-> [!NOTE]

-> Support for cloud attachments that are shared in Yammer is in preview.

-See the [licensing requirements for Information Protection](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection) for details on the subscriptions that support DLP. You don't need any additional licenses over what is needed for endpoint DLP.

-You have to configure two sets of permissions on the blobs, one for the administrators and investigators so they can view and manage evidence and another for users whose devices need to upload items to Azure. You should [create custom role groups in Microsoft Purview compliance](../security/office-365-security/scc-permissions.md) to enforce least privileges and assign accounts to them.

-Assign these permissions to the Azure blob for the users role:

-1. Select **+ Add storage** and provide the Name and URL of the Azure storage account.

-Cross Tenant User Data Migration is available as an add-on to the following Microsoft 365 subscription plans for Enterprise Agreement customers. User licenses are per migration (one-time fee) and can be assigned either on the source or target user object. This license also covers [OneDrive for Business migration](/microsoft-365/enterprise/cross-tenant-onedrive-migration). Contact your Microsoft account team for details.

- 1. LegacyExchangeDN (flow as proxyAddress, "x500:\<LegacyExchangeDN\>"): The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. In addition, you also need to copy all x500 addresses from the source mailbox to the target mail user. The move processes won't proceed if these aren't present on the target object. Also, this step is important for enabling reply ability for emails that are sent before migration. The sender/recipient address in each email item and the auto-complete cache in Microsoft Outlook and in Microsoft Outlook Web App (OWA) uses the value of the LegacyExchangeDN attribute. If a user can't be located using the LegacyExchangeDN value, the delivery of email messages may fail with a 5.1.1 NDR.

-| LegacyExchangeDN | /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=74e5385fce4b46d19006876949855035Lara |

-| LegacyExchangeDN | /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=d11ec1a2cacd4f81858c81907273f1f9Lara |

-@([char[]]([char]'a'..[char]'z'), [char[]]([char]'A'..[char]'Z'), [char[]]([char]'0'..[char]'9') + $symbols)

-Microsoft Defender for Endpoint on Android supports both the configurations of MAM.

-Microsoft Defender for Endpoint on Android along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability through Intune.

-It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center and add trusted certificates. Admins can also enable [privacy controls](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) to configure the data that's sent by Defender for Endpoint from Android devices.

-1. If your organization uses root CAs that are private in nature, you need to establish explicit trust between Intune (MDM solution) and user devices so Defender doesn't flag them as rogue certificates.

- |Trusted CA certificate list for Network Protection|This setting is managed by a security admin to establish trust for root CA and self-signed certificates|

- |Enable Network Protection Privacy|1: Enable (default) <br/> 0: Disable <br/><br/> This setting is managed by IT admins to enable or disable privacy in network protection.|

- |Manage Network Protection detection for Open Networks|0: Disable (default) <br/> 1: Audit Mode <br/><br/> This setting is managed by IT Admin to enable or disable open network detection.|

-1. Add the required groups on which the policy will have to be applied. Review and create the policy.

-|Malware report |Admins can set up privacy control for malware report - If privacy is enabled, then Defender for Endpoint will not send the malware app name and other app details as part of the malware alert report |

-|Phish report |Admins can set up privacy control for phish report - If privacy is enabled, then Defender for Endpoint will not send the domain name and details of the unsafe website as part of the phish alert report |

-|Network Protection (preview)| Admins can enable or disable privacy in network protection - If enabled, then Defender will not send network details.|

-Admins can now enable privacy control for the phish report, malware report and network report sent by Microsoft Defender for Endpoint on android. This configuration ensures that the domain name, app details and network details respectively are not sent as part of the alert whenever a corresponding threat is detected.

-4. In Settings page, select **Use configuration designer** and add click on **Add**.

-1. For **Android Enterprise work profile**, end user controls will not be visible. Admins control these settings.

-3. Users will see a toggle for Unsafe Site Info, malicious application, and network protection.

-Enabling/disabling the above privacy controls will not impact the device compliance check or conditional access.

-From version 1.0.3425.0303 of Microsoft Defender for Endpoint on Android, you'll be able to run vulnerability assessments of OS and apps installed on the onboarded mobile devices.

- - **Profile**: Select "Custom" and click Create

-4. Click **Next** and assign this profile to targeted devices/users.

- - For users with key set as `0`, Defender for Endpoint will send the list of apps from the work profile to the backend service for vulnerability assessment.

-5. Click **Next** and assign this profile to targeted devices/users.

-Turning the above privacy controls on or off will not impact the device compliance check or conditional access.

- - **Profile**: Select "Custom" and click **Create**.

-4. Click **Next** and assign this profile to targeted devices/users.

-Using this privacy control will not impact the device compliance check or conditional access.

-5. Click **Next** and assign this profile to targeted devices/users.

-Turning the above privacy controls on or off will not impact the device compliance check or conditional access.

- - **Profile**: Select "Custom" and click **Create**.

-4. Click **Next** and assign this profile to targeted devices/users.

-Using this privacy control will not impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".

-5. Click **Next** and assign this profile to targeted devices/users.

-Using this privacy control will not impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".

-## Related topics

-**Sign in failed:** *Invalid license, please contact administrator*

-**Message:** *Invalid license, please contact administrator*

-Phishing and harmful web threats that are detected by Defender for Endpoint

-Xiaomi devices include a new permission model. This prevents Defender for Endpoint for Android from displaying pop-up windows while it runs in the background.

-> [!IMPORTANT]

-> This issue has been resolved. Please update to the latest app version to complete the onboarding process. If the issue persists, please send an **[in-app feedback](/microsoft-365/security/defender-endpoint/android-support-signin#send-in-app-feedback)**.

-> [!IMPORTANT]

-> To be eligible to acquire Microsoft Defender for Endpoint Server licenses (one per covered server instance), you must have already purchased a combined minimum of 50 licenses for one or more of the following:

->

-> - Microsoft Defender for Endpoint (per user)

-> - Windows E5/A5

-> - Microsoft 365 E5/A5

-> - Microsoft 365 E5 Security User subscription licenses.

-3. Select **Platform**, choose **Windows 10 and later**, and select the profile **Attack Surface Reduction rules** \> **Create**.

