-Check out [Microsoft 365 small business help](https://go.microsoft.com/fwlink/?linkid=2197659) on YouTube.

-If you're the person who purchased your Microsoft business subscription, you are the global admin. This means you have unlimited control over the products in your subscriptions and you can access most data.

-For more information, see [About admin roles](about-admin-roles.md).

-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../../business-video/index.yml).

-## Assign admin roles

-You can assign users to a role in two different ways:

-### Assign admin roles to users using Roles

-1. In the admin center, go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2097861" target="_blank">**Role assignments**</a>. Choose the **Azure AD** or **Intune** tabs to view the admin roles available for your organization.

-2. Select the admin role that you want to assign the user to.

-3. Select **Assigned admins** > **Add**.

-4. Type the user's **display name** or **username**, and then select the user from the list of suggestions.

-5. Add multiple users until you're done.

-6. Select **Save**, and then the user will be added to the list of assigned admins.

-[Authorize or remove partner relationships](../misc/add-partner.md) (article)

-## How to enable Adoption Score

-To enable Adoption Score:

-1. Sign in to the Microsoft 365 admin center as a Global Administrator and go to **Reports** > **Adoption Score**

-2. Select **enable Adoption Score**. It can take up to 24 hours for insights to become available.

-> [!NOTE]

-> Only an IT professional with the Global Administrator role can opt-in for Adoption Score.

-Visit [privacy controls for Adoption Score](privacy.md) to understand more about options to configure people experiences for your organization.

-description: "Learn how you can have more than one email address, called an email alias, associated with your Microsoft 365 for business account. "

-This article is for Microsoft 365 administrators who have business subscriptions. It's not for home users.

-

-A primary email address in Microsoft 365 is usually the email address a user was assigned when their account was created. When the user sends email to someone else, their primary email address is what typically appears in the *From* field in email apps. They can also have more than one email address associated with their Microsoft 365 for business account. These additional addresses are called aliases.

-

-For example, let's say Jenna has the email address jenna@contosoco.com, but she also wants to receive email at jen@contosoco.com because some people refer to her by that name. You can create aliases for her so that both email addresses go to Jenna's inbox.

-

-You can create up to 400 aliases for a user. No additional fees or licenses are required.

-> [!Tip]

-> If you want multiple people to manage email sent to a single email address like info@NodPublishers.com or sales@NodPublishers.com, create a shared mailbox. To learn more, see [Create a shared mailbox](create-a-shared-mailbox.md).

-

-## Add email aliases to a user

-You must have Global Admin rights to add email aliases to a user.

-2. On the **Active Users** page, select the user > **Manage username and email**. You won't see this option if the person doesn't have a license assigned to them.

-

-3. Select **+ Add an alias** and enter a new alias for the user.

-

- > [!Important]

- > If you get the error message "**A parameter cannot be found that matches parameter name 'EmailAddresses**," it means that it's taking a bit longer to finish setting up your tenant, or your custom domain if you recently added one. The setup process can take up to 4 hours to complete. Wait a while so the set up process has time to finish, and then try again. If the problem persists, call Support and they will do a full sync for you.

-

-

- > [!IMPORTANT]

- > If you purchased your subscription from GoDaddy or another Partner, to set the new alias as the primary, you must go to the GoDaddy/partner management console.

- > [!IMPORTANT]

- > If you get the error message **This user is synchronized with your local Active Directory. Some details can be edited only through your local Active Directory**, It means that the Active Directory is authoritative for attributes on synchronized users, you need to modify the attributes in your on-premises Active Directory.

-

- > The email alias must end with a domain from the drop-down list. To add another domain name to the list, see [Add a domain to Microsoft 365](../setup/add-domain.md).

-

-

-5. When you're done, choose **Save changes**.

-

-6. Wait 24 hours for the new aliases to populate throughout Microsoft 365.

-

- The user will now have a primary address and an alias. For example, all mail sent to Eliza Hoffman's primary address, Eliza@NodPublishers.com, and her alias, Sales@NodPublishers.com, will go to Eliza's Inbox.

