-If any users are provisioned with the role **x_mioms_m365_assis.administrator** and are using different Microsoft 365 accounts to manage a Microsoft 365 support case, they must set up their Microsoft 365 admin email account by navigating to **Microsoft 365 support** > **Link Account**.

-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198022).

-|**Graders disagreement with Tenant Allow/Block List entry**|Generates an alert when Microsoft determines that the admin submission corresponding to an allow entry in the Tenant Allow/Block List is found to be malicious. This event is triggered as soon as the submission has been analyzed by Microsoft. <br/><br/> The allow entry will continue to exist for its stipulated duration. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list-about.md).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|

-Purging of SharePoint, OneDrive for work or school, and Teams files DEPs is not supported in Customer Key. These multi-workload DEPs are used to encrypt data across multiple workloads across all tenant users. Purging such a DEP would result in data from across multiple workloads becoming inaccessible. If you decide to exit Microsoft 365 services altogether, you could pursue the path of tenant deletion per the documented process. See how to [delete a tenant in Azure Active Directory](/azure/active-directory/enterprise-users/directory-delete-howto).

-5. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *DeviceComplianceOnboardingScript.cmd*.

-A sensitivity label that lets users assign permissions must be applied to content manually by users; it can't be auto-applied or used as a recommended label.

-Enable built-in labeling for [supported Office files](sensitivity-labels-office-apps.md#office-file-types-supported) in SharePoint and OneDrive so that users can apply your [sensitivity labels](sensitivity-labels.md) in Office for the web. When this feature is enabled, users will see the **Sensitivity** button on the ribbon so they can apply labels, and see any applied label name on the status bar.

-Enabling this feature also results in SharePoint and OneDrive being able to process the contents of Office files that have been encrypted by using a sensitivity label. The label can be applied in Office for the web, or in Office desktop apps and uploaded or saved in SharePoint and OneDrive. Until you enable this feature, these services can't process encrypted files, which means that coauthoring, eDiscovery, Microsoft Purview data loss prevention, search, and other collaborative features won't work for these files.

-|[Double Key Encryption (DKE)](encryption-sensitivity-labels.md#double-key-encryption) |Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) |Under review |Under review |Under review| Under review |

-|[Double Key Encryption (DKE)](encryption-sensitivity-labels.md#double-key-encryption) |Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) |Under review |Under review |Under review| Under review |

-<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.-->

-## Exchange Online

-## SharePoint Online and OneDrive for Business

-## Skype for Business Online and Microsoft Teams

-## Microsoft 365 Common and Office Online

-<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.-->

-## Exchange Online

-## SharePoint Online and OneDrive for Business

-## Skype for Business Online and Microsoft Teams

-## Microsoft 365 Common and Office Online

-<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.-->

-## Exchange Online

-## SharePoint Online and OneDrive for Business

-## Skype for Business Online and Microsoft Teams

-## Microsoft 365 Common and Office Online

-Microsoft 365 Lighthouse provides deployment insights within and across the tenants you manage. Deployment insights are derived from a combination of signals that are either detected by Lighthouse or entered into Lighthouse by a user in the partner tenant. The single view enables you to:

-To access Deployment insights, in the left navigation pane in Lighthouse, select **Deployment \> Deployment insights**.

-The Deployment insights page includes the following:

-**Note:** The Deployment insights page measures deployment progress across all tenants that have an Onboarding Status of **Active**. By default, the deployment insights are filtered to display insights for all tenants but can be filtered by tenant tag.

-The tenant progress graph measures deployment progress by tenant, reporting the status of each tenantsΓÇÖ deployment plans as either:

-The user progress graph measures deployment progress by user, reporting users as either:

-The deployment insights table organizes information by tenant and task.

-The **Tenants** tab pivot can be filtered by deployment plan status and baseline. It provides the following information for each tenant:

-| Tenant | The name of the tenant. |

-| Baseline | The baseline that is assigned to the tenant. |

-| Deployment plan status | The status of the deployment plan; either **Complete** or **Not complete**. |

-| Task progress | The number of total tasks that are in a state of completion; either **Compliant** or **Dismissed**. |

-| Not licensed tasks | The number of tasks for which the tenant is **Not licensed**. |

-| User progress | The number of users for which all deployment tasks are either **Compliant**, **Excluded**, or **Not targeted**. |

-To better understand deployment insights, here are a few examples for how different tenant configurations and deployment activities are reflected in the deployment insights table.

-In this example, all tenants have 100 users and have been assigned a baseline that includes 10 tasks:

-Selecting any tenant from the list opens the deployment insights details pane for that tenant, which provides the following information for each tenant:

-**NOTE**: Deployment insights around dismissed tasks, excluded users, and required licenses are also available from the **Tenant** page.

-The **Overview** tab provides the status of each deployment task assigned to the tenant with the following information:

-| Tasks | The name of the task. |

-| Task Status | The status of the deployment task. |

-| User status | The number of users who have completed the task, who have been excluded from the task, or who haven't been targeted for the task. |

-The **Dismissed tasks** tab provides details around tasks that have been dismissed from the deployment plan and allows you to reinstate tasks. The tab includes the following information:

-The **Excluded users** tab provides details around users that have been excluded from a deployment task. This tab includes the following information:

-| Task with excluded users | The name of the task from which one or more users has been excluded. |

-| Excluded users | The names of each user that has been excluded. |

-The **Required licenses** tab provides details around deployment tasks for which one or more users requires additional licensing to complete the task. This tab includes the following information:

-| Tasks with not licensed users | The name of the task from which one or more users aren't licensed. |

-| Not licensed users | The name of each user who isn't licensed to complete the task. |

-To view deployment insights by task, select the **Tasks** tab. The **Tasks** tab can be filtered by baseline and category. It provides the following information for each tenant:

-| Compliant | The number of tenants in which the status of the task is **Compliant**. |

-| Not compliant | The number of tenants in which the status of the task is **Not compliant**. |

-| Dismissed | The number of tenants in which the status of the task is **Dismissed**. |

-| Not licensed | The number of tenants in which the status of the task is **Not licensed**. |

-Selecting any task from the list opens the deployment insights details pane for that task, which provides the following information:

-| Tenant | The name of the tenant. |

-## Next Steps

-For information on how to manage tenants using deployment insights, see [Manage deployments using insights in Microsoft 365 Lighthouse](m365-lighthouse-manage-tenants-using-deployment-insights.md).

- - **Organization Management** or **Security Administrator** in the [Microsoft 365 Defender portal](../office-365-security/mdo-portal-permissions.md).