- | `DefenderOpenNetworkDetection` | Integer | 0 | 1 - enable, 0 - disable; This setting is managed by IT Admin to enable or disable open network detection informational alerts with no end user detection experience. |

- |`DefenderOpenNetworkDetection`|0|1 - enable, 0 - disable; This setting is managed by IT Admin to enable or disable open network detection informational alerts with no end user detection experience.|

- ```bash

- sudo yum install yum-utils

- ```

- Use the following table to help guide you in locating the package:

- |Distro & version|Package|

- |||

- |For RHEL/Centos/Oracle 8.0-8.7|<https://packages.microsoft.com/config/rhel/8/prod.repo>|

- |For RHEL/Centos/Oracle 7.2-7.9 & Amazon Linux 2 |<https://packages.microsoft.com/config/rhel/7.2/prod.repo>|

- |For Fedora 33|<https://packages.microsoft.com/config/fedora/33/prod.repo>|

- |For Fedora 34|<https://packages.microsoft.com/config/fedora/34/prod.repo>|

- <!--|For RHEL/Centos 6.7-6.10|<https://packages.microsoft.com/config/rhel/6/[channel].repo>|-->

- In the following commands, replace *[version]* and *[channel]* with the information you've identified:

- ```bash

- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/[version]/[channel].repo

- ```

- > [!TIP]

- > Use hostnamectl command to identify system related information including release *[version]*.

- For example, if you are running CentOS 7 and want to deploy Defender for Endpoint on Linux from the *prod* channel:

- ```bash

- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/prod.repo

- ```

- Or if you wish to explore new features on selected devices, you might want to deploy Microsoft Defender for Endpoint on Linux to *insiders-fast* channel:

- ```bash

- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/insiders-fast.repo

- ```

- ```bash

- sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc

- ```

- ```bash

- sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc

- ```

- ```bash

- sudo apt-get install curl

- ```

- ```bash

- sudo apt-get install libplist-utils

- ```

- > [!NOTE]

- > Your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/[distro]/`.

- In the following command, replace *[distro]* and *[version]* with the information you've identified:

- ```bash

- curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list

- ```

- > [!TIP]

- > Use hostnamectl command to identify system related information including release *[version]*.

- For example, if you are running Ubuntu 18.04 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel:

- ```bash

- curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list

- ```

- ```bash

- sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list

- ```

- For example, if you chose *prod* channel:

- ```bash

- sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list

- ```

- ```bash

- sudo apt-get install gpg

- ```

- ```bash

- sudo apt-get install gnupg

- ```

- ```bash

- curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg >

- ```

- ```bash

- sudo apt-get install apt-transport-https

- ```

- ```bash

- sudo apt-get update

- ```

- ```bash

- sudo yum install mdatp

- ```

- > [!NOTE]

- > If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. Depending on the distribution and the version of your server, the repository alias might be different than the one in the following example.

- ```bash

- # list all repositories

- yum repolist

- ```

- ```Output

- ...

- packages-microsoft-com-prod packages-microsoft-com-prod 316

- packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2

- ...

- ```

- ```bash

- # install the package from the production repository

- sudo yum --enablerepo=packages-microsoft-com-prod install mdatp

- ```

- ```bash

- sudo zypper install mdatp

- ```

- > [!NOTE]

- > If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.

- ```bash

- zypper repos

- ```

- ```Output

- ...

- # | Alias | Name | ...

- XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...

- XX | packages-microsoft-com-prod | microsoft-prod | ...

- ...

- ```

- ```bash

- sudo zypper install packages-microsoft-com-prod:mdatp

- ```

- ```bash

- sudo apt-get install mdatp

- ```

- > [!NOTE]

- > If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.

- ```bash

- cat /etc/apt/sources.list.d/*

- ```

- ```Output

- deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod insiders-fast main

- deb [arch=amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod bionic main

- ```

- ```bash

- sudo apt -t bionic install mdatp

- ```

- ```bash

- ls -l

- ```

- ```Output

- total 8

- -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip

- ```

- ```bash

- unzip WindowsDefenderATPOnboardingPackage.zip

- ```

- ```Output

- Archive: WindowsDefenderATPOnboardingPackage.zip

- inflating: MicrosoftDefenderATPOnboardingLinuxServer.py

- ```

- > [!NOTE]

- > Initially the client device is not associated with an organization and the *orgId* attribute is blank.

- ```bash

- mdatp health --field org_id

- ```

- > [!NOTE]

- > To run this command, you must have `python` or `python3` installed on the device depending on the distro and version. If needed, see [Step-by-step Instructions for Installing Python on Linux](https://opensource.com/article/20/4/install-python-linux).

- > [!NOTE]

- > To onboard a device that was previously offboarded you must remove the mdatp_offboard.json file located at /etc/opt/microsoft/mdatp.

- If you're running RHEL 8.x or Ubuntu 20.04 or higher, you will need to use `python3`.

- ```bash

- sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py

- ```

- For the rest of distros and versions, you will need to use `python`.

- ```bash

- sudo python MicrosoftDefenderATPOnboardingLinuxServer.py

- ```

- ```bash

- mdatp health --field org_id

- ```

- ```bash

- mdatp health --field healthy

- ```

- > [!IMPORTANT]

- > When the product starts for the first time, it downloads the latest antimalware definitions. This may take up to a few minutes depending on the network connectivity. During this time the above command returns a value of `false`. You can check the status of the definition update using the following command:

- >

- > ```bash

- > mdatp health --field definitions_status

- > ```

- >

- > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint on Linux for static proxy discovery: Post-installation configuration](linux-static-proxy-configuration.md#post-installation-configuration).

- - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):

- ```bash

- mdatp health --field real_time_protection_enabled

- ```

- If it is not enabled, execute the following command:

- ```bash

- mdatp config real-time-protection --value enabled

- ```

- - Open a Terminal window and execute the following command:

- ``` bash

- curl -o /tmp/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

- ```

- - The file should have been quarantined by Defender for Endpoint on Linux. Use the following command to list all the detected threats:

- ```bash

- mdatp threat list

- ```

- - Verify that the onboarded Linux server appears in Microsoft 365 Defender. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.

- - Download and extract the [script file](https://aka.ms/LinuxDIY) to an onboarded Linux server and run the following command: `./mde_linux_edr_diy.sh`

- - After a few minutes, a detection should be raised in Microsoft 365 Defender.

