+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RW14Ir8?autoplay=false]

+- To search for Power BI activities in the audit log, you have to enable auditing in the Power BI admin portal. For instructions, see the "Audit logs" section in [Power BI admin portal](/power-bi/service-admin-portal#audit-logs).

+#### Connectors

+We're rolling out a selection of connectors built specifically for Compliance Manager to support other non-Microsoft services. Connectors for Salesforce and Zoom are available now, with more connectors releasing soon. Learn more at [Working with connectors in Compliance Manager](compliance-manager-connectors.md).

+Updates to the improvement actionΓÇÖs status shows within 24 hours.

+You come back to your action's details page. Under **Testing Source** on the **Overview** section, the new action you designated as the parent is listed under **Parent action**.

+##### Where you see assessment update notifications

+When an improvement action is updated, you see a **Pending update** label next to its name on the improvement actions page, and on the details page of its related assessments.

+### Actions that support policy tips in Outlook Web Access

+### Sensitive information types that support policy tips in Outlook Web Access

+- ABA Routing Number

+- Argentina National Identity (DNI) Number

+- Australia Bank Account Number

+- Australia Medical Account Number

+- Australia Passport Number

+- Australia Tax File Number

+- Azure DocumentDB Auth Key

+- Azure IAAS Database Connection String and Azure SQL Connection String

+- Azure IoT Connection String

+- Azure Publish Setting Password

+- Azure Redis Cache Connection String

+- Azure SAS

+- Azure Service Bus Connection String

+- Azure Storage Account Key

+- Azure Storage Account Key (Generic)

+- Belgium National Number

+- Brazil CPF Number

+- Brazil Legal Entity Number (CNPJ)

+- Brazil National ID Card (RG)

+- Canada Bank Account Number

+- Canada Driver's License Number

+- Canada Health Service Number

+- Canada Passport Number

+- Canada Personal Health Identification Number (PHIN)

+- Canada Social Insurance Number

+- Chile Identity Card Number

+- China Resident Identity Card (PRC) Number

+- Credit Card Number

+- Croatia Identity Card Number

+- Croatia Personal Identification (OIB) Number

+- Czech Personal Identity Number

+- Denmark Personal Identification Number

+- Drug Enforcement Agency (DEA) Number

+- EU Debit Card Number

+- EU Driver's License Number

+- EU National Identification Number

+- EU Passport Number

+- EU Social Security Number (SSN) or Equivalent ID

+- EU Tax Identification Number (TIN)

+- Finland National ID

+- Finland Passport Number

+- France Driver's License Number

+- France National ID Card (CNI)

+- France Passport Number

+- France Social Security Number (INSEE)

+- German Driver's License Number

+- German Passport Number

+- Germany Identity Card Number

+- Greece National ID Card

+- Hong Kong Identity Card (HKID) Number

+- India Permanent Account Number (PAN)

+- India Unique Identification (Aadhaar) Number

+- Indonesia Identity Card (KTP) Number

+- International Banking Account Number (IBAN)

+- International Classification of Diseases (ICD-10-CM)

+- International Classification of Diseases (ICD-9-CM)

+- IP Address

+- Ireland Personal Public Service (PPS) Number

+- Israel Bank Account Number

+- Israel National ID

+- Italy Driver's License Number

+- Japan Bank Account Number

+- Japan Driver's License Number

+- Japan Passport Number

+- Japan Resident Registration Number

+- Japan Social Insurance Number (SIN)

+- Japanese Residence Card Number

+- Malaysia Identity Card Number

+- Netherlands Citizen's Service (BSN) Number

+- New Zealand Ministry of Health Number

+- Norway Identity Number

+- Philippines Unified Multi-Purpose ID Number

+- Poland Identity Card

+- Poland National ID (PESEL)

+- Poland Passport

+- Portugal Citizen Card Number

+- Saudi Arabia National ID

+- Singapore National Registration Identity Card (NRIC) Number

+- South Africa Identification Number

+- South Korea Resident Registration Number

+- Spain Social Security Number (SSN)

+- SQL Server Connection String

+- Sweden National ID

+- Sweden Passport Number

+- SWIFT Code

+- Taiwan National ID

+- Taiwan Passport Number

+- Taiwan Resident Certificate (ARC/TARC)

+- Thai Population Identification Code

+- Turkish National Identification number

+- U.K. Driver's License Number

+- U.K. Electoral Roll Number

+- U.K. National Health Service Number

+- U.K. National Insurance Number (NINO)

+- U.S. / U.K. Passport Number

+- U.S. Bank Account Number

+- U.S. Driver's License Number

+- U.S. Individual Taxpayer Identification Number (ITIN)

+- U.S. Social Security Number (SSN)

+ Title: "Microsoft 365 Network Provider Program"

+description: "The Microsoft 365 Network Provider Program allows your device to become certified as working with Microsoft 365."

