-| 5 | **[Set sharing settings for SharePoint and OneDrive files and folders](../../business-premium/m365bp-protect-against-malware-cyberthreats.md)**. | Default sharing settings for SharePoint and OneDrive are set to the most permissive level, which might be a more permissive level than you should use. We recommend reviewing, and if necessary changing, the settings to better protect your business. Grant member of your organization only the access they need to do their jobs. <br/><br/>See [Set sharing settings for SharePoint and OneDrive files and folders](../../business-premium/m365bp-protect-against-malware-cyberthreats.md#set-sharing-settings-for-sharepoint-and-onedrive-files-and-folders). |

-The [missions](index.md) that were completed during the setup and configuration process focused on setting up your subscription, user accounts, and devices, as well as securing users, devices, and data. Now, you can put together plans for security operations and administration.

-## Administration

-Administration includes tasks that your administrators (also referred to as *admins*) perform in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).

-As new employees come in and other employees leave, it's important to manage user accounts and devices. Your admins can add or remove users, reset passwords, reset devices to factory settings, and more. These kinds of tasks (and more!) are listed in the [Microsoft 365 Business Premium administration guide](m365bp-admin-guide.md).

-## Security operations

-Security operations (also referred to as *SecOps*) includes tasks that your security team performs in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).

-As threats are detected, those threats must be reviewed and addressed. Regular antivirus scans should occur on devices, and you can initiate scans when needed. In addition, you can run automated investigations on devices that have a high risk level or detected threats. These kinds of security tasks (and more!) are listed in the [Microsoft 365 Business Premium security operations guide](m365bp-security-operations-guide.md).

-[Security incident management](m365bp-security-incident-management.md)

-description: "Learn how protection features in Microsoft 365 Business Premium map to Intune settings. The subscription provides you with a license to modify Intune settings."

-# How protection features in Microsoft 365 Business Premium map to Intune settings

-## Android and iOS application protection settings

-The following table details how the Android and iOS application policy settings map to Intune settings.

-

-To find the Intune setting, sign in with your Microsoft 365 Business Premium admin credentials, and go to **Admin centers**, and then **Intune**.

-

- > [!IMPORTANT]

- >

- > A Microsoft 365 Business Premium subscription gives you a license to modify all the Intune settings. See [Introduction to Intune to get started.](/intune/introduction-intune)

-

-Select the Policy name you want &mdash; for example, Application policy for Android &mdash; and then choose **Policy settings**.

-

-Under **Protect work files when devices are lost or stolen**

-

-|**Android or iOS application policy setting**|**Intune setting(s)**|

-|:--|:--|

-|Delete work files from an inactive device after |Offline interval (days) before app data is wiped |

-|Force users to save work files to OneDrive for Business <br/> Note that only OneDrive for Business is allowed |Select which storage services corporate data can be saved to |

-

-Under **Manage how user access Office files in mobile devices**

-

-|**Android or iOS application policy setting**|**Intune setting(s)**|

-|:--|:--|

-|Delete work files from an inactive device after |Offline interval (days) before app data is wiped |

-|Force users to save work files to OneDrive for Business <br/> Note that only OneDrive for Business is allowed |Select which storage services corporate data can be saved to |

-|Encrypt work files |Encrypt app data |

-|Under **Manage how user access Office files in mobile devices** ||

-|Require a PIN or fingerprint to access Microsoft 365 Apps | Require PIN to access <br/> This also sets: <br/> **Allow simple PIN** to **Yes** <br/> **Pin Length** to 4 <br/> **Allow fingerprint instead of PIN** to **Yes** <br/> **Disable app PIN when device PIN is managed** to **No** |

-|Reset PIN when login fails this many times (this is disabled if PIN isn't required) |Number of attempts before PIN reset |

-|Require users to sign in again after Microsoft 365 Apps have been idle for (this is disabled if PIN isn't required) | Recheck the access requirements after (minutes) <br/> This also sets: <br/> **Timeout** is set to minutes <br/> This is same number of minutes you set in Microsoft 365 Business. <br/> **Offline grace period** is set to 720 minutes by default |

-|Deny access to work files on jailbroken or rooted devices |Block managed apps from running on jailbroken or rooted devices |

