Updates from: 05/19/2021 03:11:48
Category Microsoft Docs article Related commit history on GitHub Change details
admin Activity Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/activity-reports.md
search.appverid:
- MOE150 - GEA150 ms.assetid: 0d6dfb17-8582-4172-a9a9-aed798150263
-description: "Get a periodic report of how people in your organization are using Microsoft 365 services. Usage Overview dashboard lets you drill into each chart for more insights."
+description: "Get a periodic report of how people in your organization are using Microsoft 365 services and drill into each chart for more insights."
# Microsoft 365 Reports in the admin center
Whenever you close a user's account, Microsoft will delete that user's usage dat
However, when you select a particular day (see number 3), up to 28 days from the current date, the report show the user's usage for that day in the User Details table (see number 2).
-## Related articles
+## Related content
-[Reports in the Security & Compliance Center](../../compliance/reports-in-security-and-compliance.md)
+[Reports in the Security & Compliance Center](../../compliance/reports-in-security-and-compliance.md) (article)
+
+[Microsoft 365 usage analytics](../usage-analytics/usage-analytics.md) (article)
+
+[Customize the reports in Microsoft 365 usage analytics](../usage-analytics/customize-reports.md) (article)
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
search.appverid:
- MET150 - MOE150 ms.assetid: da585eea-f576-4f55-a1e0-87090b6aaa9d
-description: "Admin roles map to business functions and give permissions to do specific tasks in the admin center. For example, the Service admin can open support tickets through the admin center."
+description: "Admin roles such as the Service admin map to business functions and give permissions to do specific tasks in the admin center."
# About admin roles
Looking for the full list of detailed Intune role descriptions you can manage in
For more information on assigning roles in the Microsoft 365 admin center, see [Assign admin roles](assign-admin-roles.md).
-### Watch: What is an admin?
+## Watch: What is an admin?
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1SRc0]
A partner can assign these roles:
Before the partner can assign these roles to users, you must add the partner as a delegated admin to your account. This process is initiated by an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For instructions, see [Authorize or remove partner relationships](../misc/add-partner.md).
-## Related articles
+## Related content
-[Assign admin roles](assign-admin-roles.md)
+[Assign admin roles](assign-admin-roles.md) (article)
-[Azure AD roles in the Microsoft 365 admin center](azure-ad-roles-in-the-mac.md)
+[Azure AD roles in the Microsoft 365 admin center](azure-ad-roles-in-the-mac.md) (article)
-[Exchange Online admin role](about-exchange-online-admin-role.md)
+[Exchange Online admin role](about-exchange-online-admin-role.md) (article)
-[Activity reports in the Microsoft 365 admin center](../activity-reports/activity-reports.md)
+[Activity reports in the Microsoft 365 admin center](../activity-reports/activity-reports.md) (article)
admin Add Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/add-users.md
- AdminSurgePortfolio search.appverid: - MET150
-description: "Learn how to add users and assign licenses to Microsoft 365 at the same time."
+description: "Each team member needs a user account before they can sign in and access Microsoft 365 for business. Learn how to add users and assign licenses."
Last updated 07/01/2020
admin Change A User Name And Email Address https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/change-a-user-name-and-email-address.md
search.appverid:
- MET150 - MOE150 ms.assetid: fb5ac074-e203-4e1f-9843-b9d1a3e03297
-description: "Learn how a global admin can change a user's email address and display name. "
+description: "Learn how a Microsoft 365 global admin can change a user's email address and display name when their ame changes. "
# Change a user name and email address
Set-MsolUserPrincipalName -UserPrincipalName anne.wallace@contoso.onmicrosoft.co
To learn how to change someone's username in Active Directory, in Windows Server 2003 and earlier, see [Rename a user account](/previous-versions/windows/it-pro/windows-server-2003/cc772952(v=ws.10)).
-## Related articles
+## Related content
-[Admins: Reset a password for one or more users](reset-passwords.md)
+[Admins: Reset a password for one or more users](reset-passwords.md) (article)
-[Add another email address to a user](../email/add-another-email-alias-for-a-user.md)
+[Add another email address to a user](../email/add-another-email-alias-for-a-user.md) (article)
+
+[Create a shared mailbox](../email/create-a-shared-mailbox.md) (article)
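Review bot: The new front matter description has a typo, "ame" for "name" ("when their ame changes"), and keeps the trailing space before the closing quote. Suggested text: "Learn how a Microsoft 365 global admin can change a user's email address and display name when their name changes."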
admin Give Mailbox Permissions To Another User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user.md
search.appverid:
- MET150 - MOE150 ms.assetid: 1dbcf12f-a9de-4d1d-b0b3-a227f8a736d8
-description: "Learn how to give a user the right to access another user's mailbox. This will give the user the right to read mails and send mails from the other user's mailbox. "
+description: "Give a user the right to access another user's mailbox, which allows the user to read and send emails from the other user's mailbox."
# Give mailbox permissions to another user - Admin Help
There are a few different ways you can access a mailbox once you've been given a
::: moniker-end
-## Send and read from Outlook and Outlook on the web for business
--
-Want to know how to send email from another user's mailbox? Check out the following topics:
+## Related content
-- [Manage another person's mail and calendar items](https://support.microsoft.com/office/afb79d6b-2967-43b9-a944-a6b953190af5)
+[Manage another person's mail and calendar items](https://support.microsoft.com/office/afb79d6b-2967-43b9-a944-a6b953190af5) (article)
-- [Send email from another person or group](https://support.microsoft.com/office/0f4964af-aec6-484b-a65c-0434df8cdb6b)
+[Send email from another person or group](https://support.microsoft.com/office/0f4964af-aec6-484b-a65c-0434df8cdb6b) (article)
+
+[Change a user name and email address](../add-users/change-a-user-name-and-email-address.md) (video)
+
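Review bot: The last link added to the new "Related content" list is tagged "(video)" but points to change-a-user-name-and-email-address.md, which the other lists in this batch tag "(article)"; make the label match the target. The `../add-users/` prefix can also be dropped, since this file already lives in the add-users folder. The hunk removes the "Send and read from Outlook and Outlook on the web for business" heading and its lead-in sentence, so check that nothing links to that section anchor.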
admin Compare Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/compare-groups.md
search.appverid:
- MET150 - MOE150 ms.assetid: 758759ad-63ee-4ea9-90a3-39f941897b7d
-description: "Learn about the types of groups you can use."
+description: "Microsoft 365 group members get a group email and shared workspace for conversations, files, and calendar events, Stream and a Planner."
# Compare groups
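Review bot: The new description covers only Microsoft 365 groups, while the page is titled "Compare groups" and the old text referred to "the types of groups you can use"; a description that names the comparison would match the article better. If the current wording stays, make the list parallel, since "calendar events, Stream and a Planner" reads unevenly.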
admin About Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/about-shared-mailboxes.md
Shared mailboxes are used when multiple people need access to the same mailbox,
Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send emails from "Contoso Support" or "Building A Reception Desk."
+## Before you begin
+ Before you [create a shared mailbox](create-a-shared-mailbox.md), here are some things you should know: - **Licenses:** Your shared mailbox can store up to 50GB of data without you assigning a license to it. After that, you need to assign a license to the mailbox to store more data. For more details on shared mailbox licensing, please see [Exchange Online Limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#StorageLimits). When a shared mailbox reaches the storage limit, you'll be able to receive email for a while, but you won't be able to send new email. Then, after that, it will stop receiving email. Senders to the mailbox will get a non-delivery receipt.
Before you [create a shared mailbox](create-a-shared-mailbox.md), here are some
## Related content
-[Create a shared mailbox](create-a-shared-mailbox.md)
+[Create a shared mailbox](create-a-shared-mailbox.md) (article)
-[Configure a shared mailbox](configure-a-shared-mailbox.md)
+[Configure a shared mailbox](configure-a-shared-mailbox.md) (article)
-[Convert a user mailbox to a shared mailbox](convert-user-mailbox-to-shared-mailbox.md)
+[Convert a user mailbox to a shared mailbox](convert-user-mailbox-to-shared-mailbox.md) (article)
-[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md)
+[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md) (article)
-[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md)
+[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md) (article)
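Review bot: In the added "Before you begin" block, the paragraph opens with "Before you create a shared mailbox, here are some things you should know:", and the unchanged line directly after it starts with the same words, so the sentence may now appear twice on the page; keep a single copy under the new heading. The added line also begins with a leading space, which is worth removing so the paragraph is not indented.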
admin Configure Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-email-forwarding.md
search.appverid:
- MET150 - MOE150 ms.assetid: ab5eb117-0f22-4fa7-a662-3a6bdb0add74
-description: "Set up email forwarding to one or more email accounts using Office365."
+description: "Email forwarding lets you forward email messages sent to a Microsoft 365 user mailbox to another mailbox inside or outside of your organization."
# Configure email forwarding in Microsoft 365
You must be an Exchange administrator or Global administrator in Microsoft 365 t
Or, in the admin center, [create a distribution group](../setup/create-distribution-lists.md), [add the addresses to it](add-user-or-contact-to-distribution-list.md), and then set up forwarding to point to the DL using the instructions in this article.
-5. Don't delete the account of the user who's email you're forwarding or remove their license! If you do, email forwarding will stop.
+5. Don't delete the account of the user who's email you're forwarding or remove their license! If you do, email forwarding will stop.
::: moniker-end
+## Related content
+
+[Create a shared mailbox](../email/create-a-shared-mailbox.md) (article)
+
+[Send email from a different address](https://support.microsoft.com/office/ccba89cb-141c-4a36-8c56-6d16a8556d2e) (article)
+
+[Change a user name and email address](../add-users/change-a-user-name-and-email-address.md) (article)
+
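Review bot: Step 5 is rewritten with no visible wording change and still reads "the user who's email you're forwarding"; since the line is being touched, correct it to "whose email". In the new "Related content" list, `../email/create-a-shared-mailbox.md` can be shortened to `create-a-shared-mailbox.md`, because this file is already in the email folder.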
admin Convert User Mailbox To Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox.md
search.appverid:
- MET150 - MOE150 ms.assetid: 2e122487-e1f5-4f26-ba41-5689249d93ba
-description: "Learn to convert a private mailbox to a shared mailbox that can be accessed by multiple users. "
+description: "Learn to convert a private mailbox to a shared mailbox that can be accessed by several people instead of by just one person. "
# Convert a user mailbox to a shared mailbox
For more info about converting a user mailbox to a shared mailbox in an Exchange
> [!NOTE] > If you are a member of the Organization Management or Recipient Management role group, you can use the Exchange Management Shell to change a user mailbox to a shared mailbox on-premises. For example, `Set-Mailbox -Identity mailbox1@contoso.com -Type Shared`.
-## Related articles
+## Related content
-[About shared mailboxes](about-shared-mailboxes.md)
+[About shared mailboxes](about-shared-mailboxes.md) (article)
-[Create a shared mailbox](create-a-shared-mailbox.md)
+[Create a shared mailbox](create-a-shared-mailbox.md) (article)
-[Configure a shared mailbox](configure-a-shared-mailbox.md)
+[Configure a shared mailbox](configure-a-shared-mailbox.md) (article)
-[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md)
+[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md) (article)
-[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md)
+[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md) (article)
admin Create A Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/create-a-shared-mailbox.md
When you created the shared mailbox, you automatically created a shared calendar
3. Any member of the shared mailbox can create, view, and manage appointments on the calendar, just like they would their personal appointments. Everyone who is a member of shared mailbox can see their changes to the shared calendar.
-## Related articles
+## Related content
-[About shared mailboxes](about-shared-mailboxes.md)
+[About shared mailboxes](about-shared-mailboxes.md) (article)
-[Configure a shared mailbox](configure-a-shared-mailbox.md)
+[Configure a shared mailbox](configure-a-shared-mailbox.md) (article)
-[Convert a user mailbox to a shared mailbox](convert-user-mailbox-to-shared-mailbox.md)
+[Convert a user mailbox to a shared mailbox](convert-user-mailbox-to-shared-mailbox.md) (article)
-[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md)
+[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md) (article)
-[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md)
+[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md) (article)
admin Create Dns Records At Any Dns Hosting Provider https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md
- Adm_O365_Setup search.appverid: - MET150
-description: "Learn to verify your domain and create DNS records at any DNS hosting provider for Microsoft 365."
+description: "Connect a domain at any DNS hosting provider to Microsoft 365 by verifying your domain and updating the DNS records in your registrarΓÇÖs account."
- okr_smb - AdminSurgePortfolio
If your hosting provider doesn't provide these fields for SRV records, you must
To add these values, create a single string, separating the values with spaces and *sometimes ending with a dot* (check with your provider if you are unsure). The values must be included in this order: Priority, Weight, Port, Target. - Example 1: `100 1 443 sipdir.online.lync.com.`-- Example 2: `100 1 443 sipdir.online.lync.com`
+- Example 2: `100 1 443 sipdir.online.lync.com`
+
+## Related content
+
+[Change nameservers to set up Microsoft 365 with any domain registrar](change-nameservers-at-any-domain-registrar.md) (article)
+
+[Find and fix issues after adding your domain or DNS records](find-and-fix-issues.md) (article)
+
+[Manage domains](index.yml) (link page)
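Review bot: The added description uses a typographic apostrophe in "registrar's", which shows up as garbled bytes in this listing; use a plain ASCII apostrophe so the front matter value renders the same wherever it is consumed.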
admin Assign Licenses To Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/assign-licenses-to-users.md
- manage_licenses - commerce_licensing search.appverid: MET150
-description: "Learn how to assign licenses to users."
+description: "Assign licenses depending on whether you want to assign product licenses to specific users or assign users licenses to a specific product."
Last updated 04/26/2021
admin Manage Office Scripts Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-office-scripts-settings.md
description: "Learn how to manage Office Scripts settings for users in your orga
# Manage Office Scripts settings
-Office ScriptsΓÇÄ allows users to automate tasks by recording, editing, and running scripts in ΓÇÄExcelΓÇÄ on the web. ΓÇÄOffice ScriptsΓÇÄ works with Power Automate, and users run scripts on workbooks by using the ΓÇÄExcelΓÇÄ Online (Business) connector. Microsoft 365 admins can manage Office Scripts settings from the Microsoft 365 admin center.
+[Office Scripts](/office/dev/scripts)ΓÇÄ allows users to automate tasks by recording, editing, and running scripts in ΓÇÄExcelΓÇÄ on the web. ΓÇÄOffice ScriptsΓÇÄ works with Power Automate, and users run scripts on workbooks by using the ΓÇÄExcelΓÇÄ Online (Business) connector. Microsoft 365 admins can manage Office Scripts settings from the Microsoft 365 admin center.
## Before you begin
Office ScriptsΓÇÄ allows users to automate tasks by recording, editing, and runn
To learn more about the different types of groups, see [Compare groups](../create-groups/compare-groups.md).
- - To learn more about using Office Scripts with Power Automate, including how your data loss prevention policies may be impacted, see [Run Office Scripts with Power Automate](/office/dev/scripts/develop/power-automate-integration).
+ - To learn more about using Office Scripts with Power Automate, see [Run Office Scripts with Power Automate](/office/dev/scripts/develop/power-automate-integration).
8. Select **Save**.
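Review bot: The rewritten bullet about Power Automate drops the clause "including how your data loss prevention policies may be impacted", which was this line's pointer to the DLP effect of running Office Scripts through Power Automate; keep the clause, or state in the change description why it no longer applies. Separately, the intro line that gains the [Office Scripts](/office/dev/scripts) link still carries stray invisible characters around "Office Scripts" and "Excel" (rendered as garbage in this listing), so this is a good moment to strip them.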
admin Set Password Expiration Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/set-password-expiration-policy.md
search.appverid:
- MOE150 - GEA150 ms.assetid: 0f54736f-eb22-414c-8273-498a0918678f
-description: "Learn how to set a password expiration policy for your organization in Microsoft 365 admin center."
+description: "Learn how an admin can set a password expiration policy for your business, school, or nonprofit in Microsoft 365 admin center."
# Set the password expiration policy for your organization
To learn how to update password policy for a specific domain or tenant, see [Set
## Related content
-[Let users reset their own passwords](../add-users/let-users-reset-passwords.md)
+[Let users reset their own passwords](../add-users/let-users-reset-passwords.md) (article)
-[Reset passwords](../add-users/reset-passwords.md)
+[Reset passwords](../add-users/reset-passwords.md) (article)
admin Mailbox Not Found Error https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/mailbox-not-found-error.md
search.appverid: - MET150 ms.assetid: 7e453a40-66df-44ab-92a1-96786cb7fb34
-description: "Learn how to add a licence to unlicensed users to fix the mailbox not found error."
+description: "A **Mailbox couldn't be found for** error means the account you used to connect to Outlook on the web doesn't have an Exchange Online license."
# Getting a mailbox not found error in Outlook on the web?
-If you're using Outlook on the web and you get a **Mailbox couldn't be found for** error, the account that you used to connect to Outlook on the web doesn't have an Exchange Online license and therefore, no mailbox is associated with the account. Your admin can assign a license to your account by following these steps:
+If you're using Outlook on the web and you get a **Mailbox couldn't be found for** error, the account that you used to connect to Outlook on the web doesn't have an Exchange Online license and therefore, no mailbox is associated with the account.
+
+## Assign a license to your account
+
+Your admin can assign a license to your account by following these steps:
1. Open the [Microsoft 365 admin center](https://portal.office.com/adminportal/home#/homepage) and go to **Active users** under the **Users** section, and select the user who is seeing the error.
-2. In the user page that opens, go to the **Licenses and Apps** section, select the appropriate **Location** value, and assign a license that contains Exchange Online (expand the license to see its details). When you're finished, click **Save changes**.
+1. In the user page that opens, go to the **Licenses and Apps** section, select the appropriate **Location** value, and assign a license that contains Exchange Online (expand the license to see its details).
+1. When you're finished, click **Save changes**.
+
+## Related content
+
+[Add another email alias for a user](../email/add-another-email-alias-for-a-user.md) (article)
+
+[Configure email forwarding in Microsoft 365](../email/configure-email-forwarding.md) (article)
+
+[Create a shared mailbox](../email/create-a-shared-mailbox.md) (article)
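Review bot: The new front matter description contains Markdown bold markers around "Mailbox couldn't be found for"; description metadata is typically emitted as plain text, so the asterisks will show up literally. Put the error text in plain quotes there and keep the bold formatting for the body paragraph only.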
admin Parity Between Azure Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/parity-between-azure-information-protection.md
The following list includes the existing gaps between AIP for Office 365 operate
- The [Mobile Viewer](/azure/information-protection/rms-client/mobile-app-faq) is not supported by Azure China 21Vianet. -- The AIP area of the Azure portal is unavailable to customers in China. Use [PowerShell commands](#step-6-install-the-aip-on-premises-scanner-and-manage-content-scan-jobs) instead of performing actions in the portal, such as installing the on-premises scanner and managing your content scan jobs.
+- The AIP area of the Azure portal is unavailable to customers in China. Use [PowerShell commands](#step-6-install-the-aip-on-premises-scanner-and-manage-content-scan-jobs) instead of performing actions in the portal, such as managing and running your content scan jobs.
## Configure AIP for customers in China
Log in to your DNS provider, navigate to the DNS settings for the domain, and th
- Port = `80` - Priority, Weight, Seconds, TTL = default values + ### Step 4: Install and configure the AIP unified labeling client
-Download the AIP unified labeling client from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=53018).
+Download and install the AIP unified labeling client from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=53018).
For more information, see:
AIP apps on Windows need the following registry key to point them to the correct
Install the AIP on-premises scanner to scan your network and content shares for sensitive data, and apply classification and protection labels as configured in your organization's policy. -- When creating and configuring Azure AD applications for the [Set-AIPAuthentication](/powershell/module/azureinformationprotection/set-aipauthentication) command, the **Request API permissions** pane shows the **APIs my organization uses** tab instead of the **Microsoft APIs** tab. Select the **APIs my organization uses** to then select **Azure Rights Management Services**.--- When installing the scanner and managing your content scan jobs, use the following cmdlets instead of the Azure portal interface that's used by the commercial offerings:<br><br>-
- | Cmdlet | Description |
- |--|--|
- | [Add-AIPScannerRepository](/powershell/module/azureinformationprotection/add-aipscannerrepository) | Adds a new repository to your content scan job. |
- | [Get-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/get-aipscannercontentscanjob) | Gets details about your content scan job. |
- | [Get-AIPScannerRepository](/powershell/module/azureinformationprotection/get-aipscannerrepository) | Gets details about repositories defined for your content scan job. |
- | [Remove-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/remove-aipscannercontentscanjob) | Deletes your content scan job. |
- | [Remove-AIPScannerRepository](/powershell/module/azureinformationprotection/remove-aipscannerrepository) | Removes a repository from your content scan job. |
- | [Set-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob) | Defines settings for your content scan job. |
- | [Set-AIPScannerRepository](/powershell/module/azureinformationprotection/set-aipscannerrepository) | Defines settings for an existing repository in your content scan job. |
- | | |
-
-> [!TIP]
-> When [installing the scanner](/azure/information-protection/deploy-aip-scanner-configure-install#install-the-scanner), use the same cluster name in the [Install-AIPScanner](/powershell/module/azureinformationprotection/install-aipscanner) command to associate multiple scanner nodes to the same cluster. Using the same cluster for multiple scanner nodes enables multiple scanners to work together to perform your scans.
->
-> Use the [Get-AIPScannerConfiguration](/powershell/module/azureinformationprotection/get-aipscannerconfiguration) cmdlet to return details about your cluster.
->
+When configuring and managing your content scan jobs, use the following procedure instead of the [Azure portal interface](/azure/information-protection/deploy-aip-scanner-configure-install?tabs=azure-portal-only) that's used by the commercial offerings.
+ For more information, see [What is the Azure Information Protection unified labeling scanner?](/azure/information-protection/deploy-aip-scanner) and [Manage your content scan jobs using PowerShell only](/azure/information-protection/deploy-aip-scanner-prereqs#use-powershell-with-a-disconnected-computer).+
+**To install and configure your scanner**:
+
+1. Sign in to the Windows Server computer that will run the scanner. Use an account that has local administrator rights and that has permissions to write to the SQL Server master database.
+
+1. Start with PowerShell closed. If you've previously installed the AIP client and scanner, make sure that the **AIPScanner** service is stopped.
+
+1. Open a Windows PowerShell session with the **Run as an administrator** option.
+
+1. Run the [Install-AIPScanner](/powershell/module/azureinformationprotection/Install-AIPScanner) cmdlet, specifying your SQL Server instance on which to create a database for the Azure Information Protection scanner, and a meaningful name for your scanner cluster.
+
+ ```PowerShell
+ Install-AIPScanner -SqlServerInstance <name> -Cluster <cluster name>
+ ```
+
+ > [!TIP]
+ > You can use the same cluster name in the [Install-AIPScanner](/powershell/module/azureinformationprotection/install-aipscanner) command to associate multiple scanner nodes to the same cluster. Using the same cluster for multiple scanner nodes enables multiple scanners to work together to perform your scans.
+ >
+
+1. Verify that the service is now installed by using **Administrative Tools** > **Services**.
+
+ The installed service is named **Azure Information Protection Scanner** and is configured to run by using the scanner service account that you created.
+
+1. Get an Azure token to use with your scanner. An Azure AD token allows the scanner to authenticate to the Azure Information Protection service, enabling the scanner to run non-interactively.
+
+ 1. Open the Azure portal and create an Azure AD application to specify an access token for authentication. For more information, see [How to label files non-interactively for Azure Information Protection](/azure/information-protection/rms-client/clientv2-admin-guide-powershell#how-to-label-files-non-interactively-for-azure-information-protection).
+
+ > [!TIP]
+ > When creating and configuring Azure AD applications for the [Set-AIPAuthentication](/powershell/module/azureinformationprotection/set-aipauthentication) command, the **Request API permissions** pane shows the **APIs my organization uses** tab instead of the **Microsoft APIs** tab. Select the **APIs my organization uses** to then select **Azure Rights Management Services**.
+ >
+
+ 1. From the Windows Server computer, if your scanner service account has been granted the **Log on locally** right for the installation, sign in with this account and start a PowerShell session.
+
+ If your scanner service account cannot be granted the **Log on locally** right for the installation, use the *OnBehalfOf* parameter with [Set-AIPAuthentication](/powershell/module/azureinformationprotection/set-aipauthentication), as described in [How to label files non-interactively for Azure Information Protection](/azure/information-protection/rms-client/clientv2-admin-guide-powershell#how-to-label-files-non-interactively-for-azure-information-protection).
+
+ 1. Run [Set-AIPAuthentication](/powershell/module/azureinformationprotection/set-aipauthentication), specifying values copied from your Azure AD application:
+
+ ```PowerShell
+ Set-AIPAuthentication -AppId <ID of the registered app> -AppSecret <client secret sting> -TenantId <your tenant ID> -DelegatedUser <Azure AD account>
+ ```
+
+ For example:
+
+ ```PowerShell
+ $pscreds = Get-Credential CONTOSO\scanner
+ Set-AIPAuthentication -AppId "77c3c1c3-abf9-404e-8b2b-4652836c8c66" -AppSecret "OAkk+rnuYc/u+]ah2kNxVbtrDGbS47L4" -DelegatedUser scanner@contoso.com -TenantId "9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a" -OnBehalfOf $pscreds
+ Acquired application access token on behalf of CONTOSO\scanner.
+ ```
+
+ The scanner now has a token to authenticate to Azure AD. This token is valid for one year, two years, or never, according to your configuration of the **Web app /API** client secret in Azure AD. When the token expires, you must repeat this procedure.
+
+1. Run the [Set-AIPScannerConfiguration](/powershell/module/azureinformationprotection/set-aipscannerconfiguration) cmdlet to set the scanner to function in offline mode. Run:
+
+ ```powershell
+ Set-AIPScannerConfiguration -OnlineConfiguration Off
+ ```
+
+1. Run the [Set-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob) cmdlet to create a default content scan job.
+
+ The only required parameter in the **Set-AIPScannerContentScanJob** cmdlet is **Enforce**. However, you may want to define other settings for your content scan job at this time. For example:
+
+ ```powershell
+ Set-AIPScannerContentScanJob -Schedule Manual -DiscoverInformationTypes PolicyOnly -Enforce Off -DefaultLabelType PolicyDefault -RelabelFiles Off -PreserveFileDetails On -IncludeFileTypes '' -ExcludeFileTypes '.msg,.tmp' -DefaultOwner <account running the scanner>
+ ```
+
+ The syntax above configures the following settings while you continue the configuration:
+
+ - Keeps the scanner run scheduling to *manual*
+ - Sets the information types to be discovered based on the sensitivity labeling policy
+ - Does *not* enforce a sensitivity labeling policy
+ - Automatically labels files based on content, using the default label defined for the sensitivity labeling policy
+ - Does *not* allow for relabeling files
+ - Preserves file details while scanning and auto-labeling, including *date modified*, *last modified*, and *modified by* values
+ - Sets the scanner to exclude .msg and .tmp files when running
+ - Sets the default owner to the account you want to use when running the scanner
+
+1. Use the [Add-AIPScannerRepository](/powershell/module/azureinformationprotection/add-aipscannerrepository) cmdlet to define the repositories you want to scan in your content scan job. For example, run:
+
+ ```powershell
+ Add-AIPScannerRepository -OverrideContentScanJob Off -Path 'c:\repoToScan'
+ ```
+
+ Use one of the following syntaxes, depending on the type of repository you're adding:
+
+ - For a network share, use `\\Server\Folder`.
+ - For a SharePoint library, use `http://sharepoint.contoso.com/Shared%20Documents/Folder`.
+ - For a local path: `C:\Folder`
+ - For a UNC path: `\\Server\Folder`
+
+ > [!NOTE]
+ > Wildcards are not supported and WebDav locations are not supported.
+ >
+ > To modify the repository later on, use the [Set-AIPScannerRepository](/powershell/module/azureinformationprotection/set-aipscannerrepository) cmdlet instead.
++
+Continue with the following steps as needed:
+
+- [Run a discovery cycle and view reports for the scanner](/azure/information-protection/deploy-aip-scanner-manage#run-a-discovery-cycle-and-view-reports-for-the-scanner)
+- [Use PowerShell to configure the scanner to apply classification and protection](/azure/information-protection/deploy-aip-scanner-configure-install?tabs=azure-portal-only#use-powershell-to-configure-the-scanner-to-apply-classification-and-protection)
+- [Use PowerShell to configure a DLP policy with the scanner](/azure/information-protection/deploy-aip-scanner-configure-install?tabs=azure-portal-only#use-powershell-to-configure-a-dlp-policy-with-the-scanner)
+
+The following table lists PowerShell cmdlets that are relevant for installing the scanner and managing your content scan jobs:
+
+| Cmdlet | Description |
+|--|--|
+| [Add-AIPScannerRepository](/powershell/module/azureinformationprotection/add-aipscannerrepository) | Adds a new repository to your content scan job. |
+| [Get-AIPScannerConfiguration](/powershell/module/azureinformationprotection/get-aipscannerconfiguration)|Returns details about your cluster. |
+| [Get-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/get-aipscannercontentscanjob) | Gets details about your content scan job. |
+| [Get-AIPScannerRepository](/powershell/module/azureinformationprotection/get-aipscannerrepository) | Gets details about repositories defined for your content scan job. |
+| [Remove-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/remove-aipscannercontentscanjob) | Deletes your content scan job. |
+| [Remove-AIPScannerRepository](/powershell/module/azureinformationprotection/remove-aipscannerrepository) | Removes a repository from your content scan job. |
+| [Set-AIPScannerContentScanJob](/powershell/module/azureinformationprotection/set-aipscannercontentscanjob) | Defines settings for your content scan job. |
+| [Set-AIPScannerRepository](/powershell/module/azureinformationprotection/set-aipscannerrepository) | Defines settings for an existing repository in your content scan job. |
+| | |
+
+For more information, see:
+
+- [What is the Azure Information Protection unified labeling scanner?](/azure/information-protection/deploy-aip-scanner)
+- [Configuring and installing the Azure Information Protection (AIP) unified labeling scanner](/azure/information-protection/deploy-aip-scanner-configure-install?tabs=powershell-only)
+- [Manage your content scan jobs using PowerShell only](/azure/information-protection/deploy-aip-scanner-prereqs#use-powershell-with-a-disconnected-computer).
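Review bot: the path-syntax list under the `Add-AIPScannerRepository` step gives `\\Server\Folder` twice, once as "For a network share" and once as "For a UNC path", and the four bullets mix "use ..." with a bare colon. Merge the two `\\Server\Folder` bullets into one and give all of them the same form. In the closing list, the link text "Manage your content scan jobs using PowerShell only" points at the `#use-powershell-with-a-disconnected-computer` anchor on the prerequisites page, so confirm that the text and the target describe the same section. The empty `| | |` row at the end of the cmdlet table can also be dropped.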
admin Add Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/add-domain.md
search.appverid:
- MET150 - MOE150 ms.assetid: 6383f56d-3d09-4dcb-9b41-b5f5a5efd611
-description: "Add your domain to Microsoft 365 in the Microsoft 365 admin center by adding a DNS record at your DNS host. The setup wizard walks you through the process."
+description: "Use the setup wizard to add your domain to Microsoft 365 in the Microsoft 365 admin center by adding a DNS record at your DNS host."
# Add a domain to Microsoft 365
description: "Add your domain to Microsoft 365 in the Microsoft 365 admin center
*To Add, modify or remove domains you **must** be a **Global Administrator** of a [business or enterprise plan](https://products.office.com/business/office). These changes affect the whole tenant, *Customized administrators* or *regular users* won't be able to make these changes.*
- Follow these steps to add, set up, or continue setting up a domain.
+ ## Add a domain
+
+Follow these steps to add, set up, or continue setting up a domain.
::: moniker range="o365-worldwide"
After you finish setup, the MX record for your domain is updated to point to Mic
If you have a website that you use with your business, it will keep working where it is. The Domain Connect setup steps don't affect your website.
-## Related articles
+## Related content
-[Domains FAQ](domains-faq.yml)
+[Domains FAQ](domains-faq.yml) (article)
-[What is a domain?](../get-help-with-domains/what-is-a-domain.md)
+[What is a domain?](../get-help-with-domains/what-is-a-domain.md) (article)
-[Buy a domain name in Microsoft 365](../get-help-with-domains/buy-a-domain-name.md)
+[Buy a domain name in Microsoft 365](../get-help-with-domains/buy-a-domain-name.md) (article)
-[Set up your domain (host-specific instructions)](../get-help-with-domains/set-up-your-domain-host-specific-instructions.md)
+[Set up your domain](../get-help-with-domains/set-up-your-domain-host-specific-instructions.md) (article)
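Review bot: in the last entry of the "Related content" list, the link text is shortened to "Set up your domain" while the target is still `set-up-your-domain-host-specific-instructions.md`. The removed "(host-specific instructions)" was the only thing telling readers that the page is organized by DNS host, and the shortened text is easy to confuse with the "Add a domain" steps on this page. Keep the qualifier in the link text and append "(article)" after it.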
business-video Get Help Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/get-help-support.md
search.appverid:
- BCS160 - MET150 - MOE150
-description: "Learn how to get admin help or support in Microsoft 365 Business Premium."
+description: "You must be an admin for a business subscription to get admin help or online or phone support in Microsoft 365 Business Premium."
# Get support
Assisted support options are for admins of Office 365 Germany subscribed organiz
You can also [search the Microsoft 365 for business community forums](https://go.microsoft.com/fwlink/p/?LinkId=518605) to find known issues and trending topics, or to post a new question. The community forums are monitored by trained Microsoft support agents who can help resolve your issue. ::: moniker-end++
+## Related content
+
+[Find docs and training](find-help-answers.md) (article)
+
+[Employee quick setup](employee-quick-setup.md) (article)
+
+[Overview of Microsoft 365 Business Premium setup](setup-overview.md) (video)
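Review bot: the new `description` for this file, "You must be an admin for a business subscription to get admin help or online or phone support", chains three alternatives with "or ... or ... or" and is hard to parse. Something like "Admins of a business subscription can get admin help, online support, or phone support in Microsoft 365 Business Premium" says the same thing in one pass. In the added "Related content" list, the entry labelled "(video)" links to `setup-overview.md` the same way the "(article)" entries do, so confirm the label matches what that page contains.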
commerce Manage Payment Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-payment-methods.md
- AdminSurgePortfolio - commerce_billing search.appverid: MET150
-description: "Learn how to manage your payment methods in the Microsoft 365 admin center."
+description: "Buy business products or services from Microsoft by using an existing payment method or adding a new one in the Microsoft 365 admin center."
Last updated 04/02/2021
commerce Pay For Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription.md
- M365-subscription-management - Adm_O365 search.appverid: MET150
-description: "Learn what payment options are available to pay for your Microsoft 365 for business subscription."
+description: "Use a credit or debit card or bank account to pay for your Microsoft 365 for business subscription, or in some cases, you can pay by invoice."
- okr_SMB - fwlink 808700 for SEPA UI glink 906 for older uI
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
- AdminSurgePortfolio - commerce_subscriptions search.appverid: MET150
-description: "Learn how to cancel your Microsoft 365 for business trial or paid subscription."
+description: "If you have fewer than 25 user licenses, you can cancel your Microsoft 365 for business trial or paid subscription in the admin center."
Last updated 04/08/2021
compliance Data Classification Activity Explorer Available Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-activity-explorer-available-events.md
search.appverid: - MOE150 - MET150
-description: "listing of labeling actions that are available in activity explorer."
+description: "listing of labeling activities that are available in activity explorer."
# Labeling activities that are available in Activity explorer ## Sensitivity label applied
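Review bot: the `description` line is edited here but still starts with a lowercase "listing", and it writes "activity explorer" where the page title uses "Activity explorer". Since the line is already being touched, capitalize the first word and match the title's casing of the product name.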
-This event is generated each time an unlabeled document is labeled or an email is sent with a label.
+This event is generated each time an unlabeled document is labeled or an email is sent with a sensitivity label.
- It is captured at the time of save in Office native applications and web applications. - It is captured at the time of occurrence in Azure Information protection add-ins.
This event is generated each time an unlabeled document is labeled or an email i
## Sensitivity label changed
-This event is generated each time a label is updated on the document or email.
+This event is generated each time a sensitivity label is updated on the document or email.
- For the AIP Unified client, Unified Scanner and MIP SDK sources, the AIP *upgrade label* and *downgrade label* action maps to activity explorer *label changed*
This event is generated each time a label is updated on the document or email.
## Sensitivity label removed
-This event is generated each time a label is removed from a file or document.
+This event is generated each time a sensitivity label is removed from a file or document.
- This event is captured at the time of save in Office native applications and web applications. - It is captured at the time of occurrence in Azure Information protection add-ins.
This event is generated each time a label is removed from a file or document.
## Sensitivity label file read
-This event is generated each time a labeled or protected document is opened.
+This event is generated each time a sensitivity labeled or protected document is opened.
|Source |Reported in activity explorer | Note | ||||
This event is generated each time a labeled or protected document is opened.
|MCAS |no | |
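Review bot: under "Sensitivity label file read", the new wording "a sensitivity labeled or protected document" uses "sensitivity" as a modifier of "labeled", which does not read as English. The other sections in this commit use the noun form ("a sensitivity label is updated", "a sensitivity label is removed"), so phrase this one the same way, for example "a document that has a sensitivity label or is protected is opened".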
-## Sensitivity label files discovered
+## Files discovered
This event is generated each time files are discovered when AIP Scanner is used for scanning sensitive data in various locations and finds files.
This event is generated each time a document with a sensitivity label is renamed
|MCAS |no | |
-## Sensitivity label file removed
+## File removed
This event is generated each time the AIP scanner detects that a previously scanned file has been removed.
This event is generated each time the AIP scanner detects that a previously scan
|Power BI desktop and Web |not applicable | |MCAS |not applicable | |
-### Sensitivity label protection applied
+### Protection applied
This event is generated the first-time protection is added manually to an item that does not have a label.
This event is generated the first-time protection is added manually to an item t
|Power BI desktop and Web |not applicable | |MCAS |not applicable | |
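Review bot: the renamed heading stays at level three (`### Protection applied`) while its siblings in this commit ("## Files discovered", "## File removed", "## Protection changed", "## Protection removed") are level two. As written, "Protection applied" nests under "File removed" in the table of contents. Change it to `##` in the same edit.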
-## Sensitivity label protection changed
+## Protection changed
This event is generated each time the protection on an unlabeled document is changed manually.
This event is generated each time the protection on an unlabeled document is cha
|Power BI desktop and Web |not applicable | |MCAS |not applicable |
-## Sensitivity label protection removed
+## Protection removed
This event is generated each time the protection on an unlabeled document is changed manually.
This event is generated each time the protection on an unlabeled document is cha
|Power BI desktop and Web |not applicable | |MCAS |not applicable |
-## Sensitivity label DLP policy matched
+## DLP policy matched
-This event is generated each time a DLP policy is matched.
+This event is generated each time a DLP policy is matched on a document or an email.
|Source |Reported in activity explorer | |||
The events for Windows 10 Devices (Endpoint DLP) are:
## Retention label applied
-This event is generated each time an unlabeled document is labeled or an email is sent with a label.
+This event is generated each time an unlabeled document is labeled or an email is sent with a retention label.
-- It is captured at the time of save in Office native applications and web applications.
+- It is captured at the time of save for a document and at time of sending for an email.
|Source |Reported in activity explorer | |||
This event is generated each time an unlabeled document is labeled or an email i
This event is generated each time a label is updated on a document or email. -- It is captured at the time of save.
+- It is captured at the time of save for a document and at time of sending for an email.
|Source |Reported in activity explorer | |||
This event is generated each time a label is updated on a document or email.
This event is generated each time a label is removed from a file or document. -- It is captured at the time of save.
+- It is captured at the time of save for a document and at time of sending for an email.
|Source |Reported in activity explorer | |||
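Review bot: "Retention label applied" now says "a retention label", but the two retention sections that follow keep the unchanged sentences "each time a label is updated on a document or email" and "each time a label is removed from a file or document". The point of this commit is to separate sensitivity labels from retention labels, so those two sentences need "retention label" as well. The replacement bullet, repeated three times, also drops an article: "at time of sending" should be "at the time of sending".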
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
Additionally:
- To view the contents of items during the disposition process, add users to the **Content Explorer Content Viewer** role group. If users don't have the permissions from this role group, they can still select a disposition review action to complete the disposition review, but must do so without being able to view the item's contents from the mini-preview pane in the compliance center. -- In preview: By default, each person that accesses the **Disposition** page sees only items that they are assigned to review. For a records management administrator to see all items assigned to all users, and all retention labels that are configured for disposition review: Navigate to **Records management settings** > **General** > **Record Manager Security Group** to select and then enable a mail-enabled security group that contains the administrator accounts.
+- In preview: By default, each person that accesses the **Disposition** page sees only items that they are assigned to review. For a records management administrator to see all items assigned to all users, and all retention labels that are configured for disposition review: Navigate to **Records management settings** > **General** > **Security group for records manager** to select and then enable a mail-enabled security group that contains the administrator accounts.
Microsoft 365 groups and security groups that aren't mail-enabled doesn't support this feature and wouldn't be displayed in the list to select. If you need to create a new mail-enabled security group, use the link to the Microsoft 365 admin center to create the new group. > [!IMPORTANT]
- > You can't disable this permission or replace the group that you enabled from the compliance center. However, you can enable another mail-enabled security group by using the [Enable-ComplianceTagStorage](/powershell/module/exchange/enable-compliancetagstorage) cmdlet.
- >
- > For example: `Enable-ComplianceTagStorage -RecordsManagementSecurityGroupEmail dispositionreviewers@contosoi.com`
+ > After you have enabled the group, you can't change it in the compliance center. See the next section for how to enable a different group by using PowerShell.
- In preview: The **Records management settings** option is visible only to record management administrators.
+#### Enabling another security group for disposition
+
+After you have enabled a security group for disposition from the **Records management settings** in the Microsoft 365 compliance center, you can't disable this permission for the group or replace the selected group in the compliance center. However, you can enable another mail-enabled security group by using the [Enable-ComplianceTagStorage](/powershell/module/exchange/enable-compliancetagstorage) cmdlet.
+
+For example:
+
+```PowerShell
+Enable-ComplianceTagStorage -RecordsManagementSecurityGroupEmail dispositionreviewers@contosoi.com
+````
+ ### Enable auditing Make sure that auditing is enabled at least one day before the first disposition action. For more information, see [Search the audit log in the Office 365 Security &amp; Compliance Center](search-the-audit-log-in-security-and-compliance.md).
When a disposition review is triggered at the end of the retention period:
- The reviewers you choose receive an email notification that they have content to review. These reviewers can be individual users or mail-enabled security groups. New in preview: - You can customize the email that they receive, including instructions in different languages. For multi-language support, you must specify the translations yourself and this custom text is displayed to all reviewers irrespective of their locale. - Users receive an initial email notification per label at the end of the item's retention period, with a reminder per label once a week of all disposition reviews that they are assigned. They can click the link in the notification and reminder emails to go to the **Disposition** page in the Microsoft 365 compliance center to review the content and take an action. Alternately, the reviewers can go directly to the **Disposition** page in the compliance center.
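Review bot: in the new "Enabling another security group for disposition" section, the code fence opens with three backticks and closes with four, so the block is not terminated and the "### Enable auditing" heading that follows can render as code. Close the fence with three backticks. The example address `dispositionreviewers@contosoi.com` is carried over unchanged from the removed line; check whether `contoso.com` was intended. The renamed setting "Security group for records manager" also sits a few lines from the unchanged "record management administrators", so settle on "records" throughout.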
- - Reviewers see only the disposition reviews that are assigned to them, whereas administrators who are added to the selected Record Manager Security Group see all disposition reviews.
+ - Reviewers see only the disposition reviews that are assigned to them, whereas administrators who are added to the selected security group for records manager see all disposition reviews.
- Reviewers can add new users to the same disposition review. Currently, this action doesn't automatically grant these added users the [required permissions](#permissions-for-disposition). - For the disposition review process, a mini-review pane for each item shows a preview of the content if they have permissions to see it. If they don't have permissions, they can select the content link and request permissions. This mini-review pane also has tabs for additional information about the content: - **Details** to display indexed properties, where it's located, who created it and when, and who last modified it and when.
Example default email notification sent to a reviewer:
Also in preview, you can customize the email messages that are sent to disposition reviewers for the initial notification and then reminders.
-From any of the Disposition pages in the compliance center, select **Record management settings**:
+From any of the Disposition pages in the compliance center, select **Records management settings**:
-![Record management settings](../media/record-management-settings.png)
+![Records management settings](../media/record-management-settings.png)
-Then select the **Email templates** tab, and specify whether you want to use just the default email templates, or add your own text to the default template. Your custom text is added to the email instructions after the information about the retention label and before the next steps instructions.
+Then select the **Disposition notifications** tab, and specify whether you want to use just the default email message, or add your own text to the default message. Your custom text is added to the email instructions after the information about the retention label and before the next steps instructions.
Text for all languages can be added, but formatting and images are currently unsupported. URLs and email addresses can be entered as text and depending on the email client, display as hyperlinks or unformatted text in the customized email.
-Example text to append:
+Example text to add:
```console If you need additional information, visit the helpdesk website (https://support.contoso.com) or send them an email (helpdesk@contoso.com).
Select **Save** to save any changes.
### Viewing and disposing of content
-When a reviewer is notified by email that content is ready to review, they go to the **Disposition** tab from **Records Management** in the Microsoft 365 compliance center. The reviewers can see how many items for each retention label are awaiting disposition with the **Type** displaying **Pending disposition**. They then select a retention label, and **Open in new window** to see all content with that label:
+When a reviewer is notified by email that content is ready to review, they can click a link in the email that takes them directly to the **Disposition** page from **Records management** in the Microsoft 365 compliance center. There, the reviewers can see how many items for each retention label are waiting disposition with the **Type** displaying **Pending disposition**. They then select a retention label, and **Open in new window** to see all content with that label:
![Open in new window for disposition review](../media/open-in-new-window.png)
During a disposition review, the content never moves from its original location,
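Review bot: in the rewritten "Viewing and disposing of content" paragraph, "awaiting disposition" has become "waiting disposition", which drops the preposition. Restore "awaiting disposition" or write "waiting for disposition". The same sentence also says reviewers are taken "to the **Disposition** page from **Records management**", while the next section in this commit still calls it "the **Disposition** tab from the **Records management** page". Pick one of "page" or "tab".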
## Disposition of records
-Use the **Disposition** tab from the **Records Management** page to identify:
+Use the **Disposition** tab from the **Records management** page to identify:
- Items deleted as a result of a disposition review. - Items marked as a record or regulatory record that were automatically deleted at the end of their retention period.
compliance Encryption Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/encryption-sensitivity-labels.md
When you use this encryption solution, the **super user** feature ensures that a
4. On the **Encryption** page of the wizard, select one of the following options:
- - **Remove encryption if the file is encrypted**: For more information about this scenario, see the [What happens to existing encryption when a label's applied](#what-happens-to-existing-encryption-when-a-labels-applied) section. It's important to understand that this setting can result in a sensitivity label that users might not be able to apply when they don't have sufficient permissions.
+ - **Remove encryption if the file is encrypted**: This option is supported by the Azure Information Protection unified labeling client only. When you select this option and use built-in labeling, the label might not display in apps, or display and not make any encryption changes.
+
+ For more information about this scenario, see the [What happens to existing encryption when a label's applied](#what-happens-to-existing-encryption-when-a-labels-applied) section. It's important to understand that this setting can result in a sensitivity label that users might not be able to apply when they don't have sufficient permissions.
- **Configure encryption settings**: Turns on encryption and makes the encryption settings visible:
However, the content might be already encrypted. For example, another user might
The following table identifies what happens to existing encryption when a sensitivity label is applied to that content:
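Review bot: the sentence added to "Remove encryption if the file is encrypted" ends with "the label might not display in apps, or display and not make any encryption changes", and it is unclear what the subject of the second clause is. State both outcomes explicitly, for example "the label might not be displayed in apps, or it might be displayed but not change the encryption". The relocated "For more information about this scenario" paragraph is now separated from the bullet by a blank line, so check that its indentation keeps it inside the list item.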
-| | Encryption: Not selected | Encryption: Configured | Encryption: Remove |
+| | Encryption: Not selected | Encryption: Configured | Encryption: Remove <sup>\*</sup> |
|:--|:--|:--|:--| |**Permissions specified by a user**|Original encryption is preserved|New label encryption is applied|Original encryption is removed| |**Protection template**|Original encryption is preserved|New label encryption is applied|Original encryption is removed| |**Label with administator-defined permissions**|Original encryption is removed|New label encryption is applied|Original encryption is removed|
-Note that in the cases where the new label encryption is applied or the original encryption is removed, this happens only if the user applying the label has a usage right or role that supports this action:
+**Footnote:**
+
+<sup>\*</sup>
+Supported by the Azure Information Protection unified labeling client only
+
+In the cases where the new label encryption is applied or the original encryption is removed, this happens only if the user applying the label has a usage right or role that supports this action:
- The [usage right](/azure/information-protection/configure-usage-rights#usage-rights-and-descriptions) Export or Full Control. - The role of [Rights Management issuer or Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner), or [super user](/azure/information-protection/configure-super-users).
When either of these options are applied to an email, the email is encrypted and
- **Do Not Forward**: Recipients cannot forward the email, print it, or copy from it. For example, in the Outlook client, the Forward button is not available, the Save As and Print menu options are not available, and you cannot add or change recipients in the To, Cc, or Bcc boxes.
- For more information about how this option works, see [Do Not Forward option for emails](https://docs.microsoft.com/azure/information-protection/configure-usage-rights#do-not-forward-option-for-emails).
+ For more information about how this option works, see [Do Not Forward option for emails](/azure/information-protection/configure-usage-rights#do-not-forward-option-for-emails).
- **Encrypt-Only**: Recipients have all usage rights except Save As, Export and Full Control. This combination of usage rights means that the recipients have no restrictions except that they cannot remove the protection. For example, a recipient can copy from the email, print it, and forward it.
- For more information about how this option works, see [Encrypt-only option for emails](https://docs.microsoft.com/azure/information-protection/configure-usage-rights#encrypt-only-option-for-emails).
+ For more information about how this option works, see [Encrypt-only option for emails](/azure/information-protection/configure-usage-rights#encrypt-only-option-for-emails).
Unencrypted Office documents that are attached to the email automatically inherit the same restrictions. For Do Not Forward, the usage rights applied to these documents are Edit Content, Edit; Save; View, Open, Read; and Allow Macros. If the user wants different usage rights for an attachment, or the attachment is not an Office document that supports this inherited protection, the user needs to encrypt the file before attaching it to the email.
compliance Endpoint Dlp Configure Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-configure-proxy.md
f1.keywords:
Previously updated : 07/21/2020 Last updated : audience: ITPro f1_keywords:
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
For a more consistent label experience with meaningful reporting, provide approp
- Keys *DisableEncryptOnly* and *DisableDoNotForward* security settings documented in [Set preferences for Outlook for Mac](/DeployOffice/mac/preferences-outlook) - Outlook on the web: - Parameters *SimplifiedClientAccessDoNotForwardDisabled* and *SimplifiedClientAccessEncryptOnlyDisabled* documented for [Set-IRMConfiguration](/powershell/module/exchange/set-irmconfiguration)
+ - Outlook for iOS and Android: These apps don't support users applying encryption without labels, so nothing to disable.
> [!NOTE] > If users manually remove encryption from a labeled document that's stored in SharePoint or OneDrive and you've [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md), the label encryption will be automatically restored the next time the document is accessed or downloaded.
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
In addition to using [sensitivity labels](sensitivity-labels.md) to classify and
- External user access - External sharing from SharePoint sites - Access from unmanaged devices
+- Authentication contexts (in preview)
> [!IMPORTANT]
-> The **Access from unmanaged devices** setting works in conjunction with the SharePoint feature to [control access from unmanaged devices](/sharepoint/control-access-from-unmanaged-devices). You must configure this dependent SharePoint feature to use a sensitivity label that has this setting configured. Additional information is included in the instructions that follow.
+> The settings for unmanaged devices and authentication contexts work in conjunction with Azure Active Directory Conditional Access. You must configure this dependent feature if you want to use a sensitivity label for these settings. Additional information is included in the instructions that follow.
When you apply this sensitivity label to a supported container, the label automatically applies the classification and configured protection settings to the site or group.
Content in these containers however, do not inherit the labels for the classific
## Using sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites
-Before you enable sensitivity labels for containers and configure sensitivity labels for the new settings, users could see and apply sensitivity labels in their apps. For example, from Word:
+Before you enable sensitivity labels for containers and configure sensitivity labels for the new settings, users can see and apply sensitivity labels in their apps. For example, from Word:
![A sensitivity label displayed in the Word desktop app](../media/sensitivity-label-word.png)
After you enable and configure sensitivity labels for containers, users can addi
## How to enable sensitivity labels for containers and synchronize labels
+If you haven't yet enabled sensitivity labels for containers, do the following set of steps as a one-time procedure:
+ 1. Because this feature uses Azure AD functionality, follow the instructions from the Azure AD documentation to enable sensitivity label support: [Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory](/azure/active-directory/users-groups-roles/groups-assign-sensitivity-labels). 2. You now need to synchronize your sensitivity labels to Azure AD. First, [connect to Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
After you enable and configure sensitivity labels for containers, users can addi
## How to configure groups and site settings
-Enabling sensitivity labels for containers means that you can now configure protection settings for groups and sites in the sensitivity labeling wizard. Until you enable this support, the settings are visible in the wizard but you can't configure them.
+After sensitivity labels are enabled for containers as described in the previous section, you can then configure protection settings for groups and sites in the sensitivity labeling wizard. Until sensitivity labels are enabled for containers, the settings are visible in the wizard but you can't configure them.
1. Follow the general instructions to [create or edit a sensitivity label](create-sensitivity-labels.md#create-and-configure-sensitivity-labels) and make sure you select **Groups & sites** for the label's scope:
Enabling sensitivity labels for containers means that you can now configure prot
2. Then, on the **Define protection settings for groups and sites** page, select one or both of the available options: - **Privacy and external user access settings** to configure the **Privacy** and **External users access** settings.
- - **Device access and external sharing settings** to configure the **Control external sharing from labeled SharePoint sites** and **Access from unmanaged devices** setting.
+ - **External sharing and Conditional Access settings** to configure the **Control external sharing from labeled SharePoint sites** and **Use Azure AD Conditional Access to protect labeled SharePoint sites** setting.
3. If you selected **Privacy and external user access settings**, now configure the following settings:
Enabling sensitivity labels for containers means that you can now configure prot
- **External user access**: Control whether the group owner can [add guests to the group](/office365/admin/create-groups/manage-guest-access-in-groups).
-4. If you selected **Device access and external sharing setting**, now configure the following settings:
+4. If you selected **Device external sharing and device access settings**, now configure the following settings:
- **Control external sharing from labeled SharePoint sites**: Select this option to then select either external sharing for anyone, new and existing guests, existing guests, or only people in your organization. For more information about this configuration and settings, see the SharePoint documentation, [Turn external sharing on or off for a site](/sharepoint/change-external-sharing-site).
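Review bot: step 4 now reads "If you selected **Device external sharing and device access settings**", but step 2 in the same commit names that option "**External sharing and Conditional Access settings**". A reader following the steps will not find the label that step 4 refers to. Use the step 2 name in step 4, and verify both against the current wizard text.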
- - **Access from unmanaged devices**: This option uses the SharePoint feature that uses Azure AD conditional access to block or limit access to SharePoint and OneDrive content from unmanaged devices. For more information, see [Control access from unmanaged devices](/sharepoint/control-access-from-unmanaged-devices) from the SharePoint documentation. The option you specify for this label setting is the equivalent of running a PowerShell command for a site, as described in steps 3-5 from the [Block or limit access to a specific SharePoint site or OneDrive](/sharepoint/control-access-from-unmanaged-devices#block-or-limit-access-to-a-specific-sharepoint-site-or-onedrive) section from the SharePoint instructions.
-
- For additional information, see [More information about the dependencies for the unmanaged devices option](#more-information-about-the-dependencies-for-the-unmanaged-devices-option) at the end of this section.
+ - **Use Azure AD Conditional Access to protect labeled SharePoint sites**: Select this option only if your organization has configured and is using [Azure Active Directory Conditional Access](/azure/active-directory/conditional-access/overview). Then, select one of the following settings:
+
+ - **Determine whether users can access SharePoint sites from unmanaged devices**: This option uses the SharePoint feature that uses Azure AD Conditional Access to block or limit access to SharePoint and OneDrive content from unmanaged devices. For more information, see [Control access from unmanaged devices](/sharepoint/control-access-from-unmanaged-devices) from the SharePoint documentation. The option you specify for this label setting is the equivalent of running a PowerShell command for a site, as described in steps 3-5 from the [Block or limit access to a specific SharePoint site or OneDrive](/sharepoint/control-access-from-unmanaged-devices#block-or-limit-access-to-a-specific-sharepoint-site-or-onedrive) section from the SharePoint instructions.
+
+ For additional configuration information, see [More information about the dependencies for the unmanaged devices option](#more-information-about-the-dependencies-for-the-unmanaged-devices-option) at the end of this section.
+
+ - **Choose an existing authentication context**: Currently in preview, this option lets you enforce more stringent access conditions when users access SharePoint sites that have this label applied. These conditions are enforced when you select an existing authentication context that has been created and published for your organization's Conditional Access deployment. If users don't meet the configured conditions or if they use apps that don't support authentication contexts, they are denied access.
+
+ For additional configuration information, see [More information about the dependencies for the authentication context option](#more-information-about-the-dependencies-for-the-authentication-context-option) at the end of this section.
+
+ Examples for this label configuration:
+
+ - You choose an authentication context that is configured to require [multi-factor authentication (MFA)](/azure/active-directory/conditional-access/untrusted-networks). This label is then applied to a SharePoint site that contains highly confidential items. As a result, when users from an untrusted network attempt to access a document in this site, they see the MFA prompt that they must complete before they can access the document.
+
+ - You choose an authentication context that is configured for [terms of use (ToU) policies](/azure/active-directory/conditional-access/terms-of-use). This label is then applied to a SharePoint site that contains items that require a terms of use acceptance for legal or compliance reasons. As a result, when users attempt to access a document in this site, they see a terms of use document that they must accept before they can access the original document.
> [!IMPORTANT] > Only these site and group settings take effect when you apply the label to a team, group, or site. If the [label's scope](sensitivity-labels.md#label-scopes) includes files and emails, other label settings such as encryption and content marking aren't applied to the content within the team, group, or site.
For example, if your tenant is configured for **Allow limited, web-only access**
Because you can configure the SharePoint settings separately from the label configuration, there's no check in the sensitivity label wizard that the dependencies are in place. These dependencies can be configured after the label is created and published, and even after the label is applied. However, if the label is already applied, the label setting won't take effect until after the user next authenticates.
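Review bot: The added step 4 line names the option **Device external sharing and device access settings**, which does not match the name the added step 2 bullet gives it, **External sharing and Conditional Access settings**. Use the same name in both places so readers can match the step to the option they selected. The added step 2 bullet also ends with "setting" after naming two settings; "settings" is the correct form.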
+##### More information about the dependencies for the authentication context option
+
+To display in the drop-down list for selection, authentication contexts must be created, configured, and published as part of your Azure Active Directory Condition Access configuration. For more information and instructions, see the [Configure authentication contexts](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#configure-authentication-contexts) section from the Azure AD Conditional Access documentation.
+
+Not all apps support authentication contexts. If a user with an unsupported app connects to the site that's configured for an authentication context, they see either an access denied message or they are prompted to authenticate but rejected. The apps that currently support authentication contexts:
+
+- Office for the web, which includes Outlook for the web
+
+- Microsoft Planner
+
+- Microsoft 365 Apps for Word, Excel, and PowerPoint; minimum versions:
+ - Windows: 2103
+ - macOS: 16.45.1202
+ - iOS: 2.48.303
+ - Android: 16.0.13924.10000
+
+- Microsoft 365 Apps for Outlook; minimum versions:
+ - Windows: 2103
+ - macOS: 16.45.1202
+ - iOS: 4.2109.0
+ - Android: 4.2025.1
+
+- OneDrive sync app, minimum versions:
+ - Windows: 21.002
+ - macOS: 21.002
+ - iOS: Rolling out in 12.30
+ - Android: Not yet supported
+
+Known limitations for this preview:
+
+- For the OneDrive sync app, supported for OneDrive only and not for other sites.
+
+- The following features and apps might be incompatible with authentication contexts, so we encourage you to check that these continue to work after a user successfully accesses a site by using an authentication context:
+
+ - Workflows that use PowerApps or Power Automate
+ - Third-party apps
+ ## Sensitivity label management Use the following guidance for when you create, modify, or delete sensitivity labels that are configured for sites and groups.
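Review bot: In the first paragraph of the added authentication context section, "Azure Active Directory Condition Access configuration" should read "Conditional Access", as the link text later in the same sentence has it. In the app list, "OneDrive sync app, minimum versions:" uses a comma where the two entries before it use a semicolon, and "iOS: Rolling out in 12.30" will go stale quickly, so consider replacing it with a minimum version once one is fixed.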
contentunderstanding Solution Manage Contracts Step1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step1.md
audience: admin Previously updated : 05/10/2021 Last updated : 05/17/2021 ms.prod: microsoft-365-enterprise search.appverid: localization_priority: None
Your organization needs a way to identify and classify all contract documents fr
## Steps to create and train your model
+> [!NOTE]
+> For these steps, you can use the example files in the [Microsoft SharePoint Syntex Samples repository](https://github.com/pnp/syntex-samples). The samples in this repository contain both the document understanding model files and the files used to train the model.
+ ### Create a Contract model The first step is to create your Contract model.
enterprise Use Windows Powershell To Create Reports In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-windows-powershell-to-create-reports-in-microsoft-365.md
These articles describe how to use PowerShell for Microsoft 365 to get informati
- [Use Exchange Online PowerShell to display mailbox](/exchange/recipients-in-exchange-online/manage-user-mailboxes/use-powershell-to-display-mailbox-information)
-## Related articlesl
+## Related articles
[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)
includes Office 365 Germany Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-germany-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Germany endpoints version 2020120100-->
-<!--File generated 2021-05-16 11:01:00.1114-->
+<!--File generated 2021-05-18 11:00:55.7922-->
## Exchange Online
includes Office 365 Operated By 21Vianet Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-operated-by-21vianet-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--China endpoints version 2021032900-->
-<!--File generated 2021-05-16 11:00:54.9265-->
+<!--File generated 2021-05-18 11:00:53.9210-->
## Exchange Online
includes Office 365 U.S. Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-dod-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovDoD endpoints version 2021042900-->
-<!--File generated 2021-05-16 11:00:49.0265-->
+<!--File generated 2021-05-18 11:00:49.3704-->
## Exchange Online
includes Office 365 U.S. Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-gcc-high-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovGCCHigh endpoints version 2021012800-->
-<!--File generated 2021-05-16 11:00:53.8427-->
+<!--File generated 2021-05-18 11:00:51.2964-->
## Exchange Online
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Worldwide endpoints version 2021042900-->
-<!--File generated 2021-05-14 11:00:43.1204-->
+<!--File generated 2021-05-18 11:00:40.2686-->
## Exchange Online
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
ms.sitesec: library
localization_priority: Normal Previously updated : 04/30/2021 Last updated : 05/18/2021
> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways:
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Create a subtask or role files that contribute to a playbook or task.
when: not mdatp_onboard.stat.exists ``` -- Add the Defender for Endpoint repository and key.
+- Add the Defender for Endpoint repository and key, `add_apt_repo.yml`:
Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
When upgrading your operating system to a new major version, you must first unin
- [Manage apt-packages](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html) ## See also-- [Investigate agent health issues](health-status.md)
+- [Investigate agent health issues](health-status.md)
security Advanced Hunting Expert Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-expert-training.md
Get more expert training with *L33TSP3AK: Advanced hunting in Microsoft 365 Defe
| Title | Description | Watch | Queries | |--|--|--|--|
-| Episode 1 | In this episode, you will learn different best practices in running advanced hunting queries. Among the topics covered are: how to optimize your queries, use advanced hunting for ransomware, handle JSON as a dynamic type, and work with external data operators. | [YouTube](https://www.youtube.com/watch?v=nMGbK-ALaVg&feature=youtu.be) (56:34) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/l33tSpeak/Performance%2C%20Json%20and%20dynamics%20operator%2C%20external%20data.txt)
+| Episode 1 | In this episode, you will learn different best practices in running advanced hunting queries. Among the topics covered are: how to optimize your queries, use advanced hunting for ransomware, handle JSON as a dynamic type, and work with external data operators. | [YouTube](https://www.youtube.com/watch?v=nMGbK-ALaVg&feature=youtu.be) (56:34) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/l33tSpeak/Performance%2C%20Json%20and%20dynamics%20operator%2C%20external%20data.txt) |
+| Episode 2 | In this episode, you will learn how to investigate and respond to suspicious or unusual logon locations and data exfiltration via inbox forwarding rules. Sebastien Molendijk, Senior Program Manager for Cloud Security CxE, shares how to use advanced hunting to investigate multi-stage incidents with Microsoft Cloud App Security data. | [YouTube](https://www.youtube.com/watch?v=QaUxdtNfbd8) (57:07) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/l33tSpeak/MCAS%20-%20The%20Hunt.txt)
## How to use the CSL file
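Review bot: The added Episode 2 row has no closing `|`, even though this same change adds the closing `|` to the Episode 1 row. End the Episode 2 row with ` |` so both table rows are delimited the same way.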
security First Incident Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-prepare.md
Microsoft 365 Defender can help address several aspects of incident prevention:
## Step 1. Implement Zero Trust
-[Zero Trust](https://docs.microsoft.com/security/zero-trust/) is an integrated security philosophy and end-to-end strategy that considers the complex nature of any modern environment, including the mobile workforce and the users, devices, applications and data, wherever they may be located. By providing a single pane of glass to manage all endpoint detections in a consistent way, Microsoft 365 Defender can make it easier for your security operations team to implement the [guiding principles](https://docs.microsoft.com/security/zero-trust/#guiding-principles-of-zero-trust) of Zero Trust.
+[Zero Trust](https://docs.microsoft.com/security/zero-trust/) is an integrated security philosophy and end-to-end strategy that considers the complex nature of any modern environment, including the mobile workforce and the users, devices, applications and data, wherever they may be located. By providing a single pane of glass to manage all detections in a consistent way, Microsoft 365 Defender can make it easier for your security operations team to implement the [guiding principles](https://docs.microsoft.com/security/zero-trust/#guiding-principles-of-zero-trust) of Zero Trust.
Components of Microsoft 365 Defender can display violations of rules that have been implemented to establish Conditional Access policies for Zero Trust by integrating data from Microsoft Defender for Endpoint (MDE) or other mobile security vendors as an information source for device compliance policies and implementation of device-based Conditional Access policies.
Use [threat analytics](threat-analytics.md) in the Microsoft 365 security center
- Common attack surfaces - Prevalent malware
+Threat analytics also looks at your configuration and alerts to determine how at-risk you are and if there are active alerts applicable to a report.
+ You can implement the recommendations of an emerging threat to strengthen your security posture and minimize your attack surface area. Make time in your schedule to regularly check the [Threat Analytics](threat-analytics.md) section of the Microsoft 365 security center.
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
On an ongoing basis, identify the highest priority incidents for analysis and re
3. As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident.
-4. [Resolve](manage-incidents.md#resolve-incident) the incident and take time for post-incident learning to:
+4. [Resolve](manage-incidents.md#resolve-an-incident) the incident and take time for post-incident learning to:
- Understand the type of the attack and its impact. - Research the attack in [Threat Analytics](threat-analytics.md) and the security community for a security attack trend.
If you are new to security analysis, see the [introduction to responding to your
Here's an example of security operations for Microsoft 365 Defender. Daily tasks can include:
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
Title: Investigate users in Microsoft 365 security center
-description: Investigate users in the Microsoft 365 security center
+ Title: Investigate users in Microsoft 365 Defender
+description: Investigate users for an incident in the Microsoft 365 security center.
keywords: security, malware, Microsoft 365, M365, security center, monitor, report, identities, data, devices, apps, incident, analyze, response ms.prod: m365-security ms.mktglfcycl: deploy
search.appverid: met150
ms.technology: m365d
-# Investigate users in Microsoft 365 security center
+# Investigate users in Microsoft 365 Defender
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
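Review bot: The added description still says "in the Microsoft 365 security center" while the added title and H1 now say "Microsoft 365 Defender"; use one product name across the metadata and the heading, or state why they differ. The added "Title:" line also begins with a space, and the earlier "Title:" line is not shown as removed, so check that the front matter does not end up with two titles.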
security M365d Autoir Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-actions.md
If youΓÇÖve determined that a device or a file is not a threat, you can undo rem
## Next steps - [View the details and results of an automated investigation](m365d-autoir-results.md)-- [Address false positives or false negatives)](m365d-autoir-report-false-positives-negatives.md)
+- [Address false positives or false negatives](m365d-autoir-report-false-positives-negatives.md)
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
You manage incidents from **Incidents & alerts > Incidents** on the quick launch
Here are the ways you can manage your incidents: -- Change the incident name-- Add incident tags.-- Assign the incident to a user account-- Resolve them -- Set its classification and determination-- Add comments.
+- [Edit the incident name](#edit-the-incident-name)
+- [Add incident tags](#add-incident-tags)
+- [Assign the incident to a user account](#assign-incidents)
+- [Resolve them](#resolve-an-incident)
+- [Set its classification and determination](#set-the-classification-and-determination)
+- [Add comments](#add-comments)
You can manage incidents from the **Manage incident** pane for an incident. Here's an example.
You can display this pane from the **Manage incident** link on the:
- Properties pane of an incident in the incident queue. - **Summary** page of an incident.
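Review bot: In the added link list, "Resolve them" and "Set its classification and determination" refer to the incident with different pronouns, while the first three items say "the incident". Reword these two as "Resolve the incident" and "Set the classification and determination" so the list reads consistently and each link stands on its own.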
-In cases where, while analyzing you would like to move alerts from one incident to another, you can also do so from the **Alerts** tab, thus creating a larger or smaller incident that includes all relevant alerts.
+In cases where you want to move alerts from one incident to another, you can also do so from the **Alerts** tab, thus creating a larger or smaller incident that includes all relevant alerts.
## Edit the incident name
When you start typing, you have the option to select from a list of selected tag
If an incident has not yet been assigned, you can select **Assign to** and specify the user account. Doing so assigns ownership of the incident and all the alerts associated with it.
-## Resolve incident
+## Resolve an incident
If the incident has been remediated, select **Resolve incident** to move the toggle to the right. Note that resolving an incident also resolves all the linked and active alerts related to the incident.
security Anti Phishing Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection.md
With the growing complexity of attacks, it's even difficult for trained users to
EOP (that is, Microsoft 365 organizations without Microsoft Defender for Office 365) contains features that can help protect your organization from phishing threats: -- **Spoof intelligence**: Review spoofed messages from senders in internal and external domains, and allow or block those senders. For more information, see [Configure spoof intelligence in EOP](learn-about-spoof-intelligence.md).
+- **Spoof intelligence**: Use the spoof intelligence insight to review detected spoofed senders in messages from external and internal domains, and manually allow or block those detected senders. For more information, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
-- **Anti-phishing policies in EOP**: Turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and specify the action for blocked spoofed senders (move to Junk Email folder or quarantine). For more information, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
+- **Anti-phishing policies in EOP**: Turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and specify the action for blocked spoofed senders. For more information, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
+
+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list.md).
- **Implicit email authentication**: EOP enhances standard email authentication checks for inbound email ([SPF](set-up-spf-in-office-365-to-help-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md)) with sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques to help identify forged senders. For more information, see [Email authentication in Microsoft 365](email-validation-and-authentication.md).
EOP (that is, Microsoft 365 organizations without Microsoft Defender for Office
Microsoft Defender for Office 365 contains additional and more advanced anti-phishing features: -- **Anti-phishing policies in Microsoft Defender for Office 365**: Create new custom policies, configure anti-impersonation settings (protect users and domains from impersonation), mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md). For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).
+- **Anti-phishing policies in Microsoft Defender for Office 365**: Configure impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md). For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).
- **Campaign Views**: Machine learning and other heuristics identify and analyze messages that are involved in coordinated phishing attacks against the entire service and your organization. For more information, see [Campaign Views in Microsoft Defender for Office 365](campaigns.md).
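Review bot: The added Tenant Allow/Block List bullet says "spoofed senders" in its title and first sentence but "spoof senders" in the second ("allow or block entries for spoof senders"); use "spoofed senders" throughout. The reworded **Anti-phishing policies in EOP** bullet also drops the available actions (move to Junk Email folder or quarantine) without saying where they are now described, so consider linking to the section that lists them.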
security Anti Spam Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection.md
The anti-spam settings in EOP are made of the following technologies:
- **Connection filtering**: Identifies good and bad email source servers early in the inbound email connection via the IP Allow List, IP Block List, and the *safe list* (a dynamic but non-editable list of trusted senders maintained by Microsoft). You configure these settings in the connection filter policy. Learn more at [Configure connection filtering](configure-the-connection-filter-policy.md).
- > [!NOTE]
- > Spoof intelligence uses connection filtering to create allow and block lists of senders who are spoofing your email domain. For more information, see [Learn more about spoof intelligence in Microsoft 365](learn-about-spoof-intelligence.md).
- - **Spam filtering (content filtering)**: EOP uses the spam filtering verdicts **Spam**, **High confidence spam**, **Bulk email**, **Phishing email** and **High confidence phishing email** to classify messages. You can configure the actions to take based on these verdicts, and you can configure the end-user notification options for messages that were quarantined instead of delivered. For more information, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md). > [!NOTE]
The anti-spam settings in EOP are made of the following technologies:
- **Outbound spam filtering**: EOP also checks to make sure that your users don't send spam, either in outbound message content or by exceeding outbound message limits. For more information, see [Configure outbound spam filtering in Microsoft 365](configure-the-outbound-spam-policy.md). -- **Spoof intelligence**: For more information, see [Learn more about spoof intelligence in Microsoft 365](learn-about-spoof-intelligence.md).
+- **Spoof intelligence**: For more information, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
## Manage errors in spam filtering
security Anti Spoofing Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-protection.md
When it comes to protecting its users, Microsoft takes the threat of phishing se
The following anti-spoofing technologies are available in EOP: -- **Spoof intelligence**: Review spoofed messages from senders in internal and external domains, and allow or block those senders. For more information, see [Configure spoof intelligence in Microsoft 365](learn-about-spoof-intelligence.md).
+- **Email authentication**: An integral part of any anti-spoofing effort is the use of email authentication (also known as email validation) by SPF, DKIM, and DMARC records in DNS. You can configure these records for your domains so destination email systems can check the validity of messages that claim to be from senders in your domains. For inbound messages, Microsoft 365 requires email authentication for sender domains. For more information, see [Email authentication in Microsoft 365](email-validation-and-authentication.md).
-- **Anti-phishing policies**: In EOP, anti-phishing policies allow you to turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and specify the action for blocked spoofed senders (move to the Junk Email folder or quarantine). Advanced anti-phishing policies that are available in Microsoft Defender for Office 365 also contain anti-impersonation settings (protected senders and domains), mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).
+ EOP analyzes and blocks messages that can't be authenticated by the combination of standard email authentication methods and sender reputation techniques.
-- **Email authentication**: An integral part of any anti-spoofing effort is the use of email authentication (also known as email validation) by SPF, DKIM, and DMARC records in DNS. You can configure these records for your domains so destination email systems can check the validity of messages that claim to be from senders in your domains. For inbound messages, Microsoft 365 requires email authentication for sender domains. For more information, see [Email authentication in Microsoft 365](email-validation-and-authentication.md).
+ ![EOP anti-spoofing checks](../../media/eop-anti-spoofing-protection.png)
+
+- **Spoof intelligence insight**: Review spoofed messages from senders in internal and external domains during the last 7 days, and allow or block those senders. For more information, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
+
+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list.md).
+
+- **Anti-phishing policies**: In EOP, anti-phishing policies contain the following anti-spoofing settings:
+ - Turn spoof intelligence on or off.
+ - Turn unauthenticated sender identification in Outlook on or off.
+ - Specify the action for blocked spoofed senders.
-As of October 2018, anti-spoofing protection is available in EOP.
+ For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
-EOP analyzes and blocks messages that can't be authenticated by the combination of standard email authentication methods and sender reputation techniques.
+ **Note**: Anti-phishing policies in Microsoft Defender for Office 365 contain addition protections, including **impersonation** protection. For more information, see [Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
-![EOP anti-spoofing checks](../../media/eop-anti-spoofing-protection.png)
+- **Spoof detections report**: For more information, see [Spoof Detections report](view-email-security-reports.md#spoof-detections-report).
+
+ **Note**: Defender for Office 365 organizations can also use Real-time detections (Plan 1) or Threat Explorer (Plan 2) to view information about phishing attempts. For more information, see [Microsoft 365 threat investigation and response](office-365-ti.md).
## How spoofing is used in phishing attacks
Microsoft differentiates between two different types of spoofed messages:
For more information about DMARC, see [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).
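Review bot: In the added note under the **Anti-phishing policies** bullet, "contain addition protections" should be "additional protections". The added Tenant Allow/Block List bullet also switches from "spoofed senders" to "spoof senders" in its second sentence; keep "spoofed senders" for consistency with the bullet title.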
-## Reports of how many messages were marked as spoofed
-
-EOP organizations can use the **Spoof detections** report in the Reports dashboard in the Security & Compliance Center. For more information, see [Spoof Detections report](view-email-security-reports.md#spoof-detections-report).
-
-Microsoft Defender for Office 365 organization can use Threat Explorer in the Security & Compliance Center to view information about phishing attempts. For more information, see [Microsoft 365 threat investigation and response](office-365-ti.md).
- ## Problems with anti-spoofing protection Mailing lists (also known as discussion lists) are known to have problems with anti-spoofing due to the way they forward and modify messages.
To help mailing list messages pass anti-spoofing checks, do following steps base
When enough senders reply back to domain owners that they should set up email authentication records, it spurs them into taking action. While Microsoft also works with domain owners to publish the required records, it helps even more when individual users request it.
- - Create inbox rules in your email client to move messages to the Inbox. You can also ask your admins to configure overrides as discussed in the [Use spoof intelligence to configure permitted senders of unauthenticated email](email-validation-and-authentication.md#use-spoof-intelligence-to-configure-permitted-senders-of-unauthenticated-email).
+ - Create inbox rules in your email client to move messages to the Inbox. You can also ask your admins to configure overrides as described in [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md) and [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
- Create a support ticket with Microsoft 365 to create an override for the mailing list to treat it as legitimate. For more information, see [Contact support for business products - Admin Help](../../business-video/get-help-support.md).
security Best Practices For Configuring Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/best-practices-for-configuring-eop.md
These settings cover a range of features that are outside of security policies.
|Authenticated SMTP submission|Disabled|Disabled|Authenticated client SMTP submission (also known as client SMTP submission or SMTP AUTH) is required for POP3 and IMAP4 clients and applications and devices that generate and send email. <p> For instructions to enable and disable SMTP AUTH globally or selectively, see [Enable or disable authenticated client SMTP submission in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission).| |EWS connectivity to mailbox|Disabled|Disabled|Outlook uses Exchange Web Services for free/busy, out-of-office settings, and calendar sharing. If you can't disable EWS globally, you have the following options: <ul><li>Use [Authentication policies](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online) to prevent EWS from using Basic authentication if your clients support modern authentication (modern auth).</li><li>Use [Client Access Rules](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) to limit EWS to specific users or source IP addresses.</li><li>Control EWS access to specific applications globally or per user. For instructions, see [Control access to EWS in Exchange](/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange).</li></ul> <p> The [Report message add-in](enable-the-report-message-add-in.md) and the [Report phishing add-in](enable-the-report-phish-add-in.md) uses REST by default in supported environments, but will fall back to EWS if REST isn't available. 
The supported environments that use REST are:<ul><li>Exchange Online</li><li>Exchange 2019 or Exchange 2016</li><li>Current Outlook for Windows from a Microsoft 365 subscription or one-time purchase Outlook 2019.</li><li>Current Outlook for Mac from a Microsoft 365 subscription or one-time purchase Outlook for Mac 2016 or later.</li><li>Outlook for iOS and Android</li><li>Outlook on the web</li></ul>| |[PowerShell connectivity](/powershell/exchange/disable-access-to-exchange-online-powershell)|Disabled|Disabled|Available for mailbox users or mail users (user objects returned by the [Get-User](/powershell/module/exchange/get-user) cmdlet).|
-|Use [spoof intelligence](learn-about-spoof-intelligence.md) to add senders to your allow list|Yes|Yes||
+|Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md)to add senders to your allow list|Yes|Yes||
|[Directory-Based Edge Blocking (DBEB)](/Exchange/mail-flow-best-practices/use-directory-based-edge-blocking)|Enabled|Enabled|Domain Type = Authoritative| |[Set up multi-factor authentication for all admin accounts](../../admin/security-and-compliance/set-up-multi-factor-authentication.md)|Enabled|Enabled|| |
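Review bot: The added table row is missing a space after the Tenant Allow/Block List link: `(tenant-allow-block-list.md)to add senders` renders as "Tenant Allow/Block Listto add senders". Insert a space before "to".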
security Bulk Complaint Level Values https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/bulk-complaint-level-values.md
Bulk mailers vary in their sending patterns, content creation, and recipient acq
Spam filtering marks messages as **Bulk email** based on the BCL threshold (the default value or a value you specify) and takes the specified action on the message (the default action is deliver the message to the recipient's Junk Email folder). For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md) and [What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md)
+You can use the Tenant Allow/Block List to configure exceptions for bulk mail filtering. Messages from senders in the specified domains don't receive the action for the **Bulk email** spam filtering verdict in anti-spam policies. For more information, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+ The BCL thresholds are described in the following table. ****
security Configuration Analyzer For Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md
The following types of policies are analyzed by the configuration analyzer:
- [Anti-spam policies](configure-your-spam-filter-policies.md). - [Anti-malware policies](configure-anti-malware-policies.md).
- - [EOP Anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
+ - [EOP anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
- **Microsoft Defender for Office 365 policies**: This includes organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
Use the following procedures to modify anti-phishing policies: a new policy that
When you're finished, click **Save** on any page.
-5. **Spoof**: Click **Edit** to turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and configure the action to apply to messages from blocked spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
+5. **Spoof**: Click **Edit** to turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and configure the action to apply to messages from blocked spoofed senders. For more information about these settings, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
Note that these same settings are also available in anti-phishing policies in Defender for Office 365.
- - **Spoofing filter settings**: The default value is **On**, and we recommend that you leave it on. To turn it off, slide the toggle to **Off**. For more information, see [Configure spoof intelligence in EOP](learn-about-spoof-intelligence.md).
+ - **Spoofing filter settings**: Use the **Enable spoof intelligence?** setting to turn spoof intelligence on or off. The default value is **On**, and we recommend that you leave it on. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
> [!NOTE]
- > You don't need to disable anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
+ > You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
- - **Enable Unauthenticated Sender feature**: The default value is **On**. To turn it off, slide the toggle to **Off**.
+ - **Unauthenticated sender settings**: You can configure the following settings:
+ - **Enable unauthenticated sender question mark (?) symbol?**: This settings adds question mark to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication). The default value is **On**. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
+ - **Enable "via" tag?**: This setting adds a via tag (chris@contoso.com via fabrikam.com) is different from the domain in the DKIM signature or the **MAIL FROM** address. The default value is **On**. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
- - **Actions**: Specify the action to take on messages that fail spoof intelligence:
+ - **Actions**: Specify the action to take on messages from blocked spoofed senders:
**If email is sent by someone who's not allowed to spoof your domain**:
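Review bot: The added **Enable "via" tag?** description has lost its condition: "adds a via tag (chris@contoso.com via fabrikam.com) is different from the domain in the DKIM signature" leaves "is different" without a subject. The matching line in configure-mdo-anti-phishing-policies.md reads "if the email address in the From box is different from the domain in the DKIM signature or the **MAIL FROM** address"; use that wording here. In the added line above it, "This settings adds question mark" should be "This setting adds a question mark".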
Use the following procedures to modify anti-phishing policies: a new policy that
- You can click **Edit** in each section to jump back to the relevant page. - You can toggle the following settings **On** or **Off** directly on this page:-
- - **Enable antispoofing protection**
- - **Enable Unauthenticated Sender feature**
+ - **Spoof filter settings**
+ - **Unauthenticated sender settings**
+ - **Actions**
When you're finished, click **Save** on any page.
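Review bot: The unchanged lead-in says the listed settings can be toggled **On** or **Off** on this page, but the added **Actions** item is described earlier in this file as "Specify the action to take on messages from blocked spoofed senders", which is a selection rather than a toggle. Either reword the lead-in or confirm that **Actions** belongs in this list. The added label **Spoof filter settings** also differs from **Spoofing filter settings** used in the Spoof step; pick one.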
The default anti-phishing policy is named Office365 AntiPhish Default, and it do
2. On the **Anti-phishing** page, click **Default policy**.
-3. The **Edit your policy Office365 AntiPhish Default** page appears. The following sections are available, which contain identical settings for when you [modify a custom policy](#use-the-security--compliance-center-to-modify-anti-phishing-policies).
-
- - **Impersonation**
- - **Spoof**
- - **Advanced settings**
+3. The **Edit your policy Office365 AntiPhish Default** page appears. Only the **Spoof** section is available, which contains identical settings for when you [modify a custom policy](#use-the-security--compliance-center-to-modify-anti-phishing-policies).
The following settings aren't available when you modify the default policy:
The default anti-phishing policy is named Office365 AntiPhish Default, and it do
2. Notice the value in the **Status** column:
- - Slide the toggle to **Off** to disable the policy.
+ - Slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png) to disable the policy.
- - Slide the toggle to **On** to enable the policy.
+ - Slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png) to enable the policy.
You can't disable the default anti-phishing policy.
Custom anti-phishing policies are displayed in the order they're processed (the
To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Security & Compliance Center). Changing the priority of a policy only makes sense if you have multiple policies.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP anti-phishing**.
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
2. Select the policy that you want to modify. If it's already selected, deselect it and select it again.
Creating an anti-phishing policy in PowerShell is a two-step process:
To create an anti-phish policy, use this syntax: ```PowerShell
-New-AntiPhishPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-EnableSpoofIntelligence <$true | $false>] [-AuthenticationFailAction <MoveToJmf | Quarantine>] [-EnableUnauthenticatedSender <$true | $false>]
+New-AntiPhishPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-EnableSpoofIntelligence <$true | $false>] [-AuthenticationFailAction <MoveToJmf | Quarantine>] [-EnableUnauthenticatedSender <$true | $false>] [-EnableViaTag <$true | $false>]
``` This example creates an anti-phish policy named Research Quarantine with the following settings:
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
To increase the effectiveness of anti-phishing protection in Microsoft Defender
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **ATP anti-phishing** page, use <https://protection.office.com/antiphishing>.
+- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Anti-phishing** page, use <https://protection.office.com/antiphishing>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
Creating a custom anti-phishing policy in the Security & Compliance Center creat
When you create an anti-phishing policy, you can only specify the policy name, description, and the recipient filter that identifies who the policy applies to. After you create the policy, you can modify the policy to change or review the default anti-phishing settings.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP anti-phishing**.
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
2. On the **Anti-phishing** page, click **Create**.
After you create the anti-phishing policy with these general settings, use the i
Use the following procedures to modify anti-phishing policies: a new policy that you created, or existing policies that you've already customized.
-1. If you're not already there, open the Security & Compliance Center, and go to **Threat management** \> **Policy** \> **ATP anti-phishing**.
+1. If you're not already there, open the Security & Compliance Center, and go to **Threat management** \> **Policy** \> **Anti-phishing**.
2. Select the custom anti-phishing policy that you want to modify. If it's already selected, deselect it and select it again.
Use the following procedures to modify anti-phishing policies: a new policy that
When you're finished, click **Save** on any page.
-5. **Impersonation**: Click **Edit** to modify the protected senders and protected domains in the policy. These settings are a condition for the policy that identifies spoofed senders to look for (individually or by domain) in the From address of inbound messages. For more information, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+5. **Impersonation**: Click **Edit** to modify the protected senders and protected sender domains in the policy. These settings are a condition for the policy that identifies specific senders to look for (individually or by domain) in the From address of inbound messages. For more information, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
- - **Add users to protect**: The default value is **Off**. To turn it on, slide the toggle to **On**, and then click the **Add user** button that appears.
+ - **Add users to protect**: The default value is **Off** ![Toggle Off](../../media/scc-toggle-off.png). To turn it on, slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png), and then click the **Add user** button that appears.
In the **Add user** flyout that appears, configure the following values:
Use the following procedures to modify anti-phishing policies: a new policy that
- **Add domains to protect**: Configure one or both of the following settings:
- - **Automatically include the domains I own**: The default value is **Off**. To turn it on, slide the toggle to **On**.
- - **Include custom domains**: The default value is **Off**. To turn it on, slide the toggle to **On**, and in the **Add domains** box, enter the domain name (for example, contoso.com), press ENTER, and repeat as necessary.
+ - **Automatically include the domains I own**: The default value is **Off** ![Toggle Off](../../media/scc-toggle-off.png). To turn it on, slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png).
+
+ To view the domains that you own, select **View domains I own**.
+
+ - **Include custom domains**: The default value is **Off** ![Toggle Off](../../media/scc-toggle-off.png). To turn it on, slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png), and in the **Add domains** box, enter the domain name (for example, contoso.com), press ENTER, and repeat as necessary.
> [!NOTE] > You can have a maximum of 50 domains in all anti-phishing policies. - **Actions**: Click **Edit**
- - **If email is sent by an impersonated user**: Configure one of the following actions for messages where the spoofed sender is one of the protected users you specified in **Add users to protect**:
+ - **If email is sent by an impersonated user**: Configure one of the following actions for messages where the sender is one of the protected users you specified in **Add users to protect**:
- **Don't apply any action** - **Redirect message to other email addresses**
- - **Move message to Junk Email folder**
+ - **Move message to the recipients' Junk Email folders**
- **Quarantine the message** - **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered**
- - **If email is sent by an impersonated domain**: Configure one of the following actions for messages where the spoofed sender is in one of the protected domains you specified in **Add domains to protect**:
+ - **If email is sent by an impersonated domain**: Configure one of the following actions for messages where the sender's domain is in one of the protected domains you specified in **Add domains to protect**:
- **Don't apply any action** - **Redirect message to other email addresses**
- - **Move message to Junk Email folder**
+ - **Move message to the recipients' Junk Email folders**
- **Quarantine the message** - **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered** - Click **turn on impersonation safety tips** and configure any of the following settings:
- - **Show tip for impersonated users**: The default value is **Off**. To turn it on, slide the toggle to **On**.
- - **Show tip for impersonated domains**: The default value is **Off**. To turn it on, slide the toggle to **On**.
- - **Show tip for unusual characters**: The default value is **Off**. To turn it on, slide the toggle to **On**.
+ - **Show tip for impersonated users**
+ - **Show tip for impersonated domains**
+ - **Show tip for unusual characters**
+
+ The default value for all tips is **Off** ![Toggle Off](../../media/scc-toggle-off.png). To turn any of them on, slide the toggle to **On** [Toggle On](../../media/scc-toggle-on.png).
When you're finished, click **Save**. - **Mailbox intelligence**:
- - **Enable mailbox intelligence?**: The default value is **On**. To turn it off, slide the toggle to **Off**.
+ - **Enable mailbox intelligence?**: The default value is **On** [Toggle On](../../media/scc-toggle-on.png). To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
- **Enable mailbox intelligence based impersonation protection?**: This setting is available only if **Enable mailbox intelligence?** is **On**. Turn on this setting to specify the action to take on messages for impersonation detections from mailbox intelligence results.
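Review bot: Two of the added toggle images are missing the leading `!`, so they render as links instead of inline images: `**On** [Toggle On](../../media/scc-toggle-on.png)` in the paragraph after the safety tip list, and the same text in **Enable mailbox intelligence?**. Change both to `![Toggle On](../../media/scc-toggle-on.png)`, matching the other toggle images added in this file.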
Use the following procedures to modify anti-phishing policies: a new policy that
- **Don't apply any action**: Note that this value has the same result as turning on **Enable mailbox intelligence?** but turning off **Enable mailbox intelligence based impersonation protection?**. - **Redirect message to other email addresses**
- - **Move message to Junk Email folder**
+ - **Move message to the recipients' Junk Email folders**
- **Quarantine the message** - **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered**
Use the following procedures to modify anti-phishing policies: a new policy that
When you're finished, click **Save** on any page.
-6. **Spoof**: Click **Edit** to turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and configure the action to apply to messages from blocked spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
+6. **Spoof**: Click **Edit** to turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and configure the action to apply to messages from blocked spoofed senders. For more information about these settings, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
Note that these same settings are also available in anti-phishing policies in EOP.
- - **Spoofing filter settings**: The default value is **On**, and we recommend that you leave it on. To turn it off, slide the toggle to **Off**. For more information, see [Configure spoof intelligence in EOP](learn-about-spoof-intelligence.md).
+ - **Spoofing filter settings**: Use the **Enable spoof intelligence?** setting to turn spoof intelligence on or off. The default value is **On**, and we recommend that you leave it on. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
> [!NOTE]
- > You don't need to disable anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
+ > You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
- - **Enable Unauthenticated Sender feature**: The default value is **On**. To turn it off, slide the toggle to **Off**.
+ - **Unauthenticated sender settings**: You can configure the following settings:
+ - **Enable unauthenticated sender question mark (?) symbol?**: Add a question mark to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication). The default value is **On**. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
+ - **Enable "via" tag?**: Add the via tag (chris@contoso.com via fabrikam.com) if the email address in the From box is different from the domain in the DKIM signature or the **MAIL FROM** address. The default value is **On**. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
- - **Actions**: Specify the action to take on messages that fail spoof intelligence:
+ - **Actions**: Specify the action to take on messages from blocked spoofed senders:
**If email is sent by someone who's not allowed to spoof your domain**:
Use the following procedures to modify anti-phishing policies: a new policy that
- You can click **Edit** in each section to jump back to the relevant page. - You can toggle the following settings **On** or **Off** directly on this page:
- - **Enable antispoofing protection**
- - **Enable Unauthenticated Sender feature**
+ - **Spoof filter settings**
+ - **Unauthenticated sender settings**
+ - **Actions**
When you're finished, click **Save** on any page.
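Review bot: The added list names **Spoof filter settings**, while step 6 in this file calls the same group **Spoofing filter settings**; align the two labels. The added **Actions** entry also sits under a lead-in about toggling settings **On** or **Off**, which does not fit a setting that step 6 describes as specifying an action, so the lead-in needs rewording if **Actions** stays.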
Use the following procedures to modify anti-phishing policies: a new policy that
The default anti-phishing policy in Microsoft Defender for Office 365 is named Office365 AntiPhish Default, and it doesn't appear in the list of policies. To modify the default anti-phishing policy, do the following steps:
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP anti-phishing**.
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
2. On the **Anti-phishing** page, click **Default policy**.
The default anti-phishing policy in Microsoft Defender for Office 365 is named O
### Enable or disable custom anti-phishing policies in Microsoft Defender for Office 365
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP anti-phishing**.
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
2. Notice the value in the **Status** column:
- - Slide the toggle to **Off** to disable the policy.
+ - Slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png) to disable the policy.
- - Slide the toggle to **On** to enable the policy.
+ - Slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png) to enable the policy.
You can't disable the default anti-phishing policy.
Custom anti-phishing policies are displayed in the order they're processed (the
To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Security & Compliance Center). Changing the priority of a policy only makes sense if you have multiple policies.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP anti-phishing**.
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
2. Select the policy that you want to modify. If it's already selected, deselect it and select it again.
To change the priority of a policy, you click **Increase priority** or **Decreas
## Use the Security & Compliance Center to view anti-phishing policies in Microsoft Defender for Office 365
-1. In the Security & Compliance Center, and go to **Threat management** \> **Policy** \> **ATP anti-phishing**.
+1. In the Security & Compliance Center, and go to **Threat management** \> **Policy** \> **Anti-phishing**.
2. Do one of the following steps:
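Review bot: The rewritten step 1 keeps the stray "and" from the old line: "In the Security & Compliance Center, and go to". Drop it so the step reads "In the Security & Compliance Center, go to", as the other renamed navigation steps in this file do.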
To change the priority of a policy, you click **Increase priority** or **Decreas
## Use the Security & Compliance Center to remove anti-phishing policies in Microsoft Defender for Office 365
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP anti-phishing**.
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
2. Select the policy that you want to remove. If it's already selected, deselect it and select it again.
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
To verify that you've successfully configured anti-phishing policies in Microsoft Defender for Office 365, do any of the following steps: -- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details do either of the following steps:
+- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details do either of the following steps:
- Select the policy from the list, and view the details in the flyout. - Click **Default policy** and view the details in the flyout.
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
Mail flow rules allow the most flexibility to ensure that only the right message
> > - While you can use safe sender lists to help with false positives (good email marked as bad), you should consider the use of safe sender lists as a temporary solution that should be avoided if possible. We don't recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks. If you insist on using safe sender lists to manage false positives, you need to be vigilant and keep the topic [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md) at the ready. >
-> - To allow a domain to send unauthenticated email (bypass anti-spoofing protection) but not bypass anti-spam and anti-malware checks, you can add it to the [AllowedToSpoof safe sender list](walkthrough-spoof-intelligence-insight.md)
+> - To allow a domain to send unauthenticated email (bypass anti-spoofing protection) but not bypass anti-spam and anti-malware checks, you can use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md).
> > - EOP and Outlook inspect different message properties to determine the sender of the message. For more information, see the [Considerations for bulk email](#considerations-for-bulk-email) section later in this article.
To prevent this message from being filtered, you can take the following steps:
- [Use a mail flow rule](#recommended-use-mail-flow-rules) with a condition that looks for messages from blueyonder@news.blueyonderairlines.com (the `5322.From` address, blueyonder.airlines@margiestravel.com (the `5321.MailFrom`), or both.
-For more information, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md).
+For more information, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md).
security Detect And Remediate Illicit Consent Grants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md
The script produces one file named Permissions.csv. Follow these steps to look f
## Determine the scope of the attack
-After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Security and Compliance Center](../../compliance/search-the-audit-log-in-security-and-compliance.md).
+After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Security & Compliance Center](../../compliance/search-the-audit-log-in-security-and-compliance.md).
> [!IMPORTANT] > [Mailbox auditing](../../compliance/enable-mailbox-auditing.md) and [Activity auditing for admins and users](../../compliance/turn-audit-log-search-on-or-off.md) must have been enabled prior to the attack for you to get this information.
security Email Validation And Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-validation-and-authentication.md
ms.prod: m365-security
Email authentication (also known as email validation) is a group of standards that tries to stop spoofing (email messages from forged senders). In all Microsoft 365 organizations, EOP uses these standards to verify inbound email: - [SPF](set-up-spf-in-office-365-to-help-prevent-spoofing.md)- - [DKIM](use-dkim-to-validate-outbound-email.md)- - [DMARC](use-dmarc-to-validate-email.md) Email authentication verifies that email messages from a sender (for example, laura@contoso.com) are legitimate and come from expected sources for that email domain (for example, contoso.com.)
Microsoft 365 keeps track of who is sending unauthenticated email to your organi
You can use this method to resolve intra-org spoofing and cross-domain spoofing in cases where you own or interact with multiple tenants. It also helps resolve cross-domain spoofing where you send to other customers within Microsoft 365 or third parties that are hosted by other providers. - [Configure SPF records](set-up-spf-in-office-365-to-help-prevent-spoofing.md) for your domains.- - [Configure DKIM records](use-dkim-to-validate-outbound-email.md) for your primary domains.- - [Consider setting up DMARC records](use-dmarc-to-validate-email.md) for your domain to determine your legitimate senders. Microsoft doesn't provide detailed implementation guidelines for SPF, DKIM, and DMARC records. However, there's many information available online. There are also third party companies dedicated to helping your organization set up email authentication records.
Microsoft 365 will treat inbound email from your corporate infrastructure as aut
Once you've gotten started with an SPF fallback policy of `?all`, you can gradually discover and include more email sources for your messages, and then update your SPF record with a stricter policy.
-### Use spoof intelligence to configure permitted senders of unauthenticated email
+### Configure permitted senders of unauthenticated email
-You can also use [spoof intelligence](learn-about-spoof-intelligence.md) to permit senders to transmit unauthenticated messages to your organization.
+You can also use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md) to permit senders to transmit unauthenticated messages to your organization.
For external domains, the spoofed user is the domain in the From address, while the sending infrastructure is either the source IP address (divided up into /24 CIDR ranges), or the organizational domain of the reverse DNS (PTR) record.
-In the screenshot below, the source IP might be 131.107.18.4 with the PTR record outbound.mail.protection.outlook.com. This would show up as outlook.com for the sending infrastructure.
-
-To permit this sender to send unauthenticated email, change the **No** to a **Yes**.
-
-![Setting up anti-spoofing allowed senders](../../media/d4334921-d820-4334-8217-788279701e94.jpg)
- ### Create an allow entry for the sender/recipient pair To bypass spam filtering, some parts of filtering for phishing, but not malware filtering for specific senders, see [Create safe sender lists in Microsoft 365](create-safe-sender-lists-in-office-365.md).
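Review bot: Removing the paragraph with the 131.107.18.4 / outbound.mail.protection.outlook.com example drops the only concrete illustration of how a PTR record collapses to its organizational domain (outlook.com) as the sending infrastructure, and removing "change the **No** to a **Yes**" leaves this section with no step for actually permitting the sender. Deleting the screenshot is reasonable, but consider keeping the example sentence without the "In the screenshot below" wording and adding one sentence that says where the allow is now made (the spoof intelligence insight or the Tenant Allow/Block List that the rewritten sentence links to).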
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
As a user, you can view, release, and delete quarantined messages where you are
## View your quarantined messages
-1. In the Security and Compliance Center, go to **Threat Management** \> **Review** \> **Quarantine**.
+1. In the Security & Compliance Center, go to **Threat Management** \> **Review** \> **Quarantine**.
2. You can sort the results by clicking on an available column header. Click **Modify columns** to show a maximum of seven columns. The default values are marked with an asterisk (<sup>\*</sup>):
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
There are two major factors that determine which policy is applied to a message:
|1|Malware|CAT:MALW|[Configure anti-malware policies in EOP](configure-anti-malware-policies.md)| |2|Phishing|CAT:PHSH|[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)| |3|High confidence spam|CAT:HSPM|[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)|
- |4|Spoofing|CAT:SPOOF|[Configure spoof intelligence in EOP](learn-about-spoof-intelligence.md)|
+ |4|Spoofing|CAT:SPOOF|[Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)|
|5<sup>\*</sup>|User impersonation (protected users)|UIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md)| |6<sup>\*</sup>|Domain impersonation (protected domains)|DIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md)| |7|Spam|CAT:SPM|[Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)|
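Review bot: In row 4 the link text changes from "Configure spoof intelligence in EOP" to "Spoof intelligence insight in EOP", which makes it the only one of the visible rows that points at a reporting view instead of the article where the protection is configured. The rewritten spoof intelligence article in this same update says spoof intelligence is enabled and disabled in anti-phishing policies, so consider linking this row to the anti-phishing policy configuration article (configure-anti-phishing-policies-eop.md) and mentioning the insight as a secondary reference.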
security Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/impersonation-insight.md
+
+ Title: Impersonation insight
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+ - MOE150
+ms.assetid:
+
+ - M365-security-compliance
+description: Admins can learn how the impersonation insight works. They can quickly determine which senders are legitimately sending email into their organizations from domains that don't pass email authentication checks (SPF, DKIM, or DMARC).
+
+ms.technology: mdo
++
+# Impersonation insight in Defender for Office 365
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+> [!NOTE]
+> The features described in this article are in Preview, are subject to change, and are not available in all organizations.
+
+Impersonation is where the sender of an email message looks very similar to a real or expected sender email address. Attackers often user impersonated sender email addresses in phishing or other types of attacks in an effort to gain the trust of the recipient. There are basically two types of impersonation:
+
+- **Domain impersonation**: Instead of lila@contoso.com, the impersonated sender's email address is lila@ćóntoso.com.
+- **User impersonation**: Instead of michelle@contoso.com, the impersonated sender's email address is rnichell@contoso.com.
+
+Domain impersonation is different from [domain spoofing](anti-spoofing-protection.md), because the impersonated domain is typically a real, registered domain. Messages from senders in the impersonated domain can and often do pass regular email authentication checks that would otherwise identify spoofing attempts (SPF, DKIM, and DMARC).
+
+Impersonation protection is part of the anti-phishing policy settings) that are exclusive to Microsoft Defender for Office 365. For more information about these settings, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+
+You can use the impersonation insight to quickly identify messages from impersonated senders or sender domains that you've configured for impersonation protection.
+
+## What do you need to know before you begin?
+
+- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the impersonation insight on the **Anti-phishing** page, use <https://protection.office.com/antiphishing>.
+
+- You need to be assigned permissions in the Security & Compliance Center before you can do the procedures in this article:
+ - **Organization Management**
+ - **Security Administrator**
+ - **Security Reader**
+ - **Global Reader**
+
+ For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+
+ **Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+
+- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection is not enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+
+## Open the impersonation insight in the Security & Compliance Center
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+
+2. On the main **Anti-phishing page**, the impersonation insight looks like this:
+
+ This insight has two modes:
+
+ - **Insight mode**: If impersonation protection is enabled and configured in any anti-phishing policies, the insight shows the number of detected messages from impersonated senders over the past seven days. This is the total of all detected impersonated senders from all anti-phishing policies.
+ - **What if mode**: If impersonation protection is not enabled and configured in any active anti-phishing policies, the insight shows you how many messages *would* have been detected by our impersonation protection capabilities over the past seven days.
+
+ Either way, **Domains impersonated** shows the number of messages from senders in protected domains, while **Users impersonated** shows the number of messages from protected users.
+
+## View information about messages from senders in impersonated domains
+
+On the impersonation insight, click **Domains impersonated**. The **Impersonation insight** page that opens contains the following information:
+
+- **Sender Domain**: The impersonating domain, which is the domain that was used to send the email message.
+- **Message count**: The number of messages from impersonating sender domain over the last 7 days.
+- **Impersonation type**: This value shows the detected location of the impersonation (for example, **Domain in address**).
+- **Impersonated domain(s)**: The impersonated domain, which should closely resemble the domain that's configured for impersonation protection in the anti-phishing policy.
+- **Domain type**: This value is **Company domain** for internal domains or **Custom domain** for custom domains.
+- **Policy**: The anti-phishing policy that detected the impersonated domain.
+- **Allowed to impersonate**: One of the following values:
+ - **Yes**: The domain was configured as trusted domain (an exception for impersonation protection) in the anti-spam policy. Messages from senders in the impersonated domain were detected, but allowed.
+ - **No**: The domain was configured for impersonation protection in the anti-spam policy. Messages from senders in the impersonated domain were detected and acted upon based on the action for impersonated domains in the anti-spam policy.
+
+You can click selected column headings to sort the results.
+
+To filter the results, you can use the **Filter domain** box to enter a comma-separated list of values to filter the results.
+
+### View details about messages from senders in impersonated domains
+
+On the **Impersonation insight** page, select one of the available rows. The details flyout that appears contains the following information and features:
+
+- **Selection impersonation policy to modify**: Select the affected anti-phishing policy that you want to modify. Only polices where the impersonated domain is defined in the policy are available. Refer to the previous page to see which policy was actually responsible for detecting the impersonated domain (likely based on the recipient and the priority of the policy).
+
+- **Add to the allowed to impersonation list**: Use this toggle to add or remove the sender from the **Trusted senders and domains** (impersonation exceptions) for the anti-phishing policy that you selected:
+ - If the **Allowed to impersonate** value for this entry was **No**, the toggle is off. To exempt all senders in this domain from evaluation by impersonation protection, slide the toggle to on: ![Toggle on](../../media/scc-toggle-on.png). The domain is added to the **Trusted domains** list in the impersonation protection settings of the anti-phishing policy.
+ - If the **Allowed to impersonate** value for this entry was **Yes**, the toggle is on. To return all senders in this domain to evaluation by impersonation protection, slide the toggle to off: ![Toggle off](../../media/scc-toggle-off.png). The domain is removed from the **Trusted domains** list in the impersonation protection settings of the anti-phishing policy.
+
+- Why we caught this.
+- What you need to do.
+- A domain summary that list the impersonated domain.
+- WhoIs data about the sender.
+- A link to open [Threat Explorer](threat-explorer.md) to see additional details about the sender.
+- Similar messages from the same sender that were delivered to your organization.
+
+## View information about messages from impersonated senders
+
+On the impersonation insight, click **Users impersonated**. The **Impersonation insight** page that opens contains the following information:
+
+- **Sender**: The email address of the impersonating sender that sent the email message.
+- **Message count**: The number of messages from the impersonating sender over the last 7 days.
+- **Impersonation type**: This value is **User in display name**.
+- **Impersonated user(s)**: The email address of the impersonated sender, which should closely resemble the user that's configured for impersonation protection in the anti-phishing policy.
+- **User type**: This value shows the type of protection applied (for example, **Protected user** or **Mailbox Intelligence**).
+- **Policy**: The anti-phishing policy that detected the impersonated sender.
+- **Allowed to impersonate**: One of the following values:
+ - **Yes**: The sender was configured as trusted user (an exception for impersonation protection) in the anti-spam policy. Messages from the impersonated sender were detected, but allowed.
+ - **No**: The sender was configured for impersonation protection in the anti-spam policy. Messages from the impersonated sender were detected and acted upon based on the action for impersonated users in the anti-spam policy.
+
+You can click selected column headings to sort the results.
+
+To filter the results, you can use the **Filter sender** box to enter a comma-separated list of values to filter the results.
+
+### View details about messages from impersonated senders
+
+On the **Impersonation insight** page, select one of the available rows. The details flyout that appears contains the following information and features:
+
+- **Selection impersonation policy to modify**: Select the affected anti-phishing policy that you want to modify. Only polices where the impersonated sender is defined in the policy are available. Refer to the previous page to see which policy was actually responsible for detecting the impersonated sender (likely based on the recipient and the priority of the policy).
+
+- **Add to the allowed to impersonation list**: Use this toggle to add or remove the sender from the **Trusted senders and domains** (impersonation exceptions) for the anti-phishing policy that you selected:
+ - If the **Allowed to impersonate** value for this entry was **No**, the toggle is off. To exempt the sender from evaluation by impersonation protection, slide the toggle to on: ![Toggle on](../../media/scc-toggle-on.png). The sender is added to the **Trusted users** list in the impersonation protection settings of the anti-phishing policy.
+ - If the **Allowed to impersonate** value for this entry was **Yes**, the toggle is on. To return the sender to evaluation by impersonation protection, slide the toggle to off: ![Toggle off](../../media/scc-toggle-off.png). The sender is removed from the **Trusted users** list in the impersonation protection settings of the anti-phishing policy.
+
+- Why we caught this.
+- What you need to do.
+- A sender summary that list the impersonated sender.
+- WhoIs data about the sender.
+- A link to open [Threat Explorer](threat-explorer.md) to see additional details about the sender.
+- Similar messages from the same sender that were delivered to your organization.
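Review bot: Under **Allowed to impersonate**, in both the domain list and the user list, the **Yes** and **No** descriptions say the trusted entry and the action come from "the anti-spam policy", but the rest of the article places impersonation protection, trusted domains and trusted users in the anti-phishing policy; change all four occurrences to "anti-phishing policy". Smaller points in the same file: "Attackers often user impersonated" should be "use"; the user impersonation example drops a letter (michelle@ versus rnichell@), which hides the intended m/rn swap, so use rnichelle@contoso.com; "anti-phishing policy settings)" has a stray closing parenthesis; step 2 says the insight "looks like this:" with no image after it; "Only polices" should be "policies" and "that list" should be "that lists" in both flyout sections; and in the domain flyout the toggle text says it adds or removes "the sender" although its sub-bullets add the domain to **Trusted domains**.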
security Learn About Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
Title: Configure spoof intelligence
+ Title: Spoof intelligence insight
f1.keywords: - NOCSH
- M365-security-compliance - seo-marvel-apr2020
-description: Admins can learn about spoof intelligence in Exchange Online Protection (EOP), where you can allow or block specific spoofed senders.
+description: Admins can learn about the spoof intelligence insight in Exchange Online Protection (EOP).
ms.technology: mdo ms.prod: m365-security
-# Configure spoof intelligence in EOP
+# Spoof intelligence insight in EOP
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spoofing by EOP as of October 2018. EOP uses spoof intelligence as part of your organization's overall defense against phishing. For more information, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
+> [!NOTE]
+> The features described in this article are in Preview, are subject to change, and are not available in all organizations. If your organization does not have the features described in this article, see the older spoof management experience at [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP](walkthrough-spoof-intelligence-insight.md).
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spoofing. EOP uses **spoof intelligence** as part of your organization's overall defense against phishing. For more information, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
When a sender spoofs an email address, they appear to be a user in one of your organization's domains, or a user in an external domain that sends email to your organization. Attackers who spoof senders to send spam or phishing email need to be blocked. But there are scenarios where legitimate senders are spoofing. For example: - Legitimate scenarios for spoofing internal domains:- - Third-party senders use your domain to send bulk mail to your own employees for company polls. - An external company generates and sends advertising or product updates on your behalf. - An assistant regularly needs to send email for another person within your organization. - An internal application sends email notifications. - Legitimate scenarios for spoofing external domains:- - The sender is on a mailing list (also known as a discussion list), and the mailing list relays email from the original sender to all the participants on the mailing list. - An external company sends email on behalf of another company (for example, an automated report or a software-as-a-service company).
-Spoof intelligence, and specifically the default (and only) spoof intelligence policy, helps ensure that the spoofed email sent by legitimate senders doesn't get caught up in EOP spam filters or external email systems, while protecting your users from spam or phishing attacks.
+You can use the **spoof intelligence insight** in the Security & Compliance Center to quickly identify spoofed senders who are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks), and manually allow those senders.
+
+By allowing known senders to send spoofed messages from known locations, you can reduce false positives (good email marked as bad). By monitoring the allowed spoofed senders, you provide an additional layer of security to prevent unsafe messages from arriving in your organization.
-You can manage spoof intelligence in the Security & Compliance Center, or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+Likewise, you can review spoofed senders that were allowed by spoof intelligence and manually block those senders from the spoof intelligence insight.
+
+The rest of this article explains how to use the spoof intelligence insight in the Security & Compliance Center and in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+
+> [!NOTE]
+>
+> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list.md).
+>
+> - The spoof intelligence insight and the **Spoof** tab in the Tenant Allow/Block list replace the functionality of the spoof intelligence policy that was available on the anti-spam policy page in the Security & Compliance Center.
+>
+>- The spoof intelligence insight shows 7 days worth of data. The **Get-SpoofIntelligenceInsight** cmdlet shows 30 days worth of data.
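Review bot: The third bullet of this note block starts with `>-` while the two bullets above it use `> -`, so it may not render as part of the same list; use `> -` for consistency. The same bullet says the insight shows 7 days of data and **Get-SpoofIntelligenceInsight** shows 30 days, so it would help to state explicitly that the portal and PowerShell counts will differ for that reason. "7 days worth" and "30 days worth" should be "7 days' worth" and "30 days' worth".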
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Anti-spam settings** page, use <https://protection.office.com/antispam>. To go directly to the **Anti-phishing** page, use <https://protection.office.com/antiphishing>.
+- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Anti-phishing** page, use <https://protection.office.com/antiphishing>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
You can manage spoof intelligence in the Security & Compliance Center, or in Pow
- Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md). - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature. -- For our recommended settings for spoof intelligence, see [EOP default anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-default-anti-phishing-policy-settings).-
-## Use the Security & Compliance Center to manage spoofed senders
+- You enable and disable spoof intelligence in anti-phishing policies in EOP and Microsoft Defender for Office 365. Spoof intelligence is enabled by default. For more information, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) or [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
-> [!NOTE]
-> If you have an Microsoft 365 Enterprise E5 subscription or have separately purchased a Microsoft Defender for Office 365 add-on, you can also manage senders who are spoofing your domain through the [Spoof Intelligence insight](walkthrough-spoof-intelligence-insight.md).
+- For our recommended settings for spoof intelligence, see [EOP default anti-phishing policy settings](recommended-settings-for-eop-and-office365-atp.md#eop-default-anti-phishing-policy-settings).
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+## Open the spoof intelligence insight in the Security & Compliance Center
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand **Spoof intelligence policy**.
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
- ![Select the spoof intelligence policy](../../media/anti-spam-settings-spoof-intelligence-policy.png)
+2. On the main **Anti-phishing page**, the spoof intelligence insight has two modes:
-3. Make one of the following selections:
+ - **Insight mode**: If spoof intelligence is enabled, the insight shows you how many messages were detected by spoof intelligence during the past seven days.
+ - **What if mode**: If spoof intelligence is disabled, then the insight shows you how many messages *would* have been detected by spoof intelligence during the past seven days.
- - **Review new senders**
- - **Show me senders I already reviewed**
+ Either way, the spoofed domains displayed in the insight are separated into two categories: **Suspicious domains** and **Non-suspicious domains**.
-4. In the **Decide if these senders are allowed to spoof your users** flyout that appears, select one of the following tabs:
+ - **Suspicious domains** include:
- - **Your Domains**: Senders spoofing users in your internal domains.
- - **External Domains**: Senders spoofing users in external domains.
+ - High-confidence spoof: Based on the historical sending patterns and the reputation score of the domains, we're highly confident that the domains are spoofing, and messages from these domains are more likely to be malicious.
-5. Click ![Expand icon](../../medi#spoof-settings).
+ - Moderate confidence spoof: Based on historical sending patterns and the reputation score of the domains, we're moderately confident that the domains are spoofing, and that messages sent from these domains are legitimate. False positives are more likely in this category than high-confidence spoof.
- ![Screenshot showing the spoofed senders flyout, and whether the sender is allowed to spoof](../../media/c0c062fd-f4a4-4d78-96f7-2c22009052bb.jpg)
+ **Non-suspicious domains**: The domain failed explicit email authentication checks [SPF](how-office-365-uses-spf-to-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md)). However, the domain passed our implicit email authentication checks ([composite authentication](email-validation-and-authentication.md#composite-authentication)). As a result, no anti-spoofing action was taken on the message.
- The columns and values that you see are explained in the following list:
+### View information about spoofed messages
- - **Spoofed user**: The user account that's being spoofed. This is the message sender in the From address (also known as the `5322.From` address) that's shown in email clients. The validity of this address is not checked by SPF.
+On the spoof intelligence insight, click **Suspicious domains** or **Non-suspicious domains** to go to the **Spoof intelligence insight** page. The page contains the following information:
- - On the **Your Domains** tab, the value contains a single email address, or if the source email server is spoofing multiple user accounts, it contains **More than one**.
+- **Spoofed domain**: The domain of the spoofed user that's displayed in the **From** box in email clients. This address is also known as the `5322.From` address.
+- **Infrastructure**: Also known as the _sending infrastructure_. This will be one of the following values:
+ - The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address.
+ - If the source IP address has no PTR record, then the sending infrastructure is identified as \<source IP\>/24 (for example, 192.168.100.100/24).
+- **Message count**: The number of messages from the combination of the spoofed domain _and_ the sending infrastructure to your organization within the last 7 days.
+- **Last seen**: The last date when a message was received from the sending infrastructure that contains the spoofed domain.
+- **Spoof type**: One of the following values:
+ - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
+ - **External**: The spoofed sender is in an external domain.
+- **Allowed to spoof**: The value depends on whether you clicked **Suspicious domains** or **Non-suspicious domains** on the insight:
+ - **Suspicious domains**: The **Allowed to spoof** value is always **No**. Messages from the combination of the spoofed domain _and_ sending infrastructure are marked as bad by spoof intelligence. The action that's taken on the spoofed messages is controlled by the default anti-phishing policy or custom anti-phishing policies (the default value is **Move message to Junk Email folder**). For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+ - **Non-suspicious domains**: The **Allowed to spoof** value is always **Yes**. Messages from the combination of the spoofed domain _and_ sending infrastructure are marked as good by spoof intelligence.
- - On the **External Domains** tab, the value contains the domain of the spoofed user, not the full email address.
+You can click selected column headings to sort the results.
- - **Sending Infrastructure**: The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address. If the source IP address has no PTR record, then the sending infrastructure is identified as \<source IP\>/24 (for example, 192.168.100.100/24).
+To filter the results, you have the following options:
- For more information about message sources and message senders, see [An overview of email message standards](how-office-365-validates-the-from-address.md#an-overview-of-email-message-standards).
+- Use the **Filter spoofed domain** box to enter a comma-separated list of spoofed domain values to filter the results.
+- Use the **Filter infrastructure** box to enter a comma-separated list of infrastructure values to filter the results.
+- Click the **Filter** button to filter the results by **Spoof type**.
- - **# of messages**: The number of messages from the sending infrastructure to your organization that contain the specified spoofed sender or senders within the last 30 days.
+### View details about spoofed messages
- - **# of user complaints**: Complaints filed by your users against this sender within the last 30 days. Complaints are usually in the form of junk submissions to Microsoft.
+Select an item in the list to view details. A flyout appears with the following information and features:
- - **Authentication result**: One of the following values:
- - **Passed**: The sender passed sender email authentication checks (SPF or DKIM).
- - **Failed**: The sender failed EOP sender authentication checks.
- - **Unknown**: The result of these checks isn't known.
+- **Allowed to spoof**: Use this toggle to override the spoof intelligence verdict:
+ - If you originally selected **Suspicious domains** in the insight, **Allowed to spoof** is turned off. To turn it on, which moves the entry from the spoof intelligence insight to the Tenant Allow/Block List as an allow entry for spoof, slide the toggle to on: ![Toggle on](../../media/scc-toggle-on.png).
+ - If you originally selected **Non-suspicious domains** in the insight, **Allowed to spoof** is turned on. To turn it off, which moves the entry from the spoof intelligence insight to the Tenant Allow/Block List as a block entry for spoof, slide the toggle to off: ![Toggle off](../../media/scc-toggle-off.png).
- - **Decision set by**: Shows who determined if the sending infrastructure is allowed to spoof the user:
- - **Spoof intelligence policy** (automatic)
- - **Admin** (manual)
+- Why we caught this.
+- What you need to do.
+- A domain summary that includes most of the same information from the main spoof intelligence page.
+- WhoIs data about the sender.
+- Similar messages we have seen in your tenant from the same sender.
- - **Last seen**: The last date when a message was received from the sending infrastructure that contains the spoofed user.
+### About allowed spoofed senders
- - **Allowed to spoof?**: The values that you see here are:
- - **Yes**: Messages from the combination of spoofed user and sending infrastructure are allowed and not treated as spoofed email.
- - **No**: Messages from the combination of spoofed user and sending infrastructure are marked as spoofed. The action is controlled by the default anti-phishing policy or custom anti-phishing policies (the default value is **Move message to Junk Email folder**). See the next section for more information.
+An allowed spoofed sender in **Non-suspicious domains** in the spoof intelligence insight or a blocked sender in **Suspicious domains** that you manually changed to **Allowed to spoof** only allows messages from the combination of the spoofed domain *and* the sending infrastructure. It does not allow email from the spoofed domain from any source, nor does it allow email from the sending infrastructure for any domain.
- - **Some users** (**Your Domains** tab only): A sending infrastructure is spoofing multiple users, where some spoofed users are allowed and others are not. Use the **Detailed** tab to see the specific addresses.
+For example, the following spoofed sender is allowed to spoof:
-6. At the bottom of the page, click **Save**.
+- **Domain**: gmail.com
+- **Infrastructure**: tms.mx.com
-## Use PowerShell to manage spoofed senders
+Only email from that domain/sending infrastructure pair will be allowed to spoof. Other senders attempting to spoof gmail.com aren't automatically allowed. Messages from senders in other domains that originate from tms.mx.com are still checked by spoof intelligence, and might be blocked.
-To view allowed and blocked senders in spoof intelligence, use the following syntax:
+## Use the spoof intelligence insight in Exchange Online PowerShell or standalone EOP PowerShell
-```powershell
-Get-PhishFilterPolicy [-AllowedToSpoof <Yes | No | Partial>] [-ConfidenceLevel <Low | High>] [-DecisionBy <Admin | SpoofProtection>] [-Detailed] [-SpoofType <Internal | External>]
-```
+In PowerShell, you use the **Get-SpoofIntelligenceInsight** cmdlet to **view** allowed and blocked spoofed senders that were detected by spoof intelligence. To manually allow or block the spoofed senders, you need to use the **New-TenantAllowBlockListSpoofItems** cmdlet. For more information, see [Use PowerShell to configure the Tenant Allow/Block List](tenant-allow-block-list.md#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-the-tenant-allowblock-list).
-This example returns detailed information about all senders that are allowed to spoof users in your domains.
+To view the information in the spoof intelligence insight, run the following command:
```powershell
-Get-PhishFilterPolicy -AllowedToSpoof Yes -Detailed -SpoofType Internal
+Get-SpoofIntelligenceInsight
```
-For detailed syntax and parameter information, see [Get-PhishFilterPolicy](/powershell/module/exchange/get-phishfilterpolicy).
-
-To configure allowed and blocked senders in spoof intelligence, follow these steps:
-
-1. Capture the current list of detected spoofed senders by writing the output of the **Get-PhishFilterPolicy** cmdlet to a CSV file:
-
- ```powershell
- Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"
- ```
-
-2. Edit the CSV file to add or modify the **SpoofedUser** (email address) and **AllowedToSpoof** (Yes or No) values. Save the file, read the file, and store the contents as a variable named `$UpdateSpoofedSenders`:
-
- ```powershell
- $UpdateSpoofedSenders = Get-Content -Raw "C:\My Documents\Spoofed Senders.csv"
- ```
-
-3. Use the `$UpdateSpoofedSenders` variable to configure the spoof intelligence policy:
-
- ```powershell
- Set-PhishFilterPolicy -Identity Default -SpoofAllowBlockList $UpdateSpoofedSenders
- ```
-
-For detailed syntax and parameter information, see [Set-PhishFilterPolicy](/powershell/module/exchange/set-phishfilterpolicy).
-
-## Use the Security & Compliance Center to configure spoof intelligence
-
-The configuration options for spoof intelligence are described in [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
-
-You can configure spoof intelligence settings in the default anti-phishing policy, and also in custom policies. For instructions based on your subscription, see one of the following topics:
--- [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).--- [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).-
-## How do you know these procedures worked?
-
-To verify that you've configured spoof intelligence with senders who are allowed and not allowed to spoof, and that you've configured the spoof intelligence settings, use any of the following steps:
--- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam** \> expand **Spoof intelligence policy** \> select **Show me senders I already reviewed** \> select the **Your Domains** or **External Domains** tab, and verify the **Allowed to spoof?** value for the sender.--- In PowerShell, run the following commands to view the senders who are allowed and not allowed to spoof:-
- ```powershell
- Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType Internal
- Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType Internal
- Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType External
- Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType External
- ```
--- In PowerShell, run the following command to export the list of all spoofed senders to a CSV file:-
- ```powershell
- Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"
- ```
--- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing** or **ATP anti-phishing**, and do either of the following steps:-
- - Select a policy from the list. In the flyout that appears, verify the values in the **Spoof** section.
- - Click **Default policy**. In the flyout that appears, verify the values in the **Spoof** section.
--- In Exchange Online PowerShell, replace \<Name\> with Office365 AntiPhish Default or the name of a custom policy, and run the following command to verify the settings:-
- ```PowerShell
- Get-AntiPhishPolicy -Identity "<Name>" | Format-List EnableSpoofIntelligence,EnableUnauthenticatedSender,AuthenticationFailAction
- ```
+For detailed syntax and parameter information, see [Get-SpoofIntelligenceInsight](/powershell/module/exchange/get-spoofintelligenceinsight).
## Other ways to manage spoofing and phishing
-Be diligent about spoofing and phishing protection. Here are related ways to check on senders spoofing your domain and help prevent them from damaging your organization:
+Be diligent about spoofing and phishing protection. Here are related ways to check on senders who are spoofing your domain and help prevent them from damaging your organization:
- Check the **Spoof Mail Report**. You can use this report often to view and help manage spoofed senders. For information, see [Spoof Detections report](view-email-security-reports.md#spoof-detections-report).
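Review bot: The rewritten PowerShell section near the end of this hunk removes the whole "How do you know these procedures worked?" block, including the `Get-AntiPhishPolicy -Identity "<Name>" | Format-List EnableSpoofIntelligence,EnableUnauthenticatedSender,AuthenticationFailAction` check, and leaves only a bare `Get-SpoofIntelligenceInsight` that lists detections. The added text still says the action on suspicious domain/infrastructure pairs is controlled by the anti-phishing policy, so keep a short verification step or link to the article where that check now lives. Separately, the "About allowed spoofed senders" example names real third-party domains (gmail.com, tms.mx.com); placeholder domains such as contoso.com would avoid implying anything about those senders.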
Be diligent about spoofing and phishing protection. Here are related ways to che
- Review your DomainKeys Identified Mail (DKIM) configuration. You should use DKIM in addition to SPF and DMARC to help prevent attackers from sending messages that look like they are coming from your domain. DKIM lets you add a digital signature to email messages in the message header. For information, see [Use DKIM to validate outbound email sent from your custom domain in Office 365](use-dkim-to-validate-outbound-email.md). -- Review your Domain-based Message Authentication, Reporting, and Conformance (DMARC) configuration. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks. For information, see [Use DMARC to validate email in Office 365](use-dmarc-to-validate-email.md).
+- Review your Domain-based Message Authentication, Reporting, and Conformance (DMARC) configuration. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks. For information, see [Use DMARC to validate email in Office 365](use-dmarc-to-validate-email.md).
security Manage Quarantined Messages And Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files.md
You view and manage quarantined messages in the Security & Compliance Center or
### View quarantined email
-1. In the Security and Compliance Center, go to **Threat Management** \> **Review** \> **Quarantine**.
+1. In the Security & Compliance Center, go to **Threat Management** \> **Review** \> **Quarantine**.
2. Verify that **View quarantined** is set to the default value **email**.
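Review bot: Step 1 writes the navigation path as "Threat Management > Review > Quarantine" with a capital M, while the other navigation paths in this change set use "Threat management". Since the line is already being edited for the center name, align the capitalization here and in the matching step under "View quarantined files".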
In organizations with Defender for Office 365, admins can manage quarantined fil
### View quarantined files
-1. In the Security and Compliance Center, go to **Threat Management** \> **Review** \> **Quarantine**.
+1. In the Security & Compliance Center, go to **Threat Management** \> **Review** \> **Quarantine**.
2. Change **View quarantined** to the value **files**. You can sort on a field by clicking on an available column header.
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
Admins of Microsoft Defender for Office 365 (or MDO) E5, and MDO P1 and P2 have
## Reach the email entity page
-Either of the existing Office Security and Compliance center (protection.office.com) or new Microsoft 365 Security center (security.microsoft.com) will let you see and use the email entity page..
+Either of the existing Security & Compliance center (protection.office.com) or new Microsoft 365 Security center (security.microsoft.com) will let you see and use the email entity page..
|Center|URL|Navigation| ||||
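Review bot: The added sentence under "Reach the email entity page" still ends with a double period ("email entity page..") and writes "Security & Compliance center" with a lowercase "center", while the other files in this change set use "Security & Compliance Center". Fix both while the line is being touched; "Both the existing ... and the new ... let you see and use the email entity page." would also read better than "Either of the existing ... or new ... will let you".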
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
This guidance shows you how to implement a set of policies to protect access to
### Windows 10 and Microsoft 365 Apps for enterprise
-Windows 10 with Microsoft 365 Apps for enterprise is the recommended client environment for PCs. We recommend Windows 10 because Azure is designed to provide the smoothest experience possible for both on-premises and Azure AD. Windows 10 also includes advanced security capabilities that can be managed through Intune. Microsoft 365 Apps for enterprise includes the latest versions of Office applications. These use modern authentication, which is more secure and a requirement for Conditional Access. These apps also include enhanced security and compliance tools.
+Windows 10 with Microsoft 365 Apps for enterprise is the recommended client environment for PCs. We recommend Windows 10 because Azure is designed to provide the smoothest experience possible for both on-premises and Azure AD. Windows 10 also includes advanced security capabilities that can be managed through Intune. Microsoft 365 Apps for enterprise includes the latest versions of Office applications. These use modern authentication, which is more secure and a requirement for Conditional Access. These apps also include enhanced compliance and security tools.
## Applying these capabilities across the three tiers of protection
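Review bot: The only change in the Windows 10 paragraph is the swap from "enhanced security and compliance tools" to "enhanced compliance and security tools", which looks like fallout from a bulk rename rather than an intended edit. The phrase here is descriptive, not a product or portal name, so consider reverting it to keep no-op churn out of the history.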
security Monitor For Leaks Of Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data.md
The security center and compliance center provide two ways to monitor and report
- Search the audit log directly: Search for all events in a specified date rage. Or you can filter the results based on specific criteria, such as the user who performed the action, the action, or the target object.
-Information security and compliance teams can use these tools to proactively review activities performed by both end users and administrators across services. Automatic alerts can be configured to send email notifications when certain activities occur on specific site collections - for example when content is shared from sites known to contain GDPR-related information. This allows those teams to follow up with users to ensure that corporate security policies are followed, or to provide additional training.
+Information compliance and security teams can use these tools to proactively review activities performed by both end users and administrators across services. Automatic alerts can be configured to send email notifications when certain activities occur on specific site collections - for example when content is shared from sites known to contain GDPR-related information. This allows those teams to follow up with users to ensure that corporate security policies are followed, or to provide additional training.
Information security teams can also search the audit log to investigate suspected data breaches and determine both root cause and the extent of the breach. This built-in capability facilitates compliance with article 33 and 34 of the GDPR, which require notifications be provided to the GDPR supervisory authority and to the data subjects themselves of a data breach within a specific time period. Audit log entries are only retained for 90 days within the service - it is often recommended and many organizations required that these logs be retained for longer periods of time.
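Review bot: Changing "Information security and compliance teams" to "Information compliance and security teams" splits the term "information security", and the next paragraph still begins "Information security teams", so the two paragraphs now name the audience differently. Revert the swap or write "Information security teams and compliance teams". The unchanged bullet above also has "date rage" for "date range", which is worth fixing in the same pass.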
Solutions are available that subscribe to the Unified Audit Logs through the Mic
More information about alert policies and searching the audit log: -- [Alert policies in the Microsoft 365 security and compliance centers](../../compliance/alert-policies.md)
+- [Alert policies in Microsoft 365](../../compliance/alert-policies.md)
- [Search the audit log for user and admin activity in Office 365](../../compliance/search-the-audit-log-in-security-and-compliance.md) (introduction)
security Outbound Spam Controls https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-controls.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, we take managing outbound spam seriously. One customer who intentionally or unintentionally sends spam from their organization can degrade the reputation of the whole service, and can affect email delivery for other customers.
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, we take managing outbound spam seriously. Even if one customer intentionally or unintentionally sends spam from their organization, that action can degrade the reputation of the whole service and can affect email delivery for other customers.
-This topic describes the controls and notifications that are designed to help prevent outbound spam, and what you can do if you need to send mass mailings.
+This article describes the controls and notifications that are designed to help prevent outbound spam, and what you can do if you need to send mass mailings.
## What admins can do to control outbound spam -- **Use built-in notifications**: When a user exceeds sending limits of [the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or [outbound spam policies](configure-the-outbound-spam-policy.md) and is restricted from sending email, the default alert policy named **User restricted from sending email** sends email notifications to members of the **TenantAdmins** (**Global admins**) group. To configure who else receives these notifications, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). Also, the default alert policies named **Email sending limit exceeded** and **Suspicious email sending patterns detected** send email notifications to members of the **TenantAdmins** (**Global admins**) group. For more information about alert policies, see [Alert policies in the security and compliance center](../../compliance/alert-policies.md).
+- **Use built-in notifications**: When a user exceeds sending limits of [the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or [outbound spam policies](configure-the-outbound-spam-policy.md) and is restricted from sending email, the default alert policy named **User restricted from sending email** sends email notifications to members of the **TenantAdmins** (**Global admins**) group. To configure who else receives these notifications, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). Also, the default alert policies named **Email sending limit exceeded** and **Suspicious email sending patterns detected** send email notifications to members of the **TenantAdmins** (**Global admins**) group. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
-- **Review spam complaints from third party email providers**: Many email services like Outlook.com, Yahoo and AOL provide a feedback loop where if any user in their service marks an email from Microsoft 365 as spam, the message is packaged up and sent back to us for review. To learn more about sender support for Outlook.com, go to <https://sendersupport.olc.protection.outlook.com/pm/services.aspx>.
+- **Review spam complaints from third-party email providers**: Many email services like Outlook.com, Yahoo, and AOL provide a feedback loop where if any user in their service marks an email from Microsoft 365 as spam, the message is packaged up and sent back to us for review. To learn more about sender support for Outlook.com, go to <https://sendersupport.olc.protection.outlook.com/pm/services.aspx>.
## How EOP controls outbound spam - **Segregation of outbound email traffic**: Every outbound message that's sent through the service is scanned for spam. If the message is determined to be spam, it's delivered from a secondary, less reputable IP address pool named the _high-risk delivery pool_. For more information, see [High-risk delivery pool for outbound messages](high-risk-delivery-pool-for-outbound-messages.md). -- **Monitoring our source IP address reputation**: Microsoft 365 queries various third party IP block lists. An alert is generated if any of the IP addresses that we use for outbound email appear on these lists. This allows us to react quickly when spam has caused our reputation to degrade. When an alert is generated, we have internal documentation that outlines how to get our IP addresses remove (delisted) from block lists.
+- **Monitoring our source IP address reputation**: Microsoft 365 queries various third-party IP block lists. An alert is generated if any of the IP addresses that we use for outbound email appear on these lists. This monitoring allows us to react quickly when spam has caused our reputation to degrade. When an alert is generated, we have internal documentation that outlines how to get our IP addresses remove (delisted) from block lists.
- **Disable accounts that send too much spam**<sup>\*</sup>: Even though we segregate outbound spam into the high-risk delivery pool, we can't allow an account (often, a compromised account) to send spam indefinitely. We monitor accounts that are sending spam, and when they exceed an undisclosed limit, the account is blocked from sending email. There are different thresholds for individual users and the entire tenant.
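Review bot: In the "Monitoring our source IP address reputation" bullet, the added line carries over "how to get our IP addresses remove (delisted) from block lists"; it should read "removed". In the intro paragraph, "Even if one customer intentionally or unintentionally sends spam ..., that action can degrade" shifts the emphasis of the old sentence, whose point was that a single customer is enough; "Even one customer who intentionally or unintentionally sends spam can degrade ..." keeps that meaning.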
This topic describes the controls and notifications that are designed to help pr
## Recommendations for customers who want to send mass mailings through EOP
-It's difficult to strike a balance between customers who want to send a large volume of email vs. protecting the service from compromised accounts and bulk email senders with poor recipient acquisition practices. The cost of a Microsoft 365 email source landing on a third party IP block list is greater than blocking a user who's sending too much email.
+It's difficult to strike a balance between customers who want to send a large volume of email vs. protecting the service from compromised accounts and bulk email senders with poor recipient acquisition practices. The cost of a Microsoft 365 email source landing on a third-party IP block list is greater than blocking a user who's sending too much email.
As described in the [Exchange Online Service Description](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits), using EOP to send bulk email is not a supported use of the service, and is only permitted on a "best-effort" basis. For customers who do want to send bulk email, we recommend the following solutions: -- **Send bulk email through on-premises email servers**: This means that customers will need to maintain their own email infrastructure for mass mailings.
+- **Send bulk email through on-premises email servers**: Customers maintain their own email infrastructure for mass mailings.
-- **Use a third party bulk email provider**: There are several third party bulk email solution providers that you can use to send mass mailings. These companies have a vested interest in working with customers to ensure good email sending practices.
+- **Use a third-party bulk email provider**: There are several third-party bulk email solution providers that you can use to send mass mailings. These companies have a vested interest in working with customers to ensure good email sending practices.
-The Messaging, Mobile, Malware Anti-Abuse Working Group (MAAWG) publishes its membership roster at <https://www.maawg.org/about/roster>. Several bulk email providers are on the list, and are known to be responsible internet citizens.
+The Messaging, Mobile, Malware Anti-Abuse Working Group (MAAWG) publishes its membership roster at <https://www.maawg.org/about/roster>. Several bulk email providers are on the list, and are known to be responsible internet citizens.
security Permissions Microsoft 365 Compliance Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-microsoft-365-compliance-security.md
Title: Permissions in the Microsoft 365 security and compliance centers
+ Title: Permissions in the Microsoft 365 compliance center and security center
f1.keywords: - NOCSH
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Your organization needs to manage security and compliance scenarios that span all the Microsoft 365 services. And you need the flexibility to give the right admin permissions to the right people in your organization's IT group. By using the Microsoft 365 security center or Microsoft 365 compliance center, you can manage permissions centrally for all tasks related to security or compliance.
+Your organization needs to manage compliance and security scenarios that span all the Microsoft 365 services. And you need the flexibility to give the right admin permissions to the right people in your organization's IT group. By using the Microsoft 365 security center or Microsoft 365 compliance center, you can manage permissions centrally for all tasks related to security or compliance.
After a global administrator adds users to these admin roles, these admin will have access to features and data that span all services in Microsoft 365, such as the Microsoft 365 security center, Microsoft 365 compliance center, Azure, Office 365, and Enterprise Mobility + Security.
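Review bot: The intro now opens with "compliance and security scenarios" but the same paragraph still ends with "all tasks related to security or compliance", and the new title "compliance center and security center" sits beside body text that says "Microsoft 365 security center or Microsoft 365 compliance center". Pick one order and apply it throughout the article. The unchanged next paragraph also reads "these admin will have access" and should be "these admins".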
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
To learn more about anti-malware policy options, see [Configure anti-malware pol
The following procedure describes how to configure an anti-phishing policy in Microsoft Defender for Office 365. The steps are similar for configuring an anti-phishing policy in EOP.
-1. In the [Security & Compliance Center](https://protection.office.com), choose **Threat management** \> **Policy** \> **ATP anti-phishing**.
+1. In the [Security & Compliance Center](https://protection.office.com), choose **Threat management** \> **Policy** \> **Anti-phishing**.
2. Click **Default policy**.
security Protection Stack Microsoft Defender For Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md
Features in sender intelligence are critical for catching spam, bulk, impersonat
- **DMARC** lets admins mark SPF and DKIM as required in their domain and enforces alignment between the results of these two technologies. - **ARC** is not customer configured, but builds on DMARC to work with forwarding in mailing lists, while recording an authentication chain.
-3. **Spoof intelligence** is capable of filtering those allowed to 'spoof' (that is, those sending mail on behalf of another account, or forwarding for a mailing list) from malicious spoofers imitating an organizational, or known external, domain. It separates legitimate 'on behalf of' mail from senders spoofing to deliver spam and phishing messages.
+3. **Spoof intelligence** is capable of filtering those allowed to 'spoof' (that is, those sending mail on behalf of another account, or forwarding for a mailing list) from malicious senders who imitate organizational or known external domains. It separates legitimate 'on behalf of' mail from senders who spoof to deliver spam and phishing messages.
**Intra-org spoof intelligence** detects and blocks spoof attempts from a domain within the organization.
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To create and configure anti-spam policies, see [Configure anti-spam policies in
|Quarantine retention period <p> _QuarantineRetentionPeriod_|15 days|30 days|30 days|| |**Safety Tips** <p> _InlineSafetyTipsEnabled_|On <p> `$true`|On <p> `$true`|On <p> `$true`|| |Allowed Senders <p> _AllowedSenders_|None|None|None||
-|Allowed Sender Domains <p> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <p> Use [spoof intelligence](learn-about-spoof-intelligence.md) in the Security & Compliance Center on the **Anti-spam settings** page to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|
+|Allowed Sender Domains <p> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <p> Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md) in the Security & Compliance Center to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|
|Blocked Senders <p> _BlockedSenders_|None|None|None|| |Blocked Sender Domains <p> _BlockedSenderDomains_|None|None|None|| |**Enable end-user spam notifications** <p> _EnableEndUserSpamNotifications_|Disabled <p> `$false`|Enabled <p> `$true`|Enabled <p> `$true`||
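Review bot: In the Allowed Sender Domains row, the new comment says to use both the spoof intelligence insight and the Tenant Allow/Block List "to review all senders who are spoofing", but the spoof intelligence article in this same change set describes the insight as the place to view detections and the Tenant Allow/Block List as where allow and block entries for spoof are created. Word the cell so each link matches its role, for example: review spoofed senders in the spoof intelligence insight, and manage allow or block entries in the Tenant Allow/Block List.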
For more information about these settings, see [Spoof settings](set-up-anti-phis
||::|::|::|| |**Enable anti-spoofing protection** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`|| |**Enable Unauthenticated Sender** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).|
-|**If email is sent by someone who's not allowed to spoof your domain** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to blocked senders in [spoof intelligence](learn-about-spoof-intelligence.md).|
+|**If email is sent by someone who's not allowed to spoof your domain** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
| ## Microsoft Defender for Office 365 security
Note that these are the same settings that are available in [anti-spam policy se
|||||| |**Enable anti-spoofing protection** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`|| |**Enable Unauthenticated Sender** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).|
-|**If email is sent by someone who's not allowed to spoof your domain** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to blocked senders in [spoof intelligence](learn-about-spoof-intelligence.md).|
+|**If email is sent by someone who's not allowed to spoof your domain** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
| #### Advanced settings in anti-phishing policies in Microsoft Defender for Office 365
security Remediate Malicious Email Delivered Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365.md
ms.prod: m365-security
Remediation means taking a prescribed action against a threat. Malicious email sent to your organization can be cleaned up either by the system, through zero-hour auto purge (ZAP), or by security teams through remediation actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete*. Microsoft Defender for Office 365 P2/E5 enables security teams to remediate threats in email and collaboration functionality through manual and automated investigation. > [!NOTE]
-> To remediate malicious email, security teams need the *search and purge* role assigned to them. Role assignment is done through permissions in the security and compliance center.
+> To remediate malicious email, security teams need the *search and purge* role assigned to them. Role assignment is done through [permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
## What you need to know before you begin
security Removing User From Restricted Users Portal After Spam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md
Admins can remove users from the Restricted Senders portal in the Security & Com
## Verify the alert settings for restricted users
-The default alert policy named **User restricted from sending email** will automatically notify admins when users are blocked from sending outbound mail. You can verify these settings and add additional users to notify. For more information about alert policies, see [Alert policies in the security and compliance center](../../compliance/alert-policies.md).
+The default alert policy named **User restricted from sending email** will automatically notify admins when users are blocked from sending outbound mail. You can verify these settings and add additional users to notify. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
> [!IMPORTANT] > For alerts to work, audit log search must to be turned on. For more information, see [Turn the audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
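Review bot: the IMPORTANT note directly under the edited paragraph reads "audit log search must to be turned on", and since this change already touches the alert-policy paragraph above it, the stray "to" should be fixed in the same pass ("must be turned on"). The link retitle to "Alert policies in Microsoft 365" itself looks fine.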
security Reports And Insights In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance.md
If you are part of your organization's Microsoft for 365 for business security t
## Smart reports and insights overview
-Monitoring capabilities available in the Security & Compliance Center include smart reports and insights that enable your security and compliance administrators to focus on high-priority issues, such as security attacks or increased suspicious activity. In a dashboard, smart reports and insights resemble the following image:
+Monitoring capabilities available in the Security & Compliance Center include smart reports and insights that enable your compliance and security admins to focus on high-priority issues, such as security attacks or increased suspicious activity. In a dashboard, smart reports and insights resemble the following image:
![The Reports dashboard in the Security & Compliance Center](../../media/2a668c3d-3fa3-4e37-8149-46989b33ae8c.png)
In addition to highlighting problem areas, smart reports and insights include re
A wide variety of reports are available in the Security & Compliance Center. (Go to **Reports** \> **Dashboard** to get an all-up view.) The following table lists available reports with links to learn more:
+<br>
+ ****
-|Type of information|How to get there|Where to go to learn more|
+|Type of information|How to get there|Where to go to learn more|
|||| |**Security & Compliance Center reports** (all up) <p> Top insights and recommendations, and links to Security & Compliance reports, including data loss prevention reports, labels, email security reports, Defender for Office 365 reports, and more|In the Security & Compliance Center, go to **Reports** \> **Dashboard**|[Monitor and view reports in the Microsoft 365 security center](../defender/overview-security-center.md)| |**Data loss prevention** <p> Data loss prevention policy matches, false positives and overrides, and links to create or edit policies|In the Security & Compliance Center, go to **Data loss prevention** \> **Policy**|[View the reports for data loss prevention](../../compliance/view-the-dlp-reports.md)|
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
Spoofing is when the From address in an email message (the sender address that's
The following spoof settings are available in anti-phishing policies in EOP and Microsoft Defender for Office 365: -- **Anti-spoofing protection**: Enables or disables anti-spoofing protection. We recommend that you leave it enabled. You use the **spoof intelligence policy** to allow or block specific spoofed internal and external senders. For more information, see [Configure spoof intelligence in Microsoft 365](learn-about-spoof-intelligence.md).
+- **Enable spoof intelligence?**: Turns spoof intelligence on or off. We recommend that you leave it turned on.
+
+ When spoof intelligence is enabled, the **spoof intelligence insight** shows spoofed senders that were automatically detected and allowed or blocked by spoof intelligence. You can manually override the spoof intelligence verdict to allow or block the detected spoofed senders from within the insight. But when you do, the spoofed sender disappears from the spoof intelligence insight, and is now visible only on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders in the Tenant Allow/Block List. For more information, see the following topics:
+
+ - [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)
+ - [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list.md)
> [!NOTE] >
The following spoof settings are available in anti-phishing policies in EOP and
> > - Disabling anti-spoofing protection only disables implicit spoofing protection from [composite authentication](email-validation-and-authentication.md#composite-authentication) checks. If the sender fails explicit [DMARC](use-dmarc-to-validate-email.md) checks where the policy is set to quarantine or reject, the message is still quarantined or rejected.
- For messages from blocked spoofed senders, you can also specify the action to take on the messages:
+- **Unauthenticated sender settings**: See the information in the next section.
+
+- **Actions**: For messages from blocked spoofed senders (automatically blocked by spoof intelligence or manually blocked in the Tenant Allow/Block list), you can also specify the action to take on the messages:
- - **Move message to Junk Email folder**: This is the default value. The message is delivered to the mailbox and moved to the Junk Email folder. In Exchange Online, the message is moved to the Junk Email folder if the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).
+ - **Move messages to the recipients' Junk Email folders**: This is the default value. The message is delivered to the mailbox and moved to the Junk Email folder. In Exchange Online, the message is moved to the Junk Email folder if the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).
- **Quarantine the message**: Sends the message to quarantine instead of the intended recipients. For information about quarantine, see the following articles:
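Review bot: the added **Actions** bullet writes "Tenant Allow/Block list" with a lowercase "list", while the other added lines in this change use "Tenant Allow/Block List"; capitalize it so the feature name is consistent. The unchanged note above the bullet still says "Disabling anti-spoofing protection", although this change renames the setting to **Enable spoof intelligence?**, so a reader looking for the control named in the note will not find it; update that wording as well.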
The following spoof settings are available in anti-phishing policies in EOP and
- [Manage quarantined messages and files as an admin in Microsoft 365](manage-quarantined-messages-and-files.md) - [Find and release quarantined messages as a user in Microsoft 365](find-and-release-quarantined-messages-as-a-user.md) -- **Unauthenticated Sender**: See the information in the next section.-
-### Unauthenticated Sender
-
-Unauthenticated sender identification is part of the [Spoof settings](#spoof-settings) that are available in anti-phishing policies in EOP and Microsoft Defender for Office 365 as described in the previous section.
+### Unauthenticated sender
-The **Unauthenticated Sender** setting enables or disables unauthenticated sender identification in Outlook. Specifically:
+Unauthenticated sender settings are part of the [Spoof settings](#spoof-settings) that are available in anti-phishing policies in EOP and Microsoft Defender for Office 365 as described in the previous section.
-- A question mark (?) is added to the sender's photo if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication). Disabling unauthenticated sender identification prevents the question mark from being added to the sender's photo.
+- **Enable unauthenticated sender question mark (?) symbol?**: When this setting is turned on, a question mark is added to the sender's photo in the From box if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication). When this setting is turned off, the question mark isn't added to the sender's photo.
-- The via tag (chris@contoso.com <u>via</u> fabrikam.com) is added if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the **MAIL FROM** address. For more information about these addresses, see [An overview of email message standards](how-office-365-validates-the-from-address.md#an-overview-of-email-message-standards).
+- **Enable "via" tag?**<sup>\*</sup>: When this setting is turned on, the via tag (chris@contoso.com <u>via</u> fabrikam.com) is added in the From box if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the **MAIL FROM** address. For more information about these addresses, see [An overview of email message standards](how-office-365-validates-the-from-address.md#an-overview-of-email-message-standards).
- Disabling unauthenticated sender identification does not prevent the via tag from being added if the domain in the From address is different from the domain in the DKIM signature or the MAIL FROM address.
+> [!NOTE]
+> Currently, the **Enable "via" tag?** setting is not available in all organizations. If you don't have the **Enable "via" tag?** setting, the the question mark **and** the via tag are both controlled by the **Enable unauthenticated sender question mark (?) symbol?** setting in your organization.
To prevent the question mark or via tag from being added to messages from specific senders, you have the following options: -- Allow the sender to spoof in the spoof intelligence policy. This action will prevent the via tag from appearing in messages from the sender when unauthenticated sender identification is disabled. For instructions, see [Configure spoof intelligence in Microsoft 365](learn-about-spoof-intelligence.md).
+- Allow the spoofed sender in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually in the [Tenant Allow/Block List](tenant-allow-block-list.md). Allowing the spoofed sender will prevent the via tag from appearing in messages from the sender when unauthenticated sender identification is disabled.
- [Configure email authentication](email-validation-and-authentication.md#configure-email-authentication-for-domains-you-own) for the sender domain. - For the question mark in the sender's photo, SPF or DKIM are the most important.
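Review bot: the added NOTE contains a doubled word, "the the question mark **and** the via tag", which should read "the question mark **and** the via tag". In the same hunk, the rewritten allow-the-sender bullet still ends with "when unauthenticated sender identification is disabled", a term the new text otherwise replaces with the two named settings; say which setting has to be turned off (**Enable unauthenticated sender question mark (?) symbol?** or **Enable "via" tag?**), because the NOTE explains that the answer differs between organizations.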
An impersonated domain might otherwise be considered legitimate (registered doma
The following impersonation settings are only available in anti-phishing policies in Microsoft Defender for Office 365: -- **Users to protect**: Prevents the specified internal or external email addresses from being impersonated **as message senders**. For example, you receive an email message from the Vice President of your company asking you to send her some internal company information. Would you do it? Many people would send the reply without thinking.
+- **Add users to protect**: Prevents the specified internal or external email addresses from being impersonated **as message senders**. For example, you receive an email message from the Vice President of your company asking you to send her some internal company information. Would you do it? Many people would send the reply without thinking.
You can use protected users to add internal and external sender email addresses to protect from impersonation. This list of **senders** that are protected from user impersonation is different from the list of **recipients** that the policy applies to (all recipients for the default policy; specific recipients as configured in the **Applied to** setting in the [Policy settings](#policy-settings) section).
The following impersonation settings are only available in anti-phishing policie
When you add internal or external email addresses to the **Users to protect** list, messages from those **senders** are subject to impersonation protection checks. The message is checked for impersonation **if** the message is sent to a **recipient** that the policy applies to (all recipients for the default policy; **Applied to** recipients in custom policies). If impersonation is detected in the sender's email address, the impersonation protections actions for users are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.). -- **Domains to protect**: Prevents the specified domains from being impersonated **in the message sender's domain**. For example, all domains that you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)) or specific domains (domains you own or partner domains). This list of **sender domains** that are protected from impersonation is different from the list of **recipients** that the policy applies to (all recipients for the default policy; specific recipients as configured in the **Applied to** setting in the [Policy settings](#policy-settings) section).
+- **Add domains to protect**: Prevents the specified domains from being impersonated **in the message sender's domain**. For example, all domains that you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)) or specific domains (domains you own or partner domains). This list of **sender domains** that are protected from impersonation is different from the list of **recipients** that the policy applies to (all recipients for the default policy; specific recipients as configured in the **Applied to** setting in the [Policy settings](#policy-settings) section).
> [!NOTE] > The maximum number of protected domains that you can define in all anti-phishing policies is 50.
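Review bot: the unchanged paragraph at the top of this hunk still refers to the "**Users to protect** list", but the bullet that introduces it is renamed to **Add users to protect** by this change, and the same mismatch appears in the following paragraph, which keeps "**Domains to protect** list" after the bullet becomes **Add domains to protect**. Either describe the lists generically ("the list of protected users", "the list of protected domains") or use the new labels, so the names in the explanatory text match the setting names an admin sees.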
The following impersonation settings are only available in anti-phishing policie
When you add domains to the **Domains to protect** list, messages from **senders in those domains** are subject to impersonation protection checks. The message is checked for impersonation **if** the message is sent to a **recipient** that the policy applies to (all recipients for the default policy; **Applied to** recipients in custom policies). If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.). -- **Actions for protected users or domains**: Choose the action to take on inbound messages that contain impersonation attempts against the protected users and protected domains in the policy. You can specify different actions for impersonation of protected users vs. impersonation of protected domains:
+- **Actions**: Choose the action to take on inbound messages that contain impersonation attempts against the protected users and protected domains in the policy. You can specify different actions for impersonation of protected users vs. impersonation of protected domains:
- **Don't apply any action** - **Redirect message to other email addresses**: Sends the message to the specified recipients instead of the intended recipients.
- - **Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder. In Exchange Online, the message is moved to the Junk Email folder if the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).
-
- - **Quarantine the message**: Sends the message to quarantine instead of the intended recipients. For information about quarantine, see the following articles:
+ - **Move messages to the recipients' Junk Email folders**: The message is delivered to the mailbox and moved to the Junk Email folder. In Exchange Online, the message is moved to the Junk Email folder if the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).
+ - **Quarantine the message**: Sends the message to quarantine instead of the intended recipients. For information about quarantine, see the following articles:
- [Quarantine in Microsoft 365](quarantine-email-messages.md) - [Manage quarantined messages and files as an admin in Microsoft 365](manage-quarantined-messages-and-files.md) - [Find and release quarantined messages as a user in Microsoft 365](find-and-release-quarantined-messages-as-a-user.md)
The following impersonation settings are only available in anti-phishing policie
- **Delete the message before it's delivered**: Silently deletes the entire message, including all attachments. -- **Safety tips**: Enables or disables the following impersonation safety tips that will appear messages that fail impersonation checks:-
- - **Impersonated users**: The From address contains a protected user.
- - **Impersonated domains**: The From address contains a protected domain.
- - **Unusual characters**: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in a protected sender or domain.
+- **Turn on impersonation safety tips**: Turn on or turn off the following impersonation safety tips that will appear messages that fail impersonation checks:
+ - **Show tip for impersonated users**: The From address contains a protected user.
+ - **Show tip for impersonated domains**: The From address contains a protected domain.
+ - **Show tip for unusual characters**: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in a protected sender or domain.
> [!IMPORTANT] >
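Review bot: the added **Turn on impersonation safety tips** line carries over a missing preposition from the line it replaces: "safety tips that will appear messages that fail impersonation checks" should be "that will appear in messages that fail impersonation checks". The three renamed sub-items ("Show tip for ...") read fine.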
The following impersonation settings are only available in anti-phishing policie
- **Don't apply any action**: Note that this value has the same result as turning on **Mailbox intelligence** but turning off **Mailbox intelligence based impersonation protection**. - **Redirect message to other email addresses**
- - **Move message to Junk Email folder**
+ - **Move message to the recipients' Junk Email folders**
- **Quarantine the message** - **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered** -- **Trusted senders and domains**: Exceptions to the impersonation protection settings. Messages from the specified senders and sender domains are never classified as impersonation-based attacks by the policy. In other words, the action for protected senders, protected domains, or mailbox intelligence protection aren't applied to these trusted senders or sender domains. The maximum limit for these lists is approximately 1000 entries.
+- **Add trusted senders and domains**: Exceptions to the impersonation protection settings. Messages from the specified senders and sender domains are never classified as impersonation-based attacks by the policy. In other words, the action for protected senders, protected domains, or mailbox intelligence protection aren't applied to these trusted senders or sender domains. The maximum limit for these lists is approximately 1000 entries.
### Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365
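Review bot: the added mailbox intelligence action is labelled "**Move message to the recipients' Junk Email folders**" (singular "message"), while the two other action lists updated in this same file use "**Move messages to the recipients' Junk Email folders**". The recommended-settings tables changed alongside this file show the value as "Move message to the recipients' Junk Email folders", so pick the form that matches the UI and use it in all three places.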
security Set Up Spf In Office 365 To Help Prevent Spoofing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md
Title: Set up SPF to help prevent spoofing
+f1.keywords:
- CSH
audience: ITPro
localization_priority: Priority
+search.appverid:
- MET150 ms.assetid: 71373291-83d2-466f-86ea-fc61493743a6-+ - M365-security-compliance-+ - seo-marvel-apr2020 description: Learn how to update a Domain Name Service (DNS) record to use Sender Policy Framework (SPF) with your custom domain in Office 365. ms.technology: mdo
This article describes how to update a Domain Name Service (DNS) record so that
SPF helps *validate* outbound email sent from your custom domain (is coming from who it says it is). It's a first step in setting up the full recommended email authentication methods of SPF, [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md).
+- [Prerequisites](#prerequisites)
+- [Create or update your SPF TXT record](#create-or-update-your-spf-txt-record)
+ - [How to handle subdomains?](#how-to-handle-subdomains)
+- [What does SPF email authentication actually do?](#what-does-spf-email-authentication-actually-do)
+ - [Troubleshooting SPF](#troubleshooting-spf)
+- [More information about SPF](#more-information-about-spf)
+ ## Prerequisites > [!IMPORTANT]
A wildcard SPF record (`*.`) is required for every domain and subdomain to preve
Having trouble with your SPF TXT record? Read [Troubleshooting: Best practices for SPF in Office 365](how-office-365-uses-spf-to-prevent-spoofing.md#SPFTroubleshoot). - ## What does SPF email authentication actually do? SPF identifies which mail servers are allowed to send mail on your behalf. Basically, SPF, along with DKIM, DMARC, and other technologies supported by Office 365, help prevent spoofing and phishing. SPF is added as a TXT record that is used by DNS to identify which mail servers can send mail on behalf of your custom domain. Recipient mail systems refer to the SPF TXT record to determine whether a message from your custom domain comes from an authorized messaging server.
security Set Up Your Eop Service https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-your-eop-service.md
Before configuring your mail to flow to and from the EOP service, we recommend a
Create connectors in the Exchange admin center (EAC) that enable mail flow between EOP and your on-premises mail servers. For detailed instructions, see [Set up connectors to route mail between Microsoft 365 and your own email servers](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail).
-### How do you know this task worked?
+### How do you know this worked?
Check mail flow between the service and your environment. For more information, see [Test mail flow by validating your Microsoft 365 connectors](/exchange/mail-flow-best-practices/test-mail-flow).
At this point, you've verified service delivery for a properly configured Outbou
- If you want to run an outbound email test, you can send an email message from a user in your organization to a web-based email account and confirm that the message is received. > [!TIP]
-> When you've completed your setup, you don't have to perform extra steps to make EOP remove spam and malware. EOP removes spam and malware automatically. However, you can fine tune your settings based on your business requirements. For more information, see [Anti-spam and anti-malware protection in Office 365](anti-spam-and-anti-malware-protection.md) and [Configure spoof intelligence](learn-about-spoof-intelligence.md).
+> When you've completed your setup, you don't have to perform extra steps to make EOP remove spam and malware. EOP removes spam and malware automatically. However, you can fine tune your settings based on your business requirements. For more information, see [Anti-spam and anti-malware protection in EOP](anti-spam-and-anti-malware-protection.md) and [Anti-phishing protection in Microsoft 365](anti-phishing-protection.md).
> > Now that your service is running, we recommend reading [Best practices for configuring EOP](best-practices-for-configuring-eop.md), which describes recommended settings and considerations for after you set up EOP.
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) > [!NOTE]
-> You can't **configure** allowed items in the Tenant Allow/Block List at this time.
+>
+> The features described in this article are in Preview, are subject to change, and are not available in all organizations. If your organization does not have the spoof features as described in this article, see the older spoof management experience at [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP](walkthrough-spoof-intelligence-insight.md).
+>
+> You can't **configure** allowed URL or file items in the Tenant Allow/Block List at this time.
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).
-The Tenant Allow/Block List in the Security & Compliance Center gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow and at the time of user clicks. You can specify URLs or files to always block.
+The Tenant Allow/Block List in the Security & Compliance Center gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow and at the time of user clicks. You can specify the following types of overrides:
+
+- URLs to block.
+- Files to block.
+- Bulk mail sender domains to allow. For more information about bulk mail, the bulk confidence level (BCL), and bulk mail filtering by anti-spam policies, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md).
+- Spoofed senders to allow or block. If you override the allow or block verdict in the [spoof intelligence insight](learn-about-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence.
This article describes how to configure entries in the Tenant Allow/Block List in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
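Review bot: the added bulk mail bullet expands BCL as "bulk confidence level (BCL)" but links to an article titled "Bulk complaint level (BCL) in EOP", so the same abbreviation is given two different expansions in one sentence; use "bulk complaint level" to match the link target. Also, the new Preview note says the spoof features are not available in all organizations, while the bullet list below presents spoofed-sender overrides without that qualifier; a short "(where available)" on that bullet would keep admins in older tenants from looking for a **Spoof** tab they do not have.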
This article describes how to configure entries in the Tenant Allow/Block List i
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). -- You need to be assigned permissions in **Exchange Online** before you can do the procedures in this article:
- - To add and remove values from the Tenant Allow/Block List, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
- - For read-only access to the Tenant Allow/Block List, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+- You need to be assigned permissions in Exchange Online before you can do the procedures in this article:
+ - **URLs, files, and allow bulk senders**:
+ - To add and remove values from the Tenant Allow/Block List, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
+ - For read-only access to the Tenant Allow/Block List, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+ - **Spoofing**: One of the following combinations:
+ - **Organization Management**
+ - **Security Administrator** <u>and</u> **View-Only Configuration** or **View-Only Organization Management**.
For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo). > [!NOTE]
- >
+ >
> - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ >
> - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
-## Use the Security & Compliance Center to create URL entries in the Tenant Allow/Block List
-
-For details about the syntax for URL entries, see the [URL syntax for the Tenant Allow/Block List](#url-syntax-for-the-tenant-allowblock-list) section later in this article.
+## Use the Security & Compliance Center to create block URL entries in the Tenant Allow/Block List
1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
For details about the syntax for URL entries, see the [URL syntax for the Tenant
3. In the **Block URLs** flyout that appears, configure the following settings:
- - **Add URLs to block**: Enter one URL per line, up to a maximum of 20.
+ - **Add URLs to block**: Enter one URL per line, up to a maximum of 20. For details about the syntax for URL entries, see the [URL syntax for the Tenant Allow/Block List](#url-syntax-for-the-tenant-allowblock-list) section later in this article.
- **Never expire**: Do one of the following steps:
For details about the syntax for URL entries, see the [URL syntax for the Tenant
4. When you're finished, click **Add**.
-## Use the Security & Compliance Center to create file entries in the Tenant Allow/Block List
+## Use the Security & Compliance Center to create block file entries in the Tenant Allow/Block List
1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
-2. On the **Tenant Allow/Block List** page, select **Files** tab, and then click **Block**.
+2. On the **Tenant Allow/Block List** page, select the **Files** tab, and then click **Block**.
3. In the **Add files to block** flyout that appears, configure the following settings:
For details about the syntax for URL entries, see the [URL syntax for the Tenant
4. When you're finished, click **Add**.
-## Use the Security & Compliance Center to view entries in the Tenant Allow/Block List
+## Use the Security & Compliance Center to create allow bulk mail sender domain entries in the Tenant Allow/Block List
1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
-2. Select the **URLs** tab or the **Files** tab.
+2. On the **Tenant Allow/Block List** page, select the **Sender domains for BCL bypass** tab, and then click **Add**.
+
+3. In the **Add sender domain for BCL bypass** flyout that appears, configure the following settings:
+
+ - **Add sender domains for BCL bypass**: Enter one source domain of good bulk mail per line, up to a maximum of 20.
+
+ - **Never expire**: Do one of the following steps:
+
+ - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Expires on** box to specify the expiration date for the entries.
+
+ or
+
+ - Move the toggle to the right to configure the entries to never expire: ![Toggle on](../../media/scc-toggle-on.png).
+
+4. When you're finished, click **Add**.
-Click on the following column headings to sort in ascending or descending order:
+## Use the Security & Compliance Center to create allow or block spoofed sender entries in the Tenant Allow/Block List
-- **Value**: The URL or the file hash.-- **Last updated date**-- **Expiration date**-- **Note**
+**Notes**:
-Click **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click **Clear search** ![Clear search icon](../../media/b6512677-5e7b-42b0-a8a3-3be1d7fa23ee.gif).
+- Only the _combination_ of the spoofed user _and_ the sending infrastructure as defined in the domain pair is specifically allowed or blocked from spoofing.
+- When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight.
+- Entries for spoofed senders never expire.
-Click **Filter**. In the **Filter** flyout that appears, configure any of the following settings:
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
-- **Never expire**: Select off: ![Toggle off](../../media/scc-toggle-off.png) or on: ![Toggle on](../../media/scc-toggle-on.png).
+2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click **Add**.
-- **Last updated**: Select a start date (**From**), an end date (**To**) or both.
+3. In the **Add new domain pairs** flyout that appears, configure the following settings:
-- **Expiration date**: Select a start date (**From**), an end date (**To**) or both.
+ - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see the [Domain pair syntax for spoofed sender entries in the Tenant Allow/Block List](#domain-pair-syntax-for-spoofed-sender-entries-in-the-tenant-allowblock-list) section later in this article.
-When you're finished, click **Apply**.
+ - **Spoof type**: Select one of the following values:
+ - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
+ - **External**: The spoofed sender is in an external domain.
-To clear existing filters, click **Filter**, and in the **Filter** flyout that appears, click **Clear filters**.
+ - **Action**: Select **Allow** or **Block**.
-## Use the Security & Compliance Center to modify block entries in the Tenant Allow/Block List
+4. When you're finished, click **Add**.
-You can't modify the existing blocked URL or file values within an entry. To modify these values, you need to delete and recreate the entry.
+## Use the Security & Compliance Center to view entries in the Tenant Allow/Block List
1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
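Review bot: The new "Sender domains for BCL bypass" procedure never expands BCL or says what the bypass does to filtering, so an admin adding a domain here cannot tell from these steps which protection is being relaxed. Expand the abbreviation on first use and state the effect of an allow entry next to the **Add sender domains for BCL bypass** setting. In the spoofing procedure, the **Notes** list sits between the heading and step 1 as a bold paragraph; the `> [!NOTE]` callout used earlier in this article would match the rest of the page.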
-2. Select the **URLs** tab or the **Files** tab.
+2. Select the tab you want. The columns that are available depend on the tab you selected:
-3. Select the block entry that you want to modify, and then click **Edit** ![Edit icon](../../media/0cfcb590-dc51-4b4f-9276-bb2ce300d87e.png).
+ - **URLs**:
+ - **Value**: The URL.
+ - **Action**: The value **Block**.
+ - **Last updated date**
+ - **Expiration date**
+ - **Note**
-4. In the flyout that appears, configure the following settings:
+ - **Files**
+ - **Value**: The file hash.
+ - **Action**: The value **Block**.
+ - **Last updated date**
+ - **Expiration date**
+ - **Note**
- - **Never expire**: Do one of the following steps:
+ - **Sender domains for BCL bypass**
+ - **Value**: The bulk mail sender's domain.
+ - **Last updated date**
+ - **Expiration date**
- - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Expires on** box to specify the expiration date for the entry.
+ - **Spoofing**
+ - **Spoofed user**
+ - **Sending infrastructure**
+ - **Spoof type**: The value **Internal** or **External**.
+ - **Action**: The value **Block** or **Allow**.
- or
+ You can click on a column heading to sort in ascending or descending order.
+
+ You can click **Group** to group the results. The values that are available depend on the tab you selected:
+
+ - **URLs**: You can group the results by **Action**.
+ - **Files**: You can group the results by **Action**.
+ - **Sender domains for BCL bypass**: **Group** is not available on this tab.
+ - **Spoofing**: You can group the results by **Action** or **Spoof type**.
+
+ Click **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click **Clear search** ![Clear search icon](../../media/b6512677-5e7b-42b0-a8a3-3be1d7fa23ee.gif).
+
+ Click **Filter** to filter the results. The values that are available in **Filter** flyout that appears depend on the tab you selected:
+
+ - **URLs**
+ - **Action**
+ - **Never expire**
+ - **Last updated date**
+ - **Expiration date**
+
+ - **Files**
+ - **Action**
+ - **Never expire**
+ - **Last updated date**
+ - **Expiration date**
+
+ - **Sender domains for BCL bypass**
+ - **Never expire**
+ - **Last updated date**
+ - **Expiration date**
+
+ - **Spoofing**
+ - **Action**
+ - **Spoof type**
+
+ When you're finished, click **Apply**. To clear existing filters, click **Filter**, and in the **Filter** flyout that appears, click **Clear filters**.
+
+## Use the Security & Compliance Center to modify entries in the Tenant Allow/Block List
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
- - Move the toggle to the right to configure the entry to never expire: ![Toggle on](../../media/scc-toggle-on.png).
+2. Select the tab that contains the type of entry that you want to modify:
+ - **URLs**
+ - **Files**
+ - **Sender domains for BCL bypass**
+ - **Spoofing**
- - **Optional note**: Enter descriptive text for the entry.
+3. Select the entry that you want to modify, and then click **Edit** ![Edit icon](../../media/0cfcb590-dc51-4b4f-9276-bb2ce300d87e.png). The values that you are able to modify in the flyout that appears depend on the tab you selected in the previous step:
-5. When you're finished, click **Save**.
+ - **URLs**
+ - **Never expire** and/or expiration date.
+ - **Optional note**
-## Use the Security & Compliance Center to remove block entries from the Tenant Allow/Block List
+ - **Files**
+ - **Never expire** and/or expiration date.
+ - **Optional note**
+
+ - **Sender domains for BCL bypass**
+ - **Never expire** and/or expiration date.
+
+ - **Spoofing**
+ - **Action**: You can change the value to **Allow** or **Block**.
+
+4. When you're finished, click **Save**.
+
+## Use the Security & Compliance Center to remove entries from the Tenant Allow/Block List
1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
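Review bot: In the view section the tab names are formatted inconsistently: the first list writes `**URLs**:` with a trailing colon while **Files**, **Sender domains for BCL bypass** and **Spoofing** have none, so pick one form. "The values that are available in **Filter** flyout" is missing "the". In the **Spoofing** column list, **Spoofed user** and **Sending infrastructure** carry no description although every other tab describes its **Value** column; a short phrase or a link to the domain pair syntax section would help.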
-2. Select the **URLs** tab or the **Files** tab.
+2. Select the tab that contains the type of entry that you want to remove:
+ - **URLs**
+ - **Files**
+ - **Sender domains for BCL bypass**
+ - **Spoofing**
-3. Select the block entry that you want to remove, and then click **Delete** ![Delete icon](../../media/87565fbb-5147-4f22-9ed7-1c18ce664392.png).
+3. Select the entry that you want to remove, and then click **Delete** ![Delete icon](../../media/87565fbb-5147-4f22-9ed7-1c18ce664392.png).
4. In the warning dialog that appears, click **Delete**. ## Use Exchange Online PowerShell or standalone EOP PowerShell to configure the Tenant Allow/Block List
-### Use PowerShell to add block entries to the Tenant Allow/Block List
+### Use PowerShell to add block file or URL entries to the Tenant Allow/Block List
+
+To add block file or URL entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+New-TenantAllowBlockListItems -ListType <FileHash | Url> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
+```
-To add block entries in the Tenant Allow/Block List, use the following syntax:
+This example adds a block file entry for the specified files that never expires.
```powershell
-New-TenantAllowBlockListItems -ListType <Url | FileHash> -Block -Entries <String[]> [-ExpirationDate <DateTime>] [-NoExpiration] [-Notes <String>]
+New-TenantAllowBlockListItem -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
``` This example adds a block URL entry for contoso.com and all subdomains (for example, contoso.com, www.contoso.com, and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days.
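Review bot: The added FileHash example calls `New-TenantAllowBlockListItem` (singular), but the syntax line above it and the reference link name the cmdlet `New-TenantAllowBlockListItems`, so the example does not match the documented command. The new syntax line also writes `<-ExpirationDate Date | -NoExpiration>` in angle brackets, which reads as required, while the URL example that follows omits both and says the entry then expires after 30 days; mark the pair as optional, as the Set syntax does with `[<-ExpirationDate Date | -NoExpiration>]`, and mention the 30-day default beside the syntax. The two hash values in the example differ in length (63 and 64 characters), so check the first one.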
This example adds a block URL entry for contoso.com and all subdomains (for exam
New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com ```
-This example adds a block file entry for the specified files that never expires.
+For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
+
+### Use PowerShell to add allow bulk mail sender domain entries to the Tenant Allow/Block List
+
+To add allow bulk mail sender domain entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+New-TenantAllowBlockListItems -ListType BulkSender -Block:$false -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
+```
+
+This example adds an allowed bulk sender entry for the specified domain that never expires.
```powershell
+New-TenantAllowBlockListItem -ListType BulkSender -Block:$false -Entries contosodailydeals.com
New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration ``` For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
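Review bot: The added bulk sender example is introduced as an entry "that never expires" but passes neither `-NoExpiration` nor `-ExpirationDate`, and it calls `New-TenantAllowBlockListItem` (singular) where the syntax line uses `New-TenantAllowBlockListItems`. It was also inserted into the fence that still holds the old FileHash command, so the resulting block contains both commands and the FileHash example now appears twice in the article. Add `-NoExpiration`, fix the cmdlet name, and delete the leftover FileHash line from this section.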
-### Use PowerShell to view entries in the Tenant Allow/Block List
+### Use PowerShell to add allow or block spoofed sender entries to the Tenant Allow/Block List
-To view entries in the Tenant Allow/Block List, use the following syntax:
+To add spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
```powershell
-Get-TenantAllowBlockListItems -ListType <Url | FileHash> [-Entry <URLValue | FileHashValue>] [-Block] [-ExpirationDate <DateTime>] [-NoExpiration]
+New-TenantAllowBlockListSpoofItems -SpoofedUser <Domain | EmailAddress | *> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal> -Action <Allow | Block>
```
-This example returns all blocked URLs.
+For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
+
+### Use PowerShell to view block file or URL entries in the Tenant Allow/Block List
+
+To view block file or URL entries in the Tenant Allow/Block List, use the following syntax:
```powershell
-Get-TenantAllowBlockListItems -ListType Url -Block
+Get-TenantAllowBlockListItems -ListType <FileHash | URL> [-Entry <FileHashValue | URLValue>] [<-ExpirationDate Date | -NoExpiration>]
``` This example returns information for the specified file hash value.
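Review bot: The rewritten view syntax drops `[-Block]` from `Get-TenantAllowBlockListItems`, yet the "returns all blocked URLs" example later in this section still passes `-Block`; either restore the switch in the syntax line or remove it from the example. Separately, the new `New-TenantAllowBlockListSpoofItems` section gives only the syntax line; the other add sections each have an example, and one here showing a `-SpoofedUser` and `-SendingInfrastructure` pair would make the `<Domain | IPAddress/24>` form concrete.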
This example returns information for the specified file hash value.
Get-TenantAllowBlockListItems -ListType FileHash -Entry "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" ```
+This example returns all blocked URLs.
+
+```powershell
+Get-TenantAllowBlockListItems -ListType Url -Block
+```
+
+For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
+
+### Use PowerShell to view allow bulk mail sender domain entries in the Tenant Allow/Block List
+
+To view allow bulk mail sender domain entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Get-TenantAllowBlockListItems -ListType BulkSender [-Entry <BulkSenderDomainValue>] [<-ExpirationDate Date | -NoExpiration>]
+```
+
+This example returns all allowed bulk mail sender domains.
+
+```powershell
+Get-TenantAllowBlockListItems -ListType BulkSender
+```
+
+This example returns information for the specified bulk sender domain.
+
+```powershell
+Get-TenantAllowBlockListItems -ListType FileHash -Entry "contosodailydeals.com"
+```
+ For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
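Review bot: The example introduced as "returns information for the specified bulk sender domain" passes `-ListType FileHash` with `-Entry "contosodailydeals.com"`; it should be `-ListType BulkSender`, matching the syntax line at the top of the section. As written it queries the file hash list for a domain name.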
-### Use PowerShell to modify block entries in the Tenant Allow/Block List
+### Use PowerShell to view allow or block spoofed sender entries in the Tenant Allow/Block List
+
+To view spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Get-TenantAllowBlockListSpoofItems [-Action <Allow | Block>] [-SpoofType <External | Internal>
+```
+
+This example returns all spoofed sender entries in the Tenant Allow/Block List.
+
+```powershell
+Get-TenantAllowBlockListSpoofItems
+```
+
+This example returns all allow spoofed sender entries that are internal.
+
+```powershell
+Get-TenantAllowBlockListSpoofItems -Action Allow -SpoofType Internal
+```
+
+This example returns all blocked spoofed sender entries that are external.
+
+```powershell
+Get-TenantAllowBlockListSpoofItems -Action Block -SpoofType External
+```
-You can't modify the existing URL or file values within a block entry. To modify these values, you need to delete and recreate the entry.
+For detailed syntax and parameter information, see [Get-TenantAllowBlockListSpoofItems](/powershell/module/exchange/get-tenantallowblocklistspoofitems).
-To modify block entries in the Tenant Allow/Block List, use the following syntax:
+### Use PowerShell to modify block file and URL entries in the Tenant Allow/Block List
+
+To modify block file and URL entries in the Tenant Allow/Block List, use the following syntax:
```powershell
-Set-TenantAllowBlockListItems -ListType <Url | FileHash> -Ids <"Id1","Id2",..."IdN"> [-Block] [-ExpirationDate <DateTime>] [-NoExpiration] [-Notes <String>]
+Set-TenantAllowBlockListItems -ListType <FileHash | Url> -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
```
-This example changes the expiration date of the specified block entry.
+This example changes the expiration date of the specified block URL entry.
```powershell
-Set-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -ExpirationDate (Get-Date "5/30/2020 9:30 AM").ToUniversalTime()
+Set-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -ExpirationDate "5/30/2020"
``` For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
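Review bot: The `Get-TenantAllowBlockListSpoofItems` syntax line is missing its closing bracket: `[-SpoofType <External | Internal>` should end with `]`. In the modify URL example, `-ExpirationDate` changed from `(Get-Date "5/30/2020 9:30 AM").ToUniversalTime()` to `"5/30/2020"`, which leaves the time of day and the time zone unstated; say how a bare date is interpreted (UTC or local) or keep the explicit conversion.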
-### Use PowerShell to remove block entries from the Tenant Allow/Block List
+### Use PowerShell to modify allow bulk mail sender domain entries in the Tenant Allow/Block List
+
+To modify allow bulk mail sender domain entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Get-TenantAllowBlockListItems -ListType BulkSender -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
+```
+
+This example changes the expiration of the specified allow bulk mail sender domain entry to never expire.
-To remove block entries from the Tenant Allow/Block List, use the following syntax:
+```powershell
+Set-TenantAllowBlockListItems -ListType BulkSender -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -NoExpiration
+```
+
+For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
+
+### Use PowerShell to modify allow or block spoofed sender entries in the Tenant Allow/Block List
+
+To modify allow or block spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Set-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN"> -Action <Allow | Block>
+```
+
+This example changes spoofed sender entry from allow to block.
+
+```powershell
+Set-TenantAllowBlockListItems -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -Action Block
+```
+
+For detailed syntax and parameter information, see [Set-TenantAllowBlockListSpoofItems](/powershell/module/exchange/set-tenantallowblocklistspoofitems).
+
+### Use PowerShell to remove bulk mail sender domain, file, and domain entries from the Tenant Allow/Block List
+
+To remove allow bulk mail sender domain entries, block file entries, and block URL entries from the Tenant Allow/Block List, use the following syntax:
```powershell
-Remove-TenantAllowBlockListItems -ListType <Url | FileHash> -Ids <"Id1","Id2",..."IdN">
+Remove-TenantAllowBlockListItems -ListType <BulkSender | FileHash | Url> -Ids <"Id1","Id2",..."IdN">
``` This example removes the specified block URL entry from the Tenant Allow/Block List.
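Review bot: The syntax line under "modify allow bulk mail sender domain entries" uses `Get-TenantAllowBlockListItems` with `-Ids` and `-Notes`, and that section's reference link also points to Get-TenantAllowBlockListItems; both should be `Set-TenantAllowBlockListItems`, which is what the example below the syntax uses. The spoofed sender example has the opposite slip: it calls `Set-TenantAllowBlockListItems` with `-Action Block` where the syntax line is `Set-TenantAllowBlockListSpoofItems`. The remove heading reads "bulk mail sender domain, file, and domain entries"; the second "domain" should be "URL" to match the sentence under it.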
Remove-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBy
For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).
+### Use PowerShell to remove allow or block spoofed sender entries from the Tenant Allow/Block List
+
+To remove allow or block spoof sender entries from the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Remove-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN">
+```
+
+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListSpoofItems](/powershell/module/exchange/remove-tenantallowblocklistspoofitems).
+ ## URL syntax for the Tenant Allow/Block List - IP4v and IPv6 addresses are allowed, but TCP/UDP ports are not.
The following entries are invalid:
- contoso.com/\*\* - contoso.com/\*/\*+
+## Domain pair syntax for spoofed sender entries in the Tenant Allow/Block List
+
+A domain pair for a spoofed sender in the Tenant Allow/Block List uses the following syntax: `<Spoofed user>, <Sending infrastructure>`.
+
+- **Spoofed user**: This value involves the email address of the spoofed user that's displayed in the **From** box in email clients. This address is also known as the `5322.From` address. Valid values include:
+ - An individual email address (for example, chris@contoso.com).
+ - An email domain (for example, contoso.com).
+ - The wildcard character (for example, \*).
+
+- **Sending infrastructure**: This value indicates the source of messages from the spoofed user. Valid values include:
+ - The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address (for example, fabrikam.com).
+ - If the source IP address has no PTR record, then the sending infrastructure is identified as \<source IP\>/24 (for example, 192.168.100.100/24).
+
+Here are some examples of valid domain pairs to identify spoofed senders:
+
+- `contoso.com, 192.168.100.100/24`
+- `chris@contoso.com, fabrikam.com`
+- `*, contoso.net`
+
+Adding a domain pair only allows or blocks the *combination* of the spoofed user *and* the sending infrastructure. It does not allow email from the spoofed user from any source, nor does it allow email from the sending infrastructure source for any spoofed user.
+
+For example, you add an allow entry for the following domain pair:
+
+- **Domain**: gmail.com
+- **Infrastructure**: tms.mx.com
+
+Only messages from that domain *and* sending infrastructure pair are allowed to spoof. Other senders attempting to spoof gmail.com aren't allowed. Messages from senders in other domains originating from tms.mx.com are checked by spoof intelligence.
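Review bot: The closing example labels its values **Domain** and **Infrastructure**, but the section defines the pair as **Spoofed user** and **Sending infrastructure** and writes pairs as `<Spoofed user>, <Sending infrastructure>`; use the same labels, or show the entry as `gmail.com, tms.mx.com`. The wildcard bullet says "(for example, \*)" although `*` is the only wildcard given; say what it matches, since `*, contoso.net` is listed as a valid pair and readers need to know how broad an allow entry with `*` is. The paragraph on only the combination being allowed or blocked repeats the note already added to the Security & Compliance Center procedure, so one could link to the other.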
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
The Microsoft 365 security center includes capabilities that protect your enviro
|Area|Includes a default policy|Recommendation| ||||
-|**Anti-phishing**|Yes|If you have a custom domain, configure the default anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain. <p> Review [Anti-phishing policies in Office 365](set-up-anti-phishing-policies.md) and see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) or [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).|
+|**Anti-phishing**|Yes|<ul><li>Impersonation protection ΓÇö If you have Defender for Office 365 and a custom domain, configure the impersonation protection settings in the default anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain. More information: [Impersonation settings in anti-phishing policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) and [Impersonation insight](impersonation-insight.md)</li><li>Spoof intelligence ΓÇö Review senders who are spoofing your domain. Block or allow these senders. More information: [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md) and [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).</li></ul>|
|**Anti-Malware Engine**|Yes| Edit the default policy: <ul><li>Common Attachment Types Filter: Select On</li></ul> <p> You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization. <p> More information: <ul><li>[Anti-malware protection](anti-malware-protection.md)</li><li>[Configure anti-malware policies](configure-anti-malware-policies.md)</li></ul>| |**Safe Attachments in Microsoft Defender for Office 365**|No|On the main page for Safe Attachments, click **Global settings** and turn on this setting: <ul><li>**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**</li></ul> <p> Create a Safe Attachments policy with these settings: <ul><li> **Block**: Select **Block** as the unknown malware response.</li><li>**Enable redirect**: Check this box and enter an email address, such as an admin or quarantine account.</li><li>**Apply the above selection if malware scanning for attachments times out or error occurs**: Check this box.</li><li>***Applied to**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) and [Set up Safe Attachments policies](set-up-safe-attachments-policies.md)| |**Safe Links in Microsoft Defender for Office 365**|Yes|On the main page for Safe Links, click **Global settings**: <ul><li>**Use Safe Links in: Office 365 applications**: Verify this setting is turned on.</li><li>**Do not track when users click Safe Links**: Turn this setting off to track user clicks.</li></ul> <p> Create a Safe Links policy with these settings: <ul><li>**Select the action for unknown potentially malicious URLs in messages**: Verify this setting is **On**.</li><li>**Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Verify this setting is **On**.</li><li>**Apply real-time URL scanning for suspicious links and links that point to 
files**: Check this box.</li><li>**Wait for URL scanning to complete before delivering the message**: Check this box.</li><li>**Apply Safe Links to email messages sent within the organization**: Check this box</li><li>**Do not allow users to click through to original URL**: Check this box.</li><li>**Applied To**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Set up Safe Links policies](set-up-safe-links-policies.md).|
-|**Anti-Spam (Mail filtering)**|Yes| What to watch for: <ul><li>Too much spam ΓÇö Choose the Custom settings and edit the Default spam filter policy.</li><li>Spoof intelligence ΓÇö Review senders that are spoofing your domain. Block or allow these senders.</li></ul> <p> More information: [Microsoft 365 Email Anti-Spam Protection](anti-spam-protection.md).|
+|**Anti-Spam (Mail filtering)**|Yes| What to watch for: Too much spam ΓÇö Choose the Custom settings and edit the Default spam filter policy. More information: [Microsoft 365 Email Anti-Spam Protection](anti-spam-protection.md).|
|***Email Authentication***|Yes|Email authentication uses a Domain Name System (DNS) to add verifiable information to email messages about the sender of an email. Microsoft 365 sets up email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also use email authentication for custom domains. Three authentication methods are used: <ul><li>Sender Policy Framework (or SPF).</li><ul><li>For setup, see [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md).</li></ul> <li>DomainKeys Identified Mail (DKIM).</li><ul><li>See [Use DKIM to validate outbound email sent from your custom domain](use-dkim-to-validate-outbound-email.md).</li><li>After you've configured DKIM, enable it in the security center.</li></ul><li>Domain-based Message Authentication, Reporting, and Conformance (DMARC).</li><ul><li>For DMARC setup [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).</li></ul></ul>| | > [!NOTE] > For non-standard deployments of SPF, hybrid deployments, and troubleshooting: [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](how-office-365-uses-spf-to-prevent-spoofing.md).
-## View dashboards and reports in the security and compliance centers
+## View dashboards and reports in the Security & Compliance Center
-Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see : [Reports in the Microsoft 365 security and compliance centers](../../compliance/reports-in-security-and-compliance.md).
+Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see [Reports in the Security & Compliance Center](../../compliance/reports-in-security-and-compliance.md).
****
security Tuning Anti Phishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tuning-anti-phishing.md
Specifically, you should check the **X-Forefront-Antispam-Report** header field
- For messages that end up in quarantine by mistake, or for messages that are allowed through, we recommend that you search for those messages in [Threat Explorer and real-time detections](threat-explorer.md). You can search by sender, recipient, or message ID. After you locate the message, go to details by clicking on the subject. For a quarantined message, look to see what the "detection technology" was so that you can use the appropriate method to override. For an allowed message, look to see which policy allowed the message. -- Spoofed mail is tagged as phishing in Defender for Office 365. Sometimes spoof is benign, and sometimes users do not want it quarantined. To minimize impact to users, periodically review the [Spoof intelligence report](learn-about-spoof-intelligence.md). Once you have reviewed and made any necessary overrides, you can be confident to [configure spoof intelligence](set-up-anti-phishing-policies.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder.
+- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as phishing in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](learn-about-spoof-intelligence.md), the **Spoof** tab in the [Tenant Allow/Block List](tenant-allow-block-list.md), and the [Spoof detections report](view-email-security-reports.md#spoof-detections-report). Once you have reviewed allowed and blocked spoofed senders and made any necessary overrides, you can be confident to [configure spoof intelligence in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder.
-- You can repeat the above step for Impersonation (domain or user). The Impersonation report is found under **Threat Management** \> **Dashboard** \> **Insights**.
+- You can repeat the above step for Impersonation (domain or user) in Microsoft Defender for Office 365. The Impersonation report is found under **Threat Management** \> **Dashboard** \> **Insights**.
- Periodically review the [Threat Protection Status report](view-reports-for-mdo.md#threat-protection-status-report).
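Review bot: In the new spoofed-senders bullet, "messages from specific spoofed sender" needs the plural "senders", and "you can be confident to configure" reads awkwardly; "you can confidently configure" would do. The bullet now points to three places to review (the spoof intelligence insight, the **Spoof** tab in the Tenant Allow/Block List, and the Spoof detections report) but doesn't say in which of them the "necessary overrides" are made, so say that before telling admins to switch the action to **Quarantine**.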
Specifically, you should check the **X-Forefront-Antispam-Report** header field
- Verify that your SPF record identifies _all_ sources of email for senders in your domain (don't forget third-party services!).
- - Use hard fail (\-all) to ensure that unauthorized senders are rejected by email systems that are configured to do so. You can use [spoof intelligence](learn-about-spoof-intelligence.md) to help identify senders that are using your domain so that you can include authorized third-party senders in your SPF record.
+ - Use hard fail (\-all) to ensure that unauthorized senders are rejected by email systems that are configured to do so. You can use the [spoof intelligence insight](learn-about-spoof-intelligence.md) to help identify senders that are using your domain so that you can include authorized third-party senders in your SPF record.
For configuration instructions, see:
security Use Dkim To Validate Outbound Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
In this article:
> [!NOTE] > Microsoft 365 automatically sets up DKIM for its initial 'onmicrosoft.com' domains. That means you don't need to do anything to set up DKIM for any initial domain names (for example, litware.onmicrosoft.com). For more information about domains, see [Domains FAQ](../../admin/setup/domains-faq.yml#why-do-i-have-an--onmicrosoft-com--domain).
-DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent spoofers from sending messages that look like they come from your domain.
+DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain.
DKIM lets you add a digital signature to outbound email messages in the message header. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from your domain can use this digital signature to help verify whether incoming email is legitimate.
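Review bot: Since this sentence is being edited anyway, lowercase "Authentication" in "trio of Authentication methods" and use the serial comma in "(SPF, DKIM and DMARC)" to match "(SPF, DKIM, or DMARC)" as written in the related spoof intelligence text.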
Although DKIM is designed to help prevent spoofing, DKIM works better with SPF a
## More information Key rotation via PowerShell
-[Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig)
+[Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig)
security Use Dmarc To Validate Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dmarc-to-validate-email.md
Title: Use DMARC to validate email
+ Title: Use DMARC to validate email, setup steps
f1.keywords: - NOCSH
audience: ITPro - Last updated : 05/10/2021 localization_priority: Priority search.appverid: - MET150
_dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=
Microsoft sends its DMARC reports to [Agari](https://agari.com), a third party. Agari collects and analyzes DMARC reports. Please visit the [MISA catalog](https://www.microsoft.com/misapartnercatalog) to view more third-party vendors offering DMARC reporting for Microsoft 365.
-## Implement DMARC for inbound mail
+## Set up DMARC for inbound mail
You don't have to do a thing to set up DMARC for mail that you receive in Microsoft 365. We've taken care of everything for you. If you want to learn what happens to mail that fails to pass our DMARC checks, see [How Microsoft 365 handles inbound email that fails DMARC](#how-microsoft-365-handles-inbound-email-that-fails-dmarc).
-## Implement DMARC for outbound mail from Microsoft 365
+## Set up DMARC for outbound mail from Microsoft 365
If you use Microsoft 365 but you aren't using a custom domain, that is, you use onmicrosoft.com, you don't need to do anything else to configure or implement DMARC for your organization. SPF is already set up for you and Microsoft 365 automatically generates a DKIM signature for your outgoing mail. For more information about this signature, see [Default behavior for DKIM and Microsoft 365](use-dkim-to-validate-outbound-email.md#DefaultDKIMbehavior).
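Review bot: Renaming the two "Implement DMARC for ..." headings to "Set up DMARC for ..." changes their generated anchors, so check for links from other articles to the old `#implement-dmarc-for-inbound-mail` and `#implement-dmarc-for-outbound-mail-from-microsoft-365` fragments and update them in the same change. The later heading "Best practices for implementing DMARC in Microsoft 365" keeps the old verb, so the terminology is now mixed within the article.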
Examples:
Once you have formed your record, you need to update the record at your domain registrar. For instructions on adding the DMARC TXT record to your DNS records for Microsoft 365, see [Create DNS records for Microsoft 365 when you manage your DNS records](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md).
+## DMARC Mail (Public Preview feature)
+> [!CAUTION]
+> Mails may not be sent out daily, and the report itself may change during public preview. The DMARC aggregate report emails can be expected from the Consumer accounts (such as hotmail.com, outlook.com, or live.com accounts).
+
+In this example DMARC TXT record **_dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1"** you can see the *rua* address, in this case, processed by third-party company Agari. This address is used to send 'aggregate feedback' for analysis, and which is used to generate a report.
+
+> [!TIP]
+> Please visit the [MISA catalog](https://www.microsoft.com/misapartnercatalog) to view more third-party vendors offering DMARC reporting for Microsoft 365. See [IETF.org's 'Domain-based Message Authentication, Reporting, and Conformance (DMARC)'](https://datatracker.ietf.org/doc/html/rfc7489) for more information on DMARC 'rua' addresses.
+ ## Best practices for implementing DMARC in Microsoft 365 You can implement DMARC gradually without impacting the rest of your mail flow. Create and implement a roll-out plan that follows these steps. Do each of these steps first with a sub-domain, then other sub-domains, and finally with the top-level domain in your organization before moving on to the next step.
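Review bot: The new "DMARC Mail (Public Preview feature)" section never states what the feature is; the CAUTION says aggregate report emails "can be expected from the Consumer accounts" without saying who sends them or that they are delivered to the address in the domain's *rua* tag, so open the section with one sentence that says so. In the example paragraph, "and which is used to generate a report" is ungrammatical ("which is then used to generate a report"), and the TIP repeats the MISA catalog sentence that already appears just above the "Set up DMARC for inbound mail" heading, so keep it in one place only.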
Microsoft 365 is configured like this because some legitimate email may fail DMA
- Users add safe senders individually by using their email client. -- Administrators can update the [Spoof Intelligence](learn-about-spoof-intelligence.md) reporting to allow the spoof.
+- Admins can use the [spoof intelligence insight](learn-about-spoof-intelligence.md) or the [Tenant Allow/Block List](tenant-allow-block-list.md) to allow messages from the spoofed sender.
-- Administrators create an Exchange mail flow rule (also known as a transport rule) for all users that allows messages for those particular senders.
+- Admins create an Exchange mail flow rule (also known as a transport rule) for all users that allows messages for those particular senders.
For more information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md).
security View Email Security Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
To go back to the report view, click **View report**.
## Spoof detections report
-The **Spoof detections** report shows how many spoof mail messages were detected, and of those, which ones were considered "good" (spoof mail done for legitimate business reasons). For more information about spoofing, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
+> [!NOTE]
+> The improved Spoof detections report as described in this article is in Preview, is subject to change, and is not available in all organizations. The older version of the report showed only **Good mail** and **Caught as spam**.
+
+The **Spoof detections** report shows information about messages that were blocked or allowed due to spoofing. For more information about spoofing, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
+
+The aggregate view of the report allows for 45 days of filtering<sup>\*</sup>, while the detail view only allows for ten days of filtering.
-The aggregate view of the report allows for 90 days of filtering, while the detail view only allows for ten days of filtering.
+<sup>\*</sup> Eventually, you'll be able to use up to 90 days of filtering.
To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Spoof detections**. To go directly to the report, open <https://protection.office.com/reportv2?id=SpoofMailReport>. ![Spoof detections widget in the Reports dashboard](../../media/spoof-detections-widget.png)
-When you hover over a day (data point) in the chart, you can see how many spoof mail messages came through.
+When you hover over a day (data point) in the chart, you can see how many spoofed messages were detected and why.
You can filter both the chart and the details table by clicking **Filters** and selecting one or more of the following values: - **Start date** and **End date** -- **Good mail**
+- **Result**
+ - **Pass**
+ - **Fail**
+ - **SoftPass**
+ - **None**
+ - **Other**
-- **Caught as spam**
+- **Spoof type**: **Internal** and **External**
![Report view in the Spoof detections report](../../media/spoof-detections-report-view.png) If you click **View details table**, you can see the following details: - **Date**-- **Spoofed sender**-- **True sender**-- **Sender IP**-- **Action**
+- **Spoofed user**
+- **Sending infrastructure**
+- **Spoof type**
+- **Result**
+- **Result code**
+- **SPF**
+- **DKIM**
+- **DMARC**
- **Message count** To go back to the report view, click **View report**.
+For more information about composite authentication result codes, see [Anti-spam message headers in Microsoft 365](anti-spam-message-headers.md).
+ ## Threat protection status report The **Threat protection status** report is available in both EOP and Microsoft Defender for Office 365; however, the reports contain different data. For example, EOP customers can view information about malware detected in email, but not information about malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md).
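Review bot: The new **Result** filter values (**Pass**, **Fail**, **SoftPass**, **None**, **Other**) and the added **Result code**, **SPF**, **DKIM**, and **DMARC** columns are listed without saying what each value means, and the closing link is described as covering composite authentication result codes only; add a short definition for each **Result** value so readers can tell which rows represent delivered spoofed mail. The 45-day footnote ("Eventually, you'll be able to use up to 90 days of filtering") carries no date and will go stale, so consider folding it into the Preview note instead.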
security Walkthrough Spoof Intelligence Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md
Title: Walkthrough - Spoof intelligence insight
+ Title: Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight
f1.keywords: - NOCSH
search.appverid:
ms.assetid: 59a3ecaf-15ed-483b-b824-d98961d88bdd - M365-security-compliance
-description: Admins can learn how the Spoof intelligence insight works. They can quickly determine which senders are legitimately sending email into their organizations from domains that don't pass email authentication checks (SPF, DKIM, or DMARC).
+description: Admins can learn how to use the spoof intelligence policy and the spoof intelligence insight to allow or block detected spoofed senders.
ms.technology: mdo ms.prod: m365-security
-# Walkthrough - Spoof intelligence insight in Microsoft Defender for Office 365
+# Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-In Microsoft 365 organizations with Defender for Office 365, you can use the Spoof intelligence insight to quickly determine which external senders are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks).
-
-By allowing known external senders to send spoofed messages from known locations, you can reduce false positives (good email marked as bad). By monitoring the allowed spoofed senders, you provide an additional layer of security to prevent unsafe messages from arriving in your organization.
+> [!NOTE]
+> This article describes the older spoofed sender management experience that's being replaced. For more information about the new experience, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)
-For more information about reports and insights, see [Reports and insights in the Security & Compliance Center](reports-and-insights-in-security-and-compliance.md).
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spoofing by EOP as of October 2018. EOP uses **spoof intelligence** as part of your organization's overall defense against phishing. For more information, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
-This walkthrough is one of several for the Security & Compliance Center. To about navigating reports and insights, see the walkthroughs in the [Related topics](#related-topics) section.
+The default (and only) **spoof intelligence policy** helps ensure that the spoofed email sent by legitimate senders doesn't get caught up in EOP spam filters while protecting your users from spam or phishing attacks. You can also use the **Spoof intelligence insight** to quickly determine which external senders are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks).
-> [!NOTE]
-> The spoof intelligence insight shows data from the last 7 days. The [spoof intelligence policy](learn-about-spoof-intelligence.md) and the corresponding [Get-PhishFilterPolicy](/powershell/module/exchange/get-phishfilterpolicy) cmdlet in Exchange Online PowerShell shows data from the last 30 days. The [Get-SpoofMailReport](/powershell/module/exchange/get-spoofmailreport) shows data for up to 90 days.
+You can manage spoof intelligence in the Security & Compliance Center, or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Security dashboard** page, use <https://protection.office.com/searchandinvestigation/dashboard>.
+- You open the Security & Compliance Center at <https://protection.office.com/>.
+ - To go directly to the **Anti-spam settings** page for the spoof intelligence policy, use <https://protection.office.com/antispam>.
+ - To go directly to the **Security dashboard** page for the spoof intelligence insight, use <https://protection.office.com/searchandinvestigation/dashboard>.
+
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
+
+- You need to be assigned permissions in **Exchange Online** before you can do the procedures in this article:
+ - To modify the spoof intelligence policy or enable or disable spoof intelligence, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
+ - For read-only access to the spoof intelligence policy, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+
+ For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+
+ **Notes**:
+
+ - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+
+- The options for spoof intelligence are described in [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
+
+- You can enable, disable, and configure the spoof intelligence settings in anti-phishing policies. For instructions based on your subscription, see one of the following topics:
+
+ - [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
+ - [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+
+- For our recommended settings for spoof intelligence, see [EOP default anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-default-anti-phishing-policy-settings).
+
+## Manage spoofed senders
+
+There are two ways to allow and block spoofed senders:
+
+- [Use the spoof intelligence policy](#manage-spoofed-senders-in-the-spoof-intelligence-policy)
+- [Use the spoof intelligence insight](#manage-spoofed-senders-in-the-spoof-intelligence-insight)
+
+### Manage spoofed senders in the spoof intelligence policy
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+
+2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand **Spoof intelligence policy**.
+
+ ![Select the spoof intelligence policy](../../media/anti-spam-settings-spoof-intelligence-policy.png)
+
+3. Make one of the following selections:
+
+ - **Review new senders**
+ - **Show me senders I already reviewed**
+
+4. In the **Decide if these senders are allowed to spoof your users** flyout that appears, select one of the following tabs:
+
+ - **Your Domains**: Senders spoofing users in your internal domains.
+ - **External Domains**: Senders spoofing users in external domains.
+
+5. Click ![Expand icon](../../medi#spoof-settings).
+
+ ![Screenshot showing the spoofed senders flyout, and whether the sender is allowed to spoof](../../media/c0c062fd-f4a4-4d78-96f7-2c22009052bb.jpg)
+
+ The columns and values that you see are explained in the following list:
- You can view the Spoof intelligence insight from more than one dashboard in the Security & Compliance Center. Regardless of which dashboard you're looking at, the insight provides the same details and allows you to quickly do the same tasks.
+ - **Spoofed user**: The user account that's being spoofed. This is the message sender in the From address (also known as the `5322.From` address) that's shown in email clients. The validity of this address is not checked by SPF.
+ - On the **Your Domains** tab, the value contains a single email address, or if the source email server is spoofing multiple user accounts, it contains **More than one**.
+ - On the **External Domains** tab, the value contains the domain of the spoofed user, not the full email address.
-- You need to be assigned permissions in the Security & Compliance Center before you can do the procedures in this article:
- - **Organization Management**
- - **Security Administrator**
- - **Security Reader**
- - **Global Reader**
+ - **Sending Infrastructure**: The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address. If the source IP address has no PTR record, then the sending infrastructure is identified as \<source IP\>/24 (for example, 192.168.100.100/24).
- For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+ For more information about message sources and message senders, see [An overview of email message standards](how-office-365-validates-the-from-address.md#an-overview-of-email-message-standards).
- **Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ - **# of messages**: The number of messages from the sending infrastructure to your organization that contain the specified spoofed sender or senders within the last 30 days.
-- You enable and disable spoof intelligence in anti-phishing policies in Microsoft Defender for Office 365. Spoof intelligence is enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+ - **# of user complaints**: Complaints filed by your users against this sender within the last 30 days. Complaints are usually in the form of junk submissions to Microsoft.
-- To use spoof intelligence to monitor and manage senders who are sending you unauthenticated messages, see [Configure spoof intelligence in Microsoft 365](learn-about-spoof-intelligence.md).
+ - **Authentication result**: One of the following values:
+ - **Passed**: The sender passed sender email authentication checks (SPF or DKIM).
+ - **Failed**: The sender failed EOP sender authentication checks.
+ - **Unknown**: The result of these checks isn't known.
-## Open the spoof intelligence insight in the Security & Compliance Center
+ - **Decision set by**: Shows who determined if the sending infrastructure is allowed to spoof the user:
+ - **Spoof intelligence policy** (automatic)
+ - **Admin** (manual)
-1. In the Security & Compliance Center, go to **Threat Management** \> **Dashboard.**
+ - **Last seen**: The last date when a message was received from the sending infrastructure that contains the spoofed user.
+
+ - **Allowed to spoof?**: The values that you see here are:
+ - **Yes**: Messages from the combination of spoofed user and sending infrastructure are allowed and not treated as spoofed email.
+ - **No**: Messages from the combination of spoofed user and sending infrastructure are marked as spoofed. The action is controlled by the default anti-phishing policy or custom anti-phishing policies (the default value is **Move message to Junk Email folder**). See the next section for more information.
+
+ - **Some users** (**Your Domains** tab only): A sending infrastructure is spoofing multiple users, where some spoofed users are allowed and others are not. Use the **Detailed** tab to see the specific addresses.
+
+6. At the bottom of the page, click **Save**.
+
+#### Use PowerShell to manage spoofed senders
+
+To view allowed and blocked senders in spoof intelligence, use the following syntax:
+
+```powershell
+Get-PhishFilterPolicy [-AllowedToSpoof <Yes | No | Partial>] [-ConfidenceLevel <Low | High>] [-DecisionBy <Admin | SpoofProtection>] [-Detailed] [-SpoofType <Internal | External>]
+```
+
+This example returns detailed information about all senders that are allowed to spoof users in your domains.
+
+```powershell
+Get-PhishFilterPolicy -AllowedToSpoof Yes -Detailed -SpoofType Internal
+```
+
+For detailed syntax and parameter information, see [Get-PhishFilterPolicy](/powershell/module/exchange/get-phishfilterpolicy).
+
+To configure allowed and blocked senders in spoof intelligence, follow these steps:
+
+1. Capture the current list of detected spoofed senders by writing the output of the **Get-PhishFilterPolicy** cmdlet to a CSV file by running the following command:
+
+ ```powershell
+ Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"
+ ```
+
+2. Edit the CSV file to add or modify the following values:
+ - **Sender** (domain in source server's PTR record or IP/24 address)
+ - **SpoofedUser**: One of the following values:
+ - The internal user's email address.
+ - The external user's email domain.
+ - A blank value that indicates you want to block or allow any and all spoofed messages from the specified **Sender**, regardless of the spoofed email address.
+ - **AllowedToSpoof** (Yes or No)
+ - **SpoofType** (Internal or External)
+
+ Save the file, read the file, and store the contents as a variable named `$UpdateSpoofedSenders` by running the following command:
+
+ ```powershell
+ $UpdateSpoofedSenders = Get-Content -Raw "C:\My Documents\Spoofed Senders.csv"
+ ```
+
+3. Use the `$UpdateSpoofedSenders` variable to configure the spoof intelligence policy by running the following command:
+
+ ```powershell
+ Set-PhishFilterPolicy -Identity Default -SpoofAllowBlockList $UpdateSpoofedSenders
+ ```
+
+For detailed syntax and parameter information, see [Set-PhishFilterPolicy](/powershell/module/exchange/set-phishfilterpolicy).
+
+### Manage spoofed senders in the spoof intelligence insight
+
+1. In the Security & Compliance Center, go to **Threat Management** \> **Dashboard**.
2. In the **Insights** row, look for one of the following items:
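Review bot: Step 5 under "Manage spoofed senders in the spoof intelligence policy" is broken: the line reads `Click ![Expand icon](../../medi#spoof-settings).`, so the image path is cut off and the instruction itself (what to expand and what to select) is missing; please restore the full step. In the PowerShell steps, `Export-CSV` is run without `-NoTypeInformation`; in Windows PowerShell 5.1 that writes a `#TYPE` line at the top of the file, which `Get-Content -Raw` then includes in the value passed to `-SpoofAllowBlockList`, so add the switch or tell readers to remove that line. The blank **SpoofedUser** option, combined with **AllowedToSpoof** set to Yes, allows every spoofed address from that sender and should get an explicit caution, and the new NOTE about the older experience is missing its final period.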
This walkthrough is one of several for the Security & Compliance Center. To abou
Either way, the spoofed domains displayed in the insight are separated into two categories: **Suspicious domains** and **Non-suspicious domains**.
- - **Suspicious domains** include:
-
- - High-confidence spoof: Based on the historical sending patterns and the reputation score of the domains, we're highly confident that the domains are spoofing, and messages from these domains are more likely to be malicious.
+ - **Suspicious domains**:
+ - **High-confidence spoof**: Based on the historical sending patterns and the reputation score of the domains, we're highly confident that the domains are spoofing, and messages from these domains are more likely to be malicious.
+ - **Moderate confidence spoof**: Based on historical sending patterns and the reputation score of the domains, we're moderately confident that the domains are spoofing, and that messages sent from these domains are legitimate. False positives are more likely in this category than high-confidence spoof.
+ - **Non-suspicious domains**: The domain failed explicit email authentication checks [SPF](how-office-365-uses-spf-to-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md)). However, the domain passed our implicit email authentication checks ([composite authentication](email-validation-and-authentication.md#composite-authentication)). As a result, no anti-spoofing action was taken on the message.
- - Moderate confidence spoof: Based on historical sending patterns and the reputation score of the domains, we're moderately confident that the domains are spoofing, and that messages sent from these domains are legitimate. False positives are more likely in this category than high-confidence spoof.
-
- **Non-suspicious domains**: The domain failed explicit email authentication checks [SPF](how-office-365-uses-spf-to-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md)). However, the domain passed our implicit email authentication checks ([composite authentication](email-validation-and-authentication.md#composite-authentication)). As a result, no anti-spoofing action was taken on the message.
-
-### View detailed information about suspicious domains from the Spoof intelligence insight
+#### View detailed information about suspicious and nonsuspicious domains
1. On the Spoof intelligence insight, click **Suspicious domains** or **Non-suspicious domains** to go to the **Spoof intelligence insight** page. The **Spoof Intelligence insight** page contains the following information:
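Review bot: In the **Moderate confidence spoof** bullet, "we're moderately confident that the domains are spoofing, and that messages sent from these domains are legitimate" contradicts itself; the wording is carried over unchanged from the removed line, so confirm the intended meaning and reword it while the bullet is being reformatted. The **Non-suspicious domains** bullet also keeps the unbalanced parenthesis after the DMARC link (the opening "(" before the SPF link is missing), and the new heading spells "nonsuspicious" while the bullets and the link text in step 1 use "Non-suspicious".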
This walkthrough is one of several for the Security & Compliance Center. To abou
- **Yes**: Messages from the combination of spoofed user's domain and sending infrastructure are allowed and not treated as spoofed email. - **No**: Messages from the combination of spoofed user's domain and sending infrastructure are marked as spoofed. The action is controlled by the default anti-phishing policy or custom anti-phishing policies (the default value is **Move message to Junk Email folder**).
- For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
- 2. Select an item in the list to view details about the domain/sending infrastructure pair in a flyout. The information includes: - Why we caught this. - What you need to do.
This walkthrough is one of several for the Security & Compliance Center. To abou
![Screenshot of a domain in the Spoof intelligence insight details pane](../../media/03ad3e6e-2010-4e8e-b92e-accc8bbebb79.png)
-### Adding a domain to the Allowed to spoof list
+## How do you know these procedures worked?
-Adding a domain to the Allowed to spoof list from the spoof intelligence insight only allows the combination of the spoofed domain *and* the sending infrastructure. It does not allow email from the spoofed domain from any source, nor does it allow email from the sending infrastructure for any domain.
+To verify that you've configured spoof intelligence with senders who are allowed and not allowed to spoof, use any of the following steps:
-For example, you allow the following domain to the Allowed to spoof list:
+- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam** \> expand **Spoof intelligence policy** \> select **Show me senders I already reviewed** \> select the **Your Domains** or **External Domains** tab, and verify the **Allowed to spoof?** value for the sender.
-- **Domain**: gmail.com-- **Infrastructure**: tms.mx.com
+- In PowerShell, run the following commands to view the senders who are allowed and not allowed to spoof:
-Only email from that domain/sending infrastructure pair will be allowed to spoof. Other senders attempting to spoof gmail.com aren't allowed. Messages in other domains from tms.mx.com are checked by spoof intelligence.
+ ```powershell
+ Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType Internal
+ Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType Internal
+ Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType External
+ Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType External
+ ```
-## Related topics
+- In PowerShell, run the following command to export the list of all spoofed senders to a CSV file:
-[Anti-spoofing protection in Microsoft 365](anti-spoofing-protection.md)
+ ```powershell
+ Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"
+ ```
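Review bot: The removed section "Adding a domain to the Allowed to spoof list" explained that an allow entry covers only the combination of spoofed domain and sending infrastructure (the gmail.com / tms.mx.com example), and the replacement "How do you know these procedures worked?" section does not carry that over. That scoping is what tells an admin how narrow an allow entry is, so move the explanation and example into the "Manage spoofed senders" section rather than dropping it. The export command here repeats the earlier `Export-CSV "C:\My Documents\Spoofed Senders.csv"` line, so any fix to that command (path, `-NoTypeInformation`) needs to be applied in both places.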