-

-7. **When the user replies, the *From* address will depend on her Outlook client. Outlook on the web will use the alias at which the email was received (we'll call this the ping-pong principle). Outlook desktop will use her primary email alias.** For example, let's say a message is sent to Sales@NodPublishers.com, and it arrives in Eliza's inbox. When Eliza replies to the message using Outlook desktop, her primary email address will appear as Eliza@NodPublishers.com, not Sales@NodPublishers.com.

-

-## Did you get "A parameter cannot be found that matches parameter name EmailAddresses"?

-If you get the error message "**A parameter cannot be found that matches parameter name EmailAddresses**" it means that it's taking a bit longer to finish setting up your tenant, or your custom domain if you recently added one. The setup process can take up to 4 hours to complete. Wait a while so the set up process has time to finish, and then try again. If the problem persists, call Support and they will do a full sync for you.

-

-## Did you purchase your subscription from GoDaddy or another Partner?

-If you purchased your subscription from GoDaddy or another Partner, to set the new alias as the primary, you must go to the GoDaddy/partner management console.

-## Sending email from the proxy address easily

-A new feature is rolling out in July 2021 that allows users to send from their aliases easily when using Outlook on the web. When the feature rolls out to a tenancy where the tenant admin uses the `Set-OrganizationConfig -SendFromAliasEnabled $true` cmdlet, users within the tenancy will get access to a list of checkboxes where each entry corresponds to an alias in their Outlook settings. Selecting an alias will make it appear in the From dropdown in the Compose form.

-## Before you begin

-This article is for people who set password expiration policy for a business, school, or nonprofit. To complete these steps, you need to sign in with your Microsoft 365 admin account. [What's an admin account?](/microsoft-365/admin/add-users/about-admin-roles).

-As an admin, you can make user passwords expire after a certain number of days, or set passwords to never expire. By default, passwords are set to never expire for your organization.

-You must be a [global admin](../add-users/about-admin-roles.md) to perform these steps.

-If you're a user, you don't have the permissions to set your password to never expire. Ask your work or school technical support to do the steps in this article for you.

-1. In the Microsoft 365 admin center, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2072756" target="_blank">**Security & privacy** tab</a>.

- If you aren't a global admin or security admin, you won't see the Security & privacy option.

-

-1. Select **Password expiration policy**.

-1. If you wish to require users to change their passwords periodically, make sure that the **Set passwords to never expire** box is not checked.

-1. Type how often passwords should expire. Choose a number of days from 14 to 730.

-

-## Update password Policy

-# Secure your data with Microsoft 365 for business

- - Office files for Word (.docx), PowerPoint (.pptx), and Excel (.xlsx) are supported.

- - You have [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md).

- - At the time the auto-labeling policy runs, the file mustn't be open by another process or user. A file that's checked out for editing falls into this category.

- - The sensitive information types you select will apply only to content that's created or modified after these information types are [created or modified](audit-log-activities.md#sensitive-information-types-activities). This restriction applies to all custom sensitive information types and any new built-in information types.

- - To test new custom sensitive information types, create them before you create your auto-labeling policy, and then create new documents with sample data for testing.

-3. For the page **Choose info you want this label applied to**: Select one of the templates, such as **Financial** or **Privacy**. You can refine your search by using the **Show options for** dropdown. Or, select **Custom policy** if the templates don't meet your requirements. Select **Next**.

-7. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, including more options for Exchange, select **Advanced rules**. Then select **Next**.

-

- The rules use conditions that include [sensitive information types](sensitive-information-type-learn-about.md), [trainable classifiers](classifier-learn-about.md), and sharing options:

-

- If your location is **Exchange** and you selected **Advanced rules**, there are other conditions that you can select:

- - Attachment's file extension is

- For each of these conditions, you can then specify exceptions.

-

-|Forensic evidence|5 users for preview release|

-|6|**Mailbox Migration**<p>When mailbox migration is initiated from on-premises [Exchange Hybrid](/exchange/exchange-deployment-assistant) to Office 365, Office 365 will connect to your published Exchange Web Services (EWS)/Mailbox Replication Services (MRS) server. If you need to allow inbound connections only from specific source IP ranges, create a permit rule for the IP addresses listed in the **Exchange Online** table in [Office 365 URL & IP ranges](urls-and-ip-address-ranges.md). <p> To ensure that connectivity to published EWS endpoints (like OWA) is not blocked, make sure the MRS proxy resolves to a separate FQDN and public IP address before you restrict connections.|Customer on-premises EWS/MRS Proxy <br> TCP port 443|Inbound server traffic|

