+- **Modern and rich user experience**

+We're improving upon the existing Microsoft 365 integration in your LMS by delivering a modern user experience, complete with an expanded Microsoft OneDrive file picker and rich editing experiences for Office files.

+Microsoft owns the OneDrive LTI app, which means youΓÇÖll always get the latest updates from Microsoft automatically.

+- Attach Microsoft 365 files including Word documents, PowerPoint presentations, and Excel from the Rich Content Editor.

+- Distribute Microsoft 365 cloud assignments.

+- Integrate Microsoft 365 files with your course modules.

+For configuration steps, see:

+- [Microsoft OneDrive LTI with Canvas](onedrive-lti.md).

+- [Microsoft OneDrive LTI with Blackboard](onedrive-lti-blackboard.md).

+### Teams meetings LTI

+Microsoft Teams meetings LTI app incorporates Teams meetings into LMS courses. Educators and students can view past and upcoming meetings, schedule individual or recurring meetings, and join team meetings related to the course, all from within their LMS.

+For configuration steps, see:

+- [Microsoft Teams Meetings with Canvas](teams-meetings-with-canvas.md).

+- [Microsoft Teams Meetings with Moodle](teams-classes-meetings-with-moodle.md).

+### Teams classes LTI

+The Microsoft Teams classes LTI app helps educators and students navigate between their LMS and Teams. Users can access their class teams associated with their course within their LMS.

+For configuration steps, see:

+- [Teams Classes LTI with Canvas](teams-classes-with-canvas.md).

+- [Teams Classes LTI with Blackboard](teams-classes-with-blackboard.md).

+- [Teams Classes LTI with Moodle](teams-classes-meetings-with-moodle.md).

+ Title: Manage Microsoft OneLTI for any LMS

+audience: admin

+f1.keywords:

+- CSH

+ms.localizationpriority: medium

+description: Learn how to conduct key Microsoft OneLTI management tasks including deleting, viewing, editing, and troubleshooting.

+# Manage Microsoft OneLTI for any LMS

+Microsoft OneLTI integrates with several LMSs including Canvas, Blackboard, and Moodle.

+In this article, IT admins will find instructions on key OneLTI management tasks.

+- [Delete an LTI registration](#delete-an-lti-registration).

+- [View an LTI registration](#view-an-lti-registration).

+- [Edit an LTI registration](#edit-an-lti-registration).

+- [Troubleshoot issues with OneLTI](#troubleshoot-issues-with-onelti).

+- [Report problems with OneLTI](#report-problems-with-onelti).

+## Delete an LTI registration

+If you would like to delete a Microsoft OneLTI registration, follow the steps below.

+1. Visit [Microsoft LTI Portal](https://lti.microsoft.com/).

+2. Sign in with a Microsoft 365 administrator account.

+3. In the registration list, find the LTI registration you wish to delete.

+4. Select the **trash can icon** next to the listing.

+5. In the confirmation dialog box, select **Delete** to confirm deletion.

+6. You'll see a success message once it's deleted.

+## View an LTI registration

+If you would like to view the details of an LTI registration, follow the steps below.

+1. Visit [Microsoft LTI Portal](https://lti.microsoft.com/).

+2. Sign in with a Microsoft 365 administrator account.

+3. In the registration list, find the LTI registration you wish to view.

+4. Select the **eye icon** next to the listing.

+5. The registration details panel will open.

+## Edit an LTI registration

+Currently, we don't support editing an existing LTI registration after itΓÇÖs added.

+To change an LTI registration, you'll need to:

+1. Delete the existing registration.

+2. Add a new registration.

+## Troubleshoot issues with OneLTI

+If you or your educators are experiencing issues with Microsoft OneLTI, here are some things you can do to troubleshoot.

+### Issues while launching an LTI tool from the LMS

+Educators might experience issues launching a Microsoft LTI tool in their LMS.

+If so, here are some common issues and how to resolve them.

+- **Cookies can't be found**

+ - Third-party cookies need to be allowed for the **LMS URL** in the browser settings.

+ - These cookies are needed to complete the LTI 1.3 handshake per the IMS specifications.

+- **Registration details not found**

+ - This issue happens when registration of the LTI tool wasn't completed or if the registration was deleted in the OneLTI admin portal.

+ - The IT admin will need to complete registration of the LTI tool.

+- **Some details from LMS aren't valid**

+ - This issue happens when the details sent from the LMS in the tool launch request aren't aligned with the IMS LTI 1.3 specification.

+ - The IT admin will need to reach out to [Microsoft's education support team](https://edusupport.microsoft.com/support?product_id=lti_apps&platform_id=web) if the issue persists.

+### Issues with signing in to the registration portal

+When signing in to the Microsoft LTI registration portal, you may have issues accessing the registration page or receive a sign-in error.

+Here are some common sign-in issues and how to resolve them.

+- **Authorization error**

+ - If you see the error message, "Your account doesnΓÇÖt have permission to access this page," then either:

+ - The account doesn't belong to a registered tenant, or

+ - The account doesn't belong to an educator or an admin.

+ - For both these cases, you'll see a **Sign out & switch accounts** button.

+ - Select this button or select the **Sign out** button under the user profile menu.

+ - Sign in with an account that belongs to the tenant, an educator, or an admin.

+ - If the tenant isn't registered, then the IT admin must register it before trying to register LTI integrations.

+ - If after trying these steps, you still see this error, then sign out and sign in again.

+ - You can also clear cookies and local storage for the LTI registration portal and `https://login.microsoftonline.com/`.

+ - Try to sign in again.

+ - If the issue persists, report the problem by selecting the **Report a problem** link at the top right.

+- **Authentication error**

+ - If you see the error message, ΓÇ£Authentication failed. Try again," the sign-in session may have expired.

+ - Sign out and sign back in again.

+ - You can also clear cookies and local storage for the LTI registration portal and `https://login.microsoftonline.com/`.

+ - Try to sign in again.

+ - If the issue persists, report the problem by selecting the **Report a problem** link at the top right.

+- **Other errors**

+ - For all other errors, you'll see the error message, ΓÇ£Something went wrong. Try again later.ΓÇ¥

+ - This could be an internal processing error.

+ - Try signing in again after a few hours.

+ - Select the **Go to Home page** button. This will navigate back to the landing page.

+ - Select the **Go to registration portal** button to go back to the LTI registration portal.

+## Report problems with OneLTI

+To report any issues or submit feedback for Microsoft OneLTI, follow the steps below.

+1. In the Microsoft OneLTI registration portal, select the **question mark icon** in the page header.

+2. In the dropdown, select **Report a problem**.

+3. The Microsoft Education Support page will open. Sign in with your Microsoft 365 credentials.

+4. Fill out the form and submit.

+ Title: Set up and configure the Moodle plugin

+audience: admin

+f1.keywords:

+- CSH

+ms.localizationpriority: medium

+description: Get ready to integrate Moodle and Microsoft Teams by setting up and configuring the Moodle plugin.

+# Set up and configure the Moodle plugin

+In this article, you'll learn how to install and configure the Moodle LMS plugin to incorporate Microsoft Teams with your Moodle experience.

