Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
enterprise | Add A Domain To A Client Tenancy With Windows Powershell For Delegated Access Pe | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/add-a-domain-to-a-client-tenancy-with-windows-powershell-for-delegated-access-pe.md | Title: "Add a domain to a client tenancy with Windows PowerShell for DAP partner Previously updated : 08/10/2023 Last updated : 03/01/2024 audience: Admin description: "Summary: Use PowerShell for Microsoft 365 to add an alternate doma You can create and associate new domains with your customer's tenancy with PowerShell for Microsoft 365 faster than using the Microsoft 365 admin center. -Delegated Access Permission (DAP) partners are Syndication and Cloud Solution Providers (CSP) Partners. They are frequently network or telecom providers to other companies. They bundle Microsoft 365 subscriptions into their service offerings to their customers. When they sell a Microsoft 365 subscription, they are automatically granted Administer On Behalf Of (AOBO) permissions to the customer tenancies so they can administer and report on the customer tenancies. +Delegated Access Permission (DAP) partners are Syndication and Cloud Solution Providers (CSP) Partners. They're frequently network or telecom providers to other companies. They bundle Microsoft 365 subscriptions into their service offerings to their customers. When they sell a Microsoft 365 subscription, they're automatically granted Administer On Behalf Of (AOBO) permissions to the customer tenancies so they can administer and report on the customer tenancies. ## What do you need to know before you begin? -The procedures in this topic require you to connect to [Connect to Microsoft 365 with PowerShell](connect-to-microsoft-365-powershell.md). +The procedures in this article require you to connect to [Connect to Microsoft 365 with PowerShell](connect-to-microsoft-365-powershell.md). You also need your partner tenant administrator credentials. You also need the following information: - The FQDN must be registered with an Internet domain name service (DNS) registrar, such as GoDaddy. For more information on how to publicly register a domain name, see [How to buy a domain name](../admin/get-help-with-domains/buy-a-domain-name.md). -- You need to know how to add a TXT record to the registered DNS zone for your DNS registrar. For more information on how to add a TXT record, see [Add DNS records to connect your domain](../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md). If those procedures don't work for you, you will need to find the procedures for your DNS registrar.+- You need to know how to add a TXT record to the registered DNS zone for your DNS registrar. For more information on how to add a TXT record, see [Add DNS records to connect your domain](../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md). If those procedures don't work for you, you'll need to find the procedures for your DNS registrar. ## Create domains You also need the following information: ### Create the domain in Microsoft Entra ID -This command creates the domain in Microsoft Entra ID but does not associate it with the publicly registered domain. That comes when you prove that you own the publicly registered domain to Microsoft 365 for enterprises. +This command creates the domain in Microsoft Entra ID but doesn't associate it with the publicly registered domain. That comes when you prove that you own the publicly registered domain to Microsoft 365 for enterprises. ++>[!NOTE] +> The Azure Active Directory module is being replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). ++First, use a **Microsoft Entra DC admin**, **Cloud Application Admin**, or **Global admin** account to [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md). ++Assigning and removing licenses for a user requires the **Domain.ReadWrite.All** permission scope or one of the other permissions listed in the ['Assign license' Graph API reference page](/graph/api/user-assignlicense). [!INCLUDE [Azure AD PowerShell deprecation note](~/../microsoft-365/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)] ```powershell-New-MsolDomain -TenantId <customer TenantId> -Name <FQDN of new domain> +Connect-MgGraph -Scopes "Domain.ReadWrite.All" ``` -> [!NOTE] -> PowerShell Core does not support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with **Msol** in their name. To continue using these cmdlets, you must run them from Windows PowerShell. +Run the following command to create a new domain: ++```powershell +New-MgDomain -Id <customer TenantId> -DomainNameReferences <FQDN of new domain> +``` ### Get the data for the DNS TXT verification record Microsoft 365 will generate the specific data that you need to place into the DNS TXT verification record. To get the data, run this command. ```powershell-Get-MsolDomainVerificationDNS -TenantId <customer TenantId> -DomainName <FQDN of new domain> -Mode DnsTxtRecord +Import-Module Microsoft.Graph.Identity.DirectoryManagement +(Get-MgDomainVerificationDnsRecord -DomainId <domain ID, i.e. contoso.com> | Where-Object {$_.RecordType -eq "Txt"}).AdditionalProperties.text ``` This will give you output like: - `Label: domainname.com` -- `Text: MS=ms########` -- `Ttl: 3600` + `MS=ms########` > [!NOTE] > You will need this text to create the TXT record in the publicly registered DNS zone. Be sure to copy and save it. ### Add a TXT record to the publically registered DNS zone -Before Microsoft 365 will start accepting traffic that is directed to the publicly registered domain name, you must prove that you own and have administrator permissions to the domain. You prove you own the domain by creating a TXT record in the domain. A TXT record doesn't do anything in your domain, and it can be deleted after your ownership of the domain is established. To create the TXT records, follow the procedures at [Add DNS records to connect your domain](../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md). If those procedures don't work for you , you need to find the procedures for your DNS registrar. +Before Microsoft 365 will start accepting traffic that is directed to the publicly registered domain name, you must prove that you own and have administrator permissions to the domain. You prove you own the domain by creating a TXT record in the domain. A TXT record doesn't do anything in your domain, and it can be deleted after your ownership of the domain is established. To create the TXT records, follow the procedures at [Add DNS records to connect your domain](../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md). If those procedures don't work for you, you need to find the procedures for your DNS registrar. Confirm the successful creation of the TXT record via nslookup. Follow this syntax. This will give you output like: In this last step, you validate to Microsoft 365 that you own the publically registered domain. After this step, Microsoft 365 will begin accepting traffic routed to the new domain name. To complete the domain creation and registration process, run this command. ```powershell-Confirm-MsolDomain -TenantId <customer TenantId> -DomainName <FQDN of new domain> +Confirm-MgDomain -DomainId <FQDN of new domain> -InputObject @{TenantId=<customer TenantId>} ``` This command won't return any output, so to confirm that this worked, run this command. ```powershell-Get-MsolDomain -TenantId <customer TenantId> -DomainName <FQDN of new domain> +Get-MgDomain -DomainId <FQDN of new domain> ``` -This will return something like this +This will return something like this: ```console-Name Status Authentication ---FQDN of new domain Verified Managed +Id AuthenticationType AvailabilityStatus IsAdminManaged IsDefault IsInitial IsRoot IsVerified Manufact + urer +-- -- - -- +contoso.com Managed True True True True True ``` ## See also |
enterprise | Advanced Data Residency | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/advanced-data-residency.md | When a customer has a mix of commercial and education license types including bo ## Data Migration Management -If all of a customer's tenant data covered by the Advanced Data Residency feature isn't already stored at rest within their eligible _Local Region Geography_, then a data migration to the _Local Region Geography_ is required. If customer tenant data covered by the Advanced Data Residency feature is already stored at rest within their eligible _Local Region Geography_, then no data migration to the _Local Region Geography_ is required. +If any customer tenant data covered by the Advanced Data Residency feature is not stored at rest within the customer's eligible _Local Region Geography_, then a data migration is needed to address customer data residency compliance and tenant location requirements fulfilled by ADR. ### Starting Data Migration -After a customer receives their Advanced Data Residency licenses, the customer needs to signal that they're ready to schedule data migration, if one is necessary. To signal your tenant is ready for its data migration, the customer _tenant_ administrator visits the Data Location section of the Microsoft 365 Admin Console within the **Settings -> Org Settings -> Organization Profile** area. From here, the customer administrator is able to see the current location of their data-at-rest and what _Local Region Geography_ their customer data is migrated to. +After receiving the Advanced Data Residency licenses and applying them to the customer's tenant, the customer administrator must select the option to initiate the data migration process for ADR workloads that do not currently reside in their _Local Region Geography_. To initiate data migration for a tenant, the customer administrator should visit the "Data location" section in the Microsoft 365 admin center by navigating to **Settings > Org settings > Organization profile > Data location**. From here, the customer administrator can see the current location of the customer's data-at-rest and what _Local Region Geography_ their customer data currently resides in or is eligible to be migrated to upon selection. ++#### Microsoft 365 Admin Center Data Location + > [!NOTE]-> Data migration won't be scheduled until the customer administrator has completed this task. The migration expectation discussed elsewhere in this documentation won't start being tracked until this task has been completed. +> The data migration process described in the sections below will not initiate until the customer administrator completes this task. ++The following screenshot is an example of the Microsoft 365 admin center Data location view that an ADR customer can expect to see before opting for migration to their _Local Region Geography_. ++#### Before Migration