Updates from: 06/02/2022 01:29:18
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Exchange Online Admin Role https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-exchange-online-admin-role.md
Title: "About the Exchange Online admin role"
+ Title: "About the Exchange Administrator role"
f1.keywords: - NOCSH
search.appverid:
- MOE150 - GEA150 ms.assetid: 097ae285-c4af-4319-9770-e2559d66e4c8
-description: "Exchange Online admins manage your organization email and mailboxes and, for example, recover deleted items in a user's mailbox."
+description: "Exchange administrators manage your organization's email and mailboxes and, for example, recover deleted items in a user's mailbox."
-# About the Exchange Online admin role
+# About the Exchange Administrator role
-To help you administer Microsoft 365, you can [assign](assign-admin-roles.md) users permissions to manage your organization's email and mailboxes from the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. You do this by assigning them to the Exchange admin role.
+To help you administer Microsoft 365, you can [assign](assign-admin-roles.md) users permissions to manage your organization's email and mailboxes from the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. You do this by assigning them to the Exchange Administrator role.
- **Tip**: When you assign someone to the Exchange admin role, also assign them to the Service admin role. This way they can see important information in the Microsoft 365 admin center, such as the health of the Exchange Online service, and change and release notifications.
+> [!TIP]
+> When you assign someone to the Exchange Administrator role, we recommend assigning them to the Service Support Administrator role. This way they can see important information in the Microsoft 365 admin center, such as the health of the Exchange Online service, and change and release notifications.
-Here are some of the key tasks users can do when they are assigned to the Exchange admin role:
+Here are some of the key tasks users can do when they are assigned to the Exchange Administrator role:
- [Recover deleted items in a user mailbox - Admin Help](/Exchange/recipients-in-exchange-online/manage-user-mailboxes/recover-deleted-messages)
If you have a large organization, the Exchange admin might want to assign users
- [About the Skype for Business admin role](/skypeforbusiness/skype-for-business-online) -- [Use Microsoft Teams admin role](/MicrosoftTeams/using-admin-roles)
+- [Use Microsoft Teams admin role](/MicrosoftTeams/using-admin-roles)
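Review bot: In the new TIP, "we recommend assigning them to the Service Support Administrator role" drops the "also" that the old wording had, so it can be read as a replacement for the Exchange Administrator role rather than an addition to it; suggest "we recommend also assigning them to the Service Support Administrator role". The unchanged paragraph that begins "If you have a large organization, the Exchange admin might want to assign users" still uses the old short name and should be brought in line with the rename.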
business-premium M365 Campaigns Sign In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365-campaigns-sign-in.md
If you signed up for Microsoft 365 for Campaigns (or Microsoft 365 Business Prem
2. In the browser, go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
-3. Type your username and password. Select **Sign in**.
+3. Type your username and password, and then select **Sign in**.
4. In the top right of the page, find the **Preview on** control. Select **Preview on** so you can use all the controls described in [Bump up protection for your campaign](m365-campaigns-security-overview.md).
If you signed up for Microsoft 365 for Campaigns (or Microsoft 365 Business Prem
Users who have been added to your Microsoft 365 for Campaigns (or Microsoft 365 Business Premium) subscription can sign in by following these steps:
-1. Go to <a href="https://office.com" target="_blank">https://Office.com</a>.
+1. Go to <a href="https://office.com" target="_blank">https://office.com</a>.
2. Sign in using the user name and password for the account. Users will have this information in the email they should have received when they were added as users. If they can't find the email, see [I shared an email invite but the user didnΓÇÖt receive the email](../admin/simplified-signup/admin-invite-business-standard.md#i-shared-an-email-invite-but-the-user-didnt-receive-the-email).
Users who have been added to your Microsoft 365 for Campaigns (or Microsoft 365
2. [Use the guided process for basic setup](m365bp-setup.md#use-the-guided-process-for-basic-setup)
-3. [Set up your security capabilities](m365bp-security-overview.md).
+3. [Set up your security capabilities](m365bp-security-overview.md).
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
Make sure you're aware of the prerequisites before you configure auto-labeling p
- It doesn't matter if the auto-labeling in Office apps label setting is turned on or off, because that label setting supplements auto-labeling policies, as explained in the introduction. - If the labels you want to use for auto-labeling are configured to use visual markings (headers, footers, watermarks), note that these aren't applied to documents. - If the labels apply [encryption](encryption-sensitivity-labels.md):
- - When the auto-labeling policy includes locations for SharePoint or OneDrive, the label must be configured for the **Assign permissions now** setting.
+ - When the auto-labeling policy includes locations for SharePoint or OneDrive, the label must be configured for the **Assign permissions now** setting, and **User access to content expires** must be set to **Never**.
- When the auto-labeling policy is just for Exchange, the label can be configured for either **Assign permissions now** or **Let users assign permissions** (for the Do Not Forward or Encrypt-Only options). ### Learn about simulation mode
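Review bot: The new requirement that **User access to content expires** be set to **Never** is attached only to the SharePoint or OneDrive bullet, and the Exchange-only bullet that follows is unchanged and says nothing about expiry. Say explicitly in the Exchange bullet whether an expiring label is acceptable there, so an admin who reuses one encrypted label across both kinds of policy knows which constraint wins.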
compliance Collections Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/collections-overview.md
Previously updated : Last updated : 05/31/2022 audience: Admin
When organizations are faced with gathering the communications and content that
The collection workflow poses significant technical challenges around extracting content from native locations and sources. It's also a critical point in the assessment and strategy for common litigation or investigations scenarios. As organizations begin to assess an investigation, the first questions asked are who was involved? After identifying who was involved, these custodians can quickly be placed on hold to preserve relevant content. The next question is what took place? To answer this second fundamental question of any investigation, managers must turn to the data. To quickly assess the most relevant content to the question of what took place, managers start to refine the target of the question to ensure that the collection results are comprehensive without being too broad.
-Collections in eDiscovery (Premium) help eDiscovery managers quickly scope a search for content across email, documents, and other content in Microsoft 365. Collections provide managers with an estimate of the content that may be relevant to the case. This allows managers to make quick, informed decisions about the size and scope of content relevant to a case. eDiscovery managers can create a collection to search custodial data sources (such as mailboxes and SharePoint sites) and by using specific search criteria (such as keywords and date ranges) to quickly define the scope of their collection.
+Collections in eDiscovery (Premium) help eDiscovery managers quickly scope a search for content across email, documents, Teams reactions, and other content in Microsoft 365. Collections provide managers with an estimate of the content that may be relevant to the case. This allows managers to make quick, informed decisions about the size and scope of content relevant to a case. eDiscovery managers can create a collection to search custodial data sources (such as mailboxes and SharePoint sites) and by using specific search criteria (such as keywords and date ranges) to quickly define the scope of their collection.
After the collection is defined, eDiscovery managers can save the collection as a draft and get estimates, including estimates for data volume, the content locations that contain results, and the number of hits for search query condition. These insights can help to inform if the collection should be revised to narrow or expand the scope of the collection before moving on the review and analyze stages in the eDiscovery workflow.
compliance Communication Compliance Investigate Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-investigate-remediate.md
Now that you've reviewed the details of the message for the alert, you can choos
- **Notify**: You can use the **Notify** control to assign a custom notice template to the alert and to send a warning notice to the user. Choose the appropriate notice template configured in the **Communication compliance settings** area and select **Send** to email a reminder to the user that sent the message and to resolve the issue. - **Escalate**: Using the **Escalate** control, you can choose who else in your organization should review the message. Choose from a list of reviewers configured in the communication compliance policy to send an email notification requesting additional review of the message alert. The selected reviewer can use a link in the email notification to go directly to items escalated to them for review. - **Escalate for investigation**: Using the **Escalate for investigation** control, you can create a new [eDiscovery (Premium) case](overview-ediscovery-20.md) for single or multiple messages. You'll provide a name and notes for the new case, and user who sent the message matching the policy is automatically assigned as the case custodian. You don't need any additional permissions to manage the case. Creating a case doesn't resolve or create a new tag for the message. You can select a total of 100 messages when creating an eDiscovery (Premium) case during the remediation process. Messages in all communication channels monitored by communication compliance are supported. For example, you could select 50 Microsoft Teams chats, 25 Exchange Online email messages, and 25 Yammer messages when you open a new eDiscovery (Premium) case for a user.-- **Remove message in Teams**: Using the **Remove message in Teams** control, you can block inappropriate messages and content identified in alerts from Microsoft Teams channels and 1:1 and group chats. Removed messages and content are replaced with a policy tip that explains that it's blocked and the policy that applies to its removal from view. 
Recipients are provided a link in the policy tip to learn more about the applicable policy and the review process. The sender receives a policy tip for the blocked message and content but can review the details of the blocked message and content for context regarding the removal.
+- **Remove message in Teams**: Using the **Remove message in Teams** control, you can block inappropriate messages and content identified in alerts from Microsoft Teams channels and 1:1 and group chats. This includes Teams chat messages reported by users and chat messages detected using machine-learning and classifier-based communication compliance policies. Removed messages and content are replaced with a policy tip that explains that it's blocked and the policy that applies to its removal from view. Recipients are provided a link in the policy tip to learn more about the applicable policy and the review process. The sender receives a policy tip for the blocked message and content but can review the details of the blocked message and content for context regarding the removal.
![Remove a message from Microsoft Teams.](../media/communication-compliance-remove-teams-message.png)
compliance Compliance Manager Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-alert-policies.md
To start working with alerts, see [Viewing and managing alerts](#viewing-and-man
The table below outlines which users can create and edit alerts and alert policies based on their role type. In addition to holding a Compliance Manager role, users also need an Azure AD role as follows: -- The **Security reader** role in Azure AD for viewing alerts and alert policies-- The **Security administrator** role in Azure AD for creating or updating alert policies
+- To view alerts and alert policies: the **Security reader** role in Azure AD
+- To create or update alert policies: the **Compliance administrator**, **Compliance data administrator**, **Security administrator**, or **Security operator** role in Azure AD
Learn more about [Azure roles in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#azure-roles-in-the-compliance-portal).
Learn more about [Azure roles in the Microsoft Purview compliance portal](micros
| :- | :-: | :: | | **Compliance Manager Administration**| Yes | Yes | | **Compliance Manager Assessor**| Yes | Yes |
-| **Compliance Manager Contribution**| Yes | Yes |
-| **Global Administrator**| Yes | Yes |
+| **Compliance Manager Contributor**| Yes | Yes |
| **Compliance Manager Reader**| No | No |
+| **Global administrator**| Yes | Yes |
Learn how to [set user permissions and assign roles for Compliance Manager](compliance-manager-setup.md#set-user-permissions-and-assign-roles).
compliance Limits Ediscovery20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-ediscovery20.md
The following table lists the limits for cases and review sets in eDiscovery (Pr
|Description of limit|Limit| |||
-|Total number of documents that can be added to a case (for all review sets in a case).|3 million|
-|Total file size per load set. This includes loading non-Office 365 into a review set.|300 GB|
+|Total number of documents that can be added to a case (for all review sets in a case).|Up to 40 million (New case format)|
+|Total file size per load set. This includes loading non-Office 365 into a review set.|Up to 1TB (New case format)|
|Total amount of data loaded into all review sets in the organization per day.<br/>|2 TB| |Maximum number of load sets per case.|200| |Maximum number of review sets per case.|20|
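Review bot: The two changed rows replace the 3 million and 300 GB figures with values qualified as "(New case format)", which leaves no stated limit for cases that are not in the new format; keep the previous figures in the same cells, labelled for the other case format, or link to where they now live. "Up to 1TB" should also be written "1 TB" to match the "2 TB" in the row directly below.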
compliance Teams Workflow In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/teams-workflow-in-advanced-ediscovery.md
description: "Learn how to preserve, collect, review, and export content from Mi
This article provides a comprehensive set of procedures, guidelines, and best practices for using Microsoft Purview eDiscovery (Premium) to preserve, collect, review, and export content from Microsoft Teams. The goal of this article is to help you optimize your eDiscovery workflow for Teams content.
-There are five categories of Teams content that you can collect and process using eDiscovery (Premium):
+There are six categories of Teams content that you can collect and process using eDiscovery (Premium):
- **Teams 1:1 chats**. Chat messages, posts, and attachments shared in a Teams conversation between two people. Teams 1:1 chats are also called *conversations*. - **Teams group chats**. Chat messages, posts, and attachments shared in a Teams conversation between three or more people. Also called *1:N* chats or *group conversations*.
+- **Teams reactions**. Reactions applied to chat messages, posts, and attachments in a Teams conversation.
+ - **Teams channels**. Chat messages, posts, replies, and attachments shared in a standard Teams channel. - **Private channels**. Message posts, replies, and attachments shared in a private Teams channel.
A prerequisite to managing Teams content in eDiscovery (Premium) is to understan
|||| |Teams 1:1 chats|Messages in 1:1 chats are stored in the Exchange Online mailbox of all chat participants.|Files shared in a 1:1 chat are stored in the OneDrive for Business account of the person who shared the file.| |Teams group chats|Messages in group chats are stored in the Exchange Online mailbox of all chat participants.|Files shared in group chats are stored in the OneDrive for Business account of the person who shared the file.|
+|Teams reactions|Messages in group chats are stored in the Exchange Online mailbox of all chat participants.|Files shared in group chats are stored in the OneDrive for Business account of the person who shared the file.|
|Teams channels|All channel messages and posts are stored in the Exchange Online mailbox associated with the team.|Files shared in a channel are stored in the SharePoint Online site associated with the team.| |Private channels|Messages sent in a private channel are stored in the Exchange Online mailboxes of all members of the private channel.|Files shared in a private channel are stored in a dedicated SharePoint Online site associated with the private channel.| |Shared channels|Messages sent in a shared channel are stored in a system mailbox associated with the shared channel.<sup>1</sup>|Files shared in a shared channel are stored in a dedicated SharePoint Online site associated with the shared channel.|
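Review bot: The added "Teams reactions" table row repeats the group chats row word for word ("Messages in group chats are stored in the Exchange Online mailbox of all chat participants" and "Files shared in group chats are stored in the OneDrive for Business account…"), so it never says where reactions themselves are stored. Replace both cells with the storage location for reactions, or state that reactions are stored with the message they are applied to if that is the intent, since this table is what people use to decide which locations to put on hold.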
contentunderstanding Difference Between Document Understanding And Form Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/difference-between-document-understanding-and-form-processing-model.md
There are two custom model types that you can use:
While both models are generally used for the same purpose, the key differences listed below affect which ones you can use. > [!NOTE]
-> See the [SharePoint Syntex adoption: Get started guide](./adoption-getstarted.md) for more information about form processing and document understanding scenario examples.
+> See the [Get started driving adoption of SharePoint Syntex](./adoption-getstarted.md) for more information about form processing and document understanding scenario examples.
## Structured versus unstructured and semi-structured content
You can apply document understanding models to SharePoint document libraries tha
Form processing models can currently be applied only to the SharePoint document library from which you created them. This allows licensed users with access to the site to create a form processing model. Note that an admin needs to enable form processing on a SharePoint document library for it to be available to licensed users.
-## Comparison of forms processing and document understanding
+## Comparison of form processing and document understanding
-Use the following table to understand when to use forms processing and when to use document understanding.
+Use the following table to understand when to use form processing and when to use document understanding.
-| Feature | Forms processing | Document understanding |
+| Feature | Form processing | Document understanding |
| - | - | - |
-| Model type - when to use each | Used for semi-structured file formats, for example PDFs for forms content such as invoices or purchase orders where the layout and formatting is similar. | Used for semi-structured file formats ΓÇô for example, Office documents where there are differences in the layout, but still similar information to be extracted. |
+| Model type - when to use each | Structured and semi-structured file formats, for example PDFs for forms content such as invoices or purchase orders where the layout and formatting is similar. | Unstructured or semi-structured file formats, for example, Office documents where there are differences in the layout, but still similar information to be extracted. |
| Model creation | Model created in AI builder with seamless access from SharePoint document library.| Model created in SharePoint in a new site, the content center. | | Classification type| Settable classifier is used to give clues to the system on what data to extract.| Trainable classifier with optional extractors using machine teaching to assign document location on what data to extract.| | Locations | Trained for a single document library.| Can be applied to multiple libraries.|
-| Supported file types| Train on PDF, JPG, PNG format, total 50 MB and 500 pages.| Train on 5-10 PDF, Office, or email files, including negative examples.<br>Office files are truncated at 64k characters. OCR-scanned files are limited to 20 pages.|
+| Supported file types| Train on PDF, JPG, PNG format, total 50 MB and 500 pages.| Train on 5-10 PDF, Office, or email files, including negative examples.<br>Office files are truncated at 64K characters. OCR-scanned files are limited to 20 pages.|
| Integrate with Managed Metadata | No | Yes, by training entity extractor referencing a configured managed metadata field.| | Compliance feature integration with Microsoft Purview Information Protection | Set published retention labels.<br>Set sensitivity labels is coming. | Set published retention labels.<br>Set published sensitivity labels. | | Supported regions| Form processing relies on Power Platform. For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). | Available in all regions.|
-| Transactional cost | Uses AI Builder credits.<br>Credits can be purchased in batches of 1M.<br>1M credits are included when 300+ SharePoint Syntex licenses are purchased.<br>1M credits will allow processing of 2,000 file pages.<br>| N/A |
+| Transactional cost | Uses AI Builder credits.<br>3.5K credits are included for each SharePoint Syntex license per month.<br>1M credits will allow processing of 2,000 file pages.<br>| Not applicable |
| Capacity | Uses the default Power Platform environment (custom environments with Dataverse database supported). | Does not have capacity restrictions.|
-| Supported languages| Language support for more [73 languages](/power-platform-release-plan/2021wave2/ai-builder/form-processing-new-language-support). | Models work on all Latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese.|
+| Supported languages| Language support for more than [73 languages](/power-platform-release-plan/2021wave2/ai-builder/form-processing-new-language-support). | Models work on all Latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese.|
## See also
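Review bot: In the Transactional cost row, the new "3.5K credits are included for each SharePoint Syntex license per month" sits next to the retained "1M credits will allow processing of 2,000 file pages", which was phrased for the old 1M allocation; a reader now has to convert the per-license figure to pages on their own. Give the page equivalent in the same unit as the allocation, write the number as "3,500" to match the licensing article, and mention the 1 million credits per month maximum that the licensing article states.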
contentunderstanding Syntex Licensing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/syntex-licensing.md
description: "Learn about licensing for SharePoint Syntex"
# Licensing for SharePoint Syntex
-To use SharePoint Syntex, your organization must have a subscription to SharePoint Syntex, and each Syntex user must have a license. If you cancel your SharePoint Syntex subscription at a future date (or your trial expires), users will no longer be able to create, publish, or run document understanding or form processing models. Additionally, term store reports, SKOS taxonomy import, and Content type push will no longer be available. No models, content, or metadata will be deleted and site permissions will not be changed.
+To use SharePoint Syntex, your organization must have a subscription to SharePoint Syntex, and each SharePoint Syntex user must have a license. If you cancel your SharePoint Syntex subscription at a future date (or your trial expires), users will no longer be able to create, publish, or run document understanding or form processing models. Additionally, term store reports, SKOS taxonomy import, and content type push will no longer be available. No models, content, or metadata will be deleted and site permissions will not be changed.
> [!NOTE]
-> SharePoint Syntex is an add-on license and requires users also have a license for Microsoft 365.
+> SharePoint Syntex is an add-on license and requires users also to have a license for Microsoft 365.
## Tasks requiring a license
The following tasks require a [SharePoint Syntex license](https://www.microsoft.
Unlicensed users can be granted access to a content center and can create document understanding models there but can't apply them to a document library.
-## Cost of running models
-
-The cost of running document understanding models is included in the cost of a SharePoint Syntex license. However, form processing models use AI Builder capacity, for both training and runtime processing. Capacity must be allocated to the Power Apps environment where you will use AI Builder.
-
-If you have 300 or more SharePoint Syntex licenses for SharePoint Syntex in your organization, you will be allocated one million AI Builder credits. This capacity is renewed each month if you maintain the 300-license minimum. (Unused credits don't roll over from month to month.) If you have fewer than 300 licenses, you must purchase AI Builder credits in order to use forms processing.
+## Cost of training and running models
+The cost of training and running document understanding models is included in the cost of a SharePoint Syntex license. However, form processing models use AI Builder capacity, for both training and runtime processing. Capacity must be allocated to the Power Apps environment where you will use AI Builder.
+
+For each SharePoint Syntex license, you are allocated 3,500 AI Builder credits per license, per month pooled at the tenant level, with a maximum allocation of 1 million credits per month. This allocation is renewed each month for each active SharePoint Syntex license. (Unused credits don't roll over from month to month.)
+ You can estimate the AI Builder capacity thatΓÇÖs right for you with the [AI Builder calculator](https://powerapps.microsoft.com/ai-builder-calculator). If you plan to use a custom Power Platform environment, you must [allocate credits to that environment](/power-platform/admin/capacity-add-on).
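Review bot: The new allocation sentence says "For each SharePoint Syntex license, you are allocated 3,500 AI Builder credits per license, per month", stating the per-license basis twice; suggest "You are allocated 3,500 AI Builder credits per SharePoint Syntex license per month, pooled at the tenant level, up to a maximum of 1 million credits per month." The removed text told readers they must purchase AI Builder credits when the allocation did not apply, and the new text no longer says what to do when the pooled allocation is not enough, so add a sentence on purchasing additional capacity. The new heading is also followed directly by the paragraph with no blank line, unlike the section it replaces.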
enterprise Microsoft 365 External Recipient Service Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-external-recipient-service-alerts.md
Title: "External recipients service alerts"
Previously updated : Last updated : 05/31/2022 audience: Admin
f1.keywords: - NOCSH description: "Use external recipients service alerts to monitor mailboxes on hold that are reaching their mailbox quota."+ # Service alerts for messages pending delivery to external recipients in Exchange Online monitoring
includes Office 365 Operated By 21Vianet Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-operated-by-21vianet-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--China endpoints version 2022042800-->
-<!--File generated 2022-04-29 08:00:06.8654-->
+<!--China endpoints version 2022060100-->
+<!--File generated 2022-06-01 08:00:09.1278-->
## Exchange Online
ID | Category | ER | Addresses | Ports
15 | Default<BR>Required | No | `loki.office365.cn` | **TCP:** 443 16 | Default<BR>Required | No | `*.cdn.office.net, shellprod.msocdn.com` | **TCP:** 443 17 | Allow<BR>Required | No | `*.auth.microsoft.cn, login.partner.microsoftonline.cn, microsoftgraph.chinacloudapi.cn`<BR>`40.72.70.0/23, 42.159.87.106/32, 42.159.92.96/32, 52.130.2.32/27, 52.130.3.64/27, 52.130.17.192/27, 52.130.18.32/27, 139.217.115.121/32, 139.217.118.25/32, 139.217.118.46/32, 139.217.118.54/32, 139.217.228.95/32, 139.217.231.198/32, 139.217.231.208/32, 139.217.231.219/32, 139.219.132.56/32, 139.219.133.182/32, 2406:e500:5500::/48` | **TCP:** 443, 80
+18 | Default<BR>Required | No | `*.aadrm.cn, *.protection.partner.outlook.cn` |
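Review bot: New row 18 (`*.aadrm.cn, *.protection.partner.outlook.cn`) has an empty Ports cell. The same revision fixes exactly this gap for row 30 in the DoD and GCC High files by adding "**TCP:** 443", so the China row looks like it missed that fix. Because this file is generated, the port needs to be filled in at the endpoint data source rather than here; without it, anyone building firewall or proxy rules from the table has no port to allow for these hosts.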
includes Office 365 U.S. Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-dod-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--USGovDoD endpoints version 2022050400-->
-<!--File generated 2022-05-04 17:00:03.2586-->
+<!--USGovDoD endpoints version 2022060100-->
+<!--File generated 2022-06-01 08:00:04.9385-->
## Exchange Online
ID | Category | ER | Addresses | Ports
## SharePoint Online and OneDrive for Business ID | Category | ER | Addresses | Ports | -- | | - | -
+-- | -- | | | -
9 | Optimize<BR>Required | Yes | `*.dps.mil, *.sharepoint-mil.us`<BR>`20.34.12.0/22, 104.212.48.0/23, 2001:489a:2204::/63, 2001:489a:2204:c00::/54` | **TCP:** 443, 80 10 | Default<BR>Required | No | `*.wns.windows.com, g.live.com, oneclient.sfx.ms` | **TCP:** 443, 80 19 | Allow<BR>Required | Yes | `*.od.apps.mil, od.apps.mil` | **TCP:** 443, 80
-20 | Default<BR>Required | No | `*.svc.ms, az741266.vo.msecnd.net, pf.pipe.aria.microsoft.com, spoprod-a.akamaihd.net, static.sharepointonline.com` | **TCP:** 443, 80
+20 | Default<BR>Required | No | `*.svc.ms, az741266.vo.msecnd.net, spoprod-a.akamaihd.net, static.sharepointonline.com` | **TCP:** 443, 80
## Skype for Business Online and Microsoft Teams
ID | Category | ER | Addresses | Ports
26 | Allow<BR>Required | Yes | `*.compliance.apps.mil, *.security.apps.mil, compliance.apps.mil, security.apps.mil`<BR>`23.103.191.0/24, 23.103.199.0/25, 23.103.204.0/22, 52.181.167.52/32, 52.181.167.91/32, 52.182.95.219/32, 2001:489a:2202::/62, 2001:489a:2202:8::/62, 2001:489a:2202:2000::/63` | **TCP:** 443, 80 28 | Default<BR>Required | No | `activity.windows.com, dod.activity.windows.us` | **TCP:** 443 29 | Default<BR>Required | No | `dod-mtis.cortana.ai` | **TCP:** 443
-30 | Default<BR>Required | No | `*.aadrm.us, *.informationprotection.azure.us` |
+30 | Default<BR>Required | No | `*.aadrm.us, *.informationprotection.azure.us` | **TCP:** 443
+31 | Default<BR>Required | No | `pf.events.data.microsoft.com, pf.pipe.aria.microsoft.com` | **TCP:** 443, 80
includes Office 365 U.S. Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-gcc-high-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--USGovGCCHigh endpoints version 2022050400-->
-<!--File generated 2022-05-04 17:00:04.9643-->
+<!--USGovGCCHigh endpoints version 2022060100-->
+<!--File generated 2022-06-01 08:00:06.2025-->
## Exchange Online
ID | Category | ER | Addresses | Ports
## SharePoint Online and OneDrive for Business ID | Category | ER | Addresses | Ports | -- | | - | -
+-- | -- | | - | -
9 | Optimize<BR>Required | Yes | `*.sharepoint.us`<BR>`20.34.8.0/22, 104.212.50.0/23, 2001:489a:2204:2::/63, 2001:489a:2204:800::/54` | **TCP:** 443, 80 10 | Default<BR>Required | No | `*.wns.windows.com, admin.onedrive.us, g.live.com, oneclient.sfx.ms` | **TCP:** 443, 80
-20 | Default<BR>Required | No | `*.svc.ms, az741266.vo.msecnd.net, spoprod-a.akamaihd.net, static.sharepointonline.com, tb.pipe.aria.microsoft.com` | **TCP:** 443, 80
+20 | Default<BR>Required | No | `*.svc.ms, az741266.vo.msecnd.net, spoprod-a.akamaihd.net, static.sharepointonline.com` | **TCP:** 443, 80
## Skype for Business Online and Microsoft Teams
ID | Category | ER | Addresses | Ports
-- | -- | | | 7 | Optimize<BR>Required | Yes | `*.gov.teams.microsoft.us, *.infra.gov.skypeforbusiness.us, *.online.gov.skypeforbusiness.us, gov.teams.microsoft.us`<BR>`52.127.88.0/21, 52.238.114.160/32, 52.238.115.146/32, 52.238.117.171/32, 52.238.118.132/32, 52.247.167.192/32, 52.247.169.1/32, 52.247.172.50/32, 52.247.172.103/32, 104.212.44.0/22, 195.134.228.0/22` | **TCP:** 443, 80<BR>**UDP:** 3478, 3479, 3480, 3481 21 | Default<BR>Required | No | `msteamsstatics.blob.core.usgovcloudapi.net, statics.teams.microsoft.com, teamsapuiwebcontent.blob.core.usgovcloudapi.net` | **TCP:** 443
+31 | Allow<BR>Required | Yes | `*.gov.skypeforbusiness.us, *.gov.teams.microsoft.us, gov.teams.microsoft.us` | **TCP:** 443, 80
## Microsoft 365 Common and Office Online
ID | Category | ER | Addresses | Ports
26 | Allow<BR>Required | Yes | `*.compliance.microsoft.us, *.security.microsoft.us, compliance.microsoft.us, security.microsoft.us`<BR>`13.72.179.197/32, 13.72.183.70/32, 23.103.191.0/24, 23.103.199.128/25, 23.103.208.0/22, 52.227.170.14/32, 52.227.170.120/32, 52.227.178.94/32, 52.227.180.138/32, 52.227.182.149/32, 52.238.74.212/32, 52.244.65.13/32, 2001:489a:2202:4::/62, 2001:489a:2202:c::/62, 2001:489a:2202:2000::/63` | **TCP:** 443, 80 28 | Default<BR>Required | No | `activity.windows.com, gcc-high.activity.windows.us` | **TCP:** 443 29 | Default<BR>Required | No | `gcch-mtis.cortana.ai` | **TCP:** 443
-30 | Default<BR>Required | No | `*.aadrm.us, *.informationprotection.azure.us` |
+30 | Default<BR>Required | No | `*.aadrm.us, *.informationprotection.azure.us` | **TCP:** 443
+32 | Default<BR>Required | No | `tb.events.data.microsoft.com, tb.pipe.aria.microsoft.com` | **TCP:** 443, 80
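Review bot: new row 31 in the Skype for Business Online and Microsoft Teams table repeats `*.gov.teams.microsoft.us` and `gov.teams.microsoft.us`, which row 7 already lists as Optimize, so the same FQDNs now sit in two categories (Optimize and Allow). Row 31 is also marked ER Yes but carries no IP ranges, unlike the other ER Yes rows visible here (7, 9 and 26). Either drop the duplicated names from one of the rows or state which category wins, and confirm whether row 31 is meant to be FQDN-only.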
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--Worldwide endpoints version 2022042800-->
-<!--File generated 2022-04-29 08:00:02.4595-->
+<!--Worldwide endpoints version 2022060100-->
+<!--File generated 2022-06-01 08:00:02.7692-->
## Exchange Online
ID | Category | ER | Addresses | Ports
## Skype for Business Online and Microsoft Teams ID | Category | ER | Addresses | Ports
- | - | | | -
-11 | Optimize<BR>Required | Yes | `13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14` | **UDP:** 3478, 3479, 3480, 3481
-12 | Allow<BR>Required | Yes | `*.lync.com, *.teams.microsoft.com, teams.microsoft.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443, 80
-13 | Allow<BR>Required | Yes | `*.broadcast.skype.com, broadcast.skype.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443
+ | - | | - | -
+11 | Optimize<BR>Required | Yes | `13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 2603:1063::/38` | **UDP:** 3478, 3479, 3480, 3481
+12 | Allow<BR>Required | Yes | `*.lync.com, *.teams.microsoft.com, teams.microsoft.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443, 80
+13 | Allow<BR>Required | Yes | `*.broadcast.skype.com, broadcast.skype.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443
15 | Default<BR>Required | No | `*.sfbassets.com` | **TCP:** 443, 80 16 | Default<BR>Required | No | `*.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net, mlccdn.blob.core.windows.net` | **TCP:** 443 17 | Default<BR>Required | No | `aka.ms` | **TCP:** 443 18 | Default<BR>Optional<BR>**Notes:** Federation with Skype and public IM connectivity: Contact picture retrieval | No | `*.users.storage.live.com` | **TCP:** 443 19 | Default<BR>Optional<BR>**Notes:** Applies only to those who deploy the Conference Room Systems | No | `*.adl.windows.com` | **TCP:** 443, 80
-22 | Allow<BR>Optional<BR>**Notes:** Teams: Messaging interop with Skype for Business | Yes | `*.skypeforbusiness.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443
+22 | Allow<BR>Optional<BR>**Notes:** Teams: Messaging interop with Skype for Business | Yes | `*.skypeforbusiness.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443
26 | Default<BR>Required | No | `*.msedge.net, compass-ssl.microsoft.com` | **TCP:** 443 27 | Default<BR>Required | No | `*.mstea.ms, *.secure.skypeassets.com, mlccdnprod.azureedge.net` | **TCP:** 443 127 | Default<BR>Required | No | `*.skype.com` | **TCP:** 443, 80
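Review bot: `2603:1063::/38` is added to rows 11, 12, 13 and 22, but it is a /38 where every neighbouring `2603:` entry is a /48, and on row 11 (Optimize, UDP 3478 to 3481) it is the only IPv6 range while rows 12, 13 and 22 carry the full IPv6 set. Confirm the prefix length and that row 11 is meant to list just this one IPv6 prefix. Allow lists built from version 2022042800 will not include the new range.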
lighthouse M365 Lighthouse Deploy Standard Tenant Configurations Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md
You can view the default baseline and its deployment steps from within Lighthous
## Lighthouse baseline
-Lighthouse baseline configurations are designed to make sure all managed tenants are secure and compliant. Select **Baselines** from the left navigation pane to view the default baseline that applies to all tenants. To view the deployment steps included in the default baseline, select **View baseline** to open the default baseline page. Select any of the deployment steps to view deployment details and user impact.
+Lighthouse baseline configurations are designed to make sure all managed tenants are secure and compliant. Select **Baselines** from the left navigation pane to view the default baseline that applies to all tenants. To view the deployment steps included in the default baseline, select **View baseline** to open the **Default baseline** page. Select any of the deployment steps to view deployment details and user impact.
:::image type="content" source="../media/m365-lighthouse-deploy-baselines/default-baseline-page.png" alt-text="Screenshot of the Default baseline page.":::
Lighthouse baseline configurations are designed to make sure all managed tenants
| Require MFA for end users | A Conditional Access policy that requires multi-factor authentication for all users. It's required for all cloud applications. For more information about this baseline, see [Conditional Access: Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa). | | Block legacy authentication | A Conditional Access policy to block legacy client authentication. For more information about this baseline, see [Block legacy authentication to Azure AD with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication).| | Set up device enrollment | Device enrollment to allow your tenant devices to enroll in Microsoft Endpoint Manager. This is done by setting up Auto Enrollment between Azure Active Directory and Microsoft Endpoint Manager. For more information about this baseline, see [Set up enrollment for Windows devices](/mem/intune/enrollment/windows-enroll). |
-| Setup Exchange Online Protection and Microsoft Defender for Office 365 | A policy to apply recommended anti-spam, anti-malware, anti-phishing, safe links and safe attachment policies to your tenants Exchange Online mailboxes. |
+| Set up Exchange Online Protection and Microsoft Defender for Office 365 | A policy to apply recommended anti-spam, anti-malware, anti-phishing, safe links and safe attachment policies to your tenants Exchange Online mailboxes. |
| Configure Microsoft Defender Antivirus for Windows 10 and later | A device configuration profile for Windows devices with pre-configured Microsoft Defender Antivirus settings. For more information about this baseline, see [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure).| | Configure Microsoft Defender Firewall for Windows 10 and later | A firewall policy to help secure devices by preventing unwanted and unauthorized network traffic. For more information about this baseline, see [Best practices for configuring Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/best-practices-configuring). | | Configure a device compliance policy for Windows 10 and later | A Windows device policy with pre-configured settings to meet basic compliance requirements. For more information about this baseline, see [Conditional Access: Require compliant or hybrid Azure AD joined device](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device). |
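Review bot: the row being edited still reads "to your tenants Exchange Online mailboxes", which is missing the possessive apostrophe ("your tenants' Exchange Online mailboxes"); fix it in the same pass as the "Setup" to "Set up" correction. This is also the only row in the visible table without a "For more information about this baseline, see ..." link, so add one if a target article exists.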
lighthouse M365 Lighthouse Manage Tenant List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-manage-tenant-list.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-whats-new.md
+
+ Title: "What's new in Microsoft 365 Lighthouse"
+f1.keywords: CSH
++++
+audience: Admin
+
+ms.localizationpriority: medium
+
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolio
+- M365-Lighthouse
+search.appverid: MET150
+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, see what's been added, changed, and fixed in Microsoft 365 Lighthouse each month."
++
+# What's new in Microsoft 365 Lighthouse
+
+We're continuously adding new features to [Microsoft 365 Lighthouse](m365-lighthouse-overview.md), fixing issues we learn about, and making changes based on your feedback. Review this article to discover what we've been working on.
+
+> [!NOTE]
+> Some features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, you should see it soon.
+
+## May 2022
+
+### Redesigned left navigation pane
+
+We've given the left navigation pane in Microsoft 365 Lighthouse a new look. You'll notice a sleeker design, with top-level nodes like Tenants, Users, and Devices that expand to show related subnodes, like Risky users, Device compliance, and Threat management. This navigation model aligns with the model used by other Microsoft 365 admin centers.
+
+### Enriched user details pane
+
+We've redesigned the user details pane to include more user information and more actions that you can take to better manage users. It now has the same look and feel as the user details pane in the Microsoft 365 admin center. To access the user details pane in Microsoft 365 Lighthouse, select **Users** from the left navigation pane, and then select either **Search users** or **Risky users**. Select any user to open the details pane.
+
+## April 2022
+
+### Delegated access type and roles on Tenants page
+
+We've updated the **Tenants** page to list the Managed Service Provider (MSP)'s delegated access type (None, DAP, GDAP, or Both DAP & GDAP) per customer under the **Delegated access** column. We've also added a new column titled **Your roles** that lists the DAP and GDAP roles per customer for a signed-in user. These two enhancements to the **Tenants** page will make it easier for partner technicians to understand which types of delegated administrative permissions are available for each customer and which delegated roles have explicitly been granted to them.
+
+To learn more, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md).
+
+## March 2022
+
+### Windows 365 Business integration and management actions
+
+Based on user feedback, we've integrated Windows 365 Business into Microsoft 365 Lighthouse. This will help you manage and monitor all of your customers' Cloud PCs from a single location.
+
+In addition to integrating with Windows 365 Business Cloud PCs in Microsoft 365 Lighthouse, you can now take the following management actions:
+
+- Restart
+- Reprovision
+- Rename
+
+To learn more about the new features, see [Overview of the Windows 365 (Cloud PCs) page in Microsoft 365 Lighthouse](m365-lighthouse-win365-page-overview.md).
+
+### Microsoft 365 Lighthouse partner amendment
+
+Now that Microsoft 365 Lighthouse is in General Availability, we require our current partners to sign an updated Microsoft 365 Lighthouse partner amendment. All Microsoft 365 Lighthouse partners who signed up during the preview period will be prompted to complete this new agreement in the coming weeks. Completion will require Global Administrator rights in the partner tenant and must be completed within 90 days to continue accessing the Microsoft 365 Lighthouse portal.
+
+## February 2022
+
+### Granular Delegated Access Permissions (GDAP) roles
+
+Microsoft 365 Lighthouse now includes the capability for MSPs to use Granular Delegated Admin Privileges (GDAP) roles. With the latest update, MSPs can leverage GDAP roles for their technicians that enable the principle of least privilege access in Microsoft 365 Lighthouse. This capability reduces the risks inherent in the broad permissions of the Delegated Access Permissions (DAP) role of the Admin Agent by enabling granular controls on the customers' data and settings that each technician will be able to work with.
+
+To learn more about GDAP in Microsoft 365 Lighthouse, see [Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md).
+
+### Capability to notify users to act on non-compliant devices
+
+As part of the device compliance baseline step, we've added the capability to notify users in a customer tenant to act on non-compliant devices. With this change, once you apply the device compliance deployment step for any customer tenant, the device compliance policy created in that tenant will automatically send a notification to users when their device becomes non-compliant reminding them to take appropriate action to bring the device back into compliance.
+
+### Deployment validation and reporting
+
+Microsoft 365 Lighthouse can now test tenant configurations for deployment steps with Conditional Access policies.
+
+This new functionality detects existing policies within the customer tenants that you manage and compares them to your deployment plan. Microsoft 365 Lighthouse then provides status designations for deployment steps and deployment step processes to help you understand which deployment processes have already been completed, which ones need to be addressed, and where the settings prescribed by the deployment plan are equal to, missing from, or in conflict with the settings included in the existing policies. Knowing this information makes identifying, prioritizing, and resolving policy conflicts faster, easier, and more effective.
+
+### Deployment step to configure Microsoft Defender Firewall
+
+Microsoft 365 Lighthouse has added the Configure Microsoft Defender Firewall deployment step to its default baseline. This step helps MSPs secure customer tenant devices through the default firewall configuration for Windows 10 (and later) devices. Microsoft Defender Firewall blocks unauthorized network traffic flowing into or out of customer tenant devices and reduces the risk of network security threats. A Microsoft Defender Firewall Rules feature is currently under development.
+
+Microsoft Defender Firewall is turned on by default on Windows 10 (and later) devices. If your customer tenant doesn't have this configured, follow these steps:
+
+1. On the **Tenants** page in Microsoft 365 Lighthouse, select the customer tenant to open the tenant's **Overview** page.
+2. Select the **Deployment Plan** tab.
+3. From the list of deployment steps, select **Configure Microsoft Defender Firewall**.
+4. Select **Review and deploy** to deploy this configuration to the customer tenant.
+
+### Increase in maximum license limit
+
+We're making it possible to manage more of your customers in Microsoft 365 Lighthouse by increasing the maximum license limit for customer onboarding. Customers with up to 1000 user licenses can now be onboarded to Microsoft 365 Lighthouse. We'll continue to evaluate this requirement in future Microsoft 365 Lighthouse releases.
+
+For more information, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md).
+
+### Support for advisor customers
+
+We've changed our onboarding requirements to allow existing customer tenants with advisor relationships to be onboarded to Microsoft 365 Lighthouse. Customers with both reseller and advisor contracts are now eligible to be in Microsoft 365 Lighthouse if they meet the requirements for delegated access permissions, have the required licenses, and don't exceed the maximum user count.
+
+For more information, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md).
+
+## January 2022
+
+### Capability to view audit logs in Microsoft 365 Lighthouse
+
+Microsoft 365 Lighthouse now includes the capability to view audit logs. You can review past actions to find misconfigurations and risky actions for remediation, support process and security investigation, train employees, and meet compliance and auditing requirements. With the latest update, you can:
+
+- View audit logs to see all actions taken inside Microsoft 365 Lighthouse, including what changed in which customer tenant, when it was changed, and who changed it.
+- Search and filter audit logs to find specific information.
+- Export logs so you can analyze and retain them.
+
+In the left navigation pane of Microsoft 365 Lighthouse, select **Audit logs**. Or, [go directly to the Audit logs page now](https://lighthouse.microsoft.com/#blade/Microsoft_Intune_MTM/Audit.ReactView) to check it out.
+
+## November 2021
+
+### Microsoft 365 services usage data
+
+You can now view usage data for Microsoft 365 services from within Microsoft 365 Lighthouse. Understanding how customers use their Microsoft 365 services is critical to helping them get the most out of their IT investments. Instead of using multiple resources to view information across your customers' various productivity, security, and compliance services, Microsoft 365 Lighthouse aggregates them into one simple, powerful view.
+
+These insights can help inform your customer engagements and deliver more value to your customers by empowering you to help them understand which services their users actively use and where there may be opportunities to enhance their security or productivity.
+
+For more information, see [Overview of the Tenants page in Microsoft 365 Lighthouse: Microsoft 365 usage card](m365-lighthouse-tenants-page-overview.md#microsoft-365-usage-card).
+
+### Exchange Online Protection and Microsoft 365 Defender for Office 365 default baseline step
+
+We've added a new step to the default baseline to include guidance for enabling Security Policies for Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO). EOP and MDO help protect users from spam, phishing, and malware emails by sending the emails to the user's quarantine or junk mail folder (coming soon). The deployment plan guides you in setting up EOP and MDO, further expanding your security stance during your next customer tenant deployment plan review.
+
+### Default tenant tags
+
+You can now designate certain tenant tags as *default* from the **Manage tags** pane on the **Tenants** page, so the next time you sign in to Microsoft 365 Lighthouse, all your views and insights will be filtered by default to show only the tenants that have a default tag. Default tags can help you focus on insights for high-priority customer tenants.
+
+## October 2021
+
+### Capability to filter by multiple tenant tags
+
+It's now possible to filter data by multiple tenant tags at the same time. This functionality can help you more easily filter the existing views and insights that are available in Microsoft 365 Lighthouse to show relevant customer tenants.
+
+### Capability to assign baseline configurations to specific Azure Active Directory groups
+
+We've added the capability to assign baseline configurations to specific Azure Active Directory (Azure AD) groups of your customer tenants from within Microsoft 365 Lighthouse. From any deployment step page, browse and select the specific Azure AD groups that you want to include or exclude, and then deploy the configurations to your customer tenant.
+
+### Improvements to Risky users page
+
+You can now easily view and understand the reasons for a user's risk from within Microsoft 365 Lighthouse. In the left navigation pane of Microsoft 365 Lighthouse, select **Users**, and then select the **Risky users** tab. Select **View risk detections** in the **Details** column for any user. From here, you can review the details of the risk and then select **Confirm user compromised** or **Dismiss user risk**. You can also confirm or dismiss a risk for multiple users at the same time from the **Risky users** page. The ability to dismiss a user's risk can be useful when password reset isn't an option or if you believe the affected user is no longer at risk.
+
+### Capability to provide feedback on Microsoft 365 Lighthouse
+
+Your feedback matters and is important to us, so we've added new feedback functionality that will occasionally (no more than once a month) prompt you to provide feedback. You can also provide feedback at any time by selecting the feedback icon in the upper-right corner of Microsoft 365 Lighthouse.
+
+## September 2021
+
+### Tenant filter changes
+
+We've made some changes to the tenant filtering experience to help you quickly view and manage tenants and tags from any page within Microsoft 365 Lighthouse. Select the **Tenants** filter at the top of any page and then browse or enter the tenant or tag name that you want to filter by.
+
+## August 2021
+
+### In-product email workflows to communicate with users
+
+We've made it easier to communicate with users in your customer tenants about actions they're required to take. From the list of users not registered for multifactor authentication (MFA) or self-service password reset, you can now select one or more users and send them an email message using a downloadable email template.
+
+### Capability to take action on noncompliant devices
+
+We've introduced the capability to sync or restart one or more devices across multiple customer tenants. This functionality helps ensure that your customers' devices are protected from risk. To check out this functionality, select **Devices** from the left navigation pane in Microsoft 365 Lighthouse, and then select the **Devices** tab. Look for the **Sync** and **Restart** options above the devices list. You can also access these options from the device details pane of any device.
+
+### Capability to monitor and manage Windows 365 Cloud PCs
+
+We've added the capability to monitor on-premises connections and provision and manage Windows 365 Cloud PCs across all of your customer tenants. The new **Windows 365** page provides detailed information about all of your tenants' Cloud PCs in one convenient location.
+
+### Support for Microsoft 365 E3 customers
+
+We've changed our onboarding requirements to allow you to onboard Microsoft 365 E3 customers to Microsoft 365 Lighthouse. To qualify to be managed in Microsoft 365 Lighthouse, each customer must meet the following requirements:
+
+- Must have delegated access set up for the MSP to be able to manage the customer tenant
+- Must have at least one Microsoft 365 Business Premium or Microsoft 365 E3 license
+- Must have no more than 500 licensed users
+
+For more information about requirements, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md).
+
+## June 2021
+
+### Capability to add custom tags to customer tenants
+
+You can now create and apply custom tags to the customer tenants that you manage in Microsoft 365 Lighthouse. Use these tags to help you organize your tenants, or use them to more easily filter your tenant list to show insights for relevant sets of customer tenants.
+
+### Baselines to standardize your customer tenant deployments
+
+With the new baselines feature, you can now deploy standard configurations to help secure users, devices, and data in customer tenants. The default baseline currently contains the following deployment steps (with more coming soon):
+
+- Require MFA for admins
+- Require MFA for users
+- Block Legacy Authentication
+- Enroll Windows Devices in Microsoft Endpoint Manager ΓÇô Azure AD Join
+- Configure Defender AV policy for Windows devices
+- Configure Compliance Policy for Windows devices
+
+To act on these deployment steps, select **Tenants** from the left navigation pane in Microsoft 365 lighthouse, select a tenant from the tenants list, and then select the **Deployment plan** tab.
+
+## May 2021
+
+### Enhancements to Tenants page
+
+We've made the following enhancements to the **Tenants** page:
+
+- Added a list of total counts by issue to the top of the page
+- Provided the capability to hover over a status in the **Status** column of the tenants list to see restriction details
+- Improved the status labels
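Review bot: the February 2022 heading expands GDAP as "Granular Delegated Access Permissions" while the paragraph directly under it says "Granular Delegated Admin Privileges (GDAP)", and the same paragraph expands DAP as "Delegated Access Permissions"; pick one expansion for each acronym and use it in both heading and body, since these are the permission models readers will search for. Smaller consistency points in the new file: the November 2021 heading says "Microsoft 365 Defender for Office 365" but the body says "Microsoft Defender for Office 365 (MDO)"; the tab is "**Deployment Plan**" in the firewall steps and "**Deployment plan**" in the June 2021 section; "Microsoft 365 lighthouse" is lowercase in the June 2021 section; and the dash in the "Enroll Windows Devices in Microsoft Endpoint Manager" bullet shows up as mojibake here, so check the file's encoding.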
security Attack Surface Reduction Rules Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md
The **Block abuse of exploited vulnerable signed drivers** rule does not block a
<!--The above link is the 'only link' that exists for having drivers examined. The 'en-us' component is required to make the link work. Any alterations to this link will result in a 404. -->
-Intune Name: `Block abuse of exploited vulnerable signed drivers` (not yet available)
+Intune Name: `Block abuse of exploited vulnerable signed drivers`
Configuration Manager name: Not yet available
security Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md
Controlled folder access is supported on the following versions of Windows:
- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) and later - Windows 11
+- Windows 2012 R2
+- Windows 2016
- [Windows Server 2019](/windows-server/get-started-19/whats-new-19) - Windows Server 2022
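Review bot: the two added bullets name the products as "Windows 2012 R2" and "Windows 2016", while the entries next to them use "Windows Server 2019" and "Windows Server 2022"; write them as "Windows Server 2012 R2" and "Windows Server 2016" so readers do not mistake them for client releases. They are also inserted between the Windows 11 and Windows Server 2019 entries without links, whereas the Windows 10 and Windows Server 2019 entries link to their release pages. If support on these older server versions depends on a particular agent or update, state that requirement in the list.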
security Export Certificate Inventory Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/export-certificate-inventory-assessment.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender Vulnerability Management - Update](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender Vulnerability Management? [Sign up for a free trial.- Update](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
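Review bot: the trial callout under the list still reads `[Sign up for a free trial.- Update]`, carrying the same stray "- Update" suffix that this change removes from the Vulnerability Management bullet, so the cleanup is only half done. Drop the suffix from the link text in the same commit. The identical leftover is visible in export-security-baseline-assessment.md.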
security Export Security Baseline Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/export-security-baseline-assessment.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender Vulnerability Management - Update](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender Vulnerability Management? [Sign up for a free trial.- Update](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Get Assessment Secure Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-secure-config.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Get Discovered Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-discovered-vulnerabilities.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Get Installed Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-installed-software.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Get Missing Kbs Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-missing-kbs-machine.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Applies to:**
+**Applies to:**
+ - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
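Review bot: The Applies-to list added here carries only the Defender for Endpoint Plan 2 and Defender Vulnerability Management entries, while the sibling API articles in this batch also list Microsoft 365 Defender; add that entry or confirm the omission is intended. The `-**Applies to:**` / `+**Applies to:**` pair looks like a whitespace-only change, so it is worth checking that no trailing-space churn is being committed.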
security Get Remediation All Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-all-activities.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Get Remediation Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-methods-properties.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Get Remediation One Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-one-activity.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Get Security Baselines Assessment Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-configurations.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender Vulnerability Management - Update](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender Vulnerability Management? [Sign up for a free trial.- Update](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
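Review bot: The placeholder bullet "[Microsoft Defender Vulnerability Management - Update]" is replaced, but the same "- Update" residue is still inside the trial link text on the line that follows ("[Sign up for a free trial.- Update]") and should be cleaned up in the same change. That blurb names Defender Vulnerability Management while the sign-up URL still points at `MDEp2OpenTrial`, so check that the target matches the product the sentence names.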
security Get Security Baselines Assessment Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-profiles.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender Vulnerability Management - Update](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender Vulnerability Management? [Sign up for a free trial.- Update](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
security Get Security Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-recommendations.md
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** + - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
It's important to understand the following prerequisites prior to creating indic
- URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). - The Antimalware client version must be 4.18.1906.x or later. -- Supported on machines on Windows 10, version 1709 or later, Windows 11, Windows Server 2016, Windows Server 2012 R2, Windows Server 2019, and Windows Server 2022.
+- Supported on machines on Windows 10, version 1709 or later, Windows 11, Windows Server 2016, Windows Server 2012 R2, Windows Server 2019, Windows Server 2022, and Android and iOS devices.
> [!NOTE] > Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016) for this feature to work. - Ensure that **Custom network indicators** is enabled in **Microsoft 365 Defender** \> **Settings** \> **Advanced features**. For more information, see [Advanced features](advanced-features.md).-- For support of indicators on iOS, see [Configure custom indicators](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-custom-indicators).
+- For support of indicators on iOS, see [Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-custom-indicators).
+- For support of indicators on Android, see [Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-configure#configure-custom-indicators).
> [!IMPORTANT] > Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
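Review bot: The supported-platforms bullet now includes Android and iOS devices, but the two prerequisites above it (Network Protection enabled in block mode, Antimalware client version 4.18.1906.x or later) still read as applying to every listed platform; state which prerequisites apply to mobile devices, or scope those two bullets to Windows. The iOS and Android bullets also use the product name as link text while pointing at the `#configure-custom-indicators` anchor, so the earlier "Configure custom indicators" wording described the destination more accurately.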
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+## 101.70.18 (20.122042.17018.0)
+
+- Fixed a bug where the installation package was sometimes hanging indefinitely during product updates
+- Fixed a bug where the product sometimes was incorrectly detecting files inside the quarantine folder
+- Performance improvements & other bug fixes
+ ## 101.66.54 (20.122041.16654.0) - Addressed an issue where `mdatp diagnostic real-time-protection-statistics` was not printing the correct process path in some cases.
security Defender Vulnerability Management Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities.md
This article is intended to provide a high-level overview of the vulnerability f
- **Microsoft Defender Vulnerability Management**. To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
-|Feature/Capability_| Defender Vulnerability Management <p> _Core capabilities part of Defender for Endpoint Plan 2_| Defender Vulnerability Management add-on <p> _Additional capabilities for Defender for Endpoint Plan 2_| Defender Vulnerability Management Standalone <p> _Full vulnerability Management capabilities_|
-|:|:|:|:|
-[Device discovery](../defender-endpoint/device-discovery.md) <p> |Yes <p>| No <p>|Yes <p>|
-[Device inventory](../defender-endpoint/machines-view-overview.md) <p> |Yes <p>| No <p>|Yes <p>|
-[Vulnerability assessment](tvm-weaknesses.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> |Yes <p>| No <p>|Yes <p>|
-[Risk based prioritization](tvm-security-recommendation.md) <p> |Yes <p>| No <p>|Yes <p>|
-[Remediation tracking](tvm-remediation.md) <p> |Yes <p>| No <p>|Yes <p>|
-[Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> |Yes <p>| No <p>|Yes <p>|
-[Software assessment](tvm-software-inventory.md) <p> |Yes <p>| No <p>|Yes <p>|
-[Security baselines assessment](tvm-security-baselines.md) <p> |No <p>| Yes <p>|Yes <p>|
-[Block vulnerable applications](tvm-block-vuln-apps.md) <p> |No <p>| Yes <p>|Yes <p>|
-[Browser extensions](tvm-browser-extensions.md) <p> |No <p>| Yes <p>|Yes <p>|
-[Digital certificate assessment](tvm-certificate-inventory.md) <p> |No <p>| Yes <p>|Yes <p>|
-[Network share analysis](tvm-network-share-assessment.md) |No <p>| Yes <p>|Yes <p>|
+| Defender Vulnerability Management <p> _Core capabilities part of Defender for Endpoint Plan 2_| Defender Vulnerability Management add-on <p> _Additional capabilities for Defender for Endpoint Plan 2_| Defender Vulnerability Management Standalone <p> _Full vulnerability Management capabilities_|
+|:|:|:|
+ [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Software assessment](tvm-software-inventory.md) <p> | [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md) | [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Software assessment](tvm-software-inventory.md) <p> [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md)|
## Next steps
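Review bot: In the new single-row table, the Standalone cell lists the core capabilities in a different order from the first cell (Continuous monitoring now precedes Risk based prioritization, and Configuration assessment follows Remediation tracking), which makes it hard to confirm that Standalone equals core plus add-on; keep the same order in both cells. The data row also starts without a leading `|` although the header and separator rows have one, so check that it renders as a table row.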
security Advanced Hunting Aadspnsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadspnsignineventsbeta-table.md
Title: AADSpnSignInEventsBeta table in the advanced hunting schema description: Learn about information associated with Azure Active Directory's service principal and managed identity sign-in events table.
-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, entities, evidence, file, IP address, device, machine, user, account, identity, AAD
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Attack Simulation Training End User Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-end-user-notifications.md
On the details flyout from the **Tenant notifications** tab only, click **Edit n
## Create end-user notifications
-On the **Tenant notifications** tab, you can click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** to start the new end-user notification wizard.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **End user notifications**. To go directly to the **Simulation content library** tab where you can select **End user notifications**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.
-1. On the **Define details** page**, configure the following settings:
+2. On the **Tenant notifications** tab, click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** to start the end user notification wizard.
+
+ > [!NOTE]
+ > At any point during the creation wizard, you can click **Save and close** to save your progress and continue configuring the notification later. You can pick up where you left off by selecting the notification on the **Tenant notifications** tab in **End user notifications**, and then clicking ![Edit automation icon.](../../media/m365-cc-sc-edit-icon.png) **Edit automation**. The partially-completed notification will have the **Status** value **Draft**.
+
+3. On the **Define details** page**, configure the following settings:
- **Select notification type**: Select one of the following values: - **Positive reinforcement notification** - **Simulation notification**
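Review bot: The NOTE added under step 2 tells the reader to resume a draft by clicking **Edit automation** (with the "Edit automation icon" alt text), which looks copied from the payload automations article; the modify section of this article uses **Edit** and **Edit notification**, so the note should name the control that actually appears on the **Tenant notifications** tab. Step 3 carries over the stray `**` after "page" from the old step 1 (`**Define details** page**`), and step 1 reads "tab \> and then select", where the `\>` before "and then" should be dropped.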
On the **Tenant notifications** tab, you can click ![Create new icon.](../../med
When you're finished, click **Next**.
-2. On the **Define content** page, the only setting that's available is the **Add content in business language** button. When you click it, an **Add content in default language** flyout appears that contains the following settings:
+4. On the **Define content** page, the only setting that's available is the **Add content in business language** button. When you click it, an **Add content in default language** flyout appears that contains the following settings:
- **From display name** - **From email address** - **Select the language of the email**: Select a language from the list.
On the **Tenant notifications** tab, you can click ![Create new icon.](../../med
When you're finished, click **Next**
-3. On the **Review notification** page, you can review the details of your notification.
+5. On the **Review notification** page, you can review the details of your notification.
You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
To modify an existing custom notification on the **Tenant notifications** tab, d
- Click **Γï«** (**Actions**) between the **Notifications** and **Language** values of the notification in the list, and then select ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**. - Select the notification from the list by clicking anywhere in the row except the check box. In the details flyout that opens, click **Edit notification**.
-The end-user notification wizard opens with the settings and values of the selected notification page. Tthe steps are the same as described in the [Create end-user notifications](#create-end-user-notifications) section.
+The end-user notification wizard opens with the settings and values of the selected notification. The steps are the same as described in the [Create end-user notifications](#create-end-user-notifications) section.
## Copy end-user notifications
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
For step by step instructions on how to create and send a new simulation, see [S
### Create a payload
-For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for Attack simulation training](attack-simulation-training-payloads.md).
+For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for Attack simulation training](attack-simulation-training-payloads.md#create-payloads).
### Gaining insights
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
The **Recommended actions** section on the simulation details page shows recomme
[Create a phishing attack simulation](attack-simulation-training.md)
-[create a payload for training your people](attack-simulation-training-payloads.md)
+[create a payload for training your people](attack-simulation-training-payloads.md#create-payloads)
security Attack Simulation Training Payload Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations.md
ms.technology: mdo
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, payload automations (also known as _payload harvesting_) collect information from real-world phishing messages that were reported by users in your organization. Although the numbers of these messages are likely low in your organization, you can specify the conditions to look for in phishing attacks (for example, recipients, social engineering technique, sender information, etc.). Attack simulation training will then mimic the messages and payloads used in the attack to automatically launch harmless simulations to targeted users.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, payload automations (also known as _payload harvesting_) collect information from real-world phishing attack messages that were reported by users in your organization. Although the numbers of these messages are likely low in your organization, you can specify the conditions to look for in phishing attacks (for example, recipients, social engineering technique, sender information, etc.). Attack simulation training will then mimic the messages and payloads used in the attack to automatically launch harmless simulations to targeted users.
-To create a payload automation, do the following steps:
+To see the available payload automations, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> and then select **Payload automations**. To go directly to the **Automations** tab where you can select **Payload automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.
+
+The following information is shown for each payload automation:
+
+- **Automation name**
+- **Type**: The value is **Payload**.
+- **Items collected**
+- **Last modified**
+- **Status**: The value is **Ready** or **Draft**.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com/>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> **Payload automations**.
+When you select a payload automation from the list, a details flyout appears with the following information:
- To go directly to the **Automations** tab where you can select **Payload automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.
+- **General** tab: Displays basic information about the simulation automation.
+- **Run history** tab: This tab is available only for payload automations with the **Status** value **Ready**.
+
+## Create payload automations
+
+To create a payload automation, do the following steps:
-2. In **Payload automations**, select ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) **Create automation**.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com/>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> **Payload automations**. To go directly to the **Automations** tab where you can select **Payload automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.
+
+ Click ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) **Create automation**.
:::image type="content" source="../../media/attack-sim-training-sim-automations-create.png" alt-text="The Create simulation button on the Payload automations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-sim-automations-create.png":::
-3. The creation wizard opens. The rest of this article describes the pages and the settings they contain.
+ > [!NOTE]
+ > At any point during the creation wizard, you can click **Save and close** to save your progress and continue configuring the payload automation later. You can pick up where you left off by selecting the payload automation in **Payload automations**, and then clicking ![Edit automation icon.](../../media/m365-cc-sc-edit-icon.png) **Edit automation**. The partially-completed payload automation will have the **Status** value **Draft**.
+
+2. On the **Automation name** page, configure the following settings:
+
+ - **Name**: Enter a unique, descriptive name for the payload automation.
+ - **Description**: Enter an optional detailed description for the payload automation.
+
+ When you're finished, click **Next**.
+
+3. On the **Run conditions** page, select the conditions of the real phishing attack that determines when the automation will run.
+
+ Click ![Add condition icon.](../../media/m365-cc-sc-create-icon.png) **Add condition** and select from one of the following conditions:
+
+ - **No. of users targeted in the campaign**: Configure the following settings:
+ - **Equal to**, **Less than**, **Greater than**, **Less than or equal to**, or **Greater than or equal to**.
+ - **Enter value**: The number of users that were targeted by the phishing campaign.
+ - **Campaigns with a specific phish technique**: Select one of the available values:
+ - **Credential harvest**
+ - **Malware attachment**
+ - **Link in attachment**
+ - **Link to malware**
+ - **Drive-by URL**
+ - **Specific sender domain**: Enter a sender email domain value (for example, contoso.com).
+ - **Specific sender name**: Enter a sender name value.
+ - **Specific sender email**: Enter a sender email address.
+ - **Specific user and group recipients**: Start typing the name or email address of the user or group. When it appears, select it.
+
+ You can use each condition only once. Multiple conditions use AND logic (\<Condition1\> and \<Condition2\>).
+
+ To add another condition, click ![Add condition icon.](../../media/m365-cc-sc-create-icon.png) **Add condition**.
+
+ To remove a condition after you've added it, click ![Remove icon.](../../media/m365-cc-sc-delete-icon.png).
+
+ When you're finished, click **Next**.
+
+4. On the **Review automation** page, you can review the details of your payload automation.
+
+ You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+
+ When you're finished, click **Submit**.
+
+5. On the **New automation created** page, you can use the links to turn on the automation or go to the **Simulations** page.
-> [!NOTE]
-> At any point during the creation wizard, you can click **Save and close** to save your progress and continue configuring the payload automation later. You can pick up where you left off by selecting the payload automation in **Payload automations**, and then clicking ![Edit automation icon.](../../media/m365-cc-sc-edit-icon.png) **Edit automation**.
+ When you're finished, click **Done**.
-## Automation name
+Back on the **Payload automations** in **Automations**, the login page that you created is now list.
-On the **Automation name** page, configure the following settings:
+## Turn payload automations on or off
-- **Name**: Enter a unique, descriptive name for the payload automation.-- **Description**: Enter an optional detailed description for the payload automation.
+You can only turn on or turn off payload automations where the **Status** value is **Ready**. You can't turn on or turn off incomplete payload automations where the **Status** value is **Draft**.
-When you're finished, click **Next**.
+To turn on a payload automation, select it from the list by clicking the check box. Click the ![Turn on icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** icon that appears, and then click **Confirm** in the dialog.
-## Run conditions
+To turn off a payload automation, select it from the list by clicking the check box. Click the ![Turn off icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** icon that appears, and then click **Confirm** in the dialog.
-On the **Run conditions** page, select the conditions of the real phishing attack that determines when the automation will run.
+## Modify payload automations
-You can use each condition only once. Multiple conditions use AND logic (\<Condition1\> and \<Condition2\>).
+To modify an existing payload automation in **Payload automations**, do one of the following steps:
-![Add condition icon.](../../media/m365-cc-sc-create-icon.png) **Add condition**.
+- Select the payload automation from the list by clicking the check box. Click the ![Edit automation icon.](../../media/m365-cc-sc-edit-icon.png) **Edit automation** icon that appears.
+- Select the payload automation from the list by clicking anywhere in the row except the check box. In the details flyout that opens, on the **General** tab, click **Edit** in the **Name**, **Description**, or **Run conditions** sections.
-- **No. of users targeted in the campaign**: Configure the following settings:
- - **Equal to**, **Less than**, **Greater than**, **Less than or equal to**, or **Greater than or equal to**.
- - **Enter value**: The number of users that were targeted by the phishing campaign.
-- **Campaigns with a specific phish technique**: Select one of the available values:
- - **Credential harvest**
- - **Malware attachment**
- - **Link in attachment**
- - **Link to malware**
- - **Drive-by URL**
-- **Specific sender domain**: Enter a sender email domain value (for example, contoso.com).-- **Specific sender name**: Enter a sender name value.-- **Specific sender email**: Enter a sender email address.-- **Specific user and group recipients**: Start typing the name or email address of the user or group. When it appears, select it.
+The payload automation wizard opens with the settings and values of the selected payload automation. The steps are the same as described in the [Create payload automations](#create-payload-automations) section.
-To remove a condition after you've added it, click ![Remove icon.](../../media/m365-cc-sc-delete-icon.png).
+## Remove payload automations
-When you're finished, click **Next**.
+To remove a payload automation, select the payload automation from the list by clicking the check box. Click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears, and then click **Confirm** in the dialog.
-## Review automation
+## Related links
-On the **Review automation** page, you can review the details of your payload automation.
+[Get started using Attack simulation training](attack-simulation-training-get-started.md)
-You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+[Simulation automations for Attack simulation training](attack-simulation-training-simulation-automations.md)
-When you're finished, click **Submit**.
+[Gain insights through Attack simulation training](attack-simulation-training-insights.md)
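Review bot: In "Turn payload automations on or off", the turn-off paragraph tells the reader to click the **Turn on** icon even though its alt text is "Turn off icon"; it should read **Turn off**. The sentence after step 5 says "the login page that you created is now list", which should refer to the payload automation and read "listed". The **General** tab description says "simulation automation" where this article is about payload automations, and the new intro repeats the "tab \> and then select" phrasing with a stray `\>`.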
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
Title: Create custom payloads for Attack simulation training
+ Title: Payloads for Attack simulation training
- M365-security-compliance - m365initiative-defender-office365
-description: Admins can learn how to create custom payloads for Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+description: Admins can learn how to create and manage payloads for Attack simulation training in Microsoft Defender for Office 365 Plan 2.
ms.technology: mdo
-# Create custom payloads for Attack simulation training in Defender for Office 365
+# Payloads for Attack simulation training in Defender for Office 365
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] **Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-In Attack simulation training, a _payload_ is the phishing email message and webpages that are presented to users in simulations. Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 offers a robust built-in payload catalog for the available social engineering techniques. However, you might want to create custom payloads that will work better for your organization.
+In Attack simulation training, a _payload_ is the phishing email message and links or attachment content that's are presented to users in simulations. Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 offers a robust built-in payload catalog for the available social engineering techniques. However, you might want to create custom payloads that will work better for your organization.
-This article describes how to create your own payloads in Attack simulation training. You can create custom payloads in the following locations:
+To see the available payloads, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **Payloads**. To go directly to the **Simulation content library** tab where you can select **Payloads**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.
-- **Payloads**: In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> **Payloads**. To go directly to the **Simulation content library** tab where you can select **Payloads**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.-- During simulation creation: You can create custom payloads on the **Select a payload** page (the third page) of the simulation creation wizard. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training.md).
+**Payloads** in the **Simulation content library** tab has two tabs:
-For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+- **Global payloads**: Contains the built-in, non-modifiable payloads.
+- **Tenant payloads**: Contains the custom payloads that you've created.
+
+The following information is shown for each payload:
+
+- **Payload name**
+- **Type**: Currently, this value is always **Social engineerings**.
+- **Language**: If the payload contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).
+- **Source**: For built-in payloads, the value is **Global**. For custom payloads, the value is **Tenant**.
+- **Simulations launched**: The number of launched simulations that use the payload.
+- **Compromised rate (%)**: For built-in payloads, this value is the predicted average compromise rate for Attack simulation training simulations that use the same type of payload across all other Microsoft 365 organizations.
+- **Created by**: For built-in payloads, the value is **Microsoft**. For custom payloads, the value is the UPN of the user who created the payload.
+- **Last modified**
+- **Technique**: One of the available [social engineering techniques](attack-simulation-training.md#select-a-social-engineering-technique):
+ - **Credential harvest**
+ - **Malware attachment**
+ - **Link in attachment**
+ - **Link to malware**
+ - **Drive-by URL**
+- **Status**: The value is **Ready** or **Draft**. On the **Global payloads** tab, the value is always **Ready**.
+
+To find a payload in the list, use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find the name of the payload.
+
+Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) to filter the payloads by one or of the following values:
+
+- **Complexity**: **High**, **Medium**, and **Low**.
+- **Language**
+- **Add tag(s)**
+- **Theme**
+- **Brand**
+- **Industry**
+- **Current event**: **Yes** or **No**.
+- **Controversial**: **Yes** or **No**.
+
+To remove one or more columns that are displayed, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, the only column that's not shown is **Platform**, and that value is currently always **Email**.
+
+When you select a payload from the list, a details flyout appears with the following information:
+
+- **Overview** tab: View the payload as users will see it. Payload properties are also visible:
+ - **Payload description**
+ - **From name**
+ - **From email**
+ - **Email subject**
+ - **Source**: For built-in payloads, the value is **Global**. For custom payloads, the value is **Tenant**.
+ - **Theme**
+ - **Brand**
+ - **Industry**
+ - **Controversial**
+ - **Current event**
+ - **Tags**
+
+- **Simulations launched** tab:
+ - **Simulation name**
+ - **Click rate**
+ - **Compromised rate**
+ - **Action**
+
+## Create payloads
> [!NOTE] > Certain trademarks, logos, symbols, insignias and other source identifiers receive heightened protection under local, state and federal statutes and laws. Unauthorized use of such indicators can subject the users to penalties, including criminal fines. Though not an extensive list, this includes the Presidential, Vice Presidential, and Congressional seals, the CIA, the FBI, Social Security, Medicare and Medicaid, the United States Internal Revenue Service, and the Olympics. Beyond these categories of trademarks, use and modification of any third-party trademark carries an inherent amount of risk. Using your own trademarks and logos in a payload would be less risky, particularly where your organization permits the use. If you have any further questions about what is or is not appropriate to use when creating or configuring a payload, you should consult with your legal advisors.
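Review bot: The **Compromised rate (%)** bullet in the added column list defines the value only for built-in payloads, while the neighbouring **Source** and **Created by** bullets cover both built-in and custom payloads; add a sentence saying what this column shows for a payload on the **Tenant payloads** tab. Three wording slips in the same added block also need fixing: "content that's are presented" in the opening definition of a payload, "**Social engineerings**" under **Type** (confirm against the portal label before changing it), and "one or of the following values" in the filter sentence.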
-## Create a payload
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> **Payloads** \> **Tenant payloads** tab. To go directly to the **Simulation content library** tab where you can select **Payloads** and the **Tenant payloads** tab, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.
-After you click ![Create a payload icon.](../../medi#select-a-payload)** page of the simulation creation wizard, the payload creation wizard starts and is described in this section.
+ Click ![Create a payload icon.](../../media/m365-cc-sc-create-icon.png) **Create a payload** on the **Tenant payloads** tab in **Payloads** to start the create payload wizard.
-### Select a payload type
+ ![Create a payload on the Tenant payloads tab in Payloads in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-payload-create.png)
-On the **Select type** page, the only value that you can currently select is **Email**.
+ > [!NOTE]
+ > ![Create a payload icon.](../../medi).
+ >
+ > At any point during the creation wizard, you can click **Save and close** to save your progress and continue configuring the payload later. You can pick up where you left off by selecting the notification on the **Tenant payloads** tab in **Payloads**, and then clicking ![Edit payload icon.](../../media/m365-cc-sc-edit-icon.png) **Edit payload**. The partially-completed payload will have the **Status** value **Draft**.
-Click **Next**.
+2. On the **Select type** page, the only value that you can currently select is **Email**.
-### Select a social engineering technique
+ Click **Next**.
-On the **Select technique** page, the available options are the same as on the [Select technique](attack-simulation-training.md#select-a-social-engineering-technique) page in the simulation creation wizard:
+3. On the **Select technique** page, the available options are the same as on the **Select technique** page in the simulation creation wizard:
-- **Credential harvest**-- **Malware attachment**-- **Link in attachment**-- **Link to malware**-- **Drive-by URL**
+ - **Credential harvest**
+ - **Malware attachment**
+ - **Link in attachment**
+ - **Link to malware**
+ - **Drive-by URL**
-When you're finished, click **Next**.
+ For more information, see [Simulate a phishing attack with Attack simulation training in Defender for Office 365](attack-simulation-training.md).
-### Name and describe the payload
+ When you're finished, click **Next**.
-On the **Payload name** page, configure the following settings:
+4. On the **Payload name** page, configure the following settings:
-- **Name**: Enter a unique, descriptive name for the payload.-- **Description**: Enter an optional detailed description for the payload.
+ - **Name**: Enter a unique, descriptive name for the payload.
+ - **Description**: Enter an optional detailed description for the payload.
-When you're finished, click **Next**.
+ When you're finished, click **Next**.
-## Configure the payload
+5. On the **Configure payload** page, it's time to build your payload. Many of the available settings are determined by the selection you made on the **Select technique** page (for example, links vs. attachments).
-On the **Configure payload** page, it's time to build your payload. Many of the available settings are determined by the selection you made on the **Select technique** page (for example, links vs. attachments).
--- **Sender details** section: Configure the following settings:
- - **From name**
- - **Use first name as display name**: By default, this setting is not selected.
- - **From email**: If you choose an internal email address for your payload's sender, the payload will appear to come from a fellow employee. This sender email address will increase a user's susceptibility to the payload, and will help educate employees on the risk of internal threats.
- - **Email subject**
+ - **Sender details** section: Configure the following settings:
+ - **From name**
+ - **Use first name as display name**: By default, this setting is not selected.
+ - **From email**: If you choose an internal email address for your payload's sender, the payload will appear to come from a fellow employee. This sender email address will increase a user's susceptibility to the payload, and will help educate employees on the risk of internal threats.
+ - **Email subject**
-- **Attachment details** section: This section is available only if you selected **Malware attachment**, **Link in attachment**, or **Link to malware** on the **Select technique** page. Configure the following settings:
- - **Name your attachment**
- - **Select an attachment type**: Currently, the only available value is **Docx**.
+ - **Attachment details** section: This section is available only if you selected **Malware attachment**, **Link in attachment**, or **Link to malware** on the **Select technique** page. Configure the following settings:
+ - **Name your attachment**
+ - **Select an attachment type**: Currently, the only available value is **Docx**.
-- **Link for attachment** section: This section is available only if you selected **Link to malware** on the **Select technique** page. In the **Select a URL you want to be your malware attachment link** box, select one of the available URLs (the same URLs that are described for the **Phishing link** section).
+ - **Link for attachment** section: This section is available only if you selected **Link to malware** on the **Select technique** page. In the **Select a URL you want to be your malware attachment link** box, select one of the available URLs (the same URLs that are described for the **Phishing link** section).
- Later, you'll embed the URL in the body of the message.
+ Later, you'll embed the URL in the body of the message.
-- **Phishing link** section: This section is available only if you selected **Credential harvest**, **Link in attachment**, or **Drive-by URL** on the **Select technique** page.
+ - **Phishing link** section: This section is available only if you selected **Credential harvest**, **Link in attachment**, or **Drive-by URL** on the **Select technique** page.
- For **Credential harvest** or **Drive-by URL**, the name of the box is **Select a URL you want to be your phishing link**. Later, you'll embed the URL in the body of the message.
+ For **Credential harvest** or **Drive-by URL**, the name of the box is **Select a URL you want to be your phishing link**. Later, you'll embed the URL in the body of the message.
- For **Link in attachment**, the name of the box is **Select a URL in this attachment that you want to be your phishing link**. Later, you'll embed the URL in the attachment.
+ For **Link in attachment**, the name of the box is **Select a URL in this attachment that you want to be your phishing link**. Later, you'll embed the URL in the attachment.
- Select one of the available URL values:
+ Select one of the available URL values:
+
+ - <https://www.mcsharepoint.com>
+ - <https://www.attemplate.com>
+ - <https://www.doctricant.com>
+ - <https://www.mesharepoint.com>
+ - <https://www.officence.com>
+ - <https://www.officenced.com>
+ - <https://www.officences.com>
+ - <https://www.officentry.com>
+ - <https://www.officested.com>
+ - <https://www.prizegives.com>
+ - <https://www.prizemons.com>
+ - <https://www.prizewel.com>
+ - <https://www.prizewings.com>
+ - <https://www.shareholds.com>
+ - <https://www.sharepointen.com>
+ - <https://www.sharepointin.com>
+ - <https://www.sharepointle.com>
+ - <https://www.sharesbyte.com>
+ - <https://www.sharession.com>
+ - <https://www.sharestion.com>
+ - <https://www.templateau.com>
+ - <https://www.templatent.com>
+ - <https://www.templatern.com>
+ - <https://www.windocyte.com>
+
+ > [!NOTE]
+ > A URL reputation service might identify one or more of these URLs as unsafe. Check the availability of the URL in your supported web browsers before you use the URL in a simulation. For more information, see [Phishing simulation URLs blocked by Google Safe Browsing](attack-simulation-training-faq.md#phishing-simulation-urls-blocked-by-google-safe-browsing).
+
+ - **Attachment content** section: This section is available only if you selected **Link in attachment** on the **Select technique** page.
+
+ A rich text editor is available for you to create the content in your file attachment payload.
+
+ Use the **Phishing link** control to add the previously selected phishing URL into the attachment.
+
+ - Common settings on the **Configure payload** page:
+
+ - **Add tag(s)**
+
+ - **Theme**: The available values are: **Account Activation**, **Account Verification**, **Billing**, **Clean up Mail**, **Document Received**, **Expense**, **Fax**, **Finance Report**, **Incoming Messages**, **Invoice**, **Item Received**, **Login Alert**, **Mail Received**, **Other**, **Password**, **Payment**, **Payroll**, **Personalized Offer**, **Quarantine**, **Remote Work**, **Review Message**, **Security Update**, **Service Suspended**, **Signature Required**, **Upgrade Mailbox Storage**, **Verify mailbox**, or **Voicemail**.
+
+ - **Brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, or **Other**.
- - <https://www.mcsharepoint.com>
- - <https://www.attemplate.com>
- - <https://www.doctricant.com>
- - <https://www.mesharepoint.com>
- - <https://www.officence.com>
- - <https://www.officenced.com>
- - <https://www.officences.com>
- - <https://www.officentry.com>
- - <https://www.officested.com>
- - <https://www.prizegives.com>
- - <https://www.prizemons.com>
- - <https://www.prizewel.com>
- - <https://www.prizewings.com>
- - <https://www.shareholds.com>
- - <https://www.sharepointen.com>
- - <https://www.sharepointin.com>
- - <https://www.sharepointle.com>
- - <https://www.sharesbyte.com>
- - <https://www.sharession.com>
- - <https://www.sharestion.com>
- - <https://www.templateau.com>
- - <https://www.templatent.com>
- - <https://www.templatern.com>
- - <https://www.windocyte.com>
+ - **Industry**: The available values are: **Banking**, **Business services**, **Consumer services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real estate**, or **Other**.
- > [!NOTE]
- > A URL reputation service might identify one or more of these URLs as unsafe. Check the availability of the URL in your supported web browsers before you use the URL in a simulation. For more information, see [Phishing simulation URLs blocked by Google Safe Browsing](attack-simulation-training-faq.md#phishing-simulation-urls-blocked-by-google-safe-browsing).
+ - **Current event**: The available values are **Yes** or **No**.
-- **Attachment content** section: This section is available only if you selected **Link in attachment** on the **Select technique** page.
+ - **Controversial**: The available values are **Yes** or **No**.
- A rich text editor is available for you to create the content in your file attachment payload.
+ - **Language** section: Select the language for the payload. The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.
- Use the **Phishing link** control to add the previously selected phishing URL into the attachment.
+ - **Email message** section:
-- Common settings:
- - **Add tag(s)**
- - **Theme**: The available values are: **Account Activation**, **Account Verification**, **Billing**, **Clean up Mail**, **Document Received**, **Expense**, **Fax**, **Finance Report**, **Incoming Messages**, **Invoice**, **Item Received**, **Login Alert**, **Mail Received**, **Other**, **Password**, **Payment**, **Payroll**, **Personalized Offer**, **Quarantine**, **Remote Work**, **Review Message**, **Security Update**, **Service Suspended**, **Signature Required**, **Upgrade Mailbox Storage**, **Verify mailbox**, or **Voicemail**.
- - **Brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, or **Other**.
- - **Industry**: The available values are: **Banking**, **Business services**, **Consumer services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real estate**, or **Other**.
- - **Current event**: The available values are **Yes** or **No**.
- - **Controversial**: The available values are **Yes** or **No**.
+ - You can click **Import email** and then **Choose file** to import an existing plain text message file.
-- **Language** section: Select the language for the payload. The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.
+ - On the **Text** tab, a rich text editor is available for you to create your email message payload.
-- **Email message** section:
+ - Use the **Dynamic tag** control to personalize the email message for each user by inserting the available tags:
+ - **Insert user name**: The value that's added in the message body is `${userName}`.
+ - **Insert first name**: The value that's added in the message body is `${firstName}`.
+ - **Insert last name**: The value that's added in the message body is `${lastName}`.
+ - **Insert UPN**: The value that's added in the message body is `${upn}`.
+ - **Insert email**: The value that's added in the message body is `${emailAddress}`.
+ - **Insert Department**: The value that's added in the message body is `${department}`.
+ - **Insert Manager**: The value that's added in the message body is `${manager}`.
+ - **Insert Mobile phone**: The value that's added in the message body is `${mobilePhone}`.
+ - **Insert City**: The value that's added in the message body is `${city}`.
+ - **Insert date**: The value that's added in the message body is `${date|MM/dd/yyyy|offset}`.
- - You can click **Import email** and then **Choose file** to import an existing plain text message file.
+ :::image type="content" source="../../media/attack-sim-training-payloads-configure-payload-email-message.png" alt-text="The Email message section on the Configure payload page in the payload creation wizard in Attack simulation training in Microsoft Defender for Office 365" lightbox="../../media/attack-sim-training-payloads-configure-payload-email-message.png":::
- - On the **Text** tab, a rich text editor is available for you to create your email message payload.
+ - **Phishing link** control: This control is available only if you selected **Credential harvest**, **Link in attachment**, or **Drive-by URL** on the **Select technique** page. Use this control to name and insert the URL that you previously selected in the **Phishing link** section.
- - Use the **Dynamic tag** control to personalize the email message for each user by inserting the available tags:
- - **Insert name**: The value that's added in the message body is `${userName}`.
- - **Insert email**: The value that's added in the message body is `${emailAddress}`.
+ - **Malware attachment link** control: This control is available only if you selected **Link to malware** on the **Select technique** page. Use this control to name and insert the URL that you previously selected in the **Link for attachment** section.
- :::image type="content" source="../../media/attack-sim-training-payloads-configure-payload-email-message.png" alt-text="The Email message section on the Configure payload page in the payload creation wizard in Attack simulation training in Microsoft Defender for Office 365" lightbox="../../media/attack-sim-training-payloads-configure-payload-email-message.png":::
+ When you click **Phishing link** or **Malware attachment link**, a dialog opens that asks you to name the link. When you're finished, click **Confirm**.
- **Phishing link** control: This control is available only if you selected **Credential harvest**, **Link in attachment**, or **Drive-by URL** on the **Select technique** page. Use this control to insert the URL that you previously selected in the **Phishing link** section.
+ The value that's added in the message body (visible on the **Code** tab) is `<a href="${phishingUrl}" target="_blank">Name value you specified</a>`.
- **Malware attachment link** control: This control is available only if you selected **Link to malware** on the **Select technique** page. Use this control to insert the URL that you previously selected in the **Link for attachment** section.
+ - On the **Code** tab, you can view and modify the HTML code directly. Formatting and other controls like **Dynamic tag** and **Phishing link** or **Malware attachment link** aren't available.
- If you click **Phishing link** or **Malware attachment link**, a dialog opens that asks you to name the link. When you're finished, click **Confirm**.
+ - The **Replace all links in the email message with the phishing link** toggle is available only if you selected **Credential harvest**, **Link to malware**, or **Drive-by URL** on the **Select technique** page. This toggle can save time by replacing all links in the message with the previously selected **Phishing link** or **Link for attachment** URL. To do this, toggle the setting to on ![Toggle on icon.](../../media/scc-toggle-on.png).
- The value that's added in the message body (visible on the **Code** tab) is `<a href="${phishingUrl}" target="_blank">Name value you specified</a>`.
+ When you're finished, click **Next**.
- - On the **Code** tab, you can view and modify the HTML code directly. Formatting and other controls like **Dynamic tag** and **Phishing link** or **Malware attachment link** aren't available.
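Review bot: The added **Insert date** bullet gives the tag as `${date|MM/dd/yyyy|offset}`, but nothing in this step says what `offset` means (its unit, whether it can be negative or omitted) or whether the `MM/dd/yyyy` segment can be changed. The other dynamic tags are plain names and need no explanation, but this one takes arguments, so add a sentence that describes each segment and shows one filled-in value.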
+6. The **Add indicators** page is available only if you selected **Credential harvest**, **Link in attachment**, or **Drive-by URL** on the **Select technique** page.
- - The **Replace all links in the email message with the phishing link** toggle is available only if you selected **Credential harvest**, **Link to malware**, or **Drive-by URL** on the **Select technique** page. This toggle can save time by replacing all links in the message with the previously selected **Phishing link** or **Link for attachment** URL. To do this, toggle the setting to on ![Toggle on icon.](../../media/scc-toggle-on.png).
+ Indicators help employees identify the tell-tale signs of phishing messages.
-When you're finished, click **Next**.
+ On the **Add indicators** page, click **Add indicator**. In the flyout that appears, configure the following settings:
-## Add indicators to phishing clues
+ - **Select and indicator you would like to use** and **Where do you want to place this indicator on the payload?**:
-> [!NOTE]
-> Indicators are not available if you selected **Malware attachment** or **Link to malware** on the **Select technique** page.
-
-Indicators help employees going through the attack simulation to identify the tell-tale signs of phishing messages.
-
-On the **Add indicators** page, click **Add indicator**. On the flyout that appears, configure the following settings:
--- **Indicator name** and **Indicator location**: These values are interrelated. Where you can place the indicator depends on the indicator itself. The available values are described in the following table:-
- |Indicator name|Indicator location|
- |||
- |**Attachment type**|Message body|
- |**Distracting detail**|Message body|
- |**Domain spoofing**|Message body <p> From email address|
- |**Generic greeting**|Message body|
- |**Humanitarian appeals**|Message body|
- |**Inconsistency**|Message body|
- |**Lack of sender details**|Message body|
- |**Legal language**|Message body|
- |**Limited time offer**|Message body|
- |**Logo imitation or dated branding**|Message body|
- |**Mimics a work or business process**|Message body|
- |**No/minimal branding**|Message body|
- |**Poses as friend, colleague, supervisor, or authority figure**|Message body|
- |**Request for sensitive information**|Message body|
- |**Security indicators and icons**|Message body <p> Message subject|
- |**Sender display name and email address**|From name <p> From email address|
- |**Sense of urgency**|Message body <p> Message subject|
- |**Spelling and grammar irregularities**|Message body <p> Message subject|
- |**Threatening language**|Message body <p> Message subject|
- |**Too good to be true offers**|Message body|
- |**Unprofessional looking design or formatting**|Message body|
- |**URL hyperlinking**|Message body|
- |**You're special**|Message body|
+ These values are interrelated. Where you can place the indicator depends on the type of indicator. The available values are described in the following table:
+
+ |Indicator type|Indicator location|
+ |||
+ |**Attachment type**|Message body|
+ |**Distracting detail**|Message body|
+ |**Domain spoofing**|Message body <p> From email address|
+ |**Generic greeting**|Message body|
+ |**Humanitarian appeals**|Message body|
+ |**Inconsistency**|Message body|
+ |**Lack of sender details**|Message body|
+ |**Legal language**|Message body|
+ |**Limited time offer**|Message body|
+ |**Logo imitation or dated branding**|Message body|
+ |**Mimics a work or business process**|Message body|
+ |**No/minimal branding**|Message body|
+ |**Poses as friend, colleague, supervisor, or authority figure**|Message body|
+ |**Request for sensitive information**|Message body|
+ |**Security indicators and icons**|Message body <p> Message subject|
+ |**Sender display name and email address**|From name <p> From email address|
+ |**Sense of urgency**|Message body <p> Message subject|
+ |**Spelling and grammar irregularities**|Message body <p> Message subject|
+ |**Threatening language**|Message body <p> Message subject|
+ |**Too good to be true offers**|Message body|
+ |**Unprofessional looking design or formatting**|Message body|
+ |**URL hyperlinking**|Message body|
+ |**You're special**|Message body|
- This list is curated to contain the most common clues that appear in phishing messages.
+ This list is curated to contain the most common clues that appear in phishing messages.
+
+ If you select the email message subject or the message body as the location for the indicator, a **Select text** button appears. Click this button to select the text in the message subject or message body where you want the indicator to appear. When you're finished, click **Select**.
+
+ :::image type="content" source="../../media/attack-sim-training-payloads-add-indicators-select-location.png" alt-text="The Selected text location in the message body to add to an indicator in the payload creation wizard in Attack simulation training" lightbox="../../media/attack-sim-training-payloads-add-indicators-select-location.png":::
+
+ - **Indicator description**: You can accept the default description for the indicator or you can customize it.
+
+ - **Indicator preview**: To see what the current indicator looks like, click anywhere within the section.
+
+ When you're finished, click **Add**
+
+ Repeat these steps to add multiple indicators.
- If you select the email message subject or the message body as the location for the indicator, a **Select text** button is available. Click this button to select the text in the message subject or message body where you want the indicator to appear. When you're finished, click **Select**.
+ Back on the **Add indicators** page, you can review the indicators you selected:
- :::image type="content" source="../../media/attack-sim-training-payloads-add-indicators-select-location.png" alt-text="The Selected text location in the message body to add to an indicator in the payload creation wizard in Attack simulation training" lightbox="../../media/attack-sim-training-payloads-add-indicators-select-location.png":::
+ - To edit an existing indicator, select it from the list and then click ![Edit indicator icon.](../../media/m365-cc-sc-edit-icon.png) **Edit indicator**.
- - **Indicator description**: You can accept the default description for the indicator, or you can customize it.
+ - To delete an existing indicator, select it from the list and then click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
- - **Indicator preview**: To see what the current indicator looks like, click within this section.
+ - To move indicators up or down in the list, select the indicator from the list, and then click ![Move up icon.](../../media/m365-cc-sc-increase-icon.png) **Move up** or ![Move down icon.](../../media/m365-cc-sc-decrease-icon.png) **Move down**.
- When you're finished, click **Add**
+ When you're finished, click **Next**.
-Repeat the steps in this section to add multiple indicators.
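Review bot: In the first bullet of the **Add indicator** flyout settings, the label reads "**Select and indicator you would like to use**", where "and" looks like a typo for "an"; check it against the portal string and correct it here if the UI says "an". The added "When you're finished, click **Add**" line is also missing its closing period, a slip carried over from the removed text.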
+7. On the **Review payload** page, you can review the details of your payload.
-To edit an existing indicator, select it from the list and then click ![Edit indicator icon.](../../media/m365-cc-sc-edit-icon.png) **Edit payload**.
+ Click the ![Send a test icon.](../../media/m365-cc-sc-send-icon.png) **Send a test** button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
-To delete an existing indicator, select it from the list and then click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+ Click the ![Preview indicator icon.](../../media/m365-cc-sc-open-icon.png) **Preview indicator** button open the payload in a preview flyout. The preview includes all payload indicators that you've created.
-When you're finished, click **Next**.
+ On the main **Review payload** page, you can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
-## Review payload
+ When you're finished, click **Submit**. On the confirmation page that appears, click **Done**.
-On the **Review payload** page, you can review the details of your payload.
+ :::image type="content" source="../../media/attack-sim-training-payloads-review-payload.png" alt-text="The Review payload page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-payloads-review-payload.png":::
-Click the ![Send a test icon.](../../media/m365-cc-sc-send-icon.png) **Send a test** button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
+## Modify payloads
-Click the ![Preview indicator icon.](../../media/m365-cc-sc-open-icon.png) **Preview indicator** button open the payload in a preview flyout. The preview includes all payload indicators that you've created.
+You can't modify built-in payloads on the **Global payloads** tab. You can only modify custom payloads on the **Tenant payloads** tab.
-On the main **Review payload** page, you can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+To modify an existing payload on the **Tenant payloads** tab, do one of the following steps:
+
+- Select the payload from the list by clicking the check box. Click the ![Edit payload icon.](../../media/m365-cc-sc-edit-icon.png) **Edit payload** icon that appears.
+- Select the payload from the list by clicking anywhere in the row except the check box. In the details flyout that opens, click **Edit payload**.
+
+The payload wizard opens with the settings and values of the selected payload. The steps are the same as described in the [Create payloads](#create-payloads) section.
+
+## Copy payloads
+
+To copy an existing payload on the **Tenant payloads** or **Global payloads** tabs, select the payload from the list by clicking the check box, and then click the ![Copy payload icon.](../../media/m365-cc-sc-edit-icon.png) **Copy payload** icon that appears.
+
+The create payload wizard opens with the settings and values of the selected payload. The steps are the same as described in the [Create payloads](#create-payloads) section.
+
+> [!NOTE]
+> When you copy a built-in payload on the **Global payloads** tab, be sure to change the **Name** value. If you don't, the payload will appear on the **Tenant payloads** page with the same name as the built-in payload.
-When you're finished, click **Submit**. On the confirmation page that appears, click **Done**.
+## Send a test
+On the **Tenant payloads** or **Global payloads** tabs, you can send a copy of the payload email to yourself (the currently logged in user) for inspection.
-> [!IMPORTANT]
-> Payloads that you created will have the value **Tenant** for the **Source** property. When you create simulations and select payloads, make sure that you don't filter out the **Source** value **Tenant**.
+Select the payload from the list by clicking the check box, and then click the ![Send a test icon.](../../media/m365-cc-sc-send-icon.png) **Send a test** button that appears.
## Related links
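Review bot: The new **Copy payloads** section reuses the edit icon for the copy action. `![Copy payload icon.](../../media/m365-cc-sc-edit-icon.png)` points at the same image file as the **Edit payload** icon in **Modify payloads**, so either reference a copy-specific image or confirm that the portal really shows the same glyph for both actions. The `[!IMPORTANT]` note about not filtering out the **Source** value **Tenant** is removed with no replacement. If that still applies when payloads are selected in a simulation, keep it or move it to the simulation article. In step 7, "**Preview indicator** button open the payload" is carried over from the old text and is still missing "to".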
security Attack Simulation Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md
If you select a payload from the list, details about the payload are shown in a
If you select a payload from the list by clicking on the name, a ![Send a test payload icon.](../../media/m365-cc-sc-create-icon.png) **Send a test** button appears on the main page where you can send a copy of the payload email to yourself (the currently logged in user) for inspection.
-To create your own payload, click ![Create a payload icon.](../../medi).
+To create your own payload, click ![Create a payload icon.](../../medi#create-payloads).
When you're finished, click **Next**.
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creat
Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
- - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
When you're finished, click **Next**.
security Configure Review Priority Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-review-priority-account.md
ms.technology: mdo
ms.prod: m365-security
-# Configure and review priority accounts in Microsoft Defender for Office 365
+# Configure and review Priority accounts in Microsoft Defender for Office 365
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
In every organization, there are people that are critical, like executives, lead
Priority accounts are targeted by attackers more often and are generally attacked with more sophisticated techniques. Differentiated protection for priority accounts focuses on this specific user set and provides higher level of protection using enhanced machine learning models. This differentiation in learning and message handling provides the highest level of protection for these accounts and helps maintain a low false positive rate, as a high rate of false positives can also have a negative impact on these users.
-## Configure priority account protection
+## Configure Priority account protection
Priority account protection is turned on by default for pre-identified critical users. However, the security administrator of your organization can also turn on priority account protection by following these steps:
Priority account protection is turned on by default for pre-identified critical
> [!NOTE] > We don't recommend disabling or turning off priority account protection.
-### Enable the priority account tag
+### Enable the Priority account tag
-Microsoft Defender for Office 365 supports priority accounts as tags that can be used as filters in alerts, reports, and investigations.
+Microsoft Defender for Office 365 supports priority accounts as tags that can be used as filters in alerts, reports, incidents, and more.
For more information, see [User tags in Microsoft Defender for Office 365](user-tags.md).
For more information, see [User tags in Microsoft Defender for Office 365](user-
The affects of priority account protection are visible in the following features: -- The [Threat protection status report](view-email-security-reports.md#threat-protection-status-report).-- [Threat Explorer](threat-explorer.md)-- The [Email entity page](mdo-email-entity-page.md)
+- [Alerts](alerts.md)
+- [Custom alert policies](../../compliance/alert-policies.md#viewing-alerts)
+- [Threat Explorer and real-time detections](threat-explorer.md)
+- [Compromised user report](view-email-security-reports.md#compromised-users-report)
+- [Email entity page](mdo-email-entity-page.md#other-innovations)
+- [Threat protection status report](view-email-security-reports.md#threat-protection-status-report)
+- [Top senders and recipients report](view-email-security-reports.md#top-senders-and-recipients-report)
+- [Attack simulation](attack-simulation-training.md#target-users)
+- [Campaign Views](campaigns.md)
+- [Admin and user submissions](admin-submission.md)
+- [Quarantine](quarantine.md)
### Threat protection status report
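Review bot: The capitalization change lands only on the headings, so the page now mixes "Priority account" and "priority account". The added sentence still reads "supports priority accounts as tags", and the unchanged paragraphs around it use lower case throughout. Pick one form and apply it to the body text in the same change. The sentence that introduces the new list still says "The affects of priority account protection", which should be "effects". Since that list is being rewritten anyway, fix it here.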
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
When you select multiple quarantined messages in the list (up to 100) by clickin
:::image type="content" source="../../media/quarantine-user-message-bulk-actions.png" alt-text="The bulk actions drop down list for messages in quarantine" lightbox="../../media/quarantine-user-message-bulk-actions.png"::: -- ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release messages**: Delivers the messages to your Inbox.
+- ![Release messages icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release messages**: Delivers the messages to your Inbox.
- ![Remove from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete messages**: After you click **Yes** in the warning that appears, the messages are immediately removed from quarantine without being sent to the original recipients.
security Manage Quarantined Messages And Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files.md
After you select a quarantined message from the list, the following actions are
- You can't release a message to the same recipient more than once. - Only recipients who haven't received the message will appear in the list of potential recipients.
- - Only members of the **Security Administrators** role group can see and use the **Submit the message to Microsoft to improve detection (false positive)** and **Allow messages like this** options.
+ - Only members of the **Security Administrators** role group can see and use the **Submit the message to Microsoft to improve detection (false positive)** and **Allow messages like this** options.
- ![Share email icon.](../../media/m365-cc-sc-share-email-icon.png) **Share email**: In the flyout that appears, add one or more recipients to receive a copy of the message. When you're finished, click **Share**.
security Connect Microsoft Defender For Office 365 To Microsoft Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/connect-microsoft-defender-for-office-365-to-microsoft-sentinel.md
+
+ Title: Connect Microsoft Defender for Office 365 to Microsoft Sentinel
+description: The steps to connect Microsoft Defender for Office 365 to Sentinel. Add your Microsoft Defender for Office 365 data (*and* data from the rest of the Microsoft 365 Defender suite), including incidents, to Microsoft Sentinel for a single pane of glass into your security.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# Connect Microsoft Defender for Office 365 to Microsoft Sentinel
+
+You can ingest your Microsoft Defender for Office 365 data (*and* data from the rest of the Microsoft 365 Defender suite), including incidents, into Microsoft Sentinel.
+
+Take advantage of rich security information events management (SIEM) combined with data from other Microsoft 365 sources, synchronization of incidents and alerts, and advanced hunting.
+
+> [!IMPORTANT]
+> The Microsoft 365 Defender connector is currently in **PREVIEW**. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.>
+
+## What you will need
+- Microsoft Defender for Office 365 Plan 2 or higher.
+- Microsoft Sentinel [Quickstart guide](/azure/sentinel/quickstart-onboard).
+- Sufficient permissions (Security Administrator in M365 & Read / Write permissions in Sentinel).
+
+## Add the Microsoft 365 Defender Connector
+1. [Login to the Azure Portal](https://portal.azure.com) and navigate to **Microsoft Sentinel** > Pick the relevant workspace to intergrate with Microsoft 365 Defender
+ 1. On the left-hand navigation menu underneath the heading **Configuration** > choose **Data connectors**.
+2. When the page loads, **search for** Microsoft 365 Defender **and select the Microsoft 365 Defender (preview) connector**.
+3. On the right-hand flyout, select **Open Connector Page**.
+4. Under the **Configuration** section of the page that loads, select **Connect incidents & alerts**, leaving Turn off all Microsoft incident creation rules for these products ticked.
+5. Scroll to **Microsoft Defender for Office 365** in the **Connect events** section of the page. Select **EmailEvents, EmailUrlInfo, EmailAttachmentInfo & EmailPostDeliveryEvents** then **Apply Changes** at the bottom of the page. (Choose tables from other Defender products if helpful and applicable, during this step.)
+
+## Next Steps
+
+Admins will now be able to see incidents, alerts, and raw data in Microsoft Sentinel and use this data for *advanced hunting*, pivoting on existing and new data from Microsoft Defender.
+
+## More Information
+
+[Connect Microsoft 365 Defender data to Microsoft Sentinel | Microsoft Docs](/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
+
+[Connect Microsoft Teams to Microsoft Sentinel](/microsoftteams/teams-sentinel-guide)
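Review bot: The permissions prerequisite under "What you will need" is too vague to act on. "Read / Write permissions in Sentinel" names neither a role nor a scope, so a reader cannot tell what to request or how narrowly it can be granted. Name the specific role and the workspace scope it is needed on, as is done for "Security Administrator in M365". In step 4, "leaving Turn off all Microsoft incident creation rules for these products ticked" should bold the option name like the other UI labels and say in one clause why it stays ticked. Smaller items: "intergrate" in step 1, a stray ">" at the end of the `[!IMPORTANT]` text, and "Login to" as a verb (the quarantine guide in this same batch uses "Sign in to").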
security Ensuring You Always Have The Optimal Security Controls With Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md
+
+ Title: Ensuring you always have the optimal security controls with preset security policies
+description: The steps to ensure you always have the best security controls with preset security policies. Preset policies let you select a security profile of either Standard or Strict. Microsoft will manage and maintain security controls across Microsoft Defender for Office 365 for you.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# Ensuring you always have the optimal security controls with preset security policies
+
+Preset security policies allow you to select a security profile of either Standard or Strict, and have Microsoft manage and maintain security controls across Microsoft Defender for Office 365 for you.
+
+As new controls are added or if the best practice setting for a security control changes with the evolving threat landscape, Microsoft will automatically update security control settings for users assigned to a Standard or Strict preset security policy. By using Security Preset policies, you will always have MicrosoftΓÇÖs recommended, best practice configuration for your users.
+
+## What you will need
+- Microsoft Defender for Office 365 Plan 1
+- Sufficient permissions (Security Administrator role)
+- 5 minutes to perform the steps below.
+
+## Choosing between Standard and Strict policies
+
+Our Strict preset security policy has more aggressive limits and settings for security controls that will result in more aggressive detections and will involve the admin in making decisions on which blocked emails are released to end users.
+
+- Collect the list of your users that require more aggressive detections even if it means more good mail will get flagged as suspicious. These are typically your executive staff, executive support staff, and historically highly targeted users.
+
+- Ensure that the selected users have admin coverage to review and release emails if the end user thinks that the mail might be good and requests that the message be released to them.
+
+- If the criteria above are met, then the user should be placed in the Strict preset security policy. Otherwise the user should be placed in the Standard preset security policy.
+
+> [!TIP]
+> For information on what Standard and Strict security polices are, see this [article](../../office-365-security/recommended-settings-for-eop-and-office365.md).
+
+## Enable Security Presets
+
+Once youΓÇÖve chosen between the Standard and Strict security preset policies for your users, it takes a few further steps to assign users to each preset.
+
+1. Identify the users, groups, or domains you would like to include in Standard and Strict security presets.
+1. Login to the Microsoft Security portal at https://security.microsoft.com.
+1. On the left nav, under **Email & collaboration**, select **Policies & rules**.
+1. Select **Threat policies**.
+1. Select **Preset Security Policies** underneath the **Templated policies** heading
+1. Select **Manage** underneath the Standard protection preset.
+1. Add the users, groups, or domains you want to apply the Standard preset to, in the EOP protections apply to section. Click the **Next** button.
+1. Add the users, groups, or domains you want to apply the Standard preset to, in the MDO protections apply to section. Click the **Next** button.
+1. Click on the **Confirm** button.
+1. Select the **Manage** link in the Strict protection preset.
+1. Add the users, groups, or domains you want to apply the Standard preset to, in the EOP protections apply to section. Click the **Next** button.
+1. Add the users, groups, or domains you want to apply the Standard preset to, in the MDO protections apply to section. Click the **Next** button.
+1. Click on the **Confirm** button.
+
+> [!TIP]
+> To learn more about preset polcies click [here](../../office-365-security/preset-security-policies.md)
+
+## Next Steps
+
+Use config analyzer to determine if your users are configured per MicrosoftΓÇÖs best practices.
+
+> [!TIP]
+> Configuration analyzer allows admins to find and fix security policies where the settings are below the Standard or Strict protection profile settings in preset security policies. Find out more about Configuration analyzer [here](../../office-365-security/configuration-analyzer-for-security-policies.md).
+
+Secure Presets are always suggested because it ensures you are always exercising Microsoft best practices. However, in some cases customized configurations are required. Learn about custom policies [here](../../office-365-security/tenant-wide-setup-for-increased-security.md).
+
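Review bot: Steps 11 and 12 under "Enable Security Presets" assign users to the wrong profile as written. They follow "Select the **Manage** link in the Strict protection preset" but both still say "you want to apply the Standard preset to", copied from steps 7 and 8. An admin following the text literally has no instruction for who goes into Strict, so change both to "Strict preset". The file also has an encoding problem: "MicrosoftΓÇÖs" (twice) and "youΓÇÖve" show a curly apostrophe saved in the wrong code page. Re-save as UTF-8 or use straight apostrophes. Typos: "polices" in the first tip, "polcies" in the second. The section names "EOP protections apply to" and "MDO protections apply to" are UI labels and should be bold like **Manage** and **Confirm**.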
security How To Configure Quarantine Permissions With Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-configure-quarantine-permissions-with-quarantine-policies.md
+
+ Title: How to configure quarantine permissions and policies
+description: The steps to configure quarantine policies and permissions across different groups, including AdminOnlyPolicy, limited access, full access, and providing security admins and users with a simple way to manage false positive folders.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# How to configure quarantine permissions and policies
+
+Providing security admins and users with a very simple way to manage false positive folders is vital given the increased demand for a more aggressive security posture with the evolution of hybrid work. Taking a prescriptive approach, admins and users can achieve this with the guidance below.
+
+> [!TIP]
+> For a short video aimed at admins trying to set quarantine permissions and policies, [see this link](https://www.youtube.com/watch?v=vnar4HowfpY). If you are an end user opt for this [1 minute overview](https://www.youtube.com/watch?v=s-vozLO43rI) of the process.
+
+## What you will need
+- Sufficient permissions (Security Administrator role)
+- 5 minutes to perform the steps below.
+
+## Creating Custom quarantine policies with Request release flow
+
+Our custom polices give admins the ability to decide what items their users can triage in the ***False positive*** folder with an extended ability of allowing the user to request the *release* of those items from the folder.
+
+1. Decide what verdicts category (bulk, spam, phish, high confidence phish, or malware) of items you want your user to triage and not triage.
+1. For those categories that you donΓÇÖt want the users to triage, assign the items to the **AdminOnlyPolicy**. As for the category you want users to triage with limited access, you can *create a custom policy* with a request release access and assign users to that category.
+1. It's **strongly recommended** that malware and high confidence phish items be assigned to **AdminOnlyPolicy**, regular confidence phish items be assigned *limited access with request release*, while bulk and spam can be left as full access for users.
+
+> [!IMPORTANT]
+> For more information on how granular custom policies can be created, see [Quarantine policies - Office 365 | Microsoft Docs](../../office-365-security/quarantine-policies.md).
+
+## Assigning quarantine polices and enabling notification with organization branding
+
+Once it has been decided the categories of items users can triage or not-triage, and created the corresponding quarantine polices, admins should to assign these policies to the respective users and enable notifications.
+
+1. Identify the users, groups, or domains that you would like to include in the *full access* category vs. the *limited access* category, versus the *Admin-Only* category.
+1. Sign in to the [Microsoft Security portal](https://security.microsoft.com).
+1. Select **Email & collaboration** > **Policies & rules**.
+1. Select **Threat policies**.
+1. Select each of the following: **Anti-spam policies**, **Anti-phishing policy**, **Anti-Malware policy**.
+1. Select **Create policy** and choose **Inbound**.
+1. Add policy Name, users, groups, or domains to apply the policy to, and **Next**.
+1. In the **Actions** tab, select **Quarantine message** for categories. You will notice an additional panel for *select quarantine policy*, use that dropdown to select the quarantine policy you created earlier.
+1. Move on to the **Review** section and click the **Confirm** button to create the new policy.
+1. Repeat these same steps for the other policies: **Anti-phishing policy**, **Anti-Malware policy**, and **Safe Attachment policy**.
+
+> [!TIP]
+> For more detailed information on what you've learned so far, see [Configure spam filter policies - Office 365 | Microsoft Docs ](../../office-365-security/configure-your-spam-filter-policies.md)| [Configure anti-phishing policies in EOP - Office 365 | Microsoft Docs](../../office-365-security/configure-anti-phishing-policies-eop.md) | [Configure anti-malware policies - Office 365 | Microsoft Docs](../../office-365-security/configure-anti-malware-policies.md)| [Set up Safe Attachments policies in Microsoft Defender for Office 365 - Office 365 | Microsoft Docs](../../office-365-security/set-up-safe-attachments-policies.md)
+
+## Next Steps
+
+- Use **Global policy** available in quarantine policy to enable your organization branding logo, display name, and disclaimer.
+- Also set the **User frequency to 1 day** for the quarantine notification.
+
+## More information
+
+Learn more about organization branding and notification settings here [Quarantine policies - Office 365 | Microsoft Docs](../../office-365-security/quarantine-policies.md)
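Review bot: The assignment procedure does not agree with itself about which policies it covers. Step 5 lists "**Anti-spam policies**, **Anti-phishing policy**, **Anti-Malware policy**", while step 10 says to repeat for "**Anti-phishing policy**, **Anti-Malware policy**, and **Safe Attachment policy**". Safe Attachments never appears in step 5, and step 6 ("choose **Inbound**") only makes sense for the anti-spam policy. Restructure so that steps 5 through 9 walk through the anti-spam policy only, and step 10 names the remaining three. The guide also uses "False positive folder" for what the steps treat as quarantine. Define the term once or use "quarantine" throughout. Wording: "admins should to assign", "polices" (three occurrences, including the H2), and the mis-encoded apostrophe in "donΓÇÖt".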
security How To Handle False Negatives In Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365.md
+
+ Title: (False Negatives) How to handle malicious emails that are delivered to recipients using Microsoft Defender for Office 365
+description: The steps to handle malicious emails coming through to end users and inboxes (as False Negatives) with Microsoft Defender for Office 365 in order to prevent loss of business.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365
+
+Microsoft Defender for Office 365 helps deal with malicious emails (False Negative) that are delivered to recipients and that put your organizational productivity at risk.
+Defender for Office 365 can help you understand why emails are getting delivered, how to resolve the situation quickly, and how to prevent similar situations from happening in the future.
+
+## What you'll need
+
+- Microsoft Defender for Office 365 Plan 1 and 2 (included as part of E3, E5). EOP customers can also leverage this.
+- Sufficient permissions (Security Administrator role).
+- 5-10 minutes to perform the steps below.
+
+## Handling malicious emails in the Inbox folder of end users
+1. Ask end users to report the email as **phishing** or **junk** using Microsoft Message Add-in or Microsoft Phish add-in or the Outlook buttons.
+2. End users can also add the sender to the [block senders list](https://support.microsoft.com/en-us/office/block-a-mail-sender-b29fd867-cac9-40d8-aed1-659e06a706e4#:~:text=1%20On%20the%20Home%20tab%2C%20in%20the%20Delete,4%20Click%20OK%20in%20both%20open%20dialog%20boxes..) in Outlook to prevent emails from this sender's mail from arrive at Inboxes.
+3. Admins can triage the user reported messages from [user reported content](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#view-user-submissions-to-microsoft) portal.
+4. From those reported messages, admins can **submit to** [Microsoft for analysis](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#notify-users-from-within-the-portal) to learn why that email was allowed in the first place.
+5. If needed, while submitting to Microsoft for analysis, admins can create a [block for the sender](/microsoft-365/security/office-365-security/manage-tenant-blocks?view=o365-worldwide) to mitigate the problem.
+6. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.
+
+## Handling malicious emails in junk folder of end users
+
+1. Ask end users to report the email as **phishing** using Microsoft Message Add-in, or Microsoft Phish Add-in, or the Outlook buttons.
+2. Admins can triage the user reported messages from the [user reported content](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#view-user-submissions-to-microsoft) portal.
+3. From those reported messages admins can **submit to** [Microsoft for analysis](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#notify-users-from-within-the-portal) and learn why that email was allowed in the first place.
+4. If needed, while submitting to Microsoft for analysis, admins can create a [block for the sender](/microsoft-365/security/office-365-security/manage-tenant-blocks?view=o365-worldwide) to mitigate the problem.
+5. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.
+
+## Handling malicious emails landing in the quarantine folder of end users
+
+1. End users receive an [email digest](/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages?view=o365-worldwide) about quarantined messages as per the settings enabled by admins.
+2. End users can preview the messages in quarantine, block the sender, and submit those messages to Microsoft for analysis.
+
+## Handling malicious emails landing in the quarantine folder of admins
+1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-worldwide).
+2. Admins can submit any malicious, or suspect messages to Microsoft for analysis, and create a block to mitigate the situation while waiting for verdict.
+3. Once the results for submissions are available, read the verdict to learn why the emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.
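Review bot: The "Microsoft for analysis" links in both step lists point at an anchor that does not match their text. They target `admin-submission?view=o365-worldwide#notify-users-from-within-the-portal`, which by its name is the user-notification section rather than the submission procedure, so check the intended anchor. The block senders link in step 2 carries a browser text fragment (`#:~:text=1%20On%20the%20Home%20tab...`) that should be stripped from the URL. All internal links here are root-relative with a hard-coded `?view=o365-worldwide`, whereas the other new step-by-step guides in this batch use relative `../../office-365-security/...md` links. Use the relative form so link validation covers them. Grammar in step 2: "to prevent emails from this sender's mail from arrive at Inboxes". The prerequisite "Plan 1 and 2" reads as if both plans are required. The false positives guide says "Plan 1 or 2".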
security How To Handle False Positives In Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365.md
+
+ Title: (False Positives) How to handle legitimate emails getting blocked from delivery using Microsoft Defender for Office 365
+description: The steps to handle legitimate email getting blocked(False Positive) by Microsoft Defender for Office 365 in order to prevent lose of business.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office 365
+
+Microsoft Defender for Office 365 helps deal with important legitimate business emails that are mistakenly blocked as threats (False Positives). Defender for Office 365 can help admins understand *why* legitimate emails are being blocked, how to resolve the situation quickly, and prevent similar situations from happening in the future.
+
+## What you'll need
+
+- Microsoft Defender for Office 365 Plan 1 or 2 (included as part of E3, E5). EOP customers can also leverage this feature.
+- Sufficient permissions (Security Administrator role).
+- 5-10 minutes to perform the steps below.
+
+## Handling legitimate emails in to Junk folder of end users
+
+1. Ask end users to report the email as **not junk** using Microsoft Message Add-in or the Outlook buttons.
+2. End users can also add the sender to the [**safe sender list**](https://support.microsoft.com/en-us/office/safe-senders-in-outlook-com-470d4ee6-e3b6-402b-8cd9-a6f00eda7339) in Outlook to prevent the email from these senders landing in Junk folder.
+3. Admins can triage the user-reported messages from [user-reported content](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#view-user-submissions-to-microsoft) portal.
+4. From those reported messages admins can submit to [**Microsoft for analysis**](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#notify-users-from-within-the-portal) and understand why was that email blocked in the first place.
+5. If needed, while submitting to Microsoft for analysis, admins can judiciously create an [**allow** for a sender](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-worldwide#add-sender-allows-using-the-submissions-portal) to mitigate the problem.
+6. Once the results from the admin submission are available, read it to understand why emails were blocked and how your tenant setup could be improved to *prevent* similar situations from happening in the future.
+
+## Handling legitimate emails that are in quarantine folder of end users
+
+1. An end user receives an [email digest](/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages?view=o365-worldwide) about quarantined messages as per the settings enabled by security admins.
+2. End users can preview the messages in quarantine, block the sender, release the messages, submit those messages to Microsoft for analysis, and request release of those emails from admins.
+
+## Handling legitimate emails emails in quarantine folder of an admin
+
+1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-worldwide).
+2. Admins can release the message from quarantine while submitting it to Microsoft for analysis, and create an allow to mitigate the situation.
+3. Once the results for submissions are available, admins should read the verdict to understand why emails were blocked, and how the tenant setup could be improved to prevent similar situations from happening in the future.
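Review bot: Step 5 of the Junk folder procedure tells admins they can "judiciously create an **allow** for a sender" but gives no criteria for what judicious means. An allow entry is the security-relevant action in this guide, so state when one is appropriate and when it should be removed, or link to a section that does. The "Microsoft for analysis" link in step 4 has the same `#notify-users-from-within-the-portal` anchor mismatch as in the false negatives guide. Wording: the H2 "Handling legitimate emails emails in quarantine folder of an admin" repeats a word, the description says "lose of business", the first H2 says "in to Junk folder", and step 4 reads "understand why was that email blocked".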
security How To Prioritize And Manage Automated Investigations And Response Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-and-manage-automated-investigations-and-response-air.md
+
+ Title: How to prioritize and manage Automated Investigations and Response (AIR).
+description: How to steps to analyze and approve AIR actions directly from the Action Center. When alerts are triggered, Automated Investigation and Response (AIR) determines the scope of impact of a threat in your organization and provided recommended remediation actions.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# Prioritize and manage Automated Investigations and Response (AIR)
+
+Automated Investigation and Response (AIR) saves your security operations team time and effort.
+
+- When alerts are triggered, automated investigation will determine the scope of impact of a threat in your organization and provide recommended remediation actions.
+- Security teams can save time by leveraging AIR automation to reduce the need for manual hunting.
+- These investigations can identify emails that haven't been cleaned-up by Zero-hour Auto Purge (ZAP) or other remediation.
+- AIR investigations also identify mailbox configurations that may be risky or indicate a compromised mailbox.
+
+Investigation actions (and investigations) are accessible from several points in the Microsoft Security portal: via *Incidents*, via *Alerts*, or via *Action Center*. Which admins use is based on the workflow an admin is pursuing.
+
+## Why use the Action Center workflow
+
+As automated investigations on *Email & collaboration* content results in verdicts, such as *Malicious* or *Suspicious*, certain remediation actions are created. The remediation actions suggested aren't carried out automatically. SecOps must navigate to each investigation to *approve* those suggested actions. In the *Action Center* all the pending actions are aggregated for quick approval.
+
+## What youΓÇÖll need
+
+- Microsoft Defender for Office 365 Plan 2 or higher
+- Sufficient permissions (Security reader, security operations, or security administrator, plus [Search and purge](../permissions-microsoft-365-security-center.md) role)
+
+## Steps to analyze and approve AIR actions directly from the Action Center
+
+1. Navigate to [Microsoft 365 Defender portal](https://security.microsoft.com/action-center) and sign in.
+2. When the Action center loads, filter and prioritize by clicking columns to sort the actions, or press **Filters** to apply a filter such as *entity type* (for a particular URL) or action type (such as soft delete email).
+3. A flyout will open once an action is clicked. It will appear on right-hand side of the screen for review.
+4. For more information about why an action is requested, select **Open investigation page** in the flyout to learn more about the investigation or alerts linked to this action. (Admins can also approve actions seen on the investigation page by selecting the *Pending Actions* tab.)
+5. Otherwise, select **Approve** to take the recommended action directly from the Action Center.
+6. Reject the action, if you determine it's unnecessary.
+
+## Check AIR history
+
+1. Navigate to the [Microsoft 365 Defender portal](https://security.microsoft.com) and sign in.
+2. In the left-hand navigation pane, expand **Action & submissions** then click **Action Center**.
+3. When the Action Center loads press the **History** tab.
+4. View the history of AIR, including decisions made, source of action, and admin who made the decision,if appropriate.
+
+## More Information
+
+[View the results of an automated investigation in Microsoft 365 - Office 365 | Microsoft Docs](../air-view-investigation-results.md)
+
+[Learn about approving and rejecting pending actions from the Investigation page](../air-review-approve-pending-completed-actions.md)
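Review bot: The "What you'll need" list names Security reader next to security operations and security administrator as sufficient, while every step in the procedure is about approving or rejecting remediation actions. Please state which of these roles can actually approve and which can only view the Action Center. In the steps themselves, step 3 describes a flyout that opens "once an action is clicked" without any step telling the reader to select an action. Steps 5 and 6 present Approve as the default and Reject as an afterthought; merge them into one decision step that follows the review in step 4. Minor: "decision,if appropriate" in the history steps is missing a space, and the first step's link text says "Microsoft 365 Defender portal" while the URL goes straight to the Action Center.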
security How To Prioritize Manage Investigate And Respond To Incidents In Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-manage-investigate-and-respond-to-incidents-in-microsoft-365-defender.md
+
+ Title: How to prioritize, Manage, Investigate & Respond to Incidents in Microsoft 365 Defender
+description: The steps to manage alerts triggered in Microsoft 365 Defender. Automated investigation and response (AIR) hunt across the subscription and determines the impact and scope of a threat, and combines the information into a single Incident.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# Prioritize, Manage, Investigate & Respond to Incidents in Microsoft 365 Defender
+
+When alerts are triggered in Microsoft 365 Defender, automated investigation and response (AIR) will trigger to hunt across an organization's subscription, determine the impact and scope of the threat, and collate the information into a single Incident so that admins donΓÇÖt have to manage multiple incidents.
+
+## What youΓÇÖll need
+
+- Microsoft Defender for Office 365 Plan 2 or higher
+- Sufficient permissions (Security reader, security operations, or security administrator, plus [Search and purge](../permissions-microsoft-365-security-center.md) role)
+
+## Prioritize & manage Incidents
+
+Navigate to the security portal Incidents page https://security.microsoft.com/incidents.
+
+When the Incident page loads you can filter and prioritize by clicking columns to sort the actions or press Filters to apply a filter such as data source, tags or state.
+
+Now you have a prioritized list of incidents, from which you can select to rename, assign, classify, tag, change the status or add comments via the Manage incidents button.
+
+Use the filters to make sure Microsoft Defender for Office items are included.
+
+If you are looking for specific alerts, either use the incident search capability (*Search for name or ID*) or consider using the alert queue filtering on a specific alert.
+
+## Investigate & Respond to Incidents
+
+After you have prioritized your incident queue, click on the Incident youΓÇÖd like to investigate to load the incidents Overview page. There will be useful information such as *MITRE ATT&CK techniques observed* and a *timeline of the attack*.
+
+The tabs at the top of the incident page allow you to explore more details such as the affected users, mailboxes, endpoints, and et cetera.
+
+The *Evidence and Response* tab shows items identified as related to the original alert via the investigation.
+
+Any items showing as *Pending Action* within Evidence and Response are awaiting approval from an administrator. Sorting by the remediation status column in the *All Evidence* view is recommended, followed by clicking the entity or cluster to load the flyout menu where you can then approve the actions if appropriate.
+
+If you need to understand the items involved further, you can use the incident graph to see the visual linkage of the evidence and entities involved. Alternatively, you can review the underlying investigations, which will show more of the entities and items involved in the security event.
+
+## Next Steps
+
+You can start using *Action Center* to act on pending action items from all incidents in your organization if you want to focus on the action items AIR needs approval for.
+
+## More Information
+
+[Manage incidents in Microsoft 365 Defender | Microsoft Docs](../../defender/manage-incidents.md)
+
+[How automated investigation and response works in Microsoft Defender for Office 365](../automated-investigation-response-office.md)
+
+[Remediation actions in Microsoft Defender for Office 365](../air-remediation-actions.md)
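Review bot: In "Investigate & Respond to Incidents", the paragraph on *Pending Action* items tells the admin to approve from the flyout "if appropriate" but gives no criteria. The remediation actions article that would explain them is only linked at the bottom under "More Information"; link it inline at that sentence. "Prioritize & manage Incidents" is a sequence of actions written as loose paragraphs with a bare URL, whereas the sibling guides in this commit use numbered steps and link text, so convert it to match. Wording: "and et cetera" is redundant, "the incidents Overview page" needs a possessive, and the description's "AIR hunt across the subscription and determines" has a verb agreement error.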
security How To Run Attack Simulations For Your Team https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-run-attack-simulations-for-your-team.md
+
+ Title: How to run attack simulations for your team
+description: The steps to send an Attack Simulation payload to your target users for your team or organization for training. Simulated attacks can help you identify and find vulnerable users, policies and practices before a real attack impacts your organization.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# How to run attack simulations for your team
+
+Attack simulation training allows you to run realistic but benign cyber attack scenarios in your organization. Simulated attacks can help you identify and find vulnerable users, policies and practices before a real attack impacts your organization, leveraging inbuilt or custom training to reduce risk and better educate end users about threats.
+
+## What you'll need
+
+- Microsoft Defender for Office 365 Plan 2 (included as part of E5)
+- Sufficient permissions (Security Administrator role)
+- 5-10 minutes to perform the steps below.
+
+## Send a payload to target users
+
+1. Navigate to [Attack Simulation Training](https://security.microsoft.com/attacksimulator ) in your subscription.
+1. Choose **Simulations** from the top navigation bar.
+1. Select **Launch a simulation**.
+1. Pick the technique youΓÇÖd like to use from the flyout, and press **Next**.
+1. Name the Simulation with something relevant / memorable and press **Next**.
+1. Pick a relevant payload from the wizard, review the details and customize if appropriate, when you are happy with the choice, press **Next**.
+1. Choose who to target with the payload. If choosing the entire organization highlight the radio button and press **Next**.
+1. Otherwise, select **Add Users** and then search or filter the users with the wizard. Select Add User(s) and then **Next**.
+1. Under **Select training content preference**, leave the default *Microsoft training experience (Recommended)* or select *Redirect to a custom URL* if you want to use the custom URL. If you don't want to assign any training, then select *No training*.
+ - You can either let Microsoft assign training courses by selecting *Assign training for me* or you can choose specific modules with *Select training courses and modules myself*
+ - Select a Due Date (30, 15, or 7 days) from the drop-down menu.
+ - Click **Next** to continue.
+1. Customize the landing page displayed when a user is phished if appropriate, or otherwise leave the Microsoft Default.
+ 1. Under **Payload indicators**, check the box to add payload indicators to email. Adding payloads will help users to learn how to identify the phishing email. Select *Open preview panel* to view the message.
+ 1. Click **Next** to continue.
+1. Choose if youΓÇÖd like end user notifications, and if so, select the delivery preferences and customize where needed.
+ 1. Notice that you can also select *default language* for the notification under the **Select default language** drop-down menu.
+1. Select when to launch the simulation, and how long it should be valid for. You can also enable *region aware time zone delivery*. This option will deliver simulated attack messages to your employees during *their working hours* based on their region. Select **Next**.
+1. Send a test if you're ready. Review the summary of choices. Click **Submit**.
+
+### Further reading
+
+To learn how Attack Simulation works see [Simulate a phishing attack with Attack simulation training - Office 365 | Microsoft Docs](../../office-365-security/attack-simulation-training.md)
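Review bot: The link in step 1 has a trailing space inside the URL parentheses, `(https://security.microsoft.com/attacksimulator )`, which can break rendering of the link; remove the space. In the landing page sub-step, "Adding payloads will help users to learn how to identify the phishing email" should say "Adding payload indicators", since that is the option being checked. The last step puts "Send a test" before "Review the summary of choices"; reverse the order so the review happens first. The two targeting steps ("If choosing the entire organization" and "Otherwise, select **Add Users**") are alternatives and would read better as one step with two options.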
security How To Setup Attack Simulation Training For Automated Attacks And Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-setup-attack-simulation-training-for-automated-attacks-and-training.md
+
+ Title: How to setup automated attacks and training within Attack simulation training
+description: The steps to automate Attack Simulation training and send a payload to target users. By following this guide, you will learn to create automated attack flows with specific techniques and payloads.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# How to setup automated attacks and training within Attack simulation training
+
+Attack simulation training lets you run benign attack simulations on your organization to assess your phishing risk and teach your users how to better avoid phish attacks. By following this guide, you will configure automated flows with specific techniques and payloads that run when the specified conditions are met, launching simulations against your organization.
+
+## What youΓÇÖll need
+
+- Microsoft Defender for Office 365 Plan 2 (included as part of E5).
+- Sufficient permissions (Security Administrator role).
+- 5-10 minutes to perform the steps below.
+
+## Send a payload to target users
+
+1. Navigate to [Attack simulation training](https://security.microsoft.com/attacksimulator).
+1. Choose **Simulation automations** from the top navigation bar.
+1. Press **Create automation**.
+1. Name the Simulation automation with something relevant and memorable. *Next*.
+1. Pick the techniques youΓÇÖd like to use from the flyout. *Next*.
+1. Manually select up to 20 payloads youΓÇÖd like to use for this automation, or alternatively select Randomize. *Next*.
+1. If you picked OAuth as a Payload, youΓÇÖll need to enter the name, logo and scope (permissions) youΓÇÖd like the app to have when itΓÇÖs used in a simulation. *Next*.
+1. Choose who to target with the payload, if choosing the entire organization highlight the radio button. *Next*.
+1. Otherwise, select **Add Users** and then search or filter the users with the wizard, press Add User(s). *Next*.
+1. Customize the training if appropriate, otherwise leave Assign training for me (recommended) selected. *Next*.
+1. Customize the landing page displayed when a user is phished if appropriate, otherwise leave as the Microsoft Default. *Next*.
+1. Choose if youΓÇÖd like end user notifications, if so select the delivery preferences and customize where appropriate. *Next*.
+1. For Simulation schedule, you can either select **Randomized** or **Fixed**, the recommended option is Randomized, once selected, select *Next*.
+1. Depending on your choice of Randomized or Fixed, the schedule details may differ, but select preferences on the choice, including the start and end dates of the automation. *Next*.
+1. For **Launch Details**, select any final options you want, such as using unique payloads, or targeting repeat offenders and then select *Next*.
+1. **Submit** and the Simulation automation is setup.
+
+## Learn More
+
+Full guidance can be found at [Simulation automations for Attack simulation training - Office 365 | Microsoft Docs](../../office-365-security/attack-simulation-training-simulation-automations.md).
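Review bot: The section heading "Send a payload to target users" is carried over from the single-simulation guide, but these steps create a simulation automation; rename it to match the procedure, for example "Create a simulation automation". The OAuth step asks for the "scope (permissions)" the app should have without saying how to choose it; a short pointer to the full guidance linked under "Learn More" would help at that step. Style: the steps end in italic "*Next*." fragments while the sibling guide uses "press **Next**", several UI labels (Randomize, Add User(s), Assign training for me) are not bolded, and "setup" is used as a verb in the title, the H1 and the final step, where "set up" is correct.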
security Optimize And Correct Security Policies With Configuration Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/optimize-and-correct-security-policies-with-configuration-analyzer.md
+
+ Title: Optimize and correct security policies with configuration analyzer
+description: The steps to optimize and correct security policies with configuration analyzer. Configuration analyzer is a central location and single pane of glass for administering and viewing the email security policies you have configured in your tenant.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
+
+# Optimize and correct security policies with configuration analyzer
+
+Configuration analyzer is a central location and single pane of glass for administering and viewing the email security policies you have configured in your tenant. You can perform a side-to-side comparison of your settings to our Standard and Strict recommended settings, apply recommendations and view historical changes that affected your posture.
+
+## What youΓÇÖll need
+- Microsoft Defender for Office 365 Plan 1
+- Sufficient permissions (Security Administrator role)
+- 5 minutes to perform the steps below.
+
+## Compare settings and apply recommendations
+1. Navigate to [https://security.microsoft.com/configurationAnalyzer](https://security.microsoft.com/configurationAnalyzer).
+1. Pick either **Standard recommendations** or **Strict recommendations** from the top menu based on the side-to-side comparison youΓÇÖd like to make.
+1. Recommendations for policy changes will be displayed. (If applicable)
+1. You can then select a recommendation, note the recommended action, policy which the recommendation is applicable to, setting name & current configuration etc.
+1. With a recommendation selected, you can press **Apply recommendation** and then **OK** on the confirmation message that appears.
+1. If you wish to manually edit a policy, or confirm settings directly within the policy, you can press **View policy** instead of **Apply recommendation** which will load a new tab and take you directly to the affected policy for ease.
+
+## View historical configuration changes
+
+While in **Configuration analyzer** you can select **Configuration drift analysis and history** from the top menu bar.
+
+The page which loads will show you the modifications to your security policies in the timeframe selected by the filters, along with data about the change and if it increased or decreased your overall posture.
+
+To learn more details about Configuration Analyzer, see [Configuration analyzer for security policies - Office 365 | Microsoft Docs](../../office-365-security/configuration-analyzer-for-security-policies.md).
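Review bot: Step 5 applies a recommendation to a live policy with **Apply recommendation** and **OK**, and the option to inspect the policy first (**View policy**) only appears afterwards in step 6. Move the review option ahead of the apply step, and point to the "Configuration drift analysis and history" page described below as the way to confirm what was changed. Also: "side-to-side comparison" appears twice where "side-by-side" is meant, "(If applicable)" sits after the full stop in step 3, and the "What you'll need" and "Compare settings and apply recommendations" headings have no blank line before their lists, unlike the other guides in this commit.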
security Protect Your C Suite With Priority Account Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/protect-your-c-suite-with-priority-account-protection.md
+
+ Title: Protect your c-suite with Priority account protection in Microsoft Defender for Office 365 Plan 2
+description: The steps to protect your c-suite with priority account protection. Tagging an account as a Priority account will enable the additional protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
+
+# Protect your c-suite with priority account protection
+
+Priority account protection helps IT and security teams ensure a high quality of service and protection for the critical people within your organization. Tagging an account as a priority account will enable the additional protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations.
+
+## What youΓÇÖll need
+- Microsoft Defender for Office 365 Plan 2 (included as part of E5 plans)
+- Sufficient permissions (Security Administrator role)
+- 5 minutes to perform the steps below.
+
+## Tag Priority users
+1. Identify the users, groups, or domains you would like to tag as priority accounts.
+1. Login to the [Microsoft Security Portal](https://security.microsoft.com/) and navigate to Settings on the left navigation bar.
+1. Select Email & collaboration on the page that loads and then click User tags
+1. On the User tags page, select the Priority account tag and press Edit tag
+1. On the flyout that appears, select Add members
+1. Search for the users you wish to tag, select one or more users and press Add
+1. Review the members you have selected and press Next
+1. Press Submit to confirm the changes
+
+To learn what priority account tags are see [Manage and monitor priority accounts - Microsoft 365 admin | Microsoft Docs](../../../admin/setup/priority-accounts.md).
+
+## Next Steps
+[Review the differentiated protection for users tagged as priority accounts](../../office-365-security/configure-review-priority-account.md).
+
+## PowerShell configuration
+If you want to achieve these steps via PowerShell, you can do this using the following cmdlets:
+1. View a list of priority accounts: **Get-User -IsVIP | select Identity**
+1. Add user to list of priority accounts: **Set-User -VIP:$true -Identity \<Identity\>**
+1. Remove user from list of priority accounts: **Set-User -VIP:$false -Identity \<Identity\>**
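Review bot: Step 1 of "Tag Priority users" says to identify "users, groups, or domains", but the remaining steps only search for and add users; either narrow step 1 to users or document how groups and domains are tagged. In "PowerShell configuration", the cmdlets are set in bold with escaped `\<Identity\>` placeholders, so please use code formatting so they can be copied cleanly, and say which PowerShell module or session the reader needs to be connected to before running them. Steps 3 to 8 leave UI labels unbolded and drop the closing period, and "Login to" should be "Log in to" or "Sign in to".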
security Search For Emails And Remediate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/search-for-emails-and-remediate-threats.md
+
+ Title: Search for emails and remediate threats using Threat Explorer in Microsoft 365 Defender
+description: The steps to do manual remediation in Threat Explorer in Microsoft 365 Defender, including how to get the best performance and scenarios that call for remediation.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# Steps to use manual email remediation in Threat Explorer
+
+Email remediation is an already existing feature that helps admins act on emails that are threats.
+
+## What youΓÇÖll need
+- Microsoft Defender for Office 365 Plan 2
+- Sufficient permissions (be sure to grant the account [Search and Purge](https://sip.security.microsoft.com/securitypermissions) role)
+
+## Create and track the remediation
+
+1. **Select a threat to remediate** in [Threat Explorer](https://security.microsoft.com/threatexplorer) and select the **Message Actions** button, which will offer you options such as *Soft Delete* or *Hard Delete*.
+1. The side pane will open and ask for details like a name for the remediation, severity, and description. Once the information is reviewed, press **Submit**.
+1. As soon as the admin approves this action, they will see the Approval ID and a link to the Microsoft 365 Defender Action Center [here](https://security.microsoft.com/action-center/history). This page is where **actions can be tracked**.
+
+ 1. **Admin action alert** - A system alert shows up in the alert queue with the name ΓÇÿAdministrative action submitted by an AdministratorΓÇÖ. This indicates that an admin took the action of remediating an entity. It gives details such as the name of the admin who took the action, and the investigation link and time. This makes admins aware of each important action, like remediation, taken on entities.
+ 1. **Admin action investigation** - Since the analysis on entities was already done by the admin and thatΓÇÖs what led to the action taken, no additional analysis is done by the system. It shows details such as related alert, entity selected for remediation, action taken, remediation status, entity count, and approver of the action. This allows admins to keep track of the investigation and actions carried out *manually*--an admin action investigation.
+1. **Action logs in unified action center** - History and action logs for email actions like soft delete and move to deleted items folder, are *all available in a centralized view* under the unified **Action Center** > **History tab**.
+1. **Filters in unified action center** - There are multiple filters such as remediation name, approval ID, Investigation ID, status, action source, and action type. These are useful for finding and tracking email actions in unified Action center.
+
+> [!IMPORTANT]
+> Performance
+>For better performance, remediation should be done in batches of *50,000 or fewer*. Narrow down the search result by using *latest delivery location* and trigger email remediation if the email is in remediable folder like Inbox, Junk, Deleted, for example.
+
+## Scenarios that call for email remediation
+
+Here are scenarios of email remediation:
+
+1. As part of an investigation SecOps identifies a threat in an end-userΓÇÖs mailbox and wants to clear out the problem email(s).
+1. When suggested email actions in Automated Investigation and Response (AIR) are approved by SecOps, remediation action triggers automatically for the given email or email cluster.
+
+Two manual email remediation scenarios:
+
+1. The main scenario:
+ 1. Manual actions taken on emails (for example, using Threat Explorer or Advanced Hunting) are only visible in the legacy Defender for Office 365 Action Center (Email and Collaboration > Review > Action Center in Action center - Microsoft 365 security).
+1. Two-step approval scenario:
+ 1. Manual actions pending approval using the two-step approval process (1. The email was added to remediation by one analyst, 2. The email was reviewed and approved by another analyst).
+
+Given the common scenarios, email remediation can be triggered in three different ways.
+
+1. **Query based remediation**: By selecting all the search results with a query (200,000 emails can be submitted at a maximum).
+1. **Handpicked remediation**: Selecting emails one-by-one by clicking on the check box (100 emails can be submitted at one time).
+1. **Query based remediation with exclusions**: Selecting all emails, and then manually removing a few messages (the query can hold a maximum of 1,000 emails and the maximum number of exclusions is 100).
+
+## Next Steps
+1. Go to the [Microsoft 365 Defender portal](https://security.microsoft.com) and sign in.
+1. In the navigation pane, select **Action center**.
+1. Go to the **History** tab, click on any waiting approval list. It opens up a side pane.
+1. Track the action status in the unified action center.
+
+## More information
+
+[Learn more about email remediation](../../office-365-security/air-review-approve-pending-completed-actions.md)
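Review bot: The submission limits do not agree with each other. The Performance note recommends batches of "50,000 or fewer", query-based remediation allows "200,000 emails", and query-based remediation with exclusions says "the query can hold a maximum of 1,000 emails". Please confirm the figures and state how the recommended batch size relates to the hard limits. There is a second inconsistency: the "main scenario" bullet says manual actions "are only visible in the legacy Defender for Office 365 Action Center", while the tracking list above says email action logs are "all available in a centralized view" in the unified Action Center. Other points: step 3 says "As soon as the admin approves this action" although the preceding step is a submit; the permissions link uses `sip.security.microsoft.com` where the rest of the guide uses `security.microsoft.com`; the link text "here" should be descriptive; and the IMPORTANT callout has a stray "Performance" line and a missing space after `>`.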
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
Delivering user reported messages to a custom mailbox instead of directly to Mic
Use the following articles to configure the prerequisites required so user reported messages go to your custom mailbox: -- Skip spam filtering on the custom mailbox by creating an exchange mail flow rule to set the spam confidence level. See [Use the EAC to create a mail flow rule that sets the SCL of a message](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl#use-the-eac-to-create-a-mail-flow-rule-that-sets-the-scl-of-a-message) to set the SCL to **Bypass spam filtering**.
+- [Identify the custom mailbox as a SecOps mailbox in the advanced delivery policy](configure-advanced-delivery.md#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy)
-- [Create an anti-malware policy](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) that includes the custom mailbox where zero-hour auto purge (ZAP) for malware is turned off (**Protection settings** section \> **Enable zero-hour auto purge for malware** is not selected).--- [Create an anti-spam policy](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) that includes the custom mailbox where ZAP for spam and ZAP for phishing are turned off (**Zero-hour auto purge** section \> **Enabled zero-hour auto purge (ZAP)** is not selected).
+- [Create an anti-malware policy](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) for the custom mailbox where zero-hour auto purge (ZAP) for malware is turned off (**Protection settings** section \> **Enable zero-hour auto purge for malware** is not selected).
If you have Microsoft Defender for Office 365, you should also configure the following settings so that our advanced filtering does not impact the users reporting messages: -- [Create a Safe Links policy](set-up-safe-links-policies.md) that includes the custom mailbox where Safe Links scanning is turned off (**Select the action for unknown potentially malicious URLs in messages** section \> **Off**).
+- [Create a Safe Links policy](set-up-safe-links-policies.md) for the custom mailbox where Safe Links scanning is turned off (**Select the action for unknown potentially malicious URLs in messages** section \> **Off**).
-- [Create a Safe Attachments policy](set-up-safe-attachments-policies.md) that includes the custom mailbox where Safe Attachments scanning is turned off (**Safe Attachments unknown malware response** section \> **Off**).
+- [Create a Safe Attachments policy](set-up-safe-attachments-policies.md) for the custom mailbox where Safe Attachments scanning is turned off (**Safe Attachments unknown malware response** section \> **Off**).
After you've verified that your mailbox meets all applicable prerequisites, you can use the procedures in this article to configure the user submissions mailbox.
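Review bot: The added "Create an anti-malware policy" bullet still links to `configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies`, an anti-spam target inherited from the removed line; point it at the anti-malware policy article instead. The change also drops the mail flow rule that set the SCL and the anti-spam policy bullet that turned off ZAP for spam and phishing, and replaces them with the SecOps mailbox entry in the advanced delivery policy. Please say in the text that this entry covers both, so readers who followed the old prerequisites know what they can remove. Since the remaining bullets turn off ZAP for malware, Safe Links and Safe Attachments, the wording "for the custom mailbox" should make explicit that each policy is scoped to that mailbox only.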