+# Microsoft 365 Network Provider Program

+As customers adopt Microsoft 365 for business productivity, Microsoft has observed a common trend that network performance and the resulting end-user collaboration experience is directly influenced by network solutions in the path between the user and Microsoft 365. To help partners design optimal network solutions and help customers make informed decisions regarding such solutions, we built the Microsoft 365 Network Provider Program.

+The Microsoft 365 Network Provider Program deepens our collaboration with network partners and identifies key products and solutions that follow Microsoft 365 networking requirements, recommendations, and best practices. The goal of the Microsoft 365 Network Provider program is to facilitate customer ability to improve their Microsoft 365 experience through easy discovery of validated partner solutions that consistently demonstrate alignment to key principles for optimal Microsoft 365 connectivity in customer deployments.

+The Microsoft 365 Network Provider Program demonstrates MicrosoftΓÇÖs commitment to help our customers get the best Microsoft 365 experience. The Microsoft 365 team works with many network industry partners to help ensure that key principles for optimal connectivity are natively built into their network product and solutions.

+The Microsoft 365 Network Provider program is in preview for a limited number of network providers. If you are interested in participating in the preview to give early feedback on the program, please register your interest by [filling out the form](https://aka.ms/NPPproviderpreview).

+## Week of May 15, 2023

+| Published On |Topic title | Change |

+|||--|

+| 5/15/2023 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified |

+| 5/15/2023 | [Deploy Microsoft Defender for Endpoint on iOS with Mobile Application Management](/microsoft-365/security/defender-endpoint/ios-install-unmanaged?view=o365-worldwide) | modified |

+| 5/15/2023 | [Automatic attack disruption in Microsoft 365 Defender](/microsoft-365/security/defender/automatic-attack-disruption?view=o365-worldwide) | modified |

+| 5/15/2023 | [Configure Microsoft Syntex for pay-as-you-go billing](/microsoft-365/syntex/syntex-azure-billing) | modified |

+| 5/15/2023 | [Top 10 ways to secure your business data with Microsoft 365 for business](/microsoft-365/business-premium/secure-your-business-data?view=o365-worldwide) | modified |

+| 5/15/2023 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified |

+| 5/16/2023 | [Permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-permissions?view=o365-worldwide) | modified |

+| 5/16/2023 | [Adaptive scopes](/microsoft-365/compliance/purview-adaptive-scopes?view=o365-worldwide) | modified |

+| 5/16/2023 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified |

+| 5/16/2023 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags-about?view=o365-worldwide) | modified |

+| 5/16/2023 | [Check the device health at Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide) | modified |

+| 5/16/2023 | [Salesforce connector setup for Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-connectors-salesforce?view=o365-worldwide) | added |

+| 5/16/2023 | [Zoom connector setup for Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-connectors-zoom?view=o365-worldwide) | added |

+| 5/16/2023 | [Connectors for Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-connectors?view=o365-worldwide) | added |

+| 5/17/2023 | [Custom functions in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-custom-functions?view=o365-worldwide) | added |

+| 5/17/2023 | [Deploy and manage Office Add-ins](/microsoft-365/admin/manage/office-addins?view=o365-worldwide) | added |

+| 5/17/2023 | [SaaS linked apps](/microsoft-365/admin/manage/saas-linked-apps?view=o365-worldwide) | added |

+| 5/17/2023 | [Teams apps that work on Outlook and Microsoft 365](/microsoft-365/admin/manage/teams-apps-work-on-outlook-and-m365?view=o365-worldwide) | added |

+| 5/17/2023 | [Teams apps that only work on Teams](/microsoft-365/admin/manage/teams-apps-work-only-on-teams?view=o365-worldwide) | added |

+| 5/17/2023 | [Enable admin notifications in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-admin-notifications?view=o365-worldwide) | added |

+| 5/17/2023 | [Export insider risk management alert information](/microsoft-365/compliance/insider-risk-management-settings-alerts?view=o365-worldwide) | added |

+| 5/17/2023 | [Enable analytics in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-analytics?view=o365-worldwide) | added |

+| 5/17/2023 | [Configure inline alert customization in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-inline-alert-customization?view=o365-worldwide) | added |

+| 5/17/2023 | [Configure intelligent detections in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-intelligent-detections?view=o365-worldwide) | added |

+| 5/17/2023 | [Configure policy indicators in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-policy-indicators?view=o365-worldwide) | added |

+| 5/17/2023 | [Set policy timeframes in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-policy-timeframes?view=o365-worldwide) | added |

+| 5/17/2023 | [Automate insider risk management actions with Microsoft Power Automate flows (preview)](/microsoft-365/compliance/insider-risk-management-settings-power-automate?view=o365-worldwide) | added |

+| 5/17/2023 | [Identify priority physical assets for insider risk management policies](/microsoft-365/compliance/insider-risk-management-settings-priority-physical-assets?view=o365-worldwide) | added |

+| 5/17/2023 | [Prioritize user groups for insider risk management policies](/microsoft-365/compliance/insider-risk-management-settings-priority-user-groups?view=o365-worldwide) | added |

+| 5/17/2023 | [Manage username privacy in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-privacy?view=o365-worldwide) | added |