-## Report items to Microsoft from the portal

-If you have a file that you suspect might be malware or is being incorrectly detected (false positive), you can submit it to Microsoft for analysis using the Microsoft 365 Defender portal at https://security.microsoft.com/.

-### Submit a file or file hash

-1. Open Microsoft 365 Defender at [https://security.microsoft.com](https://security.microsoft.com), click **Actions & submissions**, click **Submissions**, go to **Files** tab, and then select **Add new submission**.

- :::image type="content" source="../../media/unified-admin-submission-new.png" alt-text="Screenshot showing how to add a new submission.":::

-2. Use the **Submit items to Microsoft for review** flyout that appears to submit the **File** or **File hash**.

-3. In the **Select the submission type** box, select **File** or **File hash** from the drop-down list.

-4. When submitting a file, click **Browse files**. In the dialog that opens, find and select the file, and then click **Open**. Note that for **File hash** submissions, you'll either have to copy or type in the file hash.

-5. In the **This file should have been categorized as** section, choose either **Malware** (false negative), or **Unwanted software**, or **Clean** (false positive).

-6. Next, **Choose the priority**. Note that for **File hash** submissions, **Low - bulk file or file hash submission** is the only choice, and is automatically selected.

- :::image type="content" source="../../media/unified-admin-submission-file.png" alt-text="Screenshot showing how to submit files.":::

-7. Click **Submit**.

- If you want to view the details of your submission, select your submission from the **Submissions name** list to open the **Result details** flyout.

-## Report items to Microsoft from the Alerts page

-You can also submit a file or file hash directly from the list of alerts on the **Alerts** page.

-1. Open the Microsoft 365 Defender at [https://security.microsoft.com](https://security.microsoft.com), click **Incidents & alerts**, and then click **Alerts** to view the list of alerts.

-2. Select the alert you want to report. Note that you are submitting a file that is nestled within the alert.

-3. Click the ellipses next to **Manage alert** to see additional options. Select **Submit items to Microsoft for review**.

- :::image type="content" source="../../media/unified-admin-submission-alerts-queue.png" alt-text="Screenshot showing how to submit items from an alerts queue.":::

-4. In the next flyout that opens, select the submission type.

- :::image type="content" source="../../media/unified-admin-submission-alert-queue-flyout.png" alt-text="Screenshot showing how to specify a submission type and fill in required fields.":::

- If you select **File** as the submission type, upload the file, categorize your submission, and choose the priority.

- If you select **File Hash** as the submission type, choose the file hashes that are available from the drop-down. You can select multiple file hashes.

-5. Click **Submit**.

-This feature is only available if you've an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.

-When you turn on this feature, you'll be able to incorporate data from Microsoft Defender for Office 365 into Microsoft 365 Defender to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.

-> [!NOTE]

-keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender

-ms.sitesec: library

-|`-ResetPlatform`| Revert platform binaries back to the previous installed version of the Defender platform.|

-|`-RevertPlatform`|reset platform binaries back to `%ProgramFiles%\Windows Defender`.|

-keywords: exclusions, files, extension, file type, folder name, file name, scans

-ms.sitesec: library

-Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"

-<br/><br/>

-|Location|Setting|Description|Default setting (if not configured)|

-|||||

-|Scan|Create a system restore point|A system restore point will be created each day before cleaning or scanning is attempted|Disabled|

-|Scan|Turn on removal of items from scan history folder|Specify how many days items should be kept in the scan history|30 days|

-|Root|Turn off routine remediation|You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do.|Disabled (threats are remediated automatically)|

-|Quarantine|Configure removal of items from Quarantine folder|Specify how many days items should be kept in quarantine before being removed|90 days|

-|Threats|Specify threat alert levels at which default action should not be taken when detected|Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored)|Not applicable|

-|Threats|Specify threats upon which default action should not be taken when detected|Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored|Not applicable|

-> If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md).

->

-> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).

- :::image type="content" source="media/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group." lightbox="media/any-removable-storage-group.png":::

-# List security baselines assessment configurations

-## 1. Get all security baselines assessment configurations

-This API retrieves a list of all the possible security baselines assessment configurations and settings for all the available benchmarks.

-|Id | String | Unique identifier for the specific configuration in the baseline benchmark.

-|source|String| The registry path or other location used to determine the current device setting.

- "id": "1.1.8",

- "name": "(L1) Ensure 'Allow importing of payment info' is set to 'Disabled'",

- "description": "<p xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">This policy setting controls whether users are able to import payment information from another browser into Microsoft Edge as well as whether payment information is imported on first use.</p>",

- "category": "Microsoft Edge",

- "Level 1 (L1) - Corporate/Enterprise Environment (general use)",

- "Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)"

- "cce": "",

- "rationale": "<p xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">Having payment information automatically imported or allowing users to import payment data from another browser into Microsoft Edge could allow for sensitive data to be imported into Edge.</p>",

- "remediation": "<div xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">\r\n <p>\r\n <p>\r\nTo establish the recommended configuration via GP, set the following UI path to <span class=\"inline_block\">Disabled</span></p>\r\n <code class=\"code_block\">Computer Configuration\\Policies\\Administrative Templates\\Microsoft Edge\\Allow importing of payment info\r\n</code>\r\n <p>\r\n <strong>Note:</strong>\r\n This Group Policy path may not exist by default. It is provided by the Group Policy template <span class=\"inline_block\">MSEdge.admx/adml</span>\r\n that can be downloaded from Microsoft <a href=\"https://www.microsoft.com/en-us/edge/business/download\">here</a>\r\n. </p>\r\n <p class=\"bold\">Impact:</p>\r\n <p>\r\n <p>Users will be unable to perform a payment information import from other browsers into Microsoft Edge.</p>\r\n </p>\r\n </p>\r\n</div>",

- "benchmarkName": "CIS"

-"recommendedValue": [

- "Equals '0'"

- ],

- "source": [

- "hkey_local_machine\\software\\policies\\microsoft\\windows\\eventlog\\security\\retention"

- ]

- },

-> [!NOTE]

-> - Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).

-> - This article lists changes that are included in the broad release channel. [See the latest broad channel release here](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info).

-> - To learn more about the gradual rollout process, and to see more information about the next release, see [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md).

-> - To learn more about security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).

-> - If you're looking for a list of Microsoft Defender processes, **[download the mde-urls workbook](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaef).

-> - Platform updates can be temporarily postponed if other protection features (such as [Endpoint DLP](../../compliance/endpoint-dlp-getting-started.md) or [Device Control](device-control-report.md)) are actively monitoring running processes. Platform updates will be retried after a reboot or when all monitored services are stopped.