+## Prerequisites

+Here are the prerequisites to install Moodle:

+* Moodle administrator credentials.

+* Azure AD administrator credentials.

+* An Azure subscription where you can create new resources.

+## 1. Install the Microsoft 365 Moodle Plugins

+Moodle integration in Microsoft Teams is powered by the open source [Microsoft 365 Moodle plugins set](https://github.com/Microsoft/o365-moodle).

+### Requisite applications and plugins

+Install and download the following items before proceeding with the Microsoft 365 Moodle plugins installation:

+1. A [current stable version of Moodle](https://download.moodle.org/releases/latest/).

+1. Download and save the Moodle [OpenID Connect](https://moodle.org/plugins/auth_oidc) and the [Microsoft 365 Integration](https://moodle.org/plugins/local_o365) plugins to your local computer.

+ > [!NOTE]

+ > Installing the OpenID Connect and Microsoft 365 Integration plugins is required for the Teams integration.

+ >

+ > The [Microsoft 365 Teams Theme](https://moodle.org/plugins/theme_boost_o365teams) plugin is recommended.

+### Microsoft 365 Moodle plugins

+#### Install plugins

+1. Sign in to your Moodle server and navigate to **Site administration**.

+1. Select the **Plugins** tab then select **Install plugins**.

+1. From the **Install plugins from ZIP file** section, select **Choose a file**.

+1. Select **Upload a file** from the left navigation panel, browse for the file that you downloaded, and select **Upload this file**.

+1. Select **Site administration** from the left navigation panel to return to your admin dashboard.

+1. Scroll down to the **Local plugins** and select the **Microsoft 365 Integration** link.

+ > [!IMPORTANT]

+ >

+ > * Keep your Microsoft 365 Moodle Plugins configuration page open in a separate browser tab as you need to return to this set of pages throughout the process.

+ >

+ > * If you do not have an existing Moodle site, go to the [Moodle on Azure](https://github.com/azure/moodle) repo, and quickly deploy a Moodle instance and customize it to your needs.

+#### Enable the OpenID Connect authentication plugin

+1. Navigate to **Site Administration** > **Plugins** > **Authentication** then select **Manage Authentication**.

+1. Find the **OpenID Connect** authentication plugin and select the *eye icon* to enable it.

+1. Select **Settings** for the plugin to verify the **Authorization** and **Token** endpoints.

+ 1. The default values should be:

+ 1. Authorization endpoint: ``https://login.microsoftonline.com/common/oauth2/authorize``.

+ 1. Token endpoint: ``https://login.microsoftonline.com/common/oauth2/token``.

+1. Record the **Redirect URI** for later use.

+## 2. Configure the connection between the Microsoft 365 plugins and Azure AD

+You must configure the connection between the Microsoft 365 plugins and Azure AD.

+### Requisites

+Register Moodle as an application in your Azure AD, using the PowerShell script. The script provisions the following items:

+* A new Azure AD application for your Microsoft 365 tenant, which is used by the Microsoft 365 Moodle Plugins.

+* The app for your Microsoft 365 tenant sets up the required reply URLs and permissions for the provisioned app and returns the `AppID` and `Key`.

+Use the generated `AppID` and `Key` in your Microsoft 365 Moodle Plugins setup page to configure your Moodle server site with Azure AD.

+> [!IMPORTANT]

+>

+> * The PowerShell script is not updated with the latest configuration items, therefore, you must complete the configuration manually following the steps outlined on the Moodle [3.10.6 and 3.11.3](https://docs.moodle.org/311/en/Microsoft_365) release page.

+>

+> * For more information on registering your Moodle instance manually, see [Register your Moodle instance as an application](https://docs.moodle.org/311/en/Microsoft_365#Register_Application_in_Azure_manually).

+### The Teams for Moodle set up process

+1. From the Microsoft 365 Integration plugins page, select the **Setup** tab.

+1. Select the **Download PowerShell Script** button and save it as a ZIP folder to your local computer.

+1. Prepare the PowerShell script from the ZIP file as follows:

+ 1. Download and extract the `Moodle-AzureAD-Powershell.zip` file.

+ 1. Open the extracted folder.

+ 1. Right-click on the `Moodle-AzureAD-Script.ps1` file and select **Properties**.

+ 1. Under the **General** tab of the Properties window, select the `Unblock` checkbox next to the **Security** attribute located at the bottom of the window.

+ 1. Select **OK**.

+ 1. Copy the directory path to the extracted folder.

+1. Run PowerShell as an administrator:

+ 1. Select Start.

+ 1. Type PowerShell.

+ 1. Right-click on **Windows PowerShell**.

+ 1. Select **Run as Administrator**.

+1. Navigate to the unzipped directory by typing `cd .../.../Moodle-AzureAD-Powershell` where `.../...` is the path to the directory.

+1. Execute the PowerShell script:

+ 1. Enter `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser`.

+ 1. Enter `./Moodle-AzureAD-Script.ps1`.

+ 1. Sign in to your Microsoft 365 administrator account in the pop-up window.

+ 1. Enter the name of the Azure AD Application, for example, Moodle or Moodle plugins.

+ 1. Enter the URL for your Moodle server.

+ 1. Copy the **Application ID (`AppID`)** and **Application Key(`Key`)** generated by the script and save them.

+1. Return to the plugins administration page, **Site administration** > **Plugins** > **Authentication** > **OpenID Connect**.

+1. Paste the `AppID` value into the **Application ID** box and the `Key` value into the **Key** box, and then select **Save changes**.

+1. Navigate to **Site administration** > **Plugins** > **Local plugins** and select **Microsoft 365 Integration**.

+1. In **Choose connection method**, select **Application access**, and then select **Save changes** again.

+1. After the page refreshes, you can see another new section **Admin consent & additional information**.

+ 1. Select **Provide Admin Consent** link, enter your Microsoft 365 Global Administrator credentials, then **Accept** to grant the permissions.

+ 1. Next to the **Azure AD Tenant** field, select the **Detect** button.

+ 1. Next to the **OneDrive for Business URL**, select the **Detect** button.

+ 1. After the fields populate, select the **Save changes** button again.

+1. Select the **Update** button to verify the installation, and then select **Save changes**.

+1. Synchronize users between your Moodle server and Azure AD. Depending on your environment, you can select different options during this stage. To get started:

+ 1. Switch to the **Sync Settings tab**.

+ 1. In the **Sync users with Azure AD** section, select the checkboxes that apply to your environment. You must select the following options:

+ Γ£ö Create accounts in Moodle for users in Azure AD.

+

+ Γ£ö Update all accounts in Moodle for users in Azure AD.

+

+ 1. In the **User Creation Restriction** section, you can set up a filter to limit the Azure AD users that are synced to Moodle.

+ 1. In the **Course Sync** section, you can select **Course sync customization** option to enable the automatic creation of Groups and Teams for some, or all, of your existing Moodle courses.

+1. To validate [cron](https://docs.moodle.org/310/en/Cron) tasks and to run them manually for the first time, navigate to **Site administration** > **Server** > **Tasks** > **Scheduled tasks**.