+| 5/17/2023 | [Enable Microsoft Teams for collaborating on insider risk management cases](/microsoft-365/compliance/insider-risk-management-settings-teams?view=o365-worldwide) | added |

+| 5/17/2023 | [Use DMARC Reports to protect against spoofing and phishing in Microsoft Office 365](/microsoft-365/security/office-365-security/email-authentication-dmarc-reports?view=o365-worldwide) | added |

+| 5/17/2023 | [Learn about insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-worldwide) | modified |

+| 5/17/2023 | [Enable controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide) | modified |

+| 5/17/2023 | [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) | modified |

+| 5/17/2023 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified |

+| 5/17/2023 | [Microsoft Defender for Office 365 permissions in the Microsoft 365 Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified |

+| 5/18/2023 | Allotment basics | removed |

+| 5/18/2023 | [Prioritize incidents in Microsoft 365 Defender](/microsoft-365/security/defender/incident-queue?view=o365-worldwide) | modified |

+| 5/18/2023 | [Data Loss Prevention policy reference](/microsoft-365/compliance/dlp-policy-reference?view=o365-worldwide) | modified |

+| 5/18/2023 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide) | modified |

+| 5/18/2023 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified |

+| 5/19/2023 | [Remove blocked connectors from the Restricted entities page in Microsoft 365](/microsoft-365/security/office-365-security/connectors-remove-blocked?view=o365-worldwide) | modified |

+| 5/19/2023 | [Remove blocked users from the Restricted entities page](/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-worldwide) | modified |

+| 5/19/2023 | [Responding to a Compromised Email Account](/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide) | modified |

+| 5/19/2023 | [Create and deploy a data loss prevention policy](/microsoft-365/compliance/dlp-create-deploy-policy?view=o365-worldwide) | modified |

+| 5/19/2023 | [Data Loss Prevention policy reference](/microsoft-365/compliance/dlp-policy-reference?view=o365-worldwide) | modified |

+| 5/19/2023 | [Get started with communication compliance](/microsoft-365/compliance/communication-compliance-configure?view=o365-worldwide) | modified |

+| 5/19/2023 | [Working with improvement actions in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-improvement-actions?view=o365-worldwide) | modified |

+| 5/19/2023 | [Data Loss Prevention policy tips reference](/microsoft-365/compliance/dlp-policy-tips-reference?view=o365-worldwide) | modified |

+| 5/19/2023 | [Assign eDiscovery permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/ediscovery-assign-permissions?view=o365-worldwide) | modified |

+| 5/19/2023 | [Get started with eDiscovery (Premium)](/microsoft-365/compliance/ediscovery-premium-get-started?view=o365-worldwide) | modified |

+| 5/19/2023 | [Get started with eDiscovery (Standard)](/microsoft-365/compliance/ediscovery-standard-get-started?view=o365-worldwide) | modified |

+Wildcard|Description|Examples|

+||

+\*|Matches any number of any characters including none (note if this wildcard is not used at the end of the path then it will substitute only one folder)| `/var/*/tmp` includes any file in `/var/abc/tmp` and its subdirectories, and `/var/def/tmp` and its subdirectories. It does not include `/var/abc/log` or `/var/def/log` <p> <p> `/var/*/` includes any file in `/var` and its subdirectories.

+?|Matches any single character|`file?.log` includes `file1.log` and `file2.log`, but not`file123.log`

+> [!NOTE]

+> When using the * wildcard at the end of the path, it will match all files and subdirectories under the parent of the wildcard.

+ mdatp exclusion folder add --path "/var/*/tmp"

+ > This will only exclude paths below */var/\*/tmp/*, but not folders which are siblings of *tmp*; for example, */var/this-subfolder/tmp*, but not */var/this-subfolder/log*.

+ OR

+ ```bash

+ mdatp exclusion folder add --path "/var/*/"

+ ```

+

+ "enforcementLevel":"passive",

+ "unmonitoredFilesystems": ["nfs,fuse"],

+- This new release is build over March 2023 release (101.98.05) with fix for Live response commands failing for one of our customers. There's no change for other customers and upgrade is optional.

+ - In case crash collection is disabled by configuration, crash monitoring process won't be launched.

+- Fixes a kernel hang observed on select customer workloads running mdatp version 101.75.43. After RCA this was attributed to a race condition while releasing the ownership of a sensor file descriptor. The race condition was exposed due to a recent product change in the shutdown path. Customers on newer Kernel versions (5.1+) aren't impacted by this issue. More information about the underlying issue can be found at [System hang due to blocked tasks in fanotify code](https://access.redhat.com/solutions/2838901).

+Wildcard|Description|Examples|

+||

+\*|Matches any number of any characters including none (note if this wildcard is not used at the end of the path then it will substitute only one folder)| `/var/*/tmp` includes any file in `/var/abc/tmp` and its subdirectories, and `/var/def/tmp` and its subdirectories. It does not include `/var/abc/log` or `/var/def/log` <p> <p> `/var/*/` includes any file in `/var` and its subdirectories.

