Updates from: 05/28/2021 03:14:13
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee Step 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-1.md
description: "Block a former employee from logging in and block access to Micros
If you need to immediately prevent a user's sign-in access, you should reset their password. In this step, force a sign out of the user from Microsoft 365. > [!NOTE]
-> You need to be a global administrator to initiate sign-out.
+> You need to be a global administrator to initiate sign-out for other administrators.
+> For non administrator users, you can use a User Adminsitrator or a Helpdesk Administrator user to perform this action.
+> Learn more about the Admin Roles <a href="https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles">About Admin Roles</a>
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page. 2. Select the box next to the user's name, and then select **Reset password**.
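Review bot: "Adminsitrator" in the second added note line is misspelled and should read "User Administrator". The sentence would also read better as "For non-administrator users, a User Administrator or Helpdesk Administrator can perform this action." The third added line has no closing period and links through a raw `<a href>` with an absolute en-us URL, while the other articles in this update link with relative Markdown paths; a relative Markdown link would be more consistent.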
admin Remove Former Employee https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee.md
You need to be a global administrator to complete the steps in this solution.
|[Step 1 - Prevent a former employee from logging in and block access to Microsoft 365 services](remove-former-employee-step-1.md) <br/> |This blocks your former employee from logging in to Microsoft 365 and prevents the person from accessing Microsoft 365 services. <br/> | |[Step 2 - Save the contents of a former employee's mailbox](remove-former-employee-step-2.md) <br/> |This is useful for the person who is going to take over the employee's work, or if there is litigation. <br/> | |[Step 3 - Forward a former employee's email to another employee or convert to a shared mailbox](remove-former-employee-step-3.md) <br/> |This lets you keep the former employee's email address active. If you have customers or partners still sending email to the former employee's address, this gets them to the person taking over the work. <br/> |
-|[Step 4 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-6.md) <br/> |If you only remove a user's license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/><br/> Before you delete the account, you should give access of their OneDrive and Outlook to another user. After you delete an employee's account, the content in their OneDrive and Outlook is retained for **30** days. During that 30 days, however, you can restore the user's account, and gain access to their content. If you restore the user's account, the OneDrive and Outlook content will remain accessible to you even after 30 days. <br/> |
-|[Step 5 - Wipe and block a former employee's mobile device](remove-former-employee-step-4.md) <br/> |Removes your business data from the phone or tablet. <br/> |
+|[Step 4 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-4.md) <br/> |If you only remove a user's license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/><br/> Before you delete the account, you should give access of their OneDrive and Outlook to another user. After you delete an employee's account, the content in their OneDrive and Outlook is retained for **30** days. During that 30 days, however, you can restore the user's account, and gain access to their content. If you restore the user's account, the OneDrive and Outlook content will remain accessible to you even after 30 days. <br/> |
+|[Step 5 - Wipe and block a former employee's mobile device](remove-former-employee-step-5.md) <br/> |Removes your business data from the phone or tablet. <br/> |
|[Step 6 - Remove and delete the Microsoft 365 license from a former employee](remove-former-employee-step-7.md) <br/> |When you remove a license, you can assign it to someone else. Or, you can delete the license so you don't pay for it until you hire another person. <br/><br/> When you remove or delete a license, the user's old email, contacts, and calendar are retained for **30 days**, then permanently deleted. If you remove or delete a license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/> | |[Step 7 - Delete a former employee's user account](remove-former-employee-step-7.md) <br/> |This removes the account from your admin center. Keeps things clean. <br/> |
You need to be a global administrator to complete the steps in this solution.
[Restore a user](restore-user.md) (article)\ [Add a new employee to Microsoft 365](add-new-employee.md) (article)\ [Assign licenses to users](../manage/assign-licenses-to-users.md) (article)\
-[Unassign licenses from users](../manage/remove-licenses-from-users.md) (article)
+[Unassign licenses from users](../manage/remove-licenses-from-users.md) (article)
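Review bot: The Step 6 row, left unchanged just below the renumbered Step 4 and Step 5 rows, still links to remove-former-employee-step-7.md, the same target as Step 7. Since this change aligns the Step 4 and Step 5 links with their step numbers, Step 6 should presumably point to remove-former-employee-step-6.md as well. The overview also keeps "You need to be a global administrator to complete the steps in this solution", which no longer matches the narrower role guidance added to Step 1 in this same update.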
admin Configure Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-email-forwarding.md
As the admin of an organization, you might have company requirements to set up e
Before you set up email forwarding, note the following:
+- Allow automatically forwarded messages to be sent to people on the remote domain. See [Manage remote domains](/exchange/mail-flow-best-practices/remote-domains/manage-remote-domains) for details.
+ - Once you set up email forwarding, only **new** emails sent to the *from* mailbox will be forwarded. - Email forwarding requires that the *from* account has a license. If you're setting up email forwarding because the user has left your organization, another option is to [convert their mailbox to a shared mailbox](convert-user-mailbox-to-shared-mailbox.md). This way several people can access it. However, a shared mailbox cannot exceed 50GB.
You must be an Exchange administrator or Global administrator in Microsoft 365 t
[Create a shared mailbox](../email/create-a-shared-mailbox.md) (article)\ [Send email from a different address](https://support.microsoft.com/office/ccba89cb-141c-4a36-8c56-6d16a8556d2e) (article)\ [Change a user name and email address](../add-users/change-a-user-name-and-email-address.md) (article)-
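Review bot: The added first bullet is written as an unconditional instruction under "note the following", but it only matters when the forwarding target is outside the organization. Suggest wording it as a condition, for example "If you forward to an address in another domain, automatic forwarding must be allowed for that remote domain", and recommending that it be allowed only for the remote domains that need it, since automatic forwarding to external domains is also a way for mail to leave the tenant unnoticed.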
admin Upgrade Distribution Lists https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/upgrade-distribution-lists.md
If you're experienced at using PowerShell, you might want to go this route inste
To upgrade a single DL, run the following command: ```PowerShell
-Upgrade-DistributionGroup -DlIdentities \<Dl SMTP address\>
+Upgrade-DistributionGroup -DlIdentities <Dl SMTP address>
```
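Review bot: The placeholder in the added line is spelled `<Dl SMTP address>`, while the batch and eligibility examples changed later in this article use `<DL SMTP address1>` and `<DL SMTP address>`. Please use one casing for the placeholder throughout the article.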
-For example, if you want to upgrade a DLs with SMTP address dl1@contoso.com, run the following command:
+For example, if you want to upgrade a DL with SMTP address dl1@contoso.com, run the following command:
```PowerShell Upgrade-DistributionGroup -DlIdentities dl1@contoso.com
Upgrade-DistributionGroup -DlIdentities dl1@contoso.com
You can also pass multiple DLs as a batch and upgrade them together: ```PowerShell
-Upgrade-DistributionGroup -DlIdentities \<DL SMTP address1\>, \< DL SMTP address2\>,
-\< DL SMTP address3\>, \< DL SMTP address 4\>
+Upgrade-DistributionGroup -DlIdentities <DL SMTP address1>, <DL SMTP address2>,
+<DL SMTP address3>, <DL SMTP address4>
``` For example, if you want to upgrade five DLs with SMTP address `dl1@contoso.com` and `dl2@contoso.com`, `dl3@contoso.com`, `dl4@contoso.com` and `dl5@contoso.com`, run the following command:
You can only upgrade cloud-managed, simple, non-nested distribution lists. The t
If you want to check whether a DL is eligible or not, you can run the below command:
-`Get-DistributionGroup \<DL SMTP address\> | Get-EligibleDistributionGroupForMigration`
+`Get-DistributionGroup <DL SMTP address> | Get-EligibleDistributionGroupForMigration`
If you want to check which DLs are eligible for upgrade just run the following command:
The upgrade will happen only when the call is submitted to the server. If the up
[Compare groups](../create-groups/compare-groups.md) (article)\ [Explaining Microsoft 365 Groups to your users](../create-groups/explain-groups-knowledge-worker.md) (article)\
-[Add or remove members from Microsoft 365 groups using the admin center](../create-groups/add-or-remove-members-from-groups.md)
+[Add or remove members from Microsoft 365 groups using the admin center](../create-groups/add-or-remove-members-from-groups.md)
business-video Schedule Guest Meeting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/schedule-guest-meeting.md
Title: "Schedule a Teams meeting with guests"
+ Title: "Schedule a Teams meeting with external users"
f1.keywords: - NOCSH
search.appverid:
- BCS160 - MET150 - MOE150
-description: "Learn how to schedule a Teams meeting with guests."
+description: "Learn how to schedule a Teams meeting with external users."
-# Schedule a Teams meeting with guests
+# Schedule a Teams meeting with external users
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FOhP?autoplay=false]
You can invite people from outside of your organization to a meeting without hav
## Try it!
-With Microsoft Teams, you can create new teams as you start new projects or add customers.
+To schedule meetings with your employees, clients, External users and other guests, use Microsoft Teams.
-1. On the **Teams** tab, select **Join or create a team**, **Create team**, **Build a team from scratch**, and then **Private**.
-2. Enter a name for your team, a description, and then select **Create**.
-3. On the **Add members** page, add internal members by searching and selecting them, and add guest members by entering their email address, and then select **Add**.
-
- If you see **We didn't find any matches** , you must enable guest sharing. Go to the Microsoft 365 admin center, choose the Teams admin center, choose **Org-wide settings**, **Guest access** , and turn on **Allow guest access in Teams**. This change may take up to 24 hours.
-
-1. Select **Close**. Your guests and members will receive invitations to the team.
-2. On the General channel, enter a greeting for everyone and select **Send**.
-3. On the **Files** tab, add documents that you want to work on together. You can create them here or drag and drop files from your computer.
+1. In Microsoft Teams, in the left navigation, choose **Meetings**.
+2. Choose **Schedule a meeting**.
+3. In the **New meeting box**, enter a **Title** and **Location** for the meeting.
+4. Enter a **Start** and **End** time and date.
+5. In the **Details** box, enter a description of the meeting and any other details you want to add, such as a meeting agenda.
+6. Under **Invite people**, enter the names of employees or clients that you want to invite.
+7. If you see **Tentative** or **Busy** below any names, choose one of the **Free** times provided, or click **Scheduling assistant** for more options.
+8. Choose **Schedule a meeting**.
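Review bot: The new steps never say how to invite someone outside the organization, although the title and description now promise a meeting with external users: step 6 only says to "enter the names of employees or clients". The removed procedure told readers to add guests "by entering their email address" and pointed to the guest access setting when no match was found; step 6 needs an equivalent sentence. Steps 2 and 8 carry identical text ("Choose **Schedule a meeting**"), so please confirm the final step names the right control. In step 3 the bold should cover only "New meeting", not "box", and "External users" in the intro sentence should be lowercase.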
commerce Withholding Tax Credit Global https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/withholding-tax-credit-global.md
+
+ Title: "Request a credit for Withholding Tax on your account (Global customers)"
+f1.keywords:
+- NOCSH
++++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+search.appverid: MET150
+description: "Learn how to request a credit on your account for Withholding Tax you paid. This article applies to worldwide customers except for India."
+
+- AdminSurgePortfolio
+- commerce_billing
+monikerRange: 'o365-worldwide'
Last updated : ++
+# Request a credit for Withholding Tax on your account (Global customers)
+
+> [!NOTE]
+>
+> If your organization is based in India, please see [Request a credit for Withholding Tax on your account (India customers)](withholding-tax-credit-india.md).
+
+Some customers receive Web Direct (Azure and Microsoft 365) invoices billed by a Microsoft entity located in a foreign country. If your organization makes cross-border payments to that entity, the Tax Authority in your country might require you to withhold part of the cross-border payment as withholding tax (WHT). If you withheld taxes as required by your Tax Authority when remitting payments to Microsoft, this article explains the process for claiming a credit for the tax withheld.
+
+## For invoice pay customers who pay by check or wire
+
+If you withheld tax when remitting payment and deposited the withheld tax with the relevant Tax Authority, you must submit a WHT request to clear the outstanding balance in your account.
+
+Your WHT request must include the following items:
+
+- A completed copy of the [Withholding Tax Credit Form](https://download.microsoft.com/download/a/a/f/aaf8306b-79d4-455b-975f-41ce9e67b9cb/wht%20credit%20form%20-%20global.docx) (filled out by the customer)
+- A signed or scanned copy of the Withholding Tax Certificate or Receipt
+
+Submit the WHT request by opening a ticket with Microsoft support.
+
+## For customers who pay by credit card
+
+If your payment method is a credit card and you made a full payment to Microsoft, and also paid WHT to the relevant Tax authority, you must submit a WHT request to claim the refund of the tax amount.
+
+Your WHT request must include the following items:
+
+- A completed copy of the [Withholding Tax Credit Form](https://download.microsoft.com/download/a/a/f/aaf8306b-79d4-455b-975f-41ce9e67b9cb/wht%20credit%20form%20-%20global.docx) (filled out by the customer)
+- A signed or scanned copy of the Withholding Tax Certificate or Receipt
+
+Submit the WHT request by opening a ticket with Microsoft support.
+
+> [!IMPORTANT]
+>
+> - Customers can only submit a request for an adjustment or refund of the WHT amount after paying the invoice.
+> - The invoice amount on the Withholding Tax Credit Form must match the invoice amount identified in the Withholding Tax Certificate or Receipt. If the invoice amount is different between the two forms, you must specify the reason for the difference in the Withholding Tax Credit Form. This information is checked by the review team, who might ask clarifying questions, if required.
+> - Withholding Tax Certificate or Receipt files must be in one of the following file formats: .PDF or image only (.JPEG, .PNG, or .GIF). Additionally, file names must not contain spaces or special characters. File size cannot exceed 1 MB.
+
+After you submit the request, it goes into the approval process where it is either approved for completion or is sent back to you for correction.
+
+If thereΓÇÖs a problem with your request, the review team might require corrections to the withholding amount or replacement of the certificate or receipt. You must resubmit the request before it can be approved. The review team will either approve the request or ask for more changes.
+
+## Approved requests
+
+**For customers paying by check or wire:** Approved WHT requests are settled against the unpaid portion of the invoice amount reflected in Withholding Tax Credit Form.
+
+After your claim is approved, itΓÇÖs reflected in the next billing cycle. The WHT amount paid is included in the payment section of your next invoice. The amount is also displayed under the paid amount in the customer portal.
+
+**For customers paying by credit card:** After your claim is approved, your overpayment is refunded to your credit card.
+
+> [!IMPORTANT]
+>
+> - If changes are required, the approval process might take longer because of the corrections that must be made and then resubmitted.
+> - If you have questions about the WHT request process, please open a ticket with Microsoft support.
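Review bot: The "Your WHT request must include the following items" list and the "Submit the WHT request" sentence appear twice with identical wording, once under the check or wire heading and once under the credit card heading; stating them once after both payment sections would keep the two copies from drifting apart. In the credit card paragraph "Tax authority" should be capitalized as "Tax Authority" like the other occurrences, and under Approved requests "reflected in Withholding Tax Credit Form" is missing "the". The apostrophes in "there's" and "it's" are typographic characters that show up here as "ΓÇÖ"; plain ASCII apostrophes would avoid that.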
commerce Withholding Tax Credit India https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/withholding-tax-credit-india.md
description: "Learn how to request a credit on your account for Withholding Tax
- AdminSurgePortfolio - commerce_billing+ monikerRange: 'o365-worldwide' Last updated 05/03/2021 # Request a credit for Withholding Tax on your account (India customers)
+> [!NOTE]
+>
+> If your organization is not based in India, please see [Request a credit for Withholding Tax on your account (Global customers)](withholding-tax-credit-global.md).
+ Customers in India receive Web Direct (Azure and Microsoft 365) invoices billed by Microsoft Regional Sales Pte Ltd. Singapore (MRS) and make cross-border payments to Singapore to settle the invoice. If you withheld taxes when remitting the payment, this article explains the process for claiming a credit for the Withholding Tax (WHT) in your account with MRS.
-## For invoice pay customers who pay by check and wire
+## For invoice pay customers who pay by check or wire
If you withheld tax when remitting payment to MRS and deposited the withheld tax with the Income Tax Department, you must submit a WHT request to settle the tax amount withheld in your account.
Submit the WHT request by opening a ticket with Microsoft support.
## For customers who pay by credit card
-If your payment method is a credit card and you made a full payment to MRS, and paid WHT to the Income Tax Department, you must submit a WHT request to claim the refund of the tax amount.
+If your payment method is a credit card and you made a full payment to MRS, and also paid WHT to the Income Tax Department, you must submit a WHT request to claim the refund of the tax amount.
Your WHT request must include the following items:
The following table shows the due dates and timelines to submit digitally signed
> > - Customers can only submit a request for a refund of the WHT amount after paying the invoice. > - The invoice amount on the Withholding Tax Credit Form must match the invoice amount identified in the TDS certificate. If the invoice amount is different between the two forms, you must specify the reason for the difference in the Withholding Tax Credit Form. This information is checked by the review team, who might ask clarifying questions, if required.
-> - TDS certificate files must be in one of the following file formats: .PDF or Image only (.JPEG, .PNG and .GIF). Additionally, file names must not contain spaces or special characters. File size cannot exceed 1 MB.
+> - TDS certificate files must be in one of the following file formats: .PDF or Image only (.JPEG, .PNG, or .GIF). Additionally, file names must not contain spaces or special characters. File size cannot exceed 1 MB.
After you submit the request, it goes into the approval process where it is either approved for completion or is sent back to you for correction.
-If thereΓÇÖs a problem with your request, the review team might require corrections to the withholding amount or replacement of the TDS certificate. You must resubmit the request before itΓÇÖs approved. The review team will either approve the request or ask for more changes.
+If thereΓÇÖs a problem with your request, the review team might require corrections to the withholding amount or replacement of the TDS certificate. You must resubmit the request before it can be approved. The review team will either approve the request or ask for more changes.
## Approved requests
compliance Get Started With Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-retention.md
Most retention policies work unobtrusively in the background without user intera
Because retention labels have a UI presence in Microsoft 365 apps, make sure you provide guidance for end users and your help desk before you deploy these labels to your production network. To help users apply retention labels in SharePoint and OneDrive, see [Apply retention labels to files in SharePoint or OneDrive](https://support.microsoft.com/office/apply-retention-labels-to-files-in-sharepoint-or-onedrive-11a6835b-ec9f-40db-8aca-6f5ef18132df).
-However, the most effective end-user documentation will be customized guidance and instructions you provide for the retention label names and configurations you choose. See the following blog post for a download package that you can use to train users and drive adoption: [End User Training for Retention Labels in M365 ΓÇô How to Accelerate Your Adoption](https://techcommunity.microsoft.com/t5/microsoft-security-and/end-user-training-for-retention-labels-in-m365-how-to-accelerate/ba-p/1750861).
+However, the most effective end-user documentation will be customized guidance and instructions you provide for the retention label names and configurations you choose. See the following page and downloads that you can use to help train your users: [End User Training for Retention Labels](https://microsoft.github.io/ComplianceCxE/enduser/retention/).
compliance Get Started With Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
The most effective end-user documentation will be customized guidance and instru
- For built-in labeling: **Learn More** menu option. - For the Azure Information Protection unified labeling client: **Help and Feedback** menu option > **Tell Me More** link in the Microsoft Azure Information Protection dialog box.
-To help you write your customized documentation, see the following blog post for a download package that you can use to train users and drive adoption: [End User Training for Sensitivity Labels in M365 ΓÇô How to Accelerate Your Adoption](https://techcommunity.microsoft.com/t5/microsoft-security-and/end-user-training-for-sensitivity-labels-in-m365-how-to/ba-p/1750880).
+To help you provide your customized documentation, see the following page and downloads that you can use to help train your users: [End User Training for Sensitivity Labels](https://microsoft.github.io/ComplianceCxE/enduser/sensitivity/).
You can also use the following resources for basic instructions:
You can also use the following resources for basic instructions:
- [Azure Information Protection unified labeling user guide](/azure/information-protection/rms-client/clientv2-user-guide)
-If your sensitivity labels apply encryption for PDF documents, these documents can be opened with Microsoft Edge on Windows or Mac. For more information, and alternative readers, see [Which PDF readers are supported for protected PDFs?](/azure/information-protection/rms-client/protected-pdf-readers#viewing-protected-pdfs-in-microsoft-edge-on-windows-or-mac)
+If your sensitivity labels apply encryption for PDF documents, these documents can be opened with Microsoft Edge on Windows or Mac. For more information, and alternative readers, see [Which PDF readers are supported for protected PDFs?](/azure/information-protection/rms-client/protected-pdf-readers#viewing-protected-pdfs-in-microsoft-edge-on-windows-or-mac)
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
Not all apps support authentication contexts. If a user with an unsupported app
Known limitations for this preview:
+- This feature is still rolling out to some tenants. If the Conditional Access policy with your selected authentication context is not taking effect when a user accesses the site, you can use PowerShell to confirm that your configuration is correct and all prerequisites are met. You'll need to remove the sensitivity label from the site and then configure the site for the authentication context by using the [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) cmdlet from the current [SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online). If this method works, wait a few more days before you try to apply the sensitivity label again.
+
+ To test the authentication context by using PowerShell:
+
+ ```powershell
+ Set-SPOSite -Identity <site url> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName "Name of authentication context"
+ ```
+
+ To remove the authentication context so you can try to apply the sensitivity label again:
+
+ ```powershell
+ Set-SPOSite -Identity <site url> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName ""
+ ```
+ - For the OneDrive sync app, supported for OneDrive only and not for other sites. - The following features and apps might be incompatible with authentication contexts, so we encourage you to check that these continue to work after a user successfully accesses a site by using an authentication context:
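Review bot: The removal command keeps `-ConditionalAccessPolicy AuthenticationContext` and only blanks `-AuthenticationContextName`, and the text does not say what access policy the site is left with afterwards. Please state the expected end state and add a verification step, for example checking the site's ConditionalAccessPolicy value with Get-SPOSite before the label is reapplied, so that a site is not left without the intended Conditional Access enforcement. "Wait a few more days" would also be more useful with a concrete signal for when to retry.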
contentunderstanding Adoption Getstarted https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-getstarted.md
description: "Learn how to use and implement SharePoint Syntex in your organizat
Previously updated : 7/20/2020 Last updated : audience: admin ms.prod: microsoft-365-enterprise
localization_priority: Normal
Think of the intelligent content services available in SharePoint Syntex as having three parts: -- **Content understanding:** create no-code AI models to classify and extract information from content to automatically apply metadata for knowledge discovery and reuse. Learn more about [content understanding](document-understanding-overview.md).
+- **Content understanding:** Create no-code AI models to classify and extract information from content to automatically apply metadata for knowledge discovery and reuse. Learn more about [content understanding](document-understanding-overview.md).
- **Content processing:** Automate capture, ingestion, and categorization of content and streamline content-centric processes using Power Automate. Learn more about [content processing](form-processing-overview.md). - **Content compliance:** Control and manage content to improve security and governance with integration to Microsoft Information Protection.
When thinking about which business scenarios to consider, ask yourself the follo
Prioritize scenarios based on impact and ease of implementation. Make your initial focus area higher impact scenarios that can also be easily implemented. De-prioritize lower impact scenarios that are hard to implement.
-Use the following example scenarios to prompt ideas about how you can use SharePoint Syntex in your organization.
-
-### Scenario: Track data from invoices with form processing
-
-For example, you can set up a process using SharePoint Syntex and Power Automate features to track and monitor invoices.
-
-1. Set up a library to store the invoice documents.
-1. Train the model to recognize fields in the documents.
-1. Extract the fields you want to track into a list.
-1. Set up a flow to notify you for specific events, such as:
- - A new invoice is added.
- - An invoice is past its due date.
- - An invoice is for an amount that's larger than your automatic approval amount.
-
-![Track and monitor invoices with SharePoint Syntex and Power Automate](../media/content-understanding/process-invoices-flow.png)
-
-When you automate this scenario, you can:
--- Save time and money by automatically extracting data from the invoices instead of doing it manually.-- Reduce potential errors and ensure better compliance by using workflows to check invoices and notify you of any issues.-
-### Scenario: Track information from contracts with document understanding
-
-As another example, you can set up a process to identify contracts your company has with other companies or individuals. Set up a model to extract key information from those contracts, such as the client name, fees, dates, or other important information, and add the information to the library as fields you can quickly view. Apply a retention label on the document library to ensure that contracts can't be deleted before a specific length of time for appropriate compliance with your business regulations.
-
-1. Start at the content center and create a new document understanding model for contracts.
-1. Upload sample documents for positive and negative examples, then run the training to identify contract documents and review the results.
-1. Train the extractor to identify fields in the contracts, such as the client name, fee, and date, and then test the extractor.
-1. When the model is complete, apply the model to a library where you can upload contracts.
-1. Apply a retention label to the date field, so that contracts are retained in the library for the required length of time.
-
-![Track and monitor contracts with SharePoint Syntex and retention labels](../media/content-understanding/process-contracts-flow.png)
-
-When you automate this scenario, you can:
--- Save time and money by automatically extracting data from the contracts instead of doing it manually.-- Ensure better compliance by using retention labels to ensure that the contracts are retained appropriately.-
-### Scenario: Avoid risk with records management, document governance, and compliance processes based on SharePoint Syntex
-
-Reducing risks is a common goal for most companies. You might need:
--- A better way to provide/enforce information governance across your tenant.-- To improve the system for classification of documents, emails and other forms of communication considered ΓÇÿrecordsΓÇÖ for projects.-- To audit receipts, contracts, and so on, to ensure compliance with company policies.-- To ensure that projects have all the documentation required for compliance.-
-Set up some processes for compliance with SharePoint Syntex to capture and appropriately classify, audit, and flag documents and forms that need better governance. You can rely on SharePoint Syntex to auto classify content rather than relying on end users to manually tag, or the compliance team to manually apply governance rules and archiving. And you can enable a simplified search experience, manage data volumes, apply records management and retention policies, ensure compliance, and best practice archiving and purging practices.
-
-When you automate this scenario, you can feel secure that:
--- Compliance is upheld and risk is reduced.-- Taxonomy and records management is consistently and accurately applied.-- Content volumes are controlled.-- Employees can easily discover the right information in the right context.-
-### Scenario: Capture information from previously inaccessible documents
-
-Most organizations have large repositories of legal documents, policies, contracts, HR documents, and governance guidelines. Mine these data stores to extract valuable information such as: projects, sectors, themes, people, geographical areas, and so on.
-
-For example, an HR director needs to quickly access all HR documents ΓÇô including resumes, HR policies, and other forms. And they want to quickly identify necessary information from resumes and other HR-related documents without manually sifting through the documents. TheyΓÇÖre looking for a solution that allows them to quickly find the information they need without having to manually look through thousands of resumes, HR policies, and other documentation that may be spread across several sites.
-
-When you automate this scenario, you can:
--- Unlock knowledge from digital content.-- Classify HR policies, resumes, sales documents, technical blueprints, account plans and extract information.-- Quickly find the correct information or document that youΓÇÖre looking for.-- Get instant access to the latest information.-- Reduce search times.-
-### Scenario: Improve data processing to provide insights & analytics
-
-For example, a pharmaceutical company could use SharePoint Syntex to extract information from FDA documents to answer questions that their leaders have. Having the answers more easily accessible can reduce the time needed to produce these answers and increase the availability of data to generate more accurate answers to leadership questions.
-
-For example, a project manager needs to quickly provide answers to product-related questions from my leadership team. They need to find information and metrics related to queries in one consolidated dashboard. TheyΓÇÖre looking for a solution that extracts the information they need from product labels, product pamphlets, and other materials and generates a consolidated report that they can use when reporting back to their leadership team.
-
-When you automate this scenario, you can:
--- Reduce time to produce answers.-- Increase availability of data.-- Provide more accurate answers.-
-### Scenario: Automate order processing
-
-With SharePoint Syntex, you can reduce the time of manual processing of customer orders. For example, you can upload orders from fax, email, or paper into SharePoint by using OCR processing and then extract the metadata from those orders so you can fulfill them by using automated processes.
-
-For example, a supply chain manager wants to reduce errors caused by manual data entry. They want to avoid manual review and data entry of inbound customer orders (paper, fax, or e-mail) to reduce errors going into their business systems. They want a solution that applies AI and machine learning techniques to validate incoming order information, extract core data and automatically push it into their ERP system, for order fulfillment and reconciliation.
-
-When you automate this scenario, you can ensure that:
--- Order and shipment accuracy increases.-- Fees or penalties associated to order or shipment errors are reduced.-- Delays in invoicing or payments decrease.-- Personnel costs are reduced.-
-### Scenario: Simplify visa renewal process
-
-SharePoint Syntex can help you automate reminders and renewals for key contract information. For example, an HR director needs to ensure that employeesΓÇÖ visas are up to date and/or renewed on time. They want to give people a simple and intuitive process for updating their Visas. They need a solution that extracts renewal dates from contracts and automatically sends employees reminders when their renewal dates are approaching.
-
-When you automate this scenario, you can ensure that:
--- The levels of non-compliance are reduced.-- The number of manual reminders is reduced.-- The number of fines for non-compliance is reduced.
+Use the [example scenarios and use cases](adoption-scenarios.md) to prompt ideas about how you can use SharePoint Syntex in your organization.
## Identify roles & responsibilities
To get ready for implementing SharePoint Syntex, you need to:
1. Roll out in stages. 1. Gather feedback and iterate. 1. As usage grows plan for any AI Builder credits as needed.+
+## See also
+
+[Scenarios and use cases in SharePoint Syntex](adoption-scenarios.md)
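Review bot: the scenario sections removed from this article carried `### Scenario: ...` headings, so any link that targets those anchors here will stop resolving once the content lives only in adoption-scenarios.md. Search for inbound links to those anchors before merging. The heading "Improve data processing to provide insights & analytics" also becomes "insights and analytics" in the new file, which changes its anchor. The pointer added in the body and the new "See also" entry link to the same page, so one of them may be enough.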
contentunderstanding Adoption Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-scenarios.md
+
+ Title: "Scenarios and use cases for Microsoft SharePoint Syntex"
++++ Last updated :
+audience: admin
++
+ - enabler-strategic
+ - m365initiative-syntex
+
+search.appverid:
+localization_priority: Normal
+description: "Find scenarios about how to use SharePoint Syntex in your organization."
++
+# Scenarios and use cases for Microsoft SharePoint Syntex
+
+Use the following example scenarios to prompt ideas about how you can use SharePoint Syntex in your organization.
+
+- [Scenario: Track data from invoices with form processing](adoption-scenarios.md#scenario-track-data-from-invoices-with-form-processing)
+- [Scenario: Track information from contracts with document understanding](adoption-scenarios.md#scenario-track-information-from-contracts-with-document-understanding)
+- [Scenario: Avoid risk with records management, document governance, and compliance processes based on SharePoint Syntex](adoption-scenarios.md#scenario-avoid-risk-with-records-management-document-governance-and-compliance-processes-based-on-sharepoint-syntex)
+- [Scenario: Capture information from previously inaccessible documents](adoption-scenarios.md#scenario-capture-information-from-previously-inaccessible-documents)
+- [Scenario: Improve data processing to provide insights and analytics](adoption-scenarios.md#scenario-improve-data-processing-to-provide-insights-and-analytics)
+- [Scenario: Automate order processing](adoption-scenarios.md#scenario-automate-order-processing)
+- [Scenario: Simplify visa renewal process](adoption-scenarios.md#scenario-simplify-visa-renewal-process)
+
+## Scenario: Track data from invoices with form processing
+
+For example, you can set up a process using SharePoint Syntex and Power Automate features to track and monitor invoices.
+
+1. Set up a library to store the invoice documents.
+1. Train the model to recognize fields in the documents.
+1. Extract the fields you want to track into a list.
+1. Set up a flow to notify you for specific events, such as:
+ - A new invoice is added.
+ - An invoice is past its due date.
+ - An invoice is for an amount that's larger than your automatic approval amount.
+
+![Track and monitor invoices with SharePoint Syntex and Power Automate](../media/content-understanding/process-invoices-flow.png)
+
+When you automate this scenario, you can:
+
+- Save time and money by automatically extracting data from the invoices instead of doing it manually.
+- Reduce potential errors and ensure better compliance by using workflows to check invoices and notify you of any issues.
+
+## Scenario: Track information from contracts with document understanding
+
+As another example, you can set up a process to identify contracts your company has with other companies or individuals. Set up a model to extract key information from those contracts, such as the client name, fees, dates, or other important information, and add the information to the library as fields you can quickly view. Apply a retention label on the document library to ensure that contracts can't be deleted before a specific length of time for appropriate compliance with your business regulations.
+
+1. Start at the content center and create a new document understanding model for contracts.
+1. Upload sample documents for positive and negative examples, then run the training to identify contract documents and review the results.
+1. Train the extractor to identify fields in the contracts, such as the client name, fee, and date, and then test the extractor.
+1. When the model is complete, apply the model to a library where you can upload contracts.
+1. Apply a retention label to the date field, so that contracts are retained in the library for the required length of time.
+
+![Track and monitor contracts with SharePoint Syntex and retention labels](../media/content-understanding/process-contracts-flow.png)
+
+When you automate this scenario, you can:
+
+- Save time and money by automatically extracting data from the contracts instead of doing it manually.
+- Ensure better compliance by using retention labels to ensure that the contracts are retained appropriately.
+
+## Scenario: Avoid risk with records management, document governance, and compliance processes based on SharePoint Syntex
+
+Reducing risks is a common goal for most companies. You might need:
+
+- A better way to provide/enforce information governance across your tenant.
+- To improve the system for classification of documents, emails and other forms of communication considered ΓÇÿrecordsΓÇÖ for projects.
+- To audit receipts, contracts, and so on, to ensure compliance with company policies.
+- To ensure that projects have all the documentation required for compliance.
+
+Set up some processes for compliance with SharePoint Syntex to capture and appropriately classify, audit, and flag documents and forms that need better governance. You can rely on SharePoint Syntex to auto classify content rather than relying on end users to manually tag, or the compliance team to manually apply governance rules and archiving. And you can enable a simplified search experience, manage data volumes, apply records management and retention policies, ensure compliance, and best practice archiving and purging practices.
+
+When you automate this scenario, you can feel secure that:
+
+- Compliance is upheld and risk is reduced.
+- Taxonomy and records management is consistently and accurately applied.
+- Content volumes are controlled.
+- Employees can easily discover the right information in the right context.
+
+## Scenario: Capture information from previously inaccessible documents
+
+Most organizations have large repositories of legal documents, policies, contracts, HR documents, and governance guidelines. Mine these data stores to extract valuable information such as: projects, sectors, themes, people, geographical areas, and so on.
+
+For example, an HR director needs to quickly access all HR documents ΓÇô including resumes, HR policies, and other forms. And they want to quickly identify necessary information from resumes and other HR-related documents without manually sifting through the documents. TheyΓÇÖre looking for a solution that allows them to quickly find the information they need without having to manually look through thousands of resumes, HR policies, and other documentation that may be spread across several sites.
+
+When you automate this scenario, you can:
+
+- Unlock knowledge from digital content.
+- Classify HR policies, resumes, sales documents, technical blueprints, account plans and extract information.
+- Quickly find the correct information or document that youΓÇÖre looking for.
+- Get instant access to the latest information.
+- Reduce search times.
+
+## Scenario: Improve data processing to provide insights and analytics
+
+For example, a pharmaceutical company could use SharePoint Syntex to extract information from FDA documents to answer questions that their leaders have. Having the answers more easily accessible can reduce the time needed to produce these answers and increase the availability of data to generate more accurate answers to leadership questions.
+
+For example, a project manager needs to quickly provide answers to product-related questions from my leadership team. They need to find information and metrics related to queries in one consolidated dashboard. TheyΓÇÖre looking for a solution that extracts the information they need from product labels, product pamphlets, and other materials and generates a consolidated report that they can use when reporting back to their leadership team.
+
+When you automate this scenario, you can:
+
+- Reduce time to produce answers.
+- Increase availability of data.
+- Provide more accurate answers.
+
+## Scenario: Automate order processing
+
+With SharePoint Syntex, you can reduce the time of manual processing of customer orders. For example, you can upload orders from fax, email, or paper into SharePoint by using OCR processing and then extract the metadata from those orders so you can fulfill them by using automated processes.
+
+For example, a supply chain manager wants to reduce errors caused by manual data entry. They want to avoid manual review and data entry of inbound customer orders (paper, fax, or e-mail) to reduce errors going into their business systems. They want a solution that applies AI and machine learning techniques to validate incoming order information, extract core data and automatically push it into their ERP system, for order fulfillment and reconciliation.
+
+When you automate this scenario, you can ensure that:
+
+- Order and shipment accuracy increases.
+- Fees or penalties associated to order or shipment errors are reduced.
+- Delays in invoicing or payments decrease.
+- Personnel costs are reduced.
+
+## Scenario: Simplify visa renewal process
+
+SharePoint Syntex can help you automate reminders and renewals for key contract information. For example, an HR director needs to ensure that employeesΓÇÖ visas are up to date and/or renewed on time. They want to give people a simple and intuitive process for updating their Visas. They need a solution that extracts renewal dates from contracts and automatically sends employees reminders when their renewal dates are approaching.
+
+When you automate this scenario, you can ensure that:
+
+- The levels of non-compliance are reduced.
+- The number of manual reminders is reduced.
+- The number of fines for non-compliance is reduced.
+
+## See also
+
+[Microsoft SharePoint Syntex adoption: Get started](adoption-getstarted.md)
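Review bot: in the "Improve data processing to provide insights and analytics" scenario, the second paragraph switches person mid-sentence ("a project manager needs to quickly provide answers to product-related questions from my leadership team"); "my" should be "their". Both paragraphs in that scenario open with "For example", so the second would read better as "As another example". In the contracts scenario, the intro says to apply the retention label "on the document library" while step 5 says to apply it "to the date field"; keep whichever matches the product behaviour. The contents list at the top repeats the file name in every link (`adoption-scenarios.md#...`) where a bare `#...` anchor would survive a rename.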
enterprise Portallaunchscheduler https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
- Less than 10k users: Two waves - 10k to 30k users: Three waves - 30k+ to 100k users: Five waves
- - More than 100k users: Five waves and contact your Microsoft account team
+ - More than 100k users: Five waves and contact your Microsoft via the steps listed in Launch portal with over 100k users section.
5. Then, determine the **Type of redirect** needed:
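Review bot: the replacement bullet for more than 100k users lost its object: "contact your Microsoft via the steps listed in Launch portal with over 100k users section" no longer says who to contact. Suggest "Five waves, and contact Microsoft through the steps in [Launch portal with over 100k users](#launch-portal-with-over-100k-users)", which also turns the section name into a working link.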
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
8. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.
+### Launch portal with over 100k users
+
+If you are planning to migrate over 100TB, please submit a support request following the steps listed below. Make sure to include all requested information.
+
+Follow these steps:
+1. Navigate to https://admin.microsoft.com
+2. Ensure you are using the new admin center preview.
+3. On the left nav pane, select **Support**, and then select **New Service Request**.
++
+ This will activate the **Need Help?** pane on the right-hand side of your screen.
+
+4. In the **Briefly describe your issue** area, enter "Launch SharePoint Portal with 100k users".</br>
+5. Select **Contact Support**.
+6. Under **Description**, enter "Launch SharePoint Portal with 100k users".
+7. Fill out the remaining info, and select **Contact me**.
+8. After the ticket has been created, ensure you provide the support agent with the following information:
+- Launch Portal URL's
+- Number of users expected
+- Estimated time of launch
## Make changes to a scheduled portal launch
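Review bot: the opening sentence of the new section describes a different threshold than its heading: "If you are planning to migrate over 100TB" sits under "Launch portal with over 100k users" and reads like text carried over from a migration article. It should state the 100k-user condition that the wave list sends readers here for. Smaller points in the same hunk: step 4 ends with a stray `</br>`, the three items under step 8 appear unindented and so will render outside the numbered step, and "Launch Portal URL's" should be "URLs".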
enterprise Configure Exchange Server For Hybrid Modern Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication.md
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
If the EXCH version is Exchange 2016 (CU18 or higher) or Exchange 2019 (CU7 or higher) and hybrid was configured with HCW downloaded after September 2020, run the following command in the Exchange Management Shell, on-premises: ```powershell
-Set-AuthServer -Identity "EvoSTS - {GUID}" -Domain "Tenant Domain" -IsDefaultAuthorizationEndpoint $true
+Set-AuthServer -Identity "EvoSTS - {GUID}" -DomainName "Tenant Domain" -IsDefaultAuthorizationEndpoint $true
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true ```
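Review bot: the rename to `-DomainName` is applied in this block only; the context line above the hunk shows an earlier block ending in the same `Set-OrganizationConfig` call, so please confirm that its `Set-AuthServer` line does not still use `-Domain`. Because this command makes the EvoSTS entry the default authorization endpoint, a follow-up sentence telling the reader to confirm the result with `Get-AuthServer` would help, and "Tenant Domain" should be described as a placeholder the reader replaces.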
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
Prepare the source tenant:
| -KeyVaultName | Azure Key Vault instance that will store your mailbox migration application certificate/secret. | Required | | -CertificateName | Certificate name when generating or searching for certificate in key vault. | Required | | -CertificateSubject | Azure Key Vault certificate subject name, such as CN=contoso_fabrikam. | Required |
+ | -AzureResourceLocation | The location of the Azure resource group and key vault. | Required |
| -ExistingApplicationId | Mail migration application to use if one was already created. | Optional | | -AzureAppPermissions | The permissions required to be given to the mailbox migration application, such as Exchange or MSGraph (Exchange for moving mailboxes, MSGraph for using this application to send a consent link invitation to resource tenant). | Required | | -UseAppAndCertGeneratedForSendingInvitation | Parameter for using the application created for migration to be used for sending consent link invitation to source tenant admin. If not present this will prompt for the target adminΓÇÖs credentials to connect to Azure invitation manager and send the invitation as target admin. | Optional |
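Review bot: the new `-AzureResourceLocation` row is marked Required but does not say what form the value takes. State whether the script expects the region display name or the short name, and what happens when the resource group or key vault named in the other parameters already exists in a different location. Since this vault stores the mailbox migration application's certificate/secret, readers with data residency requirements will want that spelled out.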
Prepare the source tenant:
6. The script will pause and ask you to accept or consent to the Exchange mailbox migration application that was created during this process. Here is an example. ```powershell
- PS C:\PowerShell\> .\SetupCrossTenantRelationshipForTargetTenant.ps1 -ResourceTenantDomain contoso.onmicrosoft.com -ResourceTenantAdminEmail admin@contoso.onmicrosoft.com -TargetTenantDomain fabrikam.onmicrosoft.com -ResourceTenantId ksagjid39-ede2-4d2c-98ae-874709325b00 -SubscriptionId e4ssd05d-a327-49ss-849a-sd0932439023 -ResourceGroup "Cross-TenantMoves" -KeyVaultName "Cross-TenantMovesVault" -CertificateName "Contoso-Fabrikam-cert" -CertificateSubject "CN=Contoso_Fabrikam" -AzureAppPermissions Exchange, MSGraph -UseAppAndCertGeneratedForSendingInvitation -KeyVaultAuditStorageAccountName "t2tstorageaccount" -KeyVaultAuditStorageResourceGroup "Demo"
+ PS C:\PowerShell\> .\SetupCrossTenantRelationshipForTargetTenant.ps1 -ResourceTenantDomain contoso.onmicrosoft.com -ResourceTenantAdminEmail admin@contoso.onmicrosoft.com -TargetTenantDomain fabrikam.onmicrosoft.com -ResourceTenantId ksagjid39-ede2-4d2c-98ae-874709325b00 -SubscriptionId e4ssd05d-a327-49ss-849a-sd0932439023 -ResourceGroup "Cross-TenantMoves" -KeyVaultName "Cross-TenantMovesVault" -CertificateName "Contoso-Fabrikam-cert" -CertificateSubject "CN=Contoso_Fabrikam" -AzureResourceLocation "Brazil Southeast" -AzureAppPermissions Exchange, MSGraph -UseAppAndCertGeneratedForSendingInvitation -KeyVaultAuditStorageAccountName "t2tstorageaccount" -KeyVaultAuditStorageResourceGroup "Demo"
cmdlet Get-Credential at command pipeline position 1 Supply values for the following parameters:
enterprise Multi Geo Capabilities In Exchange Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-capabilities-in-exchange-online.md
Exchange Online synchronizes the **PreferredDataLocation** property from Azure A
- When **PreferredDataLocation** is not specified on a user, when you provision the mailbox, it will be provisioned in the central geo location. -- If the **PreferredDataLocation** code is incorrect (e.g. a type of NAN instead of NAM), the mailbox will be provisioned in the central geo location.
+- If the **PreferredDataLocation** code is incorrect (e.g. a typo of NAN instead of NAM), the mailbox will be provisioned in the central geo location.
**Note**: Multi-geo capabilities and Skype for Business Online regionally hosted meetings both use the **PreferredDataLocation** property on user objects to locate services. If you configure **PreferredDataLocation** values on user objects for regionally hosted meetings, the mailbox for those users will be automatically moved to the specified geo location after multi-geo is enabled on the Microsoft 365 tenant.
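Review bot: beyond the typo fix, this bullet describes a silent fallback: a mistyped **PreferredDataLocation** code places the mailbox in the central geo location with no error. For tenants that use multi-geo to meet data residency requirements, that deserves a sentence on how to confirm where a mailbox was actually provisioned, or a link to the section that covers it.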
Exchange Online synchronizes the **PreferredDataLocation** property from Azure A
- Public folders are supported in multi-geo organizations. However, the public folders must remain in the central geo location. You can't move public folders to satellite geo locations. -- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox. For more information, see [Manage mailbox auditing](../compliance/enable-mailbox-auditing.md?view=o365-worldwide).
+- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox. For more information, see [Manage mailbox auditing](../compliance/enable-mailbox-auditing.md?view=o365-worldwide).
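Review bot: the removed and added lines differ only in whitespace as shown, so if this bullet is being touched anyway, consider dropping the hard-coded `?view=o365-worldwide` from the mailbox auditing link so it is not pinned to one view of the docs.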
includes Microsoft 365 Client Support Single Sign On Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-single-sign-on-include.md
|OFFICE.COM|N/A|N/A|N/A|N/A|Γ£ö| |ONEDRIVE|Γ£ö|Γ£ö|Planned|Γ£ö|Γ£ö| |ONENOTE|Γ£ö|Γ£ö|Γ£ö|Planned|Γ£ö|
-|OUTLOOK|Γ£ö|Γ£ö|Planned|Γ£ö|Γ£ö|
+|OUTLOOK|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
|PLANNER|Γ£ö|Γ£ö|N/A|N/A|N/A| |POWER APPS|Γ£ö|Γ£ö|N/A|N/A|Planned| |POWER AUTOMATE|Γ£ö|Γ£ö|N/A|N/A|N/A|
includes Microsoft 365 Multi Geo Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-multi-geo-locations.md
|:-|:-|:| |Asia-Pacific |APC |Southeast or East Asia datacenters| |Australia |AUS |Southeast or East Asia datacenters|
+|Brazil |BRA |(eDiscovery data location coming soon)|
|Canada |CAN |US datacenters | |Europe / Middle East / Africa|EUR |Europe datacenters | |France |FRA |Europe datacenters |
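Review bot: the new Brazil row fills the third column with "(eDiscovery data location coming soon)" while every neighbouring row names a datacenter region, which leaves readers who plan eDiscovery for Brazil-located users without an answer. Say what applies in the meantime, or note explicitly that no eDiscovery data location is available yet for BRA.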
managed-desktop Guest Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/guest-accounts.md
audience: Admin
# Prerequisites for guest accounts
-Microsoft Managed Desktop requires the following settings in your Azure AD organization for guest account access. You can adjust these settings at the [Azure portal](https://portal.azure.com) under **External Identities / External collaboration**:
+Microsoft Managed Desktop requires the following settings in your Azure AD organization for guest account access. You can adjust these settings at the [Azure portal](https://portal.azure.com) under **External Identities / External collaboration settings**:
-- **Admins and users in the guest inviter role can invite** set to **Yes**
+- For **Guest invite restrictions** set to **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**
- For **Collaboration restrictions**, choose any of these options: - If you select **Allow invitations to be sent to any domain (most inclusive)**, no other configuration required. - If you select **Deny invitations to the specified domains**, make sure that Microsoft.com isnΓÇÖt listed in the target domains.
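Review bot: the replacement bullet asks for a broader setting than the line it replaces. The old text required only that "Admins and users in the guest inviter role can invite" be set to Yes, while the new value, "Member users and users assigned to specific admin roles can invite guest users including guests with member permissions", also lets ordinary member users invite guests. Please state whether Microsoft Managed Desktop works with a more restrictive choice under **Guest invite restrictions**, since tenants that limit guest invitations to admin roles would otherwise have to loosen their policy. The wording "For ... set to ..." also does not parse; "For **Guest invite restrictions**, select ..." would match the bullet below it.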
If you set restrictions that interact with these settings, make sure to exclude
6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md) 7. [Apps in Microsoft Managed Desktop](apps.md) 8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
security Android Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-privacy.md
For more information about data storage, see [Microsoft Defender for Endpoint da
Information is collected to help keep Defender for Endpoint for Android secure, up-to-date, performing as expected and to support the service.
+For more information on most common privacy questions about Microsoft Defender for Endpoint on Android and iOS mobile devices, see [Microsoft Defender for Endpoint and your privacy on Android and iOS mobile devices](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-and-your-privacy-on-android-and-ios-mobile-devices-4109bc54-8ec5-4433-9c33-d359b75ac22a).
+ ## Required Data Required data consists of data that is necessary to make Defender for Endpoint
security Get Assessmnt 1Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessmnt-1methods-properties.md
Title: Export assessment methods and properties per device
-description: Provides information about the APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. Since the amount of data can be very large, there are two ways it can be retrieved
-keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+description: Provides information about the APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. Since the amount of data can be large, there are two ways it can be retrieved
+keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
Provides methods and property details about the APIs that pull threat and vuln
> > Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
-There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
+There are three API methods that you can use to retrieve (export) different types of information:
-- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+1. Export secure configurations assessment
-- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+2. Export software inventory assessment
+
+3. Export software vulnerabilities assessment
+
+For each method, there are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
+
+- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
- Call the API to get a list of download URLs with all your organization data. - Download all the files using the download URLs and process the data as you like.
-The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
-
-Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
## 1. Export secure configurations assessment
Returns all of the configurations and their status, on a per-device basis.
Method | Data type | Description :|:|:
-[Export secure configuration assessment (OData)](get-assessmnt-secure-cfg.md#1-export-secure-configuration-assessment-odata) | Secure configuration by device collection. See: [1.2 Properties (OData)](#12-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
-[Export secure configuration assessment (via files)](get-assessmnt-secure-cfg.md#2-export-secure-configuration-assessment-via-files) | secure configuration by device files. See: [1.3 Properties (via files)](#13-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+Export secure configuration assessment **(OData)** | Secure configuration by device collection. See: [1.2 Properties (OData)](#12-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export secure configuration assessment **(via files)** | Secure configuration by device collection. See: [1.2 Properties (OData)](#12-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
### 1.2 Properties (OData)
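Review bot: in the secure configuration table, the new **(via files)** row repeats the OData row's data type: it reads "Secure configuration by device collection. See: [1.2 Properties (OData)](#12-properties-odata)", where the removed row said "secure configuration by device files" and pointed to [1.3 Properties (via files)](#13-properties-via-files). That looks like a copy-and-paste slip and should be restored. In the intro, "100K devices" became "100-K devices" in both bullets; "fewer than 100,000 devices" and "more than 100,000 devices" would read more cleanly.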
Returns all of the installed software and their details on each device.
Method | Data type | Description :|:|:
-[Export software inventory assessment (OData)](get-assessmnt-software-inventory.md#1-export-software-inventory-assessment-odata) | Software inventory by device collection. See: [2.2 Properties (OData)](#22-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
-[Export software inventory assessment (via files)](get-assessmnt-software-inventory.md#2-export-software-inventory-assessment-via-files) | Software inventory by device files. See: [2.3 Properties (via files)](#23-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+Export software inventory assessment **(OData)** | Software inventory by device collection. See: [2.2 Properties (OData)](#22-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export software inventory assessment **(via files)** | Software inventory by device files. See: [2.3 Properties (via files)](#23-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
### 2.2 Properties (OData)
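Review bot: The added OData row no longer says that the export is a current snapshot without historic data, a caveat the removed OData row carried, and nothing in the added text replaces it. Keep that sentence in the table or in a note under it, because anyone building trend reporting on this export needs to know they must store the snapshots themselves. The added rows also lose the links to `get-assessmnt-software-inventory.md` that the removed rows had on the method name.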
Property (ID) | Data type | Description
Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization. GeneratedTime | string | The time that the export was generated.
-## 3. Export software vulnerabilities assessment per device
+## 3. Export software vulnerabilities assessment
Returns all the known vulnerabilities on a device and their details, for all devices.
Returns all the known vulnerabilities on a device and their details, for all dev
Method | Data type | Description :|:|:
-[Export software vulnerabilities assessment (OData)](get-assessmnt-software-vulnerabilities.md#1-export-software-vulnerabilities-assessment-odata) | Investigation collection See: [3.2 Properties (OData)](#32-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
-[Export software vulnerabilities assessment (via files)](get-assessmnt-software-vulnerabilities.md#2-export-software-vulnerabilities-assessment-via-files) | Investigation entity See: [3.3 Properties (via files)](#33-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+Export software vulnerabilities assessment **(OData)** | Investigation collection See: [3.2 Properties (OData)](#32-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export software vulnerabilities assessment **(via files)** | Investigation entity See: [3.3 Properties (via files)](#33-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
### 3.2 Properties (OData)
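Review bot: The data type cells in both added rows still read "Investigation collection" and "Investigation entity", carried over unchanged from the removed rows, and they do not follow the pattern of the software inventory table ("Software inventory by device collection", "Software inventory by device files"). If this is a copy-paste leftover, replace it with the collection name for software vulnerabilities, and add the missing period before "See:" in both cells.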
security Get Assessmnt Secure Cfg https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessmnt-secure-cfg.md
> Returns all of the configurations and their status, on a per-device basis.
-There are different API calls to get different types of data. Because the amount of data can be very large, there are two ways it can be retrieved:
+There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
-- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+- [Export secure configuration assessment **OData**](#1-export-secure-configuration-assessment-odata): The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100 K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
-- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+- [Export secure configuration assessment **via files**](#2-export-secure-configuration-assessment-via-files): This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100 K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
- Call the API to get a list of download URLs with all your organization data. - Download all the files using the download URLs and process the data as you like.
-The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
-Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+> [!Note]
+>
+> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
## 1. Export secure configuration assessment (OData)
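Review bot: The added **via files** bullet says the response "contains URLs to download all the data from Azure Storage" but does not say whether those URLs are pre-authorized or how long they remain valid. Document both, since that decides whether callers can log or store the URLs or must treat them as secrets. In the rewritten snapshot sentence, "the current snapshot of the current state" repeats itself; "a snapshot of the current state" is enough.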
GET /api/machines/SecureConfigurationsAssessmentByMachine
>[!Note] >
->- The properties defined in the following table are listed alphanumerically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in these tables.
+>- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
> >- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns. >
-Property (id) | Data type | Description | Example of a returned value
+Property (ID) | Data type | Description | Example of a returned value
:|:|:|: ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | Security controls ConfigurationId | string | Unique identifier for a specific configuration | scid-10000
GET /api/machines/SecureConfigurationsAssessmentExport
> >- For maximum download speed of your data, you can make sure you are downloading from the same Azure region in which your data resides. >
-Property (id) | Data type | Description | Example of a returned value
+Property (ID) | Data type | Description | Example of a returned value
:|:|:|: Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization | [ Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ] GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z ]
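Review bot: The example cell for "Export files", directly under the renamed header, is mis-encoded: the quotation marks appear as "ΓÇ£" and "ΓÇ¥", the first URL starts with "Https" and has no opening quote, and a stray "]" follows the GeneratedTime value. Since this hunk already touches the table, fix the example in the same change, with plain double quotes around each URL.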
security Get Assessmnt Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessmnt-software-inventory.md
> There are different API calls to get different types of data. Because the amount of data can be very large, there are two ways it can be retrieved: -- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100 K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+- [Export software inventory assessment **OData**](#1-export-software-inventory-assessment-odata) The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100 K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
-- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100 K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+- [Export software inventory assessment **via files**](#2-export-software-inventory-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100 K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
- Call the API to get a list of download URLs with all your organization data. - Download all the files using the download URLs and process the data as you like.
-The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
-Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+> [!Note]
+>
+> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
## 1. Export software inventory assessment (OData)
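Review bot: The added link bullets have no colon between the link and the description ("...assessment-odata) The API pulls..."), unlike the same bullets in get-assessmnt-secure-cfg.md, which read "...): The API pulls...". Add the colon to both. The intro sentence above them also still says "very large", where the secure configuration article was changed to "large" in this update.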
GET /api/machines/SoftwareInventoryByMachine
> >-Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
->-The properties defined in the following table are listed alphanumerically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in these tables.
+>-The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
> >-Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
-Property (id) | Data type | Description | Example of a returned value
+Property (ID) | Data type | Description | Example of a returned value
:|:|:|: DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1 DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
GET /api/machines/SoftwareInventoryExport
> >_ For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides. >
-Property (id) | Data type | Description | Example of a returned value
+Property (ID) | Data type | Description | Example of a returned value
:|:|:|: Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization | [ Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ] GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z ]
security Get Assessmnt Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessmnt-software-vulnerabilities.md
[!include[Prerelease information](../../includes/prerelease.md)] > >
-Returns all the known vulnerabilities and their details for all devices, on a per-device basis.
+Returns all known software vulnerabilities and their details for all devices, on a per-device basis.
There are different API calls to get different types of data. Because the amount of data can be very large, there are two ways it can be retrieved: -- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+- [Export software vulnerabilities assessment OData](#1-export-software-vulnerabilities-assessment-odata) The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100 K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
-- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+- [Export software vulnerabilities assessment via files](#2-export-software-vulnerabilities-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100 K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
- Call the API to get a list of download URLs with all your organization data. - Download all the files using the download URLs and process the data as you like.
-The data that is collected (for either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
-Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+> [!Note]
+>
+> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
## 1. Export software vulnerabilities assessment (OData)
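Review bot: The link text on the two added bullets is plain ("Export software vulnerabilities assessment OData", "... via files"), where the secure configuration and software inventory articles bold the method ("**OData**", "**via files**"). Apply the same bolding here, and put a colon after each link so the bullet does not run straight into "The API pulls...".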
GET /api/machines/SoftwareVulnerabilitiesByMachine
> >- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns. >
->- The properties defined in the following table are listed alphanumerically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in these tables.
+>- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
>
-Property (id) | Data type | Description | Example of a returned value
+Property (ID) | Data type | Description | Example of a returned value
:|:|:|: CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. | CVE-2020-15992 CvssScore | string | The CVSS score of the CVE. | 6.2
Rate limitations for this API are 5 calls per minute and 20 calls per hour.
### 2.2 Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details](apis-intro.md).
Permission type | Permission | Permission display name ||
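Review bot: The link text on the added line still ends in "for details", so the sentence reads "see Use Microsoft Defender for Endpoint APIs for details." as one link. Move those words out of the brackets: "see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details."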
GET /api/machines/SoftwareVulnerabilitiesExport
> >- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns. >
->- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in these tables.
->
-Property (id) | Data type | Description | Example of a returned value
+Property (ID) | Data type | Description | Example of a returned value
:|:|:|: Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization. | [ ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ] GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z
security Ios Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-privacy.md
Defender for Endpoint on iOS collects information from your configured iOS devic
For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md). +
+For more information on most common privacy questions about Microsoft Defender for Endpoint on Android and iOS mobile devices, see [Microsoft Defender for Endpoint and your privacy on Android and iOS mobile devices](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-and-your-privacy-on-android-and-ios-mobile-devices-4109bc54-8ec5-4433-9c33-d359b75ac22a).
+ ## Required data Required data consists of data that is necessary to make Defender for Endpoint on iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
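Review bot: The added sentence opens "For more information on most common privacy questions", which is missing an article and stacks two prepositions. Something like "For answers to the most common privacy questions about Microsoft Defender for Endpoint on Android and iOS mobile devices, see ..." reads cleanly and keeps the same link.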
security Ios Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md
While enabled by default, there might be some cases that require you to disable
## Issues with multiple VPN profiles
-Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
+Apple iOS does not support multiple **device-wide** VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
+Microsoft Defender for Endpoint VPN can co-exist with other VPNs that are configured as *per-app* or *"Personal"*.
## Battery consumption
-The battery usage by an app is computed by Apple based on a multitude of factors including CPU and Network usage. Microsoft Defender for Endpoint uses a local/loop-back VPN in the background to check web traffic for any malicious websites or connections. Network packets from any app go through this check and that causes the battery usage of Microsoft Defender for Endpoint to be computed inaccurately. This gives a false impression to the user. The actual battery consumption of Microsoft Defender for Endpoint is lesser than what is shown on the Battery Settings page on the device. This is based on conducted tests done on the Microsoft Defender for Endpoint app to understand battery consumption.
+In the Settings app, iOS only shows battery usage of apps that are visible to the user for a specific duration of time. The battery usage by apps shown on the screen are only for that time duration and is computed by iOS based on a multitude of factors including CPU and Network usage. Microsoft Defender for Endpoint uses a local/loop-back VPN in the background to check web traffic for any malicious websites or connections. Network packets from any app go through this check and that causes the battery usage of Microsoft Defender for Endpoint to be computed inaccurately. The actual battery consumption of Microsoft Defender for Endpoint is much less than what is shown on the Battery Settings page on the device.
-Also the VPN used is a local VPN and unlike a traditional VPN, network traffic is not sent outside the device.
+On an average, per-day battery usage by Microsoft Defender for Endpoint running on the background is **approximately 8.81% of overall battery consumed in that day**. This metric is reported by Apple based on actual usage of Microsoft Defender for Endpoint on end-user devices and due to reasons mentioned above can also be accounted to other apps that have network activity.
+
+Also, the VPN used is a local VPN and unlike a traditional VPN, network traffic is not sent outside the device.
## Data usage
-Microsoft Defender for Endpoint uses a local/loopback VPN to check web traffic for any malicious websites or connections. Due to this reason Apple accounts data usage to Microsoft Defender for Endpoint inaccurately. The actual data usage by Microsoft Defender for Endpoint is not significant and much less than what is shown on the Data Usage Settings on the device.
+Microsoft Defender for Endpoint uses a local/loopback VPN to check web traffic for any malicious websites or connections. Due to this reason, Microsoft Defender for Endpoint data usage can be inaccurately accounted for. The actual data usage by Microsoft Defender for Endpoint is not significant and lesser than what is shown on the Data Usage Settings on the device.
## Report unsafe site
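Review bot: The added battery paragraph gives "approximately 8.81% of overall battery consumed in that day" without a measurement period, app version or device population, and the same sentence then says the figure "can also be accounted to other apps", so readers cannot tell what the number bounds. State the date range and source of the Apple-reported metric, or present it as an upper bound. The added lines also need a wording pass: "battery usage by apps shown on the screen are ... and is computed" mixes plural and singular, "On an average" should be "On average", "running on the background" should be "in the background", and in the Data usage paragraph "lesser than" replaces the correct "much less than".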
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
The following steps can be used to troubleshoot and mitigate these issues:
To collect current statistics, run: ```bash
- mdatp config real-time-protection-statistics --output json > real_time_protection.json
+ mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json
``` > [!NOTE]
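Review bot: The command changes from `mdatp config real-time-protection-statistics` to `mdatp diagnostic real-time-protection-statistics` with no statement of which product version introduced the new form. Add the minimum version next to the command, so a reader on an older build who gets an error from the `diagnostic` form knows the cause is the installed version.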
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
iOS devices along with other platforms.
- Access to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
-**Network Requirements**
-- For Microsoft Defender for Endpoint on iOS to function when connected to a network the firewall/proxy will need to be configured to [enable access to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server)- **System Requirements** - iOS devices running iOS 11.0 and above. iPad devices are officially supported from version 1.1.15010101 onward.
iOS devices along with other platforms.
- Device is enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358). > [!NOTE]
-> **Microsoft Defender ATP (Microsoft Defender for Endpoint) on iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
+> **Microsoft Defender for Endpoint on iOS is available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
## Installation instructions
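Review bot: With the **Network Requirements** item removed, these prerequisites no longer point to the service URL list in `configure-proxy-internet.md` that a firewall or proxy has to allow. If the requirement still applies to iOS devices behind a proxy, keep the bullet; if it moved, link to the new location. The removed line ran straight into "**System Requirements**" with no line break, which a line break alone would have fixed.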
security Tvm End Of Support Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-end-of-support-software.md
End-of-support (EOS), otherwise known as end-of-life (EOL), for software or soft
It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates. >[!NOTE]
-> EOS capability is not currently available for non-Windows products (Mac, Linux); it will, however, be added in the future.
+> End-of-support capability is currently available only for Windows products.
## Find software or software versions that are no longer supported
security Tvm Zero Day Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-zero-day-vulnerabilities.md
Threat and vulnerability management will only display zero-day vulnerabilities i
Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft Defender Security Center. >[!NOTE]
-> 0-day capability is not currently available for non-Windows products (Mac, Linux); it will, however, be added in the future.
+> 0-day vulnerability capability is currently available only for Windows products.
### Threat and vulnerability management dashboard
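Review bot: The added note says "0-day vulnerability capability", while the surrounding lines of the article write "zero-day vulnerability". Use "zero-day" in the note as well, the same way the parallel change in tvm-end-of-support-software.md spells out "End-of-support" instead of "EOS".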
security Advanced Hunting Deviceinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceinfo-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `OSVersion` | string | Version of the operating system running on the machine | | `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
+| `OnboardingStatus` | string | Indicates whether the device is currently onboarded or not to Microsoft Defender For Endpoint or if the device is not supported |
|`AdditionalFields` | string | Additional information about the event in JSON array format |
+|`DeviceCategory` | string | Broader classification that groups certain device types under the following categories: Endpoint, Network device, IoT, Unknown |
+|`DeviceType` | string | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer |
+|`DeviceSubType` | string | Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone |
+|`Model` | string | Model name or number of the product from the vendor or manufacturer |
+|`Vendor` | string | Name of the product vendor or manufacturer |
+|`OSDistribution` | string | Distribution of the OS platform, such as Ubuntu or RedHat for Linux platforms |
+|`OSVersionInfo` | string | Additional information about the OS version, such as the popular name, code name, or version number |
+|`MergedDeviceIds` | string | Previous device IDs that have been assigned to the same device |
+|`MergedToDeviceId` | string | The most recent device ID assigned to a device |
The `DeviceInfo` table provides device information based on heartbeats, which are periodic reports or signals from a device. Every fifteen minutes, the device sends a partial heartbeat that contains frequently changing attributes like `LoggedOnUsers`. Once a day, a full heartbeat containing the device's attributes is sent.
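Review bot: The added `MergedDeviceIds` row is typed `string` but described in the plural ("Previous device IDs"), and it does not say how multiple IDs are encoded, whereas the existing `AdditionalFields` row states "JSON array format". Document the encoding so hunting queries can split the value reliably. The `OnboardingStatus` row should list its possible values, and "Microsoft Defender For Endpoint" in that row should read "for".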
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
An alert page is composed of these sections:
Throughout an alert page, you can select the ellipses (**...**) beside any entity to see available actions, such as opening the alert page or linking the alert to another incident.
+### Alert sources
+Microsoft 365 Defender alerts may come from solutions like Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Cloud App Security. You may notice alerts with prepended characters in the alert. The following table provides guidance to help you understand the mapping of alert sources based on the prepended character on the alert.
+
+> [!NOTE]
+> - The prepended GUIDs are specific only to unified experiences such as unified alerts queue, unified alerts page, unified investigation, and unified incident.<br>
+> - The prepended character does not change the GUID of the alert. The only change to the GUID is the prepended component.<br>
++
+Alert source | Prepended character
+:|:
+Microsoft Defender for Office 365 | `fa{GUID}` <br> Example: `fa123a456b-c789-1d2e-12f1g33h445h6i`
+Microsoft Defender for Endpoint | `da` or `ed` for custom detection alerts <br>
+Microsoft Defender for Identity | `aa{GUID}` <br> Example: `aa123a456b-c789-1d2e-12f1g33h445h6i`
+Microsoft Cloud App Security |`ca{GUID}` <br> Example: `aa123a456b-c789-1d2e-12f1g33h445h6i`
+++ ### Analyze affected assets The **Actions taken** section has a list of impacted assets, such as mailboxes, devices, and users affected by this alert.
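Review bot: The Microsoft Cloud App Security row gives the pattern `ca{GUID}` but its example starts with `aa`, which is the Defender for Identity prefix; the example should start with `ca`. The Defender for Endpoint row has no `{GUID}` pattern and no example, unlike the other three rows. The example strings contain `g`, `h` and `i`, which are not hexadecimal, so they do not look like GUIDs; a placeholder that is obviously a GUID would read better. The note also says "prepended GUIDs" and "prepended character" for what the table shows as a two-character prefix; pick one term. Finally, the delimiter row `:|:` has no dashes as shown here, so confirm the table renders.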
security M365d Configure Auto Investigation Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-configure-auto-investigation-response.md
audience: ITPro
ms.prod: m365-security localization_priority: Normal-+ - M365-security-compliance - m365initiative-m365-defender
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
-Microsoft 365 Defender includes powerful [automated investigation and response capabilities](m365d-autoir.md) that can save your security operations team much time and effort. With [self-healing](m365d-autoir.md#how-automated-investigation-and-self-healing-works), these capabilities mimic the steps a security analyst would take to investigate and respond to threats, only faster, and with more ability to scale.
+Microsoft 365 Defender includes powerful [automated investigation and response capabilities](m365d-autoir.md) that can save your security operations team much time and effort. With [self-healing](m365d-autoir.md#how-automated-investigation-and-self-healing-works), these capabilities mimic the steps a security analyst would take to investigate and respond to threats, only faster, and with more ability to scale.
This article describes how to configure automated investigation and response in Microsoft 365 Defender with these steps:
Then, after you're all set up, you can [view and manage remediation actions in t
## Prerequisites for automated investigation and response in Microsoft 365 Defender
-|Requirement |Details |
-|:-|:-|
-|Subscription requirements |One of these subscriptions: <br/>- Microsoft 365 E5<br/>- Microsoft 365 A5<br/>- Microsoft 365 E3 with the Microsoft 365 E5 Security add-on<br/>- Microsoft 365 A3 with the Microsoft 365 A5 Security add-on<br/>- Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5<p> See [Microsoft 365 Defender licensing requirements](./prerequisites.md#licensing-requirements).|
-|Network requirements |- [Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) enabled<br/>- [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) configured<br/>- [Microsoft Defender for Identity integration](/cloud-app-security/mdi-integration) |
-|Windows machine requirements |- Windows 10, version 1709 or later installed (See [Windows 10 release information](/windows/release-information/)) <br/>- The following threat protection services configured:<br/>- [Microsoft Defender for Endpoint](../defender-endpoint/configure-endpoints.md)<br/>- [Microsoft Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) |
-|Protection for email content and Office files |[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365#configure-atp-policies) configured |
-|Permissions | To configure automated investigation and response capabilities, you must have the Global Administrator or Security Administrator role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).<p>To get the permissions needed to work with automated investigation and response capabilities, such as reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](m365d-action-center.md#required-permissions-for-action-center-tasks). |
+<br>
+
+****
+
+|Requirement|Details|
+|||
+|Subscription requirements|One of these subscriptions: <ul><li>Microsoft 365 E5</li><li>Microsoft 365 A5</li><li>Microsoft 365 E3 with the Microsoft 365 E5 Security add-on</li><li>Microsoft 365 A3 with the Microsoft 365 A5 Security add-on</li><li>Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5</li></ul> <p> See [Microsoft 365 Defender licensing requirements](./prerequisites.md#licensing-requirements).|
+|Network requirements|<ul><li>[Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) enabled</li><li>[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) configured</li><li>[Microsoft Defender for Identity integration](/cloud-app-security/mdi-integration)</li></ul>|
+|Windows machine requirements|<ul><li>Windows 10, version 1709 or later installed (See [Windows 10 release information](/windows/release-information/))</li><li>The following threat protection services configured:<ul><li>[Microsoft Defender for Endpoint](../defender-endpoint/configure-endpoints.md)</li><li>[Microsoft Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)</li></ul></li></ul>|
+|Protection for email content and Office files|[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365#configure-atp-policies) configured|
+|Permissions|To configure automated investigation and response capabilities, you must have the Global Administrator or Security Administrator role assigned in either Azure Active Directory (<https://portal.azure.com>) or in the Microsoft 365 admin center (<https://admin.microsoft.com>). <p> To get the permissions needed to work with automated investigation and response capabilities, such as reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](m365d-action-center.md#required-permissions-for-action-center-tasks).|
+|
## Review or change the automation level for device groups
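Review bot: The new table's delimiter row is `|||` with no dashes, and the table ends with a lone `|` line; as written that is not a valid delimiter row, where the removed version had `|:-|:-|`. Confirm the table renders, and drop the trailing `|` line if it is not needed. The `<br>` and empty `****` lines added above the table carry no content; if they are a rendering workaround, a short comment saying so would help the next editor.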
Although certain alerts and security policies can trigger automated investigatio
Security settings in Office 365 help protect email and content. To view or change these settings, follow the guidance in [Protect against threats](../office-365-security/protect-against-threats.md).
-1. In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies & Rules** > **Threat policies**.
+1. In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies & Rules** \> **Threat policies**.
2. Make sure all of the following policies are configured. To get help and recommendations, see [Protect against threats](/microsoft-365/security/office-365-security/protect-against-threats).
- - [Anti-malware)](../office-365-security/protect-against-threats.md#part-1anti-malware-protection)
+ - [Anti-malware)](../office-365-security/protect-against-threats.md#part-1anti-malware-protection-in-eop)
- [Anti-phishing)](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection) - [Safe Attachments](../office-365-security/protect-against-threats.md#safe-attachments-policies-in-microsoft-defender-for-office-365) - [Safe Links](../office-365-security/protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365)
- - [Anti-spam](../office-365-security/protect-against-threats.md#part-3anti-spam-protection)
+ - [Anti-spam](../office-365-security/protect-against-threats.md#part-3anti-spam-protection-in-eop)
3. Make sure [Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on) is turned on. 4. Make sure [zero-hour auto purge for email](../office-365-security/protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop) protection is in effect. 5. (This step is optional.) Review your [Office 365 alert policies](../../compliance/alert-policies.md) in the Microsoft 365 compliance center ([https://compliance.microsoft.com/compliancepolicies](https://compliance.microsoft.com/compliancepolicies)). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see [Default alert policies](../../compliance/alert-policies.md#default-alert-policies).
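Review bot: The Anti-malware line touched here keeps a stray `)` inside the link text, `[Anti-malware)]`, and the Anti-phishing link on the next line has the same problem; fix both while the anchors are being updated. The anti-malware and anti-spam anchors gain `-in-eop` but `#part-2anti-phishing-protection` is left unchanged, so confirm that anchor still resolves in the target article.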
Security settings in Office 365 help protect email and content. To view or chang
2. In the navigation pane, look for **Incidents**, **Action center**, and **Hunting**, as shown in the preceding image. - If you see **Incidents**, **Action center**, and **Hunting**, Microsoft 365 Defender is turned on. See the [Review or change the automation level for device groups](#review-or-change-the-automation-level-for-device-groups) section of this article. - If you do *not* see **Incidents**, **Action center**, or **Hunting**, Microsoft 365 Defender might not be turned on. In this case, [visit the Action center](m365d-action-center.md)).
-3. In the navigation pane, choose **Settings** > **Microsoft 365 Defender**. Confirm that Microsoft 365 Defender is turned on.
+3. In the navigation pane, choose **Settings** > **Microsoft 365 Defender**. Confirm that Microsoft 365 Defender is turned on.
> [!TIP] > Need help? See [Turn on Microsoft 365 Defender](m365d-enable.md).
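Review bot: Step 3 leaves the `>` between **Settings** and **Microsoft 365 Defender** unescaped, while an earlier hunk in this same file changes `>` to `\>` in a navigation path; escape it here too for consistency. The context line above also ends with a doubled `))` after the Action center link, which is worth cleaning up in the same pass.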
security Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/prerequisites.md
Currently, Microsoft 365 Defender is *not* available to:
- US Department of Defense - All US government institutions with commercial licenses +
+Currently, the Microsoft Defender for Office 365 integration into the unified Microsoft 365 Defender features are not available to customers in the following Office 365 datacenter locations:
+
+- Brazil
+- Germany
+- Norway
+- Singapore
+- South Africa
+- Switzerland
+- United Arab Emirates
++ ## Related topics - [Microsoft 365 Defender overview](microsoft-365-defender.md) - [Turn on Microsoft 365 Defender](m365d-enable.md)
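Review bot: The added sentence has a subject-verb mismatch: "the Microsoft Defender for Office 365 integration into the unified Microsoft 365 Defender features are not available". Suggest "the integration of Microsoft Defender for Office 365 into the unified Microsoft 365 Defender features is not available to customers in the following Office 365 datacenter locations". It would also help to say what customers in those locations should use instead, since the list is the only guidance given.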
security Anti Spam And Anti Malware Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-and-anti-malware-protection.md
EOP has built-in inbound and outbound malware filtering to help protect your org
The following table contains links to topics that explain how anti-malware protection works in EOP, and how you can fine-tune your anti-malware configuration settings to best meet the needs of your organization.
+<br>
+ **** |Topic|Description|
The following table contains links to topics that explain how anti-malware prote
The following table contains links to topics that explain how anti-spam protection works in EOP, and how you can fine-tune your anti-spam configuration settings to best meet the needs of your organization.
+<br>
+ **** |Topic|Description|
The following table contains links to topics that explain how anti-spam protecti
The following table contains links to topics that explain how outbound spam protection works for Exchange Online mailboxes.
+<br>
+ **** |Topic|Description|
The following table contains links to topics that explain how outbound spam prot
The following table contains links to topics that explain settings that are common to anti-malware and anti-spam protection.
+<br>
+ **** |Topic|Description|
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
You can configure anti-malware policies in the Microsoft 365 security center or
Creating a custom anti-malware policy in the security center creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware**, and then click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware**, and then click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
2. The policy wizard opens. On the **Name your policy page**, configure these settings: - **Name**: Enter a unique, descriptive name for the policy.
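Review bot: Step 1 of the create procedure still reads **Anti-Malware**, while the other procedures in this file are changed to **Anti-malware** in the same commit; this line is already being touched, so align the casing here. In the context line below, the bold span in "On the **Name your policy page**" includes the word "page"; it should probably read **Name your policy** page.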
Creating a custom anti-malware policy in the security center creates the malware
## Use the security center to view anti-malware policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
- The following properties are displayed on the page:
+2. On the **Anti-malware** page, the following properties are displayed in the list of anti-malware policies:
- **Name** - **Status** - **Priority**
-2. When you select a policy, the policy settings are displayed in a flyout.
+3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
## Use the security center to modify anti-malware policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
-2. Select a policy from the list by clicking on the name of the policy. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the security center to create anti-malware policies](#use-the-security-center-to-create-anti-malware-policies) section in this article.
+2. On the **Anti-malware** page, select a policy from the list by clicking on the name.
- **Note**: You can't rename the default policy.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the security center to create anti-malware policies](#use-the-security-center-to-create-anti-malware-policies) section in this article.
-## Use the security center to enable or disable anti-malware policies
+ For the default anti-malware policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.
+
+To enable or disable a policy or set the policy priority order, see the following sections.
+
+### Enable or disable anti-malware policies
You can't disable the default anti-malware policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
+
+2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
-2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, you'll see one of the following values:
+3. At the top of the policy details flyout that appears, you'll see one of the following values:
- **Policy off**: To turn on the policy, click ![Turn on icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** . - **Policy on**: To turn off the policy, click ![Turn off icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
-3. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
+4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
-4. Click **Close** in the policy details flyout.
+5. Click **Close** in the policy details flyout.
-Back on the main policy page, the **Status** value will be **On** or **Off**.
+Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
-## Use the security center to set the priority of custom anti-malware policies
+### Set the priority of custom anti-malware policies
By default, anti-malware policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Security & Compliance Center). Changing the priority of a policy only makes sense if you have multiple policies.
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
**Notes**: - In the security center, you can only change the priority of the anti-malware policy after you create it. In PowerShell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules).-- Anti-malware policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-malware policy named Default has the priority value **Lowest**, and you can't change it.
+- Anti-malware policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-malware policy has the priority value **Lowest**, and you can't change it.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
-2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
+2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
+
+3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
- The anti-malware policy with the **Priority** value **0** has only the **Decrease priority** option available. - The anti-malware policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available. - If you have three or more anti-malware policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
-3. Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
+ Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
4. When you're finished, click **Close** in the policy details flyout. ## Use the security center to remove anti-malware policies
-When you use the security center to remove an anti-malware policy, the malware filter rule and the corresponding malware filter policy are both deleted.
+When you use the security center to remove an anti-malware policy, the malware filter rule and the corresponding malware filter policy are both deleted. You can't remove the default policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
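Review bot: The two headings demoted from `##` to `###` also lose the "Use the security center to" prefix, so their anchors change; check for inbound links to the old anchors before merging. Step 2 of the remove procedure still combines selecting the policy and the flyout action in one step and does not mention the **Anti-malware** page, unlike the view, modify, enable and priority procedures that this hunk splits into separate steps. In the priority section, "the lowest **Priority** value (for example, **3**)" is ambiguous next to the statement that a lower number means higher priority; "the lowest priority (highest number)" would be clearer.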
When you use the security center to remove an anti-malware policy, the malware f
## Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-malware policies
+For more information about anti-spam policies in PowerShell, see [Anti-malware policies in the Microsoft 365 security center vs PowerShell](anti-malware-protection.md#anti-malware-policies-in-the-microsoft-365-security-center-vs-powershell).
+ ### Use PowerShell to create anti-malware policies Creating an anti-malware policy in PowerShell is a two-step process:
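Review bot: The added sentence says "For more information about anti-spam policies in PowerShell" but links to "Anti-malware policies in the Microsoft 365 security center vs PowerShell" in an anti-malware article; this looks like a copy-paste slip and should read "anti-malware policies".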
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
Admins can view, edit, and configure (but not delete) the default anti-spam policy. For greater granularity, you can also create custom anti-spam policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
-You can configure anti-spam policies in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+You can configure anti-spam policies in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
The basic elements of an anti-spam policy are: - **The spam filter policy**: Specifies the actions for spam filtering verdicts and the notification options. - **The spam filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a spam filter policy.
-The difference between these two elements isn't obvious when you manage anti-spam polices in the Security & Compliance Center:
+The difference between these two elements isn't obvious when you manage anti-spam polices in the security center:
- When you create an anti-spam policy, you're actually creating a spam filter rule and the associated spam filter policy at the same time using the same name for both. - When you modify an anti-spam policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the spam filter rule. All other settings modify the associated spam filter policy.
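Review bot: The rewritten sentence carries over the typo "anti-spam polices"; since the line is being changed anyway, correct it to "policies".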
To increase the effectiveness of spam filtering, you can create custom anti-spam
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Anti-spam settings** page, use <https://protection.office.com/antispam>.
+- You open the security center at <https://security.microsoft.com/>. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
To increase the effectiveness of spam filtering, you can create custom anti-spam
- For our recommended settings for anti-spam policies, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
-## Use the Security & Compliance Center to create anti-spam policies
+## Use the security center to create anti-spam policies
-Creating a custom anti-spam policy in the Security & Compliance Center creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
+Creating a custom anti-spam policy in the security center creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
-2. On the **Anti-spam settings** page, click **Create a policy**.
+2. Click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Inbound** from the dropdown list.
-3. In the **New spam filter policy** fly out that opens, configure the following settings:
+3. The policy wizard opens. On the **Name your policy page**, configure these settings:
+ - **Name**: Enter a unique, descriptive name for the policy.
+ - **Description**: Enter an optional description for the policy.
- - **Name**: Enter a unique, descriptive name for the policy. Don't use the following characters: `\ % & * + / = ? { } | < > ( ) ; : , [ ] "`.
+ When you're finished, click **Next**.
- If you previously created anti-spam policies in the Exchange admin center (EAC) that contains these characters, you should rename the anti-spam policy in PowerShell. For instructions, see the [Use PowerShell to modify spam filter rules](#use-powershell-to-modify-spam-filter-rules) section later in this article.
+4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+ - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
+ - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- - **Description**: Enter an optional description for the policy.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
+
+ Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
+
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
+
+ When you're finished, click **Next**.
+
+5. On the **Bulk email threshold & spam properties** page that appears, configure the following settings:
+
+ - **Bulk email threshold**: Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the **Bulk** spam filtering verdict that you configure on the next page (greater than the specified value, not greater than or equal to). A higher value indicates the message is less desirable (more likely to resemble spam). The default value is 7. For more information, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md) and [What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md).
+
+ By default, the PowerShell only setting _MarkAsSpamBulkMail_ is `On` in anti-spam policies. This setting dramatically affects the results of a **Bulk** filtering verdict:
+
+ - **_MarkAsSpamBulkMail_ is On**: A BCL that's greater than the threshold is converted to an SCL 6 that corresponds to a filtering verdict of **Spam**, and the action for the **Bulk** filtering verdict is taken on the message.
+ - **_MarkAsSpamBulkMail_ is Off**: The message is stamped with the BCL, but _no action_ is taken for a **Bulk** filtering verdict. In effect, the BCL threshold and **Bulk** filtering verdict action are irrelevant.
+
+ - **Increase spam score**, **Mark as spam**<sup>\*</sup> and **Test mode**: Contains the Advanced Spam Filter (ASF) settings that are turned off by default. ASF settings are in the process of being deprecated, and their functionality is being incorporated into other parts of the filtering stack. We recommend that you leave all of these ASF settings turned off in your anti-spam policies.
-4. (Optional) Expand the **Spam and bulk actions** section, and verify or configure the following settings:
+ For details about these settings, see [Advanced Spam Filter settings in EOP](advanced-spam-filtering-asf-options.md).
- - **Select the action to take for incoming spam and bulk email**: Select or review the action to take on messages based on the following spam filtering verdicts:
+ <sup>\*</sup> **Contains specific languages** and **from these countries** are not part of ASF settings.
+ - **Contains specific languages**: Click the box and select **On** or **Off** from the dropdown list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages will appear. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ - **From these countries***: Click the box and select **On** or **Off** from the dropdown list. If you turn it on, a box appears. Start typing the name of a country in the box. A filtered list of supported countries will appear. When you find the country that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ When you're finished, click **Next**.
+
+6. On the **Actions** page that appears, configure the following settings:
+
+ - **Message actions**: Select or review the action to take on messages based on the following spam filtering verdicts:
- **Spam** - **High confidence spam**
- - **Phishing email**
- - **High confidence phishing email**
- - **Bulk email**
+ - **Phishing**
+ - **High confidence phishing**
+ - **Bulk**
The available actions for spam filtering verdicts are described in the following table.
- - A check mark ( ![Check mark](../../media/checkmark.png)) indicates the action is available (not all actions are available for all spam filtering verdicts).
+ - A check mark ( ![Check mark](../../media/checkmark.png)) indicates the action is available (not all actions are available for all verdicts).
- An asterisk ( <sup>\*</sup> ) after the check mark indicates the default action for the spam filtering verdict.
+ <br>
+ ****
- |Action|Spam|High<br>confidence<br>spam|Phishing<br>email|High<br>confidence<br>phishing<br>email|Bulk<br>email|
+ |Action|Spam|High<br>confidence<br>spam|Phishing|High<br>confidence<br>phishing|Bulk|
||::|::|::|::|::| |**Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder.<sup>1</sup>|![Check mark](../../media/checkmark.png)<sup>\*</sup>|![Check mark](../../media/checkmark.png)<sup>\*</sup>|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)<sup>\*</sup>| |**Add X-header**: Adds an X-header to the message header and delivers the message to the mailbox. <p> You enter the X-header field name (not the value) later in the **Add this X-header text** box. <p> For **Spam** and **High confidence spam** verdicts, the message is moved to the Junk Email folder.<sup>1,2</sup>|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)||![Check mark](../../media/checkmark.png)<sup>\*</sup>|
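Review bot: The footnote marker on the added "**From these countries***" bullet is a bare third asterisk, which Markdown will either print literally or pull into the bold run. The footnote line added just above it uses `<sup>\*</sup>`, so the bullet should end with the same `<sup>\*</sup>` after the closing bold. The footnote also names **Contains specific languages**, but that bullet carries no marker at all, so it needs one too. Separately, the added `****` line before the table header is an empty bold span; if it is only there to force table rendering, say so in a comment, otherwise drop it.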
Creating a custom anti-spam policy in the Security & Compliance Center creates t
> > <sup>2</sup> You can this use value as a condition in mail flow rules to filter or route the message.
- - **Select the threshold**: Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the **Bulk email** spam filtering verdict (greater than the specified value, not greater than or equal to). A higher value indicates the message is less desirable (more likely to resemble spam). The default value is 7. For more information, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md) and [What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md).
-
- By default, the PowerShell only setting _MarkAsSpamBulkMail_ is `On` in anti-spam policies. This setting dramatically affects the results of a **Bulk email** filtering verdict:
-
- - **_MarkAsSpamBulkMail_ is On**: A BCL that's greater than the threshold is converted to an SCL 6 that corresponds to a filtering verdict of **Spam**, and the action for the **Bulk email** filtering verdict is taken on the message.
-
- - **_MarkAsSpamBulkMail_ is Off**: The message is stamped with the BCL, but _no action_ is taken for a **Bulk email** filtering verdict. In effect, the BCL threshold and **Bulk email** filtering verdict action are irrelevant.
-
- - **Quarantine**: Specifies how long to keep the message in quarantine if you selected **Quarantine message** as the action for a spam filtering verdict. After the time period expires, the message is deleted. The default value is 30 days. A valid value is from 1 to 30 days. For information about quarantine, see the following topics:
+ - **Retain spam in quarantine for this many days**: Specifies how long to keep the message in quarantine if you selected **Quarantine message** as the action for a spam filtering verdict. After the time period expires, the message is deleted. The default value is 30 days. A valid value is from 1 to 30 days. For information about quarantine, see the following topics:
- [Quarantined messages in EOP](quarantine-email-messages.md) - [Manage quarantined messages and files as an admin in EOP](manage-quarantined-messages-and-files.md)
Creating a custom anti-spam policy in the Security & Compliance Center creates t
- **Redirect to this email address**: This box is required and available only if you selected the **Redirect message to email address** as the action for a spam filtering verdict. Enter the email address where you want to deliver the message. You can enter multiple values separated by semicolons (;).
- - **Safety Tips**: By default, Safety Tips are enabled, but you can disable them by clearing the **On** checkbox. For more information about Safety Tips, see [Safety tips in email messages](safety-tips-in-office-365.md).
-
- **Zero-hour auto purge** settings: ZAP detects and takes action on messages that have already been delivered to Exchange Online mailboxes. For more information about ZAP, see [Zero-hour auto purge - protection against spam and malware](zero-hour-auto-purge.md).
-
- - **Spam ZAP**: By default, ZAP is enabled for spam detections, but you can disable it by clearing the **On** checkbox.
-
- - **Phish ZAP**: By default, ZAP is enabled for phishing detections, but you can disable it by clearing the **On** checkbox.
-
-5. (Optional) Expand the **Allow lists** section to configure message senders by email address or email domain that are allowed to skip spam filtering:
-
- > [!CAUTION]
- >
- > - Think very carefully before you add domains here. For more information, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md)
- >
- > - Never add accepted domains (domains that you own) or common domains (for example, microsoft.com or office.com) to the allowed domains list. This would allow attackers to send email that bypasses spam filtering into your organization.
-
- - **Allow sender**: Click **Edit**. In the **Allowed sender list** flyout that appears:
-
- a. Enter the sender's email address. You can specify multiple email addresses separated by semicolons (;).
-
- b. Click ![Add icon](../../media/c2dd8b3a-5a22-412c-a7fa-143f5b2b5612.png) to add the senders.
-
- Repeat these steps as many times as necessary.
-
- The senders you added appear in the **Allowed Sender** section on the flyout. To delete a sender, click ![Remove icon](../../media/scc-remove-icon.png).
-
- When you're finished, click **Save**.
-
- - **Allow domain**: Click **Edit**. In the **Allowed domain list** flyout that appears do these steps:
-
- a. Enter the domain. You can specify multiple domains separated by semicolons (;).
-
- b. Click ![Add icon](../../media/c2dd8b3a-5a22-412c-a7fa-143f5b2b5612.png) to add the domains.
-
- Repeat these steps as many times as necessary.
-
- The domains you added appear in the **Allowed Domain** section on the flyout. To delete a domain, click ![Remove icon](../../media/scc-remove-icon.png).
-
- When you're finished, click **Save**.
-
-6. (Optional) Expand the **Block lists** section to configure message senders by email address or email domain that will always be marked as high confidence spam:
-
- > [!NOTE]
- > Manually blocking domains isn't dangerous, but it can increase your administrative workload. For more information, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md).
-
- - **Block sender**: Click **Edit**. In the **Blocked sender list** flyout that appears do these steps:
+ - **Enable safety Tips**: By default, Safety Tips are enabled, but you can disable them by clearing the checkbox. For more information about Safety Tips, see [Safety tips in email messages](safety-tips-in-office-365.md).
- a. Enter the sender's email address. You can specify multiple email addresses separated by semicolons (;). Wildcards (*) aren't allowed.
+ - **Enable zero-hour auto purge (ZAP)**: ZAP detects and takes action on messages that have already been delivered to Exchange Online mailboxes. For more information, see [Zero-hour auto purge - protection against spam and malware](zero-hour-auto-purge.md).
- b. Click ![Add icon](../../media/c2dd8b3a-5a22-412c-a7fa-143f5b2b5612.png) to add the senders.
+ ZAP is turned on by default. When ZAP is turned on, the following settings are available:
- Repeat these steps as many times as necessary.
+ - **Enable ZAP for phishing messages**: By default, ZAP is enabled for phishing detections, but you can disable it by clearing the checkbox.
+ - **Enable ZAP for spam messages**: By default, ZAP is enabled for spam detections, but you can disable it by clearing the checkbox.
- The senders you added appear in the **Blocked Sender** section on the flyout. To delete a sender, click ![Remove button](../../media/scc-remove-icon.png).
+ - **Enable end-user spam notifications**: For more information, see the [Configure end-user spam notifications](#configure-end-user-spam-notifications) section later in this topic.
- When you're finished, click **Save**.
+ When you're finished, click **Next**.
- - **Block domain**: Click **Edit**. In the **Blocked domain list** flyout that appears:
+7. On the **Allow & block list** flyout that appears, you are able to configure message senders by email address or email domain that are allowed to skip spam filtering.
- a. Enter the domain. You can specify multiple domains separated by semicolons (;). Wildcards (*) aren't allowed.
+ In the **Allowed** section, you can configure allowed senders and allowed domains. In the **Blocked** section, you can add blocked senders and blocked domains.
- b. Click ![Add icon](../../media/c2dd8b3a-5a22-412c-a7fa-143f5b2b5612.png) to add the domains.
-
- Repeat these steps as many times as necessary.
-
- The domains you added appear in the **Blocked Domain** list on the flyout. To delete a domain, click ![Remove button](../../media/scc-remove-icon.png).
-
- When you're finished, click **Save**.
-
-7. (Optional) Expand the **International spam** section to configure the email languages or source countries that are blocked by spam filtering:
-
- - **Filter email messages written in the following languages**: This setting is disabled by default (**Status: OFF**). Click **Edit**. In the **International spam settings** flyout that appears, configure the following settings:
-
- - **Filter email messages written in the following languages**: Select the checkbox to enable this setting. Clear the checkbox to disable this setting.
-
- - Click in the box and start typing the *name* of the language. A filtered list of supported languages will appear, along with the corresponding ISO 639-2 language code. When you find the language you're looking for, select it. Repeat this step as many times as necessary.
-
- The list of languages you selected appears on the flyout. To delete a language, click ![Remove button](../../media/scc-remove-icon.png).
-
- When you're finished, click **Save**.
-
- - **Filter email messages sent from the following countries or regions**: This setting is disabled by default (**Status: OFF**). To enable it, click **Edit**. In the **International spam settings** flyout that appears, configure the following settings:
-
- - **Filter email messages sent from the following countries or regions**: Select the checkbox to enable this setting. Clear the checkbox to disable this setting.
-
- - Click in the box and start typing the *name* of the country or region. A filtered list of supported countries will appear, along with the corresponding ISO 3166-1 two-letter country code. When you find the country or region you're looking for, select it. Repeat this step as many times as necessary.
-
- The list of countries you selected appears on the flyout. To delete a country or region, click ![Remove button](../../media/scc-remove-icon.png).
-
- When you're finished, click **Save**.
-
-8. The optional **Spam properties** section contains Advanced Spam Filter (ASF) settings that are turned off by default. ASF settings are in the process of being deprecated, and their functionality is being incorporated into other parts of the filtering stack. We recommend that you leave all of these ASF settings turned off in your anti-spam policies.
+ > [!IMPORTANT]
+ >
+ > Think very carefully before you add domains to the allowed domains list. For more information, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md)
+ >
+ > Never add your own [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) or common domains (for example, microsoft.com or office.com) to the allowed domains list. If these domains are allowed to bypass spam filtering, allow attackers an easily send email into your organization.
+ >
+ > Manually blocking domains by adding the domains to the blocked domains list isn't dangerous, but it can increase your administrative workload. For more information, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md).
+ >
+ > There will be times when our filters will miss a message, you don't agree with the filtering verdict, or it takes time for our systems to catch up to it. In these cases, the allow list and block list are available to override the current filtering verdicts. But, you should use these lists sparingly and temporarily: longs lists can become unmanageable, and our filtering stack should be doing what it's supposed to be doing. If you're going to keep an allowed domain for an extended period of time, you should tell the sender to verify that their domain is authenticated and set to DMARC reject if it's not.
- For details about these settings, see [Advanced Spam Filter settings in EOP](advanced-spam-filtering-asf-options.md).
+ The steps to add entries to any of the lists are the same:
-9. (Required) Expand the **Applied to** section to identify the internal recipients that the policy applies to.
+ 1. Click the link for the list that you want to configure:
+ - **Allowed** \> **Senders**: Click **Manage (nn) sender(s)**.
+ - **Allowed** \> **Domains**: Click **Allow domains**.
+ - **Blocked** \> **Senders**: Click **Manage (nn) sender(s)**.
+ - **Blocked** \> **Domains**: Click **Block domains**.
- You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
+ 2. In the flyout that appears, do the following steps:
+ 1. Click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Add senders** or **Add domains**.
+ 2. In the **Add senders** or **Add domains** flyout that appears, enter the sender's email address in the **Sender** box or the domain in the **Domain** box. As you're typing, the value appears below the box. When you're finished typing the email address or domain, select the value below the box.
+ 3. Repeat the previous step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- It's easiest to click **Add a condition** three times to see all of the available conditions. You can click ![Remove button](../../media/scc-remove-icon.png) to remove conditions that you don't want to configure.
+ When you're finished, click **Add senders** or **Add domains**.
- - **The recipient domain is**: Specifies recipients in one or more of the configured accepted domains in your organization. Click in the **Add a tag** box to see and select a domain. Click again the **Add a tag** box to select additional domains if more than one domain is available.
+ Back on the main flyout, the senders or domains that you added are listed on the page. To remove an entry from this page, do the following steps:
- - **Recipient is**: Specifies one or more mailboxes, mail users, or mail contacts in your organization. Click in the **Add a tag** and start typing to filter the list. Click again the **Add a tag** box to select additional recipients.
+ 1. Select one or more entries from the list. You can also use the **Search** box to find values in the list.
+ 2. After you select at least one entry, the delete icon ![Delete icon](../../media/m365-cc-sc-delete-icon.png) appears.
+ 3. Click the delete icon ![Delete icon](../../media/m365-cc-sc-delete-icon.png) to remove the selected entries.
- - **Recipient is a member of**: Specifies one or more groups in your organization. Click in the **Add a tag** and start typing to filter the list. Click again the **Add a tag** box to select additional recipients.
+ When you're finished, click **Done**.
- - **Except if**: To add exceptions for the rule, click **Add a condition** three times to see all of the available exceptions. The settings and behavior are exactly like the conditions.
+ Back on the **Allow & block list** page, click **Next** when you're read to continue.
-10. When you're finished, click **Save**.
+8. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section.
-## Use the Security & Compliance Center to view anti-spam policies
+ When you're finished, click **Create**.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+9. On the confirmation page that appears, click **Done**.
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand an anti-spam policy:
+## Use the security center to view anti-spam policies
- - The default policy named **Default spam filter policy**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
- - A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
+2. On the **Anti-spam policy** page, look for one of the following values:
+ - The **Type** value is **Custom anti-spam policy**
+ - The **Name** value is **Anti-spam inbound policy (Default)**
-3. The important policy settings are displayed in the expanded policy details that appear. To see more details, click **Edit policy**.
+ The following properties are displayed in the list of anti-spam policies:
-## Use the Security & Compliance Center to modify anti-spam policies
+ - **Name**
+ - **Status**
+ - **Priority**
+ - **Type**
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+3. When you select an anti-spam policy by clicking on the name, the policy settings are displayed in a flyout.
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand an anti-spam policy:
+## Use the security center to modify anti-spam policies
- - The default policy named **Default spam filter policy**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
+2. On the **Anti-spam policy** page, select an anti-spam policy from the list by clicking on the name:
- A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
+ - The default policy named **Anti-spam inbound policy (Default)**.
-3. Click **Edit policy**.
-
-For custom anti-spam policies, the available settings in the flyout that appears are identical to those described in the [Use the Security & Compliance Center to create anti-spam policies](#use-the-security--compliance-center-to-create-anti-spam-policies) section.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the security center to create anti-spam policies](#use-the-security-center-to-create-anti-spam-policies) section in this article.
-For the default anti-spam policy named **Default spam filter policy**, the **Applied to** section isn't available (the policy applies to everyone), and you can't rename the policy.
+ For the default anti-spam policy, the **Applied to** section isn't available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy, set the policy priority order, or configure the end-user quarantine notifications, see the following sections. ### Enable or disable anti-spam policies
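Review bot: In the added [!IMPORTANT] block under step 7, the sentence "If these domains are allowed to bypass spam filtering, allow attackers an easily send email into your organization" is garbled, and it is the one sentence that states the risk. The caution this hunk removes had it as "This would allow attackers to send email that bypasses spam filtering into your organization"; restore that wording. The step 7 intro also describes the flyout only as configuring senders "that are allowed to skip spam filtering" although the step covers the blocked lists as well. The removed statements that blocked entries "will always be marked as high confidence spam" and that "Wildcards (*) aren't allowed" have no replacement in the added lines, so an admin no longer learns either from this procedure. Smaller fixes in the same region: "longs lists", "when you're read to continue", and step 7 is called a flyout in its first line and a page in its last.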
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+You can't disable the default anti-spam policy.
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand a custom policy that you created (the value in the **Type** column is **Custom anti-spam policy**).
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
-3. In the expanded policy details that appear, notice the value in the **On** column.
+2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
- Move the toggle to the left to disable the policy: ![Toggle off](../../media/scc-toggle-off.png)
+3. At the top of the policy details flyout that appears, you'll see one of the following values:
+ - **Policy off**: To turn on the policy, click ![Turn on icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** .
+ - **Policy on**: To turn off the policy, click ![Turn off icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
- Move the toggle to the right to enable the policy: ![Toggle on](../../media/scc-toggle-on.png)
+4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
-You can't disable the default anti-spam policy.
+5. Click **Close** in the policy details flyout.
-### Set the priority of custom anti-spam policies
+Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
-By default, anti-spam policies are given a priority that's based on the order they were created in (newer polices are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-
-For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+### Set the priority of custom anti-spam policies
-Custom anti-spam policies are displayed in the order they're processed (the first policy has the **Priority** value 0). The default anti-spam policy named **Default spam filter policy** has the priority value **Lowest**, and you can't change it.
+By default, anti-spam policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
- **Note**: In the Security & Compliance Center, you can only change the priority of the anti-spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules).
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
-To change the priority of a policy, move the policy up or down in the list (you can't directly modify the **Priority** number in the Security & Compliance Center).
+ **Notes**:
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+- In the security center, you can only change the priority of the anti-spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules).
+- Anti-spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-spam policy has the priority value **Lowest**, and you can't change it.
-2. On the **Anti-spam settings** page, find the policies where the value in the **Type** column is **Custom anti-spam policy**. Notice the values in the **Priority** column:
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
- - The custom anti-spam policy with the highest priority has the value ![Down Arrow icon](../../media/ITPro-EAC-DownArrowIcon.png) **0**.
+2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
- - The custom anti-spam policy with the lowest priority has the value ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png) **n** (for example, ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png) **3**).
+3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
+ - The anti-spam policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The anti-spam policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more anti-spam policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
- - If you have three or more custom anti-spam policies, the policies between the highest and lowest priority have values ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png)![Down Arrow icon](../../media/ITPro-EAC-DownArrowIcon.png) **n** (for example, ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png)![Down Arrow icon](../../media/ITPro-EAC-DownArrowIcon.png) **2**).
+ Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
-3. Click ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png) or ![Down Arrow icon](../../media/ITPro-EAC-DownArrowIcon.png) to move the custom anti-spam policy up or down in the priority list.
+4. When you're finished, click **Close** in the policy details flyout.
### Configure end-user spam notifications When a spam filtering verdict quarantines a message, you can configure end-user spam notifications to let recipients know what happened to messages that were sent to them. For more information about these notifications, see [End-user spam notifications in EOP](use-spam-notifications-to-release-and-report-quarantined-messages.md).
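Review bot: Step 2 of the added priority procedure reads "select a select a policy" (duplicated words). In both procedures in this region the added text bolds "**Type value**"; the bold should cover only **Type**, matching "The **Type** value is" in the view section added earlier. The added "**Notes**:" line is also indented by one space while the two bullets under it start at column 0, so the label and its bullets may not render as one block; align them, and consider moving the notes after the numbered steps so the sentence "To change the priority of a policy, you click..." leads directly into step 1.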
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
-
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand an anti-spam policy:
-
- - The default policy named **Default spam filter policy**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
+2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name:
- A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
+ - The default policy named **Anti-spam inbound policy (Default)**.
-3. In the expanded policy details that appear, click **Configure end-user spam notifications**.
+3. In the policy details flyout that appears, click **Edit** in the **Actions** section. In the **Actions** flyout that appears, configure the following settings:
-4. In the **\<Policy Name\>** dialog that opens, configure the following settings:
+ - **Enable end-user spam notifications**: Select the checkbox to enable notifications or clear the checkbox to disable notifications. When you select the checkbox, the following additional settings appear:
- - **Enable end-user spam notifications**: Select the checkbox to enable notifications. Clear the checkbox to disable notifications.
+ - **Send end-user spam notifications every (days)**: Select how frequently notifications are sent. The default value is 3 days. You can enter 1 to 15 days.
- - **Send end-user spam notifications every (days)**: Select how frequently notifications are sent. The default value is 3 days. You can enter 1 to 15 days.
+ There are 3 cycles of end-user spam notification within a 24 hour period that start at the following times: 01:00 UTC, 08:00 UTC, and 16:00 UTC.
- There are 3 cycles of end-user spam notification within a 24 hour period that start at the following times: 01:00 UTC, 08:00 UTC, and 16:00 UTC.
+ > [!NOTE]
+ > If we missed a notification during a previous cycle, a subsequent cycle will push the notification. This might give the appearance of multiple notifications within the same day.
- > [!NOTE]
- > If we missed a notification during a previous cycle, a subsequent cycle will push the notification. This may give the appearance of multiple notifications within the same day.
-
- - **Notification language**: Click the drop down an select an available language from the list. The default value is **Default**, which means English.
+ - **Language**: Click the drop down an select an available language from the list. The default value is **Default**, which means English.
When you're finished, click **Save**.
-## Use the Security & Compliance Center to remove anti-spam policies
+4. Back on the policy details flyout, click **Close**.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+## Use the security center to remove anti-spam policies
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand the custom policy that you want to delete (the **Type** column is **Custom anti-spam policy**).
+When you use the security center to remove an anti-spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default policy.
-3. In the expanded policy details that appear, click **Delete policy**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
-4. Click **Yes** in the warning dialog that appears.
+2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
-You can't remove the default policy.
+3. In the confirmation dialog that appears, click **Yes**.
## Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-spam policies
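Review bot: The added "**Language**" bullet carries over the typo "Click the drop down an select" from the line it replaces; change it to "and select" while the line is being touched. In the remove procedure, the added step 2 again bolds "**Type value**" instead of **Type**, and it packs two actions (select the policy, then **More actions** \> **Delete policy**) into one step where every other procedure in this hunk gives the flyout action its own step. The new opening sentence stating that the spam filter rule and the spam filter policy are both deleted is a useful addition and should stay.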
In Exchange Online PowerShell or standalone EOP PowerShell, the difference betwe
The following anti-spam policy settings are only available in PowerShell: -- The _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting were explained in the [Use the Security & Compliance Center to create anti-spam policies](#use-the-security--compliance-center-to-create-anti-spam-policies) section earlier in this article.
+- The _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting were explained in the [Use the security center to create anti-spam policies](#use-the-security-center-to-create-anti-spam-policies) section earlier in this article.
- The following settings for end-user spam quarantine notifications:- - The _DownloadLink_ parameter that shows or hides the link to the Junk Email Reporting Tool for Outlook.- - The _EndUserSpamNotificationCustomSubject_ parameter that you can use to customize the subject line of the notification. ### Use PowerShell to create anti-spam policies
Creating an anti-spam policy in PowerShell is a two-step process:
- You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy. -- You can configure the following settings on new spam filter policies in PowerShell that aren't available in the Security & Compliance Center until after you create the policy:
+- You can configure the following settings on new spam filter policies in PowerShell that aren't available in the security center until after you create the policy:
- Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedContentFilterRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedContentFilterRule** cmdlet). -- A new spam filter policy that you create in PowerShell isn't visible in the Security & Compliance Center until you assign the policy to a spam filter rule.
+- A new spam filter policy that you create in PowerShell isn't visible in the security center until you assign the policy to a spam filter rule.
#### Step 1: Use PowerShell to create a spam filter policy
New-HostedContentFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments
This example creates a spam filter policy named Contoso Executives with the following settings: - Quarantine messages when the spam filtering verdict is spam or high confidence spam.--- BCL 6 triggers the action for a bulk email spam filtering verdict.
+- BCL 7, 8, or 9 triggers the action for a bulk email spam filtering verdict.
```PowerShell New-HostedContentFilterPolicy -Name "Contoso Executives" -HighConfidenceSpamAction Quarantine -SpamAction Quarantine -BulkThreshold 6 ```
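Review bot: The bullet now says BCL 7, 8, or 9 triggers the bulk action, but the command directly below it still passes `-BulkThreshold 6`, and nothing in this hunk says whether the threshold is inclusive. If the action fires only for values above the configured threshold, say so in the bullet, for example "BCL 7, 8, or 9 (greater than the threshold of 6)". Otherwise the text and the command read as a mismatch.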
-> [!NOTE]
-> **New-HostedContentFilterPolicy** and **Set-HostedContentFilterPolicy** contain an older _ZapEnabled_ parameter, as well as newer _PhishZapEnabled_ and _SpamZapEnabled_ parameters. The _ZapEnabled_ parameter was deprecated in February 2020. The _PhishZapEnabled_ and _SpamZapEnabled_ parameters used to inherit their values from the _ZapEnabled_ parameter. But, if you use the _PhishZapEnabled_ and _SpamZapEnabled_ parameters in a command or you use the **Spam ZAP** or **Phish ZAP** settings in the anti-spam policy in the Security & Compliance Center, the value of the _ZapEnabled_ parameter is ignored. In other words, don't use the _ZapEnabled_ parameter; use the _PhishZapEnabled_ and _SpamZapEnabled_ parameters instead.
- For detailed syntax and parameter information, see [New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy). #### Step 2: Use PowerShell to create a spam filter rule
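Review bot: Removing this note drops the only statement in this section that _ZapEnabled_ was deprecated and that its value is ignored once _PhishZapEnabled_ or _SpamZapEnabled_ is used. If **New-HostedContentFilterPolicy** and **Set-HostedContentFilterPolicy** still accept _ZapEnabled_, keep a one-line pointer here so that an existing script that sets it is not assumed to control ZAP.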
New-HostedContentFilterRule -Name "<RuleName>" -HostedContentFilterPolicy "<Poli
This example creates a new spam filter rule named Contoso Executives with these settings: - The spam filter policy named Contoso Executives is associated with the rule.- - The rule applies to members of the group named Contoso Executives Group. ```PowerShell
For detailed syntax and parameter information, see [Get-HostedContentFilterRule]
Other than the following items, the same settings are available when you modify a spam filter policy in PowerShell as when you create the policy as described in the [Step 1: Use PowerShell to create a spam filter policy](#step-1-use-powershell-to-create-a-spam-filter-policy) section earlier in this article. - The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, always **Lowest** priority, and you can't delete it) is only available when you modify a spam filter policy in PowerShell.--- You can't rename a spam filter policy (the **Set-HostedContentFilterPolicy** cmdlet has no _Name_ parameter). When you rename an anti-spam policy in the Security & Compliance Center, you're only renaming the spam filter _rule_.
+- You can't rename a spam filter policy (the **Set-HostedContentFilterPolicy** cmdlet has no _Name_ parameter). When you rename an anti-spam policy in the security center, you're only renaming the spam filter _rule_.
To modify a spam filter policy, use this syntax:
To modify a spam filter rule, use this syntax:
Set-HostedContentFilterRule -Identity "<RuleName>" <Settings> ```
-This example renames the existing spam filter rule named `{Fabrikam Spam Filter}` that might cause problems in the Security & Compliance Center.
+This example renames the existing spam filter rule named `{Fabrikam Spam Filter}`.
```powershell Set-HostedContentFilterRule -Identity "{Fabrikam Spam Filter}" -Name "Fabrikam Spam Filter"
Set-HostedContentFilterRule -Identity "Marketing Department" -Priority 2
**Notes**: - To set the priority of a new rule when you create it, use the _Priority_ parameter on the **New-HostedContentFilterRule** cmdlet instead.- - The default spam filter policy doesn't have a corresponding spam filter rule, and it always has the unmodifiable priority value **Lowest**. ### Use PowerShell to remove spam filter policies
For detailed syntax and parameter information, see [Remove-HostedContentFilterRu
### Send a GTUBE message to test your spam policy settings > [!NOTE]
-> These steps will only work if the email organization that you're sending the GTUBE message from doesn't scan for outbound spam. If it does, the test message can't be sent.
+> These steps will only work if the email organization that you're sending the GTUBE message from doesn't scan for outbound spam. If it does, you can't send the test message.
Generic Test for Unsolicited Bulk Email (GTUBE) is a text string that you include in a test message to verify your organization's anti-spam settings. A GTUBE message is similar to the European Institute for Computer Antivirus Research (EICAR) text file for testing malware settings.
Include the following GTUBE text in an email message on a single line, without a
```text XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X ```-
-## Allow/Block Lists
-
-There will be times when our filters will miss the message or it takes time for our systems to catch up to it. In this cases, the anti-spam policy has an Allow and a Block list available to override the current verdict. This option should only be used sparingly since lists can become unmanageable and temporarily since our filtering stack should be doing what it is supposed to be doing.
-
-> [!TIP]
-> There may be situations where your organization may not agree with the verdict the service provides. In this case, you may want to keep the Allow or Block listing permanent. However, if you are going to put a domain on the Allow list for extended periods of time, you should tell the sender to make sure that their domain is authenticated and set to DMARC reject if it is not.
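Review bot: Deleting the whole Allow/Block Lists section also deletes the two cautions it carried: that these lists override the filtering verdict and should be used sparingly and temporarily, and that a sender kept on the Allow list for an extended period should authenticate their domain and set DMARC to reject. Nothing added in this file replaces either point, so confirm the guidance exists in an article this page links to before the removal lands.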
security Eop Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/eop-features.md
The following table provides a list of features that are available in the Exchan
|Feature|Description| |||
+|**Anti-malware protection**||
+|Multiple engine anti-malware protection|Multiple anti-malware engines help to automatically protect our customers at all times.|
+|Always-on malware filtering|You can't disable malware filtering. We believe that helping to provide a consistent and rigorous level of protection for all of our customers is a critical part of the defense-in-depth strategy necessary to help protect your email messaging environment. As a result, malware filtering is automatically enabled for all customers.|
+|Malware inspection of the message body and attachments|The service inspects the active payload in the message body and all message attachments for malware.|
+|Anti-spyware protection|Anti-malware protection encompasses anti-virus protection and anti-spyware protection.|
+|Malware filter policies|Every organization has a default anti-spam policy that applies to all recipients. For greater granularity, you can create custom anti-malware policies that apply to specific users, groups, or domains in your organization. Custom policies are always applied before default policy, but you can change the order that custom policies are applied. <p> You can configure the following settings in anti-malware policies: <ul><li>**Common attachment filtering**: Enable a customized list of file types that are always presumed to be malware.</li><li>**ZAP for malware**: Retroactively quarantine delivered malware messages. For more information, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).</li><li>**Recipient notifications**: Silently quarantine the message or quarantine the message and also deliver it with all attachments replaced by a single text file containing standard or custom text.</li><li>**Sender notifications**: Notify senders that their message was detected as malware.</li><li>**Admin notifications**: Notify an admin when messages from internal or external senders were detected as malware.</li></ul> <p> For more information, see [Configure anti-malware policies](configure-anti-malware-policies.md).|
+|**Anti-phishing protection**||
+|Anti-phishing protection|EOP uses a list of domains that are used by known spammers.|
+|Anti-spoofing protection|Anti-phishing protection in EOP includes anti-spoofing protection. For more information, see [Anti-spoofing protection](anti-spoofing-protection.md). <p> Anti-phishing protection in Microsoft Defender for Office 365 also includes impersonation protection. For more information, see [Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).|
|**Anti-spam protection**||
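Review bot: The new "Malware filter policies" row opens with "Every organization has a default anti-spam policy", which looks copied from the anti-spam row. The rest of the cell describes anti-malware policies and links to configure-anti-malware-policies.md, so this should read "default anti-malware policy".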
-|Inbound spam detection|For more information, see [Anti-spam protection in Microsoft 365](anti-spam-protection.md). <p> In hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange to translate the EOP spam filtering verdict so the junk email rule can move the message to the Junk Email folder. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).|
-|Outbound spam detection|Outbound anti-spam protection is always enabled if you use the service for sending outbound mail. For more information, see [Outbound spam protection](outbound-spam-controls.md).|
+|Inbound spam detection|For more information, see [Anti-spam protection in Microsoft 365](anti-spam-protection.md). <p> For additional steps that are required in hybrid environments, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).|
|Backscatter protection|For more information, see [Backscatter and EOP](backscatter-messages-and-eop.md).|
-|Bulk mail filtering|EOP uses the bulk complaint threshold (BCL) to mark bulk email messages as spam. For more information, see the following topics: <p> [What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md) <p> [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md) <p> [Configure anti-spam policies](configure-your-spam-filter-policies.md)|
+|Bulk mail filtering|EOP uses the bulk complaint (BCL) threshold in anti-spam policies to mark bulk email messages as spam. For more information, see the following topics: <ul><li>[What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md)</li><li>[Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md)</li><li>[Configure anti-spam policies](configure-your-spam-filter-policies.md)</li></ul>|
|Malicious URL block lists|EOP uses several URL block lists that help detect known malicious links within messages.|
-|Anti-phishing protection|EOP includes 750,000 domains of known spammers.|
-|Anti-spoofing protection|For more information, see [Anti-spoofing protection](anti-spoofing-protection.md).|
+|**Outbound spam protection**||
+|Outbound spam detection|Outbound anti-spam protection is always enabled if you use the service for sending outbound mail. For more information, see [Outbound spam protection](outbound-spam-controls.md).|
+|Outbound spam policies|Every organization has a default outbound spam policy that applies to all recipients. For greater granularity, you can create custom anti-spam policies that apply to specific users, groups, or domains in your organization. Custom policies are always applied before default policy, but you can change the order that custom policies are applied. <p> You can configure the following settings in anti-spam policies: <ul><li>**Messsage limts**: You can set limits that are lower than the [service defaults](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#receiving-and-sending-limits) for **external recipients per hour**, **internal recipients per hour**, and **maximum number of recipients per day**</li><li>**Action to take on users who exceed a limit**: Restrict the user for 24 hours, restrict the user until release, or alert only.</li><li>**Enable or disable automatic external email forwarding**: [Learn more](external-email-forwarding.md)</li><li>**Notify or send copies of messages to admins**</li></ul> <p> For more information, see [Configure outbound spam filtering in EOP](configure-the-outbound-spam-policy.md).|
+|**Connection filtering**||
+|Connection filter policy|Configure the IP Allow list and the IP Block list for the organization. For more information, see [Configure connection filtering](configure-the-connection-filter-policy.md)|
|**Spam management**||
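Review bot: In the new "Outbound spam policies" row the text switches to "custom anti-spam policies" and "settings in anti-spam policies", although the row and its closing link are about outbound spam policies; use "outbound spam policies" throughout the cell. The bold label "Messsage limts" is also misspelled and should be "Message limits".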
-|Configure safe senders and blocked senders|For more information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md) and [Create blocked sender lists](create-block-sender-lists-in-office-365.md).|
-|Create custom anti-spam policies|For greater granularity, you can create custom anti-spam policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies. For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).|
-|Configure the actions on spam-filtered messages|For example, you can delete content-filtered messages or send them to the Junk Email folder or the quarantine. For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).|
-|International spam filtering|You can configure anti-spam filtering to filter messages written in specific languages or sent from specific countries or regions. For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).|
-|Manage spam via Outlook or Outlook on the web (formerly known as Outlook Web App)|Admins and end users can create safe sender lists and blocked sender lists. For more information, see [About junk email settings in Outlook](configure-junk-email-settings-on-exo-mailboxes.md#about-junk-email-settings-in-outlook). <p> If you're using EOP to help protect on-premises mailboxes, be sure to use directory synchronization to help ensure that these settings are synced to the service. For more information about setting up directory synchronization, see "Use directory synchronization to manage mail users" in [Manage mail users in standalone EOP](/exchange/standalone-eop/manage-mail-users-in-eop).|
+|Anti-spam policies|Every organization has a default anti-spam policy that applies to all recipients. For greater granularity, you can create custom anti-spam policies that apply to specific users, groups, or domains in your organization. Custom policies are always applied before default policy, but you can change the order that custom policies are applied. <p> You can configure the following settings in anti-spam policies: <ul><li>**Spam filter verdict actions**: When a message is detected, you can configure the action to take (delete, move to Junk Email folder, quarantine, etc.) based on the verdict.</li><li>**Advanced spam filter (ASF) settings**: These settings are described in [Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md)</li><li>**ZAP for phishing and spam**: Retroactively quarantine or move delivered messages to the Junk Email folder. For more information, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).</li><li>**Enable end-user spam notifications**: [Learn more about end-user spam notifications].(use-spam-notifications-to-release-and-report-quarantined-messages.md)</li>**Allowed and blocked senders and domains**: For important information about how to safely use these lists, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md) and [Create blocked sender lists](create-block-sender-lists-in-office-365.md)</li><li>**International spam settings**: Block messages based on language or source country.</li></ul> <p> For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).|
+|Manage spam via Outlook or Outlook on the web (formerly known as Outlook Web App)|Users and admins can create personal safe sender lists and blocked sender lists in Exchange Online mailboxes. For more information, see [About junk email settings in Outlook](configure-junk-email-settings-on-exo-mailboxes.md#about-junk-email-settings-in-outlook). <p> If you're using EOP to help protect on-premises Exchange mailboxes, be sure to use directory synchronization to help ensure that these settings are synced to the service. For more information, see [Use directory synchronization to manage mail users](/exchange/standalone-eop/manage-mail-users-in-eop#synchronize-directories-with-azure-active-directory-connect-aad-connect).|
|Report false positives and false negatives to Microsoft.|For more information, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).|
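Review bot: The new "Anti-spam policies" cell has two markup errors. The end-user spam notifications link has a period between the closing bracket and the opening parenthesis, so it will not render as a link, and the "Allowed and blocked senders and domains" item has a closing `</li>` with no opening `<li>`, which leaves the list malformed.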
-|End-user spam quarantine notifications|For more information, see [End-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md) and [Configure end-user spam notifications](configure-your-spam-filter-policies.md#configure-end-user-spam-notifications).|
|View, find, and manage messages in the quarantine portal.|For more information, see [Manage quarantined messages and files as an admin in EOP](manage-quarantined-messages-and-files.md) or [Find and release quarantined messages as a user](find-and-release-quarantined-messages-as-a-user.md).|
-|View spam-quarantined message headers|After you view the message header in the quarantine, you can also copy and paste the header text into the [Message Header Analyzer](https://mha.azurewebsites.net/) to find out what happened to the message.|
-|**Anti-malware protection**||
-|Multiple engine anti-malware protection|Multiple anti-malware engines help to automatically protect our customers at all times.|
-|The ability to disable malware filtering|You can't disable malware filtering. We believe that helping to provide a consistent and rigorous level of protection for all of our customers is a critical part of the defense-in-depth strategy necessary to help protect your email messaging environment. As a result, malware filtering is automatically enabled for all customers.|
-|Malware inspection of the message body and attachments|The service inspects the active payload in the message body and all message attachments for malware.|
-|Default or custom malware alert notifications|You can send a notification message to senders or admins. For more information, see [Configure anti-malware policies](configure-anti-malware-policies.md).|
-|Recipient notifications|Silently quarantine the message or quarantine the message and also deliver it with all attachments replaced by a single text file containing standard or custom text. For more information, see [Configure anti-malware policies](configure-anti-malware-policies.md).|
-|Common Attachment Filtering|You can enable and customize a list of file types that are always presumed to be malware. For more information, see [Anti-malware protection in EOP](anti-malware-protection.md).|
-|Anti-spyware protection|Anti-malware protection encompasses anti-virus protection and anti-spyware protection.|
-|Create custom malware filter policies|For greater granularity, you can create custom malware filter policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies. For more information, see [Configure anti-malware policies](configure-anti-malware-policies.md).|
+|View spam-quarantined message headers|After you view the message header in the quarantine, you can also copy and paste the header text into the [Message Header Analyzer](https://mha.azurewebsites.net/) to find out what happened to the message.|
|**Mail routing and connectors**||
+|
|Conditional mail routing|For more information, see [Scenario: Conditional mail routing in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/conditional-mail-routing).|
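Review bot: The line added directly under the "Mail routing and connectors" header row is a bare `|`, which introduces an empty, malformed table row. Remove it.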
-|Opportunistic or forced TLS|Opportunistic or forced TLS is available with connectors. Opportunistic TLS attempts a TLS connection but uses an SMTP connection if the TLS connection is unsuccessful. Force TLS enforces TLS connections, meaning that the message is rejected if the TLS connection is unsuccessful. For more information about TLS, security, and connectors, see [Set up connectors for secure mail flow with a partner organization](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner).|
-|Regional routing (the restriction of mail flow to a specific region)|For more information, see the "EOP datacenters" section in the [Exchange Online Protection overview](exchange-online-protection-overview.md).|
+|Opportunistic or forced TLS|<ul><li>Opportunistic TLS attempts a TLS connection but uses an SMTP connection if the TLS connection is unsuccessful.</li><li>Forced TLS enforces TLS connections, meaning that the message is rejected if the TLS connection is unsuccessful.</li></ul> <p> For more information about TLS, security, and connectors, see [Set up connectors for secure mail flow with a partner organization](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner).|
+|Regional routing (the restriction of mail flow to a specific region)|For more information, see [EOP datacenters](exchange-online-protection-overview.md#eop-datacenters).|
|The SMTP Connectivity Checker tool|For more information about using this tool to test your mail flow, see [Test mail flow by validating your Microsoft 365 connectors](/exchange/mail-flow-best-practices/test-mail-flow).| |Match subdomains|For more information about enabling mail flow to and from subdomains of your accepted domains, see [Mail flow in EOP](mail-flow-in-eop.md).| |**Mail flow rules**||
-|Policy-based filtering and actions|Custom policies are based on Exchange mail flow rules (also known as transport rules). You can filter by domain, keyword, file name, file type, subject line, message body, sender, recipient, header, and IP address. For more information, see [Mail flow rules (transport rules) in Exchange Online Protection](mail-flow-rules-transport-rules-0.md).|
-|Filter by text patterns|Mail flow rules can use an array or regular expressions to match text. You can also use one string or an array of strings to match many message properties, such as the address, subject, body, or attachment names. For more information, see [Mail flow rules (transport rules) in Exchange Online Protection](mail-flow-rules-transport-rules-0.md)|
-|Custom dictionaries|Mail flow rules can include long lists of text and keywords, providing the same functionality as a custom dictionary.|
-|Per-domain policy rules|The scope of a mail flow rule can be customized to match sender or recipient domain names, IP address ranges, address keywords or patterns, group memberships, and other conditions.|
-|Attachment scanning|Rules can be created to scan the file name, extension, and content of the attachment.|
-|Send policy rule notifications to the sender|You can reject messages and send a non-delivery report (also known as an NDR or bounce message) to the sender via the **Reject the message with the explanation** or **Reject the message with the enhanced status code** action. For more information, see [Mail flow rule actions in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions).|
-|Redirect or copy messages|Mail flow rules can redirect, add recipients by Cc or Bcc, simply add recipients, and other options. For more information, see [Mail flow rule actions in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions).|
-|Adjust rule priority across multiple rules|Use the Exchange admin center to change the order in which rules are processed.|
-|Filter messages and then change the routing or attributes of a message|You can filter messages based on a wide variety of conditions and then apply a series of actions to each message. For more information, see [Mail flow rules (transport rules) in Exchange Online Protection](mail-flow-rules-transport-rules-0.md).|
-|Change the spam confidence level (SCL) of a message by rule.|You can inspect an in-transit message and assign a spam confidence level to it based on criteria that you choose. For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).|
-|Inspect message attachments|You can examine the content of an attachment or the characteristics of an attached file and define an action to take based on what is found. For more information, see [Using mail flow rules to inspect message attachments in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments).|
+|Mail flow rules in EOP|Virtually all of the conditions, exceptions, and actions that are available in mail flow rules (also known as transport rules) in Exchange Online are also available in standalone EOP organizations without Exchange Online mailboxes. For more information about mail flow rules, see the following topics: <ul><li>[Mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules)</li><li>[Mail flow rule conditions and exceptions](/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions)</li><li>[Mail flow rule actions](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions)</li></ul>|
+|Mail flow rule scenarios|Many scenarios are available using transport rules. For example: <ul><li>**Policy-based filtering and actions**: You can filter by domain, keyword, file name, file type, subject line, message body, sender, recipient, header, and IP address.</li><li>**Filter by text patterns**: Mail flow rules can use an array or regular expressions to match text. You can also use one string or an array of strings to match many message properties, such as the address, subject, body, or attachment names.</li><li>**Custom dictionaries**: Mail flow rules can include long lists of text and keywords, providing the same functionality as a custom dictionary.</li><li>**Per-domain policy rules**: You can customize the scope of a mail flow rule to match sender or recipient domain names, IP address ranges, address keywords or patterns, group memberships, and other conditions.</li><li>**Attachment scanning**: You can create mail flow rules to scan the file name, extension, and content of email attachments.</li><li>**Send policy rule notifications to the sender**: You can reject messages and send a non-delivery report (also known as an NDR or bounce message) to the sender via the **Reject the message with the explanation** or **Reject the message with the enhanced status code** action.</li><li>**Redirect or copy messages**: Mail flow rules can redirect, add recipients by Cc or Bcc, simply add recipients, and other options.</li><li>**Filter messages and change the message attributes or routing**: You can filter messages based on a wide variety of conditions and then apply a series of actions to each message.</li><li>**Change the spam confidence level (SCL) of messages in transit**</li></ul> <p> For specific mail flow rule scenario article, see [Mail flow rule procedures](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-procedures).|
|**Administration**||
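Review bot: The closing sentence of the new "Mail flow rule scenarios" cell reads "For specific mail flow rule scenario article, see" and should say "scenario articles". The consolidation also drops the dedicated links that the removed rows carried for setting the SCL by rule and for inspecting message attachments; if the "Mail flow rule procedures" page does not cover both, keep those two links in the list. The cell also opens with "transport rules" and then uses "mail flow rules" everywhere else, so pick one term after the first mention.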
-|Web-based administration|Most features are managed in the [Security & Compliance Center](grant-access-to-the-security-and-compliance-center.md). <p> Other features require management in the Exchange admin center (EAC). For more information, see [Exchange admin center in Exchange Online](/exchange/exchange-admin-center) or [Exchange admin center in standalone EOP](/exchange/standalone-eop/exchange-admin-center-eop).|
-|Directory synchronization|Directory synchronization is available via the Azure Active Directory Sync tool. For more information, see the "Use directory synchronization to manage mail users" section in [Manage mail users in standalone EOP](/exchange/standalone-eop/manage-mail-users-in-eop).|
-|Directory Based Edge Blocking (DBEB)|The DBEB feature lets you reject messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to Microsoft 365 and block all messages sent to email addresses that aren't present in Microsoft 365. For more information about configuring DBEB, see [Use Directory Based Edge Blocking to reject messages sent to invalid recipients](/exchange/mail-flow-best-practices/use-directory-based-edge-blocking).|
-|PowerShell|Full EOP functionality is available in standalone EOP PowerShell. For more information, see [Exchange Online Protection PowerShell](/powershell/exchange/exchange-online-protection-powershell).|
+|Web-based administration|You use the following admin centers to manage EOP: <ul><li>The [Microsoft 365 security center](/microsoft-365/security/defender/overview-security-center)</li><li>The [Exchange admin center](/exchange/exchange-admin-center)</li><li>The [Microsoft 365 admin center](/microsoft-365/admin/admin-overview/about-the-admin-center)</li></ul>|
+|PowerShell|If your organization has Exchange Online mailboxes, you manage EOP features in [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell). If your organization has no Exchange Online mailboxes, you manage EOP features in [Exchange Online Protection PowerShell](/powershell/exchange/exchange-online-protection-powershell).|
|**Reporting and logging**|| |Message trace|Admins can follow email messages as they pass through the service. You can determine whether a targeted email message was received, rejected, deferred, or delivered by the service. This lets you efficiently answer your users' questions, troubleshoot mail flow issues, validate policy changes, and alleviates the need to contact technical support for assistance. For more information, see [Message trace in the Security & Compliance Center](message-trace-scc.md).| |Web-based reports|The mail protection reports in the Security & Compliance Center provide messaging data. For example, you can monitor how much spam and malware is being detected or how often your mail flow rules are being matched. With these interactive reports, you can quickly get a visual report of summary data and drill down into details about individual messages, for as far back as 90 days. For more information, see [Use mail protection reports to view data about malware, spam, and rule detections](/exchange/monitoring/use-mail-protection-reports).|
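Review bot: The rewritten Administration rows remove "Directory Based Edge Blocking (DBEB)" without adding a replacement anywhere in this hunk, so the table no longer mentions rejecting messages for invalid recipients at the service network perimeter; confirm that is intended rather than lost in the consolidation. The unchanged "Message trace" and "Web-based reports" rows also still say "Security & Compliance Center" while the new "Web-based administration" row names the Microsoft 365 security center, so the portal naming is inconsistent within one table.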
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
During and after each automated investigation, your security operations team can
AIR capabilities are included in [Microsoft Defender for Office 365](defender-for-office-365.md#microsoft-defender-for-office-365-plan-1-and-plan-2), provided your policies and alerts are configured. Need some help? Follow the guidance in [Protect against threats](protect-against-threats.md) to set up or configure the following protection settings: - [Audit logging](../../compliance/turn-audit-log-search-on-or-off.md) (should be turned on)-- [Antimalware policies](protect-against-threats.md#part-1anti-malware-protection)-- [Antiphishing protection](protect-against-threats.md#part-2anti-phishing-protection)-- [Antispam protection](protect-against-threats.md#part-3anti-spam-protection)
+- [Anti-malware policies](protect-against-threats.md#part-1anti-malware-protection-in-eop)
+- [Anti-phishing protection](protect-against-threats.md#part-2anti-phishing-protection)
+- [Anti-spam protection](protect-against-threats.md#part-3anti-spam-protection-in-eop)
- [Safe Links and Safe Attachments](protect-against-threats.md#part-4protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365) - [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on) - [Zero-hour auto purge for email](protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop)
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
Threat protection features are included in *all* Microsoft or Office 365 subscri
> [!TIP] > Notice that, beyond the directions to turn on auditing, *steps* start anti-malware, anti-phishing, and anti-spam, which are marked as part of Office 365 Exchange Online Protection (**EOP**). This can seem odd in an Defender for Office 365 article, until you remember (**Defender for Office 365**) contains, and builds on, EOP.
+<br>
+ **** |Protection type|Subscription requirement|
Threat protection features are included in *all* Microsoft or Office 365 subscri
To configure Defender for Office 365 policies, you must be assigned an appropriate role in the [Security & Compliance Center](/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center). Take a look at the table below for roles that can do these actions.
+<br>
+ **** |Role or role group|Where to learn more|
To learn more, see [Permissions in the Security & Compliance Center](permissions
- Start your audit logging early. You'll need auditing to be **ON** for some of the following steps. Audit logging is available in subscriptions that include [Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description). In order to view data in threat protection reports, such as the [Security Dashboard](security-dashboard.md), [email security reports](view-email-security-reports.md), and [Explorer](threat-explorer.md), audit logging must be *On*. To learn more, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
-## Part 1 - Anti-malware protection
+## Part 1 - Anti-malware protection in EOP
For more information about the recommended settings for anti-malware, see [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings). 1. Open <https://security.microsoft.com/antimalwarev2>.
-2. Select the Default policy by clicking on the name of the policy.
+2. On the **Anti-malware** page, select the policy named **Default** policy by clicking on the name.
3. In the policy details flyout that opens, click **Edit protection settings**, and then configure the following settings: - Select **Enable the common attachments filter** to turn on the common attachments filter. Click **Customize file types** to add more file types. - Verify that **Enable zero-hour auto purge for malware** is selected. - Verify that none of the settings in the **Notification** section are selected.
- When you're finished, click **Save**
+ When you're finished, click **Save**.
+
+4. Back on the policy details flyout, click **Close**.
For detailed instructions for configuring anti-malware policies, see [Configure anti-malware policies in EOP](configure-anti-malware-policies.md).
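Review bot: In the new step 2, "select the policy named **Default** policy by clicking on the name" repeats the word "policy". Drop the second one so the step reads "select the policy named **Default** by clicking on the name".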
The following procedure describes how to configure an anti-phishing policy in Mi
To learn more about your anti-phishing policy options, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
-## Part 3 - Anti-spam protection
+## Part 3 - Anti-spam protection in EOP
-[Anti-spam protection](anti-spam-protection.md) is available in subscriptions that include [EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description).
+For more information about the recommended settings for anti-spam, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
-1. In the [Security & Compliance Center](https://protection.office.com), choose **Threat management** \> **Policy** \> **Anti-spam**.
+1. Open <https://security.microsoft.com/antispam>.
-2. On the **Custom** tab, turn on Custom settings.
+2. On the **Anti-spam policies** page, select the policy named **Anti-spam inbound policy** from the list by clicking on the name.
-3. Expand **Default spam filter policy**, click **Edit policy**, and then specify the following settings:
+3. In the policy details flyout that appears, click **Edit spam threshold and properties** in the **Bulk email threshold & spam properties** section.
- - In the **Spam and bulk actions** section, set the threshold to a value of 5 or 6.
+4. In the **spam threshold and properties** flyout that appears, set the **Bulk email threshold** value to 5 (Strict) or 6 (Standard). When you're finished, click **Save**
- - In the **Allow lists** section, review (and/or edit) your allowed senders and domains.
+5. Back on the policy details flyout, go to the **Allowed and blocked senders and domains** section and review or edit your allowed senders and allowed domains.
-4. Click **Save**.
+6. When you're finished, click **Close**.
-To learn more about your anti-spam policy options, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+For detailed instructions for configuring anti-spam policies, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
## Part 4 - Protection from malicious URLs and files (Safe Links and Safe Attachments in Defender for Office 365)
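Review bot: New step 4 labels a bulk email threshold of 5 as Strict, but the _BulkThreshold_ row in recommended-settings-for-eop-and-office365.md in this same update lists 7, 6 and 4, so 5 does not match any level given there. Align the two articles, or say why this walkthrough uses a different Strict value. Step 4 also ends with "click **Save**" without a period (the anti-malware section fixes the same omission in this update), and the flyout is written in lowercase as "**spam threshold and properties**" while step 3 names the link **Edit spam threshold and properties**; confirm the flyout title against the UI and match its capitalization.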
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To automatically apply the Standard or Strict settings to users, see [Preset sec
> [!NOTE] > The junk email rule needs to be enabled on mailboxes in order for filtering to work properly. It's enabled by default, but you should check it if filtering does not seem to be working. For more information, see [Configure junk email settings on Exchange Online mailboxes in Office 365](configure-junk-email-settings-on-exo-mailboxes.md).
-This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users.
+This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users. The tables contain the settings in the Microsoft 365 security center and PowerShell (Exchange Online PowerShell or standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).
> [!TIP] > The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the **Get-ORCAReport** cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at <https://www.powershellgallery.com/packages/ORCA/>.
To create and configure anti-spam policies, see [Configure anti-spam policies in
||::|::|::|| |**Spam** detection action <p> _SpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|| |**High confidence spam** detection action <p> _HighConfidenceSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
-|**Phishing email** detection action <p> _PhishSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
-|**High confidence phishing email** detection action <p> _HighConfidencePhishAction_|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
-|**Bulk email** detection action <p> _BulkSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`||
-|Bulk email threshold <p> _BulkThreshold_|7|6|4|For details, see [Bulk complaint level (BCL) in Office 365](bulk-complaint-level-values.md).|
-|Quarantine retention period <p> _QuarantineRetentionPeriod_|15 days|30 days|30 days||
-|**Safety Tips** <p> _InlineSafetyTipsEnabled_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
-|Allowed Senders <p> _AllowedSenders_|None|None|None||
-|Allowed Sender Domains <p> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <p> Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md) in the Security & Compliance Center to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|
-|Blocked Senders <p> _BlockedSenders_|None|None|None||
-|Blocked Sender Domains <p> _BlockedSenderDomains_|None|None|None||
+|**Phishing** detection action <p> _PhishSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
+|**High confidence phishing** detection action <p> _HighConfidencePhishAction_|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
+|**Bulk** detection action <p> _BulkSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`||
+|**Bulk email threshold** <p> _BulkThreshold_|7|6|4|For details, see [Bulk complaint level (BCL) in Office 365](bulk-complaint-level-values.md).|
+|_MarkAsSpamBulkMail_|On|On|On|This setting is only available in PowerShell.|
+|**Retain spam in quarantine for this many days** <p> _QuarantineRetentionPeriod_|15 days|30 days|30 days||
+|**Enable spam safety tips** <p> _InlineSafetyTipsEnabled_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
+|Allowed senders <p> _AllowedSenders_|None|None|None||
+|Allowed sender domains <p> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <p> Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|
+|Blocked senders <p> _BlockedSenders_|None|None|None||
+|Blocked sender domains <p> _BlockedSenderDomains_|None|None|None||
|**Enable end-user spam notifications** <p> _EnableEndUserSpamNotifications_|Disabled <p> `$false`|Enabled <p> `$true`|Enabled <p> `$true`|| |**Send end-user spam notifications every (days)** <p> _EndUserSpamNotificationFrequency_|3 days|3 days|3 days||
-|**Spam ZAP** <p> _SpamZapEnabled_|Enabled <p> `$true`|Enabled <p> `$true`|Enabled <p> `$true`||
-|**Phish ZAP** <p> _PhishZapEnabled_|Enabled <p> `$true`|Enabled <p> `$true`|Enabled <p> `$true`||
-|_MarkAsSpamBulkMail_|On|On|On|This setting is only available in PowerShell.|
+|Enable zero-hour auto purge (ZAP) for phishing messages <p> _PhishZapEnabled_|Enabled <p> `$true`|Enabled <p> `$true`|Enabled <p> `$true`||
+|Enable ZAP for spam message <p> _SpamZapEnabled_|Enabled <p> `$true`|Enabled <p> `$true`|Enabled <p> `$true`||
|
-There are several other Advanced Spam Filter (ASF) settings in anti-spam policies that are in the process of being deprecated. More information on the timelines for the depreciation of these features will be communicated outside of this article.
+There are many Advanced Spam Filter (ASF) settings in anti-spam policies that are in the process of being deprecated. More information on the timelines for the depreciation of these features will be communicated outside of this article.
-We recommend that you turn these ASF settings **Off** for both **Standard** and **Strict** levels. For more information about ASF settings, see [Advanced Spam Filter (ASF) settings in Office 365](advanced-spam-filtering-asf-options.md).
+We recommend that you leave the following ASF settings **Off** for both **Standard** and **Strict** levels. For more information about ASF settings, see [Advanced Spam Filter (ASF) settings in Office 365](advanced-spam-filtering-asf-options.md).
<br>
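Review bot: The rewritten ASF sentence still says "timelines for the depreciation of these features"; the intended word is "deprecation", and since the line is already being edited ("several other" to "many") it should be fixed here. In the two ZAP rows, "Enable ZAP for spam message" should be plural to match "phishing messages" in the row above, and both labels lose the bold they had as **Spam ZAP** and **Phish ZAP** while the other renamed UI labels in this hunk gain or keep it; pick one convention for UI labels and apply it to every row.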
security Report Junk Email Messages To Microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
||| |[Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md)|The recommended reporting method for admins in organizations with Exchange Online mailboxes (not available in standalone EOP).| |[Enable the Report Message or the Report Phishing add-ins](enable-the-report-message-add-in.md)|Works with Outlook and Outlook on the web (formerly known as Outlook Web App). <p> Depending on your subscription, messages that users reported with the add-ins are available in [the Admin Submissions portal](admin-submission.md), [Automated investigation and response (AIR) results](air-view-investigation-results.md), the [User-reported messages report](view-email-security-reports.md#user-reported-messages-report), and [Threat Explorer](threat-explorer-views.md#email--submissions). <p> You can configure reported messages to be copied or redirected to a mailbox that you specify. For more information, see [User submissions policies](user-submission.md).
-|[Report false positives and false negatives to Outlook](report-false-positives-and-false-negatives.md)|Submit false positives (good email that was blocked or sent to junk folder) and false negatives (unwanted email or phish that was delivered to the inbox) to Exchange Online Protection (EOP) using the Report Message feature.|
+|[Report false positives and false negatives in Outlook](report-false-positives-and-false-negatives.md)|Submit false positives (good email that was blocked or sent to junk folder) and false negatives (unwanted email or phish that was delivered to the inbox) to Exchange Online Protection (EOP) using the Report Message feature.|
|[Manually submit messages to Microsoft for analysis](submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis.md)|Manually send attached messages to specific Microsoft email addresses for spam, not spam, and phishing.| |[Use mail flow rules to see what users are reporting to Microsoft](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-see-what-users-are-reporting-to-microsoft)|Learn how to create a mail flow rule (also known as a transport rule) that notifies you when users report messages to Microsoft for analysis.| |[Submit malware and non-malware to Microsoft for analysis](submitting-malware-and-non-malware-to-microsoft-for-analysis.md)|Use the Microsoft Security Intelligence site to submit attachments and other files.|
security Set Up Safe Links Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-links-policies.md
The basic elements of a Safe Links policy are:
- **The safe links policy**: Turn on Safe Links protection, turn on real-time URL scanning, specify whether to wait for real-time scanning to complete before delivering the message, turn on scanning for internal messages, specify whether to track user clicks on URLs, and specify whether to allow users to click trough to the original URL. - **The safe links rule**: Specifies the priority and recipient filters (who the policy applies to).
+> [!IMPORTANT]
+> Admins should consider the different configuration settings for SafeLinks. One of the available options is to include user identifiable information in SafeLinks. This feature enables *Security Ops teams* to investigate potential user compromise, take corrective action, and limit costly breaches.
+ The difference between these two elements isn't obvious when you manage Safe Links polices in the Security & Compliance Center: - When you create a Safe Links policy, you're actually creating a safe links rule and the associated safe links policy at the same time using the same name for both.
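Review bot: The new IMPORTANT note never names the setting it asks admins to consider: "One of the available options is to include user identifiable information in SafeLinks" does not say which policy option that is or where it is configured, so a reader cannot act on it. Name the setting as it appears in the policy, and spell the feature "Safe Links" as the rest of the article does rather than "SafeLinks". Because the option puts user-identifiable data into links, a sentence on who can see that data would help admins weigh the choice.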
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
The Tenant Allow/Block List in the Security & Compliance Center gives you a way
- URLs to block. - Files to block.-- Bulk mail sender domains to allow. For more information about bulk mail, the bulk confidence level (BCL), and bulk mail filtering by anti-spam policies, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md). - Spoofed senders to allow or block. If you override the allow or block verdict in the [spoof intelligence insight](learn-about-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence. This article describes how to configure entries in the Tenant Allow/Block List in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
This article describes how to configure entries in the Tenant Allow/Block List i
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions in Exchange Online before you can do the procedures in this article:
- - **URLs, files, and allow bulk senders**:
+ - **URLs and files**:
- To add and remove values from the Tenant Allow/Block List, you need to be a member of the **Organization Management** or **Security Administrator** role groups. - For read-only access to the Tenant Allow/Block List, you need to be a member of the **Global Reader** or **Security Reader** role groups. - **Spoofing**: One of the following combinations:
This article describes how to configure entries in the Tenant Allow/Block List i
4. When you're finished, click **Add**.
-## Use the Security & Compliance Center to create allow bulk mail sender domain entries in the Tenant Allow/Block List
-
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
-
-2. On the **Tenant Allow/Block List** page, select the **Sender domains for BCL bypass** tab, and then click **Add**.
-
-3. In the **Add sender domain for BCL bypass** flyout that appears, configure the following settings:
-
- - **Add sender domains for BCL bypass**: Enter one source domain of good bulk mail per line, up to a maximum of 20.
-
- - **Never expire**: Do one of the following steps:
-
- - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Expires on** box to specify the expiration date for the entries.
-
- or
-
- - Move the toggle to the right to configure the entries to never expire: ![Toggle on](../../media/scc-toggle-on.png).
-
-4. When you're finished, click **Add**.
- ## Use the Security & Compliance Center to create allow or block spoofed sender entries in the Tenant Allow/Block List **Notes**:
This article describes how to configure entries in the Tenant Allow/Block List i
- **Expiration date** - **Note**
- - **Sender domains for BCL bypass**
- - **Value**: The bulk mail sender's domain.
- - **Last updated date**
- - **Expiration date**
- - **Spoofing** - **Spoofed user** - **Sending infrastructure**
New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com
For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
-### Use PowerShell to add allow bulk mail sender domain entries to the Tenant Allow/Block List
-
-To add allow bulk mail sender domain entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-New-TenantAllowBlockListItems -ListType BulkSender -Block:$false -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
-```
-
-This example adds an allowed bulk sender entry for the specified domain that never expires.
-
-```powershell
-New-TenantAllowBlockListItem -ListType BulkSender -Block:$false -Entries contosodailydeals.com
-New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
-```
-
-For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
- ### Use PowerShell to add allow or block spoofed sender entries to the Tenant Allow/Block List To add spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
Get-TenantAllowBlockListItems -ListType Url -Block
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
-### Use PowerShell to view allow bulk mail sender domain entries in the Tenant Allow/Block List
-
-To view allow bulk mail sender domain entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Get-TenantAllowBlockListItems -ListType BulkSender [-Entry <BulkSenderDomainValue>] [<-ExpirationDate Date | -NoExpiration>]
-```
-
-This example returns all allowed bulk mail sender domains.
-
-```powershell
-Get-TenantAllowBlockListItems -ListType BulkSender
-```
-
-This example returns information for the specified bulk sender domain.
-
-```powershell
-Get-TenantAllowBlockListItems -ListType FileHash -Entry "contosodailydeals.com"
-```
-
-For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
- ### Use PowerShell to view allow or block spoofed sender entries in the Tenant Allow/Block List To view spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
Set-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBw
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
-### Use PowerShell to modify allow bulk mail sender domain entries in the Tenant Allow/Block List
-
-To modify allow bulk mail sender domain entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Get-TenantAllowBlockListItems -ListType BulkSender -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
-```
-
-This example changes the expiration of the specified allow bulk mail sender domain entry to never expire.
-
-```powershell
-Set-TenantAllowBlockListItems -ListType BulkSender -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -NoExpiration
-```
-
-For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
- ### Use PowerShell to modify allow or block spoofed sender entries in the Tenant Allow/Block List To modify allow or block spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
Set-TenantAllowBlockListItems -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdl
For detailed syntax and parameter information, see [Set-TenantAllowBlockListSpoofItems](/powershell/module/exchange/set-tenantallowblocklistspoofitems).
-### Use PowerShell to remove bulk mail sender domain, file, and domain entries from the Tenant Allow/Block List
+### Use PowerShell to remove URL or file entries from the Tenant Allow/Block List
-To remove allow bulk mail sender domain entries, block file entries, and block URL entries from the Tenant Allow/Block List, use the following syntax:
+To remove file and URL entries from the Tenant Allow/Block List, use the following syntax:
```powershell
-Remove-TenantAllowBlockListItems -ListType <BulkSender | FileHash | Url> -Ids <"Id1","Id2",..."IdN">
+Remove-TenantAllowBlockListItems -ListType <FileHash | Url> -Ids <"Id1","Id2",..."IdN">
``` This example removes the specified block URL entry from the Tenant Allow/Block List.
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
Use the following articles to configure the prerequisites required so user repor
- Turn off URL scanning on messages in the custom mailbox. Use [Set up Safe Links policies in Defender for Office 365](set-up-safe-links-policies.md) to create a Safe Links policy with the setting **Off** for **Select the action for unknown potentially malicious URLs in messages**. -- Create an anti-malware policy to turn off Malware Zero-hour Auto Purge. See [Use the Security & Compliance Center to create anti-malware policies](configure-your-spam-filter-policies.md#use-the-security--compliance-center-to-create-anti-spam-policies) to set **Malware Zero-hour Auto Purge** to **Off**.
+- Create an anti-malware policy to turn off Malware Zero-hour Auto Purge. See [Use the Security & Compliance Center to create anti-malware policies](configure-your-spam-filter-policies.md#use-the-security-center-to-create-anti-spam-policies) to set **Malware Zero-hour Auto Purge** to **Off**.
-- Create a spam filter policy to disable zero-hour auto purge (ZAP) for spam and phishing in the custom mailbox. See [Use the Security & Compliance Center to create anti-spam policies](configure-your-spam-filter-policies.md#use-the-security--compliance-center-to-create-anti-spam-policies) and clear the **On** checkboxes for **Spam ZAP** and **Phish ZAP**.
+- Create a spam filter policy to disable zero-hour auto purge (ZAP) for spam and phishing in the custom mailbox. See [Use the Security & Compliance Center to create anti-spam policies](configure-your-spam-filter-policies.md#use-the-security-center-to-create-anti-spam-policies) and clear the **On** checkboxes for **Spam ZAP** and **Phish ZAP**.
- Disable the junk email rule in the custom mailbox. Use [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md) to disable the junk email rule. Once disabled, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action **Move message to Junk Email folder** or the safelist collection on the mailbox.
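Review bot: The anti-malware bullet updates only the anchor and still points at the anti-spam article: the link text reads "create anti-malware policies" but the target is configure-your-spam-filter-policies.md#use-the-security-center-to-create-anti-spam-policies. Point it at the anti-malware article instead (protect-against-threats.md links configure-anti-malware-policies.md for this purpose). Both bullets also keep the link text "Use the Security & Compliance Center to ..." while the new anchor says "security-center", and the second bullet still tells the reader to clear **Spam ZAP** and **Phish ZAP**, labels that the recommended-settings table renames in this same update.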