-\* Technical support continues to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.

-Performance mode is enabled by default when a new Dev Drive is created. To control of the balance between performance and security when protecting a Dev Drive, administrators can choose between these options:

-A Dev Drive is automatically designated as trusted, providing the best possible performance by default. A trusted Dev Drive means that the developer using the volume has high confidence in the security of the content stored there.

-Similar to when an administrator chooses to add an exclusion to a Microsoft Defender Antivirus configuration, it's the administrator's responsibility to assess the performance benefits and security risks when using performance mode. As mentioned, security runs in Real-time protection mode when a Dev Drive is untrusted.

-> [!NOTE]

-> Performance mode can only run on a ΓÇ£trustedΓÇ¥ Dev Drive.

-For more information on trusted Dev Drive and to confirm whether a designated Dev Drive is trusted, see: [Set up a Dev Drive on Windows 11](/windows/dev-drive).

-keywords: malware, defender, antivirus, tamper protection

-When tamper protection is turned on, tamper-protected settings can't be changed.

-> [!NOTE]

-> For the full available Advanced Hunting API experience across all Microsoft Defenders' products, visit [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview).

-> [!NOTE]

-> This API can only query tables belonging to Microsoft Defender for Endpoint. Tables belonging to other Microsoft 365 Defender services require the use of the [Microsoft 365 Defender Advanced hunting API](/microsoft-365/security/defender/api-advanced-hunting).

-5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached.

-See([Block abuse of exploited vulnerable signed drivers rule](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers)).

-> [!NOTE]

-> **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview?view=graph-rest-1.0&preserve-view=true).

-3. You can make up to 45 calls per minute per tenant.

-4. Queries are blocked if the tenant has reached 100% until after the next 15-minute cycle.

-5. If a single request runs for more than 10 minutes, it will time out and return an error.

-6. A `429` HTTP response code indicates that you've reached a quota, either by number of requests sent, or by allotted running time. Read the response body to understand the limit you have reached.

-> [!NOTE]

-> All quotas listed above (for example 15 calls per min) are tenant wide. These quotas are the minimum.

-> The MVI Program is not currently accepting new applications for membership. Please contact MVI@microsoft.com for more information.

- You can select up to 10 messages to perform a bulk submission. Admin submissions created this way also visible in the Submission portal.

-An [incident](/microsoft-365/security/defender/incidents-overview) in Microsoft 365 Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/microsoft-365/compliance/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft 365 Defender at <https://security.microsoft.com/incidents-queue>. We'll refer to this page as the _Incidents queue_.

-Alerts are created when malicious or suspicious activity affects an entity (for example, email, users, or mailboxes). Alerts provide valuable insights about in-progress or completed attacks. However, an ongoing attack can affect multiple entities, which results in multiple alerts from different sources. Some built-in alerts will automatically trigger AIR playbooks. These playbooks do a series of investigation steps to look for other impacted entities or suspicious activity.

-Defender for Office 365 alerts, investigations, and their data are automatically correlated. When a relationship is determined, an incident is created by the system to give security teams visibility for the entire attack.

-

-

-

-

-

-

-

-The most effective way to take action is to use the built-in integration with Incidents in Microsoft 365 Defender. You can simply approve the actions that were recommended by AIR in Defender for Office 365 on the [Evidence and response](/microsoft-365/security/defender/investigate-incidents#evidence-and-response) tab of an Incident in Microsoft 365 Defender. This method of tacking action is recommended for the following reasons:

- - **Should not have been blocked (false negative)**: If you select this option, the following settings appear:

-To go directly to the **Submissions** page in the Defender portal, select **Go to submissions**.

-The details table below the graph shows the same information and has the same :::image type="icon" source="../../medi#view-user-reported-messages-to-microsoft).

-Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report and the details table by selecting one or more of the following values in the flyout that opens:

- - **No threats**

- - **Threats**

- - **Spam**

- - **Email**

- - **Teams message** (currently in Preview)

-When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.

-To group the entries, select **Group** and select one of the following values from the drop-down list:

-The Report Message and Report Phishing add-ins for Outlook make it easy to report phishing to Microsoft and its affiliates for analysis, along with easy triage for admins on the Submissions page at <https://security.microsoft.com/reportsubmission?viewid=user>.

-In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can send templated messages back to users after an admin has reviewed their reported messages. You can customize the templates for your organization and for the admin verdict.

-The feature is designed to give feedback to your users but doesn't change the verdicts of messages in the system. To help Microsoft update and improve its filters, you need to submit messages for analysis using [Admin submission](submissions-admin.md).

-Admins can mark messages and notify users of review results only if the user reported the message as a [false positives or false negatives](submissions-outlook-report-messages.md).

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Email & collaboration** \> **Submissions** \> **User reported** tab. Or, to go directly to the **User reported** tab, use <https://security.microsoft.com/reportsubmission?viewid=user>.

-2. On the **User reported** tab, find and select the message, select **Mark as and notify**, and then select one of the following values from the dropdown list:

-In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the Submissions page in the Microsoft 365 Defender portal to submit email messages, URLs, and attachments to Microsoft for analysis.

-When you submit an email message for analysis, Microsoft does the following checks:

-> In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can use the **Submissions** page in the Microsoft 365 Defender portal to submit messages to Microsoft. The messages are only analyzed for email authentication check and policy check.

->

->Payload reputation/detonation and grader analysis are not done as data is not supposed to leave the tenant boundary for compliance purposes.

-For other ways to submit email messages, URLs, attachments and files to Microsoft, see [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md).

- - **Security Administrator** or **Security Reader** in the [Microsoft 365 Defender portal](mdo-portal-permissions.md).

- Note that one of these roles is required to [View user reported messages](#view-user-reported-messages-to-microsoft) as described later in this article.

- - Maximum submissions in any 15 minutes period: 150 submissions

- - Same submissions in a 24 hour period: 3 submissions

- - Same submissions in a 15 minute period: 1 submission

-## Report questionable email to Microsoft

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-3. On the **Emails** tab, click  **Submit to Microsoft for analysis**.

-4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

- - **Add the email network message ID**: This is a GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header in the message or in the **X-MS-Office365-Filtering-Correlation-Id** header in quarantined messages.

- - **Upload the email file (.msg or .eml)**: Click **Browse files**. In the dialog that opens, find and select the .eml or .msg file, and then click **Open**.

- - **Choose a recipient who had an issue**: Specify the recipients that you would like to run a policy check against. The policy check will determine if the email bypassed scanning due to user or organization policies or override.