+?|Matches any single character|`file?.log` includes `file1.log` and `file2.log`, but not`file123.log`

+> [!NOTE]

+> When using the * wildcard at the end of the path, it will match all files and subdirectories under the parent of the wildcard.

+Connectors are used for enabling mail flow between Microsoft 365 and email servers that you have in your on-premises environment. For more information, see [Configure mail flow using connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow).

+An inbound connector with the **Type** value `OnPremises` is considered compromised when an attacker creates a new connector or modifies and existing connector to send spam or phishing email.

+This article explains the symptoms of a compromised connector and how to regain control of it.

+## Symptoms of a compromised connector

+A compromised connector exhibits one or more of the following characteristics:

+- A sudden spike in outbound mail volume.

+- A mismatch between the `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) and the `5322.From` address (also known as the From address or P2 sender) in outbound email. For more information about these senders, see [How EOP validates the From address to prevent phishing](anti-phishing-from-email-address-validation.md#an-overview-of-email-message-standards).

+- Outbound mail sent from a domain that isn't provisioned or registered.

+- The connector is blocked from sending or relaying mail.

+- The presence of an inbound connector that wasn't created by an admin.

+- Unauthorized changes in the configuration of an existing connector (for example, the name, domain name, and IP address).

+- A recently compromised admin account. Creating or editing connectors requires admin access.

+If you see these symptoms or other unusual symptoms, you should investigate.

+Do **all** of the following steps to regain control of the connector. Go through the steps as soon as you suspect a problem and as quickly as possible to make sure that the attacker doesn't resume control of the connector. These steps also help you remove any back-door entries that the attacker might have added to the connector.

+In [Microsoft Defender for Office 365 Plan 2](defender-for-office-365.md), open the Microsoft 365 Defender portal at <https://security.microsoft.com> and go to **Explorer**. Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorer>.

+1. On the **Explorer** page, verify that the **All email** tab is selected and then configure the following options:

+ - Select the date/time range.

+ - Select **Connector**.

+ - Enter the connector name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box.

+ - Select **Refresh**.

+2. Look for abnormal spikes or dips in email traffic.

+3. Answer the following questions:

+ - Does the **Sender IP** match your organization's on-premises IP address?

+ - Were a significant number of recent messages sent to the **Junk Email** folder? This result clearly indicates that a compromised connector was used to send spam.

+ - Is it reasonable for the message recipients to receive email from senders in your organization?

+In [Microsoft Defender for Office 365 Plan 1](defender-for-office-365.md) or [Exchange Online Protection](eop-about.md), use **Alerts** and **Message trace** to look for the symptoms of connector compromise:

+1. Open the Defender portal at <https://security.microsoft.com> and go to **Incidents & alerts** \> **Alerts**. Or, to go directly to the **Alerts** page, useOpen **Suspicious connector activity** alert in <https://security.microsoft.com/alerts>.

+2. On the **Alerts** page, use the :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** \> **Policy** \> **Suspicious connector activity** to find any alerts related to suspicious connector activity.

+3. Select a suspicious connector activity alert by clicking anywhere in the row other than the check box next to the name. On the details page that opens, select an activity under **Activity list**, and copy the **Connector domain** and **IP address** values from the alert.

+4. Open the Exchange admin center at <https://admin.exchange.microsoft.com> and go to **Mail flow** \> **Message trace**. Or, to go directly to the **Message trace** page, use <https://admin.exchange.microsoft.com/#/messagetrace>.

+ On the **Message trace** page, select the **Custom queries** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Start a trace**, and use the **Connector domain** and **IP address** values from the previous step.

+ For more information about message trace, see [Message trace in the modern Exchange admin center in Exchange Online](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac).

+ :::image type="content" source="../../media/connector-compromise-new-message-trace.png" alt-text="New message trace flyout" lightbox="../../media/connector-compromise-new-message-trace.png":::

+4. In the message trace results, look for the following information:

+ - A significant number of messages were recently marked as **FilteredAsSpam**. This result clearly indicates that a compromised connector was used to send spam.

+ - Whether it's reasonable for the message recipients to receive email from senders in your organization

+ :::image type="content" source="../../media/connector-compromise-message-trace-results.png" alt-text="New message trace search results" lightbox="../../media/connector-compromise-message-trace-results.png":::

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), replace \<StartDate\> and \<EndDate\> with your values, and then run the following command to find and validate admin-related connector activity in the audit log. For more information, see [Use a PowerShell script to search the audit log](/compliance/audit-log-search-script).

+Search-UnifiedAuditLog -StartDate "<ExDateTime>" -EndDate "<ExDateTime>" -Operations "New-InboundConnector","Set-InboundConnector","Remove-InboundConnector

+For detailed syntax and parameter information, see [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog).

+Open the Exchange admin center at <https://admin.exchange.microsoft.com> and go to **Mail flow** \> **Connectors**. Or, to go directly to the **Connectors** page, use <https://admin.exchange.microsoft.com/#/connectors>.

