-|**Email reported by user as spam**|Generates an alert when users in your organization report messages as junk using the built-in Report button in Outlook or the Report Message add-in. For more information about the add-ins, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2).|Low|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-You can work with a Microsoft Partner to import and archive data from a third-party data source to Microsoft 365. A partner can provide you with a custom connector that is configured to extract items from the third-party data source (on a regular basis) and then import those items. The partner connector converts the content of an item from the data source to an email message format and then stores the items in mailboxes. After third-party data is imported, you can apply Microsoft Purview features such as Litigation Hold, eDiscovery, In-Place Archiving, Auditing, and Microsoft 365 retention policies to this data.

- - Place the third-party data mailbox on Litigation Hold. You can also apply a Microsoft 365 retention policy in the Microsoft Purview compliance portal. Placing this mailbox on hold retains third-party data items (indefinitely or for a specified duration) and prevent them from being purged from the mailbox. See one of the following topics:

-2. Place user mailboxes on Litigation Hold or apply a Microsoft 365 retention policy; see one of the following topics:

-Starting September 30, 2018, the Azure service in Microsoft 365 will begin using modern authentication in Exchange Online to authenticate third-party data connectors that attempt to connect to your organization to import data. The reason for this change is that modern authentication provides more security than the current method, which was based on an allow list for third-party connectors that use the previously described endpoint to connect to the Azure service.

-To revoke consent for a third-party data connector, you can delete the application (by deleting the corresponding service principal) from Azure Active Directory using the **Enterprise applications** blade in the Azure portal, or by using the [Remove-MsolServicePrincipal](/powershell/module/msonline/remove-msolserviceprincipal) in Microsoft 365 PowerShell. You can also use the [Remove-AzureADServicePrincipal](/powershell/module/azuread/remove-azureadserviceprincipal) cmdlet in Azure Active Directory PowerShell.

- |**FROM**|Yes|The user who originally created or sent the item in the third-party data source. The partner connector attempts to map the user ID from the source item (for example a Twitter handle) to a user account for all participants (users in the FROM and TO fields). A copy of the message will be imported to the mailbox of every participant. If none of the participants from the item can be mapped to a user account, the item will be imported to the third-party archiving mailbox in Microsoft 365. <br/> <br/> The participant who's identified as the sender of the item must have an active mailbox in the organization that the item is being imported to. If the sender doesn't have an active mailbox, the following error is returned:<br/><br/> `One or more messages in the Request failed to be delivered to either From or Sender email address. You will need to resend your entire Request. Error: The request failed. The remote server returned an error: (401) Unauthorized.`|`bob@contoso.com`|

-When you assign users a Compliance Manager role in the Microsoft Purview compliance portal, they can view or edit data within all assessments by default (review the [Compliance Manager role types](compliance-manager-setup.md#role-types)). You can restrict user access to only certain assessments by managing user roles from within an assessment or assessment template. Restricting access in this way can help ensure that users who play a role in overseeing compliance with particular regulations or standards have access only to the data and information they need to perform their duties.

-Users need a **Compliance Manager Assessor** role in order to edit improvement action testing notes. You may also want to grant users access only to certain assessments. Learn [how to set permissions](compliance-manager-setup.md#set-user-permissions-and-assign-roles) and [how to grant role-based assess to assessments](compliance-manager-setup.md#role-based-access-to-assessments).

-Compliance Manager uses a role-based access control (RBAC) permission model. Only users who are assigned a role may access Compliance Manager, and the actions allowed by each user are restricted by [role type](#role-types). Our RBAC model also allows you to grant user access to individual assessments. See [role-based access to assessments](#role-based-access-to-assessments) below to learn more.

-### Role-based access to assessments

-You can assign roles to users in order to grant access to specific assessments. Granting access to individual assessments is useful when you need to ensure that only the people working on certain regulatory requirements have access to that data. You can grant access to individual assessments to users outside of your organization, which helps when you have external auditors. For users outside your organization, you'll need to assign them an Azure AD role. For instructions, see [More about Azure AD](#setting-permissions-in-azure-ad).