- - **Block all emails from this sender or domain**: Select this option to create a block entry for the sender domain or email address in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

- When you're finished, click **Submit**, and then click **Done**.

-After a few moments, the block entry will appear on the **Domains & addresses** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

-## Report questionable email attachments to Microsoft

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-3. On the **Email attachments** tab, click  **Submit to Microsoft for analysis**.

-4. On the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

- - **File**: Click **Browse files** to find and select the file to submit.

- - **Block this file**: Select this option to create a block entry for the file in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

- When you're finished, click **Submit**, and then click **Done**.

-After a few moments, the block entry will appear on the **Files** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

-## Report questionable URLs to Microsoft

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-3. On the **URLs** tab, click  **Submit to Microsoft for analysis**.

-4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

- - **URL**: Enter the full URL (for example, `https://www.fabrikam.com/marketing.html`), and then select it in the box that appears. You can enter upto 50 URLs at once.

- - **Block this URL**: Select this option to create a block entry for the URL in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

- When you're finished, click **Submit**, and then click **Done**.

-After a few moments, the block entry will appear on the **URL** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

-## Report good email to Microsoft

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-3. On the **Emails** tab, click  **Submit to Microsoft for analysis**.

-4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

- - **Add the email network message ID**: This is a GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header in the message or in the **X-MS-Office365-Filtering-Correlation-Id** header in quarantined messages.

- - **Upload the email file (.msg or .eml)**: Click **Browse files**. In the dialog that opens, find and select the .eml or .msg file, and then click **Open**.

- - **Choose a recipient who had an issue**: Specify the recipient(s) that you would like to run a policy check against. The policy check will determine if the email was blocked due to user or organization policies or overrides.

- - **Allow emails with similar attributes (URL, sender, etc.)**: Turn on this setting .

- For spoofed senders, any value you enter here is not shown in the allow entry on the **Spoofed senders** tab on the **Tenant Allow/Block List**.

- When you're finished, click **Submit**, and then click **Done**.

-After a few moments, the allow entries will appear on the **Domains & addresses**, **Spoofed senders**, **URL**, or **Files** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

-> - During mail flow, if messages from the allowed domain or email address pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message from an allowed sender email address will be delivered.

-> - By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages from those domains or email addresses will be delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.

-## Report good email attachments to Microsoft

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-3. On the **Email attachments** tab, click  **Submit to Microsoft for analysis**.

-4. On the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

- - **File**: Click **Browse files** to find and select the file to submit.

- - **Allow this file**: Turn on this setting .

- When you're finished, click **Submit**, and then click **Done**.

-After a few moments, the allow entry will appear on the **Files** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

-> [!NOTE]

-> - By default, allow entries for files exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those files will be delivered, unless something else in the message is detected as malicious.

-> - When the file is encountered again during mail flow, [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks and all other file-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message will be delivered.

-## Report good URLs to Microsoft

-For URLs reported as false positives, we'll allow subsequent messages that contain variations of the original URL. For example, you use the Submissions page to report the incorrectly blocked URL `www.contoso.com/abc`. If your organization later receives a message that contains the URL (for example but not limited to: `www.contoso.com/abc`, `www.contoso.com/abc?id=1`, `www.contoso.com/abc/def/gty/uyt?id=5`, or `*.contoso.com/abc`), the message won't be blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-3. On the **URLs** tab, click  **Submit to Microsoft for analysis**.

-4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

- - **Allow this URL**: Turn on this setting .

- When you're finished, click **Submit**, and then click **Done**.

-After a few moments, the allow entry will appear on the **URL** tab on the **Tenant Allow/Block List** page. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).

-> - By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs will be delivered, unless something else in the message is detected as malicious.

-> - When the URL is encountered again during mail flow, [Safe Links](safe-links-about.md) detonation or URL reputation checks and all other URL-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message will be delivered.

-## View email admin submissions to Microsoft

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-2. On the **Submissions** page, verify that the **Emails** tab is selected.

- - You can sort the entries by clicking on an available column header.

- - Click  **Customize columns** to select the columns that you want to view. The default values are marked with an asterisk (\*):

- - **Submission name**^\*

- - **Sender**^\*

- - **Recipient**

- - **Date submitted**^\*

- - **Reason for submitting**^\*

- - **Original verdict**^\*

- - **Status**^\*

- - **Result**^\*

- - **Delivery/Block reason**

- - **Submission ID**

- - **Network Message ID**

- - **Direction**

- - **Sender IP**

- - **Bulk compliant level (BCL)**

- - **Destination**

- - **Policy action**

- - **Submitted by**

- - **Phish simulation**

- - **Tags**^\*

- - **Action**

- When you're finished, click **Apply**.

- :::image type="content" source="../../media/admin-submission-email-customize-columns.png" alt-text="Customize columns option for email admin submissions." lightbox="../../media/admin-submission-email-customize-columns.png":::

- - To filter the entries, click  **Filter**. The following values are available in the **Filter** flyout that appears:

- - **Date submitted**: **Start date** and **End date** values.

- - **Submission ID**: A GUID value that's assigned to every submission.

- - **Network Message ID**

- - **Sender**

- - **Recipient**

- - **Submission name**

- - **Submitted by**

- - **Reason for submitting**: The values are **Not junk**, **Phish**, **Malware**, and **Spam**.

- - **Status**: The values are **Pending** and **Completed**.

- - **Tags**: The default value is **All** or select a [user tag](user-tags-about.md) from the drop-down list.

- When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

- :::image type="content" source="../../media/admin-submission-email-filters.png" alt-text="Filter options for email admin submissions." lightbox="../../media/admin-submission-email-filters.png":::

- - To group the entries, click  **Group** and select one of the following values from the dropdown list:

- - **None**

- - **Reason**

- - **Status**

- - **Result**

- - **Tags**

- - To export the entries, click  **Export**. In the dialog that appears, save the .csv file.

-## View email attachment admin submissions to Microsoft

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-2. On the **Submissions** page, verify that the **Email attachments** tab is selected.

- - You can sort the entries by clicking on an available column header.

- - Click  **Customize columns** to select the columns that you want to view. The default values are marked with an asterisk (\*):

- - **Attachment filename**^\*

- - **Date submitted**^\*

- - **Reason for submitting**^\*

- - **Status**^\*

- - **Result**^\*

- - **Filter verdict**

- - **Delivery/Block reason**

- - **Submission ID**

- - **Object ID**

- - **Policy action**

- - **Submitted by**

- - **Tags**^\*

- - **Action**

- When you're finished, click **Apply**.