+On the **Connectors** page, review the list of connectors. Remove or turn off any unknown connectors, and check each connector for unauthorized configuration changes.

+After you've regained control of the compromised connector, unblock the connector on the **Restricted entities** page in the Defender portal. For instructions, see [Remove blocked connectors from the Restricted entities page](connectors-remove-blocked.md).

+### Step 4: Investigate and remediate potentially compromised admin accounts

+After you identify the admin account that was responsible for the unauthorized connector configuration activity, investigate the admin account for compromise. For instructions, see [Responding to a Compromised Email Account](responding-to-a-compromised-email-account.md).

+To manage Defender for Office 365 permissions in the Microsoft 365 Defender portal, go to **Permissions** \> **Email & collaboration roles** \> **Roles** or go directly to <https://security.microsoft.com/emailandcollabpermissions>.

+You need to be member of the **Global Administrator** role in Azure AD or a member of the **Organization Management** role group in Defender for Office 365 permissions. Specifically, the **Role Management** role in Defender for Office 365 allows users to view, create, and modify Defender for Office 365 role groups. By default, that role is assigned only to the **Organization Management** role group (and by extension, global administrators).

+On the **Permissions** page in the Defender portal at <https://security.microsoft.com/securitypermissions>, the following types of roles and role groups are available:

+|[:::image type="content" source="../../medi)|:::image type="content" source="../../media/phase-diagrams/onboard.png" alt-text="Phase 3: Onboard." lightbox="../../media/phase-diagrams/onboard.png"::: <br> Phase 3: Onboard|

+If your organization has a security response team, now is the time to begin integrating Microsoft Defender for Office 365 into your response processes, including ticketing systems. This process is an entire topic unto itself, but it's sometimes overlooked. Getting the security response team involved early ensures that your organization is ready to deal with threats when you switch your MX records. Incident response needs to be well equipped to handle the following tasks:

+If your organization doesn't have a security response team or existing process flows, you can use this time to familiarize yourself with basic hunting and response features in Defender for Office 365. For more information, see [Threat investigation and response](office-365-ti.md).

+Permissions in Defender for Office 365 are based on role-based access control (RBAC) and is explained in Permissions in the [Microsoft 365 Defender portal](mdo-portal-permissions.md). Here are the important points to keep in mind:

+Typically, only a subset of security personnel needs additional rights to download messages directly from user mailboxes. This need requires an additional permission that Security Reader doesn't have by default.

+Spoof intelligence will eventually tune itself after you configure user reported settings, so there's no need for perfection.

+The longer you monitor the impersonation protection results without acting on the messages, the more data you have to identify allows or blocks that might be required. Consider using a delay between turning on each protection that's significant enough to allow for observation and adjustment.

+Although mailbox intelligence has been configured to take no action on messages that were [determined to be impersonation attempts](anti-phishing-mdo-impersonation-insight.md), it has been on and learning the email sending and receiving patterns of the pilot users. If an external user is in contact with one your pilot users, messages from that external user aren't identified as impersonation attempts by mailbox intelligence (thus reducing false positives).

+As your pilot users report false positives and false negatives, the messages appear on the **User reported** tab of the [Submissions page in the Microsoft 365 Defender portal](submissions-admin.md). You can report the misidentified messages to Microsoft for analysis and use the information to adjust the settings and exceptions in your pilot policies as necessary.

+As you find and fix issues, you can add more users to the pilot groups (and correspondingly exempt those new pilot users from scanning by your existing protection service as appropriate). The more testing that you do now, the fewer user issues that you need to deal with later. This "waterfall" approach allows tuning against larger portions of the organization and gives your security teams time to adjust to the new tools and processes.

+- It's also a good idea to examine unnecessary overrides. In other words, look at the verdicts that Microsoft 365 would have provided on the messages. If Microsoft 365 rendered the correct verdict, then the need for override is greatly diminished or eliminated.

+1. Extend the pilot policies to the entire organization. Fundamentally, there are different ways to extend the policies:

+ - Use [preset security](preset-security-policies.md) policies and divide your users between the Standard protection profile and the Strict protection profile (make sure everyone is covered). Preset security policies are applied before any custom policies that you've created or any default policies. You can turn off your individual pilot policies without deleting them.

+Now you begin the normal operation and maintenance of Defender for Office 365. Monitor and watch for issues that are similar to what you experienced during the pilot, but on a larger scale. The [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) and the [impersonation insight](anti-phishing-mdo-impersonation-insight.md) are most helpful, but consider making the following activities a regular occurrence:

+|:::image type="content" source="../../medi)|

+Your testing and observation of the native capabilities and behavior of Defender for Office 365 ultimately determines the overrides and settings that you need. You might find it helpful to organize the settings from your existing protection service into the following categories:

+- **Business routing**: Most of the customizations that you need to recreate likely fall into this category. For example, you can recreate these settings in Microsoft 365 as Exchange mail flow rules (also known as transport rules), connectors, and exceptions to spoof intelligence.