- - Look at the alert details, machine timeline, and perform your typical investigation steps.

- ```bash

- sudo yum remove mdatp

- ```

- ```bash

- sudo yum repolist

- ```

- > [!NOTE]

- > The output should show "packages-microsoft-com-fast-prod".

- ```bash

- sudo yum-config-manager --disable packages-microsoft-com-fast-prod

- ```

-After installation, configure Defender for Endpoint with static proxy using one of the following methods:

-The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macOS/schemE Preferences configuration profile should be updated to use the new schema fileΓÇÖs content.

- - Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** drop down list that appears:

- - **If the message is detected as spoof by spoof intelligence**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Select one of the following actions in the drop down list for messages from blocked spoofed senders:

- - Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** drop down list that appears:

- - **Internal users**: Click in the **Add a valid email** box or start typing the user's email address. Select the email address in the **Suggested contacts** drop down list that appears. The user's display name is added to the **Add a name** box (which you can change). When you're finished selecting the user, select **Add**.

- - **External users**: Type the external user's full email address in the **Add a valid email** box, and then select the email address in the **Suggested contacts** drop down list that appears. The email address is also added in the **Add a name** box (which you can change to a display name).

- - **Domain** tab: Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add domains**. In the **Add trusted domains** flyout that opens, enter domain in the **Domain** box, and then select the domain in drop down list that appears. Repeat this step as many times as necessary. To remove an existing entry, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: for the entry.

- - **If a message is detected as user impersonation**: This setting is available only if you selected **Enable users to protect** on the previous page. Select one of the following actions in the drop down list:

- - **If the message is detected as an impersonated domain**: This setting is available only if you selected **Enable domains to protect** on the previous page. Select one of the following actions in the drop down list:

- - **If mailbox intelligence detects an impersonated user**: This setting is available only if you selected **Enable intelligence for impersonation protection** on the previous page. Select one of the following actions in the drop down list:

- - **If the message is detected as spoof by spoof intelligence**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Select one of the following actions in the drop down list for messages from blocked spoofed senders:

- - Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** drop down list that appears:

-*Backscatter* is non-delivery reports (also known as NDRs or bounce messages) that you receive for messages that you didn't send. Spammers often use real email addresses as the From address to lend credibility to their messages, and forge (spoof) the From address (also known as the `5322.From` or P2 address) to create backscatter. When a non-existent recipient receives spam, the destination email server is essentially tricked into returning the undeliverable message in an NDR to the forged sender in the From address.

-Exchange Online Protection (EOP) makes every effort to identify and silently drop messages from dubious sources without generating an NDR. But, based on the sheer volume email flowing through the service, there's always the possibility that EOP will unintentionally send backscatter.

-Backscatterer.org maintains a blocklist (also known as a DNS blocklist or DNSBL) of email servers that were responsible for sending backscatter, and EOP servers might appear on this list. This list isn't a list of spammers.

-2. On the **Anti-spam policies** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** **Create policy** and then select **Inbound** from the drop down list to start the new anti-spam policy wizard.

- - **Contains specific languages**: Select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages appears. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

- - **From these countries***: Select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a country in the box. A filtered list of supported countries appears. When you find the country that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

-description: Admins can learn about the anti-spam settings and filters that will help prevent spam in Exchange Online Protection (EOP).

-Microsoft's email safety roadmap involves an unmatched cross-product approach. EOP anti-spam and anti-phishing technology is applied across our email platforms to provide users with the latest anti-spam and anti-phishing tools and innovations throughout the network. The goal for EOP is to offer a comprehensive and usable email service that helps detect and protect users from junk email, fraudulent email threats (phishing), and malware.

-As email use has grown, so has email abuse. Unmonitored junk email can clog inboxes and networks, impact user satisfaction, and hamper the effectiveness of legitimate email communications. That's why Microsoft continues to invest in anti-spam technologies. Simply put, it starts by containing and filtering junk email.

- - **SPF**: Sender Policy Framework verifies the source IP address of the message against the owner of the sending domain. For a quick introduction to SPF and to get it configured quickly, see [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md). For a more in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](email-authentication-anti-spoofing.md).

- - **DKIM**: DomainKeys Identified Mail adds a digital signature to the message header of messages sent from your domain. For information, see [Use DKIM to validate outbound email sent from your custom domain in Microsoft 365](email-authentication-dkim-configure.md).

- - **DMARC**: Domain-based Message Authentication, Reporting, and Conformance helps destination email systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners. For more information, see [Use DMARC to validate email in Microsoft 365](email-authentication-dmarc-configure.md).

- - **Verify the Outlook 'Safe Lists Only' setting is disabled**: When this setting is enabled, only messages from senders in the user's Safe Senders list or Safe Recipients list are delivered to the Inbox; email from everyone else is automatically moved to the Junk Email folder.

- - **Mark this as the default language**: Because this is the first and only language for the notification, this language value is selected as the default and you can't change it.

- Back on the **Define content** page, the notification you created is listed on the page. In the **Action** colum, you can select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** or :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **Preview** to edit or view the notification.

- Other than the flyout title changing to **Add translation**, the same options are available as the the **Add content in default language** flyout in the first notification you created. Now the **Mark this as default language** check box is available to select. Only one translation of the notification can be the default language.

-In the confirmation dialog tht opens, select **Delete**.

-Attack simulation training enables Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations to measure and manage social engineering risk by allowing the creation and management of phishing simulations that are powered by real-world, de-weaponized phishing payloads. Hyper-targeted training, delivered in partnership with Terranova security, helps improve knowledge and change employee behavior.

-While the whole simulation creation and scheduling experience has been designed to be free-flowing and frictionless, running simulations at an enterprise scale often requires planning. This article helps address specific challenges that we see as our customers run simulations in their own environments.

-Note that this issue doesn't affect Microsoft Edge.

-It's possible that the number of users who actually receive the simulation email messages is less than the number of users who were targeted by the simulation. The following types of users will be excluded as part of target validation:

-### Attack simulation training reports do not contain any activity details

-### Simulation reports are not updated immediately

-Once the simulation enters the **In progress** stage, you'll notice information starting to trickle into the reporting:

-If you don't configure the required exclusions for the custom reporting mailbox, these messages might be detonated by Safe Links or Safe Attachments protection, which will cause training assignments.

-We've found that campaigns where the targeted users are identified by Azure AD groups are generally easier to manage.