Opt-in + -Once the customer signal is received, they're provided with their opt-in date and the target date of completion. +Once a customer administrator chooses the option to initiate migration, they are provided with confirmation of their opt-in date and migration initiation as shown in the screenshot below. -In addition to a notification posted to the Message Center, the Data Location section in the Microsoft 365 admin center updates as each workload requiring a data migration is complete. +#### After Migration Opt-in +++The "Data location" section in the Microsoft 365 admin center (referenced in the screenshots above) displays the most up-to-date location of each workload throughout the data migration process. Customer administrators can also view any Message center notifications related to their migration within the Microsoft 365 admin center by navigating to **Health > Message center**. ### Migration Expectations -Microsoft uses reasonable efforts to try to complete an Advanced Data Residency add-on customer migration within 12 months from the time the customer administrator signals they're ready for migration. However, Microsoft might not be able to complete the migration within this timeframe for all customers. For example, larger or more complex customers or situations outside of Microsoft's control might require extra time to complete the migration. Advanced Data Residency add-on customers also receive prioritized migration services for their tenants over the legacy Move Program migration option. These migration expectations also apply to all ADR EDU customers as well. Customers utilizing the legacy Move Program for a data migration who don't have the Advanced Data Residency feature should follow [Legacy Move Program Migration Expectations](m365-dr-legacy-move-program.md#migration-expectations). +Microsoft adheres to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for service availability and uses reasonable efforts to complete an Advanced Data Residency add-on customer data migration within 12 months from the time the customer administrator selects the option to initiate migration. However, large, complex customers, and situations outside of Microsoft's control, may require more time for migration to complete. -Data moves are a back-end service operation with minimal effect on end users. We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there's nothing that customers need to prepare for or to monitor during the move. Notification of any service maintenance is sent if needed. +Data moves are a back-end service operation with minimal impact to a customer's operations. For information related to specific workloads, customer administrators can refer to the ΓÇ£MigrationΓÇ¥ sections in the following Workload Data Residency Capabilities pages: [Exchange Online](m365-dr-workload-exo.md#migration), [SharePoint and OneDrive](m365-dr-workload-spo.md#migration-with-advanced-data-residency), [Microsoft Teams](m365-dr-workload-teams.md#migration), [Microsoft Copilot for Microsoft 365](m365-dr-workload-copilot.md#migration), [Microsoft Defender for Office P1](m365-dr-workload-mdo-p1.md#migration), [Office for the Web](m365-dr-workload-office-for-web.md#migration), [Viva Connections](m365-dr-workload-viva-connections.md#migration), [Viva Topics](m365-dr-workload-viva-topics.md#migration), [Microsoft Purview](m365-dr-workload-purview.md#migration), and [Other Services](m365-dr-workload-other.md). ### During and After your Migration -No action is required while Microsoft moves each service and associated customer data for your tenant to the applicable geography. +No action is needed from the customer while Microsoft moves each ADR workload and associated customer tenant data to the customer's eligible _Local Region Geography_. ++Customer administrators can visit the Message center or ΓÇ£Data locationΓÇ¥ section within the Microsoft 365 admin center throughout the migration process to review any migration notices and see when each workload service completes migration. From the Microsoft 365 admin center, customer administrators can access the Message center by navigating to **Health > Message center** and the "Data location" section by navigating to **Settings > Org settings > Organization profile > Data location**. ++The following screenshots are examples of the Microsoft 365 admin center Data location view that an ADR customer can expect to see during and after their migration. -Watch the Microsoft 365 Message Center for confirmation when moves for each workload service are complete. +#### During Migration +++#### After Migration + ### Effect on End Users and Workloads -As mentioned, data moves are a back-end operation with minimal if any effect on end users. We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there's nothing that customers need to prepare for or to monitor during the move. Notification of any service maintenance is done if needed. +Data moves are a back-end service operation with minimal, if any, effect on end users. Microsoft adheres to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for service availability and notifies customers of any service maintenance done via Message center in the Microsoft 365 admin center. ### Features Affected -Because of the complex nature of services that are available within the workloads that customers sign up for and use within a typical E3 or E5 license, the migration of customer data from one data center to another could cause minor disruption or temporary unavailability of certain services. For more information, see the migration sections of each workload in the [Workload Data Residency Capabilities section](m365-dr-workload-exo.md). +Given the complex nature of services included in an E3 or E5 license, the migration of customer data from one data center to another could cause minor disruption or temporary unavailability of certain services. For more information, customer administrators can refer to the "Migration" section of each workload page within [Workload Data Residency Capabilities](m365-dr-workload-exo.md). ### Status Notification -Customers requiring a data migration can monitor the Message Center for updates. You can also check the Data Location section in the Microsoft 365 Admin console to see if a workload completes its migration. +Microsoft does not provide a granular status to indicate progress toward migration completion for individual customer scenarios. ++Customer administrators can stay informed of migration updates through Message center notifications and by reviewing the ΓÇ£Data locationΓÇ¥ section within the Microsoft 365 admin center to see when a workload completes migration to their _Local Region Geography_. From the Microsoft 365 admin center, customer administrators can access the Message center by navigating to **Health > Message center** and the "Data location" section by navigating to **Settings > Org settings > Organization profile > Data location**. -Due to the nature of how migrations work, there's no granular status provided to indicate just how close to completion a migration might be. +For more information on Migration, customer administrators can refer to the following pages: ++[Overview and Definitions - Microsoft 365 Enterprise](m365-dr-overview.md#migrationsmoves) ++[Where your Microsoft 365 customer data is stored - Microsoft 365 Enterprise](o365-data-locations.md) ## Related articles [Legacy Move Program](m365-dr-legacy-move-program.md)- + [New datacenter geos for Microsoft Dynamics CRM Online](/power-platform/admin/new-datacenter-regions?branch=main)- + [Azure services by region](https://azure.microsoft.com/regions/) [Teams experience in a Microsoft 365 Multi-Geo-enabled tenancy](/microsoftteams/teams-experience-o365odb-spo-multi-geo?branch=main) |
enterprise | M365 Multi Geo User Testing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-multi-geo-user-testing.md | +- must-keep # User Testing in Multi-Geo -In Microsoft Entra there are two types of user objects: cloud only users and synchronized users. Please follow the appropriate instructions for your type of user. +In Microsoft Entra there are two types of user objects: cloud only users and synchronized users. Follow the appropriate instructions for your type of user. >[!TIP] >We recommend that you begin validations with a test user or small group of users before rolling out multi-geo to your broader organization. Follow the process in <a href="/azure/active-directory/hybrid/how-to-connect-syn We recommend that you include setting the user's Preferred Data Location as a part of your standard user creation workflow. >[!IMPORTANT]->For new users with no OneDrive provisioned, license the account and wait at least 48 hours after a user's PDL is synchronized to Microsoft Entra ID for the changes to propagate before the user logs in to OneDrive for Business. (Setting the preferred data location before the user logs in to provision their OneDrive for Business ensures that the user's new OneDrive will be provisioned in the correct location.) +>For new users with no OneDrive provisioned, license the account and wait at least 48 hours after a user's PDL is synchronized to Microsoft Entra ID for the changes to propagate before the user logs in to OneDrive. (Setting the preferred data location before the user logs in to provision their OneDrive ensures that the user's new OneDrive will be provisioned in the correct location.) ## Setting Preferred Data Location (PDL) for cloud only users -If your company's users are not synchronized from an on-premises Active Directory system to Microsoft Entra ID, meaning they are created in Microsoft 365 or Microsoft Entra ID, then the PDL must be set using the Microsoft Azure Active Directory module for Windows PowerShell. +>[!NOTE] +> The Azure Active Directory module is being replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). -The procedures in this section require the <a href="https://www.powershellgallery.com/packages/MSOnline/1.1.166.0" target="_blank">Microsoft Azure Active Directory Module for Windows PowerShell Module</a>. If you already have this module installed, please ensure you update to the latest version. +First, use a **Microsoft Entra DC admin**, **Cloud Application Admin**, or **Global admin** account to [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md). [!INCLUDE [Azure AD PowerShell deprecation note](~/../microsoft-365/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)] [Connect and sign in](connect-to-microsoft-365-powershell.md) with a set of global administrator credentials for your _Tenant_. -Use the [Set-MsolUser](/powershell/module/msonline/set-msoluser) cmdlet to set the preferred data location for each of your users. For example: +```powershell +Connect-Graph -Scopes User.ReadWrite.All +``` ++Use the following script format: ```PowerShell-Set-MsolUser -UserPrincipalName Robyn.Buckley@Contoso.com -PreferredDatalocation EUR +$userUPN="<user's UPN>" +$user = Get-MgUser -UserId $userUPN +Update-MgUser -UserId $user.Id -PreferredDataLocation <international location code> ``` -You can check to confirm that the preferred data location was updated properly by using the Get-MsolUser cmdlet. For example: +In this example, you set the user adelev@contoso.com's preferred data location to EUR: -```PowerShell -(Get-MsolUser -UserPrincipalName Robyn.Buckley@Contoso.com).PreferredDatalocation +```powershell +$userUPN="adelev@contoso.com" +$user = Get-MgUser -UserId $userUPN +Update-MgUser -UserId $user.Id -PreferredDataLocation EUR ``` +You can check to confirm that the preferred data location was updated properly by navigating to the Microsoft 365 Admin Center and selecting **Settings > Users > Active Users > [username]**. Select the user from the list, and you'll find Preferred Data Location under the **Account** tab of the user's page. + We recommend that you include setting the user's Preferred Data Location as a part of your standard user creation workflow. >[!IMPORTANT]->For new users with no OneDrive provisioned, license the account and wait at least 48 hours after a user's PDL is set for the changes to propagate before the user logs in to OneDrive. (Setting the preferred data location before the user logs in to provision their OneDrive for Business ensures that the user's new OneDrive will be provisioned in the correct location.) +>For new users with no OneDrive provisioned, license the account and wait at least 48 hours after a user's PDL is set for the changes to propagate before the user logs in to OneDrive. (Setting the preferred data location before the user logs in to provision their OneDrive ensures that the user's new OneDrive will be provisioned in the correct location.) -## OneDrive for Business Provisioning and the effect of PDL +## OneDrive Provisioning and the effect of PDL -If the user already has a OneDrive for Business site created in the _Tenant_, setting their PDL will not automatically move their existing OneDrive. To move a user's OneDrive, see [OneDrive for Business Geo Move](move-onedrive-between-geo-locations.md). +If the user already has a OneDrive site created in the _Tenant_, setting their PDL won't automatically move their existing OneDrive. To move a user's OneDrive, see [OneDrive Geo Move](move-onedrive-between-geo-locations.md). > [!NOTE] > Exchange Online automatically relocates the user's mailbox if the PDL changes and the MailboxRegion no longer matches the Mailbox Database Geo Location code. For more information, see [Administering Exchange Online mailboxes in a multi-geo environment](administering-exchange-online-multi-geo.md). -If the user does not have a OneDrive for Business site within the _Tenant_, OneDrive for Business will be provisioned for them in accordance to their PDL value, assuming the PDL for the user matches one of the company's satellite locations. +If the user doesn't have a OneDrive site within the _Tenant_, OneDrive will be provisioned for them in accordance to their PDL value, assuming the PDL for the user matches one of the company's satellite locations. |
security | Machines View Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md | You can apply the following filters to limit the list of alerts and get a more f ### Device name -During the Microsoft Defender for Endpoint onboarding process, devices onboarded to MDE are gradually populated into the device inventory as they begin to report sensor data. Following this, the device inventory is populated by devices that are discovered in your network through the device discovery process. The device inventory has three tabs that list devices by: +During the Microsoft Defender for Endpoint onboarding process, devices onboarded to Defender for Endpoint are gradually populated into the device inventory as they begin to report sensor data. Following this, the device inventory is populated by devices that are discovered in your network through the device discovery process. The device inventory has three tabs that list devices by: - **Computers and Mobile**: Enterprise endpoints (workstations, servers, and mobile devices) - **Network devices**: Devices like routers and switches - **IoT devices**: Devices like printers and cameras+- **Uncategorized devices**: Devices that couldn't be properly classified ## Navigate to the Device inventory page -Access the device inventory page by selecting **Devices** from the **Assets** navigation menu in the [Microsoft Defender portal](/microsoft-365/security/defender-business/mdb-get-started). +Access the device inventory page by selecting **Devices** from the **Assets** navigation menu in the [Microsoft Defender portal](https://security.microsoft.com/machines). ## Device inventory overview -The device inventory opens on the **Computers and Mobile** tab. You can see at a glance information such as device name, domain, risk level, exposure level, OS platform, criticality level, onboarding status, sensor health state, and other details for easy identification of devices most at risk. +The device inventory opens on the **Computers and Mobile** tab. You can see at a glance information such as device name, domain, risk level, exposure level, OS platform, criticality level, onboarding status, sensor health state, mitigation status and other details for easy identification of devices most at risk. The **Classify critical assets** card allows you to define device groups as business critical. You might also see the **Attack path warning** card, which takes you to Attack paths to examine if any of your assets are part of an attack path. For more information, see [Overview of attack paths](/security-exposure-management/work-attack-paths-overview). Use the **Onboarding Status** column to sort and filter by discovered devices, a :::image type="content" alt-text="Image of devices list with list of devices." source="media/device-inventory.png" lightbox="media/device-inventory.png"::: -From the **Network devices** and **IoT devices** tabs, you'll also see information such as vendor, model, and device type: From the **Network devices** and **IoT devices** tabs, you'll also see information such as vendor, model, and device type: :::image type="content" alt-text="Image of network devices list." source="media/device-inventory-networkdevices.png" lightbox="media/device-inventory-networkdevices.png"::: From the **Network devices** and **IoT devices** tabs, you'll also see informati At the top of each device inventory tab, you can see: - The total number of devices.-- The number of devices that aren't yet onboarded. - The number of devices that are identified as a higher risk to your organization. - The number of your business critical assets.+- The number of devices that aren't yet onboarded. +- The number of devices with high exposure. +- The number of newly disocovered devices. You can use this information to help you prioritize devices for security posture improvements. Filter | Description **Risk level** | The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level. **Exposure level** | The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation.</br></br> If the exposure level says "No data available," there are a few reasons why:</br>- Device stopped reporting for more than 30 days. In that case it's considered inactive, and the exposure isn't computed.</br>- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements).</br>- Device with stale agent (unlikely). **Criticality level** | The criticality level reflects how critical a device is for your organization. The possible levels are low, medium, high, or very high. Very high means that the device is considered a business critical asset. For more information, see [Overview of critical asset management](/security-exposure-management/critical-asset-management).+**OS Platform** | Filter by the OS platforms you're interested in investigating </br></br>(_Computers and mobile and IoT devices only_). +**Windows version** | Filter by the Windows versions you're interested in investigating. If 'future version' appears in the Windows version field, it can mean:</br></br> - This is a pre-release build for a future Windows release</br> - The build has no version name</br> - The build version name isn't yet supported </br></br> In all these scenarios, where available, the full OS version can be seen in the device details page.</br></br> (_Computers and mobile only_). +**Sensor health state** | Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:</br> - **Active**: Devices that are actively reporting sensor data to the service.</br> - **Inactive**: Devices that stopped sending signals for more than seven days.</br> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data.</br> Misconfigured devices can further be classified to: </br> - No sensor data </br> - Impaired communications </br> For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors).</br></br> (_Computers and mobile only_). +**Onboarding status** | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. Device discovery must be enabled for this filter to appear. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint.</br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but isn't currently onboarded. Microsoft highly recommends onboarding these devices.</br> - **Unsupported**: The endpoint was discovered in the network, but isn't supported by Microsoft Defender for Endpoint.</br> - **Insufficient info**: The system couldn't determine the supportability of the device.</br></br> (_Computers and mobile only_). +**Antivirus status** | Filter the view based on whether the antivirus status is disabled, not updated or unknown.</br></br> (_Computers and mobile only_). +**First seen** | Filter your view based on when the device was first seen in the network or when it was first reported by the Microsoft Defender for Endpoint sensor.</br></br>(_Computers and mobile and IoT devices only_). **Tags** | Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md).+**Internet facing** | Filter the list based on whether the device is internet facing. +**Group** | Filter the list based on the group you're interested in investigating.</br></br> (_Computers and mobile only_). **Device value** | Filter the list based on whether the device is marked as high value or low value. **Exclusion state** | Filter the list based on whether the device is excluded or not. For more information, see [Exclude devices](exclude-devices.md).