Updates from: 06/11/2021 03:21:36
Category Microsoft Docs article Related commit history on GitHub Change details
admin Compare Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/compare-groups.md
Shared mailboxes include a calendar that can be used for collaboration.
Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send emails from "Contoso Support" or "Building A Reception Desk."
-Currently it's not possible to migrate a shared mailbox to a Microsoft 365 group. Is this something you want? Let us know. **[Vote here](https://go.microsoft.com/fwlink/?linkid=871518)**.
+It's not possible to migrate a shared mailbox to a Microsoft 365 group.
## Related content
commerce Manage Billing Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-notifications.md
To receive your invoices as attachments to your invoice notifications, use the f
## Related content [View your bill or invoice](view-your-bill-or-invoice.md) (article)\
+[Billing information for Microsoft 365 for business in Mexico](/microsoft-365/commerce/billing-and-payments/mexico-billing-info) (article) \
[Understand your bill or invoice for Microsoft 365 for business](understand-your-invoice2.md) (article)\ [Add users and assign licenses at the same time](../../admin/add-users/add-users.md) (article)
commerce Understand Your Invoice2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice2.md
If you pay by invoice, you can add or change the purchase order (PO) number for
## Related content [Learn how to find and view your bill or invoice](view-your-bill-or-invoice.md) (article)\
+[Billing information for Microsoft 365 for business in Mexico](/microsoft-365/commerce/billing-and-payments/mexico-billing-info) (article) \
[Change your billing addresses](change-your-billing-addresses.md) (article)\ [Change your organization's address, technical contact email, and other information](../../admin/manage/change-address-contact-and-more.md) (article)\ [Pay for your Microsoft 365 for business subscription](pay-for-your-subscription.md) (article)\
commerce View Your Bill Or Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/view-your-bill-or-invoice.md
If you have a balance and would like to pay it, you can do that online. To learn
[Pay by invoice, credit card, or bank account](pay-for-your-subscription.md) (article) \ [Manage payment methods](manage-payment-methods.md) (article) \
+[Billing information for Microsoft 365 for business in Mexico](/microsoft-365/commerce/billing-and-payments/mexico-billing-info) (article) \
[Minecraft: Education Edition payment options](/education/windows/school-get-minecraft) (article)
compliance Create A Custom Sensitive Information Type In Scc Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type-in-scc-powershell.md
See [Potential validation issues to be aware of](#potential-validation-issues-to
For more information about the Boost.RegEx (formerly known as RegEx++) engine that's used for processing the text, see [Boost.Regex 5.1.3](https://www.boost.org/doc/libs/1_68_0/libs/regex/doc/html/).
+> [!NOTE]
+> If you use an ampersand character (&) as part of a keyword in your custom sensitive information type, please note that there is a known issue. You should add an additional term with spaces around the character to make sure that the character is properly identified, for example, L & P _not_ L&P.
+ ## Sample XML of a rule package Here's the sample XML of the rule package that we'll create in this topic. Elements and attributes are explained in the sections below.
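Review bot: The added note says "there is a known issue" with an ampersand in a keyword but never says what the issue is, so a reader cannot tell whether `L&P` fails to match, matches partially, or is rejected at upload. State the symptom in one clause. Also make clear whether the spaced term `L & P` is added alongside `L&P` or replaces it: "add an additional term" suggests the first, while "_not_ L&P" suggests the second.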
compliance Create Custom Sensitive Information Types With Exact Data Match Based Classification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification.md
-[Custom sensitive information types](sensitive-information-type-learn-about.md) are used to help identify sensitive items so that you can prevent them from being inadvertently or inappropriately shared. You define a custom sensitive information type based on:
+[Custom sensitive information types](sensitive-information-type-learn-about.md) are used to help identify sensitive items so that you can prevent them from being inadvertently or inappropriately shared. You define a custom sensitive information type (SIT)based on:
- patterns - keyword evidence such as *employee*, *badge*, or *ID*
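Review bot: The abbreviation is introduced without a space in "(SIT)based on" on the added line; it should read "(SIT) based on". Because later steps in this article now use "SIT" on its own, this first expansion is the one readers will rely on.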
EDM-based classification is included in these subscriptions
Setting up and configuring EDM-based classification involves:
-1. [Saving sensitive data in .csv format](#save-sensitive-data-in-csv-format)
+1. [Saving sensitive data in .csv or .tsv format](#save-sensitive-data-in-csv-or-tsv-format)
2. [Define your sensitive information database schema](#define-the-schema-for-your-database-of-sensitive-information) 3. [Create a rule package](#set-up-a-rule-package)
-#### Save sensitive data in .csv format
+#### Save sensitive data in .csv or .tsv format
-1. Identify the sensitive information you want to use. Export the data to an app, such as Microsoft Excel, and save the file in .csv format. The data file can include a maximum of:
+1. Identify the sensitive information you want to use. Export the data to an app, such as Microsoft Excel, and save the file in a text file. The file can be saved in .csv (comma-separated values), .tsv (tab-separated values), or pipe-separated (|) format. The .tsv format is recommended in cases where your data values may included commas, such as street addresses.
+The data file can include a maximum of:
- Up to 100 million rows of sensitive data - Up to 32 columns (fields) per data source - Up to 5 columns (fields) marked as searchable
-2. Structure the sensitive data in the .csv file such that the first row includes the names of the fields used for EDM-based classification. In your .csv file, you might have field names, such as "ssn", "birthdate", "firstname", "lastname". The column header names can't include spaces or underscores. For example, the sample .csv file that we use in this article is named *PatientRecords.csv*, and its columns include *PatientID*, *MRN*, *LastName*, *FirstName*, *SSN*, and more.
+2. Structure the sensitive data in the .csv or .tsv file such that the first row includes the names of the fields used for EDM-based classification. In your file you might have field names such as "ssn", "birthdate", "firstname", "lastname". The column header names can't include spaces or underscores. For example, the sample .csv file that we use in this article is named *PatientRecords.csv*, and its columns include *PatientID*, *MRN*, *LastName*, *FirstName*, *SSN*, and more.
-3. Pay attention to the format of the sensitive data fields. In particular, fields that may contain commas in their content (e.g. a street address that contains the value "Seattle,WA") would be parsed as two separate fields when parsed by the EDM tool. In order to avoid this, you need to ensure such fields are surrounded by single or double quotes in the sensitive data table. If fields with commas in them may also contain spaces, you would need to create a custom Sensitive Information Type that matches the corresponding format (e.g. a multi-word string with commas and spaces in it) to ensure the string is correctly matched when the document is scanned.
+3. Pay attention to the format of the sensitive data fields. In particular, fields that may contain commas in their content, for example, a street address that contains the value "Seattle,WA" would be parsed as two separate fields when parsed if the .csv format is selected. To avoid this, use the .tsv format or surrounded the comma containing values by double quotes in the sensitive data table. If comma containing values also contain spaces, you need to create a custom SIT that matches the corresponding format. For example, a SIT that detects multi-word string with commas and spaces in it.
#### Define the schema for your database of sensitive information
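Review bot: Step 3 now tells readers to wrap comma-containing values in double quotes only, where the removed text allowed "single or double quotes"; confirm that single-quoted values are no longer accepted, because existing data files prepared under the old wording would otherwise be parsed differently. The added lines also need a copy edit: "may included commas" in step 1, "save the file in a text file", "surrounded the comma containing values" and "when parsed if the .csv format is selected" in step 3. The new line "The data file can include a maximum of:" is no longer part of step 1, so check that the limits list still renders under it.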
In this example, where both `caseInsensitive` and `ignoredDelimiters` are used,
1. Create a rule package in XML format (with Unicode encoding), similar to the following example. (You can copy, modify, and use our example.)
- When you set up your rule package, make sure to correctly reference your .csv file and **edm.xml** file. You can copy, modify, and use our example. In this sample xml the following fields needs to be customized to create your EDM sensitive type:
+ When you set up your rule package, make sure to correctly reference your .csv or .tsv file and **edm.xml** file. You can copy, modify, and use our example. In this sample xml the following fields needs to be customized to create your EDM sensitive type:
- **RulePack id & ExactMatch id**: Use [New-GUID](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-6) to generate a GUID.
If you do not want to expose your clear text sensitive data file, you can hash i
- a Windows 10 or Windows Server 2016 machine with .NET version 4.6.2 for running the EDMUploadAgent - a directory on your upload machine for the: - EDMUploadAgent
- - your sensitive item file in csv format **PatientRecords.csv** in our examples
+ - your sensitive item file in .csv or .tsv format, **PatientRecords.csv** in our examples
- and the output hash and salt files - the datastore name from the **edm.xml** file, for this example its `PatientRecords` - If you used the [Exact Data Match schema and sensitive information type wizard](sit-edm-wizard.md) you ***must*** download it
This computer must have direct access to your Microsoft 365 tenant.
> Before you begin this procedure, make sure that you are a member of the **EDM\_DataUploaders** security group. > [!TIP]
-> Optionally, you can run a validation against your csv file before uploading by running:
+> Optionally, you can run a validation against your .csv or .tsv file before uploading by running:
> >`EdmUploadAgent.exe /ValidateData /DataFile [data file] /Schema [schema file]` >
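Review bot: The tip now covers .csv or .tsv files, but the `/ValidateData` command beneath it is unchanged and shows no `/ColumnSeparator` option, while the `/UploadData` command in step 4 gains one. State whether validation of a tab-separated or pipe-separated file needs the same option, otherwise a reader validating a .tsv file has no guidance on how the separator is detected.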
This computer must have direct access to your Microsoft 365 tenant.
4. To hash and upload the sensitive data, run the following command in Command Prompt window:
- `EdmUploadAgent.exe /UploadData /DataStoreName [DS Name] /DataFile [data file] /HashLocation [hash file location] /Schema [Schema file]`
+ `EdmUploadAgent.exe /UploadData /DataStoreName [DS Name] /DataFile [data file] /HashLocation [hash file location] /Schema [Schema file] /ColumnSeparator ["{Tab}"|"|"]`
Example: **EdmUploadAgent.exe /UploadData /DataStoreName PatientRecords /DataFile C:\Edm\Hash\PatientRecords.csv /HashLocation C:\Edm\Hash /Schema edm.xml**
- This will automatically add a randomly generated salt value to the hash for greater security. Optionally, if you want to use your own salt value, add the **/Salt <saltvalue>** to the command. This value must be 64 characters in length and can only contain the a-z characters and 0-9 characters.
+ The default format for the sensitive data file is comma-separated values. You can specify a tab-separated file by indicating the "{Tab}" option with the /ColumnSeparator parameter, or you can specify a pipe-separated file by indicating the "|" option.
+ This command will automatically add a randomly generated salt value to the hash for greater security. Optionally, if you want to use your own salt value, add the **/Salt <saltvalue>** to the command. This value must be 64 characters in length and can only contain the a-z characters and 0-9 characters.
5. Check the upload status by running this command:
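Review bot: In the added `/UploadData` syntax, `/ColumnSeparator ["{Tab}"|"|"]` uses square brackets for a choice of literal values, while `[DS Name]` and `[data file]` on the same line use them for placeholders, and nothing marks the parameter as optional even though the next added paragraph says comma-separated is the default. Mark it optional in the syntax line and add a second example that uses a .tsv file with `/ColumnSeparator "{Tab}"`, since the only example still shows the .csv case.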
OPTIONAL: If you used the Exact Data Match schema and sensitive information type
- .EdmHash - .EdmSalt
-2. Copy these files in a secure fashion to the computer you will use to upload your sensitive items csv file (PatientRecords) to your tenant.
+2. Copy these files in a secure fashion to the computer you will use to upload your sensitive items .csv or .tsv file (PatientRecords) to your tenant.
To upload the hashed data, run the following command in Windows Command Prompt:
You can refresh your sensitive information database daily, and the EDM Upload To
1. Determine your process and frequency (daily or weekly) for refreshing the database of sensitive information.
-2. Re-export the sensitive data to an app, such as Microsoft Excel, and save the file in .csv format. Keep the same file name and location you used when you followed the steps described in [Hash and upload the sensitive data](#part-2-hash-and-upload-the-sensitive-data).
+2. Re-export the sensitive data to an app, such as Microsoft Excel, and save the file in .csv or .tsv format. Keep the same file name and location you used when you followed the steps described in [Hash and upload the sensitive data](#part-2-hash-and-upload-the-sensitive-data).
> [!NOTE]
- > If there are no changes to the structure (field names) of the .csv file, you won't need to make any changes to your database schema file when you refresh the data. But if you must make changes, make sure to edit the database schema and your rule package accordingly.
+ > If there are no changes to the structure (field names) of the .csv or .tsv file, you won't need to make any changes to your database schema file when you refresh the data. But if you must make changes, make sure to edit the database schema and your rule package accordingly.
3. Use [Task Scheduler](/windows/desktop/TaskSchd/task-scheduler-start-page) to automate steps 2 and 3 in the [Hash and upload the sensitive data](#part-2-hash-and-upload-the-sensitive-data) procedure. You can schedule tasks using several methods:
$edminstallpath = 'C:\\Program Files\\Microsoft\\EdmUploadAgent\\'
$edmuploader = $edminstallpath + 'EdmUploadAgent.exe' $csvext = '.csv' $schemaext = '.xml'
-\# Assuming CSV file name is same as data store name
+\# Assuming file name is same as data store name and file is in .csv format
$dataFile = "$fileLocation\\$dataStoreName$csvext" \# Assuming location to store hash file is same as the location of csv file $hashLocation = $fileLocation
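Review bot: The updated comment says the file "is in .csv format", and the script still sets `$csvext = '.csv'`, but refresh step 2 above now tells readers they can save the export as .csv or .tsv. Either say in the comment what to change for a .tsv file (the extension variable and the `/ColumnSeparator` option described in the upload step) or note in step 2 that the sample scripts assume .csv. The same applies to the second script, which carries the identical comment change.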
$edmuploader = $edminstallpath + 'EdmUploadAgent.exe'
$csvext = '.csv' $edmext = '.EdmHash' $schemaext = '.xml'
-\# Assuming CSV file name is same as data store name
+\# Assuming file name is same as data store name and file is in .csv format
$dataFile = "$fileLocation\\$dataStoreName$csvext" $hashFile = "$fileLocation\\$dataStoreName$edmext" \# Assuming Schema file name is same as data store name
compliance Create Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-sensitivity-labels.md
This button starts the **Create policy** wizard, which lets you edit which label
When you use built-in labeling for Office apps on Windows, macOS, iOS, and Android, users see new labels within four hours, and within one hour for Word, Excel, and PowerPoint on the web when you refresh the browser. However, allow up to 24 hours for changes to replicate to all apps and services.
+> [!NOTE]
+> Other apps and services that support sensitivity labels might update more frequently than 24 hours with their own update schedules and triggers for policy updates. Check their documentation for details. For example, for the Azure Information Protection unified labeling client, see the **Policy update** row in the [Detailed comparisons for the Azure Information Protection clients](/azure/information-protection/rms-client/use-client#detailed-comparisons-for-the-azure-information-protection-clients) table.
+ ### Additional label policy settings with Security & Compliance Center PowerShell Additional label policy settings are available with the [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) cmdlet from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell).
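Review bot: "might update more frequently than 24 hours" in the added note compares a frequency with a duration; the preceding paragraph talks about how long changes take to replicate, so "might pick up changes sooner than 24 hours" or "more often than once every 24 hours" would be consistent with it. The added heading line also has a leading space before `###`, which is worth checking in the rendered page.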
compliance Data Loss Prevention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-loss-prevention-policies.md
If you choose to include or exclude specific SharePoint sites, a DLP policy can
If you choose to include or exclude specific OneDrive accounts or groups, a DLP policy can contain no more than 100 user accounts or 50 groups as inclusion or exclusion. > [!NOTE]
-> OneDrive for business policy scoping using accounts or groups is in public preview. During this phase, you can either include or exclude user accounts and groups as part of a DLP policy. Both inclusion and exclusion as part of the same policy is not supported.
+> OneDrive for business policy scoping using user accounts or groups is in public preview.
### Rules
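Review bot: The shortened note drops the sentence "Both inclusion and exclusion as part of the same policy is not supported" without replacing it, while the context line above still describes accounts or groups "as inclusion or exclusion". If the restriction has been lifted, say so; if it still applies during the preview, keep the sentence, because an administrator scoping a policy needs to know it.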
When you create a DLP policy that includes Microsoft Teams as a location, the po
## Permissions
-Members of your compliance team who will create DLP policies need permissions to the Security &amp; Compliance Center. By default, your tenant admin will have access to this location and can give compliance officers and other people access to the Security &amp; Compliance Center, without giving them all of the permissions of a tenant admin. To do this, we recommend that you:
+By default, Global admins, Security admins, and Compliance admins will have access to create and apply a DLP policy. Other Members of your compliance team who will create DLP policies need permissions to the Security &amp; Compliance Center. By default, your Tenant admin will have access to this location and can give compliance officers and other people access to the Security &amp; Compliance Center, without giving them all of the permissions of a Tenant admin. To do this, we recommend that you:
1. Create a group in Microsoft 365 and add compliance officers to it.
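Review bot: The rewritten paragraph now has two consecutive "By default" statements that name different roles: the first says Global, Security and Compliance admins can create and apply DLP policies, the second says the "Tenant admin" has access and can delegate it. State whether "Tenant admin" means the Global admin, and which of the three roles can grant access to others, since the paragraph is the page's guidance on delegating without handing out full admin rights. "Other Members" should be lower case, and the capitalisation of "Tenant admin" is inconsistent with "Global admins".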
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
Use the **Disposition** page from **Records Management** in the Microsoft 365 co
## Prerequisites for viewing content dispositions
-To manage disposition reviews and confirm that records have been deleted, you must have sufficient permissions and auditing must be enabled.
+To manage disposition reviews and confirm that records have been deleted, you must have sufficient permissions and auditing must be enabled. Also be aware of any [limitations](retention-limits.md#maximum-number-of-items-for-disposition) for disposition.
### Permissions for disposition
These items display **Records Disposed** in the **Type** column. For example:
![Items that were disposed of without a disposition review](../media/records-disposed2.png)
-Items that are shown in the **Disposed Items** tab are kept for up to seven years after the item was disposed, with a limit of one million items per record for that period. If you see the **Count** number nearing this limit of one million, and you need proof of disposition for your records, contact [Microsoft Support](../business-video/get-help-support.md).
- > [!NOTE] > This functionality uses information from the [unified audit log](search-the-audit-log-in-security-and-compliance.md) and therefore requires auditing to be [enabled and searchable](turn-audit-log-search-on-or-off.md) so the corresponding events are captured.
compliance Endpoint Dlp Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
f1.keywords:
Previously updated : 07/21/2020 Last updated : audience: ITPro f1_keywords:
compliance Retention Limits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-limits.md
SharePoint example:
- **Solution**: Create 20 retention policies for SharePoint with a retention period of 10 years that includes 100 specific sites, and create 80 retention policies for SharePoint with a retention period of 4 years that includes 100 specific sites.
- Because you don't need to retain all SharePoint sites, you must create retention policies that specify the specific sites. Because a retention policy doesn't support more than 100 specified sites, you must create multiple policies for the two retention periods. These retention policies have the maximum number of included sites, so the next new site that needs retaining would require a new retention policy, irrespective of the retention period.
+ Because you don't need to retain all SharePoint sites, you must create retention policies that specify the specific sites. Because a retention policy doesn't support more than 100 specified sites, you must create multiple policies for the two retention periods. These retention policies have the maximum number of included sites, so the next new site that needs retaining would require a new retention policy, irrespective of the retention period.
+
+## Maximum number of items for disposition
+
+For the [disposition of content](disposition.md), there are some limits to be aware of:
+
+- 1,000,000 items pending disposition per stage for each retention label
+
+- Proof of disposition for up to seven years after the item was disposed, with a limit of 1,000,000 items per retention label for that period.
+
+ If you need proof of disposition higher than this limit of 1,000,000 for items that are marked as records, contact [Microsoft Support](../business-video/get-help-support.md).
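Review bot: The proof-of-disposition limit added here is "1,000,000 items per retention label", but the paragraph removed from disposition.md in the same update stated it as "one million items per record"; confirm which unit is correct, because the two readings give very different capacities. The support guidance also changed from contacting support when the count is "nearing this limit" to when you need proof "higher than this limit", so it would help to say whether items beyond the limit are still recorded before support is involved.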
compliance Search For Ediscovery Activities In The Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-ediscovery-activities-in-the-audit-log.md
Currently, you have to do a few specific things to view eDiscovery activities in
1. Go to <https://compliance.microsoft.com> and sign in using your work or school account.
-2. In the left navigation pane of the Microsoft 365 compliance center, click **Show all**, and then click **Audit**.
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Audit**.
3. In the **Activities** drop-down list, under **eDiscovery activities** or **Advanced eDiscovery activities**, click one or more activities to search for.
Currently, you have to do a few specific things to view eDiscovery activities in
## eDiscovery activities
-The following table describes the Content Search and Core eDiscovery activities that are logged when an administrator or eDiscovery manager performs an eDiscovery-related activity using the compliance center or running the corresponding cmdlet in Security & Compliance Center PowerShell. Note also that some activities performed in Advanced eDiscovery may be returned when you search for activities in this list.
+The following table describes the Content Search and Core eDiscovery activities that are logged when an administrator or eDiscovery manager performs an eDiscovery-related activity using the Microsoft 365 compliance center. Some activities performed in Advanced eDiscovery may be returned when you search for activities in this list.
> [!NOTE]
-> The eDiscovery activities described in this section provide similar information to the eDiscovery cmdlet activities described in the next section. We recommend that you use the eDiscovery activities described in this section because they will appear in the audit log search results within 30 minutes. It takes up to 24 hours for the eDiscovery cmdlet activities to appear in audit log search results.
+> The eDiscovery activities described in this section provide similar information to the eDiscovery cmdlet activities described in the next section. We recommend that you use the eDiscovery activities described in this section because they will appear in the audit log search results within 30 minutes. It may take up to 24 hours for eDiscovery cmdlet activities to appear in audit log search results.
|**Friendly name**|**Operation**|**Corresponding cmdlet**|**Description**| |:--|:--|:--|:--|
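Review bot: The revised introduction removes "or running the corresponding cmdlet in Security & Compliance Center PowerShell", yet the table header directly below still has a "Corresponding cmdlet" column. Say explicitly whether these operations are logged only for actions in the compliance center, and what the cmdlet column is then meant to convey; someone building audit searches from this table needs to know whether PowerShell activity appears under these operation names or only under the cmdlet activities in the later section.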
The following table describes the Content Search and Core eDiscovery activities
|Changed search permissions filter <br/> |SearchPermissionUpdated <br/> |Set-ComplianceSecurityFilter <br/> |A search permissions filter was changed. <br/> | |Changed search query for eDiscovery case hold <br/> |HoldUpdated <br/> |Set-CaseHoldRule <br/> |A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold. <br/> | |Content search preview item downloaded <br/> |PreviewItemDownloaded <br/> |N/A <br/> |A user downloaded an item to their local computer (by clicking the **Download original item** link) when previewing search results. <br/> |
-|Content search preview item listed <br/> |PreviewItemListed <br/> |N/A <br/> |A user clicked **Preview search results** to display the preview search results page, which lists up to 1000 items from the results of a Content Search. <br/> |
+|Content search preview item listed <br/> |PreviewItemListed <br/> |N/A <br/> |A user clicked **Preview search results** to display the preview search results page, which lists up to 1,000 items from the results of a search. <br/> |
|Content search preview item viewed <br/> |PreviewItemRendered <br/> |N/A <br/> |An eDiscovery manager viewed an item by clicking it when previewing search results. <br/> | |Created content search <br/> |SearchCreated <br/> |New-ComplianceSearch <br/> |A new content search was created. <br/> | |Created eDiscovery administrator <br/> |CaseAdminAdded <br/> |Add-eDiscoveryCaseAdmin <br/> |A user was added as an eDiscovery Administrator in the organization. <br/> |
The following table describes the Content Search and Core eDiscovery activities
|Deleted search query for eDiscovery case hold <br/> |HoldRemoved <br/> |Remove-CaseHoldRule <br/> |A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released. <br/> | |Downloaded export of content search <br/> |SearchExportDownloaded <br/> |N/A <br/> |A user downloaded the results of a content search to their local computer. A **Started export of content search** activity has to be initiated before search results can be downloaded. <br/> | |Previewed results of content search <br/> |SearchPreviewed <br/> |N/A <br/> |A user previewed the results of a content search. <br/> |
-|Purged results of content search <br/> |SearchResultsPurged <br/> |New-ComplianceSearchAction <br/> |A user purged the results of a Content Search by running the **New-ComplianceSearchAction -Purge** command. <br/> |
+|Purged results of content search <br/> |SearchResultsPurged <br/> |New-ComplianceSearchAction <br/> |A user purged the results of a Content search by running the **New-ComplianceSearchAction -Purge** command. <br/> |
|Removed analysis of content search <br/> |RemovedSearchResultsSentToZoom <br/> |Remove-ComplianceSearchAction <br/> |A content search prepare action (to prepare search results for Advanced eDiscovery) was deleted. If the preparation action was less than two weeks old, the search results that were prepared for Advanced eDiscovery were deleted from the Microsoft Azure storage area. If the preparation action was older than 2 weeks, then this event indicates that only the corresponding preparation action was deleted. <br/> | |Removed export of content search <br/> |RemovedSearchExported <br/> |Remove-ComplianceSearchAction <br/> |A content search export action was deleted. If the export action was less than two weeks old, the search results that were uploaded to the Microsoft Azure storage area were deleted. If the export action was older than 2 weeks, then this event indicates that only the corresponding export action was deleted. <br/> | |Removed member from eDiscovery case <br/> |CaseMemberRemoved <br/> |Remove-ComplianceCaseMember <br/> |A user was removed as a member of an eDiscovery case. <br/> |
The following table describes the Content Search and Core eDiscovery activities
|Removed purge action performed on content search <br/> |RemovedSearchResultsPurged <br/> |Remove-ComplianceSearchAction <br/> |A content search purge action was deleted. <br/> | |Removed search report <br/> |SearchReportRemoved <br/> |Remove-ComplianceSearchAction <br/> |A content search export report action was deleted. <br/> | |Started analysis of content search <br/> |SearchResultsSentToZoom <br/> |New-ComplianceSearchAction <br/> |The results of a content search were prepared for analysis in Advanced eDiscovery. <br/> |
-|Started content search <br/> |SearchStarted <br/> |Start-ComplianceSearch <br/> |A content search was started. When you create or change a content search by using the Microsoft 365 compliance center GUI, the search is automatically started. If you create or change a search by using the **New-ComplianceSearch** or **Set-ComplianceSearch** cmdlet, you have to run the **Start-ComplianceSearch** cmdlet to start the search. <br/> |
+|Started content search <br/> |SearchStarted <br/> |Start-ComplianceSearch <br/> |A content search was started. When you create or change a content search by using the Microsoft 365 compliance center, the search is automatically started.<br/> |
|Started export of content search <br/> |SearchExported <br/> |New-ComplianceSearchAction <br/> |A user exported the results of a content search. <br/> | |Started export report <br/> |SearchReport <br/> |New-ComplianceSearchAction <br/> |A user exported a content search report. <br/> | |Stopped content search <br/> |SearchStopped <br/> |Stop-ComplianceSearch <br/> |A user stopped a content search. <br/> |
-|(none)|CaseViewed|Get-ComplianceCase|A user viewed the list of cases on the **Core eDiscovery** page or the **Advanced eDiscovery** page in the compliance center or by running the Get-ComplianceCase cmdlet.|
-|(none)|SearchViewed|Get-ComplianceSearch|A user viewed the list on content searches (listed on the **Searches** tab) in the compliance center or by running the cmdlet. This activity is also logged when a user views the list of content searches associated with an eDiscovery case (by clicking the **Searches** tab in a case) or by running the **Get-ComplianceSearch -Case** command.|
-|(none)|ViewedSearchExported|Get-ComplianceSearchAction -Export|A user viewed the list of content search export jobs (listed on the **Exports** tab) in the compliance center or by running the cmdlet. This activity is also logged when a user views the list of export jobs in an eDiscovery case (listed on the **Exports** tab in a case) or by running the **Get-ComplianceSearchAction -Case -Export** command.|
-|(none)|ViewedSearchPreviewed|Get-ComplianceSearchAction -Preview|A user previews the results of a content search in the compliance center or by running the cmdlet.|
+|(none)|CaseViewed|Get-ComplianceCase|A user viewed a Core eDiscovery case in the compliance center. The audit record for this event includes the name of the case that was viewed. |
+|(none)|SearchViewed|Get-ComplianceSearch|A user viewed a Content search in the compliance center by accessing the search on the **Searches** tab in a Core eDiscovery case or accessing it on the **Content search** page. The audit record for this event includes the identity of the search that was viewed.|
+|(none)|ViewedSearchExported|Get-ComplianceSearchAction -Export|A user viewed a Content search export in the compliance center by accessing the export on the **Exports** tab on the **Content search** page. This activity is also logged when a user views an export associated with a Core eDiscovery case.|
+|(none)|ViewedSearchPreviewed|Get-ComplianceSearchAction -Preview|A user previewed the results of a Content search in the compliance center. This activity is also logged when a user previews the results of a search associated with a Core eDiscovery case.|
||||| ## Advanced eDiscovery activities
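Review bot: The rewritten SearchViewed, ViewedSearchExported and ViewedSearchPreviewed rows no longer say whether viewing the list of searches or exports, or running the cmdlet directly, still produces these records, which is what the removed rows described. Anyone filtering the audit log on these operation names needs to know that, so add a sentence to each row stating whether list views and cmdlet runs are still logged under the operation and whether the record then carries an object identity. The CaseViewed row also has a stray space before its closing pipe (`viewed. |`).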
The following table describes the Advanced eDiscovery activities logged in the a
The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the compliance center or by running the corresponding cmdlet in Security & Compliance Center PowerShell. The detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.
-As previously stated, it takes up to 24 hours for eDiscovery cmdlet activities to appear in the audit log search results.
+As previously stated, it may take up to 24 hours for eDiscovery cmdlet activities to appear in the audit log search results.
> [!TIP] > The cmdlets in the **Operation** column in the following table are linked to the corresponding cmdlet help topic on TechNet. Go to the cmdlet help topic for a description of the available parameters for each cmdlet. The parameter and the parameter value that were used with a cmdlet are included in the audit log entry for each eDiscovery cmdlet activity that's logged.
As previously stated, it takes up to 24 hours for eDiscovery cmdlet activities t
|Created eDiscovery administrator <br/> |[Add-eDiscoveryCaseAdmin](/powershell/module/exchange/add-ediscoverycaseadmin) <br/> |A user was added as an eDiscovery Administrator in your organization. <br/> | |Deleted eDiscovery administrator <br/> |[Remove-eDiscoveryCaseAdmin](/powershell/module/exchange/remove-ediscoverycaseadmin) <br/> |An eDiscovery Administrator was deleted from your organization. <br/> | |Changed eDiscovery administrator membership <br/> |[Update-eDiscoveryCaseAdmin](/powershell/module/exchange/update-ediscoverycaseadmin) <br/> |The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the **Add-eDiscoveryCaseAdmin** or **Remove-eDiscoveryCaseAdmin** operation is logged. <br/> |
+|(none)|[Get-ComplianceCase](/powershell/module/exchange/get-compliancecase) <br/>|This activity is logged when a user viewed a list of Core eDiscovery or Advanced eDiscovery cases. This activity is also logged when a user views a specific case in Core eDiscovery. When a user views a specific case, the audit record includes the identity of the case that was viewed. If the user only viewed a list of cases, the audit record doesn't contain a case identity.|
+|(none)|[Get-ComplianceSearch](/powershell/module/exchange/get-compliancesearch)|This activity is logged when a user viewed a list of Content searches or searches associated with a Core eDiscovery case. This activity is also logged when a user views a specific Content search or views a specific search associated with a Core eDiscovery case. When a user views a specific search, the audit record includes the identity of the search that was viewed. If the user only viewed a list of searches, the audit record doesn't contain a search identity.
+|(none)|[Get-ComplianceSearchAction](/powershell/module/exchange/get-compliancesearchaction)|This activity is logged when a user viewed a list of compliance search actions (such as exports, previews, or purges) or actions associated with a Core eDiscovery case. This activity is also logged when a user views a specific compliance search action (such as an export) or views a specific action associated with a Core eDiscovery case. When a user views a search action, the audit record includes the identity of the search action that was viewed. If the user only viewed a list of actions, the audit record doesn't contain an action identity.|
+||||
## Detailed properties for eDiscovery activities
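Review bot: The added Get-ComplianceSearch row has no closing `|`, unlike the Get-ComplianceCase and Get-ComplianceSearchAction rows on either side of it, so the table may render with a broken row. The three new rows are also inconsistent with each other and with the existing rows: only the Get-ComplianceCase cell keeps the `<br/>` suffix, and the descriptions mix tenses ("is logged when a user viewed a list" next to "when a user views a specific case"). Add the closing pipe and pick one tense.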
The following table describes the properties that are included when you click **
|ExtendedProperties <br/> |Additional properties from a content search, a content search action, or hold in an eDiscovery case, such as the object GUID and the corresponding cmdlet and cmdlet parameters that were used when the activity was performed. <br/> | |Id <br/> |The ID of the report entry. The ID uniquely identifies the audit log entry. <br/> | |NonPIIParameters <br/> |A list of the parameters (without any values) that were used with the cmdlet identified in the Operation property. The parameters listed in this property are the same as those listed in the Parameters property. <br/> |
-|ObjectId <br/> |The GUID or name of the object (for example, a Content Search or an eDiscovery case) that was created, changed, or deleted by the activity listed in the Operation property. This object is also identified in the Item column in the audit log search results. <br/> |
+|ObjectId <br/> |The GUID or name of the object (for example, a Content search or a Core eDiscovery case) that was created, accessed, changed, or deleted by the activity listed in the Operation property. This object is also identified in the Item column in the audit log search results. <br/> |
|ObjectType <br/> |The type of eDiscovery object that the user created, deleted, or modified; for example, a content search action (preview, export, or purge), an eDiscovery case, or a content search. <br/> | |Operation <br/> |The name of the operation that corresponds to the eDiscovery activity that was performed. <br/> | |OrganizationId <br/> |The GUID for your Microsoft 365 organization. <br/> |
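Review bot: ObjectId now lists "created, accessed, changed, or deleted", but the ObjectType row directly below still reads "created, deleted, or modified", so the two property descriptions disagree about whether view events are covered. If view operations also populate ObjectType, add "accessed" there in the same change.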
The following table describes the properties that are included when you click **
|UserServicePlan <br/> |The subscription used by your organization. For eDiscovery activities, this property is typically blank. <br/> | |UserType <br/> |The type of user that performed the operation. The following values indicate the user type. <br/> 0 A regular user. 2 An administrator in your organization. 3 A Microsoft datacenter administrator or datacenter system account. 4 A system account. 5 An application. 6 A service principal. | |Version <br/> |Indicates the version number of the activity (identified by the Operation property) that's logged. <br/> |
-|Workload <br/> |Theservice where the activity occurred. For eDiscovery activities, the value is **SecurityComplianceCenter**. <br/> |
+|Workload <br/> |The service where the activity occurred. For eDiscovery activities, the value is **SecurityComplianceCenter**. <br/> |
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Provide help link to a custom help page](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Mark the content](sensitivity-labels.md#what-sensitivity-labels-can-do) | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
-|[Dynamic markings with variables](#dynamic-markings-with-variables) | 2010+ | 16.42+ | 2.42+ | 16.0.13328+ | Under review |
+|[Dynamic markings with variables](#dynamic-markings-with-variables) | 2010+ | 16.42+ | 2.42+ | 16.0.13328+ | Rolling out |
|[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Let users assign permissions: <br /> - Prompt users](encryption-sensitivity-labels.md#let-users-assign-permissions) |2004+ | 16.35+ | Under review | Under review | Under review | |[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | 2.46+ | Rolling out: 16.0.13628+ | Yes <sup>\*</sup> |
compliance Sensitivity Labels Sharepoint Onedrive Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
description: "Administrators can enable sensitivity label support for Word, Exce
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*
-Enable sensitivity labels for Office files in SharePoint and OneDrive so that users can apply your [sensitivity labels](sensitivity-labels.md) in Office for the web. When this feature is enabled, users will see the **Sensitivity** button on the ribbon so they can apply labels, and see any applied label name on the status bar.
+Enable built-in labeling for [supported Office files](sensitivity-labels-office-apps.md#office-file-types-supported) in SharePoint and OneDrive so that users can apply your [sensitivity labels](sensitivity-labels.md) in Office for the web. When this feature is enabled, users will see the **Sensitivity** button on the ribbon so they can apply labels, and see any applied label name on the status bar.
-Enabling this feature also results in SharePoint and OneDrive being able to process the contents of files that have been encrypted by using a sensitivity label. The label can be applied in Office for the web, or in Office desktop apps and uploaded or saved in SharePoint and OneDrive. Until you enable this feature, these services can't process encrypted files, which means that coauthoring, eDiscovery, Data Loss Prevention, search, and other collaborative features won't work for these files.
+Enabling this feature also results in SharePoint and OneDrive being able to process the contents of Office files that have been encrypted by using a sensitivity label. The label can be applied in Office for the web, or in Office desktop apps and uploaded or saved in SharePoint and OneDrive. Until you enable this feature, these services can't process encrypted files, which means that coauthoring, eDiscovery, Data Loss Prevention, search, and other collaborative features won't work for these files.
After you enable sensitivity labels for Office files in SharePoint and OneDrive, for new and changed files that have a sensitivity label that applies encryption with a cloud-based key (and doesn't use [Double Key Encryption](double-key-encryption.md)):
compliance Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels.md
When you configure a label policy, you can:
![Prompt in Outlook asking user to apply required label](../media/sensitivity-labels-mandatory-prompt-aipv2-outlook.PNG)
- > [!NOTE]
- > Mandatory labeling for documents and emails isn't available for all apps or all platforms. For more information, see [Require users to apply a label to their email and documents](sensitivity-labels-office-apps.md#require-users-to-apply-a-label-to-their-email-and-documents).
+ For more information about mandatory labeling for documents and emails, see [Require users to apply a label to their email and documents](sensitivity-labels-office-apps.md#require-users-to-apply-a-label-to-their-email-and-documents).
For containers, a label must be assigned at the time the group or site is created.
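Review bot: Replacing the `[!NOTE]` with a plain pointer drops the statement that mandatory labeling "isn't available for all apps or all platforms". A reader configuring a label policy from this page can now assume enforcement is universal and leave unlabeled content on unsupported clients. Keep that one clause in the new sentence, for example by opening it with "Mandatory labeling isn't available for all apps or platforms;" before the link.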
compliance Set Up Compliance Boundaries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-compliance-boundaries.md
Although more user attributes are available, particularly for Exchange mailboxes
## Step 2: File a request with Microsoft Support to synchronize the user attribute to OneDrive accounts
+> [!IMPORTANT]
+> This step is no longer required. Starting in June 2021, mailbox filters will apply to OneDrive for Business. Support requests to synchronize the attribute to OneDrive will be declined because it's no longer required. This article will be updated in the near future.
+ The next step is to file a request with Microsoft Support to synchronize the Azure AD attribute that you chose in Step 1 to all OneDrive accounts in your organization. After this synchronization occurs, the attribute (and its value) that you chose in Step 1 will be mapped to a hidden managed property named `ComplianceAttribute`. You use this attribute to create the search permissions filter for OneDrive in Step 4. Include the following information when you submit the request to Microsoft support:
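Review bot: The new `[!IMPORTANT]` block says Step 2 is no longer required, but the paragraph under it still tells the reader to file the support request and says the resulting `ComplianceAttribute` property is what you use "to create the search permissions filter for OneDrive in Step 4". The callout does not say which filter scopes OneDrive now, and compliance boundaries are an access boundary for eDiscovery searches, so an admin who skips Step 2 and keeps the old Step 4 filter may end up with OneDrive content outside the boundary. State in the callout what replaces the `ComplianceAttribute` filter for OneDrive, or flag the affected part of Step 4 as superseded, rather than deferring it to "the near future".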
If the region specified in the search permissions filter doesn't exist in your o
**What is the maximum number of search permissions filters that can be created in an organization?**
-There is no limit to the number of search permissions filters that can be created in an organization. However, search performance will be impacted when there are more than 100 search permissions filters. To keep the number of search permissions filters in your organization as small as possible, create filters that combine rules for Exchange, SharePoint, and OneDrive into a single search permissions filter whenever possible.
+There is no limit to the number of search permissions filters that can be created in an organization. However, search performance will be impacted when there are more than 100 search permissions filters. To keep the number of search permissions filters in your organization as small as possible, create filters that combine rules for Exchange, SharePoint, and OneDrive into a single search permissions filter whenever possible.
compliance Sit Edm Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-edm-wizard.md
steps in [Part 1: Set up EDM-based classification](create-custom-sensitive-infor
1. Familiarize yourself with the steps to create a custom sensitive information type with EDM [work flow at a glance](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md#the-work-flow-at-a-glance).
-2. Perform the steps in the [Save sensitive data in .csv format](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md#save-sensitive-data-in-csv-format) section.
+2. Perform the steps in [Save sensitive data in .csv or .tsv format](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md#save-sensitive-data-in-csv-or-tsv-format).
## Use the exact data match schema and sensitive information type pattern wizard
enterprise Moving Data To New Datacenter Geos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/moving-data-to-new-datacenter-geos.md
Data moves to the new datacenter geo are completed at no additional cost to the
[New datacenter geos for Microsoft Dynamics CRM Online](/power-platform/admin/new-datacenter-regions)
-[Azure services by region](https://azure.microsoft.com/regions/)
+[Azure services by region](https://azure.microsoft.com/regions/)
+
+[Teams experience in a Microsoft 365 Multi-Geo-enabled tenancy](/microsoftteams/teams-experience-o365odb-spo-multi-geo)
enterprise Ms Cloud Germany Transition Add Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-devices.md
description: "Summary: Additional device information on services when moving fro
# Additional device information for the migration from Microsoft Cloud Deutschland
-Azure AD joined and registered devices connected to Microsoft Cloud Deutschland must be migrated after phase 9 and before phase 10. The migration of a device depends on the devices type, operating system and AAD relation.
+Azure AD joined and registered devices connected to Microsoft Cloud Deutschland must be migrated after phase 9 and before phase 10. The migration of a device depends on the devices type, operating system and Azure AD relation.
-## Frequently asked questions
-
-**How can I tell if my organization is affected?**
-
-Administrators should check `https://portal.microsoftazure.de` to determine if they have any registered or Azure AD joined devices. If your organization has registered devices, you're affected.
-
-**What is the impact on my users?**
-
-Users from a registered device will no longer be able to sign in after [migration phase 10](ms-cloud-germany-transition-phases.md#phase-9--10-azure-ad-finalization) has been completed and the endpoints for Microsoft Cloud Deutschland have been disabled.
-
-Ensure that all of your devices are registered with the worldwide endpoint before your organization is disconnected from Microsoft Cloud Deutschland.
-
-**When do my users re-register their devices?**
-
-It's critical to your success that you only unregister and re-register your devices after [phase 9](ms-cloud-germany-transition-phases.md#phase-9--10-azure-ad-finalization) has been completed. You must finish the re-registration before phase 10 starts, otherwise you could lose access to your device.
-
-**How do I restore my device state after migration?**
-
-For company-owned Windows devices that are registered with Azure AD, administrators will be able to manage the migration of these devices through remotely triggered workflows that will unregister the old device states.
-
-For all other devices, including personal Windows devices that are registered in Azure AD, the end user must perform these steps manually. For Azure ADΓÇôjoined devices, users need to have a local administrator account to unregister and then re-register their devices.
-
-Please refer to detailed instructions for how to successfully restore device states below.
-
-**How do I know that all my devices are registered in the public cloud?**
-
-To check whether your devices are registered in the public cloud, you should export and download the list of devices from the Azure AD portal to an Excel spreadsheet. Then, filter the devices that are registered (by using the _registeredTime_ column) after the [Separate from Microsoft Cloud Deutschland](ms-cloud-germany-transition.md#how-is-the-migration-organized) migration phase.
-
-## Additional considerations
-Device registration is deactivated after migration of the tenant and cannot be enabled or disabled.
-
-If Intune is not used, sign in to your subscription and run this command to re-activate the option:
-
-```powershell
-Get-AzureADServicePrincipal -All:$true |Where-object -Property AppId -eq "0000000a-0000-0000-c000-000000000000" | Set-AzureADServicePrincipal -AccountEnabled:$false
-```
-**IMPORTANT:** The Intune service principal will be enabled after commerce migration, which implies the activation of Azure AD Device Registration. If you blocked Azure AD Device Registration before migration, you must disable the Intune service principal with PowerShell to disable Azure AD Device Registration with the Azure AD portal again. You can disable the Intune service principal with this command in the Azure Active Directory PowerShell for Graph module.
-
-```powershell
-Get-AzureADServicePrincipal -All:$true |Where-object -Property AppId -eq "0000000a-0000-0000-c000-000000000000" | Set-AzureADServicePrincipal -AccountEnabled:$false
-```
--
-## Azure AD Join
-This applies to Windows 10 devices.
-
-If a device is Azure AD joined, it must be disconnected from Azure AD and be connected again.
+## Azure AD Joined Windows 10 devices
+If a Windows 10 device is Azure AD joined, it must be disconnected from Azure AD and must be connected again.
[ ![Azure AD Device Re-Join Flow](../media/ms-cloud-germany-migration-opt-in/AAD-ReJoin-flow.png) ](../media/ms-cloud-germany-migration-opt-in/AAD-ReJoin-flow.png#lightbox)
-If the user is an administrator on the Windows 10 device, the user can unregister the device from Azure AD and re-join it again. If he has no administrator privileges, the user needs credentials of a local administrator account on this machine.
--
-An Administrator can create an local administrator account on the device following this configuration path:
-
-*Settings > Accounts > Other Accounts > Credentials unknown > Add user without Microsoft-Account*
+If the user is an administrator on the Windows 10 device, the user can unregister the device from Azure AD and re-join it again in three steps.
### Step 1: Determine if the device is Azure ID joined
-1. Sign In with users E-mail and password.
-2. Go to Settings > Accounts > Access Work Or School.
-3. Look for a user in the list with **connected to … ‘s Azure AD**.
-4. If a connected user exists, proceed with Step 2. If not, no further action is required.
+1. Sign in with your work account.
+2. Go to **Settings** > **Accounts** > **Access Work Or School**.
+3. Look for an account in the list with **connected to […]‘s Azure AD**.
+4. If a connected account exists, proceed with Step 2.
### Step 2: Disconnect the device from Azure AD
-1. Tap **Disconnect** on the connected work or School Account.
+1. Click **Disconnect** on the connected work or School Account.
2. Confirm the disconnect twice.
-3. Enter the local administrator username and password. The device is disconnected.
+3. Enter a local administrator username and password. The device is disconnected.
4. Restart the device. ### Step 3: Join the device to Azure AD
-1. the user signs in with the credentials of the local administrator
-2. Go to **Settings** then **Accounts** then **Access Work Or School**
-3. Tap **Connect**
-4. **IMPORTANT**: Tap **Join to Azure AD**
-5. Enter the e-mail address and password of the user. The device is connected
-6. Restart the device
-7. sign with your e-mail address and password
-
-## Azure AD Registered (Company owned)
-
-To determine whether the Windows 10 device is Azure ADΓÇôregistered, run the following command on the device:
-
-```console
-%SystemRoot%\system32\dsregcmd.exe /status
-```
+1. Sign in with the credentials of the local administrator.
+2. Go to **Settings** > **Accounts** > **Access Work Or School**.
+3. Click **Connect**.
+4. **IMPORTANT**: Click **Join to Azure AD**.
+5. Enter the e-mail address and password of your work account. The device is connected.
+6. Restart the device.
+7. Sign in with the email address and password of your work account.
-If the device is Azure AD Registered, you would see the following output:
+If the user is not an administrator of the device, an Azure AD global administrator can create the local administrator account on the device following this configuration path and unjoin the device:
-```console
-+-+
-| User State |
-+-+
- WorkplaceJoined : YES
- WamDefaultSet : NO
- WamDefaultAuthority : organizations
-```
+*Settings > Accounts > Other Accounts > Credentials unknown > Add user without Microsoft-Account*
-To remove the existing Azure AD-registered account on the device:
+For re-joining, the credentials of any work account from your organization can be used in this step.
-- To remove the Azure ADΓÇôregistered account on the device, use CleanupWPJ, a tool that you can download from here: [CleanupWPJ.zip](https://download.microsoft.com/download/8/e/f/8ef13ae0-6aa8-48a2-8697-5b1711134730/WPJCleanUp.zip).
+Please consider that the work account used to join the device will be automatically promoted as an Administrator of the device.
+Any other work account from the organization can sign in to the device, but has no administrator privileges.
-- Extract the ZIP file and run **WPJCleanup.cmd**. This tool will launch the right executable based on the version of Windows on the device.
+## Azure AD registered (workplace-joined) Windows 10 devices
+If a Windows 10 device is Azure AD registered, it needs to be disconnected from the Azure AD and connected again.
-- By using a mechanism like Group Policy, the admin can run the command on the device in the context of any user who is signed in on the device.
+[ ![Azure AD Device Re-Registration Flow](../media/ms-cloud-germany-migration-opt-in/AAD-ReRegistration-flow.png) ](../media/ms-cloud-germany-migration-opt-in/AAD-ReJoin-flow.png#lightbox)
-To disable Web Account Manager prompts to register the device in Azure AD, add this registry value:
+### Step 1: Determine if the device is Azure ID registered
+1. Sign in with your user.
+2. Go to **Settings** > **Accounts** > **Access Work Or School**.
+3. Discover your work account in the list and check if it is **connected to […]‘s Azure AD**.
-- Location: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin-- Type: DWORD (32 bit)-- Name: BlockAADWorkplaceJoin-- Value data: 1
+ If your work account is in the list but NOT connected to an Azure AD, proceed with step 2.
-The presence of this registry value should block workplace join and prevent users from seeing prompts to join the device.
+ Otherwise, your device is an Azure AD joined device and you have to refer to [this section](##-Azure-AD-Joined-Windows-10-devices).
+### Step 2: Disconnect the device from Azure AD
+1. Click on your work account. The buttons *Info* and *Disconnect* appear.
+2. Click **Disconnect**.
+3. Confirm account removal from the device by clicking **Yes**.
+### Step 3: Connect the device to Azure AD
+1. Click **Connect**.
+2. Enter the email address of your work account and click **Next**.
+3. Enter the password of your work account and click **Sign in**.
+4. Confirm by clicking **Done**. Your work account is listed again.
## Android
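Review bot: In the text added after Step 3 of the Azure AD joined section, "the credentials of any work account from your organization can be used" is followed by the statement that the account used to join "will be automatically promoted as an Administrator of the device". Together these mean local administrator rights go to whoever happens to perform the re-join. Tell admins to join with the account that is meant to hold those rights, and to check the device's local Administrators group afterwards. Three smaller defects in the added lines: the link `[this section](##-Azure-AD-Joined-Windows-10-devices)` uses a double `#` and raw heading text, so it will not resolve (use a single `#` and the lowercase heading slug); the Re-Registration image links its lightbox to `AAD-ReJoin-flow.png#lightbox` instead of the re-registration image; and the new Step 1 heading says "Azure ID registered" where "Azure AD registered" is meant. The hunk also removes the `dsregcmd.exe /status` check and the CleanupWPJ instructions without a replacement, leaving admins of company-owned devices with only the manual per-user UI steps.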
On iOS devices, a user will need to manually remove any cached accounts from the
Users can go to individual apps like Outlook, Teams, and OneDrive, and remove accounts from those apps.
+## Frequently asked questions
+
+**How can I tell if my organization is affected?**
+
+Administrators should check `https://portal.microsoftazure.de` to determine if they have any Azure AD registered or Azure AD joined devices. If your organization has Azure AD registered or Azure AD joined devices, your organization has to follow the instructions on this page.
+
+**When do my users re-register their devices?**
+
+It's critical to your success that you only unregister and re-register your devices after [phase 9](ms-cloud-germany-transition-phases.md#Phase-9-&-10:-Azure-AD-Finalization) has been completed. You must finish the re-registration before phase 10 starts, otherwise you could lose access to your device.
+
+**How do I know that all my devices are registered in the public cloud?**
+
+To check whether your devices are registered in the public cloud, you should export and download the list of devices from the Azure AD portal to an Excel spreadsheet. Then, filter the devices that are registered (by using the _registeredTime_ column) after the date when your organization has passed [phase 9 of the migration process](ms-cloud-germany-transition-phases.md#Phase-9-&-10:-Azure-AD-Finalization).
+
+## Additional considerations
+
+**IMPORTANT:** The Intune service principal will be enabled after [phase 3 of the migration process](ms-cloud-germany-transition-phases.md#Phase-3:-Subscription-transfer), which implies the activation of Azure AD Device Registration. If you blocked Azure AD Device Registration before migration, you must disable the Intune service principal with PowerShell to disable Azure AD Device Registration with the Azure AD portal again. You can disable the Intune service principal with this command in the Azure Active Directory PowerShell for Graph module.
+
+```powershell
+Get-AzureADServicePrincipal -All:$true |Where-object -Property AppId -eq "0000000a-0000-0000-c000-000000000000" | Set-AzureADServicePrincipal -AccountEnabled:$false
+```
+ ## More information Getting started:
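Review bot: The links added in the FAQ and in the IMPORTANT paragraph use raw heading text as the fragment (`#Phase-9-&-10:-Azure-AD-Finalization`, `#Phase-3:-Subscription-transfer`), whereas the FAQ text removed earlier in this file linked to the same heading as `#phase-9--10-azure-ad-finalization`. Fragments containing uppercase letters, `&` and `:` are unlikely to match the generated heading IDs, so use the lowercase slugs. For the `Set-AzureADServicePrincipal -AccountEnabled:$false` command, add a line telling the admin how to confirm the result (the `AccountEnabled` value returned by `Get-AzureADServicePrincipal` for that AppId), since the paragraph says the service principal is re-enabled during migration and a silent failure would leave device registration open.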
knowledge Set Up Topic Experiences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/set-up-topic-experiences.md
It may take up to an hour for users to get access to Topics after the licenses a
## Set up Topics
-To set up Topics
+> [!Note]
+> The first time topic discovery is enabled, it may take up to two weeks for all suggested topics to appear in the Manage Topics view. Topic discovery continues as new content or updates to content are made. It is normal to have fluctuations in the number of suggested topics in your organization as Viva Topics evaluates new information.
+To set up Topics
1. In the [Microsoft 365 admin center](https://admin.microsoft.com), select **Setup**, and then view the **Files and content** section. 2. In the **Files and content** section, click **Connect people to knowledge**.
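Review bot: No blank line is visible between the added note (`+> The first time topic discovery is enabled ...`) and the re-added `+To set up Topics`. Without one, Markdown treats the following line as a continuation of the blockquote and "To set up Topics" renders inside the note. Add an empty line after the note, and write the alert keyword as `[!NOTE]` to match the uppercase `[!TIP]` and `[!IMPORTANT]` used elsewhere in these docs.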
To set up Topics
![Settings applied](../media/ksetup7.png)
-Note that the first time topic discovery is enabled, it may take up to two weeks for all suggested topics to appear in the Manage Topics view. Topic discovery continues as new content or updates to content are made. It is normal to have fluctuations in the number of suggested topics in your organization as Viva Topics evaluates new information.
- ## Manage topic experiences Once you have set up Topics, you can change the settings that you chose during setup in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal#/featureexplorer/csi/KnowledgeManagement). See the following references:
knowledge Topic Experiences Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-overview.md
When a topic is identified and AI determines that it has enough information for
Your knowledge admins can choose to crawl all SharePoint sites in your tenant for topics, or to just select certain ones.
-See [Topic discovery and curation](./topic-experiences-discovery-curation.md).
+For more information, see [Topic discovery and curation](./topic-experiences-discovery-curation.md).
## Roles
When you use Viva Topics in your Microsoft 365 environment, your users will have
- Contributors: Users who have rights to edit existing topics or create new ones. Knowledge admins assign contributor permissions to users through the Viva Topics settings in the Microsoft 365 admin center. Note that you can also choose to give all topic viewers the permission to edit and create topics so that everyone can contribute to topics that they see. -- Knowledge managers: Users who guide topics through the topic lifecycle. Knowledge managers use the **Manage topics** page in the Topic center to confirm AI-suggested topics, remove topics that are no longer relevant, as well as edit existing topics or create new ones, and are the only users who have access to it. Knowledge admins assign knowledge manager permissions to users through the Viva Topics admin settings in the Microsoft 365 admin center.
+- Knowledge managers: Users who guide topics through the topic lifecycle. Knowledge managers use the **Manage topics** page in the topic center to confirm AI-suggested topics, remove topics that are no longer relevant, as well as edit existing topics or create new ones, and are the only users who have access to it. Knowledge admins assign knowledge manager permissions to users through the Viva Topics admin settings in the Microsoft 365 admin center.
- Knowledge admins: Admins set up Viva Topics and manage it through the admin controls in the Microsoft 365 admin center. Currently, a Microsoft 365 global or SharePoint administrator can serve as a knowledge admin.
For more information, see [Viva Topics roles](topic-experiences-roles.md).
Topic management is done in the **Manage topics** page in your organization's *topic center*. The topic center is created during setup and serves as your center of knowledge for your organization.
-While all licensed users can see topics they're connected with in the Topic center, only users with *Manage topics* permissions (knowledge managers) can view and use the **Manage topics** page.
+While all licensed users can see topics they're connected with in the topic center, only users with *Manage topics* permissions (knowledge managers) can view and use the **Manage topics** page.
Knowledge managers can: - Confirm or remove topics that were discovered in your tenant. - Create new topics manually as needed (for example, if not enough information was provided for it to be discovered through AI).-- Edit existing topic pages.<br/>
+- Edit existing topic pages.
-For more information, see [Manage topics in the Topic center](manage-topics.md).
+For more information, see [Manage topics in the topic center](manage-topics.md).
## Admin controls
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) #### [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](configure-real-time-protection-microsoft-defender-antivirus.md) #### [Configure remediation for Microsoft Defender Antivirus detections](configure-remediation-microsoft-defender-antivirus.md)
-#### [Configure scheduled quick or full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+#### [Configure Microsoft Defender Antivirus scans](schedule-antivirus-scans.md)
+##### [Schedule antivirus scans using Group Policy](schedule-antivirus-scans-group-policy.md)
+##### [Schedule antivirus scans using PowerShell](schedule-antivirus-scans-powershell.md)
+##### [Schedule antivirus scans using Windows Management Instrumentation (WMI)](schedule-antivirus-scans-wmi.md)
#### [Use limited periodic scanning in Microsoft Defender Antivirus](limited-periodic-scanning-microsoft-defender-antivirus.md) #### [Compatibility with other security products](microsoft-defender-antivirus-compatibility.md)
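Review bot: Swapping the TOC target from scheduled-catch-up-scans-microsoft-defender-antivirus.md to schedule-antivirus-scans.md needs a redirect check. If the old file is being retired, confirm a redirect is in place so existing links to it keep resolving. The new parent entry is titled "Configure Microsoft Defender Antivirus scans", but all three children are about scheduling; a title that says so would match them better.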
###### [Get access with application context](exposed-apis-create-app-webapp.md) ###### [Get access with user context](exposed-apis-create-app-nativeapp.md) ###### [Get partner application access](exposed-apis-create-app-partners.md)++ ##### [Microsoft Defender for Endpoint APIs Schema]() ###### [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) ###### [Common REST API error codes](common-errors.md)
####### [Get IP related alerts](get-ip-related-alerts.md) ####### [Get IP statistics](get-ip-statistics.md) + ###### [Machine]() ####### [Machine methods and properties](machine.md) ####### [List machines](get-machines.md)
####### [Get missing KBs](get-missing-kbs-machine.md) ####### [Set device value](set-device-value.md) + ###### [Machine Action]() ####### [Machine Action methods and properties](machineaction.md) ####### [List Machine Actions](get-machineactions-collection.md) ####### [Get Machine Action](get-machineaction-object.md) ####### [Collect investigation package](collect-investigation-package.md) ####### [Get investigation package SAS URI](get-package-sas-uri.md)
+####### [Get live response result](get-live-response-result.md)
####### [Isolate machine](isolate-machine.md) ####### [Release machine from isolation](unisolate-machine.md) ####### [Restrict app execution](restrict-code-execution.md) ####### [Remove app restriction](unrestrict-code-execution.md) ####### [Run antivirus scan](run-av-scan.md)
+####### [Run live response](run-live-response.md)
####### [Offboard machine](offboard-machine-api.md) ####### [Stop and quarantine file](stop-and-quarantine-file.md)
+####### [Cancel machine action](cancel-machine-action.md)
###### [Recommendation]() ####### [Recommendation methods and properties](recommendation.md)
security Cancel Machine Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cancel-machine-action.md
+
+ Title: Cancel machine action API
+description: Learn how to cancel an already launched machine action
+keywords: apis, graph api,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+localization_priority: normal
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+MS.technology: mde
+++
+# Cancel machine action API
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
++
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+++
+## API description
+
+Cancel an already launched machine action that are not yet in final state (completed, cancelled, failed).
+
+## Limitations
+
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per
+ hour.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more,
+including how to choose permissions, see [Get
+started](apis-intro.md).
+
+| Permission type | Permission | Permission display name |
+|-|-|-|
+| <br>Application | <br>Machine.CollectForensic<br> Machine.Isolate <br>Machine.RestrictExecution<br> Machine.Scan<br> Machine.Offboard<br> Machine.StopAndQuarantine<br> Machine.LiveResponse | Collect forensics <br>Isolate machine<br>Restrict code execution<br> Scan machine<br> Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine |
+| <br>Delegated (work or school account) | Machine.CollectForensic<br> Machine.Isolate <br>Machine.RestrictExecution<br> Machine.Scan<br> Machine.Offboard<br> Machine.StopAndQuarantineMachine.LiveResponse | Collect forensics<br> Isolate machine<br> Restrict code execution<br> Scan machine<br>Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine |
++
+## HTTP request
+
+```
+POST https://api.securitycenter.microsoft.com/api/machineactions/<machineactionid>/cancel
+```
++
+## Request headers
+
+| Name | Type | Description |
+||-||
+| Authorization | String | Bearer {token}. Required. |
+| Content-Type | string | application/json. Required. |
+
+## Request body
+
+| Parameter | Type | Description |
+||-|-|
+| Comment | String | Comment to associate with the cancellation action. |
+
+## Response
+
+If successful, this method returns 200, Ok response code with a Machine Action
+entity. If machine action entity with the specified id was not found - 404 Not
+Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```HTTP
+POST
+https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-ab65-54970c5d5018/cancel
+```
++
+```JSON
+{
+ "Comment": "Machine action was canceled by automation"
+}
+```
+
+## Related topic
+
+- [Get machine action API](get-machineaction-object.md)
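Review bot: In the Permissions table, the Delegated row runs two permissions together as `Machine.StopAndQuarantineMachine.LiveResponse`. It needs the same `<br>` separator the Application row has between `Machine.StopAndQuarantine` and `Machine.LiveResponse`, otherwise readers will copy a permission name that matches neither entry. The API description should read "a machine action that is not yet in a final state", and it spells the state "cancelled" while the example comment uses "canceled"; pick one spelling. The Response section promises a Machine Action entity on 200, but the Example stops after the request body, so add a sample response. The Request body table should also state whether `Comment` is required, as the header rows do.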
security Get Live Response Result https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-live-response-result.md
+
+ Title: Get live response results
+description: Learn how to retrieve a specific live response command result by its index.
+keywords: apis, graph api, supported apis, upload to library
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+localization_priority: normal
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+MS.technology: mde
+++
+# Get live response results
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
++
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+++
+## API description
+
+Retrieves a specific live response command result by its index.
+
+## Limitations
+
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per
+ hour.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more,
+including how to choose permissions, see [Get
+started](apis-intro.md).
+
+| Permission type | Permission | Permission display name |
+||-|-|
+| Application | Machine.LiveResponse | Run live response on a specific machine |
+| Delegated (work or school account) | Machine.LiveResponse | Run live response on a specific machine |
+
+## HTTP request
+
+```HTTP
+GET https://api.securitycenter.microsoft.com/api/machineactions/{machine action
+id}/GetLiveResponseResultDownloadLink(index={command-index})
+```
+
+## Request headers
+
+| Name | Type | Description |
+||-|-|
+| Authorization | String | Bearer {token}. Required. |
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200, Ok response code with object that holds
+the link to the command result in the *value* property. This link is valid for
+30 minutes and should be used immediately for downloading the package to a local
+storage. An expired link can be re-created by another call, and there is no
+need to run live response again.
+
+*Runscript transcript properties:*
+
+| Property | Description |
+|||
+| name | Executed script name |
+| exit_code | Executed script exit code |
+| script_output | Executed script standard output |
+| script_error | Executed script standard error output |
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```HTTP
+GET
+https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-ab65-54970c5d5018/GetLiveResponseResultDownloadLink(index=0)
+```
+
+**Response**
+
+Here is an example of the response.
+
+HTTP/1.1 200 Ok
+
+Content-type: application/json
+
+```JSON
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
+ "value": "https://core.windows.net/investigation-actions-data/ID/CustomPlaybookCommandOutput/4ed5e7807ad1fe59b00b664fe06a0f07?se=2021-02-04T16%3A13%3A50Z&sp=r&sv=2019-07-07&sr=b&sig=1dYGe9rPvUlXBPvYSmr6/OLXPY98m8qWqfIQCBbyZTY%3D"
+}
+```
+
+*File content:*
+
+```JSON
+{
+ "script_name": "minidump.ps1",
+ "exit_code": 0,
+ "script_output": "Transcript started, output file is C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{TRANSCRIPT_ID}.txt
+C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip\n51 MB\n\u0000\u0000\u0000",
+ "script_error":""
+}
+```
+
+## Related topics
+
+- [Get machine action API](get-machineaction-object.md)
+- [Cancel machine action](cancel-machine-action.md)
+- [Run live response](run-live-response.md)
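Review bot: The *Runscript transcript properties* table documents a `name` property, but the sample under *File content* returns `script_name`. One of them is wrong, and anyone parsing the transcript will key on whichever the page shows. The same sample is not valid JSON as written, because the `script_output` string is broken across two lines by a raw newline. In the example response, replace the `sig=` value in the download link with a placeholder, and say next to the 30-minute validity that the link gives read access to the result to anyone holding it, so it should not be logged or shared. The request template also splits `{machine action id}` across a line break; keep the URL on one line and use a placeholder without spaces.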
security Live Response Command Examples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-command-examples.md
Depending on the role that's been granted to you, you can run basic or advanced
## analyze
-```
+```console
# Analyze the file malware.txt analyze file c:\Users\user\Desktop\malware.txt ```
-```
+```console
# Analyze the process by PID analyze process 1234 ``` ## connections
-```
+```console
# List active connections in json format using parameter name connections -output json ```
-```
+```console
# List active connections in json format without parameter name connections json ``` ## dir
-```
+```console
# List files and sub-folders in the current folder dir ```
-```
+```console
# List files and sub-folders in a specific folder dir C:\Users\user\Desktop\ ```
-```
+```console
# List files and subfolders in the current folder in json format dir -output json ``` ## fileinfo
-```
+```console
# Display information about a file fileinfo C:\Windows\notepad.exe ``` ## findfile
-```
+```console
# Find file by name findfile test.txt ``` ## getfile
-```
+```console
# Download a file from a machine getfile c:\Users\user\Desktop\work.txt ```
-```
+```console
# Download a file from a machine, automatically run prerequisite commands getfile c:\Users\user\Desktop\work.txt -auto ```
getfile c:\Users\user\Desktop\work.txt -auto
> Use PowerShell as an alternative, if you have problems using this command from within Live Response. ## processes
-```
+```console
# Show all processes processes ```
-```
+```console
# Get process by pid processes 123 ```
-```
+```console
# Get process by pid with argument name processes -pid 123 ```
-```
+```console
# Get process by name processes -name notepad.exe ``` ## putfile
-```
+```console
# Upload file from library putfile get-process-by-name.ps1 ```
-```
+```console
# Upload file from library, overwrite file if it exists putfile get-process-by-name.ps1 -overwrite ```
-```
+```console
# Upload file from library, keep it on the machine after a restart putfile get-process-by-name.ps1 -keep ``` ## registry
-```
+```console
# Show information about the values in a registry key registry HKEY_CURRENT_USER\Console ```
-```
+```console
# Show information about a specific registry value registry HKEY_CURRENT_USER\Console\\ScreenBufferSize ```
registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
## remediate
-```
+```console
# Remediate file in specific path remediate file c:\Users\user\Desktop\malware.exe ```
-```
+```console
# Remediate process with specific PID remediate process 7960 ```
-```
+```console
# See list of all remediated entities remediate list ``` ## run
-```
+```console
# Run PowerShell script from the library without arguments run script.ps1 ```
-```
+```console
# Run PowerShell script from the library with arguments run get-process-by-name.ps1 -parameters "-processName Registry" ```
run get-process-by-name.ps1 -parameters "-processName Registry"
> ## scheduledtask
-```
+```console
# Get all scheduled tasks scheduledtasks ```
-```
+```console
# Get specific scheduled task by location and name scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition ```
-```
+```console
# Get specific scheduled task by location and name with spacing scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation" ```
scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Eva
## undo
-```
+```console
# Restore remediated registry undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize ```
-```
+```console
# Restore remediated scheduledtask undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition ```
-```
+```console
# Restore remediated file undo file c:\Users\user\Desktop\malware.exe ``` +
+## library
+
+```console
+# List files in the library
+library
+```
+
+```console
+# Delete a file from the library
+library delete script.ps1
+```
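Review bot: The new `## library` section is appended after `## undo`, while the existing sections run alphabetically from `analyze` to `undo`. Move it between `getfile` and `processes` so readers scanning the command list find it. Since every fence in the file is being touched anyway, also reconcile the registry examples: the `registry` example writes `HKEY_CURRENT_USER\Console\\ScreenBufferSize` with a doubled backslash, and the `undo registry` example writes the same value with a single one.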
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
You can view mount, unmount, and volume change events originating from USB devic
``` DeviceEvents
- | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"
+ | where ActionType == "UsbDriveMounted" or ActionType == "UsbDriveUnmounted" or ActionType == "UsbDriveDriveLetterChanged"
| where DeviceId == "<device ID>" ```
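Review bot: The three `ActionType ==` comparisons joined with `or` would be easier to keep in step with the schema as one `ActionType in ("UsbDriveMounted", "UsbDriveUnmounted", "UsbDriveDriveLetterChanged")`. A misspelled or outdated value in this filter returns no rows instead of an error, so it is worth adding a line that says which event each value corresponds to (mount, unmount, volume change), matching the sentence that introduces the query.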
security Machineaction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machineaction.md
ms.technology: mde
| [Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). | | [Offboard machine](offboard-machine-api.md) | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender for Endpoint. | | [Stop and quarantine file](stop-and-quarantine-file.md) | [Machine Action](machineaction.md) | Stop execution of a file on a machine and delete it. |
+| [Run live response](run-live-response.md) | [Machine Action](machineaction.md) | Runs a sequence of live response commands on a device |
+| [Get live response result](get-live-response-result.md) | URL entity | Retrieves specific live response command result download link by its index. |
+|[Cancel machine action](cancel-machine-action.md) | [Machine Action](machineaction.md) | Cancel an active machine action. |
<br>
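Review bot: The three added rows do not follow the style of the rows above them. "Runs a sequence of live response commands on a device" and "Retrieves specific live response command result download link by its index." use third person where the existing rows use the imperative ("Offboard", "Stop execution"), the first has no closing period, and `|[Cancel machine action]` lacks the space after the pipe. The return type "URL entity" for Get live response result is not defined here; the API article added in this same update describes the result as an object that holds the link in its *value* property, so use that wording or link to it.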
ms.technology: mde
| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1", "Sha256" and "Md5". | + ## Json representation ```json
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
If you experience any installation failures, refer to [Troubleshooting installat
- /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install). -- Memory: 1 GB
+- Cores: 2 minimum, 4 preferred
+
+- Memory: 1 GB minimum, 4 preferred
> [!NOTE] > Please make sure that you have free disk space in /var.
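Review bot: "Memory: 1 GB minimum, 4 preferred" leaves the preferred figure without a unit. Write "4 GB preferred" so it cannot be read the same way as the "Cores: 2 minimum, 4 preferred" line directly above it.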
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Defender for Endpoint uses the following combination of technology built into Wi
>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vnC4?rel=0] > [!TIP]
-> - Learn about the latest enhancements in Defender for Endpoint: [What's new in Microsoft Defender for Endpoint](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+> - Learn about the latest enhancements in Defender for Endpoint: [What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-atp.md).
> - Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). <a name="tvm"></a>
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-threat-experts.md
This managed threat hunting service provides expert-driven insights and data thr
> [!NOTE] > Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
-If you're a Microsoft Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly
+If you're a Microsoft Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly.
-To enroll to Microsoft Threat Experts - Targeted Attack Notifications benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts - Targeted Attack Notifications** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications.
+To enroll to Microsoft Threat Experts - Targeted Attack Notifications benefits, go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Microsoft Threat Experts - Targeted Attack Notifications** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications.
Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries that your organization is facing.
security Run Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-live-response.md
+
+ Title: Run live response commands on a device
+description: Learn how to run a sequence of live response commands on a device.
+keywords: apis, graph api, supported apis, upload to library
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+localization_priority: normal
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+MS.technology: mde
+++
+# Run live response commands on a device
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+++
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+++
+## API description
+
+Runs a sequence of live response commands on a device
+
+## Limitations
+
+1. Rate limitations for this API are 10 calls per minute (additional requests
+ are responded with HTTP 429).
+
+2. 25 concurrently running sessions (requests exceeding the throttling limit will receive a "429 - Too many requests" response).
+
+3. If the machine is not available, the session will be queued for up to 3 days.
+
+4. RunScript command timeouts after 10 minutes.
+
+5. When a live response command fails all followed actions will not be
+ executed.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more,
+including how to choose permissions, see [Get started](apis-intro.md).
+
+| Permission type | Permission | Permission display name |
+||-|-|
+| Application | Machine.LiveResponse | Run live response on a specific machine |
+| Delegated (work or school account) | Machine.LiveResponse | Run live response on a specific machine |
+
+## HTTP request
+
+```HTTP
+POST
+https://api.securitycenter.microsoft.com/API/machines/{machine_id}/runliveresponse
+```
+
+## Request headers
+
+| Name | Type | Description |
+||-||
+| Authorization | String | Bearer\<token>\. Required. |
+| Content-Type | string | application/json. Required. |
+
+## Request body
+
+| Parameter | Type | Description |
+||-||
+| Comment | String | Comment to associate with the action. |
+| Commands | Array | Commands to run. Allowed values are PutFile, RunScript, GetFile. |
+
+Commands:
+
+| Command Type | Parameters | Description |
+||--|--|
+| PutFile | Key: FileName <br><br> Value: \<file name\> | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.
+| RunScript | Key: ScriptName<br>Value: \<Script from library\> <br><br> Key: Args <br> Value: \<Script arguments\> | Runs a script from the library on a device. <br><br> The Args parameter is passed to your script. <br><br> Timeouts after 10 minutes.
+| GetFile | Key: Path <br> Value: \<File path\> | Collect file from a device. NOTE: Backslashes in path must be escaped. |
+
+## Response
+
+- If successful, this method returns 200, Ok.
+ Action entity. If machine with the specified ID was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```HTTP
+
+POST
+https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runliveresponse
+
+```
+**JSON**
+
+```JSON
+{
+ "Commands":[
+ {
+ "type":"RunScript",
+ "params":[
+ {
+ "key":"ScriptName",
+ "value":"minidump.ps1"
+ },
+ {
+ "key":"Args",
+ "value":"OfficeClickToRun"
+ }
+
+ ]
+ },
+ {
+ "type":"GetFile",
+ "params":[
+ {
+ "key":"Path",
+ "value":"C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
+ }
+ ]
+ }
+ ],
+ "Comment":"Testing Live Response API"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```HTTP
+HTTP/1.1 200 Ok
+```
+
+Content-type: application/json
+
+```JSON
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
+ "id": "{machine_action_id}",
+ "type": "LiveResponse",
+ "requestor": "analyst@microsoft.com",
+ "requestorComment": "Testing Live Response API",
+ "status": "Pending",
+ "machineId": "{machine_id}",
+ "computerDnsName": "hostname",
+ "creationDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
+ "lastUpdateDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
+ "errorHResult": 0,
+ "commands": [
+ {
+ "index": 0,
+ "startTime": null,
+ "endTime": null,
+ "commandStatus": "Created",
+ "errors": [],
+ "command": {
+ "type": "RunScript",
+ "params": [
+ {
+ "key": "ScriptName",
+ "value": "minidump.ps1"
+ },{
+ "key": "Args",
+ "value": "OfficeClickToRun"
+ }
+ ]
+ }
+ }, {
+ "index": 1,
+ "startTime": null,
+ "endTime": null,
+ "commandStatus": "Created",
+ "errors": [],
+ "command": {
+ "type": "GetFile",
+ "params": [{
+ "key": "Path", "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
+ }
+ ]
+ }
+ }
+ ]
+}
++
+```
+
+## Related topics
+- [Get machine action API](get-machineaction-object.md)
+- [Get live response result](get-live-response-result.md)
+- [Cancel machine action](cancel-machine-action.md)
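Review bot: The Response section is broken: "If successful, this method returns 200, Ok." is followed by the orphaned fragment "Action entity.", so the sentence that says what is returned has lost its middle. Restore it so it matches the example response, which returns a machine action with `"type": "LiveResponse"`. In the Commands table the PutFile and RunScript rows have no closing `|`, unlike the GetFile row. The request template uses `/API/machines/` while the example uses `/api/machines/`, and the Authorization header is written `Bearer\<token>\.` here but `Bearer {token}` in the other two new API articles. Limitations 1 and 2 both describe the 429 response in different words and could share one wording, and "RunScript command timeouts after 10 minutes" should read "times out".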
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
localization_priority: Normal
Previously updated : 06/04/2021 Last updated : 06/10/2021 ms.technology: mde
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
+You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. When you run a scan, you can choose from among three types: Quick scan, full scan, and custom scan. In most cases, use a quick scan. A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-## Quick scan versus full scan
-
-Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. In most cases, a quick scan is sufficient and is the recommended option for scheduled or on-demand scans. [Learn more about scan types](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan).
> [!IMPORTANT] > Microsoft Defender Antivirus runs in the context of the [LocalSystem](/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
-Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Always-on, real-time protection reviews files when they're opened and closed, and whenever a user navigates to a folder. By default, quick scans run on mounted removable devices, such as USB drives. In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection.
-
-A full scan can be useful when a malware threat is reported on an endpoint. The scan can identify whether there are any inactive components that require a more thorough clean-up. However, Microsoft generally recommends using quick scans instead of full scans. A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.
-
-> [!TIP]
-> To learn more about the differences between quick and full scans, see [Quick scan versus full scan and custom scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md#quick-scan-versus-full-scan-and-custom-scan).
- ## Use Microsoft Endpoint Manager to run a scan 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.+ 2. Choose **Endpoint security** > **Antivirus**.+ 3. In the list of tabs, select **Windows 10 unhealthy endpoints**.
-4. From the list of actions provided, select **Quick Scan** or **Full Scan**.
+
+4. From the list of actions provided, select **Quick Scan** (recommended) or **Full Scan**.
[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ](images/mem-antivirus-scan-on-demand.png#lightbox)
For more information about how to use the tool and additional parameters, includ
## Use Microsoft Intune to run a scan 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
-2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan.
-3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**.
+
+2. From the sidebar, select **Devices** > **All Devices** and choose the device you want to scan.
+
+3. Select **...More**. From the options, select **Quick Scan** (recommended) or **Full Scan**.
## Use the Windows Security app to run a scan
Use the [**Start** method](/previous-versions/windows/desktop/defender/start-msf
For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
-## Related articles
--- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)-- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
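Review bot: The rewritten introduction says the same thing twice: "In most cases, use a quick scan" in the first added paragraph and "In most cases, a quick scan is sufficient" in the second; keep one. The rewrite also removes the statements that quick scans run on mounted removable devices by default, that a full scan is useful when a threat has been reported on an endpoint, and that a full scan can take hours or days. Confirm these now appear in schedule-antivirus-scans.md, since this page only links there. "Quick scan, full scan, and custom scan" should use one capitalisation, and dropping the whole "Related articles" list leaves the page with no pointer to the scanning options article it used to reference.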
security Schedule Antivirus Scans Group Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-group-policy.md
+
+ Title: Schedule antivirus scans using Group Policy
+description: Use Group Policy to set up antivirus scans
+keywords: quick scan, full scan, schedule, group policy, antivirus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localization_priority: Normal
+++ Last updated : 06/09/2021++
+ms.technology: mde
+++
+# Schedule antivirus scans using Group Policy
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+This article describes how to configure scheduled scans using Group Policy. To learn more about scheduling scans and about scan types, see [Configure scheduled quick or full Microsoft Defender Antivirus scans](schedule-antivirus-scans.md).
+
+## Configure antivirus scans using Group Policy
+
+1. On your Group Policy management machine, in the Group Policy Editor, go to **Computer configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Scan**.
+
+2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
+
+3. Specify settings for the Group Policy Object, and then select **OK**.
+
+4. Repeat steps 1-4 for each setting you want to configure.
+
+5. Deploy your Group Policy Object as you normally do. If you need help with Group Policy Objects, see [Create a Group Policy Object](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object).
+
+> [!TIP]
+> See the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
+
+## Group Policy settings for scheduling scans
+
+| Location | Setting | Description | Default setting (if not configured) |
+|:|:|:|:|
+| Scan | Specify the scan type to use for a scheduled scan | Quick scan |
+| Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
+| Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
+| Root | Randomize scheduled task times |In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 4 hours. <p>In [SCEP](/mem/intune/protect/certificates-scep-configure), randomize scans to any interval plus or minus 30 minutes. This can be useful in virtual machines or VDI deployments. | Enabled |
+
+## Group Policy settings for scheduling scans for when an endpoint is not in use
+
+| Location | Setting | Description | Default setting (if not configured) |
+|:|:|:|:|
+| Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled |
+
+> [!NOTE]
+> When you schedule scans for times when endpoints are not in use, scans do not honor the CPU throttling configuration and will take full advantage of the resources available to complete the scan as fast as possible.
+
+## Group Policy settings for scheduling remediation-required scans
+
+| Location | Setting | Description | Default setting (if not configured) |
+|||||
+| Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never |
+| Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
+
+## Group Policy settings for scheduling daily scans
+
+| Location | Setting | Description | Default setting (if not configured) |
+|:|:|:|:|
+| Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
+| Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
+
+## Group Policy settings for scheduling scans after protection updates
+
+| Location | Setting | Description | Default setting (if not configured)|
+|:|:|:|:|
+| Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled |
+
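Review bot: Step 4 of the procedure reads "Repeat steps 1-4 for each setting you want to configure", which includes itself; it should say "Repeat steps 1-3". Steps 1 and 2 are also in the wrong order, since step 1 navigates inside the Group Policy Editor before step 2 opens the Group Policy Object for editing. In the first settings table, the "Specify the scan type to use for a scheduled scan" row has three cells against four columns, so "Quick scan" lands under Description and the default column is empty; add the missing description cell.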
security Schedule Antivirus Scans Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-powershell.md
+
+ Title: Schedule antivirus scans using PowerShell
+description: Schedule antivirus scans using PowerShell
+keywords: quick scan, full scan, antivirus, schedule, PowerShell
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localization_priority: Normal
+++ Last updated : 06/09/2021++
+ms.technology: mde
+++
+# Schedule antivirus scans using PowerShell
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+This article describes how to configure scheduled scans using PowerShell cmdlets. To learn more about scheduling scans and about scan types, see [Configure scheduled quick or full Microsoft Defender Antivirus scans](schedule-antivirus-scans.md).
+
+## Use PowerShell cmdlets to schedule scans
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanParameters
+Set-MpPreference -ScanScheduleDay
+Set-MpPreference -ScanScheduleTime
+Set-MpPreference -RandomizeScheduleTaskTimes
+
+```
+
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+## PowerShell cmdlets for scheduling scans when an endpoint is not in use
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanOnlyIfIdleEnabled
+```
+
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
+
+> [!NOTE]
+> When you schedule scans for times when endpoints are not in use, scans do not honor the CPU throttling configuration and will take full advantage of the resources available to complete the scan as fast as possible.
+
+## PowerShell cmdlets for scheduling scans to complete remediation
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -RemediationScheduleDay
+Set-MpPreference -RemediationScheduleTime
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+## PowerShell cmdlets for scheduling daily scans
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanScheduleQuickScanTime
+```
+
+For more information about how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
++
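Review bot: Every code block under "Use the following cmdlets" lists the single cmdlet Set-MpPreference with a bare parameter name and no value, so no line can be run as written and the reader is not told what each parameter accepts. Either show a value for each parameter or say that these are parameters of Set-MpPreference and point to where the allowed values are documented. The sentence after the first block says "For more information" twice. The daily-scans section lists only -ScanScheduleQuickScanTime, while the Group Policy page in this change has two daily-scan settings (interval and time); state whether the interval has a PowerShell equivalent.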
security Schedule Antivirus Scans Wmi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-wmi.md
+
+ Title: Schedule antivirus scans using Windows Management Instrumentation
+description: Schedule antivirus scans using WMI
+keywords: quick scan, full scan, WMI, schedule, antivirus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localization_priority: Normal
+++ Last updated : 06/09/2021++
+ms.technology: mde
+++
+# Schedule antivirus scans using Windows Management Instrumentation (WMI)
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+This article describes how to configure scheduled scans using WMI. To learn more about scheduling scans and about scan types, see [Configure scheduled quick or full Microsoft Defender Antivirus scans](schedule-antivirus-scans.md).
+
+## Use Windows Management Instruction (WMI) to schedule scans
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+ScanParameters
+ScanScheduleDay
+ScanScheduleTime
+RandomizeScheduleTaskTimes
+```
+
+For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+
+## WMI for scheduling scans when an endpoint is not in use
+
+Use the [Set method of the MSFT_MpPreference class](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) for the following properties:
+
+```WMI
+ScanOnlyIfIdleEnabled
+```
+
+For more information about APIs and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+
+> [!NOTE]
+> When you schedule scans for times when endpoints are not in use, scans do not honor the CPU throttling configuration and will take full advantage of the resources available to complete the scan as fast as possible.
++
+## WMI for scheduling scans to complete remediation
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+RemediationScheduleDay
+RemediationScheduleTime
+```
+
+For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+
+## WMI for scheduling daily scans
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+ScanScheduleQuickScanTime
+```
+
+For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+
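Review bot: The first section heading says "Windows Management Instruction (WMI)", while the title and H1 of the same page say "Windows Management Instrumentation"; the heading should match. The sentence after the first property list is missing its closing period. The link in the idle section is written "[Set method of the MSFT_MpPreference class]" without bold, while the other three sections bold **Set** and **MSFT_MpPreference** and leave "class" outside the link; pick one form.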
security Schedule Antivirus Scans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans.md
+
+ Title: Schedule regular quick and full scans with Microsoft Defender Antivirus
+description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localization_priority: Normal
+++ Last updated : 06/09/2021++
+ms.technology: mde
+++
+# Configure scheduled quick or full Microsoft Defender Antivirus scans
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+In addition to always-on, real-time protection and [on-demand antivirus](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled antivirus scans. You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or when an endpoint is not being used. You can also set up special scans to complete remediation actions if needed.
+
+## What do you want to do?
+
+- [Learn about quick scans, full scans, and custom scans](#quick-scan-full-scan-and-custom-scan)
+- [Use Group Policy to schedule antivirus scans](schedule-antivirus-scans-group-policy.md)
+- [Use Windows PowerShell to Schedule antivirus scans](schedule-antivirus-scans-powershell.md)
+- [Use Windows Management Instrumentation to schedule antivirus scans](schedule-antivirus-scans-wmi.md)
+
+## Keep the following points in mind
+
+- By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
+
+- If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
+
+## Quick scan, full scan, and custom scan
+
+When you set up scheduled scans, you can specify whether the scan should be a full or quick scan. In most cases, a quick scan is recommended.
+
+| Quick scan | Full scan | Custom scan |
+||||
+| (Recommended) A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <p>Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. <p>In most cases, a quick scan is sufficient and is the recommended option for scheduled scans. | A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so). <p>A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.<p>When the full scan is complete, new security intelligence is available, and a new scan is then required to make sure that no other threats are detected with the new security intelligence. <p>Because of the time and resources involved in a full scan, in general, Microsoft does not recommend scheduling full scans. | A custom scan is a quick scan that runs on the files and folders you specify. For example, you can opt to scan a USB drive, or a specific folder on your device's local drive. <p> |
+
+> [!NOTE]
+> By default, quick scans run on mounted removable devices, such as USB drives.
+
+## How do I know which scan type to choose?
+
+Use the following table to choose a scan type.
+
+| Scenario | Recommended scan type |
+|||
+| You want to set up regular, scheduled scans | Quick scan <p>A quick scan checks the processes, memory, profiles, and certain locations on the device. Combined with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they are opened and closed, and whenever a user navigates to a folder. |
+| Threats, such as malware, are detected on an individual device | Quick scan <p>In most cases, a quick scan will catch and clean up detected malware. |
+| You want to run an [on-demand scan](run-scan-microsoft-defender-antivirus.md) | Quick scan |
+| You want to make sure a portable device, such as a USB drive, does not contain malware | Custom scan <p>A custom scan enables you to select specific locations, folders, or files, and runs a quick scan. |
+
+## What else do I need to know about quick and full scans?
+
+- Malicious files can be stored in locations that are not included in a quick scan. However, always-on real-time protection reviews all files that are opened and closed, and any files that are in folders that are accessed by a user. The combination of real-time protection and a quick scan helps provide strong protection against malware.
+
+- On-access protection with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) helps ensure that all the files accessed on the system are being scanned with the latest security intelligence and cloud machine learning models.
+
+- When real-time protection detects malware and the extent of the affected files is not determined initially, Microsoft Defender Antivirus initiates a full scan as part of the remediation process.
+
+- A full scan can detect malicious files that were not detected by other scans, such as a quick scan. However, a full scan can take a while and use valuable system resources to complete.
+
+- If a device is offline for an extended period of time, a full scan can take longer to complete.
+
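Review bot: In the Full scan cell of the scan-type table, "When the full scan is complete, new security intelligence is available, and a new scan is then required" reads as if finishing the scan is what produces the new intelligence. If the point is that a scan lasting hours or days can end after newer intelligence has been released, say that directly. The same table describes a quick scan as checking startup locations such as registry keys and startup folders, while the scenario table says it checks "the processes, memory, profiles, and certain locations on the device"; use one definition in both places. The Custom scan cell ends with an empty `<p>`, and "Schedule" is capitalized mid-phrase in "Use Windows PowerShell to Schedule antivirus scans".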
security Scheduled Catch Up Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus.md
- Title: Schedule regular quick and full scans with Microsoft Defender Antivirus
-description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
-localization_priority: Normal
--- Previously updated : 06/04/2021-----
-# Configure scheduled quick or full Microsoft Defender Antivirus scans
-
-**Applies to:**
--- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)--
-> [!NOTE]
-> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
-
-In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
-
-You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-
-This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10).
-
-## To configure the Group Policy settings described in this article
-
-1. On your Group Policy management machine, in the Group Policy Editor, go to **Computer configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Scan**.
-
-2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
-
-3. Specify settings for the Group Policy Object, and then select **OK**.
-
-4. Repeat steps 1-4 for each setting you want to configure.
-
-5. Deploy your Group Policy Object as you normally do. If you need help with Group Policy Objects, see [Create a Group Policy Object](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object).
-
-Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
-
-## Quick scan versus full scan and custom scan
-
-When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
--
-|Quick scan |Full scan | Custom scan |
-||||
-|A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <p>In most cases, a quick scan is sufficient and is recommended for scheduled scans. |A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so). <p>A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.<p>When the full scan is complete, new security intelligence is available, and a new scan is required to make sure that no other threats are detected with the new security intelligence. | A custom scan is a quick scan that runs on the files and folders you specify. For example, you can opt to scan a USB drive, or a specific folder on your device's local drive. <p> |
-
->[!NOTE]
->By default, quick scans run on mounted removable devices, such as USB drives.
-
-### How do I know which scan type to choose?
-
-Use the following table to choose a scan type.
--
-|Scenario |Recommended scan type |
-|||
-|You want to set up regular, scheduled scans | Quick scan <p>A quick scan checks the processes, memory, profiles, and certain locations on the device. Combined with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they are opened and closed, and whenever a user navigates to a folder. |
-|Threats, such as malware, are detected on an individual device | Quick scan <p>In most cases, a quick scan will catch and clean up detected malware. |
-|You want to run an [on-demand scan](run-scan-microsoft-defender-antivirus.md) | Quick scan |
-| You want to make sure a portable device, such as a USB drive, does not contain malware | Custom scan <p>A custom scan enables you to select specific locations, folders, or files and runs a quick scan. |
-
-### What else do I need to know about quick and full scans?
--- Malicious files can be stored in locations that are not included in a quick scan. However, always-on real-time protection reviews all files that are opened and closed, and any files that are in folders that are accessed by a user. The combination of real-time protection and a quick scan helps provide strong protection against malware.--- On-access protection with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) helps ensure that all the files accessed on the system are being scanned with the latest security intelligence and cloud machine learning models.--- When real-time protection detects malware and the extent of the affected files is not determined initially, Microsoft Defender Antivirus initiates a full scan as part of the remediation process.--- A full scan can detect malicious files that were not detected by other scans, such as a quick scan. However, a full scan can take a while and use valuable system resources to complete.--- If a device is offline for an extended period of time, a full scan can take longer to complete. -
-## Set up scheduled scans
-
-Scheduled scans run on the day and time that you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
-
-> [!NOTE]
-> If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
-
-### Use Group Policy to schedule scans
-
-|Location | Setting | Description | Default setting (if not configured) |
-|:|:|:|:|
-|Scan | Specify the scan type to use for a scheduled scan | Quick scan |
-|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
-|Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
-|Root | Randomize scheduled task times |In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 4 hours. <p>In [SCEP](/mem/intune/protect/certificates-scep-configure), randomize scans to any interval plus or minus 30 minutes. This can be useful in virtual machines or VDI deployments. | Enabled |
--
-### Use PowerShell cmdlets to schedule scans
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -ScanParameters
-Set-MpPreference -ScanScheduleDay
-Set-MpPreference -ScanScheduleTime
-Set-MpPreference -RandomizeScheduleTaskTimes
-
-```
-
-For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-### Use Windows Management Instruction (WMI) to schedule scans
-
-Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
-
-```WMI
-ScanParameters
-ScanScheduleDay
-ScanScheduleTime
-RandomizeScheduleTaskTimes
-```
-
-For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
--
-## Start scheduled scans only when the endpoint is not in use
-
-You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
-
-> [!NOTE]
-> These scans will not honor the CPU throttling configuration and take full advantage of the resources available to complete the scan as fast as possible.
-
-### Use Group Policy to schedule scans
-
-|Location | Setting | Description | Default setting (if not configured) |
-|:|:|:|:|
-|Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled |
-
-### Use PowerShell cmdlets
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -ScanOnlyIfIdleEnabled
-```
-
-For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
-
-### Use Windows Management Instruction (WMI)
-
-Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
-
-```WMI
-ScanOnlyIfIdleEnabled
-```
-
-For more information about APIs and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
-
-<a id="remed"></a>
-## Configure when full scans should be run to complete remediation
-
-Some threats might require a full scan to complete their removal and remediation. You can specify when these scans should occur with Group Policy, PowerShell, or WMI.
-
-### Use Group Policy to schedule remediation-required scans
-
-| Location | Setting | Description | Default setting (if not configured) |
-|||||
-|Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never |
-|Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
-
-### Use PowerShell cmdlets
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -RemediationScheduleDay
-Set-MpPreference -RemediationScheduleTime
-```
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-### Use Windows Management Instruction (WMI)
-
-Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
-
-```WMI
-RemediationScheduleDay
-RemediationScheduleTime
-```
-
-For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
--
-## Set up daily quick scans
-
-You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
-
-### Use Group Policy to schedule daily scans
-
-|Location | Setting | Description | Default setting (if not configured) |
-|:|:|:|:|
-|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
-|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
-
-### Use PowerShell cmdlets to schedule daily scans
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -ScanScheduleQuickScanTime
-```
-
-For more information about how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
-
-### Use Windows Management Instruction (WMI) to schedule daily scans
-
-Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
-
-```WMI
-ScanScheduleQuickScanTime
-```
-
-For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
--
-## Enable scans after protection updates
-
-You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy.
-
-### Use Group Policy to schedule scans after protection updates
-
-|Location | Setting | Description | Default setting (if not configured)|
-|:|:|:|:|
-|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled |
-
-## See also
--- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)-- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)-- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)-- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)-- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) -- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
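Review bot: The removed intro sentence that pointed to Microsoft Endpoint Configuration Manager and Microsoft Intune as other ways to configure scheduled scans has no counterpart in the added pages shown in this change, and neither do the "See also" list or the one-line explanations that opened each section (for example "Some threats might require a full scan to complete their removal and remediation"). Carry these over to the new overview page or the per-tool pages so the split does not drop them. The removed front matter and headings belong to the scheduled-scans article, while the file named for this hunk is scheduled-catch-up-scans-microsoft-defender-antivirus.md; confirm the intended file is the one being changed.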
security Threat Protection Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-integration.md
Suspicious activities are processes running under a user context. The integratio
The Skype for Business integration provides a way for analysts to communicate with a potentially compromised user or device owner through a simple button from the portal. ## Microsoft 365 Defender
-With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
+With Microsoft 365 Defender, Microsoft Defender for Endpoint, and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
-[Learn more about Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-threat-protection)
+[Learn more about Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
## Related topics
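Review bot: The comma added after "Microsoft Defender for Endpoint" in the first changed sentence breaks it. Before the change, "With Microsoft 365 Defender," was an introductory phrase and "Microsoft Defender for Endpoint and various Microsoft security solutions" was the subject of "form"; with the new comma the three names read as one list and the sentence has no subject. Drop that comma and keep the serial comma added before "and automatically respond".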
security Api Get Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-get-incident.md
+
+ Title: Get incident API
+description: Learn how to use the Get incidents API to get a single incident in Microsoft 365 Defender.
+keywords: apis, graph api, supported apis, get, file, hash
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+MS.technology: mde
+++
+# Get incident information API
++
+**Applies to:**
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
++++
+## API description
+Retrieves a specific incident by its ID
++
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
++
+## Permissions
+One of the following permissions is required to call this API.
+
+Permission type | Permission | Permission display name
+:|:|:
+Application | Incident.Read.All | 'Read all Incidents'
+Application | Incident.ReadWrite.All | 'Read and write all Incidents'
+Delegated (work or school account) | Incident.Read | 'Read Incidents'
+Delegated (work or school account) | Incident.ReadWrite | 'Read and write Incidents'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data'
+>- The response will only include incidents that the user is exposed to
+
+## HTTP request
+
+```console
+GET .../api/incidents/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:|:|:
+Authorization | String | Bearer {token}. **Required**.
++
+## Request body
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, and the incident entity in the response body.
+If incident with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```http
+GET https://api.security.microsoft.com/api/incidents/{id}
+```
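Review bot: The Permissions table lists Incident.ReadWrite.All and Incident.ReadWrite for a call that is a read-only GET with an empty request body. Since the text says one of the listed permissions is enough, state explicitly that Incident.Read.All (application) or Incident.Read (delegated) is sufficient, so integrators do not request write scope for a read path. In the same new file, the front matter keywords ("get, file, hash") do not mention incidents and look carried over from another API page. The HTTP request block uses `GET .../api/incidents/{id}` while the example gives the full `https://api.security.microsoft.com` host. The Example section shows a request but no sample response, although the Response section promises an incident entity in the body.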
security Api Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-incident.md
Method | Return Type | Description
-|-|- [List incidents](api-list-incidents.md) | [Incident](api-incident.md) list | Get a list of incidents. [Update incident](api-update-incidents.md) | [Incident](api-incident.md) | Update a specific incident.
+[Get incident](api-get-incident.md) | [Incident](api-incident.md) | Get a single incident.
## Request body, response, and examples
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
This table is a quick reference of Email & Collaboration areas where change has
|Area|Description of change| ||| |[Email entity page](../office-365-security/mdo-email-entity-page.md)|This page **unifies** email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is *centralized*. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling.|
-|[Investigation](../office-365-security/office-365-air.md#changes-are-coming-soon-in-your-security-center)|Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.|
+|[Investigation](../office-365-security/office-365-air.md#changes-are-coming-soon-in-your-microsoft-365-defender-portal)|Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.|
|[Alert view](../../compliance/alert-policies.md)|The **View alerts** flyout pane in the Office Security and Compliance center now includes links to Microsoft 365 Defender. Click on the **Open Alert Page** link and Microsoft 365 Defender opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue.| |[Attack Simulation training](../office-365-security/attack-simulation-training-insights.md)|Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage.| |
security Admin Review Reported Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can now send templated messages back to end users after they review reported messages. This can be customized for your organization and based on your adminΓÇÖs verdict as well.
+In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can now send templated messages back to end users after they review reported messages. This can be customized for your organization and based on your admin's verdict as well.
This feature is designed to give feedback to your users but does not change the verdicts of messages in the system. To help Microsoft update and improve its filters, you will need to submit messages for analysis using [Admin submission](admin-submission.md).
You will only be able to mark and notify users of review results if the message
## What do you need to know before you begin?
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
+ - To modify the configuration for User submissions, you need to be a member of one of the following role groups:
- - Organization Management or Security Administrator in the [Microsoft 365 security center](permissions-microsoft-365-security-center.md).
- - Organization Management in [Exchange Online](/Exchange/permissions-exo/permissions-exo).
+ - Organization Management or Security Administrator in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
+ - Organization Management in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups).
-- You'll also need access to the Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that says *Specify an email address in your domain*. For more information about enabling or disabling access to Exchange Online PowerShell, see the following topics:
+- You'll also need access to Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that says *Specify an email address in your domain*. For more information about enabling or disabling access to Exchange Online PowerShell, see the following topics:
- [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell) - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) ## Configure the messages used to notify users
-1. In the [Microsoft 365 security center](../defender/overview-security-center.md), go to **Policies & rules** \> **Threat policies** \> **User reported message settings**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Others** section \> **User reported message settings**.
-2. If you want to specify the sender display name, check the box for **Specify Office 365 email address to use as sender** under the **Email notifications for admin review results** section, and enter in the name you wish to use. This is the email address that will be visible in Outlook and where replies will go to.
+2. On the **User submissions** page, if you want to specify the sender display name, check the box for **Specify Office 365 email address to use as sender** under the **Email notifications for admin review results** section, and enter in the name you wish to use. This is the email address that will be visible in Outlook and where replies will go to.
3. If you want to customize any of the templates, click **Customize email notification**. In this flyout, you will be able to customize only the following: - Phishing
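Review bot: The new "before you begin" bullet sends readers directly to the **Submissions** page (`https://security.microsoft.com/reportsubmission`), but the procedure in this article starts at **User reported message settings** and works on the **User submissions** page. Link the page the steps actually use, or drop the direct link. Step 2 is also being touched and still says "specify the sender display name" while the checkbox is "Specify Office 365 email address to use as sender" and the closing sentence calls the value an email address; say which of the two the field takes.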
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
- m365initiative-defender-office365 - seo-marvel-apr2020
-description: Admins can learn how to use the Submissions portal in the Security & Compliance Center to submit suspicious emails, suspected phishing mails, spam, and other potentially harmful messages, URLs, and files to Microsoft for scanning.
+description: Admins can learn how to use the Submissions portal in the Microsoft 365 Defender portal to submit suspicious emails, suspected phishing mails, spam, and other potentially harmful messages, URLs, and email attachments to Microsoft for rescanning.
ms.technology: mdo ms.prod: m365-security
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
-In Microsoft 365 organizations with mailboxes in Exchange Online, admins can use the Submissions portal in the Security & Compliance Center to submit email messages, URLs, and attachments to Microsoft for scanning.
+In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the Submissions portal in the Microsoft 365 Defender portal to submit email messages, URLs, and attachments to Microsoft for scanning.
When you submit an email message, you will get:
-1. **Email authentication check**: Details on whether email authentication passed or failed when it was delivered.
-2. **Policy hits**: Information about any policies that may have allowed or blocked the incoming email into your tenant, overriding our service filter verdicts.
-3. **Payload reputation/detonation**: Examination of any URLs and attachments in the message.
-4. **Grader analysis**: Review done by human graders in order to confirm whether or not messages are malicious.
+- **Email authentication check**: Details on whether email authentication passed or failed when it was delivered.
+- **Policy hits**: Information about any policies that may have allowed or blocked the incoming email into your tenant, overriding our service filter verdicts.
+- **Payload reputation/detonation**: Examination of any URLs and attachments in the message.
+- **Grader analysis**: Review done by human graders in order to confirm whether or not messages are malicious.
> [!IMPORTANT] > Payload reputation/detonation and grader analysis are not done in all tenants. Information is blocked from going outside the organization when data is not supposed to leave the tenant boundary for compliance purposes.
For other ways to submit email messages, URLs, and attachments to Microsoft, see
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Submission** page, use <https://protection.office.com/reportsubmission>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
- To submit messages and files to Microsoft, you need to be a member of one of the following role groups:-
- - **Organization Management** or **Security Reader** in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
-
+ - **Organization Management** or **Security Reader** in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
- **Organization Management** in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups).
- Note that membership in this role group is required to [View user submissions to the custom mailbox](#view-user-submissions-to-the-custom-mailbox) as described later in this article.
+ Note that membership in this role group is required to [View user submissions to the custom mailbox](#view-user-submissions-to-microsoft) as described later in this article.
- For more information about how users can submit messages and files to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md). ## Report suspicious content to Microsoft
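Review bot: In the Exchange Online role group bullet, the link label still reads "View user submissions to the custom mailbox" while its target was changed to `#view-user-submissions-to-microsoft`, and this change removes the "View user submissions to the custom mailbox" section further down. Update the label to match the section it now points to, and confirm that Organization Management membership is the requirement for that section rather than only for the removed one.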
-1. In the Security & Compliance Center, go to **Threat management** \> **Submissions**, verify that you're on the **Admin submissions** tab, and then click **New submission**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Submissions**.
-2. Use **New submission** flyout that appears to submit the message, URL, or attachment as described in the following sections.
+2. On the **Submissions** page, verify that the **Submitted for analysis** tab is selected, and then click ![Ad icon](../../media/m365-cc-sc-create-icon.png) **Submit to Microsoft for analysis**.
-### Submit a questionable email to Microsoft
+3. Use the **Submit to Microsoft for review** flyout that appears to submit the message, URL, or email attachment as described in the following sections.
-1. In the **Object type** section, select **Email**. In the **Submission format** section, use one of the following options:
+### Submit a questionable email to Microsoft
- - **Network Message ID**: This is a GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header in the message, or in the **X-MS-Office365-Filtering-Correlation-Id** header in quarantined messages.
+1. In the **Select the submission type** box, verify that **Email** is selected in the drop down list.
- - **File**: Click **Choose file**. In the dialog that opens, find and select the .eml or .msg file, and then click **Open**.
+2. In the **Add the network message ID or upload the email file** section, use one of the following options:
+ - **Add the email network message ID**: This is a GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header in the message or in the **X-MS-Office365-Filtering-Correlation-Id** header in quarantined messages.
+ - **Upload the email file (.msg or .eml)**: Click **Browse files**. In the dialog that opens, find and select the .eml or .msg file, and then click **Open**.
> [!NOTE] > The ability to submit messages as old as 30 days has been temporarily suspended for Defender for Office 365 customers. Admins will only be able to go back 7 days.
-2. In the **Recipients** section, specify one or more recipients that you would like to run a policy check against. The policy check will determine if the email bypassed scanning due to user or organization policies.
+3. In the **Choose a recipient who had an issue** box, specify the recipient that you would like to run a policy check against. The policy check will determine if the email bypassed scanning due to user or organization policies.
-3. In the **Reason for submission** section, select one of the following options:
+4. In the **Select a reason for submitting to Microsoft** section, select one of the following options:
+ - **Should not have been blocked (false positive)**
+ - **Should have been blocked**: In the **The email should have been categorized as** section that appears, select one of the following values (if you're not sure, use your best judgement):
+ - **Phish**
+ - **Spam**
+ - **Malware**
- - **Should not have been blocked**
-
- - **Should have been blocked**: Select **Spam**, **Phishing**, or **Malware**. If you're not sure, use your best judgment.
-
-4. When you're finished, click the **Submit** button.
+5. When you're finished, click the **Submit** button.
![New URL submission example](../../media/submission-flyout-email.PNG) ### Send a suspect URL to Microsoft
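Review bot: Steps 2 and 3 of "Report suspicious content to Microsoft" name what appears to be the same control two ways: the button is "Submit to Microsoft for analysis" and the flyout it opens is "Submit to Microsoft for review". Check both strings against the portal and align them if they are one label. The image alt text "Ad icon" in step 2 looks like a typo for "Add icon".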
-1. In the **Object type** section, select **URL**. In the box that appears, enter the full URL (for example, `https://www.fabrikam.com/marketing.html`).
-
-2. In the **Reason for submission** section, select one of the following options:
+1. In the **Select the submission type** box, select **URL** from the drop down list.
- - **Should not have been blocked**
+2. In the **URL** box that appears, enter the full URL (for example, `https://www.fabrikam.com/marketing.html`).
- - **Should have been blocked**: Select **Phishing** or **Malware**.
+3. In the **Select a reason for submitting to Microsoft** section, select one of the following options:
+ - **Should not have been blocked (false positive)**
+ - **Should have been blocked**: In the **This URL should have been categorized as** section that appears, select **Phish** or **Malware**.
-3. When you're finished, click the **Submit** button.
+4. When you're finished, click the **Submit** button.
![New Email submission example](../../media/submission-url-flyout.png)
-### Submit a suspected file to Microsoft
-
-1. In the **Object type** section, select **Attachment**.
+### Submit a suspected email attachment to Microsoft
-2. Click **Choose File**. In the dialog that opens, find and select the file, and then click **Open**.
+1. In the **Select the submission type** box, select **File** from the drop down list.
-3. In the **Reason for submission** section, select one of the following options:
+2. In the **File** section that appears, click **Browse files**. In the dialog that opens, find and select the file, and then click **Open**.
- - **Should not have been blocked**
-
- - **Should have been blocked**: **Malware** is the only choice, and is automatically selected..
+3. In the **Select a reason for submitting to Microsoft** section, select one of the following options:
+ - **Should not have been blocked (false positive)**
+ - **Should have been blocked**: In the **This URL should have been categorized as** section that appears, **Malware** is the only choice, and is automatically selected.
4. When you're finished, click the **Submit** button. ![New Attachment submission example](../../media/submission-file-flyout.PNG)
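Review bot: Step 3 of the attachment procedure says "In the **This URL should have been categorized as** section that appears", which is copied from the URL procedure. For a file submission the section name should refer to the file, so check the flyout and correct the label. The heading now says "email attachment" while step 1 selects **File** and step 2 uses a **File** section; pick one term and use it throughout the procedure.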
-## View items Submitted for analysis
-
-In the Security & Compliance Center, go to **Threat management** \> **Submissions**, verify that you're on the **Submitted for analysis** tab
+## View admin submissions to Microsoft
-Near the top of the page, you can enter a start date, an end date, and (by default) you can filter by **Submission ID** (a GUID value that's assigned to every submission) by entering a value in the box and clicking ![Refresh button](../../media/scc-quarantine-refresh.png). You can enter multiple values separated by commas.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Submissions**.
-To change the filter criteria, click the **Submission ID** button and choose one of the following values:
+2. On the **Submissions** page, verify that the **Submitted for analysis** tab is selected.
-- **Sender**-- **Subject/URL/File name**-- **Submitted by**-- **Submission type**-- **Status**
+ - You can sort the entries by clicking on an available column header. Click **Customize columns** to show a maximum of seven columns. The default values are marked with an asterisk (<sup>\*</sup>):
+ - **Submission name**<sup>\*</sup>
+ - **Sender**<su>\*</sup>
+ - **Date submitted**<sup>\*</sup>
+ - **Submission type**<sup>\*</sup>
+ - **Reason for submitting**<sup>\*</sup>
+ - **Rescan status**<sup>\*</sup>
+ - **Rescan result**<sup>\*</sup>
+ - **Filter verdict**
+ - **Delivery/Block reason**
+ - **Submission ID**
+ - **Network Message ID/Object ID**
+ - **Direction**
+ - **Sender IP**
+ - **Bulk compliant level (BCL)**
+ - **Destination**
+ - **Policy action**
+ - **Submitted by**
-![New Filter options for admin submissions](../../media/admin-submission-email-filter-options.png)
+ When you're finished, click **Apply**.
-To export the results, click **Export** near the top of the page and select **Chart data** or **Table**. In the dialog that appears, save the .csv file.
+ - To filter the entries, click **Filter**. The available filters are:
+ - **Date submitted**: **Start date** and **End date**.
+ - **Submission type**: **Email**, **URL**, or **File**.
+ - **Submission ID**: A GUID value that's assigned to every submission.
+ - **Network Message ID**
+ - **Sender**
-Below the graph, there are three tabs: **Email** (default), **URL**, and **Attachment**.
+ When you're finished, click **Apply**.
-### View admin email submissions
+ ![New Filter options for admin submissions](../../media/admin-submission-email-filter-options.png)
-Click the **Email** tab.
+ - To group the entries, click **Group** and select one of the following values from the drop down list:
+ - **None**
+ - **Type**
+ - **Reason**
+ - **Status**
+ - **Rescan result**
-You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
+ - To export the entries, click **Export**. In the dialog that appears, save the .csv file.
-- **Date**-- **Submission ID**: A GUID value that's assigned to every submission.-- **Submitted by**<sup>\*</sup>-- **Subject**<sup>\*</sup>-- **Sender**-- **Sender IP**<sup>\*</sup>-- **Submission type**-- **Delivery reason**-- **Status**<sup>\*</sup>
+### Admin submission rescan details
- <sup>\*</sup> If you click this value, detailed information is displayed in a flyout.
-
-#### Admin submission rescan details
-
-Messages that are submitted in admin submissions are rescanned and results shown in the details flyout:
+Messages that are submitted in admin submissions are rescanned and results shown in the submissions detail flyout:
- If there was a failure in the sender's email authentication at the time of delivery. - Information about any policy hits that could have affected or overridden the verdict of a message.
Messages that are submitted in admin submissions are rescanned and results shown
If an override was found, the rescan should complete in several minutes. If there wasn't a problem in email authentication or delivery wasn't affected by an override, then the feedback from graders could take up to a day.
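Review bot: Two of the added column entries are broken. "**Sender**" is followed by `<su>\*</sup>`, which opens with `<su>` instead of `<sup>`, so the tag is unbalanced and the asterisk will not render as a superscript. "Bulk compliant level (BCL)" should be "Bulk complaint level (BCL)". The sentence "Click **Customize columns** to show a maximum of seven columns" would also be clearer if it said that at most seven of the listed columns can be shown at once, given that exactly seven are marked as defaults.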
-### View admin URL submissions
-
-Click the **URL** tab.
-
-You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
--- **Date**-- **Submission ID**-- **Submitted by**<sup>\*</sup>-- **URL**<sup>\*</sup>-- **Submission type**-- **Status**<sup>\*</sup>-
- <sup>\*</sup> If you click this value, detailed information is displayed in a flyout.
-
-### View admin attachment submissions
-
-Click the **Attachments** tab.
-
-You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
--- **Date**-- **Submission ID**-- **Submitted by**<sup>\*</sup>-- **File name**<sup>\*</sup>-- **Submission type**-- **Status**<sup>\*</sup>-
- <sup>\*</sup> If you click this value, detailed information is displayed in a flyout.
- ## View user submissions to Microsoft
-If you've deployed the [Report Message add-in](enable-the-report-message-add-in.md), the [Report Phishing add-in](enable-the-report-phish-add-in.md), or people use the [built-in reporting in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md), you can see what users are reporting on the **User submissions** tab.
-
-1. In the Security & Compliance Center, go to **Threat management** \> **Submissions**.
-
-2. Select the **User submissions** tab, and then click **New submission**.
-
-You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
--- **Submitted on**-- **Submitted by**<sup>\*</sup>-- **Subject**<sup>\*</sup>-- **Sender**-- **Sender IP**<sup>\*</sup>-- **Submission type**-
-<sup>\*</sup> If you click this value, detailed information is displayed in a flyout.
-
-Near the top of the page, you can enter a start date, an end date, and (by default) you can filter by **Sender** by entering a value in the box and clicking ![Refresh button](../../media/scc-quarantine-refresh.png). You can enter multiple values separated by commas.
-
-To change the filter criteria, click the **Sender** button and choose one of the following values:
--- **Sender domain**-- **Subject**-- **Submitted by**-- **Submission type**-- **Sender IP**
+If you've deployed the [Report Message add-in](enable-the-report-message-add-in.md), the [Report Phishing add-in](enable-the-report-phish-add-in.md), or people use the [built-in reporting in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md), you can see what users are reporting on the **User reported message** tab.
-![New Filter options for user submissions](../../media/user-submissions-filter-options.png)
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Submissions**.
-To export the results, click **Export** near the top of the page and select **Chart data** or **Table**. In the dialog that appears, save the .csv file.
+2. On the **Submissions** page, select the **User reported messages** tab.
-## View user submissions to the custom mailbox
+ - You can sort the entries by clicking on an available column header. Click **Customize columns** to show a maximum of seven columns. The default values are marked with an asterisk (<sup>\*</sup>):
-**If** you've [configured a custom mailbox](user-submission.md) to receive user reported messages, you can view and also submit messages that were delivered to the reporting mailbox.
+ - **Email subject**<sup>\*</sup>
+ - **Reported by**<su>\*</sup>
+ - **Date reported**<sup>\*</sup>
+ - **Sender**<sup>\*</sup>
+ - **Reported reason**<sup>\*</sup>
+ - **Rescan result**<sup>\*</sup>
+ - **Message reported ID**
+ - **Network Message ID**
+ - **Sender IP**
+ - **Phish simulation**
-1. In the Security & Compliance Center, go to **Threat management** \> **Submissions**.
+ When you're finished, click **Apply**.
-2. Select the **Custom mailbox** tab.
+ - To filter the entries, click **Filter**. The available filters are:
+ - **Date reported**: **Start date** and **End date**.
+ - **Reported by**
+ - **Email subject**
+ - **Message reported ID**
+ - **Network Message ID**
+ - **Sender**
+ - **Reported reason**: **Not junk**, **Phish**, or **Spam**.
+ - **Phish simulation**: **Yes** or **No**
-You can click the **Column options** button near the bottom of the page to add or remove columns from the view:
+ When you're finished, click **Apply**.
-- **Submitted on**-- **Submitted by**<sup>\*</sup>-- **Subject**<sup>\*</sup>-- **Sender**-- **Sender IP**<sup>\*</sup>-- **Submission type**
+ ![New Filter options for user submissions](../../media/user-submissions-filter-options.png)
-Near the top of the page, you can enter a start date, an end date, and you can filter by **Submitted by** by entering a value in the box and clicking ![Refresh button](../../media/scc-quarantine-refresh.png). You can enter multiple values separated by commas.
+ - To group the entries, click **Group** and select one of the following values from the drop down list:
+ - **None**
+ - **Reason**
+ - **Sender**
+ - **Reported by**
+ - **Rescan result**
+ - **Phish simulation**
-To export the results, click **Export** near the top of the page and select **Chart data** or **Table**. In the dialog that appears, save the .csv file.
+ - To export the entries, click **Export**. In the dialog that appears, save the .csv file.
> [!NOTE]
-> If organizations are configured to send to custom mailbox only, reported messages will not be sent for rescan and results in the User reported messages portal will always be empty.
+> If organizations are configured to send user reported messages to the custom mailbox only, reported messages will not be sent for rescan and the results in **User reported messages** will always be empty.
-## Undo user submissions
+### Undo user submissions
Once a user submits a suspicious email to the custom mailbox, the user and admin don't have an option to undo the submission. If the user would like to recover the email, it will be available for recovery in the Deleted Items or Junk Email folders.
Once a user submits a suspicious email to the custom mailbox, the user and admin
If you've configured the custom mailbox to intercept user-reported messages without sending the messages to Microsoft, you can find and send specific messages to Microsoft for analysis. This effectively moves a user submission to an admin submission.
-On the **User reported messages** tab, select a message in the list, click the **Action** button, and make one of the following selections:
+On the **User reported messages** tab, select a message in the list, click **Submit to Microsoft for analysis**, and then select one of the following values from the drop down list:
- **Report clean** - **Report phishing** - **Report malware** - **Report spam**
+- **Trigger investigation**
![New Options on the Action button](../../media/user-submission-custom-mailbox-action-button.png)
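Review bot: The tab is called **User reported message** in the rewritten intro paragraph and **User reported messages** in step 2 and in the note; use one name. In the column list, "**Reported by**" is followed by `<su>\*</sup>`, where the opening tag should be `<sup>`. The new **Trigger investigation** option is added to the list without any description of what it starts or which permissions it needs, unlike the four "Report ..." options whose meaning is evident from their names.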
security Advanced Spam Filtering Asf Options https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-spam-filtering-asf-options.md
In all Microsoft 365 organizations, the Advanced Spam Filter (ASF) settings in a
> - The presence of filtered messages in quarantine. > - The specific `X-CustomSpam:` X-header fields that are added to messages as described in this article.
-The following sections describe the ASF settings and options that are available in anti-spam policies in the Microsoft 365 security center, and in Exchange Online PowerShell or standalone EOP PowerShell ([New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy) and [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy)). For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+The following sections describe the ASF settings and options that are available in anti-spam policies in the Microsoft 365 Defender portal, and in Exchange Online PowerShell or standalone EOP PowerShell ([New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy) and [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy)). For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
## Enable, disable, or test ASF settings
For each ASF setting, the following options are available in anti-spam policies:
- **Test**: ASF adds the corresponding X-header field to the message. What happens to the message is determined by the **Test mode** (*TestModeAction*) value: - **None**: Message delivery is unaffected by the ASF detection. The message is still subject to other types of filtering and rules in EOP. - **Add default X-header text (*AddXHeader*)**: The X-header value `X-CustomSpam: This message was filtered by the custom spam filter option` is added to the message. You can use this value in Inbox rules or mail flow rules (also known as transport rules) to affect the delivery of the message.
- - **Send Bcc message (*BccMessage*)**: The specified email addresses (the *TestModeBccToRecipients* parameter value in PowerShell) are added to the Bcc field of the message, and the message is delivered to the additional Bcc recipients. In the security center, you separate multiple email addresses by semicolons (;). In PowerShell, you separate multiple email addresses by commas.
+ - **Send Bcc message (*BccMessage*)**: The specified email addresses (the *TestModeBccToRecipients* parameter value in PowerShell) are added to the Bcc field of the message, and the message is delivered to the additional Bcc recipients. In the Microsoft 365 Defender portal, you separate multiple email addresses by semicolons (;). In PowerShell, you separate multiple email addresses by commas.
**Notes**:
security Air Report False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-report-false-positives-negatives.md
In most cases, if a remediation action was taken on an email message, email atta
With Threat Explorer, your security operations team can find an email affected by an action and potentially undo the action.
+<br>
+
+****
+ |Scenario|Undo Options|Learn more| ||||
-|An email message was routed to a user's Junk Email folder|- Move the message to the user's Deleted Items folder<br/>- Move the message to the user's Inbox<br/>- Delete the message|[Find and investigate malicious email that was delivered in Office 365](investigate-malicious-email-that-was-delivered.md)|
-|An email message or a file was quarantined|- Release the email or file<br/>- Delete the email or file|[Manage quarantined messages as an admin](manage-quarantined-messages-and-files.md)|
+|An email message was routed to a user's Junk Email folder|<ul><li>Move the message to the user's Deleted Items folder</li><li>Move the message to the user's Inbox</li><li>Delete the message</li></ul>|[Find and investigate malicious email that was delivered in Office 365](investigate-malicious-email-that-was-delivered.md)|
+|An email message or a file was quarantined|<ul><li>Release the email or file</li><li> Delete the email or file</li></ul>|[Manage quarantined messages as an admin](manage-quarantined-messages-and-files.md)|
| ### Undo an action in the Action center In the Action center, you can see remediation actions that were taken and potentially undo the action.
-1. Go to the Microsoft 365 security center (<https://security.microsoft.com>).
+1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>).
2. In the navigation pane, select **Action center**. 3. Select the **History** tab to view the list of completed actions. 4. Select an item. Its flyout pane opens.
security Air Review Approve Pending Completed Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions.md
description: Learn about remediation actions in automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2. ms.technology: mdo ms.prod: m365-security Previously updated : 01/29/2021 Last updated : 06/10/2021 # Review and manage remediation actions in Office 365
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+ As automated investigations on email & collaboration content result in verdicts, such as *Malicious* or *Suspicious*, certain remediation actions are created. In Microsoft Defender for Office 365, remediation actions can include:+ - Blocking a URL (time-of-click) - Soft deleting email messages or clusters - Quarantining email or email attachments
As automated investigations on email & collaboration content result in verdicts,
These remediation actions are not taken unless and until your security operations team approves them. We recommend reviewing and approving any pending actions as soon as possible so that your automated investigations complete in a timely manner. In some cases, you can undo a remediation action.
-**Applies to**
-- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- ## Approve (or reject) pending actions
-1. Go to the Microsoft 365 security center (<https://security.microsoft.com>) and sign in.
+1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
2. In the navigation pane, select **Action center**. 3. On the **Pending** tab, review the list of actions that are awaiting approval. 4. Select an item in the list. Its flyout pane opens.
These remediation actions are not taken unless and until your security operation
- Select **Approve** to initiate a pending action. - Select **Reject** to prevent a pending action from being taken.
-## Undo one remediation action
+## Change or undo one remediation action
1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
-2. On the **History** tab, select an action that you want to undo.
+2. On the **History** tab, select an action that you want to change or undo.
3. In the pane on the right side of the screen, select **Undo**.
-## Undo multiple remediation actions
+## Change or undo multiple remediation actions
1. Go to the Action center (<https://security.microsoft.com/action-center>) and sign in.
-2. On the **History** tab, select the actions that you want to undo. Make sure to select items that have the same Action type. A flyout pane opens.
+2. On the **History** tab, select the actions that you want to change or undo. Make sure to select items that have the same Action type. A flyout pane opens.
3. In the flyout pane, select Undo. ## To remove a file from quarantine across multiple devices
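Review bot: The two headings and step 2 of each procedure now say "change or undo", but the unchanged step 3 in both procedures still offers only one control ("select **Undo**"), so the reader is never told how to change an action. Either add the step that performs the change, or keep the headings and step 2 as "undo". While here, step 3 of the multiple-actions procedure writes Undo without the bold used in the single-action procedure.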
security Air View Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-view-investigation-results.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-When an [automated investigation](office-365-air.md) occurs in [Microsoft Defender for Office 365](defender-for-office-365.md), details about that investigation are available during and after the automated investigation process. If you have the necessary permissions, you can view those details in the Microsoft 365 security center. Investigation details provide you with up-to-date status, and the ability to approve any pending actions.
+When an [automated investigation](office-365-air.md) occurs in [Microsoft Defender for Office 365](defender-for-office-365.md), details about that investigation are available during and after the automated investigation process. If you have the necessary permissions, you can view those details in the Microsoft 365 Defender portal. Investigation details provide you with up-to-date status, and the ability to approve any pending actions.
> [!TIP]
-> Check out the new, unified investigation page in the Microsoft 365 security center. To learn more, see [(NEW!) Unified investigation page](../defender/m365d-autoir-results.md#new-unified-investigation-page).
+> Check out the new, unified investigation page in the Microsoft 365 Defender portal. To learn more, see [(NEW!) Unified investigation page](../defender/m365d-autoir-results.md#new-unified-investigation-page).
## Investigation status The investigation status indicates the progress of the analysis and actions. As the investigation runs, status changes to indicate whether threats were found, and whether actions have been approved.
+<br>
+
+****
+ |Status|Description|
-|:|:|
+|||
|**Starting**|The investigation has been triggered and waiting to start runningΓÇï.| |**Running**|The investigation process has started and is underway. This state also occurs when [pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions) are approved.| |**No Threats Found**|The investigation has finished and no threats (user account, email message, URL, or file) were identified. <p> **TIP**: If you suspect something was missed (such as a false negative), you can take action using [Threat Explorer](threat-explorer.md)ΓÇï.|
The investigation status indicates the progress of the analysis and actions. As
## View details of an investigation
-1. Go to the Microsoft 365 security center (<https://security.microsoft.com>) and sign in.
+1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
2. In the navigation pane, select **Action center**. 3. On either the **Pending** or **History** tabs, select an action. Its flyout pane opens. 4. In the flyout pane, select **Open investigation page**.
The investigation status indicates the progress of the analysis and actions. As
Certain kinds of alerts trigger automated investigation in Microsoft 365. To learn more, see [alert policies that trigger automated investigations](office-365-air.md#which-alert-policies-trigger-automated-investigations).
-1. Go to the Microsoft 365 security center (<https://security.microsoft.com>) and sign in.
+1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and sign in.
2. In the navigation pane, select **Action center**. 3. On either the **Pending** or **History** tabs, select an action. Its flyout pane opens.
-4. In the flyout pane, select **Open investigation page**.
+4. In the flyout pane, select **Open investigation page**.
5. Select the **Alerts** tab to view a list of all of the alerts associated with that investigation. 6. Select an item in the list to open its flyout pane. There, you can view more information about the alert.
security Anti Malware Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection.md
ms.prod: m365-security
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are: - **Viruses** that infect other programs and data, and spread through your computer or network looking for programs to infect.- - **Spyware** that that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.- - **Ransomware** that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect and remove the malware payload that's associated with the ransomware. EOP offers multi-layered malware protection that's designed to catch all known malware traveling into or out of your organization. The following options help provide anti-malware protection: - **Layered defenses against malware**: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.- - **Real-time threat response**: During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.- - **Fast anti-malware definition deployment**: The anti-malware team maintains close relationships with partners who develop anti-malware engines. 
As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour. In EOP, messages that are found to contain malware in *any* attachments are quarantined, and can only be released from quarantine by an admin. For more information, see [Manage quarantined messages and files as an admin in EOP](manage-quarantined-messages-and-files.md).
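Review bot: The Spyware bullet in this list reads "**Spyware** that that gathers your personal information", with a doubled "that". The hunk already touches the spacing of this list, so the duplicate word can be dropped in the same change.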
Anti-malware policies control the settings and notification options for malware
You can replace the default text in the **Malware Alert Text.txt** file with your own custom text. -- **Common attachments filter**: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these type of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are: `.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs`.
+- **Common attachments filter**: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these types of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are: `.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs`.
The common attachments filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.
Anti-malware policies control the settings and notification options for malware
For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-### Anti-malware policies in the Microsoft 365 security center vs PowerShell
+### Anti-malware policies in the Microsoft 365 Defender portal vs PowerShell
The basic elements of an anti-malware policy are: - **The malware filter policy**: Specifies the recipient notification, sender and admin notification, ZAP, and the common attachments filter settings. - **The malware filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.
-The difference between these two elements isn't obvious when you manage anti-malware polices in the security center:
+The difference between these two elements isn't obvious when you manage anti-malware polices in the Microsoft 365 Defender portal:
- When you create an anti-malware policy, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both. - When you modify an anti-malware policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (recipient notification, sender and admin notification, ZAP, and the common attachments filter) modify the associated malware filter policy.
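Review bot: The rewritten sentence still carries the typo "polices" ("when you manage anti-malware polices in the Microsoft 365 Defender portal"). Since the line is being replaced anyway, correct it to "policies", which also matches the heading changed just above it.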
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
-If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes [Threat Investigation and Response capabilities](office-365-ti.md), you can use Attack simulation training in the Microsoft Security Center to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.
+**Applies to**
+ [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+
+If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes [Threat Investigation and Response capabilities](office-365-ti.md), you can use Attack simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.
> [!NOTE] > Attack simulation training replaces the old Attack Simulator v1 experience that's described in [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md). ## What do you need to know before you begin? -- To open the Microsoft Security Center, go to <https://security.microsoft.com>. Attack simulation training is available at **Email and collaboration** \> **Attack simulation training**. To go directly to Attack simulation training, open <https://security.microsoft.com/attacksimulator>.
+- To open the Microsoft 365 Defender portal, go to <https://security.microsoft.com>. Attack simulation training is available at **Email and collaboration** \> **Attack simulation training**. To go directly to Attack simulation training, open <https://security.microsoft.com/attacksimulator>.
- For more information about the availability of Attack simulation training across different Microsoft 365 subscriptions, see [Microsoft Defender for Office 365 service description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
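Review bot: The new **Applies to** entry is added as a bare indented link (" [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)") with no list marker, while the other articles in this update write the same entry as a list item ("- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)"). Use the list form here for consistency. The same bare form is added to the other Attack simulation training articles in this update. The link text also says "plan 2" while the paragraph directly below it says "Plan 2".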
If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 P
- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information see [Microsoft 365 data locations](../../enterprise/o365-data-locations.md). Attack simulation is available in the following regions: NAM, APC, EUR, IND, CAN, AUS, FRA, GBR, JPN, and KOR. -- As of June 15 2021, Attack simulation training is available in GCC. If your organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training in the Microsoft Security Center to run realistic attack scenarios in your organization as described in this article. Attack simulation training is not yet available in GCC High or DoD environments.
+- As of June 15 2021, Attack simulation training is available in GCC. If your organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization as described in this article. Attack simulation training is not yet available in GCC High or DoD environments.
> [!NOTE] > Attack simulation training offers a subset of capabilities to E3 customers as a trial. The trial offering contains the ability to use a Credential Harvest payload and the ability to select 'ISA Phishing' or 'Mass Market Phishing' training experiences. No other capabilities are part of the E3 trial offering.
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
localization_priority: Normal
- M365-security-compliance - m365initiative-defender-office365
-description: Admins can learn how Attack simulation training in the Microsoft 365 security center affects employees and can gain insights from simulation and training outcomes.
+description: Admins can learn how Attack simulation training in the Microsoft 365 Defender portal affects employees and can gain insights from simulation and training outcomes.
ms.technology: mdo # Gain insights through Attack simulation training
+**Applies to**
+ [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+ Within Attack simulation training, Microsoft provides you with insights based on outcomes of simulations and trainings that employees went through. These insights will help keep you informed on the threat readiness progress of your employees, as well as recommend next steps to better prepare your employees and your environment for attacks.
-We are continuously working on expanding the insights that are available to you. Behavior impact and recommended actions are currently available. To start, head over to [Attack simulation training in the Microsoft 365 security center](https://security.microsoft.com/attacksimulator?viewid=overview).
+We are continuously working on expanding the insights that are available to you. Behavior impact and recommended actions are currently available. To start, head over to [Attack simulation training in the Microsoft 365 Defender portal](https://security.microsoft.com/attacksimulator?viewid=overview).
## Behavior impact on compromise rate
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
ms.technology: mdo
# Create a custom payload for Attack simulation training
+**Applies to**
+ [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+ Microsoft offers a robust payload catalog for various social engineering techniques to pair with your attack simulation training. However, you might want to create custom payloads that will work better for your organization. This article describes how to create a payload in Attack simulation training in Microsoft Defender for Office 365. You can create a payload by clicking on **Create a payload** in either the [dedicated **Payloads** tab](https://security.microsoft.com/attacksimulator?viewid=payload) or within the [simulation creation wizard](attack-simulation-training.md#selecting-a-payload).
security Attack Simulation Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md
ms.technology: mdo
# Simulate a phishing attack
+**Applies to**
+ [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+ Attack simulation training in Microsoft Defender for Office 365 lets you run benign cyberattack simulations on your organization to test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using attack simulation training. For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
-To launch a simulated phishing attack, open the [Microsoft 365 security center](https://security.microsoft.com/), go to **Email & collaboration** \> **Attack simulation training**, and switch to the [**Simulations**](https://security.microsoft.com/attacksimulator?viewid=simulations) tab.
+To launch a simulated phishing attack, open the Microsoft 365 Defender portal (<https://security.microsoft.com/>), go to **Email & collaboration** \> **Attack simulation training**, and switch to the **[Simulations](https://security.microsoft.com/attacksimulator?viewid=simulations)** tab.
Under **Simulations**, select **+ Launch a simulation**.
-![Launch a simulation button in Microsoft 365 security center](../../media/attack-sim-preview-launch.png)
+![Launch a simulation button in the Microsoft 365 Defender portal](../../media/attack-sim-preview-launch.png)
> [!NOTE] > At any point during simulation creation, you can save and close to continue configuring the simulation at a later time.
Select from 4 different techniques, curated from the [MITRE ATT&CK® framework](
> [!TIP] > Clicking on **View details** within the description of each technique will display further information and the simulation steps for the technique. >
-> ![Simulation steps for credential harvest within attack simulation training in Microsoft 365 security center](../../media/attack-sim-preview-sim-steps.png)
+> ![Simulation steps for credential harvest within attack simulation training in the Microsoft 365 Defender portal](../../media/attack-sim-preview-sim-steps.png)
After you've selected the technique and clicked on **Next**, give your simulation a name and optionally a description.
Payloads have a number of data points to help you choose:
- **Complexity**, available through **filters**, is calculated based on the number of indicators within the payload that clue targets in on it being an attack. More indicators lead to lower complexity. - **Source**, available through **filters**, indicates whether the payload was created on your tenant or is a part of Microsoft's pre-existing payload catalog (global).
-![Selected payload within attack simulation training in Microsoft 365 security center](../../media/attack-sim-preview-select-payload.png)
+![Selected payload within attack simulation training in the Microsoft 365 Defender portal](../../media/attack-sim-preview-select-payload.png)
Select a payload from the list to see a preview of the payload with additional information about it.
Now it's time to select this simulation's audience. You can choose to **include
When you choose to **include only specific users and groups** you can either: - **Add users**, which allows you to leverage search for your tenant, as well as advanced search and filtering capabilities, like targeting users who haven't been targeted by a simulation in the last 3 months.
- ![User filtering in attack simulation training on Microsoft 365 security center](../../media/attack-sim-preview-user-targeting.png)
+
+ ![User filtering in attack simulation training in the Microsoft 365 Defender portal](../../media/attack-sim-preview-user-targeting.png)
+ - **Import from CSV** allows you to import a predefined set of users for this simulation. ## Assigning training
Select the **training due date** to make sure employees finish their training in
> [!NOTE] > If you choose to select courses and modules yourself, you'll still be able to see the recommended content as well as all available courses and modules. >
-> ![Adding recommended training within attack simulation training in Microsoft 365 security center](../../media/attack-sim-preview-add-training.png)
+> ![Adding recommended training within attack simulation training in the Microsoft 365 Defender portal](../../media/attack-sim-preview-add-training.png)
In the next steps you'll need to **Add trainings** if you opted to select it yourself, and customize your training landing page. You'll be able to preview the training landing page, as well as change the header and body of it.
security Attack Simulator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulator.md
If your organization has Microsoft Defender for Office 365 Plan 2, which include
> [!NOTE] >
-> Attack Simulator as described in this article is now read-only and has been replaced by **Attack simulation training** in the **Email & collaboration** node in the [Microsoft 365 security center](https://security.microsoft.com). For more information, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+> Attack Simulator as described in this article is now read-only and has been replaced by **Attack simulation training** in the **Email & collaboration** node in the Microsoft 365 Defender portal at <https://security.microsoft.com>. For more information, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
>
-> The ability to launch new simulations from this version of Attack Simulator has been disabled. However, you can still access reports for up to 90 days from January 24, 2021.
+> The ability to launch new simulations from this version of Attack Simulator has been disabled. However, you can still access reports until April 24, 2021.
## What do you need to know before you begin?
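Review bot: The replacement sentence says "you can still access reports until April 24, 2021", but this update is dated 06/11/2021, so the cutoff has already passed and "can still" is no longer true. Reword it in the past tense, or state plainly that reports from this version are no longer available, rather than converting the old relative date into a fixed one.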
security Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md
ms.prod: m365-security
**Applies to** - [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-Campaign Views is a feature in Microsoft Defender for Office 365 Plan 2 (for example, Microsoft 365 E5 or organizations with an Defender for Office 365 Plan 2 add-on). Campaign Views in the Microsoft 365 security center identifies and categorizes phishing attacks in the service. Campaign Views can help you to:
+Campaign Views is a feature in Microsoft Defender for Office 365 Plan 2 (for example, Microsoft 365 E5 or organizations with an Defender for Office 365 Plan 2 add-on). Campaign Views in the Microsoft 365 Defender portal identifies and categorizes phishing attacks in the service. Campaign Views can help you to:
- Efficiently investigate and respond to phishing attacks. - Better understand the scope of the attack.
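Review bot: The first sentence of the replaced paragraph keeps the grammatical error "an Defender for Office 365 Plan 2 add-on". The line is being rewritten for the portal rename, so change it to "a Defender for Office 365 Plan 2 add-on" in the same edit.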
Microsoft leverages the vast amounts of anti-phishing, anti-spam, and anti-malwa
A campaign might be short-lived, or could span several days, weeks, or months with active and inactive periods. A campaign might be launched against your specific organization, or your organization might be part of a larger campaign across multiple companies.
-## Campaign Views in the security center
+## Campaign Views in the Microsoft 365 Defender portal
-Campaign Views is available in the [Microsoft 365 security center](https://security.microsoft.com) at **Email & collaboration** \> **Campaigns**, or directly at <https://security.microsoft.com/campaigns>.
+Campaign Views is available in the Microsoft 365 Defender portal (<https://security.microsoft.com>) at **Email & collaboration** \> **Campaigns**, or directly at <https://security.microsoft.com/campaigns>.
-![Campaigns overview in the Microsoft 365 security center](../../media/campaigns-overview.png)
+![Campaigns overview in the Microsoft 365 Defender portal](../../media/campaigns-overview.png)
You can also get to Campaign Views from:
You can also get to Campaign Views from:
- **Email & collaboration** \> **Explorer** \> **View** \> **Phish** \> **Campaign** tab - **Email & collaboration** \> **Explorer** \> **View** \> **Malware** \> **Campaign** tab
-To access Campaign Views, you need to be a member of the **Organization Management**, **Security Administrator**, or **Security Reader** role groups in the security center. For more information, see [Permissions in the Microsoft 365 compliance center and Microsoft 365 security center](permissions-microsoft-365-security-center.md).
+To access Campaign Views, you need to be a member of the **Organization Management**, **Security Administrator**, or **Security Reader** role groups in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
## Campaigns overview
security Configuration Analyzer For Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Configuration analyzer in the Microsoft 365 security center provides a central location to find and fix security policies where the settings are below the Standard protection and Strict protection profile settings in [preset security policies](preset-security-policies.md).
+Configuration analyzer in the Microsoft 365 Defender portal provides a central location to find and fix security policies where the settings are below the Standard protection and Strict protection profile settings in [preset security policies](preset-security-policies.md).
The following types of policies are analyzed by the configuration analyzer:
The **Standard** and **Strict** policy setting values that are used as baselines
## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com>. To go directly to the **Configuration analyzer** page, use <https://security.microsoft.com/configurationAnalyzer>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Configuration analyzer** page, use <https://security.microsoft.com/configurationAnalyzer>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). -- You need to be assigned permissions in the security center before you can do the procedures in this article:
+- You need to be assigned permissions in the Microsoft 365 Defender portal before you can do the procedures in this article:
- To use the configuration analyzer **and** make updates to security policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups. - For read-only access to the configuration analyzer, you need to be a member of the **Global Reader** or **Security Reader** role groups.
- For more information, see [Permissions in the Microsoft 365 security center](permissions-microsoft-365-security-center.md).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
> [!NOTE] >
- > - Adding users to the corresponding Azure Active Directory role gives users the required permissions in the security center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ > - Adding users to the corresponding Azure Active Directory role gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
> > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
-## Use the configuration analyzer in the security center
+## Use the configuration analyzer in the Microsoft 365 Defender portal
-In the security center, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Templated policies** section \> **Configuration analyzer**.
+In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Templated policies** section \> **Configuration analyzer**.
-The configuration analyzer has two main tabs:
+The **Configuration analyzer** page has two main tabs:
- **Settings and recommendations**: You pick **Standard** or **Strict** and compare those settings to your existing security policies. In the results, you can adjust the values of your settings to bring them up to the same level as Standard or Strict. - **Configuration drift analysis and history**: This view allows you to track policy changes over time.
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
Messages that are identified by the advanced delivery policy aren't security thr
## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com>. To go directly to the **Advanced delivery** page, open <https://security.microsoft.com/advanceddelivery>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Advanced delivery** page, open <https://security.microsoft.com/advanceddelivery>.
- You need to be assigned permissions before you can do the procedures in this article:
- - To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the **Security Administrator** role group in the **security center** and a member of the **Organization Management** role group in **Exchange Online**.
+ - To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the **Security Administrator** role group in the **Microsoft 365 Defender portal** and a member of the **Organization Management** role group in **Exchange Online**.
- For read-only access to the advanced delivery policy, you need to be a member of the **Global Reader** or **Security Reader** role groups.
- For more information, see [Permissions in the Microsoft 365 security center](permissions-microsoft-365-security-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
> [!NOTE]
- > Adding users to the corresponding Azure Active Directory role gives users the required permissions in the security center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ > Adding users to the corresponding Azure Active Directory role gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
-## Use the security center to configure SecOps mailboxes in the advanced delivery policy
+## Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy
-1. In the security center, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Rules** section \> **Advanced delivery**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Rules** section \> **Advanced delivery**.
2. On the **Advanced delivery** page, verify that the **SecOps mailbox** tab is selected, and then do one of the following steps: - Click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**.
Messages that are identified by the advanced delivery policy aren't security thr
The SecOps mailbox entries that you configured are displayed on the **SecOps mailbox** tab. To make changes, click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit** on the tab.
-## Use the security center to configure third-party phishing simulations in the advanced delivery policy
+## Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy
-1. In the security center, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Rules** section \> **Advanced delivery**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Rules** section \> **Advanced delivery**.
2. On the **Advanced delivery** page, select the **Phishing simulation** tab, and then do one of the following steps: - Click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**.
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
Admins can view, edit, and configure (but not delete) the default anti-malware policy to meet the needs of their organizations. For greater granularity, you can also create custom anti-malware policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
-You can configure anti-malware policies in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+You can configure anti-malware policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com>. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
You can configure anti-malware policies in the Microsoft 365 security center or
- For our recommended settings for anti-malware policies, see [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings).
-## Use the security center to create anti-malware policies
+## Use the Microsoft 365 Defender portal to create anti-malware policies
-Creating a custom anti-malware policy in the security center creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.
+Creating a custom anti-malware policy in the Microsoft 365 Defender portal creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-Malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-Malware**.
2. On the **Anti-malware** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
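Review bot: Step 1 of the create procedure labels the last node **Anti-Malware**, while step 2 and every other procedure in this article use **Anti-malware**. The same path is also written "**Email & Collaboration** \> **Policies & Rules**" here but "**Email & collaboration** \> **Policies & rules**" in the configuration analyzer and advanced delivery articles of this update. Since these lines are being touched anyway, align the casing with what the portal actually shows so admins can match the labels exactly.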
Creating a custom anti-malware policy in the security center creates the malware
7. On the confirmation page that appears, click **Done**.
-## Use the security center to view anti-malware policies
+## Use the Microsoft 365 Defender portal to view anti-malware policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, the following properties are displayed in the list of anti-malware policies:
Creating a custom anti-malware policy in the security center creates the malware
3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
-## Use the security center to modify anti-malware policies
+## Use the Microsoft 365 Defender portal to modify anti-malware policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, select a policy from the list by clicking on the name.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the security center to create anti-malware policies](#use-the-security-center-to-create-anti-malware-policies) section in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create anti-malware policies](#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies) section in this article.
For the default anti-malware policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.
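Review bot: Renaming the heading changes its anchor from `#use-the-security-center-to-create-anti-malware-policies` to `#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies`, and only the in-article reference in step 3 is updated here. Check for links from other articles to the old anchor; they will now land at the top of the page instead of on the create procedure.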
To enable or disable a policy or set the policy priority order, see the followin
You can't disable the default anti-malware policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
Back on the main policy page, the **Status** value of the policy will be **On**
By default, anti-malware policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
**Notes**: -- In the security center, you can only change the priority of the anti-malware policy after you create it. In PowerShell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules).
+- In the Microsoft 365 Defender portal, you can only change the priority of the anti-malware policy after you create it. In PowerShell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules).
- Anti-malware policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-malware policy has the priority value **Lowest**, and you can't change it.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
4. When you're finished, click **Close** in the policy details flyout.
-## Use the security center to remove custom anti-malware policies
+## Use the Microsoft 365 Defender portal to remove custom anti-malware policies
-When you use the security center to remove a custom anti-malware policy, the malware filter rule and the corresponding malware filter policy are both deleted. You can't remove the default anti-malware policy.
+When you use the Microsoft 365 Defender portal to remove a custom anti-malware policy, the malware filter rule and the corresponding malware filter policy are both deleted. You can't remove the default anti-malware policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
When you use the security center to remove a custom anti-malware policy, the mal
## Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-malware policies
-For more information about anti-spam policies in PowerShell, see [Anti-malware policies in the Microsoft 365 security center vs PowerShell](anti-malware-protection.md#anti-malware-policies-in-the-microsoft-365-security-center-vs-powershell).
+For more information about anti-spam policies in PowerShell, see [Anti-malware policies in the Microsoft 365 Defender portal vs PowerShell](anti-malware-protection.md#anti-malware-policies-in-the-microsoft-365-defender-portal-vs-powershell).
### Use PowerShell to create anti-malware policies
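Review bot: The sentence being edited still reads "For more information about anti-spam policies in PowerShell" although the article and the link target are both about anti-malware policies. Change "anti-spam" to "anti-malware" while the line is open. The new anchor `#anti-malware-policies-in-the-microsoft-365-defender-portal-vs-powershell` also only resolves if the heading in `anti-malware-protection.md` is renamed in the same update, so verify that as well.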
Creating an anti-malware policy in PowerShell is a two-step process:
**Notes**: - You can create a new malware filter rule and assign an existing, unassociated malware filter policy to it. A malware filter rule can't be associated with more than one malware filter policy.-- There are two settings that you can configure on new anti-malware policies in PowerShell that aren't available in the security center until after you create the policy:
+- There are two settings that you can configure on new anti-malware policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:
- Create the new policy as disabled (_Enabled_ `$false` on the **New-MalwareFilterRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-MalwareFilterRule** cmdlet).-- A new malware filter policy that you create in PowerShell isn't visible in the security center until you assign the policy to a malware filter rule.
+- A new malware filter policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to a malware filter rule.
#### Step 1: Use PowerShell to create a malware filter policy
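Review bot: The priority bullet next to the changed lines has an unbalanced parenthesis: "(_Priority_ _\<Number\>_) on the **New-MalwareFilterRule** cmdlet)." closes twice. Drop the first closing parenthesis so it reads "(_Priority_ _\<Number\>_ on the **New-MalwareFilterRule** cmdlet)", matching the _Enabled_ bullet before it. The same wording appears for **New-AntiPhishRule** in the anti-phishing article and needs the same fix.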
For detailed syntax and parameter information, see [Get-MalwareFilterRule](/powe
Other than the following items, the same settings are available when you modify a malware filter policy in PowerShell as when you create the policy as described in the [Step 1: Use PowerShell to create a malware filter policy](#step-1-use-powershell-to-create-a-malware-filter-policy) section earlier in this article. - The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, unmodifiable **Lowest** priority, and you can't delete it) is only available when you modify a malware filter policy in PowerShell.-- You can't rename a malware filter policy (the **Set-MalwareFilterPolicy** cmdlet has no _Name_ parameter). When you rename an anti-malware policy in the security center, you're only renaming the malware filter _rule_.
+- You can't rename a malware filter policy (the **Set-MalwareFilterPolicy** cmdlet has no _Name_ parameter). When you rename an anti-malware policy in the Microsoft 365 Defender portal, you're only renaming the malware filter _rule_.
To modify a malware filter policy, use this syntax:
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
Admins can view, edit, and configure (but not delete) the default anti-phishing policy. For greater granularity, you can also create custom anti-phishing policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
-Organizations with Exchange Online mailboxes can configure anti-phishing policies in the Microsoft 365 security center or in Exchange Online PowerShell. Standalone EOP organizations can only use the security center.
+Organizations with Exchange Online mailboxes can configure anti-phishing policies in the Microsoft 365 Defender portal or in Exchange Online PowerShell. Standalone EOP organizations can only use the Microsoft 365 Defender portal.
For information about creating and modifying the more advanced anti-phishing policies that are available in Microsoft Defender for Office 365, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
The basic elements of an anti-phishing policy are:
- **The anti-phish policy**: Specifies the phishing protections to enable or disable, and the actions to apply options. - **The anti-phish rule**: Specifies the priority and recipient filters (who the policy applies to) for an anti-phish policy.
-The difference between these two elements isn't obvious when you manage anti-phishing policies in the security center:
+The difference between these two elements isn't obvious when you manage anti-phishing policies in the Microsoft 365 Defender portal:
- When you create an anti-phishing policy, you're actually creating an anti-phish rule and the associated anti-phish policy at the same time using the same name for both. - When you modify an anti-phishing policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the anti-phish rule. All other settings modify the associated anti-phish policy.
To increase the effectiveness of anti-phishing protection, you can create custom
## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
To increase the effectiveness of anti-phishing protection, you can create custom
- For information about where anti-phishing policies are applied in the filtering pipeline, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-## Use the security center to create anti-phishing policies
+## Use the Microsoft 365 Defender portal to create anti-phishing policies
-Creating a custom anti-phishing policy in the security center creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
+Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
Creating a custom anti-phishing policy in the security center creates the anti-p
8. On the confirmation page that appears, click **Done**.
-## Use the security center to view anti-phishing policies
+## Use the Microsoft 365 Defender portal to view anti-phishing policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, the following properties are displayed in the list of anti-phishing policies:
Creating a custom anti-phishing policy in the security center creates the anti-p
3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
-## Use the security center to modify anti-phishing policies
+## Use the Microsoft 365 Defender portal to modify anti-phishing policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the security center to create anti-phishing policies](#use-the-security-center-to-create-anti-phishing-policies) section earlier in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
For the default anti-phishing policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy or set the policy priority order, see the followin
You can't disable the default anti-phishing policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
Back on the main policy page, the **Status** value of the policy will be **On**
By default, anti-phishing policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
**Notes**: -- In the security center, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules).
+- In the Microsoft 365 Defender portal, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules).
- Anti-phishing policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-phishing policy has the priority value **Lowest**, and you can't change it.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
4. When you're finished, click **Close** in the policy details flyout.
-## Use the security center to remove custom anti-phishing policies
+## Use the Microsoft 365 Defender portal to remove custom anti-phishing policies
-When you use the security center to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
+When you use the Microsoft 365 Defender portal to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
Creating an anti-phishing policy in PowerShell is a two-step process:
- You can create a new anti-phish rule and assign an existing, unassociated anti-phish policy to it. An anti-phish rule can't be associated with more than one anti-phish policy. -- You can configure the following settings on new anti-phish policies in PowerShell that aren't available in the security center until after you create the policy:
+- You can configure the following settings on new anti-phish policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:
- Create the new policy as disabled (_Enabled_ `$false` on the **New-AntiPhishRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-AntiPhishRule** cmdlet). -- A new anti-phish policy that you create in PowerShell isn't visible in the security center until you assign the policy to an anti-phish rule.
+- A new anti-phish policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to an anti-phish rule.
#### Step 1: Use PowerShell to create an anti-phish policy
For detailed syntax and parameter information, see [Get-AntiPhishRule](/powershe
Other than the following items, the same settings are available when you modify an anti-phish policy in PowerShell as when you create a policy as described in [Step 1: Use PowerShell to create an anti-phish policy](#step-1-use-powershell-to-create-an-anti-phish-policy) earlier in this article. - The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, always **Lowest** priority, and you can't delete it) is only available when you modify an anti-phish policy in PowerShell.-- You can't rename an anti-phish policy (the **Set-AntiPhishPolicy** cmdlet has no _Name_ parameter). When you rename an anti-phishing policy in the security center, you're only renaming the anti-phish _rule_.
+- You can't rename an anti-phish policy (the **Set-AntiPhishPolicy** cmdlet has no _Name_ parameter). When you rename an anti-phishing policy in the Microsoft 365 Defender portal, you're only renaming the anti-phish _rule_.
To modify an anti-phish policy, use this syntax:
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
To verify that you've successfully configured anti-phishing policies in EOP, do any of the following steps: -- In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
security Configure Global Settings For Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-global-settings-for-safe-links.md
But, Safe Links also uses the following global settings that you configure outsi
- The **Block the following URLs** list. This setting applies to all users who are included in any active Safe Links policies. For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links) - Safe Links protection for Office 365 apps. These settings apply to all users in the organization who are licensed for Defender for Office 365, regardless of whether the users are included in active Safe Links policies or not. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).
-You can configure the global Safe Links settings in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).
+You can configure the global Safe Links settings in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).
## What do you need to know before you begin? - There is no built-in or default Safe Links policy, so you need to create at least one Safe Links policy in order for the **Block the following URLs** list to be active. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md). -- You open the security center at <https://security.microsoft.com>. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
You can configure the global Safe Links settings in the Microsoft 365 security c
- [New features are continually being added to Microsoft Defender for Office 365](defender-for-office-365.md#new-features-in-microsoft-defender-for-office-365). As new features are added, you may need to make adjustments to your existing Safe Links policies.
-## Configure the "Block the following URLs" list in the security center
+## Configure the "Block the following URLs" list in the Microsoft 365 Defender portal
The **Block the following URLs** list identifies the links that should always be blocked by Safe Links scanning in supported apps. For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links).
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
2. On the **Safe Links** page, click **Global settings**. In the **Safe Links policy for your organization** fly out that appears, go to the **Block the following URLs** box.
You can use the **Get-AtpPolicyForO365** cmdlet to view existing entries in the
Set-AtpPolicyForO365 -BlockUrls @{Add="adatum.com"; Remove="fabrikam"} ```
-## Configure Safe Links protection for Office 365 apps in the security center
+## Configure Safe Links protection for Office 365 apps in the Microsoft 365 Defender portal
Safe Links protection for Office 365 apps applies to documents in supported Office desktop, mobile, and web apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
2. On the **Safe Links** page, click **Global settings**. In the **Safe Links policy for your organization** fly out that appears, configure the following settings in the **Settings that apply to content in supported Office 365 apps** section:
For detailed syntax and parameter information, see [Set-AtpPolicyForO365](/power
To verify that you've successfully configured the global settings for Safe Links (the **Block the following URLs** list and the Office 365 app protection settings), do any of the following steps: -- In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links** \> click **Global settings**, and verify the settings in the fly out that appears.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links** \> click **Global settings**, and verify the settings in the fly out that appears.
- In Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command and verify the settings:
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
Anti-phishing policies in [Microsoft Defender for Office 365](defender-for-offic
Admins can view, edit, and configure (but not delete) the default anti-phishing policy. For greater granularity, you can also create custom anti-phishing policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
-You can configure anti-phishing policies in Defender for Office 365 in the Microsoft 365 security center or in Exchange Online PowerShell.
+You can configure anti-phishing policies in Defender for Office 365 in the Microsoft 365 Defender portal or in Exchange Online PowerShell.
For information about configuring the more limited in anti-phishing policies that are available in Exchange Online Protection (that is, organizations without Defender for Office 365), see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
The basic elements of an anti-phishing policy are:
- **The anti-phish policy**: Specifies the phishing protections to enable or disable, and the actions to apply options. - **The anti-phish rule**: Specifies the priority and recipient filters (who the policy applies to) for an anti-phish policy.
-The difference between these two elements isn't obvious when you manage anti-phishing policies in the security center:
+The difference between these two elements isn't obvious when you manage anti-phishing policies in the Microsoft 365 Defender portal:
- When you create a policy, you're actually creating an anti-phish rule and the associated anti-phish policy at the same time using the same name for both. - When you modify a policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the anti-phish rule. All other settings modify the associated anti-phish policy.
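Review bot: The unchanged sentence between the two renamed lines still reads "For information about configuring the more limited in anti-phishing policies that are available in Exchange Online Protection", where the "in" after "limited" is a stray word. The policy bullet that follows ends with "the actions to apply options", which does not parse. Both sit directly beside the renamed sentences, so this commit is a cheap place to fix them, for example "the more limited anti-phishing policies" and "the actions to apply".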
To increase the effectiveness of anti-phishing protection in Defender for Office
## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
To increase the effectiveness of anti-phishing protection in Defender for Office
- For information about where anti-phishing policies are applied in the filtering pipeline, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-## Use the security center to create anti-phishing policies
+## Use the Microsoft 365 Defender portal to create anti-phishing policies
-Creating a custom anti-phishing policy in the security center creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
+Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
Creating a custom anti-phishing policy in the security center creates the anti-p
8. On the confirmation page that appears, click **Done**.
-## Use the security center to view anti-phishing policies
+## Use the Microsoft 365 Defender portal to view anti-phishing policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, the following properties are displayed in the list of anti-phishing policies:
Creating a custom anti-phishing policy in the security center creates the anti-p
3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
-## Use the security center to modify anti-phishing policies
+## Use the Microsoft 365 Defender portal to modify anti-phishing policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the security center to create anti-phishing policies](#use-the-security-center-to-create-anti-phishing-policies) section earlier in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.
For the default anti-phishing policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.
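Review bot: Step 3 now links to #use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies, which matches the renamed heading, but the rename also retires the old #use-the-security-center-to-create-anti-phishing-policies anchor. Only this in-article link is updated in the visible change. Search the repository for the old fragment before merging, so that links from other articles do not silently land at the top of the page instead of the section.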
To enable or disable a policy or set the policy priority order, see the followin
You can't disable the default anti-phishing policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
Back on the main policy page, the **Status** value of the policy will be **On**
By default, anti-phishing policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
**Notes**: -- In the security center, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules).
+- In the Microsoft 365 Defender portal, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules).
- Anti-phishing policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-phishing policy has the priority value **Lowest**, and you can't change it.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
4. When you're finished, click **Close** in the policy details flyout.
-## Use the security center to remove custom anti-phishing policies
+## Use the Microsoft 365 Defender portal to remove custom anti-phishing policies
-When you use the security center to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
+When you use the Microsoft 365 Defender portal to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
Creating an anti-phishing policy in PowerShell is a two-step process:
**Notes**: - You can create a new anti-phish rule and assign an existing, unassociated anti-phish policy to it. An anti-phish rule can't be associated with more than one anti-phish policy.-- You can configure the following settings on new anti-phish policies in PowerShell that aren't available in the security center until after you create the policy:
+- You can configure the following settings on new anti-phish policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:
- Create the new policy as disabled (_Enabled_ `$false` on the **New-AntiPhishRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-AntiPhishRule** cmdlet).-- A new anti-phish policy that you create in PowerShell isn't visible in the security center until you assign the policy to an anti-phish rule.
+- A new anti-phish policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to an anti-phish rule.
#### Step 1: Use PowerShell to create an anti-phish policy
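Review bot: In the sub-bullets under the first renamed note, "Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-AntiPhishRule** cmdlet)" has an unbalanced closing parenthesis. The sibling bullet uses the form "(_Enabled_ `$false` on the **New-AntiPhishRule** cmdlet)", so dropping the parenthesis after _\<Number\>_ makes the two consistent. The line is unchanged context here, but it sits between the two edited bullets and can be fixed in the same pass.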
Other than the following items, the same settings are available when you modify
- The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, always **Lowest** priority, and you can't delete it) is only available when you modify an anti-phish policy in PowerShell. -- You can't rename an anti-phish policy (the **Set-AntiPhishPolicy** cmdlet has no _Name_ parameter). When you rename an anti-phishing policy in the security center, you're only renaming the anti-phish _rule_.
+- You can't rename an anti-phish policy (the **Set-AntiPhishPolicy** cmdlet has no _Name_ parameter). When you rename an anti-phishing policy in the Microsoft 365 Defender portal, you're only renaming the anti-phish _rule_.
To modify an anti-phish policy, use this syntax:
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
To verify that you've successfully configured anti-phishing policies in Defender for Office 365, do any of the following steps: -- In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, and run the following command and verify the settings:
security Configure The Connection Filter Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-connection-filter-policy.md
If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standa
- **Safe list**: The *safe list* is a dynamic allow list in the Microsoft datacenter that requires no customer configuration. Microsoft identifies these trusted email sources from subscriptions to various third-party lists. You enable or disable the use of the safe list; you can't configure the source email servers on the safe list. Spam filtering is skipped on incoming messages from the email servers on the safe list.
-This article describes how to configure the default connection filter policy in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes). For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings, see see [Anti-spam protection](anti-spam-protection.md).
+This article describes how to configure the default connection filter policy in the Microsoft 365 Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes). For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings, see see [Anti-spam protection](anti-spam-protection.md).
> [!NOTE] > The IP Allow List, safe list, and the IP Block List are one part of your overall strategy to allow or block email in your organization. For more information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md) and [Create blocked sender lists](create-block-sender-lists-in-office-365.md). ## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com>. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
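Review bot: The first added line reads "in the Microsoft 365 Microsoft 365 Defender portal". The replacement was applied to "security center" inside "Microsoft 365 security center", which leaves the product prefix doubled; it should read "in the Microsoft 365 Defender portal". The same sentence also carries over "see see [Anti-spam protection]" and the ungrammatical "For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings" from the removed line, and both are worth correcting while the sentence is being rewritten.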
This article describes how to configure the default connection filter policy in
- The IP Allow List and the IP Block List each support a maximum of 1273 entries, where an entry is a single IP address, an IP address range, or a Classless InterDomain Routing (CIDR) IP.
-## Use the security center to modify the default connection filter policy
+## Use the Microsoft 365 Defender portal to modify the default connection filter policy
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select **Connection filter policy (Default)** from the list by clicking on the name of the policy.
This article describes how to configure the default connection filter policy in
4. Back on the policy details flyout, click **Close**.
-## Use the security center to view the default connection filter policy
+## Use the Microsoft 365 Defender portal to view the default connection filter policy
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, the following properties are displayed in the list of policies:
For detailed syntax and parameter information, see [Set-HostedConnectionFilterPo
To verify that you've successfully modified the default connection filter policy, do any of the following steps: -- In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam** \> select **Connection filter policy (Default)** from the list by clicking on the name of the policy, and verify the settings.
+- In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam** \> select **Connection filter policy (Default)** from the list by clicking on the name of the policy, and verify the settings.
- In Exchange Online PowerShell or standalone EOP PowerShell, run the following command and verify the settings:
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
EOP uses outbound spam policies as part of your organization's overall defense a
Admins can view, edit, and configure (but not delete) the default outbound spam policy. For greater granularity, you can also create custom outbound spam policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
-You can configure outbound spam policies in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+You can configure outbound spam policies in the Microsoft 365 Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
The basic elements of an outbound spam policy in EOP are: - **The outbound spam filter policy**: Specifies the actions for outbound spam filtering verdicts and the notification options. - **The outbound spam filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a outbound spam filter policy.
-The difference between these two elements isn't obvious when you manage outbound spam polices in the security center:
+The difference between these two elements isn't obvious when you manage outbound spam polices in the Microsoft 365 Defender portal:
- When you create a policy, you're actually creating a outbound spam filter rule and the associated outbound spam filter policy at the same time using the same name for both. - When you modify a policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the outbound spam filter rule. All other settings modify the associated outbound spam filter policy.
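Review bot: The first added line reads "in the Microsoft 365 Microsoft 365 Defender portal", the same doubled prefix produced by replacing "security center" inside "Microsoft 365 security center"; it should be "in the Microsoft 365 Defender portal". The second added line keeps the typo "outbound spam polices" from the line it replaces, and the surrounding context has "a outbound spam filter" three times where "an outbound" is meant. A repository-wide check for "Microsoft 365 Microsoft 365" would catch any other files hit by the same substitution.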
To increase the effectiveness of outbound spam filtering, you can create custom
## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com>. To go directly to the **Anti-spam settings** page, use <https://security.microsoft.com/antispam>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-spam settings** page, use <https://security.microsoft.com/antispam>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
To increase the effectiveness of outbound spam filtering, you can create custom
- The default [alert policies](../../compliance/alert-policies.md) named **Email sending limit exceeded**, **Suspicious email sending patterns detected**, and **User restricted from sending email** already send email notifications to members of the **TenantAdmins** (**Global admins**) group about unusual outbound email activity and blocked users due to outbound spam. For more information, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). We recommend that you use these alert policies instead of the the notification options in outbound spam policies.
-## Use the security center to create outbound spam policies
+## Use the Microsoft 365 Defender portal to create outbound spam policies
-Creating a custom outbound spam policy in the security center creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
+Creating a custom outbound spam policy in the Microsoft 365 Defender portal creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Outbound** from the drop down list.
Creating a custom outbound spam policy in the security center creates the spam f
- The activity alert named **User restricted from sending email** notifies admins (via email and on the **View alerts** page). - Any recipients specified in the **Notify specific people if a sender is blocked due to sending outbound spam** setting in the policy are also notified. - The user will be unable to send any more messages until the following day, based on UTC time. There is no way for the admin to override this block.
- - **Restrict the user from sending mail**: Email notifications are sent, the user is added to **Restricted users** <https://security.microsoft.com/restrictedusers> in the security center, and the user can't send email until they're removed from **Restricted users** by an admin. After an admin removes the user from the list, the user won't be restricted again for that day. For instructions, see [Removing a user from the Restricted Users portal after sending spam email](removing-user-from-restricted-users-portal-after-spam.md).
+ - **Restrict the user from sending mail**: Email notifications are sent, the user is added to **Restricted users** <https://security.microsoft.com/restrictedusers> in the Microsoft 365 Defender portal, and the user can't send email until they're removed from **Restricted users** by an admin. After an admin removes the user from the list, the user won't be restricted again for that day. For instructions, see [Removing a user from the Restricted Users portal after sending spam email](removing-user-from-restricted-users-portal-after-spam.md).
- **No action, alert only**: Email notifications are sent. - **Forwarding rules**: Use the settings in this section to control automatic email forwarding by **Exchange Online mailboxes** to external senders. For more information, see [Control automatic external email forwarding in Microsoft 365](external-email-forwarding.md).
Creating a custom outbound spam policy in the security center creates the spam f
7. On the confirmation page that appears, click **Done**.
-## Use the security center to view outbound spam policies
+## Use the Microsoft 365 Defender portal to view outbound spam policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, look for one of the following values: - The **Type** value is **Custom outbound spam policy**
Creating a custom outbound spam policy in the security center creates the spam f
3. When you select an outbound spam policy by clicking on the name, the policy settings are displayed in a flyout.
-## Use the security center to modify outbound spam policies
+## Use the Microsoft 365 Defender portal to modify outbound spam policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select an outbound spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom outbound spam policy**. - The default policy named **Anti-spam outbound policy (Default)**.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the security center to create outbound spam policies](#use-the-security-center-to-create-outbound-spam-policies) section in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create outbound spam policies](#use-the-microsoft-365-defender-portal-to-create-outbound-spam-policies) section in this article.
For the default outbound spam policy, the **Applied to** section isn't available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy, set the policy priority order, or configure the e
You can't disable the default outbound spam policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name.
Back on the main policy page, the **Status** value of the policy will be **On**
By default, outbound spam policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
**Notes**: -- In the security center, you can only change the priority of the outbound spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules).
+- In the Microsoft 365 Defender portal, you can only change the priority of the outbound spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules).
- Outbound spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default outbound spam policy has the priority value **Lowest**, and you can't change it.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name.
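Review bot: the unchanged step 2 that closes this hunk still reads "select a select a policy" and bolds "**Type value**", where the view procedure earlier in the article bolds only "**Type**". Since the rename already touches every step 1 in this procedure, drop the duplicated words and align the bolding in the same pass.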
To change the priority of a policy, you click **Increase priority** or **Decreas
4. When you're finished, click **Close** in the policy details flyout.
-## Use the security center to remove custom outbound spam policies
+## Use the Microsoft 365 Defender portal to remove custom outbound spam policies
-When you use the security center to remove a custom outbound spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default outbound spam policy.
+When you use the Microsoft 365 Defender portal to remove a custom outbound spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default outbound spam policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
Creating an outbound spam policy in PowerShell is a two-step process:
**Notes**: - You can create a new outbound spam filter rule and assign an existing, unassociated outbound spam filter policy to it. An outbound spam filter rule can't be associated with more than one outbound spam filter policy.
- - You can configure the following settings on new outbound spam filter policies in PowerShell that aren't available in the security center until after you create the policy:
+ - You can configure the following settings on new outbound spam filter policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:
- Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedOutboundSpamFilterRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedOutboundSpamFilterRule** cmdlet).
- - A new outbound spam filter policy that you create in PowerShell isn't visible in the security center until you assign the policy to an outbound spam filter rule.
+ - A new outbound spam filter policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to an outbound spam filter rule.
#### Step 1: Use PowerShell to create an outbound spam filter policy
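Review bot: the unchanged bullet between the two renamed notes has an unbalanced parenthesis, "(_Priority_ _\<Number\>_) on the **New-HostedOutboundSpamFilterRule** cmdlet)". The sibling bullet closes only once, after "cmdlet", so remove the ")" that follows _\<Number\>_ while this list is being edited.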
For detailed syntax and parameter information, see [Get-HostedOutboundSpamFilter
The same settings are available when you modify a malware filter policy in PowerShell as when you create the policy as described in the [Step 1: Use PowerShell to create an outbound spam filter policy](#step-1-use-powershell-to-create-an-outbound-spam-filter-policy) section earlier in this article. > [!NOTE]
-> You can't rename an outbound spam filter policy (the **Set-HostedOutboundSpamFilterPolicy** cmdlet has no _Name_ parameter). When you rename an outbound spam policy in the security center, you're only renaming the outbound spam filter _rule_.
+> You can't rename an outbound spam filter policy (the **Set-HostedOutboundSpamFilterPolicy** cmdlet has no _Name_ parameter). When you rename an outbound spam policy in the Microsoft 365 Defender portal, you're only renaming the outbound spam filter _rule_.
To modify an outbound spam filter policy, use this syntax:
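Review bot: the context sentence directly above the changed note says "when you modify a malware filter policy in PowerShell", but both this article and the section it links to are about outbound spam filter policies. It looks like a copy-paste leftover and should read "outbound spam filter policy"; fix it alongside the portal rename.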
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
Admins can view, edit, and configure (but not delete) the default anti-spam policy. For greater granularity, you can also create custom anti-spam policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
-You can configure anti-spam policies in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+You can configure anti-spam policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
The basic elements of an anti-spam policy are: - **The spam filter policy**: Specifies the actions for spam filtering verdicts and the notification options. - **The spam filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a spam filter policy.
-The difference between these two elements isn't obvious when you manage anti-spam polices in the security center:
+The difference between these two elements isn't obvious when you manage anti-spam polices in the Microsoft 365 Defender portal:
- When you create an anti-spam policy, you're actually creating a spam filter rule and the associated spam filter policy at the same time using the same name for both. - When you modify an anti-spam policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the spam filter rule. All other settings modify the associated spam filter policy.
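Review bot: the added line carries over the typo "anti-spam polices" from the line it replaces. Change it to "anti-spam policies" so the rename does not re-commit the misspelling.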
To increase the effectiveness of spam filtering, you can create custom anti-spam
## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com>. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
To increase the effectiveness of spam filtering, you can create custom anti-spam
- For our recommended settings for anti-spam policies, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
-## Use the security center to create anti-spam policies
+## Use the Microsoft 365 Defender portal to create anti-spam policies
-Creating a custom anti-spam policy in the security center creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
+Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Inbound** from the drop down list.
Creating a custom anti-spam policy in the security center creates the spam filte
9. On the confirmation page that appears, click **Done**.
-## Use the security center to view anti-spam policies
+## Use the Microsoft 365 Defender portal to view anti-spam policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, look for one of the following values: - The **Type** value is **Custom anti-spam policy**
Creating a custom anti-spam policy in the security center creates the spam filte
3. When you select an anti-spam policy by clicking on the name, the policy settings are displayed in a flyout.
-## Use the security center to modify anti-spam policies
+## Use the Microsoft 365 Defender portal to modify anti-spam policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**. - The default policy named **Anti-spam inbound policy (Default)**.
-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the security center to create anti-spam policies](#use-the-security-center-to-create-anti-spam-policies) section in this article.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section in this article.
For the default anti-spam policy, the **Applied to** section isn't available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy, set the policy priority order, or configure the e
You can't disable the default anti-spam policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
Back on the main policy page, the **Status** value of the policy will be **On**
By default, anti-spam policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
**Notes**: -- In the security center, you can only change the priority of the anti-spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules).
+- In the Microsoft 365 Defender portal, you can only change the priority of the anti-spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules).
- Anti-spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-spam policy has the priority value **Lowest**, and you can't change it.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
When a spam filtering verdict quarantines a message, you can configure end-user spam notifications to let recipients know what happened to messages that were sent to them. For more information about these notifications, see [End-user spam notifications in EOP](use-spam-notifications-to-release-and-report-quarantined-messages.md).
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
When a spam filtering verdict quarantines a message, you can configure end-user
4. Back on the policy details flyout, click **Close**.
-## Use the security center to remove custom anti-spam policies
+## Use the Microsoft 365 Defender portal to remove custom anti-spam policies
-When you use the security center to remove a custom anti-spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default anti-spam policy.
+When you use the Microsoft 365 Defender portal to remove a custom anti-spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default anti-spam policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
In Exchange Online PowerShell or standalone EOP PowerShell, the difference betwe
The following anti-spam policy settings are only available in PowerShell: -- The _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting were explained in the [Use the security center to create anti-spam policies](#use-the-security-center-to-create-anti-spam-policies) section earlier in this article.
+- The _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting were explained in the [Use the Microsoft 365 Defender portal to create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article.
- The following settings for end-user spam quarantine notifications: - The _DownloadLink_ parameter that shows or hides the link to the Junk Email Reporting Tool for Outlook.
Creating an anti-spam policy in PowerShell is a two-step process:
**Notes**: - You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy.-- You can configure the following settings on new spam filter policies in PowerShell that aren't available in the security center until after you create the policy:
+- You can configure the following settings on new spam filter policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:
- Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedContentFilterRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedContentFilterRule** cmdlet). -- A new spam filter policy that you create in PowerShell isn't visible in the security center until you assign the policy to a spam filter rule.
+- A new spam filter policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to a spam filter rule.
#### Step 1: Use PowerShell to create a spam filter policy
For detailed syntax and parameter information, see [Get-HostedContentFilterRule]
Other than the following items, the same settings are available when you modify a spam filter policy in PowerShell as when you create the policy as described in the [Step 1: Use PowerShell to create a spam filter policy](#step-1-use-powershell-to-create-a-spam-filter-policy) section earlier in this article. - The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, always **Lowest** priority, and you can't delete it) is only available when you modify a spam filter policy in PowerShell.-- You can't rename a spam filter policy (the **Set-HostedContentFilterPolicy** cmdlet has no _Name_ parameter). When you rename an anti-spam policy in the security center, you're only renaming the spam filter _rule_.
+- You can't rename a spam filter policy (the **Set-HostedContentFilterPolicy** cmdlet has no _Name_ parameter). When you rename an anti-spam policy in the Microsoft 365 Defender portal, you're only renaming the spam filter _rule_.
To modify a spam filter policy, use this syntax:
security Email Security In Microsoft Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-security-in-microsoft-defender.md
This article explains how to view and investigate malware and phishing attempts
To see malware detected in email sorted by Microsoft 365 technology, use the [Email > Malware](threat-explorer-views.md#email--malware) view of Explorer (or Real-time detections). Malware is the default view, so it may be selected as soon as you open Explorer.
-1. In the Security & Compliance Center (<https://protection.office.com>), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.)
-If you're in the converged Microsoft 365 security center (https://security.microsoft.com/) scroll to **Email & collaboration** > **Explorer**.
+1. In the Security & Compliance Center (<https://protection.office.com>), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.)
+
+ If you're in the converged Microsoft 365 Defender portal (<https://security.microsoft.com>) scroll to **Email & collaboration** > **Explorer**.
From here, start at the View, choose a particular frame of time to investigate (if needed), and focus your filters, as per the [Explorer walk- through](threat-hunting-in-threat-explorer.md#threat-explorer-walk-through).
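Review bot: the added continuation line writes the navigation path with a bare ">" ("**Email & collaboration** > **Explorer**"), while step 1 in the same hunk and the other procedures in this change escape it as "\>". Escape it for consistent rendering. The line also says "scroll to" where the other procedures say "go to", and uses "Email & collaboration" where the anti-spam articles use "Email & Collaboration"; pick whichever casing matches the portal and use it throughout.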
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
As a recipient of a quarantined message, what you can do to the message as a reg
|Phishing (not high confidence phishing)|![Check mark](../../media/checkmark.png)||![Check mark](../../media/checkmark.png)| |
-You view and manage your quarantined messages in the Microsoft 365 security center or (if an admin has set this up) in [end-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md).
+You view and manage your quarantined messages in the Microsoft 365 Defender portal or (if an admin has set this up) in [end-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md).
## What do you need to know before you begin? -- To open the security center, go to <https://security.microsoft.com>. To open the Quarantine page directly, go to <https://security.microsoft.com/quarantine>.
+- To open the Microsoft 365 Defender portal, go to <https://security.microsoft.com>. To open the Quarantine page directly, go to <https://security.microsoft.com/quarantine>.
- Admins can configure how long messages are kept in quarantine before they're permanently deleted in anti-spam policies. Messages that have expired from quarantine are unrecoverable. For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
You view and manage your quarantined messages in the Microsoft 365 security cent
## View your quarantined messages
-1. In the security center, go to **Email & collaboration** \> **Review** \> **Quarantine**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Review** \> **Quarantine**.
2. You can sort the results by clicking on an available column header. Click **Modify columns** to show a maximum of seven columns. The default values are marked with an asterisk (<sup>\*</sup>):
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
Title: Order and precedence of email protection
-keywords: security, malware, Microsoft 365, M365, security center, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity
+keywords: security, malware, Microsoft 365, M365, security center, Microsoft 365 Defender portal, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity
f1.keywords: - NOCSH
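Review bot: the added keywords line keeps "security center" next to the new "Microsoft 365 Defender portal" entry, whereas the other hunks in this change replace the old term outright. If the old keyword is retained deliberately so searches on the former name still find the article, say so in the commit message; otherwise drop it.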
security Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/impersonation-insight.md
Domain impersonation is different from [domain spoofing](anti-spoofing-protectio
Impersonation protection is part of the anti-phishing policy settings that are exclusive to Microsoft Defender for Office 365. For more information about these settings, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
-You can use the impersonation insight in the Microsoft 365 security center to quickly identify messages from impersonated senders or sender domains that you've configured for impersonation protection.
+You can use the impersonation insight in the Microsoft 365 Defender portal to quickly identify messages from impersonated senders or sender domains that you've configured for impersonation protection.
## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com>. To go directly to the impersonation insight on the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>. To go directly to the **Impersonation insight** page, use <https://security.microsoft.com/impersonationinsight>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the impersonation insight on the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>. To go directly to the **Impersonation insight** page, use <https://security.microsoft.com/impersonationinsight>.
-- You need to be assigned permissions in the security center before you can do the procedures in this article:
+- You need to be assigned permissions in the Microsoft 365 Defender portal before you can do the procedures in this article:
- **Organization Management** - **Security Administrator** - **Security Reader** - **Global Reader**
- For more information, see [Permissions in the security center](permissions-in-the-security-and-compliance-center.md).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
- **Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the security center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ **Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
- You enable and configure impersonation protection in anti-phishing policies in Microsoft Defender for Office 365. Impersonation protection is not enabled by default. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
-## Open the impersonation insight in the security center
+## Open the impersonation insight in the Microsoft 365 Defender portal
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, the impersonation insight looks like this:
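Review bot: the permissions link in this hunk now reads "Permissions in the Microsoft 365 Defender portal" but still targets permissions-in-the-security-and-compliance-center.md, so confirm that the link text matches the target article's current title. The renamed H2 "Open the impersonation insight in the Microsoft 365 Defender portal" also changes the generated anchor, so any links to #open-the-impersonation-insight-in-the-security-center need the same update that the anti-spam articles received for their "create" section links.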
security Integrate Office 365 Ti With Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde.md
Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoi
[Microsoft Defender for Office 365](defender-for-office-365.md)
-[Microsoft Defender for Endpoint](/windows/security/threat-protection)
+[Microsoft Defender for Endpoint](/windows/security/threat-protection)
security Learn About Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
When a sender spoofs an email address, they appear to be a user in one of your o
- The sender is on a mailing list (also known as a discussion list), and the mailing list relays email from the original sender to all the participants on the mailing list. - An external company sends email on behalf of another company (for example, an automated report or a software-as-a-service company).
-You can use the **spoof intelligence insight** in the Microsoft 365 security center to quickly identify spoofed senders who are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks), and manually allow those senders.
+You can use the **spoof intelligence insight** in the Microsoft 365 Defender portal to quickly identify spoofed senders who are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks), and manually allow those senders.
By allowing known senders to send spoofed messages from known locations, you can reduce false positives (good email marked as bad). By monitoring the allowed spoofed senders, you provide an additional layer of security to prevent unsafe messages from arriving in your organization. Likewise, you can review spoofed senders that were allowed by spoof intelligence and manually block those senders from the spoof intelligence insight.
-The rest of this article explains how to use the spoof intelligence insight in the security center and in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+The rest of this article explains how to use the spoof intelligence insight in the Microsoft 365 Defender portal and in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
> [!NOTE] >
The rest of this article explains how to use the spoof intelligence insight in t
## What do you need to know before you begin? -- You open the security center at <https://security.microsoft.com/>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>. To go directly to the **Spoof intelligence insight** page, use <https://security.microsoft.com/spoofintelligence>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>. To go directly to the **Spoof intelligence insight** page, use <https://security.microsoft.com/spoofintelligence>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
The rest of this article explains how to use the spoof intelligence insight in t
- For our recommended settings for spoof intelligence, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365-atp.md#eop-anti-phishing-policy-settings).
-## Open the spoof intelligence insight in the security center
+## Open the spoof intelligence insight in the Microsoft 365 Defender portal
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
2. On the **Anti-phishing** page, the spoof intelligence insight looks like this:
security Manage Quarantined Messages And Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files.md
Admins can view, release, and delete all types of quarantined messages for all u
Admins in organizations with Microsoft Defender for Office 365 can also view, download, and delete quarantined files in SharePoint Online, OneDrive for Business, and Microsoft Teams.
-You view and manage quarantined messages in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+You view and manage quarantined messages in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
## What do you need to know before you begin? -- To open the security center, go to <https://security.microsoft.com>. To open the Quarantine page directly, go to <https://security.microsoft.com/quarantine>.
+- To open the Microsoft 365 Defender portal, go to <https://security.microsoft.com>. To open the Quarantine page directly, go to <https://security.microsoft.com/quarantine>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
You view and manage quarantined messages in the Microsoft 365 security center or
When a message expires from quarantine, you can't recover it.
-## Use the security center to manage quarantined email messages
+## Use the Microsoft 365 Defender portal to manage quarantined email messages
### View quarantined email
-1. In the security center, go to **Email & collaboration** \> **Review** \> **Quarantine**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Review** \> **Quarantine**.
2. On the **Quarantine** page, verify that **View quarantined** is set to the default value **email**.
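Review bot: Renaming the heading to "## Use the Microsoft 365 Defender portal to manage quarantined email messages" changes its generated anchor, and no inbound link is updated for it in this change. The matching rename for quarantined files is paired with an anchor fix in mdo-for-spo-odb-and-teams.md, so please search for links that still use the old "#use-the-security-center-to-manage-quarantined-email-messages" fragment and update them in the same commit.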
When you select multiple quarantined messages in the list (up to 100), the **Bul
When you're finished, click **Close**.
-## Use the security center to manage quarantined files in Defender for Office 365
+## Use the Microsoft 365 Defender portal to manage quarantined files in Defender for Office 365
> [!NOTE] > The procedures for quarantined files in this section are available only to Microsoft Defender for Office 365 Plan 1 and Plan 2 subscribers.
In organizations with Defender for Office 365, admins can manage quarantined fil
### View quarantined files
-1. In the security center, go to **Email & collaboration** \> **Review** \> **Quarantine**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Review** \> **Quarantine**.
2. On the **Quarantine** page, change **View quarantined** to the value **files**. You can sort on a field by clicking on an available column header.
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
Admins of Microsoft Defender for Office 365 (or MDO) E5, and MDO P1 and P2 have
## Reach the email entity page
-Either of the existing Security & Compliance center (protection.office.com) or new Microsoft 365 Security center (security.microsoft.com) will let you see and use the email entity page..
+Either the existing Security & Compliance center or new Microsoft 365 Defender portal will let you see and use the email entity page.
+
+<br>
+
+****
|Center|URL|Navigation| ||||
-|Security & Compliance |protection.office.com|Threat Management \> Explorer|
-|Microsoft 365 security center |security.microsoft.com|Email & Collaboration \> Explorer|
+|Security & Compliance Center|<https://protection.office.com>|Threat Management \> Explorer|
+|Microsoft 365 Defender portal|<https://security.microsoft.com>|Email & Collaboration \> Explorer|
+|
In Threat Explorer, select the subject of an email you're investigating. A gold bar will display at the top of the email fly-out for that mail. This invitation to the new page, reads 'Try out our new email entity page with enriched data...'. Select to view the new page.
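Review bot: The rewritten intro sentence says "Security & Compliance center" with a lowercase "center", while the table row added just below it says "Security & Compliance Center". Use one form in both places. The sentence also reads better as "Either the existing Security & Compliance Center or the new Microsoft 365 Defender portal", with the article before "new".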
Admins can preview emails in Cloud mailboxes, ***if*** the mails are still prese
### Detonation details
-These details are specific to email attachments and URLs.
+These details are specific to email attachments and URLs. Users can see these details by going to Explorer and applying the *detection technology* filter set to file detonation or URL detonation. Emails filtered for file detonation will contain a malicious file with detonation details, and those filtered for URLs contain a malicious URL and its detonation details.
+
+Users will see enriched detonation details for known malicious attachments or URLs found in their emails, which got detonated for their specific tenant. It will comprise of Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated.
-Users will see enriched detonation details for known malicious attachments or hyperlinks found in their mailboxes, including Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated.
+1. *Detonation chain*. A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs effected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious.
+ > [!NOTE]
+ > This may show just the top level item if none of the entities linked to it were found to be problematic, or were detonated.
-- *Detonation chain*: A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs effected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious.-- *Detonation summary*: This gives information on:
- - Detonation time range.
- - Verdict of the attached file, or URL.
- - Related info (file number, URLs, IPs, or Domains), which are other entities examined during detonation.
-- *Detonation screenshot*: This shows screenshot(s) taken during detonation process.-- *Detonation details*: These are the exact behavior details of each process that took place during the detonation.
+1. *Detonation Summary* gives a basic summary for detonation such as *analysis time*, the time when detonation occurred, OS and application, the operating system and application in which the detonation occurred, file size, and verdict reason.
+1. *Screenshots* shows the screenshots captured during detonation. There can be multiple screenshots during detonation. No screenshots are captured for
+ - Container type files like .zip or .rar.
+ - If a URL opens into a link that directly downloads a file. However, you will see the downloaded file in the detonation chain.
+1. *Behavior Details* are an export that shows behavior details like exact events that took place during detonation, and observables that contain URLs, IPs, domains, and files that were found during detonation (and can either be problematic or benign). Be aware, there may be no behavior details for:
+ - Container files like .zip or .rar that are holding other files.
:::image type="content" source="../../media/email-entities-6-detonation-page.png" alt-text="Screenshot of the detonation summary showing the chain, summary, detonation details, and screenshot under the heading *Deep Analysis*.":::
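Review bot: The new numbered list in "Detonation details" has several wording problems that were either carried over or introduced. "It will comprise of Detonation chain, ..." should be "It comprises" or "It includes"; "files or URLs effected by the detonation" should be "affected"; "No screenshots are captured for" needs a colon, and its second bullet ("If a URL opens into a link that directly downloads a file") is not parallel with the first. The last item ends with "there may be no behavior details for:" followed by a single bullet, so either fold that case into the sentence or add the URL direct-download case if it applies there too. The item labels are also inconsistent ("Detonation chain" vs. "Detonation Summary" and "Behavior Details").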
Users will see enriched detonation details for known malicious attachments or hy
*Email details*: Details required for a deeper understanding of email available in the *Analysis* tab. -- *Exchange Transport Rules (ETRs or Mailflow rules)*: These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. These can be only created and modified in the Exchange admin center, but if any ETR applies to a message, the ETR name and GUID will be shown here. Valuable information for tracking purposes.
+- *Exchange Transport Rules (ETRs or mail flow rules)*: These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. These can be only created and modified in the Exchange admin center, but if any ETR applies to a message, the ETR name and GUID will be shown here. Valuable information for tracking purposes.
- *System Overrides*: This is a means of making exceptions to the delivery location intended for a message by overriding the delivery location given by system (as per the threat and detection tech).
security Mdo For Spo Odb And Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-for-spo-odb-and-teams.md
To learn more about the user experience when a file has been detected as malicio
Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams will show up in [reports for Microsoft Defender for Office 365](view-reports-for-mdo.md) and in [Explorer (and real-time detections)](threat-explorer.md).
-As of May 2018, when a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine. For more information, see [Use the security center to manage quarantined files in Defender for Office 365](manage-quarantined-messages-and-files.md#use-the-security-center-to-manage-quarantined-files-in-defender-for-office-365).
+As of May 2018, when a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine. For more information, see [Use the Microsoft 365 Defender portal to manage quarantined files in Defender for Office 365](manage-quarantined-messages-and-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-files-in-defender-for-office-365).
## Keep these points in mind
security Monitor For Leaks Of Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data.md
After you create your data loss prevention (DLP) policies, you'll want to verify
You can use the DLP reports to: - Focus on specific time periods and understand the reasons for spikes and trends.- - Discover business processes that violate your organization's DLP policies.- - Understand any business impact of the DLP policies.- - View the justifications submitted by users when they resolve a policy tip by overriding the policy or reporting a false positive.- - Verify compliance with a specific DLP policy by showing any matches for that policy.- - View a list of files with sensitive data that matches your DLP policies in the details pane. In addition, you can use the DLP reports to fine-tune your DLP policies as you run them in test mode.
-DLP reports are in the security center and the compliance center. Navigate to Reports \> View reports. Under Data loss prevention (DLP), go to either DLP policy and rule matches or DLP false positives and overrides.
+DLP reports are in the Microsoft 365 compliance center. Go to **Reports** \> **Organizational data** section to find the **DLP policy matches**, **DLP incidents**, and **DLP false positives and overrides** reports.
For more information, see [View the reports for data loss prevention](../../compliance/view-the-dlp-reports.md). ![Report showing DLP policy matches](../../media/Monitor-for-leaks-of-personal-data-image2.png)
-## audit log and alert policies
+## Audit log and alert policies
The audit log contains events from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, Sway, and other services.
-The security center and compliance center provide two ways to monitor and report against the audit log:
--- Set up alert policies, view alerts, and monitor trendsΓÇöUse the alert policy and alert dashboard tools in either the security center or compliance center.
+The Microsoft 365 Defender portal and the Microsoft 365 compliance center provide two ways to monitor and report against the audit log:
+- Set up alert policies, view alerts, and monitor trendsΓÇöUse the alert policy and alert dashboard tools in either the Microsoft 365 Defender portal or the Microsoft 365 compliance center.
- Search the audit log directly: Search for all events in a specified date rage. Or you can filter the results based on specific criteria, such as the user who performed the action, the action, or the target object. Information compliance and security teams can use these tools to proactively review activities performed by both end users and administrators across services. Automatic alerts can be configured to send email notifications when certain activities occur on specific site collections - for example when content is shared from sites known to contain GDPR-related information. This allows those teams to follow up with users to ensure that corporate security policies are followed, or to provide additional training.
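Review bot: The "Search the audit log directly" bullet still reads "Search for all events in a specified date rage" and is left untouched while the sentence and bullet directly above it are rewritten. Fix it to "date range" in this change. The two bullets are also punctuated differently (a dash after "monitor trends", a colon after "Search the audit log directly"); pick one.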
Solutions are available that subscribe to the Unified Audit Logs through the Mic
More information about alert policies and searching the audit log: - [Alert policies in Microsoft 365](../../compliance/alert-policies.md)- - [Search the audit log for user and admin activity in Office 365](../../compliance/search-the-audit-log-in-security-and-compliance.md) (introduction)- - [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md)- - [Search the audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md)- - [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) (cmdlet)- - [Detailed properties in the audit log](../../compliance/detailed-properties-in-the-office-365-audit-log.md) ## Microsoft Cloud App Security
These attribute types are coming soon to Cloud App Security:
If you haven't yet started to use Cloud App Security, begin by starting it up. To access Cloud App Security: <https://portal.cloudappsecurity.com>.
-Note: Be sure to enable 'Automatically scan files for Azure Information Protection classification labels' (in General settings) when getting started with Cloud App Security or before you assign labels. After setup, Cloud App Security does not scan existing files again until they are modified.
+> [!NOTE]
+> Be sure to enable 'Automatically scan files for Azure Information Protection classification labels' (in General settings) when getting started with Cloud App Security or before you assign labels. After setup, Cloud App Security does not scan existing files again until they are modified.
![Dashboard showing information about alerts](../../media/Monitor-for-leaks-of-personal-data-image4.png) More information: - [Deploy Cloud App Security](/cloud-app-security/getting-started-with-cloud-app-security)- - [More information about Microsoft Cloud App Security](https://www.microsoft.com/cloud-platform/cloud-app-security)- - [Block downloads of sensitive information using the Microsoft Cloud App Security proxy](/cloud-app-security/use-case-proxy-block-session-aad) ## Example file and activity policies to detect sharing of personal data
More information:
Alert when a file containing a credit card number is shared from an approved cloud app.
+<br>
+ **** |Control|Settings|
Notes:
- Box monitoring requires a connector be configured using the API Connector SDK. - This policy requires capabilities that are currently in private preview.
+<br>
+ **** |Control|Settings|
Notes:
Similar policies: - Detect large downloads of Customer data or HR DataΓÇöAlert when a large number of files containing customer data or HR data have been detected being downloaded by a single user within a short period of time.-- Detect Sharing of Customer and HR DataΓÇöAlert when files containing Customer or HR Data are shared.
+- Detect Sharing of Customer and HR DataΓÇöAlert when files containing Customer or HR Data are shared.
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
This article describes:
- The [overall flow of AIR](#the-overall-flow-of-air); - [How to get AIR](#how-to-get-air); and - The [required permissions](#required-permissions-to-use-air-capabilities) to configure or use AIR capabilities.-- Changes that are coming soon to your security center
+- Changes that are coming soon to your Microsoft 365 Defender portal
This article also includes [next steps](#next-steps), and resources to learn more.
In addition, make sure to [review your organization's alert policies](../../comp
## Which alert policies trigger automated investigations?
-Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](../../compliance/alert-policies.md#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 security center, and how they're generated:
+Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](../../compliance/alert-policies.md#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 Defender portal, and how they're generated:
+
+<br>
+
+****
|Alert|Severity|How the alert is generated| ||||
Microsoft 365 provides many built-in alert policies that help identify Exchange
Permissions are granted through certain roles, such as those that are described in the following table:
+<br>
+
+****
+ |Task|Role(s) required| ||| |Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <p> These roles can be assigned in [Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) or in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).| |Start an automated investigation <p> or <p> Approve or reject recommended actions|One of the following roles, assigned in [Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) or in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md): <ul><li>Global Administrator</li><li>Security Administrator</li><li>Security Operator</li><li>Security Reader <br> and </li><li>Search and Purge (this role is assigned only in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md). You might have to create a new role group there and add the Search and Purge role to that new role group.</li></ul>|
+|
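Review bot: In the roles table this hunk reformats, the "Search and Purge" list item opens a parenthesis at "(this role is assigned only in the [Security & Compliance Center]..." and never closes it before "</li>". Since the table is being touched anyway, close the parenthesis after "that new role group." and move the stray "<br> and" out of the "Security Reader" item, so it is clear that Search and Purge is required in addition to one of the listed roles.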
## Required licenses
Permissions are granted through certain roles, such as those that are described
- Your organization's security operations team (including security readers and those with the **Search and Purge** role) - End users
-## Changes are coming soon in your security center
+## Changes are coming soon in your Microsoft 365 Defender portal
-If you're already using AIR capabilities in Microsoft Defender for Office 365, you're about to see some changes in the [improved Microsoft 365 security center](../defender/overview-security-center.md).
+If you're already using AIR capabilities in Microsoft Defender for Office 365, you're about to see some changes in the [improved Microsoft 365 Defender portal](../defender/overview-security-center.md).
:::image type="content" source="../../media/m3d-action-center-unified.png" alt-text="Unified Action center":::
-The new and improved security center brings together AIR capabilities in [Microsoft Defender for Office 365](defender-for-office-365.md) and in [Microsoft Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.
+The new and improved Microsoft 365 Defender portal brings together AIR capabilities in [Microsoft Defender for Office 365](defender-for-office-365.md) and in [Microsoft Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.
> [!TIP]
-> The new Microsoft 365 security center (<https://security.microsoft.com>) replaces the following centers:
+> The new Microsoft 365 Microsoft 365 Defender portal (<https://security.microsoft.com>) replaces the following centers:
> > - Office 365 Security & Compliance Center (<https://protection.office.com>) > - Microsoft Defender Security Center (<https://securitycenter.windows.com>)
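Review bot: The replaced tip line now reads "The new Microsoft 365 Microsoft 365 Defender portal", with the product prefix duplicated by the search-and-replace. It should be "The new Microsoft 365 Defender portal (<https://security.microsoft.com>) replaces the following centers:".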
The new and improved security center brings together AIR capabilities in [Micros
The following table lists changes and improvements coming to AIR in Microsoft Defender for Office 365.
+<br>
+
+****
+ |Item|What's changing?| ||| |**Investigations** page|The updated **Investigations** page is more consistent with what you see in [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). You'll see some general format and styling changes that align with the new, unified **Investigations** view. For example, the investigation graph has a more unified format.|
security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/overview.md
Gains with **Defender for Office 365, Plan 2** (to date):
So, Microsoft Defender for Office 365 P2 expands on the ***investigation and response*** side of the house, and adds a new hunting strength. Automation.
-In Microsoft Defender for Office 365 P2, the primary hunting tool is called **Threat Explorer** rather than Real-time detections. If you see Threat Explorer when you navigate to the Security center, you're in Microsoft Defender for Office 365 P2.
+In Microsoft Defender for Office 365 P2, the primary hunting tool is called **Threat Explorer** rather than Real-time detections. If you see Threat Explorer when you navigate to the Microsoft 365 Defender portal, you're in Microsoft Defender for Office 365 P2.
To get into the details of Microsoft Defender for Office 365 P1 and P2, **[jump to this article](defender-for-office-365.md)**.
security Permissions Microsoft 365 Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-microsoft-365-security-center.md
Title: Permissions in the Microsoft 365 security center
+ Title: Permissions in the Microsoft 365 Defender portal
f1.keywords: - NOCSH
search.appverid: - MOE150 - MET150
-description: Admins can learn how to manage permissions in the Microsoft 365 security center for all tasks related to security.
+description: Admins can learn how to manage permissions in the Microsoft 365 Defender portal for all tasks related to security.
ms.technology: mdo ms.prod: m365-security
-# Permissions in the Microsoft 365 security center
+# Permissions in the Microsoft 365 Defender portal
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
You need to manage security scenarios that span all the Microsoft 365 services. And you need the flexibility to give the right admin permissions to the right people in your organization.
-The Microsoft 365 security center at <https://security.microsoft.com> supports directly managing permissions for users who perform security tasks in Microsoft 365. By using the security center to manage permissions, you can manage permissions centrally for all tasks related to security.
+The Microsoft 365 Defender portal at <https://security.microsoft.com> supports directly managing permissions for users who perform security tasks in Microsoft 365. By using the Microsoft 365 Defender portal to manage permissions, you can manage permissions centrally for all tasks related to security.
-To manage permissions in the security center, go to **Permissions & roles** or <https://security.microsoft.com/securitypermissions>. You need to be a **global administrator** or a member of the **Organization Management** role group in the security center. Specifically, the **Role Management** role allows users to view, create, and modify role groups in the security center, and by default, that role is assigned only to the **Organization Management** role group.
+To manage permissions in the Microsoft 365 Defender portal, go to **Permissions & roles** or <https://security.microsoft.com/securitypermissions>. You need to be a **global administrator** or a member of the **Organization Management** role group in the Microsoft 365 Defender portal. Specifically, the **Role Management** role allows users to view, create, and modify role groups in the Microsoft 365 Defender portal, and by default, that role is assigned only to the **Organization Management** role group.
+
+> [!NOTE]
+> For information about permissions in the Microsoft 365 compliance center, see [Permissions in the Microsoft 365 compliance center](../../compliance/microsoft-365-compliance-center-permissions.md).
## Relationship of members, roles, and role groups
-Permissions in the security center are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services, so if you're familiar with the permission structure in these services, granting permissions in the security center will be very familiar.
+Permissions in the Microsoft 365 Defender portal are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services, so if you're familiar with the permission structure in these services, granting permissions in the Microsoft 365 Defender portal will be very familiar.
A **role** grants the permissions to do a set of tasks.
-A **role group** is a set of roles that lets people do their jobs in the security center. For example, the Attack Simulator Administrators role group includes the Attack Simulator Admin role to create and manage all aspects of attack simulation training.
+A **role group** is a set of roles that lets people do their jobs in the Microsoft 365 Defender portal. For example, the Attack Simulator Administrators role group includes the Attack Simulator Admin role to create and manage all aspects of attack simulation training.
-The security center includes default role groups for the most common tasks and functions that you'll need to assign. Generally, we recommend simply adding individual users as **members** to the default role groups.
+The Microsoft 365 Defender portal includes default role groups for the most common tasks and functions that you'll need to assign. Generally, we recommend simply adding individual users as **members** to the default role groups.
![Diagram showing relationship of role groups to roles and members](../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png)
-## Roles and role groups in the security center
+## Roles and role groups in the Microsoft 365 Defender portal
-The following types of roles and role groups are available in **Permissions & roles** in the security center:
+The following types of roles and role groups are available in **Permissions & roles** in the Microsoft 365 Defender portalr:
-- **Azure AD roles**: You can view the roles and assigned users, but you can't manage them directly in the security center. Azure AD roles are central roles that assign permissions for **all** Microsoft 365 services.
+- **Azure AD roles**: You can view the roles and assigned users, but you can't manage them directly in the Microsoft 365 Defender portal. Azure AD roles are central roles that assign permissions for **all** Microsoft 365 services.
-- **Email & collaboration roles**: These are the same role groups that are available in the Security & Compliance Center, but you can manage them directly in the security center. The permissions that you assign here are specific to the Microsoft 365 security center, the Microsoft 365 compliance center, and the Security & Compliance Center, and don't cover all of the permissions that are needed in other Microsoft 365 workloads.
+- **Email & collaboration roles**: These are the same role groups that are available in the Security & Compliance Center, but you can manage them directly in the Microsoft 365 Defender portal. The permissions that you assign here are specific to the Microsoft 365 Defender portal, the Microsoft 365 compliance center, and the Security & Compliance Center, and don't cover all of the permissions that are needed in other Microsoft 365 workloads.
-![Permissions & roles page in the Microsoft 365 security center](../../media/m365-sc-permissions-and-roles-page.png)
+![Permissions & roles page in the Microsoft 365 Defender portal](../../media/m365-sc-permissions-and-roles-page.png)
-### Azure AD roles in the security center
+### Azure AD roles in the Microsoft 365 Defender portal
When you go **Email & collaboration roles** \> **Permissions & roles** \> **Azure AD roles** \> **Roles** (or directly to <https://security.microsoft.com/aadpermissions>) you'll see the Azure AD roles that are described in this section.
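Review bot: typo in the added sentence that introduces the list of role types under "Roles and role groups in the Microsoft 365 Defender portal": it ends with "Microsoft 365 Defender portalr:" and should read "Microsoft 365 Defender portal:". While this section is open, the unchanged sentence beginning "When you go **Email & collaboration roles**" is missing "to" after "go".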
For more information, see [View and assign administrator roles in Azure Active D
|**Attack payload author**|Create attack payloads but not actually launch or schedule them. For more information, see [Attack Payload Author](/azure/active-directory/roles/permissions-reference#attack-payload-author).| |
-### Email & collaboration roles in the security center
+### Email & collaboration roles in the Microsoft 365 Defender portal
When you go to **Email & collaboration roles** \> **Permissions & roles** \> **Email & collaboration roles** \> **Roles** (or directly to <https://security.microsoft.com/emailandcollabpermissions>) you'll see the same role groups that are available in the Security & Compliance Center. For complete information about these role groups, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)
-#### Modify Email & collaboration role membership in the security center
+#### Modify Email & collaboration role membership in the Microsoft 365 Defender portal
-1. In the security center, go to **Email & collaboration roles** \> **Permissions & roles** \> **Email & collaboration roles** \> **Roles**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration roles** \> **Permissions & roles** \> **Email & collaboration roles** \> **Roles**.
2. In the **Permissions** page that opens, select the role group that you want to modify from the list. You can click on the **Name** column header to sort the list by name, or you can click **Search** ![Search icon](../../media/m365-cc-sc-search-icon.png) to find the role group.
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
In other words, the settings of the **Strict protection** policy override the se
### What do you need to know before you begin? -- You open the Microsoft 365 security center at <https://security.microsoft.com>. To go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
In other words, the settings of the **Strict protection** policy override the se
**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
-### Use the security center to assign preset security policies to users
+### Use the Microsoft 365 Defender portal to assign preset security policies to users
-1. In the security center, go to **Email & collaboration** \> **Policies & Rules** \> **Threat Policies** \> **Templated policies** section \> **Preset Security Policies**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & Rules** \> **Threat Policies** \> **Templated policies** section \> **Preset Security Policies**.
2. Under **Standard protection** or **Strict protection**, click **Edit**.
In other words, the settings of the **Strict protection** policy override the se
5. On the **Review and confirm your changes** page, verify your selections, and then click **Confirm**.
-### Use the security center to modify the assignments of preset security policies
+### Use the Microsoft 365 Defender portal to modify the assignments of preset security policies
-The steps to modify the assignment of the **Standard protection** or **Strict protection** security policy are the same as when you initially [assigned the preset security policies to users](#use-the-security-center-to-assign-preset-security-policies-to-users).
+The steps to modify the assignment of the **Standard protection** or **Strict protection** security policy are the same as when you initially [assigned the preset security policies to users](#use-the-microsoft-365-defender-portal-to-assign-preset-security-policies-to-users).
To disable the **Standard protection** or **Strict protection** security policies while still preserving the existing conditions and exceptions, slide the toggle to **Disabled** ![Toggle Off](../../media/scc-toggle-off.png). To enable the policies, slide the toggle to **Enabled** ![Toggle On](../../media/scc-toggle-on.png).
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
To learn more about alerts, see [Create activity alerts in the Security & Compli
> When you're finished configuring, use these links to start workload investigations: > >- [Threat protection status report](view-email-security-reports.md#threat-protection-status-report)
->- [Use the security center to manage quarantined files in Defender for Office 365](manage-quarantined-messages-and-files.md#use-the-security-center-to-manage-quarantined-files-in-defender-for-office-365)
+>- [Use the Microsoft 365 Defender portal to manage quarantined files in Defender for Office 365](manage-quarantined-messages-and-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-files-in-defender-for-office-365)
>- [What to do when a malicious file is found in SharePoint Online, OneDrive, or Microsoft Teams](https://support.microsoft.com/office/01e902ad-a903-4e0f-b093-1e1ac0c37ad2) >- [Manage quarantined messages and files as an administrator in Microsoft 365](manage-quarantined-messages-and-files.md)
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To automatically apply the Standard or Strict settings to users, see [Preset sec
> [!NOTE] > The junk email rule needs to be enabled on mailboxes in order for filtering to work properly. It's enabled by default, but you should check it if filtering does not seem to be working. For more information, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).
-This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users. The tables contain the settings in the Microsoft 365 security center and PowerShell (Exchange Online PowerShell or standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).
+This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users. The tables contain the settings in the Microsoft 365 Defender portal and PowerShell (Exchange Online PowerShell or standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).
> [!TIP] > The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the **Get-ORCAReport** cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at <https://www.powershellgallery.com/packages/ORCA/>.
security Reports And Insights In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance.md
A wide variety of reports are available in the Security & Compliance Center. (Go
|Type of information|How to get there|Where to go to learn more| ||||
-|**Security & Compliance Center reports** (all up) <p> Top insights and recommendations, and links to Security & Compliance reports, including data loss prevention reports, labels, email security reports, Defender for Office 365 reports, and more|In the Security & Compliance Center, go to **Reports** \> **Dashboard**|[Monitor and view reports in the Microsoft 365 security center](../defender/overview-security-center.md)|
+|**Security & Compliance Center reports** (all up) <p> Top insights and recommendations, and links to Security & Compliance reports, including data loss prevention reports, labels, email security reports, Defender for Office 365 reports, and more|In the Security & Compliance Center, go to **Reports** \> **Dashboard**||
|**Data loss prevention** <p> Data loss prevention policy matches, false positives and overrides, and links to create or edit policies|In the Security & Compliance Center, go to **Data loss prevention** \> **Policy**|[View the reports for data loss prevention](../../compliance/view-the-dlp-reports.md)| |**Data governance** <p> Information about how labels are applied, labels classified as records, label trends, and more|In the Security & Compliance Center, go to **Information governance** \> **Dashboard**|[View the data governance reports](../../compliance/view-the-data-governance-reports.md)| |**Threat management dashboard** (this is also referred to as the Security dashboard) <p> Threat detections, malware trends, top targeted users, details about sent and received email messages, and more|In the Security & Compliance Center, go to **Threat management** \> **Dashboard**|[View reports for Defender for Office 365](view-reports-for-mdo.md)|
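Review bot: the replacement row for **Security & Compliance Center reports** leaves the "Where to go to learn more" cell empty (`||`), where the old row linked to `../defender/overview-security-center.md`. The Related topics list in this same file keeps that link and only retitles it, so either restore a link in the cell or state why this row no longer has one.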
A wide variety of reports are available in the Security & Compliance Center. (Go
## Related topics
-[Monitor and view reports in the Microsoft 365 security center](../defender/overview-security-center.md)
+[Monitor and view reports in the Microsoft 365 Defender portal](../defender/overview-security-center.md)
[Protect against threats in Office 365](protect-against-threats.md)
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
The following Safe Links settings are available for Office 365 apps:
- **Do not let users click through safe links to original URL**: Allows or blocks users from clicking through the [warning page](#warning-pages-from-safe-links) to the original URL in in the desktop versions Word, Excel, PowerPoint, and Visio. The default and recommended value is **On**.
-To configure the Safe Links settings for Office 365 apps, see [Configure Safe Links protection for Office 365 apps](configure-global-settings-for-safe-links.md#configure-safe-links-protection-for-office-365-apps-in-the-security-center).
+To configure the Safe Links settings for Office 365 apps, see [Configure Safe Links protection for Office 365 apps](configure-global-settings-for-safe-links.md#configure-safe-links-protection-for-office-365-apps-in-the-microsoft-365-defender-portal).
For more information about the recommended values for Standard and Strict policy settings, see [Global settings for Safe Links](recommended-settings-for-eop-and-office365.md#global-settings-for-safe-links).
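Review bot: the unchanged bullet for **Do not let users click through safe links to original URL** reads "to the original URL in in the desktop versions Word, Excel, PowerPoint, and Visio"; since this paragraph is being touched, fix the doubled "in" and add the missing "of" after "versions".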
The **Block the following URLs** list defines the links that are always blocked
When a user in an active Safe Links policy clicks a blocked link in a supported app, they're taken to the [Blocked URL warning](#blocked-url-warning) page.
-You configure the list of URLs in the global settings for Safe Links. For instructions, see [Configure the "Block the following URLs" list](configure-global-settings-for-safe-links.md#configure-the-block-the-following-urls-list-in-the-security-center).
+You configure the list of URLs in the global settings for Safe Links. For instructions, see [Configure the "Block the following URLs" list](configure-global-settings-for-safe-links.md#configure-the-block-the-following-urls-list-in-the-microsoft-365-defender-portal).
**Notes**:
security Security Roadmap https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-roadmap.md
These tasks can be accomplished quickly and have low impact to users.
|Area|Tasks| |||
-|Security management|<ul><li>Check Secure Score and take note of your current score (<https://securescore.office.com>).</li><li>Turn on audit logging for Office 365. See [Search the audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md).</li><li>[Configure Microsoft 365 for increased security](tenant-wide-setup-for-increased-security.md).</li><li>Regularly review dashboards and reports in the Microsoft 365 security center and Cloud App Security.</li></ul>|
+|Security management|<ul><li>Check Secure Score and take note of your current score (<https://securescore.office.com>).</li><li>Turn on audit logging for Office 365. See [Search the audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md).</li><li>[Configure Microsoft 365 for increased security](tenant-wide-setup-for-increased-security.md).</li><li>Regularly review dashboards and reports in the Microsoft 365 Defender portal and Cloud App Security.</li></ul>|
|Threat protection|[Connect Microsoft 365 to Microsoft Cloud App Security](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security) to start monitoring using the default threat detection policies for anomalous behaviors. It takes seven days to build a baseline for anomaly detection. <p> Implement protection for admin accounts:<ul><li>Use dedicated admin accounts for admin activity.</li><li>Enforce multi-factor authentication (MFA) for admin accounts.</li><li>Use a [highly secure Windows 10 device](/windows-hardware/design/device-experiences/oem-highly-secure) for admin activity.</li></ul>| |Identity and access management|<ul><li>[Enable Azure Active Directory Identity Protection](/azure/active-directory/active-directory-identityprotection-enable).</li><li>For federated identity environments, enforce account security (password length, age, complexity, etc.).</li></ul>| |Information protection|Review example information protection recommendations. Information protection requires coordination across your organization. Get started with these resources:<ul><li>[Office 365 Information Protection for GDPR](/compliance/regulatory/gdpr)</li><li>[Configure Teams with three tiers of protection](../../solutions/configure-teams-three-tiers-protection.md) (includes sharing, classification, data loss prevention, and Azure Information Protection)</li></ul>|
These tasks take a bit more time to plan and implement but greatly increase your
|Area|Task| |||
-|Security management|<ul><li>Check Secure Score for recommended actions for your environment (<https://securescore.office.com>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 security center, Cloud App Security, and SIEM tools.</li><li>Look for and implement software updates.</li><li>Conduct attack simulations for spear-phishing, password-spray, and brute-force password attacks using [Attack Simulator](attack-simulator.md) (included with [Office 365 Threat Intelligence](office-365-ti.md)).</li><li>Look for sharing risk by reviewing the built-in reports in Cloud App Security (on the Investigate tab).</li><li>Check [Compliance Manager](../../compliance/compliance-manager.md) to review status for regulations that apply to your organization (such as GDPR, NIST 800-171).</li></ul>|
+|Security management|<ul><li>Check Secure Score for recommended actions for your environment (<https://securescore.office.com>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Cloud App Security, and SIEM tools.</li><li>Look for and implement software updates.</li><li>Conduct attack simulations for spear-phishing, password-spray, and brute-force password attacks using [Attack Simulator](attack-simulator.md) (included with [Office 365 Threat Intelligence](office-365-ti.md)).</li><li>Look for sharing risk by reviewing the built-in reports in Cloud App Security (on the Investigate tab).</li><li>Check [Compliance Manager](../../compliance/compliance-manager.md) to review status for regulations that apply to your organization (such as GDPR, NIST 800-171).</li></ul>|
|Threat protection|Implement enhanced protections for admin accounts: <ul><li>Configure [Privileged Access Workstations](/security/compass/privileged-access-devices) (PAWs) for admin activity.</li><li>Configure [Azure AD Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure).</li><li>Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Cloud App Security, and other services, including AD FS. The audit log stores data for only 90 days. Capturing this data in SIEM tool allows you to store data for a longer period.</li></ul>| |Identity and access management|<ul><li>Enable and enforce MFA for all users.</li><li>Implement a set of [conditional access and related policies](microsoft-365-policies-configurations.md).</li></ul>| |Information protection| Adapt and implement information protection policies. These resources include examples: <ul><li>[Office 365 Information Protection for GDPR](/compliance/regulatory/gdpr)</li><li>[Configure Teams with three tiers of protection](../../solutions/configure-teams-three-tiers-protection.md)</li></ul> <p> Use data loss prevention policies and monitoring tools in Microsoft 365 for data stored in Microsoft 365 (instead of Cloud App Security). <p> Use Cloud App Security with Microsoft 365 for advanced alerting features (other than data loss prevention).|
These are important security measures that build on previous work.
|Area|Task| |||
-|Security management|<ul><li>Continue planning next actions by using Secure Score (<https://securescore.office.com>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 security center, Cloud App Security, and SIEM tools.</li><li>Continue to look for and implement software updates.</li><li>Integrate eDiscovery into your legal and threat response processes.</li></ul>|
+|Security management|<ul><li>Continue planning next actions by using Secure Score (<https://securescore.office.com>).</li><li>Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Cloud App Security, and SIEM tools.</li><li>Continue to look for and implement software updates.</li><li>Integrate eDiscovery into your legal and threat response processes.</li></ul>|
|Threat protection|<ul><li>Implement [Secure Privileged Access](/windows-server/identity/securing-privileged-access/securing-privileged-access) (SPA) for identity components on premises (AD, AD FS).</li><li>Use Cloud App Security to monitor for insider threats.</li><li>Discover shadow IT SaaS usage by using Cloud App Security.</li></ul>| |Identity and access management|<ul><li>Refine policies and operational processes.</li><li>Use Azure AD Identity Protection to identify insider threats.</li></ul>| |Information protection|Refine information protection policies: <ul><li>Microsoft 365 and Office 365 sensitivity labels and data loss prevention (DLP), or Azure Information Protection.</li><li>Cloud App Security policies and alerts.</li></ul>| |
-Also see: [How to mitigate rapid cyberattacks such as Petya and WannaCrypt](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/21/how-to-mitigate-rapid-cyberattacks-such-as-petya-and-wannacrypt/).
+Also see: [How to mitigate rapid cyberattacks such as Petya and WannaCrypt](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/21/how-to-mitigate-rapid-cyberattacks-such-as-petya-and-wannacrypt/).
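Review bot: the removed and added "Also see:" lines at the end of this hunk are textually identical as shown, so the only difference can be whitespace or a line ending. If that was not intended, drop the line from the change so the diff carries only the portal rename.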
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
This topic walks you through recommended configuration for tenant-wide settings
Office 365 Secure Score analyzes your organization's security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. Adjusting some tenant-wide settings will increase your score. The goal is not to achieve the max score, but to be aware of opportunities to protect your environment that do not negatively affect productivity for your users. See [Microsoft Secure Score](../defender/microsoft-secure-score.md).
-## Tune threat management policies in the Microsoft 365 security center
+## Tune threat management policies in the Microsoft 365 Defender portal
-The Microsoft 365 security center includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations. Some areas do not include default policies or rules. Visit these policies under threat management to tune threat management settings for a more secure environment.
+The Microsoft 365 Defender portal includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations. Some areas do not include default policies or rules. Visit these policies under threat management to tune threat management settings for a more secure environment.
<br>
The Microsoft 365 security center includes capabilities that protect your enviro
|**Safe Attachments in Microsoft Defender for Office 365**|No|On the main page for Safe Attachments, click **Global settings** and turn on this setting: <ul><li>**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**</li></ul> <p> Create a Safe Attachments policy with these settings: <ul><li> **Block**: Select **Block** as the unknown malware response.</li><li>**Enable redirect**: Check this box and enter an email address, such as an admin or quarantine account.</li><li>**Apply the above selection if malware scanning for attachments times out or error occurs**: Check this box.</li><li>***Applied to**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) and [Set up Safe Attachments policies](set-up-safe-attachments-policies.md)| |**Safe Links in Microsoft Defender for Office 365**|Yes|On the main page for Safe Links, click **Global settings**: <ul><li>**Use Safe Links in: Office 365 applications**: Verify this setting is turned on.</li><li>**Do not track when users click Safe Links**: Turn this setting off to track user clicks.</li></ul> <p> Create a Safe Links policy with these settings: <ul><li>**Select the action for unknown potentially malicious URLs in messages**: Verify this setting is **On**.</li><li>**Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Verify this setting is **On**.</li><li>**Apply real-time URL scanning for suspicious links and links that point to files**: Check this box.</li><li>**Wait for URL scanning to complete before delivering the message**: Check this box.</li><li>**Apply Safe Links to email messages sent within the organization**: Check this box</li><li>**Do not allow users to click through to original URL**: Check this box.</li><li>**Applied To**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Set up Safe Links 
policies](set-up-safe-links-policies.md).| |**Anti-Spam (Mail filtering)**|Yes| What to watch for: Too much spam ΓÇö Choose the Custom settings and edit the Default spam filter policy. More information: [Microsoft 365 Email Anti-Spam Protection](anti-spam-protection.md).|
-|***Email Authentication***|Yes|Email authentication uses a Domain Name System (DNS) to add verifiable information to email messages about the sender of an email. Microsoft 365 sets up email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also use email authentication for custom domains. Three authentication methods are used: <ul><li>Sender Policy Framework (or SPF).</li><ul><li>For setup, see [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md).</li></ul> <li>DomainKeys Identified Mail (DKIM).</li><ul><li>See [Use DKIM to validate outbound email sent from your custom domain](use-dkim-to-validate-outbound-email.md).</li><li>After you've configured DKIM, enable it in the security center.</li></ul><li>Domain-based Message Authentication, Reporting, and Conformance (DMARC).</li><ul><li>For DMARC setup [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).</li></ul></ul>|
+|***Email Authentication***|Yes|Email authentication uses a Domain Name System (DNS) to add verifiable information to email messages about the sender of an email. Microsoft 365 sets up email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also use email authentication for custom domains. Three authentication methods are used: <ul><li>Sender Policy Framework (or SPF).</li><ul><li>For setup, see [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md).</li></ul> <li>DomainKeys Identified Mail (DKIM).</li><ul><li>See [Use DKIM to validate outbound email sent from your custom domain](use-dkim-to-validate-outbound-email.md).</li><li>After you've configured DKIM, enable it in the Microsoft 365 Defender portal.</li></ul><li>Domain-based Message Authentication, Reporting, and Conformance (DMARC).</li><ul><li>For DMARC setup [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).</li></ul></ul>|
| > [!NOTE]
Visit these reports and dashboards to learn more about the health of your enviro
|Dashboard|Description| |||
-|[Threat management dashboard](security-dashboard.md)|In the **Threat management** section of the security center, use this dashboard to see threats that have already been handled, and as a handy tool for reporting out to business decision makers on what threat investigation and response capabilities have already done to secure your business.|
-|[Threat Explorer (or real-time detections)](threat-explorer.md)|This is also in the **Threat management** section of the security center. If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.|
-|Reports ΓÇö Dashboard|In the **Reports** section of security center, view audit reports for your SharePoint Online and Exchange Online organizations. You can also access Azure Active Directory (Azure AD) user sign-in reports, user activity reports, and the Azure AD audit log from the **View reports** page.|
+|[Threat management dashboard](security-dashboard.md)|In the **Threat management** section of the Microsoft 365 Defender portal, use this dashboard to see threats that have already been handled, and as a handy tool for reporting out to business decision makers on what threat investigation and response capabilities have already done to secure your business.|
+|[Threat Explorer (or real-time detections)](threat-explorer.md)|This is also in the **Threat management** section of the Microsoft 365 Defender portal. If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.|
+|Reports ΓÇö Dashboard|In the **Reports** section of Microsoft 365 Defender portal, view audit reports for your SharePoint Online and Exchange Online organizations. You can also access Azure Active Directory (Azure AD) user sign-in reports, user activity reports, and the Azure AD audit log from the **View reports** page.|
|
-![Security center Dashboard](../../media/870ab776-36d2-49c7-b615-93b2bc42fce5.png)
+![Microsoft 365 Defender portal Dashboard](../../media/870ab776-36d2-49c7-b615-93b2bc42fce5.png)
## Configure additional Exchange Online tenant-wide settings
-Many of the controls for security and protection in the Exchange admin center are also included in the security center. You do not need to configure these in both places. Here are a couple of additional settings that are recommended.
+Here are a couple of additional settings that are recommended.
<br>
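Review bot: under "Configure additional Exchange Online tenant-wide settings", the new intro deletes the statement that many Exchange admin center controls are also available in the portal and do not need to be configured in both places, instead of renaming "security center" as the rest of this change does. If that guidance still holds, keep it with the new portal name; if it does not, the removal deserves a mention in the change description. Separately, in the added "Reports" dashboard row, "section of Microsoft 365 Defender portal" needs "the" before the product name.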
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
Use the following articles to configure the prerequisites required so user repor
- Turn off URL scanning on messages in the custom mailbox. Use [Set up Safe Links policies in Defender for Office 365](set-up-safe-links-policies.md) to create a Safe Links policy with the setting **Off** for **Select the action for unknown potentially malicious URLs in messages**. -- Create an anti-malware policy to turn off Malware Zero-hour Auto Purge. See [Use the Security & Compliance Center to create anti-malware policies](configure-your-spam-filter-policies.md#use-the-security-center-to-create-anti-spam-policies) to set **Malware Zero-hour Auto Purge** to **Off**.
+- Create an anti-malware policy to turn off Malware Zero-hour Auto Purge. See [Use the Security & Compliance Center to create anti-malware policies](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) to set **Malware Zero-hour Auto Purge** to **Off**.
-- Create a spam filter policy to disable zero-hour auto purge (ZAP) for spam and phishing in the custom mailbox. See [Use the Security & Compliance Center to create anti-spam policies](configure-your-spam-filter-policies.md#use-the-security-center-to-create-anti-spam-policies) and clear the **On** checkboxes for **Spam ZAP** and **Phish ZAP**.
+- Create a spam filter policy to disable zero-hour auto purge (ZAP) for spam and phishing in the custom mailbox. See [Use the Security & Compliance Center to create anti-spam policies](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) and clear the **On** checkboxes for **Spam ZAP** and **Phish ZAP**.
- Disable the junk email rule in the custom mailbox. Use [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md) to disable the junk email rule. Once disabled, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action **Move message to Junk Email folder** or the safelist collection on the mailbox.
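Review bot: In the added anti-malware bullet, the link target is still `configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies`, which is the anti-spam article, although the step is about setting **Malware Zero-hour Auto Purge** to **Off** in an anti-malware policy; point it at the anti-malware procedure instead. Both added bullets also keep the link text "Use the Security & Compliance Center to create ..." while the anchor now names the Microsoft 365 Defender portal, so the link text and its target disagree.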
security User Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags.md
If your organization has Defender for Office 365 Plan 2 (included in your subscr
After you apply system tags or custom tags to users, you can use those tags as filters in alerts, reports, and investigations: -- [Alerts in the Security & Compliance Center](alerts.md)
+- [Alerts](alerts.md)
+- [Custom alert policies](alert-policies.md#viewing-alerts)
- [Threat Explorer and real-time detections](threat-explorer.md)
+- [Email entity page](mdo-email-entity-page.md#other-innovations)
- [Threat protection status report](view-email-security-reports.md#threat-protection-status-report) - [Campaign Views](campaigns.md) - For priority accounts, you can use the [Email issues for priority accounts report](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report) in the Exchange admin center (EAC).
-This article explains how to configure user tags in the Security & Compliance Center. There are no cmdlets in Security & Compliance Center to manage user tags.
+This article explains how to configure user tags in the Microsoft 365 Defender portal. There are no cmdlets in Microsoft 365 Defender portal to manage user tags.
To see how user tags are part of the strategy to help protect high-impact user accounts, see [Security recommendations for priority accounts in Microsoft 365](security-recommendations-for-priority-accounts.md).
-> [!NOTE]
-> If you use the unified Microsoft 365 security center, you can set tags here: https://security.microsoft.com/securitysettings/userTags.
- ## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **User tags** page, open <https://protection.office.com/userTags>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **User tags** page, open <https://security.microsoft.com/securitysettings/userTags>.
-- You need to be assigned permissions in the Security & Compliance Center before you can do the procedures in this article:
+- You need to be assigned permissions in the Microsoft 365 Defender portal before you can do the procedures in this article:
- To create, modify, and delete user tags, you need to be a member of the **Organization Management** or **Security Administrator** role groups. - To add and remove members from existing user tags, you need to be a member of the **Organization Management**, **Security Administrator**, or **Security Operator** role groups - For read-only access to user tags, you need to be a member of the **Global Reader** or **Security Reader** role groups.
- For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
> [!NOTE] >
- > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
> > - User tag management is controlled by the **Tag Reader** and **Tag Manager** roles.
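Review bot: The added sentence "There are no cmdlets in Microsoft 365 Defender portal to manage user tags" reads like a search-and-replace result: cmdlets belong to a PowerShell module rather than to a portal, and "the" is missing before the portal name. Suggest stating simply that there are no PowerShell cmdlets to manage user tags. The added permissions link is retitled "Permissions in the Microsoft 365 Defender portal" but still targets `permissions-in-the-security-and-compliance-center.md`; check that the target article's title matches the new link text.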
To see how user tags are part of the strategy to help protect high-impact user a
- For information about securing _privileged accounts_ (admin accounts), see [this topic](/azure/architecture/framework/security/critical-impact-accounts).
-## Use the Security & Compliance Center to create user tags
+## Use the Microsoft 365 Defender portal to create user tags
-1. In the Security & Compliance Center, go to **Threat management** \> **User tags**.
+1. In the Microsoft 365 Defender portal, go to **Settings** \> **Email & collaboration** \> **User tags**.
-2. On the **User tags** page that opens, click **Create tag**.
+2. On the **User tags** page, click ![Create tag icon](../../media/m365-cc-sc-create-icon.png) **Create tag**.
-3. The **Create tag** wizard opens in a new fly out. On the **Define tag** page, configure the following settings:
- - **Name**: Enter a unique, descriptive name for the tag. This is the value that you'll see and use.
+3. The **Create tag** wizard opens in a new flyout. On the **Define tag** page, configure the following settings:
+ - **Name**: Enter a unique, descriptive name for the tag. This is the value that you'll see and use. Note that you can't rename a tag after you create it.
- **Description**: Enter an optional description for the tag. When you're finished, click **Next**.
-4. On the **Assign users** page, do either of the following steps:
-
- - Click **Add users**. In the fly out that appears, do any of the following steps to add individual users or groups:
+4. On the **Assign members** page, do either of the following steps:
+ - Click ![Add members icon](../../media/m365-cc-sc-create-icon.png) **Add members**. In the fly out that appears, do any of the following steps to add individual users or groups:
- Click in the box and scroll through the list to select a user or group. - Click in the box and start typing to filter the list and select a user or group. - To add additional values, click in an empty area in the box.
- - To remove individual entries from the box, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the user or group in the box.
- - To remove existing entries from the list below the box, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) the entry.
+ - To remove individual entries, click ![Remove entry icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the entry in the box.
+ - To remove all entries, click ![Remove entry icon](../../media/m365-cc-sc-remove-selection-icon.png) on the **Selected nn users and nn groups** item below the box.
When you're finished, click **Add**.
+ Back on the **Assign members** page, you can also remove entries by clicking ![Delete icon](../../media/m365-cc-sc-delete-icon.png) next to the entry.
+ - Click **Import** to select a text file that contains the email addresses of the users or groups. Be sure the text file contains one entry per line. When you're finished, click **Next**.
-5. On the **Review tag** page, review your settings. You can click **Edit** in the specific section to make changes.
+5. On the **Review tag** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+
+ When you're finished, click **Submit**, and then click **Done**.
- When you're finished, click **Submit**.
+## Use the Microsoft 365 Defender portal to view user tags
-## Use the Security & Compliance Center to view user tags
+1. In the Microsoft 365 Defender portal, go to **Settings** \> **Email & collaboration** \> **User tags**.
-1. In the Security & Compliance Center, go to **Threat management** \> **User tags**.
+2. On the **User tags** page, the following properties are displayed in the list of user tags:
-2. On the **User tags** page that opens, select the user tag that you want to view (don't click on the checkbox).
+ - **Tag**: The name of the user tag. Note that this includes the built-in **Priority account** system tag.
+ - **Applied to**: The number of members
+ - **Last modified**
+ - **Created on**
-3. In the read-only details fly out that appears, review the settings.
+3. When you select a user tag by clicking on the name, the details are displayed in a flyout.
- When you're finished, click **Close**.
+## Use the Microsoft 365 Defender portal to modify user tags
-## Use the Security & Compliance Center to modify user tags
+1. In the Microsoft 365 Defender portal, go to **Settings** \> **Email & collaboration** \> **User tags**.
-1. In the Security & Compliance Center, go to **Threat management** \> **User tags**.
+2. On the **User tags** page, select the user tag from the list, and then click ![Edit tag icon](../../media/m365-cc-sc-edit-icon.png) **Edit tag**.
-2. On the **User tags** page that opens, select the user tag that you want to view, and then click **Edit tag**.
+3. In the details flyout that appears, the same wizard and settings are available as described in the [Use the Microsoft 365 Defender portal to create user tags](#use-the-microsoft-365-defender-portal-to-create-user-tags) section earlier in this article.
-3. The policy wizard opens in an **Edit tag** fly out. Click **Next** to review and modify the settings.
+ **Notes**:
- When you're finished, click **Submit**.
+ - The **Define tag** page is not available for the built-in **Priority account** system tag, so you can't rename this tag or change the description.
+ - You can't rename a custom tag, but you can change the description.
-## Use the Security & Compliance Center to remove user tags
+## Use the Microsoft 365 Defender portal to remove user tags
> [!NOTE]
-> You can't remove the built-in **Priority account** tag.
+> You can't remove the built-in **Priority account** system tag.
+
+1. In the Microsoft 365 Defender portal, go to **Settings** \> **Email & collaboration** \> **User tags**.
-1. In the Security & Compliance Center, go to **Threat management** \> **User tags**.
+2. On the **User tags** page, select the user tag from the list, and then click ![Delete tag icon](../../media/m365-cc-sc-delete-icon.png) **Delete tag**.
-2. On the **User tags** page that opens, select the user tag that you want to remove, click **Delete tag**, and then select **Yes, remove** in the warning that appears.
+3. Read the warning in the confirmation dialog that appears, and then click **Yes, remove**.
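Review bot: In step 4 of the create procedure, the added **Add members** line still says "In the fly out that appears", while step 3 and the view and modify sections now use "flyout"; pick one spelling and apply it throughout. In the added view section, "**Applied to**: The number of members" has no closing period, and "**Last modified**" and "**Created on**" carry no description, unlike **Tag**. The **Create tag** and **Add members** icons both reference `m365-cc-sc-create-icon.png`; confirm that the shared image is intended.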