+Instead of moving old settings blindly into Microsoft 365, we recommend a waterfall approach. This approach involves a pilot phase with ever-increasing user membership, and observation-based tuning based on balancing security considerations with organizational business needs.

+- Outbound and relay mail flow is out of the scope for this article. However, you might need to do one or more of the following steps:

+ - We strongly recommend that you set up DKIM signing in Microsoft 365. For more information, see [Use DKIM to validate outbound email](email-authentication-dkim-configure.md).

+- Using Microsoft 365 to relay email from your on-premises email servers can be a complex project in itself. A simple example is a small number of apps or devices that send most of their messages to internal recipients and aren't used for mass mailings. See [this guide](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365) for details. More extensive environments need to be more thoughtful. Marketing email and messages that could be seen as spam by recipients aren't allowed.

+- Defender for Office 365 doesn't have a feature for aggregating DMARC reports. Visit the [Microsoft Intelligent Security Association (MISA) catalog](https://www.microsoft.com/misapartnercatalog) to view third-party vendors that offer DMARC reporting for Microsoft 365.

+- DKIM will break. Not all senders rely on DKIM, but senders that do will fail authentication.

+- [Spoof intelligence](anti-phishing-protection-spoofing-about.md) and the tuning step later in this guide won't work properly.

+Microsoft is working with the industry to support the Authenticated Received Chain (ARC) standard. If you wish to leave any message modification features enabled at your current mail gateway provider, then we recommend contacting them about their plans to support this standard.

+- **Wanted bulk mail vs. unwanted bulk mail**: Many protection systems allow users to allow or block bulk email for themselves. These settings don't easily migrate to Microsoft 365, so you should consider working with VIPs and their staff to recreate their existing configurations in Microsoft 365.

+ Today, Microsoft 365 considers some bulk mail (for example, newsletters) as safe based on the message source. Mail from these "safe" sources is currently not marked as bulk (the bulk complaint level or BCL is 0 or 1), so it's difficult to globally block mail from these sources. For most users, the solution is to ask them to individually unsubscribe from these bulk messages or use Outlook to block the sender. But, some users don't like blocking or unsubscribing from bulk messages themselves.

+ Mail flow rules that filter bulk email can be helpful when VIP users don't wish to manage bulk email themselves. For more information, see [Use mail flow rules to filter bulk email](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-filter-bulk-mail).

+|[:::image type="content" source="../../medi)|

+- **Exceptions for the SCL=-1 mail flow rule**: You want pilot users to get the full effect of Defender for Office 365 protection, so you need their incoming messages to be scanned by Defender for Office 365. You get this result by defining your pilot users in the appropriate distribution groups in Microsoft 365, and configuring these groups as exceptions to the SCL=-1 mail flow rule.

+When you're ready to begin testing, add these groups as exceptions to [the SCL=-1 mail flow rule](#step-3-maintain-or-create-the-scl-1-mail-flow-rule). As you create policies for the various protection features in Defender for Office 365, use these groups as conditions that define who the policy applies to.

+- The terms Standard and Strict come from our [recommended security settings](recommended-settings-for-eop-and-office365.md), which are also used in [preset security policies](preset-security-policies.md). Ideally, we would tell you to define your pilot users in the Standard and Strict preset security policies, but we can't do that. Why? Because you can't customize the settings in preset security policies (in particular, actions that are taken on messages). During your migration testing, you want to see what Defender for Office 365 would do to messages, verify that's the result you want, and possibly adjust the policy configurations to allow or prevent those results.

+Instead of relying on data that's based on the experience of the entire organization, more than one migration has resulted in emotional speculation based on a single negative user experience. Furthermore, if you've been running phishing simulations, you can use feedback from your users to inform you when they see something risky that might require investigation.

+Tune spoofing protection (adjust allows and blocks) and turn on each impersonation protection action to quarantine or move the messages to the Junk Email folder (based on the Standard or Strict recommendations). Observe the results and adjust their settings as necessary.

+Access to Microsoft 365 mailboxes, data, and other services is controlled by credentials (for example a username and a password or PIN). When someone other than the intended user steals those credentials, the associated account is considered to be compromised.

+After an attacker steals the credentials and gains access to the account, they can access the associated Microsoft 365 mailbox, SharePoint folders, or files in the user's OneDrive. Attackers often use the compromised mailbox to send email as the original user to recipients inside and outside of the organization. Attackers using email to send data to external recipients is known as _data exfiltration_.

+This article explains the symptoms of account compromise and how to regain control of the compromised account.

+Users might notice and report unusual activity in their Microsoft 365 mailboxes. For example:

+- Users receiving email from the compromised account without the corresponding email in the sender's **Sent Items** folder.

+- Inbox rules that weren't created by the user or admins. These rules might automatically forward email to unknown addresses or move messages to the **Notes**, **Junk Email**, or **RSS Subscriptions** folders.

+- The user's display name is changed in the Global Address List.