-**OS Platform** | Filter by the OS platforms you're interested in investigating </br></br>(_Computers and mobile and IoT devices only_) -**First seen** | Filter your view based on when the device was first seen in the network or when it was first reported by the Microsoft Defender for Endpoint sensor.</br></br>(_Computers and mobile and IoT devices only_) -**Windows version** | Filter by the Windows versions you're interested in investigating. If 'future version' appears in the Windows version field, it can mean:</br></br> - This is a pre-release build for a future Windows release</br> - The build has no version name</br> - The build version name isn't yet supported </br></br> In all these scenarios, where available, the full OS version can be seen in the device details page.</br></br> (_Computers and mobile only_) -**Sensor health state** | Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:</br> - **Active**: Devices that are actively reporting sensor data to the service.</br> - **Inactive**: Devices that have stopped sending signals for more than seven days.</br> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data.</br> Misconfigured devices can further be classified to: </br> - No sensor data </br> - Impaired communications </br> For more information on how to address issues on misconfigured devices, see [Fix unhealthy sensors](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors).</br></br> (_Computers and mobile only_) -**Onboarding status** | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. Device discovery must be enabled for this filter to appear. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint.</br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but isn't currently onboarded. Microsoft highly recommends onboarding these devices.</br> - **Unsupported**: The endpoint was discovered in the network, but isn't supported by Microsoft Defender for Endpoint.</br> - **Insufficient info**: The system couldn't determine the supportability of the device.</br></br> (_Computers and mobile only_) -**First seen** | Filter your view based on when the device was first seen in the network or when it's first reported by the Microsoft Defender for Endpoint sensor.</br></br>(_Computers and mobile and IoT devices only_) -**Windows version** | Filter by the Windows versions you're interested in investigating. If 'future version' appears in the Windows version field, it can mean:</br></br> - This is a prerelease build for a future Windows release</br> - The build has no version name</br> - The build version name isn't yet supported </br></br> In all these scenarios, where available, the full OS version can be seen in the device details page.</br></br> (_Computers and mobile only_) -**Sensor health state** | Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:</br> - **Active**: Devices that are actively reporting sensor data to the service.</br> - **Inactive**: Devices that stopped sending signals for more than seven days.</br> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data.</br> Misconfigured devices can further be classified to: </br> - No sensor data </br> - Impaired communications </br> For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors).</br></br> (_Computers and mobile only_) -**Onboarding status** | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. Device discovery must be enabled for this filter to appear. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint. </br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but it's not currently onboarded. Microsoft highly recommends onboarding these devices.</br> - **Unsupported**: The endpoint was discovered in the network, but isn't supported by Microsoft Defender for Endpoint.</br> - **Insufficient info**: The system couldn't determine the supportability of the device.</br></br> (_Computers and mobile only_) -**Antivirus status** | Filter the view based on whether the antivirus status is disabled, not updated or unknown.</br></br> (_Computers and mobile only_) -**Group** | Filter the list based on the group you're interested in investigating.</br></br> (_Computers and mobile only_) **Managed by** | Managed by indicates how the device is being managed. You can filter by:</br> - Microsoft Defender for Endpoint</br> - Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach</br>- Microsoft Configuration manager (ConfigMgr)</br> - Unknown: This issue could be due the running an outdated Windows version, GPO management, or another non-Microsoft MDM.</br></br> (_Computers and mobile only_) **Device Type** | Filter by the device type you're interested in investigating.</br></br> (_IoT devices only_) **Mitigation status** | Filter by isolation or containment status of a device. |
security | Fixed Reported Inaccuracies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies.md | Inaccuracy report ID |Description |Fix date | |:|:|:| | - | Defender Vulnerability Management doesn't currently support CVE-2023-4966 | 05-Mar-24 | 47296 | Defender Vulnerability Management doesn't currently support Bitdefender Vulnerabilities - CVE-2017-17408, CVE-2017-17409 & CVE-2017-17410 | 05-Mar-24+| 45748 | Fixed inaccuracy in Zscaler Client Connector | 14-Mar-24 +| 49672 | Fixed inaccuracy in CVE-2024-0819 | 20-Mar-24 +| 30583 | Fixed inaccuracy in Opera Browser | 21-Mar-24 +| - | Fixed inaccuracy in Autodesk Civil 3D and Anydesk | 21-Mar-24 +| 44979 | Defender Vulnerability Management doesn't currently support CVE-2017-13774 | 26-Mar-24 +| 46812 | Fixed inaccuracy in Dell Supportassist | 26-Mar-24 +| 48178 | Fixed inaccuracy in RuneLite | 26-Mar-24 +| 49660 | Fixed inaccuracy in RSUPPORT RemoteView Agent | 26-Mar-24 +| 46828 | Defender Vulnerability Management doesn't currently support OsiSoft Pi Server | 26-Mar-24 +| 48034 | Defender Vulnerability Management doesn't currently support CVE-2023-35637 | 26-Mar-24 +| - | Fixed inaccuracy in Adobe Acrobat Reader and Reader DC | 26-Mar-24 +| 46021 | Defender Vulnerability Management doesn't currently support CVE-2023-6129 | 26-Mar-24 +| - | Fixed inaccuracy in Ultraedit | 26-Mar-24 +| - | Defender Vulnerability Management doesn't currently support CVE-2023-47248 | 26-Mar-24 +| - | Fixed inaccuracy in Mitel 6920 & 6930 Firmwares | 31-Mar-24 ## February 2024 |
security | Activate Defender Rbac | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/activate-defender-rbac.md | You can activate your workloads in two ways from the Permissions and roles page: > Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC. > [!NOTE]- > To activate Exchange Online (EXO) permissions in Microsoft Defender XDR Unified RBAC, Exchange Online Protection (EOP) permissions must be active. + > To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active. 2. **Workload settings** - Select **Workload settings**. |
security | Configure Attack Disruption | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-attack-disruption.md | description: Configure automatic attack disruption options in Microsoft Defender search.appverid: MET150 -+ audience: ITPro Review the configured automation level for your device group policies, wWhether 3. Review your device group policies. Look at the **Automation level** column. We recommend using **Full - remediate threats automatically**. You might need to create or edit your device groups to get the level of automation you want. To exclude a device group from automated containment, set its automation level to **no automated response**. Note that this is not highly recommended and should only be done for a limited number of devices. -#### Device Discovery configuration +#### Device discovery configuration -Device Discovery settings must be activated to "Standard Discovery" at a minimum. Learn how to configure Device Discovery in [Set up device discovery](/defender-endpoint/configure-device-discovery). +Device discovery settings must be activated to "Standard Discovery" at a minimum. Learn how to configure device discovery in [Set up device discovery](/microsoft-365/security/defender-endpoint/configure-device-discovery). >[!NOTE] >Attack disruption can act on devices independent of a device's Microsoft Defender Antivirus operating state. The operating state can be in Active, Passive, or EDR Block Mode. The following mailbox events need to be audited by minimum: - SoftDelete - HardDelete -Review [Manage mailbox auditing](/purview/audit-mailboxes) to learn about managing mailbox auditing. +Review [manage mailbox auditing](/purview/audit-mailboxes) to learn about managing mailbox auditing. #### Safelinks policy needs to be present. |
security | Anti Malware Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-policies-configure.md | You can configure anti-malware policies in the Microsoft Defender portal or in P Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). - Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). The recipient must satisfy _all_ of the specified conditions, which is typically difficult or redundant. For more information, see [Recipient filters in anti-malware policies](anti-malware-protection-about.md#recipient-filters-in-anti-malware-policies). + Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group1\>_). The recipient must satisfy _all_ of the specified conditions, which is typically difficult or redundant. For more information, see [Recipient filters in anti-malware policies](anti-malware-protection-about.md#recipient-filters-in-anti-malware-policies). - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions. |
security | Anti Malware Protection About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection-about.md | Anti-malware policies control the configurable settings and notification options ### Recipient filters in anti-malware policies -In custom anti-malware policies and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions: +Recipient filters use conditions and exceptions to identify the internal recipients that the policy applies to. At least one condition is required in custom policies. Conditions and exceptions aren't available in the default policy (the default policy applies to all recipients). You can use the following recipient filters for conditions and exceptions: -- **Users**-- **Groups**-- **Domains**+- **Users**: One or more mailboxes, mail users, or mail contacts in the organization. +- **Groups**: + - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported). + - The specified Microsoft 365 Groups. +- **Domains**: One or more of the configured [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in Microsoft 365. The recipient's primary email address is in the specified domain. -You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). +You can use a condition or exception only once, but the condition or exception can contain multiple values: -> [!IMPORTANT] -> Multiple different types of conditions or exceptions aren't additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: -> -> - Users: romain@contoso.com -> - Groups: Executives -> -> The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. -> -> Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. +- Multiple **values** of the **same condition or exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_): + - **Conditions**: If the recipient matches **any** of the specified values, the policy is applied to them. + - **Exceptions**: If the recipient matches **any** of the specified values, the policy isn't applied to them. ++- Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. ++- Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. ### Common attachments filter in anti-malware policies |