+ 1. Scroll down and find the task **Sync users with Azure AD** and select **Run now**.

+ 1. This will sync the AAD user to your Moodle site.

+ 1. Next, find the **Sync Moodle courses to Microsoft Teams** task and select **Run now**.

+ 1. This task will create groups and Teams if an owner is found.

+ 1. If the user has `local/o365:teamowner` capability in the course context, the user is a team owner. If the user has `local/o365:teammember` capability in the course context, the user is a team member.

+ 1. The default *Teacher* role has the `local/o365:teamowner" capability`, and the default *Student* role has the `local/o365:teammember` capability.

+ > [!NOTE]

+ >

+ > The Moodle [Cron](https://docs.moodle.org/311/en/Scheduled_tasks) runs according to the task schedule. The default schedule is once a day at 1:00 AM in your server's local time zone. However, the cron should run more frequently to keep everything in sync.

+1. Return to the site administration page.

+1. Configure the required settings to enable the Teams app integration.

+ 1. To enable **OpenID Connect**, go to **Site administration** > **Plugins** > **Manage authentication**.

+ 1. Find **OpenID Connect**, and select the eye icon if it's greyed out. Save changes.

+ 1. To enable frame embedding, go to **Site administration** and select **HTTP Security** in the **Security** section.

+ 1. Select the checkbox next to **Allow frame embedding**. Save changes.

+ 1. To enable web services, which enable the Moodle API features, go to **Site administration** > **Advanced features**.

+ 1. Ensure the checkbox next to **Enable web services** is selected. Save changes.

+ 1. To enable the external services for Microsoft 365, go to **Site administration** > **Plugins**, and select **External services** in the **Web services** section.

+ Γ£ö In the **Built-in services** section, find **Moodle Microsoft 365 Webservices**.

+

+ Γ£ö Select **Edit** on the **Moodle Microsoft 365 Webservices** row.

+

+ Γ£ö Select the eye icon if it's greyed out. Save changes.

+

+ 1. Edit your authenticated user permissions to allow them to create web service tokens.

+ Γ£ö Go to **Site administration**, **Users** tab, and find **Define roles** in the **Permissions** section.

+

+ Γ£ö On the **Manage users** tab, find **Authenticated user** role, and select the edit icon.

+

+ Γ£ö Scroll down and find the **Create a web service token** capability and select the **Allow** checkbox. Save changes.

+

+After the plugins are installed and configured, you can:

+* [Add Moodle tabs to Teams classes](/microsoftteams/install-moodle-integration#step-4-deploy-your-microsoft-teams-app).

+* [Add Teams classes and meetings to the Moodle LMS](teams-classes-meetings-with-moodle.md).

+## Extra Moodle plugin documentation

+If you would like to review Moodle's Microsoft 365 integration guides and release notes, see these resources:

+* [Moodle and Microsoft 365 3.10.6](https://docs.moodle.org/310/en/Microsoft_365).

+* [Moodle and Microsoft 365 3.11.3](https://docs.moodle.org/310/en/Microsoft_365).

+ Title: Integrate Microsoft OneDrive LTI with Canvas

+description: Create and grade assignments, build and curate course content, and collaborate on files in real time with the new Microsoft OneDrive Learning Tools Interoperability App for Canvas.

+ Title: Integrate Microsoft Teams classes and meetings with Moodle

+audience: admin

+f1.keywords:

+- CSH

+ms.localizationpriority: medium

+description: Create and manage Teams classes and meetings with Microsoft OneDrive Learning Tools Interoperability for Moodle.

+# Integrate Microsoft Teams classes and meetings within Moodle

+This guide provides the IT admin steps for registering both Teams Classes and Teams Meetings LTI apps on Moodle.

+For details on managing all OneLTI tools for any LMS, see [Manage Microsoft OneLTI for any LMS](manage-microsoft-one-lti.md).

+## Prerequisites before set up

+For the integration between Moodle and Teams to function correctly, Moodle and Teams must be set up to communicate with one another.

+Follow the [instructions for installing and configuring the Moodle plugin](moodle-plugin-configuration.md).

+## Register Microsoft OneLTI tools for use in Moodle

+> [!IMPORTANT]

+> The person who performs this integration should be a Moodle administrator and a Microsoft 365 tenant administrator.

+1. Visit [Microsoft LTI Portal](https://lti.microsoft.com/) and select **Go to registration portal**.

+2. Sign in with a Microsoft 365 administrator account.

+3. After signing in, select **Add new registration**.

+4. Select either **Teams Meetings LTI** or **Teams Classes LTI** to register and then select **Next**.

+5. Enter in an easily identifiable **Registration** name and select **Moodle** as the LMS platform. Select **Next**.

+6. You'll be given a list of keys that need to be added to your Moodle site.

+7. Open Moodle in another tab. Don't close the Microsoft LTI portal tab.

+8. In Moodle, go to **Site administration** > **Plugins** > **Activity modules** > **External tools** > **Manage tools**.

+9. On the **Manage tools** page, select **configure a tool manually**.

+10. Under **Tool settings**, enter in a **Tool name** like **Microsoft Teams Classes**. For **LTI version**, select **LTI 1.3**. For **Public key type**, select **Keyset URL**.

+11. Next, copy the keys from **Microsoft LTI keys** to the corresponding tools inputs.

+ 1. Microsoft's **Target link URL** key goes into Moodle's **Tool URL** field.

+ 1. Microsoft's **Open ID connection URL** key goes into Moodle's **Initiate login URL** field.

+ 1. Microsoft's **Redirect URL** key goes into Moodle's **Redirection URI(s)** field.

+12. Select **Save changes**.

+13. The new tool should now appear in the **Tools** section of Moodle's **Manage tools** page. Select the list icon to view **Tool configuration details**.

+14. Go back to the Microsoft LTI portal tab. Select **Next** to go to the **LMS provided registration keys** step.

+15. Copy and paste the values from Moodle's **Tool configuration details** to Microsoft's **LMS provided registration keys** step.

+ Paste the values as follows:

+ | On Moodle | On Microsoft LTI registration portal |

+ | | |

+ | Platform ID | Issuer ID URL |

+ | Client ID | Client ID |

+ | Deployment ID | Deployment ID |

+ | Public keyset URL | Keyset URL |

+ | Access token URL | Access token URL |

+ | Authentication request URL | Platform authentication URL |

+ Select **Next**.

+16. Review the **Review and add** page. If there are no errors, select **Save and exit**. You should see a message indicating successful registration.

+You've completed registration of either the Teams Classes or Teams Meetings LTI app.

+If you would like to add the other app too, repeat the steps above, selecting the other Teams LTI app in step 4.

+### Add Teams LTI tools to educators' Moodle courses

+After registering Teams LTI apps, educators can add the Teams Classes app and the Teams Meetings app to their Moodle courses.

+- [Educator instructions on adding the Teams Classes app](https://support.microsoft.com/topic/use-microsoft-teams-classes-in-your-lms-ac6a1e34-32f7-45e6-b83e-094185a1e78a).