-|Allow users to copy content from Microsoft 365 Apps into personal apps | Restrict cut, copy, and paste with other apps <br/> If the Microsoft 365 Business Premium option is set to **On**, then these three options are also set to **All Apps** in Intune: <br/> **Allow app to transfer data to other apps** <br/> **Allow app to receive data from other apps** <br/> **Restrict cut, copy, and paste with other apps** <br/> If the Microsoft 365 Business option is set to **On**, then all the Intune options are set to: <br/> **Allow app to transfer data to other apps** is set to **Policy managed apps** <br/> **Allow app to receive data from other apps** is set to **All Apps** <br/> **Restrict cut, copy, and paste with other apps** is set to **Policy Managed apps with Paste-In** |

-

-## Windows 10 app protection settings

-The following table details how the Windows 10 application policy settings map to Intune settings.

-

-To find the Intune setting, sign in with your Microsoft 365 Business Premium admin credentials, and go to [Azure portal](https://portal.azure.com). Select **More services**, and type Intune into the **Filter**. Select **Intune App Protection** \> **App Policy**.

-

- > [!IMPORTANT]

- > A Microsoft 365 Business Premium subscription gives you a license to modify only the Intune settings that map to the settings available in Microsoft 365 Business Premium.

-

-To explore the available settings, select the policy name you want, and then choose **General, Assignments**, **Allowed apps**, **Exempt apps**, **Required settings**, or **Advanced settings** from the left navigation pane.

-

-|**Windows 10 application policy setting**|**Intune setting(s)**|

-|:--|:--|

-|Encrypt work files |**Advanced settings** \> **Data protection**: **Revoke encryption keys on unenroll** and **Revoke access to protected data device enrolls to MDM** are both set to **On**. |

-|Prevent users from copying company data to personal files. |**Required settings** \> **Windows Information Protection mode**. **On** in Microsoft 365 Business Premium maps to: **Hide Overrides**, **Off** in Microsoft 365 Business Premium maps to: **Off**. |

-|Office documents access control | If this is set to **On** in Microsoft 365 Business Premium, then <br/> **Advanced settings** \> **Access**, **Use Windows Hello for Business as a method for signing into Windows** is set to **On**, with the following additional settings: <br/> **Set the minimum number of characters required for the PIN** is set to **4**. <br/> **Configure the use of uppercase letters in the Windows Hello for Business PIN** is set to **Do not allow use of upper case letters for PIN**. <br/> **Configure the use of lowercase letters in the Windows Hello for Business PIN** is set to **Do not allow use of lower case letters for PIN**. <br/> **Configure the use of special characters in the Windows Hello for Business PIN** is set to **Do not allow the use of special characters in PIN**. <br/> **Specify the period of time (in days) that a PIN can be used before the system requires the user to change** is set to **0**. <br/> **Specify the number of past PINs that can be associated to a user account that can't be reused** is set to **0**. <br/> **Number of authentication failures allowed before the device will be wiped** is set to same as in Microsoft 365 Business (5 by default). <br/> **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked** is set to same as in Microsoft 365 Business. |

-|Enable recovery of protected data |**Advanced settings** \> **Data protection**: **Show the enterprise data protection icon** and **Use Azure RMS for WIP** are set to **On**. |

-|Protect additional company cloud locations |**Advanced settings** \> **Protected domains** and **Cloud resources** show domains and SharePoint sites. |

-|Files used by these apps are protected |The list of protected apps is listed in **Allowed apps**. |

-

-## Windows 10 device protection settings

-The following table details how the Windows 10 device configuration settings map to Intune settings.

-

-To find the Intune setting, sign in with your Microsoft 365 Business Premium admin credentials, and go to [Azure portal](https://portal.azure.com), then select **More services**, and type in Intune into the **Filter**, select **Intune** \> **Device configuration** \> **Profiles**. Then select **Device policy for Windows 10** \> **Properties** \> **Settings**.