security | Anti Phishing Policies About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-about.md | The following policy settings are available in anti-phishing policies in EOP and - **Description** You can't add a description to the default anti-phishing policy, but you can add and change the description for custom policies that you create. -- **Users, groups, and domains**: Identifies internal recipients that the anti-phishing policy applies to. This value is required in custom policies, and not available in the default policy (the default policy applies to all recipients).+- **Users, groups, and domains** and **Exclude these users, groups, and domains**: Recipient filters to identify the internal recipients that the policy applies to. At least one condition is required in custom policies. Conditions and exceptions aren't available in the default policy (the default policy applies to all recipients). You can use the following recipient filters for conditions and exceptions: - You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). -- - **Users**: One or more mailboxes, mail users, or mail contacts in your organization. + - **Users**: One or more mailboxes, mail users, or mail contacts in the organization. - **Groups**: - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported). - The specified Microsoft 365 Groups. - **Domains**: One or more of the configured [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in Microsoft 365. The recipient's primary email address is in the specified domain. - - **Exclude these users, groups, and domains**: Exceptions for the policy. The settings and behavior are exactly like the conditions: - - **Users** - - **Groups** - - **Domains** + You can use a condition or exception only once, but the condition or exception can contain multiple values: - > [!NOTE] - > At least one selection in the **Users, groups, and domains** settings is required in custom anti-phishing policies to identify the message **recipients** <u>that the policy applies to</u>. Anti-phishing policies in Defender for Office 365 also have [impersonation settings](#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) where you can specify individual sender email addresses or sender domains <u>that will receive impersonation protection</u> as described later in this article. - > - > Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. - > - > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. + - Multiple **values** of the **same condition or exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_): + - **Conditions**: If the recipient matches **any** of the specified values, the policy is applied to them. + - **Exceptions**: If the recipient matches **any** of the specified values, the policy isn't applied to them. ++ - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. ++ - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. ++ > [!TIP] + > At least one selection in the **Users, groups, and domains** settings is required in custom anti-phishing policies to identify the message **recipients that the policy applies to**. Anti-phishing policies in Defender for Office 365 also have [impersonation settings](#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) where you can specify **sender email addresses or sender domains that receive impersonation protection** as described later in this article. ## Spoof settings |
security | Anti Phishing Policies Eop Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure.md | For anti-phishing policy procedures in organizations with Microsoft Defender for For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. - Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). + You can use a condition only once, but the condition can contain multiple values: - - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions. + - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives - > [!IMPORTANT] - > Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. - > - > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. + The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. ++ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. ++ You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. When you're finished on the **Users, groups, and domains** page, select **Next**. For anti-phishing policy procedures in organizations with Microsoft Defender for - **Safety tips & indicators** section: Configure the following settings: - **Show first contact safety tip**: For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip). - **Show (?) for unauthenticated senders for spoof**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Adds a question mark (?) to the sender's photo in the From box in Outlook if the message doesn't pass SPF or DKIM checks **and** the message doesn't pass DMARC or [composite authentication](email-authentication-about.md#composite-authentication). This setting is selected by default.- - **Show "via" tag**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Adds tag named via (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. This setting is selected by default. + - **Show "via" tag**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Adds tag named via (`chris@contoso.com` via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. This setting is selected by default. To turn on a setting, select the check box. To turn it off, clear the check box. |
security | Anti Phishing Policies Mdo Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure.md | For anti-phishing policy procedures in organizations without Defender for Office For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. - Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). + You can use a condition only once, but the condition can contain multiple values: - - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions. + - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives - > [!IMPORTANT] - > Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. - > - > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. + The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. ++ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. ++ You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. When you're finished on the **Users, groups, and domains** page, select **Next**. |
security | Anti Spam Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md | You can configure anti-spam policies in the Microsoft Defender portal or in Powe Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). - Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). The recipient must satisfy _all_ of the specified conditions, which is typically difficult or redundant. For more information, see [Recipient filters in anti-spam policies](anti-spam-protection-about.md#recipient-filters-in-anti-spam-policies). + Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group1\>_). The recipient must satisfy _all_ of the specified conditions, which is typically difficult or redundant. For more information, see [Recipient filters in anti-spam policies](anti-spam-protection-about.md#recipient-filters-in-anti-spam-policies). - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions. |
security | Anti Spam Protection About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection-about.md | Anti-spam policies control the configurable settings for spam filtering. The imp ### Recipient filters in anti-spam policies -In [custom anti-spam policies](anti-spam-policies-configure.md) and in the Standard and Strict [preset security policies](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users), you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions: +Recipient filters use conditions and exceptions to identify the internal recipients that the policy applies to. At least one condition is required in custom policies. Conditions and exceptions aren't available in the default policy (the default policy applies to all recipients). You can use the following recipient filters for conditions and exceptions: -- **Users**-- **Groups**-- **Domains**+- **Users**: One or more mailboxes, mail users, or mail contacts in the organization. +- **Groups**: + - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported). + - The specified Microsoft 365 Groups. +- **Domains**: One or more of the configured [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in Microsoft 365. The recipient's primary email address is in the specified domain. -You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). +You can use a condition or exception only once, but the condition or exception can contain multiple values: -> [!IMPORTANT] -> Multiple different types of conditions or exceptions aren't additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: -> -> - Users: romain@contoso.com -> - Groups: Executives -> -> The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. -> -> Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. +- Multiple **values** of the **same condition or exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_): + - **Conditions**: If the recipient matches **any** of the specified values, the policy is applied to them. + - **Exceptions**: If the recipient matches **any** of the specified values, the policy isn't applied to them. ++- Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. ++- Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. ### Bulk complaint threshold (BCL) in anti-spam policies |
