Updates from: 06/22/2021 03:12:43
Category Microsoft Docs article Related commit history on GitHub Change details
admin Cortana Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/cortana-integration.md
description: "Users with valid work or school accounts can get Cortana in Micros
# Cortana in Microsoft 365
-Cortana, your personal productivity assistant, offers AI-powered experiences to save time and focus attention on what matters most. Cortana will help your users increase their personal productivity for their whole day across both work and life. When signed in with valid work or school accounts, users can get cloud-based assistance services with Cortana in Microsoft 365 experiences that meet Office 365ΓÇÖs enterprise-level privacy, security, and compliance promises (ΓÇ£Cortana enterprise servicesΓÇ¥).
+Cortana, your personal productivity assistant, offers AI-powered experiences to save time and focus attention on what matters most. Cortana is designed to deliver features that safely and securely process and reason over Office 365 data like emails, files, chats, etc., to save time, increase efficiency, and enhance your usersΓÇÖ productivity.
-As a personal productivity assistant, Cortana is designed to deliver features that safely and securely process and reason over Office 365 data like emails, files, chats, etc., to save time, increase efficiency, and enhance your usersΓÇÖ productivity.
+When signed in with valid work or school accounts, users can get cloud-based assistance services with Cortana in Microsoft 365 experiences that meet Office 365ΓÇÖs enterprise-level privacy, security, and compliance promises (ΓÇ£**Cortana enterprise services**ΓÇ¥).
-Moving forward, we're focusing Cortana on enterprise productivity.
+
+- **Cortana enterprise services include** Cortana in Windows 10 (version 2004 and later), Outlook for iOS and Android, Microsoft Teams mobile apps for iOS and Android and [Microsoft Teams displays](/microsoftteams/devices/teams-displays).
+
+- These different experiences are subject to separate licensing terms and have separate opt-out steps described below.
- Consistent with other Office 365 services, Cortana enterprise services meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products). - New Microsoft 365 experiences, such as the Briefing email and Play My Emails, will be enabled using Cortana enterprise services and fully comply with those promises. These features are currently available worldwide (standard multi-tenant). For more information on finding the usage location, please visit [View additional property values for accounts](../../enterprise/view-user-accounts-with-microsoft-365-powershell.md?view=o365-worldwide#view-additional-property-values-for-accounts). -- Users may connect to Cortana enterprise services described here through Cortana in Windows 10 (version 2004 and later), as well as client applications, such as Outlook for iOS and Android, subject to separate licensing terms. --- Existing consumer experiences, including Cortana in Windows 10 (version 1909 and earlier) and the Cortana app on iOS and Android, are governed by the [Microsoft Services Agreement](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) (see ΓÇ£Existing services for consumersΓÇ¥ section below). These terms will also govern Cortana enterprise services provided to the user when signed in with their consumer credentials.
+- Existing consumer experiences, including Cortana in Windows 10 (version 1909 and earlier), are governed by the [Microsoft Services Agreement](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) (see ΓÇ£Existing services for consumersΓÇ¥ section below). These terms will also govern Cortana enterprise services provided to the user when signed in with their consumer credentials.
## What data is processed by Cortana enterprise services?
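Review bot: the rewritten consumer-experiences bullet drops "the Cortana app on iOS and Android" from the list governed by the Microsoft Services Agreement, and no added line says which terms now cover that app or whether it is still offered. Please state that explicitly so admins are not left guessing which privacy terms apply. Separately, the new bullet "These different experiences ... have separate opt-out steps described below" would be easier to act on if it linked to the individual opt-out sections.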
Cortana in Windows 10, version 2004 and later, meets the same enterprise-level p
### How to opt out of Cortana in Windows 10
-Admins can configure Cortana in Windows 10 for their organization using the Experience\AllowCortana MDM policy or via the Group Policy: Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana.
+Opting out of Cortana in Windows 10 does not opt out of other experiences which are controlled separately. Admins can configure Cortana in Windows 10 for their organization using the Experience\AllowCortana MDM policy or via the Group Policy: Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana.
Beginning with Windows 10, version 2004, Cortana is a Universal Windows Platform (UWP) app preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store).
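Review bot: the added opening sentence of the opt-out paragraph says other experiences "are controlled separately" but does not name them or point to their controls. An admin who sets Experience\AllowCortana may still assume Cortana is off everywhere. Suggest naming the experiences that remain enabled (the Teams and Outlook mobile ones listed earlier in the article) and linking to their opt-out sections.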
Beginning with Windows 10, version 2004, Cortana is a Universal Windows Platform
### Cortana voice assistance in Teams > [!NOTE]
-> Cortana voice assistance is supported in Microsoft Teams mobile apps for iOS and Android and Microsoft Teams displays for users in the United States, United Kingdom, Canada, India, and Australia. Microsoft Teams Rooms on Windows is only supported for users in the United States. Cortana voice assistance isn't currently available for GCC, GCC-High, DoD, EDU tenants. Expansion to additional languages and regions will happen as part of future releases.
+> Cortana voice assistance is supported in Microsoft Teams mobile apps for iOS and Android and [Microsoft Teams displays](/microsoftteams/devices/teams-displays) in the English language for users in the United States, United Kingdom, Canada, India, and Australia. Microsoft Teams Rooms on Windows is only supported for users in the United States. Cortana voice assistance isn't currently available for GCC, GCC-High, DoD, EDU tenants. Expansion to additional languages and regions will happen as part of future releases and admin customers will be notified through Message Center and the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=65346).
Cortana voice assistance in the Teams mobile app and on Microsoft Teams display devices enables Microsoft 365 Enterprise users to streamline communication, collaboration, and meeting-related tasks using spoken natural language. Users can speak to Cortana by selecting the microphone button located in the upper right of the Teams mobile app, or by saying “Cortana” in the Microsoft Teams display. To quickly connect with their team hands-free and while on the go, users can say queries such as “call Megan” or “send a message to my next meeting”. Users can also join meetings by saying “join my next meeting” and use voice assistance to share files, check their calendar, and more. These voice assistance experiences are delivered using Cortana enterprise-grade services that fully comply with Office 365's privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products).
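Review bot: in the updated note, "in the English language" is placed after the Microsoft Teams displays link, so it is unclear whether the restriction applies to the displays only or also to the Teams mobile apps. Consider moving it to the start of the support statement. The final sentence now joins the expansion statement and the notification channels with "and"; splitting it in two would read better, and "admin customers" could simply be "admins".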
Initially, this new conversational AI capability with Cortana will be available
### Conversational AI with Cortana in Outlook with iOS is an opt-in experience
-Individual users will be prompted to opt in to the conversational AI experience the first time they select the ΓÇ£Ask CortanaΓÇ¥ mic button in Outlook on iOS.
+Individual users will be prompted to opt in to the conversational AI experience the first time they select the ΓÇ£Use VoiceΓÇ¥ mic button in Outlook on iOS.
### Play My Emails
Play My Emails (as connected to through Outlook mobile) is a voice-driven, hands
Cortana will call out when an email is protected and briefly pause before reading the message to give users enough time to pause playback or skip to the next message. Similar to a private phone call, users should exercise caution when initiating playback in locations where confidential information could potentially be overheard. In these instances, it's recommended that employees of your organization wear headphones in appropriate environments when using Play My Emails in Outlook mobile.
-### Opt out of Play My Emails
+### How to opt out of Play My Emails
Individuals can opt out of Play My Emails using the following steps.
For services governed by the [Microsoft Services Agreement](https://go.microsoft
[Cortana voice assistance in Teams](/microsoftteams/cortana-in-teams) (article)\ [Configure Cortana in Windows 10](/windows/configuration/cortana-at-work/cortana-at-work-overview) (article)\ [What can you do with Play My Emails from Cortana?](https://support.microsoft.com/help/4558256)+
commerce Manage Billing Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-notifications.md
You must be a Global admin to do the steps described in this article. Billing ad
## Change the language you receive email in
-> [!NOTE]
-> Billing admins can also do the steps in this section.
- Billing notification emails are sent in your organizationΓÇÖs preferred language. To change the preferred language, use the following steps. 1. In the Microsoft 365 admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page.
In addition to your Global and Billing admins, we send billing notifications to
## Receive your organization's invoices as email attachments
+> [!NOTE]
+> Billing admins can also do the steps in this section.
+ You can have a copy of your organization's invoice attached as a PDF file to invoice notification emails when a new invoice is ready. Use the following steps to receive invoices as attachments. 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page.
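Review bot: the "Billing admins can also do the steps in this section" note is removed from "Change the language you receive email in" and added under "Receive your organization's invoices as email attachments", so the language section now falls back to the Global admin requirement stated at the top of the article. Please confirm that this matches the actual role check. If Billing admins can still change the language, keep the note in both sections so readers do not reach for a Global admin account unnecessarily.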
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
Title: "Alert policies in the security and compliance centers"
+ Title: "Microsoft 365 alert policies"
f1.keywords: - NOCSH audience: Admin-+ localization_priority: Normal
search.appverid: - MET150 - MOE150 - seo-marvel-apr2020
-description: "Create alert policies in the security and compliance center in Office 365 and Microsoft 365 to monitor potential threats, data loss, and permissions issues."
+description: "Create alert policies in the Microsoft 365 compliance center to monitor potential threats, data loss, and permissions issues."
-# Alert policies in the security and compliance center
+# Alert policies in the Microsoft 365 compliance center
-You can use the alert policy and alert dashboard tools in the Microsoft 365 security and compliance centers to create alert policies and then view the alerts generated when users perform activities that match the conditions of an alert policy. There are several default alert policies that help you monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.
+You can use the alert policy and alert dashboard tools in the Microsoft 365 compliance center to create alert policies and then view the alerts generated when users perform activities that match the conditions of an alert policy. There are several default alert policies that help you monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.
-Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to all users in your organization, set a threshold level for when an alert is triggered, and decide whether to receive email notifications when alerts are triggered. There's also a **View alerts** page in the security and compliance center where you can view and filter alerts, set an alert status to help you manage alerts, and then dismiss alerts after you've addressed or resolved the underlying incident.
+Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to all users in your organization, set a threshold level for when an alert is triggered, and decide whether to receive email notifications when alerts are triggered. There's also a **Alerts** page in the compliance center where you can view and filter alerts, set an alert status to help you manage alerts, and then dismiss alerts after you've addressed or resolved the underlying incident.
> [!NOTE] > Alert policies are available for organizations with a Microsoft 365 Enterprise, Office 365 Enterprise, or Office 365 US Government E1/F1/G1, E3/F3/G3, or E5/G5 subscription. Advanced functionality is only available for organizations with an E5/G5 subscription, or for organizations that have an E1/F1/G1 or E3/F3/G3 subscription and a Microsoft Defender for Office 365 P2 or a Microsoft 365 E5 Compliance or an E5 eDiscovery and Audit add-on subscription. The functionality that requires an E5/G5 or add-on subscription is highlighted in this topic. Also note that alert policies are available in Office 365 GCC, GCC High, and DoD US government environments.
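Review bot: the added overview paragraph reads "There's also a **Alerts** page"; with the page renamed from **View alerts**, the article should be "an". The rest of the rename in this hunk (title, description, H1) is consistent.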
Alert policies let you categorize the alerts that are triggered by a policy, app
Here's a quick overview of how alert policies work and the alerts that are triggers when user or admin activity matches the conditions of an alert policy.
-![Overview of how alert policies work](../media/e02a622d-b429-448b-8107-dd1a4770b4e0.png)
+![Overview of how alert policies work](../media/M365-AlertPolicies-Overview.png)
-1. An admin in your organization creates, configures, and turns on an alert policy by using the **Alert policies** page in the security and compliance center. You can also create alert policies by using the [New-ProtectionAlert](/powershell/module/exchange/new-protectionalert) cmdlet in Security & Compliance Center PowerShell.
+1. An admin in your organization creates, configures, and turns on an alert policy by using the **Alert policies** page in the compliance center. You can also create alert policies by using the [New-ProtectionAlert](/powershell/module/exchange/new-protectionalert) cmdlet in Security & Compliance Center PowerShell.
- To create alert policies, you have to be assigned the Manage Alerts role or the Organization Configuration role in the security and compliance center.
+ To create alert policies, you have to be assigned the Manage Alerts role or the Organization Configuration role in the compliance center.
> [!NOTE] > It takes up to 24 hours after creating or updating an alert policy before alerts can be triggered by the policy. This is because the policy has to be synced to the alert detection engine. 2. A user performs an activity that matches the conditions of an alert policy. In the case of malware attacks, infected email messages sent to users in your organization trigger an alert.
-3. Microsoft 365 generates an alert that's displayed on the **View alerts** page in the Security & Compliance Center. Also, if email notifications are enabled for the alert policy, Microsoft sends a notification to a list of recipients. The alerts that an admin or other users can see that on the View alerts page is determined by the roles assigned to the user. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
+3. Microsoft 365 generates an alert that's displayed on the **Alerts** page in Microsoft 365 compliance center. Also, if email notifications are enabled for the alert policy, Microsoft sends a notification to a list of recipients. The alerts that an admin or other users can see that on the Alerts page is determined by the roles assigned to the user. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
-4. An admin manages alerts in the security and compliance center. Managing alerts consists of assigning an alert status to help track and manage any investigation.
+4. An admin manages alerts in the compliance center. Managing alerts consists of assigning an alert status to help track and manage any investigation.
## Alert policy settings
-An alert policy consists of a set of rules and conditions that define the user or admin activity that generates an alert, a list of users who trigger the alert if they perform the activity, and a threshold that defines how many times the activity has to occur before an alert is triggered. You also categorize the policy and assign it a severity level. These two settings help you manage alert policies (and the alerts that are triggered when the policy conditions are matched) because you can filter on these settings when managing policies and viewing alerts in the security and compliance center. For example, you can view alerts that match the conditions from the same category or view alerts with the same severity level.
+An alert policy consists of a set of rules and conditions that define the user or admin activity that generates an alert, a list of users who trigger the alert if they perform the activity, and a threshold that defines how many times the activity has to occur before an alert is triggered. You also categorize the policy and assign it a severity level. These two settings help you manage alert policies (and the alerts that are triggered when the policy conditions are matched) because you can filter on these settings when managing policies and viewing alerts in the compliance center. For example, you can view alerts that match the conditions from the same category or view alerts with the same severity level.
-To view and create alert policies, go to [https://protection.office.com](https://protection.office.com) and then select **Alerts** \> **Alert policies**.
+**To view and create alert policies:**
-![In the security and compliance center, select Alerts, then select Alert policies to view and create alert policies](../media/09ebd451-8e84-44e1-aefc-63e70bba4d97.png)
+Go to <https://compliance.microsoft.com> and then select **Policies** > **Alert** > **Alert policies**. Alternatively, you can go directly to <https://compliance.microsoft.com/alertpolicies>.
+
+![In the compliance center, select Policies,and under Alert, select Alert policies to view and create alert policies](../media/LaunchAlertPoliciesMCC.png)
An alert policy consists of the following settings and conditions. -- **Activity the alert is tracking** - You create a policy to track an activity or in some cases a few related activities, such a sharing a file with an external user by sharing it, assigning access permissions, or creating an anonymous link. When a user performs the activity defined by the policy, an alert is triggered based on the alert threshold settings.
+- **Activity the alert is tracking**. You create a policy to track an activity or in some cases a few related activities, such a sharing a file with an external user by sharing it, assigning access permissions, or creating an anonymous link. When a user performs the activity defined by the policy, an alert is triggered based on the alert threshold settings.
> [!NOTE] > The activities that you can track depend on your organization's Office 365 Enterprise or Office 365 US Government plan. In general, activities related to malware campaigns and phishing attacks require an E5/G5 subscription or an E1/F1/G1 or E3/F3/G3 subscription with an [Defender for Office 365](../security/office-365-security/defender-for-office-365.md) Plan 2 add-on subscription. -- **Activity conditions** - For most activities, you can define additional conditions that must be met to trigger an alert. Common conditions include IP addresses (so that an alert is triggered when the user performs the activity on a computer with a specific IP address or within an IP address range), whether an alert is triggered if a specific user or users perform that activity, and whether the activity is performed on a specific file name or URL. You can also configure a condition that triggers an alert when the activity is performed by any user in your organization. The available conditions are dependent on the selected activity.
+- **Activity conditions**. For most activities, you can define additional conditions that must be met to trigger an alert. Common conditions include IP addresses (so that an alert is triggered when the user performs the activity on a computer with a specific IP address or within an IP address range), whether an alert is triggered if a specific user or users perform that activity, and whether the activity is performed on a specific file name or URL. You can also configure a condition that triggers an alert when the activity is performed by any user in your organization. The available conditions are dependent on the selected activity.
-- **When the alert is triggered** - You can configure a setting that defines how often an activity can occur before an alert is triggered. This allows you to set up a policy to generate an alert every time an activity matches the policy conditions, when a certain threshold is exceeded, or when the occurrence of the activity the alert is tracking becomes unusual for your organization.
+- **When the alert is triggered**. You can configure a setting that defines how often an activity can occur before an alert is triggered. This allows you to set up a policy to generate an alert every time an activity matches the policy conditions, when a certain threshold is exceeded, or when the occurrence of the activity the alert is tracking becomes unusual for your organization.
- ![Configure how alerts are triggered, based on when the activity occurs, a threshold, or unusual activity for your organization](../media/97ee1ed2-e7a9-47a2-a980-5f9f63872c65.png)
+ ![Configure how alerts are triggered, based on when the activity occurs, a threshold, or unusual activity for your organization](../media/howalertsaretriggered.png)
If you select the setting based on unusual activity, Microsoft establishes a baseline value that defines the normal frequency for the selected activity. It takes up to seven days to establish this baseline, during which alerts won't be generated. After the baseline is established, an alert is triggered when the frequency of the activity tracked by the alert policy greatly exceeds the baseline value. For auditing-related activities (such as file and folder activities), you can establish a baseline based on a single user or based on all users in your organization; for malware-related activities, you can establish a baseline based on a single malware family, a single recipient, or all messages in your organization. > [!NOTE] > The ability to configure alert policies based on a threshold or based on unusual activity requires an E5/G5 subscription, or an E1/F1/G1 or E3/F3/G3 subscription with a Microsoft Defender for Office 365 P2, Microsoft 365 E5 Compliance, or Microsoft 365 eDiscovery and Audit add-on subscription. Organizations with an E1/F1/G1 and E3/F3/G3 subscription can only create alert policies where an alert is triggered every time that an activity occurs. -- **Alert category** - To help with tracking and managing the alerts generated by a policy, you can assign one of the following categories to a policy.
+- **Alert category**. To help with tracking and managing the alerts generated by a policy, you can assign one of the following categories to a policy.
- Data loss prevention
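Review bot: the added step 3 keeps a broken sentence from the removed line: "The alerts that an admin or other users can see that on the Alerts page is determined by the roles". Suggest "The alerts that an admin or other users can see on the **Alerts** page are determined by the roles assigned to the user", which also matches the bold page name used elsewhere in the change. Two smaller carry-overs in the same region: the **Activity the alert is tracking** bullet still says "such a sharing a file" (should be "such as"), and the new image alt text reads "Policies,and" without a space.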
An alert policy consists of the following settings and conditions.
- Others
- When an activity occurs that matches the conditions of the alert policy, the alert that's generated is tagged with the category defined in this setting. This allows you to track and manage alerts that have the same category setting on the **View alerts** page in the security and compliance center because you can sort and filter alerts based on category.
+ When an activity occurs that matches the conditions of the alert policy, the alert that's generated is tagged with the category defined in this setting. This allows you to track and manage alerts that have the same category setting on the **Alerts** page in the compliance center because you can sort and filter alerts based on category.
-- **Alert severity** - Similar to the alert category, you assign a severity attribute (**Low**, **Medium**, **High**, or **Informational**) to alert policies. Like the alert category, when an activity occurs that matches the conditions of the alert policy, the alert that's generated is tagged with the same severity level that's set for the alert policy. Again, this allows you to track and manage alerts that have the same severity setting on the **View alerts** page. For example, you can filter the list of alerts so that only alerts with a **High** severity are displayed.
+- **Alert severity**. Similar to the alert category, you assign a severity attribute (**Low**, **Medium**, **High**, or **Informational**) to alert policies. Like the alert category, when an activity occurs that matches the conditions of the alert policy, the alert that's generated is tagged with the same severity level that's set for the alert policy. Again, this allows you to track and manage alerts that have the same severity setting on the **Alerts** page. For example, you can filter the list of alerts so that only alerts with a **High** severity are displayed.
> [!TIP] > When setting up an alert policy, consider assigning a higher severity to activities that can result in severely negative consequences, such as detection of malware after delivery to users, viewing of sensitive or classified data, sharing data with external users, or other activities that can result in data loss or security threats. This can help you prioritize alerts and the actions you take to investigate and resolve the underlying causes. -- **Email notifications** - You can set up the policy so that email notifications are sent (or not sent) to a list of users when an alert is triggered. You can also set a daily notification limit so that once the maximum number of notifications has been reached, no more notifications are sent for the alert during that day. In addition to email notifications, you or other administrators can view the alerts that are triggered by a policy on the **View alerts** page. Consider enabling email notifications for alert policies of a specific category or that have a higher severity setting.
+- **Email notifications**. You can set up the policy so that email notifications are sent (or not sent) to a list of users when an alert is triggered. You can also set a daily notification limit so that once the maximum number of notifications has been reached, no more notifications are sent for the alert during that day. In addition to email notifications, you or other administrators can view the alerts that are triggered by a policy on the **Alerts** page. Consider enabling email notifications for alert policies of a specific category or that have a higher severity setting.
## Default alert policies Microsoft provides built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. On the **Alert policies** page, the names of these built-in policies are in bold and the policy type is defined as **System**. These policies are turned on by default. You can turn off these policies (or back on again), set up a list of recipients to send email notifications to, and set a daily notification limit. The other settings for these policies can't be edited.
-The following table lists and describes the available default alert policies and the category each policy is assigned to. The category is used to determine which alerts a user can view on the View alerts page. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
+The following table lists and describes the available default alert policies and the category each policy is assigned to. The category is used to determine which alerts a user can view on the Alerts page. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
The table also indicates the Office 365 Enterprise and Office 365 US Government plan required for each one. Some default alert policies are available if your organization has the appropriate add-on subscription in addition to an E1/F1/G1 or E3/F3/G3 subscription.
The table also indicates the Office 365 Enterprise and Office 365 US Government
|**Unusual volume of file deletion**|Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame. This policy has a **Medium** severity setting.|Information governance|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription| |**Unusual increase in email reported as phish**|Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail. This policy has a **Medium** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription| |**User impersonation phish delivered to inbox/folder**<sup>1,</sup><sup>2</sup>|Generates an alert when Microsoft detects that an admin or user override has allowed the delivery of a user impersonation phishing message to the inbox (or other user-accessible folder) of a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **Medium** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**User restricted from sending email**|Generates an alert when someone in your organization is restricted from sending outbound mail. This typically results when an account is compromised, and the user is listed on the **Restricted Users** page in the Security & Compliance Center. (To access this page, go to **Threat management > Review > Restricted Users**). This policy has a **High** severity setting. For more information about restricted users, see [Removing a user, domain, or IP address from a block list after sending spam email](/office365/securitycompliance/removing-user-from-restricted-users-portal-after-spam).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**User restricted from sending email**|Generates an alert when someone in your organization is restricted from sending outbound mail. This typically results when an account is compromised, and the user is listed on the **Restricted Users** page in the Microsoft 365 compliance center. (To access this page, go to **Threat management > Review > Restricted Users**). This policy has a **High** severity setting. For more information about restricted users, see [Removing a user, domain, or IP address from a block list after sending spam email](/office365/securitycompliance/removing-user-from-restricted-users-portal-after-spam).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
|**User restricted from sharing forms and collecting responses**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High** severity setting.|Threat management|E1, E3/F3, or E5| |||||
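Review bot: in the **User restricted from sending email** row, the portal name changes to "Microsoft 365 compliance center" but the navigation path "**Threat management > Review > Restricted Users**" and the /office365/securitycompliance/ link are left as they were. Please verify that this path exists under the renamed portal. If the Restricted Users page is reached from a different portal, the row should name that portal, since responders follow this text when handling a suspected compromised account.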
The unusual activity monitored by some of the built-in policies is based on the
## Viewing alerts
-When an activity performed by users in your organization matches the settings of an alert policy, an alert is generated and displayed on the **View alerts** page in the security and compliance center. Depending on the settings of an alert policy, an email notification is also sent to a list of specified users when an alert is triggered. For each alert, the dashboard on the **View alerts** page displays the name of the corresponding alert policy, the severity and category for the alert (defined in the alert policy), and the number of times an activity has occurred that resulted in the alert being generated. This value is based on the threshold setting of the alert policy. The dashboard also shows the status for each alert. For more information about using the status property to manage alerts, see [Managing alerts](#managing-alerts).
+When an activity performed by users in your organization matches the settings of an alert policy, an alert is generated and displayed on the **Alerts** page in the compliance center. Depending on the settings of an alert policy, an email notification is also sent to a list of specified users when an alert is triggered. For each alert, the dashboard on the **Alerts** page displays the name of the corresponding alert policy, the severity and category for the alert (defined in the alert policy), and the number of times an activity has occurred that resulted in the alert being generated. This value is based on the threshold setting of the alert policy. The dashboard also shows the status for each alert. For more information about using the status property to manage alerts, see [Managing alerts](#managing-alerts).
-To view alerts, go to [https://protection.office.com](https://protection.office.com) and then select **Alerts** \> **View alerts**.
+To view alerts, go to <https://compliance.microsoft.com> and then select **Alerts**. Alternatively, you can go directly to <https://compliance.microsoft.com/compliancealerts>.
-![In the security and compliance, select Alerts, then select View alerts to view alerts](../media/ec5ea59b-bf61-459f-8b65-970ab4bb8bcc.png)
+![In the Microsoft 365 compliance center, select Alerts](../media/ViewAlertsMCC.png)
-You can use the following filters to view a subset of all the alerts on the **View alerts** page.
+You can use the following filters to view a subset of all the alerts on the **Alerts** page.
- **Status.** Use this filter to show alerts that are assigned a particular status. The default status is **Active**. You or other administrators can change the status value.
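Review bot: The added lines in this section call the portal "the compliance center" from its first mention, while other lines in the same change (the "User restricted from sending email" row, the RBAC section, the new image alt text) spell out "Microsoft 365 compliance center". Use the full name at first mention in each section and the short form only afterwards, so readers who land here from a link do not have to guess which portal is meant.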
You can use the following filters to view a subset of all the alerts on the **Vi
- **Tags.** Use this filter to show alerts from one or more user tags. Tags are reflected based on tagged mailboxes or users that appear in the alerts. See [User tags in Office 356 ATP](../security/office-365-security/user-tags.md) to learn more. -- **Source.** Use this filter to show alerts triggered by alert policies in the security and compliance center or alerts triggered by Office 365 Cloud App Security policies, or both. For more information about Office 365 Cloud App Security alerts, see [Viewing Cloud App Security alerts](#viewing-cloud-app-security-alerts).
+- **Source.** Use this filter to show alerts triggered by alert policies in the compliance center or alerts triggered by Office 365 Cloud App Security policies, or both. For more information about Office 365 Cloud App Security alerts, see [Viewing Cloud App Security alerts](#viewing-cloud-app-security-alerts).
> [!IMPORTANT] > Filtering and sorting by user tags is currently in public preview.
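Review bot: The Tags bullet directly above the changed Source bullet links to "User tags in Office 356 ATP"; "356" should be "365". This change is already updating product names in the same list, so it is a good place to fix it.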
You can use the following filters to view a subset of all the alerts on the **Vi
## Alert aggregation
-When multiple events that match the conditions of an alert policy occur with a short period of time, they are added to an existing alert by a process called *alert aggregation*. When an event triggers an alert, the alert is generated and displayed on the **View alerts** page and a notification is sent. If the same event occurs within the aggregation interval, then Microsoft 365 adds details about the new event to the existing alert instead of triggering a new alert. The goal of alert aggregation is to help reduce alert "fatigue" and let you focus and take action on fewer alerts for the same event.
+When multiple events that match the conditions of an alert policy occur with a short period of time, they are added to an existing alert by a process called *alert aggregation*. When an event triggers an alert, the alert is generated and displayed on the **Alerts** page and a notification is sent. If the same event occurs within the aggregation interval, then Microsoft 365 adds details about the new event to the existing alert instead of triggering a new alert. The goal of alert aggregation is to help reduce alert "fatigue" and let you focus and take action on fewer alerts for the same event.
The length of the aggregation interval depends on your Office 365 or Microsoft 365 subscription.
Keep the following things in mind about alert aggregation:
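Review bot: The rewritten first sentence of this section keeps "occur with a short period of time"; it should read "within a short period of time". The line is being touched anyway for the **Alerts** page rename, so the typo can be fixed in the same edit.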
## RBAC permissions required to view alerts
-The Role Based Access Control (RBAC) permissions assigned to users in your organization determine which alerts a user can see on the **View alerts** page. How is this accomplished? The management roles assigned to users (based on their membership in role groups in the Security & Compliance Center) determine which alert categories a user can see on the **View alerts** page. Here are some examples:
+The Role Based Access Control (RBAC) permissions assigned to users in your organization determine which alerts a user can see on the **Alerts** page. How is this accomplished? The management roles assigned to users (based on their membership in role groups in the Microsoft 365 compliance center) determine which alert categories a user can see on the **Alerts** page. Here are some examples:
- Members of the Records Management role group can view only the alerts that are generated by alert policies that are assigned the **Information governance** category.
The Role Based Access Control (RBAC) permissions assigned to users in your organ
This design (based on RBAC permissions) lets you determine which alerts can be viewed (and managed) by users in specific job roles in your organization.
-The following table lists the roles that are required to view alerts from the six different alert categories. The first column in the tables lists all roles in the Security & Compliance Center. A check mark indicates that a user who is assigned that role can view alerts from the corresponding alert category listed in the top row.
+The following table lists the roles that are required to view alerts from the six different alert categories. The first column in the tables lists all roles in the Microsoft 365 compliance center. A check mark indicates that a user who is assigned that role can view alerts from the corresponding alert category listed in the top row.
To see which category a default alert policy is assigned to, see the table in [Default alert policies](#default-alert-policies).
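Review bot: In the replaced paragraph, "The first column in the tables lists all roles" follows "The following table lists", so "tables" should be singular. The sentence is otherwise unchanged apart from the portal name, so this is a one-word fix.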
To see which category a default alert policy is assigned to, see the table in [D
> ```powershell > $RoleGroups | foreach {Write-Output -InputObject `r`n,$_.Name,"--"; Get-RoleGroup $_.Identity | Select-Object -ExpandProperty Roles} > ```
->
-> You can also view the roles assigned to a role group in the Security & Compliance Center. Go to the **Permissions** page, and select a role group. The assigned roles are listed on the flyout page.
+>
+> You can also view the roles assigned to a role group in the Microsoft 365 compliance center. Go to the **Permissions** page, and select a role group. The assigned roles are listed on the flyout page.
## Managing alerts
-After alerts have been generated and displayed on the **View alerts** page in the security and compliance center, you can triage, investigate, and resolve them. Here are some tasks you can perform to manage alerts.
+After alerts have been generated and displayed on the **Alerts** page in the compliance center, you can triage, investigate, and resolve them. Here are some tasks you can perform to manage alerts.
- **Assign a status to alerts.** You can assign one of the following statuses to alerts: **Active** (the default value), **Investigating**, **Resolved**, or **Dismissed**. Then, you can filter on this setting to display alerts with the same status setting. This status setting can help track the process of managing alerts.
After alerts have been generated and displayed on the **View alerts** page in th
- The user (or list of users) who triggered the alert. This is included only for alert policies that are set up to track a single user or a single activity.
- - The number of times the activity tracked by the alert was performed. This number may not match that actual number of related alerts listed on the View alerts page because more alerts may have been triggered.
+ - The number of times the activity tracked by the alert was performed. This number may not match that actual number of related alerts listed on the Alerts page because more alerts may have been triggered.
- A link to an activity list that includes an item for each activity that was performed that triggered the alert. Each entry in this list identifies when the activity occurred, the name of the actual operation (such as "FileDeleted"), the user who performed the activity, the object (such as a file, an eDiscovery case, or a mailbox) that the activity was performed on, and the IP address of the user's computer. For malware-related alerts, this links to a message list.
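Review bot: The updated bullet carries over "may not match that actual number of related alerts"; "that" should be "the". The page name is also left unformatted here ("the Alerts page"), while every other added line in this change writes it as **Alerts**.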
After alerts have been generated and displayed on the **View alerts** page in th
- **Suppress email notifications.** You can turn off (or suppress) email notifications from the flyout page for an alert. When you suppress email notifications, Microsoft won't send notifications when activities or events that match the conditions of the alert policy occur. But alerts will be triggered when activities performed by users match the conditions of the alert policy. You can also turn off email notifications by editing the alert policy. -- **Resolve alerts.** You can mark an alert as resolved on the flyout page for an alert (which sets the status of the alert to **Resolved**). Unless you change the filter, resolved alerts aren't displayed on the **View alerts** page.
+- **Resolve alerts.** You can mark an alert as resolved on the flyout page for an alert (which sets the status of the alert to **Resolved**). Unless you change the filter, resolved alerts aren't displayed on the **Alerts** page.
## Viewing Cloud App Security alerts
-Alerts that are triggered by Office 365 Cloud App Security policies are now displayed on the **View alerts** page in the security and compliance center. This includes alerts that are triggered by activity policies and alerts that are triggered by anomaly detection policies in Office 365 Cloud App Security. This means you can view all alerts in the security and compliance center. Office 365 Cloud App Security is only available for organizations with an Office 365 Enterprise E5 or Office 365 US Government G5 subscription. For more information, see [Overview of Cloud App Security](/cloud-app-security/what-is-cloud-app-security).
+Alerts that are triggered by Office 365 Cloud App Security policies are now displayed on the **Alerts** page in the compliance center. This includes alerts that are triggered by activity policies and alerts that are triggered by anomaly detection policies in Office 365 Cloud App Security. This means you can view all alerts in the compliance center. Office 365 Cloud App Security is only available for organizations with an Office 365 Enterprise E5 or Office 365 US Government G5 subscription. For more information, see [Overview of Cloud App Security](/cloud-app-security/what-is-cloud-app-security).
-Organizations that have Microsoft Cloud App Security as part of an Enterprise Mobility + Security E5 subscription or as a standalone service can also view Cloud App Security alerts that are related to Office 365 apps and services in the Security & Compliance Center.
+Organizations that have Microsoft Cloud App Security as part of an Enterprise Mobility + Security E5 subscription or as a standalone service can also view Cloud App Security alerts that are related to Microsoft 365 apps and services in the Microsoft 365 compliance center.
-To display only Cloud App Security alerts in the security and compliance center, use the **Source** filter and select **Cloud App Security**.
+To display only Cloud App Security alerts in the compliance center, use the **Source** filter and select **Cloud App Security**.
![Use the Source filter to display only Cloud App Security alerts](../media/FilterCASAlerts.png)
-Similar to an alert triggered by an alert policy in the security and compliance center, you can select a Cloud App Security alert to display a flyout page with details about the alert. The alert includes a link to view the details and manage the alert in the Cloud App Security portal and a link to the corresponding Cloud App Security policy that triggered the alert. See [Monitor alerts in Cloud App Security](/cloud-app-security/monitor-alerts).
+Similar to an alert triggered by an alert policy in the compliance center, you can select a Cloud App Security alert to display a flyout page with details about the alert. The alert includes a link to view the details and manage the alert in the Cloud App Security portal and a link to the corresponding Cloud App Security policy that triggered the alert. See [Monitor alerts in Cloud App Security](/cloud-app-security/monitor-alerts).
![Alert details contain links to the Cloud App Security portal](../media/CASAlertDetail.png) > [!IMPORTANT]
-> Changing the status of a Cloud App Security alert in the security and compliance center won't update the resolution status for the same alert in the Cloud App Security portal. For example, if you mark the status of the alert as **Resolved** in the security and compliance center, the status of the alert in the Cloud App Security portal is unchanged. To resolve or dismiss a Cloud App Security alert, manage the alert in the Cloud App Security portal.
+> Changing the status of a Cloud App Security alert in the compliance center won't update the resolution status for the same alert in the Cloud App Security portal. For example, if you mark the status of the alert as **Resolved** in the compliance center, the status of the alert in the Cloud App Security portal is unchanged. To resolve or dismiss a Cloud App Security alert, manage the alert in the Cloud App Security portal.
compliance Archive Ciscojabberonoracle Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ciscojabberonoracle-data.md
description: "Learn how to set up and use a connector in the Microsoft 365 compliance center to import and archive data from Cisco Jabber on Oracle to Microsoft 365."
-# Set up a connector to archive Cisco Jabber on Oracle data (preview)
+# Set up a connector to archive Cisco Jabber on Oracle data
Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Cisco Jabber on Oracle platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Cisco Jabber on Oracle](https://www.veritas.com/insights/merge1/jabber) connector that is configured to capture items from the third-party data source (on a regular basis) and import those items to Microsoft 365. The connector converts the content such as files and file operations, comments, and shared content from Cisco Jabber on Oracle to an email message format and then imports those items to the user's mailbox in Microsoft 365.
After you create the Cisco Jabber on Oracle connector, you can view the connecto
## Known issues -- At this time, we don't support importing attachments or items larger than 10 MB but support for larger items will be available at a later date.
+- At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
compliance Archive Ciscojabberonpostgresql Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ciscojabberonpostgresql-data.md
description: "Learn how to set up and use a connector in the Microsoft 365 compliance center to import and archive data from Cisco Jabber on PostgreSQL to Microsoft 365."
-# Set up a connector to archive Cisco Jabber on PostgreSQL data (preview)
+# Set up a connector to archive Cisco Jabber on PostgreSQL data
Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Cisco Jabber platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Cisco Jabber on PostgreSQL](https://www.veritas.com/insights/merge1/jabber) connector that is configured to capture items from the third-party data source (on a regular basis) and import those items to Microsoft 365. The connector converts the content such as messages, chats, and shared content from Cisco Jabber on PostgreSQL to an email message format and then imports those items to the user's mailbox in Microsoft 365.
After you create the Cisco Jabber on PostgreSQL connector, you can view the conn
## Known issues -- At this time, we don't support importing attachments or items larger than 10 MB but support for larger items will be available at a later date.
+- At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
compliance Archive Signal Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-signal-archiver-data.md
+
+ Title: "Set up a connector to archive Signal communications data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Admins can set up a TeleMessage connector to import and archive Signal communications data in Microsoft 365. This lets you archive data from third-party data sources in Microsoft 365 so you can use compliance features such as legal hold, content search, and retention policies to manage your organization's third-party data."
++
+# Set up a connector to archive Signal communications data (preview)
+
+Use the TeleMessage connector in the Microsoft 365 compliance center to import and archive Signal chats, attachments, files, and deleted messages and calls. After you set up and configure a connector, it connects to your organization's TeleMessage account, and imports the mobile communication of employees using the TeleMessage Signal Archiver to mailboxes in Microsoft 365.
+
+After Signal Archiver connector data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, Content search, and Microsoft 365 retention policies to Signal communications data. For example, you can search Signal communication using Content search or associate the mailbox that contains the Signal Archiver connector data with a custodian in an Advanced eDiscovery case. Using a Signal Archiver connector to import and archive data in Microsoft 365 can help your organization stay compliant with corporate governance regulations and regulatory policies.
+
+## Overview of archiving Signal communications data
+
+The following overview explains the process of using a connector to archive  Signal communication data in Microsoft 365.
+
+![Signal communications archiving workflow](../media/SignalConnectorWorkflow.png)
+
+1. Your organization works with TeleMessage to set up a Signal Archiver connector. For more information, see [Activating the TeleMessage Signal Archiver for Microsoft 365](https://www.telemessage.com/microsoft-365-activation-for-signal-archiver/).
+
+2. In real time, your organization's Signal data is copied to the TeleMessage site.
+
+3. The Signal Archiver connector that you create in the Microsoft 365 compliance center connects to the TeleMessage site every day and transfers the email messages from the previous 24 hours to a secure Azure Storage area in the Microsoft Cloud.
+
+4. The connector imports the mobile communication items to the mailbox of a specific user. A new folder named Signal Archiver will be created in the specific user's mailbox and the items will be imported to it. The connector does the mapping by using the value of the *User's Email address* property. Every email message contains this property, which is populated with the email address of every participant of the email message.
+
+> In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the User ΓÇÿs email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
+
+## Before you set up a connector
+
+- Order the [Signal Archiver service from TeleMessage](https://www.telemessage.com/mobile-archiver/order-mobile-archiver-for-o365/) and get a valid administration account for your organization. You'll need to sign into this account when you create the connector in the compliance center.
+
+- Register all users that require Signal archiving in the TeleMessage account. When registering users, be sure to use the same email address that's used for their Microsoft 365 account.
+
+- Install the Signal Archiver app on the mobile phones of your employees and activate it. The Signal Archiver app allows them to communicate and chat with other Signal users.
+
+- The user who creates a Signal Archiver connector in Step 3 must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Create a Signal Archiver connector
+
+After you've completed the prerequisites described in the previous section, you can create the Signal Archiver connector in the Microsoft 365 compliance center. The connector uses the information you provide to connect to the TeleMessage site and transfers Signal communications data to the corresponding user mailbox boxes in Microsoft 365.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Signal Archiver**.
+
+2. On the **Signal Archiver** product description page, click **Add connector.**
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. On the **Login to TeleMessage** page, under Step 3, enter the required information in the following boxes and then click **Next**.
+
+ - **Username:** Your TeleMessage username.
+
+ - **Password:** Your TeleMessage password.
+
+5. After the connector is created, you can close the pop-up window and go to the next page.
+
+6. On the **User mapping** page, enable automatic user mapping. To enable custom mapping, upload a CSV file that contains the user mapping information, and then click **Next**.
+
+7. Review your settings, and then click **Finish** to create the connector.
+
+8. Go to the Connectors tab in **Data connectors** page to see the progress of the import process for the new connector.
+
+## Known issues
+
+- At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
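Review bot: The prerequisite bullet that refers to the user "who creates a Signal Archiver connector in Step 3" and procedure step 4 ("under Step 3") both point to a Step 3 that this article does not have; its sections are "Before you set up a connector" and "Create a Signal Archiver connector", with no numbered Step headings. Reword both to name the section or the wizard page instead. In the same prerequisite bullet, adding the Mailbox Import Export role to Organization Management grants it to every member of that group; consider presenting the dedicated role group option first so that only the admins who create connectors hold the role. Smaller items: "user mailbox boxes" in the section intro should be "user mailboxes", and the custom mapping note writes the property name three different ways, so pick one form and italicize it consistently.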
compliance Archive Skypeforbusiness Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-skypeforbusiness-data.md
+
+ Title: "Set up a connector to archive Skype for Business data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a connector in the Microsoft 365 compliance center to import and archive data from Skype for Business to Microsoft 365."
++
+# Set up a connector to archive Skype for Business data (preview)
+
+Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Skype for Business platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Skype for Business](https://www.veritas.com/en/au/insights/merge1/skype-for-business) connector that is configured to capture items from the third-party data source (on a regular basis) and import those items to Microsoft 365. The connector converts the content such as messages between users, persistent chats, and conference messages from Skype for Business to an email message format and then imports those items to the userΓÇÖs mailbox in Microsoft 365.
+
+After Skype for Business data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels. Using a Skype for Business connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Skype for Business data
+
+The following overview explains the process of using a connector to archive the Skype for Business data in Microsoft 365.
+
+![Archiving workflow for Skype for Business data](../media/SkypeforBusinessConnectorWorkflow.png)
+
+1. Your organization works with Skype for Business to set up and configure a Skype for Business site.
+
+2. Once every 24 hours, Skype for Business items are copied to the Veritas Merge1 site. The connector also converts Skype for Business items to an email message format.
+
+3. The Skype for Business connector that you create in the Microsoft 365 compliance center, connects to the Veritas Merge1 site every day, and transfers the Skype for Business content to a secure Azure Storage location in the Microsoft cloud.
+
+4. The connector imports the converted items to the mailboxes of specific users using the value of the *Email* property of the automatic user mapping as described in [Step 3](#step-3-map-users-and-complete-the-connector-setup). A subfolder in the Inbox folder named **Skype for Business** is created in the user mailboxes, and items are imported to that folder. The connector does this by using the value of the *Email* property. Every Skype for Business item contains this property, which is populated with the email address of every participant of the item.
+
+## Before you set up a connector
+
+- Create a Merge1 account for Microsoft connectors. To do this, contact [Veritas Customer Support](https://www.veritas.com/form/requestacall/ms-connectors-contact.html). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Skype for Business connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up the Skype for Business connector
+
+The first step is to access to the **Data Connectors** page in the Microsoft 365 compliance center and create a connector for Skype for Business data.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** > **Skype for Business**.
+
+2. On the **Skype for Business** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector, and then click **Next**.
+
+5. Sign in to your Merge1 account to configure the connector.
+
+## Step 2: Configure the Skype for Business on the Veritas Merge1 site
+
+The second step is to configure the Skype for Business connector on the Veritas Merge1 site. For information about how to configure the Skype for Business connector, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20Skype%20for%20Business%20%20User%20Guide.pdf).
+
+After you click **Save & Finish**, the **User mapping** page in the connector wizard in the Microsoft 365 compliance center is displayed.
+
+## Step 3: Map users and complete the connector setup
+
+To map users and complete the connector setup in the Microsoft 365 compliance center, follow these steps:
+
+1. On the **Map Skype for Business users to Microsoft 365 users** page, enable automatic user mapping. The Skype for Business items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that userΓÇÖs mailbox.
+
+2. Click **Next**, review your settings, and then go to the **Data connectors** page to see the progress of the import process for the new connector.
+
+## Step 4: Monitor the Skype for Business connector
+
+After you create the Skype for Business connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com/> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the **Skype for Business** connector to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+- At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
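Review bot: Item 4 of the overview states the *Email* property mapping twice: the first sentence says items are imported "using the value of the *Email* property of the automatic user mapping", and the third says "The connector does this by using the value of the *Email* property". Keep one. The Step 2 heading "Configure the Skype for Business on the Veritas Merge1 site" is missing the word "connector", and "access to the **Data Connectors** page" in Step 1 should be "access the". The Veritas link in the intro uses a locale-specific path (/en/au/), while the other Veritas connector links in this commit are locale-neutral. In the monitoring section, "This log contains data that has been imported to the Microsoft cloud" leaves unclear whether the download holds status entries or imported message content, which affects how admins should store and share it; state which.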
compliance Archive Telegram Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-telegram-archiver-data.md
+
+ Title: "Set up a connector to archive Telegram communications data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Admins can set up a TeleMessage connector to import and archive Telegram communications data in Microsoft 365. This lets you archive data from third-party data sources in Microsoft 365 so you can use compliance features such as legal hold, content search, and retention policies to manage your organization's third-party data."
++
+# Set up a connector to archive Telegram communications data (preview)
+
+Use the TeleMessage connector in the Microsoft 365 compliance center to import and archive Telegram chats, attachments, files, and deleted messages and calls. After you set up and configure a connector, it connects to your organization's TeleMessage account, and imports the mobile communication of employees using the Telegram Archiver to mailboxes in Microsoft 365.
+
+After Telegram Archiver connector data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, Content search, and Microsoft 365 retention policies to Telegram communication data. For example, you can search Telegram communication using Content Search or associate the mailbox that contains the Telegram Archiver connector data with a custodian in an Advanced eDiscovery case. Using a Telegram Archiver connector to import and archive data in Microsoft 365 can help your organization stay compliant with corporate governance regulations and regulatory policies.
+
+## Overview of archiving Telegram communications data
+
+The following overview explains the process of using a connector to archive  Telegram communications data in Microsoft 365.
+
+![Telegram communications archiving workflow](../media/TelegramConnectorWorkflow.png)
+
+1. Your organization works with TeleMessage to set up a Telegram Archiver connector. For more information, see [Activating the TeleMessage Telegram Archiver for Microsoft 365](https://www.telemessage.com/microsoft-365-activation-for-telegram-archiver/).
+
+2. In real time, your organization's Telegram data is copied to the TeleMessage site.
+
+3. The Telegram Archiver connector that you create in the Microsoft 365 compliance center connects to the TeleMessage site every day and transfers the email messages from the previous 24 hours to a secure Azure Storage area in the Microsoft Cloud.
+
+4. The connector imports the mobile communication items to the mailbox of a specific user. A new folder named Telegram Archiver will be created in the specific user's mailbox and the items will be imported to it. The connector does this mapping by using the value of the *User's Email address* property. Every email message contains this property, which is populated with the email address of every participant of the email message.
+
+> In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the User ΓÇÿs email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
+
+## Before you set up a connector
+
+- Order the [Telegram archiving service from TeleMessage](https://www.telemessage.com/mobile-archiver/order-mobile-archiver-for-o365/) and get a valid administration account for your organization. You'll need to sign into this account when you create the connector in the compliance center.
+
+- Register all users that require Telegram archiving in the TeleMessage account. When registering users, be sure to use the same email address that's used for their Microsoft 365 account.
+
+- Install the Telegram Archiver app on the mobile phones of your employees and activate it. The Telegram Archiver app allows them to communicate and chat with other Telegram users.
+
+- The user who creates a Telegram Archiver connector in Step 3 must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Create a Telegram Archiver connector
+
+After you've completed the prerequisites described in the previous section, you can create the Telegram Archiver connector in the Microsoft 365 compliance center. The connector uses the information you provide to connect to the TeleMessage site and transfers Telegram communications data to the corresponding user mailbox boxes in Microsoft 365.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > T**elegram Archiver**.
+
+2. On the **Telegram Archiver** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. On the **Login to TeleMessage** page, under Step 3, enter the required information in the following boxes and then click **Next**.
+
+ - **Username:** Your TeleMessage username.
+
+ - **Password:** Your TeleMessage password.
+
+5. After the connector is created, you can close the pop-up window and go to the next page.
+
+6. On the **User mapping** page, enable automatic user mapping. To enable custom mapping, upload a CSV file that contains the user mapping information, and then click **Next**.
+
+7. Review your settings, and then click **Finish** to create the connector.
+
+8. Go to the Connectors tab in **Data connectors** page to see the progress of the import process for the new connector.
+
+## Known issues
+
+- At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
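Review bot: In "Before you set up a connector", the Mailbox Import Export bullet offers adding the role to the Organization Management role group first and the dedicated role group second. I'd lead with the dedicated role group so the role goes only to the admins who create connectors. The same bullet refers to "Step 3", and step 4 of the procedure says "under Step 3", but this article has no numbered step headings, so both references dangle. Smaller points: `T**elegram Archiver**` in step 1 has the bold markers misplaced, "user mailbox boxes" should be "user mailboxes", "Content search" and "Content Search" are both used in the second paragraph, and the overview calls the imported items "email messages" although they are Telegram items. The custom mapping note says the CSV contains the user's mobile number and mailbox address, but gives no column layout, which step 6 needs.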
compliance Archive Wechat Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-wechat-data.md
description: "Set up and use a connector in the Microsoft 365 compliance center to import and archive WeChat data in Microsoft 365."
-# Set up a connector to archive WeChat data (preview)
+# Set up a connector to archive WeChat data
Use the TeleMessage connector in the Microsoft 365 compliance center to import and archive WeChat and WeCom calls, chats, attachments, files, and recalled messages. After you set up and configure a connector, it connects to your organization's TeleMessage account, and imports the mobile communication of employees using the TeleMessage WeChat Archiver to mailboxes in Microsoft 365.
compliance Archive Whatsapp Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-whatsapp-data.md
description: "Admins can set up a TeleMessage connector to import and archive Wh
Use the TeleMessage connector in the Microsoft 365 compliance center to import and archive WhatsApp calls, chats, attachments, files, and deleted messages. After you set up and configure a connector, it connects to your organization's TeleMessage account once every day, and imports the mobile communication of employees using the TeleMessage WhatsApp Phone Archiver or TeleMessage WhatsApp Cloud Archiver to mailboxes in Microsoft 365.
-After WhatsApp data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, Content Search, and Microsoft 365 retention policies to WhatsApp data. For example, you can search WhatsApp messages using Content Search or associate the mailbox that contains WhatsApp messages with a custodian in an Advanced eDiscovery case. Using a WhatsApp connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+After WhatsApp data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, Content search, and Microsoft 365 retention policies to WhatsApp data. For example, you can search WhatsApp messages using Content search or associate the mailbox that contains WhatsApp messages with a custodian in an Advanced eDiscovery case. Using a WhatsApp connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
## Overview of archiving WhatsApp data
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
The following table lists the third-party data connectors available in the Micro
|[Reuters FX <sup>2</sup>](archive-reutersfx-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Salesforce Chatter <sup>2</sup>](archive-salesforcechatter-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||| |[ServiceNow <sup>2</sup>](archive-servicenow-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[Signal <sup>1</sup>](archive-signal-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Skype for Business <sup>2</sup>](archive-skypeforbusiness-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[Slack eDiscovery <sup>2</sup>](archive-slack-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Symphony <sup>2</sup>](archive-symphony-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Telegram <sup>1</sup>](archive-telegram-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[TELUS Network <sup>1</sup>](archive-telus-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Text-delimited <sup>2</sup>](archive-text-delimited-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||| |[Twitter](archive-twitter-data-with-sample-connector.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
It's possible that a retention policy that's applied to Microsoft 365 groups, Sh
### Retention policy for Yammer locations > [!NOTE]
-> Retention policies for Yammer are rolling out in preview. If you don't yet see the new locations for Yammer, try again in a few weeks.
+> Retention policies for Yammer are in preview.
> > To use this feature, your Yammer network must be [Native Mode](/yammer/configure-your-yammer-network/overview-native-mode), not Hybrid Mode.
It's possible that a retention policy that's applied to Microsoft 365 groups, Sh
3. For **Decide if you want to retain content, delete it, or both** page of the wizard, specify the configuration options for retaining and deleting content. You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see [Settings for retaining and deleting content](#settings-for-retaining-and-deleting-content) on this page.
-
- Do not select **Use advanced retention settings** because this option isn't supported for Yammer locations.
4. For the **Choose locations** page, select **Let me choose specific locations**. Then toggle on one or both of the locations for Yammer: **Yammer community message** and **Yammer user messages**.
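Review bot: In step 3, dropping the "Do not select **Use advanced retention settings**" caution leaves the step silent on whether that option now works for Yammer locations. If support was added, a short sentence saying so would help readers who followed the earlier guidance; if it was not, the caution should stay.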
compliance Get Started With Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
All scenarios require you to [Create and configure sensitivity labels and their
|Discover, label, and protect files stored in data stores that are on premises |[Deploying the Azure Information Protection scanner to automatically classify and protect files](/azure/information-protection/deploy-aip-scanner)| |Discover, label, and protect files stored in data stores that are in the cloud|[Discover, classify, label, and protect regulated and sensitive data stored in the cloud](/cloud-app-security/best-practices#discover-classify-label-and-protect-regulated-and-sensitive-data-stored-in-the-cloud)| |Apply and view labels in Power BI, and protect data when it's saved outside the service|[Sensitivity labels in Power BI](/power-bi/admin/service-security-sensitivity-label-overview)|
-|Monitor and understand how sensitivity labels are being used in my organization|[Know your data - data classification overview](data-classification-overview.md) <br /><br /> [Get started with data classification](data-classification-overview.md)|
+|Monitor and understand how sensitivity labels are being used in my organization|[Learn about data classification](data-classification-overview.md)|
|Extend sensitivity labels to third-party apps and services|[Microsoft Information Protection SDK](/information-protection/develop/overview#microsoft-information-protection-sdk)| |Extend sensitivity labels across content in Azure Blob Storage, Azure files, Azure Data Lake Storage Gen1, and Azure Data Lake Storage Gen12|[Automatically label your content in Azure Purview](/azure/purview/create-sensitivity-label) |
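Review bot: The last context row still reads "Azure Data Lake Storage Gen1, and Azure Data Lake Storage Gen12"; "Gen12" looks like a typo for Gen2 and could be fixed in the same change that cleans up the duplicate data classification links.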
compliance Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-protection.md
To help prevent accidental oversharing of sensitive information, use the followi
|:|:|:| |[Data loss prevention](dlp-learn-about-dlp.md)| Helps prevent unintentional sharing of sensitive items. | [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)| |[Endpoint data loss prevention](endpoint-dlp-learn-about.md)| Extends DLP capabilities to items that are used and shared on Windows 10 computers. | [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)|
-|[Microsoft Compliance Extension (preview)](dlp-chrome-learn-about.md) | Extends DLP capabilities to the Chrome browser | [Get started with the Microsoft Compliance Extension (preview)](dlp-chrome-get-started.md)|
+|[Microsoft Compliance Extension](dlp-chrome-learn-about.md) | Extends DLP capabilities to the Chrome browser | [Get started with the Microsoft Compliance Extension](dlp-chrome-get-started.md)|
|[Microsoft 365 data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-learn.md)|Extends DLP monitoring of file activities and protective actions for those files to on-premises file shares and SharePoint folders and document libraries.|[Get started with Microsoft 365 data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-get-started.md)| |[Protect sensitive information in Microsoft Teams chat and channel messages](dlp-microsoft-teams.md) | Extends some DLP functionality to Teams chat and channel messages | [Learn about the default data loss prevention policy in Microsoft Teams (preview)](dlp-teams-default-policy.md)|
compliance Legacy Ediscovery Retirement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/legacy-ediscovery-retirement.md
description: "In-Place eDiscovery and In-Place Hold (and the corresponding Power
# Retirement of legacy eDiscovery tools > [!IMPORTANT]
-> Microsoft has been evaluating the public health situation, and we understand the impact this is having on our customers. We want to be strong partners and responsible global citizens. To ease one of the many burdens you are facing, we are going to delay the scheduled retirement for the legacy eDiscovery tools described in this article by three months. **The updated retirement dates are reflected below.**
+> The functionality of the legacy eDiscovery tools described in this article has either been removed from the Microsoft 365 service or is still available, but no longer supported. Any functionality that's still available may be removed without notice. If you're still using any of these legacy tools, consider migrating to the eDiscovery tools in the Microsoft 365 compliance center or one of the alternatives described in this article.
Over the years, Microsoft has provided eDiscovery tools that let you search, preview, and export email content from Exchange Online. However, these tools no longer offer an effective way to search for non-Exchange content in other Microsoft 365 services, such as SharePoint Online and Microsoft 365 Groups. To address this, Microsoft offers other eDiscovery tools that help you search for a wide variety of Microsoft 365 content. And we've been working hard to incorporate the most current and powerful eDiscovery functionality in the [Microsoft 365 compliance center](https://compliance.microsoft.com). This allows organizations to respond to legal, internal, and other document requests for content across many Microsoft 365 services, including Exchange Online.
The following table describes other tools that you can use to replace the existi
<tr class=even> <td>Copy messages from one mailbox to a different mailbox</td> <td><a href="/exchange/recipients-in-exchange-online/manage-permissions-for-recipients">Assign permissions to a mailbox</a></td>
- <td>To give a person access to another user's email (such as when an employee leaves your organization and you need to give another person access to the former employee's email), we recommended that you assign that person permissions to access the former employee's mailbox. So instead of copying mailbox items to another user mailbox or a shared mailbox, just assign a user permissions to access the source mailbox.</td>
+ <td>To give a person access to another user's email (such as when an employee leaves your organization and you need to give another person access to the former employee's email), we recommended that you assign that person permissions to access the former employee's mailbox. So instead of copying mailbox items to another user mailbox or a shared mailbox, just assign a user the permissions necessary to access the source mailbox.</td>
</tr> <tr class="odd">
The following table describes other tools that you can use to replace the existi
</tr> <tr class="even"> <td>Delete bulk email from a mailbox</td>
-<td><p><a href="/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes?view=o365-worldwide"><span class="underline">Set up an archive and deletion policy for mailboxes</span></a></p>
+<td><p><a href="/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes"><span class="underline">Set up an archive and deletion policy for mailboxes</span></a></p>
<p></p></td> <td><p>Admins can create an archiving and deletion policy that automatically moves items to a user's archive mailbox and automatically deletes items from the mailbox.</p> </td>
The following table describes other tools that you can use to replace the existi
<tr class=odd> <td>Copy messages from one mailbox to a different mailbox</td> <td><a href="/exchange/recipients-in-exchange-online/manage-permissions-for-recipients">Assign permissions to a mailbox</a></td>
- <td>To give a person access to another user's email (such as when an employee leaves your organization and you need to give another person access to the former employee's email), we recommended that you assign that person permissions to access the former employee's mailbox. So instead of copying mailbox items to another user mailbox or a shared mailbox, just assign a user permissions to access the source mailbox.</td>
+ <td>To give a person access to another user's email (such as when an employee leaves your organization and you need to give another person access to the former employee's email), we recommended that you assign that person permissions to access the former employee's mailbox. So instead of copying mailbox items to another user mailbox or a shared mailbox, just assign a user permission to access the source mailbox.</td>
</tr> <tr class=even> <td>Purge messages from a mailbox</td>
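Review bot: The reworded last sentence in this row ends "just assign a user permission to access the source mailbox", while the identical row in the earlier table was changed to "just assign a user the permissions necessary to access the source mailbox". Use one wording in both tables. Both added lines also keep "we recommended that you assign", which should be "we recommend that you assign".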
The following table describes other tools that you can use to replace the existi
<tr class="odd"> <td>Purge messages from a mailbox</td> <td><a href="/exchange/recipients-in-exchange-online/manage-permissions-for-recipients">Assign permissions to a mailbox</a></td>
-<td>To purge messages from a mailbox, assign an administrator permissions to access the employee's mailbox. Messages can be deleted and recycled as needed taking advantage of the built in search and viewing capabilities in Outlook.</td>
+<td>To purge messages from a mailbox, assign an administrator permissions to access the employee's mailbox. Messages can be deleted and recycled as needed taking advantage of the built-in search and viewing capabilities in Outlook.</td>
</tr> </tbody> </table>
To access Advanced eDiscovery v2.0:
2. In the left navigation pane of the Microsoft 365 compliance center, click **Show all**, and then click **eDiscovery > Advanced**.
-At this time, we recommend that you begin to transition your eDiscovery workflow to the new Advanced eDiscovery functionality. If required, you can archive your Advanced eDiscovery 1.0 cases by exporting the content and storing it offline. Although you'll still be able to access Advanced eDiscovery v1.0 in existing cases until December 31, 2020, Microsoft Support won't provide support after October 1, 2020. See the following timeline for more details.
+At this time, we recommend that you begin to transition your eDiscovery workflow to the new Advanced eDiscovery functionality. If necessary, you can archive your Advanced eDiscovery 1.0 cases by exporting the content and storing it offline. Although you'll still be able to access Advanced eDiscovery v1.0 in existing cases until December 31, 2020, Microsoft Support won't provide support after October 1, 2020. See the following timeline for more details.
### Scope of affected organizations
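Review bot: The added paragraph keeps "you'll still be able to access Advanced eDiscovery v1.0 in existing cases until December 31, 2020" and "won't provide support after October 1, 2020" in the future tense, and still opens with "At this time, we recommend that you begin to transition". This update is dated 06/22/2021, and the new IMPORTANT note at the top of the article says the legacy functionality has been removed or is unsupported, so the paragraph should be rewritten in the past tense or aligned with that note instead of only swapping "If required" for "If necessary".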
compliance Retention Policies Yammer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-yammer.md
description: "Learn about retention policies that apply to Yammer."
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).* > [!NOTE]
-> This feature is in preview and not yet available for all customers.
+> This feature is in preview and subject to change.
The information in this article supplements [Learn about retention](retention.md) because it has information that's specific to Yammer.
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
When retention labels mark items as a record or a regulatory record, these label
#### Monitoring retention labels
-From the Microsoft 365 compliance center, use **Data classification** > **Overview** to monitor how your retention labels are being used in your tenant, and identify where your labeled items are located. For more information, including important prerequisites, see [Know your data - data classification overview](data-classification-overview.md).
+From the Microsoft 365 compliance center, select **Data classification** and the **Overview** page to monitor how your retention labels are being used in your tenant, and identify where your labeled items are located. For more information, including important prerequisites, see [Learn about data classification](data-classification-overview.md).
You can then drill down into details by using [content explorer](data-classification-content-explorer.md) and [activity explorer](data-classification-activity-explorer.md). > [!TIP] >Consider using some of the other data classification insights, such as trainable classifiers and sensitive info types, to help you identify content that you might need to retain or delete, or manage as records.
-The Office 365 Security & Compliance Center has the equivalent overview information for retention labels from **Information governance** > **Dashboard**, and more detailed information from **Information governance** > **Label activity explorer**. For more information about monitoring retention labels from this older admin center, see the following documentation:
-- [View the data governance reports](view-the-data-governance-reports.md)-- [Get started with data classification](data-classification-overview.md).-- [View label activity for documents](view-label-activity-for-documents.md)- #### Using Content Search to find all content with a specific retention label After retention labels are applied to content, either by users or auto-applied, you can use content search to find all items that have a specific retention label applied.
compliance Sensitivity Labels Sharepoint Onedrive Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and vers
- If an admin changes settings for a published label that's already applied to files downloaded to users' sync client, users might be unable to save changes they make to the file in their OneDrive Sync folder. This scenario applies to files that are labeled with encryption, and also when the label change is from a label that didn't apply encryption to a label that does apply encryption. Users see a [red circle with a white cross icon error](https://support.office.com/article/what-do-the-onedrive-icons-mean-11143026-8000-44f8-aaa9-67c985aa49b3), and they are asked to save new changes as a separate copy. Instead, they can close and reopen the file, or use Office for the web. -- If a labeled document is uploaded to SharePoint or OneDrive and the label applied encryption by using an account from a service principal name, the document can't be opened in Office for the web. Example scenarios include Microsoft Cloud App Security and a file sent to Teams by email.- - Users can experience save problems after going offline or into a sleep mode when instead of using Office for the web, they use the desktop and mobile apps for Word, Excel, or PowerPoint. For these users, when they resume their Office app session and try to save changes, they see an upload failure message with an option to save a copy instead of saving the original file. - Documents that have been encrypted in the following ways can't be opened in Office for the web:
compliance Set Up An Archive And Deletion Policy For Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes.md
In Step 4, you have to assign the new retention policy to existing mailboxes. Bu
|Never Delete <br/> |This tag prevents items from being deleted by a retention policy. <br/> |Built-in <br/> |Personal; this tag can be applied by users. <br/> | |Personal 1 year move to archive <br/> |Moves items to the archive mailbox after 1 year. <br/> |Built-in <br/> |Personal; this tag can be applied by users. <br/> |
- > <sup>\*</sup> Users can use the Recover Deleted Items tool in Outlook and Outlook on the web (formerly known as Outlook Web App) to recover a deleted item within the deleted item retention period, which by default is 14 days in Exchange Online. An administrator can use Windows PowerShell to increase the deleted item retention period to a maximum of 30 days. For more information, see: [Recover deleted items in Outlook for Windows](https://support.office.com/article/49e81f3c-c8f4-4426-a0b9-c0fd751d48ce) and [Change the deleted item retention period for a mailbox in Exchange Online](https://www.microsoft.com/?ref=go)
+ > <sup>\*</sup> Users can use the Recover Deleted Items tool in Outlook and Outlook on the web (formerly known as Outlook Web App) to recover a deleted item within the deleted item retention period, which by default is 14 days in Exchange Online. An administrator can use Windows PowerShell to increase the deleted item retention period to a maximum of 30 days. For more information, see: [Recover deleted items in Outlook for Windows](https://support.office.com/article/49e81f3c-c8f4-4426-a0b9-c0fd751d48ce) and [Change the deleted item retention period for a mailbox in Exchange Online](/exchange/recipients-in-exchange-online/manage-user-mailboxes/change-deleted-item-retention)
-- Using the **Recoverable Items 14 days Move to Archive** retention tag helps free up storage space in the Recoverable Items folder in the user's primary mailbox. This is useful when a user's mailbox is placed on hold, which means nothing is ever permanently deleted the user's mailbox. Without moving items to the archive mailbox, it's possible the storage quota for the Recoverable Items folder in the primary mailbox will be reached. For more information about this and how to avoid it, see [Increase the Recoverable Items quota for mailboxes on hold](./increase-the-recoverable-quota-for-mailboxes-on-hold.md).
+- Using the **Recoverable Items 14 days Move to Archive** retention tag helps free up storage space in the Recoverable Items folder in the user's primary mailbox. This is useful when a user's mailbox is placed on hold, which means nothing is ever permanently deleted the user's mailbox. Without moving items to the archive mailbox, it's possible the storage quota for the Recoverable Items folder in the primary mailbox will be reached. For more information about this and how to avoid it, see [Increase the Recoverable Items quota for mailboxes on hold](./increase-the-recoverable-quota-for-mailboxes-on-hold.md).
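Review bot: The re-added **Recoverable Items 14 days Move to Archive** bullet appears unchanged apart from whitespace and still reads "nothing is ever permanently deleted the user's mailbox"; it is missing "from" before "the user's mailbox". Worth fixing while the line is being touched.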
compliance View Label Activity For Documents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-label-activity-for-documents.md
- Title: "View label activity for documents"-- NOCSH--- Previously updated : 5/9/2018----- M365-security-compliance-- SPO_Content
-localization_priority: Priority
-- MOE150-- MET150-
-description: Learn how to use the Label Activity Explorer in the Microsoft 365 Security & Compliance Center to search and view label activity.
--
-# View label activity for documents
-
-After you create your labels, you'll want to verify that they're being applied to content as you intended. With the Label Activity Explorer in the Security &amp; Compliance Center, you can quickly search and view label activity for all content across SharePoint and OneDrive for Business over the past 30 days. This is real-time data that gives you a clear view into what's happening in your tenant.
-
-For example, with the Label Activity Explorer, you can:
-
-- View how many times each label was applied on each day (up to 30 days).
-
-- See who labeled exactly which file on which date, along with a link to the site where that file resides.
-
-- View which files had labels changed or removed, what the old and new labels are, and who made the change.
-
-- Filter the data to see all the label activity for a specific label, file, or user. You can also filter label activity by location (SharePoint or OneDrive for Business) and whether the label was applied manually or auto-applied.
-
-- View label activity for folders as well as individual documents. Coming soon is the ability to show how many files inside that folder got labeled as a result of the folder getting labeled.
-
-You can find the Label Activity Explorer in the Security &amp; Compliance Center > **Information governance** > **Label activity explorer**.
-
-Note that the Label Activity Explorer requires an Office 365 Enterprise E5 subscription.
-
-![Label Activity Explorer](../media/671ca0cd-1457-40b4-9917-b663360afd95.png)
-
-## View label activities for files or folders
-
-At the top of the Label Activity Explorer, you can choose whether to view activities for files or folders. Note that folder activity includes only the folder itself, not the files inside the folder.
-
-You might want to see label activity for folders because if you label a folder, all files inside that folder also get that label (except for files that have had a label applied explicitly to them). Therefore, labeling folders might affect a significant number of files. For more information, see [Applying a default retention label to all content in a SharePoint library, folder, or document set](create-apply-retention-labels.md#applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set).
-
-![Dropdown menu showing label activities for files and folders](../media/11030584-f52d-49eb-86f3-7ead16a3b704.png)
-
-### Label activities
-
- **Label activities** includes all label actions: **adding**, **removing**, or **changing** a label. You can use this view to get a comprehensive look at how many files each label's been applied to per day.
-
-### Label changes
-
- **Label changes** includes the potentially risky actions of **removing** or **changing** a label. You can use this view to quickly see such risky actions and the user who performed them. In the activity list below the chart, you can select a file, and then click a link to that file in the details pane on the right.
-
-![Details pane for labels activity](../media/eb580fd4-b5be-4fda-9ba5-c1256777310d.png)
-
-## Filter label activity
-
-You can quickly filter the data to see all the label activity for a specific label, file, or user. You can also filter label activity by location (SharePoint or OneDrive for Business) and whether the label was applied manually or auto-applied.
-
-![Filters for label activity](../media/9de92985-120f-48b4-96a7-ef7ec8a71ff0.png)
-
-
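Review bot: Nothing in this removal tells readers where the "Label changes" view went; that section (removing or changing a label, and the user who did it) is the audit-relevant part of the deleted article. Confirm the file gets a redirect entry to the page that now covers label activity, and name the replacement in the commit message so that inbound links and bookmarks do not dead-end.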
compliance View The Data Governance Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-the-data-governance-reports.md
- Title: "View the data governance reports"-- NOCSH--- Previously updated : 6/8/2018---
-localization_priority: Priority
-- MOE150-- MET150
-description: "With the data governance reports in the Security & Compliance Center, you can quickly view whether your labels are being applied to content as you intended."
---
-# View the data governance reports
-
-After you create your labels, you'll want to verify that they're being applied to content as you intended. With the data governance reports in the Security &amp; Compliance Center, you can quickly view:
-
-- **Top 5 labels** This report shows the count of the top 5 labels that have been applied to content. Click this report to view a list of all labels that have been recently applied to content. You can see each label's count, location, how it was applied, its retention actions, whether it's a record, and its disposition type.
-
-- **Manual vs Auto apply** This report shows the count of all content that's been labeled manually or automatically, and the percentage of content that's been labeled manually vs automatically.
-
-- **Records tagging** This report shows the count of all content that's been tagged as a record or non-record, and the percentage of content that's been tagged as a record vs. non-record.
-
-- **Labels trend over the past 90 days** This report shows the count and location of all labels that have been applied in the last 90 days.
-
-All these reports show labeled content from Exchange, SharePoint, and OneDrive for Business.
-
-You can find these reports in the Security &amp; Compliance Center \> **Information governance** \> [**Dashboard**](https://protection.office.com/datamanagement/dashboard).
-
-![Chart showing label trends over past 90 days](../media/0cc06c18-d3b1-4984-8374-47655fb38dd2.png)
-
-You can filter the data governance reports by date (up to 90 days) and location (Exchange, SharePoint, and OneDrive for Business). The most recent data can take up to 24 hours to appear in the reports.
-
-![Filters for data governance reports](../media/77e60284-edf3-42d7-aee7-f72b2568f722.png)
-
-
contentunderstanding Solution Manage Contracts In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-in-microsoft-365.md
Title: "Manage contracts using a Microsoft 365 solution"
+ Title: Manage contracts using a Microsoft 365 solution
search.appverid: localization_priority: None ROBOTS:
-description: "Learn how to manage contracts using a Microsoft 365 solution of SharePoint Syntex, SharePoint Lists, Microsoft Teams, and Power Automate."
+description: Learn how to manage contracts using a Microsoft 365 solution of SharePoint Syntex, SharePoint Lists, Microsoft Teams, and Power Automate.
# Manage contracts using a Microsoft 365 solution
contentunderstanding Solution Manage Contracts Step1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step1.md
Title: "Step 1. Use SharePoint Syntex to identify contract files and extract data"
+ Title: Step 1. Use SharePoint Syntex to identify contract files and extract data
ms.prod: microsoft-365-enterprise
search.appverid: localization_priority: None ROBOTS:
-description: "Learn how to use SharePoint Syntex to identify contract files and extract data by using a Microsoft 365 solution."
+description: Learn how to use SharePoint Syntex to identify contract files and extract data by using a Microsoft 365 solution.
# Step 1. Use SharePoint Syntex to identify contract files and extract data
Your organization needs a way to identify and classify all contract documents fr
![Contracts in document library](../media/content-understanding/doc-lib-solution.png)
-5. If you have retention requirements for your contracts, you can also use your model to [apply a retention label](apply-a-retention-label-to-a-model.md) that will prevent your contracts from being deleted for a specified period of time.
+5. If you have retention or security requirements for your contracts, you can also use your model to apply a [retention label](apply-a-retention-label-to-a-model.md) or a [sensitivity label](apply-a-sensitivity-label-to-a-model.md) that will prevent your contracts from being deleted for a specified period of time or to restrict who can access the contracts.
## Steps to create and train your model
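Review bot: The rewritten step 5 attaches both outcomes to both labels: "apply a retention label or a sensitivity label that will prevent your contracts from being deleted for a specified period of time or to restrict who can access the contracts". A retention label governs deletion and a sensitivity label governs access, so split the clause, for example "apply a retention label to prevent your contracts from being deleted for a specified period of time, or a sensitivity label to restrict who can access them".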
To apply your model to a SharePoint document library:
![Screenshot of the Contract home page showing the Libraries with this model section.](../media/content-understanding/contract-libraries-with-this-model.png)
+7. Under **Settings** > **Library settings**:
+
+ - Add a column named **Status** and select **Choice** as the column type.
+ - Apply the **In review**, **Approved**, and **Rejected** values.
+ After you apply the model to the document library, you can begin uploading documents to the site and see the results. ## Next step
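Review bot: In the added step 7, "Apply the **In review**, **Approved**, and **Rejected** values" does not say that these are the choices of the new **Status** column, or which one is the default for a newly uploaded contract. The Step 2 and Step 3 articles changed further down colour the tile header by status and set the status to **Rejected** from the flow, so the column name and the choice strings have to match exactly. State that here and name the default value.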
contentunderstanding Solution Manage Contracts Step2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step2.md
Title: "Step 2. Use Microsoft Teams to create your contract management channel"
+ Title: Step 2. Use Microsoft Teams to create your contract management channel
ms.prod: microsoft-365-enterprise
search.appverid: localization_priority: None ROBOTS:
-description: "Learn how to use Microsoft Teams to create your contract management channel by using a Microsoft 365 solution."
+description: Learn how to use Microsoft Teams to create your contract management channel by using a Microsoft 365 solution.
# Step 2. Use Microsoft Teams to create your contract management channel
When your organization sets up a contracts management solution, you need a centr
![Posts tab.](../media/content-understanding/posts.png) -- **Have a location for members to see approved contracts to know when they can be submitted for payment.** In Teams, you can create a **For Payment** channel that will list all contracts that will need to be submitted to payment. You can easily extend this solution to instead write this information directly to a third-party financial application (for example, Dynamics CRM).
+- **Have a location for members to see approved contracts to know when they can be submitted for payment.** In SharePoint, you'll need to create a **For Payout** list and include columns for **Client**, **Contractor**, and **Fee amount**, selecting **Single line of text** as the column type. You'll need to add the **For Payout** list as a Teams tab in the Contract Management channel, similar to [what you'll do for the **Contracts** tab](solution-manage-contracts-step2.md#attach-your-sharepoint-document-library-to-the-contracts-tab). The **For Payout** tab will list all contracts that will need to be submitted for payment. You can easily extend this solution to instead write this information directly to a third-party financial application (for example, Dynamics CRM).
+ ## Attach your SharePoint document library to the Contracts tab
After you create a **Contracts** tab in your Contracts Management channel, you n
After you attach the SharePoint document library, you'll be able to view any classified contracts through a default list view.
- ![List view.](../media/content-understanding/list-view.png)
+ ![List view of SharePoint library.](../media/content-understanding/list-view.png)
## Customize your Contracts tab tile view
After you attach the SharePoint document library, you'll be able to view any cla
While Teams lets you view your contracts in a tile view, you might want to customize it to view the contract data you want to make visible in the contract card. For example, for the **Contracts** tab, it is important for members to see the client, contractor, and fee amount on the contract card. All of these fields were extracted from each contract through your SharePoint Syntex model that was applied to your document library. You also want to be able to change the tile header bar to different colors for each status so that members can easily see where the contract is in the approval process. For example, all approved contracts will have a blue header bar.
- ![List view.](../media/content-understanding/tile.png)
+ ![Tile view of SharePoint library.](../media/content-understanding/tile.png)
The custom tile view you use requires you to make changes to the JSON file used to format the current tile view. You can reference the JSON file used to create the card view by looking at the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20assets/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file. In the following sections, you'll see specific sections of the code for features that are in the contract cards. If you want to see or make changes to the JSON code for your view in your Teams channel, in the Teams channel, select the view drop-down menu, and then select **Format current view**.
- ![json format.](../media/content-understanding/jason-format.png)
+ ![Screenshot of json format in Teams channel.](../media/content-understanding/jason-format.png)
## Card size and shape
This section defines how the "Contractor" will display on the card, and uses the
}, ```
-### Fee Amount
+### Fee amount
This section defines how the "Fee Amount" will display on the card, and uses the value for the specific contract.
contentunderstanding Solution Manage Contracts Step3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step3.md
The following code is the JSON used for this step in the Power Automate flow.
```
-## Conditional
+## Conditional context
-In your flow, next you need to create a condition in which your contract will be either approved or rejected.
+In your flow, next you need to create a condition in which your contract will be either [approved](#if-the-contract-is-approved) or [rejected](#if-the-contract-is-rejected).
![Conditional.](../media/content-understanding/condition.png)
When a contract has been approved, the following things occur:
![Flow item to move to Pay Out.](../media/content-understanding/ready-for-payout.png)
+ To get the expressions for the information needed from the Teams card, use the values shown in the following table.
+
+ |Name |Expression |
+ ||--|
+ | Approval state | body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId'] |
+ | Approved by | body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['responder']['displayName'] |
+ | Approval date | body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['responseTime'] |
+ | Comment | body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']['acComments'] |
+
+ The following example shows how to use the formula box in Power Automate to write an expression.
+
+ ![Screenshot in Power Automate showing an expression formula.](../media/content-understanding/expression-formula-power-automate.png)
+ - An adaptive card stating that the contract has been approved is created and posted to the Contract Management channel. ![Contract approval posted.](../media/content-understanding/adaptive-card-approval.png)
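Review bot: In the added table, the **Approved by** and **Comment** expressions use the `?` operator only on the first property, as in `?['responder']['displayName']` and `?['data']['acComments']`. If the card response has no `responder` or `data` object, the second lookup fails the flow instead of returning null; write `?['responder']?['displayName']` and `?['data']?['acComments']`. The separator row `||--|` also has no dashes for the first column and may not render as a table.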
When a contract has been rejected, the following things occur:
- In your flow, you check out the contract file, change the status to **Rejected**, and then check the file back in.
- ![Flow status rejected.](../media/content-understanding/reject-flow.png)
+ ![Flow status rejected in contract file.](../media/content-understanding/reject-flow.png)
- In your flow, you create an adaptive card stating that the contract has been rejected.
- ![Flow status rejected.](../media/content-understanding/reject-flow-item.png)
+ ![Flow status shows rejected on adaptive card.](../media/content-understanding/reject-flow-item.png)
The following code is the JSON used for this step in the Power Automate flow.
enterprise Connect To Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/connect-to-microsoft-365-powershell.md
Title: "Connect to Microsoft 365 with PowerShell"
Previously updated : 07/17/2020 audience: ITPro
There are two versions of the PowerShell module that you can use to connect to M
Currently, the Azure Active Directory PowerShell for Graph module doesn't completely replace the functionality of the Microsoft Azure Active Directory Module for Windows PowerShell module for user, group, and license administration. In some cases, you need to use both versions. You can safely install both versions on the same computer.
+>[!Note]
+>You can also connect with the [Azure Cloud Shell](#connect-with-the-azure-cloud-shell) from the Microsoft 365 admin center.
+>
++ ## What do you need to know before you begin?
If you get an error message, check the following issues:
(dir "C:\Program Files\WindowsPowerShell\Modules\MSOnline").Name ```
+## Connect with the Azure Cloud Shell
+
+To connect with and use the Azure Cloud Shell from the Microsoft 365 admin center, select the PowerShell window icon from the upper-right corner of the task bar. In the **Welcome to Azure Cloud Shell** pane, select **PowerShell**.
+
+You will need an active Azure subscription for your organization that is tied to your Microsoft 365 subscription. If you don't already have one, you can create one. Once you have an Azure subscription, a PowerShell window opens from which you can run PowerShell commands and scripts.
+
+For more information, see [Azure Cloud Shell](/azure/cloud-shell/overview).
+ ## See also - [Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)
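Review bot: The new "Connect with the Azure Cloud Shell" section stops at "a PowerShell window opens from which you can run PowerShell commands and scripts" and never says how to reach Microsoft 365 from that session, which is the subject of this article. State whether the reader still has to run the connection steps from the earlier sections inside Cloud Shell, and which account the session runs as. The Azure subscription requirement is a prerequisite, so it should come before the instruction to select the PowerShell icon rather than after it.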
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
Prepare the source tenant:
6. The script will pause and ask you to accept or consent to the Exchange mailbox migration application that was created during this process. Here is an example. ```powershell
+ PS C:\PowerShell\> # Note: the below User.Invite.All permission is optional, and will only be used to retrieve access token to send invitation email to source tenant
PS C:\PowerShell\> .\SetupCrossTenantRelationshipForTargetTenant.ps1 -ResourceTenantDomain contoso.onmicrosoft.com -ResourceTenantAdminEmail admin@contoso.onmicrosoft.com -TargetTenantDomain fabrikam.onmicrosoft.com -ResourceTenantId ksagjid39-ede2-4d2c-98ae-874709325b00 -SubscriptionId e4ssd05d-a327-49ss-849a-sd0932439023 -ResourceGroup "Cross-TenantMoves" -KeyVaultName "Cross-TenantMovesVault" -CertificateName "Contoso-Fabrikam-cert" -CertificateSubject "CN=Contoso_Fabrikam" -AzureResourceLocation "Brazil Southeast" -AzureAppPermissions Exchange, MSGraph -UseAppAndCertGeneratedForSendingInvitation -KeyVaultAuditStorageAccountName "t2tstorageaccount" -KeyVaultAuditStorageResourceGroup "Demo" cmdlet Get-Credential at command pipeline position 1
Prepare the source tenant:
Pay-As-You-Go (ewe23423-a3327-34232-343... Admin@fabrikam... Pay-As-You-Go AzureCloud dsad938432-dd8e-s9034-bf9a-83984293n43 Auditing setup successfully for Cross-TenantMovesVault Exchange application given access to KeyVault Cross-TenantMovesVault
- Application fabrikam_Friends_contoso_2520 created successfully in fabrikam.onmicrosoft.com tenant with following permissions. MSGraph - Directory.ReadWrite.All. Exchange - Mailbox.Migration
+ Application fabrikam_Friends_contoso_2520 created successfully in fabrikam.onmicrosoft.com tenant with following permissions. MSGraph - User.Invite.All. Exchange - Mailbox.Migration
Admin consent URI for fabrikam.onmicrosoft.com tenant admin is - https://login.microsoftonline.com/fabrikam.onmicrosoft.com/adminconsent?client_id=6fea6ere-0dwe-404d-ad35-c71a15cers5c&redirect_uri=https://office.com Admin consent URI for contoso.onmicrosoft.com tenant admin is -
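Review bot: The added comment calls User.Invite.All optional, but the example command beneath it still passes `-AzureAppPermissions Exchange, MSGraph` and `-UseAppAndCertGeneratedForSendingInvitation`, and the sample output shows the application created with "MSGraph - User.Invite.All". Say which parameters to leave out when the invitation email is not needed, so a reader who wants the smallest permission set knows how to end up with "Exchange - Mailbox.Migration" only. Wording: "the below User.Invite.All permission" and "to retrieve access token" read better as "the User.Invite.All permission below" and "to retrieve an access token".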
knowledge Edit A Topic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/edit-a-topic.md
Title: 'Edit an existing topic in Microsoft Viva Topics '
-description: 'How to edit an existing topic in Microsoft Viva Topics.'
--
+ Title: Edit an existing topic in Microsoft Viva Topics
++ audience: admin
- m365initiative-viva-topics localization_priority: Normal-
+description: Learn how to edit an existing topic in Microsoft Viva Topics.
localization_priority: Normal
</br>
-In Viva Topics, you can edit an existing topic. You may need to do this if you want to correct or add additional information to an existing topic page.
+In Viva Topics, you can edit an existing topic. You might need to do this if you want to correct or add additional information to an existing topic page.
> [!Note]
-> While information in a topic that is gathered by AI is [security trimmed](topic-experiences-security-trimming.md), note that topic description and people information that you manually add when editing an existing topic is visible to all users who have permissions to view topics.
+> While information in a topic that is gathered by AI is [security trimmed](topic-experiences-security-trimming.md), the topic description and people information that you manually add when editing an existing topic is visible to all users who have permissions to view topics.
## Requirements To edit an existing topic, you need to: - Have a Viva Topics license.-- Have permissions to [**Who can create or edit topics**](./topic-experiences-user-permissions.md). Knowledge admins can give users this permission in the Viva Topics topic permissions settings.
+- Have permissions to [create or edit topics](./topic-experiences-user-permissions.md). Knowledge admins can give users this permission in the Viva Topics topic permissions settings.
> [!Note]
-> Users who have permission to manage topics in the Topic center (knowledge managers) already have permissions to create and edit topics.
+> Users who have permission to manage topics in the topic center (knowledge managers) already have permissions to create and edit topics.
## How to edit a topic page
-Users who have the **Who can create or edit topics** permission can edit a topic by opening the topic page from a topic highlight, and then selecting the <b>Edit</b> button on the top right of the topic page. The topic page can also be opened from the topic center home page where you can find all the topics that you have a connection to.
+Users who have the *Who can create or edit topics* permission can edit a topic by opening the topic page from a topic highlight, and then selecting the **Edit** button on the top right of the topic page. The topic page can also be opened from the topic center home page where you can find all the topics that you have a connection to.
- ![Edit button](../media/knowledge-management/edit-button.png) </br>
+ ![Screenshot showing the Edit button.](../media/knowledge-management/edit-button.png) </br>
-Knowledge managers can also edit topics directly from the Manage Topics page by selecting the topic, and then selecting <b>Edit</b> in the toolbar.
+Knowledge managers can also edit topics directly from the **Manage topics** page by selecting the topic, and then selecting **Edit** in the toolbar.
- ![Edit topic in Manage Topics](../media/knowledge-management/manage-topics-edit.png) </br>
+ ![Screenshot showing Edit topic on Manage topics page.](../media/knowledge-management/manage-topics-edit.png)
### To edit a topic page 1. On the topic page, select **Edit**. This lets you make changes as needed to the topic page.
- ![Edit control](../media/knowledge-management/topic-page-edit.png) </br>
+ ![Screenshot showing the Edit button on the topic page.](../media/knowledge-management/topic-page-edit.png)
+
+2. In the **Alternate names** section, type any other names that the topic might be referred to.
-2. In the <b>Alternate Names</b> section, type any other names that the topic might be referred to.
+ ![Screenshot showing the Alternate names section.](../media/knowledge-management/alt-names.png)
- ![Alternate names](../media/knowledge-management/alt-names.png) </br>
-3. In the <b>Description</b> section, type a couple of sentences that describes the topic. Or if a description already exists, update it if needed.
+3. In the **Description** section, type a couple of sentences that describes the topic. Or if a description already exists, update it if needed.
- ![Description section](../media/knowledge-management/description.png)</br>
+ ![Screenshot showing the Description section.](../media/knowledge-management/description.png)</br>
-4. In the <b>Pinned people</b> section, you can "pin" a person to show them as having a connection the topic (for example, an owner of a connected resource). Begin by typing their name or email address in the <b>Add a new user</b> box, and then selecting the user you want to add from the search results. You can also "unpin" them by selecting the <b>Remove from list</b> icon on the user card.
+4. In the **Pinned people** section, you can "pin" a person to show them as having a connection the topic (for example, an owner of a connected resource). Begin by typing their name or email address in the **Add a new user** box, and then selecting the user you want to add from the search results. You can also "unpin" them by selecting the **Remove from list** icon on the user card.
- ![Add pinned people](../media/knowledge-management/pinned-people.png)</br>
+ ![Screenshot showing the Add pinned people section.](../media/knowledge-management/pinned-people.png)</br>
- The <b>Suggested people</b> section shows users that AI thinks might be connected to the topic from their connection to resources about the topic. You can change their status from Suggested to Pinned by selecting the pin icon on the user card.
+ The **Suggested people** section shows users that AI thinks might be connected to the topic from their connection to resources about the topic. You can change their status from Suggested to Pinned by selecting the pin icon on the user card.
- ![Pin a suggested people](../media/knowledge-management/suggested-people.png)</br>
+ ![Screenshot showing pinning suggested people.](../media/knowledge-management/suggested-people.png)
-5. In the <b>Pinned files and pages</b> section, you can add or "pin" a file or SharePoint site page that is associated to the topic.
+5. In the **Pinned files and pages** section, you can add or "pin" a file or SharePoint site page that is associated to the topic.
- ![Pinned files and pages section](../media/knowledge-management/pinned-files-and-pages.png)</br>
+ ![Screenshot showing the Pinned files and pages section.](../media/knowledge-management/pinned-files-and-pages.png)
- To add a new file, select <b>Add</b>, select the SharePoint site from your Frequent or Followed sites, and then select the file from the site's document library.
+ To add a new file, select **Add**, select the SharePoint site from your Frequent or Followed sites, and then select the file from the site's document library.
- You can also use the <b>From a link</b> option to add a file or page by providing the URL.
+ You can also use the **From a link** option to add a file or page by providing the URL.
> [!Note] > Files and pages that you add must be located within the same Microsoft 365 tenant. If you want to add a link to an external resource in the topic, you can add it through the canvas icon in step 9.
-6. The <b>Suggested files and pages</b> section shows files and pages that AI suggests to be associated to the topic.
+6. The **Suggested files and pages** section shows files and pages that AI suggests to be associated to the topic.
- ![Suggested files and pages section](../media/knowledge-management/suggested-files-and-pages.png)</br>
+ ![Screenshot showing the Suggested files and pages section.](../media/knowledge-management/suggested-files-and-pages.png)
You can change a suggested file or page to a pinned file or page by selecting the pinned icon.
+7. In the **Pinned sites** section, you can add or ΓÇ£pinΓÇ¥ a site that is associated to the topic.
+
+ ![Screenshot showing the Pinned sites section.](../media/knowledge-management/pinned-sites-section.png)
+
+ To add a new site, select **Add** and then either search for the site, or select it from your list of Frequent or Recent sites.
+
+ ![Screenshot showing Add or remove a pinned site section.](../media/knowledge-management/add-or-remove-pinned-sites.png)
+
+8. The **Suggested sites** section shows the sites that AI suggests to be associated to the topic.
+
+ ![Screenshot of Suggested sites section](../media/knowledge-management/suggested-sites-section.png)
+
+ You can change a suggested site to a pinned site by selecting the pinned icon.
++
+<!
+ 7. The <b>Related sites</b> section shows sites that have information about the topic. ![Related sites section](../media/knowledge-management/related-sites.png)</br>
Knowledge managers can also edit topics directly from the Manage Topics page by
![Confirm remove](../media/knowledge-management/remove-related-confirm.png)</br>
+>
9. You can also add static items to the page ΓÇö such as text, images, or links - by selecting the canvas icon, which you can find below the short description. Selecting it will open the SharePoint toolbox from which you can choose the item you want to add to the page.
- ![Canvas icon](../media/knowledge-management/webpart-library.png)</br>
+ ![Screenshot showing the Canvas icon.](../media/knowledge-management/webpart-library.png)
10. Select **Publish** or **Republish** to save your changes. **Republish** will be your available option if the topic has been published previously.
-## See also
lti Teams Classes Lms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-classes-lms.md
Before managing the integration within Blackboard Learn Ultra, the Microsoft Off
2. Redirect the Microsoft Identity Platform Admin Consent Endpoint according to the following example:
- `https://login.microsoftonline.com/{tenant}/adminconsent?client\_id=2d94989f-457a-47c1-a637-e75acdb11568`
+ `https://login.microsoftonline.com/{tenant}/adminconsent?client_id=2d94989f-457a-47c1-a637-e75acdb11568`
> [!NOTE] > Replace {tenant} with your organizationΓÇÖs Microsoft tenant ID.
security Customize Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction.md
See the [attack surface reduction](attack-surface-reduction.md) topic for detail
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Microsoft Defender Exploit Guard** > **Attack surface reduction**.
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
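Review bot: Step 3 now names the node **Microsoft Defender Exploit Guard**, but the name shown in the Group Policy Management Editor comes from the administrative templates installed, and machines with older templates still show **Windows Defender Exploit Guard**. Keep the new name and give the old one in parentheses so that admins on older templates can still find the **Attack surface reduction** node.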
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, NBNS, SSDP, TCP (
## Which protocols do you use for active probing in Standard discovery? When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols:
-ARP, FTP, HTTP, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL
+ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, CrestonCIP, IphoneSync
## How can I exclude targets from being probed with Standard discovery? If there are devices on your network which should not be actively probed, you can also define a list of exclusions to prevent them from being scanned. The configuration is available in the device discovery settings page.
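Review bot: Two names in the extended probing list look misspelled: "CrestonCIP" (the vendor name is Crestron) and "IphoneSync" (casing differs from iPhone). Check both against the product's own protocol names before publishing. The list also gains mDNS and DHCP, which the preceding answer already lists; a short remark that they are now actively probed as well would help admins who review what traffic Standard discovery generates.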
You may notice differences between the number of listed devices under "can be on
## Can I onboard unmanaged devices that were found? Yes. Unmanaged endpoints in your network introduce vulnerabilities and risks to your network. Onboarding them to the service can increase the security visibility on them. -
+## I've noticed that unmanaged device health state is always "Active", why is that?
+Temporarily, unmanaged device health state will be "Active" during the standard retention period of the device inventory, regardless of their actual state.
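Review bot: The added answer opens with "Temporarily" but does not say what ends the temporary behaviour, and it cites "the standard retention period of the device inventory" without giving the period. Health state is something analysts filter on, so state plainly that "Active" carries no information for unmanaged devices for now, and give the retention period or link to where it is defined. The question heading is also a comma splice; "Why is the health state of unmanaged devices always "Active"?" reads more cleanly.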
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
Method | Data type | Description
:|:|: Export software vulnerabilities assessment **(JSON response)** | Investigation collection See: [3.2 Properties (JSON response)](#32-properties-json-response) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Export software vulnerabilities assessment **(via files)** | Investigation entity See: [3.3 Properties (via files)](#33-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
-**Delta export** software vulnerabilities assessment **(JSON response)** | Investigation collection See: [3.4 Properties Delta export (JSON response)](#34-properties-delta-export-json-response) | Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp. <br><br> The API pulls data in your organization as JSON responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export OData API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export OData API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
+**Delta export** software vulnerabilities assessment **(JSON response)** | Investigation collection See: [3.4 Properties Delta export (JSON response)](#34-properties-delta-export-json-response) | Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp. <br><br> The API pulls data in your organization as JSON responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
### 3.2 Properties (JSON response)
security Get Assessment Secure Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-secure-config.md
There are different API calls to get different types of data. Because the amount
- Download all the files using the download URLs and process the data as you like.
-Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+Data that is collected (using either _JSON response_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
> [!Note] >
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
There are different API calls to get different types of data. Because the amount
- Download all the files using the download URLs and process the data as you like.
-Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+Data that is collected (using either _Json response_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
> [!Note] >
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
There are different API calls to get different types of data. Because the amount
- Download all the files using the download URLs and process the data as you like. 3. [Delta export software vulnerabilities assessment **JSON response**](#3-delta-export-software-vulnerabilities-assessment-json-response) Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp.
-The API pulls data in your organization as Json responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. <br><br> Unlike the full "software vulnerabilities assessment (JSON response)" - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export OData API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export JSON response API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export JSON response API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
+The API pulls data in your organization as Json responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. <br><br> Unlike the full "software vulnerabilities assessment (JSON response)" - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export JSON response API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export JSON response API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
-Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+Data that is collected (using either _Json response_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
> [!Note] >
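Review bot: The replacement for _OData_ is spelled inconsistently in this hunk: the added lines use "Json responses" and "_Json response_" next to "JSON response" in the same paragraph, while the secure-config article in this same update uses "_JSON response_". Use "JSON response" throughout so the term matches the section headings and anchors such as `#3-delta-export-software-vulnerabilities-assessment-json-response`. While touching the sentence, "in their own data storages" would read better as "in their own data storage".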
GET /api/machines/SoftwareVulnerabilityChangesByMachine
### 3.5 Properties
-Each returned record contains all the data from the full export software vulnerabilities assessment by device OData API, plus two additional fields: _**EventTimestamp**_ and _**Status**_.
+Each returned record contains all the data from the full export software vulnerabilities assessment by device API, plus two additional fields: _**EventTimestamp**_ and _**Status**_.
>[!NOTE] >- Some additional columns might be returned in the response. These columns are temporary and might be removed, so please use only the documented columns.
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
This profile contains a license information for Microsoft Defender for Endpoint,
> [!div class="mx-imgBorder"] > ![Custom Configuration Profile creation](images/mdatp-6-systemconfigurationprofiles-1.png)
-1. Choose a name for the profile, e.g., "MDATP onboarding for macOS". Click **Next**.
+1. Choose a name for the profile, e.g., "MDE onboarding for macOS". Click **Next**.
> [!div class="mx-imgBorder"] > ![Custom Configuration Profile - name](images/mdatp-6-systemconfigurationprofiles-2.png)
-1. Choose a name for the configuration profile name, e.g., "MDATP onboarding for macOS".
+1. Choose a name for the configuration profile name, e.g., "MDE onboarding for macOS".
1. Select intune/WindowsDefenderATPOnboarding.xml that you extracted from the onboarding package above as configuration profile file. > [!div class="mx-imgBorder"]
This profile is needed for macOS 10.15 (Catalina) or older. It will be ignored o
Download [**fulldisk.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
-Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "MDATP Full Disk Access" as profile name, and downloaded **fulldisk.mobileconfig** as Configuration profile name.
+Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "MDE Full Disk Access" as profile name, and downloaded **fulldisk.mobileconfig** as Configuration profile name.
### Network Filter
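Review bot: The added line still tells the reader to use the downloaded **fulldisk.mobileconfig** "as Configuration profile name", but the onboarding steps it refers to treat the name and the file as separate fields ("configuration profile name" versus "as configuration profile file"). This should read "as the configuration profile file"; the same wording appears in the Network Filter and Notifications hunks. Because this profile grants Full Disk Access and is fetched from the `master` branch, it would also help to tell admins to review the downloaded file before uploading it.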
As part of the Endpoint Detection and Response capabilities, Microsoft Defender
Download [**netfilter.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
-Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "MDATP Network Filter" as profile name, and downloaded **netfilter.mobileconfig** as Configuration profile name.
+Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "MDE Network Filter" as profile name, and downloaded **netfilter.mobileconfig** as Configuration profile name.
### Notifications
This profile is used to allow Microsoft Defender for Endpoint on macOS and Micro
Download [**notif.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
-Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "MDATP Network Filter" as profile name, and downloaded **notif.mobileconfig** as Configuration profile name.
+Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "MDE Notifications" as profile name, and downloaded **notif.mobileconfig** as Configuration profile name.
### View Status
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
You'll need to take the following steps:
![Image of upload file property List file](images/jamfpro-plist-file.png)
-7. Select **Open** and select the onboarding file.
+6. Select **Open** and select the onboarding file.
![Image of onboarding file](images/jamfpro-plist-file-onboard.png)
-8. Select **Upload**.
+7. Select **Upload**.
![Image of uploading plist file](images/jamfpro-upload-plist.png) -
-9. Select the **Scope** tab.
+8. Select the **Scope** tab.
![Image of scope tab](images/jamfpro-scope-tab.png)
-10. Select the target computers.
+9. Select the target computers.
![Image of target computers](images/jamfpro-target-computer.png) ![Image of targets](images/jamfpro-targets.png)
-11. Select **Save**.
+10. Select **Save**.
![Image of deployment target computers](images/jamfpro-deployment-target.png) ![Image of target computers selected](images/jamfpro-target-selected.png)
-12. Select **Done**.
+11. Select **Done**.
![Image of target group computers](images/jamfpro-target-group.png)
You'll need to take the following steps:
## Step 3: Configure Microsoft Defender for Endpoint settings
-1. Use the following Microsoft Defender for Endpoint configuration settings:
+You can either use JAMF Pro GUI to edit individual settings of the Microsoft Defender configuration,
+or use the legacy method by creating a configuration Plist in a text editor, and uploading it to JAMF Pro.
+
+Note that you must use exact `com.microsoft.wdav` as the **Preference Domain**, Microsoft Defender uses only this name and `com.microsoft.wdav.ext` to load its managed settings!
+
+(The `com.microsoft.wdav.ext` version may be used in rare cases when you prefer to use GUI method, but also need to configure a setting that has not been added to the schema yet.)
+
+### GUI method
+
+1. Download schema.json file from [Defender's GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/schema) and save it to a local file:
+
+ ```bash
+ curl -o ~/Documents/schema.json https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/schema/schema.json
+ ```
+
+2. Create a new Configuration Profile under Computers -> Configuration Profiles, enter the following details on the **General** tab:
+
+ ![New profile](images/644e0f3af40c29e80ca1443535b2fe32.png)
+
+ - Name: MDATP MDAV configuration settings
+ - Description:\<blank\>
+ - Category: None (default)
+ - Level: Computer Level (default)
+ - Distribution Method: Install Automatically (default)
+
+3. Scroll down to the **Application & Custom Settings** tab, select **External Applications**, click **Add** and use **Custom Schema** as Source to use for the preference domain.
+
+ ![Add custom schema](images/4137189bc3204bb09eed3aabc41afd78.png)
+
+4. Enter `com.microsoft.wdav` as the Preference Domain, click on **Add Schema** and **Upload** the schema.json file downloaded on Step 1. Click **Save**.
+
+ ![Upload schema](images/a6f9f556037c42fabcfdcb1b697244cf.png)
+
+5. You can see all supported Microsoft Defender configuration settings below, under **Preference Domain Properties**. Click **Add/Remove properties** to select the settings that you want to be managed, and click **Ok** to save your changes. (Settings left unselected will not be included into the managed configuration, an end user will be able to configure those settings on their machines.)
+
+ ![Select managed settings](images/817b3b760d11467abe9bdd519513f54f.png)
+
+6. Change values of the settings to desired values. You can click **More information** to get documentation for a particular setting. (You may click **Plist preview** to inspect what the configuration plist will look like. Click **Form editor** to return to the visual editor.)
+
+ ![Change settings values](images/a14a79efd5c041bb8974cb5b12b3a9b6.png)
+
+7. Select the **Scope** tab.
+
+ ![Configuration profile scope](images/9fc17529e5577eefd773c658ec576a7d.png)
+
+8. Select **Contoso's Machine Group**.
+
+9. Select **Add**, then select **Save**.
+
+ ![Configuration settings - add](images/cf30438b5512ac89af1d11cbf35219a6.png)
+
+ ![Configuration settings - save](images/6f093e42856753a3955cab7ee14f12d9.png)
+
+10. Select **Done**. You'll see the new **Configuration profile**.
+
+ ![Configuration settings - done](images/dd55405106da0dfc2f50f8d4525b01c8.png)
+
+Microsoft Defender adds new settings over time. These new settings will be added to the schema, and a new version will be published to Github.
+All you need to do to have updates is to download an updated schema, edit existing configuration profile, and **Edit schema** at the **Application & Custom Settings** tab.
+
+### Legacy method
+
+1. Use the following Microsoft Defender for Endpoint configuration settings:
- enableRealTimeProtection - passiveMode
-
+ >[!NOTE] >Not turned on by default, if you are planning to run a third-party AV for macOS, set it to `true`.
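Review bot: In step 1 of the new GUI method, `curl -o ~/Documents/schema.json https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/schema/schema.json` pulls the schema from a mutable branch and, without `-f`, will save an HTTP error page as `schema.json` if the request fails. Since this file defines which Defender settings Jamf will manage, suggest adding `-f` and telling admins to check the file before uploading it. Separately, the sentence "Note that you must use exact `com.microsoft.wdav` as the **Preference Domain**, Microsoft Defender uses only this name..." is a comma splice and is important enough to be a `[!NOTE]` callout, and "Github" should be "GitHub".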
You'll need to take the following steps:
- excludedFileName - exclusionsMergePolicy - allowedThreats
-
+ >[!NOTE] >EICAR is on the sample, if you are going through a proof-of-concept, remove it especially if you are testing EICAR.
-
+ - disallowedThreatActions - potentially_unwanted_application - archive_bomb
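Review bot: The added note under `allowedThreats` ("EICAR is on the sample, if you are going through a proof-of-concept, remove it especially if you are testing EICAR.") is hard to parse and understates the consequence. Say directly that the sample plist lists EICAR as an allowed threat, so the EICAR test file will not be detected unless that entry is removed, and that it should be removed before any detection test or production rollout.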
You'll need to take the following steps:
- automaticSampleSubmission - tags - hideStatusMenuIcon
-
+ For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile). ```XML
You'll need to take the following steps:
2. Save the file as `MDATP_MDAV_configuration_settings.plist`.
+3. In the Jamf Pro dashboard, open **Computers**, and there **Configuration Profiles**. Click **New(* and switch to the **General** tab.
-3. In the Jamf Pro dashboard, select **General**.
-
- ![Image of the new Jamf Pro dashboard](images/644e0f3af40c29e80ca1443535b2fe32.png)
+ ![New profile](images/644e0f3af40c29e80ca1443535b2fe32.png)
4. Enter the following details:
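Review bot: The added step 3 has broken bold markup: "Click **New(* and switch to the **General** tab" will render with stray asterisks. It should be "Click **New** and switch to the **General** tab". "open **Computers**, and there **Configuration Profiles**" would also read better as "go to **Computers** > **Configuration Profiles**", matching the path style used in the GUI method.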
You'll need to take the following steps:
![Image of configuration settings config profile image](images/dd55405106da0dfc2f50f8d4525b01c8.png) - ## Step 4: Configure notifications settings These steps are applicable of macOS 10.15 (Catalina) or newer.
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
This topic describes how to install, configure, update, and use Defender for End
### System Requirements -- Android devices running Android 6.0 and above.
+- Mobile phones running Android 6.0 and above. **Tablets and other mobile devices running Android are not currently supported.**
+ - Intune Company Portal app is downloaded from [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) and installed. Device enrollment is required for Intune device compliance policies to be enforced.
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
RSS feed: Get notified when this page is updated by copying and pasting the foll
``` ## April 2021-- Improved Microsoft 365 security center <br> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. This is the new home to manage your security controls. [Learn what's new](./overview-security-center.md).
+- Microsoft 365 Defender<br> The improved [Microsoft 365 Defender](https://security.microsoft.com) portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. [Learn what's new](./overview-security-center.md).
- [Microsoft 365 Defender threat analytics report](threat-analytics.md)<br> Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.
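Review bot: The rewritten bullet changes the announcement from "now available in public preview" to "now available" but stays under the `## April 2021` heading, so the page now says the portal was generally available in April. If availability changed later, add the entry under the month it happened and leave the April preview entry in place. The "Learn what's new" link still points to `./overview-security-center.md`; confirm that target matches the renamed portal.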
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
When you use the Microsoft 365 Defender portal to remove a custom anti-malware p
1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
-2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
+2. On the **Anti-malware page**, select a custom policy from the list by clicking on the name.
-3. In the confirmation dialog that appears, click **Yes**.
+3. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
+
+4. In the confirmation dialog that appears, click **Yes**.
## Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-malware policies
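Review bot: In the added step 2, the bold span covers the word "page" ("On the **Anti-malware page**"), while the matching anti-phishing steps in this same update use "On the **Anti-phishing** page". Move "page" outside the bold so only the UI label is emphasized. The three delete procedures also differ between "by clicking on the name" and "by clicking on the name of the policy"; pick one.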
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-2. On the **Anti-phishing** page, the following properties are displayed in the list of anti-phishing policies:
+2. On the **Anti-phishing** page, the following properties are displayed in the list of policies:
- **Name** - **Status**
When you use the Microsoft 365 Defender portal to remove a custom anti-phishing
1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
+2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
+
+3. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
-3. In the confirmation dialog that appears, click **Yes**.
+4. In the confirmation dialog that appears, click **Yes**.
## Use Exchange Online PowerShell to configure anti-phishing policies
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
When you use the Microsoft 365 Defender portal to remove a custom anti-phishing
1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
+2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name of the policy.
-3. In the confirmation dialog that appears, click **Yes**.
+3. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
+
+4. In the confirmation dialog that appears, click **Yes**.
## Use Exchange Online PowerShell to configure anti-phishing policies
security Install App Guard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/install-app-guard.md
Upon being opened, the file should display a few visual indicators that the file
## Configure Application Guard for Office Office supports the following policies to enable you to configure the capabilities of Application Guard for Office. These policies can be configured through Group policies or through the [Office cloud policy service](/DeployOffice/overview-office-cloud-policy-service).
-See configuration set by your administrator by reviewing group policy settings in **User Configuration\\Administrative Templates\\Microsoft Office 2016\\Security Settings\\Trust Center\\Application Guard**.
> [!NOTE]
When this heuristic is met, Office will pre-create an Application Guard containe
## Known issues * Selecting web links (`http` or `https`) doesn't open the browser.
-* Pasting rich text format (RTF) content or images in Office documents opened with Application Guard isn't supported at this time.
-* The default setting for unsupported file types protection policy is to block opening untrusted unsupported file types of Information Rights Management (IRM), CSV, or HTML.
+* The default setting for copy-paste protection policy is to enable clipboard access to text only.
+* The default setting for unsupported file types protection policy is to block opening untrusted unsupported file types that are encrypted or have Information Rights Management (IRM) set. This includes files that have Microsoft Information Protection sensitivity labels using encryption (confidential or highly confidential).
+* CSV and HTML files are not supported at this time.
+* Application Guard for Office currently does not work with NTFS compressed volumes. If you are seeing an error "ERROR_VIRTUAL_DISK_LIMITATION" please try uncompressing the volume.
* Updates to .NET might cause files to fail to open in Application Guard. As a workaround, users can restart their device when they come across this failure. Learn more about the issue at [Receiving an error message when attempting to open Windows Defender Application Guard or Windows Sandbox](https://support.microsoft.com/help/4575917/receiving-an-error-message-when-attempting-to-open-windows-defender-ap).
+* Please see [Frequently asked questions - Microsoft Defender Application Guard for additional information.](/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard)
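Review bot: In the last added bullet the link text swallows the rest of the sentence: "[Frequently asked questions - Microsoft Defender Application Guard for additional information.](...)". Close the bracket after "Application Guard" and keep "for additional information." outside the link. Also, the new bullets about default copy-paste and unsupported-file-type settings describe policy defaults rather than defects, so they fit better under "Configure Application Guard for Office" than under "Known issues", and the copy-paste bullet should state plainly that images and rich text still cannot be pasted if that is what "text only" means.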
security Quarantine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-tags.md
Title: Quarantine tags
+ Title: Quarantine policies
ms.assetid:
- M365-security-compliance
-description: Admins can learn how to use quarantine tags to control what users are able to do to their quarantined messages.
+description: Admins can learn how to use quarantine policies to control what users are able to do to their quarantined messages.
ms.technology: mdo ms.prod: m365-security
-# Quarantine tags
+# Quarantine policies
> [!NOTE] > The features that are described in this article are currently in Preview, aren't available to everyone, and are subject to change.
-Quarantine tags in Exchange Online Protection (EOP) allow admins to control what users are able to do to their quarantined messages based on how the message arrived in quarantine.
+Quarantine policies (formerly known as quarantine tags) in Exchange Online Protection (EOP) allow admins to control what users are able to do to their quarantined messages based on how the message arrived in quarantine.
-EOP has traditionally allowed or prevented certain levels of interactivity for messages in [quarantine](find-and-release-quarantined-messages-as-a-user.md) and in [end-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md). For example, end-users can view and release messages that were quarantined by anti-spam filtering as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing.
+EOP has traditionally allowed or prevented certain levels of interactivity for messages in [quarantine](find-and-release-quarantined-messages-as-a-user.md) and in [end-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md). For example, users can view and release messages that were quarantined by anti-spam filtering as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing (only admins can do that).
-For [supported protection features](#step-2-assign-a-quarantine-tag-to-supported-features), quarantine tags specify what users are allowed to do in end-user spam notification messages and in their quarantined messages in quarantine (messages where the user is a recipient). Default quarantine tags are automatically assigned to enforce the historical capabilities for end-users on quarantined messages. Or, you can create and assign custom quarantine tags to allow or prevent end-users from performing specific actions on quarantined messages.
+For [supported protection features](#step-2-assign-a-quarantine-policy-to-supported-features), quarantine policies specify what users are allowed to do in end-user spam notification messages and in their quarantined messages in quarantine (messages where the user is a recipient). Default quarantine policies are automatically assigned to enforce the historical capabilities for users on quarantined messages. Or, you can create and assign custom quarantine policies to allow or prevent end users from performing specific actions on quarantined messages.
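Review bot: The rename changes the in-page anchor to `#step-2-assign-a-quarantine-policy-to-supported-features`, but the renamed heading is not visible in this hunk; confirm the "Step 2" heading is renamed in the same commit, otherwise the link breaks. The same paragraph now mixes "users", "end-user" and "end users" after the edit ("capabilities for users" and then "allow or prevent end users"); use one term, keeping "end-user spam notification" only where it is the feature name.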
The individual permissions are combined into the following preset permission groups:
The available individual permissions and what's included or not included in the
|**Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_)||![Check mark](../../media/checkmark.png)|| |
-If you don't like the default permissions in the preset permission groups, you can use custom permissions when you create or modify custom quarantine tags. For more information about what each permission does, see the [Quarantine tag permission details](#quarantine-tag-permission-details) section later in this article.
+If you don't like the default permissions in the preset permission groups, you can use custom permissions when you create or modify custom quarantine policies. For more information about what each permission does, see the [Quarantine policy permission details](#quarantine-policy-permission-details) section later in this article.
-You create and assign quarantine tags in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with Exchange Online Mailboxes; standalone EOP PowerShell in EOP organizations without Exchange Online mailboxes).
+You create and assign quarantine policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with Exchange Online Mailboxes; standalone EOP PowerShell in EOP organizations without Exchange Online mailboxes).
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Quarantine tags** page, open <https://protection.office.com/quarantineTags>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. Or to go directly to the **Quarantine policies** page, open <https://security.microsoft.com/quarantineTags>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). -- To view, create, modify, or remove quarantine tags, you need to be a member of the **Organization Management** or **Security Administrator** roles in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+- To view, create, modify, or remove quarantine policies, you need to be a member of the **Organization Management** or **Security Administrator** roles in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
-## Step 1: Create quarantine tags in the Security & Compliance Center
+## Step 1: Create quarantine policies in the Microsoft 365 Defender portal
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** and then select **Quarantine tags**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \>**Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
-2. On the **Quarantine tags** page, select **Add custom tag**.
+2. On the **Quarantine policy** page, click ![Add custom policy icon](../../media/m365-cc-sc-create-icon.png) **Add custom policy**.
-3. The **New tag** wizard opens. On the **Tag name** page, enter a brief but unique name in the **Tag name** field. You'll need to identify and select the tag by name in upcoming steps. When you're finished, click **Next**.
+3. The **New policy** wizard opens. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. You'll need to identify and select the quarantine policy by name in upcoming steps. When you're finished, click **Next**.
4. On the **Recipient message access** page, select one of the following values: - **No access**
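Review bot: The new navigation path in step 1 is missing a space in `\>**Threat policies**`, and it does not match the path this change uses for the same portal in the anti-spam procedure: that one goes through **Policies & rules** \> **Policies** section, while this step goes through **Threat policies** \> **Rules** section. Confirm which label the portal shows and use it in both places. Step 1 also names **Quarantine policies** twice ("\> **Quarantine policies** and then select **Quarantine policies**"), which reads like a leftover from the old wording. Step 2 says "**Quarantine policy** page" while the prerequisite bullet says "**Quarantine policies** page"; the page name should be the same everywhere.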
You create and assign quarantine tags in the Security & Compliance Center or in
The individual permissions that are included in these permission groups are described earlier in this article.
- To specify custom permissions, select **Set specific access (Advanced)** and configure the following settings:
+ To specify custom permissions, select **Set specific access (Advanced)** and the configure the following settings that appear:
- **Select release action preference**: Select one of the following values: - **No release action**: This is the default value. - **Allow recipients to release a message from quarantine** - **Allow recipients to request a message to be released from quarantine**- - **Select additional actions recipients can take on quarantined messages**: Select some, all, or none of the following values: - **Delete** - **Preview**
- - **Allow sender**
- **Block sender**
- These permissions and their effect on quarantined messages and in end-user spam notifications are described in the [Quarantine tag permission details](#quarantine-tag-permission-details) section later in this article.
+ These permissions and their effect on quarantined messages and in end-user spam notifications are described in the [Quarantine policy permission details](#quarantine-policy-permission-details) section later in this article.
When you're finished, click **Next**.
-5. On the **Summary** page that appears, review your settings. You can click **Edit** on each setting to modify it.
+5. On the **Review policy** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
When you're finished, click **Submit**.
-6. Click **Done** on the confirmation page that appears.
+6. On the confirmation page that appears, click **Done**.
-Now you are ready to assign the quarantine tag to a quarantine feature as described in the [Step 2](#step-2-assign-a-quarantine-tag-to-supported-features) section.
+Now you're ready to assign the quarantine policy to a quarantine feature as described in the [Step 2](#step-2-assign-a-quarantine-policy-to-supported-features) section.
-### Create quarantine tags in PowerShell
+### Create quarantine policies in PowerShell
-If you'd rather use PowerShell to create quarantine tags, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the **New-QuarantineTag** cmdlet. You have two different methods to choose from:
+If you'd rather use PowerShell to create quarantine policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the **New-QuarantineTag** cmdlet. You have two different methods to choose from:
- Use the _EndUserQuarantinePermissionsValue_ parameter. - Use the _EndUserQuarantinePermissions_ parameter.
These methods are described in the following sections.
#### Use the EndUserQuarantinePermissionsValue parameter
-To create a quarantine tag using the _EndUserQuarantinePermissionsValue_ parameter, use the following syntax:
+To create a quarantine policy using the _EndUserQuarantinePermissionsValue_ parameter, use the following syntax:
```powershell New-QuarantineTag -Name "<UniqueName>" -EndUserQuarantinePermissionsValue <0 to 236>
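Review bot: Typo in the added line for custom permissions: "select **Set specific access (Advanced)** and the configure the following settings that appear" should read "and then configure". The same hunk drops **Allow sender** from the list of additional actions with no mention in the surrounding text. If that permission is no longer offered, check the permission table and the permission details section for leftover references.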
The required order and values for each individual permission in preset permissio
<sup>\*\*</sup> Don't set both of these values to 1. Set one to 1 and the other to 0, or set both to 0.
-This example creates a new quarantine tag name NoAccess that assigns the No access permissions as described in the previous table.
+This example creates a new quarantine policy name NoAccess that assigns the No access permissions as described in the previous table.
```powershell New-QuarantineTag -Name NoAccess -EndUserQuarantinePermissionsValue 0
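Review bot: The rewritten sentence keeps the typo "creates a new quarantine policy name NoAccess"; it should be "named NoAccess", matching the wording of the LimitedAccess example later in the article.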
For detailed syntax and parameter information, see [New-QuarantineTag](/powershe
#### Use the EndUserQuarantinePermissions parameter
-To create a quarantine tag using the _EndUserQuarantinePermissionsValue_ parameter, do the following steps:
+To create a quarantine policy using the _EndUserQuarantinePermissionsValue_ parameter, do the following steps:
A. Store a quarantine permissions object in a variable using the **New-QuarantinePermissions** cmdlet.
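Review bot: The intro under "Use the EndUserQuarantinePermissions parameter" still names the wrong parameter: it says "using the _EndUserQuarantinePermissionsValue_ parameter", which is the method from the previous section. The steps that follow store an object from **New-QuarantinePermissions** in a variable, so the sentence should reference _EndUserQuarantinePermissions_. The line is being edited anyway, so fix it here; otherwise readers may pass the permissions object to the parameter that expects a number from 0 to 236.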
After you've created and stored the permissions object in a variable, use the va
New-QuarantineTag -Name "<UniqueName>" -EndUserQuarantinePermissions $<VariableName> ```
-This example creates a new quarantine tag named LimitedAccess using the `$LimitedAccess` permissions object that was described and created in the previous step.
+This example creates a new quarantine policy named LimitedAccess using the `$LimitedAccess` permissions object that was described and created in the previous step.
```powershell New-QuarantineTag -Name LimitedAccess -EndUserQuarantinePermissions $LimitedAccess
New-QuarantineTag -Name LimitedAccess -EndUserQuarantinePermissions $LimitedAcce
For detailed syntax and parameter information, see [New-QuarantineTag](/powershell/module/exchange/new-quarantinetag).
-## Step 2: Assign a quarantine tag to supported features
+## Step 2: Assign a quarantine policy to supported features
-In _supported_ protection features that quarantine messages or files (automatically or as a configurable action), you can assign a quarantine tag to the available quarantine actions. Features that quarantine messages and the availability of quarantine tags are described in the following table:
+In _supported_ protection features that quarantine messages or files (automatically or as a configurable action), you can assign a quarantine policy to the available quarantine actions. Features that quarantine messages and the availability of quarantine policies are described in the following table:
<br> ****
-|Feature|Quarantine tags supported?|Default quarantine tags used|
+|Feature|Quarantine policies supported?|Default quarantine policies used|
||::||
-|[Anti-spam policies](configure-your-spam-filter-policies.md): <ul><li>**Spam** (_SpamAction_)</li><li>**High confidence spam** (_HighConfidenceSpamAction_)</li><li>**Phishing email** (_PhishSpamAction_)</li><li>**High confidence phishing email** (_HighConfidencePhishAction_)</li><li>**Bulk email** (_BulkSpamAction_)</li></ul>|Yes|<ul><li>DefaultSpamTag (Full access)</li><li>DefaultHighConfSpamTag (Full access)</li><li>DefaultPhishTag (Full access)</li><li>DefaultHighConfPhishTag (No access)</li><li>DefaultBulkTag (Full access)</li></ul>
-|Anti-phishing policies: <ul><li>[Spoof intelligence protection](set-up-anti-phishing-policies.md#spoof-settings) (_AuthenticationFailAction_)</li><li>[Impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365):<sup>\*</sup> <ul><li>**If email is sent by an impersonated user** (_TargetedUserProtectionAction_)</li><li>**If email is sent by an impersonated domain** (_TargetedDomainProtectionAction_)</li><li>**Mailbox intelligence** \> **If email is sent by an impersonated user** (_MailboxIntelligenceProtectionAction_)</li></ul></li></ul></ul>|No|n/a|
+|[Anti-spam policies](configure-your-spam-filter-policies.md): <ul><li>**Spam** (_SpamAction_)</li><li>**High confidence spam** (_HighConfidenceSpamAction_)</li><li>**Phishing** (_PhishSpamAction_)</li><li>**High confidence phishing** (_HighConfidencePhishAction_)</li><li>**Bulk** (_BulkSpamAction_)</li></ul>|Yes|<ul><li>DefaultSpamTag (Full access)</li><li>DefaultHighConfSpamTag (Full access)</li><li>DefaultPhishTag (Full access)</li><li>DefaultHighConfPhishTag (No access)</li><li>DefaultBulkTag (Full access)</li></ul>
+|Anti-phishing policies: <ul><li>[Spoof intelligence protection](set-up-anti-phishing-policies.md#spoof-settings) (_AuthenticationFailAction_)</li><li>[Impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365):<sup>\*</sup> <ul><li>**If message is detected as an impersonated user** (_TargetedUserProtectionAction_)</li><li>**If message is detected as an impersonated domain** (_TargetedDomainProtectionAction_)</li><li>**If mailbox intelligence detects and impersonated user** (_MailboxIntelligenceProtectionAction_)</li></ul></li></ul></ul>|No|n/a|
|[Anti-malware policies](configure-anti-malware-policies.md): All detected messages are always quarantined.|No|n/a| |[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)|No|n/a| |[Mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) with the action: **Deliver the message to the hosted quarantine** (_Quarantine_).|No|n/a|
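Review bot: Typo in the new anti-phishing row: "**If mailbox intelligence detects and impersonated user**" should be "detects an impersonated user". The row also ends with `</ul></li></ul></ul>`, one more closing `</ul>` than the two lists it opens, and the anti-spam row above it has no closing `|`, unlike the other rows. Both predate this change but are worth fixing while the rows are being touched.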
In _supported_ protection features that quarantine messages or files (automatica
<sup>\*</sup> Impersonation protection settings are available only in anti-phishing policies in Microsoft Defender for Office 365.
-If you're happy with the end-user permissions that are provided by the default quarantine tags, you don't need to do anything. If you want to customize the end-user capabilities (available buttons) in end-user spam notifications or in quarantined message details, you can assign a custom quarantine tag.
+If you're happy with the end-user permissions that are provided by the default quarantine policies, you don't need to do anything. If you want to customize the end-user capabilities (available buttons) in end-user spam notifications or in quarantined message details, you can assign a custom quarantine policy.
-### Assign quarantine tags in anti-spam policies in the Security & Compliance Center
+### Assign quarantine policies in anti-spam policies in the Microsoft 365 Defender portal
Full instructions for creating and modifying anti-spam policies are described in [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> and then select **Anti-spam**. Or, open <https://protection.office.com/antispam>.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Policies** section \> **Anti-spam**. Or, open <https://security.microsoft.com/antispam>.
-2. Find and select an existing anti-spam policy to edit, or create a new anti-spam policy.
+2. On the **Anti-spam policies** page, do one of the following steps:
+ - Find and select an existing **inbound** anti-spam policy.
+ - Create a new **inbound** anti-spam policy.
-3. In the policy details flyout, expand the **Spam and bulk actions** section.
+3. Do one of the following steps:
+ - **Edit existing anti-spam policy**: In the policy details flyout, go to the **Actions** section and then click **Edit actions**.
+ - **Create new anti-spam policy**: In the new policy wizard, go to the **Actions** page.
-4. If you've selected **Quarantine message** for the action of an available spam filtering verdict, the **Apply quarantine policy tag** box is available for you to select the quarantine tag for that verdict.
+4. On the **Actions** page. every verdict that has the **Quarantine message** action will also have the **Select quarantine policy** box for you to select a corresponding quarantine policy.
- **Note**: When you create a new policy, a blank quarantine tag value for a spam filtering verdict indicates the default quarantine tag for that verdict is used. When you later edit the policy, the blank values are replaced by the actual default quarantine tag names as described in the previous table.
+ **Note**: When you create a new policy, a blank **Select quarantine policy** value indicates the default quarantine policy for that verdict is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table.
- ![Quarantine tag selections in an anti-spam policy](../../media/quarantine-tags-in-anti-spam-policies.png)
+ ![Quarantine policy selections in an anti-spam policy](../../media/quarantine-tags-in-anti-spam-policies.png)
5. When you're finished, click **Save**.
-#### Assign quarantine tags in anti-spam policies in PowerShell
+#### Assign quarantine policies in anti-spam policies in PowerShell
-If you'd rather use PowerShell to assign quarantine tags in anti-spam policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
+If you'd rather use PowerShell to assign quarantine policies in anti-spam policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
```powershell <New-HostedContentFilterPolicy -Name "<Unique name>" | Set-HostedContentFilterPolicy -Identity "<Policy name>"> [-SpamAction Quarantine] [-SpamQuarantineTag <QuarantineTagName>] [-HighConfidenceSpamAction Quarantine] [-HighConfidenceSpamQuarantineTag <QuarantineTagName>] [-PhishSpamAction Quarantine] [-PhishQuarantineTag <QuarantineTagName>] [-HighConfidencePhishQuarantineTag <QuarantineTagName>] [-BulkSpamAction Quarantine] [-BulkQuarantineTag <QuarantineTagName>] ...
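Review bot: Punctuation error in the new step 4: "On the **Actions** page. every verdict that has the **Quarantine message** action..." has a period where a comma belongs, which leaves a sentence fragment. In the same hunk, the image for this step still points to quarantine-tags-in-anti-spam-policies.png. If that screenshot shows the old **Apply quarantine policy tag** box, it no longer matches the **Select quarantine policy** label the step describes.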
If you'd rather use PowerShell to assign quarantine tags in anti-spam policies,
**Notes**: -- The default value for the _HighConfidencePhishAction_ parameter is Quarantine, so you don't need to set the Quarantine action for high confidence phishing detections in new anti-spam policies. For all other spam filtering verdicts in new or existing anti-spam policies, the quarantine tag is only effective if the action value is Quarantine. To see the action values in existing anti-spam policies, run the following command:
+- The default value for the _HighConfidencePhishAction_ parameter is Quarantine, so you don't need to set the Quarantine action for high confidence phishing detections in new anti-spam policies. For all other spam filtering verdicts in new or existing anti-spam policies, the quarantine policy is only effective if the action value is Quarantine. To see the action values in existing anti-spam policies, run the following command:
```powershell Get-HostedContentFilterPolicy | Format-Table Name,*SpamAction,HighConfidencePhishAction
If you'd rather use PowerShell to assign quarantine tags in anti-spam policies,
For information about the default action values and the recommended action values for Standard and Strict, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings). -- A spam filtering verdict without a corresponding quarantine tag parameter means the [default quarantine tag](#step-2-assign-a-quarantine-tag-to-supported-features) for that verdict is used.
+- A spam filtering verdict without a corresponding quarantine policy parameter means the [default quarantine policy](#step-2-assign-a-quarantine-policy-to-supported-features) for that verdict is used.
- You only need to replace a default quarantine tag with a custom quarantine tag if you want to change the default end-user capabilities on quarantined messages.
+ You only need to replace a default quarantine policy with a custom quarantine policy if you want to change the default end-user capabilities on quarantined messages.
- A new anti-spam policy in PowerShell requires a spam filter policy (settings) using the **New-HostedContentFilterPolicy** cmdlet and a new spam filter rule (recipient filters) using the **New-HostedContentFilterRule** cmdlet. For instructions, see [Use PowerShell to create anti-spam policies](configure-your-spam-filter-policies.md#use-powershell-to-create-anti-spam-policies). This example creates a new spam filter policy named Research Department with the following settings: - The action for all spam filtering verdicts is set to Quarantine.-- The custom quarantine tag named NoAccess that assigns **No access** permissions replaces any default quarantine tags that don't already assign **No access** permissions by default.
+- The custom quarantine policy named NoAccess that assigns **No access** permissions replaces any default quarantine policies that don't already assign **No access** permissions by default.
```powershell New-HostedContentFilterPolicy -Name Research Department -SpamAction Quarantine -SpamQuarantineTag NoAccess -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag NoAction -PhishSpamAction Quarantine -PhishQuarantineTag NoAction -BulkSpamAction Quarantine -BulkQuarantineTag NoAccess
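Review bot: The description updated here says the custom policy named NoAccess is applied, but the unchanged example command that follows passes `-HighConfidenceSpamQuarantineTag NoAction` and `-PhishQuarantineTag NoAction`. No policy named NoAction is created in the steps shown, so as written the command does not assign the **No access** permissions the text describes to those two verdicts; both values should be NoAccess. The policy name also needs quotes (`-Name "Research Department"`) because it contains a space, as the Human Resources example already does.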
New-HostedContentFilterPolicy -Name Research Department -SpamAction Quarantine -
For detailed syntax and parameter information, see [New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy).
-This example modifies the existing spam filter policy named Human Resources. The action for the spam quarantine verdict is set to Quarantine, and the custom quarantine tag named NoAccess is assigned.
+This example modifies the existing spam filter policy named Human Resources. The action for the spam quarantine verdict is set to Quarantine, and the custom quarantine policy named NoAccess is assigned.
```powershell Set-HostedContentFilterPolicy -Identity "Human Resources" -SpamAction Quarantine -SpamQuarantineTag NoAccess
Set-HostedContentFilterPolicy -Identity "Human Resources" -SpamAction Quarantine
For detailed syntax and parameter information, see [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy).
-## Configure global quarantine notification settings in the Security & Compliance Center
+## Configure global quarantine notification settings in the Microsoft 365 Defender portal
-The global settings for quarantine tags allow you to customize the end-user spam notifications that are sent to recipients of messages that were quarantined. For more information about these notifications, see [End-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md).
+The global settings for quarantine policies allow you to customize the end-user spam notifications that are sent to recipients of messages that were quarantined. For more information about these notifications, see [End-user spam notifications](use-spam-notifications-to-release-and-report-quarantined-messages.md).
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** and then select **Quarantine tags**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \>**Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
-2. On the **Quarantine tags** page, select **Global settings**.
+2. On the **Quarantine policy** page, select **Global settings**.
3. In the **Quarantine notification settings** flyout that opens, configure some or all of the following settings:
- - **Use my company logo**: Select this option to replace the default Microsoft logo that's use at the top of end-user spam notifications. Before you do this, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo.
-
- The following screenshot shows a custom logo in an end-user spam notification:
-
- ![A custom logo in an end-user spam notification](../../media/quarantine-tags-esn-customization-logo.png)
-
- - **Choose language**: End-user spam notifications are already localized based on the recipient's language settings. You can specify customized text in different languages for the **Display name** and **Disclaimer** values.
-
- Select at least one language from the first language box and then click **Add**. You can select multiple languages by clicking **Add** after each one. A section language box shows all of the languages that you've selected:
-
- ![Selected languages in the second language box in the global quarantine notification settings of quarantine tags](../../media/quarantine-tags-esn-customization-selected-languages.png)
- - **Display name**: Customize the sender's display name that's used in end-user spam notifications. For each language that you've added, select the language in the second language box (don't click on the X) and enter the text value you want in the **Display name** box.
The global settings for quarantine tags allow you to customize the end-user spam
![A custom disclaimer at the bottom of an end-user spam notification](../../media/quarantine-tags-esn-customization-disclaimer.png)
-## View quarantine tags in the Security & Compliance Center
+ - **Choose language**: End-user spam notifications are already localized based on the recipient's language settings. You can specify customized text in different languages for the **Display name** and **Disclaimer** values.
+
+ Select at least one language from the first language box and then click **Add**. You can select multiple languages by clicking **Add** after each one. A section language box shows all of the languages that you've selected:
+
+ ![Selected languages in the second language box in the global quarantine notification settings of quarantine policies](../../media/quarantine-tags-esn-customization-selected-languages.png)
+
+ - **Use my company logo**: Select this option to replace the default Microsoft logo that's use at the top of end-user spam notifications. Before you do this, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo.
+
+ The following screenshot shows a custom logo in an end-user spam notification:
+
+ ![A custom logo in an end-user spam notification](../../media/quarantine-tags-esn-customization-logo.png)
+
+## View quarantine policies in the Microsoft 365 Defender portal
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** and then select **Quarantine tags**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \>**Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
-- To view the settings of built-in or custom quarantine tags, select the quarantine tag from the list (don't select the check box).
+2. The **Quarantine policy** page shows the list of policies by **Name** and **Last updated** date.
-- To view the global settings, select **Global settings**
+3. To view the settings of built-in or custom quarantine policies, select the quarantine policy from the list by clicking on the name.
-### View quarantine tags in PowerShell
+4. To view the global settings, click **Global settings**
-If you'd rather use PowerShell to view quarantine tags, do any of the following steps:
+### View quarantine policies in PowerShell
-- To view a summary list of all built-in or custom tags, run the following command:
+If you'd rather use PowerShell to view quarantine policies, do any of the following steps:
+
+- To view a summary list of all built-in or custom policies, run the following command:
```powershell Get-QuarantineTag | Format-Table Name ``` -- To view the settings of built-in or custom quarantine tags, replace \<TagName\> with the name of the quarantine tag, and run the following command:
+- To view the settings of built-in or custom quarantine policies, replace \<QuarantinePolicyName\> with the name of the quarantine policy, and run the following command:
```powershell
- Get-QuarantineTag -Identity "<TagName>"
+ Get-QuarantineTag -Identity "<QuarantinePolicyName>"
``` - To view the global settings, run the following command:
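Review bot: The relocated **Choose language** and **Use my company logo** text carries over two typos: "A section language box shows all of the languages" (the image caption that follows calls it the second language box) and "the default Microsoft logo that's use at the top". Fix both as part of the move. In the new numbered list, step 4 ("To view the global settings, click **Global settings**") is missing its final period, and step 2 says "**Quarantine policy** page" where other sections say "**Quarantine policies** page".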
If you'd rather use PowerShell to view quarantine tags, do any of the following
For detailed syntax and parameter information, see [Get-HostedContentFilterPolicy](/powershell/module/exchange/get-hostedcontentfilterpolicy).
-## Remove quarantine tags in the Security & Compliance Center
+## Modify quarantine policies in the Microsoft 365 Defender portal
-**Notes**:
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \>**Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
+
+2. On the **Quarantine policies** page, select the policy by clicking on the name.
+
+3. After you select the policy, click the ![Edit policy icon](../../media/m365-cc-sc-edit-icon.png) **Edit policy** icon that appears.
+
+4. The **Edit policy** wizard that opens is virtually identical to the **New policy** wizard as described in the [Create quarantine policies in the Microsoft 365 Defender portal](#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal) section earlier in this article.
+
+ The main difference is: you can't rename an existing policy.
+
+5. When you're finished modifying the policy, go to the **Summary** page and click **Submit**.
-- You can't remove built-in quarantine tags.
+### Modify quarantine policies in PowerShell
-- Before you remove a custom quarantine tag, verify that it's not being used. For example, run the following command in PowerShell:
+If you'd rather use PowerShell to modify a custom quarantine policy, replace \<QuarantinePolicyName\> with the name of the quarantine policy, and use the following syntax:
+
+```powershell
+Set-QuarantineTag -Identity "<QuarantinePolicyName>" [Settings]
+```
+
+The available settings are the same as described for creating quarantine policies earlier in this article.
+
+For detailed syntax and parameter information, see [Set-QuarantineTag](/powershell/module/exchange/set-quarantinetag).
+
+## Remove quarantine policies in the Microsoft 365 Defender portal
+
+**Notes**:
+
+- You can't remove built-in quarantine policies.
+- Before you remove a custom quarantine policy, verify that it's not being used. For example, run the following command in PowerShell:
```powershell Get-HostedContentFilterPolicy | Format-List Name,*QuarantineTag ```
- If the quarantine tag is being used, [replace the assigned quarantine tag](#step-2-assign-a-quarantine-tag-to-supported-features) before you remove it.
+ If the quarantine policy is being used, [replace the assigned quarantine policy](#step-2-assign-a-quarantine-policy-to-supported-features) before you remove it.
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \>**Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** and then select **Quarantine tags**.
+2. On the **Quarantine policy** page, select the custom quarantine policy that you want to remove by clicking on the name.
-2. On the **Quarantine tags** page, select the custom quarantine tag that you want to remove, and the click **Delete tag**.
+3. After you select the policy, click the ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy** icon that appears.
-3. Click **Remove tag** in the confirmation dialog that appears.
+4. Click **Remove policy** in the confirmation dialog that appears.
-### Remove quarantine tags in PowerShell
+### Remove quarantine policies in PowerShell
-If you'd rather use PowerShell to remove a custom quarantine tag, replace \<TagName\> with the name of the quarantine tag, and run the following command:
+If you'd rather use PowerShell to remove a custom quarantine policy, replace \<QuarantinePolicyName\> with the name of the quarantine policy, and run the following command:
```powershell
-Remove-QuarantineTag -Identity "<TagName>"
+Remove-QuarantineTag -Identity "<QuarantinePolicyName>"
``` For detailed syntax and parameter information, see [Remove-QuarantineTag](/powershell/module/exchange/remove-quarantinetag).
-## Quarantine tag permission details
+## Quarantine policy permission details
The following sections describe the effects of preset permission groups and individual permissions in the details of quarantined messages and in end-user spam notifications.
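Review bot: Step 5 of the new Modify procedure tells the reader to "go to the **Summary** page and click **Submit**", but this same change renames that wizard page to **Review policy** in the create procedure, and step 4 says the two wizards are virtually identical. Use one page name in both procedures. The page title also alternates between "**Quarantine policies** page" (Modify, step 2) and "**Quarantine policy** page" (Remove, step 2). In the PowerShell section, `[Settings]` in the **Set-QuarantineTag** syntax is an undefined placeholder; since the text says the settings are the same as for creation, naming _EndUserQuarantinePermissionsValue_ and _EndUserQuarantinePermissions_ in the syntax line would make it usable.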
The individual permissions that are included in preset permission groups are lis
#### No access
-If the quarantine tag assigns the **No access** permissions (no permissions), users still get some baseline capabilities:
+If the quarantine policy assigns the **No access** permissions (no permissions), users still get some baseline capabilities:
- **Quarantined message details**: The **View message header** button is always available.
- ![Available buttons in the quarantined message details if the quarantine tag gives the user No access permissions](../../media/quarantine-tags-quarantined-message-details-no-access.png)
+ ![Available buttons in the quarantined message details if the quarantine policy gives the user No access permissions](../../media/quarantine-tags-quarantined-message-details-no-access.png)
- **End-user spam notifications**: The **Review** button that takes the user to the message in quarantine is always available.
- ![Available buttons in the end-user spam notification if the quarantine tag gives the user No access permissions](../../media/quarantine-tags-esn-no-access.png)
+ ![Available buttons in the end-user spam notification if the quarantine policy gives the user No access permissions](../../media/quarantine-tags-esn-no-access.png)
#### Limited access
-If the quarantine tag assigns the **Limited access** permissions, users get the following capabilities:
+If the quarantine policy assigns the **Limited access** permissions, users get the following capabilities:
- **Quarantined message details**: The following buttons are available: - **Request release**
If the quarantine tag assigns the **Limited access** permissions, users get the
- **Block sender** - **Remove from quarantine**
- ![Available buttons in the quarantined message details if the quarantine tag gives the user Limited access permissions](../../media/quarantine-tags-quarantined-message-details-limited-access.png)
+ ![Available buttons in the quarantined message details if the quarantine policy gives the user Limited access permissions](../../media/quarantine-tags-quarantined-message-details-limited-access.png)
- **End-user spam notifications**: The following buttons are available: - **Block sender** - **Review**
- ![Available buttons in the end-user spam notification if the quarantine tag gives the user Limited access permissions](../../media/quarantine-tags-esn-limited-access.png)
+ ![Available buttons in the end-user spam notification if the quarantine policy gives the user Limited access permissions](../../media/quarantine-tags-esn-limited-access.png)
#### Full access
-If the quarantine tag assigns the **Full access** permissions (all available permissions), users get the following capabilities:
+If the quarantine policy assigns the **Full access** permissions (all available permissions), users get the following capabilities:
- **Quarantined message details**: The following buttons are available: - **Release message**
If the quarantine tag assigns the **Full access** permissions (all available per
- **Allow sender** - **Remove from quarantine**
- ![Available buttons in the quarantined message details if the quarantine tag gives the user Full access permissions](../../media/quarantine-tags-quarantined-message-details-full-access.png)
+ ![Available buttons in the quarantined message details if the quarantine policy gives the user Full access permissions](../../media/quarantine-tags-quarantined-message-details-full-access.png)
- **End-user spam notifications**: The following buttons are available: - **Block sender** - **Release** - **Review**
- ![Available buttons in the end-user spam notification if the quarantine tag gives the user Full access permissions](../../media/quarantine-tags-esn-full-access.png)
+ ![Available buttons in the end-user spam notification if the quarantine policy gives the user Full access permissions](../../media/quarantine-tags-esn-full-access.png)
### Individual permissions
The **Allow recipients to request a message to be released from quarantine** per
- Permission enabled: The **Request release** button is available. - Permission disabled: The **Request release** button is not available. -- **End-user spam notifications**: The **Release** button is not available.
+- **End-user spam notifications**: The **Release** button is not available.
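Review bot: The PowerShell section is renamed to "Remove quarantine policies in PowerShell" and the placeholder becomes `<QuarantinePolicyName>`, but the command itself is still `Remove-QuarantineTag` and the reference link still points to Remove-QuarantineTag. Add one sentence stating that the cmdlet keeps the older "tag" name, so that an admin does not take it for a leftover or go looking for a differently named cmdlet. In the portal steps, step 1 ends with "**Quarantine policies** and then select **Quarantine policies**" (the same target twice, and `\>**Threat policies**` is missing a space), and step 2 calls the page "**Quarantine policy**" in the singular. Use one page name throughout.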
security Reporting And Message Trace In Exchange Online Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reporting-and-message-trace-in-exchange-online-protection.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
## Usage reports
-**Microsoft 365 groups activity**: View information about the number of Microsoft 365 groups that are created and used.
+- **Microsoft 365 groups activity**: View information about the number of Microsoft 365 groups that are created and used. For more information, see [Microsoft 365 Reports in the admin center - Microsoft 365 groups](../../admin/activity-reports/office-365-groups.md).
+- **Email activity**: View information about the number of messages sent, received, and read in your whole organization, and by specific users. For more information, see [Microsoft 365 Reports in the admin center - Email activity](../../admin/activity-reports/email-activity.md).
+- **Email app usage**: View information about the email apps that are used. This includes the total number of connections for each app, and the versions of Outlook that are connecting. For more information, see [Microsoft 365 Reports in the admin center - Email apps usage](../../admin/activity-reports/email-apps-usage.md).
+- **Mailbox usage**: View information about storage used, quota consumption, item count, and last activity (send or read activity) for mailboxes. For more information, see [Microsoft 365 Reports in the admin center - Mailbox usage](../../admin/activity-reports/mailbox-usage.md).
-**Email activity**: View information about the number of messages sent, received and read in your whole organization, and by specific users.
-
-**Email app usage**: View information about the email apps that are used. This include the total number of connections for each app, and the versions of Outlook that are connecting.
-
-**Mailbox usage**: View information about storage used, quota consumption, item count, and last activity (send or read activity) for mailboxes.
-
-See the following resources for more information:
--- [Microsoft 365 Reports in the admin center - Microsoft 365 groups](../../admin/activity-reports/office-365-groups.md)-- [Microsoft 365 Reports in the admin center - Email activity](../../admin/activity-reports/email-activity.md)-- [Microsoft 365 Reports in the admin center - Email apps usage](../../admin/activity-reports/email-apps-usage.md)-- [Microsoft 365 Reports in the admin center - Mailbox usage](../../admin/activity-reports/mailbox-usage.md)-
-## Security & compliance reports in the Microsoft 365 admin center
+## Security reports in the Microsoft 365 defender portal
These enhanced reports provide an interactive reporting experience for EOP admins, which includes summary information, and the ability to drill down for more details.
-**Defender for Office 365**: View information about Safe Links and Safe Attachments that are part of Microsoft Defender for Office 365.
-
-**EOP**: View information about malware detections, spoofed mail, spam detections, and mail flow to and from your organization.
-
-[View reports for Defender for Office 365](view-reports-for-mdo.md)
+- **Defender for Office 365**: View information about Safe Links and Safe Attachments that are part of Microsoft Defender for Office 365. For more information, see [View Defender for Office 365 reports in the Microsoft 365 Defender portal](view-reports-for-mdo.md).
+- **EOP**: View information about malware detections, spoofed mail, spam detections, and mail flow to and from your organization. For more information, see [View email security reports in the Microsoft 365 Defender portal](view-email-security-reports.md).
## Custom reports using Microsoft Graph
Follows email messages as they travel through EOP. You can determine if an email
You can use this information to efficiently answer your user's questions, troubleshoot mail flow issues, validate policy changes, and alleviates the need to contact technical support for assistance.
-See [Message trace in the Security & Compliance Center](message-trace-scc.md).
+See [Message trace in the Microsoft 365 Defender portal](message-trace-scc.md).
## Audit logging
Tracks specific changes made by admins to your organization. These reports can h
The following table describes when EOP reporting and message trace data is available and for how long.
+<br>
+ **** |Report type|Data available for (look back period)|Latency|
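Review bot: The new heading "## Security reports in the Microsoft 365 defender portal" writes "defender" in lower case, while the list items added directly under it and the message trace link text write "Microsoft 365 Defender portal". Capitalize the heading to match, since anchors and cross-links are derived from it. The message trace link text now names the Defender portal but still targets `message-trace-scc.md`, so confirm that the target article was updated in the same change and that the link text matches its title.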
security Reports And Insights In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-If you are part of your organization's Microsoft for 365 for business security team and have the necessary [permissions assigned in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md), you can access a variety of reports, including smart reports and insights. Read this article to get an overview of these reports and insights, and where to go to learn more about specific reports.
+If you are part of your organization's Microsoft for 365 for business security team and have the necessary [permissions assigned in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md), you can access various reports, including smart reports and insights. Read this article to get an overview of these reports and insights, and where to go to learn more about specific reports.
## Smart reports and insights overview
In addition to highlighting problem areas, smart reports and insights include re
## Types of reports in the Security & Compliance Center
-A wide variety of reports are available in the Security & Compliance Center. (Go to **Reports** \> **Dashboard** to get an all-up view.) The following table lists available reports with links to learn more:
+A wide variety of reports are available in the Security & Compliance Center. (Go to **Reports** > **Security report** to get an all-up view.) The following table lists available reports with links to learn more:
<br>
A wide variety of reports are available in the Security & Compliance Center. (Go
|Type of information|How to get there|Where to go to learn more| ||||
-|**Security & Compliance Center reports** (all up) <p> Top insights and recommendations, and links to Security & Compliance reports, including data loss prevention reports, labels, email security reports, Defender for Office 365 reports, and more|In the Security & Compliance Center, go to **Reports** \> **Dashboard**||
+|**Microsoft 365 Defender reports** (all up) <p> Top insights and recommendations, and links to Microsoft 365 Defender reports, including data loss prevention reports, labels, email security reports, Defender for Office 365 reports, and more|In the Security & Compliance Center, go to **Reports** > **Email & collaboration** > **[Email & collaboration reports](https://security.microsoft.com/emailandcollabreport)**|[Monitor and view reports in the Microsoft 365 security center](../defender/overview-security-center.md)|
|**Data loss prevention** <p> Data loss prevention policy matches, false positives and overrides, and links to create or edit policies|In the Security & Compliance Center, go to **Data loss prevention** \> **Policy**|[View the reports for data loss prevention](../../compliance/view-the-dlp-reports.md)| |**Data governance** <p> Information about how labels are applied, labels classified as records, label trends, and more|In the Security & Compliance Center, go to **Information governance** \> **Dashboard**|[View the data governance reports](../../compliance/view-the-data-governance-reports.md)|
-|**Threat management dashboard** (this is also referred to as the Security dashboard) <p> Threat detections, malware trends, top targeted users, details about sent and received email messages, and more|In the Security & Compliance Center, go to **Threat management** \> **Dashboard**|[View reports for Defender for Office 365](view-reports-for-mdo.md)|
-|**Threat explorer** (also referred to as Explorer) or **Real-time detections** <p> Suspected malware detected in email and files in Microsoft 365|In the Security & Compliance Center, go to **Threat management** \> **Explorer** or **Real-time detections**<br> |[Threat Explorer (or real-time detections)](threat-explorer.md)|
-|**Defender for Office 365 and email security reports** <p> Email security and threat protection reports (including malware, spam, phishing, and spoofing reports)|In the Security & Compliance Center, go to **Reports** \> **Dashboard**|[View reports for Defender for Office 365](view-reports-for-mdo.md) <p> [View email security reports in the Security & Compliance Center](view-email-security-reports.md)|
+|**Threat management dashboard** (this is also referred to as the Security dashboard) <p> Threat detections, malware trends, top targeted users, details about sent and received email messages, and more|In the Security & Compliance Center, go to **Vulnerability Management** \> **Dashboard**|[View reports for Defender for Office 365](view-reports-for-mdo.md)|
+|**Explorer** (also referred to as Threat explorer) or **Real-time detections** <p> Suspected malware detected in email and files in Microsoft 365|In the Security & Compliance Center, go to **Vulnerability Management** \> **Explorer** or **Real-time detections**<br> |[Threat Explorer (or real-time detections)](threat-explorer.md)|
+|**Defender for Office 365 and email security reports** <p> Email security and threat protection reports (including malware, spam, phishing, and spoofing reports)|In the Security & Compliance Center, go to **Reports** > **Email & collaboration** > **[Email & collaboration reports](https://security.microsoft.com/emailandcollabreport)**|[View reports for Defender for Office 365](view-reports-for-mdo.md) <p> [View email security reports in the Security & Compliance Center](view-email-security-reports.md)|
|**Mail flow** <p> Information about sent and received email messages, recent alerts, top senders and recipients, email forwarding reports, and more|In the Security & Compliance Center, go to **Mail flow** \> **Dashboard** and **Reports** \> **Dashboard**|[Mail flow insights in the Security & Compliance Center](mail-flow-insights-v2.md) <p> [View mail flow reports in the Security & Compliance Center](view-mail-flow-reports.md)| |**GDPR compliance** <p> Information about GDPR compliance, including links to data subjects, label trends, and active & closed cases|In the Security & Compliance Center, go to **Data privacy** \> **GDPR dashboard**|[General Data Protection Regulation Summary](/compliance/regulatory/gdpr)| |**Audit log** <p> Information about Microsoft 365 activities, users, files or folders, and more|In the Security & Compliance Center, go to **Search & investigation** \> **Audit log search**|[Search the audit log in the Security & Compliance Center](../../compliance/search-the-audit-log-in-security-and-compliance.md)| |**Compliance reports** <p> FedRAMP reports, governance, risk and compliance reports, ISO information security management reports, and Service Organization Controls audit and assessment reports|In the Security & Compliance Center, go to **Service assurance** \> **Compliance reports**|[Plan for security & compliance in Office 365](../../compliance/plan-for-security-and-compliance.md)|
-|
## Related topics
-[Monitor and view reports in the Microsoft 365 Defender portal](../defender/overview-security-center.md)
+[Microsoft 365 Defender portal](../defender/overview-security-center.md)
-[Protect against threats in Office 365](protect-against-threats.md)
+[Protect against threats in Office 365](protect-against-threats.md)
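Review bot: The rewritten table rows for "Microsoft 365 Defender reports" and "Defender for Office 365 and email security reports" still begin with "In the Security & Compliance Center, go to" although the path and the link they give lead to security.microsoft.com. Name the portal that the path actually belongs to, and do the same in the section heading and intro sentence. Two other rows change the path from "**Threat management**" to "**Vulnerability Management**" while the row labels remain "Threat management dashboard" and "Explorer (also referred to as Threat explorer)". Please confirm that navigation against the portal, because it reads like an unintended replacement. The edited intro paragraph also keeps "Microsoft for 365 for business", and the added lines use a bare `>` where the rest of the table uses `\>`.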
security Responding To A Compromised Email Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account.md
ms.prod: m365-security
## What is a Compromised Email Account in Microsoft 365?
-Access to Microsoft 365 mailboxes, data and other services, is controlled through the use of credentials, for example a user name and password or PIN. When someone other than the intended user steals those credentials, the stolen credentials are considered to be compromised. With them the attacker can sign in as the original user and perform illicit actions.
+Access to Microsoft 365 mailboxes, data and other services, is controlled by using credentials, for example a user name and password or PIN. When someone other than the intended user steals those credentials, the stolen credentials are considered to be compromised. With them the attacker can sign in as the original user and perform illicit actions.
+ Using the stolen credentials, the attacker can access the user's Microsoft 365 mailbox, SharePoint folders, or files in the user's OneDrive. One action commonly seen is the attacker sending emails as the original user to recipients both inside and outside of the organization. When the attacker emails data to external recipients, this is called data exfiltration. ## Symptoms of a Compromised Microsoft Email Account
Using the stolen credentials, the attacker can access the user's Microsoft 365 m
Users might notice and report unusual activity in their Microsoft 365 mailboxes. Here are some common symptoms: - Suspicious activity, such as missing or deleted emails.- - Other users might receive emails from the compromised account without the corresponding email existing in the **Sent Items** folder of the sender.- - The presence of inbox rules that weren't created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the **Notes**, **Junk Email**, or **RSS Subscriptions** folders.- - The user's display name might be changed in the Global Address List.- - The user's mailbox is blocked from sending email.- - The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web (formerly known as Outlook Web App) contain common hacked-account messages, such as "I'm stuck in London, send money."- - Unusual profile changes, such as the name, the telephone number, or the postal code were updated.- - Unusual credential changes, such as multiple password changes are required.- - Mail forwarding was recently added.- - An unusual signature was recently added, such as a fake banking signature or a prescription drug signature.
-If a user reports any of the above symptoms, you should perform further investigation. The Microsoft 365 Security & Compliance Center and the Azure Portal offer tools to help you investigate the activity of a user account that you suspect may be compromised.
+If a user reports any of the above symptoms, you should perform further investigation. The [Microsoft 365 Defender](https://security.microsoft.com) and the Azure portal offer tools to help you investigate the activity of a user account that you suspect may be compromised.
-- **Unified Audit Logs in the Security & Compliance Center**: Review all the activities for the suspected account by filtering the results for the date range spanning from immediately before the suspicious activity occurred to the current date. Do not filter on the activities during the search.
+- **Unified audit logs in the Microsoft 365 Defender portal**: Review all the activities for the suspected account by filtering the results for the date range spanning from immediately before the suspicious activity occurred to the current date. Do not filter on the activities during the search.
-- **Admin Audit logs in the EAC**: In Exchange Online, you can use the Exchange admin center (EAC) to search for and view entries in the administrator audit log. The administrator audit log records specific actions, based on Exchange Online PowerShell cmdlets, performed by administrators and users who have been assigned administrative privileges. Entries in the administrator audit log provide you with information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected.
+- **Admin Audit logs in the EAC**: In Exchange Online, you can use the Exchange admin center (EAC) to search for and view entries in the administrator audit log. The administrator audit log records specific actions, based on Exchange Online PowerShell cmdlets, performed by administrators, and users who have been assigned administrative privileges. Entries in the administrator audit log provide you with information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected.
- **Azure AD Sign-in logs and other risk reports in the Azure AD portal**: Examine the values in these columns:- - Review IP address - sign-in locations - sign-in times
Follow the procedures in [Reset a business password for someone](../../admin/add
### Step 2 Remove suspicious email forwarding addresses
-1. Open the Microsoft 365 admin center at <https://admin.microsoft.com>
+1. Open the Microsoft 365 admin center at <https://admin.microsoft.com>.
2. Go to **Users** \> **Active users**. Find the user account in question, and select the user (row) without selecting the checkbox.
To unblock a mailbox from sending mail, follow the procedures in [Removing a use
> [!IMPORTANT] > You can block the suspected compromised account from signing-in until you believe it is safe to re-enable access.
-1. Open the Microsoft 365 admin center and go to **Users** \> **Active users**.
+1. Open the Microsoft 365 admin center at <https://admin.microsoft.com> and go to **Users** \> **Active users**.
2. Find and select the user account, click ![More icon](../../media/ITPro-EAC-MoreOptionsIcon.png), and then select **Edit sign-in status**. 3. On the **Block sign-in** pane that appears, select **Block this user from signing in**, and then click **Save changes**.
-4. Open the Exchange admin center (EAC) at <admin.protection.outlook.com/ecp/>, and go to **Recipients > Mailboxes**.
+4. Open the Exchange admin center (EAC) at <https://admin.exchange.microsoft.com>, and go to **Recipients** \> **Mailboxes**.
-5. Find and select the select the user. In the details pane, do the following steps:
+5. Find and select the user. In the mailbox details flyout that opens, do the following steps:
+ - In the **Email apps** section, block all of the available settings by moving the toggle to the right ![Disable](../../media/scc-toggle-on.png):
+ - **Outlook on the web**
+ - **Outlook desktop (MAPI)**
+ - **Exchange Web Services**
+ - **Mobile (Exchange ActiveSync)**
+ - **IMAP**
+ - **POP3**
- - In the **Phone and voice features** section, do the following steps:
-
- - Select **Disable Exchange ActiveSync** and then click **Yes** in the warning that appears.
- - Select **Disable OWA for Devices** and then click **Yes** in the warning that appears.
-
- - In the **Email Connectivity** section for Outlook on the web, click **Disable** and then click **Yes** in the warning that appears.
+ When you're finished, click **Save** and then click **Close**.
### Step 6 Optional: Remove the suspected compromised account from all administrative role groups > [!NOTE] > Administrative role group membership can be restored after the account has been secured.
-1. Sign in with a global administrator account:
-
-2. In the Microsoft 365 admin center, do the following steps:
-
+1. Open the Microsoft 365 admin center at <https://admin.microsoft.com> with a global administrator account and do the following steps:
1. Go to **Users** \> **Active users**. 2. Find and select the user account, click ![More icon](../../media/ITPro-EAC-MoreOptionsIcon.png), and then select **Manage roles**. 3. Remove any administrative roles that are assigned to the account. When you're finished, click **Save changes**.
-3. In the Security & Compliance Center at <https://protection.office.com>, do the following steps:
-
- Select **Permissions**, select each role group in the list and look for the user account in the **Members** section of the details flyout that appears. If the role group contains the user account, do the following steps:
-
- a. Click **Edit** next to **Members**.
- b. On the **Editing Choose members** flyout that appears, click **Edit**.
- c. In the **Choose members** flyout that appears, select the user account, and then click **Remove**. When you're finished, click **Done**, **Save**, and then **Close**.
+2. Open the Microsoft 365 Defender portal at <https://security.microsoft.com> and do the following steps:
+ 1. Go to **Permissions & roles** \> **Email & collaboration roles** \> **Roles**.
+ 2. On the **Permissions** page, select each role group in the list and look for the user account in the **Members** section of the details flyout that appears. If the role group contains the user account, do the following steps:
+ 1. In the **Members** section, click **Edit**.
+ 2. On the **Editing Choose members** flyout that appears, click **Edit**.
+ 3. On the **Choose members** flyout that appears, click **Remove**.
+ 4. In the flyout that appears, select the user account, and then click **Remove**.
-4. In the EAC at <admin.protection.outlook.com/ecp/>, do the following steps:
+ When you're finished, click **Done**, **Save**, and then **Close**.
- Select **Permissions**, manually select each role group, and in the details pane, verify the user accounts in the **Members** section. If the role group contains the user account, do the following steps:
+3. Open the EAC at <https://admin.exchange.microsoft.com> and do the following steps:
+ 1. Select **Roles** \> **Admin roles**.
+ 2. On the **Admin roles** page, manually select each role group, and in the details pane, select the **Assigned** tab to verify the user accounts. If the role group contains the user account, do the following steps:
+ 1. Select the user account.
+ 2. Click the ![Delete icon](../../media/m365-cc-sc-delete-icon.png).
- a. Select the role group, click **Edit** ![Edit icon](../../media/ITPro-EAC-EditIcon.png).
- b. In the **Member** section, select the user account, and then click **Remove** ![Remove icon](../../media/ITPro-EAC-RemoveIcon.gif). When you're finished, click **Save**.
+ When you're finished, click **Save**.
### Step 7 Optional: Additional precautionary steps
To unblock a mailbox from sending mail, follow the procedures in [Removing a use
Your Microsoft 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the [Microsoft 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond](security-roadmap.md) to implement Microsoft recommended best practices for securing your Microsoft 365 tenant. -- Tasks to accomplish in the first 30 days. These have immediate affect and are low-impact to your users.-
+- Tasks to accomplish in the first 30 days. These have immediate affect and are low-impact to your users.
- Tasks to accomplish in 90 days. These take a bit more time to plan and implement but greatly improve your security posture.- - Beyond 90 days. These enhancements build in your first 90 days work. ## See also - [Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Microsoft 365](detect-and-remediate-outlook-rules-forms-attack.md)- - [Internet Crime Complaint Center](https://www.ic3.gov/Home/Ransomware)- - [Securities and Exchange Commission - "Phishing" Fraud](https://www.sec.gov/investor/pubs/phishing.htm)--- To report spam email directly to Microsoft and your admin [Use the Report Message add-in](https://support.microsoft.com/office/b5caa9f1-cdf3-4443-af8c-ff724ea719d2)
+- To report spam email directly to Microsoft and your admin [Use the Report Message add-in](https://support.microsoft.com/office/b5caa9f1-cdf3-4443-af8c-ff724ea719d2)
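Review bot: In the new **Email apps** step, the responder is told to block each protocol "by moving the toggle to the right", yet the image shown is `scc-toggle-on.png` with the alt text "Disable". State the required end state in words (for example, that each of the six listed protocols must show as blocked before clicking **Save**), so that a responder working a live compromise cannot misread the toggle and leave IMAP, POP3 or Exchange Web Services open. Smaller points in the same file: "The [Microsoft 365 Defender](https://security.microsoft.com) and the Azure portal" is missing the word "portal", the comma added in "performed by administrators, and users who have been assigned administrative privileges" splits the subject, and the touched bullet still reads "immediate affect" where "effect" is meant.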
security Safe Attachments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments.md
The following table describes scenarios for Safe Attachments in Microsoft 365 an
Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides. For more information about datacenter geography, see [Where is your data located?](https://products.office.com/where-is-your-data-located?geo=All) > [!NOTE]
-> The following features are located in the global settings of Safe Attachments policies in the Security & Compliance Center. But, these settings are enabled or disabled globally, and don't require Safe Attachments policies:
+> The following features are located in the global settings of Safe Attachments policies in the Microsoft 365 Defender portal. But, these settings are enabled or disabled globally, and don't require Safe Attachments policies:
> > - [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md). > - [Safe Documents in Microsoft 365 E5](safe-docs.md)
This section describes the settings in Safe Attachments policies:
|||| |**Off**|Attachments aren't scanned for malware by Safe Attachments. Messages are still scanned for malware by [anti-malware protection in EOP](anti-malware-protection.md).|Turn scanning off for selected recipients. <p> Prevent unnecessary delays in routing internal mail. <p> **This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders.**| |**Monitor**|Delivers messages with attachments and then tracks what happens with detected malware. <p> Delivery of safe messages might be delayed due to Safe Attachments scanning.|See where detected malware goes in your organization.|
- |**Block**|Prevents messages with detected malware attachments from being delivered. <p> Messages are [quarantined](manage-quarantined-messages-and-files.md) where only admins (not end-users) can review, release, or delete the messages. <p> Automatically blocks future instances of the messages and attachments. <p> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Protects your organization from repeated attacks using the same malware attachments. <p> This is the default value, and the recommended value in Standard and Strict [preset security policies](preset-security-policies.md).|
- |**Replace**|Removes detected malware attachments. <p> Notifies recipients that attachments have been removed. <p> Messages are [quarantined](manage-quarantined-messages-and-files.md) where only admins (not end-users) can review, release, or delete the messages. <p> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Raise visibility to recipients that attachments were removed because of detected malware.|
+ |**Block**|Prevents messages with detected malware attachments from being delivered. <p> Messages are [quarantined](manage-quarantined-messages-and-files.md) where only admins (not users) can review, release, or delete the messages. <p> Automatically blocks future instances of the messages and attachments. <p> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Protects your organization from repeated attacks using the same malware attachments. <p> This is the default value, and the recommended value in Standard and Strict [preset security policies](preset-security-policies.md).|
+ |**Replace**|Removes detected malware attachments. <p> Notifies recipients that attachments have been removed. <p> Messages are [quarantined](manage-quarantined-messages-and-files.md) where only admins (not users) can review, release, or delete the messages. <p> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Raise visibility to recipients that attachments were removed because of detected malware.|
|**Dynamic Delivery**|Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. <p> For details, see the [Dynamic Delivery in Safe Attachments policies](#dynamic-delivery-in-safe-attachments-policies) section later in this article.|Avoid message delays while protecting recipients from malicious files. <p> Enable recipients to preview attachments in safe mode while scanning is taking place.| |
This section describes the settings in Safe Attachments policies:
The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.
-If an attachment is found to be malicious, the message is quarantined. Only admins (not end-users) can review, release, or delete messages that were quarantined by Safe Attachments scanning. For more information, see [Manage quarantined messages and files as an admin](manage-quarantined-messages-and-files.md).
+If an attachment is found to be malicious, the message is quarantined. Only admins (not users) can review, release, or delete messages that were quarantined by Safe Attachments scanning. For more information, see [Manage quarantined messages and files as an admin](manage-quarantined-messages-and-files.md).
Most PDFs and Office documents can be previewed in safe mode while Safe Attachments scanning is underway. If an attachment is not compatible with the Dynamic Delivery previewer, the recipients will see a placeholder for the attachment until Safe Attachments scanning is complete.
security Safe Docs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-docs.md
Safe Documents is a feature in Microsoft 365 E5 or Microsoft 365 E5 Security tha
- Safe Documents is supported in Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus) version 2004 or later. -- You open the Security & Compliance Center at <https://protection.office.com>. To go directly to the **ATP Safe Attachments** page, open <https://protection.office.com/safeattachmentv2>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). -- You need to be assigned permissions in **Exchange Online** before you can do the procedures in this article:
+- You need permissions in **Exchange Online** before you can do the procedures in this article:
- To configure Safe Documents settings, you need to be a member of the **Organization Management** or **Security Administrator** role groups. - For read-only access to Safe Documents settings, you need to be a member of the **Global Reader** or **Security Reader** role groups.
To keep you protected, Safe Documents sends files to the [Microsoft Defender for
Files sent by Safe Documents are not retained in Defender beyond the time needed for analysis (typically, less than 24 hours).
-## Use the Security & Compliance Center to configure Safe Documents
+## Use the Microsoft 365 Defender to configure Safe Documents
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**, and then click **Global settings**.
+1. Open the Microsoft 365 Defender portal and go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
-2. In the **Global settings** fly out that appears, configure the following settings:
+2. On the **Safe Attachments** page, click **Global settings**.
+3. In the **Global settings** fly out that appears, configure the following settings:
- **Turn on Safe Documents for Office clients**: Move the toggle to the right to turn on the feature: ![Toggle on](../../media/scc-toggle-on.png).-
- - **Allow people to click through Protected View even if Safe Documents identifies the file as malicious**: We recommend that you leave this option turned off (leave the toggle to the left: ![Toggle off](../../media/scc-toggle-off.png)).
+ - **Allow people to click through Protected View even if Safe Documents identified the file as malicious**: We recommend that you leave this option turned off (leave the toggle to the left: ![Toggle off](../../media/scc-toggle-off.png)).
When you're finished, click **Save**.
- ![Safe Documents settings after selecting Global settings on the Safe Attachments page.](../../media/safe-docs.png)
+ ![Safe Documents settings after selecting Global settings on the Safe Attachments page.](../../media/safe-docs-global-settings.png)
### Use Exchange Online PowerShell to configure Safe Documents
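Review bot: the added heading "## Use the Microsoft 365 Defender to configure Safe Documents" is missing the word "portal". The steps added under it and the rest of this change say "Microsoft 365 Defender portal", so the heading should read "## Use the Microsoft 365 Defender portal to configure Safe Documents".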
For detailed syntax and parameter information, see [Set-AtpPolicyForO365](/power
### Onboard to the Microsoft Defender for Endpoint Service to enable auditing capabilities
-To deploy Microsoft Defender for Endpoint, you need to go through the various phases of deployment. After onboarding, you can configure auditing capabilities in the Security & Compliance Center.
+To deploy Microsoft Defender for Endpoint, you need to go through the various phases of deployment. After onboarding, you can configure auditing capabilities in the Microsoft 365 Defender portal.
-To learn more, see [Onboard to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/onboarding). If you need additional help, please refer to [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding).
+To learn more, see [Onboard to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/onboarding). If you need additional help, refer to [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding).
### How do I know this worked? To verify that you've enabled and configured Safe Documents, do any of the following steps: -- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**, click **Global settings**, and verify the **Turn on Safe Documents for Office clients** and **Allow people to click through Protected View even if Safe Documents identifies the file as malicious** settings.
+- In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments** \> **Global settings**, and verify the **Turn on Safe Documents for Office clients** and **Allow people to click through Protected View even if Safe Documents identifies the file as malicious** settings.
- Run the following command in Exchange Online PowerShell and verify the property values:
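Review bot: the added verification bullet still names the setting "Allow people to click through Protected View even if Safe Documents identifies the file as malicious", while the configuration step changed earlier in this file renames it to "identified". Use one spelling of the label in both places so the verification step matches the toggle the admin was told to leave off.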
security Security Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-dashboard.md
ms.technology: mdo
ms.prod: m365-security
-# Security Dashboard
+# Security dashboard in the Security & Compliance Center
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
-## Basic functions and how to open Security Dashboard
+## Basic functions and how to open Security dashboard
-The [Security & Compliance Center](../../compliance/microsoft-365-compliance-center.md) enables your organization to manage data protection and compliance. Assuming you have the necessary permissions, the Security Dashboard enables you to review your Threat Protection Status, as well as view and act on security alerts.
+The Security & Compliance Center at <https://protection.office.com> enables your organization to manage data protection and compliance. Assuming you have the necessary permissions, the Security Dashboard enables you to review your Threat Protection Status, as well as view and act on security alerts.
Watch the video to get an overview, and then read this article to learn more.
Watch the video to get an overview, and then read this article to learn more.
Depending on what your organization's subscription includes, the Security Dashboard includes several widgets, such as Threat Management Summary, Threat Protection Status, Global Weekly Threat Detections, Malware, and more, as described in the following sections.
-To view the Security Dashboard, in the [Security & Compliance Center](../../compliance/microsoft-365-compliance-center.md), go to **Threat management** \> **Dashboard**.
+To view the Security Dashboard in the Security & Compliance Center, go to go to **Threat management** \> **Dashboard**. To go directly to the Security dashboard, use <https://protection.office.com/searchandinvestigation/dashboard>.
> [!NOTE]
-> You must be a global administrator, a security administrator, or a security reader to view the Security Dashboard. Some widgets require additional permissions to view. To learn more, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+> You must be a global administrator, a security administrator, or a security reader to view the Security Dashboard. Some widgets require additional permissions to view. To learn more, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)[.
## Threat Management Summary
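Review bot: two typos are introduced in the added lines of this hunk. "go to go to **Threat management**" repeats "go to", and the NOTE now ends with a stray "[" after the permissions link ("...center.md)[."), which will render as a literal bracket. Drop the duplicate words and the bracket. The new title and H2 also use "Security dashboard" while the unchanged body text keeps "Security Dashboard"; pick one casing.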
The Threat Management Summary widget tells you at a glance how your organization
![Security Dashboard - Threat Management Summary widget](../../media/SecDash-ThreatMgmtSummary.png)
-The information you'll see in the Threat Management Summary depends on what you subscription includes. The following table describes what information is included for Office 365 E3 and Office 365 E5.
+The information you'll see in the Threat Management Summary depends on what your subscription includes. The following table describes what information is included for Office 365 E3 and Office 365 E5.
+
+<br>
+
+****
|Office 365 E3|Office 365 E5| ||| |Malware messages blocked<br>Phishing messages blocked<br>Messages reported by users<br><br><br><br>|Malware messages blocked<br>Phishing messages blocked<br>Messages reported by users<br>Zero-day malware blocked<br>Advanced phishing messages detected<br>Malicious URLs blocked|
+|
To view or access the Threat Management Summary widget, you must have permissions to view Defender for Office 365 reports. To learn more, see [What permissions are needed to view the Defender for Office 365 reports?](view-reports-for-mdo.md#what-permissions-are-needed-to-view-the-defender-for-office-365-reports).
The Threat Protection Status widget shows threat protection effectiveness with a
The details depend on whether your Microsoft 365 subscription includes [Exchange Online Protection](exchange-online-protection-overview.md) (EOP) with or without [Microsoft Defender for Office 365](defender-for-office-365.md).
+<br>
+
+****
+ |If your subscription includes...|You'll see these details| ||| |EOP but not Microsoft Defender for Office 365|Malicious email that was detected and blocked by EOP.<p> See [Threat Protection Status report (EOP)](view-email-security-reports.md#threat-protection-status-report).| |Microsoft Defender for Office 365|Malicious content and malicious email detected and blocked by EOP and Defender for Office 365 <p> Aggregated count of unique email messages with malicious content blocked by the anti-malware engine, [zero-hour auto purge](zero-hour-auto-purge.md), and Defender for Office 365 features (including [Safe Links](safe-links.md), [Safe Attachments](safe-attachments.md), and [Anti-phishing in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)). <p> See [Threat protection status report](view-reports-for-mdo.md#threat-protection-status-report).|
+|
To view or access the Threat Protection Status widget, you must have permissions to view Defender for Office 365 reports. To learn more, see [What permissions are needed to view the Defender for Office 365 reports?](view-reports-for-mdo.md#what-permissions-are-needed-to-view-the-defender-for-office-365-reports)
The Global Weekly Threat Detections widget shows how many threats were detected
The metrics are calculated as described in the following table:
+<br>
+
+****
+ |Metric|How it's calculated| ||| |Messages scanned|Number of email messages scanned multiplied by the number of recipients| |Threats stopped|Number of email messages identified as containing malware multiplied by the number of recipients| |Blocked by [Defender for Office 365](defender-for-office-365.md)|Number of email messages blocked by Defender for Office 365 multiplied by the number of recipients| |Removed after delivery|Number of messages removed by [zero-hour auto purge](zero-hour-auto-purge.md) multiplied by the number of recipients|
+|
## Malware
For example, you might see that phishing email messages are being delivered beca
## Threat investigation and response
-If your organization's subscription includes [Microsoft Defender for Office 365 Plan 2](office-365-ti.md), your Security Dashboard has a section that includes advanced threat investigation and response tools. These tools include [automated investigation and response capabilities](automated-investigation-response-office.md). Automated investigation and response can be helpful in scenarios such as [addressing compromised user accounts quickly](address-compromised-users-quickly.md).
+If your organization's subscription includes [Microsoft Defender for Office 365 Plan 2](office-365-ti.md), your Security Dashboard has a section that includes advanced threat investigation and response tools. These tools include [automated investigation and response capabilities](automated-investigation-response-office.md). Automated investigation and response can be helpful in scenarios such as [addressing compromised user accounts quickly](address-compromised-users-quickly.md).
To learn more, see [Get started using Automated investigation and response (AIR) in Office 365](office-365-air.md).
To view or access the Sent and Received Email widget, you must have permissions
To view or access the Recent Threat Management Alerts widget, you must have permissions to view alerts. To learn more, see [RBAC permissions required to view alerts](../../compliance/alert-policies.md#rbac-permissions-required-to-view-alerts).
-## Related topics
+## Related articles
[View email security reports in the Security & Compliance Center](view-email-security-reports.md)
To view or access the Recent Threat Management Alerts widget, you must have perm
[Defender for Office 365](defender-for-office-365.md)
-[Office 365 Threat investigation and response](office-365-ti.md)
+[Office 365 Threat investigation and response](office-365-ti.md)
security Security Recommendations For Priority Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts.md
Microsoft 365 and Microsoft Defender for Office 365 contain several key features
![Summary of the security recommendations in icon form](../../media/security-recommendations-for-priority-users.png)
+<br>
+ **** |Task|All Office 365 Enterprise plans|Microsoft 365 E3|Microsoft 365 E5|
For instructions, see [Step 1. Increase sign-in security for remote workers with
- You can use [authentication policies](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online) and [Client Access Rules](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) in Exchange Online to block or allow Basic authentication and legacy authentication protocols like POP3, IMAP4, and authenticated SMTP for specific users. -- You can disable POP3 and IMAP4 access on individual mailboxes. You can disable authenticated SMTP at the organizational level and enable it on specific mailboxes that still require it. For instructions, see the following topics:
+- You can disable POP3 and IMAP4 access on individual mailboxes. You can disable authenticated SMTP at the organizational level and enable it on specific mailboxes that still require it. For instructions, see the following articles:
- [Enable or Disable POP3 or IMAP4 access for a user](/exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access) - [Enable or disable authenticated client SMTP submission (SMTP AUTH)](/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission)
You can implement this stringent approach for priority accounts by using the Str
Preset security policies are a convenient and central location to apply our recommended Strict policy settings for all of the protections in EOP and Defender for Office 365. For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).
-For details about how the Strict policy settings differ from the the default and Standard policy settings, see [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+For details about how the Strict policy settings differ from the default and Standard policy settings, see [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
## Apply user tags to priority accounts
User tags in Microsoft Defender for Office 365 Plan 2 (as part of Microsoft 365
**Priority accounts** is a type of built-in user tag (known as a _system tag_) that you can use to identify incidents and alerts that involve priority accounts. For more information about **priority accounts**, see [Manage and monitor priority accounts](../../admin/setup/priority-accounts.md).
-You can also create custom tags to further identify and classify your priority accounts. For more information, see [User tags](user-tags.md). Note that you can manage **priority accounts** (system tags) in the same interface as custom user tags.
+You can also create custom tags to further identify and classify your priority accounts. For more information, see [User tags](user-tags.md). You can manage **priority accounts** (system tags) in the same interface as custom user tags.
## Monitor priority accounts in alerts, reports, and detections
After you secure and tag your priority users, you can use the available reports,
|Feature|Description| |||
-|Alerts|The user tags of affected users are visible and available as filters on the **View alerts** page in the Security & Compliance Center. For more information, see [Viewing alerts](../../compliance/alert-policies.md#viewing-alerts).|
-|Threat Explorer <p> Real-time detections|In **Threat Explorer** (Microsoft Defender for Office 365 Plan 2) or **Real-time detections** (Microsoft Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see [Tags in Threat Explorer](threat-explorer.md#tags-in-threat-explorer).|
+|Alerts|The user tags of affected users are visible and available as filters on the **Alerts** page in the Microsoft 365 Defender portal. For more information, see [Viewing alerts](../../compliance/alert-policies.md#viewing-alerts).|
+|Explorer <p> Real-time detections|In **Explorer** (Defender for Office 365 Plan 2) or **Real-time detections** (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see [Tags in Explorer](threat-explorer.md#tags-in-threat-explorer).|
|Campaign Views|User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see [Campaign Views](campaigns.md).| |Threat protection status report|In virtually all of the views and detail tables in the **Threat protection status report**, you can filter the results by **priority accounts**. For more information, see [Threat protection status report](view-email-security-reports.md#threat-protection-status-report).| |Email issues for priority accounts report|The **Email issues for priority accounts** report in the Exchange admin center (EAC) contains information about undelivered and delayed messages for **priority accounts**. For more information, see [Email issues for priority accounts report](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report).|
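Review bot: the Alerts row now sends readers to the **Alerts** page in the Microsoft 365 Defender portal, but its link is unchanged and still targets ../../compliance/alert-policies.md#viewing-alerts. Check that the linked section describes the page named in the row, or retarget the link. Likewise, the renamed "Tags in Explorer" link keeps the anchor #tags-in-threat-explorer, which only resolves if the heading in threat-explorer.md is not renamed in the same pass.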
In addition, Microsoft recommends that users take the actions described in this
## See also
-[Announcing Priority Account Protection in Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/announcing-priority-account-protection-in-microsoft-defender-for/ba-p/1696385)
+[Announcing Priority Account Protection in Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/announcing-priority-account-protection-in-microsoft-defender-for/ba-p/1696385)
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
ms.prod: m365-security
Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations.
-Anti-phishing policies in Microsoft Defender for Office 365 are only available in organizations that have Defender for Office 365. For example:
+Examples of Microsoft Defender for Office 365 organizations include:
- Microsoft 365 Enterprise E5, Microsoft 365 Education A5, etc. - [Microsoft 365 Enterprise](https://www.microsoft.com/microsoft-365/enterprise/home) - [Microsoft 365 Business](https://www.microsoft.com/microsoft-365/business) - [Microsoft Defender for Office 365 as an add-on](https://products.office.com/exchange/advance-threat-protection)
-The high-level differences between anti-phishing policies in EOP and anti-phishing policies in Microsoft Defender for Office 365 are described in the following table:
+The high-level differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365 are described in the following table:
+
+<br>
****
-|Feature|Anti-phishing policies in EOP|Anti-phishing policies in Microsoft Defender for Office 365|
+|Feature|Anti-phishing policies in EOP|Anti-phishing policies in Defender for Office 365|
||::|::| |Automatically created default policy|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)| |Create custom policies|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
-|Policy settings<sup>\*</sup>|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
-|Impersonation settings||![Check mark](../../media/checkmark.png)|
+|Common policy settings<sup>\*</sup>|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
|Spoof settings|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
+|First contact safety tip|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
+|Impersonation settings||![Check mark](../../media/checkmark.png)|
|Advanced phishing thresholds||![Check mark](../../media/checkmark.png)| |
-<sup>\*</sup> In the default policy, the policy name and description are read-only (the description is blank), and you can't specify who the policy applies to (the default policy applies to all recipients).
+<sup>\*</sup> In the default policy, the policy name, and description are read-only (the description is blank), and you can't specify who the policy applies to (the default policy applies to all recipients).
To configure anti-phishing policies, see the following articles: - [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md)- - [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md) The rest of this article describes the settings that are available in anti-phishing policies in EOP and Defender for Office 365.
-## Policy settings
+## Common policy settings
-The following policy settings are available in anti-phishing policies in EOP and Microsoft Defender for Office 365:
+The following policy settings are available in anti-phishing policies in EOP and Defender for Office 365:
-- **Name**: You can't rename the default anti-phishing policy. After you create a custom anti-phishing policy, you can't rename the policy in the Security & Compliance Center.
+- **Name**: You can't rename the default anti-phishing policy. After you create a custom anti-phishing policy, you can't rename the policy in the Microsoft 365 Defender portal.
- **Description** You can't add a description to the default anti-phishing policy, but you can add and change the description for custom policies that you create. -- **Applied to**: Identifies internal recipients that the anti-phishing policy applies to. This value is required in custom policies, and not available in the default policy (the default policy applies to all recipients).
+- **Users, groups, and domains**: Identifies internal recipients that the anti-phishing policy applies to. This value is required in custom policies, and not available in the default policy (the default policy applies to all recipients).
You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
- - **Recipient is**: One or more mailboxes, mail users, or mail contacts in your organization.
- - **Recipient is a member of**: One or more groups in your organization.
- - **The recipient domain is**: One or more of the configured accepted domains in Microsoft 365.
-
- - **Except when**: Exceptions for the rule. The settings and behavior are exactly like the conditions:
+ - **Users**: One or more mailboxes, mail users, or mail contacts in your organization.
+ - **Groups**: One or more groups in your organization.
+ - **Domains**: One or more of the configured [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in Microsoft 365.
- - **Recipient is**
- - **Recipient is a member of**
- - **The recipient domain is**
+ - **Exclude these users, groups, and domains**: Exceptions for the policy. The settings and behavior are exactly like the conditions:
+ - **Users**
+ - **Groups**
+ - **Domains**
> [!NOTE]
- > The **Applied to** setting is required in custom anti-phishing policies to identify the message **recipients** <u>that the policy applies to</u>. Anti-phishing policies in Microsoft Defender for Office 365 also have [impersonation settings](#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) where you can specify individual sender email addresses or sender domains <u>that will receive impersonation protection</u> as described later in this article.
+ > At least one selection in the **Users, groups, and domains** settings is required in custom anti-phishing policies to identify the message **recipients** <u>that the policy applies to</u>. Anti-phishing policies in Defender for Office 365 also have [impersonation settings](#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) where you can specify individual sender email addresses or sender domains <u>that will receive impersonation protection</u> as described later in this article.
## Spoof settings Spoofing is when the From address in an email message (the sender address that's shown in email clients) doesn't match the domain of the email source. For more information about spoofing, see [Anti-spoofing protection in Microsoft 365](anti-spoofing-protection.md).
-The following spoof settings are available in anti-phishing policies in EOP and Microsoft Defender for Office 365:
+The following spoof settings are available in anti-phishing policies in EOP and Defender for Office 365:
-- **Enable spoof intelligence?**: Turns spoof intelligence on or off. We recommend that you leave it turned on.
+- **Enable spoof intelligence**: Turns spoof intelligence on or off. We recommend that you leave it turned on.
- When spoof intelligence is enabled, the **spoof intelligence insight** shows spoofed senders that were automatically detected and allowed or blocked by spoof intelligence. You can manually override the spoof intelligence verdict to allow or block the detected spoofed senders from within the insight. But when you do, the spoofed sender disappears from the spoof intelligence insight, and is now visible only on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders in the Tenant Allow/Block List. For more information, see the following topics:
+ When spoof intelligence is enabled, the **spoof intelligence insight** shows spoofed senders that were automatically detected and allowed or blocked by spoof intelligence. You can manually override the spoof intelligence verdict to allow or block the detected spoofed senders from within the insight. But when you do, the spoofed sender disappears from the spoof intelligence insight, and is now visible only on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders in the Tenant Allow/Block List. For more information, see the following articles:
- [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md) - [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list.md)
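Review bot: the footnote line now reads "the policy name, and description are read-only"; the added comma splits a two-item subject and should be removed. Separately, replacing "Anti-phishing policies in Microsoft Defender for Office 365 are only available in organizations that have Defender for Office 365" with "Examples of Microsoft Defender for Office 365 organizations include:" drops the explicit licensing statement, leaving the comparison table as the only place a reader learns that impersonation settings and advanced phishing thresholds require Defender for Office 365. Consider keeping one sentence that says so.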
The following spoof settings are available in anti-phishing policies in EOP and
> [!NOTE] > > - Anti-spoofing protection is enabled by default in the default anti-phishing policy and in any new custom anti-phishing policies that you create.
- >
> - You don't need to disable anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
- >
- > - Disabling anti-spoofing protection only disables implicit spoofing protection from [composite authentication](email-validation-and-authentication.md#composite-authentication) checks. If the sender fails explicit [DMARC](use-dmarc-to-validate-email.md) checks where the policy is set to quarantine or reject, the message is still quarantined or rejected.
--- **Unauthenticated sender settings**: See the information in the next section.
+ > - Disabling anti-spoofing protection only disables _implicit_ spoofing protection from [composite authentication](email-validation-and-authentication.md#composite-authentication) checks. If the sender fails _explicit_ [DMARC](use-dmarc-to-validate-email.md) checks where the policy is set to quarantine or reject, the message is still quarantined or rejected.
+- **Unauthenticated sender notifications**: These notifications are available only when spoof intelligence is turned on. See the information in the next section.
- **Actions**: For messages from blocked spoofed senders (automatically blocked by spoof intelligence or manually blocked in the Tenant Allow/Block list), you can also specify the action to take on the messages:- - **Move messages to the recipients' Junk Email folders**: This is the default value. The message is delivered to the mailbox and moved to the Junk Email folder. In Exchange Online, the message is moved to the Junk Email folder if the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).- - **Quarantine the message**: Sends the message to quarantine instead of the intended recipients. For information about quarantine, see the following articles:- - [Quarantine in Microsoft 365](quarantine-email-messages.md) - [Manage quarantined messages and files as an admin in Microsoft 365](manage-quarantined-messages-and-files.md) - [Find and release quarantined messages as a user in Microsoft 365](find-and-release-quarantined-messages-as-a-user.md) ### Unauthenticated sender
-Unauthenticated sender settings are part of the [Spoof settings](#spoof-settings) that are available in anti-phishing policies in EOP and Microsoft Defender for Office 365 as described in the previous section.
+The unauthenticated sender notifications are part of the [Spoof settings](#spoof-settings) that are available in anti-phishing policies in EOP and Defender for Office 365 as described in the previous section. The following settings are available only when spoof intelligence is turned on:
-- **Enable unauthenticated sender question mark (?) symbol?**: When this setting is turned on, a question mark is added to the sender's photo in the From box if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication). When this setting is turned off, the question mark isn't added to the sender's photo.
+- **Show (?) for unauthenticated senders for spoof**: This notification adds a question mark is added to the sender's photo in the From box if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication). When this setting is turned off, the question mark isn't added to the sender's photo.
-- **Enable "via" tag?**<sup>\*</sup>: When this setting is turned on, the via tag (chris@contoso.com <u>via</u> fabrikam.com) is added in the From box if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the **MAIL FROM** address. For more information about these addresses, see [An overview of email message standards](how-office-365-validates-the-from-address.md#an-overview-of-email-message-standards).
+- **Show "via" tag?**: This notification adds the via tag (chris@contoso.com <u>via</u> fabrikam.com) in the From box if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the **MAIL FROM** address. For more information about these addresses, see [An overview of email message standards](how-office-365-validates-the-from-address.md#an-overview-of-email-message-standards).
To prevent the question mark or via tag from being added to messages from specific senders, you have the following options: - Allow the spoofed sender in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually in the [Tenant Allow/Block List](tenant-allow-block-list.md). Allowing the spoofed sender will prevent the via tag from appearing in messages from the sender when unauthenticated sender identification is disabled.- - [Configure email authentication](email-validation-and-authentication.md#configure-email-authentication-for-domains-you-own) for the sender domain. - For the question mark in the sender's photo, SPF or DKIM are the most important. - For the via tag, confirm the domain in the DKIM signature or the **MAIL FROM** address matches (or is a subdomain of) the domain in the From address. For more information, see [Identify suspicious messages in Outlook.com and Outlook on the web](https://support.microsoft.com/office/3d44102b-6ce3-4f7c-a359-b623bec82206)
+## First contact safety tip
+
+The **Show first contact safety tip** settings is available in EOP and Defender for Office 365 organizations, and has no dependency on spoof intelligence or impersonation protection settings. The safety tip is shown to recipients in the following scenarios:
+
+- The first time they get a message from a sender
+- If they don't often get messages from the sender.
+
+![The text of the safety tip for impersonation protection with multiple recipients.](../../media/safety-tip-first-contact-multiple-recipients.png)
+
+This capability adds an extra layer of security protection against potential impersonation attacks, so we recommend that you turn it on.
+
+The first contact safety tip also replaces the need to create mail flow rules (also known as transport rules) that add the header named **X-MS-Exchange-EnableFirstContactSafetyTip** with the value **Enable** to messages (although this capability is still available).
+ ## Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365
-This section describes the policy settings that are only available in anti-phishing policies in Microsoft Defender for Office 365.
+This section describes the policy settings that are only available in anti-phishing policies in Defender for Office 365.
> [!NOTE]
-> The default anti-phishing policy in Microsoft Defender for Office 365 provides [spoof protection](set-up-anti-phishing-policies.md#spoof-settings) and mailbox intelligence for all recipients. However, the other available [impersonation protection](#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) features and [advanced settings](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365) are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.
+> The default anti-phishing policy in Defender for Office 365 provides [spoof protection](set-up-anti-phishing-policies.md#spoof-settings) and mailbox intelligence for all recipients. However, the other available [impersonation protection](#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) features and [advanced settings](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365) are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.
### Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
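Review bot: The added bullet for **Show (?) for unauthenticated senders for spoof** contains a sentence left garbled by the rewording: "This notification adds a question mark is added to the sender's photo" should read "This notification adds a question mark to the sender's photo". The same bullet still ends with "When this setting is turned off", which no longer matches the "notification" wording used in the rest of the renamed section. In the new First contact safety tip section, "The **Show first contact safety tip** settings is available" needs "setting is". The renamed **Show "via" tag?** label also keeps a trailing question mark that the other renamed label dropped, so confirm it matches the portal text.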
Impersonation is where the sender or the sender's email domain in a message look
An impersonated domain might otherwise be considered legitimate (registered domain, configured email authentication records, etc.), except its intent is to deceive recipients.
-The following impersonation settings are only available in anti-phishing policies in Microsoft Defender for Office 365:
+The following impersonation settings are only available in anti-phishing policies in Defender for Office 365:
-- **Add users to protect**: Prevents the specified internal or external email addresses from being impersonated **as message senders**. For example, you receive an email message from the Vice President of your company asking you to send her some internal company information. Would you do it? Many people would send the reply without thinking.
+- **Enable users to protect**: Prevents the specified internal or external email addresses from being impersonated **as message senders**. For example, you receive an email message from the Vice President of your company asking you to send her some internal company information. Would you do it? Many people would send the reply without thinking.
- You can use protected users to add internal and external sender email addresses to protect from impersonation. This list of **senders** that are protected from user impersonation is different from the list of **recipients** that the policy applies to (all recipients for the default policy; specific recipients as configured in the **Applied to** setting in the [Policy settings](#policy-settings) section).
+ You can use protected users to add internal and external sender email addresses to protect from impersonation. This list of **senders** that are protected from user impersonation is different from the list of **recipients** that the policy applies to (all recipients for the default policy; specific recipients as configured in the **Users, groups, and domains** setting in the [Common policy settings](#common-policy-settings) section).
> [!NOTE] > > - In each anti-phishing policy, you can specify a maximum of 60 protected users (sender email addresses). You can't specify the same protected user in multiple policies. So, regardless of how many policies apply to a recipient, the maximum number of protected users (sender email addresses) for each individual recipient is 60. For more information about policy priority and how policy processing stops after the first policy is applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
- >
> - User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt. By default, no sender email addresses are configured for impersonation protection in **Users to protect**. Therefore, by default, no sender email addresses are covered by impersonation protection, either in the default policy or in custom policies.
- When you add internal or external email addresses to the **Users to protect** list, messages from those **senders** are subject to impersonation protection checks. The message is checked for impersonation **if** the message is sent to a **recipient** that the policy applies to (all recipients for the default policy; **Applied to** recipients in custom policies). If impersonation is detected in the sender's email address, the impersonation protections actions for users are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).
+ When you add internal or external email addresses to the **Users to protect** list, messages from those **senders** are subject to impersonation protection checks. The message is checked for impersonation **if** the message is sent to a **recipient** that the policy applies to (all recipients for the default policy; **Users, groups, and domains** recipients in custom policies). If impersonation is detected in the sender's email address, the impersonation protections actions for users are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).
-- **Add domains to protect**: Prevents the specified domains from being impersonated **in the message sender's domain**. For example, all domains that you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)) or specific domains (domains you own or partner domains). This list of **sender domains** that are protected from impersonation is different from the list of **recipients** that the policy applies to (all recipients for the default policy; specific recipients as configured in the **Applied to** setting in the [Policy settings](#policy-settings) section).
+- **Enable domains to protect**: Prevents the specified domains from being impersonated **in the message sender's domain**. For example, all domains that you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)) or specific custom domains (domains you own or partner domains). This list of **sender domains** that are protected from impersonation is different from the list of **recipients** that the policy applies to (all recipients for the default policy; specific recipients as configured in the **Users, groups, and domains** setting in the [Common policy settings](#common-policy-settings) section).
> [!NOTE] > The maximum number of protected domains that you can define in all anti-phishing policies is 50.
- By default, no sender domains are configured for impersonation protection in **Domains to protect**. Therefore, by default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.
+ By default, no sender domains are configured for impersonation protection in **Enable domains to protect**. Therefore, by default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.
- When you add domains to the **Domains to protect** list, messages from **senders in those domains** are subject to impersonation protection checks. The message is checked for impersonation **if** the message is sent to a **recipient** that the policy applies to (all recipients for the default policy; **Applied to** recipients in custom policies). If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).
+ When you add domains to the **Enable domains to protect** list, messages from **senders in those domains** are subject to impersonation protection checks. The message is checked for impersonation **if** the message is sent to a **recipient** that the policy applies to (all recipients for the default policy; **Users, groups, and domains** recipients in custom policies). If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).
- **Actions**: Choose the action to take on inbound messages that contain impersonation attempts against the protected users and protected domains in the policy. You can specify different actions for impersonation of protected users vs. impersonation of protected domains:- - **Don't apply any action**- - **Redirect message to other email addresses**: Sends the message to the specified recipients instead of the intended recipients.- - **Move messages to the recipients' Junk Email folders**: The message is delivered to the mailbox and moved to the Junk Email folder. In Exchange Online, the message is moved to the Junk Email folder if the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).- - **Quarantine the message**: Sends the message to quarantine instead of the intended recipients. For information about quarantine, see the following articles: - [Quarantine in Microsoft 365](quarantine-email-messages.md) - [Manage quarantined messages and files as an admin in Microsoft 365](manage-quarantined-messages-and-files.md) - [Find and release quarantined messages as a user in Microsoft 365](find-and-release-quarantined-messages-as-a-user.md)- - **Deliver the message and add other addresses to the Bcc line**: Deliver the message to the intended recipients and silently deliver the message to the specified recipients.- - **Delete the message before it's delivered**: Silently deletes the entire message, including all attachments. -- **Turn on impersonation safety tips**: Turn on or turn off the following impersonation safety tips that will appear messages that fail impersonation checks:
- - **Show tip for impersonated users**: The From address contains a protected user.
- - **Show tip for impersonated domains**: The From address contains a protected domain.
- - **Show tip for unusual characters**: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in a protected sender or domain.
+- **Impersonation safety tips**: Turn on or turn off the following impersonation safety tips that will appear messages that fail impersonation checks:
+ - **Show tip for impersonated users**: The From address contains an **Enable users to protect** user. Available only if **Enable users to protect** is turned on and configured.
+ - **Show tip for impersonated domains**: The From address contains an **Enable domains to protect** domain. Available only if **Enable domains to protect** is turned on and configured.
+ - **Show tip for unusual characters**: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in an **Enable users to protect** sender or an **Enable domains to protect** sender domain. Available only if **Enable users to protect** _or_ **Enable domains to protect** is turned on and configured.
- > [!IMPORTANT]
- > Even if the impersonation safety tips are turned off, **we recommend** that you use a mail flow rule (also known as a transport rule) to add a the following message header to messages:
- >
- > - Header name: **X-MS-Exchange-EnableFirstContactSafetyTip**
- > - Header value: **Enable**
- >
- > A safety tip will notify recipients the first time they get a message from the sender or if they don't often get messages from the sender. This capability adds an extra layer of security protection against potential impersonation attacks.
- >
- > ![The text of the safety tip for impersonation protection with multiple recipients.](../../media/safety-tip-first-contact-multiple-recipients.png)
--- **Mailbox intelligence**: Enables or disables artificial intelligence (AI) that determines user email patterns with their frequent contacts. This setting helps the AI distinguish between messages from legitimate and impersonated senders.
+- **Enable mailbox intelligence**: Enables or disables artificial intelligence (AI) that determines user email patterns with their frequent contacts. This setting helps the AI distinguish between messages from legitimate and impersonated senders.
- For example, Gabriela Laureano (glaureano@contoso.com) is the CEO of your company, so you add her as a protected sender in the **Users to protect** settings of the policy. But, some of the recipients that the policy applies to communicate regularly with a vendor who is also named Gabriela Laureano (glaureano@fabrikam.com). Because those recipients have a communication history with glaureano@fabrikam.com, mailbox intelligence will not identify messages from glaureano@fabrikam.com as an impersonation attempt of glaureano@contoso.com for those recipients.
+ For example, Gabriela Laureano (glaureano@contoso.com) is the CEO of your company, so you add her as a protected sender in the **Enable users to protect** settings of the policy. But, some of the recipients that the policy applies to communicate regularly with a vendor who is also named Gabriela Laureano (glaureano@fabrikam.com). Because those recipients have a communication history with glaureano@fabrikam.com, mailbox intelligence will not identify messages from glaureano@fabrikam.com as an impersonation attempt of glaureano@contoso.com for those recipients.
- To use frequent contacts that were learned by mailbox intelligence (and lack thereof) to help protect users from impersonation attacks, you can turn on **Mailbox intelligence based impersonation protection** and specify the action to take **if** you also turn on **Mailbox intelligence**.
+ To use frequent contacts that were learned by mailbox intelligence (and lack thereof) to help protect users from impersonation attacks, you can turn on **Enable intelligence impersonation protection** after you turn on **Enable mailbox intelligence**.
-- **Mailbox intelligence based impersonation protection**: Turn on this setting to specify the action to take on messages for impersonation detections from mailbox intelligence results:-
- - **Don't apply any action**: Note that this value has the same result as turning on **Mailbox intelligence** but turning off **Mailbox intelligence based impersonation protection**.
+- **Enable intelligence impersonation protection**: Turn on this setting to specify the action to take on messages for impersonation detections from mailbox intelligence results:
+ - **Don't apply any action**: Note that this value has the same result as turning on **Mailbox intelligence** but turning off **Enable intelligence impersonation protection**.
- **Redirect message to other email addresses** - **Move message to the recipients' Junk Email folders** - **Quarantine the message**
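Review bot: The setting rename is applied unevenly in this hunk. The domain paragraphs now say "the **Enable domains to protect** list", but the matching added user paragraph still says "the **Users to protect** list", and the added **Don't apply any action** bullet still refers to "turning on **Mailbox intelligence**" although the setting is now called **Enable mailbox intelligence**. Use one name per setting throughout, so an admin can match the text to the control that decides which senders are covered by impersonation protection. The added **Impersonation safety tips** line also carries over "that will appear messages" from the removed line, which is missing "on".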
The following impersonation settings are only available in anti-phishing policie
### Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365
-The following advanced phishing thresholds are only available in anti-phishing policies in Microsoft Defender for Office 365. These thresholds control the sensitivity for applying machine learning models to messages for determining a phishing verdict:
+The following advanced phishing thresholds are only available in anti-phishing policies in Defender for Office 365. These thresholds control the sensitivity for applying machine learning models to messages to determine a phishing verdict:
- **1 - Standard**: This is the default value. The severity of the action that's taken on the message depends on the degree of confidence that the message is phishing (low, medium, high, or very high confidence). For example, messages that are identified as phishing with a very high degree of confidence have the most severe actions applied, while messages that are identified as phishing with a low degree of confidence have less severe actions applied.- - **2 - Aggressive**: Messages that are identified as phishing with a high degree of confidence are treated as if they were identified with a very high degree of confidence.- - **3 - More aggressive**: Messages that are identified as phishing with a medium or high degree of confidence are treated as if they were identified with a very high degree of confidence.- - **4 - Most aggressive**: Messages that are identified as phishing with a low, medium, or high degree of confidence are treated as if they were identified with a very high degree of confidence. The chance of false positives (good messages marked as bad) increases as you increase this setting. For information about the recommended settings, see [anti-phishing policy in Microsoft Defender for Office 365 settings](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365).
security Set Up Safe Attachments Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-attachments-policies.md
Safe Attachments is a feature in [Microsoft Defender for Office 365](whats-new-i
There's no built-in or default Safe Attachments policy. To get Safe Attachments scanning of email message attachments, you need to create one or more Safe Attachments policies as described in this article.
-You can configure Safe Attachments policies in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Defender for Office 365 add-on subscriptions).
+You can configure Safe Attachments policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Defender for Office 365 add-on subscriptions).
The basic elements of a Safe Attachments policy are: - **The safe attachment policy**: Specifies the actions for unknown malware detections, whether to send messages with malware attachments to a specified email address, and whether to deliver messages if Safe Attachments scanning can't complete. - **The safe attachment rule**: Specifies the priority and recipient filters (who the policy applies to).
-The difference between these two elements isn't obvious when you manage Safe Attachments polices in the Security & Compliance Center:
+The difference between these two elements isn't obvious when you manage Safe Attachments policies in the Microsoft 365 Defender portal:
- When you create a Safe Attachments policy, you're actually creating a safe attachment rule and the associated safe attachment policy at the same time using the same name for both. - When you modify a Safe Attachments policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the safe attachment rule. All other settings modify the associated safe attachment policy.
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Safe Attachments** page, use <https://protection.office.com/safeattachmentv2>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). -- You need to be assigned permissions before you can do the procedures in this article:
- - To create, modify, and delete Safe Attachments policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Security & Compliance Center **and** a member of the **Organization Management** role group in Exchange Online.
- - For read-only access to Safe Attachments policies, you need to be a member of the **Global Reader** or **Security Reader** role groups in the Security & Compliance Center.
+- You need permissions before you can do the procedures in this article:
+ - To create, modify, and delete Safe Attachments policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Microsoft 365 Defender portal **and** a member of the **Organization Management** role group in Exchange Online.
+ - For read-only access to Safe Attachments policies, you need to be a member of the **Global Reader** or **Security Reader** role groups in the Microsoft 365 Defender portal.
- For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
**Notes**:
- - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
- The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature. - For our recommended settings for Safe Attachments policies, see [Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings). - Allow up to 30 minutes for a new or updated policy to be applied.
-## Use the Security & Compliance Center to create Safe Attachments policies
+## Use the Microsoft 365 Defender portal to create Safe Attachments policies
-Creating a custom Safe Attachments policy in the Security & Compliance Center creates the safe attachment rule and the associated safe attachment policy at the same time using the same name for both.
+Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal creates the safe attachment rule and the associated safe attachment policy at the same time using the same name for both.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
-2. On the **Safe Attachments** page, click **Create**.
-
-3. The **New Safe Attachments policy** wizard opens. On the **Name your policy** page, configure the following settings:
+2. On the **Safe Attachments** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
+3. The policy wizard opens. On the **Name your policy** page, configure the following settings:
- **Name**: Enter a unique, descriptive name for the policy.- - **Description**: Enter an optional description for the policy. When you're finished, click **Next**.
-4. On the **Settings** page that appears, configure the following settings:
+4. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+ - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
+ - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- - **Safe Attachments unknown malware response**: Select one of the following values:
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
+
+ Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
+
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
+ When you're finished, click **Next**.
+
+5. On the **Settings** page, configure the following settings:
+
+ - **Safe Attachments unknown malware response**: Select one of the following values:
- **Off**: Typically, we don't recommend this value. - **Monitor** - **Block**: This is the default value, and the recommended value in Standard and Strict [preset security policies](preset-security-policies.md).
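Review bot: "recpient exceptions" in the added **Exclude these users, groups, and domains** bullet is a typo for "recipient exceptions". In the same step, the added "When you're finished, click **Next**." line follows that bullet with no blank line between them, unlike the other paragraphs added in this step, so check that it does not render as part of the exclusion bullet. Because the added text says different conditions use AND logic, it would help to state plainly that filling in both **Users** and **Groups** narrows the policy to recipients who match both, since that determines who actually gets Safe Attachments scanning.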
Creating a custom Safe Attachments policy in the Security & Compliance Center cr
These values are explained in [Safe Attachments policy settings](safe-attachments.md#safe-attachments-policy-settings).
- - **Send the attachment to the following email address**: For the action values **Block**, **Monitor**, or **Replace**, you can select **Enable redirect** to send messages that contain malware attachments to the specified internal or external email address for analysis and investigation.
+ - **Redirect messages with detected attachments**: If you select **Enable redirect**, you can specify an email address in the **Send messages that contain blocked, monitored, or replaced attachments to the specified email address** box to send messages that contain malware attachments for analysis and investigation.
The recommendation for Standard and Strict policy settings is to enable redirection. For more information, see [Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings).
- - **Apply the above selection if malware scanning for attachments times out or error occurs**: The action specified by **Safe Attachments unknown malware response** is taken on messages even when Safe Attachments scanning can't complete. If you selected this option, always select **Enabled redirect**. Otherwise, messages might be lost.
-
- When you're finished, click **Next**.
-
-5. On the **Applied to** page that appears, identify the internal recipients that the policy applies to.
-
- You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
-
- Click **Add a condition**. In the dropdown that appears, select a condition under **Applied if**:
-
- - **The recipient is**: Specifies one or more mailboxes, mail users, or mail contacts in your organization.
- - **The recipient is a member of**: Specifies one or more groups in your organization.
- - **The recipient domain is**: Specifies recipients in one or more of the configured accepted domains in your organization.
-
- After you select the condition, a corresponding dropdown appears with an **Any of these** box.
-
- - Click in the box and scroll through the list of values to select.
- - Click in the box and start typing to filter the list and select a value.
- - To add additional values, click in an empty area in the box.
- - To remove individual entries, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the value.
- - To remove the whole condition, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the condition.
-
- To add an additional condition, click **Add a condition** and select a remaining value under **Applied if**.
-
- To add exceptions, click **Add a condition** and select an exception under **Except if**. The settings and behavior are exactly like the conditions.
+ - **Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)**: The action specified by **Safe Attachments unknown malware response** is taken on messages even when Safe Attachments scanning can't complete. If you selected this option, always select **Enable redirect** and specify an email address to send messages that contain malware attachments. Otherwise, messages might be lost.
When you're finished, click **Next**.
-6. On the **Review your settings** page that appears, review your settings. You can click **Edit** on each setting to modify it.
+6. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
- When you're finished, click **Finish**.
+ When you're finished, click **Submit**.
-## Use the Security & Compliance Center to view Safe Attachments policies
+7. On the confirmation page that appears, click **Done**.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**.
+## Use the Microsoft 365 Defender portal to view Safe Attachments policies
-2. On the **Safe Attachments** page, select a policy from the list and click on it (don't select the check box).
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
- The policy details appear in a fly out
+2. On the **Safe Attachments** page, the following properties are displayed in the list of policies:
+ - **Name**
+ - **Status**
+ - **Priority**
-## Use the Security & Compliance Center to modify Safe Attachments policies
+3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**.
+## Use the Microsoft 365 Defender portal to modify Safe Attachments policies
-2. On the **Safe Attachments** page, select a policy from the list and click on it (don't select the check box).
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
-3. In the policy details fly out that appears, click **Edit policy**.
+2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
-The available settings in the fly out that appears are identical to those described in the [Use the Security & Compliance Center to create Safe Attachments policies](#use-the-security--compliance-center-to-create-safe-attachments-policies) section.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create Safe Attachments policies](#use-the-microsoft-365-defender-portal-to-create-safe-attachments-policies) section earlier in this article.
To enable or disable a policy or set the policy priority order, see the following sections. ### Enable or disable Safe Attachments policies
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
+
+2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
-2. Notice the value in the **Status** column:
+3. At the top of the policy details flyout that appears, you'll see one of the following values:
+ - **Policy off**: To turn on the policy, click ![Turn on icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** .
+ - **Policy on**: To turn off the policy, click ![Turn off icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
- - Move the toggle to the left ![Turn policy off](../../media/scc-toggle-off.png) to disable the policy.
+4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
- - Move the toggle to the right ![Turn policy on](../../media/scc-toggle-on.png) to enable the policy.
+5. Click **Close** in the policy details flyout.
+
+Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
### Set the priority of Safe Attachments policies
-By default, Safe Attachments policies are given a priority that's based on the order they were created in (newer polices are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
+By default, Safe Attachments policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md). Safe Attachments policies are displayed in the order they're processed (the first policy has the **Priority** value 0).
-**Note**: In the Security & Compliance Center, you can only change the priority of the Safe Attachments policy after you create it. In PowerShell, you can override the default priority when you create the safe attachment rule (which can affect the priority of existing rules).
-
-To change the priority of a policy, move the policy up or down in the list (you can't directly modify the **Priority** number in the Security & Compliance Center).
-
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**.
+**Note**: In the Microsoft 365 Defender portal, you can only change the priority of the Safe Attachments policy after you create it. In PowerShell, you can override the default priority when you create the safe attachment rule (which can affect the priority of existing rules).
-2. On the **Safe Attachments** page, select a policy from the list and click on it (don't select the check box).
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
-3. In the policy details fly out that appears, click the available priority button.
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
- - The Safe Attachments policy with the **Priority** value **0** has only the **Decrease priority** button available.
+2. On the **Safe Attachments** page, select a policy from the list by clicking on the name.
- - The Safe Attachments policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** button available.
+3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of policies:
+ - The policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
- - If you have three or more Safe Attachments policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** buttons available.
+ Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
-4. Click **Increase priority** or **Decrease priority** to change the **Priority** value.
+4. When you're finished, click **Close** in the policy details flyout.
-5. When you're finished, click **Close**.
+## Use the Microsoft 365 Defender portal to remove Safe Attachments policies
-## Use the Security & Compliance Center to remove Safe Attachments policies
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**.
+2. On the **Safe Attachments** page, select a custom policy from the list by clicking on the name of the policy.
-2. On the **Safe Attachments** page, select a policy from the list and click on it (don't select the check box).
+3. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
-3. In the policy details fly out that appears, click **Delete policy**, and then click **Yes** in the warning dialog that appears.
+4. In the confirmation dialog that appears, click **Yes**.
## Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Attachments policies
Creating a Safe Attachments policy in PowerShell is a two-step process:
- You can create a new safe attachment rule and assign an existing, unassociated safe attachment policy to it. A safe attachment rule can't be associated with more than one safe attachment policy. -- You can configure the following settings on new safe attachment policies in PowerShell that aren't available in the Security & Compliance Center until after you create the policy:
+- You can configure the following settings on new safe attachment policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:
- Create the new policy as disabled (_Enabled_ `$false` on the **New-SafeAttachmentRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-SafeAttachmentRule** cmdlet). -- A new safe attachment policy that you create in PowerShell isn't visible in the Security & Compliance Center until you assign the policy to a safe attachment rule.
+- A new safe attachment policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to a safe attachment rule.
#### Step 1: Use PowerShell to create a safe attachment policy
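Review bot: The added **Redirect messages with detected attachments** bullet presents redirect as optional ("If you select **Enable redirect**, you can specify an email address"), while the added **Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** bullet says redirect must always be enabled with that option or "messages might be lost". Put the dependency in the redirect bullet as well, or cross-reference it, so an admin who reads only the redirect setting does not leave it off. In the same bullet, "If you selected this option" should be "If you select this option" to match the tense used in the rest of the procedure. Smaller points in this hunk: the **Policy off** bullet has a stray space before the period ("**Turn on** ."), and "you click **Increase priority** or **Decrease priority**" in the priority section reads better as "click".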
For detailed syntax and parameter information, see [Get-SafeAttachmentRule](/pow
### Use PowerShell to modify safe attachment policies
-You can't rename a safe attachment policy in PowerShell (the **Set-SafeAttachmentPolicy** cmdlet has no _Name_ parameter). When you rename a Safe Attachments policy in the Security & Compliance Center, you're only renaming the safe attachment _rule_.
+You can't rename a safe attachment policy in PowerShell (the **Set-SafeAttachmentPolicy** cmdlet has no _Name_ parameter). When you rename a Safe Attachments policy in the Microsoft 365 Defender portal, you're only renaming the safe attachment _rule_.
Otherwise, the same settings are available when you create a safe attachment policy as described in the [Step 1: Use PowerShell to create a safe attachment policy](#step-1-use-powershell-to-create-a-safe-attachment-policy) section earlier in this article.
For detailed syntax and parameter information, see [Remove-SafeAttachmentRule](/
To verify that you've successfully created, modified, or removed Safe Attachments policies, do any of the following steps: -- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list, and view the details in the fly out.
+- In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name, and view the details in the fly out.
- In Exchange Online PowerShell or Exchange Online Protection PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
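Review bot: The added verification bullet ends with "view the details in the fly out", but the other added lines in this change consistently use "flyout" (for example "the policy settings are displayed in a flyout" and "In the policy details flyout that appears"). Change this occurrence to "flyout" so the article uses one spelling.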
To verify that you've successfully created, modified, or removed Safe Attachment
Get-SafeAttachmentRule -Identity "<Name>" | Format-List ```
-To verify that Safe Attachments is scanning messages, check the available Defender for Office 365 reports. For more information, see [View reports for Defender for Office 365](view-reports-for-mdo.md) and [Use Explorer in the Security & Compliance Center](threat-explorer.md).
+To verify that Safe Attachments is scanning messages, check the available Defender for Office 365 reports. For more information, see [View reports for Defender for Office 365](view-reports-for-mdo.md) and [Use Explorer in the Microsoft 365 Defender portal](threat-explorer.md).
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
Title: User submissions policy
+ Title: User reported message settings
f1.keywords: - NOCSH
ms.technology: mdo
ms.prod: m365-security
-# User submissions policy
+# User reported message settings
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-In Microsoft 365 organizations with Exchange Online mailboxes, you can specify a mailbox to receive messages that users report as malicious or not malicious. When users submit messages using the various reporting options, you can use this mailbox to intercept messages (send to the custom mailbox only) or receive copies of messages (send to the custom mailbox and Microsoft). This feature works with the following message reporting options:
+In Microsoft 365 organizations with Exchange Online mailboxes, you can specify a mailbox to receive messages that users report as malicious or not malicious. When users report messages using the various reporting options, you can use this mailbox to intercept messages (send to the custom mailbox only) or receive copies of messages (send to the custom mailbox and Microsoft). This feature works with the following message reporting options:
- [The Report Message add-in](enable-the-report-message-add-in.md) - [The Report Phishing add-in](enable-the-report-phish-add-in.md) - [Third-party reporting tools](#third-party-reporting-tools)
-Delivering user reported messages to a custom mailbox instead of directly to Microsoft allows your admins to selectively and manually report messages to Microsoft using [Admin submission](admin-submission.md).
+Delivering user reported messages to a custom mailbox instead of directly to Microsoft allows your admins to selectively and manually report messages to Microsoft using [Admin submission](admin-submission.md). These settings were formerly known as the User submissions policy.
> [!NOTE]
- > If reporting has been [disabled in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md#disable-or-enable-junk-email-reporting-in-outlook-on-the-web), enabling user submissions here will override that setting and enable users to report messages in Outlook on the web again.
+ > If reporting has been [disabled in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md#disable-or-enable-junk-email-reporting-in-outlook-on-the-web), enabling user reported messages here will override that setting and enable users to report messages in Outlook on the web again.
## Custom mailbox prerequisites
After you've verified that your mailbox meets all applicable prerequisites, you
## Third-party reporting tools
-You can configure third-party message reporting tools to send reported messages to the custom mailbox. The only requirement is that the original message is included as an attachment in the message that's sent to the custom mailbox (don't just forward the original message to the custom mailbox).
+You can configure third-party message reporting tools to send reported messages to the custom mailbox. You would do this by setting the **Microsoft Outlook Report Message button** setting to **Off** and setting the **My organization's mailbox** to an Office 365 mailbox of your choice.
+
+The only requirement is that the original message is included as a .EML or .MSG attachment (not compressed) in the message that's sent to the custom mailbox (don't just forward the original message to the custom mailbox).
The message formatting requirements are described in the next section. The formatting is optional, but if it does not follow the prescribed format, the reports will always be submitted as phish.
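Review bot: In the added third-party tools paragraph, "setting the **My organization's mailbox** to an Office 365 mailbox of your choice" is missing the noun after the bolded control name (compare "setting the **Microsoft Outlook Report Message button** setting to **Off**" earlier in the same sentence), and "You would do this by" should be a direct instruction like the rest of the article. The next added paragraph still opens with "The only requirement is", which no longer fits now that two settings must be changed first; consider "The message that's sent to the custom mailbox must include the original message as a .EML or .MSG attachment (not compressed)". Because the unchanged line that follows says reports that don't follow the prescribed format "will always be submitted as phish", it is worth saying what happens to a report that arrives compressed or as a plain forward.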
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
> [!TIP] > Don't have Microsoft Defender for Office 365 yet? [Contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html).
+## June 2021
+
+- New first contact safety tip setting within anti-phishing policies. This safety tip is shown when recipients first receive an email from a sender or do not often receive email from a sender. For more information on this setting and how to configure it, see the following articles:
+
+- [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip)
+- [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md)
+- [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md)
+ ## April/May 2021 - [Email entity page](mdo-email-entity-page.md): A unified 360-degree view of an email with enriched information around threats, authentication and detections, detonation details, and a brand-new email preview experience.
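Review bot: In the added **June 2021** section, the three article links are written as top-level bullets ("- [First contact safety tip]", and so on) with no indentation, so they render as siblings of the "New first contact safety tip setting" bullet instead of as the list that "see the following articles:" introduces. Indent the three link bullets under the parent bullet. Also check the blank added line fused onto the "## April/May 2021" heading; the heading should start on its own line so it renders as a heading.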
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
- Increasing the limits for Export of records from 9990 to 200,000 in [hunting experiences](threat-explorer.md) - Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 (previous limit) to 30 days in [hunting experiences](threat-explorer.md) - New hunting pivots called **Impersonated domain** and **Impersonated user** within the Explorer (and Real-time detections) to search for impersonation attacks against protected users or domains. For more information, see [details](threat-explorer.md#view-phishing-emails-sent-to-impersonated-users-and-domains). (Microsoft Defender for Office 365 Plan 1 or Plan 2)
+- New first contact safety tip for when recipients first receive an email from a sender or do not often receive email from a sender. For more information on this setting and how to configure it using Exchange mail flow rules (also known as transport rules), see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).
## December 2020
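Review bot: The bullet added at the end of the **April/May 2021** list announces the same first contact safety tip that the new **June 2021** section announces, and both link to the same anchor (set-up-anti-phishing-policies.md#first-contact-safety-tip), but they describe different configuration paths: "using Exchange mail flow rules (also known as transport rules)" here versus a "setting within anti-phishing policies" in June. If both entries are intended, say explicitly that the mail flow rule method came first and the policy setting followed; otherwise drop one so readers are not left guessing which method is current.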