+- The **Sent Items** or **Deleted Items** folders in Microsoft Outlook or Outlook on the web (formerly known as Outlook Web App) contain typical messages for compromised accounts (for example, "I'm stuck in London, send money.").

+- Unusual profile changes. For example, name, telephone number, or the postal code updates.

+- Multiple and frequent password changes.

+- Unusual signatures were recently added. For example, a fake banking signature or a prescription drug signature.

+If a user reports these symptoms or other unusual symptoms, you should investigate. The Microsoft 365 Defender portal and the Azure portal offer the following tools to help you investigate suspicious activity on a user account.

+- **Unified audit logs in the Microsoft 365 Defender portal**: Filter the logs for activity using a date range that starts immediately before the suspicious activity occurred to today. Don't filter on specific activities during the search. For more information, see [Search the audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md).

+> The following button lets you test and identify suspicious account activity. You can use this information to recover a compromised account.

+## Secure and restore email function to a compromised Microsoft 365 account and mailbox

+Even after the user regains access to their account, the attacker might have left back-door entries that allow the attacker to resume control of the account.

+Do **all** of the following steps to regain control of the account. Go through the steps as soon as you suspect a problem and as quickly as possible to make sure that the attacker doesn't resume control of the account. These steps also help you remove any back-door entries that the attacker might have added to the account. After you do these steps, we recommend that you run a virus scan to make sure that the client computer isn't compromised.

+> - Don't send the new password to the user through email, because the attacker still has access to the mailbox at this point.

+> - Be sure to use a strong password: upper and lowercase letters, at least one number, and at least one special character.

+> - Even if the password history requirement allows it, don't reuse any of the last five passwords. Use a unique password that the attacker can't guess.

+> - If the on-premises identity is federated with Microsoft 365, you must change the on-premises account password on-premises, and then notify the administrator of the compromise.

+> - Be sure to update app passwords. App passwords aren't automatically revoked when you reset the password. The user should delete existing app passwords and create new ones. For instructions, see [Create and delete app passwords from the Additional security verification page](/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords#create-and-delete-app-passwords-from-the-additional-security-verification-page).

+> - We highly recommended that you enable multi-factor authentication (MFA) for the account. MFA is a good way to help prevent account compromise, and is very important for accounts with administrative privileges. For instructions, see [Set up multi-factor authentication](../../admin/security-and-compliance/set-up-multi-factor-authentication.md).

+1. In the Microsoft 365 admin center at <https://admin.microsoft.com>, go to **Users** \> **Active users**. Or, to go directly to the **Active users** page, use <https://admin.microsoft.com/Adminportal/Home#/users>.

+2. On the **Active users** page, find the user account, and select it by clicking anywhere in the row other than the check box next to the name.

+3. In the details flyout that opens, select the **Mail** tab.

+4. The value **Applied** in the **Email forwarding** section indicates that mail forwarding is configured on the account.

+ Select **Manage email forwarding**, clear the **Forward all email sent to this mailbox** check box in the **Manage email forwarding** flyout that opens, and then select **Save changes**.

+### Step 3: Disable suspicious Inbox rules

+1. Sign in to the user's mailbox using Outlook on the web.

+2. Select **Settings** (gear icon), enter 'rules' in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box, and then select **Inbox rules** from the results.

+3. On the **Rules** tab of the flyout that opens, review the existing rules, and turn off or delete any suspicious rules.

+If the account was used to send spam or a high volume of email, it's likely that the mailbox has been blocked from sending mail.

+To unblock a mailbox from sending email, follow the procedures in [Remove blocked users from the Restricted entities page](removing-user-from-restricted-users-portal-after-spam.md).

+> You can block the account from signing-in until you believe it's safe to re-enable access.

+ 2. On the **Active users** page, find and select the user account from the list by doing one of the following steps:

+ - Select the user by clicking anywhere in the row other than the check box next to the name. In the details flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-no-icon.png" border="false"::: **Block sign-in** at the top of the flyout.

+ - Select the user by selecting the check box next to the name. Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> :::image type="icon" source="../../media/m365-cc-sc-no-icon.png" border="false"::: **Edit sign-in status**.

+ 3. In the **Block sign-in** flyout that opens, read the information, select **Block this user from signing in**, select **Save changes**, and then select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Close** at the top of the flyout.

+ 2. On the **Mailboxes** page, find and select the user from the list by doing one of the following steps:

+ - Select the user by clicking anywhere in the row other than the round check box that appears next to the name.

+ - Select the user by selecting the round check box that appears next to the name, and then selecting the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears on the page.

+ 3. In the details flyout that opens, do the following steps:

+ 1. Verify the **General** tab is selected, and then select **Manage email apps settings** in the **Email apps & mobile devices** section.

+ 2. In the **Manage settings for email apps** flyout that opens, disable all of the available settings by changing the toggles to :::image type="icon" source="../../media/scc-toggle-off.png" border="false"::: **Disabled**:

+ - **Outlook on the web**

+ When you're finished in the **Manage settings for email apps** flyout, select **Save**, and then select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Close** at the top of the flyout.