security | Mdo Support Teams About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-support-teams-about.md | In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams pro - **Exclude these participants** section: Specify the **Users**, **Groups**, or **Domains** to exclude from ZAP for Teams protection. Exclusions matter for message _recipients_, not message _senders_. For more information, see [Zero-hour auto purge (ZAP) in Microsoft Teams](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams). - > [!IMPORTANT] - > Unlike all other security policies in Exchange Online Protection and Defender for Office 365, multiple different types of exceptions for ZAP for Teams protection use OR logic instead of AND. The message is excluded from ZAP for Teams protection for recipients that match _any_ of the specified filters. For example, you configure exclusions with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The user romain@contoso.com and members of the Executives group are excluded from ZAP for Teams protection. + You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, ZAP for Teams protection isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, ZAP for Teams protection isn't applied to them. 4. When you're finished on the **Microsoft Teams protection** page, select **Save**. |
security | Outbound Spam Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md | You can configure outbound spam policies in the Microsoft Defender portal or in When you're finished on the **Name your policy page**, select **Next**. -4. On the **Users, groups, and domains** page, identify the internal senders that the policy applies to (conditions): +4. On the **Users, groups, and domains** page, identify the internal senders that the policy applies to (recipient conditions): - **Users**: The specified mailboxes, mail users, or mail contacts. - **Groups**: - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported). You can configure outbound spam policies in the Microsoft Defender portal or in For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. - Multiple values in the same condition use OR logic (for example, _\<sender1\>_ or _\<sender2\>_). Different conditions use AND logic (for example, _\<sender1\>_ and _\<member of group 1\>_). + You can use a condition only once, but the condition can contain multiple values: - - **Exclude these users, groups, and domains**: To add exceptions for the internal senders that the policy applies to, select this option and configure the exceptions. The settings and behavior are exactly like the conditions. + - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives - > [!IMPORTANT] - > Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those senders that match _all_ of the specified sender filters. For example, you configure a sender filter condition in the policy with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. - > - > Likewise, if you use the same sender filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. + The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. ++ - **Exclude these users, groups, and domains**: To add exceptions for the internal senders that the policy applies to, select this option and configure the exceptions. ++ You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. When you're finished on the **Users, groups, and domains**, select **Next**. |
security | Preset Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md | The rest of this article how to configure preset security policies. - **All recipients** - - **Specific recipients**: Configure one of the following settings that appears: + - **Specific recipients**: Configure one of the following recipient conditions that appear: - **Users**: The specified mailboxes, mail users, or mail contacts. - **Groups**: - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported). The rest of this article how to configure preset security policies. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. - Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). + You can use a condition only once, but the condition can contain multiple values: - > [!IMPORTANT] - > Multiple different types of conditions or exceptions aren't additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy isn't applied to him. - > - > Likewise, if you use the same recipient filter as an exception to the policy, the policy isn't applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. + - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. - **None** - - **Exclude these recipients**: If you selected **All recipients** or **Specific recipients**, select this option and configure the recipient exceptions. The settings and behavior are exactly like the recipient conditions. + - **Exclude these recipients**: If you selected **All recipients** or **Specific recipients**, select this option to configure recipient exceptions. ++ You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. When you're finished on the **Apply Exchange Online Protection** page, select **Next**. To disable the **Standard protection** or **Strict protection** preset security For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values. - > [!IMPORTANT] - > Multiple different types of exceptions aren't additive; they're inclusive. The policy isn't applied _only_ if those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter exception with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy isn't applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. + You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. 4. When you're finished in the **Exclude from Built-in protection** flyout, select **Save**. If your organization has Defender for Office 365, you enable or disable the rule ### Use PowerShell to specify recipient conditions and exceptions for preset security policies -> [!IMPORTANT] - > Multiple different types of conditions or exceptions aren't additive; they're inclusive. The preset security policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy isn't applied to him. - > - > Likewise, if you use the same recipient filter as an exception to the policy, the policy isn't applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. +You can use a recipient condition or exception only once, but the condition or exception can contain multiple values: ++- Multiple **values** of the **same condition or exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_): + - **Conditions**: If the recipient matches **any** of the specified values, the policy is applied to them. + - **Exceptions**: If the recipient matches **any** of the specified values, the policy isn't applied to them. ++- Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. ++- Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. For the Built-in protection preset security policy, you can specify only recipient exceptions. If all exception parameter values are empty (`$null`), there are no exceptions to the policy. |
security | Quarantine Admin Manage Messages Files | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md | Users can request the release of email messages if the quarantine policy used ** After a recipient requests the release of the email message, the **Release status** value changes to **Release requested**, and an admin can approve or deny the request. > [!TIP]-> One alert to release the message might be created for multiple release requests for that message. +> One alert to release the message might be created for multiple release requests for that message. Use the **quarantine** link in the **Details** section of the alert message to take action on the release request from users in the organization for the past 7 days. If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the **Expires** column. |
security | Reports Email Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md | description: "Admins can learn how to find and use the email security reports th - seo-marvel-apr2020 Previously updated : 3/7/2024 Last updated : 4/8/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a> Depending on the report and the specific view in the report, one or more of the 3. On the **Set preferences** page, review or configure the following settings: - **Frequency**: Select one of the following values: - **Weekly** (default)- - **Daily** + - **Daily** (this value results in no data being shown in charts) - **Monthly** - **Start date**: Enter the date when generation of the report begins. The default value is today. - **Expiry date**: Enter the date when generation of the report ends. The default value is one year from today. |
security | Safe Attachments About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-about.md | Safe Attachments scanning takes place in the same region where your Microsoft 36 This section describes the settings in Safe Attachments policies: -- **Recipient filters**: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:- - **Users** - - **Groups** - - **Domains** -- You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). -- > [!IMPORTANT] - > Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. - > - > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. +- **Recipient filters**: Conditions and exceptions to identify the internal recipients that the policy applies to. At least one condition is required. You can use the following recipient filters for conditions and exceptions: + - **Users**: One or more mailboxes, mail users, or mail contacts in the organization. + - **Groups**: + - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported). + - The specified Microsoft 365 Groups. + - **Domains**: One or more of the configured [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in Microsoft 365. The recipient's primary email address is in the specified domain. ++ You can use a condition or exception only once, but the condition or exception can contain multiple values: ++ - Multiple **values** of the **same condition or exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_): + - **Conditions**: If the recipient matches **any** of the specified values, the policy is applied to them. + - **Exceptions**: If the recipient matches **any** of the specified values, the policy isn't applied to them. ++ - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. ++ - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. - **Safe Attachments unknown malware response**: This setting controls the action for Safe Attachments malware scanning in email messages. The available options are described in the following table: |
security | Safe Attachments Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md | You configure Safe Attachments policies in the Microsoft Defender portal or in E For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values. - Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). -- - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions. -- > [!IMPORTANT] - > Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. - > - > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. + You can use a condition only once, but the condition can contain multiple values: ++ - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. ++ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. ++ You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. When you're finished on the **Users and domains** page, select **Next**. |