+- [Educator instructions on adding the Teams Meetings app](https://support.microsoft.com/topic/use-microsoft-teams-meetings-in-your-lms-11b6095d-f90b-42b9-ab77-4dcff2bb3b76).

+| [Threat hunting](../defender-endpoint/advanced-hunting-overview.md) and six months of data retention ^[[3](#fn3)] | No | No | Yes |

+| [Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>(Windows, macOS, iOS, and Android OS) | Yes ^[[4](#fn4)] | Yes | Yes |

+(<a id="fn3">3</a>) There is no timeline tab in Defender for Business.

+(<a id="fn4">4</a>) During the preview program, Windows client devices are supported in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).

+4. Use one of the following procedures:<br/>

+ | Scenario | Procedure |

+ |:|:|

+ | You're setting up a Microsoft 365 subscription for the first time. | Select **Go to guided setup** and complete the following steps:<br/><br/>1. Either install your Office apps now, or choose **Continue** to skip this step. (You can install your Office apps later.)<br/><br/>2. If your company has a domain, you can add it now (this option is recommended). Alternately, you could choose to use your default `.onmicrosoft.com` domain for now.<br/><br/>3. Add users and assign licenses. Each user you list will be assigned a license automatically. See [Add users and assign licenses at the same time](../../admin/add-users/add-users.md). |

+ | You're adding a trial to an existing Microsoft 365 tenant. | 1. Go to the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) and sign in.<br/><br/>2. In the navigation pane, choose **Users** > **Active users**. Review the list of users. <br/><br/>3. To assign licenses, follow the guidance in [Assign licenses to users](../../admin/manage/assign-licenses-to-users.md). |

+1. [Use the setup wizard in Microsoft Defender for Business](mdb-use-wizard.md) or [See the setup and configuration process for Defender for Business](mdb-setup-configuration.md).

+2. [See how to get help and support for Defender for Business](mdb-get-help.md) (just in case you need help)

+After you've onboarded your company's devices to Microsoft Defender for Business, your next step is to view and if necessary, edit your security policies and settings. Security policies to configure include:

+Proceed to [Step 2: Assign roles and permissions in Microsoft Defender for Business](mdb-roles-permissions.md).

+Proceed to [Step 1: Review the requirements for Microsoft Defender for Business](mdb-requirements.md).

+ Title: Use setup wizard in Microsoft Defender for Business

+# Use the setup wizard in Microsoft Defender for Business

+Microsoft Defender for Business was designed to save small and medium-sized businesses time and effort with a wizard-like experience for initial setup and configuration. The setup wizard guides you through granting access to your security team, setting up email notifications for your security team, and onboarding your company's Windows devices.

+## Overview of the setup wizard

+> [!IMPORTANT]

+> Before you begin, make sure that you have already added users to your Microsoft 365 subscription. To get help with this task, see [Add users and assign licenses at the same time](../../admin/add-users/add-users.md).

+1. **Assign user permissions**. In this step, you grant your security team access to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This portal is where you and your security team will manage your security capabilities, view alerts, and take any needed actions on detected threats. Portal access is granted through roles that imply certain permissions.

+ In Defender for Business, members of your security team can be assigned one of three roles:<br/>

+

+ - **Global Admin**: A global admin can view and edit all settings across your Microsoft 365 tenant. The global admin does the initial setup and configuration for your company's Microsoft 365 subscription.

+ - **Security Administrator**: A security administrator can view and edit security settings, and take action when threats are detected.

+ - **Security Reader**: A security reader can view information in reports, but cannot change any security settings.

+

+ [Learn more about roles and permissions](mdb-roles-permissions.md).

+2. **Set up email notifications**. In this step, you can set up email notifications for your security team. Then, when an alert is generated or a new vulnerability is discovered, your security team will not about it even if they're away from their desk.

+ [Learn more about email notifications](mdb-email-notifications.md).

+3. **Onboard and configure Windows devices**. In this step, you can onboard your company's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one.

+ - **If you're already using Microsoft Endpoint Manager** (which includes Microsoft Intune), and your company has devices enrolled in Endpoint Manager, you'll be asked whether you want to use [automatic onboarding](mdb-onboard-devices.md#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager) for some or all of your enrolled Windows devices. Automatic onboarding sets up a connection between Endpoint Manager and Defender for Business, and then onboards Windows devices to Defender for Business seamlessly.

+ - **If you're not already using Endpoint Manager**, you can [onboard devices to Defender for Business by using a local script](mdb-onboard-devices.md#local-script-in-defender-for-business).

+

+ See [Learn more about onboarding devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+

+4. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can also create your own security policies. And, if you're already using Endpoint Manager, you can continue using that to manage your security policies.

+ To learn more, see [View and edit your security policies and settings](mdb-configure-security-settings.md). |

+Using the setup wizard is optional. If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own. See [Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md) to walk through these steps:

+1. **[Assign roles and permissions](mdb-roles-permissions.md)** so your security team can access and use the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).

+2. **[Set up email notifications for your security team](mdb-email-notifications.md)** so they're in the loop about new alerts or vulnerabilities.

+3. **[Onboard devices](mdb-onboard-devices.md)** so they're protected by Defender for Business.

+4. **[Manage your security policies](mdb-configure-security-settings.md)**, which include next-generation protection, firewall protection, and web content filtering.

+#### [Submit files](admin-submissions-mde.md)

+ Title: Submit files in Microsoft Defender for Endpoint

+# Submit files in Microsoft Defender for Endpoint

+## Report items to Microsoft from the portal

+If you have a file that you suspect might be malware or is being incorrectly detected (false positive), you can submit it to Microsoft for analysis using the Microsoft 365 Defender portal at https://security.microsoft.com/.

+### Submit a file or file hash

+## Report items to Microsoft from the Alerts page

+You can easily find these queries in the **Community queries** drop-down menu as well.

+Community queries are grouped into folders like *Campaigns*, *Collection*, *Defense evasion*, and the like. Further information about the query is provided as in-line comments in the query itself.

+ Title: Security Operations Guide for Defender for Office 365

+f1.keywords:

+ - NOCSH

+audience: Admin

+ms.localizationpriority: medium

+search.appverid:

+ - MET150

+ - MOE150

+ - M365-security-compliance

+description: A prescriptive playbook for SecOps personnel to manage Microsoft Defender for Office 365.

+ms.technology: mdo

+# Microsoft Defender for Office 365 Security Operations Guide

+This article gives an overview of the requirements and tasks for successfully operating Microsoft Defender for Office 365 in your organization. These tasks help ensure that your security operations center (SOC) provides a high-quality, reliable approach to protect, detect, and respond to email and collaboration-related security threats.

+The rest of this guide describes the required activities for SecOps personnel. The activities are grouped into prescriptive daily, weekly, monthly, and ad-hoc tasks.

+A companion article to this guide provides an overview to [manage incidents and alerts from Defender for Office 365 on the Incidents page in the Microsoft 365 Defender portal](mdo-sec-ops-manage-incidents-and-alerts.md).