- :::image type="content" source="../../media/admin-submission-file-customize-columns.png" alt-text="Customize column options for email attachment admin submissions.":::

- - To filter the entries, click  **Filter**. The following values are available in the **Filter** flyout that appears:

- - **Date submitted**: **Start date** and **End date**.

- - **Submission ID**: A GUID value that's assigned to every submission.

- - **Attachment filename**

- - **Submitted by**

- - **Reason for submitting**: The values are **Not junk**, **Phish**, **Malware**, and **Spam**.

- - **Status**: The values are **Pending** and **Completed**.

- - **Tags**: The default value is **All** or select a [user tag](user-tags-about.md) from the drop-down list.

- When you're finished, click **Apply**.

- :::image type="content" source="../../media/admin-submission-file-filters.png" alt-text="Filter options for email attachment admin submissions.":::

- - To group the entries, click  **Group** and select one of the following values from the drop-down list:

- - **None**

- - **Reason**

- - **Status**

- - **Result**

- - **Tags**

- - To export the entries, click  **Export**. In the dialog that appears, save the .csv file.

-## View URLs admin submissions to Microsoft

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

-2. On the **Submissions** page, verify that the **URLs** tab is selected.

- - You can sort the entries by clicking on an available column header.

- - Click  **Customize columns** to select the columns that you want to view. The default values are marked with an asterisk (\*):

- - **URL**^\*

- - **Date submitted**^\*

- - **Reason for submitting**^\*

- - **Status**^\*

- - **Result**^\*

- - **Filter verdict**

- - **Delivery/Block reason**

- - **Submission ID**

- - **Object ID**

- - **Policy action**

- - **Submitted by**

- - **Tags**^\*

- - **Action**

- When you're finished, click **Apply**.

- :::image type="content" source="../../media/admin-submission-url-customize-columns.png" alt-text="Customize column options for URL admin submissions.":::

- - To filter the entries, click  **Filter**. The following values are available in the **Filter** flyout that appears:

- - **Date submitted**: **Start date** and **End date**.

- - **Submission ID**: A GUID value that's assigned to every submission.

- - **URL**

- - **Submitted by**

- - **Reason for submitting**: The values **Not junk**, **Phish**, **Malware**, and **Spam**.

- - **Status**: The values are **Pending** and **Completed**.

- - **Tags**: The default value is **All** or select a [user tag](user-tags-about.md) from the drop-down list.

- When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

- :::image type="content" source="../../media/admin-submission-url-filters.png" alt-text="Filter options for URL admin submissions.":::

- - To group the entries, click  **Group** and select one of the following values from the dropdown list:

- - **None**

- - **Reason**

- - **Status**

- - **Result**

- - **Tags**

- - To export the entries, click  **Export**. In the dialog that appears, save the .csv file.

-## Admin submission result details

-Messages that are submitted in admin submissions are reviewed by Microsoft and results shown in the submissions detail flyout:

-## View user reported messages to Microsoft

-If you've deployed the [Microsoft Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md) or if people use the [built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web), you can see what users are reporting on the **User reported** tab on the **Submissions** page.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions** \> **User reported** tab. To go directly to the **User reported** tab, use <https://security.microsoft.com/reportsubmission?viewid=user>.

-2. On the **User reported** tab, the following settings are available:

- - Click  **Customize columns** to select the columns that you want to view. The default values are marked with an asterisk (\*):

- - **Submission name**^\*

- - **Reported by**^\*

- - **Date reported**^\*

- - **Sender**^\*

- - **Reported reason**^\*

- - **Original verdict**^\*

- - **Result**^\*

- - **Message reported ID**

- - **Network Message ID**

- - **Sender IP**

- - **Reported from**

- - **Phish simulation**

- - **Converted to admin submission**

- - **Tags**^\*

- - **Marked as**^\*

- - **Marked by**

- - **Date marked**

- When you're finished, click **Apply**.

- - To filter the entries, click  **Filter**. The following values are available in the **Filter** flyout that appears:

- - **Date reported**: **Start date** and **End date**.

- - **Reported by**

- - **Name**

- - **Message reported ID**

- - **Network Message ID**

- - **Sender**

- - **Reported reason**: The values are **Not junk**, **Phish**, or **Spam**.

- - **Reported from**: The values are **Microsoft** or **Third party**.

- - **Phish simulation**: The values are **Yes** or **No**.

- - **Converted to admin submission**: The values are **Yes** or **No**.

- - **Tags**: The default value is **All** or select a [user tag](user-tags-about.md) from the drop-down list.

- When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

- - To group the entries, click  **Group** and select one of the following values from the dropdown list:

- - **None**

- - **Reason**

- - **Sender**

- - **Reported by**

- - **Original verdict**

- - **Result**

- - **Reported from**

- - **Phish simulation**

- - **Converted to admin submission**

- - **Tags**

- - To export the entries, click  **Export**. In the dialog that appears, save the .csv file.

- - To notify users, see [Admin Review for Reported messages](submissions-admin-review-user-reported-messages.md)

-> [!NOTE]

-> User reported messages that are sent only to the [reporting mailbox](submissions-user-reported-messages-custom-mailbox.md) (not to Microsoft) appear on the **User reported** tab on the **Submissions** page, but the **Result** value for those entries is **Not Submitted to Microsoft** (because these messages aren't analyzed by Microsoft).

-## Undo user reported messages

-Once a user reports a suspicious message that's delivered to the reporting mailbox, to Microsoft, or both, the user or admins can't undo the reported message. The user can recover the messages from their Deleted Items or Junk Email folders.

-## Convert user reported messages in the reporting mailbox into admin submissions

-If you've configured the reporting mailbox to intercept user reported messages without sending the messages to Microsoft, admins can find and manually send specific messages to Microsoft for analysis.

-On the **User reported** tab at <https://security.microsoft.com/reportsubmission?viewid=user>, select a message from the list, click  **Submit to Microsoft for analysis**, and then select one of the following values from the dropdown list:

- :::image type="content" source="../../media/admin-submission-user-reported-submit-button-options.png" alt-text="The New options on the Action button" lightbox="../../media/admin-submission-user-reported-submit-button-options.png":::

-If the message is reported to Microsoft, the **Converted to admin submission** value turns from **no** to **yes**. You can directly access the admin submission by clicking **View the converted admin submission** from the  **More options** menu on the submission flyout of the message.

-## View associated alert for user and admin email submissions

-> The information in this section applies only to Defender for Office 365 Plan 2 or higher.