-A: Currently, there are 40+ localized payloads available in 29+ languages: English, Spanish, German, Japanese, French, Portuguese, Dutch, Italian, Swedish, Chinese (Simplified), Norwegian Bokmål, Polish, Russian, Finnish, Korean, Turkish, Hungarian, Hebrew, Thai, Arabic, Vietnamese, Slovak, Greek, Indonesian, Romanian, Slovenian, Croatian, Catalan, and Other. We've noticed that any direct or machine translations of existing payloads to other languages will lead to inaccuracies and decreased relevance.

-Note that the configuration change might take up to 30 minutes to synchronize across all services.

-A: Yes you can! On the very last **Review Simulation** page in the wizard to create a new simulation, there's an option to **Send a test**. This option sends a sample phishing simulation message to the currently logged in user. After you validate the phishing message in your Inbox, you can submit the simulation.

-A: No. Any information entered at the credential harvest login page is discarded silently. Only the 'click' is recorded to capture the compromise event. Microsoft doesn't collect, log or store any details that users enter at this step.

- Back on the **Configure landing page** page, the landing page you created is now listed. In the **Action** colum, you can select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** or :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **Preview** to edit or view the landing page.

- Other than the flyout title changing to **Add translation**, the same options are available as the the **Add content in default language** flyout in the first landing page you created. Now the **Mark this as default language** check box is available to select. Only one translation of landing page can be the default language.

-In the confirmation dialog tht opens, select **Delete**.

-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, payload automations (also known as _payload harvesting_) collect information from real-world phishing attacks that were reported by users in your organization. Although the numbers of these messages are likely low in your organization, you can specify the conditions to look for in phishing attacks (for example, recipients, social engineering technique, sender information, etc.). Attack simulation training will then mimic the messages and payloads used in the attack to automatically launch harmless simulations to targeted users.

-4. On the **Run conditions** page, select the conditions of the real phishing attack that determines when the automation will run.

-2. On the **Alert policy** page, find the alert named **Suspicious connector activity**. You can sort the alerts by name, or use the ::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find the alert.

-3. Select the filter dropdown, and then choose **Basic** \> **Detection technology** in the drop down list.

-5. Select the **Allow emails with similar attributes** checkbox. From the drop down list, specify the number of days you want the message to be removed, add a note if needed, and then select **Submit**.

-3. Select the filter dropdown, and then choose **URLs** \> **Click verdict** in the drop down list.

-2. In the **View** menu, choose **Email** \> **All email** from the drop down list.

-[Directory Based Edge Blocking](/exchange/mail-flow-best-practices/use-directory-based-edge-blocking) reject messages to invalid recipients at the service network perimeter by default.

- By default, this role is assigned only to the **Security Operator role group in Exchange Online**, not in Azure AD. Membership in the **[Security Operator role in Azure AD](/azure/active-directory/roles/permissions-reference#security-operator)** _does not_ allow you to manage entries the Tenant Allow/Block List.

-You can use this simple "Hello World" example to test API access to Microsoft Defender APIs: [Hello World for Microsoft 365 Defender REST API](/microsoft-365/security/defender/api-hello-world).

- Security teams members should do add-hoc [admin submissions](submissions-admin.md) when false positives or false negatives that were not reported by users were discovered by the operations teams.

-Whenever a user reports a message as phishing, Defender for Office 365 generates an alert and the alert will trigger an AIR playbook. Incident logic will correlate this information to other alerts and events where possible. This consolidation of information helps security teams triage, investigate, and respond to user reported messages.

-User reported messages and admin submissions are handled by the submission pipeline by Microsoft, which follows a tightly integrated process. This process includes:

-Defender for Office 365 actions are seamlessly integrated into hunting experiences and the history of actions are visible on the **History** tab in the unified **Action center** at <https://security.microsoft.com/action-center/history>.

-|`reason`|The reason the composite authentication passed or failed. The value is a 3-digit code. For example: <ul><li>**000**: The message failed explicit authentication (`compauth=fail`). For example, the message received a DMARC fail with an action of quarantine or reject.</li><li>**001**: The message failed implicit authentication (`compauth=fail`). This result means that the sending domain didn't have email authentication records published, or if they did, they had a weaker failure policy (SPF `~all` or `?all`, or s DMARC policy of `p=none`).</li><li>**002**: The organization has a policy for the sender/domain pair that is explicitly prohibited from sending spoofed email. An admin manually configures this setting.</li><li>**010**: The message failed DMARC with an action of reject or quarantine, and the sending domain is one of your organization's accepted-domains (self-to-self or intra-org spoofing).</li><li>**1xx** or **7xx**: The message passed authentication (`compauth=pass`). The last two digits are internal codes used by Microsoft 365.</li><li>**2xx**: The message soft-passed implicit authentication (`compauth=softpass`). The last two digits are internal codes used by Microsoft 365.</li><li>**3xx**: The message wasn't checked for composite authentication (`compauth=none`).</li><li>**4xx** or **9xx**: The message bypassed composite authentication (`compauth=none`). The last two digits are internal codes used by Microsoft 365.</li><li>**6xx**: The message failed implicit email authentication, and the sending domain is one of your organization's accepted domains (self-to-self or intra-org spoofing).</li></ul>|

- **Notes**: Membership in the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).

-In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Exchange message trace**. To go directly to the message trace page, use <https://admin.exchange.microsoft.com/#/messagetrace>.

-If you already have an existing third-party protection service or device that sits in front of Microsoft 365, you can use this guide to migrate your protection to Microsoft Defender for Office 365 to get the benefits of a consolidated management experience, potentially reduced cost (using products that you already pay for), and a mature product with integrated security protection. For more information, see [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender).

-The very high-level migration steps are illustrated in the following diagram. The actual steps are listed in the section named [The migration process](#the-migration-process) later in this article.

-In contrast, if you follow the steps in this migration guide, you'll get the following tangible benefits for your migration:

-This migration guide gives you a plan for gradually "turning the dial" so you can monitor and test how Defender for Office 365 affects your users and their email so you can react quickly to any issues that you encounter.

-The high risk delivery pool is a separate IP address pool for outbound email that's only used to send "low quality" messages (for example, spam and [backscatter](anti-spam-backscatter-about.md). Using the high risk delivery pool helps prevent the normal IP address pool for outbound email from sending spam. The normal IP address pool for outbound email maintains the reputation sending "high quality" messages, which reduces the likelihood that these IP address appear on IP blocklists.

-The very real possibility that IP addresses in the high-risk delivery pool are placed on IP blocklists remains, but this is by design. Delivery to the intended recipients isn't guaranteed, because many email organizations don't accept messages from the high risk delivery pool.