-

-|**Windows 10 device policy setting**|**Intune setting(s)**|

-|:--|:--|

-|Help protect PCs from viruses and other threats using Microsoft Defender Antivirus |Allow Real-time Monitoring = ON <br/> Allow Cloud Protection = ON <br/> Prompt Users for Samples Submission = Send Safe samples automatically (Default Non PII auto submit) |

-|Help protect PCs from web-based threats in Microsoft Edge |**SmartScreen** in **Edge Browser settings** is set to **Required**. |

-|Turn off device screen when idle for (minutes) |Maximum minutes of inactivity until screen locks (minutes) |

-|Allow users to download apps from Microsoft Store |Custom URI policy |

-|Allow users to access Cortana |**General** \> **Cortana** is set to **block** in Intune when set to **off** in Microsoft 365 Business Premium. |

-|Allow users to receive Windows tips and advertisements from Microsoft |**Windows spotlight**, all blocked if this is set to **off** in Microsoft 365 Business Premium. |

-|Keep Windows 10 devices up to date automatically | This setting is in **Microsoft Intune** \> **Service updates - Windows 10 Update Rings**, choose **Update policy for Windows 10 devices**, and then **Properties** \> **Settings**. <br/> When the Microsoft 365 Business Premium setting is set to **On**, all the following settings are set: <br/> **Service branch** is set to **CB** (CBB when this is turned off in Microsoft 365 Business Premium). <br/> **Microsoft product updates** is set to **Allow**. <br/> **Windows drivers** is set to **Allow**. <br/> **Automatic update behavior** is set to **Auto install at maintenance time** with: <br/> **After hours start** is set to **6 AM**. <br/> **Active hours end** is set to **10 PM**. <br/> **Quality update deferral period (days)** is set to **0**. <br/> **Feature update deferral period (days)** is set to **0**. <br/> **Delivery optimization download mode** is set to **HTTP blended with peering behind same NAT**. |

-## See also

-[Best practices for securing Microsoft 365 for business plans](secure-your-business-data.md)

-In this objective, you increase your threat protection with Microsoft 365 Business Premium. It's critical to protect your business against phishing, malware, and other threats. This article includes information about:

-## Review and apply preset security policies

-> Preset security policies are not the same thing as [security defaults](m365bp-turn-on-mfa.md). Typically, you'll be using *either* security defaults *or* Conditional Access first, and then you'll add your security policies. [Preset security policies](#what-are-preset-security-policies) simplify the process of adding your security policies. You can also [add your own custom policies](#create-custom-security-policies).

-## Create custom security policies

-The [preset security policies](#what-are-preset-security-policies) described earlier in this article provide strong protection for most businesses. However, you're not limited to using preset security policies only. You can define your own custom security policies to suit your company's needs.

-Use our quick-start guide, [Protect against threats](../security/office-365-security/protect-against-threats.md), to get started creating your own custom policies. The guidance not only walks you through how to set up your own security policies, it also provides recommended settings to use as a starting point for:

-## Set sharing settings for SharePoint and OneDrive files and folders

-## Review your alert policies

-## Manage calendar sharing

-1. Go [Org settings in the Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2053743) and sign in.

-See the following articles:

-| [Microsoft 365 Business Premium](index.md) | Use SharePoint and OneDrive for storing and sharing files. <br/>[Set sharing settings for SharePoint and OneDrive](m365bp-protect-against-malware-cyberthreats.md#set-sharing-settings-for-sharepoint-and-onedrive-files-and-folders). <br/>Use [Safe Links](/microsoft-365/security/office-365-security/safe-links-about) and [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about) with SharePoint and OneDrive. <br/>Use [sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels) and [DLP](/microsoft-365/compliance/get-started-with-the-default-dlp-policy). |

-Becoming overwhelmed with the number of alerts produced by your insider risk management policies could be frustrating. The number of alerts can be quickly addressed with simple steps, depending on the types of alert volume you're receiving. You may be receiving too many valid alerts or have too many stale low-risk alerts. Consider taking the following actions:

-Insider risk management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics) and check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help understand how analytics can help accelerate the identification of potential insider risks and help you to quickly take action.

-To enable insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admins*, or Microsoft 365 *Global admin* role group.

-Complete the following steps to enable insider risk analytics:

-11. If you've selected **I want to prioritize content** in the previous step, you'll see the detail pages for *SharePoint sites*, *sensitive info types*, *sensitivity labels*, *file extensions*, and *Scoring*. Use these detail pages to define the SharePoint, sensitive info types, sensitivity labels, trainable classifiers, and file extensions to prioritize in the policy. The *Scoring* detail page allows you to scope the policy to only assign risk scores and generate alerts for specified activities that include priority content.

-22. On the **Decide whether to use default or custom indicator thresholds** page, choose custom or default thresholds for the policy indicators that you've selected. Choose either the **Use default thresholds for all indicators** or **Specify custom thresholds** for the selected policy indicators. If you've selected Specify custom thresholds, choose the appropriate level to generate the desired level of activity alerts for each policy indicator.