-The four roles listed in table above provide access to assessments: Compliance Manager Reader, Compliance Manager Contribution, Compliance Manager Assessor, and Compliance Manager Administration. What you can do with each assessment remains restricted based on which activities the role allows.

-To grant users access to an assessment, open the assessment's details page and select **Manage users access** to add users by role. If a user has a role assigned to them in the Microsoft Purview compliance portal for overall access to Compliance Manager, any role you assign them for a specific assessment will apply only to that assessment.

-The **User access** section of **Settings** displays a list of all users who have a role that allows access to one or more assessments. From this page, you can make changes to assessment-based role assignments. To add or remove such roles for users, follow the steps below:

-1. From the **Edit assessment roles** dropdown menu above the list of names, select **Add assessment permissions** or **Remove assessment permissions**.

-1. **For adding a role**: From the flyout pane, go to the tab that corresponds to the role you want to add (Reader, Assessor, or Contributor), then select **Add assessments**. On the next flyout pane, choose the checkbox next to the assessments and select **Apply**, then select **Save**.

-1. **For removing a role**: From the flyout pane, go to the tab that corresponds to the role you want to remove (Reader, Assessor, or Contributor). Select the button next to the assessments for which you want to remove access, and select the X mark in the **Remove** column.

-Select a regulation from the list on the **Regulations** page to bring up its details page. This page contains a description of the regulation and details about applicable services, the date it was last updated, and tabs for viewing controls and improvement actions.

- - **Share with member**: You invite user1 from Contoso to join the shared channel without making him a member of TeamA. Everyone in this shared channel, including user1, will be covered by P1.

- - **Share with team (internally)**: You share the channel with another team TeamB in Contoso. That another team may have a different DLP policy, but that doesnΓÇÖt matter. P1 will apply to everyone in this shared channel, including both TeamA and TeamB users.

- - **Share with team (cross tenant)**: You share the channel with a team TeamF in Fabrikam. Fabrikam may have its own DLP policy, but that doesnΓÇÖt matter. P1 will apply to everyone in this shared channel, including both TeamA (Contoso) and TeamF (Fabrikam) users.

- > This application uses Exchange Online PowerShell module. Basic authentication must be enabled in WinRM on the local computer. For more information, see [Prerequisites for the Exchange Online PowerShell module](/powershell/exchange/exchange-online-powershell-v2#prerequisites-for-the-exchange-online-powershell-module).

-Microsoft Teams data will appear as IM or Conversations in the Excel eDiscovery export output. You can open the `.pst` file in Outlook to view those messages after you export them.

-1. Connect to Azure AD PowerShell. For instructions, see the "Connect with the Azure Active Directory PowerShell" section in [Connect to Microsoft 365 with PowerShell](/microsoft-365/enterprise/connect-to-microsoft-365-powershell#connect-with-the-azure-active-directory-powershell-for-graph-module). Be sure to complete Step 1 and Step 2 in the previous article.

-2. After you successfully connect to Azure AD PowerShell, run the following command to display the user principal name (UPN) for all guests in your organization. You have to use the UPN of the guest when you create the search in step 4.

- Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | FL UserPrincipalName

- - [Install Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2)

- 1. Prerequisite: [Install Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2).

- Connect-AzureAD -Tenant "<yourtenantdomain.com>" //for example: Connect-AzureAD -Tenant "Contoso.onmicrosoft.com"

- $sp=Get-AzureADServicePrincipal -Filter "appid eq '$($appid)'"

- if ($sp -eq $null) { New-AzureADServicePrincipal -AppId $appId }

- Connect-AzureAD

-3. Select the locations where you wish to scan images. Then, for each location and solution, define the scope (users/groups/sites) for the OCR. Supported locations and solutions are listed in the following table.

-> For information on OCR functionality in Microsoft Purview Communication Compliance, see **[Create and manage communication compliance policies](communication-compliance-policies.md#optical-character-recognition-ocr)**.

-OCR scanning supports more than [150 languages](https://azure.microsoft.com/cognitive-services/computer-vision/language-support).

-For built-in labeling, use the tables in [Minimum versions for sensitivity labels in Office apps](sensitivity-labels-versions.md). The Azure Information Protection unified labeling client doesn't support PDF in Office apps.