-The outbound high-risk delivery pool manages the delivery for all non-delivery reports (also known as NDRs, bounce messages, delivery status notifications, or DSNs).

-Possible causes for a surge in NDRs include:

-All of these issues can result in a sudden increase in the number of NDRs being processed by the service. Many times, these NDRs appear to be spam to other email servers and services (also known as _[backscatter](anti-spam-backscatter-about.md)_).

-Messages that are forwarded or relayed via Microsoft 365 in certain scenarios are sent using a special relay pool, because the destination shouldn't consider Microsoft 365 as the actual sender. It's important for us to isolate this email traffic, because there are legitimate and invalid scenarios for auto forwarding or relaying email out of Microsoft 365. Similar to the high-risk delivery pool, a separate IP address pool is used for relayed mail. This address pool isn't published because it can change often, and it's not part of published SPF record for Microsoft 365.

-You can tell that a message was sent via the relay pool by looking at the outbound server IP (the relay pool is in the 40.95.0.0/16 range), or by looking at the outbound server name (it has "rly" in the name).

-To add a custom domains, follow the steps in [Add a domain to Microsoft 365](../../admin/setup/add-domain.md).

-If the MX record for your domain points to a third party service or an on-premises email server, you should use [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors). Enhanced Filtering ensures SPF validation is correct for inbound mail and will avoid sending email through the relay pool.

-2. On the **Anti-spam policies** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create policy** and then select **Outbound** from the drop down list to start the new outbound spam policy wizard.

- - **Restriction placed on users who reach the message limit**: Select an action from the drop down list when any of the limits in the **Protection settings** section are exceeded.

- Select one of the following actions from the **Automatic forwarding rules** drop down list:

-As described in the [Exchange Online Service Description](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits), using EOP to send bulk email is not a supported use of the service, and is only permitted on a "best-effort" basis. For customers who do want to send bulk email, we recommend the following solutions:

- - **Internal users**: Click in the **Add a valid email** box or start typing the user's email address. Select the email address in the **Suggested contacts** drop down list that appears. The user's display name is added to the **Add a name** box (which you can change). When you're finished selecting the user, select **Add**.

- - **External users**: Type the external user's full email address in the **Add a valid email** box, and then select the email address in the **Suggested contacts** drop down list that appears. The email address is also added in the **Add a name** box (which you can change to a display name).

-In general, the **Strict protection** profile tends to quarantine less harmful email (for example, bulk and spam) than the **Strict protection** profile, but many of the settings in both profiles are the same (in particular, for unquestionably harmful email like malware or phishing). For a comparison of the setting differences, see the tables in the next section.

-In other words, the settings of the Strict preset security policy override the settings of the Standard preset security policy, which overrides the settings from any anti-phishing, Safe Links, or Safe Attachments evaluation policies, which overrides the settings from any custom policies, which override the settings of the Built-in protection preset security policy for Safe Links and Safe Attachments, and the default policies for anti-spam, anti-malware, and anti-phishing.

-Training users with priority accounts can help save those users and your security operations team much time and frustration. Savvy users are less likely to open attachments or click links in questionable email messages, and they are more likely to avoid suspicious websites.

-When you select multiple quarantined files on the **Files** tab by selecting the check boxes next to the first column (up to 100 files), a **Bulk actions** drop down list appears where you can take the following actions:

-3. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. The policy name is selectable in drop-down lists in upcoming steps.

- - **Select release action preference**: Select one of the following values from the drop down:

- - Select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create policy**, select **Inbound** from the drop down list to start the new anti-spam policy wizard, and then get to the **Actions** page.

-Users can manage quarantined messages where they are one of the recipients as described in [Find and release quarantined messages as a user in EOP](quarantine-end-user.md). But what about **shared mailboxes** where the user has Full Access and Send As or Send on Behalf permissions to the mailbox as described in [Shared mailboxes in Exchange Online](/exchange/collaboration-exo/shared-mailboxes)?

- The user can click the **Review** button in the notification to go to quarantine in the Microsoft 365 Defender portal. This method only allows access to quarantined messages that were sent to the shared mailbox. Users can't manage their own quarantine messages in this context.

- Then, the end-user can select a quarantined message from the list to view or take action on.

- For detailed syntax and parameter information, see the following topics:

-If you _change_ the action of a spam filtering verdict to **Quarantine message** when you create anti-spam policies the the Defender portal, the **Select quarantine policy** box is blank by default. A blank value means the default quarantine policy for that spam filtering verdict is used. These default quarantine policies enforce the historical capabilities for the spam filter verdict that quarantined the message as described in the table [here](quarantine-end-user.md). When you later view or edit the anti-spam policy settings, the quarantine policy name is shown.

-|**Quarantine policy** for **Hight confidence spam** (_HighConfidenceSpamQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if high confidence spam detections are quarantined.|

-If you are not in compliance with these policies and guidelines, it may not be possible for our support team to assist you. If you are adhering to the guidelines, practices, and policies presented in this article and are still experiencing delivery issues based on your sending IP address, please follow the steps to submit a delisting request. For instructions, see [Use the delist portal to remove yourself from the blocked senders list](use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md).

-Email sent to Microsoft 365 should comply with the applicable recommendations listed in the documents below (some links are only available in English).

-Microsoft actively works with industry bodies and service providers in order to improve the internet and email ecosystem. These organizations have published best practice documents that we support and recommend senders adhere to. This improves your ability to deliver email among several email service providers around the world.

-To report unlawful, abusive, unwanted or malicious email, see [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md). Sending these types of communications is a violation of Microsoft policy, and appropriate action will be taken on confirmed reports.

-If you are a member of law enforcement and wish to serve Microsoft Corporation with legal documentation regarding Office 365, or if you have questions regarding legal documentation you have submitted to Microsoft, please call (1) (425) 722-1299.

-2. On the **Alert policy** page, find the alert named **User restricted from sending email**. You can sort the alerts by name, or use the ::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find the alert.