-|16|**Microsoft Teams FQDNs** <p> If you are using Internet Explorer or Microsoft Edge, you need to enable first and third-party cookies and add the FQDNs for Teams to your Trusted Sites. This is in addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14. See [Known issues for Microsoft Teams](/microsoftteams/known-issues) for more information.||Trusted Sites|

-|17|**SharePoint Online and OneDrive for Business FQDNs** <p> All '.sharepoint.com' FQDNs with '\<tenant\>' in the FQDN need to be in your client's IE or Edge Trusted Sites Zone to function. In addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14, you'll need to also add these endpoints.||Trusted Sites|

-|23|**Microsoft Graph Change Notifications** <p> Developers can use [change notifications](/graph/webhooks?context=graph%2fapi%2f1.0&view=graph-rest-1.0&preserve-view=true) to subscribe to events in the Microsoft Graph.|Public Cloud: 52.159.23.209, 52.159.17.84, 13.78.204.0, 52.148.24.136, 52.148.27.39, 52.147.213.251, 52.147.213.181, 20.127.53.125, 40.76.162.99, 40.76.162.42, 70.37.95.92, 70.37.95.11, 70.37.92.195, 70.37.93.191, 70.37.90.219, 20.9.36.45, 20.9.35.166, 20.9.36.128, 20.9.37.73, 20.9.37.76, 20.96.21.67, 20.69.245.215, 104.46.117.15, 20.96.21.98, 20.96.21.115, 137.135.11.161, 137.135.11.116, 20.253.156.113, 137.135.11.222, 137.135.11.250, 52.159.107.50, 52.159.107.4, 52.159.124.33, 52.159.109.205, 52.159.102.72, 20.98.68.182, 20.98.68.57, 20.98.68.200, 20.98.68.203, 20.98.68.218, 20.171.81.121, 20.25.189.138, 20.171.82.192, 20.171.83.146, 20.171.83.157, 52.142.114.29, 52.142.115.31, 20.223.139.245, 51.104.159.213, 51.104.159.181, 51.124.75.43, 51.124.73.177, 104.40.209.182, 51.138.90.7, 51.138.90.52, 20.199.102.157, 20.199.102.73, 20.216.150.67, 20.111.9.46, 20.111.9.77, 13.87.81.123, 13.87.81.35, 20.90.99.1, 13.87.81.133, 13.87.81.141, 20.91.212.211, 20.91.212.136, 20.91.213.57, 20.91.208.88, 20.91.209.147, 20.44.210.83, 20.44.210.146, 20.212.153.162, 52.148.115.48, 52.148.114.238, 40.80.232.177, 40.80.232.118, 52.231.196.24, 40.80.233.14, 40.80.239.196, 20.48.12.75, 20.48.11.201, 20.89.108.161, 20.48.14.35, 20.48.15.147, 104.215.13.23, 104.215.6.169, 20.89.240.165, 104.215.18.55, 104.215.12.254 <br> <p> Microsoft Cloud for US Government: 52.244.33.45, 52.244.35.174, 52.243.157.104, 52.243.157.105, 52.182.25.254, 52.182.25.110, 52.181.25.67, 52.181.25.66, 52.244.111.156, 52.244.111.170, 52.243.147.249, 52.243.148.19, 52.182.32.51, 52.182.32.143, 52.181.24.199, 52.181.24.220 <p> Microsoft Cloud China operated by 21Vianet: 42.159.72.35, 42.159.72.47, 42.159.180.55, 42.159.180.56, 40.125.138.23, 40.125.136.69, 40.72.155.199, 40.72.155.216 <br> TCP port 443 <p> Note: Developers can specify different ports when creating the subscriptions.|Inbound server traffic|

-|24|**Network Connection Status Indicator**<p>Used by Windows 10 and 11 to determine if the computer is connected to the internet (does not apply to non-Windows clients). When this URL cannot be reached, Windows will assume it is not connected to the Internet and M365 Apps for Enterprise will not try to verify activation status, causing connections to Exchange and other services to fail.|www.msftconnecttest.com <br> 13.107.4.52<p>Also see [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints) and [Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints).|Outbound server-only traffic|