-Word, Excel, and PowerPoint support the following methods to convert an Office document into a PDF document:

-|[PDF support](sensitivity-labels-office-apps.md#pdf-support)|Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: 2209+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

-You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it doesn't block the file from running. This could potentially allow unsafe files to run and infect your devices.

-You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Defender for Endpoint file and certificate indicators. (See [Manage indicators](manage-indicators.md).)

-You can specify individual files or folders (using folder paths or the full path of the file to be excluded). An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service continues to trigger events until the service is stopped and restarted.

-For information about per-rule exclusions, see the section titled **Configure ASR rules per-rule exclusions** in the article [Test attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-test.md)

-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).

-|[Microsoft Defender Experts](https://go.microsoft.com/fwlink/?linkid=2203232)|Microsoft|Defender Experts for Hunting is a proactive threat hunting service for Microsoft 365 Defender.|

-> Between March and May of 2023, Microsoft Defender for Endpoint on macOS will start respecting the selection for tamper protection applied via the global tamper protection switch under advanced settings in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). You can choose to enforce (block/audit/disable) your own macOS tamper protection settings by using a Mobile Device Management (MDM) solution such as Intune or JAMF (recommended). If the tamper protection setting was not enforced via MDM, a local administrator can continue to manually change the setting with the following command: `sudo mdatp config tamper-protection enforcement-level --value (chosen mode)`.

-You can set tamper protection in the following modes:

-|Audit|Tampering operations are logged, but not blocked. This is the default mode after installation.|

-Here is an example of a system message in response to a blocked action:

-> [!NOTE]

->

-> Enabling **TCC** (Transparency, Consent & Control) through an Mobile Device Management solution such as [Intune](mac-install-with-intune.md), will eliminate the risk of Defender for Endpoint losing **Full Disk Access** Authorization to function properly

-.

-## Configure tamper protection on macOS devices

-There are several ways you can configure tamper protection:

-Verify that "tamper_protection" is set to "disabled" or "audit" to observe the state change.

-engine_version : "1.1.19300.3"

-app_version : "101.70.19"

-org_id : "..."

-log_level : "info"

-machine_guid : "..."

-release_ring : "InsiderFast"

-product_expiration : Dec 29, 2022 at 09:48:37 PM

-cloud_enabled : true

-cloud_automatic_sample_submission_consent : "safe"

-cloud_diagnostic_enabled : false

-passive_mode_enabled : false

-real_time_protection_enabled : true

-real_time_protection_available : true

-real_time_protection_subsystem : "endpoint_security_extension"

-network_events_subsystem : "network_filter_extension"

-device_control_enforcement_level : "audit"

-automatic_definition_update_enabled : true

-definitions_updated : Jul 06, 2022 at 01:57:03 PM

-definitions_updated_minutes_ago : 5

-definitions_version : "1.369.896.0"

-definitions_status : "up_to_date"

-edr_early_preview_enabled : "disabled"

-edr_device_tags : []

-edr_group_ids : ""

-edr_configuration_version : "20.199999.main.2022.07.05.02-ac10b0623fd381e28133debe14b39bb2dc5b61af"

-edr_machine_id : "..."

-conflicting_applications : []

-network_protection_status : "stopped"

-data_loss_prevention_status : "disabled"