-For each user reported message and admin email submission, a corresponding alert is generated.

-To view the corresponding alert for a user reported phishing message, go to the **User reported** tab at <https://security.microsoft.com/reportsubmission?viewid=user>, and then double-click the message to open the submission flyout. Click  **More options** and then select **View alert**.

-To view the corresponding alert for admin email submissions, go to the **Emails** tab at <https://security.microsoft.com/reportsubmission?viewid=email>, and then double-click the message to open the submission flyout. Select **View alert** on the **Open email entity** option.

-This article attempts to explain the common error messages that you might receive as you try to [report emails, URLs, and email attachments to Microsoft](submissions-admin.md)

-If you encounter this error message, then either of the following conditions might have occurred:

- It's hard for us to determine why the message was missed or delivered when it wasn't filtered by Microsoft's protection stack.

- If you wait "a while" and submit the message again, the submission will be successful.

-Be sure to check that both of these conditions are false before submitting the message again.

-In Microsoft 365 organizations with mailboxes in Exchange Online or in on-premises mailboxes that use hybrid modern authentication, users can report phishing and suspicious emails in Outlook.

-Users can report false positives (good email that was blocked or sent to their Junk Email folder) and false negatives (unwanted email or phishing that was delivered to their Inbox) from Outlook on all platforms using free tools from Microsoft.

-Admins configure user reported messages to go to a designated reporting mailbox, to Microsoft, or both. For more information, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md).

-> [!NOTE]

-> Admins in Microsoft 365 organizations with Exchange Online mailboxes use the **Submissions** page in the Microsoft 365 Defender portal to submit messages to Microsoft. For instructions, see [Use the Submissions page to submit suspected spam, phish, URLs, and files to Microsoft](submissions-admin.md).

->

-> Admins can view reported messages on the **Submissions** page at <https://security.microsoft.com/reportsubmission> **only** if both of the following settings are configured on the **User reported** page at <https://security.microsoft.com/securitysettings/userSubmission>:

->

-> - The toggle on the **User reported** page is **On** .

-> - **Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options** is selected.

-> [!NOTE]

->

-> - The built-in **Report** button is available in Outlook on the web **only** if both of the following settings are configured on the **User reported** page at <https://security.microsoft.com/securitysettings/userSubmission>:

-> - The toggle on the **User reported** page is **On** .

-> - **Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options** is selected.

->

-> If the toggle is **Off**  or if **Use a non-Microsoft add-in button** is selected, then the **Report** button is not available in Outlook on the web.

->

-> - Currently, the **Report** button in Outlook on the web does not honor the **Before a message is reported** and **After a message is reported** settings (notification pop-ups) in the [User reported settings](submissions-user-reported-messages-custom-mailbox.md).

->

-> - Built-in reporting in Outlook on the web supports reporting messages from shared mailboxes or other mailboxes by a delegate.

-> - Shared mailboxes require Send As or Send On Behalf permission for the user.

-> - Other mailboxes require Send As or Send On Behalf permission _and_ Read and Manage permissions for the delegate.

-In Outlook on the web, select one or more messages, click **Report**, and then select **Report phishing** or **Report junk** in the dropdown list.

-> :::image type="content" source="../../media/owa-report-junk-phishing.png" alt-text="The results of clicking the Report button after selecting multiple messages in Outlook on the web." lightbox="../../media/owa-report-junk-phishing.png":::

-In Outlook on the web, select one or more messages in the Junk Email folder, click **Report**, and then select **Not junk** in the dropdown list.

-> :::image type="content" source="../../media/owa-report-as-not-junk.png" alt-text="The results of clicking the Report button after selecting multiple messages in the Junk Email folder in Outlook on the web." lightbox="../../media/owa-report-as-not-junk.png":::

-> [!NOTE]

->

-> - The procedures in this section require the Microsoft Report Message or Report Phishing add-ins to be installed. For more information, see [Enable the Microsoft Report Message or the Report Phishing add-in](submissions-users-report-message-add-in-configure.md) installed.

-> - The versions of Outlook that are supported by the Report Message and Report Phishing add-ins are described [here](submissions-users-report-message-add-in-configure.md#what-do-you-need-to-know-before-you-begin).

- - **Classic Ribbon**: Click **Report Message**, and then select **Junk** or **Phishing** in the dropdown list.

- > :::image type="content" source="../../media/OutlookReportMessage-classic-expanded.png" alt-text="Select a message and then click the Report Message button in the Classic Ribbon in Outlook." lightbox="../../media/OutlookReportMessage-classic-expanded.png":::

- - **Simplified Ribbon**: Click  **More commands** \> **Protection** section \> **Report Message** \> select **Junk** or **Phishing**.

- > :::image type="content" source="../../media/OutlookReportMessage-simplified-expanded.png" alt-text="Select a message and then click the Report Message button in the Simplified Ribbon in Outlook." lightbox="../../media/OutlookReportMessage-simplified-expanded.png":::

-Based on the [User reported settings](submissions-user-reported-messages-custom-mailbox.md) in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken on the reported messages in the mailbox:

- - **Classic Ribbon**: Click **Report Message**, and then select **Not Junk** in the dropdown list.

- > :::image type="content" source="../../media/OutlookReportMessage-classic-expanded.png" alt-text="Select a message in the Junk Email folder, and then click the Report Message button in the Classic Ribbon in Outlook." lightbox="../../media/OutlookReportMessage-classic-expanded.png":::

- - **Simplified Ribbon**: Click  **More commands** \> **Protection** section \> **Report Message** \> select **Not Junk**.

- > :::image type="content" source="../../media/OutlookReportMessage-simplified-expanded.png" alt-text="Select a message in the Junk Email folder, and then click the Report Message button in the Simplified Ribbon in Outlook." lightbox="../../media/OutlookReportMessage-simplified-expanded.png":::

-Based on the [User reported settings](submissions-user-reported-messages-custom-mailbox.md) in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out of Junk Email to the Inbox.

-You can report phishing messages from any email folder.

- - **Classic Ribbon**: Click **Report Phishing**.

- > :::image type="content" source="../../media/Outlook-ReportPhishing.png" alt-text="Select a message and then click the Report Phishing button in the Classic Ribbon in Outlook." lightbox="../../media/Outlook-ReportPhishing.png":::

- - **Simplified Ribbon**: Click  **More commands** \> **Protection** section \> **Phishing**

- > :::image type="content" source="../../media/Outlook-ReportPhishing-simplified.png" alt-text="Select a message and then click the Report Phishing button in the Simplified Ribbon in Outlook." lightbox="../../media/Outlook-ReportPhishing-simplified.png":::

-> When you report an email entity to Microsoft, everything associated with the message is copied to include then in the continual algorithm reviews. This copy includes the email content, email headers, any attachments, and related data about email routing.