+The [Microsoft 365 Defender Security Operations Guide](/microsoft-365/security/defender/integrate-microsoft-365-defender-secops) contains additional information that you can use for planning and development.

+## Daily activities

+### Monitor the Microsoft 365 Defender Incidents queue

+The **Incidents** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/incidents-queue> (also known as the _Incidents queue_) allows you to manage and monitor events from the following sources in Defender for Office 365:

+- [Alerts](../../compliance/alert-policies.md#default-alert-policies).

+- [Automated investigation and response (AIR)](automated-investigation-response-office.md).

+For more information about the Incidents queue, see [Prioritize incidents in Microsoft 365 Defender](../defender/incident-queue.md).

+Your triage plan for monitoring the Incidents queue should use the following order of precedence for incidents:

+1. **A potentially malicious URL click was detected**.

+2. **User restricted from sending email**.

+3. **Suspicious email sending patterns detected**.

+4. **Email reported by user as malware or phish**, and **Multiple users reported email as malware or phish**.

+5. **Email messages containing malicious file removed after delivery**, **Email messages containing malicious URL removed after delivery**, and **Email messages from a campaign removed after delivery**.

+6. **Phish delivered due to an ETR override**, **Phish delivered because a user's Junk Mail folder is disabled**, and **Phish delivered due to an IP allow policy**

+7. **Malware not zapped because ZAP is disabled** and **Phish not zapped because ZAP is disabled**.

+Incident queue management and the responsible personas are described in the following table:

+|Activity|Cadence|Description|Persona|

+|||||

+|Triage incidents in the Incidents queue at <https://security.microsoft.com/incidents-queue>.|Daily|Verify that all **Medium** and **High** severity incidents from Defender for Office 365 are triaged.|Security Operations Team|

+|Investigate and take Response actions on incidents.|Daily|Investigate all incidents and actively take the recommended or manual response actions.|Security Operations Team|

+|Resolve incidents.|Daily|If the incident has been remediated, resolve the incident. Resolving the incident resolves all linked and related active alerts.|Security Operations Team|

+|Classify incidents.|Daily|Classify incidents as true or false. For true alerts, specify the threat type. This classifications helps your security team see threat patterns and defend your organization from them.|Security Operations Team|

+### Manage false positive and false negative detections

+In Defender for Office 365, you manage false positives (good mail marked as bad) and false negatives (bad mail allowed) in the following locations:

+- The [Submissions portal (admin submissions)](admin-submission.md).

+- The [Tenant Allow/Block List](tenant-allow-block-list.md)

+- [Threat Explorer](threat-explorer.md)

+For more information, see the [Manage false positive and false negative detections](#manage-false-positive-and-false-negative-detections) section later in this article.

+False positive and false negative management and the responsible personas are described in the following table:

+|Activity|Cadence|Description|Persona|

+|||||

+|Submit false positives and false negatives to Microsoft at <https://security.microsoft.com/reportsubmission>.|Daily|Provide signals to Microsoft by reporting incorrect email, URL, and file detections.|Security Operations Team|

+|Analyze admin submission details.|Daily|Understand the following factors for the submissions you make to Microsoft: <ul><li>What caused the false positive ofr false negative.</li><li>The state of your Defender for Office 365 configuration at the time of the submission.</li><li>Whether you need to make changes to your Defender for Office 365 configuration.</li></ul>|Security Operations Team <br/><br/> Security Administration|

+|Add block entries in the Tenant Allow/Block List at <https://security.microsoft.com/tenantAllowBlockList>.|Daily|Use the Tenant Allow/Block List to add block entries for false negative URL, file, or sender detections as needed.|Security Operations Team|

+|Release false negatives from quarantine.|Daily|After the recipient confirms that the message was incorrectly quarantined, you can release or approve release requests for users. <br/><br/> To control what users can do to their own quarantined messages (including release or request release), see [Quarantine policies](quarantine-policies.md).|Security Operations Team <br/><br/> Messaging Team|

+### Review phishing and malware campaigns that resulted in delivered mail

+|Activity|Cadence|Description|Persona|

+|||||

+|Review email campaigns.|Daily|[Review email campaigns](campaigns.md) that targeted your organization at <https://security.microsoft.com/campaigns>. Focus on campaigns that resulted in messages being delivered to recipients. <br/><br/> Remove messages from campaigns that exist in user mailboxes. This action is required only when a campaign contains email that hasn't already been remediated by actions from incidents, [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md), or manual remediation.|Security Operations Team|

+## Weekly activities

+### Review email detection trends in Defender for Office 365 reports

+In Defender for Office 365, you can use the following reports to review email detection trends in your organization:

+- The [Mailflow status report](view-mail-flow-reports.md#mailflow-status-report)

+- The [Threat Protection status report](view-email-security-reports.md#threat-protection-status-report)

+|Activity|Cadence|Description|Persona|

+|||||

+|Review email detection reports at: <ul><li><https://security.microsoft.com/reports/TPSAggregateReportATP></li><li><https://security.microsoft.com/mailflowStatusReport?viewid=type></li></ul>|Weekly|Review email detection trends for malware, phishing, and spam as compared to good email. Observation over time allows you to see threat patterns and determine whether you need to adjust your Defender for Office 365 policies.|Security Administration <br/><br/> Security Operations Team|

+### Track and respond to emerging threats using Threat analytics

+Use [Threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics) to review active, trending threats.

+|Activity|Cadence|Description|Persona|

+|||||

+|Review threats in Threat analytics at <https://security.microsoft.com/threatanalytics3>.|Weekly|Threat analytics provides detailed analysis, including the following items: <ul><li>IOCs.</li><li>Hunting queries about active threat actors and their campaigns.</li><li>Popular and new attack techniques.</li><li>Critical vulnerabilities.</li><li>Common attack surfaces.</li><li>Prevalent malware.</li></ul>|Security Operations Team <br/><br/> Threat hunting team|

+### Review top targeted users for malware and phishing

+Use the **[Top targeted users](threat-explorer.md#top-targeted-users)** tab in Threat Explorer to discover or confirm the users who are the top targets for malware and phishing email.

+|Activity|Cadence|Description|Persona|

+|||||

+|Review the **Top targeted users** tab in Threat Explorer at <https://security.microsoft.com/threatexplorer>.|Weekly|Use the information to decide if you need to adjust policies or protections for these users. Add the affected users to [Priority accounts](/microsoft-365/admin/setup/priority-accounts) to gain the following benefits: <ul><li>Additional visibility when incidents affect them.</li><li>Tailored heuristics for executive mail flow patterns (priority account protection).</li><li>[Email issues for priority accounts report](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report)</li></ul>|Security Administration <br/><br/> Security Operations Team|

+### Review top malware and phishing campaigns that target your organization

+Campaign Views reveals malware and phishing attacks against your organization. For more information, see [Campaign Views in Microsoft Defender for Office 365](campaigns.md).