-full_disk_access_enabled : true

-1. Use the following command:

- ```console

- 

- > [!NOTE]

- > If you use manual configuration to enable tamper protection, you can also disable tamper protection manually at any time. For example, you can revoke Full Disk Access from Defender in System Preferences manually. You must use MDM instead of manual configuration to prevent a local admin from doing that.

-```bash

-mdatp health

-```

-Follow the documented Intune profile example to configure tamper protection through Intune. For more information, see [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md).

-You can also run full `mdatp health` and look for the "tamper_protection" in the output

-## Turning off tamper protection

-You can turn off tamper protection using any of the following methods.

-sudo mdatp config tamper-protection enforcement-level - -value disabled

-Change the `enforcementLevel` value to "disabled" in your configuration profile, and push it to the machine:

-Add the following configuration in your Intune profile:

- <key>enforcementLevel</key>

- <string>disabled</string>

-```console

-$ sudo grep -F '[{tamperProtection}]: Feature state:' /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log | tail -n 1

-The mode must be "block" (or "audit"). If it is not, then you haven't set the tamper protection mode either through `mdatp config` command or through Intune.

- - Ensure that no sender domains are allowed for anti-spam policies (will replace "Ensure that there are no sender domains allowed for Anti-spam policies" to extend functionality also for specific senders)

-If you have any issues, let us know by posting in the [Security, Privacy & Compliance](https://techcommunity.microsoft.com/t5/Security-Privacy-Compliance/bd-p/security_privacy) community. We're monitoring the community and will provide help.

-Campaigns is available in the Microsoft 365 Defender portal at <https://security.microsoft.com> at **Email & collaboration** \> **Campaigns**, or directly at <https://security.microsoft.com/campaigns>.

-description: Admins can learn how to manage Microsoft Defender for Office 365 (Email & collaboration) permissions in the Microsoft 365 Defender portal for all tasks related to Defender for Office 365 security features.

-Defender for Office 365 permissions in the Microsoft 365 Defender portal are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services, so if you're familiar with the permission structure in these services, granting permissions in the Microsoft 365 Defender portal will be very familiar.

-When you open the Microsoft 365 Defender portal at <https://security.microsoft.com> and go to **Permissions** \> **Azure AD** \> **Roles** (or directly to <https://security.microsoft.com/aadpermissions>) you see the Azure AD roles that are described in this section.

-When you select a role, a details flyout that contains the description of the role and the user assignments appears. But to manage those assignments, you need to click **Manage members in Azure AD** in the details flyout.

-|**Security reader**|View and investigate active threats to your Microsoft 365 users, devices, and content, but (unlike the Security operator) they do not have permissions to respond by taking action. For more information, see [Security Reader](/azure/active-directory/roles/permissions-reference#security-reader).|

-The same role groups and roles are available in the Microsoft 365 Defender portal and in the Microsoft Purview compliance portal:

-#### Modify Email & collaboration role membership in the Microsoft 365 Defender portal

-2. On the **Permissions** page, select the role group that you want to modify from the list. You can click on the **Name** column header to sort the list by name, or you can click **Search**  to find the role group.

-3. In the role group details flyout that appears, click **Edit** in the **Members** section.

-4. In the **Editing choose members** page that appears, do one of the following steps:

- - If there are no role group members, click **Choose members**.

- - If there are existing role group members, click **Edit**

-5. In the **Choose members** flyout that appears, do one of the following steps:

- - Click **Add**. In the list of users that appears, select one or more users. Or, you can click **Search**  to find and select users.

- When you've selected the users that you want to add, click **Add**.

- - Click **Remove**. Select one or more of the existing members. Or, you can click **Search**  to find and select members.

- When you've selected the users that you want to remove, click **Remove**.

-6. Back on the **Choose members** flyout, click **Done**.

-7. Back on the **Editing choose members** page, click **Save**.

-8. Back on the role group details flyout, click **Done**.

- To assign this role to a new or existing role group, see [Modify Email & collaboration role membership in the Microsoft 365 Defender portal](mdo-portal-permissions.md#modify-email--collaboration-role-membership-in-the-microsoft-365-defender-portal).

- To assign this role to a new or existing role group, see [Modify Email & collaboration role membership in the Microsoft 365 Defender portal](mdo-portal-permissions.md#modify-email--collaboration-role-membership-in-the-microsoft-365-defender-portal).

-||::|::|::|

-|**Safe Links policy**||||

-description: Learn how to identify critical people in an organization and add the priority account tag to provide them with extra protection.

-# Configure and review Priority accounts in Microsoft Defender for Office 365

-In every organization, there are people that are critical, like executives, leaders, managers, or other users who have access to sensitive, proprietary, or high priority information. You can tag these users within Microsoft Defender for Office 365 as priority accounts, allowing security teams to prioritize their focus on these critical individuals. With differentiated protection for priority accounts, users tagged as priority accounts will receive a higher level of protection against threats.

-Priority accounts are targeted by attackers more often and are generally attacked with more sophisticated techniques. Differentiated protection for priority accounts focuses on this specific user set and provides higher level of protection using enhanced machine learning models. This differentiation in learning and message handling provides the highest level of protection for these accounts and helps maintain a low false positive rate, as a high rate of false positives can also have a negative impact on these users.

-## Configure Priority account protection

-Priority account protection is turned on by default for pre-identified critical users.

-You need to be assigned permissions before you can do the procedures in this article. You have the following options:

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Settings** \> **Email & collaboration** \> **Priority account protection**. To go directly to the **Priority account protection** page, use <https://security.microsoft.com/securitysettings/priorityAccountProtection>.

-2. On the **Priority account protection** page, turn on **Priority account protection** (:::image type="icon" source="../../media/scc-toggle-on.png" border="false":::).

- > [!div class="mx-imgBorder"]

- > 

-> We don't recommend disabling or turning off priority account protection.

-If you want to use Exchange Online PowerShell to turn on priority account protection, do the following steps:

-1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and run the following command:

- ```powershell

- Set-EmailTenantSettings -EnablePriorityAccountProtection $true

- ```

-2. To verify that priority account protection is turned on, run the following command to verify the EnablePriorityAccountProtection property value:

- ```powershell

- Get-EmailTenantSettings | Format-List Identity,EnablePriorityAccountProtection

- ```

- The value True means priority account protection is turned on. The value False means priority account protection is turned off.

-### Assign the Priority account tag to users

-Microsoft Defender for Office 365 supports priority accounts as tags that can be used as filters in alerts, reports, incidents, and more.

-For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md).

-> [!NOTE]

-> Currently, you can only apply user tags to mailbox users.

->

-> Your organization can tag a maximum of 250 users using the Priority account tag.

->

-> Each custom tag has a maximum of 10,000 users per tag and your organization can create up to 500 custom tags.

-The effects of priority account protection are visible in the following features:

-### Threat protection status report

-The **Threat protection status** report is a single view that brings together information about malicious content and malicious email detected and blocked by Microsoft Defender for Office 365.

-To view the report, do the following steps:

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** \> find **Threat protection status** and then click **View details**. To go directly to the report, use <https://security.microsoft.com/reports/TPSAggregateReportATP>.

-2. The default view is **View data by Overview**. Click on this value to change the view by selecting one of the following values:

- - **View data by Email \> Phish**

- - **View data by Email \> Malware**

- - **View data by Email \> Spam**

-3. Click  **Filter**.

-4. On the **Filters** flyout that opens, in the **Priority accounts** section, select **Yes**, **No** or both values.

- 

-### Threat Explorer

-Context filter within Threat Explorer helps search for emails where priority account protection was involved in the detection of the message. This allows security operations teams to be able to see the value provided by this protection. You can still filter messages by priority account tag to find all messages for the specific set of users.

-To view the extra protection in Threat Explorer, do the following steps:

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer**. To go directly to the **Threat Explorer** page, use <https://security.microsoft.com/threatexplorer>.

-2. Select **Context** from the dropdown, and then select the checkbox next to **Priority account protection**.

-> [!div class="mx-imgBorder"]

-> 

-### Email entity page

-The email entity page is available in **Threat Explorer**. Select the subject of an email you're investigating. A gold bar will display at the top of the email flyout for that mail. Select to view the new page.

-The tabs along the top of the entity page will allow you to investigate email efficiently. Click the **Analysis** tab. Priority account protection is now listed under **Threat detection details**.

-[Review the differentiated protection for users tagged as priority accounts](../../office-365-security/priority-accounts-turn-on-priority-account-protection.md).

-After you apply system tags or custom tags to users, you can use those tags as filters in alerts, incidents, reports, and investigations:

-This article explains how to configure user tags in the Microsoft 365 Defender portal. You can also apply or remove the Priority Account tag using the _VIP_ parameter on the [Set-User](/powershell/module/exchange/set-user) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). No PowerShell cmdlets are available to manage custom user tags.

- - _Add and remove members from the Priority Account tag_: Membership in the **Security Administrator** and **Exchange Admin** role groups.

- - _Add and remove members from existing custom user tags_: Membership in the **Organization Management** or **Security Administrator** role groups.

-You can't remove the built-in Priority Account tag.

-[Configure and review priority accounts in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md)