-14. If you've selected the *Data leaks by risky users* or *Security policy violations by risky users* templates, you'll see options on the **Triggers for this policy** page for [integration with communication compliance](/microsoft-365/compliance/communication-compliance-policies#policy-for-insider-risk-management-integration-preview) and HR data connector events. You have the choice to assign risk scores when users send messages that contain potentially threatening, harassing, or discriminatory language or to bring users into the the policy scope after risky user events are reported in your HR system. If you select the **Risk triggers from communication compliance (preview)** option, you can accept the default communication compliance policy (automatically created), choose a previously created policy scope for this trigger, or create another scoped policy. If you select **HR data connector events**, you must configure a HR data connector for your organization.

-To exclude specific file types from all insider risk management policy matching, enter file type extensions separated by commas. For example, to exclude certain types of music files from policy matches you may enter *aac,mp3,wav,wma* in the **File type exclusions** field. Files with these extensions will be ignored by all insider risk management policies.

-Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. Analytics scans offer the following advantages for your organization:

-### Enable analytics and start your scan

-### Viewing analytics insights and creating new policies

-For completed analyses, you'll see the potential risks discovered in your organization and insights and recommendations to address these risks. Identified risks and specific insights are included in reports grouped by area, the total number of users with identified risks, the percentage of these users with potentially risky activities, and a recommended insider risk policy to help mitigate these risks. The reports include:

-To turn off insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admins*, or Microsoft 365 *Global admin* role group. After you disable analytics, analytics insight reports will remain static and not be updated for new risks.

-2. Select **Insider risk settings** > **Analytics** page.

-|[Label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments) |Current Channel: Rolling out to 2303+ <br /><br> Monthly Enterprise Channel: 2304+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

-The staff member who conducts the appointment can share their screen from their Teams desktop, mobile, or web client with an attendee who joins from a desktop or mobile browser. However, attendees can't share their screen from a desktop or mobile browser.

-7. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can start with your default policies, and add more later. See [View and edit your security policies and settings](mdb-configure-security-settings.md).

-> JAMF supports Smart Computer Groups, that allow deployoing e.g. configuration profiles or policies to all machines matching certain criteria evaluated dynamically.

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-Because Microsoft 365 Defender technologies span various functions, your SOC team will need to determine which roles and responsibilities are best suited to manage each component of Microsoft 365 Defender and align to service function.

-## Suppress an alert

-As a security operations center (SOC) analyst, one of the top issues is triaging the sheer number of alerts that are triggered daily. For lower priority alerts, an analyst is still required to triage and resolve the alert which tends to be a manual process. A SOC analyst's time is valuable, wanting to focus only on high severity and high priority alerts.

-Alert suppression provides the ability to tune and manage alerts in advance. This streamlines the alert queue and saves triage time by hiding or resolving alerts automatically, each time a certain expected organizational behavior occurs, and rule conditions are met.

-You can create rule conditions based on 'evidence types' such as files, processes, scheduled tasks, and many other evidence types that trigger the alert. After creating the rule, user can apply the rule on the selected alert or any alert type that meets the rule conditions to suppress the alert.

-> Suppression of alerts is not recommended. However in certain situations, a known internal business application or security tests trigger an expected activity and you don't want to see these alerts. So, you can create a suppression rule for the alert.

-### Create rule conditions to suppress alerts

-To create a suppression rule for alerts:

-1. Select the investigated alert. In the main alert page, select **Create suppression rule** in the summary details section of the alert page.

- :::image type="content" source="../../media/investigate-alerts/suppression-click.png" lightbox="../../media/investigate-alerts/suppression-click.png" alt-text="Screenshot of Create separation rule action.":::

-2. In the **Create suppression rule** pane, select **Only this alert type** to apply the rule on the selected alert.

- However, to apply the rule on any alert type that meets rule conditions select **Any alert type based on IOC conditions**.

- IOCs are indicators such as files, processes, scheduled tasks, and other evidence types that trigger the alert.

- > [!NOTE]

- > You can no longer suppress an alert triggered by 'custom detection' source. You can't create a suppression rule for this alert.

-3. In the **IOCs** section, select **Any IOC** to suppress the alert no matter what 'evidence' has caused the alert.