-|Pat's Microsoft 365 E5 organization has no Safe Attachments policies configured.|Pat is protected by Safe Attachments due to the **Built-in protection** preset security policy that applies to all recipients who are not otherwise defined in Safe Attachments policies.|

-|Lee's organization has a Safe Attachments policy that applies only to finance employees. Lee is a member of the sales department.|Lee and the rest of the sales department are protected by Safe Attachments due to the **Built-in protection** preset security policy that applies to all recipients who are not otherwise defined in Safe Attachments policies.|

- |**Replace**|**Note**: This action will be deprecated. For more information, see [MC424901](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC424901). <br/><br/> Removes detected malware attachments. <br/><br/> Notifies recipients that attachments have been removed. <br/><br/> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.┬╣ <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Raise visibility to recipients that attachments were removed because of detected malware.|

- - **Severity**: Select **Low**, **Medium**, or **High** from the drop down list.

- - **Category**: Select **Threat management** from the drop down list.

- - **What do you want to alert on?** section \> **Activity is** \> **Common user activities** section \> Select **Detected malware in file** from the drop down list.

- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).

- - **Replace**: This action will be deprecated. For more information, see [MC424901](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC424901).

- - **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined by Safe Attachments (**Block**, **Replace**, or **Dynamic Delivery**). Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

- - Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** drop down list that appears:

-Safe Documents is a premium feature that uses the cloud back end of [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) to scan opened Office documents in [Protected View](https://support.microsoft.com/office/d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653) or [Application Guard for Office](https://support.microsoft.com/topic/9e0fb9c2-ffad-43bf-8ba3-78f785fdba46).

- - Select the policy from the list by selecting the check box next to the name. The following actions are available in the :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** drop down list that appears:

-These portals let you grant permissions to people who perform tasks like device management, data loss prevention, eDiscovery, retention, and so on. These people can perform only the tasks that you explicitly grant them access to. To access these portals, users need to be a global admin or a member of one or more Defender for Office 365 (Email & collaboration) or Purview compliance groups.

-Permissions in these portals are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by Exchange, so if you're familiar with Exchange Online, granting permissions in these portals will be very similar. But, It's important to remember that role groups in Exchange Online and role groups for Defender for Office 365 or Purview compliance don't share membership or permissions. For example, while an Organization Management role group exists in Exchange Online, the permissions granted and role group members are different than the Organization Management role group in Defender for Office 365 and Purview compliance.

-The table in this section lists the default role groups that are available in the Microsoft 365 Defender and Microsoft Purview compliance portals, and the roles that are assigned to the role groups by default. To grant permissions to a user to perform taks in Defender for Office 365 or Purview compliance, add them to the appropriate role group.

-|**eDiscovery Manager**|Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in eDiscovery (Premium). <br/><br/> An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:<ul><li>View all eDiscovery cases in the organization.</li><li>Manage any eDiscovery case after they add themselves as a member of the case.</li></ul> <br/><br/> The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the **eDiscovery cases** page in the compliance portal. An eDiscovery manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see [Assign eDiscovery permissions in the compliance portal](../../compliance/assign-ediscovery-permissions.md).|Case Management <br/><br/> Communication <br/><br/> Compliance Search <br/><br/> Custodian <br/><br/> Export <br/><br/> Hold <br/><br/> Manage Review Set Tags <br/><br/> Preview <br/><br/> Review <br/><br/> RMS Decrypt <br/><br/> Scope Manager|

-|**Insider Risk Management**|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|Case Management <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> Insider Risk Management Analysis <br/><br/> Insider Risk Management Approval <br/><br/> Insider Risk Management Audit <br/><br/> Insider Risk Management Investigation <br/><br/> Insider Risk Management Sessions <br/><br/> Review <br/><br/> View-Only Case|

-|**Insider Risk Management Analysts**|Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.|Case Management <br/><br/> Insider Risk Management Analysis <br/><br/> View-Only Case|

-|**Insider Risk Management Auditors**|Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log.|Insider Risk Management Audit|

-|**Insider Risk Management Investigators**|Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.|Case Management <br/><br/> Custodian <br/><br/> Insider Risk Management Investigation <br/><br/> Review <br/><br/> View-Only Case|

-|**MailFlow Administrator**|Members can monitor and view mail flow insights and reports in the Defender portal. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks.|View-Only Recipients|

-|**Organization Management**¹|Members can control permissions for accessing features in these portals, and also manage settings for device management, data loss prevention, reports, and preservation. <br/><br/> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <br/><br/> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance PowerShell](/powershell/module/exchange/get-rolegroupmember).|Audit Logs <br/><br/> Case Management <br/><br/> Communication Compliance Admin <br/><br/> Communication Compliance Case Management <br/><br/> Compliance Administrator <br/><br/> Compliance Manager Administration <br/><br/> Compliance Search <br/><br/> Data Connector Admin <br/><br/> Device Management <br/><br/> DLP Compliance Management <br/><br/> Hold <br/><br/> IB Compliance Management <br/><br/> Insider Risk Management Admin <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> Quarantine <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> Role Management <br/><br/> Scope Manager <br/><br/> Search And Purge <br/><br/> Security Administrator <br/><br/> Security Reader <br/><br/> Sensitivity Label Administrator <br/><br/> Sensitivity Label Reader <br/><br/> Service Assurance View <br/><br/> Tag Manager <br/><br/> Tag Reader <br/><br/> View-Only Audit Logs <br/><br/> View-Only Case <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|

-|**Security Administrator**|Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. <br/><br/> By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. <br/><br/> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in these portals (membership or roles), those changes apply only to the security and compliance areas and not to any other services. <br/><br/> This role group includes all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same

-|**Security Reader**|Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. <br/><br/> By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. <br/><br/> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the portals (membership or roles), those changes apply only to security and compliance areas and not to any other services.|Compliance Manager Reader <br/><br/> Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Tag Reader <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts|

-|**Communication**|Manage all communications with the custodians identified in an eDiscovery (Premium) case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that is used by each custodian in a case to track communications for the cases where they were identified as a custodian.|Data Investigator <br/><br/> eDiscovery Manager|

-|**Disposition Management**|Control permissions for accessing Manual Disposition in the the Defender and compliance portals.|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Records Management|

-|**Hold**|Place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners will still be able to modify or delete the original content.|Compliance Administrator <br/><br/> eDiscovery Manager <br/><br/> Organization Management|

-These articles help external senders improve their reputation and increase their ability to deliver email to users at Microsoft 365. They also provide some information about how you can report junk email and phishing attempts even if you aren't a Microsoft 365 user yourself.

-If you're not a customer, but are trying to send mail to someone in who is, you're in the right place. If you're an admin and you need help with fighting spam, this isn't the right section for you. Instead, go to [anti-spam](anti-spam-protection-about.md) and [anti-malware](anti-malware-protection-about.md).