-|25|**Teams Notifications on Mobile Devices**<p>Used by Android and Apple mobile devices to receive push notifications to the Teams client for incoming calls and other Teams services. When these ports are blocked, all push notifications to mobile devices will fail.|For specific ports, see [FCM ports and your firewall in the Google Firebase documentation](https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall) and [If your Apple devices aren't getting Apple push notifications](https://support.apple.com/en-us/HT203609).|Outbound server-only traffic|

-Microsoft 365 Business Basic/Business Standard/Business Premium/F1/F3/E3/E5/; Office 365 F3/E1/E3/E5; Exchange Online; SharePoint Online; OneDrive for Business.

-> You must have purchased, or verified that you can purchase, cross tenant user data migration licenses prior to the next steps. Migrations will fail if this has not been completed. Microsoft does not offer exceptions for this licensing.

-1. Log in to your Azure AD portal (<https://portal.azure.com>) with your target tenant admin credentials

-1. Select View under "Manage Azure Active Directory".

-1. On the left navigation bar, select "App registrations".

-1. Select "New registration"

-1. On the "Register an application page", under "Supported account types", select" Accounts in any organizational directory (Any Azure AD directory - Multi-tenant)". Then, under "Redirect URI (optional)", select Web and enter <https://office.com>. Lastly, select Register.

-1. On the top-right corner of the page, you'll see a notification pop-up that states the app was successfully created.

-1. Go back to Home, Azure Active Directory and select on "App registrations".

-1. Under "Owned applications", find the app you created and select on it.

-1. Under "Essentials", you'll need to copy down the "Application (client) ID" as you'll need it later to create a URL for the target tenant.

-1. Now, on the left navigation bar, select on "API permissions" to view permissions assigned to your app.

-1. By default, User. Read permissions are assigned to the app you created, but we don't require them for mailbox migrations, you can remove that permission.

-1. Now we need to add permission for mailbox migration, select "Add a permission."

-1. In the "Request API permissions" window, select "APIs my organization uses", search for "Office 365 Exchange Online", and select it.

-1. Next, select "Application permissions."

-1. Then, under "Select permissions", expand Mailbox, and check "Mailbox.Migration", and "Add permissions" at the bottom on the screen.

-1. Now select Certificates & secrets on the left navigation bar for your application.

-1. Under "Client secrets", select "New client secret".

-1. In the Add a client secret window, enter a description, and configure your desired expiration settings.

-> [!NOTE]

-> This is the password that will be used when creating your migration endpoint. It is extremely important that you copy this password to your clipboard and or copy this password to secure/secret password safe location. This is the only time you will be able to see this password! If you do somehow lose it or need to reset it, you can log back into our Azure portal, go to App registrations, find your migration app, select Secrets & certificates, and create a new secret for your app.

-Now that you've successfully created the migration application and secret, you'll need to consent to the application. To consent to the application:

-1. Go back to the Azure Active Directory landing page, select on Enterprise applications in the left navigation, find your migration app you created, select it, and select Permissions on the left navigation.

-1. Select on the "Grant admin consent for [your tenant]" button.

-1. A new browser window will open and select "Accept".

-1. You can go back to your portal window and select Refresh to confirm your acceptance.

-```PowerShell

-https://login.microsoftonline.com/contoso.onmicrosoft.com/adminconsent?client_id=[application_id_of_the_app_you_just_created]&redirect_uri=https://office.com

-```

-> [!NOTE]

-> You will need the application ID of the mailbox migration app you just created.

-> You will need to replace contoso.onmicrosoft.com in the above example with your source tenants correct onmicrosoft.com name.

-> You will also need to replace [application_id_of_the_app_you_just_created] with the application ID of the mailbox migration app you just created.

-> [!NOTE]

-> You will need the application ID of the mailbox migration app you just created and the password (secret) you configured during this process. Depending on the Microsoft 365 cloud instance you use, your endpoint may be different. Please refer to the [Microsoft 365 endpoints](/microsoft-365/enterprise/microsoft-365-endpoints) page, select the correct instance for your tenant and review the Exchange Online _Optimize/Required_ address and replace as appropriate.