security | Safe Links About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-about.md | audience: Admin f1_keywords: - '197503' Previously updated : 9/19/2023 Last updated : 4/8/2024 ms.localizationpriority: medium - Strat_O365_IP appliesto: [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] > [!IMPORTANT]-> This article is intended for business customers who have [Microsoft Defender for Office 365](mdo-about.md). If you're using .com, Microsoft 365 Family, or Microsoft 365 Personal, and you're looking for information about Safelinks in , see [Advanced .com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2). +> This article is intended for business customers who have [Microsoft Defender for Office 365](mdo-about.md). If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and you're looking for information about Safelinks in Outlook.com, see [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2). In organizations with Microsoft Defender for Office 365, Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Specifically, Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. Safe Links scanning occurs in addition to regular [anti-spam](anti-spam-protection-about.md) and [anti-malware](anti-malware-protection-about.md) protection. The following table describes scenarios for Safe Links in Microsoft 365 and Offi ## Recipient filters in Safe Links policies -You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions: +Recipient filters use conditions and exceptions to identify the internal recipients that the policy applies to. At least one condition is required. You can use the following recipient filters for conditions and exceptions: -- **Users**-- **Groups**-- **Domains**+- **Users**: One or more mailboxes, mail users, or mail contacts in the organization. +- **Groups**: + - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported). + - The specified Microsoft 365 Groups. +- **Domains**: One or more of the configured [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in Microsoft 365. The recipient's primary email address is in the specified domain. -You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). +You can use a condition or exception only once, but the condition or exception can contain multiple values: -> [!IMPORTANT] -> Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: -> -> - Users: romain@contoso.com -> - Groups: Executives -> -> The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. -> -> Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. +- Multiple **values** of the **same condition or exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_): + - **Conditions**: If the recipient matches **any** of the specified values, the policy is applied to them. + - **Exceptions**: If the recipient matches **any** of the specified values, the policy isn't applied to them. ++- Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. ++- Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. ## Safe Links settings for email messages |
security | Safe Links Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md | You configure Safe Links policies in the Microsoft Defender portal or in Exchang For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values. - Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_). + You can use a condition only once, but the condition can contain multiple values: ++ - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions. - > [!IMPORTANT] - > Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values: - > - > - Users: romain@contoso.com - > - Groups: Executives - > - > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him. - > - > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him. + You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. When you're finished on the **Users and domains** page, select **Next**. |
security | Submissions Admin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md | appliesto: [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] +For more information about what Microsoft does to your submissions, [check this out](submissions-report-messages-files-to-microsoft.md#report-suspicious-email-messages-to-microsoft). + In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the **Submissions** page in the Microsoft Defender portal to submit messages, URLs, and attachments to Microsoft for analysis. There are two basic types of admin submissions: - **Admin-originated submissions**: Admins identify and report messages, attachments, or URLs (entities) by selecting :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Submit to Microsoft for analysis** from the tabs on the **Submissions** page as described in the [Admin-originated submissions](#admin-originated-submissions) section. For URLs reported as false positives, we allow subsequent messages that contain - **7 days** - **30 days** - **Specific date**: The maximum value is 30 days from today.- - **Allow entry note (optional)**: Enter optional information about why you're allow this item. + - **Allow entry note (optional)**: Enter optional information about why you're allowing this item. When you're finished on the second page of the **Submit to Microsoft for analysis** flyout, select **Submit**. |
security | Submissions Report Messages Files To Microsoft | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft.md | Watch this video that shows more information about the unified submissions exper > [!IMPORTANT] >-> When you report a message to Microsoft, everything associated with the message is copied and included in the continual algorithm reviews. This copy includes email content, email headers, any attachments, and related data about email routing. -> -> Microsoft treats your feedback as your organization's permission to analyze all the information to fine tune the message hygiene algorithms. Your message is held in secured and audited data centers in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and attachments, which is normally not permitted for email in Microsoft 365. However, your email is still treated as confidential between you and Microsoft, and your email or attachments isn't shared with any other party as part of the review process. +> When you make a submission to Microsoft, everything associated with the submission is copied and included in the continual algorithm reviews. This copy includes all data associated with submission, including: message content, headers, any attachments, related data about routing and all other data directly associated with the submission. +> +> Microsoft treats your submission as your organization's permission to analyze all the information to fine tune the submission hygiene algorithms. Your submission is held in secured and audited data centers in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and attachments, which is normally not permitted for customer data in Microsoft 365. However, your submission is still treated as confidential between you and Microsoft, and your data isn't shared with any other party as part of the review process. Microsoft may also use AI to evaluate and create responses tailored to your submissions. > > For information about reporting messages in Microsoft Teams in Defender for Office 365 Plan 2, see [User reported message settings in Microsoft Teams](submissions-teams.md). |
security | Submissions Teams | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-teams.md | For more information, see [User reported settings](submissions-user-reported-mes > [!IMPORTANT] >-> When a user reports a Teams message to Microsoft, everything associated with the message is copied to include in the continual algorithm reviews. This copy includes the message content, message headers added by the Microsoft filtering system, any files or URLs, and related data. +> When a user reports a Teams message to Microsoft, everything associated with the message is copied to include in the continual algorithm reviews. This copy includes the all the data associated with the message, including: message content, headers, any attachments, related data about routing and all other data directly associated with the submission. >-> Microsoft treats your feedback as your organization's permission to analyze all the information to fine tune the message hygiene algorithms. Your message is held in secured and audited data centers in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and files, which is normally not permitted for Teams messages in Microsoft 365. However, your message is still treated as confidential between you and Microsoft, and your message or file isn't shared with any other party as part of the review process. +> Microsoft treats your feedback as your organization's permission to analyze all the information to fine tune the submission hygiene algorithms. Your message is held in secured and audited data centers in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and files, which is normally not permitted for Teams messages in Microsoft 365. However, your message is still treated as confidential between you and Microsoft, and your message or file isn't shared with any other party as part of the review process. Microsoft might also use AI to evaluate and create responses tailored to your submissions. ## View and triage user reported messages in Teams |
security | Submissions User Reported Messages Custom Mailbox | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md | The difference between these two elements isn't obvious when you manage the user Only after you specify a reporting mailbox (used by Microsoft or third-party reporting tools) and save the changes on the **User reported settings page** is the report submission rule named DefaultReportSubmissionRule created. It might take several seconds before the rule is visible in PowerShell. > [!NOTE]- > The default settings on the **User reported settings** page include **Send reported messages to** \> **Microsoft and my reporting mailbox** with a blank value for the reporting mailbox. In PowerShell, there's no report submission rule. This default configuration means the reporting mailbox is the global admin's Exchange Online mailbox. The global admin isn't _shown_ as the reporting mailbox in the output of the **Get-ReportSubmissionPolicy** and **Get-ReportSubmissionRule** cmdlets or on the **User reported settings** page until _after_ the first user in the organization reports a message from Outlook. [Learn more about reported message destinations](submissions-report-messages-files-to-microsoft.md#report-suspicious-email-messages-to-microsoft). + > The default settings on the **User reported settings** page include **Send reported messages to** \> **Microsoft and my reporting mailbox** with a blank value for the reporting mailbox. In PowerShell, there's no report submission rule. This default configuration means the reporting mailbox is the global admin's Exchange Online mailbox. The global admin isn't _shown_ as the reporting mailbox in the output of the **Get-ReportSubmissionPolicy** and **Get-ReportSubmissionRule** cmdlets or on the **User reported settings** page until _after_ the first user in the organization reports a message from Outlook. [Learn more about what Microsoft does to your submitted messages](submissions-report-messages-files-to-microsoft.md#report-suspicious-email-messages-to-microsoft). - You can delete the report submission rule and recreate it with a different name, but the rule is always associated with the report submission policy, and you can't select or change the name of the policy. So, we recommend naming the rule DefaultReportSubmissionRule if you create or recreate the rule. |