-|Services provided to email system admins that are sending individual and bulk email to customers.|[Services for non-customers sending mail to Office 365](services-for-non-customers.md)|

-|How Microsoft 365 prevents junk email, including phishing and spoofing email, from being sent to our customers.|[Anti-spam protection in Microsoft 365](anti-spam-protection-about.md)|

-|How you, an admin sending email to Microsoft 365 customers, can avoid having email blocked by adhering to our anti-spam policies. This is the legal stuff you need to know.|[Reference: Policies, practices, and guidelines](reference-policies-practices-and-guidelines.md)|

-# Services for non-customers sending mail to Microsoft 365

-Email abuse, junk email, and fraudulent emails (phishing) continue to burden the entire email ecosystem. To help maintain user trust in the use of email, Microsoft has put various policies and technologies in place to help protect our users. However, Microsoft understands that legitimate email shouldn't be negatively affected. Therefore, we've established a suite of services to help senders improve their ability to deliver email to Microsoft 365 users by proactively managing their sending reputation.

-This overview provides information about benefits we provide to your organization even if you aren't a customer.

-|This online help content|Provides: <ul><li>A starting point for any questions related to delivering communications to EOP users.</li><li>Includes a simple online guide with our policies and requirements.</li><li>An overview of the junk email filters and authentication technologies employed by Microsoft.</li><ul>|

-|[Anti-Spam IP Delist Portal](#anti-spam-ip-delist-portal)|A tool to submit IP delist request. Before submitting this request, it's the sender's responsibility to ensure that any further mail originating from the IP in question isn't abusive or malicious.|

-|[Abuse and spam reporting for junk email originating from Exchange Online](#abuse-and-spam-reporting-for-junk-email-originating-from-exchange-online)|Keeps spam and other unwanted mail from being sent from Exchange Online and cluttering up the internet and your mail system.|

- For more information about Microsoft Technical support for Office 365, see [Support](/office365/servicedescriptions/office-365-platform-service-description/support).

-This is a self-service portal you can use to remove yourself from the Microsoft 365 blocked senders list. Use this portal if you're getting an error message when you try to send an email to a recipient whose email address is in Microsoft 365 and you don't think you should be. For more information, see [Use the delist portal to remove yourself from the blocked senders list](use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md).

-Sometimes Microsoft 365 is used by third parties to send junk email, in violation of our terms of use and policy. If you receive any junk email from Office 365, you can report these messages to Microsoft. For instructions, see [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md).

-You use the _advanced delivery policy_ in Microsoft 365 to prevent inbound messages _in these specific scenarios_ from being filtered┬╣. The advanced delivery policy ensures that messages in these scenarios achieve the following results:

- - [Admin submissions](submissions-admin.md) generates an automatic response saying that the message is part of a phishing simulation campaign and isn't a real threat. Alerts and AIR aren't triggered. The admin submissions experience shows these messages as a simulated threat.

-Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as **Phishing simulation** or **SecOps mailbox** system overrides. Admins can filter and analyze on these system overrides in the following experiences:

-> To configure a third-party phishing simulation, you need to provide the following information:

->

-> - At least one **Domain**.

-> - At least one **Sending IP**.

-> - For **non-email** phishing simulations (for example, Microsoft Teams messages, Word documents, or Excel spreadsheets), you can optionally identify the **Simulation URLs to allow** that shouldn't be treated as real threats at time of click: the URLs aren't blocked or detonated, and no URL click alerts or resulting incidents are generated. The URLs are wrapped at time of click, but they aren't blocked.

->

-> There must be a match on at least one **Domain** and one **Sending IP**, but no association between values is maintained.

-> If your MX record doesn't point to Microsoft 365, the IP address in the `Authentication-results` header must match the IP address in the advanced delivery policy. If the IP addresses don't match, you might need to configure [Enhanced Filtering for Connectors](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) so the correct IP address is detected.

-Welcome to the Microsoft Defender for Office 365 trial user guide! This user guide will help you make the most of your free trial by teaching you how to safeguard your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

-Defender for Office 365 helps organizations secure their enterprise by offering a comprehensive slate of capabilities including threat protection policies, reports, threat investigation and response capabilities and automated investigation and response capabilities.

- Audit mode provides access to customized reports for threats detected by Defender for Office 365 on the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation>.

- The default and recommended selection is to scope these Defender for Office 365 policies to all users in the organization. But during or after the setup of your trial, you can change the policy assignment to specific users, groups, or email domains in the Microsoft 365 Defender portal or in [Policy settings associated with Defender for Office 365 evaluations and trials](try-microsoft-defender-for-office-365.md#policy-settings-associated-with-defender-for-office-365-evaluations-and-trials)

- Blocking mode does not provide customized reports for threats detected by Defender for Office 365. Instead, the information is available in the regular reports and investigation features of Defender for Office 365 Plan 2.

-A key factor in audit mode vs. blocking mode is how email is delivered to your Microsoft 365 organization:

- 

- In these environments, you can select **audit mode** or **blocking mode**.

- 

- In these environments, you can select **audit mode** only. You don't need to change your mail flow (MX records).

-We've automatically configured [Preset security policies](preset-security-policies.md) in your environment. These policies represent a baseline protection profile that's suitable for most users. Standard protection includes:

-When you're ready to turn on Defender for Office 365 policies in production, you can use "Convert to Standard Protection" within the evaluation management experience to easily move to Standard protection in [preset security policies](preset-security-policies.md).

-1. On the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>, click **Manage**.

- :::image type="content" source="../../medio-evaluation-page.png":::

-2. In the flyout that opens, click **Convert to Standard protection**

- :::image type="content" source="../../medio-trial-playbook-manage-flyout.png":::

-3. In the **Convert to standard protection** dialog that opens, click **Continue** to initiate the setup.

-2. On the **User tags** page, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create tag** to start the new tag wizard.

-On the **User tags** page, the following properties are displayed in the list of user tags:

-description: Zero-hour auto purge (ZAP) retroactively moves delivered messages in an Exchange Online mailbox to the Junk Email folder or quarantine if those messages are found to be spam, phishing, or contain malware.

-# Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365

-## Zero-hour auto purge (ZAP) basics

-In Microsoft 365 organizations with Exchange Online mailboxes and in Microsoft Teams, zero-hour auto purge (ZAP) is a protection feature that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes or over Teams chat.

-ZAP doesn't work in standalone Exchange Online Protection (EOP) environments that protect on-premises Exchange mailboxes.