-```PowerShell

-# Enable customization if tenant is dehydrated

-$dehydrated=Get-OrganizationConfig | select isdehydrated

-if ($dehydrated.isdehydrated -eq $true) {Enable-OrganizationCustomization}

-$AppId = "[Guid copied from the migrations app]"

-$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AppId, (ConvertTo-SecureString -String "[this is your secret password you saved in the previous steps]" -AsPlainText -Force)

-New-MigrationEndpoint -RemoteServer outlook.office.com -RemoteTenant "contoso.onmicrosoft.com" -Credentials $Credential -ExchangeRemoteMove:$true -Name "[the name of your migration endpoint]" -ApplicationId $AppId

-```

-1. Create new or edit your existing organization relationship object to your source tenant.

-```PowerShell

-$sourceTenantId="[tenant id of your trusted partner, where the source mailboxes are]"

-$orgrels=Get-OrganizationRelationship

-$existingOrgRel = $orgrels | ?{$_.DomainNames -like $sourceTenantId}

-If ($null -ne $existingOrgRel)

-{

- Set-OrganizationRelationship $existingOrgRel.Name -Enabled:$true -MailboxMoveEnabled:$true -MailboxMoveCapability Inbound

-}

-If ($null -eq $existingOrgRel)

-{

- New-OrganizationRelationship "[name of the new organization relationship]" -Enabled:$true -MailboxMoveEnabled:$true -MailboxMoveCapability Inbound -DomainNames $sourceTenantId

-}

-```

-1. From a browser, go to the URL link provided by your trusted partner to consent to the mailbox migration application. The URL will look like the following:

-```PowerShell

-https://login.microsoftonline.com/contoso.onmicrosoft.com/adminconsent?client_id=[application_id_of_the_app_you_just_created]&redirect_uri=https://office.com

-```

-> [!NOTE]

-> You will need the application ID of the mailbox migration app you just created. You will need to replace _contoso.onmicrosoft.com_ in the above example with your source tenant's onmicrosoft.com URL. You will also need to replace [application_id_of_the_app_you_just_created] with the application ID of the mailbox migration app you just created.

-1. Accept the application when the pop-up appears. You can also log into your Azure Active Directory portal and find the application under Enterprise applications.

-```PowerShell

-$targetTenantId="[tenant id of your trusted partner, where the mailboxes are being moved to]"

-$appId="[application id of the mailbox migration app you consented to]"

-$scope="[name of the mail enabled security group that contains the list of users who are allowed to migrate]"

-New-DistributionGroup -Type Security -Name $scope

-$existingOrgRel = $orgrels | ?{$_.DomainNames -like $targetTenantId}

-If ($null -ne $existingOrgRel)

-{

- Set-OrganizationRelationship $existingOrgRel.Name -Enabled:$true -MailboxMoveEnabled:$true -MailboxMoveCapability RemoteOutbound -OAuthApplicationId $appId -MailboxMovePublishedScopes $scope

-}

-If ($null -eq $existingOrgRel)

-{

- New-OrganizationRelationship "[name of your organization relationship]" -Enabled:$true -MailboxMoveEnabled:$true -MailboxMoveCapability RemoteOutbound -DomainNames $targetTenantId -OAuthApplicationId $appId -MailboxMovePublishedScopes $scope

-}

-```

-[Learn more about deploying dynamic frontline teams from your Microsoft 365 admin center](deploy-dynamic-teams-at-scale.md).

-2. On the **Deployment insights** page, review the following areas to gather insight on your tenantsΓÇÖ deployment progress.

-4. Select **View tenant deployment plan** to navigate you to the tenantΓÇÖs deployment plan.

-6. From the tenantΓÇÖs **Deployment plan** tab, select the applicable deployment task.

-|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>Windows, Mac, iOS, and Android OS (*For Windows Server and Linux, see note 6 below*) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

-|Partner APIs|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

-To perform tasks in the Microsoft 365 Defender portal, such as configuring Defender for Business, viewing reports, or taking response actions on detected threats, appropriate permissions must be assigned to your security team. Permissions are granted through roles that are assigned in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or in [Azure Active Directory](/azure/active-directory/roles/manage-roles-portal).

-| **Security reader** | Security readers can perform the following tasks:<br/>- View a list of onboarded devices<br/>- View security policies<br/>- View alerts and detected threats<br/>- View security information and reports <br/><br/>Security readers cannot add or edit security policies, nor can they onboard devices. |

-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

-2. In the navigation pane, choose **Permissions & roles**, and then under **Azure AD**, select **Roles**.