+|Activity|Cadence|Description|Persona|

+|||||

+|Use **Campaign Views** at <https://security.microsoft.com/campaigns> to review malware and phishing attacks that affect you.|Weekly|Learn about the attacks and techniques and what Defender for Office 365 was able to identify and block. <br/><br/> Use **Download threat report** in Campaign Views for detailed information about a campaign.|Security Operations Team|

+## Ad-hoc activities

+### Manual investigation and removal of email

+|Activity|Cadence|Description|Persona|

+|||||

+|Investigate and remove bad email in Threat Explorer at <https://security.microsoft.com/threatexplorer> based on user requests.|Ad-hoc|Use the **Trigger investigation** action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. Manually triggering an investigation saves time and effort by centrally including: <ul><li>A root investigation.</li><li>Steps to identify and correlate threats.</li><li>Recommended actions to mitigate those threats.</li></ul> <br/> For more information, see [Example: A user-reported phish message launches an investigation playbook](automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) <br/><br/> Or, you can use Threat Explorer to [manually investigate email](investigate-malicious-email-that-was-delivered.md) with powerful search and filtering capabilities and [take manual response action](remediate-malicious-email-delivered-office-365.md) directly from the same place. Available manual actions: <ul><li>Move to Inbox</li><li>Move to Junk</li><li>Move to Deleted items</li><li>Soft delete</li><li>Hard delete.</li></ul>|Security Operations Team|

+### Proactively hunt for threats

+|Activity|Cadence|Description|Persona|

+|||||

+|Regular, proactive hunting for threats at: <ul><li><https://security.microsoft.com/threatexplorer></li><li><https://security.microsoft.com/v2/advanced-hunting></li></ul>.|Ad-hoc|Search for threats using [Threat Explorer](threat-explorer.md) and [Advanced hunting](../defender-endpoint/advanced-hunting-overview.md).|Security Operations Team <br/><br/> Threat hunting team|

+|Share hunting queries.|Ad-hoc|Actively share frequently used, useful queries within the security team for faster manual threat hunting and remediation. <br/><br/> Use [Threat trackers](threat-trackers.md) and [shared queries in Advanced hunting](/microsoft-365/security/defender/advanced-hunting-shared-queries).|Security Operations Team <br/><br/> Threat hunting team|

+|Create custom detection rules at <https://security.microsoft.com/custom_detection>.|Ad-hoc|[Create custom detection rules](../defender/advanced-hunting-overview.md#get-started-with-advanced-hunting) to proactively monitor events, patterns, and threats based on Defender for Office 365 data in Advance Hunting. Detection rules contain advanced hunting queries that generate alerts based on the matching criteria.|Security Operations Team <br/><br/> Threat hunting team|

+### Review Defender for Office 365 policy configurations

+|Activity|Cadence|Description|Persona|

+|||||

+|Review the configuration of Defender for Office 365 policies at <https://security.microsoft.com/configurationAnalyzer>.|Ad-hoc <br/><br/> Monthly|Use the [Configuration analyzer](configuration-analyzer-for-security-policies.md) to compare your existing policy settings to the [recommended Standard or Strict values for Defender for Office 365](recommended-settings-for-eop-and-office365.md). The Configuration analyzer identifies accidental or malicious changes that can lower your organizations's security posture of your organization. <br/><br/> Or yu can use the PowerShell-based [ORCA tool](https://aka.ms/getorca).|Security Administration <br/><br/> Messaging Team|

+|Review detection overrides in Defender for Office 365 at <https://security.microsoft.com/reports/TPSMessageOverrideReportATP>|Ad-hoc <br/><br/> Monthly|Use the [View data by System override \> Chart breakdown by Reason view](view-email-security-reports.md#view-data-by-system-override-and-chart-breakdown-by-reason) in the **Threat Protection status report** to review email that was detected as phishing but delivered due to policy or user override settings. <br/><br/> Actively investigate, remove, or fine tune overrides to avoid delivery of email that was determined to be malicious.|Security Administration <br/><br/> Messaging Team|

+### Review spoof and impersonation detections

+|Activity|Cadence|Description|Persona|

+|||||

+|Review the **Spoof intelligence insight** and the **Impersonation detection insights** at <ul><li><<https://security.microsoft.com/spoofintelligence>></li><li><https://security.microsoft.com/impersonationinsight></li></ul>.|Ad-hoc <br/><br/> Monthly|Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [impersonation insight](impersonation-insight.md) to adjust filtering for spoof and impersonation detections.|Security Administration <br/><br/> Messaging Team|

+### Review priority account membership

+|Activity|Cadence|Description|Persona|

+|||||

+|Review who's defined as a priority account at <https://security.microsoft.com/securitysettings/userTags>.|Ad-hoc|Keep the membership of [priority accounts](/microsoft-365/admin/setup/priority-accounts) current with organizational changes to get the following benefits for those users: <ul><li>Better visibility in reports.</li><li>Filtering in incidents and alerts.</li><li>Tailored heuristics for executive mail flow patterns (priority account protection).</li></ul> <br/> Use custom [user tags](user-tags.md) for other users to get: <ul><li>Better visibility in reports.</li><li>Filtering in incidents and alerts.</li></ul>|Security Operations Team|

+## Appendix

+### Learn about Microsoft Defender for Office 365 tools and processes

+Security operations and response team members need to integrate Defender for Office 365 tools and features into existing investigations and response processes. Learning about new tools and capabilities can take time but it's a critical part of the on-boarding process. The simplest way for SecOps and email security team members to learn about Defender for Office 365 is to use the training content that's available as part of the Ninja training content at <https://aka.ms/mdoninja>.

+The content is structured for different knowledge levels (Fundamentals, Intermediate, and Advanced) with multiple modules per level.

+Short videos for specific tasks are also available in the [Microsoft Defender for Office 365 YouTube channel](https://www.youtube.com/playlist?list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf).

+### Permissions for Defender for Office 365 activities and tasks

+Permissions for managing Defender for Office 365 in the Microsoft 365 Defender portal and PowerShell are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).

+> [!NOTE]

+> Privileged Identity Management (PIM) in Azure AD is also a way to assign required permissions to SecOps personnel. For more information, see [Privileged Identity Management (PIM) and why to use it with Microsoft Defender for Office 365](use-privileged-identity-management-in-defender-for-office-365.md).

+The following permissions (roles and role groups) are available in Defender for Office 365 and can be used to grant access to security team members:

+- **Azure AD roles**: Centralized roles that assign permissions for _all_ Microsoft 365 services, including Defender for Office 365. You can view the Azure AD roles and assigned users in the Microsoft 365 Defender portal, but you can't manage them directly there. Instead, you manage Azure AD roles and members at <https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators>. The most frequent roles used by security teams are:

+ - **Security administrator**

+ - **Security operator**

+ - **Security reader**

+- **Email & collaboration roles**: Roles and role groups that grant permission specific to Microsoft Defender for Office 365. The following role are not available in Azure AD, but can be important for security teams:

+ - **Preview** role: Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to [preview and download](investigate-malicious-email-that-was-delivered.md#preview-role-permissions) email messages in cloud mailboxes using the [email entity page](mdo-email-entity-page.md#email-preview-for-cloud-mailboxes).