-|[The Submissions page in the Microsoft 365 Defender portal](submissions-admin.md)|Admin|Admins use this method to submit good (false positive) and bad (false negative) entities including user-reported messages to Microsoft for further analysis. Tabs include **Email**, **Email attachments**, **URLs**, and **Files**. Note that **Files** is only available to users with Microsoft Defender for Endpoint P2 license, and Microsoft 365 Defender E5 license.. The Submissions page is available to organizations who have Exchange Online mailboxes as part of a Microsoft 365 subscription (not available in standalone EOP).|

-[User reported settings](submissions-user-reported-messages-custom-mailbox.md) allow admins to configure whether user reported messages go to a specified reporting mailbox, to Microsoft, or both. Depending on your subscription, user reported messages are available in the following locations in the Microsoft 365 Defender portal:

-Admins can use mail flow rules (also known as transport rules) to notify specified email address when users report messages to Microsoft for analysis. For more information, see [Use mail flow rules to see what users are reporting to Microsoft](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-see-what-users-are-reporting-to-microsoft).

-Admins can also submit other suspected files to Microsoft for analysis using the sample submission portal at <https://www.microsoft.com/wdsi/filesubmission>. For more information, see [Submit files for analysis](../intelligence/submission-guide.md).

-> Information is blocked from going outside the organization when data isn't supposed to leave the tenant boundary for compliance purposes (for example, in U.S. Government organizations: Microsoft 365 GCC, GCC High, and DoD). Reporting a message or URL or email attachment to Microsoft from one of these organizations will have the following message in the result details:

-> **Further investigation needed**. Your tenant doesn't allow data to leave the environment, so nothing was found during the initial scan. You'll need to contact Microsoft support to have this item reviewed.

-> If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the **Submissions** page in the Microsoft 365 Defender portal. For more information, see [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](submissions-admin.md).

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP includes anti-malware protection that's automatically enabled. For more information, see [Anti-malware protection in EOP](anti-malware-protection-about.md).

-But what can you do if you receive a message with a suspicious attachment or have a suspicious file on your system? Or what if you suspect that your computer or device was infected by an email attachment that made it past our filters or a file you downloaded from the internet? In these cases, you should submit the suspicious attachment or file to Microsoft. Conversely, if an attachment in an email message or file was incorrectly identified as malware or some other threat, you can submit that, too.

-After we receive the sample, we'll investigate. If we determine that the sample file is malicious, we'll take corrective action to prevent the malware from going undetected.

-## Submit non-malware files to Microsoft

-After we receive the sample, we'll investigate. If we determine that the sample file is clean, we'll take corrective action to prevent the file from being detected as malware.

- - Click the link in the **Name** column.

- - Select the policy by clicking anywhere in the row other than the **Name** column, and then click  **Edit**.

-3. In the policy details page that opens, find the **Report a security concern** toggle. By default, it's  **On**. To turn it off, toggle the setting to  **Off**.

-4. Click **Save**, and then click **Confirm** in the confirmation dialog that opens.

-1. In the Microsoft Teams client, hover over the malicious message without selecting it, and then click **... More options** \> **More actions** \> **Report this message**.

- :::image type="content" source="../../media/submissions-user-report-message-in-teams-client-click-path.png" alt-text="Screenshot of the Click path to report a message in the Microsoft Teams client." lightbox="../../media/submissions-user-report-message-in-teams-client-click-path.png":::

-2. In the **report this message** dialog that opens, verify **Security risk - Spam, phishing, malicious content** is selected, and then click **Report**.

-3. In the confirmation dialog that opens, click **Close**.

- To view the corresponding alert for a user reported message in Teams, go to the **User reported** tab on the **Submission** page, and then double-click the message to open the submission flyout. Click  **More options** and then select **View alert**.

- - **Reason** is not available.

- - **Phish simulation** is not available.

- - **Send reported messages to** \> **My reporting mailbox only**: The **Result** column value is always **Not submitted to Microsoft**, because the messages were not analyzed by Microsoft.

-Delivering user reported messages to a reporting mailbox instead of directly to Microsoft allows admins to selectively and manually submit messages to Microsoft from the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>. For more information, see [Admin submission](submissions-admin.md).

- - Turn off Zero-hour auto purge (ZAP) for malware (**Protection settings** section \> **Enable zero-hour auto purge for malware** is not selected or `-ZapEnabled $false` in PowerShell).

- - Turn off common attachments filtering (**Protection settings** section \> **Enable the common attachments filter** is not selected or `-EnableFileFilter $false` in PowerShell).

- - Create a Safe Links policy for the reporting mailbox where Safe Links scanning in email is turned off (**URL & click protection settings** \> **On: Safe Links checks a list of known, malicious links when users click links in email** is not selected or `EnableSafeLinksForEmail $false` in PowerShell). For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](safe-links-policies-configure.md).

-After you've verified that the reporting mailbox meets all of these requirements, use the rest of the instructions in this article to identify the reporting mailbox and to configure related settings.

- - **Organization Management** or **Security Administrator** in the [Permissions in the Microsoft 365 Defender portal](mdo-portal-permissions.md).

- > Specify an email address in your domain

- For more information about enabling or disabling access to Exchange Online PowerShell, see the following topics:

-2. On the **User reported** page, what you see and can configure is determined entirely by the toggle at the top of the page:

- - You decide how to customize the feedback email that's sent to users from **Mark and notify** on the **Submissions** page at <https://security.microsoft.com/reportsubmission>.

- In the **Add a mailbox to send reported messages to** box that appears, enter the email address of an existing Exchange Online mailbox to use as the reporting mailbox that holds user reported messages from Microsoft reporting tools. Distribution groups and routing to an external or on-premises mailbox are not allowed.

- Messages don't go to Microsoft for analysis unless an admin manually submits the message from the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>.

- In the **Add a mailbox to send reported messages to** box that appears, enter the email address of an existing Exchange Online mailbox to use as the reporting mailbox. Distribution groups and routing to external or on-premises mailboxes is not allowed.

- > - If you select **My reporting mailbox only**, the **Result** value of messages entries on the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user> will be **Not Submitted to Microsoft**, because the messages were not analyzed by Microsoft.

- > - In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), the only available selection in the **Send the reported messages to** section is **My reporting mailbox only**. The other two options are grayed out due to compliance reasons.