security | Try Microsoft Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md | The default policies for these EOP features are always on, apply to all recipien Do you want your Defender for Office 365 experience to be active or passive? The following modes are available: -- **Audit mode**: Special *evaluation policies* are created for anti-phishing (which includes impersonation protection), Safe Attachments, and Safe Links. These evaluation policies are configured to *detect* threats only. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined). The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article. We also automatically turn on SafeLinks time of click protection in audit mode for non-email workloads (for example, Microsoft Teams, SharePoint, and OneDrive for Business)+- **Audit mode**: Special _evaluation policies_ are created for anti-phishing (which includes impersonation protection), Safe Attachments, and Safe Links. These evaluation policies are configured to _detect_ threats only. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined). The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article. We also automatically turn on SafeLinks time of click protection in audit mode for non-email workloads (for example, Microsoft Teams, SharePoint, and OneDrive for Business) You can also selectively turn on or turn off anti-phishing protection (spoofing and impersonation), Safe Links protection, and Safe Attachments protection. For instructions, see [Manage evaluation settings](#manage-evaluation-settings). Audit mode provides specialized reports for threats that are detected by the evaluation policies on the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>. These reports are described in the [Reports for audit mode](#reports-for-audit-mode) section later in this article. -- **Blocking mode**: The Standard template for [preset security policies](preset-security-policies.md) is turned on and used for the trial, and the users you specify to include in the trial are added to the Standard preset security policy. Defender for Office 365 *detects and takes action on* harmful messages (for example, detected messages are quarantined).+- **Blocking mode**: The Standard template for [preset security policies](preset-security-policies.md) is turned on and used for the trial, and the users you specify to include in the trial are added to the Standard preset security policy. Defender for Office 365 _detects and takes action on_ harmful messages (for example, detected messages are quarantined). The default and recommended selection is to scope these Defender for Office 365 policies to all users in the organization. But during or after the setup of your trial, you can change the policy assignment to specific users, groups, or email domains in the Microsoft Defender portal or in [Exchange Online PowerShell](#policy-settings-associated-with-defender-for-office-365-evaluations-and-trials). Remember, when you evaluate or try Defender for Office 365 in audit mode, specia - **Groups**: - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported). - The specified Microsoft 365 Groups.- - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). + - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). Click in the box, start typing a value, and select the value from the results below the box. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value in the box. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values. - > [!NOTE] - > You can change these selections after you finish setting up the trial as described in the [Manage your trial](#manage-your-evaluation-or-trial-of-defender-for-office-365) section. - > - > Multiple different types of conditions or exceptions are not additive; they're inclusive. The evaluation or trial is applied *only* to those recipients that match *all* of the specified recipient filters. For example, you configure a condition with the following values: - > - > - **Users**: romain@contoso.com - > - **Groups**: Executives - > - > The evaluation or trial is applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial is not applied to him. - > - > Likewise, if you use the same recipient filter as an exception, the evaluation or trial is not applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial still applies to him. + You can use a recipient condition only once, but the condition can contain multiple values: ++ - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. When you're finished in the **Select the users you want to include** dialog, select **Continue**. Remember, when you evaluate or try Defender for Office 365 in audit mode, specia - **The connector to apply this evaluation to**: Select the connector that's used for mail flow into Microsoft 365. - [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as *skip listing*) is automatically configured on the connector that you specify. + [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as _skip listing_) is automatically configured on the connector that you specify. When a third-party service or device sits in front of email flowing into Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md). Remember, when you try Defender for Office 365 in **blocking mode**, the Standar For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values. - > [!NOTE] - > You can change these selections after you finish setting up the trial as described in the [Manage your trial](#manage-your-evaluation-or-trial-of-defender-for-office-365) section. - > - > Multiple different types of conditions or exceptions are not additive; they're inclusive. The evaluation or trial is applied *only* to those recipients that match *all* of the specified recipient filters. For example, you configure a condition with the following values: - > - > - **Users**: romain@contoso.com - > - **Groups**: Executives - > - > The evaluation or trial is applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial is not applied to him. - > - > Likewise, if you use the same recipient filter as an exception, the evaluation or trial is not applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial still applies to him. + You can use a recipient condition only once, but the condition can contain multiple values: ++ - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives ++ The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. When you're finished in the **Select the users you want to include** dialog, select **Continue**. After you select **Convert to standard protection**, read the information in the You're taken to the **Apply standard protection** wizard on the **Preset security policies** page. The list of recipients that are included and excluded from the evaluation or trial are copied into the Standard preset security policy. For more information, see [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). -- The security policies in the Standard preset security policy have a higher priority than the evaluation policies, which means the policies in the Standard preset security are always applied *before* the evaluation policies, even if both are present and turned on.+- The security policies in the Standard preset security policy have a higher priority than the evaluation policies, which means the policies in the Standard preset security are always applied _before_ the evaluation policies, even if both are present and turned on. - There's no automatic way to go from **blocking mode** to **audit mode**. The manual steps are: 1. Turn off the Standard preset security policy on the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies>. 2. On the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>, verify the value **Evaluation on** is shown. In **audit mode**, you're looking for reports that show detections by the evalua The following permissions are required in [Microsoft Entra ID](/entra/identity/role-based-access-control/manage-roles-portal) to set up an evaluation or trial of Defender for Microsoft 365: -- *Create, modify or delete an evaluation or trial*: Membership in the **Security Administrator** or **Global Administrator** roles.-- *View evaluation policies and reports in audit mode*: Membership in the **Security Administrator** or **Security Reader** roles.+- _Create, modify or delete an evaluation or trial_: Membership in the **Security Administrator** or **Global Administrator** roles. +- _View evaluation policies and reports in audit mode_: Membership in the **Security Administrator** or **Security Reader** roles. For more information about Microsoft Entra permissions in the Microsoft Defender portal, see [Microsoft Entra roles in the Microsoft Defender portal](mdo-portal-permissions.md#microsoft-entra-roles-in-the-microsoft-defender-portal) |
security | Zero Hour Auto Purge | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md | ZAP takes action on a message based on the configuration of anti-spam policies a ### How is ZAP affected by the exceptions to protection features in EOP and Defender for Office 365? -[Safe sender lists](create-safe-sender-lists-in-office-365.md), mail flow rules, and other organizational block and allow settings take precedence over ZAP. These messages are excluded from ZAP, since the service is doing what you configured it to do. This behavior is another reason to be careful about configuring messages to bypass filtering. +ZAP actions might be overridden by [Safe sender lists](create-safe-sender-lists-in-office-365.md), mail flow rules, and other organizational block and allow settings. For malware and high-confidence phishing verdicts, ZAP always takes action to protect users. Carefully consider the implications of bypassing filtering, as it may affect the security posture of your organization. ### What are the licensing requirements for ZAP? |