-## Zero-hour auto purge (ZAP) in Exchange Online

-Spam and malware signatures are updated in the service real-time on a daily basis. However, users can still receive malicious messages for a variety of reasons, including if content is weaponized after being delivered to users. ZAP addresses this issue by continually monitoring updates to the spam and malware signatures in the service. ZAP can find and take automated actions on messages that are already in a user's mailbox up to 48 hours after delivery.

-The ZAP action is seamless for the user; they aren't notified if a message is detected and moved.

-[Safe sender lists](create-safe-sender-lists-in-office-365.md), mail flow rules (also known as transport rules), Inbox rules, or additional filters take precedence over ZAP. Similar to what happens in mail flow, this means that even if the service determines the delivered message needs ZAP, the message isn't acted on because of the safe senders configuration. This is another reason to be careful about configuring messages to bypass filtering.

-For **read or unread messages** that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. By default, only admins can view and manage quarantined malware messages. But, admins can create and use _quarantine policies_ to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

-For **read or unread messages** that are identified as phishing after delivery, the ZAP outcome depends on the action that's configured for a **Phishing email** filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for phishing and their possible ZAP outcomes are described in the following list:

-By default, ZAP for phishing is enabled in anti-spam policies, and the default action for the **Phishing email** filtering verdict is **Quarantine message**, which means ZAP for phishing quarantines the message by default.

-For **read or unread messages** that are identified as high confidence phishing after delivery, ZAP quarantines the message. By default, only admins can view and manage quarantined high confidence phish messages. But, admins can create and use _quarantine policies_ to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

-ZAP for high confidence phish is enabled by default. For more information, see [Secure by Default in Office 365](secure-by-default.md).

-For **unread messages** that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the **Spam** filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for spam and their possible ZAP outcomes are described in the following list:

-By default, spam ZAP is enabled in anti-spam policies, and the default action for the **Spam** filtering verdict is **Move message to Junk Email folder**, which means spam ZAP moves **unread** messages to the Junk Email folder by default.

-ZAP will not quarantine any message that's in the process of [Dynamic Delivery](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies) in Safe Attachments policy scanning. If a phishing or spam signal is received for messages in this state, and the filtering verdict in the anti-spam policy is set to take some action on the message (Move to Junk, Redirect, Delete, or Quarantine) then ZAP will default to a 'Move to Junk' action.

-> This section lists new features which are currently in preview.

-When a chat message is identified as potentially phishing or malicious in Microsoft Teams, ZAP blocks the message and quarantines it. This message is blocked for both the recipient and the sender. Note that this protection feature only applies to messages in a chat or in a meeting within the organization.

-Admins can view and manage these quarantined messages in Microsoft Teams. For more information, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-messages-in-microsoft-teams). Note that if you're not an admin, you won't be able to view or manage quarantined messages for this release.

-> [!NOTE]

-> Zero-hour auto purge (ZAP) in Microsoft Teams is available only to customers with Microsoft Defender for Office 365 E5 and Defender for Office P2 subscriptions.

-### Zero-hour auto purge (ZAP) for high confidence phishing in Teams

-For messages that are identified as high confidence phishing after delivery, ZAP blocks and quarantines the message. By default, only admins can view and manage quarantined high confidence phishing messages.

-### Zero-hour auto purge (ZAP) for malware in Teams

-For messages that are identified as malware, ZAP blocks and quarantines the message. By default, only admins can view and manage quarantined malware messages.

-Note that for this release, ZAP is available only for messages that are identified as high confidence phish or malware.

-### Review messages blocked in Teams

-To find out if ZAP blocked your message, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-messages-in-microsoft-teams).

-### What happens if a legitimate message is moved to the Junk Email folder?

-You should follow the normal reporting process for [false positives](submissions-report-messages-files-to-microsoft.md). The only reason the message would be moved from the Inbox to the Junk Email folder would be because the service has determined that the message was spam or malicious.

-ZAP will take action on a message based on the configuration your anti-spam policies as described earlier in this article.

-### What if I'm using safe senders, mail flow rules, or allowed/blocked sender lists?

-Safe senders, mail flow rules, or block and allow organizational settings take precedence. These messages are excluded from ZAP since the service is doing what you configured it to do. This is another reason to be careful about configuring messages to bypass filtering.

-### What are the licensing Requirements for Zero-hour auto purge (ZAP) to work?

-There are no limitations on licenses. ZAP works on all mailboxes hosted on Exchange online. ZAP doesn't work in standalone Exchange Online Protection (EOP) environments that protect on-premises Exchange mailboxes.

-### What if a message is moved to another folder (e.g. Inbox rules)?

-Zero-hour auto purge still works as long as the message hasn't been deleted, or as long as the same, or stronger, action hasn't already been applied. For example, if the anti-phishing policy is set to quarantine and message is already in the Junk Email, then ZAP will take action to quarantine the message.

-Zero-hour auto purge will quarantine messages from mailboxes on hold. ZAP can move messages to the Junk Email folder based on the action that's configured for a spam or phishing verdict in anti-spam policies.

-

-2. In the left navigation pane, click **Azure Active Directory**.

-3. Click **External identities**.

-4. On the **Get started** screen, in the left navigation pane, click **External collaboration settings**.

-5. Ensure that either **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions** or **Anyone in the organization can invite guest users including guests and non-admins** is selected.

-6. If you made changes, click **Save**.

-2. In the left navigation pane, click **Show all**.

-3. Under **Admin centers**, click **Teams**.

-5. Ensure that **Allow guest access in Teams** is set to **On**.

-6. Make any desired changes to the additional guest settings, and then click **Save**.

-2. Click **Org settings**.

-3. In the list, click **Microsoft 365 Groups**.

-5. If you made changes, click **Save changes**.

-1. In Teams, on the **Teams** tab, click **Join or create a team** at the bottom of the left pane.

-2. Click **Create a team**.

-3. Click **Build a team from scratch**.

-5. Type a name and description for the team, and then click **Create**.

-6. Click **Skip**.

-1. In the team, click **More options** (**\*\*\***), and then click **Add member**.

-3. Click **Add**, and then click **Close**.

-1. In the team, click **More options** (**\*\*\***), and then click **Add member**.

-3. Click **Edit guest information**.

-4. Type the guest's full name and click the check mark.

-5. Click **Add**, and then click **Close**.

-## See also