+ By default, this role is assigned only to the following role groups:

+ - Data Investigator

+ - eDiscovery Manager

+ To assign this role to a new or existing role group, see [Modify Email & collaboration role membership in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md#modify-email--collaboration-role-membership-in-the-microsoft-365-defender-portal).

+ - **Search and Purge** role: Approve the deletion of malicious messages as recommended by AIR or take manual action on messages in hunting experiences like Threat Explorer.

+ By default, this role is assigned only to the following role groups:

+ - Data Investigator

+ - Organization Management

+ To assign this role to a new or existing role group, see [Modify Email & collaboration role membership in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md#modify-email--collaboration-role-membership-in-the-microsoft-365-defender-portal).

+ - **Tenant AllowBlockList Manager**: Manage allow and block entries in the [Tenant Allow/Block List](tenant-allow-block-list.md). Blocking URLs, files (using file hash) or senders is a useful response action to take when investigating malicious email that was delivered.

+ By default, this role is assigned only to the **Security Operator** role group. But, members of the **Security Administrators** and **Organization management** role groups can also manage entries in the Tenant Allow/Block List.

+### SIEM/SOAR integration

+Defender for Office 365 exposes most of its data through a set of programmatic APIs. These APIs help you automate workflows and make full use of Defender for Office 365 capabilities. Data is available through the [Microsoft 365 Defender APIs](/microsoft-365/security/defender/api-overview) and can be used to integrate Defender for Office 365 into existing SIEM/SOAR solutions.

+- [Incident API](/microsoft-365/security/defender/api-incident): Defender for Office 365 alerts and automated investigations are active parts of incidents in Microsoft 365 Defender. Security teams can focus on what's critical by grouping the full attack scope and all impacted assets together.

+- [Event streaming API](/microsoft-365/security/defender/streaming-api): Allows shipping of real-time events and alerts into a single data stream as they happen. Supported Defender for Office 365 event types include:

+ - [EmailEvents](/microsoft-365/security/defender/advanced-hunting-emailevents-table)

+ - [EmailUrlInfo](/microsoft-365/security/defender/advanced-hunting-emailurlinfo-table)

+ - [EmailAttachmentInfo](/microsoft-365/security/defender/advanced-hunting-emailattachmentinfo-table)

+ - [EmailPostDeliveryEvents](/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table)

+ The events contain data from processing all email (including intra-org messages) in the last 30 days.

+- [Advance Hunting API](/microsoft-365/security/defender/api-advanced-hunting): Allows cross-product threat hunting.

+- [Threat Assessment API](/graph/api/resources/threatassessment-api-overview): Can be used to report spam, phishing URLs, or malware attachments directly to Microsoft.

+To connect Defender for Office 365 incidents and raw data with Microsoft Sentinel, you can use the [Microsoft 365 Defender (M365D) connector](/azure/sentinel/connect-microsoft-365-defender?tabs=MDO)

+You can use this simple "Hello World" example to test API access to Microsoft Defender APIs: [Hello World for Microsoft 365 Defender REST API](/microsoft-365/security/defender/api-hello-world).

+For more information about SIEM tool integration, see [Integrate your SIEM tools with Microsoft 365 Defender](/microsoft-365/security/defender/configure-siem-defender).

+## Address false positives and false negatives in Defender for Office 365

+User submission and admin submissions of email messages are critical positive reinforcement signals for our machine learning detection systems. Submissions help us review, triage, rapidly learn, and mitigate attacks. Actively reporting false positives and false negatives is an important activity that provides feedback to Defender for Office 365 when mistakes are made during detection.

+Organizations have multiple options for configuring user submissions. Depending on the configuration, security teams might have more active involvement when users submit false positives or false negatives to Microsoft:

+- User submissions are sent to Microsoft for analysis when the [user reported message settings](user-submission.md) are configured with either of the following settings:

+ - Send the reported messages to: Microsoft.

+ - Send the reported messages to: Microsoft and my organization's mailbox.

+ Security teams members should do add-hoc [admin submissions](admin-submission.md) when false positives or false negatives that were not reported by users were discovered by the operations teams.

+- When user reported messages are configured to send messages only to the organization's mailbox, security teams should actively send user-reported false positives and false negatives to Microsoft via admin submissions.

+Whenever a user reports a message as phishing, Defender for Office 365 generates an alert and the alert will trigger an AIR playbook. Incident logic will correlate this information to other alerts and events where possible. This consolidation of information helps security teams triage, investigate, and respond to user reported email.

+User submissions and admin submissions are handled by the submission pipeline by Microsoft, which follows a tightly integrated process. This process includes:

+- Noise reduction.

+- Automated triage.

+- Grading by security analysts and human-partnered machine learning-based solutions.

+For more information, see [Reporting an email in Defender for Office 365 - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/reporting-an-email-in-microsoft-defender-for-office-365/ba-p/2870231).

+Security team members can do submissions from multiple location in the Microsoft 365 Defender portal at <https://security.microsoft.com>:

+- [Admin submission](admin-submission.md): Use the Submissions portal to submit suspected spam, phishing, URLs, and files to Microsoft.

+- Directly from Threat Explorer using one of the following message actions:

+ - Report clean

+ - Report phishing

+ - Report malware

+ - Report spam

+ You can select up to 10 messages to perform a bulk submission. Admin submissions created this way also visible in the Submission portal.

+For the short-term mitigation of false positives, security teams can directly manage [block entries](manage-tenant-blocks.md) for files, URLs, and senders in the [Tenant Allow/Block List](tenant-allow-block-list.md).

+For the short-term mitigation of false negatives, security teams can't directly manage [allow entries](manage-tenant-allows.md) in the Tenant Allow/Block List. Instead, they need to use [admin submissions](admin-submission.md) and the the **Allow messages like this** option.

+[Quarantine](manage-quarantined-messages-and-files.md) in Defender for Office 365 holds potentially dangerous or unwanted messages and files. Security teams can view, release, and delete all types of quarantined messages for all users. This capability enables security teams to respond effectively when a false positive message or file is quarantined.

+## Integrate third-party reporting tools with Defender for Office 365 user submission

+If your organization uses a third-party reporting tool that allows users to internally report suspicious email, you can integrate the tool with the user submissions capabilities of Defender for Office 365. This integration provides the following benefits to security teams:

+- Integration with the AIR capabilities of Defender for Office 365.

+- Simplified triage.

+- Reduced investigation and response time.

+Designate the custom mailbox where user reported messages are sent on the **User submissions** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/userSubmissionsReportMessage>. For more information, see [User reported message settings](user-submission.md).

+> [!NOTE]

+>

+> - The custom mailbox is an Exchange Online mailbox.

+> - The third-party reporting tool must include the original reported message as an uncompressed .EML or .MSG attachment in the message that's sent to the custom mailbox (don't just forward the original message to the custom mailbox).

+> - The custom mailbox requires specific prerequisites to allow potentially bad messages to be delivered. For more information, see [Custom mailbox prerequisites](user-submission.md#custom-mailbox-prerequisites).