- If this setting is selected, click **Customize before message** to enter the **Title** and **Message** text in the **Customize text before message is reported** flyout that opens. Use the variable `%type%` to include the submission type (junk, not junk, phishing, etc.).

- When you're finished, click **Confirm** to return to the **User reported** page.

- If this setting is selected, click **Customize after message** to enter the **Title** and **Message** text in the **Customize text after message is reported** flyout that opens. Use the variable `%type%` to include the submission type (junk, not junk, phishing, etc.).

- When you're finished, click **Confirm** to return to th **User reported** page.

- - **Replace the Microsoft logo with my company logo**: Select this option to replace the default Microsoft logo that's used in notifications. Before you do this step, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo. This option is not supported if your organization has a custom logo pointing to a URL instead of an uploaded image file.

- - **Customize email notification messages**: Click this link to customize the email notification that's sent after an admin reviews and marks a reported message. In the **Customize admin review email notifications** flyout that appears, configure the following settings on the **Phishing**, **Junk** and **No threats found** tabs:

- When you're finished, click **Confirm** to return to the **User reported** page.

-When you're finished on the **User reported** page, click **Save**. To restore all settings on the page to their immediately previous values, click **Restore**.

- > Messages that contain multiple attached messages will be discarded. We support only one attached original message in a user reported message.

-When you're finished on the **User reported** page, click **Save**. To restore all settings on the page to their immediately previous values, click **Restore**.

- Messages that don't follow this format will not display properly on the **Submissions** page at <https://security.microsoft.com/reportsubmission>.

-Remember, if you've never gone to <https://security.microsoft.com/securitysettings/userSubmission> or manually created the report submission policy or the report submission rule in PowerShell, there is no report submission policy or report submission rule, so the **Get-ReportSubmissionPolicy** and **Get-ReportSubmissionRule** cmdlets return nothing.

- - **Customize before message** link: Nothing is entered in the **Title** or **Message** boxes in the flyout.(`-EnableCustomizedMsg $false` is the default value).

- - **Specify an Office 365 mailbox to send email notifications from** is not selected (`-EnableCustomNotificationSender $false` is the default value).

- - **Replace the Microsoft logo with my company logo** is not selected (`-EnableOrganizationBranding $false` is the default value).

-Because a reporting mailbox isn't use, the report submission rule is not needed or created.

-To start over with the default settings of the report submission policy, you can delete it and recreate it. Removing the report submission policy does not remove the report submission rule, and vice-versa.

-> In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), reported messages aren't sent to Microsoft for analysis. They are sent only to the reporting mailbox that you identify. For more information, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md).

-Use the Submissions page (also known as *admin submission*) at <https://security.microsoft.com/reportsubmission> to create block entries for the following types of items as you report them as false negatives to Microsoft:

- - If spoof intelligence has already blocked the message as spoofing, use the Submissions page at <https://security.microsoft.com/reportsubmission> to report the **email** to Microsoft as **Should not have been blocked (False positive)**.

-The following list describes what happens in the Tenant Allow/Block List when you report something to Microsoft as a false positive on the Submissions page:

- For URLs reported as false positives, we'll allow subsequent messages that contain variations of the original URL. For example, you use the Submissions page to report the incorrectly blocked URL `www.contoso.com/abc`. If your organization later receives a message that contains the URL (for example but not limited to: `www.contoso.com/abc`, `www.contoso.com/abc?id=1`, `www.contoso.com/abc/def/gty/uyt?id=5`, or `*.contoso.com/abc`), the message won't be blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.

-> Microsoft manages the creation of allow entries from the Submissions page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL.

-After you add an allow entry on the Submissions page or a block entry in the Tenant Allow/Block List, the entry should start working immediately 99.999% of the time. For the rest, it could take up to 24 hours.

-When you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit email messages as **Should have been blocked (False negative)**, you can select **Block all emails from this sender or domain** to add a block entry for the sender email address or domain on the **Domains & addresses** tab in the Tenant Allow/Block List.

-You can't create allow entries for domains and email addresses directly in the Tenant Allow/Block List. Instead, you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit the message as a false positive, which also adds an allow entry for the sender on the **Domains & addresses** tab in the Tenant Allow/Block List.

-> Microsoft manages the creation of allow entries from the Submissions page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL.

-Submitting a message that was incorrectly blocked as impersonation on the Submissions page at <https://security.microsoft.com/reportsubmission> does not add the sender or domain as an allow entry in the Tenant Allow/Block List.

-When you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit files as **Should have been blocked (False negative)**, you can select **Block this file** to add a block entry on the **Files** tab in the Tenant Allow/Block List.

-You can't create allow entries for files directly in the Tenant Allow/Block List. Instead, you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit the message attachment as a false positive, which also adds an allow entry on the **Files** tab in the Tenant Allow/Block List.

-> Microsoft manages the creation of allow entries from the Submissions page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a file in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the file.

-When you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit URLs as **Should have been blocked (False negative)**, you can select **Block this URL** to add a block entry on the **URLs** tab in the Tenant Allow/Block List.

-You can't create URL allow entries directly in the Tenant Allow/Block List. Instead, you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit the URL as a false positive, which also adds an allow entry on the **URLs** tab in the Tenant Allow/Block List.

-> Microsoft manages the allow entry creation process for URLs from the Submissions page. We'll create allow entries for URLs that were determined to be malicious by our filters during mail flow or at time of click.

-> We allow subsequent messages that contain variations of the original URL. For example, you use the Submissions page to report the incorrectly blocked URL `www.contoso.com/abc`. If your organization later receives a message that contains the URL (for example but not limited to: `www.contoso.com/abc`, `www.contoso.com/abc?id=1`, `www.contoso.com/abc/def/gty/uyt?id=5`, or `*.contoso.com/abc`), the message won't be blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.

-^{**Applies to:** &ensp; &#10003; All custom models &ensp; | &ensp; &#10003; All trained models}

-Microsoft Syntex is a content understanding, processing, and compliance service that uses intelligent document processing, content artificial intelligence (AI), and advanced machine learning to automatically and thoughtfully find, organize, and classify documents in your SharePoint libraries.

- :::column span="":::

- With Syntex, you can automate your content-based processesΓÇöcapturing the information in your business documents and transforming that information into working knowledge for your organization.

- Rather than clicking and sorting through hundreds or thousands of files, Syntex extracts, analyzes, and categorizes the data for you.

- :::column-end:::

- :::column span="":::

- 

- :::column-end:::