+> You can restore the user's membership in administrative role groups after the account has been secured.

+ 1. Go to **Users** \> **Active users**. Or, to go directly to the **Active users** page, use <https://admin.microsoft.com/Adminportal/Home#/users>.

+ 2. On the **Active users** page, find and select the user account from the list by doing one of the following steps:

+ - Select the user by clicking anywhere in the row other than the check box next to the name. In the details flyout that opens, verify the **Account** tab is selected, and then select **Manage roles** in the **Roles** section.

+ - Select the user by selecting the check box next to the name. Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> :::image type="icon" source="../../media/m365-cc-sc-manage-roles-icon.png" border="false"::: **Manage roles**.

+ 3. In the **Manage admin roles** flyout that opens, do the following steps:

+ - Record any information that you want to restore later.

+ - Remove administrative role membership by selecting **User (no admin center access)**.

+ When you're finished in the **Manage admin roles** flyout, select **Save changes**.

+2. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, do the following steps:

+ 1. Go to **Permissions** \> **Email & collaboration roles** \> **Roles**. Or, to go directly to the **Permissions** page, use <https://security.microsoft.com/emailandcollabpermissions>.

+ 2. On the **Permissions** page, select a role group from the list.

+ 3. Look for the user account in the **Members** section of the details flyout that opens. If the role group contains the user account, do the following steps:

+ 1. In the **Members** section, select **Edit**.

+ 2. On the **Choose members** tab of the flyout that opens, select **Edit**.

+ 3. In the **Choose members** flyout that opens, select **Remove**.

+ 4. In the **Members** section that appears, select the user account by selecting the check box next to the name, select **Remove**, and then select **Done**.

+ 5. In the **Editing Choose members** flyout, select **Save**.

+ 6. In the role group details flyout, select **Close**.

+ 4. Repeat the previous steps for each role group in the list.

+ 1. Go to **Roles** \> **Admin roles**. Or to go directly to the **Admin roles** page, use <https://admin.exchange.microsoft.com/#/adminRoles>.

+ 2. On the **Admin roles** page, select a role group from the list by clicking anywhere in the row other than the round check box that appears next to the name.

+ 3. In the details flyout that opens, select the **Assigned** tab, and then look for the user account. If the role group contains the user account, do the following steps:

+ 2. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears, select **Yes, remove** in the warning dialog, and then select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Close** at the top of the flyout.

+ 4. Repeat the previous steps for each role group in the list.

+1. Verify the contents of the **Sent items** folder of the account in Outlook or Outlook on the web.

+ You might need to inform people in your contacts list that your account was compromised. For example, the attacker might have sent messages asking your contacts for money, or the attacker might have sent a virus to hijack their computers.

+2. The accounts for any other services that use this account as an alternative email account might have also been compromised. After you do the steps in this article for the account in this Microsoft 365 organization, do these steps for your other accounts.

+3. Verify the contact information (for example, telephone numbers and addresses) of the account.

+Safe Documents is a premium feature that uses the cloud back end of [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) to scan opened Office documents in [Protected View](https://support.microsoft.com/office/d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653) or [Application Guard for Office](https://support.microsoft.com/topic/9e0fb9c2-ffad-43bf-8ba3-78f785fdba46).

+ Safe Documents isn't included in Microsoft Defender for Office 365 licensing plans.

+1. In the Microsoft 365 Defender portal, go to the **Safe Attachments** page at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.

+2. On the **Safe Attachments** page, select :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Global settings**.

+3. In the **Global settings** flyout that opens, confirm or configure the following settings:

+ - **Turn on Safe Documents for Office clients**: Move the toggle to the right to turn on the feature: :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.

+ - **Allow people to click through Protected View even if Safe Documents identified the file as malicious**: We recommend that you leave this option turned off :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::.

+ When you're finished in the **Global settings** flyout, select **Save**.

+If you'd rather user PowerShell to configure Safe Documents, use the following syntax in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):

+For more information, see the following articles:

+To learn more, see [Onboard to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/onboarding). If you need help, see [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding).

+### How do I know this procedure worked?

+- In the Microsoft 365 Defender portal, go to the **Safe Attachments** page at <https://security.microsoft.com/safeattachmentv2>, select :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Global settings**, and verify the **Turn on Safe Documents for Office clients** and **Allow people to click through Protected View even if Safe Documents identifies the file as malicious** settings.

+- The following files are available to test Safe Documents protection. These files are similar to the EICAR.TXT file for testing anti-malware and anti-virus solutions. The files aren't harmful, but they trigger Safe Documents protection.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Permissions** \> **Email & collaboration roles** \> **Roles**. Or, to go directly to the **Permissions** page, use <https://security.microsoft.com/emailandcollabpermissions>.

+Annotation tools currently include pen and highlighter, where can choose the colors you want to use, and an eraser for removing ink strokes and previous annotations.

+The feature is currently available for the following file types: .ai, .dwg, .epub, .pdf, .rtf, and .tiff.

+More annotation tools and file types will be added in future releases.