+When user reported email arrives in the custom mailbox, Defender for Office 365 automatically generates the alert named **Email reported by user as malware or phish**. This alert launches an [AIR playbook](automated-investigation-response-office.md#example-a-user-reported-phish-message-launches-an-investigation-playbook). The playbook performs a series of automated investigations steps:

+- Gather data about the specified email.

+- Gather data about the threats and entities related to that email. Entities can include files, URLs, and recipients.

+- Provide recommended actions for the SecOps team to take based on the investigation findings.

+**Email reported by user as malware or phish** alerts, automated investigations and their recommended actions are automatically correlated to incidents in Microsoft 365 Defender. This correlation further simplifies the triage and response process for security teams. If multiple users report the same or similar messages, all of the users and messages are correlated into the same incident.

+Data from alerts and investigations in Defender for Office 365 is automatically compared to alerts and investigations in the other Microsoft 365 Defender products:

+- Microsoft Defender for Endpoint

+- Microsoft Defender for Cloud Apps

+- Microsoft Defender for Identity

+If a relationship is discovered, the system creates an incident that gives visibility for the entire attack.

+ Title: Manage incidents and alerts from Defender for Office 365 in Microsoft 365 Defender

+f1.keywords:

+ - NOCSH

+audience: Admin

+ms.localizationpriority: medium

+search.appverid:

+ - MET150

+ - MOE150

+ - M365-security-compliance

+description: SecOps personnel can learn how to use the Incidents queue in Microsoft 365 Defender to manage incidents in Microsoft Defender for Office 365.

+ms.technology: mdo

+# Manage incidents and alerts from Microsoft Defender for Office 365 in Microsoft 365 Defender

+An [incident](/microsoft-365/security/defender/incidents-overview) in Microsoft 365 Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/microsoft-365/compliance/alert-policies#default-alert-policies), [automated investigation and response (AIR)](office-365-air.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft 365 Defender at <https://security.microsoft.com/incidents-queue>. We'll refer to this page as the _Incidents queue_.

+Alerts are created when malicious or suspicious activity affects an entity (for example, email, users, or mailboxes). Alerts provide valuable insights about in-progress or completed attacks. However, an ongoing attack can affect multiple entities, which results in multiple alerts from different sources. Some built-in alerts will automatically trigger AIR playbooks. These playbooks do a series of investigation steps to look for other impacted entities or suspicious activity.

+Defender for Office 365 alerts, investigations, and their data are automatically correlated. When a relationship is determined, an incident is created by the system to give security teams visibility for the entire attack.

+We strongly recommend that SecOps teams manage incidents and alerts from Defender for Office 365 in the Incidents queue at <https://security.microsoft.com/incidents-queue>. This approach has the following benefits:

+- Multiple options for [management](/microsoft-365/security/defender/manage-incidents):

+ - Prioritization

+ - Filtering

+ - Classification

+ - Tag management

+ You can take incidents directly from the queue or assign them to someone. Comments and comment history can help track progress.

+- If the attack impacts other workloads that are protected by Microsoft Defender^\*, the related alerts, investigations, and their data are also correlated to the same incident.

+ ^\*Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.

+- Complex correlation logic isn't required, because the logic is provided by the system.

+- If the correlation logic doesn't fully meet your needs, you can add alerts to existing incidents or create new incidents.

+- Related Defender for Office 365 alerts, AIR investigations, and pending actions from investigations are automatically added to incidents.

+- If the AIR investigation finds no threat, the related alerts are automatically resolved by the system. If all alerts within an incident are resolved, the incident status also changes to **Resolved**.

+- Related evidence and response actions are automatically aggregated on the **Evidence and response** tab of the incident.

+- Security team members can take response actions directly from the incidents. For example, they can soft-delete email in mailboxes or remove suspicious Inbox rules from mailboxes.

+- Recommended email actions are created only when the latest delivery location of a malicious email is a cloud mailbox.

+- Pending email actions are updated based on the latest delivery location. If the email was already remediated by a manual action, the status will reflect that.

+- Recommended actions are created only for email and email clusters that are determined to be the most critical threats:

+ - Malware

+ - High confidence phishing

+ - Malicious URLs

+ - Malicious files

+> [!NOTE]

+> Incidents don't just represent static events. They also represent attack stories that happen over time. As the attack progresses, new Defender for Office 365 alerts, AIR investigations, and their data are continuously added to the existing incident.

+Manage incidents on the **Incidents** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/incidents-queue>:

+

+

+

+

+

+Manage incidents on the **Incidents** page in Microsoft Sentinel at <https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel>:

+

+

+## Response actions to take

+Security teams can take wide variety of response actions on email using Defender for Office 365 tools:

+- You can delete messages, but you can also take the following actions on email:

+ - Move to Inbox

+ - Move to Junk

+ - Move to Deleted Items

+ - Soft delete

+ - Hard delete.

+ You can take these actions from the following locations:

+ - The **Evidence and response** tab from the details of the incident on the **Incidents** page** at <https://security.microsoft.com/incidents-queue> (recommended).

+ - **Threat Explorer** at <https://security.microsoft.com/threatexplorer>.

+ - The unified **Action center** at <https://security.microsoft.com/action-center/pending>.

+- You can start an AIR playbook manually on any email message using the **Trigger investigation** action in Threat Explorer.

+- You can report false positive or false negative detections directly to Microsoft using [Threat Explorer](threat-explorer.md) or [admin submissions](admin-submission.md).

+- You can block undetected malicious files, URLs, or senders using the [Tenant Allow/Block List](tenant-allow-block-list.md).

+Defender for Office 365 actions are seamlessly integrated into hunting experiences and the history of actions are visible on the **History** tab in the unified **Action center** at <https://security.microsoft.com/action-center/history>.

+The most effective way to take action is to use the built-in integration with Incidents in Microsoft 365 Defender. You can simply approve the actions that were recommended by AIR in Defender for Office 365 on the [Evidence and response](/microsoft-365/security/defender/investigate-incidents#evidence-and-response) tab of an Incident in Microsoft 365 Defender. This method of tacking action is recommended for the following reasons:

+- You investigate the complete attack story.

+- You benefit from the built-in correlation with other workloads: Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.

+- You take actions on email from a single place.

+You take action on email based on the result of a manual investigation or hunting activity. [Threat Explorer](threat-explorer.md) allows security team members to take action on any email messages that might still exist in cloud mailboxes. They can take action on intra-org messages that were sent between users in your organization. Threat Explorer data is available for the last 30 days.

+The unified **Trials** portal in the Microsoft 365 Defender portal provides a single point of entry for the formerly separate Trial and Evaluate experiences for Microsoft Defender for Office 365. The intent is to allow you to try the features of Defender for Office 365 Plan 2 for 90 days before you fully commit to it. But, there are differences in the evaluation experiences based on the nature of your Microsoft 365 organization:

+- SharePoint - View, edit, download, move, share, or upload files. (Viewing a SharePoint page does not count as an action for automatic renewal.)

+- Outlook - Join or edit group, read or write group message from the group, and like a message (Outlook on the web).

+- Teams - Visit a teams channel.

+- Yammer - View a post within a Yammer community or an interactive email in Outlook.

+- Forms - View, create, or edit forms, or submit a response to a form.