- To set multiple rule conditions, select **Choose IOCs**. Use **AND**, **OR** and grouping options to build relationship between these multiple 'evidence types' that cause the alert.

- 1. For example, in the **Conditions** section, select the triggering evidence **Entity Role: Triggering**, **Equals** and select the evidence type from the drop-down list.

- :::image type="content" source="../../media/investigate-alerts/evidence-types-drop-down-list.png" alt-text="Screenshot of evidence types drop-down list." lightbox="../../media/investigate-alerts/evidence-types-drop-down-list.png":::

- 2. All the properties of this 'evidence' will auto populate as a new subgroup in the respective fields below.

- :::image type="content" source="../../media/investigate-alerts/properties-evidence.png" alt-text="Screenshot of properties of evidence auto-populating." lightbox="../../media/investigate-alerts/properties-evidence.png" :::

- > [!NOTE]

- > Condition values are not case sensitive.

- 3. You can edit and/or delete properties of this 'evidence' as per your requirement (using wildcards, when supported).

- 4. Other than files and processes, AntiMalware Scan Interface (AMSI) script, Windows Management Instrumentation (WMI) event, and scheduled tasks are some of the newly added evidence types that you can select from the evidence types drop-down list.

- :::image type="content" source="../../media/investigate-alerts/other-evidence-types.png" alt-text="Screenshot of other types of evidence." lightbox="../../media/investigate-alerts/other-evidence-types.png":::

- 5. To add another IOC, click **Add filter**.

- > [!NOTE]

- > Adding at least one IOC to the rule condition is required to suppress any alert type.

-4. Alternatively, you can select **Auto fill all alert 7 related IOCs** in the **IOC** section to add all alert related evidence types and their properties at once in the **Conditions** section.

- :::image type="content" source="../../media/investigate-alerts/autofill-iocs.png" alt-text="Screenshot of auto fill all alert related IOCs." lightbox="../../media/investigate-alerts/autofill-iocs.png":::

-5. In the **Scope** section, set the Scope in the **Conditions** sub-section by selecting specific device, multiple devices, device groups, the entire organization or by user.

- > You must have Admin permission when the **Scope** is set only for **User**. Admin permission is not required when the **Scope** is set for **User** together with **Device**, **Device groups**.

- :::image type="content" source="../../media/investigate-alerts/suppression-choose-scope.png" lightbox="../../media/investigate-alerts/suppression-choose-scope.png" alt-text="Screenshot of create suppression rule pane: Conditions, Scope, Action.":::

-6. In the **Action** section, take the appropriate action of either **Hide alert** or **Resolve alert**.

-7. **Prevent the IOCs from being blocked in the future:**

- Once you save the suppression rule, in the **Successful suppression rule creation** page that appears, you can add the selected IOCs as indicators to the "allow list" and prevent them from being blocked in the future.

- :::image type="content" source="../../media/investigate-alerts/suppression-2-choose-iocs.png" lightbox="../../media/investigate-alerts/suppression-2-choose-iocs.png" alt-text="Screenshot of successful suppression rule creation. ":::

-8. The new suppression alert functionality is available by default.

- However, you can switch back to the previous experience in Microsoft 365 Defender portal by navigating to **Settings > Endpoints > Alert suppression**, then switch off the **New suppression rules creation enabled** toggle.

- :::image type="content" source="../../media/investigate-alerts/suppression-toggle.png" lightbox="../../media/investigate-alerts/suppression-toggle.png" alt-text="Screenshot of toggle for turning on/off the suppression rule creation feature.":::

- > Soon, only the new alert suppression experience will be available. You will not be able to go back to the previous experience.

-9. **Edit existing rules:**

- You can always add or change rule conditions and scope of new or existing rules in Microsoft Defender portal, by selecting the relevant rule and clicking **Edit rule**.

- To edit existing rules, ensure that the **New suppression rules creation enabled** toggle is enabled.

- :::image type="content" source="../../media/investigate-alerts/suppression-toggle-on-edit.png" lightbox="../../media/investigate-alerts/suppression-toggle-on-edit.png" alt-text="Screenshot of edit suppression rule.":::

-|Chris's organization has long-standing Safe Attachments policies for everyone in the organization. Chris receives an email that has an attachment, and then forwards the message to external recipients.|Chis is protected by Safe Attachments. <br/><br/> If the external recipients are in a Microsoft 365 organization, then the forwarded messages are also protected by Safe Attachments.|