Updates from: 06/05/2021 03:15:23
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee Step 7 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-7.md
The above operations can be done in three places:
**Fastest for a user with presence on-premises and in the Exchange Datacenter**: Terminate the session using Azure Active Directory admin center/Exchange admin center AND make the change in the on-premises environment as well. Otherwise, the change in Azure Active Directory admin center/Exchange admin center will be overwritten by DirSync.
-## Related articles
+## Related content
-[Restore a user](restore-user.md)
-
-[Reset passwords](reset-passwords.md)
+[Restore a user](restore-user.md) (article)/
+[Reset passwords](reset-passwords.md) (article)
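Review bot: The added "Restore a user" line ends with a forward slash, `(article)/`, where the related-content lists elsewhere in these docs end each entry with a backslash, `(article)\`, to force a line break. As written the slash renders literally and the two links run together on one line; change it to `(article)\`.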
admin Get Details About Managed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/get-details-about-managed-devices.md
There are a few things you need to set up to run the commands and scripts descri
For more info on these steps, seeΓÇ»[Connect to Microsoft 365 with PowerShell](/office365/enterprise/powershell/connect-to-office-365-powershell).
-1. Go to [Microsoft Online Services Sign-In Assistant for IT Professionals RTWl](https://www.microsoft.com/download/details.aspx?id=41950) and select  **Download for Microsoft Online Services Sign-in Assistant**.
+1. Go to [Microsoft Online Services Sign-In Assistant for IT Professionals RTWl](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi) and select  **Download for Microsoft Online Services Sign-in Assistant**.
2. Install the Microsoft Azure Active Directory Module for Windows PowerShell with these steps:
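Review bot: The link in step 1 now points straight at an installer (`msoidcli_32bit.msi`) rather than a download page, but the step still tells the reader to select **Download for Microsoft Online Services Sign-in Assistant**, which no longer matches what happens when the link is followed. Either keep the link on a landing page where the reader can see the package details and choose a build, or reword the step to say that it downloads the 32-bit MSI directly. The "RTWl" typo in the link text can be fixed while the line is being touched.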
admin Office 365 Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/office-365-groups.md
Microsoft 365 Groups is the foundational membership service that drives all team
With a Microsoft 365 group, you don't have to manually assign permissions to each of these resources. Adding people to the group automatically gives them the permissions they need.
-Any user can create a group unless you [limit group creation to a specific set of people](../../solutions/manage-creation-of-groups.md). If you limit group creation, users who cannot create groups will not be able to create SharePoint sites, Planners, or teams. These services require the people creating them to be able to create a group. Users can still participate in group activities, such as creating tasks in Planner or using Teams chat, provided they are a member of the group.
+Any user can create a group unless you [limit group creation to a specific set of people](../../solutions/manage-creation-of-groups.md). If you limit group creation, users who cannot create groups will not be able to create SharePoint sites, Planners, teams, Outlook group calendars, Stream groups, Yammer groups, Shared libraries in OneDrive, or shared Power BI workspaces. These services require the people creating them to be able to create a group. Users can still participate in group activities, such as creating tasks in Planner or using Teams chat, provided they are a member of the group.
Groups have the following roles:
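Review bot: In the expanded list on the added line, "Shared libraries in OneDrive" is capitalised mid-sentence while "shared Power BI workspaces" is not; use lower case for both. This sentence is what an admin reads when deciding whether to restrict group creation, so consider breaking the eight affected services out into a bulleted list to make the scope of the restriction easy to scan.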
Microsoft 365 groups work with Azure Active Directory. The groups features you g
[Upgrade distribution lists to Microsoft 365 Groups](../manage/upgrade-distribution-lists.md) (article)\ [Manage Microsoft 365 Groups with PowerShell](../../enterprise/manage-microsoft-365-groups-with-powershell.md) (article)\ [SharePoint Online Limits](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits) (article)\
-[Organize groups and channels in Microsoft Stream](/stream/groups-channels-organization) (article)
+[Organize groups and channels in Microsoft Stream](/stream/groups-channels-organization) (article)
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
When the tool finishes running, it produces an output file in comma-separated (.
- Supported Mailbox - If they are on an OAuth-enabled mailbox > [!NOTE]
-> Multifactor authentication is not supported when using the Central Deployment PowerShell module.
+> Multifactor authentication is not supported when using the Central Deployment PowerShell module. The module only works with Basic authentication.
## User and group assignments
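Review bot: The sentence added to the note, "The module only works with Basic authentication", states a limitation without saying what follows from it. Tell the reader what to do when the admin account requires multifactor authentication, or link to that guidance from the note.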
admin Productivity Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/productivity/productivity-score.md
We provide metrics, insights, and recommendations in two areas:
For each of the mentioned categories, we look at public research to identify some best practices and associated benefits in the form of organizational effectiveness. For example, Forrester research has shown that when people collaborate and share content in the cloud (instead of emailing attachments), they can save up to 100 minutes a week. Furthermore, we quantify the use of these best practices in your organization to help you see where you are on your digital transformation journey. -- **Technology experiences:** Your organization depends on reliable and well performing technology as well as the efficient use of Microsoft 365. [Endpoint analytics](https://aka.ms/endpointanalytics) helps you understand how your organization can be impacted by performance and health issues with your hardware and software. Microsoft 365 apps health helps you understand whether the devices in your organization are running Microsoft 365 apps on recommended channels.
+- **Technology experiences:** Your organization depends on reliable and well-performing technology, as well as the efficient use of Microsoft 365. [Endpoint analytics](https://aka.ms/endpointanalytics) helps you understand how your organization can be impacted by performance and health issues with your hardware and software. Microsoft 365 apps health helps you understand whether the devices in your organization are running Microsoft 365 apps on recommended channels.
## Before you begin
For people experiences data, you need a Microsoft 365 for business or Office 365
> [!NOTE] > A license to Workplace Analytics is not required to get the Productivity Score features.
-Productivity Score is only available in the Microsoft 365 Admin Center and can only be accessed by IT professionals who have one of the following roles:
+Productivity Score is only available in the Microsoft 365 admin center and can only be accessed by IT professionals who have one of the following roles:
- Global admin - Exchange admins
For network connectivity, the recommended benchmark is 80 points.
The **Score breakdown** section provides a breakdown of your Productivity Score with benchmarks by people and technology experience areas.
-Score history displays how your score in each category has changed in the past 6 months.
+Score history displays how your score in each category has changed in the past six months.
-The **People experiences** and **Technology experiences** areas contain the primary insights for the categories in those areas. You can click on each category to see deeper insights.
+The **People experiences** and **Technology experiences** areas contain the primary insights for the categories in those areas. You can select each category to see deeper insights.
## Category details pages
-Each category details page shows the primary insight and supporting metrics as well as related research and actions you can take to drive change in your organization. Research supports the importance and rationale behind the primary insights for each category. for more information, [read the Forrester report](https://vc2prod.blob.core.windows.net/vc-resources/TEIStudies/TEI%20of%20Microsoft%20365%20E5%20-%20Oct%202018.pdf).
+Each category details page shows the primary insight and supporting metrics as well as related research and actions you can take to drive change in your organization. Research supports the importance and rationale behind the primary insights for each category. For more information, [read the Forrester report](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2PBrb).
The details pages are: - [Content collaboration ΓÇô people experiences](content-collaboration.md)
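Review bot: The replacement link for the Forrester report in the "Category details pages" paragraph is an opaque binary-download URL (ending `/binary/RE2PBrb`), so the reader cannot tell from the link what file they will receive. Put the document title and format in the link text, which the old URL's file name at least conveyed ("TEI of Microsoft 365 E5 - Oct 2018.pdf").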
admin Security Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-guide.md
The links for PowerPoint and PDF below can be downloaded and printed in tabloid
![Image for secure your small business info graphic](../media/smbthreatprotectioninfographic-thumbnail.png)
-[PDF](downloads/smbthreatprotection-infographic.pdf) | [PowerPoint](https://github.com/MicrosoftDocs/microsoft-365-docs-pr/raw/live/m365-democracy/microsoft-365/admin/downloads/smbthreatprotection-infographic.pptx)
+[PDF](downloads/smbthreatprotection-infographic.pdf) | [PowerPoint](downloads/smbthreatprotection-infographic.pptx)
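Review bot: Confirm that `smbthreatprotection-infographic.pptx` is actually committed under `downloads/` next to the PDF. The old PowerPoint link pointed into a different repository (`microsoft-365-docs-pr`), so the new relative path only resolves if the file exists in this one.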
commerce About Registration Numbers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/about-registration-numbers.md
The following table contains samples of the registration numbers collected for e
| **Poland** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Poland-TIN.pdf) – Tax Identification number<br>[PESEL](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Poland-TIN.pdf) – The national identification number used in Poland (Polish Powszechny Elektroniczny System Ewidencji Ludności, Universal Electronic System for Registration of the Population) | | | | | | **Russia** | [INN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Russia-TIN.pdf) – Tax identification number (Russian “Individualiy Nomer Nalogoplatelshika”) | | | | | | **Saudi Arabia** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Saudi-Arabia-TIN.pdf) – Tax Identification number | | | | |
-| **South Africa** | TRN ΓÇô traffic registration number | | | | |
+| **South Africa** | TRN ΓÇô tax reference number | | | | |
| **South Sudan** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | | | **Tajikistan** | INN ΓÇô Tax Identification number<br>EIN ΓÇô Employer Identification number<br>KPP ΓÇô This is a code that reflects the reason for the organization registration. | | | | | | **Thailand** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
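Review bot: The corrected South Africa row ("tax reference number") still has no source link, unlike the Poland, Russia, Saudi Arabia and South Sudan rows around it, which link to the OECD TIN pages. Since this row was wrong before, add a reference so the expansion can be checked.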
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
You can apply retention labels to content automatically when that content contai
> [!WARNING] > This configuration currently has a known limitation where all unlabeled emails always have the selected retention label applied when there is a match for your chosen sensitive information types. For example, even if you scope your auto-apply policy to specific users, or select locations other than Exchange for the policy, the label is always applied to unlabeled emails when there is a match.
-When you create auto-apply retention label policies for sensitive information, you see the same list of policy templates as when you create a data loss prevention (DLP) policy. Each template is preconfigured to look for specific types of sensitive information. For example, the template shown here looks for U.S. ITIN, SSN, and passport numbers from the **Privacy** category, and **U.S Personally Identifiable Information (PII) Data** template:
+When you create auto-apply retention label policies for sensitive information, you see the same list of policy templates as when you create a data loss prevention (DLP) policy. Each template is preconfigured to look for specific types of sensitive information. In the following example, the sensitive info types are from the **Privacy** category, and **U.S Personally Identifiable Information (PII) Data** template:
![Policy templates with sensitive information types](../media/sensitive-info-configuration.png) To learn more about the sensitivity information types, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md). Currently, [exact data matches](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) and [document fingerprinting](document-fingerprinting.md) are not supported for this scenario.
-After you select a policy template, you can add or remove any types of sensitive information, and you can change the instance count and match accuracy. In the example screenshot shown next, a retention label will be auto-applied only when:
+After you select a policy template, you can add or remove any types of sensitive information, and you can change the confidence level and instance count. In the previous example screenshot, these options have been changed so that a retention label will be auto-applied only when:
-- The type of sensitive information that's detected has a match accuracy (or confidence level) of at least 75. Many sensitive information types are defined with multiple patterns, where a pattern with a higher match accuracy requires more evidence to be found (such as keywords, dates, or addresses), while a pattern with a lower match accuracy requires less evidence. The lower the **min** match accuracy, the easier it is for content to match the condition.
+- The type of sensitive information that's detected has a match accuracy (or [confidence level](sensitive-information-type-learn-about.md#more-on-confidence-levels)) of at least **Medium confidence** for two of the sensitive info types, and **High confidence** for one. Many sensitive information types are defined with multiple patterns, where a pattern with a higher match accuracy requires more evidence to be found (such as keywords, dates, or addresses), while a pattern with a lower match accuracy requires less evidence. The lower the confidence level, the easier it is for content to match the condition but with the potential for more false positives.
-- The content contains between 1 and 9 instances of any of these three sensitive information types. You can delete the **to** value so that it changes to **Any**.
+- The content contains between 1 and 9 instances of any of these three sensitive info types. The default for the **to** value is **Any**.
For more information about these options, see the following guidance from the DLP documentation [Tuning rules to make them easier or harder to match](data-loss-prevention-policies.md#tuning-rules-to-make-them-easier-or-harder-to-match).
-
-![Options for identifying sensitive information types](../media/de255881-f596-4c8d-8359-e974e3a0819a.png)
To consider when using sensitive information types to auto-apply retention labels:
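Review bot: The rewritten bullets refer to "two of the sensitive info types" and "these three sensitive info types", but the intro sentence no longer names them (the old text listed U.S. ITIN, SSN, and passport numbers) and the second screenshot is removed, so the example now depends entirely on the one remaining image. Name the three types in the text and say which one is set to **High confidence**, so the example can be followed without the screenshot.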
compliance Assign Ediscovery Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/assign-ediscovery-permissions.md
Title: "Assign eDiscovery permissions in the Security & Compliance Center"
+ Title: "Assign eDiscovery permissions in the Microsoft 365 compliance center"
f1.keywords: - NOCSH
search.appverid:
- MOE150 - MET150 ms.assetid: 5b9a067b-9d2e-4aa5-bb33-99d8c0d0b5d7
-description: "Assign the permissions required to perform eDiscovery-related tasks using the Security & Compliance Center."
+description: "Assign the permissions required to perform eDiscovery-related tasks using the Microsoft 365 compliance center."
-# Assign eDiscovery permissions in the Security & Compliance Center
+# Assign eDiscovery permissions in the Microsoft 365 compliance center
-If you want people to use any of the [eDiscovery-related tools](ediscovery.md) in the Security & Compliance Center in Office 365 or the Microsoft 365 compliance center, you have to assign them the appropriate permissions. The easiest way to do this is to add the person the appropriate role group on the **Permissions** page in the Security & Compliance Center. This topic describes the permissions required to perform eDiscovery- and Content Search-related tasks using the Security & Compliance Center.
+If you want people to use any of the [eDiscovery-related tools](ediscovery.md) in the Microsoft 365 compliance center, you have to assign them the appropriate permissions. The easiest way to do this is to add the person the appropriate role group on the **Permissions** page in the compliance center. This topic describes the permissions required to perform eDiscovery tasks.
-The primary eDiscovery-related role group in Security & Compliance Center is called **eDiscovery Manager**. There are two subgroups within this role group.
+The primary eDiscovery-related role group in Microsoft 365 compliance center is called **eDiscovery Manager**. There are two subgroups within this role group.
-- **eDiscovery Managers** - An eDiscovery Manager can use the Content Search tool in the Security & Compliance Center to search content locations in the organization, and perform various search-related actions such as preview and export search results. Members can also create and manage cases in Core eDiscovery and Advanced eDiscovery, add and remove members to a case, create case holds, run searches associated with a case, and access case data. eDiscovery Managers can only access and manage the cases they create. They can't access or manage cases created by other eDiscovery Managers.
+- **eDiscovery Managers** - An eDiscovery Manager can use eDiscovery search tools to search content locations in the organization, and perform various search-related actions such as preview and export search results. Members can also create and manage cases in Core eDiscovery and Advanced eDiscovery, add and remove members to a case, create case holds, run searches associated with a case, and access case data. eDiscovery Managers can only access and manage the cases they create. They can't access or manage cases created by other eDiscovery Managers.
- **eDiscovery Administrators** - An eDiscovery Administrator is a member of the eDiscovery Manager role group, and can perform the same content search and case management-related tasks that an eDiscovery Manager can perform. Additionally, an eDiscovery Administrator can:
- - Access all cases that are listed on the **eDiscovery** and **Advanced eDiscovery** pages in the Security & Compliance Center.
+ - Access all cases that are listed on the **Core eDiscovery** and **Advanced eDiscovery** pages in the Microsoft 365 compliance center.
- Access case data in Advanced eDiscovery for any case in the organization.
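Review bot: The added intro paragraph carries over a missing word from the old text: "add the person the appropriate role group" should read "add the person to the appropriate role group". In the same hunk, "in Microsoft 365 compliance center" in the **eDiscovery Manager** paragraph drops the article that the other added lines use; make it "in the Microsoft 365 compliance center".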
The primary eDiscovery-related role group in Security & Compliance Center is cal
For reasons why you might want eDiscovery Administrators in your organization, see [More information](#more-information). > [!NOTE]
-> To analyze a user's data using Advanced eDiscovery, the user (the custodian of the data) must be assigned an Office 365 E5 or Microsoft 365 E5 license. Alternatively, users with an Office 365 E1 or a Office 365 or Microsoft 365 E3 license can be assigned an Microsoft 365 E5 Compliance or Microsoft 365 eDiscovery and Audit add-on license. Administrators, compliance officers, or legal personnel who are assigned to cases as members and use Advanced eDiscovery to collect, view, and analyze data don't need an E5 license. For more information about Advanced eDiscovery licensing, see [Get started with Advanced eDiscovery](get-started-with-advanced-ediscovery.md).
+> To analyze a user's data using Advanced eDiscovery, the user (the custodian of the data) must be assigned an Office 365 E5 or Microsoft 365 E5 license. Alternatively, users with an Office 365 E1 or a Office 365 or Microsoft 365 E3 license can be assigned an Microsoft 365 E5 Compliance or Microsoft 365 eDiscovery and Audit add-on license. Administrators, compliance officers, or legal personnel who are assigned to cases as members and use Advanced eDiscovery to collect, view, and analyze data don't need an E5 license. For more information about Advanced eDiscovery licensing, see [Subscriptions and licensing in Advanced eDiscovery](overview-ediscovery-20.md#subscriptions-and-licensing).
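Review bot: The licensing note is re-added with its article errors intact: "a Office 365" and "an Microsoft 365 E5 Compliance" should be "an Office 365" and "a Microsoft 365 E5 Compliance". Only the link at the end of the note changed, so this is a convenient place to fix them.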
-## Confirm your roles
+## Before you assign permissions
-- You have to be a member of the Organization Management role group or be assigned the Role Management role to assign eDiscovery permissions in the Security & Compliance Center.
+- You have to be a member of the Organization Management role group or be assigned the Role Management role to assign eDiscovery permissions in the Microsoft 365 compliance center.
- You can use the [Add-RoleGroupMember](/powershell/module/exchange/Add-RoleGroupMember) cmdlet in Security & Compliance Center PowerShell to add a mail-enabled security group as a member of the eDiscovery Managers subgroup in the eDiscovery Manager role group. However, you can't add a mail-enabled security group to the eDiscovery Administrators subgroup. For details, see [More information](#more-information).
-## Assign eDiscovery permissions in the Security & Compliance Center
+## Assign eDiscovery permissions
-1. Go to [https://protection.office.com](https://protection.office.com).
+1. Go to <https://compliance.microsoft.com> and sign in using an account that can assign permissions.
-2. Sign in using your work or school account.
-
-3. In the left pane of the security and compliance center, select **Permissions**, and then select the checkbox next to **eDiscovery Manager**.
+2. In the left pane of the Microsoft 365 compliance center, select **Permissions**.
+
+3. On the **Permissions & Roles** page, under **Compliance center**, click **Roles**.
+
+4. On the **Compliance center roles** page, select **eDiscovery Manager**.
-4. On the **eDiscovery Manager** flyout page, do one of the following based on the eDiscovery permissions that you want to assign.
+5. On the **eDiscovery Manager** flyout page, do one of the following based on the eDiscovery permissions that you want to assign.
- **To make a user an eDiscovery
+ **To make a user an eDiscovery
- **To make a user an eDiscovery Administrator:** Next to **eDiscovery Manager**, select **Edit**. In the **Choose eDiscovery Administrator** section, Under **eDiscovery Administrators**, select **Choose eDiscovery Administrator**, select **Edit**, and then select ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **Add**. Select the user (or users) you want to add as an **eDiscovery Administrator**, and then **Add**. When you're finished adding users, select **Done**. Then, on the **Editing Choose eDiscovery Administrator** flyout page, select **Save** to save the changes to the eDiscovery Administrator membership.
+ **To make a user an eDiscovery Administrator:** Next to **eDiscovery Administrator**, select **Edit**. On the **Choose eDiscovery Administrator** page, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **Add**. Select the user (or users) you want to add as an **eDiscovery Administrator**, and then **Add**. When you're finished adding users, select **Done**. Then, on the **Editing Choose eDiscovery Administrator** wizard page, select **Save** to save the changes to the eDiscovery Administrator membership.
> [!NOTE] > You can also use the **Add-eDiscoveryCaseAdmin** cmdlet to make a user an eDiscovery Administrator. However, the user must be assigned the Case Management role before you can use this cmdlet to make them an eDiscovery Administrator. For more information, see [Add-eDiscoveryCaseAdmin](/powershell/module/exchange/add-ediscoverycaseadmin).
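Review bot: The new step 3 and the rewritten eDiscovery Administrator sub-step use "click" ("click **Roles**", "click ... **Add**") while the rest of the procedure uses "select"; use "select" throughout. Step 2 also sends the reader to **Permissions** while step 3 calls the resulting page **Permissions & Roles**; confirm both labels match what the compliance center shows, because this procedure grants a privileged role and should be unambiguous.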
-On the **Permissions** page in the Security & Compliance Center, you can also assign users eDiscovery-related permissions by adding them to the Compliance Administrator, Organization Management, and Reviewer role groups. For a description of the eDiscovery-related RBAC roles assigned to each of these role groups, see [RBAC roles related to eDiscovery](#rbac-roles-related-to-ediscovery).
+On the **Permissions** page in the Microsoft 365 compliance center, you can also assign users eDiscovery-related permissions by adding them to the Compliance Administrator, Organization Management, and Reviewer role groups. For a description of the eDiscovery-related RBAC roles assigned to each of these role groups, see [RBAC roles related to eDiscovery](#rbac-roles-related-to-ediscovery).
## RBAC roles related to eDiscovery
-The following table lists the eDiscovery-related RBAC roles in the Security & Compliance Center, and indicates the built-in role groups that each role is assigned to by default.
+The following table lists the eDiscovery-related RBAC roles in the Microsoft 365 compliance center, and indicates the built-in role groups that each role is assigned to by default.
| Role | Compliance Administrator | eDiscovery Manager & Administrator | Organization Management | Reviewer | |:--|:--:|:--:|:--:|:--:|
The following sections describe each of the eDiscovery-related RBAC roles listed
### Case Management
-This role lets users create, edit, delete, and control access to Core eDiscovery and Advanced eDiscovery cases in the Security & Compliance Center. As previously explained, a user must be assigned the Case Management role before you can use the **Add-eDiscoveryCaseAdmin** cmdlet to make them an eDiscovery Administrator.
+This role lets users create, edit, delete, and control access to Core eDiscovery and Advanced eDiscovery cases in the Microsoft 365 compliance center. As previously explained, a user must be assigned the Case Management role before you can use the **Add-eDiscoveryCaseAdmin** cmdlet to make them an eDiscovery Administrator.
For more information, see:
For more information, see [Work with communications in Advanced eDiscovery](mana
### Compliance Search
-This role lets users run the Content Search tool in the Security & Compliance Center to search mailboxes and public folders, SharePoint Online sites, OneDrive for Business sites, Skype for Business conversations, Microsoft 365 groups, and Microsoft Teams, and Yammer groups. This role allows a user to get an estimate of the search results and create export reports, but additional roles are needed to initiate content search actions such as previewing, exporting, or deleting search results.
+This role lets users run the Content Search tool in the Microsoft 365 compliance center to search mailboxes and public folders, SharePoint Online sites, OneDrive for Business sites, Skype for Business conversations, Microsoft 365 groups, and Microsoft Teams, and Yammer groups. This role allows a user to get an estimate of the search results and create export reports, but other roles are needed to initiate content search actions such as previewing, exporting, or deleting search results.
Users who are assigned the Compliance Search role but don't have the Preview role can preview the results of a search in which the preview action has been initiated by a user who is assigned the Preview role. The user without the Preview role can preview results for up to two weeks after the initial preview action was created.
For more information, see [Work with custodians in Advanced eDiscovery](managing
The role lets users export the results of a Content Search to a local computer. It also lets them prepare search results for analysis in Advanced eDiscovery.
-For more information about exporting search results, see [Export search results from Security & Compliance Center](export-search-results.md).
+For more information about exporting search results, see [Export search results from Microsoft 365 compliance center](export-search-results.md).
### Hold
compliance Classifier How To Retrain Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-how-to-retrain-content-explorer.md
To understand more about the overall workflow of retraining a classifier, see [P
12. Review the recommended action, and the prediction comparisons of the retrained and currently published versions of the classifier. 13. If you satisfied with the results of the retraining, choose **Re-publish**.
-14. If you are not satisfied with the results of the retraining, you can choose to provide additional feedback to the classifier in the Communications compliance interface and start another retraining cycle or do nothing in which case the currently published version of the classifier will continue to be used.
+14. If you are not satisfied with the results of the retraining, you can choose to provide additional feedback to the classifier in the Content Explorer interface and start another retraining cycle or do nothing in which case the currently published version of the classifier will continue to be used.
## Details on republishing recommendations
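Review bot: Step 14 is a single run-on sentence with two outcomes joined by "or do nothing in which case"; split it into two sentences or add a comma before "in which case". Step 13 directly above still reads "If you satisfied with the results" (missing "are") and could be fixed in the same change.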
compliance Dlp Microsoft Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-microsoft-teams.md
DLP protection are applied differently to Teams entities.
|||| |individual user accounts |1:1/n chats |yes | | |general chats |no |
-| |shared channels |no |
| |private channels |yes | |security groups/distribution lists | 1:1/n chats |yes | | |general chats |no |
-| |shared channels |no |
| |private channels |yes | |Microsoft 365 group |1:1/n chats |no | | |general chats |yes |
-| |shared channels|yes |
| |private channels|no|
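Review bot: Removing the three "shared channels" rows leaves the table silent on whether DLP applies to shared channels for any of the three scopes, where before each scope had an explicit yes or no. If shared channels are not covered, say so in a sentence next to the table instead of only dropping the rows, so admins do not assume protection that is not there.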
compliance Microsoft 365 Compliance Center Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center-permissions.md
To view the **Permissions** tab in the Microsoft 365 compliance center, users ne
![Permissions page in Microsoft 365 compliance center](../media/m365-compliance-center-permissions.png)
-Permissions in the Microsoft 365 compliance center are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services, so if you're familiar with the permission structure in these services, granting permissions in the Microsoft 365 compliance center will be familiar. It's important to remember that the permissions managed in the Microsoft 365 compliance center don't cover the management of all the permissions needed in each individual service. You'll still need to manage certain service-specific permissions in the admin center for the specific service. For example, if you need to assign permissions for archiving, auditing, and retention policies, you'll need to manage these permissions in the Exchange admin center.
+Permissions in the Microsoft 365 compliance center are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services, so if you're familiar with the permission structure in these services, granting permissions in the Microsoft 365 compliance center will be familiar. It's important to remember that the permissions managed in the Microsoft 365 compliance center don't cover the management of all the permissions needed in each individual service. You'll still need to manage certain service-specific permissions in the admin center for the specific service. For example, if you need to assign permissions for archiving, auditing, and MRM retention policies, you'll need to manage these permissions in the Exchange admin center.
## Relationship of members, roles, and role groups
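Review bot: "MRM retention policies" in the last sentence of the paragraph introduces the acronym MRM without expanding it, and it appears nowhere else in the visible text. Spell it out on first use or link to the article that defines it, since this distinction decides which admin center the reader has to use.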
compliance Microsoft 365 Compliance Center Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center-redirection.md
To switch back to the Office 365 Security and Compliance center (protection.micr
1. Sign in to the [Microsoft 365 compliance center](https://compliance.microsoft.com) as a global administrator or using any account with compliance administrator permissions in Azure Active directory. 2. Navigate to **Settings** > **Compliance center redirection**. 3. Toggle the Automatic redirection setting to **Off**.
-4. Select **Disable** and share feedback when prompted.
+4. Select **Turn off** and share feedback when prompted.
Once disabled, users will no longer be routed to compliance.microsoft.com and they will be directed to the Office 365 Security and Compliance center (protection.microsoft.com). This setting can be enabled again at any time by Global or Compliance admins.
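Review bot: Step 4 now says **Turn off**, but the unchanged paragraph right after it still reads "Once disabled" and "can be enabled again". Use "turned off" and "turned on" there as well so the prose matches the control's label. The unchanged step 1 also has "Azure Active directory" with a lowercase "d", which could be fixed in the same pass.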
compliance Overview Ediscovery 20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/overview-ediscovery-20.md
# Overview of Microsoft 365 Advanced eDiscovery
-The Advanced eDiscovery solution in Microsoft 365 builds on the existing Microsoft eDiscovery and analytics capabilities. Advanced eDiscovery provides an end-to-end workflow to preserve, collect, analyze, review, analyze, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.
+The Advanced eDiscovery solution in Microsoft 365 builds on the existing Microsoft eDiscovery and analytics capabilities. Advanced eDiscovery provides an end-to-end workflow to preserve, collect, analyze, review, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.
## Advanced eDiscovery capabilities
compliance Sensitive Information Type Entity Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-entity-definitions.md
hideEdit: true feedback_system: None recommendations: false
-description: "Data loss prevention (DLP) in the Security &amp; Compliance Center includes over 200 sensitive information types that are ready for you to use in your DLP policies. This article lists all of these sensitive information types and shows what a DLP policy looks for when it detects each type."
+description: "There are 200 sensitive information types that are ready for you to use in your DLP policies. This article lists all of these sensitive information types and shows what a DLP policy looks for when it detects each type."
# Sensitive information type entity definitions
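Review bot: The new description states "There are 200 sensitive information types" where the old text said "over 200". An exact count in front matter goes stale as soon as a type is added, so keep "over 200" or drop the number. The rewrite also removes the only expansion of DLP in the description; spell out "data loss prevention (DLP)" once.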
-Data loss prevention (DLP) in the Compliance Center includes many sensitive information types that are ready to use in your DLP policies. This article lists all of these sensitive information types and shows what a DLP policy looks for when it detects each type. To learn more about sensitive information types, see [Sensitive information types](sensitive-information-type-learn-about.md)
+This article lists all sensitive information type entity definitions. Each definition shows what a DLP policy looks for to detect each type. To learn more about sensitive information types, see [Sensitive information types](sensitive-information-type-learn-about.md)
## ABA routing number
A DLP policy has medium confidence that it's detected this type of sensitive inf
### Format
-Eleven digits with dash
+11 digits with dash
### Pattern
-Eleven digits with a dash:
+11 digits with a dash:
- two digits in 20, 23, 24, 27, 30, 33 or 34 - a hyphen (-) - eight digits
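Review bot: The Format line now reads "11 digits with dash" while the Pattern line reads "11 digits with a dash:". Both lines are touched here, so make them match ("with a dash"), and consider "hyphen", which is the term the pattern bullets underneath already use.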
A DLP policy has medium confidence that it's detected this type of sensitive inf
### Format
-six to ten digits with or without a bank state branch number
+six to 10 digits with or without a bank state branch number
### Pattern
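Review bot: "six to 10 digits" mixes a spelled-out number and a numeral inside one range. Write the range in a single style, for example "6 to 10 digits". The same applies to "nine or 10 digits" further down in this file.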
A DLP policy has medium confidence that it's detected this type of sensitive inf
10-11 digits: - First digit is in the range 2-6-- Nine digit is a check digit
+- Ninth digit is a check digit
- Tenth digit is the issue digit - Eleventh digit (optional) is the individual number
eight or nine alphanumeric characters
### Pattern -- one letter (N, E, D, F, A, C, U, X) followed by 7 digits
+- one letter (N, E, D, F, A, C, U, X) followed by seven digits
or-- 2 letters (PA, PB, PC, PD, PE, PF, PU, PW, PX, PZ) followed by 7 digits.
+- Two letters (PA, PB, PC, PD, PE, PF, PU, PW, PX, PZ) followed by seven digits.
### Checksum
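Review bot: The two replacement bullets are styled differently: "- one letter (N, E, D, F, A, C, U, X) followed by seven digits" starts lowercase with no period, while "- Two letters (PA, PB, ...) followed by seven digits." is capitalized and ends with a period. Pick one form for both alternatives so the "or" between them reads as a choice between parallel items.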
Varies by province
### Pattern
-Various patterns covering Alberta, British Columbia, Manitoba, New Brunswick, Newfoundland/Labrador, Nova Scotia, Ontario, Prince Edward Island, Quebec, and Saskatchewan
+Various patterns covering:
+- Alberta
+- British Columbia
+- Manitoba
+- New Brunswick
+- Newfoundland/Labrador
+- Nova Scotia
+- Ontario
+- Prince Edward Island
+- Quebec
+- Saskatchewan
### Checksum
Yes
A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters: - The function Func_canadian_sin finds content that matches the pattern.-- At least two of any combination of the following:
+- At least two of the following patterns:
- A keyword from Keyword_sin is found. - A keyword from Keyword_sin_collaborative is found. - The function Func_eu_date finds a date in the right date format.
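Review bot: "At least two of the following patterns:" is less accurate than the line it replaces. Of the three items listed under it, two are keyword-list matches (Keyword_sin, Keyword_sin_collaborative) and one is a function match (Func_eu_date), and "pattern" is already used in the bullet above for the Func_canadian_sin match. Suggest "At least two of the following:" or "At least two of the following supporting elements:".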
A DLP policy has medium confidence that it's detected this type of sensitive inf
### Pattern
-Complex and robust pattern that detects cards from all major brands worldwide, including Visa, MasterCard, Discover Card, JCB, American Express, gift cards, and diner cards.
+Detects cards from all major brands worldwide, including Visa, MasterCard, Discover Card, JCB, American Express, gift cards, and diner cards.
### Checksum
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Croatia identity card number
-This sensitive information type entity is included in the EU National Identification Number sensitive information type. It's available as a stand-alone sensitive information type entity.
+This entity is included in the EU National Identification Number sensitive information type. It's available as a stand-alone sensitive information type entity.
### Format
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Finland passport number
-This sensitive information type entity is available in the EU Passport Number sensitive information type and is available as a stand-alone sensitive information type entity.
+This entity is available in the EU Passport Number sensitive information type and is available as a stand-alone sensitive information type entity.
### Format combination of nine letters and digits
A DLP policy has medium confidence that it's detected this type of sensitive inf
## France driver's license number
-This sensitive information type entity is available in the EU Driver's License Number sensitive information type and is available as a stand-alone sensitive information type entity.
+This entity is available in the EU Driver's License Number sensitive information type and is available as a stand-alone sensitive information type entity.
### Format
A DLP policy has low confidence that it's detected this type of sensitive inform
## France passport number
-This sensitive information type entity is available in the EU Passport Number sensitive information type. It's available as a stand-alone sensitive information type entity.
+This entity is available in the EU Passport Number sensitive information type. It's also available as a stand-alone sensitive information type entity.
### Format
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Germany driver's license number
-This sensitive information type entity is included in the EU Driver's License Number sensitive information type. It's available as a stand-alone sensitive information type entity.
+This sensitive information type entity is included in the EU Driver's License Number sensitive information type. It's also available as a stand-alone sensitive information type entity.
### Format
A DLP policy has low confidence that it's detected this type of sensitive inform
## Germany passport number
-This sensitive information type entity is included in the EU Passport Number sensitive information type and is available as a stand-alone sensitive information type entity.
+This entity is included in the EU Passport Number sensitive information type and is available as a stand-alone sensitive information type entity.
### Format
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Greece driver's license number
-This sensitive information type entity is included in the EU Driver's License Number sensitive information type and is available as a stand-alone sensitive information type entity.
+This entity is included in the EU Driver's License Number sensitive information type. It is also available as a stand-alone sensitive information type entity.
### Format
This sensitive information type is only available for use in:
### Format
-Eleven digits without spaces and delimiters
+11 digits without spaces and delimiters
### Pattern -- 6 digits as date of birth YYMMDD-- 4 digits
+- Six digits as date of birth YYMMDD
+- Four digits
- a check digit ### Checksum
This sensitive information type is only available for use in:
11 digits: -- One digit that corresponds to gender (1-male, 2-female, other numbers are also possible for citizens born before 1900 or citizens with double citizenship)
+- One digit that corresponds to gender, 1 for male, 2 for female. Other numbers are also possible for citizens born before 1900 or citizens with double citizenship.
- Six digits that correspond to birth date (YYMMDD) - Three digits that correspond to a serial number - One check digit
Pattern must include all of the following:
The format for each country is slightly different. The IBAN sensitive information type covers these 60 countries:
-ad, ae, al, at, az, ba, be, bg, bh, ch, cr, cy, cz, de, dk, do, ee, es, fi, fo, fr, gb, ge, gi, gl, gr, hr, hu, ie, il, is, it, kw, kz, lb, li, lt, lu, lv, mc, md, me, mk, mr, mt, mu, nl, no, pl, pt, ro, rs, sa, se, si, sk, sm, tn, tr, vg
+- ad
+- ae
+- al
+- at
+- az
+- ba
+- be
+- bg
+- bh
+- ch
+- cr
+- cy
+- cz
+- de
+- dk
+- do
+- ee
+- es
+- fi
+- fo
+- fr
+- gb
+- ge
+- gi
+- gl
+- gr
+- hr
+- hu
+- ie
+- il
+- is
+- it
+- kw
+- kz
+- lb
+- li
+- lt
+- lu
+- lv
+- mc
+- md
+- me
+- mk
+- mr
+- mt
+- mu
+- nl
+- no
+- pl
+- pt
+- ro
+- rs
+- sa
+- se
+- si
+- sk
+- sm
+- tn
+- tr
+- vg
### Checksum
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Italy driver's license number
-This sensitive information type entity is included in the EU Driver's License Number sensitive information type and is available as a stand-alone sensitive information type entity.
+This type entity is included in the EU Driver's License Number sensitive information type. It is also available as a stand-alone sensitive information type entity.
### Format
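Review bot: "This type entity is included in ..." in the added line looks like a partial deletion of "sensitive information type entity". The other entries edited in this commit use "This entity", so use that here too. The opening sentence is also uneven across entries: Germany driver's license, Poland passport and U.K. NINO keep "This sensitive information type entity", and only some entries gained "also" in the second sentence.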
A 16-character combination of letters and digits:
- three letters that correspond to the first, third, and fourth consonants in the first name - two digits that correspond to the last digits of the birth year - one letter that corresponds to the letter for the month of birthΓÇöletters are used in alphabetical order, but only the letters A to E, H, L, M, P, R to T are used (so, January is A and October is R)-- two digits that correspond to the day of the month of birthΓÇöin order to differentiate between genders, 40 is added to the day of birth for women
+- two digits that correspond to the day of the month of birth in order to differentiate between genders, 40 is added to the day of birth for women
- four digits that correspond to the area code specific to the municipality where the person was born (country-wide codes are used for foreign countries) - one parity digit
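Review bot: Removing the dash from the day-of-birth bullet leaves a run-on: "the day of the month of birth in order to differentiate between genders, 40 is added to the day of birth for women" now reads as if the two digits exist in order to differentiate genders. End the first clause with a period or semicolon after "birth" and start a new sentence with "To differentiate between genders, 40 is added ...". The month-of-birth bullet in the unchanged context still has the same dash construction, so decide whether both should be rewritten.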
A DLP policy has low confidence that it's detected this type of sensitive inform
### Format
-eleven character alphanumeric pattern
+11 character alphanumeric pattern
### Pattern
A DLP policy has high confidence that it's detected this type of sensitive infor
### Format
-ten digits without spaces and delimiters
+10 digits without spaces and delimiters
### Pattern
-ten digits
+10 digits
### Checksum
A DLP policy has low confidence that it's detected this type of sensitive inform
### Pattern 11 digits:-- six digits in the format DDMMYY which are the date of birth
+- six digits in the format DDMMYY, which are the date of birth
- three-digit individual number - two check digits
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Poland passport number
-This sensitive information type entity is included in the EU Passport Number sensitive information type. It's available as a stand-alone sensitive information type entity.
+This sensitive information type entity is included in the EU Passport Number sensitive information type. It's also available as a stand-alone sensitive information type entity.
### Format
This sensitive information type is only available for use in:
### Format
-nine or ten digits containing optional backslash
+nine or 10 digits containing optional backslash
### Pattern
This sensitive information type is only available for use in:
- seven digits that correspond to the birth date (DDMMLLL) where "LLL" corresponds to the last three digits of the birth year - two digits that correspond to the area of birth "50"-- three digits that correspond to a combination of gender and serial number for persons born on the same day (000-499 for male and 500-999 for female)
+- three digits that correspond to a combination of gender and serial number for persons born on the same day. 000-499 for male and 500-999 for female.
- one check digit ### Checksum
A DLP policy has high confidence that it's detected this type of sensitive infor
#### CEP_PasswordPlaceHolder
-(Note that technically, this sensitive information type identifies these keywords by using a regular expression, not a keyword list.)
+This sensitive information type identifies these keywords by using a regular expression, not a keyword list.
- Password or pwd followed by 0-2 spaces, an equal sign (=), 0-2 spaces, and an asterisk (*) -OR-
A DLP policy has high confidence that it's detected this type of sensitive infor
#### CEP_CommonExampleKeywords
-(Note that technically, this sensitive information type identifies these keywords by using a regular expression, not a keyword list.)
+This sensitive information type identifies these keywords by using a regular expression, not a keyword list.
- contoso - fabrikam
A DLP policy has high confidence that it's detected this type of sensitive infor
### Format
-ten digits containing a hyphen
+10 digits containing a hyphen
### Pattern
-ten digits containing a hyphen:
+10 digits containing a hyphen:
- six digits - a hyphen
A DLP policy has high confidence that it's detected this type of sensitive infor
- Birth Date ## U.K. national insurance number (NINO)
-This sensitive information type entity is included in the EU National Identification Number sensitive information type. It's available as a stand-alone sensitive information type entity.
+This sensitive information type entity is included in the EU National Identification Number sensitive information type. It's also available as a stand-alone sensitive information type entity.
### Format
enterprise Connect To Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/connect-to-microsoft-365-powershell.md
PowerShell Core doesn't support the Microsoft Azure Active Directory Module for
These steps are required only one time on your computer. But you'll likely need to update the software periodically.
-1. If you're not running Windows 10, install the 64-bit version of the Microsoft Online Services Sign-in Assistant: [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://www.microsoft.com/Download/details.aspx?id=28177).
+1. If you're not running Windows 10, install the 64-bit version of the Microsoft Online Services Sign-in Assistant: [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi).
2. Follow these steps to install the Microsoft Azure Active Directory Module for Windows PowerShell:
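Review bot: The step text says to install the "64-bit version" of the Sign-in Assistant, but the new link target ends in msoidcli_32bit.msi. Either point to the 64-bit installer or correct the wording, otherwise admins following the step install the wrong package. The change also swaps a Download Center details page for a direct link to an .msi file, which takes away the page where the reader can see the version and publisher before downloading; say why the direct link is needed or keep a landing page.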
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
If you're using a third-party service or line-of-business (LOB) apps that are in
If you are using the same Azure Active Directory identity partition for Office 365 and Microsoft Azure in the Microsoft Cloud Deutschland instance, make sure that you are preparing for the customer driven migration of Microsoft Azure services. > [!NOTE]
-> The migration of your Microsoft Azure services may not start before your Office 365 tenant has reached migration phase 9 and must be completed before migration phase 10 has been completed.
+> The migration of your Microsoft Azure services may not start before your Office 365 tenant has reached migration phase 9 and must be completed before migration phase 10 has been started.
Customers who use Office 365 and Azure resources (for example, networking, compute, and storage) will perform the migration of resources to the Office 365 services instance. This migration is the customer's responsibility. Message Center posts will signal the start. Migration must be completed before finalization of the Azure AD organization in the Office 365 services environment. For Azure migrations, see the Azure migration playbook, [Overview of migration guidance for Azure Germany](https://docs.microsoft.com/azure/germany/germany-migration-main).
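Review bot: "must be completed before migration phase 10 has been started" changes the deadline from the end of phase 10 to its beginning, so the allowed window is now only phase 9; the wording should make that explicit. Suggest "may start only after your Office 365 tenant has reached migration phase 9 and must be completed before migration phase 10 starts". "May not start" can also be read as "might not start"; "must not start" or "can start only after" removes the ambiguity.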
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
The migration process will complete over many weeks depending on the overall siz
|Power BI & Dynamics 365|15+ days|Microsoft|Migrate Power BI and Dynamics 365 content.| |Finalize Azure AD|1-2 days|Microsoft|Complete tenant cutover to worldwide.| |Clean-Up|1-2 days|Customer|Clean up legacy connections to Microsoft Cloud Deutschland, such as Active Directory Federation Services (AD FS) Relying Party Trust, Azure AD Connect, and Office client restarts.|
-|Endpoints Disabled|30 days|Microsoft|30 days after the finalization of Azure AD, the Microsoft Cloud Deutschland Azure AD service will stop endpoint access for the transitioned organization. Endpoint requests such as Authentication will fail from this point forward against the Microsoft Cloud Deutschland service. |
-
+|Endpoints Disabled|30 days|Microsoft|30 days after the finalization of Azure AD, the Microsoft Cloud Deutschland Azure AD service will stop endpoint access for the transitioned organization. Endpoint requests such as Authentication will fail from this point forward against the Microsoft Cloud Deutschland service. Customers running Azure workloads in the instance linked to Office 365 services in Microsoft Cloud Deutschland will be moved to the final migration phase later on. |
The phases and their actions ensure that critical data and experiences are migrated to the Office 365 Global services. After your tenant is added to the migration queue, each workload will be completed as a set of steps that are executed on the backend service. Some workloads may require actions by the administrator (or user), or the migration may affect usage for the phases that are executed and discussed in [How is the migration organized?](ms-cloud-germany-transition.md#how-is-the-migration-organized)
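Review bot: The lone "-" line removes the blank line after the table's last row, so the paragraph beginning "The phases and their actions" now follows the "Endpoints Disabled" row directly and many Markdown renderers will pull it into the table. Restore the blank line. In the added sentence, "will be moved to the final migration phase later on" gives no condition or timing; state what triggers the move, or link to the page that does.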
Additional considerations:
- If your organization still uses SharePoint 2010 workflows, they'll no longer function after December 31, 2021. SharePoint 2013 workflows will remain supported, although turned off by default for new tenants starting on November 1, 2020. After migration to the SharePoint Online service is complete, we recommend that you to move to Power Automate or other supported solutions. - Microsoft Cloud Deutschland customers whose SharePoint Online instance is not yet migrated need to stay on SharePoint Online PowerShell module/Microsoft.SharePointOnline.CSOM version 16.0.20616.12000 or below. Otherwise, connections to SharePoint Online via PowerShell or the client-side object model will fail. - During this phase, the IP addresses behind the SharePoint URLs will change. After the transition to Office 365 Global services, the addresses for the preserved tenant URLs (for example, `contoso.sharepoint.de` and `contoso-my.sharepoint.de`) will be changed to the [Worldwide Microsoft 365 URLs and IP address ranges (SharePoint Online and OneDrive for Business)](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#sharepoint-online-and-onedrive-for-business).
+- While SharePoint and OneDrive services are transitioned, Office Online may not work as expected.
> [!NOTE] > In case you are using eDiscovery, make sure you are aware of the [eDiscovery migration experience](ms-cloud-germany-transition-add-scc.md).
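Review bot: The added bullet "Office Online may not work as expected" does not say what fails or what an admin should tell users. Name the affected behavior and when it recovers (for example, once the SharePoint and OneDrive transition for the tenant completes), or link to a known-issues entry.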
enterprise Ms Cloud Germany Transition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition.md
There are currently 39 services available as part of Office 365 services in the
If you are an Azure customer only, you can begin [migrating](/azure/germany/germany-migration-main) your Azure resources to another region today.
-If you have Azure with Office 365, Dynamics 365, or Power BI, you must follow the migration process to ensure successful migration AzureAD before you begin the self-directed Azure migration. You must complete the Azure migration before the service closure in order to maintain your Azure workloads with your AzureAD, and Office 365 organization.
+If you have Azure with Office 365, Dynamics 365, or Power BI, you must follow the migration process for Office 365 services first to ensure the successful migration of Azure AD before you could begin the self-directed Azure migration. You must complete the Azure migration before finalizing your tenant migration to maintain your Azure workloads with your Azure AD and Office 365 organization. Refer to [Migration phases actions and impacts for the migration from Microsoft Cloud Deutschland](ms-cloud-germany-transition-phases.md) for additional details.
**Office 365**
The migration is designed to have minimal impact to end users/customers.
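Review bot: "before you could begin the self-directed Azure migration" in the added paragraph should be "before you can begin". The paragraph also gives two orderings that are easy to conflate (Office 365 migration first, then Azure migration, then tenant finalization); a short numbered list would make the required sequence unambiguous.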
### Which customers are affected by the Azure Active Directory migration?
-All customers of Office365 depend on Azure Active Directory to authenticate and store critical service components needed for operation of Microsoft hosted services.
+All customers of Office 365 depend on Azure Active Directory to authenticate and store critical service components needed for operation of Microsoft hosted services.
### What are the impacts of the Azure Active Directory Migration?
knowledge Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/search.md
For users who are looking for information about booking a trip for work:
- For users who search generally for "travel", create a topic on "Travel" that has the information they expect to see. Consider adding a link to the Concur external site in the description of the topic. If the link is instead to an internal travel booking site hosted on the Microsoft 365 tenant, you can add it to the ΓÇ£Pinned ResourcesΓÇ¥. ### Search results priority
-
-In the users search experience, when a user searches for a term like ΓÇ£travelΓÇ¥, search results will display in the following priority in Microsoft Search
-1. Published or Confirmed topics
-2. Bookmarks
-3. Suggested topics
+
+In the user's search experience, when a user searches for a term like ΓÇ£travelΓÇ¥, a bookmark will appear ahead of a topic, if a bookmark is available.
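Review bot: The replacement sentence reverses the documented order. The removed list ranked "Published or Confirmed topics" first and "Bookmarks" second, while the new text says "a bookmark will appear ahead of a topic". If the product behavior changed, say so in the commit; if not, this is a regression. The new text also drops any statement about where suggested topics rank, which the old list covered in item 3.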
learning Configure Sharepoint Content Source https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/learning/configure-sharepoint-content-source.md
Title: "Coming soon: Configure SharePoint as a learning content source for Microsoft Viva Learning (Preview)"
+ Title: "Configure SharePoint as a learning content source for Microsoft Viva Learning (Preview)"
Previously updated : 05/12/2021 Last updated : audience: admin
description: "Learn how to configure SharePoint as a learning content source for
-# Coming soon: Configure SharePoint as a learning content source for Microsoft Viva Learning (Preview)
+# Configure SharePoint as a learning content source for Microsoft Viva Learning (Preview)
> [!NOTE]
-> The information in this article relates to a preview product that may be substantially modified before it's commercially released.
+> This feature is not yet available in product preview.
+++
+<!
You can configure SharePoint as a learning content source to make your organization's own content available in Viva Learning (Preview).
Knowledge admins can access their organizationΓÇÖs Learning App Content Reposito
3. Select **Check access** to connect to your organizationΓÇÖs centralized library.
+>
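Review bot: The title and H1 drop "Coming soon", yet the new note says "This feature is not yet available in product preview" and the procedure is wrapped in a comment, so a reader arriving from search gets a how-to title on a page with no steps. Keep "Coming soon" in the title until the steps are restored. As shown here the wrapper opens with "<!" and closes with ">"; confirm the file uses full "<!--" and "-->" delimiters so the hidden steps do not render.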
learning Set Up Teams Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/learning/set-up-teams-admin-center.md
Previously updated : 05/24/2021 Last updated : audience: admin
description: "Learn how to configure Microsoft Viva Learning (Preview) in the Te
> [!NOTE] > The information in this article relates to a preview product that may be substantially modified before it's commercially released.
+The Teams administrator needs to perform certain steps to enable Viva Learning (Preview) for their users in the tenant. These steps vary based on how the tenant is enabled: [*Public Preview*](set-up-teams-admin-center.md#public-preview-tenants) or [*Private Preview* (or Beta)](set-up-teams-admin-center.md#private-preview-tenants).
+
+## Public Preview tenants
+
+### Administrator steps for Public Preview tenants
+
+Because the Viva Learning (Preview) is not yet generally available, certain steps are required to enable the features and set permissions for specific users or groups.
+
+1. Enable Public Preview features for Viva Learning (Preview) users.
+
+ a. Modify Teams update policy to enable Public Preview features. See [Microsoft Teams Public Preview](/microsoftteams/public-preview-doc-updates).
+
+ b. Enable the update policy for users or groups who will perform Viva Learning (Preview) testing. See [Assign policies to users and groups](/microsoftteams/assign-policies-users-and-groups).
+
+2. Modify the app permission policy for Viva Learning (Preview) users.
+
+ a. Unless it's currently part of the global policy, allow all Microsoft apps in the app permission policy. See [Manage app permission policies in Microsoft Teams](/microsoftteams/teams-app-permission-policies).
+
+ b. Enable the app permission policy for users or groups who will perform Viva Learning (Preview) testing. See [Assign policies to users and groups](/microsoftteams/assign-policies-users-and-groups).
+
+3. Notify users who will test Viva Learning (Preview) to [switch their build client to Public Preview for Teams](set-up-teams-admin-center.md#user-steps-for-public-preview-tenants).
+
+> [!IMPORTANT]
+> For Public Preview tenants, Viva Learning (Preview) will not be displayed in **Managed apps** in the Teams admin center until final product release. However, enabled Public Preview users can find Viva Learning (Preview) in the Teams app store and use it, once the correct policies and permissions have been set up.
+
+### User steps for Public Preview tenants
+
+Users who have been enabled for Public Preview testing ΓÇö by enabling the [policies previously described](set-up-teams-admin-center.md#administrator-steps-for-public-preview-tenants) ΓÇö need to [switch to Public Preview](/microsoftteams/public-preview-doc-updates#enable-public-preview) in their Teams client.
+
+1. Users must select their profile image > **About** > **Public Preview**.
+
+ ![Upper navigation in the Teams application showing user's profile](../media/learning/learning-app-select-profile-teams.png)
+
+2. Users must accept the Public Preview terms and conditions.
+
+ ![Switch to public preview build](../media/learning/learning-app-switch-to-public-preview.png)
+
+3. Users can now find Viva Learning (Preview) in the Teams app store and start using it.
+
+## Private Preview tenants
+
+### Administrator steps for Private Preview (or Beta) tenants
+
+For Private Preview tenants, there are no additional policies that need to be enabled. However, Viva Learning (Preview) must be made available for users in your organization.
+
+1. In the left navigation of the Teams admin center, go to **Teams apps** > **Manage apps**.
+
+ ![Left navigation in the Teams admin center showing Teams apps and Manage apps section.](../media/learning/learning-app-teams-manage-apps-nav.png)
+
+2. On the **Manage apps** page, in the search box, type *Viva Learning*, and then select **Viva Learning (Preview)**.
+
+ ![Manage apps page in the Teams admin center showing the search box.](../media/learning/learning-app-teams-manage-apps-page.png)
+
+3. On the **Viva Learning (Preview)** page, under **Status**, select **Allowed** to turn on Viva Learning (Preview).
+
+ ![Learning page in the Teams admin center showing Status and App settings section.](../media/learning/learning-app-teams-learning-page.png)
++
+<!
The Teams admin installs Viva Learning (Preview) and applies permission policies through the Teams admin center. 1. For Viva Learning (Preview), you must first set the Update policy in Teams. For more information, see [Microsoft Teams Public Preview](/MicrosoftTeams/public-preview-doc-updates).
To make Viva Learning (Preview) available for users in your organization, follow
> [!NOTE] > If your organization is in Ring 4.0 as part of Teams TAP100 program, you might need to enable approved users in Ring 3.0 to access Viva Learning (Preview). <br><br>As part of the preview, Viva Learning (Preview) is released in Ring 3.0. If your organization is in Ring 4.0, you wonΓÇÖt see Viva Learning (Preview) on the **Manage apps** page. To test the app, you need to create a custom apps permission policy, set it to **Allow all apps**, and assign it to Ring 3.0 approved users. <br><br> ![TAP-AppsPermission-Plcy page showing Allow all apps selected.](../media/learning/learning-app-tap-appspermission-plcy.png)
+>
+ ## Next step [Configure learning content sources for Viva Learning (Preview) in the Microsoft 365 admin center](content-sources-365-admin-center.md)
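Review bot: Step 2a tells admins to "allow all Microsoft apps in the app permission policy", which is broader than a preview test needs. Step 2b already scopes the policy to the test users or groups, so recommend a custom policy that allows only Viva Learning (Preview) for them, or state explicitly that all Microsoft apps must be allowed because the app cannot be selected individually before release, and tell admins to revert the policy afterwards. Minor: "Because the Viva Learning (Preview) is not yet generally available" has a stray "the", and the in-page links repeat the file name (set-up-teams-admin-center.md#...) where a bare "#anchor" would do.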
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### Next-generation protection #### [Overview of Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
-#### [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md)
-#### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
-#### [Better together: Microsoft Defender Antivirus and Office 365](office-365-microsoft-defender-antivirus.md)
-#### [Cloud-delivered protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md)
+##### [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md)
+##### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
+##### [Better together: Microsoft Defender Antivirus and Office 365](office-365-microsoft-defender-antivirus.md)
#### [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) #### [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
+#### [Cloud-delivered protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md)
##### [Turn on cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) ##### [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md)
-##### [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)
-##### [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
-##### [Turn on block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
-##### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
-##### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
-##### [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
-##### [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](configure-real-time-protection-microsoft-defender-antivirus.md)
-##### [Configure remediation for Microsoft Defender Antivirus detections](configure-remediation-microsoft-defender-antivirus.md)
-##### [Configure scheduled quick or full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-##### [Use limited periodic scanning in Microsoft Defender Antivirus](limited-periodic-scanning-microsoft-defender-antivirus.md)
+#### [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)
+#### [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
+#### [Turn on block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+#### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
+#### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
+#### [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+#### [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](configure-real-time-protection-microsoft-defender-antivirus.md)
+#### [Configure remediation for Microsoft Defender Antivirus detections](configure-remediation-microsoft-defender-antivirus.md)
+#### [Configure scheduled quick or full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+#### [Use limited periodic scanning in Microsoft Defender Antivirus](limited-periodic-scanning-microsoft-defender-antivirus.md)
#### [Compatibility with other security products](microsoft-defender-antivirus-compatibility.md) #### [Get your antivirus and antimalware updates](manage-updates-baselines-microsoft-defender-antivirus.md)
##### [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) ##### [Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus](use-wmi-microsoft-defender-antivirus.md) ##### [Use the mpcmdrun.exe tool to manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md)
+##### [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+##### [Specify whether users can locally modify Microsoft Defender Antivirus policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+##### [Specify whether users can see or interact with Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
#### [Deploy and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) ##### [Deploy and enable Microsoft Defender Antivirus](deploy-microsoft-defender-antivirus.md)
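Review bot: three cloud-protection articles end up outside the cloud-delivered protection node after this reshuffle. "Cloud-delivered protection and Microsoft Defender Antivirus" moves down to `####` with "Turn on cloud-delivered protection" and "Specify the cloud-delivered protection level" beneath it at `#####`, but "Configure and validate Microsoft Defender Antivirus network connections", "Turn on block at first sight" and "Configure the cloud block timeout period" are promoted from `#####` to `####` and become its siblings. The cloud-protection article on this page lists those three as next steps 3 to 5, so keeping them at `#####` under that node would match the article. Separately, the three entries added at `#####` after the mpcmdrun.exe entry inherit the same parent as the PowerShell, WMI and mpcmdrun.exe entries; confirm that is where the notification, local-override and UI-visibility articles are meant to sit.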
####### [Get alert related user information](get-alert-related-user-info.md) ###### [Assessments of vulnerabilities and secure configurations]()
-####### [Export assessment methods and properties](get-assessmnt-1methods-properties.md)
-####### [Export secure configuration assessment](get-assessmnt-secure-cfg.md)
-####### [Export software inventory assessment](get-assessmnt-software-inventory.md)
-####### [Export software vulnerabilities assessment](get-assessmnt-software-vulnerabilities.md)
+####### [Export assessment methods and properties](get-assessment-methods-properties.md)
+####### [Export secure configuration assessment](get-assessment-secure-config.md)
+####### [Export software inventory assessment](get-assessment-software-inventory.md)
+####### [Export software vulnerabilities assessment](get-assessment-software-vulnerabilities.md)
###### [Automated Investigation]() ####### [Investigation methods and properties](investigation.md)
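Review bot: the four export-assessment entries now point at renamed files (`get-assessmnt-1methods-properties.md` becomes `get-assessment-methods-properties.md`, and likewise for the secure-config, software-inventory and software-vulnerabilities articles), and nothing visible here adds redirects for the old names. Published URLs built from the old file names will break unless each old path is redirected. Please confirm the redirect entries exist and that every inbound link is updated, not only this TOC and the 05.25.2021 release-notes entry.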
security Api Release Notes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-release-notes.md
The following information lists the updates made to the Microsoft Defender for E
### 05.25.2021 -- Added new API [Export assessment methods and properties per device](get-assessmnt-1methods-properties.md).
+- Added new API [Export assessment methods and properties per device](get-assessment-methods-properties.md).
### 03.05.2021
security Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md
ms.technology: mde Last updated : 06/03/2021
-# Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection
--
+# Cloud-delivered protection and Microsoft Defender Antivirus
**Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) - Microsoft Defender Antivirus
-Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
-
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
+Next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To identify new threats dynamically, next-generation technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection.
-To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
+> [!TIP]
+> Want to learn more? See the blog post, [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
->[!NOTE]
->The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-
-With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Microsoft Defender Antivirus in action:
-
-<iframe
-src="https://www.microsoft.com/videoplayer/embed/RE1Yu4B" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
+Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
-To understand how next-generation technologies shorten protection delivery time through the cloud, watch the following video:
-
-<iframe
-src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
+> [!NOTE]
+> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. As a cloud service, it is not simply protection for files stored in the cloud; instead, the cloud service uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates.
-Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
+With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. The following blog posts illustrate how cloud-delivered protection works:
- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise) -- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign)-- [How artificial intelligence stopped an Emotet outbreak](https://www.microsoft.com/security/blog/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak)
+- [Behavior monitoring combined with machine learning spoils a massive coin-mining campaign](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign)
+- [How artificial intelligence stopped an "Emotet" outbreak](https://www.microsoft.com/security/blog/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak)
- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://www.microsoft.com/security/blog/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) - [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://www.microsoft.com/security/blog/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware)
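Review bot: the added paragraph beginning "Microsoft Defender Antivirus works seamlessly with Microsoft cloud services" carries over two problems from the line it replaces. "These cloud protection services ... enhances" pairs a plural subject with a singular verb, and MAPS is expanded as "Microsoft Advanced Protection Service" here, while the network-connections article on this page uses "Microsoft Active Protection Service". Pick one expansion and use it in both articles so that administrators searching for the setting find the same term. The closing clause "providing arguably the best antivirus defense" is a marketing claim the rewrite could drop.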
-## Get cloud-delivered protection
-
-Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
-
-Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-
-The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager.
+## How to get cloud-delivered protection
-|OS version or service application |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period |
-|||||
-|Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No |
-|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No |
-|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable |
-|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable |
-|Microsoft Endpoint Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
-|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable |
+Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies. To learn more, see [Turn on cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md).
-You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates).
+Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update. [Configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates).
+> [!TIP]
+> Visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Tasks
+## Next steps
-- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+1. [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Manager (which now includes Microsoft Endpoint Configuration Manager and Microsoft Intune), Group Policy, or PowerShell cmdlets.
-- [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md). You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+2. [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md). You can specify the level of protection offered by the cloud by using Microsoft Endpoint Manager or Group Policy. The protection level affects the amount of information shared with the cloud and how aggressively new files are blocked.
-- [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+3. [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
-- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Manager and Group Policy.
+4. [Configure the "block at first sight" feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it by using Microsoft Endpoint Manager or Group Policy.
-- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Manager and Group Policy.
+5. [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running by using Microsoft Endpoint Manager or Group Policy.
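Review bot: the version table under the old "Get cloud-delivered protection" heading is deleted without a replacement, and in the visible text it was the only statement of where the cloud block timeout period is configurable (Windows 10, version 1703 or greater through Group Policy, Microsoft Endpoint Manager, Microsoft Intune) and where it is not (Windows 8.1, Windows 10 version 1607, System Center 2012 Configuration Manager). Step 5 of the new "Next steps" list still sends readers to configure that timeout, so either keep a trimmed version of the table or confirm that the linked article states the minimum supported version. Minor: step 4 writes "traditional Security intelligence" while the rewritten note uses "traditional security intelligence updates".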
security Configure Cloud Block Timeout Period Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
ms.technology: mde Last updated : 06/04/2021 # Configure the cloud block timeout period -- **Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](cloud-protection-microsoft-defender-antivirus.md).
-The default period that the file will be [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
+The default period that the file is [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. If you're a security administrator, you can specify more time to wait before the file is allowed to run. Extending the cloud block timeout period can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
## Prerequisites to use the extended cloud block timeout [Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
-## Specify the extended timeout period
+## Specify the extended timeout period using Microsoft Endpoint Manager
+
+You can specify the cloud block timeout period with an [endpoint security policy in Microsoft Endpoint Manager](/mem/intune/protect/endpoint-security-policy).
+
+1. Go to the Endpoint Manager admin center ([https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)) and sign in.
+
+2. Select **Endpoint security**, and then under **Manage**, choose **Antivirus**.
+
+3. Select (or create) an antivirus policy.
+
+4. In the **Configuration settings** section, expand **Cloud protection**. Then, in the **Defender Cloud Extended Timeout In Seconds** box, specify the more time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to the default 10 seconds.
+
+5. (This step is optional) Make any other changes to your antivirus policy. (Need help? See [Settings for Microsoft Defender Antivirus policy in Microsoft Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows).)
+
+6. Choose **Next**, and finish configuring your policy.
+
+## Specify the extended timeout period using Group Policy
You can use Group Policy to specify an extended timeout for cloud checks.
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11))
+
+2. Right-click the Group Policy Object you want to configure and then select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+3. In the **Group Policy Management Editor**, go to **Computer configuration**, and then select **Administrative templates**.
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**.
-4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
+4. Double-click **Configure extended cloud check** and ensure the option is enabled.
-5. Click **OK**.
+ Specify the extra amount of time to prevent the file from running while waiting for a cloud determination. Specify the extra time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to the default 10 seconds.
-## Related topics
+5. Select **OK**.
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)-- [Use next-generation antivirus technologies through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)-- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)-- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+
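Review bot: the Group Policy procedure now has two steps numbered 3. Splitting the old step 1 into "open the Group Policy Management Console" and "Right-click the Group Policy Object" shifted the numbering, but "Expand the tree to **Windows components** ..." was left as `3.`, so the list reads 1, 2, 3, 3, 4, 5. Renumber from that step onward, and add the missing period at the end of the new step 1. In the Endpoint Manager procedure, step 4 reads "specify the more time, in seconds", which is garbled; the Group Policy text in the same change says "Specify the extra time, in seconds, from 1 second to 50 seconds", so use that wording in both places. Since the value is added to the default 10 seconds, stating the resulting maximum of 60 seconds would tell administrators the longest a file can be held. The "Related topics" list is also removed with only an empty line added in its place; confirm that is intended.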
security Configure End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-end-user-interaction-microsoft-defender-antivirus.md
- Title: Configure how users can interact with Microsoft Defender Antivirus
-description: Configure how end users interact with Microsoft Defender Antivirus, what notifications they see, and if they can override settings.
-keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
-localization_priority: Normal
--------
-# Configure end-user interaction with Microsoft Defender Antivirus
---
-**Applies to:**
--- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)-
-You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus. You can configure whether users see the Microsoft Defender Antivirus interface, what notifications they see, and if they can locally override globally deployed Group Policy settings.
-
-Use the following articles to configure end-user interaction with Microsoft Defender Antivirus
--- **[Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)** Configure and customize notifications, including text for notifications, and notifications about reboots that are needed for remediation.--- **[Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)** Hide the **Virus & threat protection** user interface from end users.--- **[Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)** Prevent (or allow) users from overriding policy settings on their individual endpoints.
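Review bot: this deletes the whole landing page, and no redirect for `configure-end-user-interaction-microsoft-defender-antivirus.md` is visible in the change. The same change removes the link to it from the configure-features article and adds its three child articles to the TOC directly, so links inside the repository look covered, but bookmarks and search results for the old URL will break without a redirect to the configure-features article or to one of the three child articles.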
security Configure Microsoft Defender Antivirus Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md
localization_priority: Normal
Previously updated : 11/18/2020 Last updated : 06/04/2021 ms.technology: mde
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-You can configure Microsoft Defender Antivirus with a number of tools, including:
+You can configure Microsoft Defender Antivirus with a number of tools, such as:
-- Microsoft Intune-- Microsoft Endpoint Configuration Manager
+- Microsoft Endpoint Manager (which includes Microsoft Intune and Microsoft Endpoint Configuration Manager)
- Group Policy - PowerShell cmdlets - Windows Management Instrumentation (WMI) The following broad categories of features can be configured: -- Cloud-delivered protection-- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection-- How end users interact with the client on individual endpoints
+- Cloud-delivered protection. See [Cloud-delivered protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md)
+
+- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection. See [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md).
-The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools).
+- How end users interact with the client on individual endpoints. See the following resources:
+
+ - [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
-|Article |Description |
-|||
-|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. |
-|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. |
-|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. |
+ - [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
> [!TIP]
-> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.
+> Review [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md).
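Review bot: the new "How end users interact with the client on individual endpoints" bullet links only two of the three articles that the deleted landing page covered. `prevent-end-user-interaction-microsoft-defender-antivirus.md` and `configure-local-policy-overrides-microsoft-defender-antivirus.md` are listed, but `configure-notifications-microsoft-defender-antivirus.md` is not, although the TOC hunk adds it. Add it as a third sub-bullet. The "Cloud-delivered protection. See ..." bullet is also missing its closing period, unlike the bullet that follows it.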
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
localization_priority: Normal
Previously updated : 05/17/2021 Last updated : 06/04/2021 ms.technology: mde
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
+To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. > [!TIP]
-> You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
+> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
> > - Cloud-delivered protection > - Fast learning (including block at first sight)
See the blog post [Important changes to Microsoft Active Protection Services end
## Allow connections to the Microsoft Defender Antivirus cloud service
-The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it's highly recommended because it provides important protection against malware on your endpoints and across your network.
+The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it's highly recommended because it provides important protection against malware on your endpoints and across your network. See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+
+After you've enabled the service, you might need to configure your network or firewall to allow connections between it and your endpoints. Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
> [!NOTE] > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it's called a cloud service, it's not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
-
-After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
+## Services and URLs
-Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
+The table in this section lists the services and their associated website addresses (URLs).
-The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
+Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you might need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). The URLs in the following table use port 443 for communication.
-
-| **Service**| **Description** |**URL** |
-| :--: | :-- | :-- |
-| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
-| Microsoft Update Service (MU) <br/> Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/><br/> For details see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update)|
-|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` </br> `*.download.windowsupdate.com`</br> `go.microsoft.com`</br> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
-| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <br/> `ussus2eastprod.blob.core.windows.net` <br/> `ussus3eastprod.blob.core.windows.net` <br/> `ussus4eastprod.blob.core.windows.net` <br/> `wsus1eastprod.blob.core.windows.net` <br/> `wsus2eastprod.blob.core.windows.net` <br/> `ussus1westprod.blob.core.windows.net` <br/> `ussus2westprod.blob.core.windows.net` <br/> `ussus3westprod.blob.core.windows.net` <br/> `ussus4westprod.blob.core.windows.net` <br/> `wsus1westprod.blob.core.windows.net` <br/> `wsus2westprod.blob.core.windows.net` <br/> `usseu1northprod.blob.core.windows.net` <br/> `wseu1northprod.blob.core.windows.net` <br/> `usseu1westprod.blob.core.windows.net` <br/> `wseu1westprod.blob.core.windows.net` <br/> `ussuk1southprod.blob.core.windows.net` <br/> `wsuk1southprod.blob.core.windows.net` <br/> `ussuk1westprod.blob.core.windows.net` <br/> `wsuk1westprod.blob.core.windows.net` |
-| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/` <br/> `http://www.microsoft.com/pkiops/certs` <br/> `http://crl.microsoft.com/pki/crl/products` <br/> `http://www.microsoft.com/pki/certs` |
-| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
-| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com` <br/> `settings-win.data.microsoft.com`|
+| Service and description | URL |
+|-|- |
+| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)<p>This service is used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <p> `*.wdcpalt.microsoft.com` <p> `*.wd.microsoft.com`|
+| Microsoft Update Service (MU) and Windows Update Service (WU) <p>These services allow for security intelligence and product updates |`*.update.microsoft.com` <p> `*.delivery.mp.microsoft.com`<p> `*.windowsupdate.com` <p> For more details, see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update)|
+|Security intelligence updates Alternate Download Location (ADL)<p>This is an alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` <p> `*.download.windowsupdate.com`<p> `go.microsoft.com`<p> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
+| Malware submission storage <p>This is the upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <p> `ussus2eastprod.blob.core.windows.net` <p> `ussus3eastprod.blob.core.windows.net` <p> `ussus4eastprod.blob.core.windows.net` <p> `wsus1eastprod.blob.core.windows.net` <p> `wsus2eastprod.blob.core.windows.net` <p> `ussus1westprod.blob.core.windows.net` <p> `ussus2westprod.blob.core.windows.net` <p> `ussus3westprod.blob.core.windows.net` <p> `ussus4westprod.blob.core.windows.net` <p> `wsus1westprod.blob.core.windows.net` <p> `wsus2westprod.blob.core.windows.net` <p> `usseu1northprod.blob.core.windows.net` <p> `wseu1northprod.blob.core.windows.net` <p> `usseu1westprod.blob.core.windows.net` <p> `wseu1westprod.blob.core.windows.net` <p> `ussuk1southprod.blob.core.windows.net` <p> `wsuk1southprod.blob.core.windows.net` <p> `ussuk1westprod.blob.core.windows.net` <p> `wsuk1westprod.blob.core.windows.net` |
+| Certificate Revocation List (CRL) <p>This list is used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/` <p> `http://www.microsoft.com/pkiops/certs` <p> `http://crl.microsoft.com/pki/crl/products` <p> `http://www.microsoft.com/pki/certs` |
+| Symbol Store <p>The symbol store is used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
+| Universal Telemetry Client <p>This client is used by Windows to send client diagnostic data<p> Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: <p> `vortex-win.data.microsoft.com` <p> `settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud After allowing the URLs listed above, you can test if you're connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you're fully protected.
-**Use the cmdline tool to validate cloud-delivered protection:**
+### Use the cmdline tool to validate cloud-delivered protection
Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
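Review bot: The rewritten sentence "The URLs in the following table use port 443 for communication" does not hold for the Certificate Revocation List row, whose four entries are plain `http://` URLs (for example `http://crl.microsoft.com/pki/crl/products`), so a firewall rule built from that sentence alone would still block CRL retrieval. Suggest scoping the port statement to the HTTPS rows and calling out port 80 for the CRL row. The parenthetical "(excluding the URL `*.blob.core.windows.net`)" is also ambiguous next to "Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection": state explicitly whether the wildcard is to be left out of the allow rule while the individually listed storage hosts are allowed. Minor: the merged "Service and description" cells use an unclosed `<p>` as a line break, and the Universal Telemetry Client cell is missing a period before its second `<p>`.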
Use the following argument with the Microsoft Defender Antivirus command-line ut
For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
-**Attempt to download a fake malware file from Microsoft:**
+### Attempt to download a fake malware file from Microsoft
You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud.
You'll also see a detection under **Quarantined threats** in the **Scan history*
The Windows event log will also show [Windows Defender client event ID 1116](troubleshoot-microsoft-defender-antivirus.md).
-## Related articles
--- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)--- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)--- [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md)--- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)
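Review bot: Removing the whole "Related articles" list drops the only link to microsoft-defender-antivirus-in-windows-10.md among the lines shown here. The other three targets are still linked from the body (the enable-cloud-protection article in the new intro paragraph, the command-line arguments article, and the MAPS blog post). If the removal is intentional, consider keeping that one pointer or replacing the section rather than deleting it.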
security Customize Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction.md
You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configu
You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.
+For example, consider the ransomware rule:
+
+The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule will error on the side of caution and protect against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that have not gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self resolved, because each file's ΓÇ£reputation and trustΓÇ¥ values are incrementally upgraded as non-problematic usage increases.
+
+In cases in which blocks arenΓÇÖt self resolved in a timely manner, customers can - _at their own risk_ - make use of either the self-service mechanism or an Indicator of Compromise (IOC)-based "allow list" capability to unblock the files themselves.
+ > [!WARNING]
-> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
+> Excluding or unblocking files or folders could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule.
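Review bot: The added ransomware paragraphs tell customers they can unblock files through "the self-service mechanism" or an IOC-based "allow list", but neither is linked or named, and the rule is only called "the ransomware rule" with no rule name or GUID, so a reader cannot tell which rule or which procedure is meant. Since the warning that follows states that excluded files run with "no report or event recorded", the unblock paths should point to their documentation so the risk is taken knowingly. In the same text, "error on the side of caution" should be "err on the side of caution", "self resolved" should be hyphenated, and the typographic quotes around "reputation and trust" and the apostrophe in "aren't" are safer written as plain ASCII characters.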
Attack surface reduction supports environment variables and wildcards. For infor
If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md). | Rule description | GUID |
-|:-|:-|:-|
+|:-|:-|
| Block all Office applications from creating child processes | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | | Block execution of potentially obfuscated scripts | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | | Block Win32 API calls from Office macro | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` |
security Defender Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md
The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antiviru
>[!IMPORTANT] >Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings.
-You must configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
+You must configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
If an onboarded device is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
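Review bot: The link to "Manage Microsoft Defender Antivirus updates and apply baselines" moves from an absolute path under /windows/security/threat-protection/microsoft-defender-antivirus/ to the bare relative target `manage-updates-baselines-microsoft-defender-antivirus.md`, which only resolves if that file sits in the same folder as defender-compatibility.md. Confirm the article exists under microsoft-365/security/defender-endpoint/ before merging. The removed URL carried a `.md` suffix that the other absolute link removed in this file does not, so replacing it is right. The open question is only the target location.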
Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.e
The Microsoft Defender Antivirus interface will be disabled, and users on the device will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
-For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](microsoft-defender-antivirus-compatibility.md).
security Exposed Apis List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-list.md
Topic | Description
:|: [Advanced Hunting](run-advanced-query-api.md) | Run queries from API. [Alert methods and properties](alerts.md) | Run API calls such as \- get alerts, create alert, update alert and more.
-[Export assessment methods and properties per device](get-assessmnt-1methods-properties.md) | Run API calls such as \- export secure configuration assessment, export software inventory assessment, and export software vulnerabilities assessment.
+[Export assessment methods and properties per device](get-assessment-methods-properties.md) | Run API calls such as \- export secure configuration assessment, export software inventory assessment, and export software vulnerabilities assessment.
[Automated Investigation methods and properties](investigation.md) | Run API calls such as \- get collection of Investigation. [Get domain related alerts](get-domain-related-alerts.md) | Run API calls such as \- get domain-related devices, domain statistics and more. [File methods and properties](files.md) | Run API calls such as \- get file information, file related alerts, file related devices, and file statistics.
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
+
+ Title: Export assessment methods and properties per device
+description: Provides information about the APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. Since the amount of data can be large, there are two ways it can be retrieved
+keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+
+# Export assessment methods and properties per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
++
+## API description
+
+Provides methods and property details about the APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+
+> [!Note]
+>
+> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+There are three API methods that you can use to retrieve (export) different types of information:
+
+1. Export secure configurations assessment
+
+2. Export software inventory assessment
+
+3. Export software vulnerabilities assessment
+
+For each method, there are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
+
+- **OData** The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+
+ - Call the API to get a list of download URLs with all your organization data.
+
+ - Download all the files using the download URLs and process the data as you like.
+
+Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+
+## 1. Export secure configurations assessment
+
+Returns all of the configurations and their status, on a per-device basis.
+
+### 1.1 Methods
+
+Method | Data type | Description
+:|:|:
+Export secure configuration assessment **(OData)** | Secure configuration by device collection. See: [1.2 Properties (OData)](#12-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export secure configuration assessment **(via files)** | Secure configuration by device collection. See: [1.2 Properties (OData)](#12-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+
+### 1.2 Properties (OData)
+
+Property (ID) | Data type | Description
+:|:|:
+ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls
+ConfigurationId | string | Unique identifier for a specific configuration
+ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10)
+ConfigurationName | string | Display name of the configuration
+ConfigurationSubcategory | string | Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features.
+DeviceId | string | Unique identifier for the device in the service.
+DeviceName | string | Fully qualified domain name (FQDN) of the device.
+IsApplicable | bool | Indicates whether the configuration or policy is applicable
+IsCompliant | bool | Indicates whether the configuration or policy is properly configured
+IsExpectedUserImpact | bool | Indicates whether there will be user impact if the configuration will be applied
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
+RecommendationReference | string | A reference to the recommendation ID related to this software.
+Timestamp | string | Last time the configuration was seen on the device
+
+### 1.3 Properties (via files)
+
+Property (ID) | Data type | Description
+:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime | string | The time that the export was generated.
+
+## 2. Export software inventory assessment
+
+Returns all of the installed software and their details on each device.
+
+### 2.1 Methods
+
+Method | Data type | Description
+:|:|:
+Export software inventory assessment **(OData)** | Software inventory by device collection. See: [2.2 Properties (OData)](#22-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export software inventory assessment **(via files)** | Software inventory by device files. See: [2.3 Properties (via files)](#23-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+
+### 2.2 Properties (OData)
+
+Property (ID) | Data type | Description
+:|:|:
+DeviceId | string | Unique identifier for the device in the service.
+DeviceName | string | Fully qualified domain name (FQDN) of the device.
+DiskPaths | Array[string] | Disk evidence that the product is installed on the device.
+EndOfSupportDate | string | The date in which support for this software has or will end.
+EndOfSupportStatus | string | End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software.
+Id | string | Unique identifier for the record.
+NumberOfWeaknesses | int|Number of weaknesses on this software on this device
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
+RegistryPaths | Array[string] | Registry evidence that the product is installed in the device.
+SoftwareFirstSeenTimestamp | string | The first time this software was seen on the device.
+SoftwareName | string | Name of the software product.
+SoftwareVendor | string | Name of the software vendor.
+SoftwareVersion | string | Version number of the software product.
+
+### 2.3 Properties (via files)
+
+Property (ID) | Data type | Description
+:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime | string | The time that the export was generated.
+
+## 3. Export software vulnerabilities assessment
+
+Returns all the known vulnerabilities on a device and their details, for all devices.
+
+### 3.1 Methods
+
+Method | Data type | Description
+:|:|:
+Export software vulnerabilities assessment **(OData)** | Investigation collection See: [3.2 Properties (OData)](#32-properties-odata) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export software vulnerabilities assessment **(via files)** | Investigation entity See: [3.3 Properties (via files)](#33-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+
+### 3.2 Properties (OData)
+
+Property (ID) | Data type | Description
+:|:|:
+CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
+CvssScore | string | The CVSS score of the CVE.
+DeviceId | string | Unique identifier for the device in the service.
+DeviceName | string | Fully qualified domain name (FQDN) of the device.
+DiskPaths | Array\[string\] | Disk evidence that the product is installed on the device.
+ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
+FirstSeenTimestamp | string | First time the CVE of this product was seen on the device.
+Id | string | Unique identifier for the record.
+LastSeenTimestamp | string | Last time the CVE was seen on the device.
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
+RecommendationReference | string | A reference to the recommendation ID related to this software.
+RecommendedSecurityUpdate | string | Name or description of the security update provided by the software vendor to address the vulnerability.
+RecommendedSecurityUpdateId | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
+Registry Paths Array\[string\] | Registry evidence that the product is installed in the device.
+SoftwareName | string | Name of the software product.
+SoftwareVendor | string | Name of the software vendor.
+SoftwareVersion | string | Version number of the software product.
+VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.
+
+### 3.3 Properties (via files)
+
+Property (ID) | Data type | Description
+:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime | string | The time that the export was generated.
+
+## See also
+
+- [Export secure configuration assessment per device](get-assessment-secure-config.md)
+
+- [Export software inventory assessment per device](get-assessment-software-inventory.md)
+
+- [Export software vulnerabilities assessment per device](get-assessment-software-vulnerabilities.md)
+
+Other related
+
+- [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+- [Vulnerabilities in your organization](tvm-weaknesses.md)
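Review bot: In the 1.1 Methods table the "(via files)" row links to [1.2 Properties (OData)](#12-properties-odata), while the matching rows in 2.1 and 3.1 link to their "Properties (via files)" sections. It should point to the 1.3 section (by the pattern of the other anchors, `#13-properties-via-files`). In 3.2 the row `Registry Paths Array\[string\] | Registry evidence ...` is missing the pipe between the property name and its type and spells the name with a space, unlike `RegistryPaths` in 2.2, so it becomes a two-cell row. The 3.1 data types read "Investigation collection" and "Investigation entity", which looks carried over from another API page, whereas 1.1 and 2.1 use "... by device collection" and "... by device files". Smaller points: the front matter key is written ` Title:` with a leading space and a capital T, the description ends mid-thought at "there are two ways it can be retrieved", `Array[string]` in 2.2 is unescaped while the other occurrences escape the brackets, RecommendationReference in 1.2 is described as "related to this software" inside a configuration table, and "less than 100-K devices" would read better as "fewer than 100,000 devices".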
security Get Assessment Secure Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-secure-config.md
+
+ Title: Export secure configuration assessment per device
+description: Returns an entry for every unique combination of DeviceId, ConfigurationId.
+keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
+
+
+
+# Export secure configuration assessment per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+>
+>
+Returns all of the configurations and their status, on a per-device basis.
+
+There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
+
+- [Export secure configuration assessment **OData**](#1-export-secure-configuration-assessment-odata): The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- [Export secure configuration assessment **via files**](#2-export-secure-configuration-assessment-via-files): This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+
+ - Call the API to get a list of download URLs with all your organization data.
+
+ - Download all the files using the download URLs and process the data as you like.
+
+Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+
+> [!Note]
+>
+> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+## 1. Export secure configuration assessment (OData)
+
+### 1.1 API method description
+
+This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.
+
+#### 1.1.1 Limitations
+
+- Maximum page size is 200,000.
+
+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 1.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+||
+Application | Vulnerability.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Vulnerability.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 1.3 URL
+
+```http
+GET /api/machines/SecureConfigurationsAssessmentByMachine
+```
+
+### 1.4 Parameters
+
+- pageSize \(default = 50,000\) ΓÇô number of results in response
+
+- \$top ΓÇô number of results to return \(doesnΓÇÖt return \@odata.nextLink and therefore doesnΓÇÖt pull all the data\)
+
+### 1.5 Properties
+
+>[!Note]
+>
+>- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+>
+>- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+>
+
+Property (ID) | Data type | Description | Example of a returned value
+:|:|:|:
+ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | Security controls
+ConfigurationId | string | Unique identifier for a specific configuration | scid-10000
+ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) | 9
+ConfigurationName | string | Display name of the configuration | Onboard devices to Microsoft Defender for Endpoint
+ConfigurationSubcategory | string | Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | Onboard Devices
+DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
+IsApplicable | bool | Indicates whether the configuration or policy is applicable | true
+IsCompliant | bool | Indicates whether the configuration or policy is properly configured | false
+IsExpectedUserImpact | bool | Indicates whether there will be user impact if the configuration will be applied | true
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers
+RecommendationReference | string | A reference to the recommendation ID related to this software. | sca-_-scid-20000
+Timestamp | string | Last time the configuration was seen on the device | 2020-11-03 10:13:34.8476880
+
+### 1.6 Examples
+
+#### 1.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pageSize=5
+```
+
+#### 1.6.2 Response example
+
+```json
+{
+    "@odata.context": "api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetConfiguration)",
+    "value": [
+        {
+            "deviceId": "00013ee62c6b12345b10214e1801b217b50ab455c293d",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_5d96860d69c73fdd06fc8d1679e1eb73eceb8330",
+            "osPlatform": "Windows10",
+            "osVersion": "NT kernel 6.x",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-10000",
+            "configurationCategory": "Network",
+            "configurationSubcategory": "",
+            "configurationImpact": 5,
+            "isCompliant": true,
+            "isApplicable": true,
+            "isExpectedUserImpact": false,
+            "configurationName": "Disable insecure administration protocol – Telnet",
+            "recommendationReference": "sca-_-scid-10000"
+        },
+        {
+            "deviceId": "0002a1be533813b9a8c6de739785365bce7910",
+            "rbacGroupName": "hhh",
+            "deviceName": null,
+            "osPlatform": "Windows10",
+            "osVersion": "10.0",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-20000",
+            "configurationCategory": "Security controls",
+            "configurationSubcategory": "Onboard Devices",
+            "configurationImpact": 9,
+            "isCompliant": false,
+            "isApplicable": true,
+            "isExpectedUserImpact": false,
+            "configurationName": "Onboard devices to Microsoft Defender for Endpoint",
+            "recommendationReference": "sca-_-scid-20000"
+        },
+        {
+            "deviceId": "0002a1de123456a8c06de736785395d4ce7610",
+            "rbacGroupName": "hhh",
+            "deviceName": null,
+            "osPlatform": "Windows10",
+            "osVersion": "10.0",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-10000",
+            "configurationCategory": "Network",
+            "configurationSubcategory": "",
+            "configurationImpact": 5,
+            "isCompliant": true,
+            "isApplicable": true,
+            "isExpectedUserImpact": false,
+            "configurationName": "Disable insecure administration protocol – Telnet",
+            "recommendationReference": "sca-_-scid-10000"
+        },
+        {
+            "deviceId": "00044f912345bdaf756492dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663d45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e76bdfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-39",
+            "configurationCategory": "OS",
+            "configurationSubcategory": "",
+            "configurationImpact": 5,
+            "isCompliant": true,
+            "isApplicable": true,
+            "isExpectedUserImpact": false,
+            "configurationName": "Enable 'Domain member: Digitally sign secure channel data (when possible)'",
+            "recommendationReference": "sca-_-scid-39"
+        },
+        {
+            "deviceId": "00044f912345daf759462bde6bd733d6a9c56ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45612eeb224d2de2f5ea3142726e63f16a.DomainPII_21eed80d086e76dbfa178eadfa25e8be9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "timestamp": "2021-01-11 09:47:58.854",
+            "configurationId": "scid-6093",
+            "configurationCategory": "Security controls",
+            "configurationSubcategory": "Antivirus",
+            "configurationImpact": 5,
+            "isCompliant": false,
+            "isApplicable": false,
+            "isExpectedUserImpact": false,
+            "configurationName": "Enable Microsoft Defender Antivirus real-time behavior monitoring for Linux",
+            "recommendationReference": "sca-_-scid-6093"
+        }
+    ],
+    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+}
+```
+
+## 2. Export secure configuration assessment (via files)
+
+### 2.1 API method description
+
+This API response contains the Secure Configuration Assessment on your exposed devices, and returns an entry for every unique combination of DeviceId, ConfigurationId.
+
+#### 2.1.2 Limitations
+
+Rate limitations for this API are 5 calls per minute and 20 calls per hour.
+
+### 2.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Vulnerability.Read.All | \'Read "threat and vulnerability management" vulnerability information\'
+Delegated (work or school account) | Vulnerability.Read | \'Read "threat and vulnerability management" vulnerability information\'
+
+### 2.3 URL
+
+```http
+GET /api/machines/SecureConfigurationsAssessmentExport
+```
+
+### Parameters
+
+- sasValidHours ΓÇô The number of hours that the download URLs will be valid for (Maximum 24 hours).
+
+### 2.5 Properties
+
+>[!Note]
+>
+>- The files are gzip compressed & in multiline Json format.
+>
+>- The download URLs are only valid for 3 hours; otherwise you can use the parameter.
+>
+>- For maximum download speed of your data, you can make sure you are downloading from the same Azure region in which your data resides.
+>
+Property (ID) | Data type | Description | Example of a returned value
+:|:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization | [ Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
+GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z ]
+
+### 2.6 Examples
+
+#### 2.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentExport
+```
+
+#### 2.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#contoso.windowsDefenderATP.api.ExportFilesResponse",
+    "exportFiles": [
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/ScaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
+    ],
+    "generatedTime": "2021-01-11T11:01:00Z"
+}
+```
+
+## See also
+
+- [Export assessment methods and properties per device](get-assessment-methods-properties.md)
+
+- [Export software inventory assessment per device](get-assessment-software-inventory.md)
+
+- [Export software vulnerabilities assessment per device](get-assessment-software-vulnerabilities.md)
+
+Other related
+
+- [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+- [Vulnerabilities in your organization](tvm-weaknesses.md)
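Review bot: In section 2.5 the note "The download URLs are only valid for 3 hours; otherwise you can use the parameter." never names the parameter, and the Parameters heading above it is the only unnumbered heading in section 2 (2.3 is followed directly by 2.5). Name `sasValidHours` in the note and number the heading 2.4. It is also worth stating there that every URL in `exportFiles` carries its own read-only SAS signature (`sr=b&sp=r&sig=...` in the 2.6.2 response), so anyone who holds the link can download the export until it expires; a sentence recommending the shortest `sasValidHours` that covers the download, and keeping the URLs out of logs and tickets, would help. Separately, the 1.5 table and the 1.6.2 response disagree: the table uses PascalCase names and types ConfigurationImpact as string, while the response returns camelCase keys, `"configurationImpact": 5` as a number, and an `osVersion` field the table does not list. The Limitations heading is numbered 2.1.2 with no 2.1.1, the permission display name is written differently in 1.2 and 2.2, and the 2.5 example values have unbalanced quotes and a stray `]` after `2021-05-20T08:00:00Z`.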
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
+
+ Title: Export software inventory assessment per device
+description: Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+
+# Export software inventory assessment per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+>
+>
+There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
+
+- [Export software inventory assessment **OData**](#1-export-software-inventory-assessment-odata) The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- [Export software inventory assessment **via files**](#2-export-software-inventory-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+
+ - Call the API to get a list of download URLs with all your organization data.
+
+ - Download all the files using the download URLs and process the data as you like.
+
+Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+
+> [!Note]
+>
+> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+## 1. Export software inventory assessment (OData)
+
+### 1.1 API method description
+
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+
+#### Limitations
+
+- Maximum page size is 200,000.
+
+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 1.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Software.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Software.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 1.3 URL
+
+```http
+GET /api/machines/SoftwareInventoryByMachine
+```
+
+### 1.4 Parameters
+
+- pageSize (default = 50,000) ΓÇô number of results in response.
+
+- $top ΓÇô number of results to return (doesnΓÇÖt return @odata.nextLink and therefore doesnΓÇÖt pull all the data)
+
+### 1.5 Properties
+
+>[!NOTE]
+>
+>-Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+
+>-The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+>
+>-Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+
+Property (ID) | Data type | Description | Example of a returned value
+:|:|:|:
+DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
+DiskPaths | Array[string] | Disk evidence that the product is installed on the device. | [ "C:\\Program Files (x86)\\Microsoft\\Silverlight\\Application\\silverlight.exe" ]
+EndOfSupportDate | string | The date in which support for this software has or will end. | 2020-12-30
+EndOfSupportStatus | string | End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software. | Upcoming EOS
+Id | string | Unique identifier for the record. | 123ABG55_573AG&mnp!
+NumberOfWeaknesses | int | Number of weaknesses on this software on this device | 3
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers
+RegistryPaths | Array[string] | Registry evidence that the product is installed in the device. | [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Silverlight" ]
+SoftwareFirstSeenTimestamp | string | The first time this software was seen on the device. | 2019-04-07 02:06:47
+SoftwareName | string | Name of the software product. | Silverlight
+SoftwareVendor | string | Name of the software vendor. | microsoft
+SoftwareVersion | string | Version number of the software product. | 81.0.4044.138
+
+### 1.6 Examples
+
+#### 1.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pageSize=5 &sinceTime=2021-05-19T18%3A35%3A49.924Z
+```
+
+#### 1.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(contoso.windowsDefenderATP.api.AssetSoftware)",
+    "value": [
+        {
+            "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": "windows_10",
+            "softwareVersion": "10.0.17763.1637",
+            "numberOfWeaknesses": 58,
+            "diskPaths": [],
+            "registryPaths": [],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "Upcoming EOS Version",
+            "endOfSupportDate": "2021-05-11T00:00:00+00:00"
+        },
+        {
+            "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": ".net_framework",
+            "softwareVersion": "4.0.0.0",
+            "numberOfWeaknesses": 0,
+            "diskPaths": [],
+            "registryPaths": [
+                "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
+            ],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "None",
+            "endOfSupportDate": null
+        },
+        {
+            "deviceId": "00044f68765bbaf712342dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eed80d086e79bdfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": "system_center_2012_endpoint_protection",
+            "softwareVersion": "4.7.214.0",
+            "numberOfWeaknesses": 0,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
+            ],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "None",
+            "endOfSupportDate": null
+        },
+        {
+            "deviceId": "00044f68765ddaf71234bde6bd733d6a9c59ad4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2be2f5ea3142726e63f16a.DomainPII_21eeb80d086e79dbfa178aedfa25e8be9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": "configuration_manager",
+            "softwareVersion": "5.0.8634.1000",
+            "numberOfWeaknesses": 0,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{B7D3A842-E826-4542-B39B-1D883264B279}"
+            ],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "None",
+            "endOfSupportDate": null
+        },
+        {
+            "deviceId": "00044f38765bbaf712342dbe6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18993b45912eeb224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8be9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "softwareVendor": "microsoft",
+            "softwareName": "system_center_2012_endpoint_protection",
+            "softwareVersion": "4.10.209.0",
+            "numberOfWeaknesses": 0,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
+            ],
+            "softwareFirstSeenTimestamp": "2020-12-30 11:07:15",
+            "endOfSupportStatus": "None",
+            "endOfSupportDate": null
+        }
+    ],
+    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0yNS8wMjAwLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+}
+```
+
+## 2. Export software inventory assessment (via files)
+
+### 2.1 API method description
+
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion.
+
+#### 2.1.1 Limitations
+
+Rate limitations for this API are 5 calls per minute and 20 calls per hour.
+
+### 2.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Software.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Software.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 2.3 URL
+
+```http
+GET /api/machines/SoftwareInventoryExport
+```
+
+### Parameters
+
+- sasValidHours ΓÇô The number of hours that the download URLs will be valid for (Maximum 24 hours)
+
+### 2.5 Properties
+
+>[!Note]
+>
+>- The files are gzip compressed & in multiline Json format.
+>
+>- The download URLs are only valid for 3 hours. Otherwise you can use the parameter.
+>
+>_ For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+>
+Property (ID) | Data type | Description | Example of a returned value
+:|:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization | [ Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
+GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z ]
+
+### 2.6 Examples
+
+#### 2.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryExport
+```
+
+#### 2.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+    "exportFiles": [
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/SoftwareInventory/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00394-e423630d-4c69-4490-8769-a4f5468c4f25.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A55%3A51Z&se=2021-01-11T14%3A55%3A51Z&sr=b&sp=r&sig=..."
+    ],
+    "generatedTime": "2021-01-11T11:01:00Z"
+}
+```
+
+## See also
+
+- [Export assessment methods and properties per device](get-assessment-methods-properties.md)
+
+- [Export secure configuration assessment per device](get-assessment-secure-config.md)
+
+- [Export software vulnerabilities assessment per device](get-assessment-software-vulnerabilities.md)
+
+Other related
+
+- [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+- [Vulnerabilities in your organization](tvm-weaknesses.md)
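Review bot: The 1.6.1 request example passes `&sinceTime=2021-05-19T18%3A35%3A49.924Z`, preceded by a stray space, but section 1.4 documents only pageSize and $top, so a reader cannot tell whether sinceTime is supported on this endpoint. Either document it under 1.4 or drop it from the example, and remove the space so the URL can be copied as is. In 1.2 and 2.2 the display name given for Software.Read.All and Software.Read is the same 'Read Threat and Vulnerability Management vulnerability information' string used for the Vulnerability permissions on the secure configuration page, which looks like a copy-paste; please confirm the string, since readers use it to pick the least-privileged permission. In the 1.5 table the EndOfSupportStatus example "Upcoming EOS" is not one of the values listed in its own description, and the EndOfSupportDate example (2020-12-30) does not match the format in the response (`2021-05-11T00:00:00+00:00`). In the notes, `>-Each`, `>-The`, `>-Some` and `>_ For` will not render as list items, and the blank line after the first bullet in 1.5 splits the note block; 2.5 again refers to "the parameter" without naming sasValidHours, and the Parameters heading in section 2 is missing its 2.4 number.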
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
+
+ Title: Export software vulnerabilities assessment per device
+description: The API response is per device and contains vulnerable software installed on your exposed devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information.
+keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+
+# Export software vulnerabilities assessment per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+>
+>
+Returns all known software vulnerabilities and their details for all devices, on a per-device basis.
+
+There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
+
+- [Export software vulnerabilities assessment OData](#1-export-software-vulnerabilities-assessment-odata) The API pulls all data in your organization as Json responses, following the OData protocol. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- [Export software vulnerabilities assessment via files](#2-export-software-vulnerabilities-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+
+ - Call the API to get a list of download URLs with all your organization data.
+
+ - Download all the files using the download URLs and process the data as you like.
+
+Data that is collected (using either _OData_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
+
+> [!Note]
+>
+> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**).
+
+## 1. Export software vulnerabilities assessment (OData)
+
+### 1.1 API method description
+
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID.
+
+#### Limitations
+
+>- Maximum page size is 200,000.
+>
+>- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 1.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+||
+Application | Vulnerability.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Vulnerability.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 1.3 URL
+
+```http
+GET /api/machines/SoftwareVulnerabilitiesByMachine
+```
+
+### 1.4 Parameters
+
+- pageSize (default = 50,000) ΓÇô number of results in response
+- $top ΓÇô number of results to return (doesnΓÇÖt return @odata.nextLink and therefore doesnΓÇÖt pull all the data)
+
+### 1.5 Properties
+>
+>[!Note]
+>
+>- Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+>
+>- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+>
+>- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+>
+
+Property (ID) | Data type | Description | Example of a returned value
+:|:|:|:
+CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. | CVE-2020-15992
+CvssScore | string | The CVSS score of the CVE. | 6.2
+DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
+DiskPaths | Array\[string\] | Disk evidence that the product is installed on the device. | [ "C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe" ]
+ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) | ExploitIsInKit
+FirstSeenTimestamp | string | First time the CVE of this product was seen on the device. | 2020-11-03 10:13:34.8476880
+Id | string | Unique identifier for the record. | 123ABG55_573AG&mnp!
+LastSeenTimestamp | string | Last time the CVE was seen on the device. | 2020-11-03 10:13:34.8476880
+OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
+RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers
+RecommendationReference | string | A reference to the recommendation ID related to this software. | va-_-microsoft-_-silverlight
+RecommendedSecurityUpdate (optional) | string | Name or description of the security update provided by the software vendor to address the vulnerability. | April 2020 Security Updates
+RecommendedSecurityUpdateId (optional) | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles | 4550961
+RegistryPaths | Array\[string\] | Registry evidence that the product is installed in the device. | [ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftSilverlight" ]
+SoftwareName | string | Name of the software product. | chrome
+SoftwareVendor | string | Name of the software vendor. | google
+SoftwareVersion | string | Version number of the software product. | 81.0.4044.138
+VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape. | Medium
+
+### 1.6 Examples
+
+#### 1.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?pageSize=5
+```
+
+#### 1.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetVulnerability)",
+    "value": [
+        {
+            "id": "00044f612345baf759462dbe6db733b6a9c59ab4_edge_10.0.17763.1637__",
+            "deviceId": "00044f612345daf756462bde6bd733b9a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45912eed224b2de2f5ea3142726e63f16a.DomainPII_21eeb80d089e79bdfa178eabfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "edge",
+            "softwareVersion": "10.0.17763.1637",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [],
+            "lastSeenTimestamp": "2020-12-30 14:17:26",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-edge"
+        },
+        {
+            "id": "00044f912345baf756462bde6db733b9a9c56ad4_.net_framework_4.0.0.0__",
+            "deviceId": "00044f912345daf756462bde6db733b6a9c59ad4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eeb80b086e79bdfa178eabfa25e8de6acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": ".net_framework",
+            "softwareVersion": "4.0.0.0",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4.0\\Client\\Install"
+            ],
+            "lastSeenTimestamp": "2020-12-30 13:18:33",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-.net_framework"
+        },
+        {
+            "id": "00044f912345baf756462dbe6db733d6a9c59ab4_system_center_2012_endpoint_protection_4.10.209.0__",
+            "deviceId": "00044f912345daf756462bde6db733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45912eed224b2be2f5ea3142726e63f16a.DomainPII_21eed80b089e79bdfa178eadfa25e8be6acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "system_center_2012_endpoint_protection",
+            "softwareVersion": "4.10.209.0",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client"
+            ],
+            "lastSeenTimestamp": "2020-12-30 14:17:26",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-system_center_2012_endpoint_protection"
+        },
+        {
+            "id": "00044f612345bdaf759462dbe6bd733b6a9c59ab4_onedrive_20.245.1206.2__",
+            "deviceId": "00044f91234daf759492dbe6bd733b6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_189663d45612eed224b2be2f5ea3142729e63f16a.DomainPII_21eed80b086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "onedrive",
+            "softwareVersion": "20.245.1206.2",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_USERS\\S-1-5-21-2944539346-1310925172-2349113062-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
+            ],
+            "lastSeenTimestamp": "2020-12-30 13:18:33",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-onedrive"
+        },
+        {
+            "id": "00044f912345daf759462bde6db733b6a9c56ab4_windows_10_10.0.17763.1637__",
+            "deviceId": "00044f912345daf756462dbe6db733d6a9c59ab4",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_18663b45912eeb224d2be2f5ea3142729e63f16a.DomainPII_21eeb80d086e79bdfa178eadfa25e8de6acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.17763.1637",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "windows_10",
+            "softwareVersion": "10.0.17763.1637",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [],
+            "lastSeenTimestamp": "2020-12-30 14:17:26",
+            "firstSeenTimestamp": "2020-12-30 11:07:15",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-windows_10"
+        }
+    ],
+    "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+}
+```
+
+## 2. Export software vulnerabilities assessment (via files)
+
+### 2.1 API method description
+
+This API response contains all the data of installed software per device. Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CVEID.
+
+#### 2.1.2 Limitations
+
+Rate limitations for this API are 5 calls per minute and 20 calls per hour.
+
+### 2.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details](apis-intro.md).
+
+Permission type | Permission | Permission display name
+||
+Application | Vulnerability.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | Vulnerability.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+### 2.3 URL
+
+```http
+GET /api/machines/SoftwareVulnerabilitiesExport
+```
+
+### 2.4 Parameters
+
+- sasValidHours ΓÇô The number of hours that the download URLs will be valid for (Maximum 24 hours)
+
+### 2.5 Properties
+
+>[!Note]
+>
+>- The files are gzip compressed & in multiline Json format.
+>
+>- The download URLs are only valid for 3 hours; otherwise you can use the parameter.
+>
+>- For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+>
+
+>[!Note]
+>
+>- Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+>
+>- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+>
+
+Property (ID) | Data type | Description | Example of a returned value
+:|:|:|:
+Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization. | [ ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
+GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z
+
+### 2.6 Examples
+
+#### 2.6.1 Request example
+
+```http
+GET https://api-us.securitycenter.contoso.com/api/machines/SoftwareVulnerabilitiesExport
+```
+
+#### 2.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+    "exportFiles": [
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c000.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c001.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=...",
+        "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export/2021-01-11/1101/VaExport/json/OrgId=12345678-195f-4223-9c7a-99fb420fd000/part-00393-bcc26c4f-e531-48db-9892-c93ac5d72d5c.c002.json.gz?sv=2019-12-12&st=2021-01-11T11%3A35%3A13Z&se=2021-01-11T14%3A35%3A13Z&sr=b&sp=r&sig=..."
+    ],
+    "generatedTime": "2021-01-11T11:01:00Z"
+}
+```
+
+## See also
+
+- [Export assessment methods and properties per device](get-assessment-methods-properties.md)
+
+- [Export secure configuration assessment per device](get-assessment-secure-config.md)
+
+- [Export software inventory assessment per device](get-assessment-software-inventory.md)
+
+Other related
+
+- [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+- [Vulnerabilities in your organization](tvm-weaknesses.md)
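Review bot: In section 2.5 the second note tells readers to weigh the roughly 1 KB record size "when choosing the correct pageSize parameter", but section 2.4 defines only `sasValidHours` for the files export, so the sentence looks carried over from section 1.5 and should be dropped or reworded. The first note in 2.5 has a related gap: "The download URLs are only valid for 3 hours; otherwise you can use the parameter" never names the parameter, and should say `sasValidHours` (maximum 24 hours per 2.4). Two smaller points: the 1.5 table lists PascalCase IDs (`CveId`, `DeviceId`) and includes `CvssScore`, while the 1.6.2 response uses camelCase keys and has no `cvssScore` field, so say which casing callers should expect. Also, the 2.6.1 request uses the host `api-us.securitycenter.contoso.com` while the other URLs in the article use `api.securitycenter.microsoft.com`. Because the `exportFiles` URLs carry a read SAS signature (`sp=r&sig=...`), one sentence telling readers to treat them as credentials until they expire would also help.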
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 06/03/2021 Last updated : 06/04/2021 # Manage Microsoft Defender Antivirus updates and apply baselines
All our updates contain
- integration improvements (Cloud, Microsoft 365 Defender). <br/> <details>
+<summary> May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)</summary>
+
+&ensp;Security intelligence update version: **1.341.8.0**
+&ensp;Released: **June 4, 2021**
+&ensp;Platform: **4.18.2105.4**
+&ensp;Engine: **1.1.18200.4**
+&ensp;Support phase: **Security and Critical Updates**
+
+### What's new
+- Improvements to behavior monitoring
+
+### Known Issues
+No known issues
+<br/>
+</details><details>
<summary> April-2021 (Platform: 4.18.2104.14 | Engine: 1.1.18100.5)</summary> &ensp;Security intelligence update version: **1.337.2.0**
All our updates contain
### Known Issues No known issues <br/>
-</details>
-
-<details>
+</details><details>
<summary> March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)</summary> &ensp;Security intelligence update version: **1.335.36.0**
No known issues
### Known Issues No known issues <br/>
-</details><details>
+</details>
+
+### Previous version updates: Technical upgrade support only
+
+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
+<br/><br/>
+<details>
<summary> February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)</summary> &ensp;Security intelligence update version: **1.333.7.0** &ensp;Released: **March 9, 2021** &ensp;Platform: **4.18.2102.3** &ensp;Engine: **1.1.17900.7**
-&ensp;Support phase: **Security and Critical Updates**
+&ensp;Support phase: **Technical upgrade support (only)**
### What's new
No known issues
### Known Issues No known issues <br/>
-</details>
-
-### Previous version updates: Technical upgrade support only
-
-After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
-<br/><br/>
-<details>
+</details><details>
<summary> January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)</summary> &ensp;Security intelligence update version: **1.327.1854.0**
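Review bot: The relocated "Previous version updates" text uses three names for what appears to be one support phase: the heading says "Technical upgrade support only", the paragraph says "technical support only" and then "technical upgrade support only", and the February-2021 entry now reads "Technical upgrade support (only)". Pick one term and use it in the heading, the paragraph and each entry's Support phase line, so readers can tell whether the "previous two versions" and the versions listed under this heading get the same level of support.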
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
If you are an organization using [Microsoft Defender for Endpoint](/microsoft-36
- [Manage tamper protection using Intune](#manage-tamper-protection-for-your-organization-using-intune) - [Manage tamper protection using Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)-- [Manage tamper protection using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) (currently in preview)
+- [Manage tamper protection using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center)
### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
security Raw Data Export https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export.md
## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
-Defender for Endpoint supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/event-hubs/).
+
+Microsoft Defender for Endpoint supports streaming events available through [Advanced Hunting](../defender/advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/storage/common/storage-account-overview).
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga]
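Review bot: The rewritten sentence drops "all" ("streaming all the events" becomes "streaming events") without saying which Advanced Hunting events are not streamed. If the narrowing is intentional, link to or list the supported event types; otherwise keep the original wording. The storage link now correctly points at `/azure/storage/common/storage-account-overview` instead of the Event Hubs page, but "to an [Event Hubs]" still reads awkwardly and could become "to Azure Event Hubs".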
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
localization_priority: Normal
Previously updated : 05/05/2021 Last updated : 06/04/2021 ms.technology: mde
# Configure and run on-demand Microsoft Defender Antivirus scans - **Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
Quick scan looks at all the locations where there could be malware registered to
> [!IMPORTANT] > Microsoft Defender Antivirus runs in the context of the [LocalSystem](/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
-Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
-
-In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Always-on, real-time protection reviews files when they're opened and closed, and whenever a user navigates to a folder. By default, quick scans run on mounted removable devices, such as USB drives. In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection.
-A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is ideal if your organization is running on-demand scans.
+A full scan can be useful when a malware threat is reported on an endpoint. The scan can identify whether there are any inactive components that require a more thorough clean-up. However, Microsoft generally recommends using quick scans instead of full scans. A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.
-> [!NOTE]
-> By default, quick scans run on mounted removable devices, such as USB drives.
+> [!TIP]
+> To learn more about the differences between quick and full scans, see [Quick scan versus full scan and custom scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md#quick-scan-versus-full-scan-and-custom-scan).
## Use Microsoft Endpoint Manager to run a scan
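Review bot: The new full-scan paragraph says a full scan "can be useful when a malware threat is reported on an endpoint" and then that "Microsoft generally recommends using quick scans instead of full scans", which leaves the reader without a rule for when a full scan is still the right choice. State the condition under which a full scan is recommended in this paragraph, rather than leaving it to the linked comparison in the TIP. Also consider keeping "By default, quick scans run on mounted removable devices, such as USB drives" as its own callout. Folded into the middle of the real-time protection paragraph, that default is easy to miss.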
security Scheduled Catch Up Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus.md
localization_priority: Normal
Previously updated : 05/05/2021 Last updated : 06/04/2021 ms.technology: mde
Use the following table to choose a scan type.
|Scenario |Recommended scan type | ||| |You want to set up regular, scheduled scans | Quick scan <p>A quick scan checks the processes, memory, profiles, and certain locations on the device. Combined with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they are opened and closed, and whenever a user navigates to a folder. |
-|Threats, such as malware, are detected on a device | Full scan <p>A full scan can help identify whether there are any inactive components that require a more thorough clean-up. |
-|You want to run an [on-demand scan](run-scan-microsoft-defender-antivirus.md) | Full scan <p>A full scan looks at all files on the device disk, including files that are stale, archived, and not accessed on a daily basis. |
+|Threats, such as malware, are detected on an individual device | Quick scan <p>In most cases, a quick scan will catch and clean up detected malware. |
+|You want to run an [on-demand scan](run-scan-microsoft-defender-antivirus.md) | Quick scan |
| You want to make sure a portable device, such as a USB drive, does not contain malware | Custom scan <p>A custom scan enables you to select specific locations, folders, or files and runs a quick scan. | ### What else do I need to know about quick and full scans?
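Review bot: After this change no row of the table recommends a full scan, although the lead-in says the table is for choosing a scan type and the next heading still asks about "quick and full scans". Add a row that says when a full scan is appropriate, or state plainly that it is not a recommended default. The on-demand row is also the only one left with no explanation after the scan type ("Quick scan |"); give it a one-line reason like the other rows.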
security Whats New In Microsoft Defender Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-atp.md
ms.technology: mde
The following features are generally available (GA) in the latest release of Microsoft Defender for Endpoint as well as security features in Windows 10 and Windows Server.
-For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
+For more information on preview features, see [Preview features](preview.md).
> [!TIP]
For more information preview features, see [Preview features](https://docs.micro
> https://docs.microsoft.com/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet= > ```
+## March 2021
+- [Manage tamper protection using the Microsoft Defender Security Center](prevent-changes-to-security-settings-with-tamper-protection.md#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) <br> You can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*.
## January 2021
For more information preview features, see [Preview features](https://docs.micro
## April 2020 -- [Threat & Vulnerability Management API support](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exposed-apis-list) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+- [Threat & Vulnerability Management API support](exposed-apis-list.md) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
## November-December 2019 - [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md) <BR> Microsoft Defender for Endpoint on macOS brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](microsoft-defender-endpoint-mac.md). -- [Threat & Vulnerability Management application and application version end-of-life information](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-security-recommendation) <BR>Applications and application versions which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
+- [Threat & Vulnerability Management application and application version end-of-life information](tvm-security-recommendation.md) <BR>Applications and application versions which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
-- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference) <BR>Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
+- [Threat & Vulnerability Management Advanced Hunting Schemas](advanced-hunting-schema-reference.md) <BR>Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
+ - [Threat & Vulnerability Management role-based access controls](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR>Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
- [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
For more information preview features, see [Preview features](https://docs.micro
## September 2019 -- [Tamper Protection settings using Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection#turn-tamper-protection-on-or-off-for-your-organization-using-intune)<br/>You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
+- [Tamper Protection settings using Intune](prevent-changes-to-security-settings-with-tamper-protection.md)<br/>You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
- [Live response](live-response.md)<BR> Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time. - [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. -- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) <BR> You can now onboard Windows Server 2008 R2 SP1.
+- [Windows Server 2008 R2 SP1](configure-server-endpoints.md) <BR> You can now onboard Windows Server 2008 R2 SP1.
## June 2019
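Review bot: Both replaced links in this hunk lose their section anchors: the Tamper Protection entry used to land on `#turn-tamper-protection-on-or-off-for-your-organization-using-intune` and the Windows Server 2008 R2 SP1 entry on `#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016`, and both now open the top of the article. Keep a deep link in the relative form. For tamper protection, the Intune section is referenced elsewhere in this update as `#manage-tamper-protection-for-your-organization-using-intune`, so appending that anchor to `prevent-changes-to-security-settings-with-tamper-protection.md` would preserve the original target.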
For more information preview features, see [Preview features](https://docs.micro
## May 2019 -- [Threat protection reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)<BR>The threat protection report provides high-level information about alerts generated in your organization.
+- [Threat protection reports](threat-protection-reports.md)<BR>The threat protection report provides high-level information about alerts generated in your organization.
-- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)<BR> Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
+- [Microsoft Threat Experts](microsoft-threat-experts.md)<BR> Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
-- [Indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/ti-indicator) <BR> APIs for indicators are now generally available.
+- [Indicators](ti-indicator.md) <BR> APIs for indicators are now generally available.
-- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/partner-applications) <BR> Microsoft Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
+- [Interoperability](partner-applications.md) <BR> Microsoft Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
## April 2019-- [Microsoft Threat Experts Targeted Attack Notification capability](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts#targeted-attack-notification) <BR> Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much information as can be quickly delivered thus bringing attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion.
+- [Microsoft Threat Experts Targeted Attack Notification capability](microsoft-threat-experts.md) <BR> Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much information as can be quickly delivered thus bringing attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion.
-- [Microsoft Defender for Endpoint API](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/apis-intro) <BR> Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities.
+- [Microsoft Defender for Endpoint API](apis-intro.md) <BR> Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities.
## February 2019-- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue) <BR> Incident is a new entity in Microsoft Defender for Endpoint that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
+- [Incidents](view-incidents-queue.md) <BR> Incident is a new entity in Microsoft Defender for Endpoint that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)<BR> Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
+- [Onboard previous versions of Windows](onboard-downlevel.md)<BR> Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
## October 2018-- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<BR>All Attack surface reduction rules are now supported on Windows Server 2019.
+- [Attack surface reduction rules](attack-surface-reduction.md)<BR>All Attack surface reduction rules are now supported on Windows Server 2019.
-- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)<BR> Controlled folder access is now supported on Windows Server 2019.
+- [Controlled folder access](enable-controlled-folders.md)<BR> Controlled folder access is now supported on Windows Server 2019.
-- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<BR>With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules.
+- [Custom detection](manage-indicators.md)<BR>With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules.
-- [Integration with AAzure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<BR> Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
+- [Integration with Azure Defender](configure-server-endpoints.md)<BR> Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
-- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)<BR> Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
+- [Managed security service provider (MSSP) support](mssp-support.md)<BR> Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)<BR>Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs. -- [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)<BR> iOS and Android devices are now supported and can be onboarded to the service.
+- [Support for iOS and Android devices](configure-endpoints-non-windows.md)<BR> iOS and Android devices are now supported and can be onboarded to the service.
-- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)<BR>
+- [Threat analytics](threat-analytics.md)<BR>
Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - New in Windows 10 version 1809, there are two new attack surface reduction rules: - Block Adobe Reader from creating child processes - Block Office communication application from creating child processes. -- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/). - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security.
- - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus) for Microsoft Defender Antivirus scans.
+ - [Configure CPU priority settings](configure-advanced-scan-types-microsoft-defender-antivirus.md) for Microsoft Defender Antivirus scans.
## March 2018-- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) <BR>
+- [Advanced Hunting](advanced-hunting-overview.md) <BR>
Query data using advanced hunting in Microsoft Defender for Endpoint. -- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<BR>
+- [Attack surface reduction rules](/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<BR>
New attack surface reduction rules: - Use advanced protection against ransomware - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Query data using advanced hunting in Microsoft Defender for Endpoint.
- Block untrusted and unsigned processes that run from USB - Block executable content from email client and webmail -- [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<BR> Use Automated investigations to investigate and remediate threats.
+- [Automated investigation and remediation](automated-investigations.md)<BR> Use Automated investigations to investigate and remediate threats.
>[!NOTE] >Available from Windows 10, version 1803 or later. -- [Conditional Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) <br> Enable conditional access to better protect users, devices, and data.
+- [Conditional Access](conditional-access.md) <br> Enable conditional access to better protect users, devices, and data.
-- [Microsoft Defender for Endpoint Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)<BR>
+- [Microsoft Defender for Endpoint Community center](community.md)<BR>
The Microsoft Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product. -- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)<BR>
+- [Controlled folder access](enable-controlled-folders.md)<BR>
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access. -- [Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)<BR>
+- [Onboard non-Windows devices](configure-endpoints-non-windows.md)<BR>
Microsoft Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. -- [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)<BR>
+- [Role-based access control (RBAC)](rbac.md)<BR>
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. -- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)<BR>
-Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)<BR>
+Microsoft Defender Antivirus now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md).
- Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
+ Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
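Review bot: the "Custom detection" entry under October 2018 now links to manage-indicators.md, but its text describes custom detection rules built from advanced hunting queries, so the new target looks like the wrong article; point it at the custom detections overview article instead. The April 2019 Targeted Attack Notification link also drops the #targeted-attack-notification fragment and now lands at the top of microsoft-threat-experts.md, and the March 2018 "Attack surface reduction rules" link keeps a site-absolute /windows/... path while the same entry under October 2018 uses attack-surface-reduction.md; both should be made consistent with the rest of the file.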
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
Alert source | Prepended character
Microsoft Defender for Office 365 | `fa{GUID}` <br> Example: `fa123a456b-c789-1d2e-12f1g33h445h6i` Microsoft Defender for Endpoint | `da` or `ed` for custom detection alerts <br> Microsoft Defender for Identity | `aa{GUID}` <br> Example: `aa123a456b-c789-1d2e-12f1g33h445h6i`
-Microsoft Cloud App Security |`ca{GUID}` <br> Example: `aa123a456b-c789-1d2e-12f1g33h445h6i`
+Microsoft Cloud App Security |`ca{GUID}` <br> Example: `ca123a456b-c789-1d2e-12f1g33h445h6i`
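Review bot: the corrected `ca` example is still not a well-formed GUID: `123a456b-c789-1d2e-12f1g33h445h6i` has four groups and contains the non-hex characters g, h and i, and the same string is reused in the `fa` and `aa` rows. Anyone building an alert ID filter or parser from this table would be misled; use a well-formed placeholder GUID in all three examples, and add an example to the Microsoft Defender for Endpoint `da`/`ed` row, which currently has none.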
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
audience: ITPro
- M365-security-compliance - m365initiative-m365-defender
+ - incidentresponse
+ - m365solution-incidentresponse
+ - m365solution-overview
search.appverid: - MOE150
security M365d Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-action-center.md
Title: Go to the Action center to view and approve your automated investigation and remediation tasks
-description: Use the Action Center to view details about automated investigation and approve pending actions
-keywords: Action Center, threat protection, investigation, alert, pending, automated, detection
+description: Use the Action center to view details about automated investigation and approve pending actions
+keywords: Action center, threat protection, investigation, alert, pending, automated, detection
search.appverid: met150 ms.prod: m365-security ms.mktglfcycl: deploy
The unified Action center ([https://security.microsoft.com/action-center](https:
For example: - If you were previously using the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), try the unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).-- If you were using the Action Center in the Microsoft Defender Security Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)), try the unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
+- If you were using the Action center in the Microsoft Defender Security Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)), try the unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
- If you were already using the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), you'll see several improvements in the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)). The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions and provides a unified investigation experience. Your security operations team has a "single pane of glass" experience to view and manage remediation actions.
security M365d Autoir Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-actions.md
Title: View and manage actions in the Action center
-description: Use the Action Center to view and manage remediation actions
+description: Use the Action center to view and manage remediation actions
keywords: action, center, autoair, automated, investigation, response, remediation search.appverid: met150 ms.prod: m365-security
It's important to approve (or reject) pending actions as soon as possible so tha
2. In the navigation pane, choose **Action center**.
-3. In the Action Center, on the **Pending** tab, select an item in the list. Its flyout pane opens. Here's an example.
+3. In the Action center, on the **Pending** tab, select an item in the list. Its flyout pane opens. Here's an example.
![Approve or reject an action](../../media/air-actioncenter-itemselected.png)
security M365d Configure Auto Investigation Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-configure-auto-investigation-response.md
Security settings in Office 365 help protect email and content. To view or chang
1. In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies & Rules** \> **Threat policies**. 2. Make sure all of the following policies are configured. To get help and recommendations, see [Protect against threats](/microsoft-365/security/office-365-security/protect-against-threats).
- - [Anti-malware)](../office-365-security/protect-against-threats.md#part-1anti-malware-protection-in-eop)
- - [Anti-phishing)](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection)
+ - [Anti-malware](../office-365-security/protect-against-threats.md#part-1anti-malware-protection-in-eop)
+ - [Anti-phishing](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection-in-eop-and-defender-for-office-365)
- [Safe Attachments](../office-365-security/protect-against-threats.md#safe-attachments-policies-in-microsoft-defender-for-office-365) - [Safe Links](../office-365-security/protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365) - [Anti-spam](../office-365-security/protect-against-threats.md#part-3anti-spam-protection-in-eop)
security M365d Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-remediation-actions.md
The following table summarizes remediation actions that are currently supported
|:|:| |- Collect investigation package <br/>- Isolate device (this action can be undone)<br/>- Offboard machine <br/>- Release code execution <br/>- Release from quarantine <br/>- Request sample <br/>- Restrict code execution (this action can be undone) <br/>- Run antivirus scan <br/>- Stop and quarantine |- Block URL (time-of-click)<br/>- Soft delete email messages or clusters<br/>- Quarantine email<br/>- Quarantine an email attachment<br/>- Turn off external mail forwarding |
-Remediation actions, whether pending approval or already complete, can be viewed in the [Action Center](m365d-action-center.md).
+Remediation actions, whether pending approval or already complete, can be viewed in the [Action center](m365d-action-center.md).
## Remediation actions that follow automated investigations
security Microsoft 365 Defender Integration With Azure Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-integration-with-azure-sentinel.md
Here's how it works.
## Next steps
-1. Get a better understanding of [Microsoft 365 Defender integration with Azure Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration).
+1. Get a deeper understanding of [Microsoft 365 Defender integration with Azure Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration).
2. [Connect data from Microsoft 365 Defender to Azure Sentinel](/azure/sentinel/connect-microsoft-365-defender). ## See also
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
Proactively search for threats, malware, and malicious activity across your endp
Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft 365 Defender can help security teams by automatically responding to specific events.
-[Learn more about Action Center](m365d-action-center.md)
+[Learn more about Action center](m365d-action-center.md)
#### Threat Analytics
security Overview Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/overview-security-center.md
Microsoft 365 security center helps security teams investigate and respond to at
- Incidents & alerts - Hunting-- Action Center
+- Action center
- Threat analytics The Microsoft 365 security center emphasizes *unity, clarity, and common goals* as it merges Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. The merge was based on the priorities listed below, and made without sacrificing the capabilities that each security suite brought to the combination of:
security Streaming Api Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-event-hub.md
Title: Stream Microsoft 365 Defender events to Azure Event Hubs
+ Title: Stream Microsoft 365 Defender events to Azure Event Hub
description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to your Event Hub.
-keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+keywords: raw data export, streaming API, API, Azure Event Hub, Azure storage, storage account, Advanced Hunting, raw data sharing
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
-# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hubs
+# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
[!include[Prerelease information](../../includes/prerelease.md)]
-## Before you begin:
+## Before you begin
-1. Create an [event hub](/azure/event-hubs/) in your tenant.
+1. Create an [Event hub](/azure/event-hubs/) in your tenant.
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
-3. Create an Event Hub Namespace, go to **Event Hubs > Add** and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see [Pricing - Event Hubs | Microsoft Azure](https://azure.microsoft.com/en-us/pricing/details/event-hubs/).
+3. Create an Event Hub Namespace, go to **Event Hub > Add** and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see [Pricing - Event Hub | Microsoft Azure](https://azure.microsoft.com/en-us/pricing/details/event-hubs/).
-4. Once the event hub namespace is created you will need to add the App Registration Service Principal as Reader, Azure Event Hubs Data Receiver and the user who will be logging into Microsoft 365 Defender as Contributor (this can also be done at Resource Group or Subscription level). Go to **Event hubs namespace > Access control (IAM) > Add** and verify under **Role assignements**.
+### Add contributor permissions
+Once the Event Hub namespace is created you will need to add the App Registration Service Principal as Reader, Azure Event Hub Data Receiver, and the user who will be logging into Microsoft 365 Defender as Contributor (this can also be done at Resource Group or Subscription level).
-## Enable raw data streaming:
+Go to **Event hubs namespace > Access control (IAM) > Add** and verify under **Role assignments**.
+
+## Enable raw data streaming
1. Log in to the [Microsoft 365 Defender security center](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.
-2. Go to the [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export).
+2. Go to the [Streaming API settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export).
3. Click on **Add**. 4. Choose a name for your new settings.
-5. Choose **Forward events to Azure Event Hubs**.
+5. Choose **Forward events to Azure Event Hub**.
-6. You can select if you want to export the event data to a single event hub, or to export each event table to a different even hub in your event hub namespace.
+6. You can select if you want to export the event data to a single Event Hub, or to export each event table to a different event hub in your Event Hub namespace.
-7. To export the event data to a single event hub, Enter your **Event Hub name** and your **Event Hub resource ID**.
+7. To export the event data to a single Event Hub, enter your **Event Hub name** and your **Event Hub resource ID**.
- To get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > **Properties** tab > copy the text under **Resource ID**:
+ To get your **Event Hub resource ID**, go to your Azure Event Hub namespace page on [Azure](https://ms.portal.azure.com/) > **Properties** tab > copy the text under **Resource ID**:
- ![Image of event hub resource Id1](../defender-endpoint/images/event-hub-resource-id.png)
+ ![Image of Event Hub resource Id1](../defender-endpoint/images/event-hub-resource-id.png)
8. Choose the events you want to stream and click **Save**.
-## The schema of the events in Azure Event Hubs:
+## The schema of the events in Azure Event Hub
``` {
ms.technology: mde
} ``` -- Each event hub message in Azure Event Hubs contains list of records.
+- Each Event Hub message in Azure Event Hub contains list of records.
- Each record contains the event name, the time Microsoft 365 Defender received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
ms.technology: mde
- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well.
-9. To export each event table to a different event hub, simply leave the **Event hub name** empty, and Microsoft 365 Defender will do the rest.
-## Data types mapping:
+
+## Data types mapping
To get the data types for event properties do the following:
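Review bot: deleting step 9 removes the only instruction for the per-table option that step 6 still offers ("export each event table to a different event hub"). Keep the sentence about leaving the Event Hub name empty and move it next to step 6 or 7 under "Enable raw data streaming", so the procedure stays complete.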
To get the data types for event properties do the following:
- Here is an example for Device Info event:
- ![Image of event hub resource Id2](../defender-endpoint/images/machine-info-datatype-example.png)
+ ![Image of Event Hub resource Id2](../defender-endpoint/images/machine-info-datatype-example.png)
## Related topics - [Overview of Advanced Hunting](advanced-hunting-overview.md) - [Microsoft 365 Defender streaming API](streaming-api.md) - [Stream Microsoft 365 Defender events to your Azure storage account](streaming-api-storage.md)-- [Azure Event Hubs documentation](/azure/event-hubs/)-- [Troubleshoot connectivity issues - Azure Event Hubs](/azure/event-hubs/troubleshooting-guide)
+- [Azure Event Hub documentation](/azure/event-hubs/)
+- [Troubleshoot connectivity issues - Azure Event Hub](/azure/event-hubs/troubleshooting-guide)
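Review bot: renaming "Azure Event Hubs" to "Azure Event Hub" in these Related topics link titles, and in the title, keywords and headings earlier in this file, moves away from the service's name as the /azure/event-hubs/ targets spell it, and it also alters the role name in the permissions step from "Azure Event Hubs Data Receiver" to "Azure Event Hub Data Receiver", which is the string an admin has to find under Access control (IAM). The result is also inconsistent: "Event hub" in step 1, "event hub" in step 6, and "Event hubs namespace" in the IAM path. Keep the product and role names as they were and use one casing for an individual event hub. Separately, the new "Add contributor permissions" heading covers three assignments (Reader, Data Receiver, Contributor); name it for role assignment in general, and consider recommending the namespace scope over Resource Group or Subscription so the Contributor grant stays narrow.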
security Streaming Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api.md
ms.technology: mde
## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
-Microsoft 365 Defender supports streaming all the events available through [Advanced Hunting](../defender/advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/event-hubs/).
+Microsoft 365 Defender supports streaming events through [Advanced Hunting](../defender/advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/event-hubs/).
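Review bot: the new wording "supports streaming events through Advanced Hunting" reads as if Advanced Hunting were the transport, and it drops the scope the old sentence stated ("all the events available through"). If the scope really changed, say which events are streamed; otherwise keep the original phrasing. The "Azure storage account" link still points at /azure/event-hubs/ on both the removed and added lines, and the heading above keeps "Event Hubs" while the streaming-api-event-hub.md change in this same batch renames it to "Event Hub".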
security Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/troubleshoot.md
This section addresses issues that might arise as you use the Microsoft 365 Defe
## I don't see Microsoft 365 Defender content
-If you don't see capabilities on the navigation pane such as the Incidents, Action Center, or Hunting in your portal, you'll need to verify that your tenant has the appropriate licenses.
+If you don't see capabilities on the navigation pane such as the Incidents, Action center, or Hunting in your portal, you'll need to verify that your tenant has the appropriate licenses.
For more information, see [Prerequisites](prerequisites.md).
security Configuration Analyzer For Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Configuration analyzer in the Security & Compliance center provides a central location to find and fix security policies where the settings are below the Standard protection and Strict protection profile settings in [preset security policies](preset-security-policies.md).
+Configuration analyzer in the Microsoft 365 security center provides a central location to find and fix security policies where the settings are below the Standard protection and Strict protection profile settings in [preset security policies](preset-security-policies.md).
The following types of policies are analyzed by the configuration analyzer:
The following types of policies are analyzed by the configuration analyzer:
- **Microsoft Defender for Office 365 policies**: This includes organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions: - Anti-phishing policies in Microsoft Defender for Office 365, which include:- - The same [spoof settings](set-up-anti-phishing-policies.md#spoof-settings) that are available in the EOP anti-phishing policies. - [Impersonation settings](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) - [Advanced phishing thresholds](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365)- - [Safe Links policies](set-up-safe-links-policies.md).- - [Safe Attachments policies](set-up-safe-attachments-policies.md). The **Standard** and **Strict** policy setting values that are used as baselines are described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md). ## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Configuration analyzer** page, use <https://protection.office.com/configurationAnalyzer>.
+- You open the security center at <https://security.microsoft.com>. To go directly to the **Configuration analyzer** page, use <https://security.microsoft.com/configurationAnalyzer>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). -- You need to be assigned permissions in the Security & Compliance Center before you can do the procedures in this article:
+- You need to be assigned permissions in the security center before you can do the procedures in this article:
- To use the configuration analyzer **and** make updates to security policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups. - For read-only access to the configuration analyzer, you need to be a member of the **Global Reader** or **Security Reader** role groups.
- For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+ For more information, see [Permissions in the Microsoft 365 security center](permissions-microsoft-365-security-center.md).
> [!NOTE] >
- > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ > - Adding users to the corresponding Azure Active Directory role gives users the required permissions in the security center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
> > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
-## Use the configuration analyzer in the Security & Compliance Center
+## Use the configuration analyzer in the security center
-In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Configuration analyzer**.
-
-![Configuration analyzer widget on the Threat management \> Policy page](../../media/configuration-analyzer-widget.png)
+In the security center, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Templated policies** section \> **Configuration analyzer**.
The configuration analyzer has two main tabs: -- **Settings and recommendations**: You pick Standard or Strict and compare those settings to your existing security policies. In the results, you can adjust the values of your settings to bring them up to the same level as Standard or Strict.-
+- **Settings and recommendations**: You pick **Standard** or **Strict** and compare those settings to your existing security policies. In the results, you can adjust the values of your settings to bring them up to the same level as Standard or Strict.
- **Configuration drift analysis and history**: This view allows you to track policy changes over time. ### Setting and recommendations tab in the configuration analyzer
-By default, the tab opens on the comparison to the Standard protection profile. You can switch to the comparison of the Strict protection profile by clicking **View Strict recommendations**. To switch back, select **View Standard recommendations**.
+By default, the tab opens on the comparison to the Standard protection profile. You can switch to the comparison of the Strict protection profile by selecting **View Strict recommendations**. To switch back, select **View Standard recommendations**.
![Settings and recommendations view in the Configuration analyzer](../../media/configuration-analyzer-settings-and-recommendations-view.png)
By default, the **Policy group/setting name** column contains a collapsed view o
- **Anti-spam** - **Anti-phishing** - **Anti-malware**-- **ATP Safe Attachments** (if your subscription includes Microsoft Defender for Office 365)-- **ATP Safe Links** (if your subscription includes Microsoft Defender for Office 365)
+- **Safe Attachments** (if your subscription includes Microsoft Defender for Office 365)
+- **Safe Links** (if your subscription includes Microsoft Defender for Office 365)
In the default view, everything is collapsed. Next to each policy, there's a summary of comparison results from your policies (which you can modify) and the settings in the corresponding policies for the Standard or Strict protection profiles (which you can't modify). You'll see the following information for the protection profile that you're comparing to:
If you expand **Policy group/setting name**, all of the policies and the associa
If the comparison has no recommendations for improvement (green), expanding the policy reveals nothing. If there are any number of recommendations for improvement (amber or red), the settings that require attention are revealed, and corresponding information is revealed in the following columns: -- The name of the setting that requires your attention. For example, in the previous screenshot, it's the **Bulk email threshold** in an anti-spam policy.-
+- **Policy group/setting name**: The name of the setting that requires your attention. For example, in the previous screenshot, it's the settings in the default anti-spam policy.
- **Policy**: The name of the affected policy that contains the setting.- - **Applied to**: The number of users that the affected policies are applied to.--- **Current configuration**: The current value of the setting.-
+- **Current configuration**: The current value of the setting. For the default policy of that type that applies to all recipients, this value is blank.
- **Last modified**: The date that the policy was last modified.- - **Recommendations**: The value of the setting in the Standard or Strict protection profile. To change the value of the setting in your policy to match the recommended value in the protection profile, click **Adopt**. If the change is successful, you'll see the message: **Recommendations successfully adopted**. Click **Refresh** to see the reduced number of recommendations, and the removal of the specific setting/policy row from the results. ### Configuration drift analysis and history tab in the configuration analyzer
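Review bot: on the added **Policy group/setting name** bullet, the description still says it is "the name of the setting that requires your attention", but the example was changed from a concrete setting (**Bulk email threshold**) to "the settings in the default anti-spam policy", which names a policy rather than a setting. Either give a setting name from the screenshot or reword the description so it matches what the column shows.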
This tab allows you to track the changes that you've made to your custom securit
- **Setting Name** - **Policy** - **Type**
+- **Configuration change**
+- **Configuration drift**: The value **Increase** or **Decrease**.
To filter the results, click **Filter**. In the **Filters** flyout that appears, you can select from the following filters:
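Review bot: the added **Configuration change** bullet has no description, while **Configuration drift** directly below it explains its values. Add a short description of what the column shows so the two new entries read consistently.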
To filter the results, click **Filter**. In the **Filters** flyout that appears,
To export the results to a .csv file, click **Export**.
-![Configuration drift analysis and history view in the Configuration analyzer](../../media/configuration-analyzer-configuration-drift-analysis-view.png)
+![Configuration drift analysis and history view in the Configuration analyzer](../../media/configuration-analyzer-configuration-drift-analysis-view.png)
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
ms.prod: m365-security
> [!NOTE] > The feature that's described in this article is in Preview, isn't available to everyone, and is subject to change.
-To keep your organization [secure by default](secure-by-default.md), Exchange Online Protection (EOP) does not allow safe lists or filtering bypass for messages that result in malware or high confidence phishing verdicts. But there are specific scenarios that require the delivery of unfiltered messages. For example:
+To keep your organization [secure by default](secure-by-default.md), Exchange Online Protection (EOP) does not allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. But, there are specific scenarios that require the delivery of unfiltered messages. For example:
- **Third-party phishing simulations**: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. - **Security operations (SecOps) mailboxes**: Dedicated mailboxes that are used by security teams to collect and analyze unfiltered messages (both good and bad).
-You use the _advanced delivery policy_ in Microsoft 365 to prevent these messages _in these specific scenarios_ from being filtered<sup>\*</sup>. The advanced delivery policy ensures that messages in these scenarios are not filtered:
+You use the _advanced delivery policy_ in Microsoft 365 to prevent these messages _in these specific scenarios_ from being filtered.<sup>\*</sup> The advanced delivery policy ensures that messages in these scenarios achieve the following results:
- Filters in EOP and Microsoft Defender for Office 365 take no action on these messages.<sup>\*</sup>-- [Zero-hour Purge (ZAP)](zero-hour-auto-purge.md) for spam and phishing takes no action on these messages.<sup>\*</sup>
+- [Zero-hour Purge (ZAP)](zero-hour-auto-purge.md) for spam and phishing take no action on these messages.<sup>\*</sup>
- [Default system alerts](alerts.md) aren't triggered for these scenarios. - [AIR and clustering in Defender for Office 365](office-365-air.md) ignores these messages. - Specifically for third-party phishing simulations:
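Review bot: the reworded ZAP bullet changes "takes no action" to "take no action", but the subject, Zero-hour Purge (ZAP), is still singular, so the original verb was correct. The new lead-in "ensures that messages in these scenarios achieve the following results" also sits awkwardly above bullets whose subjects are filters, ZAP and alerts rather than messages; a lead-in such as "has the following results" would fit them better.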
Messages that are identified by the advanced delivery policy aren't security thr
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Advanced delivery** page, open <https://protection.office.com/advanceddelivery>.
+- You open the security center at <https://security.microsoft.com>. To go directly to the **Advanced delivery** page, open <https://security.microsoft.com/advanceddelivery>.
- You need to be assigned permissions before you can do the procedures in this article:
- - To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the **Security Administrator** role group in the **Security & Compliance Center** and a member of the **Organization Management** role group in **Exchange Online**.
+ - To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the **Security Administrator** role group in the **security center** and a member of the **Organization Management** role group in **Exchange Online**.
- For read-only access to the advanced delivery policy, you need to be a member of the **Global Reader** or **Security Reader** role groups.
- For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+ For more information, see [Permissions in the Microsoft 365 security center](permissions-microsoft-365-security-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
-## Use the Security & Compliance Center to configure third-party phishing simulations in the advanced delivery policy
+ > [!NOTE]
+ > Adding users to the corresponding Azure Active Directory role gives users the required permissions in the security center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Advanced delivery**.
+## Use the security center to configure SecOps mailboxes in the advanced delivery policy
-2. On the **Advanced delivery** page, select the **Phishing simulation** tab, and then click **Edit**.
+1. In the security center, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Rules** section \> **Advanced delivery**.
-3. On the **Third-party phishing simulation** flyout that opens, configure the following settings:
+2. On the **Advanced delivery** page, verify that the **SecOps mailbox** tab is selected, and then do one of the following steps:
+ - Click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**.
+ - If there are no configured phishing simulations, click **Add**.
- - **Sending domain**: At least one email address domain is required (for example, contoso.com). You can add up to 10 entries.
- - **Sending IP**: At least one valid IPv4 address is required. You can add up to 10 entries. Valid values are:
- - Single IP: For example, 192.168.1.1.
- - IP range: For example, 192.168.0.1-192.168.0.254.
- - CIDR IP: For example, 192.168.0.1/25.
- - **Simulation URLs to allow**: Optionally, enter specific URLs that are part of your phishing simulation campaign that should not be blocked or detonated. You can add up to 10 entries.
+3. On the **Edit SecOps mailboxes** flyout that opens, enter an existing Exchange Online mailbox that you want to designate as SecOps mailbox by doing one of the following steps:
+ - Click in the box, let the list of mailboxes resolve, and then select the mailbox.
+ - Click in the box start typing an identifier for the mailbox (name, display name, alias, email address, account name, etc.), and select the mailbox (display name) from the results.
-4. When you're finished, click **Save.**
+ Repeat this step as many times as necessary. Distribution groups are not allowed.
-The third-party phishing simulation entries that you configured are displayed on the **Phishing simulation** tab. To make changes, click **Edit** on the tab.
+ To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
-## Use the Security & Compliance Center to configure SecOps mailboxes in the advanced delivery policy
+4. When you're finished, click **Save**.
-1. In the Security & Compliance Center, go to **Threat Management** \> **Policy** \> **Advanced delivery**.
+The SecOps mailbox entries that you configured are displayed on the **SecOps mailbox** tab. To make changes, click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit** on the tab.
-2. On the **Advanced delivery** page, select the **SecOps mailbox** tab, and then click **Edit**.
+## Use the security center to configure third-party phishing simulations in the advanced delivery policy
-3. On the **SecOps mailbox** flyout that opens, enter the email addresses of existing Exchange Online mailboxes that you want to designate as SecOps mailboxes. Distribution groups are not allowed.
+1. In the security center, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Rules** section \> **Advanced delivery**.
-4. When you're finished, click **Save**.
+2. On the **Advanced delivery** page, select the **Phishing simulation** tab, and then do one of the following steps:
+ - Click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**.
+ - If there are no configured phishing simulations, click **Add**.
+
+3. On the **Edit third-party phishing simulation** flyout that opens, configure the following settings:
+
+ - **Sending domain**: Expand this setting and enter at least one email address domain (for example, contoso.com) by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries.
+ - **Sending IP**: Expand this setting and enter at least one valid IPv4 address is required by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are:
+ - Single IP: For example, 192.168.1.1.
+ - IP range: For example, 192.168.0.1-192.168.0.254.
+ - CIDR IP: For example, 192.168.0.1/25.
+ - **Simulation URLs to allow**: Expand this setting and optionally enter specific URLs that are part of your phishing simulation campaign that should not be blocked or detonated by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. You can add up to 10 entries.
+
+ To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+4. When you're finished, do one of the following steps:
+ - **First time**: Click **Add**, and then click **Close**.
+ - **Edit existing**: Click **Save** and then click **Close**.
-The SecOps mailbox entries that you configured are displayed on the **SecOps mailbox** tab. To make changes, click **Edit** on the tab.
+The third-party phishing simulation entries that you configured are displayed on the **Phishing simulation** tab. To make changes, click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit** on the tab.
## Additional scenarios that require filtering bypass
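Review bot: step 2 of the new SecOps mailbox procedure says "If there are no configured phishing simulations, click **Add**", which looks copied from the phishing simulation procedure; on the **SecOps mailbox** tab the condition should refer to configured SecOps mailboxes. Step 4 of the same procedure offers only **Save**, although step 2 allows a first-time **Add** path that the phishing simulation procedure closes with **Add** and then **Close**. Two wording slips in the added lines: "Click in the box start typing an identifier" is missing a comma or "and", and the **Sending IP** text "enter at least one valid IPv4 address is required by clicking in the box" keeps a leftover "is required" from the old sentence.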
In addition to the two scenarios that the advanced delivery policy can help you
- **Third-party filters**: If your domain's MX record *doesn't* point to Office 365 (messages are routed somewhere else first), [secure by default](secure-by-default.md) *is not available*.
- To bypass Microsoft filtering for messages that have already been evaluated by third-party filtering, use mail flow rules (also known as transport rules), see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl.md).
+ To bypass Microsoft filtering for messages that have already been evaluated by third-party filtering, use mail flow rules (also known as transport rules). For more information, see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl.md).
-- **False positives under review**: You might want to temporarily allow certain messages that are still being analyzed by Microsoft via [admin submissions](admin-submission.md) to report known good messages that are incorrectly being marked as bad to Microsoft (false positives). As with all overrides, it is ***highly recommended*** that these allowances be made temporarily.
+- **False positives under review**: You might want to temporarily allow certain messages that are still being analyzed by Microsoft via [admin submissions](admin-submission.md) to report known good messages that are incorrectly being marked as bad to Microsoft (false positives). As with all overrides, we ***highly recommended*** that these allowances are temporary.
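Review bot: in the **False positives under review** bullet, "we ***highly recommended*** that these allowances are temporary" should read "we ***highly recommend***"; the participle was left over from the passive sentence it replaces. In the **Third-party filters** bullet the link target `/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl.md` keeps a `.md` suffix on a site-relative path, unlike `/exchange/permissions-exo/permissions-exo` elsewhere in this file, so it is worth checking that it resolves.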
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
You can configure anti-malware policies in the Microsoft 365 security center or
Creating a custom anti-malware policy in the security center creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware**, and then click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-Malware**.
-2. The policy wizard opens. On the **Name your policy page**, configure these settings:
+2. On the **Anti-malware** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
+
+3. The policy wizard opens. On the **Name your policy** page, configure these settings:
- **Name**: Enter a unique, descriptive name for the policy. - **Description**: Enter an optional description for the policy. When you're finished, click **Next**.
-3. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+4. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
- **Users**: The specified mailboxes, mail users, or mail contacts in your organization. - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
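Review bot: the new step 1 ends the navigation path with **Anti-Malware**, while the new step 2 and the other procedures changed in this file use **Anti-malware**. Use one casing so the label matches the page name. The path also writes **Email & Collaboration** \> **Policies & Rules**, where the advanced delivery and configuration analyzer changes in the same update write **Email & collaboration** \> **Policies & rules**.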
Creating a custom anti-malware policy in the security center creates the malware
When you're finished, click **Next**.
-4. On the **Protection settings** page that appears, configure the following settings:
+5. On the **Protection settings** page that appears, configure the following settings:
- **Enable the common attachments filter**: If you select this option, messages with the specified attachments are treated as malware and are automatically quarantined. You can modify the default list by selecting **Customize file types**.
Creating a custom anti-malware policy in the security center creates the malware
When you're finished, click **Next**.
-5. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section.
+6. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
When you're finished, click **Submit**.
-6. On the confirmation page that appears, click **Done**.
+7. On the confirmation page that appears, click **Done**.
## Use the security center to view anti-malware policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, the following properties are displayed in the list of anti-malware policies:
Creating a custom anti-malware policy in the security center creates the malware
## Use the security center to modify anti-malware policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, select a policy from the list by clicking on the name.
Creating a custom anti-malware policy in the security center creates the malware
To enable or disable a policy or set the policy priority order, see the following sections.
-### Enable or disable anti-malware policies
+### Enable or disable custom anti-malware policies
You can't disable the default anti-malware policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the security center, you can only change the priority of the anti-malware policy after you create it. In PowerShell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules). - Anti-malware policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-malware policy has the priority value **Lowest**, and you can't change it.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
4. When you're finished, click **Close** in the policy details flyout.
-## Use the security center to remove anti-malware policies
+## Use the security center to remove custom anti-malware policies
-When you use the security center to remove an anti-malware policy, the malware filter rule and the corresponding malware filter policy are both deleted. You can't remove the default policy.
+When you use the security center to remove a custom anti-malware policy, the malware filter rule and the corresponding malware filter policy are both deleted. You can't remove the default anti-malware policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-malware**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**.
2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
Admins can view, edit, and configure (but not delete) the default anti-phishing policy. For greater granularity, you can also create custom anti-phishing policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
-Organizations with Exchange Online mailboxes can configure anti-phishing policies in the Security & Compliance Center or in Exchange Online PowerShell. Standalone EOP organizations can only use the Security & Compliance Center.
+Organizations with Exchange Online mailboxes can configure anti-phishing policies in the Microsoft 365 security center or in Exchange Online PowerShell. Standalone EOP organizations can only use the security center.
-For information about creating and modifying the more advanced anti-phishing policies in Microsoft Defender for Office 365 that are available in Defender for Office 365, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+For information about creating and modifying the more advanced anti-phishing policies that are available in Microsoft Defender for Office 365, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
The basic elements of an anti-phishing policy are: - **The anti-phish policy**: Specifies the phishing protections to enable or disable, and the actions to apply options. - **The anti-phish rule**: Specifies the priority and recipient filters (who the policy applies to) for an anti-phish policy.
-The difference between these two elements isn't obvious when you manage anti-phishing policies in the Security & Compliance Center:
+The difference between these two elements isn't obvious when you manage anti-phishing policies in the security center:
- When you create an anti-phishing policy, you're actually creating an anti-phish rule and the associated anti-phish policy at the same time using the same name for both. - When you modify an anti-phishing policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the anti-phish rule. All other settings modify the associated anti-phish policy.
To increase the effectiveness of anti-phishing protection, you can create custom
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Anti-phishing** page, use <https://protection.office.com/antiphishing>.
+- You open the security center at <https://security.microsoft.com/>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
To increase the effectiveness of anti-phishing protection, you can create custom
- You need to be assigned permissions in **Exchange Online** before you can do the procedures in this article: - To add, modify, and delete anti-phishing policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
- - For read-only access to anti-phishing policies, you need to be a member of the **Global Reader** or **Security Reader** role groups<sup>\*</sup>.
+ - For read-only access to anti-phishing policies, you need to be a member of the **Global Reader** or **Security Reader** role groups.
For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
To increase the effectiveness of anti-phishing protection, you can create custom
- Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md). - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature<sup>\*</sup>.
- - <sup>\*</sup> In the Security & Compliance Center, read-only access allows users to view the settings of custom anti-phishing policies. Read-only users can't see the settings in the default anti-phishing policy.
-- To create and modify anti-phishing policies in standalone EOP, you need to do something that requires _hydration_ for your tenant. For example, in the Exchange admin center (EAC), you can go to the **Permissions** tab, select an existing role group, click **Edit** ![Edit icon](../../medilet (which isn't available in standalone EOP PowerShell or in the Security & Compliance Center).--- For our recommended settings for anti-phishing policies, see [EOP default anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-default-anti-phishing-policy-settings).
+- For our recommended settings for anti-phishing policies, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).
- Allow up to 30 minutes for the updated policy to be applied. - For information about where anti-phishing policies are applied in the filtering pipeline, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
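Review bot: the footnote is deleted and its marker is dropped from the **Global Reader** / **Security Reader** bullet, but the unchanged **View-Only Organization Management** bullet still ends with `<sup>\*</sup>`, which now points at nothing. Remove the marker from that bullet in the same change. The deleted footnote also carried the statement that read-only users can't see the settings in the default anti-phishing policy. If that limitation still holds in the security center, keep it as a regular sentence. Please also confirm that the retargeted anchor `#eop-anti-phishing-policy-settings` resolves, since the heading it depends on is renamed outside this diff.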
-## Use the Security & Compliance Center to create anti-phishing policies
-
-Creating a custom anti-phishing policy in the Security & Compliance Center creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
-
-When you create an anti-phishing policy, you can only specify the policy name, description, and the recipient filter that identifies who the policy applies to. After you create the policy, you can modify the policy to change or review the default anti-phishing settings.
+## Use the security center to create anti-phishing policies
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+Creating a custom anti-phishing policy in the security center creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
-2. On the **Anti-phishing** page, click **Create**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-3. The **Create a new anti-phishing policy** wizard opens. On the **Name your policy** page, configure the following settings:
+2. On the **Anti-phishing** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
+3. The policy wizard opens. On the **Policy name** page, configure these settings:
- **Name**: Enter a unique, descriptive name for the policy.- - **Description**: Enter an optional description for the policy. When you're finished, click **Next**.
-4. On the **Applied to** page that appears, identify the internal recipients that the policy applies to.
-
- You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
-
- Click **Add a condition**. In the dropdown that appears, select a condition under **Applied if**:
+4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+ - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
+ - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- - **The recipient is**: Specifies one or more mailboxes, mail users, or mail contacts in your organization.
- - **The recipient is a member of**: Specifies one or more groups in your organization.
- - **The recipient domain is**: Specifies recipients in one or more of the configured accepted domains in your organization.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- After you select the condition, a corresponding dropdown appears with an **Any of these** box.
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
- - Click in the box and scroll through the list of values to select.
- - Click in the box and start typing to filter the list and select a value.
- - To add additional values, click in an empty area in the box.
- - To remove individual entries, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the value.
- - To remove the whole condition, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the condition.
+ Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
- To add an additional condition, click **Add a condition** and select a remaining value under **Applied if**.
-
- To add exceptions, click **Add a condition** and select an exception under **Except if**. The settings and behavior are exactly like the conditions.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
When you're finished, click **Next**.
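Review bot: typo in the added **Exclude these users, groups, and domains** bullet: "recpient exceptions" should be "recipient exceptions". The rewritten step also drops the old sentence that a condition or exception can be used only once. If that limit still applies on the **Users, groups, and domains** page, keep it next to the OR/AND explanation.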
-5. On the **Review your settings** page that appears, review your settings. You can click **Edit** on each setting to modify it.
-
- When you're finished, click **Create this policy**.
-
-6. Click **OK** in the confirmation dialog that appears.
-
-After you create the anti-phishing policy with these general policy settings, use the instructions in the next section to configure the protection settings in the policy.
-
-## Use the Security & Compliance Center to modify anti-phishing policies
-
-Use the following procedures to modify anti-phishing policies: a new policy that you created, or existing policies that you've already customized.
-
-1. If you're not already there, open the Security & Compliance Center, and go to **Threat management** \> **Policy** \> **Anti-phishing**.
-
-2. Select the custom anti-phishing policy that you want to modify. If it's already selected, deselect it and select it again.
-
-3. The **Edit your policy \<name\>** flyout appears. Clicking **Edit** in any section gives you access to the settings in that section.
-
- - The following steps are presented in the order that the sections appear, but they aren't sequential (you can select and modify the sections in any order).
-
- - After you click **Edit** in a section, the available settings are presented in a wizard format, but you can jump within the pages in any order, and you can click **Save** on any page (or **Cancel** or **Close** ![Close icon](../../media/scc-remove-icon.png) to return to the **Edit your policy \<name\>** page (you aren't required to visit the last page of the wizard to save or leave).
-
-4. **Policy setting**: Click **Edit** to modify the same settings that were available when you [created the policy](#use-the-security--compliance-center-to-create-anti-phishing-policies) in the previous section:
-
- - **Name**
- - **Description**
- - **Applied to**
- - **Review your settings**
-
- When you're finished, click **Save** on any page.
-
-5. **Spoof**: Click **Edit** to turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and configure the action to apply to messages from blocked spoofed senders. For more information about these settings, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
+5. On the **Phishing threshold & protection** page that appears, use the **Enable spoof intelligence** check box to turn spoof intelligence on or off. The default value is on (selected), and we recommend that you leave it on. You configure the action to take on blocked spoofed messages on the next page.
- Note that these same settings are also available in anti-phishing policies in Defender for Office 365.
+ To turn off spoof intelligence, clear the check box.
- - **Spoofing filter settings**: Use the **Enable spoof intelligence?** setting to turn spoof intelligence on or off. The default value is **On**, and we recommend that you leave it on. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
+ > [!NOTE]
+ > You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
- > [!NOTE]
- > You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
-
- - **Unauthenticated sender settings**: You can configure the following settings:
- - **Enable unauthenticated sender question mark (?) symbol?**: This settings adds question mark to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication). The default value is **On**. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
- - **Enable "via" tag?**: This setting adds a via tag (chris@contoso.com via fabrikam.com) is different from the domain in the DKIM signature or the **MAIL FROM** address. The default value is **On**. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
-
- - **Actions**: Specify the action to take on messages from blocked spoofed senders:
-
- **If email is sent by someone who's not allowed to spoof your domain**:
+ When you're finished, click **Next**.
+6. On the **Actions** page that appears, configure the following settings:
+ - **If message is detected as spoof**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Select one of the following actions in the drop down list for messages from blocked spoofed senders:
- **Move message to the recipients' Junk Email folders** - **Quarantine the message**
- - **Review your settings**: Instead of clicking on each individual step, the settings are displayed in a summary.
-
- - You can click **Edit** in each section to jump back to the relevant page.
- - You can toggle the following settings **On** or **Off** directly on this page:
- - **Spoof filter settings**
- - **Unauthenticated sender settings**
- - **Actions**
+ - **Safety tips & indicators**: This setting is available only if you selected **Enable spoof intelligence** on the previous page:
+ - **Show (?) for unauthenticated senders for spoof**: Adds a question mark to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication).
+ - **Show "via" tag**: Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address.
- When you're finished, click **Save** on any page.
+ > [!NOTE]
+ > Currently, the **Show "via" tag** setting is not available in all organizations. If you don't have the **Show "via" tag** setting, the the question mark **and** the via tag are both controlled by the **Show (?) for unauthenticated senders for spoof** setting in your organization.
-6. Back on the **Edit your policy \<Name\>** page, review your settings and then click **Close**.
+ To turn on a setting, select the check box. To turn it off, clear the check box.
-### Use the Security & Compliance Center to modify the default anti-phishing policy
+ When you're finished, click **Next**.
-The default anti-phishing policy is named Office365 AntiPhish Default, and it doesn't appear in the list of policies. To modify the default anti-phishing policy, do the following steps:
+7. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+ When you're finished, click **Submit**.
-2. On the **Anti-phishing** page, click **Default policy**.
+8. On the confirmation page that appears, click **Done**.
-3. The **Edit your policy Office365 AntiPhish Default** page appears. Only the **Spoof** section is available, which contains identical settings for when you [modify a custom policy](#use-the-security--compliance-center-to-modify-anti-phishing-policies).
+## Use the security center to view anti-phishing policies
- The following settings aren't available when you modify the default policy:
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
- - You can see the **Policy setting** section and values, but there's no **Edit** link, so you can't modify the settings (policy name, description, and who the policy applies to (it applies to all recipients)).
- - You can't delete the default policy.
- - You can't change the priority of the default policy (it's always applied last).
+2. On the **Anti-phishing** page, the following properties are displayed in the list of anti-phishing policies:
-4. On the **Edit your policy Office365 AntiPhish Default** page, review your settings and then click **Close**.
+ - **Name**
+ - **Status**
+ - **Priority**
+ - **Last modified**
-### Enable or disable custom anti-phishing policies
+3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+## Use the security center to modify anti-phishing policies
-2. Notice the value in the **Status** column:
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
- - Slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png) to disable the policy.
+2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.
- - Slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png) to enable the policy.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the security center to create anti-phishing policies](#use-the-security-center-to-create-anti-phishing-policies) section earlier in this article.
-You can't disable the default anti-phishing policy.
+ For the default anti-phishing policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.
-### Set the priority of custom anti-phishing policies
+To enable or disable a policy or set the policy priority order, see the following sections.
-By default, anti-phishing policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-
-For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+### Enable or disable custom anti-phishing policies
-Custom anti-phishing policies are displayed in the order they're processed (the first policy has the **Priority** value 0). The default anti-phishing policy named Office365 AntiPhish Default has the custom priority value **Lowest**, and you can't change it.
+You can't disable the default anti-phishing policy.
- **Note**: In the Security & Compliance Center, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules).
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Security & Compliance Center). Changing the priority of a policy only makes sense if you have multiple policies.
+2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+3. At the top of the policy details flyout that appears, you'll see one of the following values:
+ - **Policy off**: To turn on the policy, click ![Turn on icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** .
+ - **Policy on**: To turn off the policy, click ![Turn off icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
-2. Select the policy that you want to modify. If it's already selected, deselect it and select it again.
+4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
-3. The **Edit your policy \<name\>** flyout appears.
+5. Click **Close** in the policy details flyout.
- - The custom anti-phishing policy with the **Priority** value **0** has only the **Decrease priority** button available.
+Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
- - The custom anti-phishing policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** button available.
+### Set the priority of custom anti-phishing policies
- - If you have three or more custom anti-phishing policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** buttons available.
+By default, anti-phishing policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-4. Click **Increase priority** or **Decrease priority** to change the **Priority** value.
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
-5. When you're finished, click **Close**.
+ **Notes**:
-## Use the Security & Compliance Center to view anti-phishing policies
+- In the security center, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules).
+- Anti-phishing policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-phishing policy has the priority value **Lowest**, and you can't change it.
-1. In the Security & Compliance Center, and go to **Threat management** \> **Policy** \> **Anti-phishing**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-2. Do one of the following steps:
+2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
- - Select a custom anti-phishing policy that you want to view. If it's already selected, deselect it and select it again.
+3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
+ - The anti-phishing policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The anti-phishing policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more anti-phishing policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
- - Click **Default policy** to view the default anti-phishing policy.
+ Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
-3. The **Edit your policy \<name\>** flyout appears, where you can view the settings and values.
+4. When you're finished, click **Close** in the policy details flyout.
-## Use the Security & Compliance Center to remove anti-phishing policies
+## Use the security center to remove custom anti-phishing policies
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+When you use the security center to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
-2. Select the policy that you want to remove. If it's already selected, deselect it and select it again.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-3. In the **Edit your policy \<name\>** flyout that appears, click **Delete policy**, and then click **Yes** in the warning dialog that appears.
+2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
-You can't remove the default policy.
+3. In the confirmation dialog that appears, click **Yes**.
## Use Exchange Online PowerShell to configure anti-phishing policies
Creating an anti-phishing policy in PowerShell is a two-step process:
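Review bot: the added **Show (?) for unauthenticated senders for spoof** and **Show "via" tag** bullets under **Safety tips & indicators** do not state a default, although the removed bullets they replace each said "The default value is **On**" and step 5 still gives the default for **Enable spoof intelligence**. State the default for both check boxes. Two typos in the added text: the NOTE reads "the the question mark", and the **Policy off** bullet ends with `**Turn on** .` (space before the period). The new bullets in the priority procedure also drop "custom" from "custom anti-phishing policy". Because the added notes say the default policy's priority is fixed at **Lowest**, "If you have three or more anti-phishing policies" should say custom policies, otherwise the count reads as including the default.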
- You can create a new anti-phish rule and assign an existing, unassociated anti-phish policy to it. An anti-phish rule can't be associated with more than one anti-phish policy. -- You can configure the following settings on new anti-phish policies in PowerShell that aren't available in the Security & Compliance Center until after you create the policy:
+- You can configure the following settings on new anti-phish policies in PowerShell that aren't available in the security center until after you create the policy:
- Create the new policy as disabled (_Enabled_ `$false` on the **New-AntiPhishRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-AntiPhishRule** cmdlet). -- A new anti-phish policy that you create in PowerShell isn't visible in the Security & Compliance Center until you assign the policy to an anti-phish rule.
+- A new anti-phish policy that you create in PowerShell isn't visible in the security center until you assign the policy to an anti-phish rule.
#### Step 1: Use PowerShell to create an anti-phish policy
For detailed syntax and parameter information, see [Get-AntiPhishRule](/powershe
Other than the following items, the same settings are available when you modify an anti-phish policy in PowerShell as when you create a policy as described in [Step 1: Use PowerShell to create an anti-phish policy](#step-1-use-powershell-to-create-an-anti-phish-policy) earlier in this article. - The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, always **Lowest** priority, and you can't delete it) is only available when you modify an anti-phish policy in PowerShell.--- You can't rename an anti-phish policy (the **Set-AntiPhishPolicy** cmdlet has no _Name_ parameter). When you rename an anti-phishing policy in the Security & Compliance Center, you're only renaming the anti-phish _rule_.
+- You can't rename an anti-phish policy (the **Set-AntiPhishPolicy** cmdlet has no _Name_ parameter). When you rename an anti-phishing policy in the security center, you're only renaming the anti-phish _rule_.
To modify an anti-phish policy, use this syntax:
Set-AntiPhishRule -Identity "Marketing Department" -Priority 2
**Notes**: - To set the priority of a new rule when you create it, use the _Priority_ parameter on the **New-AntiPhishRule** cmdlet instead.- - The default anti-phish policy doesn't have a corresponding anti-phish rule, and it always has the unmodifiable priority value **Lowest**. ### Use PowerShell to remove anti-phish policies
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
## How do you know these procedures worked?
-To verify that you've successfully configured anti-phishing policies in Microsoft Defender for Office 365, do any of the following steps:
+To verify that you've successfully configured anti-phishing policies in EOP, do any of the following steps:
-- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details do either of the following steps:-
- - Select the policy from the list, and view the details in the flyout.
- - Click **Default policy** and view the details in the flyout.
+- In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
To verify that you've successfully configured anti-phishing policies in Microsof
```PowerShell Get-AntiPhishRule -Identity "<Name>"
- ```
+ ```
security Configure Global Settings For Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-global-settings-for-safe-links.md
But, Safe Links also uses the following global settings that you configure outsi
- The **Block the following URLs** list. This setting applies to all users who are included in any active Safe Links policies. For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links) - Safe Links protection for Office 365 apps. These settings apply to all users in the organization who are licensed for Defender for Office 365, regardless of whether the users are included in active Safe Links policies or not. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).
-You can configure the global Safe Links settings in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).
+You can configure the global Safe Links settings in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).
## What do you need to know before you begin? - There is no built-in or default Safe Links policy, so you need to create at least one Safe Links policy in order for the **Block the following URLs** list to be active. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md). -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Safe Links** page, use <https://protection.office.com/safelinksv2>.
+- You open the security center at <https://security.microsoft.com/>. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
You can configure the global Safe Links settings in the Security & Compliance Ce
- [New features are continually being added to Microsoft Defender for Office 365](defender-for-office-365.md#new-features-in-microsoft-defender-for-office-365). As new features are added, you may need to make adjustments to your existing Safe Links policies.
-## Configure the "Block the following URLs" list in the Security & Compliance Center
+## Configure the "Block the following URLs" list in the security center
The **Block the following URLs** list identifies the links that should always be blocked by Safe Links scanning in supported apps. For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links).
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**, and then click **Global settings**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
-2. In the **Safe Links policy for your organization** fly out that appears, go to the **Block the following URLs** box.
+2. On the **Safe Links** page, click **Global settings**. In the **Safe Links policy for your organization** fly out that appears, go to the **Block the following URLs** box.
3. Configure one or more entries as described in [Entry syntax for the "Block the following URLs" list](safe-links.md#entry-syntax-for-the-block-the-following-urls-list).
You can use the **Get-AtpPolicyForO365** cmdlet to view existing entries in the
Set-AtpPolicyForO365 -BlockUrls @{Add="adatum.com"; Remove="fabrikam"} ```
-## Configure Safe Links protection for Office 365 apps in the Security & Compliance Center
+## Configure Safe Links protection for Office 365 apps in the security center
Safe Links protection for Office 365 apps applies to documents in supported Office desktop, mobile, and web apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**, and then click **Global settings**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
-2. In the **Safe Links policy for your organization** fly out that appears, configure the following settings in the **Settings that apply to content except email** section:
+2. On the **Safe Links** page, click **Global settings**. In the **Safe Links policy for your organization** fly out that appears, configure the following settings in the **Settings that apply to content in supported Office 365 apps** section:
- - **Office 365 applications**: Verify the toggle is to the right to enable Safe Links for supported Office 365 apps: ![Toggle on](../../media/scc-toggle-on.png).
+ - **Use Safe Links in Office 365 apps**: Verify the toggle is to the right to enable Safe Links for supported Office 365 apps: ![Toggle on](../../media/scc-toggle-on.png).
- - **Do not track when users click Safe Links**: Move the toggle to the left to track user clicks related to blocked URLs in supported Office 365 apps: ![Toggle off](../../media/scc-toggle-off.png).
+ - **Do not track when users click protected links in Office 365 apps**: Move the toggle to the left to track user clicks related to blocked URLs in supported Office 365 apps: ![Toggle off](../../media/scc-toggle-off.png).
- - **Do not let users click through Safe Links to the original URL**: Verify the toggle is to the right to prevent users from clicking through to the original blocked URL in supported Office 365 apps: ![Toggle on](../../media/scc-toggle-on.png).
+ - **Do not let users click through to the original URL in Office 365 apps**: Verify the toggle is to the right to prevent users from clicking through to the original blocked URL in supported Office 365 apps: ![Toggle on](../../media/scc-toggle-on.png).
When you're finished, click **Save**.
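Review bot: the renamed "Do not track when users click protected links in Office 365 apps" bullet still makes the reader invert a negative label to work out the result ("Move the toggle to the left to track user clicks"). Since click tracking is what feeds later investigation of blocked URLs, state the resulting state in plain words for each of the three toggles, for example "leave this off so that clicks are tracked". The bullets also mix "Verify the toggle is to the right" with "Move the toggle to the left"; use one verb form for all three.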
For detailed syntax and parameter information, see [Set-AtpPolicyForO365](/power
To verify that you've successfully configured the global settings for Safe Links (the **Block the following URLs** list and the Office 365 app protection settings), do any of the following steps: -- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**, click **Global settings**, and verify the settings in the fly out that appears.
+- In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links** \> click **Global settings**, and verify the settings in the fly out that appears.
- In Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command and verify the settings:
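Review bot: the new verification bullet puts an action inside the navigation path ("**Safe Links** \> click **Global settings**"). The procedures above write this as a path ending at **Safe Links** followed by a separate "click **Global settings**" sentence; do the same here so the path contains only page names. "fly out" should also match the "flyout" spelling used in the anti-phishing article.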
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
Anti-phishing policies in [Microsoft Defender for Office 365](defender-for-offic
Admins can view, edit, and configure (but not delete) the default anti-phishing policy. For greater granularity, you can also create custom anti-phishing policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
-You can configure anti-phishing policies in the Security & Compliance Center or in Exchange Online PowerShell.
+You can configure anti-phishing policies in Defender for Office 365 in the Microsoft 365 security center or in Exchange Online PowerShell.
-For information about configuring the more limited in anti-phishing policies that are available in Exchange Online Protection organizations (that is, organizations without Microsoft Defender for Office 365), see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
+For information about configuring the more limited in anti-phishing policies that are available in Exchange Online Protection (that is, organizations without Defender for Office 365), see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
The basic elements of an anti-phishing policy are: - **The anti-phish policy**: Specifies the phishing protections to enable or disable, and the actions to apply options. - **The anti-phish rule**: Specifies the priority and recipient filters (who the policy applies to) for an anti-phish policy.
-The difference between these two elements isn't obvious when you manage anti-phishing policies in the Security & Compliance Center:
+The difference between these two elements isn't obvious when you manage anti-phishing policies in the security center:
- When you create a policy, you're actually creating an anti-phish rule and the associated anti-phish policy at the same time using the same name for both. - When you modify a policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the anti-phish rule. All other settings modify the associated anti-phish policy. - When you remove a policy, the anti-phish rule and the associated anti-phish policy are removed.
-In Exchange Online PowerShell, you manage the policy and the rule separately. For more information, see the [Use Exchange Online PowerShell to configure anti-phishing policies in Microsoft Defender for Office 365](#use-exchange-online-powershell-to-configure-anti-phishing-policies-in-microsoft-defender-for-office-365) section later in this article.
+In Exchange Online PowerShell, you manage the policy and the rule separately. For more information, see the [Use Exchange Online PowerShell to configure anti-phishing policies](#use-exchange-online-powershell-to-configure-anti-phishing-policies) section later in this article.
-Every Microsoft Defender for Office 365 organization has a built-in anti-phishing policy named Office365 AntiPhish Default that has these properties:
+Every Defender for Office 365 organization has a built-in anti-phishing policy named Office365 AntiPhish Default that has these properties:
- The policy is applied to all recipients in the organization, even though there's no anti-phish rule (recipient filters) associated with the policy. - The policy has the custom priority value **Lowest** that you can't modify (the policy is always applied last). Any custom policies that you create always have a higher priority. - The policy is the default policy (the **IsDefault** property has the value `True`), and you can't delete the default policy.
-To increase the effectiveness of anti-phishing protection in Microsoft Defender for Office 365, you can create custom anti-phishing policies with stricter settings that are applied to specific users or groups of users.
+To increase the effectiveness of anti-phishing protection in Defender for Office 365, you can create custom anti-phishing policies with stricter settings that are applied to specific users or groups of users.
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Anti-phishing** page, use <https://protection.office.com/antiphishing>.
+- You open the security center at <https://security.microsoft.com/>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
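Review bot: in the rewritten EOP sentence, removing "organizations" after "Exchange Online Protection" leaves the parenthetical "(that is, organizations without Defender for Office 365)" with nothing to refer to, and the existing slip "the more limited in anti-phishing policies" was carried over unchanged. Suggest "the more limited anti-phishing policies that are available in Exchange Online Protection organizations (that is, organizations without Defender for Office 365)". The sentence above it now reads "in Defender for Office 365 in the Microsoft 365 security center", which stacks two "in" phrases and could be shortened.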
To increase the effectiveness of anti-phishing protection in Microsoft Defender
**Notes**: - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
- - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature<sup>\*</sup>.
- - <sup>\*</sup> In the Security & Compliance Center, read-only access allows users to view the settings of custom anti-phishing policies. Read-only users can't see the settings in the default anti-phishing policy.
+ - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
-- For our recommended settings for anti-phishing policies in Microsoft Defender for Office 365, see [Anti-phishing policy in Defender for Office 365 settings](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365).
+- For our recommended settings for anti-phishing policies in Defender for Office 365, see [Anti-phishing policy in Defender for Office 365 settings](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365).
- Allow up to 30 minutes for a new or updated policy to be applied. - For information about where anti-phishing policies are applied in the filtering pipeline, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-## Use the Security & Compliance Center to create anti-phishing policies in Microsoft Defender for Office 365
+## Use the security center to create anti-phishing policies
-Creating a custom anti-phishing policy in the Security & Compliance Center creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
+Creating a custom anti-phishing policy in the security center creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
-When you create an anti-phishing policy, you can only specify the policy name, description, and the recipient filter that identifies who the policy applies to. After you create the policy, you can modify the policy to change or review the default anti-phishing settings.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
-
-2. On the **Anti-phishing** page, click **Create**.
-
-3. The **Create a new anti-phishing policy** wizard opens. On the **Name your policy** page, configure the following settings:
+2. On the **Anti-phishing** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
+3. The policy wizard opens. On the **Policy name** page, configure these settings:
- **Name**: Enter a unique, descriptive name for the policy.- - **Description**: Enter an optional description for the policy. When you're finished, click **Next**.
-4. On the **Applied to** page that appears, identify the internal recipients that the policy applies to.
+4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+ - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
+ - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- Click **Add a condition**. In the dropdown that appears, select a condition under **Applied if**:
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
- - **The recipient is**: Specifies one or more mailboxes, mail users, or mail contacts in your organization.
- - **The recipient is a member of**: Specifies one or more groups in your organization.
- - **The recipient domain is**: Specifies recipients in one or more of the configured accepted domains in the organization.
+ Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
- After you select the condition, a corresponding dropdown appears with an **Any of these** box.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
- - Click in the box and scroll through the list of values to select.
- - Click in the box and start typing to filter the list and select a value.
- - To add additional values, click in an empty area in the box.
- - To remove individual entries, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the value.
- - To remove the whole condition, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the condition.
+ When you're finished, click **Next**.
- To add an additional condition, click **Add a condition** and select a remaining value under **Applied if**.
+5. On the **Phishing threshold & protection** page that appears, configure the following settings:
- To add exceptions, click **Add a condition** and select an exception under **Except if**. The settings and behavior are exactly like the conditions.
+ - **Phishing email threshold**: Use the slider to select one of the following values:
+ - **1 - Standard** (This is the default value.)
+ - **2 - Aggressive**
+ - **3 - More aggressive**
+ - **4 - Most aggressive**
- When you're finished, click **Next**.
+ For more information, see [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+
+ - **Impersonation**: These settings are a condition for the policy that identifies specific senders to look for (individually or by domain) in the From address of inbound messages. For more information, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+
+ > [!NOTE]
+ >
+ > - In each anti-phishing policy, you can specify a maximum of 60 protected users (sender email addresses). You can't specify the same protected user in multiple policies.
+ >
+ > - User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt.
-5. On the **Review your settings** page that appears, review your settings. You can click **Edit** on each setting to modify it.
+ - **Enable users to protect**: The default value is off (not selected). To turn it on, select the check box, and then click the **Manage (nn) sender(s)** link that appears.
- When you're finished, click **Create this policy**.
+ In the **Manage senders for impersonation protection** flyout that appears, do the following steps:
-6. Click **OK** in the confirmation dialog that appears.
+ - **Internal senders**: Click ![Add internal icon](../../media/m365-cc-sc-add-internal-icon.png) **Select internal**. In the **Add internal senders** flyout that appears, click in the box and select an internal user from the list. You can filter the list by typing the user, and then selecting the user from the results. You can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results.
-After you create the anti-phishing policy with these general settings, use the instructions in the next section to configure the protection settings in the policy.
+ Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
-## Use the Security & Compliance Center to modify anti-phishing policies in Microsoft Defender for Office 365
+ When you're finished, click **Add**
-Use the following procedures to modify anti-phishing policies: a new policy that you created, or existing policies that you've already customized.
+ - **External senders**: Click ![Add external icon](../../media/m365-cc-sc-create-icon.png) **Select external**. In the **Add external senders** flyout that appears, enter a display name in the **Add a name** box and an email address in the **Add a vaild email** box, and then click **Add**.
-1. If you're not already there, open the Security & Compliance Center, and go to **Threat management** \> **Policy** \> **Anti-phishing**.
+ Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
-2. Select the custom anti-phishing policy that you want to modify. If it's already selected, deselect it and select it again.
+ When you're finished, click **Add**
-3. The **Edit your policy \<name\>** flyout appears. Clicking **Edit** in any section gives you access to the settings in that section.
+ Back on the **Manage senders for impersonation** flyout, you can remove entries by selecting one or more entries from the list. You can search for entries using the ![Search icon](../../media/m365-cc-sc-create-icon.png) **Search** box.
- - The following steps are presented in the order that the sections appear, but they aren't sequential (you can select and modify the sections in any order).
+ After you select at least one entry, the ![Remove selected users icon](../../media/m365-cc-sc-remove-selected-users-icon.png) **Remove selected users** icon appears, which you can use to remove the selected entries.
- - After you click **Edit** in a section, the available settings are presented in a wizard format, but you can jump within the pages in any order, and you can click **Save** on any page (or **Cancel** or **Close** ![Close icon](../../media/scc-remove-icon.png) to return to the **Edit your policy \<name\>** page (you aren't required to visit the last page of the wizard to save or leave).
+ When you're finished, click **Done**.
-4. **Policy setting**: Click **Edit** to modify the same settings that were available when you [created the policy](#use-the-security--compliance-center-to-create-anti-phishing-policies-in-microsoft-defender-for-office-365) in the previous section:
+ - **Enable domains to protect**: The default value is off (not selected). To turn it on, select the check box, and then configure one or both of the following settings that appear:
+ - **Include the domains I own**: To turn this setting on, select the check box. To view the domains that you own, click **View my domains**.
+ - **Include custom domains**: To turn this setting on, select the check box, and then click the **Manage (nn) custom domain(s)** link that appears. In the **Manage custom domains for impersonation protection** flyout that appears, click ![Add domains icon](../../media/m365-cc-sc-create-icon.png) **Add domains**.
- - **Name**
- - **Description**
- - **Applied to**
- - **Review your settings**
+ In the **Add custom domains** flyout that appears, click in the **Domain** box, enter a value, and then press Enter or select the value that's displayed below the box. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- When you're finished, click **Save** on any page.
+ When you're finished, click **Add domains**
-5. **Impersonation**: Click **Edit** to modify the protected senders and protected sender domains in the policy. These settings are a condition for the policy that identifies specific senders to look for (individually or by domain) in the From address of inbound messages. For more information, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+ > [!NOTE]
+ > You can have a maximum of 50 domains in all anti-phishing policies.
- - **Add users to protect**: The default value is **Off** ![Toggle Off](../../media/scc-toggle-off.png). To turn it on, slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png), and then click the **Add user** button that appears.
+ Back on the **Manage custom domains for impersonation** flyout, you can remove entries by selecting one or more entries from the list. You can search for entries using the ![Search icon](../../media/m365-cc-sc-create-icon.png) **Search** box.
- In the **Add user** flyout that appears, configure the following values:
+ After you select at least one entry, the ![Delete domains icon](../../media/m365-cc-sc-delete-icon.png) **Delete** icon appears, which you can use to remove the selected entries.
- - **Email address**:
+ - **Add trusted senders and domains**: : Specify impersonation protection exceptions for the policy by clicking on **Manage (nn) trusted sender(s) and domain(s)**. In the **Manage custom domains for impersonation protection** flyout that appears, configure the following settings:
+ - **Senders**: Verify the **Sender** tab is selected and click ![Add senders icon](../../media/m365-cc-sc-create-icon.png). In the **Add trusted senders** flyout that appears, enter an email address in the box and then click **Add**. Repeat this step as many times as necessary. To remove an existing entry, click ![Delete icon](../../media/m365-cc-sc-close-icon.png) for the entry.
- - Click in the box and scroll through the list of users to select.
- - Click in the box and start typing to filter the list and select a user.
- - To remove an entry, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the user.
+ When you're finished, click **Add**.
- - **Name**: This value is populated based on the email address you selected, but you can change it.
+ - **Domains**: Select the **Domain** tab and click ![Add domains icon](../../media/m365-cc-sc-create-icon.png).
+
+ In the **Add trusted domains** flyout that appears, click in the **Domain** box, enter a value, and then press Enter or select the value that's displayed below the box. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- When you're finished, click **Save** on any page.
+ When you're finished, click **Add**.
- To edit an existing entry, select the protected user in the list.
+ Back on the **Manage custom domains for impersonation** flyout, you can remove entries from the **Sender** and **Domain** tabs by selecting one or more entries from the list. You can search for entries using the ![Search icon](../../media/m365-cc-sc-create-icon.png) **Search** box.
- > [!NOTE]
- >
- > - In each anti-phishing policy, you can specify a maximum of 60 protected users (sender email addresses). You can't specify the same protected user in multiple policies.
- >
- > - User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt.
+ After you select at least one entry, the **Delete** icon appears, which you can use to remove the selected entries.
- - **Add domains to protect**: Configure one or both of the following settings:
+ When you're finished, click **Done**.
- - **Automatically include the domains I own**: The default value is **Off** ![Toggle Off](../../media/scc-toggle-off.png). To turn it on, slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png).
+ - **Enable mailbox intelligence**: The default value is on (selected), and we recommend that you leave it on. To turn it off, clear the check box.
- To view the domains that you own, select **View domains I own**.
+ - **Enable intelligence based impersonation protection**: This setting is available only if **Enable mailbox intelligence** is on (selected). This setting allows mailbox intelligence to take action on messages that are identified as impersonation attempts. You specify the action to take in the **If mailbox intelligence detects an impersonated user** setting on the next page.
- - **Include custom domains**: The default value is **Off** ![Toggle Off](../../media/scc-toggle-off.png). To turn it on, slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png), and in the **Add domains** box, enter the domain name (for example, contoso.com), press ENTER, and repeat as necessary.
+ We recommend that you turn this setting on by selecting the check box. To turn this setting off, clear the check box.
+
+ - **Spoof**: In this section, use the **Enable spoof intelligence** check box to turn spoof intelligence on or off. The default value is on (selected), and we recommend that you leave it on. You specify the action to take on messages from blocked spoofed senders in the **If message is detected as spoof** setting on the next page.
+
+ To turn off spoof intelligence, clear the check box.
> [!NOTE]
- > You can have a maximum of 50 domains in all anti-phishing policies.
+ > You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
- - **Actions**: Click **Edit**
+ When you're finished, click **Next**.
- - **If email is sent by an impersonated user**: Configure one of the following actions for messages where the sender is one of the protected users you specified in **Add users to protect**:
+6. On the **Actions** page that appears, configure the following settings:
+ - **Message actions**: Configure the following actions in this section:
+ - **If message is detected as an impersonated user**: This setting is available only if you selected **Enable users to protect** on the previous page. Select one of the following actions in the drop down list for messages where the sender is one of the protected users that you specified on the previous page:
- **Don't apply any action** - **Redirect message to other email addresses** - **Move message to the recipients' Junk Email folders**
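Review bot: the new "Add trusted senders and domains" bullet sends the reader to the "Manage custom domains for impersonation protection" flyout, which is the name already used for the custom domains list a few lines earlier, so this looks like a copy and paste slip; the same bullet also has a doubled colon (": :"). Flyout names drift elsewhere in the step as well: "Manage senders for impersonation protection" becomes "Manage senders for impersonation" in the "Back on the ..." sentence, and likewise for custom domains. Smaller items: "recpient exceptions", "Add a vaild email" (fix unless that is the literal UI label), missing periods after "click **Add**" and "click **Add domains**", and the three Search icons that point at m365-cc-sc-create-icon.png. The hunk also drops the footnote saying that read-only users can't see the settings in the default anti-phishing policy; if that restriction still applies in the security center, keep it, because it affects who can audit the default policy.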
Use the following procedures to modify anti-phishing policies: a new policy that
- **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered**
- - **If email is sent by an impersonated domain**: Configure one of the following actions for messages where the sender's domain is in one of the protected domains you specified in **Add domains to protect**:
-
+ - **If the message is detected as an impersonated domain**: This setting is available only if you selected **Enable domains to protect** on the previous page. Select one of the following actions in the drop down list for messages where the sender's email address is in one of the protected domains that you specified on the previous page:
- **Don't apply any action** - **Redirect message to other email addresses** - **Move message to the recipients' Junk Email folders**
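Review bot: the new label "If the message is detected as an impersonated domain" does not match its sibling on the same page, "If message is detected as an impersonated user", which has no article. Please confirm both against the UI and quote them exactly, since readers search the page for the label text. "drop down list" would also read better as "dropdown list", which is the form the removed text used.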
Use the following procedures to modify anti-phishing policies: a new policy that
- **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered**
- - Click **turn on impersonation safety tips** and configure any of the following settings:
-
- - **Show tip for impersonated users**
- - **Show tip for impersonated domains**
- - **Show tip for unusual characters**
-
- The default value for all tips is **Off** ![Toggle Off](../../media/scc-toggle-off.png). To turn any of them on, slide the toggle to **On** [Toggle On](../../media/scc-toggle-on.png).
-
- When you're finished, click **Save**.
-
- - **Mailbox intelligence**:
-
- - **Enable mailbox intelligence?**: The default value is **On** [Toggle On](../../media/scc-toggle-on.png). To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
-
- - **Enable mailbox intelligence based impersonation protection?**: This setting is available only if **Enable mailbox intelligence?** is **On**. Turn on this setting to specify the action to take on messages for impersonation detections from mailbox intelligence results.
-
- In **If email is sent by an impersonated user**, you can specify one of the following actions (the same actions that are available for protected users and protected domains):
-
- - **Don't apply any action**: Note that this value has the same result as turning on **Enable mailbox intelligence?** but turning off **Enable mailbox intelligence based impersonation protection?**.
+ - **If mailbox intelligence detects an impersonated user**: This setting is available only if you selected **Enable intelligence for impersonation protection** on the previous page. Select one of the following actions in the drop down list for messages that were identified as impersonation attempts by mailbox intelligence:
+ - **Don't apply any action**
- **Redirect message to other email addresses** - **Move message to the recipients' Junk Email folders** - **Quarantine the message** - **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered**
- - **Add trusted senders and domains**: Specify exceptions for the policy:
-
- - **Trusted senders**:
-
- - Click in the box and scroll through the list of users to select.
- - Click in the box and start typing to filter the list and select a user.
- - To remove an entry, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the user.
-
- - **Trusted domains**: Enter the domain name (for example, contoso.com), press ENTER, and repeat as necessary.
-
- - **Review your settings**: Instead of clicking on each individual step, the settings are displayed in a summary.
-
- - You can click **Edit** in each section to jump back to the relevant page.
- - You can toggle the following settings **On** or **Off** directly on this page:
-
- - **Protected users**
- - **Protected domains** \> **Include domains I own**
- - **Protected domains** \> **Protected domains** (custom domains)
- - **Mailbox intelligence**
-
- When you're finished, click **Save** on any page.
-
-6. **Spoof**: Click **Edit** to turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and configure the action to apply to messages from blocked spoofed senders. For more information about these settings, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
-
- Note that these same settings are also available in anti-phishing policies in EOP.
-
- - **Spoofing filter settings**: Use the **Enable spoof intelligence?** setting to turn spoof intelligence on or off. The default value is **On**, and we recommend that you leave it on. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
-
- > [!NOTE]
- > You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
-
- - **Unauthenticated sender settings**: You can configure the following settings:
- - **Enable unauthenticated sender question mark (?) symbol?**: Add a question mark to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication). The default value is **On**. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
- - **Enable "via" tag?**: Add the via tag (chris@contoso.com via fabrikam.com) if the email address in the From box is different from the domain in the DKIM signature or the **MAIL FROM** address. The default value is **On**. To turn it off, slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png).
-
- - **Actions**: Specify the action to take on messages from blocked spoofed senders:
-
- **If email is sent by someone who's not allowed to spoof your domain**:
-
- - **Move message to the recipients' Junk Email folders**
- - **Quarantine the message**
-
- - **Review your settings**: Instead of clicking on each individual step, the settings are displayed in a summary.
-
- - You can click **Edit** in each section to jump back to the relevant page.
- - You can toggle the following settings **On** or **Off** directly on this page:
- - **Spoof filter settings**
- - **Unauthenticated sender settings**
- - **Actions**
-
- When you're finished, click **Save** on any page.
-
-7. **Advanced settings**: Click **Edit** to configure the advanced phishing thresholds. For more information, see [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+ - **If message is detected as spoof**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Select one of the following actions in the drop down list for messages from blocked spoofed senders:
+ - **Move message to the recipients' Junk Email folders**
+ - **Quarantine the message**
- - **Advanced phishing thresholds**: Select one of the following values:
+ - **Safety tips & indicators**: Configure the following settings:
+ - **Show user impersonation safety tip**: This setting is available only if you selected **Enable users to protect** on the previous page.
+ - **Show domain impersonation safety tip**: This setting is available only if you selected **Enable domains to protect** on the previous page.
+ - **Show user impersonation unusual characters safety tip** This setting is available only if you selected **Enable users to protect** or **Enable domains to protect** on the previous page.
+ - **Show (?) for unauthenticated senders for spoof**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Adds a question mark to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication).
+ - **Show "via" tag**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. The default value is on (selected). To turn it off, clear the check box.
- - **1 - Standard** (This is the default value.)
- - **2 - Aggressive**
- - **3 - More aggressive**
- - **4 - Most aggressive**
+ > [!NOTE]
+ > Currently, the **Show "via" tag** setting is not available in all organizations. If you don't have the **Show "via" tag** setting, the question mark **and** the via tag are both controlled by the **Show (?) for unauthenticated senders for spoof** setting in your organization.
- - **Review your settings**: Click **Edit** to jump back to the **Advanced phishing thresholds** page.
+ To turn on a setting, select the check box. To turn it off, clear the check box.
- When you're finished, click **Save** on either page.
+ When you're finished, click **Next**.
-8. Back on the **Edit your policy \<Name\>** page, review your settings and then click **Close**.
+7. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
-### Use the Security & Compliance Center to modify the default anti-phishing policy in Microsoft Defender for Office 365
+ When you're finished, click **Submit**.
-The default anti-phishing policy in Microsoft Defender for Office 365 is named Office365 AntiPhish Default, and it doesn't appear in the list of policies. To modify the default anti-phishing policy, do the following steps:
+8. On the confirmation page that appears, click **Done**.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+## Use the security center to view anti-phishing policies
-2. On the **Anti-phishing** page, click **Default policy**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-3. The **Edit your policy Office365 AntiPhish Default** page appears. The following sections are available, which contain identical settings for when you [modify a custom policy](#use-the-security--compliance-center-to-modify-anti-phishing-policies-in-microsoft-defender-for-office-365):
+2. On the **Anti-phishing** page, the following properties are displayed in the list of anti-phishing policies:
- - **Impersonation**
- - **Spoof**
- - **Advanced settings**
+ - **Name**
+ - **Status**
+ - **Priority**
+ - **Last modified**
- The following settings aren't available when you modify the default policy:
+3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
- - You can see the **Policy setting** section and values, but there's no **Edit** link, so you can't modify the settings (policy name, description, and who the policy applies to (it applies to all recipients)).
- - You can't delete the default policy.
- - You can't change the priority of the default policy (it's always applied last).
+## Use the security center to modify anti-phishing policies
-4. On the **Edit your policy Office365 AntiPhish Default** page, review your settings and then click **Close**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-### Enable or disable custom anti-phishing policies in Microsoft Defender for Office 365
+2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the security center to create anti-phishing policies](#use-the-security-center-to-create-anti-phishing-policies) section earlier in this article.
-2. Notice the value in the **Status** column:
+ For the default anti-phishing policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.
- - Slide the toggle to **Off** ![Toggle Off](../../media/scc-toggle-off.png) to disable the policy.
+To enable or disable a policy or set the policy priority order, see the following sections.
- - Slide the toggle to **On** ![Toggle On](../../media/scc-toggle-on.png) to enable the policy.
+### Enable or disable custom anti-phishing policies
You can't disable the default anti-phishing policy.
-### Set the priority of custom anti-phishing policies in Microsoft Defender for Office 365
-
-By default, anti-phishing policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-
-For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-
-Custom anti-phishing policies are displayed in the order they're processed (the first policy has the **Priority** value 0). The default anti-phishing policy named Office365 AntiPhish Default has the custom priority value **Lowest**, and you can't change it.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
- **Note**: In the Security & Compliance Center, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules).
+2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Security & Compliance Center). Changing the priority of a policy only makes sense if you have multiple policies.
+3. At the top of the policy details flyout that appears, you'll see one of the following values:
+ - **Policy off**: To turn on the policy, click ![Turn on icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** .
+ - **Policy on**: To turn off the policy, click ![Turn off icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
-2. Select the policy that you want to modify. If it's already selected, deselect it and select it again.
+5. Click **Close** in the policy details flyout.
-3. The **Edit your policy \<name\>** flyout appears.
+Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
- - The custom anti-phishing policy with the **Priority** value **0** has only the **Decrease priority** button available.
+### Set the priority of custom anti-phishing policies
- - The custom anti-phishing policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** button available.
-
- - If you have three or more custom anti-phishing policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** buttons available.
+By default, anti-phishing policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-4. Click **Increase priority** or **Decrease priority** to change the **Priority** value.
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
-5. When you're finished, click **Close**.
+ **Notes**:
-## Use the Security & Compliance Center to view anti-phishing policies in Microsoft Defender for Office 365
+- In the security center, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules).
+- Anti-phishing policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-phishing policy has the priority value **Lowest**, and you can't change it.
-1. In the Security & Compliance Center, and go to **Threat management** \> **Policy** \> **Anti-phishing**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-2. Do one of the following steps:
+2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.
- - Select a custom anti-phishing policy that you want to view. If it's already selected, deselect it and select it again.
+3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
+ - The anti-phishing policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The anti-phishing policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more anti-phishing policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
- - Click **Default policy** to view the default anti-phishing policy.
+ Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
-3. The **Edit your policy \<name\>** flyout appears, where you can view the settings and values.
+4. When you're finished, click **Close** in the policy details flyout.
-## Use the Security & Compliance Center to remove anti-phishing policies in Microsoft Defender for Office 365
+## Use the security center to remove custom anti-phishing policies
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**.
+When you use the security center to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.
-2. Select the policy that you want to remove. If it's already selected, deselect it and select it again.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**.
-3. In the **Edit your policy \<name\>** flyout that appears, click **Delete policy**, and then click **Yes** in the warning dialog that appears.
+2. Select a custom policy from the list by clicking on the name of the policy. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
-You can't remove the default policy.
+3. In the confirmation dialog that appears, click **Yes**.
-## Use Exchange Online PowerShell to configure anti-phishing policies in Microsoft Defender for Office 365
+## Use Exchange Online PowerShell to configure anti-phishing policies
As previously described, an anti-spam policy consists of an anti-phish policy and an anti-phish rule.
Creating an anti-phishing policy in PowerShell is a two-step process:
**Notes**: - You can create a new anti-phish rule and assign an existing, unassociated anti-phish policy to it. An anti-phish rule can't be associated with more than one anti-phish policy.--- You can configure the following settings on new anti-phish policies in PowerShell that aren't available in the Security & Compliance Center until after you create the policy:-
+- You can configure the following settings on new anti-phish policies in PowerShell that aren't available in the security center until after you create the policy:
- Create the new policy as disabled (_Enabled_ `$false` on the **New-AntiPhishRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-AntiPhishRule** cmdlet).--- A new anti-phish policy that you create in PowerShell isn't visible in the Security & Compliance Center until you assign the policy to an anti-phish rule.
+- A new anti-phish policy that you create in PowerShell isn't visible in the security center until you assign the policy to an anti-phish rule.
#### Step 1: Use PowerShell to create an anti-phish policy
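Review bot: The rewritten "Set the priority of custom anti-phishing policies" section loses the pointer to [Order and precedence of email protection](how-policies-and-protections-are-combined.md) that the removed text carried, and none of the added lines in this hunk restores it. The section still says policy processing stops after the first policy is applied, so keep that link next to the priority paragraph. Smaller points in the same hunk: the **Show user impersonation unusual characters safety tip** bullet is missing the colon its sibling bullets have after the bold label, `**Turn on** .` has a stray space before the period, and the unchanged line "an anti-spam policy consists of an anti-phish policy and an anti-phish rule" under the PowerShell heading should say anti-phishing policy.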
Other than the following items, the same settings are available when you modify
- The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, always **Lowest** priority, and you can't delete it) is only available when you modify an anti-phish policy in PowerShell. -- You can't rename an anti-phish policy (the **Set-AntiPhishPolicy** cmdlet has no _Name_ parameter). When you rename an anti-phishing policy in the Security & Compliance Center, you're only renaming the anti-phish _rule_.
+- You can't rename an anti-phish policy (the **Set-AntiPhishPolicy** cmdlet has no _Name_ parameter). When you rename an anti-phishing policy in the security center, you're only renaming the anti-phish _rule_.
To modify an anti-phish policy, use this syntax:
For detailed syntax and parameter information, see [Remove-AntiPhishRule](/power
## How do you know these procedures worked?
-To verify that you've successfully configured anti-phishing policies in Microsoft Defender for Office 365, do any of the following steps:
+To verify that you've successfully configured anti-phishing policies in Defender for Office 365, do any of the following steps:
-- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details do either of the following steps:-
- - Select the policy from the list, and view the details in the flyout.
- - Click **Default policy** and view the details in the flyout.
+- In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-phishing**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list by clicking on the name and viewing the details in the flyout that appears.
- In Exchange Online PowerShell, replace \<Name\> with the name of the policy or rule, and run the following command and verify the settings:
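Review bot: In the added verification bullet, "select the policy from the list by clicking on the name and viewing the details in the flyout that appears" mixes an imperative with a participle, so it reads as if viewing the details were part of how you select the policy. Suggest "select the policy from the list by clicking on the name, and view the details in the flyout that appears".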
To verify that you've successfully configured anti-phishing policies in Microsof
```PowerShell Get-AntiPhishRule -Identity "<Name>"
- ```
+ ```
security Configure The Connection Filter Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-connection-filter-policy.md
If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standa
- **Safe list**: The *safe list* is a dynamic allow list in the Microsoft datacenter that requires no customer configuration. Microsoft identifies these trusted email sources from subscriptions to various third-party lists. You enable or disable the use of the safe list; you can't configure the source email servers on the safe list. Spam filtering is skipped on incoming messages from the email servers on the safe list.
-This topic describes how to configure the default connection filter policy in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes). For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings, see see [Anti-spam protection](anti-spam-protection.md).
+This article describes how to configure the default connection filter policy in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes). For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings, see see [Anti-spam protection](anti-spam-protection.md).
> [!NOTE] > The IP Allow List, safe list, and the IP Block List are one part of your overall strategy to allow or block email in your organization. For more information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md) and [Create blocked sender lists](create-block-sender-lists-in-office-365.md). ## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Anti-spam settings** page, use <https://protection.office.com/antispam>.
+- You open the security center at <https://security.microsoft.com/>. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
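Review bot: The added intro paragraph still carries a broken clause and a doubled word from the line it replaces: "For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings, see see [Anti-spam protection]". Since this line is being touched anyway, fix it in the same change, for example "For more information about how connection filtering is part of your organization's overall anti-spam settings, see [Anti-spam protection](anti-spam-protection.md)."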
This topic describes how to configure the default connection filter policy in th
- The IP Allow List and the IP Block List each support a maximum of 1273 entries, where an entry is a single IP address, an IP address range, or a Classless InterDomain Routing (CIDR) IP.
-## Use the Security & Compliance Center to modify the default connection filter policy
+## Use the security center to modify the default connection filter policy
-1. In the Security & Compliance Center and go to **Threat management** \> **Policy** \> **Anti-Spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-2. On the **Anti-spam settings** page, expand **Connection filter policy** by clicking ![Expand icon](../../media/scc-expand-icon.png), and then click **Edit policy**.
+2. On the **Anti-spam policies** page, select **Connection filter policy (Default)** from the list by clicking on the name of the policy.
-3. In the **Default** flyout that appears, configure any of the following settings:
+3. In the policy details flyout that appears, configure any of the following settings:
- - **Description**: Enter optional descriptive text.
+ - **Description** section: Click **Edit name and description**. In the **Edit name and description** flyout that appears, enter optional descriptive text in the **Description** box.
- - **IP Allow List**: Click **Edit**. In the **IP Allow List** flyout that appears, enter an IPV4 address in the **Address or address range** box using the following syntax:
+ When you're finished, click **Save**.
- - Single IP: For example, 192.168.1.1.
+ - **Connection filtering section**: Click **Edit connection filter policy**. In the flyout that appears, configure the following settings:
- - IP range: For example, 192.168.0.1-192.168.0.254.
+ - **Always allow messages from the following IP addresses or address range**: This is the IP Allow list. Click in the box, enter a value, and then press Enter or select the complete value that's displayed below the box. Valid values are
+ - Single IP: For example, 192.168.1.1.
+ - IP range: For example, 192.168.0.1-192.168.0.254.
+ - CIDR IP: For example, 192.168.0.1/25. Valid subnet mask values are /24 through /32. To skip spam filtering for /1 to /23, see the [Skip spam filtering for a CIDR IP outside of the available range](#skip-spam-filtering-for-a-cidr-ip-outside-of-the-available-range) section later in this article.
- - CIDR IP: For example, 192.168.0.1/25. Valid network mask values are /24 through /32. To skip spam filtering for CIDR IP mask values /1 to /23, see the [Skip spam filtering for a CIDR IP outside of the available range](#skip-spam-filtering-for-a-cidr-ip-outside-of-the-available-range) section later in this article.
+ Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- To add the IP address or address range, click **Add** ![Add Icon](../../media/ITPro-EAC-AddIcon.png). To remove an entry, select the entry in **Allowed IP Address** and then click **Remove** ![Remove](../../media/scc-remove-icon.png). When you're finished, click **Save**.
+ To add the IP address or address range, click in the box and type itclick **Add** ![Add Icon](../../media/ITPro-EAC-AddIcon.png). To remove an entry, select the entry in **Allowed IP Address** and then click **Remove** ![Remove](../../media/scc-remove-icon.png). When you're finished, click **Save**.
- - **IP Block List**: Click **Edit**. In the **IP Block List** flyout that appears, enter a single IP, IP range, or CIDR IP in the **Address or address range** box as previously described in the **IP Allow List** setting.
+ - **Always block messages from the following IP addresses or address range**: This is the IP Block List. Enter a single IP, IP range, or CIDR IP in the box as previously described in the **Always allow messages from the following IP addresses or address range** setting.
- To add the IP address or address range, click **Add** ![Add Icon](../../media/ITPro-EAC-AddIcon.png). To remove an entry, select the entry in **Blocked IP Address** and then click **Remove** ![Remove](../../media/scc-remove-icon.png). When you're finished, click **Save**.
+ - **Turn on safe list**: Enable or disable the use of the safe list to identify known, good senders that will skip spam filtering. To use the safe list, select the check box.
- - **Turn on safe list**: Enable or disable the use of the safe list to identify known, good senders that will skip spam filtering.
+ When you're finished, click **Save**.
-4. When you're finished, click **Save**.
+4. Back on the policy details flyout, click **Close**.
-## Use the Security & Compliance Center to view the default connection filter policy
+## Use the security center to view the default connection filter policy
-1. In the Security & Compliance Center and go to **Threat management** \> **Policy** \> **Anti-Spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-2. On the **Anti-spam settings** page, click the drop down next to the default policy named **Connection filter policy**.
+2. On the **Anti-spam policies** page, the following properties are displayed in the list of policies:
-3. The policy settings are displayed in the drop down that opens.
+ - **Name**: This value is **Connection filter policy (Default)** for the default connection filter policy.
+ - **Status**: This value is **Always on** for the default connection filter policy.
+ - **Priority**: This value is **Lowest** for the default connection filter policy.
+ - **Type**: This value is blank for the default connection filter policy.
+
+3. When you select the default connection filter policy, the policy settings are displayed in a flyout.
## Use Exchange Online PowerShell or standalone EOP PowerShell to modify the default connection filter policy
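Review bot: The added line "To add the IP address or address range, click in the box and type itclick **Add** ..." under the IP Allow List setting looks like a half-edited leftover. "type itclick" is run together, the line still points at the old Add icon and the **Allowed IP Address** list, and it repeats the enter and remove instructions that the added lines just above it already give. Drop it so the flyout documents one way to add an entry. In the same block, "Valid values are" needs a colon, "IP Allow list" should match the "IP Allow List" casing used elsewhere, **Connection filtering section** should bold only the section name the way **Description** section does, and the CIDR bullet now says "subnet mask" where the line it replaces said "network mask".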
Set-HostedConnectionFilterPolicy -Identity Default [-AdminDisplayName <"Optional
**Notes**: - Valid IP address or address range values are:- - Single IP: For example, 192.168.1.1.- - IP range: For example, 192.168.0.1-192.168.0.254.- - CIDR IP: For example, 192.168.0.1/25. Valid network mask values are /24 through /32.- - To *overwrite* any existing entries with the values you specify, use the following syntax: `IPAddressOrRange1,IPAddressOrRange2,...,IPAddressOrRangeN`.- - To *add or remove* IP addresses or address ranges without affecting other existing entries, use the following syntax: `@{Add="IPAddressOrRange1","IPAddressOrRange2",...,"IPAddressOrRangeN";Remove="IPAddressOrRange3","IPAddressOrRange4",...,"IPAddressOrRangeN"}`.- - To empty the IP Allow List or IP Block List, use the value `$null`. This example configures the IP Allow List and the IP Block List with the specified IP addresses and address ranges.
For detailed syntax and parameter information, see [Set-HostedConnectionFilterPo
To verify that you've successfully modified the default connection filter policy, do any of the following steps: -- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-Spam** \> click the drop down next to **Connection filter policy (always ON**), and verify the settings.
+- In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam** \> select **Connection filter policy (Default)** from the list by clicking on the name of the policy, and verify the settings.
- In Exchange Online PowerShell or standalone EOP PowerShell, run the following command and verify the settings:
As described earlier in this article, you can only use a CIDR IP with the networ
Now that you're fully aware of the potential issues, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from these IP addresses will skip spam filtering: - Rule condition: **Apply this rule if** \> **The sender** \> **IP address is in any of these ranges or exactly matches** \> (enter your CIDR IP with a /1 to /23 network mask).- - Rule action: **Modify the message properties** \> **Set the spam confidence level (SCL)** \> **Bypass spam filtering**. You can audit the rule, test the rule, activate the rule during a specific time period, and other selections. We recommend testing the rule for a period before you enforce it. For more information, see [Manage mail flow rules in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules).
For example, the source email server 192.168.1.25 sends email from the domains c
1. Add 192.168.1.25 to the IP Allow List. 2. Configure a mail flow rule with the following settings (at a minimum):- - Rule condition: **Apply this rule if** \> **The sender** \> **IP address is in any of these ranges or exactly matches** \> 192.168.1.25 (the same IP address or address range that you added to the IP Allow List in the previous step).- - Rule action: **Modify the message properties** \> **Set the spam confidence level (SCL)** \> **0**.- - Rule exception: **The sender** \> **domain is** \> fabrikam.com (only the domain or domains that you want to skip spam filtering). ### Scenarios where messages from sources in the IP Allow List are still filtered
Messages from an email server in your IP Allow List are still subject to spam fi
If you encounter either of these scenarios, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from the problematic IP addresses will skip spam filtering: - Rule condition: **Apply this rule if** \> **The sender** \> **IP address is in any of these ranges or exactly matches** \> (your IP address or addresses).- - Rule action: **Modify the message properties** \> **Set the spam confidence level (SCL)** \> **Bypass spam filtering**. ## New to Microsoft 365? ****
-![The short icon for LinkedIn Learning](../../media/eac8a413-9498-4220-8544-1e37d1aaea13.png) **New to Microsoft 365?** Discover free video courses for **Microsoft 365 admins and IT pros**, brought to you by LinkedIn Learning.
+![The short icon for LinkedIn Learning](../../media/eac8a413-9498-4220-8544-1e37d1aaea13.png) **New to Microsoft 365?** Discover free video courses for **Microsoft 365 admins and IT pros**, brought to you by LinkedIn Learning.
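Review bot: The removed and added LinkedIn Learning lines read identically as shown, so this looks like a whitespace-only change, and the stray `****` that follows the "## New to Microsoft 365?" heading in the context line above is left in place. If this pass is meant to tidy the section, remove the empty `****` in the same edit.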
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
EOP uses outbound spam policies as part of your organization's overall defense a
Admins can view, edit, and configure (but not delete) the default outbound spam policy. For greater granularity, you can also create custom outbound spam policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
-You can configure outbound spam policies in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+You can configure outbound spam policies in the Microsoft 365 security center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
The basic elements of an outbound spam policy in EOP are: - **The outbound spam filter policy**: Specifies the actions for outbound spam filtering verdicts and the notification options. - **The outbound spam filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a outbound spam filter policy.
-The difference between these two elements isn't obvious when you manage outbound spam polices in the Security & Compliance Center:
+The difference between these two elements isn't obvious when you manage outbound spam polices in the security center:
- When you create a policy, you're actually creating a outbound spam filter rule and the associated outbound spam filter policy at the same time using the same name for both. - When you modify a policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the outbound spam filter rule. All other settings modify the associated outbound spam filter policy.
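Review bot: The added line "...when you manage outbound spam polices in the security center:" keeps the typo "polices" from the line it replaces; it should read "policies". The unchanged bullets around it also still say "a outbound spam filter policy" and "a outbound spam filter rule", which could be corrected to "an outbound" while the paragraph is being touched.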
To increase the effectiveness of outbound spam filtering, you can create custom
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Anti-spam settings** page, use <https://protection.office.com/antispam>.
+- You open the security center at <https://security.microsoft.com/>. To go directly to the **Anti-spam settings** page, use <https://security.microsoft.com/antispam>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
To increase the effectiveness of outbound spam filtering, you can create custom
For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
- > [!NOTE]
- > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
- >
- > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+ **Notes**:
+
+ - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
- For our recommended settings for outbound spam policies, see [EOP outbound spam filter policy settings](recommended-settings-for-eop-and-office365.md#eop-outbound-spam-policy-settings). - The default [alert policies](../../compliance/alert-policies.md) named **Email sending limit exceeded**, **Suspicious email sending patterns detected**, and **User restricted from sending email** already send email notifications to members of the **TenantAdmins** (**Global admins**) group about unusual outbound email activity and blocked users due to outbound spam. For more information, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users). We recommend that you use these alert policies instead of the the notification options in outbound spam policies.
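Review bot: Replacing the `> [!NOTE]` callout with an indented `**Notes**:` paragraph is inconsistent with the rest of this change, which still adds `> [!NOTE]` and `> [!IMPORTANT]` blocks further down the same article. Pick one convention for the page. The unchanged bullet that follows also contains "instead of the the notification options", a doubled word worth fixing while the section is open.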
-## Use the Security & Compliance Center to create outbound spam policies
-
-Creating a custom outbound spam policy in the Security & Compliance Center creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
+## Use the security center to create outbound spam policies
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+Creating a custom outbound spam policy in the security center creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
-2. On the **Anti-spam settings** page, click **Create an outbound policy**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-3. In the **Outbound spam filter policy** fly out that opens, configure the following settings:
+2. On the **Anti-spam policies** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Outbound** from the drop down list.
+3. The policy wizard opens. On the **Name your policy page**, configure these settings:
- **Name**: Enter a unique, descriptive name for the policy.- - **Description**: Enter an optional description for the policy.
-4. (Optional) Expand the **Notifications** section to configure additional users who should receive copies and notifications of suspicious outbound email messages:
-
- - **Send a copy of suspicious outbound email messages to specific people**: This setting adds the specified users as Bcc recipients to the suspicious outbound messages.
-
- > [!NOTE]
- > This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.
+ When you're finished, click **Next**.
- To enable this setting:
+4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+ - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
+ - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- 1. Select the check box to enable the setting.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- 1. Click **Add people**. In the **Add or remove recipients** flyout that appears:
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
- 1. Enter the sender's email address. You can specify multiple email addresses separated by semicolons (;) or one recipient per line.
+ Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
- 1. Click ![Add icon](../../media/c2dd8b3a-5a22-412c-a7fa-143f5b2b5612.png) to add the recipients.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
- Repeat these steps as many times as necessary.
+ When you're finished, click **Next**.
- The recipients you added appear in the **Recipient list** section on the flyout. To delete a recipient, click ![Remove button](../../media/scc-remove-icon.png).
-
- 1. When you're finished, click **Save**.
-
- To disable this setting, clear the check box.
-
- - **Notify specific people if a sender is blocked due to sending outbound spam**:
-
- > [!IMPORTANT]
- >
- > - This setting is in the process of being deprecated from outbound spam policies.
- >
- > - The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in the **Recipient Limits** section. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).
-
-5. (Optional) Expand the **Recipient Limits** section to configure the limits and actions for suspicious outbound email messages:
-
- > [!NOTE]
- > These settings are only applicable to cloud-based mailboxes.
-
- - **Maximum number of recipients per user**
+5. On the **Protection settings** page that opens, configure the following settings:
+ - **Message limits**: The settings in this section configure the limits for outbound email messages from **Exchange Online** mailboxes:
+ - **Set an external message limit**: The maximum number of external recipients per hour.
+ - **Set an internal message limit**: The maximum number of internal recipients per hour.
+ - **Set a daily message limit**: The maximum total number of recipients per day.
A valid value is 0 to 10000. The default value is 0, which means the service defaults are used. For more information, see [Sending limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-1).
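Review bot: The new **Users, groups, and domains** step scopes the policy to "the internal recipients that the policy applies to (recipient conditions)" and uses `<recipient1>` / `<recipient2>` in the OR/AND example, while the **Applied to** text it replaces scoped the policy to "the internal senders" with `<sender1>` / `<sender2>`. That reads as a change of meaning rather than a UI rename; please confirm which is intended and, if the scope is still senders, restore that wording in the step intro, the example and the exclusion bullet. The exclusion bullet also has a typo: "recpient exceptions".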
- - **External hourly limit**: The maximum number of external recipients per hour.
-
- - **Internal hourly limit**: The maximum number of internal recipients per hour.
+ Enter a value in the box, or use the increase/decrease arrows on the box.
- - **Daily limit**: The maximum total number of recipients per day.
+ - **Restriction placed on users who reach the message limit**: Select an action from the drop down list when any of the limits in the **Protection settings** section are exceeded.
- - **Action when a user exceeds the limits above**: Configure the action to take when any one of the **Recipient Limits** are exceeded. For all actions, the recipients specified in the **User restricted from sending email** alert policy (and in the now redundant **Notify specific people if a sender is blocked due to sending outbound spam** setting in the outbound spam policy receive email notifications.
-
- - **Restrict the user from sending mail till the following day**: This is the default value. Email notifications are sent, and the user will be unable to send any more messages until the following day, based on UTC time. There is no way for the admin to override this block.
+ For all actions, the recipients specified in the **User restricted from sending email** alert policy (and in the now redundant **Notify these users and groups if a sender is blocked due to sending outbound spam** setting later on this page) receive email notifications.
+ - **Restrict the user from sending mail until the following day**: This is the default value. Email notifications are sent, and the user will be unable to send any more messages until the following day, based on UTC time. There is no way for the admin to override this block.
- The activity alert named **User restricted from sending email** notifies admins (via email and on the **View alerts** page).- - Any recipients specified in the **Notify specific people if a sender is blocked due to sending outbound spam** setting in the policy are also notified.- - The user will be unable to send any more messages until the following day, based on UTC time. There is no way for the admin to override this block.-
- - **Restrict the user from sending mail**: Email notifications are sent, the user is added to the **[Restricted Users]<https://sip.protection.office.com/restrictedusers>** portal in the Security & Compliance Center, and the user can't send email until they're removed from the **Restricted Users** portal by an admin. After an admin removes the user from the list, the user won't be restricted again for that day. For instructions, see [Removing a user from the Restricted Users portal after sending spam email](removing-user-from-restricted-users-portal-after-spam.md).
-
+ - **Restrict the user from sending mail**: Email notifications are sent, the user is added to **Restricted users** <https://security.microsoft.com/restrictedusers> in the security center, and the user can't send email until they're removed from **Restricted users** by an admin. After an admin removes the user from the list, the user won't be restricted again for that day. For instructions, see [Removing a user from the Restricted Users portal after sending spam email](removing-user-from-restricted-users-portal-after-spam.md).
- **No action, alert only**: Email notifications are sent.
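Review bot: In the added bullet **Restriction placed on users who reach the message limit**, the action is said to apply "when any of the limits in the **Protection settings** section are exceeded", but **Protection settings** is the wizard page and the limits themselves sit under **Message limits** a few lines above. Point the reference at **Message limits** so it matches the section name this change introduces.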
-6. (Optional) Expand **Automatic forwarding** section to control automatic email forwarding by users to external senders. For more information, see [Control automatic external email forwarding in Microsoft 365](external-email-forwarding.md).
+ - **Forwarding rules**: Use the settings in this section to control automatic email forwarding by **Exchange Online mailboxes** to external senders. For more information, see [Control automatic external email forwarding in Microsoft 365](external-email-forwarding.md).
- > [!NOTE]
- >
- > - Before September 2020, these settings are available but not enforced.
- >
- > - These settings apply only to cloud-based mailboxes.
- >
- > - When automatic forwarding is disabled, the recipient will receive a non-delivery report (also known as an NDR or bounce message) if external senders send email to a mailbox that has forwarding in place. If the message is sent by an internal sender **and** the forwarding method is [mailbox forwarding](/exchange/recipients-in-exchange-online/manage-user-mailboxes/configure-email-forwarding) (also known as _SMTP forwarding_), the internal sender will get the NDR. The internal sender does not get an NDR if the forwarding occurred due to an inbox rule.
+ > [!NOTE]
+ > When automatic forwarding is disabled, the recipient will receive a non-delivery report (also known as an NDR or bounce message) if external senders send email to a mailbox that has forwarding in place. If the message is sent by an internal sender **and** the forwarding method is [mailbox forwarding](/exchange/recipients-in-exchange-online/manage-user-mailboxes/configure-email-forwarding) (also known as _SMTP forwarding_), the internal sender will get the NDR. The internal sender does not get an NDR if the forwarding occurred due to an inbox rule.
- The available values are:
+ Select one of the following actions from the **Automatic forwarding rules** drop down list:
- - **Automatic - System-controlled**: Allows outbound spam filtering to control automatic external email forwarding. This is the default value.
- - **On**: Automatic external email forwarding is not disabled by the policy.
- - **Off**: All automatic external email forwarding is disabled by the policy.
+ - **Automatic - System-controlled**: Allows outbound spam filtering to control automatic external email forwarding. This is the default value.
+ - **On**: Automatic external email forwarding is not disabled by the policy.
+ - **Off**: All automatic external email forwarding is disabled by the policy.
-7. (Required) Expand the **Applied to** section to identify the internal senders that the policy applies to.
+ - **Notifications**: Use the settings in the section to configure additional recipients who should receive copies and notifications of suspicious outbound email messages:
- You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<sender1\>_ or _\<sender2\>_). Different conditions or exceptions use AND logic (for example, _\<sender1\>_ and _\<member of group 1\>_).
+ - **Send a copy of suspicious outbound that exceed these limits to these users and groups**: This setting adds the specified recipients to the Bcc field of suspicious outbound messages.
- It's easiest to click **Add a condition** three times to see all of the available conditions. You can click ![Remove button](../../media/scc-remove-icon.png) to remove conditions that you don't want to configure.
+ > [!NOTE]
+ > This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.
- - **The sender domain is**: Specifies senders in one or more of the configured accepted domains in the organization. Click in the **Add a tag** box to see and select a domain. Click again the **Add a tag** box to select additional domains if more than one domain is available.
+ To enable this setting, select the check box. In the box that appears, click in the box, enter a valid email address, and then press Enter or select the complete value that's displayed below the box.
- - **Sender is**: Specifies one or more users in your organization. Click in the **Add a tag** and start typing to filter the list. Click again the **Add a tag** box to select additional senders.
+ Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- - **Sender is a member of**: Specifies one or more groups in your organization. Click in the **Add a tag** and start typing to filter the list. Click again the **Add a tag** box to select additional senders.
+ - **Notify these users and groups if a sender is blocked due to sending outbound spam**
- - **Except if**: To add exceptions for the rule, click **Add a condition** three times to see all of the available exceptions. The settings and behavior are exactly like the conditions.
+ > [!IMPORTANT]
+ >
+ > - This setting is in the process of being deprecated from outbound spam policies.
+ >
+ > - The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in the **Recipient Limits** section. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).
-8. When you're finished, click **Save**.
+ When you're finished, click **Next**.
-## Use the Security & Compliance Center to view outbound spam policies
+6. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+ When you're finished, click **Create**.
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand an outbound spam policy:
+7. On the confirmation page that appears, click **Done**.
- - The default policy named **Outbound spam filter policy**.
+## Use the security center to view outbound spam policies
- - A custom policy that you created where the value in the **Type** column is **Custom outbound spam policy**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-3. The policy settings are displayed in the expanded policy details that appear, or you can click **Edit policy**.
+2. On the **Anti-spam policies** page, look for one of the following values:
+ - The **Type** value is **Custom outbound spam policy**
+ - The **Name** value is **Anti-spam outbound policy (Default)**
-## Use the Security & Compliance Center to modify outbound spam policies
+ The following properties are displayed in the list of anti-spam policies:
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+ - **Name**
+ - **Status**
+ - **Priority**
+ - **Type**
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand an outbound spam policy:
+3. When you select an outbound spam policy by clicking on the name, the policy settings are displayed in a flyout.
- - The default policy named **Outbound spam filter policy**.
+## Use the security center to modify outbound spam policies
- - A custom policy that you created where the value in the **Type** column is **Custom outbound spam policy**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-3. Click **Edit policy**.
+2. On the **Anti-spam policies** page, select an outbound spam policy from the list by clicking on the name:
+ - A custom policy that you created where the value in the **Type** column is **Custom outbound spam policy**.
+ - The default policy named **Anti-spam outbound policy (Default)**.
-For custom outbound spam policies, the available settings in the flyout that appears are identical to those described in the [Use the Security & Compliance Center to create outbound spam policies](#use-the-security--compliance-center-to-create-outbound-spam-policies) section.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the security center to create outbound spam policies](#use-the-security-center-to-create-outbound-spam-policies) section in this article.
-For the default outbound spam policy named **Outbound spam filter policy**, the **Applied to** section isn't available (the policy applies to everyone), and you can't rename the policy.
+ For the default outbound spam policy, the **Applied to** section isn't available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy, set the policy priority order, or configure the end-user quarantine notifications, see the following sections.
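Review bot: The re-added `[!IMPORTANT]` block under **Notify these users and groups if a sender is blocked due to sending outbound spam** still refers to "the limits in the **Recipient Limits** section", a section name that this change replaces with **Message limits**; update the reference so it can be found in the new wizard. Two wording issues in the same region: "Use the settings in the section" should be "in this section" to match the **Forwarding rules** bullet, and the label "Send a copy of suspicious outbound that exceed these limits to these users and groups" reads as if a word is missing after "outbound", so check it against the UI string. The in-page link was correctly updated to `#use-the-security-center-to-create-outbound-spam-policies`, but every renamed heading in this change gets a new anchor, so links to the old anchors from other articles need checking too.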
-### Enable or disable outbound spam policies
+### Enable or disable custom outbound spam policies
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+You can't disable the default outbound spam policy.
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand a custom policy that you created (the value in the **Type** column is **Custom outbound spam policy**).
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-3. In the expanded policy details that appear, notice the value in the **On** column.
+2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name.
- Move the toggle to the left to disable the policy: ![Toggle off](../../media/scc-toggle-off.png)
+3. At the top of the policy details flyout that appears, you'll see one of the following values:
+ - **Policy off**: To turn on the policy, click ![Turn on icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** .
+ - **Policy on**: To turn off the policy, click ![Turn off icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
- Move the toggle to the right to enable the policy: ![Toggle on](../../media/scc-toggle-on.png)
+4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
-You can't disable the default outbound spam policy.
+5. Click **Close** in the policy details flyout.
-### Set the priority of custom outbound spam policies
+Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
-By default, outbound spam policies are given a priority that's based on the order they were created in (newer polices are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
+### Set the priority of custom outbound spam policies
-Custom outbound spam policies are displayed in the order they're processed (the first policy has the **Priority** value 0). The default outbound spam policy named **Outbound spam filter policy** has the priority value **Lowest**, and you can't change it.
+By default, outbound spam policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-To change the priority of a policy, move the policy up or down in the list (you can't directly modify the **Priority** number in the Security & Compliance Center).
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the security center). Changing the priority of a policy only makes sense if you have multiple policies.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+ **Notes**:
-2. On the **Anti-spam settings** page, find the policies where the value in the **Type** column is **Custom outbound spam policy**. Notice the values in the **Priority** column:
+- In the security center, you can only change the priority of the outbound spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules).
+- Outbound spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default outbound spam policy has the priority value **Lowest**, and you can't change it.
- - The custom outbound spam policy with the highest priority has the value ![Down Arrow icon](../../media/ITPro-EAC-DownArrowIcon.png) **0**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
- - The custom outbound spam policy with the lowest priority has the value ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png) **n** (for example, ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png) **3**).
+2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name.
- - If you have three or more custom outbound spam policies, the policies between the highest and lowest priority have values ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png)![Down Arrow icon](../../media/ITPro-EAC-DownArrowIcon.png) **n** (for example, ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png)![Down Arrow icon](../../media/ITPro-EAC-DownArrowIcon.png) **2**).
+3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
+ - The outbound spam policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The outbound spam policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more outbound spam policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
-3. Click ![Up Arrow icon](../../media/ITPro-EAC-UpArrowIcon.png) or ![Down Arrow icon](../../media/ITPro-EAC-DownArrowIcon.png) to move the custom outbound spam policy up or down in the priority list.
+ Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
-## Use the Security & Compliance Center to remove outbound spam policies
+4. When you're finished, click **Close** in the policy details flyout.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Anti-spam**.
+## Use the security center to remove custom outbound spam policies
-2. On the **Anti-spam settings** page, click ![Expand icon](../../media/scc-expand-icon.png) to expand the custom policy that you want to delete (the **Type** column is **Custom outbound spam policy**).
+When you use the security center to remove a custom outbound spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default outbound spam policy.
-3. In the expanded policy details that appear, click **Delete policy**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-4. Click **Yes** in the warning dialog that appears.
+2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom outbound spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
-You can't remove the default policy.
+3. In the confirmation dialog that appears, click **Yes**.
## Use Exchange Online PowerShell or standalone EOP PowerShell to configure outbound spam policies
Creating an outbound spam policy in PowerShell is a two-step process:
1. Create the outbound spam filter policy. 2. Create the outbound spam filter rule that specifies the outbound spam filter policy that the rule applies to.
-> [!NOTE]
-> - You can create a new outbound spam filter rule and assign an existing, unassociated outbound spam filter policy to it. An outbound spam filter rule can't be associated with more than one outbound spam filter policy.
->
-> - You can configure the following settings on new outbound spam filter policies in PowerShell that aren't available in the Security & Compliance Center until after you create the policy:
->
-> - Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedOutboundSpamFilterRule** cmdlet).
-> - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedOutboundSpamFilterRule** cmdlet).
->
-> - A new outbound spam filter policy that you create in PowerShell isn't visible in the Security & Compliance Center until you assign the policy to a spam filter rule.
+ **Notes**:
+
+ - You can create a new outbound spam filter rule and assign an existing, unassociated outbound spam filter policy to it. An outbound spam filter rule can't be associated with more than one outbound spam filter policy.
+ - You can configure the following settings on new outbound spam filter policies in PowerShell that aren't available in the security center until after you create the policy:
+ - Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedOutboundSpamFilterRule** cmdlet).
+ - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedOutboundSpamFilterRule** cmdlet).
+ - A new outbound spam filter policy that you create in PowerShell isn't visible in the security center until you assign the policy to an outbound spam filter rule.
#### Step 1: Use PowerShell to create an outbound spam filter policy
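Review bot: The added priority bullet in the new **Notes** list carries over an unbalanced parenthesis from the removed text: "(_Priority_ _\<Number\>_) on the **New-HostedOutboundSpamFilterRule** cmdlet)." closes twice. Drop the first closing parenthesis so it matches the _Enabled_ bullet above it. In the new removal procedure, "**Type value**" also bolds the word "value"; the UI label is **Type**, so write "**Type** value". Finally, this **Notes** block is indented by one space while the second **Notes** block later in the same file is not, so pick one form.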
For detailed syntax and parameter information, see [Get-HostedOutboundSpamFilter
The same settings are available when you modify a malware filter policy in PowerShell as when you create the policy as described in the [Step 1: Use PowerShell to create an outbound spam filter policy](#step-1-use-powershell-to-create-an-outbound-spam-filter-policy) section earlier in this article. > [!NOTE]
-> You can't rename an outbound spam filter policy (the **Set-HostedOutboundSpamFilterPolicy** cmdlet has no _Name_ parameter). When you rename an outbound spam policy in the Security & Compliance Center, you're only renaming the outbound spam filter _rule_.
+> You can't rename an outbound spam filter policy (the **Set-HostedOutboundSpamFilterPolicy** cmdlet has no _Name_ parameter). When you rename an outbound spam policy in the security center, you're only renaming the outbound spam filter _rule_.
To modify an outbound spam filter policy, use this syntax:
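Review bot: The context sentence just above the edited note still reads "when you modify a malware filter policy in PowerShell", which is wrong for this article; it should say "outbound spam filter policy". Since this hunk already touches the paragraph, fix it in the same change. The edited note itself keeps the `> [!NOTE]` alert form, while the other notes in this file were converted to a plain **Notes** list, so the file now mixes both conventions.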
This example sets the priority of the rule named Marketing Department to 2. All
Set-HostedOutboundSpamFilterRule -Identity "Marketing Department" -Priority 2 ```
-> [!NOTE]
->
-> - To set the priority of a new rule when you create it, use the _Priority_ parameter on the **New-HostedOutboundSpamFilterRule** cmdlet instead.
->
-> - The outbound default spam filter policy doesn't have a corresponding spam filter rule, and it always has the unmodifiable priority value **Lowest**.
+**Notes**:
+
+- To set the priority of a new rule when you create it, use the _Priority_ parameter on the **New-HostedOutboundSpamFilterRule** cmdlet instead.
+- The outbound default spam filter policy doesn't have a corresponding spam filter rule, and it always has the unmodifiable priority value **Lowest**.
### Use PowerShell to remove outbound spam filter policies
For detailed syntax and parameter information, see [Remove-HostedOutboundSpamFil
[Anti-spam protection FAQ](anti-spam-protection-faq.yml)
-[Auto-forwarded messages report](mfi-auto-forwarded-messages-report.md)
+[Auto-forwarded messages report](mfi-auto-forwarded-messages-report.md)
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
To increase the effectiveness of spam filtering, you can create custom anti-spam
Creating a custom anti-spam policy in the security center creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-2. Click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Inbound** from the dropdown list.
+2. On the **Anti-spam policies** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Inbound** from the drop down list.
3. The policy wizard opens. On the **Name your policy page**, configure these settings: - **Name**: Enter a unique, descriptive name for the policy.
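Review bot: Step 2 changes "dropdown list" to "drop down list", which is neither the closed form the old line used nor the hyphenated adjective "drop-down list". Keep "dropdown" or use "drop-down", and apply the same choice to the two ASF bullets later in this file that make the same replacement.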
Creating a custom anti-spam policy in the security center creates the spam filte
<sup>\*</sup> **Contains specific languages** and **from these countries** are not part of ASF settings.
- - **Contains specific languages**: Click the box and select **On** or **Off** from the dropdown list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages will appear. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ - **Contains specific languages**: Click the box and select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages will appear. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- - **From these countries***: Click the box and select **On** or **Off** from the dropdown list. If you turn it on, a box appears. Start typing the name of a country in the box. A filtered list of supported countries will appear. When you find the country that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ - **From these countries***: Click the box and select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a country in the box. A filtered list of supported countries will appear. When you find the country that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
When you're finished, click **Next**.
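Review bot: The "**From these countries***" bullet still ends with three asterisks on both the removed and the added line, so the footnote marker is fused into the bold delimiter. The footnote line above uses `<sup>\*</sup>`; use the same marker here ("**From these countries**<sup>\*</sup>") and add it to **Contains specific languages** as well, since the footnote names both settings.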
Creating a custom anti-spam policy in the security center creates the spam filte
Back on the **Allow & block list** page, click **Next** when you're read to continue.
-8. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section.
+8. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
When you're finished, click **Create**.
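Review bot: The sentence added to step 8, "Or you can click **Back** or select the specific page in the wizard.", reads as a fragment with two stacked "or"s. Fold it into the previous sentence, for example "You can select **Edit** in each section, click **Back**, or select the specific page in the wizard to modify the settings." The context line above also has "when you're read to continue", which should be "ready".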
Creating a custom anti-spam policy in the security center creates the spam filte
## Use the security center to view anti-spam policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-2. On the **Anti-spam policy** page, look for one of the following values:
+2. On the **Anti-spam policies** page, look for one of the following values:
- The **Type** value is **Custom anti-spam policy** - The **Name** value is **Anti-spam inbound policy (Default)**
Creating a custom anti-spam policy in the security center creates the spam filte
## Use the security center to modify anti-spam policies
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
-2. On the **Anti-spam policy** page, select an anti-spam policy from the list by clicking on the name:
+2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name:
- A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**. - The default policy named **Anti-spam inbound policy (Default)**.
To enable or disable a policy, set the policy priority order, or configure the e
You can't disable the default anti-spam policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
To change the priority of a policy, you click **Increase priority** or **Decreas
- In the security center, you can only change the priority of the anti-spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules). - Anti-spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-spam policy has the priority value **Lowest**, and you can't change it.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
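Review bot: Step 2 directly below the edited navigation line still reads "select a select a policy", a duplicated phrase that this change leaves in place. Fix it here, and write "**Type** value" rather than "**Type value**" so only the column name is bold, as the view procedure earlier in this file does.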
To change the priority of a policy, you click **Increase priority** or **Decreas
When a spam filtering verdict quarantines a message, you can configure end-user spam notifications to let recipients know what happened to messages that were sent to them. For more information about these notifications, see [End-user spam notifications in EOP](use-spam-notifications-to-release-and-report-quarantined-messages.md).
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name: - A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
When a spam filtering verdict quarantines a message, you can configure end-user
4. Back on the policy details flyout, click **Close**.
-## Use the security center to remove anti-spam policies
+## Use the security center to remove custom anti-spam policies
-When you use the security center to remove an anti-spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default policy.
+When you use the security center to remove a custom anti-spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default anti-spam policy.
-1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam**.
+1. In the security center, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-spam**.
2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
Creating an anti-spam policy in PowerShell is a two-step process:
**Notes**: - You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy.- - You can configure the following settings on new spam filter policies in PowerShell that aren't available in the security center until after you create the policy:- - Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedContentFilterRule** cmdlet). - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedContentFilterRule** cmdlet).
security Enable The Report Message Add In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/enable-the-report-message-add-in.md
The Report Phishing add-in provides the option to report only phishing messages.
If you're an individual user, you can enable both the add-ins for yourself.
-f you're a global administrator or an Exchange Online administrator, and Exchange is configured to use OAuth authentication, you can enable the Report Message add-in and the Report Phishing add-in for your organization. Both add-ins are now available through [Centralized Deployment](../../admin/manage/centralized-deployment-of-add-ins.md).
+If you're a global administrator or an Exchange Online administrator, and Exchange is configured to use OAuth authentication, you can enable the Report Message add-in and the Report Phishing add-in for your organization. Both add-ins are now available through [Centralized Deployment](../../admin/manage/centralized-deployment-of-add-ins.md).
## What do you need to know before you begin? - Both the Report Message add-in and the Report Phishing add-in works with most Microsoft 365 subscriptions and the following products:- - Outlook on the web - Outlook 2013 SP1 or later - Outlook 2016 for Mac
f you're a global administrator or an Exchange Online administrator, and Exchang
- For more information on how to report a message using the Report Message feature, see [Report false positives and false negatives in Outlook](report-false-positives-and-false-negatives.md).
+> [!IMPORTANT]
+> We don't recommend the built-in reporting experience in Outlook because it can't use the [user submission policy](./user-submission.md). We recommend using the Report Message add-in or the Report Phishing add-in instead.
+ ## Get the Report Message add-in ### Get the add-in for yourself
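Review bot: The new `[!IMPORTANT]` callout links to `./user-submission.md`, while the neighbouring link in the same section uses the bare relative form (`report-false-positives-and-false-negatives.md`). Use the bare form for consistency. The callout also says the built-in reporting experience "can't use the user submission policy" without saying what the reader loses; one clause on the consequence would make the recommendation actionable.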
security External Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/external-email-forwarding.md
ms.prod: m365-security
As an admin, you might have company requirements to restrict or control automatically forwarded messages to external recipients (recipients outside of your organization). Email forwarding can be a useful, but can also pose a security risk due to the potential disclosure of information. Attackers might use this information to attack your organization or partners. - The following types of automatic forwarding are available in Microsoft 365: - Users can configure [Inbox rules](https://support.microsoft.com/office/c24f5dea-9465-4df4-ad17-a50704d66c59) to automatically forward messages to external senders (deliberately or as a result of a compromised account).- - Admins can configure [mailbox forwarding](/exchange/recipients-in-exchange-online/manage-user-mailboxes/configure-email-forwarding) (also known as _SMTP forwarding_) to automatically forward messages to external recipients. The admin can choose whether to simply forward messages, or keep copies of forwarded messages in the mailbox. You can use outbound spam filter policies to control automatic forwarding to external recipients. Three settings are available: -- **Automatic**: Automatic external forwarding is blocked. Internal automatic forwarding of messages will continue to work. This is the default setting.
+- **Automatic - System-controlled**: Automatic external forwarding is blocked. Internal automatic forwarding of messages will continue to work. This is the default setting.
- **On**: Automatic external forwarding is allowed and not restricted. - **Off**: Automatic external forwarding is disabled and will result in a non-delivery report (also known as an NDR or bounce message) to the sender.
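Review bot: The option is renamed to "**Automatic - System-controlled**", but the introductory context in the same paragraph still has two wording errors that affect how the risk reads: Inbox rules are said to forward messages "to external senders" (should be "external recipients"), and "Email forwarding can be a useful, but" has a stray article. Fix both while this list is being edited, and check that the new option name matches the label used in the outbound spam policy article it refers to.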
For instructions on how to configure these settings, see [Configure outbound spa
As an admin, you might have already configured other controls to allow or block automatic email forwarding. For example: - [Remote domains](/exchange/mail-flow-best-practices/remote-domains/remote-domains) to allow or block automatic email forwarding to some or all external domains.- - Conditions and actions in Exchange [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to detect and block automatically forwarded messages to external recipients. Remote domain settings and mail flow rules are independent of the settings in outbound spam filter policies. For example: - You allow automatic forwarding for a remote domain, but you block automatic forwarding in outbound spam filter policies. In this example, automatically forwarded messages are blocked.- - You allow automatic forwarding in outbound spam filter policies, but you use mail flow rules or remote domain settings to block automatically forwarded email. In this example, the mail flow rules or remote domain settings will block automatically forwarded messages. This feature independence allows you to (for example) allow automatic forwarding in outbound spam filter policies, but use remote domains to control the external domains that users can forward messages to.
This feature independence allows you to (for example) allow automatic forwarding
When a message is detected as automatically forwarded, and the [outbound spam filter](configure-the-outbound-spam-policy.md) policy *blocks* that activity, the message is returned to the sender in an NDR that contains the following information:
-`5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)`
+`5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)`
security Learn About Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
The rest of this article explains how to use the spoof intelligence insight in t
- You enable and disable spoof intelligence in anti-phishing policies in EOP and Microsoft Defender for Office 365. Spoof intelligence is enabled by default. For more information, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) or [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md). -- For our recommended settings for spoof intelligence, see [EOP default anti-phishing policy settings](recommended-settings-for-eop-and-office365-atp.md#eop-default-anti-phishing-policy-settings).
+- For our recommended settings for spoof intelligence, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365-atp.md#eop-anti-phishing-policy-settings).
## Open the spoof intelligence insight in the Security & Compliance Center
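Review bot: The updated link changes only the anchor and still targets `recommended-settings-for-eop-and-office365-atp.md`, whereas the links added to protect-against-threats.md in this same batch point to `recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings`, and that is also the file name in the commit list. Confirm which file name is current and use it here, otherwise the new anchor resolves only through a redirect, if at all.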
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
During and after each automated investigation, your security operations team can
AIR capabilities are included in [Microsoft Defender for Office 365](defender-for-office-365.md#microsoft-defender-for-office-365-plan-1-and-plan-2), provided your policies and alerts are configured. Need some help? Follow the guidance in [Protect against threats](protect-against-threats.md) to set up or configure the following protection settings: - [Audit logging](../../compliance/turn-audit-log-search-on-or-off.md) (should be turned on)-- [Anti-malware policies](protect-against-threats.md#part-1anti-malware-protection-in-eop)-- [Anti-phishing protection](protect-against-threats.md#part-2anti-phishing-protection)
+- [Anti-malware protection](protect-against-threats.md#part-1anti-malware-protection-in-eop)
+- [Anti-phishing protection](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection-in-eop-and-defender-for-office-365)
- [Anti-spam protection](protect-against-threats.md#part-3anti-spam-protection-in-eop) - [Safe Links and Safe Attachments](protect-against-threats.md#part-4protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365) - [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on)
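Review bot: The new anti-phishing link uses `../office-365-security/protect-against-threats.md#...` while every sibling bullet, including the anti-malware line added in the same hunk, uses `protect-against-threats.md#...`. Both files are in the same folder, so drop the `../office-365-security/` prefix to keep the list consistent.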
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
In other words, the settings of the **Strict protection** policy override the se
### Use the security center to assign preset security policies to users
-1. In the security center, go to **Email & collaboration** \> **Policies & Rules** \> **Threat Policies** \> **Preset Security Policies**.
+1. In the security center, go to **Email & collaboration** \> **Policies & Rules** \> **Threat Policies** \> **Templated policies** section \> **Preset Security Policies**.
2. Under **Standard protection** or **Strict protection**, click **Edit**.
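Review bot: The navigation path in step 1 is cased differently from the other articles in this batch: here it is "**Email & collaboration**" and "**Threat Policies**", while the anti-spam articles use "**Email & Collaboration**" and "**Threat policies**". Since the line is being edited to add the "**Templated policies** section" segment, align the casing with the UI labels at the same time.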
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
For more information about the recommended settings for anti-malware, see [EOP a
For detailed instructions for configuring anti-malware policies, see [Configure anti-malware policies in EOP](configure-anti-malware-policies.md).
-## Part 2 - Anti-phishing protection
+## Part 2 - Anti-phishing protection in EOP and Defender for Office 365
[Anti-phishing protection](anti-phishing-protection.md) is available in subscriptions that include [EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description). Advanced anti-phishing protection is available in [Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
-The following procedure describes how to configure an anti-phishing policy in Microsoft Defender for Office 365. The steps are similar for configuring an anti-phishing policy in EOP.
+For more information about the recommended settings for anti-phishing policies, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings) and [Anti-phishing policy settings in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365).
-1. In the [Security & Compliance Center](https://protection.office.com), choose **Threat management** \> **Policy** \> **Anti-phishing**.
+The following procedure describes how to configure the default anti-phishing policy. Settings that are only available in Defender for Office 365 are clearly marked.
-2. Click **Default policy**.
+1. Open <https://security.microsoft.com/antiphishing>.
-3. In the **Impersonation** section, click **Edit**, and then specify the following settings:
+2. On the **Anti-phishing** page, select the policy named **Office365 AntiPhish Default (Default)** by clicking on the name.
- - On the **Add users to protect** tab, turn *On* protection. Then add users, such as your organization's board members, your CEO, CFO, and other senior leaders. (You can type an individual email address, or click to display a list.)
+3. In the policy details flyout that appears, configure the following settings:
- - On the **Add domains to protect** tab, turn on **Automatically include the domains I own**. If you have custom domains, add them now.
+ - **Phishing threshold & protection** section: Click **Edit protection settings** and configure the following settings in the **Edit protection settings** flyout that opens:
+ - **Phishing email threshold**<sup>\*</sup>: Select **2 - Aggressive** (Standard) or **3 - More Aggressive** (Strict).
+ - **Impersonation** section<sup>\*</sup>: Configure the following values:
+ - Select **Enable users to protect**, click the **Manage (nn) sender(s)** link that appears, and then add internal and external senders to protect from impersonation, such as your organization's board members, your CEO, CFO, and other senior leaders.
+ - Select **Enable domains to protect**, and then configure the following settings that appear:
+ - Select **Include domains I own** to protect internal senders in your accepted domains (visible by clicking **View my domains**) from impersonation.
+ - To protect senders in other domains, select **Include custom domains**, click the **Manage (nn) custom domain(s)** link that appears, and then add other domains to protect from impersonation.
+ - **Add trusted senders and domains** section<sup>\*</sup>: Click **Manage (nn) trusted sender(s) and domains(s)** to configure sender and sender domain exceptions to impersonation protection if needed.
+ - Mailbox intelligence settings<sup>\*</sup>: Verify that **Enable mailbox intelligence** and **Enable intelligence for impersonation protection** are selected.
+ - **Spoof** section: Verify **Enable spoof intelligence** is selected.
- - On the **Actions** tab, select **Quarantine the message** for both the **impersonated user** and **impersonated domain** options. Also, turn on impersonation safety tips.
+ When you're finished, click **Save**.
- - On the **Mailbox intelligence** tab, make sure mailbox intelligence is turned on and turn on mailbox intelligence-based impersonation protection. In the **If email is sent by an impersonated user** list, choose **Quarantine the message**.
+ - **Actions** section: Click **Edit actions** and configure the following settings in the **Edit actions** flyout that opens:
+ - **Message actions** section: Configure the following settings:
+ - **If message is detected as an impersonated user**<sup>\*</sup>: Select **Quarantine the message**.
+ - **If message is detected as an impersonated domain**<sup>\*</sup>: Select **Quarantine the message**.
+ - **If mailbox intelligence detects an impersonated user**<sup>\*</sup>: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict).
+ - **If message is detected as spoof**: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict).
+ - **Safety tips & indicators** section: Configure the following settings:
+ - **Show user impersonation safety tip**<sup>\*</sup>: Select (turn on).
+ - **Show domain impersonation safety tip**<sup>\*</sup>: Select (turn on).
+ - **Show user impersonation unusual characters safety tip**<sup>\*</sup>: Select (turn on).
+ - **Show (?) for unauthenticated senders for spoof**: Select (turn on).
+ - **Show "via" tag**: Select (turn on) if this setting is available.
- - On the **Add trusted senders and domains** tab, specify any trusted senders or domains that you want to add.
+ When you're finished, click **Save**.
- - **Save** on the **Review your settings** tab after you've reviewed your settings.
+ <sup>\*</sup> This setting is available only in Defender for Office 365.
-4. In the **Spoof** section, click **Edit**, and then specify the following settings:
+4. Click **Save** and then click **Close**
- - On the **Spoofing filter settings** tab, make sure anti-spoofing protection is turned on.
-
- - On the **Actions** tab, choose **Quarantine the message**.
-
- - **Save** on the **Review your settings** tab after you have reviewed your changes. (If you didn't make any changes, **Cancel**.)
-
-5. Close the default policy settings page.
-
-To learn more about your anti-phishing policy options, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
+For detailed instructions for configuring anti-phishing policies, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) and [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).
## Part 3 - Anti-spam protection in EOP
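Review bot: In the rewritten step 3, the link label "**Manage (nn) trusted sender(s) and domains(s)**" has a doubled plural, "domains(s)"; it should be "domain(s)" to match "sender(s)" and "custom domain(s)" above. Step 4, "Click **Save** and then click **Close**", is missing its final period, and it follows two "When you're finished, click **Save**" lines inside step 3, so state which flyout each **Save** belongs to. The mailbox intelligence bullet is also the only setting label in the list that is not bold.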
For more information about the recommended settings for anti-spam, see [EOP anti
1. Open <https://security.microsoft.com/antispam>.
-2. On the **Anti-spam policies** page, select the policy named **Anti-spam inbound policy** from the list by clicking on the name.
-
-3. In the policy details flyout that appears, click **Edit spam threshold and properties** in the **Bulk email threshold & spam properties** section.
-
-4. In the **spam threshold and properties** flyout that appears, set the **Bulk email threshold** value to 5 (Strict) or 6 (Standard). When you're finished, click **Save**
+2. On the **Anti-spam policies** page, select the policy named **Anti-spam inbound policy (Default)** from the list by clicking on the name.
-5. Back on the policy details flyout, go to the **Allowed and blocked senders and domains** section and review or edit your allowed senders and allowed domains.
+3. In the policy details flyout that appears, do the following steps:
+ - **Bulk email threshold & spam properties** section: Click **Edit spam threshold and properties**. In the **spam threshold and properties** flyout that appears, set the **Bulk email threshold** value to 5 (Strict) or 6 (Standard). When you're finished, click **Save**.
+ - **Allowed and blocked senders and domains** section: Review or edit your allowed senders and allowed domains.
-6. When you're finished, click **Close**.
+4. When you're finished, click **Close**.
For detailed instructions for configuring anti-spam policies, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
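Review bot: The consolidated step 3 keeps "set the **Bulk email threshold** value to 5 (Strict) or 6 (Standard)", but the recommended-settings table row shown later in this batch lists 7, 6 and 4 for _BulkThreshold_, and 5 does not appear there. Reconcile the Strict value with that table before merging, since readers will copy the number from whichever page they land on.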
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
Although we empower security administrators to customize their security settings
To automatically apply the Standard or Strict settings to users, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md). > [!NOTE]
-> The junk email rule needs to be enabled on mailboxes in order for filtering to work properly. It's enabled by default, but you should check it if filtering does not seem to be working. For more information, see [Configure junk email settings on Exchange Online mailboxes in Office 365](configure-junk-email-settings-on-exo-mailboxes.md).
+> The junk email rule needs to be enabled on mailboxes in order for filtering to work properly. It's enabled by default, but you should check it if filtering does not seem to be working. For more information, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).
This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users. The tables contain the settings in the Microsoft 365 security center and PowerShell (Exchange Online PowerShell or standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).
Anti-spam, anti-malware, and anti-phishing are EOP features that can be configur
### EOP anti-spam policy settings
-To create and configure anti-spam policies, see [Configure anti-spam policies in Office 365](configure-your-spam-filter-policies.md).
+To create and configure anti-spam policies, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
<br>
To create and configure anti-spam policies, see [Configure anti-spam policies in
|**Phishing** detection action <p> _PhishSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|| |**High confidence phishing** detection action <p> _HighConfidencePhishAction_|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|| |**Bulk** detection action <p> _BulkSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`||
-|**Bulk email threshold** <p> _BulkThreshold_|7|6|4|For details, see [Bulk complaint level (BCL) in Office 365](bulk-complaint-level-values.md).|
+|**Bulk email threshold** <p> _BulkThreshold_|7|6|4|For details, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md).|
|_MarkAsSpamBulkMail_|On|On|On|This setting is only available in PowerShell.| |**Retain spam in quarantine for this many days** <p> _QuarantineRetentionPeriod_|15 days|30 days|30 days|| |**Enable spam safety tips** <p> _InlineSafetyTipsEnabled_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
To create and configure anti-spam policies, see [Configure anti-spam policies in
There are many Advanced Spam Filter (ASF) settings in anti-spam policies that are in the process of being deprecated. More information on the timelines for the depreciation of these features will be communicated outside of this article.
-We recommend that you leave the following ASF settings **Off** for both **Standard** and **Strict** levels. For more information about ASF settings, see [Advanced Spam Filter (ASF) settings in Office 365](advanced-spam-filtering-asf-options.md).
+We recommend that you leave the following ASF settings **Off** for both **Standard** and **Strict** levels. For more information about ASF settings, see [Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md).
<br>
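Review bot: The context sentence directly above the edited line says "timelines for the depreciation of these features", where "deprecation" is meant (the preceding clause already says "deprecated"). Since this hunk touches the adjacent sentence, fix the wording in the same change.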
We recommend that you leave the following ASF settings **Off** for both **Standa
||| |**Image links to remote sites** (_IncreaseScoreWithImageLinks_)|| |**Numeric IP address in URL** (_IncreaseScoreWithNumericIps_)||
-|**UL redirect to other port** (_IncreaseScoreWithRedirectToOtherPort_)||
-|**URL to .biz or .info websites** (_IncreaseScoreWithBizOrInfoUrls_)||
+|**URL redirect to other port** (_IncreaseScoreWithRedirectToOtherPort_)||
+|**Links to .biz or .info websites** (_IncreaseScoreWithBizOrInfoUrls_)||
|**Empty messages** (_MarkAsSpamEmptyMessages_)||
-|**JavaScript or VBScript in HTML** (_MarkAsSpamJavaScriptInHtml_)||
-|**Frame or IFrame tags in HTML** (_MarkAsSpamFramesInHtml_)||
-|**Object tags in HTML** (_MarkAsSpamObjectTagsInHtml_)||
|**Embed tags in HTML** (_MarkAsSpamEmbedTagsInHtml_)||
+|**JavaScript or VBScript in HTML** (_MarkAsSpamJavaScriptInHtml_)||
|**Form tags in HTML** (_MarkAsSpamFormTagsInHtml_)||
+|**Frame or iframe tags in HTML** (_MarkAsSpamFramesInHtml_)||
|**Web bugs in HTML** (_MarkAsSpamWebBugsInHtml_)||
-|**Apply sensitive word list** (_MarkAsSpamSensitiveWordList_)||
+|**Object tags in HTML** (_MarkAsSpamObjectTagsInHtml_)||
+|**Sensitive words** (_MarkAsSpamSensitiveWordList_)||
|**SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_)||
-|**Conditional Sender ID filtering: hard fail** (_MarkAsSpamFromAddressAuthFail_)||
-|**NDR backscatter** (_MarkAsSpamNdrBackscatter_)||
+|**Sender ID filtering hard fail** (_MarkAsSpamFromAddressAuthFail_)||
+|**Backscatter** (_MarkAsSpamNdrBackscatter_)||
| #### EOP outbound spam policy settings
-To create and configure outbound spam policies, see [Configure outbound spam filtering in Office 365](configure-the-outbound-spam-policy.md).
+To create and configure outbound spam policies, see [Configure outbound spam filtering in EOP](configure-the-outbound-spam-policy.md).
For more information about the default sending limits in the service, see [Sending limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-1).
For more information about the default sending limits in the service, see [Sendi
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Maximum number of recipients per user: External hourly limit** <p> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.|
-|**Maximum number of recipients per user: Internal hourly limit** <p> _RecipientLimitInternalPerHour_|0|1000|800|The default value 0 means use the service defaults.|
-|**Maximum number of recipients per user: Daily limit** <p> _RecipientLimitPerDay_|0|1000|800|The default value 0 means use the service defaults.|
-|**Action when a user exceeds the limits** <p> _ActionWhenThresholdReached_|**Restrict the user from sending mail till the following day** <p> `BlockUserForToday`|**Restrict the user from sending mail** <p> `BlockUser`|**Restrict the user from sending mail** <p> `BlockUser`||
+|**Set an external message limit** <p> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.|
+|**Set an internal message limit** <p> _RecipientLimitInternalPerHour_|0|1000|800|The default value 0 means use the service defaults.|
+|**Set a daily message limit** <p> _RecipientLimitPerDay_|0|1000|800|The default value 0 means use the service defaults.|
+|**Restriction placed on users who reach the message limit** <p> _ActionWhenThresholdReached_|**Restrict the user from sending mail until the following day** <p> `BlockUserForToday`|**Restrict the user from sending mail** <p> `BlockUser`|**Restrict the user from sending mail** <p> `BlockUser`||
+|**Automatic forwarding rules** <p> _AutoForwardingMode_|**Automatic - System-controlled** <p> `Automatic`|**Automatic - System-controlled** <p> `Automatic`|**Automatic - System-controlled** <p> `Automatic`|
| ### EOP anti-malware policy settings
-To create and configure anti-malware policies, see [Configure anti-malware policies in Office 365](configure-anti-malware-policies.md).
+To create and configure anti-malware policies, see [Configure anti-malware policies in EOP](configure-anti-malware-policies.md).
<br>
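Review bot: The added **Automatic forwarding rules** row (_AutoForwardingMode_) ends with a single `|` after the Strict value, so it carries four cells where the header declares five (Security feature name, Default, Standard, Strict, Comment) and every neighbouring row ends with `||`. Add the empty Comment cell so the row matches the rest of the table.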
To create and configure anti-malware policies, see [Configure anti-malware polic
|**Notify external senders when messages are quarantined as malware** <p> _EnableExternalSenderNotifications_|Disabled <p> `$false`|Disabled <p> `$false`|Disabled <p> `$false`|| |
-### EOP default anti-phishing policy settings
+### EOP anti-phishing policy settings
For more information about these settings, see [Spoof settings](set-up-anti-phishing-policies.md#spoof-settings). To configure these settings, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
For more information about these settings, see [Spoof settings](set-up-anti-phis
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Enable anti-spoofing protection** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
-|**Enable Unauthenticated Sender** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).|
-|**If email is sent by someone who's not allowed to spoof your domain** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
+|**Enable spoof intelligence** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
+|**If email is detected as spoof** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
+|**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).|
+|**Show "via" tag** <p> _EnableViaTag_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> If this setting isn't available to you, the question mark **and** the via tag are both controlled by the **Show (?) for unauthenticated senders for spoof** setting in your organization.|
| ## Microsoft Defender for Office 365 security
For more information about these settings, see [Impersonation settings in anti-p
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|Protected users: **Add users to protect** <p> _EnableTargetedUserProtection_ <p> _TargetedUsersToProtect_|Off <p> `$false` <p> none|On <p> `$true` <p> \<list of users\>|On <p> `$true` <p> \<list of users\>|Depending on your organization, we recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|
-|Protected domains: **Automatically include the domains I own** <p> _EnableOrganizationDomainsProtection_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
+|Protected users (senders): **Enable users to protect** <p> _EnableTargetedUserProtection_ <p> _TargetedUsersToProtect_|Off <p> `$false` <p> none|On <p> `$true` <p> \<list of users\>|On <p> `$true` <p> \<list of users\>|Depending on your organization, we recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|
+|Protected users: **If message is detected as an impersonated user** <p> _TargetedUserProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`||
+|Protected domains: **Include domains I own** <p> _EnableOrganizationDomainsProtection_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
|Protected domains: **Include custom domains** <p> _EnableTargetedDomainsProtection_ <p> _TargetedDomainsToProtect_|Off <p> `$false` <p> none|On <p> `$true` <p> \<list of domains\>|On <p> `$true` <p> \<list of domains\>|Depending on your organization, we recommend adding domains (sender domains) that you don't own, but you frequently interact with.|
-|Protected users: **If email is sent by an impersonated user** <p> _TargetedUserProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`||
-|Protected domains: **If email is sent by an impersonated domain** <p> _TargetedDomainProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`||
-|**Show tip for impersonated users** <p> _EnableSimilarUsersSafetyTips_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Show tip for impersonated domains** <p> _EnableSimilarDomainsSafetyTips_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Show tip for unusual characters** <p> _EnableUnusualCharactersSafetyTips_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**Enable Mailbox intelligence?** <p> _EnableMailboxIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
-|**Enable Mailbox intelligence based impersonation protection?** <p> _EnableMailboxIntelligenceProtection_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
-|**If email is sent by an impersonated user protected by mailbox intelligence** <p> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <p> `NoAction`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`||
-|**Trusted senders** <p> _ExcludedSenders_|None|None|None|Depending on your organization, we recommend adding users that incorrectly get marked as phishing due to impersonation only and not other filters.|
-|**Trusted domains** <p> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding domains that incorrectly get marked as phishing due to impersonation only and not other filters.|
+|Protected domains: **If message is detected as an impersonated domain** <p> _TargetedDomainProtectionAction_|**Don't apply any action** <p> `NoAction`|**Quarantine the message** <p> `Quarantine`|**Quarantine the message** <p> `Quarantine`||
+|**Add trusted senders and domains** <p> _ExcludedSenders_ <p> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|
+|**Enable mailbox intelligence** <p> _EnableMailboxIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
+|**Enable intelligence for impersonation protection** <p> _EnableMailboxIntelligenceProtection_|Off <p> `$false`|On <p> `$true`|On <p> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|
+|**If mailbox intelligence detects and impersonated user** <p> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <p> `NoAction`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`||
+|**Show user impersonation safety tip** <p> _EnableSimilarUsersSafetyTips_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
+|**Show domain impersonation safety tip** <p> _EnableSimilarDomainsSafetyTips_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
+|**Show user impersonation unusual characters safety tip** <p> _EnableUnusualCharactersSafetyTips_|Off <p> `$false`|On <p> `$true`|On <p> `$true`||
| #### Spoof settings in anti-phishing policies in Microsoft Defender for Office 365
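Review bot: The added _MailboxIntelligenceProtectionAction_ row is labelled **If mailbox intelligence detects and impersonated user**, where "and" should be "an". Also note that the old **Trusted senders** and **Trusted domains** rows are merged into a single **Add trusted senders and domains** row, so any inbound links or text that refer to the two settings separately need a check.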
Note that these are the same settings that are available in [anti-spam policy se
**** |Security feature name|Default|Standard|Strict|Comment|
-||||||
-|**Enable anti-spoofing protection** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
-|**Enable Unauthenticated Sender** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).|
-|**If email is sent by someone who's not allowed to spoof your domain** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
+||::|::|::||
+|**Enable spoof intelligence** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
+|**If email is detected as spoof** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md).|
+|**Show (?) for unauthenticated senders for spoof** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).|
+|**Show "via" tag** <p> _EnableViaTag_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <p> If this setting isn't available to you, the question mark **and** the via tag are both controlled by the **Show (?) for unauthenticated senders for spoof** setting in your organization.|
| #### Advanced settings in anti-phishing policies in Microsoft Defender for Office 365
For more information about this setting, see [Advanced phishing thresholds in an
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Advanced phishing thresholds** <p> _PhishThresholdLevel_|**1 - Standard** <p> `1`|**2 - Aggressive** <p> `2`|**3 - More aggressive** <p> `3`||
+|**Phishing email threshold** <p> _PhishThresholdLevel_|**1 - Standard** <p> `1`|**2 - Aggressive** <p> `2`|**3 - More aggressive** <p> `3`||
| ### Safe Links settings
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/se
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Use Safe Links in: Office 365 applications** <p> _EnableSafeLinksForO365Clients_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).|
-|**Do not track when users click Safe Links** <p> _TrackClicks_|On <p> `$false`|Off <p> `$true`|Off <p> `$true`|Turning off this setting (setting _TrackClicks_ to `$true`) tracks user clicks in supported Office 365 apps.|
-|**Do not let users click through Safe Links to original URL** <p> _AllowClickThrough_|On <p> `$false`|On <p> `$false`|On <p> `$false`|Turning on this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL in supported Office 365 apps.|
+|**Use Safe Links in: Office 365 apps** <p> _EnableSafeLinksForO365Clients_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).|
+|**Do not track when users click protected links in Office 365 apps** <p> _TrackClicks_|On <p> `$false`|Off <p> `$true`|Off <p> `$true`|Turning off this setting (setting _TrackClicks_ to `$true`) tracks user clicks in supported Office 365 apps.|
+|**Do not let users click through to the original URL in Office 365 apps** <p> _AllowClickThrough_|On <p> `$false`|On <p> `$false`|On <p> `$false`|Turning on this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL in supported Office 365 apps.|
| #### Safe Links policy settings
security Recover From Ransomware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recover-from-ransomware.md
Scam reporting websites provide information about how to prevent and avoid scams
- New Zealand: [Consumer Affairs Scams](http://www.consumeraffairs.govt.nz/scams)
+- Switzerland [Nationales Zentrum f├╝r Cybersicherheit NCSC](https://www.ncsc.admin.ch/ncsc/de/home.html)
+ - United Kingdom: [Action Fraud](http://www.actionfraud.police.uk/) - United States: [On Guard Online](http://www.onguardonline.gov/)
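Review bot: The added Switzerland entry has no colon after the country name (`Switzerland [Nationales Zentrum ...`), while the surrounding entries use `New Zealand:`, `United Kingdom:` and `United States:`. Add the colon so the list stays consistent.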
You can report phishing messages that contain ransomware by using one of several
- [The three heads of the Cerberus-like Cerber ransomware](https://www.microsoft.com/security/blog/2016/03/09/the-three-heads-of-the-cerberus-like-cerber-ransomware/) -- [Troldesh ransomware influenced by (the) Da Vinci code](https://www.microsoft.com/security/blog/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/)
+- [Troldesh ransomware influenced by (the) Da Vinci code](https://www.microsoft.com/security/blog/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/)
security Report False Positives And False Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-false-positives-and-false-negatives.md
audience: Admin - localization_priority: Normal - M365-security-compliance
In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises
- For the best user submission experience, use the Report Message add-in or the Report Phishing add-in. -- Note that this add-in works for Outlook in all platformsΓÇöon the web, iOS, Android, and Desktop.
+ > [!IMPORTANT]
+ > The built-in experience for reporting junk or phishing in Outlook can't use the [user submission policy](./user-submission.md). We recommend using the Report Message add-in or the Report Phishing add-in instead.
+
+- The the Report Message add-in and the Report Phishing add-in work for Outlook in all platforms (Outlook on the web, iOS, Android, and Desktop).
- If you're an admin in an organization with Exchange Online mailboxes, use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
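Review bot: The added bullet starts with a doubled article, "The the Report Message add-in and the Report Phishing add-in work for Outlook ...". Drop one "the".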
In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises
For messages in the Inbox or any other email folder except Junk Email, use the following method to report spam and phishing messages:
-1. Click the **More actions** ellipses on the top-right corner of the selected message, click **Report message** from the dropdown menu, and then select **Junk** or **Phishing**.
+1. Select the **More actions** ellipses on the top-right corner of the selected message, select **Report message** from the dropdown menu, and then select **Junk** or **Phishing**.
- > [!div class="mx-imgBorder"]
- > ![Report Message - More actions](../../media/report-message-more-actions.png)
-
- > [!div class="mx-imgBorder"]
- > ![Report Message - Junk and Phishing](../../media/report-message-junk-phishing.png)
+ ![Report Message - More actions](../../media/report-message-more-actions.png)
+
+ ![Report Message - Junk and Phishing](../../media/report-message-junk-phishing.png)
2. The selected messages will be sent to Microsoft for analysis and:-
- - Moved to the Junk Email folder if it was reported as spam.
-
- - Deleted if it was reported as phishing.
+ - Moved to the Junk Email folder if they were reported as spam.
+ - Deleted if they were reported as phishing.
### Report messages that are not junk
-1. Click the **More actions** ellipses on the top-right corner of the selected message, click **Report message** from the dropdown menu, and then click **Not Junk**.
-
- > [!div class="mx-imgBorder"]
- > ![Report Message - More actions](../../media/report-message-more-actions.png)
+1. Select the **More actions** ellipses on the top-right corner of the selected message, select **Report message** from the dropdown menu, and then select **Not Junk**.
- > [!div class="mx-imgBorder"]
- > ![Report Message - Not junk](../../media/report-message-not-junk.png)
+ ![Report Message - More actions](../../media/report-message-more-actions.png)
+
+ ![Report Message - Not junk](../../media/report-message-not-junk.png)
2. The selected message will be sent to Microsoft for analysis and moved to Inbox or any other specified folder.
For messages in the Inbox or any other email folder except Junk Email, use the f
To review messages that users report to Microsoft, you have these options: - Use the Admin Submissions portal. For more information, see [View user submissions to Microsoft](admin-submission.md#view-user-submissions-to-microsoft).- - Create a mail flow rule (also known as a transport rule) to send copies of reported messages. For instructions, see [Use mail flow rules to see what users are reporting to Microsoft](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-see-what-users-are-reporting-to-microsoft).
security Report Junk Email And Phishing Scams In Outlook On The Web Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md
In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises
## What do you need to know before you begin? -- For the best user submission experience we recommend using the Report Message and the Report Phishing add-ins. See [Enable the Report Message add-in](./enable-the-report-message-add-in.md) and [Enable the Report Phishing add-in](./enable-the-report-phish-add-in.md) for more information.
+> [!IMPORTANT]
+> We recommend the Report Message add-in or the Report Phishing add-in for user submissions. For more information, see [Enable the Report Message or the Report Phishing add-ins](./enable-the-report-message-add-in.md). We don't recommend the built-in reporting experience in Outlook because it can't use the [user submission policy](./user-submission.md).
- If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
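Review bot: The new IMPORTANT note links only to enable-the-report-message-add-in.md under the text "Enable the Report Message or the Report Phishing add-ins", while the removed bullet also linked to enable-the-report-phish-add-in.md. Keep a link to that article, or confirm that the remaining target covers both add-ins.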
To verify that you've successfully enabled or disabled junk email reporting in O
1. Click **Settings** ![Outlook on the web settings icon](../../media/owa-settings-icon.png) \> **View all Outlook settings** \> **Junk email**. 2. In the **Reporting** section, verify the value: **Ask me before sending a report**.
- ![Outlook on the web Junk Email Reporting settings](../../media/owa-junk-email-reporting-options.png)
+ ![Outlook on the web Junk Email Reporting settings](../../media/owa-junk-email-reporting-options.png)
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
The following Safe Links settings are available for Office 365 apps:
- **Do not let users click through safe links to original URL**: Allows or blocks users from clicking through the [warning page](#warning-pages-from-safe-links) to the original URL in in the desktop versions Word, Excel, PowerPoint, and Visio. The default and recommended value is **On**.
-To configure the Safe Links settings for Office 365 apps, see [Configure Safe Links protection for Office 365 apps](configure-global-settings-for-safe-links.md#configure-safe-links-protection-for-office-365-apps-in-the-security--compliance-center).
+To configure the Safe Links settings for Office 365 apps, see [Configure Safe Links protection for Office 365 apps](configure-global-settings-for-safe-links.md#configure-safe-links-protection-for-office-365-apps-in-the-security-center).
For more information about the recommended values for Standard and Strict policy settings, see [Global settings for Safe Links](recommended-settings-for-eop-and-office365.md#global-settings-for-safe-links).
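Review bot: The link fragment changes from `...-in-the-security--compliance-center` to `...-in-the-security-center`, but nothing in the visible lines shows the matching heading rename in configure-global-settings-for-safe-links.md. Confirm that heading changed in the same commit, otherwise the link lands at the top of the page. The context line above also reads "in in the desktop versions Word", which is worth fixing while this section is open.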
The **Block the following URLs** list defines the links that are always blocked
When a user in an active Safe Links policy clicks a blocked link in a supported app, they're taken to the [Blocked URL warning](#blocked-url-warning) page.
-You configure the list of URLs in the global settings for Safe Links. For instructions, see [Configure the "Block the following URLs" list](configure-global-settings-for-safe-links.md#configure-the-block-the-following-urls-list-in-the-security--compliance-center).
+You configure the list of URLs in the global settings for Safe Links. For instructions, see [Configure the "Block the following URLs" list](configure-global-settings-for-safe-links.md#configure-the-block-the-following-urls-list-in-the-security-center).
**Notes**:
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
Unauthenticated sender settings are part of the [Spoof settings](#spoof-settings
- **Enable "via" tag?**<sup>\*</sup>: When this setting is turned on, the via tag (chris@contoso.com <u>via</u> fabrikam.com) is added in the From box if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the **MAIL FROM** address. For more information about these addresses, see [An overview of email message standards](how-office-365-validates-the-from-address.md#an-overview-of-email-message-standards). > [!NOTE]
-> Currently, the **Enable "via" tag?** setting is not available in all organizations. If you don't have the **Enable "via" tag?** setting, the the question mark **and** the via tag are both controlled by the **Enable unauthenticated sender question mark (?) symbol?** setting in your organization.
+> Currently, the **Enable "via" tag?** setting is not available in all organizations. If you don't have the **Enable "via" tag?** setting, the question mark **and** the via tag are both controlled by the **Enable unauthenticated sender question mark (?) symbol?** setting in your organization.
To prevent the question mark or via tag from being added to messages from specific senders, you have the following options:
security User Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags.md
To see how user tags are part of the strategy to help protect high-impact user a
For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
- **Notes**:
-
- - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
- - User tag management is controlled by the **Tag Reader** and **Tag Manager** roles.
+ > [!NOTE]
+ >
+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ >
+ > - User tag management is controlled by the **Tag Reader** and **Tag Manager** roles.
- You can also manage and monitor priority accounts in the Microsoft 365 admin center. For instructions, see [Manage and monitor priority accounts](../../admin/setup/priority-accounts.md).
To see how user tags are part of the strategy to help protect high-impact user a
## Use the Security & Compliance Center to remove user tags
-**Note**: You can't remove the built-in **Priority account** tag.
+> [!NOTE]
+> You can't remove the built-in **Priority account** tag.
1. In the Security & Compliance Center, go to **Threat management** \> **User tags**.
security Walkthrough Spoof Intelligence Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md
You can manage spoof intelligence in the Security & Compliance Center, or in Pow
- [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md). - [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md). -- For our recommended settings for spoof intelligence, see [EOP default anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-default-anti-phishing-policy-settings).
+- For our recommended settings for spoof intelligence, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).
## Manage spoofed senders
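Review bot: The fragment in the added link (`#eop-anti-phishing-policy-settings`) only resolves if the matching heading in recommended-settings-for-eop-and-office365.md was renamed in the same change. That file is not part of this hunk, so confirm the heading text matches; otherwise the link opens the article without jumping to the section.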
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
> [!TIP] > Don't have Microsoft Defender for Office 365 yet? [Contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html).
+## April/May 2021
+
+- [Email entity page](mdo-email-entity-page.md): A unified 360-degree view of an email with enriched information around threats, authentication and detections, detonation details, and a brand-new email preview experience.
+- [Office 365 Management API](/office/office-365-management-api/office-365-management-activity-api-schema#email-message-events): Updates to EmailEvents (RecordType 28) to add delivery action, original and latest delivery locations, and updated detection details.
+- [Threat Analytics for Defender for Office 365](/microsoft-365/security/defender/threat-analytics): View active threat actors, popular techniques and attack surfaces, along with extensive reporting from Microsoft researchers around ongoing campaigns.
+ ## February/March 2021 - Alert ID integration (search using Alert ID and Alert-Explorer navigation) in [hunting experiences](threat-explorer.md)
solutions Configure Teams Highly Sensitive Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-highly-sensitive-protection.md
The highly sensitive tier offers the following additional protections over the b
- Only team owners can create private channels. - Access requests for the associated SharePoint site are turned off.
+## Video demonstration
+
+Watch this video for a walkthrough of the procedures described in this article.
+<br>
+<br>
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4NzI7]
+ ## Guest sharing Depending on the nature of your business, you may or may not want to enable guest sharing for teams that contain highly sensitive data. If you do plan to collaborate with people outside your organization in the team, we recommend enabling guest sharing. Microsoft 365 includes a variety of security and compliance features to help you share sensitive content securely. This is generally a more secure option than emailing content directly to people outside your organization.
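Review bot: The two `<br>` lines between the sentence and the `[!VIDEO]` embed are raw HTML used only for vertical spacing; a single blank line before the embed would keep presentational tags out of the Markdown. The identical block is added to configure-teams-sensitive-protection.md in this batch, so any change should be made in both places.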
solutions Configure Teams Sensitive Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-sensitive-protection.md
In this article, we look at setting up a team for a sensitive level of protectio
- A more restrictive default sharing link type - Only team owners can create private channels.
+## Video demonstration
+
+Watch this video for a walkthrough of the procedures described in this article.
+<br>
+<br>
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4NMS6]
+ ## Guest sharing Depending on the nature of your business, you may or may not want to enable guest sharing for teams that contain sensitive data. If you do plan to collaborate with people outside your organization in the team, we recommend enabling guest sharing. Microsoft 365 includes a variety of security and compliance features to help you share sensitive content securely. This is generally a more secure option than emailing content directly to people outside your organization.
solutions Contoso Case Study Solutions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/contoso-case-study-solutions.md
First, learn about the [Contoso Corporation](../enterprise/contoso-overview.md),
Next, see how Contoso used Microsoft 365 for these solutions and scenarios: -- [COVID-19 response and infrastructure for remote and onsite work](contoso-remote-onsite-work.md)
+- [COVID-19 response and infrastructure for hybrid work](contoso-remote-onsite-work.md)
- [An isolated team for a top-secret project](contoso-team-for-top-secret-project.md)
solutions Contoso Remote Onsite Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/contoso-remote-onsite-work.md
Title: "Contoso's COVID-19 response and support for remote and onsite work"
+ Title: "Contoso's COVID-19 response and support for hybrid work"
f1.keywords: - NOCSH
- Strat_O365_Enterprise
-description: Understand how the Contoso Corporation responded to the COVID-19 pandemic and engineered their software install and update infrastructure for remote and onsite work.
+description: Understand how the Contoso Corporation responded to the COVID-19 pandemic and engineered their software install and update infrastructure for hybrid work.
-# Contoso's COVID-19 response and support for remote and onsite work
+# Contoso's COVID-19 response and support for hybrid work
Contoso had always supported its remote workers, who accessed on-premises resources through a central VPN server in the Paris headquarters. Contoso had issued all remote workers a managed laptop. On-premises workers had a mixture of desktop computers and laptops.
Here is the resulting configuration with VPN devices installed in the Paris head
A remote worker with the installed VPN client uses DNS to find the regionally closest office and connects to the VPN device installed there. With split tunneling, traffic to Microsoft 365 Optimize endpoints gets sent directly to the regionally closest Microsoft 365 network location. All other traffic gets sent over the VPN connection to the VPN device.
-## ContosoΓÇÖs support for remote and onsite work
+## ContosoΓÇÖs support for hybrid work
-After the initial changes were made to support mostly remote workers during regional lockdowns, Contoso made infrastructure changes to support remote and onsite work in which a worker could be:
+After the initial changes were made to support mostly remote workers during regional lockdowns, Contoso made infrastructure changes to support hybrid work in which a worker could be:
- Always remote. - Always onsite.
For a new remote device issued to a new worker, when the worker signs in, the de
## Next step
-[Set up your infrastructure for remote work](empower-people-to-work-remotely.md) in your organization.
+[Set up your infrastructure for hybrid work](empower-people-to-work-remotely.md) in your organization.
solutions Empower People To Work Remotely Manage Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely-manage-endpoints.md
description: Use Microsoft Endpoint Manager to manage your manage devices, PCs,
# Step 4. Deploy endpoint management for your devices, PCs, and other endpoints
-With remote workers, you need to support a growing number of personal devices. Endpoint management is a policy-based approach to security that requires devices to comply with specific criteria before they are granted access to resources. Microsoft Endpoint Manager delivers modern management capabilities to keep your data secure in the cloud and on-premises.
+With hybrid workers, you need to support a growing number of personal devices. Endpoint management is a policy-based approach to security that requires devices to comply with specific criteria before they are granted access to resources. Microsoft Endpoint Manager delivers modern management capabilities to keep your data secure in the cloud and on-premises.
[Microsoft Endpoint Manager](/mem/endpoint-manager-overview) provides services and tools for managing mobile devices, desktop computers, virtual machines, embedded devices, and servers by combining the following services you may already know and be using.
Microsoft Intune is a cloud-based service that focuses on mobile device manageme
- **MDM:** For organization-owned devices, you can exercise full control including settings, features, and security. Devices are "enrolled" in Intune where they receive Intune policies with rules and settings. For example, you can set password and PIN requirements, create a VPN connection, set up threat protection, and more. -- **MAM:** Remote workers might not want you to have full control on their personal devices, also known as bring-your-own device (BYOD) devices. You can give your remote workers options and still protect your organization. For example, remote workers can enroll their devices if they want full access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then use app protection policies that require multi-factor authentication (MFA) to use these apps.
+- **MAM:** Remote workers might not want you to have full control on their personal devices, also known as bring-your-own device (BYOD) devices. You can give your hybrid workers options and still protect your organization. For example, hybrid workers can enroll their devices if they want full access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then use app protection policies that require multi-factor authentication (MFA) to use these apps.
For more information, see this [overview of Microsoft Intune](/intune/fundamentals/what-is-intune).
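Review bot: The rewritten **MAM** bullet still opens with "Remote workers might not want you to have full control" while the next two sentences were changed to "hybrid workers", so one bullet now uses two terms for the same people. Either change the opening sentence as well, or keep "remote workers" throughout the bullet if the BYOD point is meant to apply only to people working off-site.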
You are using the suite of Endpoint Manager features and capabilities to manage
[![Step 5: Deploy remote worker productivity apps and services](../medi)
-Continue with [Step 5](empower-people-to-work-remotely-teams-productivity-apps.md) to get your remote workers using Microsoft 365 productivity apps such as Microsoft Teams.
+Continue with [Step 5](empower-people-to-work-remotely-teams-productivity-apps.md) to get your hybrid workers using Microsoft 365 productivity apps such as Microsoft Teams.
solutions Empower People To Work Remotely Secure Sign In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely-secure-sign-in.md
Title: "Step 1. Increase sign-in security for remote workers with MFA"
+ Title: "Step 1. Increase sign-in security for hybrid workers with MFA"
f1.keywords: - NOCSH
- m365solution-remotework - m365solution-scenario
-description: Require that your remote workers sign in with multi-factor authentication (MFA).
+description: Require that your hybrid workers sign in with multi-factor authentication (MFA).
-# Step 1. Increase sign-in security for remote workers with MFA
+# Step 1. Increase sign-in security for hybrid workers with MFA
-To increase the security of sign-ins of your remote workers, use multi-factor authentication (MFA). MFA requires that user sign-ins be subject to an additional verification beyond the user account password. Even if a malicious user determines a user account password, they must also be able to respond to an additional verification, such as a text message sent to a smartphone before access is granted.
+To increase the security of sign-ins of your hybrid workers, use multi-factor authentication (MFA). MFA requires that user sign-ins be subject to an additional verification beyond the user account password. Even if a malicious user determines a user account password, they must also be able to respond to an additional verification, such as a text message sent to a smartphone before access is granted.
![The correct password plus an additional verification results in a successful sign-in](../media/empower-people-to-work-remotely/remote-workers-mfa.png)
-For all users, including remote workers and especially admins, Microsoft strongly recommends MFA.
+For all users, including hybrid workers and especially admins, Microsoft strongly recommends MFA.
There are three ways to require your users to use MFA based on your Microsoft 365 plan.
Self-Service Password Reset (SSPR) enables users to reset their own passwords wi
## Sign in to SaaS apps with Azure AD
-In addition to providing cloud authentication for users, Azure AD can also be your central way to secure all your apps, whether theyΓÇÖre on-premises, in MicrosoftΓÇÖs cloud, or in another cloud. By [integrating your apps into Azure AD](/azure/active-directory/manage-apps/plan-an-application-integration), you can make it easy for remote workers to discover the applications they need and sign into them securely.
+In addition to providing cloud authentication for users, Azure AD can also be your central way to secure all your apps, whether theyΓÇÖre on-premises, in MicrosoftΓÇÖs cloud, or in another cloud. By [integrating your apps into Azure AD](/azure/active-directory/manage-apps/plan-an-application-integration), you can make it easy for hybrid workers to discover the applications they need and sign into them securely.
## Admin technical resources for MFA and identity
solutions Empower People To Work Remotely Security Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely-security-compliance.md
Title: "Step 3: Deploy security and compliance for remote workers"
+ Title: "Step 3: Deploy security and compliance for hybrid workers"
f1.keywords: - NOCSH
- m365solution-remotework - m365solution-scenario
-description: Use Microsoft 365 security and compliance services to protect your apps, data, and devices for remote workers.
+description: Use Microsoft 365 security and compliance services to protect your apps, data, and devices for hybrid workers.
-# Step 3: Deploy security and compliance for remote workers
+# Step 3: Deploy security and compliance for hybrid workers
-For remote workers, some of whom never go into the office or who go infrequently, security and compliance are an important part of the overall solution. All of their communications occur over the Internet instead of being confined to an organizational intranet.
+For hybrid workers, some of whom never go into the office or who go infrequently, security and compliance are an important part of the overall solution. All of their communications occur over the Internet instead of being confined to an organizational intranet.
There are things you and your workers can do to remain productive while decreasing cybersecurity risk and maintaining compliance with your internal policies and data regulations. Remote work needs these elements of security and compliance: -- Controlled access to the productivity apps that remote workers use, such as Microsoft Teams -- Controlled access to and protection of the data that remote workers create and use, such as chat conversations or shared files
+- Controlled access to the productivity apps that hybrid workers use, such as Microsoft Teams
+- Controlled access to and protection of the data that hybrid workers create and use, such as chat conversations or shared files
- Protection of Windows 10 devices from malware and other types of cyberattacks - Protection of email, files, and site with consistent labeling for levels of sensitivity and protection - Prevention of leaked information - Adherence to regional data regulations
-Here are the features of Microsoft 365 that provide security and compliance services for remote workers.
+Here are the features of Microsoft 365 that provide security and compliance services for hybrid workers.
![Use these Microsoft 365 services to stay secure and compliant](../media/empower-people-to-work-remotely/remote-workers-security-compliance-grid.png)
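Review bot: The unchanged lead-in "Remote work needs these elements of security and compliance:" now introduces bullets that were changed to "hybrid workers", under a title that was changed the same way. Suggest updating the lead-in to match (for example "Hybrid work needs these elements ...") so the list and its introduction agree.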
Protect your applications and data with these security features of Microsoft 365
| Azure AD Identity Protection | Automate detection and remediation of identity-based risks. <br><br>Create risk-based Conditional Access policies to require multi-factor authentication (MFA) for risky sign-ins. | Microsoft 365 E5 or E3 with Azure AD Premium P2 licenses | ||||
+You first step should be to learn about and use [Microsoft Secure Score ](/microsoft-365/security/defender/microsoft-secure-score).
+ See [Top 12 tasks for security teams to support working from home](../security/top-security-tasks-for-remote-work.md) for more information.
+For information about security across Microsoft 365, see [Microsoft 365 security documentation](/microsoft-365/security).
+ ## Compliance Comply with internal policies or regulatory requirements with these compliance features of Microsoft 365.
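Review bot: The first added sentence has a typo: "You first step" should read "Your first step". The link text "Microsoft Secure Score " also carries a trailing space inside the brackets, which should be removed.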
See [Quick tasks for getting started with Microsoft 365 compliance](../complianc
## Results of Step 3
-For your remote workers, you have implemented:
+For your hybrid workers, you have implemented:
- Security
- - Controlled access to apps and data that remote workers use to communicate and collaborate
+ - Controlled access to apps and data that hybrid workers use to communicate and collaborate
- Malware protection for cloud service data, email, and Windows 10 devices - Compliance - Consistent labeling for levels of sensitivity and protection
solutions Empower People To Work Remotely Teams Productivity Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely-teams-productivity-apps.md
Title: "Step 5. Deploy remote worker productivity apps and services"
+ Title: "Step 5. Deploy hybrid worker productivity apps and services"
f1.keywords: - NOCSH
description: Enable your users to be productive with Teams, Exchange, SharePoint, and other Microsoft 365 services.
-# Step 5. Deploy remote worker productivity apps and services
+# Step 5. Deploy hybrid worker productivity apps and services
To be productive, people need to communicate and collaborate with one another. They need to meet, chat by voice and text, create new content and share information and files, exchange email, and manage calendars and tasks. Microsoft 365 provides cloud-based services for all of these key functions:
To be productive, people need to communicate and collaborate with one another. T
## Keep people connected with Microsoft Teams
-Teams allows you to chat, meet, call, and collaborate all in one place. Millions of people get their work done in Teams every day because it brings together everything you need to work remotely into a hub for teamwork.
+Teams allows you to chat, meet, call, and collaborate all in one place. Millions of people get their work done in Teams every day because it brings together everything you need to work on-site or remotely into a hub for teamwork.
For detailed guidance, see [Support remote workers using Microsoft Teams](/microsoftteams/support-remote-work-with-teams).
-Watch the [Enabling hybrid work with Microsoft Teams webcasts](https://resources.techcommunity.microsoft.com/enabling-hybrid-work/) for guidance and demos on using Teams for remote work.
+Watch the [Enabling hybrid work with Microsoft Teams webcasts](https://resources.techcommunity.microsoft.com/enabling-hybrid-work/) for guidance and demos on using Teams for hybrid work.
### Chat and conversations
Chat and threaded conversations are at the center of Teams with support for indi
### Meetings and conferencing
-Teams can certainly help maintain communications and information sharing with remote workers, especially with meetings that support up to 250 people. Teams meetings enable interactive, collaborative meetings with people inside and outside your organization. Remote workers can use Teams meetings for day-to-day activities including recurring project checkpoints, catching-up with colleagues, brainstorming sessions, and facilitating conversations with customers.
+Teams can certainly help maintain communications and information sharing with hybrid workers, especially with meetings that support up to 250 people. Teams meetings enable interactive, collaborative meetings with people inside and outside your organization. Remote workers can use Teams meetings for day-to-day activities including recurring project checkpoints, catching-up with colleagues, brainstorming sessions, and facilitating conversations with customers.
### Calling
-Teams supports direct VoIP calling between users and even other organizations using federation. It uses the same codecs as meetings and provide great audio world-wide without additional PSTN charges. However, some users may need a dedicated phone number to take external calls when working remotely. Teams can quickly provide cloud phone service for these users to make and receive phone calls.
+Teams supports direct VoIP calling between users and even other organizations using federation. It uses the same codecs as meetings and provide great audio world-wide without additional PSTN charges. However, some users may need a dedicated phone number to take external calls when working on-site or remotely. Teams can quickly provide cloud phone service for these users to make and receive phone calls.
### Apps and workflows Teams provides a platform for apps and workflows that can be accessed from the desktop, web, and mobile versions of Teams. Teams provides hundreds of apps published by Microsoft and by third parties to engage users, support productivity, and integrate commonly used business services into Teams. Users and Admins can also create custom apps and automated workflows for Teams using the low-code Power Apps and Power Automate development tools.
-Apps and workflows let remote workers be more productive in Teams, by collecting and sharing critical information, automating repetitive tasks, and allowing them to chat with interactive bot. Pinning apps to a channel or the Teams app bar is a great way for users to make these apps easily accessible in a relevant space, and admins can pin apps to drive awareness and adoption of the apps that everyone should be using.
+Apps and workflows let hybrid workers be more productive in Teams, by collecting and sharing critical information, automating repetitive tasks, and allowing them to chat with interactive bot. Pinning apps to a channel or the Teams app bar is a great way for users to make these apps easily accessible in a relevant space, and admins can pin apps to drive awareness and adoption of the apps that everyone should be using.
## Exchange email and manage calendars, contacts, and tasks with Exchange Online and Outlook
-With Outlook, remote workers can stay connected and organized with email, calendars, contacts, tasks, and moreΓÇötogether in one place. Outlook helps you stay on track and prioritize your day based on whatΓÇÖs relevant to you. Outlook enables you to share attachments right from OneDrive, plan and join Teams meetings, view and share calendars, and provide delegate permissions to others. Knowing whatΓÇÖs coming up next across both work and personal commitments and what needs attention can help remote workers focus on what matters. Outlook provides helpful ways for remote workers to manage their time and to find what they need easily, including files, people in the organization, and more.
+With Outlook, hybrid workers can stay connected and organized with email, calendars, contacts, tasks, and moreΓÇötogether in one place. Outlook helps you stay on track and prioritize your day based on whatΓÇÖs relevant to you. Outlook enables you to share attachments right from OneDrive, plan and join Teams meetings, view and share calendars, and provide delegate permissions to others. Knowing whatΓÇÖs coming up next across both work and personal commitments and what needs attention can help hybrid workers focus on what matters. Outlook provides helpful ways for hybrid workers to manage their time and to find what they need easily, including files, people in the organization, and more.
See [this article](../security/office-365-security/secure-email-recommended-policies.md) for the recommended identity and device access policies to protect organizational email and email clients that support modern authentication and Conditional Access. ## Store and collaborate on files with SharePoint and OneDrive
-For content collaboration, remote workers can use SharePoint and OneDrive folders as a central place in the cloud to store and share files, co-author, communicate, and collaborate. Remote workers can securely work from anywhere from a web browser, from Teams, and from Office apps.
+For content collaboration, hybrid workers can use SharePoint and OneDrive folders as a central place in the cloud to store and share files, co-author, communicate, and collaborate. Remote workers can securely work from anywhere from a web browser, from Teams, and from Office apps.
You might have to migrate your documents to SharePoint or OneDrive from:
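Review bot: Two sentences in this hunk were left as "Remote workers" although the sentences next to them were changed to "hybrid workers": "Remote workers can use Teams meetings for day-to-day activities" under Meetings and conferencing, and "Remote workers can securely work from anywhere" under SharePoint and OneDrive. Since the Calling paragraph is being edited anyway, "It uses the same codecs as meetings and provide great audio" should also become "provides".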
solutions Empower People To Work Remotely Train Monitor Usage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely-train-monitor-usage.md
Title: "Step 6: Train remote workers and address usage feedback"
+ Title: "Step 6: Train your workers and address usage feedback"
f1.keywords: - NOCSH
description: Train your users and ensure that issues are dealt with quickly.
-# Step 6: Train remote workers and address usage feedback
+# Step 6: Train your workers and address usage feedback
-Train your remote workers on:
+Train your hybrid workers on:
- Proper sign-in procedures using MFA, including registering an additional verification method. - The use of devices and how endpoint management policies can be used to block access for non-compliant or unmanaged devices.
Train your remote workers on:
This training should include hands-on exercises so that your workers can experience these capabilities and their results.
-Create a forum for your remote workers to ask questions or get issues addressed, such as a team or a Yammer group.
+Create a forum for your workers to ask questions or get issues addressed, such as a team or a Yammer group.
In the weeks after training: -- Quickly address remote worker feedback in your forum and adjust your remote worker policies and configurations as needed.
+- Quickly address worker feedback in your forum and adjust your worker policies and configurations as needed.
- Analyze usage for teams, email, SharePoint sites, and OneDrive folders and compare it with your expectations of user adoption. Then, retrain your users as needed. ## Results of Step 6
-Your remote workers are trained and there is a responsive and open forum for them to provide feedback and post issues with remote access and productivity apps.
+Your hybrid workers are trained and there is a responsive and open forum for them to provide feedback and post issues with security, compliance, remote access, and productivity apps.
solutions Empower People To Work Remotely https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/empower-people-to-work-remotely.md
Title: "Set up your infrastructure for remote work with Microsoft 365"
+ Title: "Set up your infrastructure for hybrid work with Microsoft 365"
f1.keywords: - NOCSH
- M365initiative-coredeploy keywords: work from home, work-from-home, hybrid, remote worker, hybrid work, remote employees, hybrid connectivity, remote access, telecommuting, telework, teleworking, mobile work, remote job, work from anywhere, flexible workplace
-description: Step through the layers of infrastructure so your remote workers can securely access on-premises and Microsoft 365 resources.
+description: Step through the layers of infrastructure so your hybrid workers can securely access on-premises and Microsoft 365 resources.
-# Set up your infrastructure for remote work with Microsoft 365
+# Set up your infrastructure for hybrid work with Microsoft 365
-To secure and optimize your remote workerΓÇÖs productivity and collaboration, you need to configure your IT and cloud infrastructure to enable remote work and to provide access to your organization's on-premises and cloud-based information, tools, and resources. This solution steps through the deployment of key layers of infrastructure that empower your workers to do their best work, wherever they are.
+To secure and optimize your workerΓÇÖs productivity and collaboration, you need to allow on-site and remote workers to easily and securely access your organization's on-premises and cloud-based information, tools, and resources. This solution steps through the deployment of key layers of infrastructure that empower your workers to do their best work, wherever they are.
-Allowing workers to work away from the office is important for many organizations to:
+Hybrid workers can work on-site or remotely in a combination of locations. Allowing workers to work away from a traditional office is important for many organizations to:
+- Hire and retain workers who are unwilling to relocate or require a flexible work environment.
+- Reduce worker commuting, leaving workers with more time to be productive and for stress-reducing activities outside of work.
- Save on office space.-- Hire and retain workers who are unwilling to relocate.-- Reduce worker commuting, leaving them with more time to be productive and for stress-reducing activities outside of work.
-Microsoft 365 has the capabilities to empower your workers to work remotely.
+Microsoft 365 has the capabilities to empower your hybrid workers to work either on-site or remotely.
-![Empower your remote workers with Microsoft 365](../media/empower-people-to-work-remotely/2-m365-remoteworker-solution-businessoverview.png)
+![Empower your hybrid workers with Microsoft 365](../media/empower-people-to-work-remotely/2-m365-remoteworker-solution-businessoverview.png)
>[!Note] >If you are new to Microsoft 365, see [these resources](https://www.microsoft.com/microsoft-365).
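Review bot: In the rewritten opening paragraph, "your worker's productivity and collaboration" is a singular possessive, but the rest of the sentence is about "on-site and remote workers" in the plural. The plural possessive ("your workers' productivity") is what the sentence needs.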
Watch this video for an overview of the deployment process.
<br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4F1af]
-For IT professionals managing onsite and cloud-based infrastructure to enable worker productivity, this solution provides these key capabilities:
+For IT professionals managing onsite and cloud-based infrastructure to enable hybrid worker productivity, this solution provides these key capabilities:
- Connected
- From anywhere in the world and at any time, remote workers are able to access:
+ From anywhere in the world and at any time, your workers are able to access:
- Cloud-based services and data in your Microsoft 365 subscription.
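Review bot: The added line "For IT professionals managing onsite and cloud-based infrastructure" keeps the spelling "onsite", while text added earlier in this same file uses "on-site" ("on-site and remote workers", "either on-site or remotely"). Pick one spelling and use it throughout the article.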
For IT professionals managing onsite and cloud-based infrastructure to enable wo
- Managed
- Your remote worker's devices can be managed from the cloud with security settings, allowed apps, and to require compliance with system health.
+ Your hybrid worker's devices can be managed from the cloud with security settings, allowed apps, and to require compliance with system health.
- Collaborative and productive
- Your remote workers can be as productive as on-premises in a highly collaborative way with:
+ Your hybrid workers can be as productive as on-premises in a highly collaborative way with:
- Online meetings and chat sessions with Teams.
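Review bot: In the Managed item, "Your hybrid worker's devices" is a singular possessive, while the neighbouring items use the plural ("your workers", "Your hybrid workers"). It should read "Your hybrid workers' devices". Only the adjective was swapped on this line, so the non-parallel ending "and to require compliance with system health" was carried over as well; reword the list so all three items hang off "can be managed from the cloud with".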
For IT professionals managing onsite and cloud-based infrastructure to enable wo
For a seamless sign-in experience, your on-premises Active Directory Domain Services (AD DS) user accounts should be synchronized with Azure Active Directory (Azure AD). To protect your Windows 10 devices, they should be enrolled in Intune. Here is a high-level view of the infrastructure.
-![The basic infrastructure for remote workers with Microsoft 365](../media/empower-people-to-work-remotely/remote-workers-basic-infrastructure.png)
+![The basic infrastructure for hybrid workers with Microsoft 365](../media/empower-people-to-work-remotely/remote-workers-basic-infrastructure.png)
-To enable the capabilities of Microsoft 365 for your remote workers, use these Microsoft 365 features.
+To enable the capabilities of Microsoft 365 for your hybrid workers, use these Microsoft 365 features.
| Capability or feature | Description | Licensing | |:-|:--|:-|
To enable the capabilities of Microsoft 365 for your remote workers, use these M
For security and compliance criteria, see [Deploy security and compliance for remote workers](empower-people-to-work-remotely-security-compliance.md). <a name="poster"></a>
-For a 2-page summary of this solution, see the [Empower remote workers poster](../downloads/empower-remote-workers.pdf).
+For a 2-page summary of this solution, see the [Empower hybrid workers poster](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pdf).
-[![Empower remote workers poster](../media/empower-people-to-work-remotely/empower-remote-workers-poster.png)](../downloads/empower-remote-workers.pdf)
+[![Empower hybrid workers poster](../media/empower-people-to-work-remotely/empower-remote-workers-poster.png)](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pdf)
-You can also download this poster in [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/empower-remote-workers.pdf) or [PowerPoint](https://download.microsoft.com/download/5/1/1/511b77a9-a34c-4ea7-af2a-32b07f20b780/empower-remote-workers.pptx) formats and print it on letter, legal, or tabloid (11 x 17) size paper.
+You can also download this poster in [PowerPoint](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pptx) format and print it on letter, legal, or tabloid (11 x 17) size paper.
-## Provide remote working for all of your workers
+## Provide hybrid working for all of your workers
You can enable all of your workers to stay productive from anywhere with these devices:
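Review bot: The unchanged line at the top of this hunk still links to "Deploy security and compliance for remote workers", so after the rename the paragraph mixes the old and new terms; update that link text in the same change. The thumbnail also still points at empower-remote-workers-poster.png while the link target is now hybrid-worker-infrastructure.pdf, so confirm the image was regenerated to match the new poster.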
You can enable all of your workers to stay productive from anywhere with these d
## Next steps
-Use these steps to secure and optimize access to your organization's servers and cloud services and maximize your remote worker's productivity.
+Use these steps to secure and optimize access to your organization's servers and cloud services and maximize your hybrid worker's productivity.
1. [Increase sign-in security with MFA](empower-people-to-work-remotely-secure-sign-in.md) 2. [Provide remote access to on-premises apps and services](empower-people-to-work-remotely-remote-access.md) 3. [Deploy security and compliance services](empower-people-to-work-remotely-security-compliance.md) 4. [Deploy endpoint management for your devices, PCs, and other endpoints](empower-people-to-work-remotely-manage-endpoints.md)
-5. [Deploy remote worker productivity apps and services](empower-people-to-work-remotely-teams-productivity-apps.md)
-6. [Train remote workers and address usage feedback](empower-people-to-work-remotely-train-monitor-usage.md)
+5. [Deploy hybrid worker productivity apps and services](empower-people-to-work-remotely-teams-productivity-apps.md)
+6. [Train your workers and address usage feedback](empower-people-to-work-remotely-train-monitor-usage.md)
-[![The steps to set up your infrastructure for remote work with Microsoft 365](../medi)
+[![The steps to set up your infrastructure for hybrid work with Microsoft 365](../medi)
-To see how a fictional but representative multi-national organization set up its infrastructure for remote work, see [Contoso's COVID-19 response and infrastructure for remote and onsite work](contoso-remote-onsite-work.md).
+To see how a fictional but representative multi-national organization set up its infrastructure for hybrid work, see [Contoso's COVID-19 response and infrastructure for hybrid work](contoso-remote-onsite-work.md).
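Review bot: The added intro line under "Next steps" reads "your hybrid worker's productivity", a singular possessive for what is clearly all workers; use "your hybrid workers' productivity". The renamed steps are also uneven: step 5 becomes "Deploy hybrid worker productivity apps and services" while step 6 becomes "Train your workers", so settle on one way of referring to the audience in the list.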
solutions Productivity Illustrations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/productivity-illustrations.md
Microsoft supports several options as you begin your journey to Teams in the Mic
|[![Microsoft Telephony Solutions poster](../media/solutions-architecture-center/microsoft-telephony-solutions-thumb.png)](https://download.microsoft.com/download/4/3/5/435cd4e9-ca56-4fd1-acb6-d1fda7952320/microsoft-voice-solutions.pdf) <br/> [PDF](https://download.microsoft.com/download/4/3/5/435cd4e9-ca56-4fd1-acb6-d1fda7952320/microsoft-voice-solutions.pdf) \| [Visio](https://download.microsoft.com/download/7/5/c/75c13012-e20c-48bd-a6dd-ea49d1a3420d/microsoft-voice-solutions.vsdx) <br/>Updated March 2021 | For more information, see [Plan your Teams voice solution](/microsoftteams/cloud-voice-landing-page).|
-## Empower remote workers
+## Set up your infrastructure for hybrid work
With Microsoft 365 and other Microsoft cloud technologies, you can provide your workers with secure access to your organization's on-premises and cloud-based information, tools, and resources from their homes.
-[![Empower remote workers poster](../media/empower-people-to-work-remotely/empower-remote-workers-poster.png)](../downloads/empower-remote-workers.pdf) <br/>
-[PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/empower-remote-workers.pdf) | [PowerPoint](https://download.microsoft.com/download/5/1/1/511b77a9-a34c-4ea7-af2a-32b07f20b780/empower-remote-workers.pptx) <br>
-Updated July 2020
+[![Set up your infrastructure for hybrid work poster](../media/empower-people-to-work-remotely/empower-remote-workers-poster.png)](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pdf) <br/>
+[PDF](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pdf) | [PowerPoint](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pptx) <br>
+Updated June 2021
-For more information, see the article for this poster: [Empower remote workers with Microsoft 365](empower-people-to-work-remotely.md).
+For more information, see the article for this poster: [Set up your infrastructure for hybrid work with Microsoft 365](empower-people-to-work-remotely.md).
## Microsoft Teams with security isolation
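Review bot: The section heading changes to "Set up your infrastructure for hybrid work", but the unchanged description under it still ends "from their homes", which describes remote work only; extend that sentence to cover on-site access as well. The poster alt text here is "Set up your infrastructure for hybrid work poster", whereas the solution article in the same update calls it "Empower hybrid workers poster"; use one name for the same PDF.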