Updates from: 05/17/2023 01:37:12
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee Step 5 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-5.md
To preserve a former user's OneDrive files, first give yourself access to their
4. Select the link to open the file location. Download the files to your computer, or select **Move to** or **Copy to** to move or copy them to your own OneDrive or to a shared library. > [!NOTE]
-> You can move or copy up to 500 MB of files and folders at a time.<br/>
-> When you move or copy documents that have version history, only the latest version is moved.
-
-> Administrative options for an active user under the OneDrive tab in the Microsoft 365 admin center are currently not supported for multi-geo tenants.
+> - You can move or copy up to 500 MB of files and folders at a time.<br/>
+> - When you move or copy documents that have version history, only the latest version is moved.
+> - Administrative options for an active user under the OneDrive tab in the Microsoft 365 admin center are currently not supported for multi-geo tenants.
You can also grant access to another user to access a former employee's OneDrive.
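Review bot: The first bullet of the converted note still ends with `<br/>`, which was only needed while the note was a run of separate quoted lines; inside a list it leaves a stray line break. Drop the trailing `<br/>` from the "500 MB" item so the three bullets render uniformly.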
admin Remove Former Employee https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee.md
If your organization synchronizes user accounts to Microsoft 365 from a local Ac
To learn how to delete and restore user account in Active Directory, see [Delete a User Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753730(v=ws.11)).
-If you're using Azure Active Directory, see the [Remove-MsolUser](/powershell/module/msonline/remove-msoluser) PowerShell cmdlet.
+If you're using Azure Active Directory, see the [Remove-MgUser](/powershell/module/microsoft.graph.users/remove-mguser) PowerShell cmdlet.
## Related content
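Review bot: The replacement link moves from the msonline module to microsoft.graph.users (visible in the two link paths), but the sentence still reads as a like-for-like cmdlet swap. Since this article is used as an offboarding reference, name the module in the sentence so administrators know Remove-MgUser is not part of the module they used for Remove-MsolUser.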
admin Restore Deleted Group https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/restore-deleted-group.md
Visit the [Microsoft Tech Community](https://techcommunity.microsoft.com/t5/micr
## Related topics
-[Restore deleted items](/Exchange/recipients-in-exchange-online/restore-deleted-items-group)
+[Restore deleted email conversations](/Exchange/recipients-in-exchange-online/restore-deleted-items-group)
[Manage Microsoft 365 Groups with PowerShell](../../enterprise/manage-microsoft-365-groups-with-powershell.md)
business-premium M365bp Protect Against Malware Cyberthreats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-against-malware-cyberthreats.md
If users are assigned multiple policies, an order of priority is used to apply t
Strict protection overrides all other policies, and built-in protection is overridden by the other policies.
-To learn more about preset security policies, see [What preset security policies are made of](../security/office-365-security/preset-security-policies.md#what-preset-security-policies-are-made-of).
+To learn more about preset security policies, see [Preset security policies in EOP and Microsoft Defender for Office 365](../security/office-365-security/preset-security-policies.md).
### How do I assign preset security policies to users?
To assign preset security policies, follow these steps:
> [!TIP] > To learn more about assigning preset security policies, see the following articles:
-> - [Assign preset security policies to users](../security/office-365-security/preset-security-policies.md#assign-preset-security-policies-to-users)
+> - [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users](../security/office-365-security/preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)
> - [Recommended settings for email and collaboration content](../security/office-365-security/recommended-settings-for-eop-and-office365.md) (Microsoft 365 Business Premium includes Exchange Online Protection and Microsoft Defender for Office 365 Plan 1) ## 2. Turn on Microsoft Defender for Business
compliance Communication Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-policies.md
The following table explains more about each condition.
| **Message is received from any of these domains** <br><br> **Message is not received from any of these domains** | Apply the policy to include or exclude specific domains in received messages. Enter each domain and separate multiple domains with a comma. Do not include spaces between items separated by a comma. Each domain entered is applied separately, only one domain must apply for the policy to apply to the message. If you want to use **Message is received from any of these domains** to look for messages from specific emails address you need to combine this with another condition like **Message contains any of these words** or **Content matches any of these classifiers** or you might get unexpected results. <br><br> If you want to scan all email from a specific domain, but want to exclude messages that don't need review (newsletters, announcements, and so on), you must configure a **Message is not received from any of these domains** condition that excludes the email address (example newsletter@contoso.com). | | **Message is sent to any of these domains** <br><br> **Message is not sent to any of these domains** | Apply the policy to include or exclude specific domains in sent messages. Enter each domain and separate multiple domains with a comma. Do not include spaces between items separated by a comma. Each domain is applied separately, only one domain must apply for the policy to apply to the message. <br><br> If you want to exclude all emails sent to two specific domains, you'd configure the **Message is not sent to any of these domains** condition with the two domains (example 'contoso.com,wingtiptoys.com'). | | **Message is classified with any of these labels** <br><br> **Message is not classified with any of these labels** | To apply the policy when certain retention labels are included or excluded in a message. Retention labels must be configured separately and configured labels are chosen as part of this condition. 
Each label you choose is applied separately (only one of these labels must apply for the policy to apply to the message). For more information about retention labels, see [Learn about retention policies and retention labels](/microsoft-365/compliance/retention).|
-| **Message contains any of these words** <br><br> **Message contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message, enter each word separated with a comma. Do not include spaces between items separated by a comma. For phrases of two words or more, use quotation marks around the phrase. Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the message). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](#matching-words-and-phrases-to-emails-or-attachments).|
-| **Attachment contains any of these words** <br><br> **Attachment contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message attachment (such as a Word document), enter each word separated with a comma. Do not include spaces between items separated by a comma. For phrases of two words or more, use quotation marks around the phrase. Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the attachment). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](#matching-words-and-phrases-to-emails-or-attachments).|
+| **Message contains any of these words** <br><br> **Message contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message.<br><br> Make sure to use the following syntax when entering conditional text: <br><br>- Remove all leading and trailing spaces.<br>- Add quotation marks before and after each keyword or key phrase.<br>- Separate each keyword or key phrase with a comma.<br>- Do not include spaces between items separated by a comma. <br><br>**Example:** "banker","insider trading","confidential 123"<br><br>Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the message). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](#matching-words-and-phrases-to-emails-or-attachments).|
+| **Attachment contains any of these words** <br><br> **Attachment contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message attachment (such as a Word document).<br><br>Make sure to use the following syntax when entering conditional text: <br><br>- Remove all leading and trailing spaces.<br>- Add quotation marks before and after each keyword or key phrase.<br>- Separate each keyword or key phrase with a comma.<br>- Do not include spaces between items separated by a comma. <br><br>**Example:** "banker","insider trading","confidential 123"<br><br>Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the attachment). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](#matching-words-and-phrases-to-emails-or-attachments).|
| **Attachment is any of these file types** <br><br> **Attachment is none of these file types** | To bring communications into scope that include or exclude specific types of attachments, enter the file extensions (such as .exe or .pdf). If you want to include or exclude multiple file extensions, enter file types separated by a comma (example *.exe,.pdf,.zip*). Do not include spaces between items separated by a comma. Only one attachment extension must match for the policy to apply.| | **Message size is larger than** <br><br> **Message size is not larger than** | To review messages based on a certain size, use these conditions to specify the maximum or minimum size a message can be before it's subject to review. For example, if you specify **Message size is larger than** \> **1.0 MB**, all messages that are 1.01 MB and larger are subject to review. You can choose bytes, kilobytes, megabytes, or gigabytes for this condition.| | **Attachment is larger than** <br><br> **Attachment is not larger than** | To review messages based on the size of their attachments, specify the maximum or minimum size an attachment can be before the message and its attachments are subject to review. For example, if you specify **Attachment is larger than** \> **2.0 MB**, all messages with attachments 2.01 MB and over are subject to review. You can choose bytes, kilobytes, megabytes, or gigabytes for this condition.|
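Review bot: The new syntax rules in both word-condition rows require quotation marks around every keyword, while the neighbouring domain and file-type rows in the same table show unquoted comma lists ('contoso.com,wingtiptoys.com' and .exe,.pdf,.zip). State explicitly that quoting applies only to the two word conditions, otherwise readers may carry the rule over to domains or leave keywords unquoted and end up with a condition that does not match as intended. The first and fourth list items (leading/trailing spaces, spaces between items) also overlap and could be merged.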
compliance Device Onboarding Offboarding Macos Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-offboarding-macos-intune.md
You can use Microsoft Intune to onboard macOS devices into Microsoft Purview sol
## Before you begin ## -- Make sure your [macOS devices are onboarded into Intune](https://learn.microsoft.co/mem/intune/fundamentals/deployment-guide-platform-macos) and are enrolled in the [Company Portal app](https://learn.microsoft.co/mem/intune/user-help/enroll-your-device-in-intune-macos-cp).
+- Make sure your [macOS devices are onboarded into Intune](/mem/intune/fundamentals/deployment-guide-platform-macos) and are enrolled in the [Company Portal app](/mem/intune/user-help/enroll-your-device-in-intune-macos-cp).
- Make sure you have access to the [Microsoft Intune admin center](https://endpoint.microsoft.com/#home). - Create the user groups that you're going to assign the configuration updates to. - OPTIONAL: Install the v95+ Microsoft Edge browser on your macOS devices to have native Endpoint DLP support on Microsoft Edge.
compliance Microsoft 365 Compliance Center Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center-permissions.md
f1.keywords:
Previously updated : 04/28/2023 Last updated : 05/16/2023 audience: ITPro
The following Microsoft Purview compliance solutions support administrative unit
|**Solution**|**Configuration support**| |:--|:-|
-| [Data lifecycle management](data-lifecycle-management.md) | [Role groups, retention policies, and retention label policies](get-started-with-data-lifecycle-management.md#support-for-administrative-units) |
+| [Data lifecycle management](data-lifecycle-management.md) | [Role groups, retention policies and retention label policies](get-started-with-data-lifecycle-management.md#support-for-administrative-units), and [adaptive scopes](purview-adaptive-scopes.md) |
| [Data Loss Prevention (DLP)](/microsoft-365/compliance/dlp-learn-about-dlp) | Role groups and [DLP policies](/microsoft-365/compliance/dlp-create-deploy-policy) |
-| [Records management](records-management.md) | [Role groups, retention policies, and retention label policies](get-started-with-records-management.md#support-for-administrative-units)|
+| [Records management](records-management.md) | [Role groups, retention policies, retention label policies](get-started-with-records-management.md#support-for-administrative-units), and [adaptive scopes](purview-adaptive-scopes.md)|
| [Sensitivity labeling](/microsoft-365/compliance/sensitivity-labels) | [Role groups, sensitivity label policies, and auto-labeling policies](/microsoft-365/compliance/get-started-with-sensitivity-labels#support-for-administrative-units) |
-When you configure these solutions to use administrative units, the configuration automatically flows down to the following features:
+The configuration for administrative units automatically flows down to the following features:
- Alerts: [DLP](/microsoft-365/compliance/dlp-alerts-dashboard-get-started) alerts are visible only from users in assigned administrative units - [Activity explorer](data-classification-activity-explorer.md): Activity events are visible only from users in assigned administrative units-- [Adaptive scopes](purview-adaptive-scopes.md): When adaptive scopes are supported by a solution, restricted administrators can select, create, edit, and view adaptive scopes only from users in assigned administrative units
+- [Adaptive scopes](purview-adaptive-scopes.md):
+ - Restricted administrators can select, create, edit, and view adaptive scopes only for users in those administrators' assigned administrative units
+ - When a restricted administrator configures a policy that's using adaptive scopes, that administrator can only select adaptive scopes that are assigned to their administrative units
- Data lifecycle management and records management: - [Policy lookup](retention.md#policy-lookup): Restricted administrators will see policies only from users within their assigned administrative units - [Disposition review and verification](disposition.md): Restricted administrators will be able to add reviewers only from within their assigned administrative units, and see disposition reviews and items disposed only from users within their assigned administrative units
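Review bot: The two updated table rows word the same support differently: the Data lifecycle management row links "Role groups, retention policies and retention label policies", while the Records management row links "Role groups, retention policies, retention label policies". Use one phrasing and one link span for both rows. In the new Adaptive scopes sub-bullets, "only for users in those administrators' assigned administrative units" is hard to parse; "only for users in their assigned administrative units" matches the wording of the second sub-bullet.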
compliance Purview Adaptive Scopes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/purview-adaptive-scopes.md
f1.keywords:
Previously updated : 03/06/2023 Last updated : 05/16/2023 audience: Admin
description: Learn about Microsoft Purview adaptive scopes for policies.
# Adaptive scopes
-When you create a [communication compliance policy](/microsoft-365/compliance/communication-compliance-policies) or a policy for retention, you can create or add an adaptive scope for your policy. A single policy can have one or many adaptive scopes.
+When you create a [communication compliance policy](/microsoft-365/compliance/communication-compliance-policies) or a [policy for retention](retention.md#retention-policies-and-retention-labels), you can create or add an adaptive scope for your policy. A single policy can have one or many adaptive scopes.
- An adaptive scope uses a query that you specify, so you can define the membership of users or groups included in that query. These dynamic queries run daily against the attributes or properties that you specify for the selected scope. You can use one or more adaptive scopes with a single policy. - For example, you can assign different policy settings to users according to their department by using existing Azure AD attributes without the administrative overhead of creating and maintaining groups for this purpose.
The advantages of using adaptive scopes include:
- Powerful targeting for your policy requirements. For example, you can create an adaptive scope to define a custom distribution group for a specific policy. - Query-based scopes provide resilience against business changes that might not be reliably reflected in group membership or external processes that rely on cross-department communication. - A single policy can include locations for both Microsoft Teams and Yammer, whereas when you donΓÇÖt use an adaptive scope, each location requires its own policy.
+- Support for [Azure AD administrative units](/azure/active-directory/roles/administrative-units).
For specific advantages of using adaptive scopes specific to policies for retention, see [Learn about retention policies and retention labels](retention.md#adaptive-or-static-policy-scopes-for-retention).
The attribute names for users and groups are based on [filterable recipient prop
The attributes and properties listed in the table can be easily specified when you configure an adaptive scope by using the simple query builder. Additional attributes and properties are supported with the advanced query builder, as described in the following section.
-To configure an adaptive scope:
+### How to configure an adaptive scope
Before you configure your adaptive scope, use the previous section to identify what type of scope to create and what attributes and values you'll use. You might need to work with other administrators to confirm this information.
Specifically for SharePoint sites, there might be additional SharePoint configur
1. Sign into [Microsoft Purview compliance portal](https://compliance.microsoft.com/) using credentials for an admin account in your Microsoft 365 organization. 2. In the compliance portal, select **Roles and Scopes**. 3. Select **Adaptive scopes**, and then **+ Create scope**.
-4. Follow the prompts in the configuration to first select the type of scope, and then select the attributes or properties you want to use to build the dynamic membership, and type in the attribute or property values.
+4. Follow the prompts in the configuration where you'll first be asked to assign an administrative unit. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you must select one administrative unit that will restrict the scope membership.
+
+ > [!NOTE]
+ > Because administrative units don't yet support SharePoint sites, you won't be able to create an adaptive scope for SharePoint sites if you select administrative units.
+
+ If you don't want to restrict the adaptive scope by using administrative units, or your organization hasn't configured administrative units, keep the default of **Full directory**.
+
+5. Select the type of scope, and then select the attributes or properties you want to use to build the dynamic membership, and type in the attribute or property values.
For example, to configure an adaptive scope that will be used to identify users in Europe, first select **Users** as the scope type, and then select the **Country or region** attribute, and type in **Europe**:
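Review bot: Step 4 says an account with assigned administrative units must select one, and the note directly below says a SharePoint sites scope cannot be created once an administrative unit is selected. Taken together, restricted administrators cannot create SharePoint site scopes at all; say that directly in the note rather than leaving it to inference. The link anchor `#administrative-units-preview` also marks the feature as preview, which the step text does not mention.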
Specifically for SharePoint sites, there might be additional SharePoint configur
> - To exclude inactive mailboxes, make sure the query includes: `(IsInactiveMailbox -eq "False")` > - To target just inactive mailboxes, specify: `(IsInactiveMailbox -eq "True")`
-3. Create as many adaptive scopes as you need. You can select one or more adaptive scopes when you create your policy.
+6. Create as many adaptive scopes as you need. You can select one or more adaptive scopes when you create your policy.
> [!NOTE] > It can take up to five days for the queries to fully populate and changes will not be immediate. Factor in this delay by waiting a few days before you add a newly created scope to a policy.
security Add Or Remove Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags.md
Delegated (work or school account)|Machine.ReadWrite|'Read and write machine inf
## HTTP request ```http
-PATCH https://api.securitycenter.microsoft.com/api/machines/{id}/tags
+POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags
``` ## Request headers
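Review bot: Only the verb line in the HTTP request block changes from PATCH to POST. Check that the example request and any other mention of the method in the same article are updated in this commit too, so the page does not document two different verbs for the same endpoint.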
security Check Sensor Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md
Title: Check the health state of the sensor at Microsoft Defender for Endpoint
+ Title: Check the device health at Microsoft Defender for Endpoint
description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or aren't reporting sensor data. keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
- m365-security - tier2 Previously updated : 04/24/2018 Last updated : 05/16/2023 search.appverid: met150
-# Check sensor health state at Microsoft Defender for Endpoint
+# Check sevice health at Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
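Review bot: The new H1 reads "Check sevice health", a typo for "device"; the Title metadata changed in the same commit says "Check the device health". The description and keywords lines left as context still refer to "sensor health", so decide whether the rename is meant to cover them as well.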
search.appverid: met150
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-checksensor-abovefoldlink)
-The **Devices with sensor issues** tile provides information on the individual device's ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.
+The **Device health** tile provides information on the individual device's ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of devices that aren't reporting properly to the service: - **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service and might have configuration errors that need to be corrected. - **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service for more than seven days in the past month.
-Clicking any of the groups directs you to **Devices list**, filtered according to your choice.
+Clicking any of the groups directs you to **Device inventory**, filtered according to your choice.
-
-On **Devices list**, you can filter the health state list by the following status:
+On **Device inventory**, you can filter the health state list by the following status:
- **Active** - Devices that are actively reporting to the Defender for Endpoint service. - **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues:
You can also download the entire list in CSV format using the **Export** feature
> [!NOTE] > Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. You can view the device details when you click on a misconfigured or inactive device.
security Defender Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md
You must configure Security intelligence updates on the Defender for Endpoint de
If an onboarded device is protected by a third-party anti-malware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
-Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service. But, it won't perform scans and doesn't replace the running third-party anti-malware client.
+Microsoft Defender Antivirus will continue to receive updates, and the *msmpeng.exe* process will be listed as a running a service. But, it won't perform scans and doesn't replace the running third-party anti-malware client.
The Microsoft Defender Antivirus interface will be disabled. Users on the device won't be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
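Review bot: The process name is corrected to msmpeng.exe, but the same sentence still says "will be listed as a running a service". Change it to "listed as a running service" while this line is being touched.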
security Grant Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md
To implement a multi-tenant delegated access solution, take the following steps:
2. Create Defender for Endpoint roles for appropriate access levels in Customer Defender for Endpoint.
- To enable RBAC in the customer Microsoft 365 Defender portal, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
-
- :::image type="content" source="images/mssp-access.png" alt-text="MSSP access" lightbox="images/mssp-access.png":::
+ To enable RBAC in the customer Microsoft 365 Defender portal, access **Settings > Endpoints > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via "Assigned user groups".
security Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md
You can use Microsoft Intune to define and apply device tags. You can perform th
- In the [Create the profile](/mem/intune/configuration/custom-settings-configure) procedure, for step 3, choose either [macOS](/mem/intune/configuration/custom-settings-macos) or [Windows 10 and later](/mem/intune/configuration/custom-settings-windows-10), depending on the devices you want to tag. -- **For Windows 10 or later**, in the [OMA-IRU settings](/mem/intune/configuration/custom-settings-windows-10) section, for **Data type**, choose **String**. For **Value**, type (or paste) `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group`.
+- **For Windows 10 or later**, in the [OMA-IRU settings](/mem/intune/configuration/custom-settings-windows-10) section, for **Data type**, choose **String**. For **OMA-URI**, type (or paste) `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group`.
-- **For macOS**, follow the guidance in [Use custom settings for macOS devices in Microsoft Intune](/mem/intune/configuration/custom-settings-macos).
+- **For macOS**, follow the guidance in [Use custom settings for macOS devices in Microsoft Intune](/mem/intune/configuration/custom-settings-macos).
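Review bot: After the label change from Value to OMA-URI, the Windows bullet no longer says what goes in the Value field, so the step gives the setting path but not where the tag itself is entered. Add a sentence for Value, and fix the link text "OMA-IRU settings", which should read OMA-URI to match the field name used later in the same line.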
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
There are several methods and deployment tools that you can use to install and c
### System requirements The three most recent major releases of macOS are supported.-
+- 13 (Ventura), 12 (Monterey), 11 (Big Sur)
> [!IMPORTANT] > On macOS 11 (Big Sur) and above, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md). --- 13 (Ventura), 12 (Monterey), 11 (Big Sur)
+- Supported processors: x64 and ARM64 (M1 and M2).
- Disk space: 1GB Beta versions of macOS aren't supported.
-Support for macOS devices with M1 chip-based processors has been officially supported since version 101.40.84 of the agent.
- After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. ### Licensing requirements
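Review bot: Removing the sentence about agent version 101.40.84 drops the only minimum-version statement for M1 devices; the new "Supported processors: x64 and ARM64 (M1 and M2)" bullet carries no version. If older agents can still be deployed, keep the minimum agent version next to the processor bullet so administrators can verify coverage on ARM64 hardware.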
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Defender for Endpoint directly integrates with various Microsoft solutions, incl
With Microsoft 365 Defender, Defender for Endpoint, and various Microsoft security solutions, form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. -
-## Training for security analysts
-
-With this learning path from Microsoft Learn, you can understand Defender for Endpoint and how it can help prevent, detect, investigate, and respond to threats across your organization's endpoints ΓÇô your devices and systems.
-
-|Training:|Detect and respond to cyber attacks with Microsoft 365 Defender|
-|||
-|![Microsoft 365 Defender training icon.](../../media/microsoft-365-defender/m365-defender-secure-organization.svg)|Defender for Endpoint is an endpoint security solution that offers vulnerability management, endpoint protection, endpoint detection and response, mobile threat defense, and managed services in a single, unified platform.<p> 2 hr 25 min - Learning Path - 9 Modules|
-
-> [!div class="nextstepaction"]
-> [Start >](/training/paths/defender-endpoint-fundamentals/)
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 01/12/2023 Last updated : 05/11/2023 audience: ITPro
There are some minimum requirements for onboarding devices to the service. Learn
## Licensing requirements
-The standalone versions of [Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md), even when they're included as part of other Microsoft 365 plans, don't include server licenses. To onboard servers to those plans, you need either Microsoft Defender for Endpoint for Servers or Defender for Servers Plan 1 or Plan 2 as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).
+[Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md) (standalone or as part of other Microsoft 365 plans) don't include server licenses. To onboard servers to those plans, you need either Microsoft Defender for Cloud or Microsoft Defender for Business servers.
For information licensing requirements for Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint licensing information](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-defender-for-endpoint).
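Review bot: The replacement licensing sentence drops both links the old text carried, `/azure/defender-for-cloud/defender-for-cloud-introduction` and `onboard-windows-server.md`, and names "Microsoft Defender for Cloud or Microsoft Defender for Business servers" with no link at all, so a reader who needs to license servers has nowhere to go next. Link both product names and keep the pointer to the Windows Server onboarding article if it still applies. The old text also named specific server plans (Defender for Servers Plan 1 or Plan 2); state whether any Defender for Cloud plan qualifies or only those. The unchanged sentence that follows reads "For information licensing requirements" and is missing "about".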
security Anti Phishing Mdo Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-mdo-impersonation-insight.md
Admins can use the impersonation insight in the Microsoft 365 Defender portal to
- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection isn't enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md) and [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+- For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms).
+ ## Open the impersonation insight in the Microsoft 365 Defender portal In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Or, to go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
security Anti Phishing Protection Spoofing About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about.md
Spoofing messages have the following negative implications for users:
The following message is an example of phishing that uses the spoofed sender msoutlook94@service.outlook.com:
- ![Phishing message impersonating service.outlook.com.](../../media/1a441f21-8ef7-41c7-90c0-847272dc5350.jpg)
+ :::image type="content" source="../../media/1a441f21-8ef7-41c7-90c0-847272dc5350.jpg" alt-text="Phishing message impersonating service.outlook.com." lightbox="../../media/1a441f21-8ef7-41c7-90c0-847272dc5350.jpg":::
This message didn't come from service.outlook.com, but the attacker spoofed the **From** header field to make it look like it did. This was an attempt to trick the recipient into clicking the **change your password** link and giving up their credentials. The following message is an example of BEC that uses the spoofed email domain contoso.com:
- ![Phishing message - business email compromise.](../../media/da15adaa-708b-4e73-8165-482fc9182090.jpg)
+ :::image type="content" source="../../media/da15adaa-708b-4e73-8165-482fc9182090.jpg" alt-text="Phishing message - business email compromise." lightbox="../../media/da15adaa-708b-4e73-8165-482fc9182090.jpg":::
The message looks legitimate, but the sender is spoofed.
Spoofing messages have the following negative implications for users:
The following message is an example of a real password reset message from the Microsoft Security account:
- ![Microsoft legitimate password reset.](../../media/58a3154f-e83d-4f86-bcfe-ae9e8c87bd37.jpg)
+ :::image type="content" source="../../media/58a3154f-e83d-4f86-bcfe-ae9e8c87bd37.jpg" alt-text="Microsoft legitimate password reset." lightbox="../../media/58a3154f-e83d-4f86-bcfe-ae9e8c87bd37.jpg":::
The message really did come from Microsoft, but users have been conditioned to be suspicious. Because it's difficult to the difference between a real password reset message and a fake one, users might ignore the message, report it as spam, or unnecessarily report the message to Microsoft as phishing.
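Review bot: The unchanged closing sentence of this hunk, "Because it's difficult to the difference between a real password reset message and a fake one", is missing its verb; make it "difficult to tell the difference" while this section is being touched for the image conversion.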
security Anti Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md
You can configure anti-spam policies in the Microsoft 365 Defender portal or in
- High confidence phishing messages are still filtered. Other features in EOP aren't affected (for example, messages are always scanned for malware). - If you need to bypass spam filtering for SecOps mailboxes or phishing simulations, don't use mail flow rules. For more information, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](skip-filtering-phishing-simulations-sec-ops-mailboxes.md).
+- If you disagree with the verdict from anti-spam filtering, you can report the message to Microsoft as a false positive. For instructions, see [Report good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
+ ## Use the Microsoft 365 Defender portal to create anti-spam policies 1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
description: Admins can learn how to use Attack simulation training to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations. Previously updated : 5/8/2023 Last updated : 5/16/2023 # Get started using Attack simulation training
Watch this short video to learn more about Attack simulation training.
## What do you need to know before you begin? -- Attack simulation training requires a Microsoft 365 E5 or [Microsoft Defender for Office 365 Plan 2](defender-for-office-365.md) license.
+- Attack simulation training requires a Microsoft 365 E5 or [Microsoft Defender for Office 365 Plan 2](defender-for-office-365.md) license. For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms).
- To open the Microsoft 365 Defender portal, go to <https://security.microsoft.com>. Attack simulation training is available at **Email and collaboration** \> **Attack simulation training**. To go directly to Attack simulation training, use <https://security.microsoft.com/attacksimulator>.
Watch this short video to learn more about Attack simulation training.
> [!NOTE] > NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry will be available in these regions. We are working to enable the features and will notify our customers as soon as reported email telemetry becomes available. -- As of June 15 2021, Attack simulation training is available in GCC. If your organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training as described in this article. Attack simulation training isn't yet available in GCC High or DoD environments.
+- As of June 2021, Attack simulation training is available in GCC. If your organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training as described in this article. Attack simulation training isn't yet available in GCC High or DoD environments.
> [!NOTE] > Attack simulation training offers a subset of capabilities to E3 customers as a trial. The trial offering contains the ability to use a Credential Harvest payload and the ability to select 'ISA Phishing' or 'Mass Market Phishing' training experiences. No other capabilities are part of the E3 trial offering.
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
description: Admins can learn how to apply Standard and Strict policy settings a
search.appverid: met150 Previously updated : 3/3/2023 Last updated : 5/15/2023 # Preset security policies in EOP and Microsoft Defender for Office 365
Last updated 3/3/2023
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Preset security policies provide a centralized location for applying all of the recommended spam, malware, and phishing policies to users at once. The policy settings are not configurable. Instead, they are set by us and are based on our observations and experiences in the datacenters for a balance between keeping harmful content away from users and avoiding unnecessary disruptions.
+_Preset security policies_ allow you to apply protection features to users based on our recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on our observations in the datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions.
-The rest of this article describes preset security policies and how to configure them.
+Depending on your organization, preset security policies provide the protection features that are available in [Exchange Online Protection (EOP)](eop-about.md) and[Microsoft Defender for Office 365](microsoft-defender-for-office-365-product-overview.md).
-## What preset security policies are made of
+For details about the elements of preset security policies, see the [Appendix](#appendix) section at the end of this article.
-Preset security policies consist of the following elements:
--- Profiles-- Policies-- Policy settings-
-In addition, the order of precedence is important if multiple preset security policies and other policies apply to the same person.
-
-### Profiles in preset security policies
-
-A profile determines the level of protection. The following profiles are available:
--- **Standard protection**: A baseline protection profile that's suitable for most users.-- **Strict protection**: A more aggressive protection profile for selected users (high value targets or priority users).-
- for **Standard protection** and **Strict protection**, you use rules with conditions and exceptions to determine the internal recipients that the policy applies to (recipient conditions).
-
- The available conditions and exceptions are:
-
- - **Users**: The specified mailboxes, mail users, or mail contacts.
- - **Groups**:
- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
- - The specified Microsoft 365 Groups.
- - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
-
- You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
-
- > [!IMPORTANT]
- > Multiple different types of conditions or exceptions are not additive; they're inclusive. The preset security policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:
- >
- > - Users: romain@contoso.com
- > - Groups: Executives
- >
- > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.
- >
- > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
--- **Built-in protection** (Defender for Office 365 only): A profile that enables Safe Links and Safe Attachments protection only. This profile effectively provides default policies for Safe Links and Safe Attachments, which never had default policies.-
- For **Built-in protection**, the preset security policy is on by default for all Defender for Office 365 customers. You can also configure exceptions based on **Users**, **Groups**, and **Domains** so the protection isn't applied to specific users.
-
- > [!IMPORTANT]
- > Unless you configure exceptions to **Built-in protection**, all recipients in the organization will receive Safe Links and Safe Attachments protection.
-
-Until you assign the policies to users, the **Standard** and **Strict** preset security policies are assigned to no one. In contrast, the **Built-in protection** preset security policy is assigned to all recipients by default, but you can configure exceptions.
-
-### Policies in preset security policies
-
-Preset security policies use the corresponding policies from the various protection features in EOP and Microsoft Defender for Office 365. These policies are created _after_ you assign the **Standard protection** or **Strict protection** preset security policies to users. You can't modify the settings in these policies.
--- **Exchange Online Protection (EOP) policies**: These policies are in all Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes:-
- - [Anti-spam policies](anti-spam-policies-configure.md) named **Standard Preset Security Policy** and **Strict Preset Security Policy**.
- - [Anti-malware policies](anti-malware-policies-configure.md) named **Standard Preset Security Policy** and **Strict Preset Security Policy**.
- - [Anti-phishing policies (spoofing protection)](anti-phishing-policies-about.md#spoof-settings) named **Standard Preset Security Policy** and **Strict Preset Security Policy** (spoof settings).
-
- > [!NOTE]
- > Outbound spam policies are not part of preset security policies. The default outbound spam policy automatically protects members of preset security policies. Or, you can create custom outbound spam policies to customize the protection for members of preset security policies. For more information, see [Configure outbound spam filtering in EOP](outbound-spam-policies-configure.md).
--- **Microsoft Defender for Office 365 policies**: These policies are in organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:
- - Anti-phishing policies in Defender for Office 365 named **Standard Preset Security Policy** and **Strict Preset Security Policy**, which include:
- - The same [spoof settings](anti-phishing-policies-about.md#spoof-settings) that are available in the EOP anti-phishing policies.
- - [Impersonation settings](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)
- - [Advanced phishing thresholds](anti-phishing-policies-about.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365)
- - [Safe Links policies](safe-links-policies-configure.md) named **Standard Preset Security Policy**, **Strict Preset Security Policy**, and **Built-in Protection Policy**.
- - [Safe Attachments policies](safe-attachments-policies-configure.md) named **Standard Preset Security Policy**, **Strict Preset Security Policy**, and **Built-in Protection Policy**.
-
-You can apply EOP protections to different users than Defender for Office 365 protections, or you can apply EOP and Defender for Office 365 to the same recipients.
-
-### Policy settings in preset security policies
+The rest of this article how to configure preset security policies.
-You can't modify the policy settings in the protection profiles. The **Standard**, **Strict**, and **Built-in protection** policy setting values, including the [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy), are listed in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
-
-> [!NOTE]
-> In Defender for Office 365 protections, you need to identify the senders for [user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) and the internal or external domains for [domain impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
->
-> All domains that you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)) automatically receive domain impersonation protection in preset security policies.
->
-> All recipients automatically receive impersonation protection from [mailbox intelligence](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in preset security policies.
-
-### Order of precedence for preset security policies and other policies
-
-When multiple policies are applied to a user, the following order is applied from highest priority to lowest priority:
-
-1. Strict preset security policy.
-2. Standard preset security policy.
-3. Custom policies. Custom policies are applied based on the priority value of the policy.
-4. Built-in protection preset security policy for Safe Links and Safe Attachments; default policies for anti-malware, anti-spam, and anti-phishing.
-
-In other words, the settings of the **Strict** preset security policy override the settings of the **Standard** preset security policy, which overrides the settings from any custom policies, which override the settings of the **Built-in protection** preset security policy for Safe Links and Safe Attachments, and the default policies for anti-spam, anti-malware, and anti-phishing.
-
-For example, a security setting exists in **Standard protection** and an admin specifies a user for **Standard protection**. The **Standard protection** setting is applied to the user instead of what's configured for that setting in a custom policy or in the default policy for the same user.
-
-You might want to apply the **Standard** or **Strict** preset security policies to a subset of users, and apply custom policies to other users in your organization to meet specific needs. To meet this requirement, do the following steps:
--- Configure the users who should get the settings of the **Standard** preset security policy and custom policies as exceptions in the **Strict** preset security policy.-- Configure the users who should get the settings of custom policies as exceptions in the **Standard** preset security policy.-
-**Built-in protection** does not affect recipients in existing Safe Links or Safe Attachments policies. If you've already configured **Standard protection**, **Strict protection** or custom Safe Links or Safe Attachments policies, those policies are _always_ applied _before_ **Built-in protection**, so there's no impact to the recipients who are already defined in those existing preset or custom policies.
-
-## Assign preset security policies to users
-
-### What do you need to know before you begin?
+## What do you need to know before you begin?
- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
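Review bot: The links to `#policies-in-preset-security-policies` in steps 3 and 4 of the procedure lose their target here, because the "### Policies in preset security policies" heading is among the removed lines, and the new intro points to `#appendix`, which is not visible in this change. Confirm that the Appendix exists and re-creates that heading with the same title, or update the links. The same removal takes the order of precedence (Strict, then Standard, then custom policies, then Built-in protection and the defaults) and the warning about Built-in protection exceptions out of the body, so the Appendix needs to carry both. Two text defects in the added lines: "and[Microsoft Defender for Office 365]" needs a space after "and", and "The rest of this article how to configure preset security policies" needs a verb such as "describes".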
You might want to apply the **Standard** or **Strict** preset security policies
- _Read-only access to preset security policies_: Membership in the **Global Reader** role group. - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
-### Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users
+## Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section. Or, to go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section. To go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
+2. If this is your first time on the **Preset security policies** page, it's likely that **Standard protection** and **Strict protection** are turned off :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::.
-2. On the **Preset security policies** page, click **Manage** in the **Standard protection** or **Strict protection** sections.
+ Slide the toggle of the one you want to configure to :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::, and then select **Manage protection settings** to start the configuration wizard.
-3. The **Apply Standard protection** or **Apply Strict protection** wizard starts in a flyout.
+3. On the **Apply Exchange Online Protection** page, identify the internal recipients that the [EOP protections](#policies-in-preset-security-policies) apply to (recipient conditions):
- On the **Apply Exchange Online Protection** page, identify the internal recipients that the [EOP protections](#policies-in-preset-security-policies) apply to (recipient conditions):
- **All recipients**
- - **Specific recipients**:
- - **Users**
+
+ - **Specific recipients**: Configure one of the following settings that appears:
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
- **Groups**:
- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
+ - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
- The specified Microsoft 365 Groups.
- - **Domains**
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
+
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.
- For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
+ Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
+
+ > [!IMPORTANT]
+ > Multiple different types of conditions or exceptions aren't additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:
+ >
+ > - Users: romain@contoso.com
+ > - Groups: Executives
+ >
+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy isn't applied to him.
+ >
+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy isn't applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
- **None**
- - **Exclude these recipients**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
+ - **Exclude these recipients**: If you selected **All recipients** or **Specific recipients**, select this option and configure the recipient exceptions. The settings and behavior are exactly like the recipient conditions.
- When you're finished, click **Next**.
+ When you're finished on the **Apply Exchange Online Protection** page, select **Next**.
> [!NOTE]
- > In organizations without Defender for Office 365, clicking **Next** takes you to the **Review** page. The remaining steps/pages before the **Review** page are available only in organizations with Defender for Office 365.
+ > In organizations without Defender for Office 365, selecting **Next** takes you to the **Review** page (Step 9).
4. On the **Apply Defender for Office 365 protection** page, identify the internal recipients that the [Defender for Office 365 protections](#policies-in-preset-security-policies) apply to (recipient conditions).
- The settings and behavior are exactly like the **EOP protections apply to** page in the previous step.
+ The settings and behavior are exactly like the **Apply Exchange Online Protection** page in the previous step.
You can also select **Previously selected recipients** to use the same recipients that you selected for EOP protection on the previous page.
- When you're finished, click **Next**.
+ When you're finished on the **Apply Defender for Office 365 protection** page, select **Next**.
-5. On the **Impersonation protection** page, click **Next**.
+5. On the **Impersonation protection** page, select **Next**.
6. On the **Add email addresses to flag when impersonated by attackers** page, add internal and external senders who are protected by [user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
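Review bot: "Configure one of the following settings that appears" under **Specific recipients** contradicts the paragraph added a few lines later, which says different conditions combine with AND logic and walks through a Users plus Groups example; reword it to "one or more of the following settings". The note "takes you to the **Review** page (Step 9)" hard-codes a step number that goes stale as soon as a step is added or removed; naming the page is enough.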
You might want to apply the **Standard** or **Strict** preset security policies
> > You can specify a maximum of 350 users for user impersonation protection in the Standard or Strict preset security policy. >
- > User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.
+ > User impersonation protection doesn't work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.
+
+ Each entry consists of a display name and an email address:
- Each entry consists of a display name and an email address. Enter each value in the boxes and then click **Add**. Repeat this step as many times as necessary.
+ - **Internal users**: Click in the **Add a valid email** box or start typing the user's email address. Select the email address in the **Suggested contacts** drop down list that appears. The user's display name is added to the **Add a name** box (which you can change). When you're finished selecting the user, select **Add**.
- To remove an existing entry from the list, click ![Remove user from impersonation protection icon.](../../media/m365-cc-sc-remove.png).
+ - **External users**: Type the external user's full email address in the **Add a valid email** box, and then select the email address in the **Suggested contacts** drop down list that appears. The email address is also added in the **Add a name** box (which you can change to a display name).
- When you're finished, click **Next**.
+ Repeat these steps as many times as necessary.
+
+ The users you added are listed on the page by **Display name** and **Sender email address**. To remove a user, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: next to the entry.
+
+ Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find entries on the page.
+
+ When you're finished on the **Apply Defender for Office 365 protection** page, select **Next**.
7. On the **Add domains to flag when impersonated by attackers** page, add internal and external domains that are protected by [domain impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
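Review bot: The closing line added to step 6 names the wrong page: "When you're finished on the **Apply Defender for Office 365 protection** page, select **Next**" is the step 4 wording, while step 6 is the **Add email addresses to flag when impersonated by attackers** page. Also, the **External users** bullet ends without telling the reader to select **Add**, unlike the **Internal users** bullet; add that instruction if the action is required for both.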
You might want to apply the **Standard** or **Strict** preset security policies
> > You can specify a maximum of 50 custom domains for domain impersonation protection in the Standard or Strict preset security policy.
- All senders in the specified domains are protected by domain impersonation protection.
+ Click in the **Add domains** box, enter a domain value, press the ENTER key or select the value that's displayed below the box. To remove a domain from the box and start over, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the domain. When you're ready to add the domain, select **Add**. Repeat this step as many times as necessary.
- Enter the domain in the box, and then click **Add**. Repeat this step as many times as necessary.
+ The domains you added are listed on the page. To remove the domain, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
- To remove an existing entry from the list, select the entry, and then click ![Remove domain from impersonation protection icon.](../../media/m365-cc-sc-remove.png).
+ The domains you added are listed on the page. To remove a domain, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: next to the entry.
- When you're finished, click **Next**.
+ To remove an existing entry from the list, select :::image type="icon" source="../../media/m365-cc-sc-remove.png" border="false"::: next to the entry.
-8. On the **Add trusted email addresses and domains to not flag as impersonation** page, enter the sender email addresses and domains that you want excluded from impersonation protection. Messages from these senders will never be flagged as an impersonation attack, but the senders are still subject to scanning by other filters in EOP and Defender for Office 365.
+ When you're finished on the **Add domains to flag when impersonated by attackers**, select **Next**.
+
+8. On the **Add trusted email addresses and domains to not flag as impersonation** page, enter the sender email addresses and domains that you to exclude from impersonation protection. Messages from these senders are never flagged as an impersonation attack, but the senders are still subject to scanning by other filters in EOP and Defender for Office 365.
> [!NOTE] > Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.
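Review bot: The added step 8 text reads "domains that you to exclude from impersonation protection", which drops the verb; it should be "that you want to exclude". In the same group, the new closing sentence for step 7, "When you're finished on the **Add domains to flag when impersonated by attackers**, select **Next**", is missing the word "page" after the page title, unlike the matching sentences added for steps 8 and 9. Two of the added lines also both begin "The domains you added are listed on the page" but point at different icon files (`m365-cc-sc-remove-selection-icon.png` and `m365-cc-sc-close-icon.png`), so it is worth confirming which icon the portal shows next to a list entry.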
- Enter the email address or domain in the box, and then click **Add**. Repeat this step as many times as necessary.
+ Enter the email address or domain in the box, and then press the ENTER key or select the value that's displayed below the box. To remove a value from the box and start over, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value. When you're ready to add the user or domain, select **Add**. Repeat this step as many times as necessary.
- To remove an existing entry from the list, select the entry, and then click ![Remove exceptions to impersonation protection icon.](../../media/m365-cc-sc-remove.png).
+ The users and domains you added are listed on the page by **Name** and **Type**. To remove an entry, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: next to the entry.
- When you're finished, click **Next**.
+ When you're finished on the **Add trusted email addresses and domains to not flag as impersonation** page, select **Next**.
-9. On the **Review and confirm this policy** page, verify your selections, and then click **Confirm**.
+9. On the **Review and confirm your changes** page, review your settings. You can select **Back** or the specific page in the wizard to modify the settings.
-### Use the Microsoft 365 Defender portal to modify the assignments of Standard and Strict preset security policies
+ When you're finished on the **Review and confirm your changes** page, select **Confirm**.
-The steps to modify the assignment of the **Standard protection** or **Strict protection** preset security policy are the same as when you initially [assigned the preset security policies to users](#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+10. On the **Standard protection updated** or **Strict protection updated** page, select **Done**.
-To disable the **Standard protection** or **Strict protection** preset security policies while still preserving the existing conditions and exceptions, slide the toggle to **Disabled** ![Toggle Off.](../../media/scc-toggle-off.png). To enable the policies, slide the toggle to **Enabled** ![Toggle On](../../media/scc-toggle-on.png).
+## Use the Microsoft 365 Defender portal to modify the assignments of Standard and Strict preset security policies
-### Use the Microsoft 365 Defender portal to modify the assignments of the Built-in protection preset security policy
+The steps to modify the assignment of the **Standard protection** or **Strict protection** preset security policy are the same as when you initially [assigned the preset security policies to users](#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
-Remember, the **Built-in protection** preset security policy is assigned to all recipients, and doesn't affect recipients who are defined in the **Standard protection** or **Strict protection** preset security policies, or custom Safe Links or Safe Attachments policies.
+To disable the **Standard protection** or **Strict protection** preset security policies while still preserving the existing conditions and exceptions, slide the toggle to :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::. To enable the policies, slide the toggle to :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
-Therefore, we typically don't recommend exceptions to the **Built-in protection** preset security policy.
+## Use the Microsoft 365 Defender portal to add exclusions to the Built-in protection preset security policy
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section. To go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
+> [!TIP]
+> The **Built-in protection** preset security policy is assigned to all recipients, and doesn't affect recipients who are defined in the **Standard** or **Strict** preset security policies, or in custom Safe Links or Safe Attachments policies. Therefore, we typically don't recommend exceptions to the **Built-in protection** preset security policy.
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section. Or, to go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
2. On the **Preset security policies** page, select **Add exclusions (not recommended)** in the **Built-in protection** section.
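Review bot: In the added toggle sentence, the state names **Disabled** and **Enabled** from the removed line are gone, so "slide the toggle to" is now followed only by an icon that carries no alt text. Keep the state name next to each icon so the step still reads correctly in a screen reader or when the image fails to load. The heading for the Built-in protection section also changes from "modify the assignments of" to "add exclusions to", which changes its anchor; check for links that still target the old heading.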
-3. On the **Exclude from Built-in protection** flyout that appears, identify the internal recipients that are excluded from the built-in Safe Links and Safe Attachments protection:
+3. In the **Exclude from Built-in protection** flyout that opens, identify the internal recipients that are excluded from the built-in Safe Links and Safe Attachments protection:
- **Users** - **Groups**:
- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
+ - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
- The specified Microsoft 365 Groups. - **Domains**
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove exclusions from Built-in protection icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ Click in the appropriate box, start typing a value, and then select the value that's displayed below the box. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
- When you're finished, click **Save**.
+ > [!IMPORTANT]
+ > Multiple different types of exceptions aren't additive; they're inclusive. The policy isn't applied _only_ if those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter exception with the following values:
+ >
+ > - Users: romain@contoso.com
+ > - Groups: Executives
+ >
+ > The policy isn't applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
-### How do you know these procedures worked?
+4. When you're finished in the **Exclude from Built-in protection** flyout, select **Save**.
+
+## How do you know these procedures worked?
To verify that you've successfully assigned the **Standard protection** or **Strict protection** security policy to a user, use a protection setting where the default value is different than the **Standard protection** setting, which is different that the **Strict protection** setting.
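Review bot: The first sentence of the added [!IMPORTANT] note, "The policy isn't applied _only_ if those recipients that match _all_ of the specified recipient filters", does not parse. Going by the romain@contoso.com example that follows it, the intended meaning is that a recipient is excluded only when they match every specified exception type, so wording such as "A recipient is excluded from the policy _only_ if they match _all_ of the specified recipient filters" would state it directly. The wording matters here because an admin who reads the exception types as additive will assume a user is excluded from Built-in protection when the policy still applies to them, or the reverse.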
Or, for [bulk mail](anti-spam-bulk-complaint-level-bcl-about.md), verify that th
In PowerShell, preset security policies consist of the following elements: -- **Individual security policies**: For example, anti-malware policies, anti-spam policies, anti-phishing policies, Safe Links policies, and Safe Attachments policies.
+- **Individual security policies**: For example, anti-malware policies, anti-spam policies, anti-phishing policies, Safe Links policies, and Safe Attachments policies. These policies are visible using the standard policy management cmdlets in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
+ - <u>EOP policies</u>:
+ - **[Get-AntiPhishPolicy](/powershell/module/exchange/get-antiphishpolicy)**
+ - **[Get-HostedContentFilterPolicy](/powershell/module/exchange/get-hostedcontentfilterpolicy)** (anti-spam policies)
+ - **[Get-MalwareFilterPolicy](/powershell/module/exchange/get-malwarefilterpolicy)**
+ - <u>Defender for Office 365 policies</u>:
+ - **[Get-SafeAttachmentPolicy](/powershell/module/exchange/get-safeattachmentpolicy)**
+ - **[Get-SafeLinksPolicy](/powershell/module/exchange/get-safesafelinkspolicy)**
> [!WARNING] > Do not attempt to create, modify, or remove the individual security policies that are associated with preset security policies. The only supported method for creating the individual security policies for Standard or Strict preset security policies is to turn on the preset security policy in the Microsoft 365 Defender portal for the first time. -- **Rules**: Separate rules for the Standard preset security policy, the Strict preset security policy, and the Built-in protection preset security policy define the recipient conditions and exceptions for the policies (identify the recipients that the protections of the policy apply to).-
- For the Standard and Strict preset security policies, these rules are created the first time you turn on the preset security policy in the Microsoft 365 Defender portal. If you've never turned on the preset security policy, the associated rules don't exist. Subsequently turning off the preset security policy does not delete the associated rules.
-
- The Built-in protection preset security policy has a single rule that controls exceptions to the default Safe Links and Safe Attachments protection of the policy.
-
- The Standard and Strict preset security policies have the following rules:
-
- - **Rules for Exchange Online Protection (EOP) protections**: The rule for the Standard Preset security policy and the rule for the Strict preset security policy controls who the EOP protections in the policy (anti-malware, anti-spam, and anti-phishing) apply to (the recipient conditions and exceptions for EOP protections).
- - **Rules for Defender for Office 365 protections**: The rule for the Standard Preset security policy and the rule for the Strict preset security policy controls who the Defender for Office 365 protections in the policy (Safe Links and Safe Attachments) apply to (the recipient conditions and exceptions for Defender for Office 365 protections).
-
- The rules for Standard and Strict preset security policies also allow you to turn on or turn of the preset security policy by enabling or disabling the rules that are associated with the policies.
-
- The rules for preset security policies are not available to the regular rule cmdlets that work for individual security policies (for example, **Get-AntiPhishRule**). Instead, the following cmdlets are required:
-
- - Built-in protection preset security policy: **\*-ATPBuiltInProtectionRule** cmdlets.
- - Standard and strict preset security policies: **\*-EOPProtectionPolicyRule** and **\*-ATPProtectionPolicyRule** cmdlets.
+- **Rules**: Separate rules are used for the Standard preset security policy, the Strict preset security policy, and the Built-in protection preset security policy. The rules define the recipient conditions and exceptions for the policies (who the policies apply to). You manage these rules using the following cmdlets in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
+ - <u>Rules for Exchange Online Protection (EOP) protections</u>:
+ - **[Disable-EOPProtectionPolicyRule](/powershell/module/exchange/disable-eopprotectionpolicyrule)**
+ - **[Enable-EOPProtectionPolicyRule](/powershell/module/exchange/enable-eopprotectionpolicyrule)**
+ - **[Get-EOPProtectionPolicyRule](/powershell/module/exchange/get-eopprotectionpolicyrule)**
+ - **[New-EOPProtectionPolicyRule](/powershell/module/exchange/new-eopprotectionpolicyrule)**
+ - **[Set-EOPProtectionPolicyRule](/powershell/module/exchange/set-eopprotectionpolicyrule)**
+ - <u>Rules for Defender for Office 365 protections</u>:
+ - **[Disable-ATPProtectionPolicyRule](/powershell/module/exchange/disable-atpprotectionpolicyrule)**
+ - **[Enable-ATPProtectionPolicyRule](/powershell/module/exchange/enable-atpprotectionpolicyrule)**
+ - **[Get-ATPProtectionPolicyRule](/powershell/module/exchange/get-atpprotectionpolicyrule)**
+ - **[New-ATPProtectionPolicyRule](/powershell/module/exchange/new-atpprotectionpolicyrule)**
+ - **[Set-ATPProtectionPolicyRule](/powershell/module/exchange/set-atpprotectionpolicyrule)**
+ - <u>The rule for the Build-in protection preset security policy</u>:
+ - **[Get-ATPBuiltInProtectionRule](/powershell/module/exchange/get-atpbuiltinprotectionrule)**
+ - **[New-ATPBuiltInProtectionRule](/powershell/module/exchange/new-atpbuiltinprotectionrule)**
+ - **[Set-ATPBuiltInProtectionRule](/powershell/module/exchange/set-atpbuiltinprotectionrule)**
+
+ For the Standard and Strict preset security policies, these rules are created the first time you turn on the preset security policy in the Microsoft 365 Defender portal. If you never turned on the preset security policy, the associated rules don't exist. Turning off the preset security policy doesn't delete the associated rules.
The following sections describe how to use these cmdlets in **supported scenarios**.
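Review bot: The link target added for **Get-SafeLinksPolicy** is `/powershell/module/exchange/get-safesafelinkspolicy`, with "safe" doubled; every other entry in the list uses the cmdlet name as the slug, so this one should be `/powershell/module/exchange/get-safelinkspolicy`. In the rules list, the added sub-heading "The rule for the Build-in protection preset security policy" should read "Built-in".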
To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerS
Remember, if you never turned on the Standard preset security policy or the Strict preset security policy in the Microsoft 365 Defender portal, the associated security policies for the preset security policy don't exist.
-> [!WARNING]
-> Do not attempt to create, modify, or remove the individual security policies that are associated with preset security policies. The only supported method for creating the individual security policies for Standard or Strict preset security policies is to turn on the preset security policy in the Microsoft 365 Defender portal for the first time.
- - **Built-in protection preset security policy**: The associated policies are named Built-In Protection Policy. The IsBuiltInProtection property value is True for these policies. To view the individual security policies for the Built-in protection preset security policy, run the following command:
Remember, if you never turned on the Standard preset security policy or the Stri
Write-Output -InputObject ("`r`n"*3),"Built-in protection Safe Attachments policy",("-"*79);Get-SafeAttachmentPolicy -Identity "Built-In Protection Policy" | Format-List; Write-Output -InputObject ("`r`n"*3),"Built-in protection Safe Links policy",("-"*79);Get-SafeLinksPolicy -Identity "Built-In Protection Policy" | Format-List ``` -- **Standard preset security policy**: The associated policies are named `Standard Preset Security Policy<13-digit number>`. For example, `Standard Preset Security Policy1622650008019`. The RecommendPolicyType property value is Standard.-
- - **Organizations without Defender for Microsoft 365**:
+- **Standard preset security policy**: The associated policies are named `Standard Preset Security Policy<13-digit number>`. For example, `Standard Preset Security Policy1622650008019`. The RecommendPolicyType property value for the policies is Standard.
- To view the individual security policies for the Standard preset security policy in organizations without Defender for Microsoft 365, run the following command:
+ - To view the individual security policies for the Standard preset security policy in organizations with **EOP only**, run the following command:
```powershell Write-Output -InputObject ("`r`n"*3),"Standard anti-malware policy",("-"*79);Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard anti-spam policy",("-"*79);Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard" ```
- - **Organizations with Defender for Microsoft 365**:
-
- To view the individual security policies for the Standard preset security policy in organizations with Defender for Microsoft 365, run the following command:
+ - To view the individual security policies for the Standard preset security policy in organizations with **Defender for Office 365**, run the following command:
```powershell Write-Output -InputObject ("`r`n"*3),"Standard anti-malware policy",("-"*79);Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard anti-spam policy",("-"*79);Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard Safe Attachments policy",("-"*79);Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard Safe Links policy",("-"*79);Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard" ``` -- **Strict preset security policy**: The associated policies are named `Strict Preset Security Policy<13-digit number>`. For example, `Strict Preset Security Policy1642034872546`. The RecommendPolicyType property value is Strict.-
- - **Organizations without Defender for Microsoft 365**:
+- **Strict preset security policy**: The associated policies are named `Strict Preset Security Policy<13-digit number>`. For example, `Strict Preset Security Policy1642034872546`. The RecommendPolicyType property value for the policies is Strict.
- - To view the individual security policies for the Strict preset security policy in organizations without Defender for Microsoft 365, run the following command:
+ - To view the individual security policies for the Strict preset security policy in organizations with **EOP only**, run the following command:
- ```powershell
- Write-Output -InputObject ("`r`n"*3),"Strict anti-malware policy",("-"*79);Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-spam policy",("-"*79);Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
- ```
-
- - **Organizations with Defender for Microsoft 365**:
+ ```powershell
+ Write-Output -InputObject ("`r`n"*3),"Strict anti-malware policy",("-"*79);Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-spam policy",("-"*79);Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
+ ```
- - To view the individual security policies for the Strict preset security policy in organizations with Defender for Microsoft 365, run the following command:
+ - To view the individual security policies for the Strict preset security policy in organizations with **Defender for Office 365**, run the following command:
```powershell Write-Output -InputObject ("`r`n"*3),"Strict anti-malware policy",("-"*79);Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-spam policy",("-"*79);Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict Safe Attachments policy",("-"*79);Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict Safe Links policy",("-"*79);Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict" ```- ### Use PowerShell to view rules for preset security policies Remember, if you never turned on the Standard preset security policy or the Strict preset security policy in the Microsoft 365 Defender portal, the associated rules for those policies don't exist. -- **Built-in protection preset security policy**: The associated rule is named ATP Built-In Protection Rule.
+- **Built-in protection preset security policy**: There's only one rule named ATP Built-In Protection Rule.
To view the rule that's associated with the Built-in protection preset security policy, run the following command:
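Review bot: The added bullets for the Standard and Strict preset security policies name the property "RecommendPolicyType", but every command in this hunk filters on `RecommendedPolicyType`. Use the spelling from the commands in the prose as well, so that a reader who copies the property name into a `Where-Object` filter gets a match instead of an empty result that looks like the policies don't exist.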
Remember, if you never turned on the Standard preset security policy or the Stri
Get-ATPBuiltInProtectionRule ```
- For detailed syntax and parameter information, see [Get-ATPBuiltInProtectionRule](/powershell/module/exchange/get-atpbuiltinprotectionrule).
- - **Standard preset security policy**: The associated rules are named Standard Preset Security Policy. Use the following commands to view the rules that are associated with the Standard preset security policy:
- - To view the rule that's associated with EOP protections in the Standard preset security policy, run the following command:
+ - To view the rule that's associated with **EOP protections** in the Standard preset security policy, run the following command:
```powershell Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" ```
- - To view the rule that's associated with Defender for Office 365 protections in the Standard preset security policy, run the following command:
+ - To view the rule that's associated with **Defender for Office 365 protections** in the Standard preset security policy, run the following command:
```powershell Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" ```
- - To view both rules at the same time, run the following command:
+ - To view **both rules** at the same time, run the following command:
```powershell Write-Output -InputObject ("`r`n"*3),"EOP rule - Standard preset security policy",("-"*79);Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Write-Output -InputObject ("`r`n"*3),"Defender for Office 365 rule - Standard preset security policy",("-"*79);Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Remember, if you never turned on the Standard preset security policy or the Stri
Use the following commands to view the rules that are associated with the Strict preset security policy:
- - To view the rule that's associated with EOP protections in the Strict preset security policy, run the following command:
+ - To view the rule that's associated with **EOP protections** in the Strict preset security policy, run the following command:
```powershell Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" ```
- - To view the rule that's associated with Defender for Office 365 protections in the Strict preset security policy, run the following command:
+ - To view the rule that's associated with **Defender for Office 365 protections** in the Strict preset security policy, run the following command:
```powershell Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" ```
- - To view both rules at the same time, run the following command:
+ - To view **both rules** at the same time, run the following command:
```powershell Write-Output -InputObject ("`r`n"*3),"EOP rule - Strict preset security policy",("-"*79);Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Write-Output -InputObject ("`r`n"*3),"Defender for Office 365 rule - Strict preset security policy",("-"*79);Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" ```
-For detailed syntax and parameter information, see [Get-EOPProtectionPolicyRule](/powershell/module/exchange/get-eopprotectionpolicyrule) and [Get-ATPProtectionPolicyRule](/powershell/module/exchange/get-atpprotectionpolicyrule).
- ### Use PowerShell to turn on or turn off preset security policies
-As described earlier, To turn on or turn off the Standard or Strict preset security policies, you enable or disable the rules that are associated with policy. The State property value of the rule shows whether the rule is Enabled or Disabled.
-
-Depending on whether your organization has Defender for Office 365, you might need to enable or disable one rule (the rule for EOP protections) or two rules (one rule for EOP protections, and one rule for Defender for Office 365 protections) to turn on or turn off the preset security policy.
--- **Standard preset security policy**:-
- - **Organizations without Defender for Office 365**:
-
- - In organizations without Defender for Office 365, run the following command to determine whether the rule for the Standard preset policy is currently enabled or disabled:
-
- ```powershell
- Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State
- ```
+To turn on or turn off the Standard or Strict preset security policies in PowerShell, enable or disable the rules that are associated with policy. The State property value of the rule shows whether the rule is Enabled or Disabled.
- - Run the following command to turn off the Standard preset security policy if it's turned on:
+If your organization has EOP only, you disable or enable the rule for EOP protections.
- ```powershell
- Disable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
- ```
+If your organization has Defender for Office 365, you enable or disable the rule for EOP protections and the rule for Defender for Office 365 protections (enable or disable both rules).
- - Run the following command to turn on the Standard preset security policy if it's turned off:
+- **Organizations with EOP only**:
- ```powershell
- Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
- ```
+ - Run the following command to determine whether the rules for the Standard and Strict preset security policies are currently enabled or disabled:
- - **Organizations with Defender for Office 365**:
-
- - In organizations with Defender for Office 365, run the following command to determine whether the rules for the Standard preset policy are currently enabled or disabled:
-
- ```powershell
- Write-Output -InputObject ("`r`n"*3),"EOP rule - Standard preset security policy",("-"*63);Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject `r`n,"Defender for Office 365 rule - Standard preset security policy",("-"*63);Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State
- ```
-
- - Run the following command to turn off the Standard preset security policy if it's turned on:
+ ```powershell
+ Write-Output -InputObject ("`r`n"*3),"EOP protection rule",("-"*50); Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject ("`r`n"*3),"EOP protection rule",("-"*50); Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State
+ ```
- ```powershell
- Disable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
- ```
+ - Run the following command to turn off the Standard preset security policy if it's turned on:
- - Run the following command to turn on the Standard preset security policy if it's turned off:
+ ```powershell
+ Disable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
+ ```
- ```powershell
- Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
- ```
+ - Run the following command to turn off the Strict preset security policy if it's turned on:
-- **Strict preset security policy**:
+ ```powershell
+ Disable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
+ ```
- - **Organizations without Defender for Office 365**:
+ - Run the following command to turn on the Standard preset security policy if it's turned off:
- - In organizations with Defender for Office 365, run the following command to determine whether the rule for the Strict preset policy is currently enabled or disabled:
+ ```powershell
+ Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
+ ```
- ```powershell
- Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State
- ```
+ - Run the following command to turn on the Strict preset security policy if it's turned off:
- - Run the following command to turn off the Strict preset security policy if it's turned on:
+ ```powershell
+ Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
+ ```
- ```powershell
- Disable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
- ```
+- **Organizations with Defender for Office 365**:
- - Run the following command to turn on the Strict preset security policy if it's turned off:
+ - Run the following command to determine whether the rules for the Standard and Strict preset security policies are currently enabled or disabled:
- ```powershell
- Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
- ```
+ ```powershell
+ Write-Output -InputObject ("`r`n"*3),"EOP protection rule",("-"*50);Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject `r`n,"Defender for Office 365 protection rule",("-"*50);Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject ("`r`n"*3),"EOP protection rule",("-"*50);Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject `r`n,"Defender for Office 365 protection rule",("-"*50);Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State
+ ```
- - **Organizations with Defender for Office 365**:
+ - Run the following command to turn off the Standard preset security policy if it's turned on:
- - In organizations with Defender for Office 365, run the following command to determine whether the rules for the Strict preset policy are currently enabled or disabled:
+ ```powershell
+ Disable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
+ ```
- ```powershell
- Write-Output -InputObject ("`r`n"*3),"EOP rule - Strict preset security policy",("-"*63);Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject `r`n,"Defender for Office 365 rule - Strict preset security policy",("-"*63);Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State
- ```
+ - Run the following command to turn off the Strict preset security policy if it's turned on:
- - Run the following command to turn off the Strict preset security policy if it's turned on:
+ ```powershell
+ Disable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"
+ ```
- ```powershell
- Disable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"
- ```
+ - Run the following command to turn on the Standard preset security policy if it's turned off:
- - Run the following command to turn on the Strict preset security policy if it's turned off:
+ ```powershell
+ Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
+ ```
- ```powershell
- Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
- ```
+ - Run the following command to turn on the Strict preset security policy if it's turned off:
-For detailed syntax and parameter information, see [Enable-EOPProtectionPolicyRule](/powershell/module/exchange/enable-eopprotectionpolicyrule), [Enable-ATPProtectionPolicyRule](/powershell/module/exchange/enable-atpprotectionpolicyrule), [Disable-EOPProtectionPolicyRule](/powershell/module/exchange/disable-eopprotectionpolicyrule), and [Disable-ATPProtectionPolicyRule](/powershell/module/exchange/disable-atpprotectionpolicyrule).
+ ```powershell
+ Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Enable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"
+ ```
### Use PowerShell to specify recipient conditions and exceptions for preset security policies > [!IMPORTANT]
- > Multiple different types of conditions or exceptions are not additive; they're inclusive. The preset security policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:
+ > Multiple different types of conditions or exceptions aren't additive; they're inclusive. The preset security policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:
> > - Users: romain@contoso.com > - Groups: Executives >
- > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.
+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy isn't applied to him.
>
- > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy isn't applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
-For the Built-in protection preset security policy, you can only specify recipient exceptions. If all exception parameter values are empty (`$null`), there are no exceptions to the policy.
+For the Built-in protection preset security policy, you can specify only recipient exceptions. If all exception parameter values are empty (`$null`), there are no exceptions to the policy.
For the Standard and Strict preset security policies, you can specify recipient conditions and exceptions for EOP protections and Defender for Office 365 protections. If all of conditions and exception parameter values are empty (`$null`), there are no recipient conditions or exceptions to the Standard or Strict preset security policies.
-Even if there are no recipient conditions or exceptions applied to a preset security policy, whether the policy is applied to all recipients depends on the [the order of precedence for policies](#order-of-precedence-for-preset-security-policies-and-other-policies) as previously described in this article.
- - **Built-in protection preset security policy**: Use the following syntax:
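Review bot: In the added one-line status command, the Standard and Strict sections print the same two headings, `"EOP protection rule"` and `"Defender for Office 365 protection rule"`, so only the Name column tells the four tables apart; the removed command labelled its output `"EOP rule - Strict preset security policy"`. Consider putting the policy name back into each heading. Also, the removed sentence that linked to the Enable-EOPProtectionPolicyRule, Enable-ATPProtectionPolicyRule, Disable-EOPProtectionPolicyRule and Disable-ATPProtectionPolicyRule reference pages has no added counterpart in these lines; if it was not moved elsewhere, keep it after the last command.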
Even if there are no recipient conditions or exceptions applied to a preset secu
This example configures exceptions from the Defender for Office 365 protections in the Strict preset security policy for the specified security operations (SecOps) mailboxes. ```powershell
- Set-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" -ExceptIfSentTo "SecOps1","SecOps2"
+ Set-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" -ExceptIfSentTo "SecOps1","SecOps2"
``` For detailed syntax and parameter information, see [Set-EOPProtectionPolicyRule](/powershell/module/exchange/set-eopprotectionpolicyrule) and [Set-ATPProtectionPolicyRule](/powershell/module/exchange/Set-atpprotectionpolicyrule).+
+## Appendix
+
+Preset security policies consist of the following elements:
+
+- [Profiles](#profiles-in-preset-security-policies)
+- [Policies](#policies-in-preset-security-policies)
+- [Policy settings](#policy-settings-in-preset-security-policies)
+
+These elements are described in the following sections.
+
+In addition, it's important to understand how preset security policies fit in the [order of precedence](#order-of-precedence-for-preset-security-policies-and-other-policies) with other policies.
+
+### Profiles in preset security policies
+
+A profile determines the level of protection. The following profiles are available for preset security policies:
+
+- **Standard protection**: A baseline profile that's suitable for most users.
+- **Strict protection**: A more aggressive profile for selected users (high value targets or priority users).
+- **Built-in protection** (Microsoft Defender for Office 365 only): Effectively provides default policies for Safe Links and Safe Attachments only.
+
+To compare the configurations between Standard and Strict, see the individual feature tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+
+Until you turn on the profiles and assign users to them, the Standard and Strict preset security policies are assigned to no one. In contrast, the Built-in protection preset security policy is assigned to all recipients by default, but you can configure exceptions.
+
+> [!IMPORTANT]
+> Unless you configure exceptions to the Built-in protection preset security policy, all recipients in the organization receive Safe Links and Safe Attachments protection.
+
+### Policies in preset security policies
+
+Preset security policies use special versions of the individual protection policies that are available in EOP and Microsoft Defender for Office 365. These policies are created _after_ you assign the **Standard protection** or **Strict protection** preset security policies to users.
+
+- **EOP policies**: These policies are in all Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes:
+
+ - [Anti-spam policies](anti-spam-policies-configure.md) named **Standard Preset Security Policy** and **Strict Preset Security Policy**.
+ - [Anti-malware policies](anti-malware-policies-configure.md) named **Standard Preset Security Policy** and **Strict Preset Security Policy**.
+ - [Anti-phishing policies (spoofing protection)](anti-phishing-policies-about.md#spoof-settings) named **Standard Preset Security Policy** and **Strict Preset Security Policy** (spoof settings).
+
+ > [!NOTE]
+ > Outbound spam policies aren't part of preset security policies. The default outbound spam policy automatically protects members of preset security policies. Or, you can create custom outbound spam policies to customize the protection for members of preset security policies. For more information, see [Configure outbound spam filtering in EOP](outbound-spam-policies-configure.md).
+
+- **Microsoft Defender for Office 365 policies**: These policies are in organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:
+ - Anti-phishing policies in Defender for Office 365 named **Standard Preset Security Policy** and **Strict Preset Security Policy**, which include:
+ - The same [spoof settings](anti-phishing-policies-about.md#spoof-settings) that are available in the EOP anti-phishing policies.
+ - [Impersonation settings](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)
+ - [Advanced phishing thresholds](anti-phishing-policies-about.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365)
+ - [Safe Links policies](safe-links-policies-configure.md) named **Standard Preset Security Policy**, **Strict Preset Security Policy**, and **Built-in Protection Policy**.
+ - [Safe Attachments policies](safe-attachments-policies-configure.md) named **Standard Preset Security Policy**, **Strict Preset Security Policy**, and **Built-in Protection Policy**.
+
+As previously described, you can apply EOP protections to different users than Defender for Office 365 protections, or you can apply EOP and Defender for Office 365 protections to the same recipients.
+
+### Policy settings in preset security policies
+
+Fundamentally, you can't modify the individual policy settings in the protection profiles. The Standard, Strict, and Built-in protection policy setting values, including the associated [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy), are listed in the feature tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+
+But, you need to configure the individual users (senders) and domains to receive [impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in Defender for Office 365. Otherwise, preset security policies automatically configure the following types of impersonation protection:
+
+- Domain impersonation protection for all domains that you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
+- [Mailbox intelligence protection (contact history)](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+
+### Order of precedence for preset security policies and other policies
+
+When a recipient is defined in multiple policies, the policies are applied in the following order:
+
+1. The Strict preset security policy.
+2. The Standard preset security policy.
+3. Custom policies based on the priority of the policy (a lower number indicates a higher priority).
+4. The Built-in protection preset security policy for Safe Links and Safe Attachments; the default policies for anti-malware, anti-spam, and anti-phishing.
+
+In other words, the settings of the Strict preset security policy override the settings of the Standard preset security policy, which overrides the settings from any custom policies, which override the settings of the Built-in protection preset security policy for Safe Links and Safe Attachments, and the default policies for anti-spam, anti-malware, and anti-phishing.
+
+This order is shown on the pages of the individual security policies in the Defender portal (the policies are applied in the order they're shown on the page).
+
+For example, an admin configures the Standard preset security policy and a custom anti-spam policy with the same recipient. The anti-spam policy settings from the Standard preset security policy are applied to the user instead of what's configured in the custom policy anti-spam policy or in the default anti-spam policy.
+
+Consider applying the Standard or Strict preset security policies to a subset of users, and apply custom policies to other users in your organization to meet specific needs. To meet this requirement, consider the following methods:
+
+- Use unambiguous groups or lists of recipients in the Standard preset security policy, the Strict preset security, and in custom policies so exceptions aren't required. Using this method, you don't need to account for multiple policies applying to the same users and the effects of the order of precedence.
+- If you can't avoid multiple policies applying to the same users, use the following strategies:
+ - Configure recipients who should get the settings of the **Standard** preset security policy and custom policies as exceptions in the **Strict** preset security policy.
+ - Configure recipients who should get the settings of custom policies as exceptions in the **Standard** preset security policy.
+ - Configure the users who should get the settings of the Built-in protection preset security policy or default policies as exceptions to custom policies.
+
+The Built-in protection** doesn't affect recipients in existing Safe Links or Safe Attachments policies. If you already configured **Standard protection**, **Strict protection** or custom Safe Links or Safe Attachments policies, those policies are _always_ applied _before_ **Built-in protection**, so there's no effect on the recipients who are already defined in those existing preset or custom policies.
+
+For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
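Review bot: The added paragraph that begins `The Built-in protection** doesn't affect recipients` has a closing `**` with no opening one, so the bold run is unbalanced; write `**Built-in protection**` as the rest of that paragraph does. In the same appendix, the first bullet of the recipient guidance reads "the Strict preset security, and in custom policies" (the word "policy" is missing), the anti-spam example says "the custom policy anti-spam policy", and the "In other words" sentence mixes "which overrides" with "which override".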
security Safe Attachments Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md
You configure Safe Attachments policies in the Microsoft 365 Defender portal or
- Allow up to 30 minutes for a new or updated policy to be applied.
+- For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms).
+ ## Use the Microsoft 365 Defender portal to create Safe Attachments policies 1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
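Review bot: Step 1 on the last line of this hunk runs two sentences together as `section.Or, to go directly`; add the space after the period, as the matching step in the Safe Links article on this page has it.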
You configure Safe Attachments policies in the Microsoft 365 Defender portal or
- The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png"::: next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
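Review bot: The replacement line drops both the word "remove" and the image alt text, so the instruction now reads "To remove an existing value, select ... next to the value" with nothing but the icon naming the control. Add a text label after the icon, as the user tags article does with `**Delete**`, so the step still makes sense when the image does not load.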
security Safe Links Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md
You configure Safe Links policies in the Microsoft 365 Defender portal or in Exc
- Allow up to 6 hours for a new or updated policy to be applied.
+- For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms).
+ ## Use the Microsoft 365 Defender portal to create Safe Links policies 1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section. Or, to go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
You configure Safe Links policies in the Microsoft 365 Defender portal or in Exc
- The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png"::: next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
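Review bot: The new `:::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png":::` reference omits `border="false"`, while the same icon in the user tags article is written with it. Use one form across the articles for consistency.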
security User Tags About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md
f1.keywords:
Previously updated : 1/31/2023 Last updated : 5/16/2023 audience: ITPro ms.localizationpriority: medium
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-User tags are identifiers for specific groups of users in [Microsoft Defender for Office 365](defender-for-office-365.md). There are two types of user tags:
+_User tags_ are identifiers for specific groups of users in [Microsoft Defender for Office 365](defender-for-office-365.md). There are two types of user tags:
- **System tags**: Currently, [Priority account](../../admin/setup/priority-accounts.md) is the only type of system tag.-- **Custom tags**: You create these user tags yourself.
+- **Custom tags**: You create these types of tags.
If your organization has Defender for Office 365 Plan 2 (included in your subscription or as an add-on), you can create custom user tags in addition to using the Priority account tag.
After you apply system tags or custom tags to users, you can use those tags as f
- [Quarantine](quarantine-about.md) - For priority accounts, you can use the [Email issues for priority accounts report](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report) in the Exchange admin center (EAC).
-This article explains how to configure user tags in the Microsoft 365 Defender portal. You can also manage the Priority Account tag can using the _VIP_ parameter on the [Set-User](/powershell/module/exchange/set-user) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). There are no cmdlets in Microsoft 365 Defender portal to manage custom user tags.
+This article explains how to configure user tags in the Microsoft 365 Defender portal. You can also apply or remove the Priority Account tag using the _VIP_ parameter on the [Set-User](/powershell/module/exchange/set-user) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). No PowerShell cmdlets are available to manage custom user tags.
To see how user tags are part of the strategy to help protect high-impact user accounts, see [Security recommendations for priority accounts in Microsoft 365](priority-accounts-security-recommendations.md).
To see how user tags are part of the strategy to help protect high-impact user a
- [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/system (manage)** or **configuration/system (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program. - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): - _Create, modify, and delete custom user tags_: Membership in the **Organization Management** or **Security Administrator** role groups.
- - _Add and remove members from the Priority Account system tag_: Membership in the **Security Administrator** and **Exchange Admin** role groups.
+ - _Add and remove members from the Priority Account tag_: Membership in the **Security Administrator** and **Exchange Admin** role groups.
- _Add and remove members from existing custom user tags_: Membership in the **Organization Management** or **Security Administrator** role groups. > [!NOTE]
To see how user tags are part of the strategy to help protect high-impact user a
- You can also manage and monitor priority accounts in the Microsoft 365 admin center. For instructions, see [Manage and monitor priority accounts](../../admin/setup/priority-accounts.md). -- For information about securing _privileged accounts_ (admin accounts), see [this topic](/security/compass/critical-impact-accounts).
+- For information about securing _privileged accounts_ (admin accounts), see [this article](/security/compass/critical-impact-accounts).
## Use the Microsoft 365 Defender portal to create user tags
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. To go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. Or, to go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>.
-2. On the **User tags** page, click ![Create tag icon.](../../media/m365-cc-sc-create-icon.png) **Create tag**.
+2. On the **User tags** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create tag** to start the new tag wizard.
-3. The **Create tag** wizard opens in a new flyout. On the **Define tag** page, configure the following settings:
- - **Name**: Enter a unique, descriptive name for the tag. This is the value that you'll see and use. Note that you can't rename a tag after you create it.
+3. On the **Define tag** page, configure the following settings:
+ - **Name**: Enter a unique, descriptive name for the tag. You can't rename a tag after you create it.
- **Description**: Enter an optional description for the tag.
- When you're finished, click **Next**.
+ When you're finished on the **User tags** page, select **Next**.
4. On the **Assign members** page, do either of the following steps:
- - Click ![Add members icon.](../../media/m365-cc-sc-create-icon.png) **Add members**. In the fly out that appears, do any of the following steps to add individual users or groups:
+
+ - Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add members**. In the **Add members** flyout that opens, do any of the following steps to add individual users or groups in the **Search users and groups to add** box:
- Click in the box and scroll through the list to select a user or group.
- - Click in the box and start typing to filter the list and select a user or group.
- - To add additional values, click in an empty area in the box.
- - To remove individual entries, click ![Remove entry icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the entry in the box.
- - To remove all entries, click ![Remove entry icon.](../../media/m365-cc-sc-remove-selection-icon.png) on the **Selected nn users and nn groups** item below the box.
+ - Click in the box, start typing a name to filter the list, and then select the value below the box.select a user or group.
+
+ To add more members, click in an empty area in the box and repeat the previous step.
+
+ To remove individual entries from the box, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the entry.
+
+ To remove all entries, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: in the **Selected nn users and nn groups** item below the box.
+
+ When you're finished on the **Add members** flyout, select **Add**.
- When you're finished, click **Add**.
+ Back on the **Assign members** page, the users and groups that you added are listed by **Name** and **Type**. To remove entries from the list, select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** next to the entry.
- Back on the **Assign members** page, you can also remove entries by clicking ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) next to the entry.
+ - Select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Import** to select a text file that contains the email addresses of the users or groups (one entry per line).
- - Click **Import** to select a text file that contains the email addresses of the users or groups. Be sure the text file contains one entry per line.
+ When you're finished on the **Assign members** page, select **Next**.
- When you're finished, click **Next**.
+5. On the **Review tag** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can select **Back** or the specific page in the wizard.
-5. On the **Review tag** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+ When you're finished on the **Review tag** page, select **Submit**.
- When you're finished, click **Submit**, and then click **Done**.
+6. On the **New tag created** page, you can select the links to add a new tag or manage the tag members.
+
+ When you're finished on the **New tag created** page, select **Done**.
+
+ Back on the **User tags** page, the new tag is listed.
## Use the Microsoft 365 Defender portal to view user tags
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. To go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. Or, to go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>.
-2. On the **User tags** page, the following properties are displayed in the list of user tags:
+On the **User tags** page, the following properties are displayed in the list of user tags:
- - **Tag**: The name of the user tag. Note that this includes the built-in **Priority account** system tag.
+ - **Tag**: The name of the user tag.
- **Applied to**: The number of members - **Last modified** - **Created on**
-3. When you select a user tag by clicking on the name, the details are displayed in a flyout.
+Use :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the user tags by **Last modified date**.
+
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific user tag.
+
+Select a user tag by clicking anywhere in the row other than the check box next to the name to open the details flyout for the user tag.
-## Use the Microsoft 365 Defender portal to modify user tags
+The details flyout of the user tag contains the following information, based on the type of tag:
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. To go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>.
+- **System tags**: The details flyout for the Priority Account tag contains the following information:
+ - **Last updated**
+ - **Description**
+ - A link to <https://security.microsoft.com/securitysettings/priorityAccountProtection> to turn on or turn off [priority account protection](priority-accounts-turn-on-priority-account-protection.md)
+ - **Applied to**
+- **Custom tags**: The details flyout for a custom tag contains the same information as the **User tags** page, plus the list of users and groups that the tag applies to.
-2. On the **User tags** page, select the user tag from the list, and then click ![Edit tag icon.](../../media/m365-cc-sc-edit-icon.png) **Edit tag**.
+To take action on user tags, see the next section.
-3. In the details flyout that appears, the same wizard and settings are available as described in the [Use the Microsoft 365 Defender portal to create user tags](#use-the-microsoft-365-defender-portal-to-create-user-tags) section earlier in this article.
+## Use the Microsoft 365 Defender portal to take action on user tags
- **Notes**:
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. Or, to go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>.
- - The **Define tag** page is not available for the built-in **Priority account** system tag, so you can't rename this tag or change the description.
- - You can't rename a custom tag, but you can change the description.
+2. On the **User tags** page, select the user tag by using either of the following methods:
+ - Select the tag from the list by selecting the check box next to the name. The available actions appear on the page.
+ - Select the tag from the list by clicking anywhere in the row other than the check box next to the name. The available actions are in the details flyout that opens.
+
+After you select the user tag, the available actions are described in the following subsections.
+
+### Use the Microsoft 365 Defender portal to modify user tags
+
+After you select the user tag, use either of the following methods to modify it:
+
+- **On the User tags page**: Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
+- **In the details flyout of the selected user tag**: Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action at the top of the flyout.
+
+The same wizard and most of the same settings are available as described in the [Use the Microsoft 365 Defender portal to create user tags](#use-the-microsoft-365-defender-portal-to-create-user-tags) section earlier in this article, with the following exceptions:
+
+- You can't rename or change the description of the Priority Account tag, so the **Define tag** page isn't available for the Priority Account tag.
+- The **Define tag** page is available for custom tags, but you can't rename the tag; you can only change the description.
## Use the Microsoft 365 Defender portal to remove user tags
-> [!NOTE]
-> You can't remove the built-in **Priority account** system tag.
+You can't remove the built-in Priority Account tag.
+
+After you select the custom tag, use either of the following methods to remove it:
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **User tags**. To go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>.
+- **On the User tags page**: Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+- **In the details flyout of the selected user tag**: Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action at the top of the flyout.
-2. On the **User tags** page, select the user tag from the list, and then click ![Delete tag icon.](../../media/m365-cc-sc-delete-icon.png) **Delete tag**.
+Read the warning in the confirmation dialog that opens, and then select **Yes, remove**.
-3. Read the warning in the confirmation dialog that appears, and then click **Yes, remove**.
+Back on the **User tags** page, the custom tag is no longer listed.
## More information
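Review bot: In step 3 of the create procedure, the added closing line says "When you're finished on the **User tags** page, select **Next**", but that step works on the **Define tag** page, so the page name should be **Define tag**. In step 4, the added bullet ends with a leftover fragment, "select the value below the box.select a user or group."; delete the trailing "select a user or group." The added search line in the view section is missing an article ("to find specific user tag"). Finally, "modify user tags" becomes a level-3 heading under the new "take action on user tags" section while "remove user tags" stays at level 2, even though its new text ("After you select the custom tag") depends on the selection steps in that section; make it a level-3 heading as well.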