-3. Select one of the following roles that are relevant to Defender for Business:

- - Global administrator

- - Security administrator

- - Security reader

- A side pane opens and displays information, such as which users are assigned that role.

-4. In the side pane, select the **Manage members in Azure AD** link. This action takes you to the **Users** view in Azure Active Directory (Azure AD), where you can view and manage your role assignments.

- | Add a role to a user account | 1. In the [**Users** view in Azure AD](https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers), select a user to open their profile.<br/><br/>2. In the navigation pane, under **Manage**, select **Assigned roles**, and then choose **+ Add assignments**.<br/><br/>3. Search for one of the following roles, select it, and then choose **Add** to assign that role to the user account.<br/>- Global Administrator<br/>- Security Administrator<br/>- Security Reader |

- | Remove a role from a user account | 1. In the [**Users** view in Azure AD](https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers), select a user to open their profile.<br/><br/>2. In navigation pane, under **Manage**, select **Assigned roles**.<br/><br/>3. Select one or more administrative roles, and then select **X Remove assignments**. |

-1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Settings** > **Web content filtering** > **+ Add policy**.

-keywords: security, malware, MVI, Microsoft Malware Protection Center, MMPC, alliances, WDSI

-ms.sitesec: library

-> [!NOTE]

-> The MVI Program is not currently accepting new applications for membership but will reopen for new member applications on June 1, 2023. Please contact MVI@microsoft.com for more information.

- - **Bulk email threshold**: Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the **Bulk** spam filtering verdict that you configure on the next page. A higher value indicates the message is less desirable (more likely to resemble spam). The default value is 7. For more information, see [Bulk complaint level (BCL) in EOP](anti-spam-bulk-complaint-level-bcl-about.md) and [What's the difference between junk email and bulk email?](anti-spam-spam-vs-bulk-about.md).

- By default, the PowerShell only setting _MarkAsSpamBulkMail_ is `On` in anti-spam policies. This setting dramatically affects the results of a **Bulk** filtering verdict:

- - **_MarkAsSpamBulkMail_ is On**: A BCL that's greater than or equal to the threshold is converted to an SCL 6 that corresponds to a filtering verdict of **Spam**, and the action for the **Bulk** filtering verdict is taken on the message.

- - **_MarkAsSpamBulkMail_ is Off**: The message is stamped with the BCL, but _no action_ is taken for a **Bulk** filtering verdict. In effect, the BCL threshold and **Bulk** filtering verdict action are irrelevant.

- - **Bulk**

- - **Intra-Organizational messages to take action on**: Select what types of intra-organizational messages containing malicious or spam-based URLs to take action on. The default setting is to take no action on messages. The action taken on different spam filtering verdicts for intra-org messages is the same as configured above in the message actions section.

- The default behavior will be updated in the future to take action on high-confidence phishing messages. Additional details on handling malicious intra-organizational messages are communicated through posts in the Message Center Portal.

- > By default, spam filtering is configured to send messages that were marked as spam to the recipient's Junk Email folder. However, in hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the EOP spam headers that are added to messages. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).

-|`CAT:`|The category of protection policy, applied to the message: <ul><li>`BULK`: Bulk</li><li>`DIMP`: Domain Impersonation</li><li>`GIMP`: [Mailbox intelligence based impersonation](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`MALW`: Malware</li><li>`PHSH`: Phishing</li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User Impersonation</li><li>`AMP`: Anti-malware</li><li>`SAP`: Safe attachments</li><li>`FTBP`: Anti-malware filetype policy</li><li>`OSPM`: Outbound spam</li></ul> <br/> An inbound message might be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).|

-|&nbsp;&nbsp;**Bulk** detection action (_BulkSpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)|

- - **Bulk**: Verify **Move message to Junk Email folder** is selected (Standard) or select **Quarantine message** (Strict).

-|**Bulk** detection action (_BulkSpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)||

-|**Quarantine policy** for **Bulk** (_BulkQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if bulk detections are quarantined.|

-This section explains how to allow users to send email as a group in the<a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center (EAC)</a> in Exchange Online.