Updates from: 06/08/2023 02:10:39
Category Microsoft Docs article Related commit history on GitHub Change details
admin Select Domain To Use For Email From Microsoft 365 Products https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/select-domain-to-use-for-email-from-microsoft-365-products.md
The default option is that users receive no-reply emails sent by Microsoft on be
## <a name="configsetting">Configure the "Send email notifications from your domain" setting</a>
-The setting is available via the Microsoft 365 Admin Center Settings menu item. Select Settings, select Org Settings, and then the Organizational Settings profile tab as illustrated below.
+The setting is available via the Microsoft 365 Admin Center **Settings** menu item. Select **Settings**, select **Org settings**, and then select the **Organization profile** tab as illustrated below.
:::image type="content" alt-text="Org Settings - Send email notifications setting" source="../../media/send-email-notifications-org-settings.png" lightbox="../../media/send-email-notifications-org-settings.png":::
The setting is available via the Microsoft 365 Admin Center Settings menu item.
1. In the Microsoft 365 admin center, in the navigation pane select **Settings**. 2. Select **Org settings**.
-3. On the **Org settings** page, select **Organizational profile**.
-4. On the **Organizational profile** page, select **Send email notifications from your domain**.
+3. On the **Org settings** page, select **Organization profile**.
+4. On the **Organization profile** page, select **Send email notifications from your domain**.
5. In the **Send email notifications from your domain** page, select **Use a custom send-from domain address**. 6. The **Domains** menu, select the domain that you want to use for your email replies.The domains listed in the menu includes verified complete and incomplete domains as Microsoft 365 allows DNS settings to be configured and managed outside of the tenant. Your System or Exchange administrator must ensure that they follow and meet all DNS and domain requirements. 7. For **Custom username**, administrators can optionally configure the no-reply prefix. They could then create a matching email address in Exchange, if they would like to monitor responses from users.
admin Support Contact Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/support-contact-info.md
search.appverid: - MET150 description: "Learn how to get phone support for your Microsoft 365 for business subscription. You must be an admin for a business subscription to get support." Previously updated : 01/04/2023 Last updated : 06/07/2023 # Find Microsoft 365 for business support phone numbers by country or region
English: 24 hours a day, 7 days a week
**Phone number:**\ 120 852 137
-**Billing support hours:**\
-English: Monday through Friday, 9 AM-5 PM
+Alternative Phone Number: 12280770
:::column-end::: :::column:::
+**Billing support hours:**\
+English: Monday through Friday, 9 AM-5 PM
+ **Technical support hours:**\ English: 24 hours a day, 7 days a week :::column-end:::
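Review bot: The added `Alternative Phone Number: 12280770` line does not follow the formatting of the entry it sits in. The existing label is `**Phone number:**\` (bold, sentence case, trailing line break), while the new line is plain text in title case with the number on the same line. Suggest `**Alternative phone number:**\` with the number on the following line so both numbers render the same way.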
compliance Deploy Scanner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner.md
For more information about deploying the scanner, see the following articles:
- Interested in how the Core Services Engineering and Operations team in Microsoft implemented this scanner? Read the technical case study: [Automating data protection with Azure Information Protection scanner](https://www.microsoft.com/itshowcase/Article/Content/1070/Automating-data-protection-with-Azure-Information-Protection-scanner). -- You can also use PowerShell to interactively classify and protect files from your desktop computer. For more information about this and other scenarios that use PowerShell, see [Using PowerShell with the Azure Information Protection unified labeling client](./-- .md).
+- You can also use PowerShell to interactively classify and protect files from your desktop computer. For more information about this and other scenarios that use PowerShell, see [Using PowerShell with the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-powershell).
compliance Dlp Chrome Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md
Title: "Get started with the Microsoft Purview Chrome Extension"
+ Title: "Get started with the Microsoft Purview extension for Chrome"
f1.keywords: - CSH
search.appverid: - MET150
-description: "Prepare for and deploy the Microsoft Purview Extension."
+description: "Prepare for and deploy the Microsoft Purview extension for Chrome."
-# Get started with Microsoft Purview Chrome Extension
+# Get started with the Microsoft Purview extension for Chrome
-Use these procedures to roll out the Microsoft Purview Chrome Extension.
+Use these procedures to roll out the Microsoft Purview extension for Chrome.
[!INCLUDE [purview-preview](../includes/purview-preview.md)] > [!NOTE]
-> Microsoft Purview Extension is only applicable to Windows devices. The extension is not necessary for the enforcement of data loss prevention on macOS devices.
+> Microsoft Purview extension for Chrome is only applicable to Windows devices. The extension is not necessary for the enforcement of data loss prevention on macOS devices.
## Before you begin
-To use Microsoft Purview Chrome Extension, the device must be onboarded into endpoint DLP. Review these articles if you are new to DLP or endpoint DLP
+To use Microsoft Purview extension for Chrome, the device must be onboarded into endpoint DLP. Review these articles if you are new to DLP or endpoint DLP
-- [Learn about Microsoft Purview Chrome Extension](dlp-chrome-learn-about.md)
+- [Learn about Microsoft Purview extension for Chrome](dlp-chrome-learn-about.md)
- [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md) - [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) - [Learn about endpoint data loss prevention](endpoint-dlp-learn-about.md)
compliance Dlp Chrome Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-learn-about.md
Title: "Learn about the Microsoft Purview Chrome Extension"
+ Title: "Learn about the Microsoft Purview extension for Chrome"
f1.keywords: - CSH
search.appverid:
description: "The Microsoft Purview Extension extends monitoring and control of file activities and protective actions to the Google Chrome browser"
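Review bot: The `description:` metadata is left unchanged and still reads "The Microsoft Purview Extension extends monitoring and control...", while the `Title:` above it and the H1 below it are renamed to "Microsoft Purview extension for Chrome". Update the description in the same commit so the metadata matches the new product name, as was done for the description in dlp-chrome-get-started.md.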
-# Learn about the Microsoft Purview Chrome Extension
+# Learn about the Microsoft Purview extension for Chrome
[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft Purview data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10/11 devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [data loss prevention policies](dlp-learn-about-dlp.md).
-Once the Microsoft Purview Chrome Extension is installed on a Windows 10/11 device, organizations can monitor when a user attempts to access or upload a sensitive item to a cloud service using Google Chrome and enforce protective actions via DLP.
+Once the Microsoft Purview extension for Chrome is installed on a Windows 10/11 device, organizations can monitor when a user attempts to access or upload a sensitive item to a cloud service using Google Chrome and enforce protective actions via DLP.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
activity |description | supported policy actions|
## Next steps
-See [Get started with the Microsoft Purview Chrome Extension](dlp-chrome-get-started.md) for complete deployment procedures and scenarios.
+See [Get started with the Microsoft Purview extension for Chrome](dlp-chrome-get-started.md) for complete deployment procedures and scenarios.
## See also -- [Get started with Microsoft Purview Chrome Extension](dlp-chrome-get-started.md)
+- [Get started with Microsoft Purview extension for Chrome](dlp-chrome-get-started.md)
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Getting started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Using Endpoint data loss prevention](endpoint-dlp-using.md)
compliance Dlp Configure Endpoint Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-endpoint-settings.md
For macOS devices, you must add the full file path. To find the full path of Mac
You can control whether sensitive files that are protected by your policies can be uploaded to specific service domains. > [!NOTE]
-> The **Service domains** setting only applies to files uploaded using Microsoft Edge or an instance of Google Chrome that has the [Microsoft Purview Chrome Extension](dlp-chrome-learn-about.md) installed.
+> The **Service domains** setting only applies to files uploaded using Microsoft Edge, or using instances of Google Chrome or Mozilla Firefox that have the [Microsoft Purview Chrome Extension](dlp-chrome-learn-about.md) installed.
##### Allow
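Review bot: The added note now covers Mozilla Firefox, but the link text and target are still the Chrome ones: `[Microsoft Purview Chrome Extension](dlp-chrome-learn-about.md)`. As written, it says a Firefox instance needs the Chrome extension, and it keeps the old product name that the rest of this update replaces. Use "Microsoft Purview extension for Chrome" for the Chrome case and add a separate link to dlp-firefox-extension-learn.md for Firefox, so admins scoping the **Service domains** restriction know which extension each browser needs for the control to apply.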
compliance Dlp Create Deploy Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-create-deploy-policy.md
f1.keywords:
Previously updated : 04/19/2023 Last updated : 06/07/2023 audience: ITPro f1_keywords:
This procedure uses a hypothetical distribution group *Finance team* at Contoso.
1. Choose **Next** > **Keep it off** > **Next** > **Submit**.
-<!--### Scenario 2 Monitor or restrict user activities on sensitive service domains
+<!--### Scenario Monitor or restrict user activities on sensitive service domains
Use this scenario when you want to audit or block these user activities on a website.
Use this scenario when you want to audit or block these user activities on a web
The user must be accessing the website through Microsoft Edge.
-#### Scenario 2 pre-requisites and assumptions
+#### Scenario pre-requisites and assumptions
This scenario requires that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md).
-#### Scenario 2 policy intent statement and mapping
+#### Scenario policy intent statement and mapping
-#### Steps to create policy for scenario 2
+#### Steps to create policy for scenario
### Configure Sensitive service domains
This scenario requires that you already have devices onboarded and reporting int
1. Finish configuring the rule and policy and apply it. --> <!--
-### Scenario 2
+### Scenario
-5) Scenario 2 email - ΓÇ£Contoso needs to block all emails that contain a password protected OR a zip document file extension is zip/7z except it the recipient is in the contoso.com domain OR the fabrikam domain OR the sender is a member of the Contoso HR group. Introduces nested NOT with and OR
+5) Scenario email - ΓÇ£Contoso needs to block all emails that contain a password protected OR a zip document file extension is zip/7z except it the recipient is in the contoso.com domain OR the fabrikam domain OR the sender is a member of the Contoso HR group. Introduces nested NOT with and OR
a. Mapping b. Creation - can include creation from a template c. Deployment i. testing/tuning ii. move fully into production
-### Scenario 3
Scenario recommendation: Restrict users from uploading sensitive data to unsanctioned locations (Web sites, USB devices, printers, etc) AND block users from copying/saving data from Sensitive sites. - -->
-### Scenario 2 Show policy tip as oversharing popup (preview)
+### Scenario 2 Show policy tip as oversharing popup
Oversharing popup is an E5 feature. > [!IMPORTANT]
compliance Dlp Firefox Extension Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-firefox-extension-get-started.md
Title: "Get started with the Microsoft Purview Firefox Extension"
+ Title: "Get started with the Microsoft Purview extension for Firefox"
f1.keywords: - CSH
search.appverid: - MET150
-description: "Prepare for and deploy the Microsoft Purview Firefox Extension."
+description: "Prepare for and deploy the Microsoft Purview extension for Firefox."
-# Get started with Microsoft Purview Firefox Extension
+# Get started with the Microsoft Purview extension for Firefox
-Use these procedures to roll out the Microsoft Purview Firefox Extension.
+Use these procedures to roll out the Microsoft Purview extension for Firefox.
[!INCLUDE [purview-preview](../includes/purview-preview.md)] ## Before you begin
-To use Microsoft Purview Extension, the device must be onboarded into endpoint DLP. Review these articles if you are new to DLP or endpoint DLP
+To use the Microsoft Purview extension for Firefox, the device must be onboarded into endpoint DLP. Review these articles if you are new to DLP or endpoint DLP
-- [Learn about Microsoft Purview Firefox Extension](dlp-firefox-extension-learn.md)
+- [Learn about Microsoft Purview extension for Firefox](dlp-firefox-extension-learn.md)
- [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md) - [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) - [Learn about endpoint data loss prevention](endpoint-dlp-learn-about.md)
Before you get started, you should confirm your [Microsoft 365 subscription](htt
For detailed licensing guidance, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection). -- Your org must be licensed for Endpoint DLP
+- Your organization must be licensed for Endpoint DLP
- Your devices must be running Windows 10 x64 build 1809 or later. - The device must have Antimalware Client Version is 4.18.2202.x or later. Check your current version by opening **Windows Security** app, select the **Settings** icon, and then select **About**.
After ingesting the ADMX, the steps below can be followed to create a configurat
If you don't want to use Microsoft Intune, you can use group policies to deploy the extension across your organization.
-#### Adding the Firefox Extension to the ForceInstall List
+#### Adding the Firefox extension to the ForceInstall List
1. In the Group Policy Management Editor, navigate to your OU.
If you don't want to use Microsoft Intune, you can use group policies to deploy
8. Select **OK** and then **Apply**.
-### Test the Extension
+### Test the extension
#### Upload to cloud service, or access by unallowed browsers Cloud Egress
compliance Dlp Firefox Extension Learn https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-firefox-extension-learn.md
Title: "Learn about the Microsoft Purview Firefox Extension"
+ Title: "Learn about the Microsoft Purview extension for Firefox"
f1.keywords: - CSH
- m365initiative-compliance search.appverid: - MET150
-description: "The Microsoft Purview Firefox Extension extends monitoring and control of file activities and protective actions to the Firefox browser"
+description: "The Microsoft Purview extension for Firefox extends monitoring and control of file activities and protective actions to the Firefox browser"
-# Learn about the Microsoft Purview Firefox Extension
+# Learn about the Microsoft Purview extension for Firefox
[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft Purview data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](dlp-learn-about-dlp.md).
activity |description | supported policy actions|
## Deployment process 1. [Get started with endpoint data loss prevention](endpoint-dlp-getting-started.md) 2. [Onboarding tools and methods for Windows 10 devices](device-onboarding-overview.md)
-3. [Install the Firefox extension on your Windows 10 devices](dlp-firefox-extension-get-started.md)
+3. [Install the extension for Firefox extension on your Windows 10 devices](dlp-firefox-extension-get-started.md)
4. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) that restrict upload to cloud service, or access by unallowed browsers actions and apply them to your Windows 10 devices ## Next steps
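Review bot: The new link text in step 3 of the deployment process has a duplicated word: "Install the extension for Firefox extension on your Windows 10 devices". Suggest "Install the Microsoft Purview extension for Firefox on your Windows 10 devices", which matches the naming used in the title and H1 of this file.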
-See [Get started with the Microsoft Purview Firefox Extension](dlp-firefox-extension-get-started.md) for complete deployment procedures and scenarios.
+See [Get started with the Microsoft Purview extension for Firefox](dlp-firefox-extension-get-started.md) for complete deployment procedures and scenarios.
## See also -- [Get started with Microsoft Purview Firefox Extension](dlp-firefox-extension-get-started.md)
+- [Get started with Microsoft Purview extension for Firefox](dlp-firefox-extension-get-started.md)
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Getting started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Using Endpoint data loss prevention](endpoint-dlp-using.md)
compliance Dlp Owa Policy Tips https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-owa-policy-tips.md
ms.localizationpriority: medium
- tier3 - purview-compliance
-hideEdit: true
feedback_system: None recommendations: false description: "DLP policy tip reference for Outlook 2013 for Win32."
compliance Dlp Policy Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
When a user overrides a block with override action on an email, the override opt
] } ```
-If you have an automated process that makes use of the business justification values, the process can access that information programmatically in the email X-header data.
+If you have an automated process that makes use of the business justification values, the process can access that information programmatically in the email X-header data.
+
+> [!NOTE]
+> The `msip_justification` values are stored in the following order:
+>
+> `False Positive; Recipient Entitled; Manager Approved; I Acknowledge; JustificationText_[free text]`.
+>
+> Notice that the values are separated by semicolons. The maximum free text allowed is 500 characters.
### Incident reports
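Review bot: The new note on `msip_justification` gives the value order and the semicolon separator but leaves open two things an automated consumer of the X-header needs. It does not say whether options the user did not choose are omitted or kept as empty positions, and it does not say what happens when the free text after `JustificationText_` itself contains a semicolon. Please state both, and whether the 500-character limit is enforced at entry or by truncation, so a parser can split the value without attributing the wrong justification to an override.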
compliance Sensitivity Labels Aip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-aip.md
The AIP client supports many customizations by using [PowerShell advanced settin
However, you might find you don't need to use PowerShell to configure the supported settings because they're included in the standard configuration from the Microsoft Purview compliance portal. For example, UI configuration to choose label colors, and turn off mandatory labeling for Outlook. Check the available configurations in [Manage sensitivity labels in Office apps](sensitivity-labels-office-apps.md). > [!NOTE]
-> The AIP add-in used PowerShell advanced settings for [oversharing popup messages in Outlook](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#implement-pop-up-messages-in-outlook-that-warn-justify-or-block-emails-being-sent). When you use built-in labeling, the equivalent of this configuration is now available as a [DLP policy configuration](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview).
+> The AIP add-in used PowerShell advanced settings for [oversharing popup messages in Outlook](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#implement-pop-up-messages-in-outlook-that-warn-justify-or-block-emails-being-sent). When you use built-in labeling, the equivalent of this configuration is now available as a [DLP policy configuration](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup).
## Features not planned to be supported by built-in labeling for Office apps
compliance Sensitivity Labels Meetings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-meetings.md
audience: Admin Previously updated : 05/31/2023 Last updated : 06/06/2023 ms.localizationpriority: high
Sensitivity labels that apply [S/MIME protection](sensitivity-labels-office-apps
**Specific to Teams**: -- Labels configured for [other languages](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell) aren't supported and display the original language only.--- For Teams on the web, the prevent copy to clipboard option isn't supported for all browsers, such as Safari and Firefox.
+- Labels configured for [other languages](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell) aren't supported for the [classic Teams client](https://support.microsoft.com/office/try-the-new-microsoft-teams-2d4a0c96-fa52-43f8-a006-4bfbc62cf6c5), and display the original language only. This limitation doesn't apply for the new Teams client.
- For iOS and Android, the label isn't displayed in the calendar but is displayed when the user joins the meeting. -- If your label policy includes any of the following configurations, these aren't currently supported:
- - Justification for changing a label
- - Require users to label their meetings and calendar event (also known as mandatory labeling)
- - Help link to a custom help page
- - While a meeting is in session, a sensitivity label can't prevent participants from inviting people to join by copying the meeting link, or by sharing via default email or the Outlook calendar. These choices are from the Teams meeting **Share invite** option. -- If there's a label change made in Outlook clients while the meeting is progress, any changes to the meeting options won't take effect for the current meeting. If the meeting is in a series, the changes will apply to the next instance.- - If there's a label change made in Teams while the meeting is progress, any changes to the following meeting options won't take effect for the current meeting unless the organizer ends and restarts the meeting: - Who can record - Encryption for meeting video and audio - Automatically record - Video watermark for screen sharing and camera streams
- - Prevent copy of meeting chat
- The following meeting options won't take effect for a Meet Now meeting: - Who can record - Encryption for meeting video and audio - Automatically record - Video watermark for screen sharing and camera streams
- - Prevent copy of meeting chat
- Sensitivity labels can't be applied to live events and webinars. - Labeling meeting invites with Graph APIs isn't supported. - ## How to configure a sensitivity label to protect calendar items, Teams meetings, and chat 1. Follow the general instructions to [create or edit a sensitivity label](create-sensitivity-labels.md#create-and-configure-sensitivity-labels) and make sure **Items** is selected for the [label's scope](sensitivity-labels.md#label-scopes), and also the options for **Files**, **Emails**, and **Meetings**:
Other label policy settings that are specific just to calendar items, Teams meet
The label setting to prevent copying chat to the clipboard is enforced for all channel chats, even outside channel meetings. For non-channel meetings, it's enforced only for meetings.
-This setting is currently unsupported for virtual desktop infrastructure (VDI).
+The methods supported to prevent copying chat:
+- Select the text and then right-click \> **Copy** or Ctrl+C
+- Forward messages
+- Share to Outlook
+- Copy link
-The methods supported to prevent copying chat: Select the text and then right-click \> **Copy** or Ctrl+C. Copying using developer tools or third-party apps won't be prevented.
+Copying using developer tools, third-party apps, or using screen captures won't be prevented.
## How to configure and apply a label for channel meetings
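Review bot: The list heading "The methods supported to prevent copying chat:" is ambiguous: it can be read as ways to prevent copying rather than as the copy paths the label blocks. Suggest "The label blocks the following ways of copying chat:" before the four items. The hunk also removes "This setting is currently unsupported for virtual desktop infrastructure (VDI)." without a replacement; if VDI is now supported, say so here rather than only in whats-new.md.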
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
f1.keywords:
Previously updated : 05/31/2023 Last updated : 06/07/2023 audience: Admin
For guidance about when to use this setting, see the information about [policy s
### For Outlook Mobile, change when users are prompted for a label
-Now available in the Beta Channel for Android, and not yet for iOS, you can use a Microsoft Intune [Managed apps app configuration policy](/mem/intune/apps/app-configuration-policies-managed-app#add-a-managed-apps-app-configuration-policy) to configure a setting from the Intune App Software Development Kit (SDK) that changes when users are prompted to select a sensitivity label for Outlook Mobile.
+Currently rolling out, this setting requires a minimum version of 4.2316.0 for Outlook for Android and Outlook for iOS.
+
+You can use a Microsoft Intune [Managed apps app configuration policy](/mem/intune/apps/app-configuration-policies-managed-app#add-a-managed-apps-app-configuration-policy) to configure a setting from the Intune App Software Development Kit (SDK) that changes when users are prompted to select a sensitivity label for Outlook Mobile.
Instead of prompting for a label on send when mandatory labeling is configuring for emails, this configuration results in prompting for a label when a user first composes a message.
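Review bot: "Currently rolling out" in the added sentence will go stale and gives readers no way to tell whether their tenant should have the setting yet. The minimum version 4.2316.0 is the durable part, so lead with it. The sentence kept just below also reads "when mandatory labeling is configuring for emails", which should be "is configured" and can be fixed in the same change.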
compliance Sensitivity Labels Versions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-versions.md
The numbers listed are the minimum Office application versions required for each
|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) <sup>\*</sup> |Under review |Preview: [Beta](https://support.google.com/googleplay/work/answer/7042126) |Under review | |[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review | |[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2303+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Rolling out: 16.70+ <sup>\*</sup> | Rolling out: 4.2309+ |Rolling out: 4.2309+ |Yes |
-|[Preventing oversharing as DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview)|Preview: [Current Channel (Preview)](https://office.com/insider) |Under review |Under review |Under review |Under review |
+|[Preventing oversharing as DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup)|Preview: [Current Channel (Preview)](https://office.com/insider) |Under review |Under review |Under review |Under review |
|[Label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments) |Current Channel: 2303+ <br /><br> Monthly Enterprise Channel: 2304+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review | |[Double Key Encryption (DKE)](encryption-sensitivity-labels.md#double-key-encryption) |Preview: [Current Channel (Preview)](https://office.com/insider) |Under review |Under review |Under review| Under review |
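Review bot: Only the anchor in the "Preventing oversharing as DLP policy tip" row changed (the `-preview` suffix is dropped); the Windows cell still says `Preview: [Current Channel (Preview)]`. The whats-new.md entry in this same update announces general availability of the oversharing popup for Outlook Win32, so this cell should carry the minimum versions per channel, as the neighbouring rows do.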
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
f1.keywords:
Previously updated : 05/31/2023 Last updated : 06/07/2023 audience: Admin
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
+## June 2023
+
+### Sensitivity labels
+
+- **General availability (GA)**: Now rolling out, Outlook for Android and Outlook for iOS support a setting for mandatory labeling that you can configure with Microsoft Intune to [prompt users to select a sensitivity label when they first compose an email](sensitivity-labels-office-apps.md#for-outlook-mobile-change-when-users-are-prompted-for-a-label) instead of when they send it.
+- **Removal of limitations for Teams when using sensitivity labels**: Several previous limitations are removed for [Teams protected meetings](sensitivity-labels-meetings.md), which include Safari and Firefox support to prevent copy chat, support for virtual desktop infrastructure (VDI), policy settings for justification for changing a label, mandatory labeling, and a help link to a custom help page, and more methods are now supported to prevent copying chat.
+
+### Data loss prevention
+
+- **General availability (GA)**: Oversharing Popup for Outlook Win 32. [Scenario 2 Show policy tip as oversharing popup](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup) and [Business justification X-Header](dlp-policy-reference.md#business-justification-x-header).
+ ## May 2023 ### Compliance Manager
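Review bot: The Teams bullet under "Sensitivity labels" packs every removed limitation into one sentence, and the closing "and more methods are now supported to prevent copying chat" is hard to attach to anything. Split it into sub-bullets, one per limitation (Safari and Firefox support, VDI support, the three label policy settings, additional blocked copy methods). In the DLP entry, "Outlook Win 32" should match the "Win32" spelling used elsewhere in these docs.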
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- [Display of conditions matched when an item matches a policy](dlp-configure-view-alerts-policies.md#other-matched-conditions) - [Endpoint DLP policies can be applied to network shares](dlp-configure-endpoint-settings.md#network-share-groups) - Support for [endpoint DLP policies in Azure virtual desktop, Citrix Virtual Apps and Desktops 7, Amazon virtual workspaces and Hyper-V environments](endpoint-dlp-getting-started.md#endpoint-dlp-support-for-virtualized-environments-preview)
- - [Show policy tips as an oversharing popup](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview)
### Device onboarding - **In preview**: Device configuration and policy sync status is now viewable in the onboarded devices list for [Onboarding Windows 10 or Windows 11 devices](device-onboarding-overview.md#onboarding-windows-10-or-windows-11-devices) and [Onboarding devices into device management](device-onboarding-macos-overview.md#onboarding-devices-into-device-management) devices
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **General availability (GA)**: Now in general availability for built-in labeling for Windows, support for a [default sublabel for a parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label) as a parity feature for the AIP add-in. - **General availability (GA)**: For labeling built into Windows, macOS, iOS, and Android, auditing actions for sensitivity labels include encryption details such as a change in the encryption status and settings, and the Rights Management owner. - **In preview**: The ability to [scope labels to files and emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails), so that, for example, a sensitivity label is visible to users in Outlook but not in Word, Excel, or PowerPoint. This configuration can be used as a parity feature for the AIP add-in, which could be disabled per app.-- **In preview**: Prevent [oversharing of labeled emails as a DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview). This DLP policy configuration is an equivalent for the AIP add-in with PowerShell advanced settings that implement pop-up messages in Outlook that warn, justify, or block emails being sent. - **In preview**: As a parity feature for the AIP add-in, built-in labeling for Windows supports [label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments). - **In preview**: Preview versions of Outlook for Mac now support [label colors](sensitivity-labels-office-apps.md#label-colors) but don't yet support the sensitivity bar. - **In preview**: For mandatory labeling, Outlook for Android in the Beta Channel supports a setting that you can configure with Microsoft Intune to [prompt users to select a sensitivity label when they first compose an email](sensitivity-labels-office-apps.md#for-outlook-mobile-change-when-users-are-prompted-for-a-label) instead of when they send it.
enterprise O365 Data Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/o365-data-locations.md
description: "Determine where your Microsoft 365 customer data is stored worldwi
# Where your Microsoft 365 customer data is stored
-See the following links to understand workload data location.
+>[!NOTE]
+>The **Poland** local data center region launched on April 26, 2023. If your organization requires the migration of your Microsoft 365 customer data to Poland, and a data residency commitments for Poland, please refer to [Advanced Data Residency](advanced-data-residency.md) for more information.
-- Exchange Online [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo)
+>[!NOTE]
+> For tenants in Australia, Brazil, Canada, France, Germany, India, Japan, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, and the United Kingdom), additional workloads are available for data residency commitments. Refer to [Advanced Data Residency](advanced-data-residency.md) for more information.
++
+See the following links to understand how you can determine current workload data location.
+
+- Exchange Online [Data Location](m365-dr-workload-exo#how-can-i-determine-customer-data-location)
- SharePoint Online (ODSP) and OneDrive for Business [Data Location](m365-dr-workload-spo.md#how-can-i-determine-customer-data-location) - Microsoft Teams [Data Location](m365-dr-workload-teams.md#how-can-i-determine-customer-data-location) - Microsoft Defender for Office (MDO P1) [Data Location](m365-dr-workload-mdo-p1.md#how-can-i-determine-customer-data-location)
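Review bot: in the second added note, the country list ends with "and the United Kingdom)," where the closing parenthesis has no opening one; drop it. In the Poland note, "a data residency commitments" should be "a data residency commitment" (or plain "data residency commitments"). The new Exchange Online link targets `m365-dr-workload-exo#how-can-i-determine-customer-data-location` without the `.md` extension that the SharePoint, Teams and Defender for Office links on the following context line use, and the `++` line adds a stray plus sign to the rendered page.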
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
ID | Category | ER | Addresses | Ports
125 | Default<BR>Required | No | `*.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.com` | **TCP:** 443, 80 126 | Default<BR>Optional<BR>**Notes:** Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled. | No | `officespeech.platform.bing.com` | **TCP:** 443 147 | Default<BR>Required | No | `*.office.com, www.microsoft365.com` | **TCP:** 443, 80
-152 | Default<BR>Optional<BR>**Notes:** These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal. | No | `*.microsoftusercontent.com` | **TCP:** 443
+152 | Default<BR>Optional<BR>**Notes:** These endpoints enable the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal. | No | `*.microsoftusercontent.com` | **TCP:** 443
153 | Default<BR>Required | No | `*.azure-apim.net, *.flow.microsoft.com, *.powerapps.com, *.powerautomate.com` | **TCP:** 443 156 | Default<BR>Required | No | `*.activity.windows.com, activity.windows.com` | **TCP:** 443 157 | Default<BR>Required | No | `ocsp.int-x3.letsencrypt.org` | **TCP:** 80
includes Supported Web Browsers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/supported-web-browsers.md
+ Last updated : 06/07/2023+++++
+> [!NOTE]
+> The following web browsers are supported:
+> - Microsoft Edge
+> - Chrome (with the Microsoft Purview extension for Chrome installed)
+> - Firefox (with the Microsoft Purview extension for Firefox installed)
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
Title: Microsoft Defender Antivirus compatibility with other security products description: Learn about Microsoft Defender Antivirus with other security products and the operating systems.
-keywords: windows defender, defender for endpoint, next-generation, antivirus, compatibility, passive mode
-ms.pagetype: security
-ms.sitesec: library
+ ms.localizationpriority: medium Previously updated : 03/15/2023 Last updated : 06/07/2023 - - m365-security - tier2
search.appverid: met150
Microsoft Defender Antivirus is automatically installed on endpoints running the following versions of Windows: -- Windows 10 or newer
+- Windows 10 or 11
- Windows Server 2022 - Windows Server 2019 - Windows Server, version 1803, or newer
This article describes what happens with Microsoft Defender Antivirus and a non-
This section describes what happens when you use Microsoft Defender Antivirus alongside non-Microsoft antivirus/antimalware products on endpoints that aren't onboarded to Defender for Endpoint.
-> [!NOTE]
-> In general, Microsoft Defender Antivirus does not run in passive mode on devices that are not onboarded to Defender for Endpoint.
+In general, Microsoft Defender Antivirus doesn't run in passive mode on devices that aren't onboarded to Defender for Endpoint.
The following table summarizes what to expect:
The following table summarizes what to expect:
|Windows 10 <br/> Windows 11|Microsoft Defender Antivirus|Active mode| |Windows 10 <br/> Windows 11|A non-Microsoft antivirus/antimalware solution|Disabled mode (happens automatically)| |Windows Server 2022 <br/> Windows Server 2019<br/> Windows Server, version 1803, or newer <br/> Windows Server 2016 <br/> Windows Server 2012 R2 |Microsoft Defender Antivirus|Active mode|
-|Windows Server 2022<br/>Windows Server 2019<br/>Windows Server, version 1803, or newer <br/> Windows Server 2016 |A non-Microsoft antivirus/antimalware solution|Disabled (set manually) <sup>[[1](#fn1)]</sup>|
+|Windows Server 2022<br/>Windows Server 2019<br/>Windows Server, version 1803, or newer <br/> Windows Server 2016 |A non-Microsoft antivirus/antimalware solution|Disabled<br/>(set manually; see the note that follows this table) |
-(<a id="fn1">1</a>) On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlet (as an administrator): `Uninstall-WindowsFeature Windows-Defender`. Restart your server to finish removing Microsoft Defender Antivirus.
+> [!NOTE]
+> On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlet (as an administrator): `Uninstall-WindowsFeature Windows-Defender`. Restart your server to finish removing Microsoft Defender Antivirus.
+> On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
If the device is onboarded to Microsoft Defender for Endpoint, you can use Microsoft Defender Antivirus in passive mode as described later in this article.
-> [!TIP]
-> On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
- ## Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions > [!NOTE]
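Review bot: in the new NOTE under the table, the Windows Server 2016 naming sentence sits on the line directly after the uninstall instructions with no blank `>` line between them, so the two render as one paragraph even though they are unrelated. Separate them with an empty `>` line, or leave the naming sentence in its own TIP. The note gives `Uninstall-WindowsFeature Windows-Defender` with no pointer to how the feature is restored if the non-Microsoft product is later removed; a one-line cross-reference would help.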
Whether Microsoft Defender Antivirus runs in active mode, passive mode, or is di
- Which version of Windows is installed on an endpoint - Whether Microsoft Defender Antivirus is the primary antivirus/antimalware solution on the endpoint - Whether the endpoint is onboarded to Defender for Endpoint
+- Whether Smart App Control is turned on or is in evaluation mode. (See [What is Smart App Control](https://support.microsoft.com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003)?)
The following table summarizes the state of Microsoft Defender Antivirus in several scenarios.
-| Windows version | Antivirus/antimalware solution | Onboarded to <br/> Defender for Endpoint? | Microsoft Defender Antivirus state |
-|:|:|:-|:-|
-| Windows 10 <br/> Windows 11| Microsoft Defender Antivirus | Yes | Active mode |
-| Windows 10 <br/> Windows 11 | Microsoft Defender Antivirus | No | Active mode |
-| Windows 10 <br/> Windows 11 | A non-Microsoft antivirus/antimalware solution | Yes | Passive mode (automatically) |
-| Windows 10 <br/> Windows 11 | A non-Microsoft antivirus/antimalware solution | No | Disabled mode (automatically) |
-| Windows Server 2022 <br/> Windows Server 2019 <br/>Windows Server, version 1803 or newer | Microsoft Defender Antivirus | Yes | Active mode |
-| Windows Server 2022 <br/> Windows Server 2019 <br/> Windows Server, version 1803 or newer | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server 2022 <br/> Windows Server 2019 <p> Windows Server, version 1803 or newer | A non-Microsoft antivirus/antimalware solution | Yes | Microsoft Defender Antivirus must be set to passive mode (manually) <sup>[[2](#fn2)]<sup> |
-| Windows Server 2022 <br/> Windows Server 2019 <p> Windows Server, version 1803 or newer | A non-Microsoft antivirus/antimalware solution | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[3](#fn3)]<sup></sup> |
-| Windows Server 2016 <br/> Windows Server 2012 R2 | Microsoft Defender Antivirus | Yes | Active mode |
-|Windows Server 2016 <br/> Windows Server 2012 R2 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server 2016 <br/> Windows Server 2012 R2 | A non-Microsoft antivirus/antimalware solution | Yes | Microsoft Defender Antivirus must be set to passive mode (manually) <sup>[[2](#fn2)]<sup> |
-|Windows Server 2016 <br/> Windows Server 2012 R2 | A non-Microsoft antivirus/antimalware solution | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[3](#fn3)]<sup> |
-
-(<a id="fn2">2</a>) On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using a registry key as follows:
+|Antivirus/antimalware solution | Onboarded to Defender for Endpoint? | Smart App Control State | Microsoft Defender Antivirus state |
+|||||
+| Microsoft Defender Antivirus | Yes | N/A <br/>Smart App Control is a consumer-only product | Active mode |
+| Microsoft Defender Antivirus | No | Off or Evaluation | Active mode |
+| Microsoft Defender Antivirus | No | On | Passive mode (automatically) |
+| A non-Microsoft antivirus/antimalware solution | Yes | N/A <br/>Smart App Control is a consumer-only product | Passive mode (automatically) |
+| A non-Microsoft antivirus/antimalware solution | No | Evaluation or On | Passive mode (automatically) |
+
+## Windows Server and passive mode
+
+On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using a registry key as follows:
+ - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: `ForceDefenderPassiveMode` - Type: `REG_DWORD`
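Review bot: the replacement table has no row for a non-Microsoft antivirus solution on a device that isn't onboarded and has Smart App Control off, a case the removed table covered as "Disabled mode (automatically)" for Windows 10 and Windows 11. The only non-onboarded, non-Microsoft row now reads "Evaluation or On", so the expected state for the "Off" case is undocumented; add that row. The removed server rows also listed Windows Server 2022 as needing passive mode set manually, but the new "Windows Server and passive mode" paragraph starts its list at Windows Server 2019; either add 2022 to that list or state why it is excluded.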
The following table summarizes the state of Microsoft Defender Antivirus in seve
You can view your protection status in PowerShell by using the command [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus). Check the value for `AMRunningMode`. You should see **Normal**, **Passive**, or **EDR Block Mode** if Microsoft Defender Antivirus is enabled on the endpoint.
- > [!NOTE]
- > For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded with the modern, unified solution described in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).
+For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded with the modern, unified solution described in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).
+
+On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, and Windows Server 2022, if you're using a non-Microsoft antivirus product on an endpoint that *isn't* onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server. However, Defender for Endpoint includes capabilities that further extend the antivirus protection that is installed on your endpoint. If you have Defender for Endpoint, you can benefit from running Microsoft Defender Antivirus alongside another antivirus solution.
-(<a id="fn3">3</a>) On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, and Windows Server 2022, if you are using a non-Microsoft antivirus product on an endpoint that is *not* onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server.
+For example, [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) provides added protection from malicious artifacts even if Microsoft Defender Antivirus isn't the primary antivirus product. Such capabilities require Microsoft Defender Antivirus to be installed and running in passive mode or active mode.
> [!TIP] > On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
-Defender for Endpoint includes capabilities that further extend the antivirus protection that is installed on your endpoint. You can benefit from running Microsoft Defender Antivirus alongside another antivirus solution.
-
-For example, [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) provides added protection from malicious artifacts even if Microsoft Defender Antivirus is not the primary antivirus product. Such capabilities require Microsoft Defender Antivirus to be installed and running in passive mode or active mode.
- ## Requirements for Microsoft Defender Antivirus to run in passive mode In order for Microsoft Defender Antivirus to run in passive mode, endpoints must meet the following requirements:
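Review bot: the paragraph added under "Windows Server and passive mode" that begins "On Windows Server 2016, Windows Server 2012 R2, ..." tells readers to disable or uninstall Microsoft Defender Antivirus on endpoints that aren't onboarded, which is about disabled mode rather than passive mode, and then pivots with "However, Defender for Endpoint includes capabilities ..." in the same paragraph. Split it so the disable/uninstall guidance stands alone and the Defender for Endpoint benefit starts its own paragraph. The TIP kept on the context line below repeats the Windows Server 2016 naming sentence that this change also adds to the NOTE after the first table, so one of the two can go.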
Defender for Endpoint affects whether Microsoft Defender Antivirus can run in pa
| Protection | Microsoft Defender Antivirus <br/>(*Active mode*) | Microsoft Defender Antivirus <br/>(*Passive mode*) | Microsoft Defender Antivirus <br/>(*Disabled or uninstalled*) | [EDR in block mode](edr-in-block-mode.md) | |:|:|:|:|:|
-| [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) | Yes | See note <sup>[[4](#fn4)]</sup> | No | No |
+| [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) | Yes | [See note 1](#notes-about-protection-states) | No | No |
| [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) | Yes | No | No | No | | [Network protection](network-protection.md) | Yes | No | No | No | | [Attack surface reduction rules](attack-surface-reduction.md) | Yes | No | No | No | | [Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md) | No | Yes | No | No |
-| [File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md) | Yes | Yes <sup>[[5](#fn5)]</sup> | No | Yes |
-| [Threat remediation](configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[6](#fn6)]</sup> | No | Yes |
-| [Security intelligence updates](microsoft-defender-antivirus-updates.md) | Yes | Yes <sup>[[7](#fn7)]</sup> | No | Yes <sup>[[7](#fn7)]</sup> |
+| [File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md) | Yes | Yes <br/>[See note 2](#notes-about-protection-states) | No | Yes |
+| [Threat remediation](configure-remediation-microsoft-defender-antivirus.md) | Yes | [See note 3](#notes-about-protection-states) | No | Yes |
+| [Security intelligence updates](microsoft-defender-antivirus-updates.md) | Yes | Yes <br/>[See note 4](#notes-about-protection-states) | No | Yes<br/>[See note 4](#notes-about-protection-states) |
| [Data Loss Prevention](../../compliance/endpoint-dlp-learn-about.md) | Yes | Yes | No | No | | [Controlled folder access](controlled-folders.md) | Yes |No | No | No |
-| [Web content filtering](web-content-filtering.md) | Yes | See note <sup>[[8](#fn8)]</sup> | No | No |
+| [Web content filtering](web-content-filtering.md) | Yes | [See note 5](#notes-about-protection-states) | No | No |
| [Device control](device-control-report.md) | Yes | Yes | No | No | | [PUA protection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Yes | No | No | No |
-(<a id="fn4">4</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection doesn't provide any blocking or enforcement, even though it's enabled and in passive mode.
+### Notes about protection states
+
+1. In general, when Microsoft Defender Antivirus is in passive mode, real-time protection doesn't provide any blocking or enforcement, even though it's enabled and in passive mode.
-(<a id="fn5">5</a>) When Microsoft Defender Antivirus is in passive mode, scans aren't scheduled. Note that scan tasks that are enabled in Windows Task Scheduler will continue to run according to their schedule. If you have such scheduled tasks, you can remove these if preferred.
+2. When Microsoft Defender Antivirus is in passive mode, scans aren't scheduled. If scans *are* scheduled in your configuration, the schedule is ignored. However, catchup scans continue to occur unless they are disabled. Scan tasks that are set up in Windows Task Scheduler continue to run according to their schedule. If you have scheduled tasks, you can remove them, if preferred.
-(<a id="fn6">6</a>) When Microsoft Defender Antivirus is in passive mode, it doesn't remediate threats. However, threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md). In this case, you might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
+3. When Microsoft Defender Antivirus is in passive mode, it doesn't remediate threats. However, [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) can remediate threats. In this case, you might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
-(<a id="fn7">7</a>) The security intelligence update cadence is controlled by Windows Update settings only. Defender-specific update schedulers (daily/weekly at specific time, interval-based) settings only work when Microsoft Defender Antivirus is in active mode. They're ignored in passive mode.
+4. The security intelligence update cadence is controlled by Windows Update settings only. Defender-specific update schedulers (daily/weekly at specific time, interval-based) settings only work when Microsoft Defender Antivirus is in active mode. They're ignored in passive mode.
-(<a id="fn8">8</a>) When Microsoft Defender Antivirus is in passive mode, web content filtering only works with the Microsoft Edge browser.
+5. When Microsoft Defender Antivirus is in passive mode, web content filtering only works with the Microsoft Edge browser.
> [!IMPORTANT] > - [Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode.
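Review bot: note 2 opens with "scans aren't scheduled" and then says "If scans *are* scheduled in your configuration, the schedule is ignored", which reads as a contradiction; say once that configured scan schedules are ignored in passive mode. It also states that catchup scans continue "unless they are disabled" without naming or linking the setting that disables them, which is the detail an administrator running a second antivirus product needs here. All five table links point to `#notes-about-protection-states` rather than to an individual note, so the numbers in the link text are the only way to find the right item; keep them in sync if the list is reordered.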
You can use one of several methods to confirm the state of Microsoft Defender An
- [Use Windows PowerShell to confirm that antivirus protection is running](#use-windows-powershell-to-confirm-that-antivirus-protection-is-running). > [!IMPORTANT]
-> Beginning with [platform version 4.18.2208.0 and later](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions): If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy](configure-endpoints-gp.md#update-endpoint-protection-configuration) setting will no longer completely disable Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it will place it into passive mode. In addition, the [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) feature will allow a switch to active mode but not to passive mode.
+> Beginning with [platform version 4.18.2208.0 and later](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions): If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy](configure-endpoints-gp.md#update-endpoint-protection-configuration) setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it place Microsoft Defender Antivirus into passive mode. In addition, the [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode, but not to passive mode.
>
-> - If "Turn off Windows Defender" is already in place before onboarding to Microsoft Defender for Endpoint, there will be no change and Defender Antivirus will remain disabled.
-> - To switch Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the [ForceDefenderPassiveMode configuration](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) with a value of `1`. To place it into active mode, switch this value to `0` instead.
+> - If "Turn off Windows Defender" is already in place before onboarding to Microsoft Defender for Endpoint, Microsoft Defender Antivirus remains disabled.
+> - To switch Microsoft Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the [ForceDefenderPassiveMode configuration](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) with a value of `1`. To place it into active mode, switch this value to `0` instead.
>
-> Note the modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection will prevent it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`.
+> Note the modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`.
### Use the Windows Security app to identify your antivirus app
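Review bot: in the rewritten IMPORTANT paragraph, "Instead, it place Microsoft Defender Antivirus into passive mode" needs "places", and the tamper protection clause lost the word "feature" that the old line had, leaving "the tamper protection allows a switch". The same sentence says the policy no longer disables "Windows Defender Antivirus" and then refers to "Microsoft Defender Antivirus" for the same product; use one name throughout.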
You can use one of several methods to confirm the state of Microsoft Defender An
### Use Windows PowerShell to confirm that Microsoft Defender Antivirus is running > [!NOTE]
-> Use this procedure only to confirm whether Microsoft Defender Antirivus is running on an endpoint.
+> Use this procedure only to confirm whether Microsoft Defender Antivirus is running on an endpoint.
1. On a Windows device, open Windows PowerShell.
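Review bot: the heading on the context line above this typo fix is "Use Windows PowerShell to confirm that Microsoft Defender Antivirus is running", while the in-page link earlier in the article points to `#use-windows-powershell-to-confirm-that-antivirus-protection-is-running`. Unless an explicit anchor with that name exists outside the visible lines, the link won't resolve; it is worth fixing in the same pass as the typo.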
The following sections describe what to expect when Microsoft Defender Antivirus
### Active mode
-In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as in the Microsoft Intune admin center or the Microsoft Defender Antivirus app on the endpoint).
+In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as in the Microsoft Intune admin center or the Microsoft Defender Antivirus app on the endpoint).
### Passive mode or EDR Block mode
-In passive mode, Microsoft Defender Antivirus isn't used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. However, threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md). Files are scanned by EDR, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
+In passive mode, Microsoft Defender Antivirus isn't used as the antivirus app, and threats aren't* remediated by Microsoft Defender Antivirus. However, [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) can remediate threats. Files are scanned by EDR, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](microsoft-defender-antivirus-updates.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware.
-**Make sure to get your antivirus and antimalware updates, even if Microsoft Defender Antivirus is running in passive mode**. See [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).<br/><br/>Note that passive mode is only supported on Windows Server 2012 R2 & 2016 when the machine is onboarded using the [modern, unified solution](/microsoft-365/security/defender-endpoint/configure-server-endpoints).
+**Make sure to get your antivirus and antimalware updates, even if Microsoft Defender Antivirus is running in passive mode**. See [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md). Passive mode is only supported on Windows Server 2012 R2 & 2016 when the machine is onboarded using the [modern, unified solution](/microsoft-365/security/defender-endpoint/configure-server-endpoints).
### Disabled or uninstalled
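Review bot: in the passive mode paragraph, replacing "*not*" with a contraction left a stray asterisk: "threats aren't* remediated by Microsoft Defender Antivirus". Remove it, since an unpaired `*` can start unintended emphasis later in the line. In the last changed line, "Windows Server 2012 R2 & 2016" could be written out as "Windows Server 2012 R2 and Windows Server 2016" to match the rest of the article.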
security Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/auditing.md
Last updated 05/29/2023
**Applies to:** -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft 365 Defender](microsoft-365-defender.md)
As a tenant administrator, you can use Microsoft Purview to search the audit logs for the times Microsoft Defender Experts signed into your tenant and the actions they did there to perform their investigations. You can also search the audit logs for the changes done by your tenant administrators to the Defender Experts settings.
As a tenant administrator, you can use Microsoft Purview to search the audit log
1. Sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com/) to use [Audit New Search](/microsoft-365/compliance/audit-new-search). 2. Provide a **Date and time range (UTC)**.
-3. Select the **Workload** and **Record type** from the list shown in the following table to further narrow your search
+3. Select the **Workload** and **Record type** from the list shown in the following table to further narrow your search.
4. Select **Search** to list the audit logs related to actions taken by our experts in your tenant.
-![Partial screenshot of Microsoft Purview compliance portal Defender New search page](../../media/xdr/audit.png)
- | Action performed by Defender Experts | Workload | Record type | |--|--|--|
As a tenant administrator, you can use Microsoft Purview to search the audit log
|Make changes to indicators in Microsoft Defender for Endpoint|MicrosoftDefenderForEndpoint|MSDEIndicatorsSettings| |Perform device remediation actions in Microsoft Defender for Endpoint|MicrosoftDefenderForEndpoint|MSDEResponseActions|
-![Partial screenshot of a sample audit log related to Defender Experts](../../media/xdr/audit-2.png)
## Search the audit logs for actions performed by your administrators in the Defender Experts settings
As a tenant administrator, you can use Microsoft Purview to search the audit log
3. Under **Workload**, choose _MicrosoftDefenderExperts_. 4. Select **Search** to list the audit logs related to actions taken by your tenant administrators to the Defender Experts settings.
-![Partial screenshot of Microsoft Purview compliance portal Defender New search page showing the Workload field selected to "MicrosoftDefenderExperts"](../../media/xdr/audit-3.png)
## Search the audit logs using a PowerShell script
-In addition to using Audit New Search in the Microsoft Purview compliance portal, you can use PowerShell cmdlets to search for audit logs. [Learn more](/microsoft-365/compliance/audit-log-search-script)
+In addition to using Audit New Search in the Microsoft Purview compliance portal, you can use PowerShell cmdlets to search for audit logs. [Learn more](/microsoft-365/compliance/audit-log-search-script).
### See also
security Before You Begin Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-xdr.md
Last updated 11/17/2022
**Applies to:** -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft 365 Defender](microsoft-365-defender.md)
This document outlines the key prerequisites you must meet and essential information you must know before purchasing the Microsoft Defender Experts for XDR service.
Defender Experts for XDR is a managed extended detection and response (XDR) serv
As part of the service's built-in [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md), you're also assigned two **Ask Defender Experts** credits on the first of each month, which you may use to submit questions. You can still submit inquiries beyond the initial number of allocated credits. Unused credits expire 90 days from date of assignment or at the end of the subscription term, whichever is shortest.
-[Learn more about Microsoft's commercial licensing terms](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA)
+[Learn more about Microsoft's commercial licensing terms](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).
## Access requirements Anyone from your organization can complete the [customer interest form](https://aka.ms/IWantDefenderExperts) for the Defender Experts for XDR service, however, you need to work with your Commercial Executive to transact the Defender Experts for XDR SKU.
-Defender Experts for XDR requests for certain roles and permissions for you to fully access the service capabilities. [Learn more](dex-xdr-permissions.md)
+Defender Experts for XDR requests for certain roles and permissions for you to fully access the service capabilities. [Learn more](dex-xdr-permissions.md).
## Service availability and data protection Defender Experts for XDR is a managed extended detection and response service that proactively hunts for threats across endpoints, email, identity, and cloud apps. To carry out hunting on your behalf, Microsoft experts need access to your Microsoft 365 Defender advanced hunting data. Purchasing this service means youΓÇÖre granting permission to Microsoft experts to access the said data.
-The following sections enumerate additional information about the serviceΓÇÖs data usage, compliance, and availability. For more information about Microsoft's commitment in valuing and protecting your data, visit the [Trust Center](https://www.microsoft.com/en-us/trust-center/product-overview) then scroll down to **Additional products and services** > **Managed Security Services** > **[Microsoft Defender Experts](https://aka.ms/trustcenter-defenderexperts)**
+The following sections enumerate additional information about the serviceΓÇÖs data usage, compliance, and availability. For more information about Microsoft's commitment in valuing and protecting your data, visit the [Trust Center](https://www.microsoft.com/en-us/trust-center/product-overview) then scroll down to **Additional products and services** > **Managed Security Services** > **[Microsoft Defender Experts](https://aka.ms/trustcenter-defenderexperts)**.
### Data collection, usage, and retention
-All data used for hunting from existing Defender services will continue to reside in the customer's original Microsoft 365 Defender service storage location. [Learn more](/microsoft-365/enterprise/o365-data-locations)
+All data used for hunting from existing Defender services will continue to reside in the customer's original Microsoft 365 Defender service storage location. [Learn more](/microsoft-365/enterprise/o365-data-locations).
Defender Experts for XDR operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft 365 Defender service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft 365 Defender service storage location. Reporting data and operational data will be retained for a grace period of no less than 90 days after a customer leaves the service.
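Review bot: in the "Access requirements" paragraph, the changed line still reads "Defender Experts for XDR requests for certain roles and permissions for you to fully access the service capabilities", which is ungrammatical; since the line is already being edited to add the period after the link, drop the stray "for" ("requests certain roles and permissions") in the same change.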
security Dex Xdr Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/dex-xdr-permissions.md
Last updated 05/29/2023
**Applies to:** -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft 365 Defender](microsoft-365-defender.md)
For Microsoft Defender Experts for XDR incident investigations, when our experts need access to your tenants, we follow the just-in-time and least privilege principles to provide the right level of access at the right time. To deliver on these requirements, we built the Microsoft Defender Experts permissions platform using the following capabilities in Microsoft Azure Active Directory (Azure AD):
security Frequently Asked Questions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/frequently-asked-questions.md
Last updated 05/29/2023
**Applies to:** -- Microsoft 365 Defender
+- [Microsoft 365 Defender](microsoft-365-defender.md)
| Questions | Answers | |||
security Get Started Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started-xdr.md
Title: Getting started with Microsoft Defender Experts for XDR
+ Title: Get started with Microsoft Defender Experts for XDR
description: Defender Experts for XDR lets you determine the individuals or groups within your organization that need to be notified if there's a critical incident keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Microsoft Defender Experts for hunting, threat hunting and analysis, Microsoft XDR service
Last updated 05/29/2023
**Applies to:** -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft 365 Defender](microsoft-365-defender.md)
Once the Defender Experts for XDR team is ready to onboard your organization, youΓÇÖll receive a welcome email to continue the setup and get you started. Select the link in the welcome email to directly launch the Defender Experts settings step-by-step guide in the Microsoft 365 Defender portal. You can also open this guide by going to **Settings** > **Defender Experts** and selecting **Get started**.
-![Screenshot of the Get started page in Defender for Experts XDR settings step-by-step guide](../../media/XDR/security-team-boost.png)
## Grant permissions to our experts
You also need to grant our experts temporary, scoped access only as needed, depe
[Learn more about access levels](/azure/active-directory/roles/permissions-reference)
-![Screenshot of Permissions page in Defender for Experts XDR settings step-by-step guide](../../media/xdr/grant-permissions-to-experts.png)
**To grant our experts permissions:**
You also need to grant our experts temporary, scoped access only as needed, depe
To edit or update permissions after the initial setup, go to **Settings** > **Defender Experts** > **Permissions**. In this page, you could also turn **Access security data from all devices** on or off under the access levels. > [!IMPORTANT]
-> If you turn off **Access security data from all devices**, our experts wonΓÇÖt be able to investigate incidents involving devices that belong to Microsoft Defender for Endpoint device groups. [Learn more about device groups](../defender-endpoint/machine-groups.md)
+> If you turn off **Access security data from all devices**, our experts wonΓÇÖt be able to investigate incidents involving devices that belong to Microsoft Defender for Endpoint device groups. [Learn more about device groups](../defender-endpoint/machine-groups.md).
## Tell us who to contact for important matters Defender Experts for XDR lets you determine the individuals or groups within your organization that need to be notified if there are critical incidents, service updates, occasional queries, and other recommendations. Once identified, the individuals will receive an email notifying them that they have been chosen as a contact for incident notification or service review purposes.
-![Screenshot of Incident contacts page in Defender for Experts XDR settings step-by-step guide](../../media/XDR/who-to-contact-for-important-matters.png)
**To add notification contacts:**
To edit or update your notification contacts after the initial setup, go to **Se
2. Select the **Notification type** from the dropdown box. 3. Select **Add**.
-![Screenshot of notification contacts](../../media/xdr/who-to-contact-for-imp-matters-2.png)
## Run initial Defender Experts readiness checks
security Start Using Mdex Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/start-using-mdex-xdr.md
Last updated 05/29/2023
**Applies to:** -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft 365 Defender](microsoft-365-defender.md)
After you completed the [onboarding steps and readiness checks](get-started-xdr.md) for Microsoft Defender Experts for XDR, our experts will start monitoring your environment to streamline the service so we can perform comprehensive service on your behalf. During this stage, our experts identify latent threats, sources of risk, and normal activity.
When our experts conclude their investigation on an incident, the incidentΓÇÖs *
The **Determination** field corresponding to each classification is also updated to provide more insights on the findings that led our experts to determine the said classification.
-![Screenshot of Incidents page showing the Tags, Status, Assigned to, Classification, and Determination fields](../../media/xdr/incidents-xdr-1.png)
If an incident is classified as _False Positive_ or _Informational_, _Expected Activity_, then the incident's **Status** field gets updated to _Resolved_. Our experts then conclude their work on this incident and the **Assigned to** field gets updated to _Unassigned_. Our experts may share updates from their investigation and their conclusion when resolving an incident. These updates are posted in the incidentΓÇÖs **Comments and history** flyout panel. > [!NOTE] > Incident comments are one-way posts. Defender Experts canΓÇÖt respond to any comments or questions you add in the **Comments and history** panel. If you wish to correspond with our experts, reply to the email Defender Experts sent you instead.
-Otherwise, if an incident is classified as _True Positive_, our experts then identify recommended response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts)
+Otherwise, if an incident is classified as _True Positive_, our experts then identify recommended response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts).
- If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the recommended response actions on the incident on your behalf. These actions, along with an **Investigation summary**, show up in the incidentΓÇÖs [Guided response](#how-to-use-guided-response-in-microsoft-365-defender) flyout panel in your Microsoft 365 Defender portal for you or your SOC team to review. Once our experts conclude their work on the incident, its **Status** field is then updated to _Resolved_ and the **Assigned to** field is updated to _Unassigned_.
Otherwise, if an incident is classified as _True Positive_, our experts then ide
You can check the number of incidents that are awaiting your action in the Defender Experts card in your Microsoft 365 Defender portal:
-![Screenshot of the Defender Experts card in Microsoft 365 Defender portal showing the number of incidents awaiting customer action](../../media/xdr/view-incidents.png)
To view the incidents our experts have investigated or are currently investigating, filter the incident queue in your Microsoft 365 Defender portal using the _Defender Experts_ tag.
-![Screenshot of the Incidents queue in Microsoft 365 Defender portal filtered to only show those with the Defender Experts tag](../../media/xdr/incidents-filter.png)
### How to use guided response in Microsoft 365 Defender
-In the Microsoft 365 Defender portal, an incident that requires your attention using guided response has the **Assigned to** field set to _Customer_ and a task card on top of the **Incidents** pane. Your designated incident contacts also receives a corresponding email notification with a link to the Defender portal to view the incident. [Learn more about notification contacts](get-started-xdr.md#tell-us-who-to-contact-for-important-matters)
+In the Microsoft 365 Defender portal, an incident that requires your attention using guided response has the **Assigned to** field set to _Customer_ and a task card on top of the **Incidents** pane. Your designated incident contacts also receives a corresponding email notification with a link to the Defender portal to view the incident. [Learn more about notification contacts](get-started-xdr.md#tell-us-who-to-contact-for-important-matters).
Select **View guided response** on the task card or on the top of the portal page (**Guided response** tab) to open a flyout panel where you can read our expertsΓÇÖ investigation summary, complete pending actions identified by our experts, or engage with them through chat.
-![Screenshot of the view guided response task card](../../media/xdr/view-guided-response-button.png)
#### Investigation summary The **Investigation summary** section provides you with more context about the incident analyzed by our experts to provide you with visibility about its severity and potential impact if not addressed immediately. It could include the device timeline, indicators of attack and indicators of compromise (IOCs) observed, and other details.
-![Screenshot of guided response investigation summary](../../media/xdr/investigation-summary.png)
#### Actions The **Actions** tab displays task cards that contain response actions recommended by our experts.
-![Screenshot of the Actions tab showing one-click and manual guided response actions](../../media/xdr/guided-response-actions.png)
Defender Experts for XDR currently supports the following one-click guided response actions:
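Review bot: the changed paragraph under "How to use guided response in Microsoft 365 Defender" keeps the agreement error "Your designated incident contacts also receives"; the line is being touched only to add a period after the link, so change it to "receive" in the same edit. Also in this hunk, removing the Defender Experts card screenshot leaves the sentence "You can check the number of incidents that are awaiting your action in the Defender Experts card in your Microsoft 365 Defender portal:" ending in a colon with nothing after it; end it with a period if the image is not coming back.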
Defender Experts for XDR currently supports the following one-click guided respo
Apart from these one-click actions, you can also receive guided responses from our experts that you need to perform manually. > [!NOTE]
-> Before performing any of the recommended guided response actions, make sure that they are not already being addressed by your automated investigation and response configurations. [Learn more about automated investigation and response capabilities in Microsoft 365 Defender](m365d-autoir.md)
+> Before performing any of the recommended guided response actions, make sure that they are not already being addressed by your automated investigation and response configurations. [Learn more about automated investigation and response capabilities in Microsoft 365 Defender](m365d-autoir.md).
**To view and perform the guided response actions:**
Apart from these one-click actions, you can also receive guided responses from o
1. For cards with one-click response actions, select the recommended action. The **Action status** in the card changes to **In progress**, then to **Failed** or **Completed**, depending on the actionΓÇÖs outcome. > [!TIP]
-> You can also monitor the status of in-portal response actions in the [Action center](m365d-action-center.md).
+> You can also monitor the status of in-portal response actions in the [Action center](m365d-action-center.md).
3. For cards with recommended actions that you need to perform manually, select **Mark as complete** once youΓÇÖve performed them. 1. If you donΓÇÖt want to complete a recommended action right away, select the ellipsis icon on the top of the card and choose any of the following other options:
Apart from these one-click actions, you can also receive guided responses from o
The **Chat** tab provides you with a space in the Microsoft 365 Defender portal to engage with our experts and further understand the incident, our investigation, and the recommended actions we provided. You could ask about a malicious executable, malicious attachment, information about activity groups, advanced hunting queries, or any other information that would assist you with the incident resolution.
-![Screenshot of the chat tab in the Guided response flyout panel](../../media/xdr/chat.png)
> [!NOTE] > The chat option is only available for incidents where we issued guided response.
The following section describes how an incident handled by our experts is update
1. An incident that our experts have confirmed as a _True Positive_ has a guided response posted in Microsoft 365 Defender, and the **Owner** is listed as _Customer_. You need to act on the incident based on using the provided guided response. 1. Once our experts have concluded their investigation and closed an incident as _False Positive_ or _Informational_, _Expected Activity_, the incidentΓÇÖs **Status** is updated to _Resolved_ and a **Reason for closing** is provided.
-![Screenshot of Microsoft Sentinel incidents](../../media/xdr/microsoft-sentinel-incidents.png)
### Other applications
After configuring a connector, the updates by Defender Experts to an incidentΓÇÖ
Defender Experts for XDR includes an interactive, on-demand report that provides a clear summary of the work our expert analysts are doing on your behalf, aggregate information about your incident landscape, and granular details about specific incidents. Your service delivery manager (SDM) also uses the report to provide you with more context regarding the service during a monthly business review.
-![Screenshot of Defender Experts for XDR report](../../media/xdr/Defender-xdr-report.png)
Each section of the report is designed to provide more insights about the incidents our experts investigated and resolved in your environment in real time. You can also select the **Date range** to get detailed information about incidents based on severity, category, and understand the time taken to investigate and resolve an incident during a specific period.
Defender Experts for XDR also includes proactive threat hunting offered by [Micr
Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat questions. Experts can provide insights to better understand the complex threats your organization may face. Consult an expert to: -- Gather additional information on alerts and incidents, including root causes and scope-- Gain clarity into suspicious devices, alerts, or incidents and get the next steps if faced with an advanced attacker-- Determine risks and available protections related to activity groups, campaigns, or emerging attacker techniques
+- Gather additional information on alerts and incidents, including root causes and scope.
+- Gain clarity into suspicious devices, alerts, or incidents and get the next steps if faced with an advanced attacker.
+- Determine risks and available protections related to activity groups, campaigns, or emerging attacker techniques.
> [!NOTE] > Ask Defender Experts is not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).
The option to **Ask Defender Experts** is available in the incidents and alerts
- _**Alerts page flyout menu**_:
- ![Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft 365 Defender portal.](../../media/mte/defenderexperts/alerts-flyout-menu.png)
- _**Incidents page actions menu**_:
- ![Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft 365 Defender portal.](../../media/mte/defenderexperts/incidents-page-actions-menu.png)
### See also
security Anti Phishing From Email Address Validation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-from-email-address-validation.md
A standard SMTP email message consists of a *message envelope* and message conte
- The `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the **Return-Path** header field in the message header (although it's possible for the sender to designate a different **Return-Path** email address). -- The `5322.From` (also known as the From address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients. The From address is the focus of the requirements in this article.
+- The `5322.From` address (also known as the From address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients. The From address is the focus of the requirements in this article.
The From address is defined in detail across several RFCs (for example, RFC 5322 sections 3.2.3, 3.4, and 3.4.1, and [RFC 3696](https://tools.ietf.org/html/rfc3696)). There are many variations on addressing and what's considered valid or invalid. To keep it simple, we recommend the following format and definitions:
security Anti Phishing Policies About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-about.md
The following spoof settings are available in anti-phishing policies in EOP and
- **Enable spoof intelligence**: Turns spoof intelligence on or off. We recommend that you leave it turned on.
- When spoof intelligence is enabled, the **spoof intelligence insight** shows spoofed senders that were automatically detected and allowed or blocked by spoof intelligence. You can manually override the spoof intelligence verdict to allow or block the detected spoofed senders from within the insight. But when you do, the spoofed sender disappears from the spoof intelligence insight, and is now visible only on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders in the Tenant Allow/Block List. For more information, see the following articles:
+ When spoof intelligence is enabled, the **spoof intelligence insight** shows spoofed senders that were automatically detected and allowed or blocked by spoof intelligence. You can manually override the spoof intelligence verdict to allow or block the detected spoofed senders from within the insight. But when you do, the spoofed sender disappears from the spoof intelligence insight, and is now visible only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoofed senders in the Tenant Allow/Block List. For more information, see the following articles:
- [Spoof intelligence insight in EOP](anti-spoofing-spoof-intelligence.md) - [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list-about.md)
security Anti Phishing Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-about.md
EOP (that is, Microsoft 365 organizations without Microsoft Defender for Office
**Honor the sender's DMARC policy when the message is detected as spoof** (currently in Preview): Control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks and the DMARC policy is set to `p=quarantine` or `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). -- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list-about.md).
+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list-about.md).
- **Implicit email authentication**: EOP enhances standard email authentication checks for inbound email ([SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md) with sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques to help identify forged senders. For more information, see [Email authentication in Microsoft 365](email-authentication-about.md).
security Anti Phishing Protection Spoofing About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about.md
The following anti-spoofing technologies are available in EOP:
- **Spoof intelligence insight**: Review spoofed messages from senders in internal and external domains during the last 7 days, and allow or block those senders. For more information, see [Spoof intelligence insight in EOP](anti-spoofing-spoof-intelligence.md). -- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list-about.md).
+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list-about.md).
- **Anti-phishing policies**: In EOP and Microsoft Defender for Office 365, anti-phishing policies contain the following anti-spoofing settings: - Turn spoof intelligence on or off.
security Anti Spam Spam Vs Bulk About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-spam-vs-bulk-about.md
EmailEvents
| summarize count() by SenderMailFromAddress, BulkComplaintLevel ```
-This query allows admins to identify wanted and unwanted senders. If a bulk sender has a BCL score that's less than the bulk threshold, admins can [report the sender's messages to Microsoft for analysis](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page). This action also adds the sender as an allow entry in the Tenant Allow/Block List.
+This query allows admins to identify wanted and unwanted senders. If a bulk sender has a BCL score that's less than the bulk threshold, admins can [report the sender's messages to Microsoft for analysis](submissions-admin.md#report-good-email-to-microsoft). This action also adds the sender as an allow entry in the Tenant Allow/Block List.
Organizations without Defender for Office 365 Plan 2 can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free. Use the 90-day Defender for Office 365 evaluation at <https://security.microsoft.com/atpEvaluation>. Learn about who can sign up and trial terms [here](try-microsoft-defender-for-office-365.md) or you can use the [Threat protection status report](reports-email-security.md#threat-protection-status-report) to identify wanted and unwanted bulk senders:
Organizations without Defender for Office 365 Plan 2 can try the features in Mic
4. In Defender for Office 365 Plan 2, select a bulk message to investigate, and then select email entity to learn more about the sender.
-5. After you identify wanted and unwanted bulk senders, adjust the bulk threshold in the default anti-spam policy and in custom anti-spam policies. If some bulk senders don't fit within your bulk threshold, [report the messages to Microsoft for analysis](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page).
+5. After you identify wanted and unwanted bulk senders, adjust the bulk threshold in the default anti-spam policy and in custom anti-spam policies. If some bulk senders don't fit within your bulk threshold, [report the messages to Microsoft for analysis](submissions-admin.md#report-good-email-to-microsoft).
Admins can follow the [recommended bulk threshold values](recommended-settings-for-eop-and-office365.md#anti-spam-anti-malware-and-anti-phishing-protection-in-eop) or choose a bulk threshold value that suits the needs of their organization.
security Anti Spoofing Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence.md
The rest of this article explains how to use the spoof intelligence insight in t
> [!NOTE] >
-> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list-about.md).
+> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](tenant-allow-block-list-about.md).
> > - The spoof intelligence insight and the **Spoofed senders** tab in the Tenant Allow/Block list replace the functionality of the spoof intelligence policy that was available on the anti-spam policy page in the Security & Compliance Center. >
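Review bot: the second bullet of this note was left with the old wording, "the **Spoofed senders** tab in the Tenant Allow/Block list", while the first bullet now says "the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page". Update the second bullet to the same phrasing so the two bullets name the location consistently.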
The rest of this article explains how to use the spoof intelligence insight in t
## What do you need to know before you begin? -- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Spoofed senders** tab on the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. To go directly to the **Spoof intelligence insight** page, use <https://security.microsoft.com/spoofintelligence>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. To go directly to the **Spoof intelligence insight** page, use <https://security.microsoft.com/spoofintelligence>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
The rest of this article explains how to use the spoof intelligence insight in t
## Open the spoof intelligence insight in the Microsoft 365 Defender portal
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section. To go directly to the **Spoofed senders** tab on the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section. To go directly to the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>.
2. On the **Tenant Allow/Block Lists** page, the spoof intelligence insight looks like this:
To view information about the spoof intelligence detections, click **View spoofi
### View information about spoofed messages > [!NOTE]
-> Remember, only spoofed senders that were detected by spoof intelligence appear on this page. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List.
+> Remember, only spoofed senders that were detected by spoof intelligence appear on this page. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>.
On the **Spoof intelligence insight** page that appears after you click **View spoofing activity** in the spoof intelligence insight, the page contains the following information:
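Review bot: The added note line drops the word "tab": it now reads "appears only on the **Spoofed senders** on the **Tenant Allow/Block Lists** page", whereas the removed line had "the **Spoofed senders** tab". Suggest "appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at ...", which also matches the wording this same commit uses in the earlier note of the article.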
security Create Block Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-block-sender-lists-in-office-365.md
A standard SMTP email message consists of a _message envelope_ and message conte
- The `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the **Return-Path** header field in the message header (although it's possible for the sender to designate a different **Return-Path** email address). If the message can't be delivered, it's the recipient for the non-delivery report (also known as an NDR or bounce message). -- The `5322.From` (also known as the **From** address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients.
+- The `5322.From` address (also known as the **From** address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients.
Frequently, the `5321.MailFrom` and `5322.From` addresses are the same (person-to-person communication). However, when email is sent on behalf of someone else, the addresses can be different.
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
The maximum limit for these lists is approximately 1000 entries; although, you'l
A standard SMTP email message consists of a _message envelope_ and message content. The message envelope contains information that's required for transmitting and delivering the message between SMTP servers. The message content contains message header fields (collectively called the _message header_) and the message body. The message envelope is described in RFC 5321, and the message header is described in RFC 5322. Recipients never see the actual message envelope because it's generated by the message transmission process, and it isn't actually part of the message. - The `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the **Return-Path** header field in the message header (although it's possible for the sender to designate a different **Return-Path** email address). If the message can't be delivered, it's the recipient for the non-delivery report (also known as an NDR or bounce message).-- The `5322.From` (also known as the **From** address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients.
+- The `5322.From` address (also known as the **From** address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients.
Frequently, the `5321.MailFrom` and `5322.From` addresses are the same (person-to-person communication). However, when email is sent on behalf of someone else, the addresses can be different. This happens most often for bulk email messages.
security Defender For Office 365 Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md
For more information on what's new with other Microsoft Defender security produc
## March 2023 -- **Collaboration security for Microsoft Teams**: With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using URLs and messages has increased as well. Microsoft Defender for Office 365 is extending its [Safelinks](safe-links-about.md) protection with increased capabilities for zero-hour auto purge (ZAP), quarantine, and end user reporting of potential malicious messages to their admins. For more information, see [Microsoft Defender for Office 365 support for Microsoft Teams (Preview)](mdo-support-teams-about.md).-- **Built-in protection: Safe Links time of click protection enabled for email**: Microsoft will now by default protect URLs in email messages at time of click as part of this update to Safe Links settings (_EnableSafeLinksForEmail_) within the Built-in protection preset security policy. To learn about the specific Safe Links protections in the Built-in protection policy, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
+- **Collaboration security for Microsoft Teams**: With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using URLs and messages has increased as well. Microsoft Defender for Office 365 is extending its [Safe Links](safe-links-about.md) protection with increased capabilities for zero-hour auto purge (ZAP), quarantine, and end user reporting of potential malicious messages to their admins. For more information, see [Microsoft Defender for Office 365 support for Microsoft Teams (Preview)](mdo-support-teams-about.md).
+- **Built-in protection: Safe Links time of click protection enabled for email**: By default, Microsoft now protects URLs in email messages at time of click as part of this update to Safe Links settings (_EnableSafeLinksForEmail_) within the Built-in protection preset security policy. To learn about the specific Safe Links protections in the Built-in protection policy, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
- **Quarantine notifications enabled in preset security policies**: If your organization has enabled or will enable the Standard or Strict preset security policies, the policies will be automatically updated to use the new DefaultFullAccessWithNotificationPolicy quarantine policy (notifications enabled) wherever the DefaultFullAccessPolicy (notifications disabled) was used. To learn more about quarantine notifications, see [Quarantine notifications](quarantine-quarantine-notifications.md). For more information about specific settings in preset security policies, see [Microsoft recommendations for EOP and Defender for Office 365 security settings](recommended-settings-for-eop-and-office365.md). ## January 2023 -- [Automatic Tenant Allow/Block List expiration management is now available in Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447): Microsoft will now automatically remove entries from the allow list once the system has learned from it. Alternatively, Microsoft extends the expiration time of the allows if the system hasn't learned yet. This prevents your legitimate emails from going to junk or quarantine.
+- [Automatic Tenant Allow/Block List expiration management is now available in Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447): Microsoft now automatically removes allow entries from the Tenant Allow/Block List once the system has learned from it. Alternatively, Microsoft extends the expiration time of the allows if the system hasn't learned yet. This behavior prevents legitimate email from going to junk or quarantine.
- **Configuring third-party phishing simulations in Advanced Delivery:** We've expanded "Simulation URLs to allow" limit to 30 URLs. To learn how to configure, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](skip-filtering-phishing-simulations-sec-ops-mailboxes.md) - [Enhanced user telemetry in the simulation reports in Attack Simulation Training](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/attack-simulation-training-new-insights-into-targeted-user/ba-p/3673105): As part of our enhanced user telemetry, administrators can now view additional details about how their targeted users are interacting with the phishing payload from phishing simulation campaigns.
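Review bot: In the rewritten January 2023 bullet, "once the system has learned from it" has a singular pronoun whose antecedent is now the plural "allow entries"; suggest "learned from them". The next sentence still says "the expiration time of the allows" while this one says "allow entries", so using "allow entries" in both would keep the terminology consistent within the bullet.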
For more information on what's new with other Microsoft Defender security produc
## October 2022 -- [Automated Investigations email cluster action de-duplication](air-review-approve-pending-completed-actions.md): We have added additional checks. If the same investigation cluster is already approved during the past hour, new duplicate remediation will not be processed again.
+- [Automated Investigations email cluster action deduplication](air-review-approve-pending-completed-actions.md): We have added additional checks. If the same investigation cluster is already approved during the past hour, new duplicate remediation isn't processed again.
- [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md):
- - With **allow expiry management** (currently in private preview), if Microsoft hasn't learned from the allow, Microsoft will automatically extend the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again.
- - Customers in the government cloud environments will now be able to create allow and block entries for URLs and attachments in the Tenant Allow/Block List using the admin URL and email attachment submissions. The data submitted through the submissions experience won't leave the customer tenant, thus satisfying the data residency commitments for government cloud clients.
+ - With **allow expiry management** (currently in Private Preview), if Microsoft hasn't learned from the allow, Microsoft automatically extends the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again.
+ - Customers in government cloud environments are now able to create allow and block entries for URLs and attachments in the Tenant Allow/Block List using admin submissions for URLs and email attachments. The data submitted through the submissions experience doesn't leave the customer tenant, thus satisfying the data residency commitments for government cloud clients.
- **Enhancement in URL click alerts:**
- - With the new lookback scenario, the "A potentially malicious URL click was detected" alert will now include any clicks during the _past 48 hours_ (for emails) from the time the malicious URL verdict is identified.
+ - With the new lookback scenario, the "A potentially malicious URL click was detected" alert now includes any clicks during the _past 48 hours_ (for email) from the time the malicious URL verdict is identified.
## September 2022
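Review bot: The tense in the deduplication bullet is still off after the edit: "If the same investigation cluster is already approved during the past hour" describes a past event, so "was already approved" reads correctly alongside "isn't processed again". In the allow expiry bullet, "allows, which are going to expire soon," is set off as a nonrestrictive clause, which says that all allows are about to expire; "allows that are going to expire soon" keeps the intended restriction.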
For more information on what's new with other Microsoft Defender security produc
- **Automatic redirection from Office action center to unified action center:** The action center in the Email & Collaboration section **Email & Collaboration** > **Review** > **Action center** (https://security.microsoft.com/threatincidents) is automatically redirected to **Actions & Submissions** > **Action center** > **History** (https://security.microsoft.com/action-center/history). -- **Automatic redirection from Office 365 Security & Compliance Center to Microsoft 365 Defender portal:** Automatic redirection begins for users accessing the security solutions in Office 365 Security & Compliance center (protection.office.com) to the appropriate solutions in Microsoft 365 Defender portal (security.microsoft.com). This is for all security workflows like: Alerts, Threat Management, and Reports.
+- **Automatic redirection from Office 365 Security & Compliance Center to Microsoft 365 Defender portal:** Automatic redirection begins for users accessing the security solutions in Office 365 Security & Compliance center (protection.office.com) to the appropriate solutions in Microsoft 365 Defender portal (security.microsoft.com). This change is for all security workflows like (for example, Alerts, Threat Management, and Reports).
- Redirection URLs: - GCC Environment:
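Review bot: The last sentence of the added bullet has a leftover word from the rewrite: "for all security workflows like (for example, Alerts, Threat Management, and Reports)" contains both "like" and "for example". Drop one of them, for instance "This change is for all security workflows (for example, Alerts, Threat Management, and Reports)."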
For more information on what's new with other Microsoft Defender security produc
- From Office 365 Security & Compliance Center URL: scc.protection.apps.mil - To Microsoft 365 Defender URL: security.apps.mil - Items in the Office 365 Security & Compliance Center that aren't related to security aren't redirected to Microsoft 365 Defender. For compliance solutions redirection to Microsoft 365 Compliance Center, see Message Center post 244886.-- This is a continuation of [Microsoft 365 Defender delivers unified XDR experience to GCC, GCC High and DoD customers - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-365-defender-delivers-unified-xdr-experience-to-gcc/ba-p/3263702), announced in March 2022.
+- This change is a continuation of [Microsoft 365 Defender delivers unified XDR experience to GCC, GCC High and DoD customers - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-365-defender-delivers-unified-xdr-experience-to-gcc/ba-p/3263702), announced in March 2022.
- This change enables users to view and manage additional Microsoft 365 Defender security solutions in one portal. - This change impacts all customers who use the Office 365 Security & Compliance Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or Plan 2), Microsoft 365 E3 / E5, Office 365 E3/ E5, and Exchange Online Protection. For the full list, see [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)-- This change impacts all users who log in to the Office 365 Security and Compliance portal (protection.office.com), including security teams and end-users who access the Email Quarantine experience, at the **Microsoft Defender Portal** \> **Review** \> **Quarantine**.
+- This change impacts all users who sign in to the Office 365 Security and Compliance portal (protection.office.com), including security teams and end-users who access the Email Quarantine experience, at the **Microsoft Defender Portal** \> **Review** \> **Quarantine**.
- Redirection is enabled by default and impacts all users of the Tenant. - Global Administrators and Security Administrators can turn on or off redirection in the Microsoft 365 Defender portal by navigating to **Settings** \> **Email & collaboration** > **Portal redirection** and switch the redirection toggle.-- **Built-in protection**: A profile that enables a base level of Safe Links and Safe Attachments protection that's on by default for all Defender for Office 365 customers. To learn more about this new policy and order of precedence, see [Preset security policies](preset-security-policies.md) and to learn about the specific Safe Links and Safe Attachment controls set, see [Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings) and [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
+- **Built-in protection**: A profile that enables a base level of Safe Links and Safe Attachments protection that's on by default for all Defender for Office 365 customers. To learn more about this new policy and order of precedence, see [Preset security policies](preset-security-policies.md). To learn about the specific Safe Links and Safe Attachment controls that are set, see [Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings) and [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
- **Bulk Complaint Level** is now available in the EmailEvents table in Advanced Hunting with numeric BCL values from 0 to 9. A higher BCL score indicates that bulk message is more likely to generate complaints and is more likely to be spam. ## July 2022
For more information on what's new with other Microsoft Defender security produc
## June 2022 -- [Use the Microsoft 365 Defender portal to create allow entries for spoofed senders on the Submissions page](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-on-the-submissions-page): Create allowed spoofed sender entries using the Tenant Allow/Block List.
+- [Create allow entries for spoofed senders](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders): Create allowed spoofed sender entries using the Tenant Allow/Block List.
- [Impersonation allows using admin submission](tenant-allow-block-list-email-spoof-configure.md#about-impersonated-domains-or-senders): Add allows for impersonated senders using the **Submissions** page in Microsoft 365 Defender.
For more information on what's new with other Microsoft Defender security produc
- [Admin review for reported messages](submissions-admin-review-user-reported-messages.md): Admins can now send templated messages back to end users after they review reported messages. The templates can be customized for your organization and based on your admin's verdict as well. - You can now add allow entries to the Tenant Allow/Block List if the blocked message was submitted as part of the admin submission process. Depending on the nature of the block, the submitted URL, file, and/or sender allow will be added to the Tenant Allow/Block List. In most cases, the allows are added to give the system some time and allow it naturally if warranted. In some cases, Microsoft manages the allow for you. For more information, see:
- - [Use the Microsoft 365 Defender portal to create allow entries for URLs on the Submissions page](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-on-the-submissions-page)
- - [Use the Microsoft 365 Defender portal to create allow entries for files on the Submissions page](tenant-allow-block-list-files-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-files-on-the-submissions-page)
- - [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses on the Submissions page](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page)
+ - [Report good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft)
+ - [Report good email attachments to Microsoft](submissions-admin.md#report-good-email-attachments-to-microsoft)
+ - [Report good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft)
## July 2021
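Review bot: The three replacement links ("Report good URLs to Microsoft", "Report good email attachments to Microsoft", "Report good email to Microsoft") no longer mention allow entries, but the unchanged lead-in still ends "You can now add allow entries to the Tenant Allow/Block List ... For more information, see:". A reader following the list can't tell from the link text that these sections cover creating allows. Consider adjusting the lead-in, or adding a short phrase after each link that ties it to creating the allow entry from the Submissions page.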
security Mdo Sec Ops Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md
Campaign Views reveals malware and phishing attacks against your organization. F
|Activity|Cadence|Description|Persona| |||||
-|Review the **Spoof intelligence insight** and the **Impersonation detection insights** at <ul><li><<https://security.microsoft.com/spoofintelligence>></li><li><https://security.microsoft.com/impersonationinsight></li></ul>.|Ad-hoc <br/><br/> Monthly|Use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) and the [impersonation insight](anti-phishing-mdo-impersonation-insight.md) to adjust filtering for spoof and impersonation detections.|Security Administration <br/><br/> Messaging Team|
+|Review the **Spoof intelligence insight** and the **Impersonation detection insights** at <ul><li><https://security.microsoft.com/spoofintelligence></li><li><https://security.microsoft.com/impersonationinsight></li></ul>.|Ad-hoc <br/><br/> Monthly|Use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) and the [impersonation insight](anti-phishing-mdo-impersonation-insight.md) to adjust filtering for spoof and impersonation detections.|Security Administration <br/><br/> Messaging Team|
### Review priority account membership
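Review bot: The fix to the doubled angle brackets is right, but the cell still ends with "</ul>." so a stray period renders on its own after the bulleted list. Since the line is already being touched, end the lead-in with a colon ("... **Impersonation detection insights** at:") and remove the period after `</ul>`.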
Security team members can do submissions from multiple locations in the Microsof
For the short-term mitigation of false negatives, security teams can directly manage block entries for files, URLs, and domains or email addresses in the [Tenant Allow/Block List](tenant-allow-block-list-about.md).
-For the short-term mitigation of false positives, security teams can't directly manage allow entries for domains and email addresses in the Tenant Allow/Block List. Instead, they need to use [admin submissions](submissions-admin.md) to report the email message as a false positive. For instructions, see [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses on the Submissions page](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page).
+For the short-term mitigation of false positives, security teams can't directly manage allow entries for domains and email addresses in the Tenant Allow/Block List. Instead, they need to use [admin submissions](submissions-admin.md) to report the email message as a false positive. For instructions, see [Report good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
[Quarantine](quarantine-admin-manage-messages-files.md) in Defender for Office 365 holds potentially dangerous or unwanted messages and files. Security teams can view, release, and delete all types of quarantined messages for all users. This capability enables security teams to respond effectively when a false positive message or file is quarantined.
security Quarantine Admin Manage Messages Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to
On the **Email** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-You can sort the results by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
- **Time received**<sup>\*</sup> - **Subject**<sup>\*</sup>
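Review bot: The changed sentence still mixes verbs for the same kind of action: "clicking on an available column header" followed by "Select ... **Customize columns**". Since the line is being edited anyway, "by selecting an available column header" would match the rest of the paragraph. The same sentence is changed identically in the Files and Teams messages sections and in quarantine-end-user.md, so the fix applies to each of those lines.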
You can sort the results by clicking on an available column header. Select :::im
- **Mail direction** - **Recipient tag**
-To filter the results, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
- **Message ID**: The globally unique identifier of the message.
To filter the results, select :::image type="icon" source="../../media/m365-cc-s
- **Anti-spam policy** - **Transport rule** (mail flow rule)
-When you're finished on the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+When you're finished in the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to
On the **Files** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-You can sort the results by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
- **User**<sup>\*</sup> - **Location**<sup>\*</sup>: The value is **SharePoint** or **OneDrive**.
You can sort the results by clicking on an available column header. Select :::im
- **Detected by** - **Modified by time**
-To filter the results, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
- **Time received**: - **Last 24 hours**
To filter the results, select :::image type="icon" source="../../media/m365-cc-s
- **Quarantine reason**: The only available value is **Malware**. - **Policy type**: The only available value is **Unknown**.
-When you're finished on the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+When you're finished in the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific files by filename. Wildcards aren't supported.
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to
On the **Teams messages** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-You can sort the results by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
- **Teams message text**: Contains the subject for the teams message.<sup>\*</sup> - **Time received**: The time the message was received by the recipient.<sup>\*</sup>
You can sort the results by clicking on an available column header. Select :::im
- **Recipient address**: Email address of the recipients.<sup>\*</sup> - **Message ID**: Includes the chat message ID.
-To filter the results, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
- **Message ID** - **Sender address**
To filter the results, select :::image type="icon" source="../../media/m365-cc-s
- **Recipient**: Select **All users** or **Only me**. - **Review status**: Select **Needs review** and **Released**.
-When you're finished on the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+When you're finished in the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific Teams messages. Wildcards aren't supported.
security Quarantine End User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-end-user.md
In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to
On the **Email** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-You can sort the results by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
- **Time received**<sup>\*</sup> - **Subject**<sup>\*</sup>
You can sort the results by clicking on an available column header. Select :::im
- **Mail direction** - **Recipient tag**
-To filter the results, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
- **Message ID**: The globally unique identifier of the message. - **Sender address**
To filter the results, select :::image type="icon" source="../../media/m365-cc-s
- **Anti-spam policy** - **Transport rule** (mail flow rule)
-When you're finished on the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+When you're finished in the **Filters** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new
|**Apply real-time URL scanning for suspicious links and links that point to files** <br><br> _ScanUrls_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|| |**Wait for URL scanning to complete before delivering the message** <br><br> _DeliverMessageAfterScan_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|| |**Do not rewrite URLs, do checks via Safe Links API only** <br><br> _DisableURLRewrite_|Selected<sup>\*</sup> <br><br> `$true`|Selected <br><br> `$true`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|<sup>\*</sup> In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the _DisableURLRewrite_ parameter is `$false`.|
-|**Do not rewrite the following URLs in email** <br><br> _DoNotRewriteUrls_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|We have no specific recommendation for this setting. <br><br> **Note**: Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [allow URL entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-on-the-submissions-page) so URLs are not scanned or wrapped by Safe Links during mail flow _and_ at time of click.|
+|**Do not rewrite the following URLs in email** <br><br> _DoNotRewriteUrls_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|We have no specific recommendation for this setting. <br><br> **Note**: Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Report the URL as **Should not have been blocked (False positive)** and select **Alow this URL** to add an allow entry to the Tenant Allow/Block List so the URL isn't scanned or wrapped by Safe Links during mail flow _and_ at time of click. For instructions, see [Report good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft).|
|**Teams**|||||The setting in this section affects time of click protection in Microsoft Teams.| |**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.** <br><br> _EnableSafeLinksForTeams_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|| |**Office 365 apps**|||||The setting in this section affects time of click protection in Office apps.|
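Review bot: in the added _DoNotRewriteUrls_ row, the note jumps from "are not scanned or wrapped by Safe Links during mail flow" straight to "Report the URL as ..." without saying why a report is needed. The matching notes in the two Safe Links articles in this change set add "but might still be blocked at time of click", and that clause should be carried over here so the three notes agree. The added row also misspells the button label as **Alow this URL** (a typo for "Allow") and mixes "are not" with "isn't"; pick one contraction style.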
security Reports Email Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md
In the **View data by Email \> Malware** and **Chart breakdown by Detection Tech
- **Anti-malware engine**<sup>\*</sup>: Detection from anti-malware engines. - **URL malicious reputation** - **URL detonation**<sup>\*</sup>: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis.-- **URL detonation reputation**<sup>\*</sup>>: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.
+- **URL detonation reputation**<sup>\*</sup>: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.
- **Campaign**<sup>\*</sup>: Messages identified as part of a [campaign](campaigns.md). <sup>\*</sup> Defender for Office 365 only
security Safe Links About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-about.md
For more information about the order of precedence and how multiple policies are
## "Do not rewrite the following URLs" lists in Safe Links policies > [!NOTE]
-> Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow but might still be blocked at time of click. Use [allow URL entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-on-the-submissions-page) to override the Safe Links URL verdict.
+> Entries in the "Do not rewrite the following URLs" list aren't scanned or wrapped by Safe Links during mail flow, but might still be blocked at time of click. Report the URL as **Should not have been blocked (False positive)** and select **Alow this URL** to add an allow entry to the Tenant Allow/Block List so the URL isn't scanned or wrapped by Safe Links during mail flow _and_ at time of click. For instructions, see [Report good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft).
Each Safe Links policy contains a **Do not rewrite the following URLs** list that you can use to specify URLs that aren't rewritten by Safe Links scanning. You can configure different lists in different Safe Links policies. Policy processing stops after the first (likely, the highest priority) policy is applied to the user. So, only one **Do not rewrite the following URLs** list is applied to a user who is included in multiple active Safe Links policies.
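Review bot: the added note line misspells the button label as **Alow this URL**; correct it to "Allow", since readers will search the UI for that exact text. The rewrite also drops the old wording that the allow entry is used "to override the Safe Links URL verdict"; the new "so the URL isn't scanned or wrapped" reads as the same effect, but confirm that the override meaning was not meant to be kept.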
security Safe Links Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md
You configure Safe Links policies in the Microsoft 365 Defender portal or in Exc
- **Do not rewrite the following URLs in email** section: Select the **Manage (nn) URLs** link to allow access to specific URLs that would otherwise be blocked by Safe Links. > [!NOTE]
- > Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [URL allow entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-on-the-submissions-page) to override the Safe Links URL verdict.
+ > Entries in the "Do not rewrite the following URLs" list aren't scanned or wrapped by Safe Links during mail flow, but might still be blocked at time of click. Report the URL as **Should not have been blocked (False positive)** and select **Alow this URL** to add an allow entry to the Tenant Allow/Block List so the URL isn't scanned or wrapped by Safe Links during mail flow _and_ at time of click. For instructions, see [Report good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft).
1. In the **Manage URLs to not rewrite** flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add URLs**. 2. In the **Add URLs** flyout that opens, click in the **URL** box, enter a value, and then press the ENTER key or select the complete value that's displayed below the box. Repeat this step as many times as necessary.
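Review bot: the unchanged bullet above the note still says the **Manage (nn) URLs** link exists "to allow access to specific URLs that would otherwise be blocked by Safe Links", while the added note now states that entries in this list "might still be blocked at time of click". Reword the bullet so it no longer promises access that the note withdraws, for example by describing the list only as URLs that are not rewritten. The added line also carries the **Alow this URL** typo.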
security Secure By Default https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md
You should only consider using overrides in the following scenarios:
- Phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. To prevent phishing simulation messages from being filtered, see [Configure third-party phishing simulations in the advanced delivery policy](/microsoft-365/security/office-365-security/skip-filtering-phishing-simulations-sec-ops-mailboxes#use-the-microsoft-365-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy). - Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get unfiltered messages (both good and bad). Teams can then review to see if they contain malicious content. For more information, see [Configure SecOps mailboxes in the advanced delivery policy](/microsoft-365/security/office-365-security/skip-filtering-phishing-simulations-sec-ops-mailboxes#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy). - Third-party filters: Secure by default only applies when the MX record for your domain is set to Exchange Online Protection (contoso.mail.protection.outlook.com). If it's set to another service or device, it's possible to override Secure by default with a [Transport Rule](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl) to bypass all spam filtering. When Microsoft detects messages as High Confidence Phish with this rule in place, they still deliver to the Inbox.-- False positives: To temporarily allow certain messages that are still being blocked by Microsoft, use [admin submissions](submissions-admin.md#report-good-email-to-microsoft). By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). 
By default, allow entries for spoofed senders never expire.
+- False positives: To temporarily allow certain messages that are still being blocked by Microsoft, use [admin submissions](submissions-admin.md#report-good-email-to-microsoft). By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). By default, allow entries for spoofed senders never expire.
security Submissions Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md
For other ways that **admins** can report messages to Microsoft in the Defender
:::image type="content" source="../../media/admin-submission-email-block.png" alt-text="Submit a false negative (bad) email to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-email-block.png":::
-After a few moments, the block entry is available on the **Domains & addresses** tab on the **Tenant Allow/Block List** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=Sender>.
+After a few moments, the block entry is available on the **Domains & addresses** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=Sender>.
### Report questionable email attachments to Microsoft
After a few moments, the block entry is available on the **Domains & addresses**
:::image type="content" source="../../media/admin-submission-file-block.png" alt-text="Submit a false negative (bad) email attachment to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-file-block.png":::
-After a few moments, the block entry is available on the **Files** tab on the **Tenant Allow/Block List** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=FileHash>.
+After a few moments, the block entry is available on the **Files** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=FileHash>.
### Report questionable URLs to Microsoft
After a few moments, the block entry is available on the **Files** tab on the **
:::image type="content" source="../../media/admin-submission-url-block.png" alt-text="Submit a false negative (bad) URL to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-url-block.png":::
-After a few moments, the block entry is available on the **URL** tab on the **Tenant Allow/Block List** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=Url>.
+After a few moments, the block entry is available on the **URL** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=Url>.
### Report good email to Microsoft
After a few moments, the block entry is available on the **URL** tab on the **Te
- **Allow entry note**: Enter optional information about why you're allowing and submitting this email message.
- For spoofed senders, any value you enter here isn't shown in the allow entry on the **Spoofed senders** tab on the **Tenant Allow/Block List**.
+ For spoofed senders, any value you enter here isn't shown in the allow entry on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.
When you're finished in the **Submit to Microsoft for analysis** flyout, select **Submit**, and then select **Done**. :::image type="content" source="../../media/admin-submission-email-allow.png" alt-text="Submit a false positive (good) email to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-email-allow.png":::
-After a few moments, the associated allow entries appear on the **Domains & addresses**, **Spoofed senders**, **URL**, or **Files** tab on the **Tenant Allow/Block List** page at <https://security.microsoft.com/tenantAllowBlockList>.
+After a few moments, the associated allow entries appear on the **Domains & addresses**, **Spoofed senders**, **URLs**, or **Files** tabs on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList>.
> [!IMPORTANT] >
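Review bot: the second added line in this hunk names the tab **URLs**, but the other hunks for this file keep "the **URL** tab" for the same page (viewid=Url). Use one tab name throughout the article so the text matches what admins see on the **Tenant Allow/Block Lists** page.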
After a few moments, the associated allow entries appear on the **Domains & addr
> - If the sender email address is not found to be malicious by our filtering system, submitting the email message to Microsoft won't create an allow entry in the Tenant Allow/Block List. > - When an allowed domain or email address, spoofed sender, URL, or file (_entity_) is encountered again, all filters that are associated with the entity are skipped. For email messages, all other entities are still evaluated by the filtering system before making a decision. > - During mail flow, if messages from the allowed domain or email address pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message from an allowed sender email address are delivered.
-> - By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages from those domains or email addresses are delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
+> - By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages from those domains or email addresses are delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.
-> - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List.
+> - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>.
### Report good email attachments to Microsoft
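Review bot: the last added line drops the word "tab": "only appears on the **Spoofed senders** on the **Tenant Allow/Block Lists** page" should read "on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page", as the line it replaces did.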
After a few moments, the allow entry is available on the **Files** tab on the **
> [!IMPORTANT] >
-> - By default, allow entries for files exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those files are delivered, unless something else in the message is detected as malicious.
+> - By default, allow entries for files exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those files are delivered, unless something else in the message is detected as malicious.
> - When the file is encountered again during mail flow, [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks and all other file-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered. > - During selection, all file-based filters, including [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks are overridden, allowing user access to the file.
For URLs reported as false positives, we allow subsequent messages that contain
:::image type="content" source="../../media/admin-submission-url-allow.png" alt-text="Submit a false positive (good) URL to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-url-allow.png":::
-After a few moments, the allow entry is available on the **URL** tab on the **Tenant Allow/Block List** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=Url>.
+After a few moments, the allow entry is available on the **URL** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=Url>.
> [!NOTE] >
-> - By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs are delivered, unless something else in the message is detected as malicious.
+> - By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs are delivered, unless something else in the message is detected as malicious.
> - When the URL is encountered again during mail flow, [Safe Links](safe-links-about.md) detonation or URL reputation checks and all other URL-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered. > - During selection, all URL-based filters, including [Safe Links](safe-links-about.md) detonation or URL reputation checks are overridden, allowing user access to content at the URL.
security Tenant Allow Block List About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-about.md
The following list describes what happens in the Tenant Allow/Block List when yo
- If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the **Domains & addresses** tab in the Tenant Allow/Block List. - If the message wasn't blocked due to filtering, no allow entries are created anywhere.
-By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities will be delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
+By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities will be delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
> [!IMPORTANT] > Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system.
security Tenant Allow Block List Email Spoof Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure.md
search.appverid:
- m365-security - tier1
-description: Admins can learn how to allow or block email and spoofed sender entries in the Tenant Allow/Block List in the Security portal.
+description: Admins can learn how to allow or block email and spoofed sender entries in the Tenant Allow/Block List.
Previously updated : 12/05/2022 Last updated : 6/7/2022 # Allow or block email using the Tenant Allow/Block List
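Review bot: the date metadata on the last line of this hunk moves from 12/05/2022 to 6/7/2022, which is earlier than the value it replaces. Check the year before merging.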
Last updated 12/05/2022
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-This article describes how to create and manage allow and block entries for domains and email addresses (including spoofed senders) that are available in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, admins can create and manage entries for domains and email addresses (including spoofed senders) in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).
-You manage allow and block entries for email in the Microsoft 365 Defender Portal or in Exchange Online PowerShell.
+This article describes how admins can manage entries for email senders in the Microsoft 365 Defender Portal and in Exchange Online PowerShell.
## What do you need to know before you begin? -- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
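Review bot: the added sentence "This article describes how admins can manage entries ..." keeps the capitalised "Microsoft 365 Defender Portal" from the line it replaces, while the added bullet under the next heading writes "Microsoft 365 Defender portal". Lower-case "portal" in the intro sentence for consistency.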
You manage allow and block entries for email in the Microsoft 365 Defender Porta
## Domains and email addresses in the Tenant Allow/Block List
-### Create block entries for domains and email addresses
+### Create allow entries for domains and email addresses
+
+You can't create allow entries for domains and email addresses directly in the Tenant Allow/Block List. Unnecessary allow entries expose your organization to malicious email that would have been filtered by the system.
+
+Instead, you use the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>. When you submit a blocked message as **Should not have been blocked (False positive)**, an allow entry for the sender is added to the **Domains & email addresses** tab on the **Tenant Allow/Block Lists** page. For instructions, see [Submit good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
-You have the following options to create block entries for domains and email addresses:
+> [!NOTE]
+> Allow entries are added based on the filters that determined the message was malicious during mail flow. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL.
+>
+> When the entity in the allow entry is encountered again (during mail flow or at time of click), all filters associated with that entity are overridden.
+>
+> By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities are delivered, unless something else in the message is detected as malicious.
+>
+> During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), URL filtering, and file filtering, the message is delivered if it's also from an allowed sender.
-- [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-domains-and-email-addresses-on-the-submissions-page)-- The Tenant Allow/Block List in [the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list) or in [PowerShell](#use-powershell-to-create-block-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list)
+### Create block entries for domains and email addresses
-To create block entries for spoofed senders, see the [Use the Microsoft 365 Defender portal to create block entries for spoofed senders in the Tenant Allow/Block List](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list) section later in this article.
+To create block entries for *domains and email addresses*, use either of the following methods:
-By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities will be delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
+- From the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>. When you submit a message as **Should have been blocked (False negative)**, you can select **Block all emails from this sender or domain** to add a block entry to the **Domains & email addresses** tab on the **Tenant Allow/Block Lists** page. For instructions, see [Report questionable email to Microsoft](submissions-admin.md#report-questionable-email-to-microsoft).
-#### Use the Microsoft 365 Defender portal to create block entries for domains and email addresses on the Submissions page
+- From the **Domains & addresses** tab on the **Tenant Allow/Block Lists** page or in PowerShell as described in this section.
-When you use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to submit email messages as **Should have been blocked (False negative)**, you can select **Block all emails from this sender or domain** to add a block entry for the sender email address or domain on the **Domains & addresses** tab in the Tenant Allow/Block List.
+To create block entries for *spoofed senders*, see [this section](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list) later in this article.
-For instructions, see [Submit questionable email to Microsoft](submissions-admin.md#report-questionable-email-to-microsoft).
+By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities are delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
#### Use the Microsoft 365 Defender portal to create block entries for domains and email addresses in the Tenant Allow/Block List
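Review bot: the paragraph added at the end of this region ("By default, allow entries for domains and email addresses exist for 30 days...") now sits directly under the new "Create block entries for domains and email addresses" heading, but it describes only the expiration of allow entries and says nothing about how long block entries last. Move it to wherever allow entries are introduced, or state the block-entry default here as well. In the same region, the first bullet names the destination as the **Domains & email addresses** tab while the second bullet calls it the **Domains & addresses** tab; use one name.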
-You can create block entries for domains and email addresses directly in the Tenant Allow/Block List.
-
-Email messages from these senders are marked as *high confidence spam* (SCL = 9). What happens to the messages is determined by the [anti-spam policy](anti-spam-policies-configure.md) that detected the message for the recipient. In the default anti-spam policy and new custom policies, messages that are marked as high confidence spam are delivered to the Junk Email folder by default. In Standard and Strict [preset security policies](preset-security-policies.md), high confidence spam messages are quarantined.
+Email messages from these senders are marked as *high confidence spam* (SCL = 9). What happens to the messages is determined by the [anti-spam policy](anti-spam-policies-configure.md) that detected the message for the recipient. For more information, see the **Spam** detection action in [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
> [!NOTE]
-> Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): `550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy.` The entire message is blocked for all *external* recipients of the message, even if only one recipient email address or domain is defined in a block entry.
+> Users in the organization also can't *send* email to these blocked domains and addresses. The message is returned in the following non-delivery report (also known as an NDR or bounce message): `550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy.` The entire message is blocked for all *external* recipients of the message, even if only one recipient email address or domain is defined in the block entry.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-2. On the **Tenant Allow/Block List** page, verify that the **Domains & addresses** tab is selected.
+2. On the **Tenant Allow/Block Lists** page, verify that the **Domains & addresses** tab is selected.
-3. On the **Domains & addresses** tab, click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
+3. On the **Domains & addresses** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Block**.
-4. In the **Block domains & addresses** flyout that appears, configure the following settings:
+4. In the **Block domains & addresses** flyout that opens, configure the following settings:
- **Domains & addresses**: Enter one email address or domain per line, up to a maximum of 20.
- - **Remove block entry after**: The default value is **30 days**, but you can select from the following values:
+ - **Remove block entry after**: Select from the following values:
- **1 day** - **7 days**
- - **30 days**
+ - **30 days** (default)
- **Never expire** - **Specific date**: The maximum value is 90 days from today. - **Optional note**: Enter descriptive text for why you're blocking the email addresses or domains.
-5. When you're finished, click **Add**.
+5. When you're finished in the **Block domains & addresses** flyout, select **Add**.
+
+Back on the **Domains & email addresses** tab, the entry is listed.
##### Use PowerShell to create block entries for domains and email addresses in the Tenant Allow/Block List
New-TenantAllowBlockListItems -ListType Sender -Block -Entries "test@badattacker
For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
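Review bot: the sentence added after step 5 reads "Back on the **Domains & email addresses** tab, the entry is listed", but steps 2 and 3 of this same procedure call it the **Domains & addresses** tab; rename it so the reader is not left looking for a second tab. Separately, the rewritten SCL = 9 paragraph drops the statement of what actually happens to the message by default (Junk Email folder in the default policy, quarantine in Standard and Strict preset policies) in favour of a link. Consider keeping a one-line summary, because an admin adding a block entry needs to know whether the mail is still delivered to the user.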
-### Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses on the Submissions page
+### Use the Microsoft 365 Defender portal to view entries for domains and email addresses in the Tenant Allow/Block List
-You can't create allow entries for domains and email addresses directly in the Tenant Allow/Block List. Instead, you use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to submit the message as a false positive, which also adds an allow entry for the sender on the **Domains & addresses** tab in the Tenant Allow/Block List.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-For instructions, see [Submit good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
+Verify the **Domains & addresses** tab is selected.
-By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities will be delivered, unless something else in the message is detected as malicious.
+On the **Domains & addresses** tab, you can sort the entries by clicking on an available column header. The following columns are available:
-> [!IMPORTANT]
-> Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system.
->
-> Microsoft manages the creation of allow entries from the **Submissions** page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL.
->
-> When the entity in the allow entry is encountered again (during mail flow or time of click), all filters associated with that entity are skipped.
->
-> During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), URL filtering, and file filtering, a message from an allowed sender email address will be delivered.
-
-### Use the Microsoft 365 Defender portal to view existing allow or block entries for domains and email addresses in the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+- **Value**: The domain or email address.
+- **Action**: The value **Allow** or **Block**.
+- **Modified by**
+- **Last updated**
+- **Remove on**: The expiration date.
+- **Notes**
-2. Verify the **Domains & addresses** tab is selected. The following columns are available:
+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filter** flyout that opens:
- - **Value**: The domain or email address.
- - **Action**: The value **Allow** or **Block**.
- - **Modified by**
- - **Last updated**
- - **Remove on**: The expiration date.
- - **Notes**
+- **Action**: The values are **Allow** and **Block**.
+- **Never expire**: :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: or :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::
+- **Last updated**: Select **From** and **To** dates.
+- **Remove on**: Select **From** and **To** dates.
- You can click on a column heading to sort in ascending or descending order.
+When you're finished in the **Filter** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
- Click ![Group icon.](../../media/m365-cc-sc-group-icon.png) **Group** to group the results by **None** or **Action**.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific entries.
- Click ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search**, enter all or part of a value, and then press the ENTER key to find a specific value. When you're finished, click ![Clear search icon.](../../media/m365-cc-sc-close-icon.png) **Clear search**.
+To group the entries, select :::image type="icon" source="../../media/m365-cc-sc-group-icon.png" border="false"::: **Group** and then select **Action**. To ungroup the entries, select **None**.
- Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:
-
- - **Action**: The values are **Allow** and **Block**.
- - **Never expire**: ![Toggle on.](../../media/scc-toggle-on.png) or ![Toggle off.](../../media/scc-toggle-off.png)
- - **Last updated**: Select **From** and **To** dates.
- - **Remove on**: Select **From** and **To** dates.
-
- When you're finished, click **Apply**. To clear existing filters, click ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters** in the **Filter** flyout.
-
-#### Use PowerShell to view existing allow or block entries for domains and email addresses in the Tenant Allow/Block List
+#### Use PowerShell to view entries for domains and email addresses in the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:
Get-TenantAllowBlockListItems -ListType Sender -Block
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
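Review bot: the removed `[!IMPORTANT]` block in this region was the only visible place that warned that allow entries cannot be created directly, that "unnecessary allow entries expose your organization to malicious email", and that all filters associated with an allowed entity are skipped; none of the added lines here carries that warning. Please confirm it has moved to the allow-entries section of the article rather than being dropped. Smaller points: the new sorting sentence still says "by clicking on an available column header" while the rest of the change replaces "click" with "select", and the new **Search** sentence no longer says that partial values are accepted or how to clear the search.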
-### Use the Microsoft 365 Defender portal to modify existing allow or block entries for domains and email addresses in the Tenant Allow/Block List
-
-You can make the following modifications to entries for domains and email addresses in the Tenant Allow/Block list:
+### Use the Microsoft 365 Defender portal to modify entries for domains and email addresses in the Tenant Allow/Block List
-- **Block entries**: The expiration date and notes.-- **Allow entries**: The expiration date and notes.
+In existing domain and email address entries, you can change the expiration date and note.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
2. Verify the **Domains & addresses** tab is selected.
-3. On the **Domains & addresses** tab, select the check box of the entry that you want to modify, and then click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** button that appears.
-
-4. The following settings are available in the **Edit domain & addresses** flyout that appears:
- - **Remove block entry after**: You can extend block entries for a maximum of 90 days from the system date or set them to **Never expire**.
- - **Remove allow entry after**: You can extend allow entries for a maximum of 30 days from the system date.
- - **Optional note**
-
- When you're finished, click **Save**.
+3. On the **Domains & addresses** tab, select the entry from the list by selecting the check box next to the first column, and then select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
+
+4. In the **Edit domains & addresses** flyout that opens, the following settings are available:
+ - **Block entries**:
+ - **Remove block entry after**: Select from the following values:
+ - **1 day**
+ - **7 days**
+ - **30 days**
+ - **Never expire**
+ - **Specific date**: The maximum value is 90 days from today.
+ - **Optional note**
+ - **Allow entries**:
+ - **Remove allow entry after**: Select from the following values:
+ - **1 day**
+ - **7 days**
+ - **30 days**
+ - **Specific date**: The maximum value is 30 days from today.
+ - **Optional note**
+
+ When you're finished in the **Edit domains & addresses** flyout, select **Save**.
> [!TIP]
-> For entries added via submission, if you select the entry by clicking anywhere in the row other than the check box next to the name, you can select ![View submission icon.](../../media/m365-cc-sc-view-submission-icon.png) **View submission** in the details flyout that opens, which takes you to the submission details that added the entry.
+> In the details flyout of an entry on the **Domains & addresses** tab, use :::image type="icon" source="../../media/m365-cc-sc-view-submission-icon.png" border="false"::: **View submission** at the top of the flyout to go to the details of the corresponding entry on the **Submissions** page. This action is available if a submission was responsible for creating the entry in the Tenant Allow/Block List.
-#### Use PowerShell to modify existing allow or block entries for domains and email addresses in the Tenant Allow/Block List
+#### Use PowerShell to modify entries for domains and email addresses in the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax: ```powershell
-Set-TenantAllowBlockListItems -ListType Sender <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
+Set-TenantAllowBlockListItems -ListType Sender <-Ids <Identity value> | -Entries <Value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
``` This example changes the expiration date of the specified block entry for the sender email address.
Set-TenantAllowBlockListItems -ListType Sender -Entries "julia@fabrikam.com" -Ex
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
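Review bot: the rewritten tip starts from "In the details flyout of an entry" but no longer explains how to open that flyout; the removed wording ("clicking anywhere in the row other than the check box next to the name") was the only such hint in this procedure, since steps 3 and 4 only use the check box and **Edit**. Add the row-click instruction back to the tip. In step 4, the asymmetry between the two lists (block entries allow **Never expire** and a specific date up to 90 days, allow entries cap at 30 days and have no **Never expire**) is easy to miss in the nested bullets; a short sentence calling it out would help.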
-### Use the Microsoft 365 Defender portal to remove existing allow or block entries for domains and email addresses in the Tenant Allow/Block List
+### Use the Microsoft 365 Defender portal to remove entries for domains and email addresses from the Tenant Allow/Block List
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
2. Verify the **Domains & addresses** tab is selected. 3. On **Domains & addresses** tab, do one of the following steps:
- - Select the check box of the entry that you want to remove, and then click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears.
- - Select the entry that you want to remove by clicking anywhere in the row other than the check box. In the details flyout that appears, click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+ - Select the entry from the list by selecting the check box next to the first column, and then select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+ - Select the entry from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** at the top of the flyout.
+
+ > [!TIP]
+ > To see details about other entries without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-4. In the warning dialog that appears, click **Delete**.
+4. In the warning dialog that opens, select **Delete**.
+
+Back on the **Domains & addresses** tab, the entry is no longer listed.
> [!TIP] > You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header.
-#### Use PowerShell to remove existing allow or block entries for domains and email addresses from the Tenant Allow/Block List
+#### Use PowerShell to remove entries for domains and email addresses from the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax: ```powershell
-Remove-TenantAllowBlockListItems -ListType Sender <-Ids <Identity value> | -Entries <Value value>>
+Remove-TenantAllowBlockListItems -ListType Sender `<-Ids <Identity value> | -Entries <Value>>
``` This example removes the specified entry for domains and email addresses from the Tenant Allow/Block List.
For detailed syntax and parameter information, see [Remove-TenantAllowBlockListI
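Review bot: the new syntax line introduces a stray backtick before `<-Ids` (it now reads "-ListType Sender `<-Ids <Identity value> | -Entries <Value>>"). Inside the powershell fence it renders literally, and the backtick is PowerShell's escape character, so anyone adapting the line inherits it. Drop it so the line matches the Set-TenantAllowBlockListItems syntax changed earlier in this diff. The unchanged step 3 also reads "On **Domains & addresses** tab" without "the", which could be fixed in the same pass.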
## Spoofed senders in the Tenant Allow/Block List
+When you override the verdict in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List.
+ ### Create allow entries for spoofed senders
-You have the following options to create block entries for spoofed senders:
+To create allow entries for spoofed senders, use either of the following methods:
-- [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page)-- The Tenant Allow/Block List in [the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) or in [PowerShell](#use-powershell-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list)
+- From the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>. When you submit a message that was blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md) as **Should not have been blocked (False positive)**, an allow entry for the spoofed sender is added to the **Spoofed senders** tab in the Tenant Allow/Block List. For instructions, see [Submit good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
+- From the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page or in PowerShell as described in this section.
> [!NOTE]
-> Allow entries for spoofed senders take care of intra-org, cross-org, and DMARC spoofing.
+> Allow entries for spoofed senders account for intra-org, cross-org, and DMARC spoofing.
> > Only the combination of the spoofed user *and* the sending infrastructure as defined in the [domain pair](#domain-pair-syntax-for-spoofed-sender-entries) is allowed to spoof. >
-> When you configure an allow entry for a domain pair, messages from that domain pair no longer appear in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md).
+> When you configure an allow entry for a domain pair, the spoofed sender becomes a manual allow entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List.
> > Allow entries for spoofed senders never expire.-
-#### Use the Microsoft 365 Defender portal to create allow entries for spoofed senders on the Submissions page
-
-Submitting messages that were blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md) to Microsoft in the **Submissions** portal at <https://security.microsoft.com/reportsubmission> adds the sender as an allow entry for the sender on the **Spoofed senders** tab in Tenant Allow/Block List.
-
-For instructions, see [Submit good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
-
-> [!NOTE]
-> When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List.
>
-> If the sender has not been blocked by spoof intelligence, submitting the email message to Microsoft won't create an allow entry in the Tenant Allow/Block List.
+> If the sender wasn't blocked by spoof intelligence, submitting the message to Microsoft doesn't create an allow entry for the sender in the Tenant Allow/Block List.
#### Use the Microsoft 365 Defender portal to create allow entries for spoofed senders in the Tenant Allow/Block List In the Tenant Allow/Block List, you can create allow entries for spoofed senders before they're detected and blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md).
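Review bot: in the first added bullet the link text is still "Submit good email to Microsoft" although it targets `#report-good-email-to-microsoft`; the matching link in the block-entries section was renamed to "Report questionable email to Microsoft" in this same change, so rename this one to "Report good email to Microsoft". Also, the sentence now added under the "Spoofed senders in the Tenant Allow/Block List" heading ("When you override the verdict in the spoof intelligence insight...") and the rewritten line in the note ("the spoofed sender becomes a manual allow entry that appears only on the **Spoofed senders** tab") say nearly the same thing twice within a few lines, and the rewrite drops the earlier statement that the domain pair no longer appears in the spoof intelligence insight. Keep one copy and confirm whether the dropped statement is still true.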
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. On the **Tenant Allow/Block Lists** page, select the **Spoofed senders** tab.
-2. On the **Tenant Allow/Block List** page, select the **Spoofed senders** tab, and then click ![Add icon.](../../media/m365-cc-sc-create-icon.png) **Add**.
+3. On the **Spoofed senders** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add**.
-3. In the **Add new domain pairs** flyout that appears, configure the following settings:
+4. In the **Add new domain pairs** flyout that opens, configure the following settings:
- **Add domain pairs with wildcards**: Enter domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see the [Domain pair syntax for spoofed sender entries](#domain-pair-syntax-for-spoofed-sender-entries) section later in this article.
In the Tenant Allow/Block List, you can create allow entries for spoofed senders
- **Action**: Select **Allow** or **Block**.
- When you're finished, click **Add**.
+ When you're finished in the **Add new domain pairs** flyout, select **Add**.
+
+Back on the **Spoofed senders** tab, the entry is listed.
##### Use PowerShell to create allow entries for spoofed senders in the Tenant Allow/Block List
For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoo
You can create block entries for spoofed senders directly in the Tenant Allow/Block List. The steps are nearly identical to [creating allow entries for spoofed senders](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) as previously described in this article.
-The only difference is: for the **Action** value in Step 3, choose **Block** instead of **Allow**.
+The only difference is: for the **Action** value in Step 4, select **Block** instead of **Allow**.
> [!NOTE]
-> Email messages from these senders are blocked as *phishing*.
+> Email messages from these senders are marked as *phishing*. What happens to the messages is determined by the [anti-spam policy](anti-spam-policies-configure.md) that detected the message for the recipient. For more information, see the **Phishing** detection action in [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
> > Only the combination of the spoofed user *and* the sending infrastructure as defined in the [domain pair](#domain-pair-syntax-for-spoofed-sender-entries) is blocked from spoofing. >
-> When you configure a block entry for a domain pair, messages from that domain pair no longer appear in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md).
+> When you configure a block entry for a domain pair, the spoofed sender becomes a manual allow entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List.
> > Block entries for spoofed senders never expire.
New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow -SendingInfra
For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
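Review bot: the added line in the block-entry note says "When you configure a block entry for a domain pair, the spoofed sender becomes a manual allow entry", which looks like a copy of the allow-entry wording; it should read "manual block entry". As written it tells an admin that blocking a spoofed sender produces an allow entry. The first added line of the note also changes "blocked as *phishing*" to "marked as *phishing*" with the outcome deferred to the anti-spam policy; that is a behavioural statement worth a second check against the linked **Phishing** detection action before merging.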
-### Use the Microsoft 365 Defender portal to view existing allow or block entries for spoofed senders in the Tenant Allow/Block List
+### Use the Microsoft 365 Defender portal to view entries for spoofed senders in the Tenant Allow/Block List
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-2. Verify the **Spoofed senders** tab is selected. The following columns are available:
+Verify the **Spoofed senders** tab is selected.
+
+On the **Spoofed senders** tab, you can sort the entries by clicking on an available column header. The following columns are available:
- **Spoofed user** - **Sending infrastructure**
- - **Spoof type**: The values are **Internal** or **External**.
- - **Action**: The values are **Block** or **Allow**.
+ - **Spoof type**: The available values are **Internal** or **External**.
+ - **Action**: The available values are **Block** or **Allow**.
+
+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filter** flyout that opens:
- You can click on a column heading to sort in ascending or descending order.
+- **Action**: The available values are **Allow** and **Block**.
+- **Spoof type**: The available values are **Internal** and **External**.
- Click ![Group icon.](../../media/m365-cc-sc-group-icon.png) **Group** to group the results by **None**, **Action**, or **Spoof type**.
+When you're finished in the **Filter** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
- Click ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search**, enter all or part of a value, and then press the ENTER key to find a specific value. When you're finished, click ![Clear search icon.](../../media/m365-cc-sc-close-icon.png) **Clear search**.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific entries.
- Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:
+To group the entries, select :::image type="icon" source="../../media/m365-cc-sc-group-icon.png" border="false"::: **Group** and then select one of the following values:
- - **Action**: **Allow** and **Block**.
- - **Spoof type**: **Internal** and **External**.
+- **Action**
+- **Spoof type**
- When you're finished, click **Apply**. To clear existing filters, click ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters** in the **Filter** flyout.
+To ungroup the entries, select **None**.
-#### Use PowerShell to view existing allow or block entries for spoofed senders in the Tenant Allow/Block List
+#### Use PowerShell to view entries for spoofed senders in the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:
Get-TenantAllowBlockListSpoofItems -Action Block -SpoofType External
For detailed syntax and parameter information, see [Get-TenantAllowBlockListSpoofItems](/powershell/module/exchange/get-tenantallowblocklistspoofitems).
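Review bot: after the numbered steps were turned into plain paragraphs, the columns list is the only list in this region that keeps its indentation (" - **Spoof type**", " - **Action**", and the unchanged **Spoofed user** / **Sending infrastructure** line), while the filter and group lists added below it are flush left; the equivalent columns list for domains and email addresses was dedented earlier in this diff. Dedent these items too so they do not render as a nested or continuation list under a paragraph. The new sorting sentence also keeps "by clicking on an available column header" where the rest of the change uses "select".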
-### Use the Microsoft 365 Defender portal to modify existing allow or block entries for spoofed senders in the Tenant Allow/Block List
+### Use the Microsoft 365 Defender portal to modify entries for spoofed senders in the Tenant Allow/Block List
When you modify an allow or block entry for spoofed senders in the Tenant Allow/Block list, you can only change the entry from **Allow** to **Block**, or vice-versa.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
2. Select the **Spoofed senders** tab.
-3. On the **Spoofed senders** tab, select the entry that you want to modify, and then click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** button that appears.
+3. Select the entry from the list by selecting the check box next to the first column, and then select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
-4. In the **Edit spoofed sender** flyout that appears, choose **Allow** or **Block**.
+4. In the **Edit spoofed sender** flyout that opens, select **Allow** or **Block**, and then select **Save**.
-5. When you're finished, click **Save**.
-
-#### Use PowerShell to modify existing allow or block entries for spoofed senders in the Tenant Allow/Block List
+#### Use PowerShell to modify entries for spoofed senders in the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-
Set-TenantAllowBlockListSpoofItems -Identity Default -Ids <Identity value> -Action <Allow | Block> ```
-This example changes spoofed sender entry from allow to block.
+This example changes the specified spoofed sender entry from an allow entry to a block entry.
```powershell Set-TenantAllowBlockListItems -Identity Default -Ids 3429424b-781a-53c3-17f9-c0b5faa02847 -Action Block
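Review bot: The example under the reworded sentence still calls `Set-TenantAllowBlockListItems`, while the syntax line just above it and the reference link for this section both name `Set-TenantAllowBlockListSpoofItems`. This change already touches the sentence that introduces the example, so update the cmdlet name in the example in the same commit so that the syntax, the example and the link agree.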
Set-TenantAllowBlockListItems -Identity Default -Ids 3429424b-781a-53c3-17f9-c0b
For detailed syntax and parameter information, see [Set-TenantAllowBlockListSpoofItems](/powershell/module/exchange/set-tenantallowblocklistspoofitems).
-### Use the Microsoft 365 Defender portal to remove existing allow or block entries for spoofed senders in the Tenant Allow/Block List
+### Use the Microsoft 365 Defender portal to remove entries for spoofed senders from the Tenant Allow/Block List
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
2. Select the **Spoofed senders** tab.
-3. On the **Spoofed senders** tab, select the entry that you want to remove, and then click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears.
+3. On the **Spoofed senders** tab, select the entry from the list by selecting the check box next to the first column, and then select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
-4. In the warning dialog that appears, click **Delete**.
+4. In the warning dialog that opens, select **Delete**.
> [!NOTE]
-> You can select multiple entries by selecting each check box, or selecting all entries by selecting the check box next to the **Spoofed user** column header.
+> You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Spoofed user** column header.
-#### Use PowerShell to remove existing allow or block entries for spoofed senders from the Tenant Allow/Block List
+#### Use PowerShell to remove entries for spoofed senders from the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:
For detailed syntax and parameter information, see [Remove-TenantAllowBlockListS
A domain pair for a spoofed sender in the Tenant Allow/Block List uses the following syntax: `<Spoofed user>, <Sending infrastructure>`. -- **Spoofed user**: This value involves the email address of the spoofed user that's displayed in the **From** box in email clients. This address is also known as the `5322.From` address. Valid values include:
+- **Spoofed user**: This value involves the email address of the spoofed user that's displayed in the **From** box in email clients. This address is also known as the `5322.From` or P2 sender address. Valid values include:
- An individual email address (for example, chris@contoso.com). - An email domain (for example, contoso.com).
- - The wildcard character (for example, \*).
+ - The wildcard character (\*).
- **Sending infrastructure**: This value indicates the source of messages from the spoofed user. Valid values include: - The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address (for example, fabrikam.com). - If the source IP address has no PTR record, then the sending infrastructure is identified as \<source IP\>/24 (for example, 192.168.100.100/24). - A verified DKIM domain.
+ - The wildcard character (\*).
Here are some examples of valid domain pairs to identify spoofed senders:
Here are some examples of valid domain pairs to identify spoofed senders:
- `chris@contoso.com, fabrikam.com` - `*, contoso.net`
-Adding a domain pair only allows or blocks the *combination* of the spoofed user *and* the sending infrastructure. It does not allow email from the spoofed user from any source, nor does it allow email from the sending infrastructure source for any spoofed user.
+> [!NOTE]
+> You can specify wildcards in the sending infrastructure or in the spoofed user, but not in both at the same time. For example, `*, *` isn't permitted.
-For example, you add an allow entry for the following domain pair:
+Adding a domain pair allows or blocks the *combination* of the spoofed user *and* the sending infrastructure *only*. For example, you add an allow entry for the following domain pair:
- **Domain**: gmail.com - **Sending infrastructure**: tms.mx.com Only messages from that domain *and* sending infrastructure pair are allowed to spoof. Other senders attempting to spoof gmail.com aren't allowed. Messages from senders in other domains originating from tms.mx.com are checked by spoof intelligence.
-> [!NOTE]
-> You can specify wildcards in the sending infrastructure or in the spoofed user, but not in both at the same time. For example, `*, *` is not permitted.
- ## About impersonated domains or senders
-You can't create allow entries in the Tenant Allow/Block List for messages that were detected as [domain or sender impersonation protection in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+You can't create allow entries in the Tenant Allow/Block List for messages that were detected as [impersonated users or impersonated domains by anti-phishing policies in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
-Submitting a message that was incorrectly blocked as impersonation on the **Submissions** page at <https://security.microsoft.com/reportsubmission> does not add the sender or domain as an allow entry in the Tenant Allow/Block List.
+Submitting a message that was incorrectly blocked as impersonation on the **Emails** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email> doesn't add the sender or domain as an allow entry in the Tenant Allow/Block List.
-Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.
+Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.
-The instructions to submit the message are identical to the steps in [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions page](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page).
+For submission instructions for impersonation false positives, see [Report good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
> [!NOTE]
-> Currently, Graph Impersonation is not taken care from here.
+> Currently, Graph Impersonation isn't taken care of from here.
## Related articles
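Review bot: The `[!NOTE]` at the end of the impersonation section is corrected for grammar only and still doesn't say what it means: "Graph Impersonation isn't taken care of from here" names neither the feature nor what "here" refers to (the Submissions page, the Tenant Allow/Block List, or the anti-phishing policy). Reword it to state which detections are excluded and from which workflow, or drop it. Separately, the gmail.com example in this hunk labels the first value **Domain**, whereas the syntax above calls it **Spoofed user**; using the same label in both places would avoid confusion.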
security Tenant Allow Block List Files Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure.md
search.appverid:
- m365-security - tier1
-description: Admins can learn how to allow or block files in the Tenant Allow/Block List in the Security portal.
+description: Admins can learn how to allow or block files in the Tenant Allow/Block List.
Previously updated : 12/05/2022 Last updated : 6/7/2023 # Allow or block files using the Tenant Allow/Block List
Last updated 12/05/2022
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-This article describes how to manage file allow and block entries that are available in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, admins can create and manage entries for files in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).
-You manage allow and block entries for files in the Microsoft 365 Defender Portal or in Exchange Online PowerShell.
+This article describes how admins can manage entries for files in the Microsoft 365 Defender Portal and in Exchange Online PowerShell.
## What do you need to know before you begin? -- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
You manage allow and block entries for files in the Microsoft 365 Defender Porta
certutil.exe -hashfile "<Path>\<Filename>" SHA256 ```
- An example value is `768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a`. Perceptual hash (pHash) values are not supported.
+ An example value is `768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a`. Perceptual hash (pHash) values aren't supported.
- For files, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 file entries in total).
You manage allow and block entries for files in the Microsoft 365 Defender Porta
- **View-Only Organization Management** - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
-## Create block entries for files
+- A **Files** tab is available on the **Submissions** page only in organizations with Microsoft 365 Defender or Microsoft Defender for Endpoint Plan 2. For information and instructions to submit files from the **Files** tab, see [Submit files in Microsoft Defender for Endpoint](../defender-endpoint/admin-submissions-mde.md).
-Email messages that contain these blocked files are blocked as *malware*. Messages containing the blocked files are quarantined.
+## Create allow entries for files
-You have the following options to create block entries for files:
+You can't create allow entries for files directly in the Tenant Allow/Block List. Unnecessary allow entries expose your organization to malicious email that would have been filtered by the system.
-- [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-files-on-the-submissions-page)-- The Tenant Allow/Block List in [the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-files-in-the-tenant-allowblock-list) or in [PowerShell](#use-powershell-to-create-block-entries-for-files-in-the-tenant-allowblock-list)
+Instead, you use the **Email attachments** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>. When you submit a blocked file as **Should not have been blocked (False positive)**, you can select **Allow this file** to add an allow entry for the file on the **Files** tab on the **Tenant Allow/Block Lists** page. For instructions, see [Submit good email attachments to Microsoft](submissions-admin.md#report-good-email-attachments-to-microsoft).
-### Use the Microsoft 365 Defender portal to create block entries for files on the Submissions page
+> [!NOTE]
+> Allow entries are added based on the filters that determined the message was malicious during mail flow. For example, if the sender email address and a file in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the file.
+>
+> When the entity in the allow entry is encountered again (during mail flow or at time of click), all filters associated with that entity are overridden.
+>
+> By default, allow entries for files exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities are delivered, unless something else in the message is detected as malicious.
+>
+> During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), the message is delivered if it also contains an allowed file.
+>
+> During time of click, the file allow entry overrides all filters associated with the file entity, which allows users to access the file.
-When you use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to submit files as **Should have been blocked (False negative)**, you can select **Block this file** to add a block entry on the **Files** tab in the Tenant Allow/Block List.
+## Create block entries for files
-For instructions, see [Submit questionable email attachments to Microsoft](submissions-admin.md#report-questionable-email-attachments-to-microsoft).
+Email messages that contain these blocked files are blocked as *malware*. Messages that contain the blocked files are quarantined.
-### Use the Microsoft 365 Defender portal to create block entries for files in the Tenant Allow/Block List
+To create block entries for files, use either of the following methods:
-You can create block entries for files directly in the Tenant Allow/Block List.
+- From the **Email attachments** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>. When you submit a file as **Should have been blocked (False negative)**, you can select **Block this file** to add a block entry to the **Files** tab on the **Tenant Allow/Block Lists** page. For instructions, see [Report questionable email attachments to Microsoft](submissions-admin.md#report-questionable-email-attachments-to-microsoft).
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+- From the **Files** tab on the **Tenant Allow/Block Lists** page or in PowerShell as described in this section.
-2. On the **Tenant Allow/Block List** page, select the **Files** tab.
+### Use the Microsoft 365 Defender portal to create block entries for files in the Tenant Allow/Block List
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. On the **Tenant Allow/Block Lists** page, select the **Files** tab.
-3. On the **Files** tab, click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
+3. On the **Files** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Block**.
-4. In the **Block files** flyout that appears, configure the following settings:
+4. In the **Block files** flyout that opens, configure the following settings:
- **Add file hashes**: Enter one SHA256 hash value per line, up to a maximum of 20.
- - **Remove block entry after**: The default value is **30 days**, but you can select from the following values:
+ - **Remove block entry after**: Select from the following values:
- **1 day** - **7 days**
- - **30 days**
+ - **30 days** (default)
- **Never expire** - **Specific date**: The maximum value is 90 days from today. - **Optional note**: Enter descriptive text for why you're blocking the files.
-5. When you're finished, click **Add**.
+ When you're finished in the **Block files** flyout, select **Add**.
+
+Back on the **Files** tab, the entry is listed.
#### Use PowerShell to create block entries for files in the Tenant Allow/Block List In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax: ```powershell
-New-TenantAllowBlockListItems -ListType <FileHash> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
+New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "HashValue1","HashValue2",..."HashValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
``` This example adds a block entry for the specified files that never expires.
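Review bot: The allow-entry guidance added under "Create allow entries for files" is introduced with `> [!NOTE]`, but the text it replaces further down in this diff sat under `> [!IMPORTANT]`. The callout tells admins that an allow entry overrides all filters associated with the entity, during mail flow and at time of click, so it should keep the higher severity. Also, in the fourth paragraph of the callout, "the message is delivered if it also contains an allowed file" stacks two conditions; something like "a message that contains an allowed file is delivered if it passes email authentication checks" reads more clearly.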
New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695e
For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
-## Use the Microsoft 365 Defender portal to create allow entries for files on the Submissions page
+## Use the Microsoft 365 Defender portal to view entries for files in the Tenant Allow/Block List
-You can't create allow entries for files directly in the Tenant Allow/Block List. Instead, you use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to submit the message attachment as a false positive, which also adds an allow entry on the **Files** tab in the Tenant Allow/Block List.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-For instructions, see [Submit good email attachments to Microsoft](submissions-admin.md#report-good-email-attachments-to-microsoft).
+Select the **Files** tab.
-> [!IMPORTANT]
-> Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system.
->
-> Microsoft manages the creation of allow entries from the **Submissions** page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a file in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the file.
->
-> When that entity is encountered again, all filters associated with that entity are overridden.
->
-> By default, allow entries for files exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those files will be delivered, unless something else in the message is detected as malicious.
->
-> During mail flow, if messages containing the allowed file pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message containing an allowed file will be delivered.
->
-> During time of click, the file allow overrides all filters associated with the file entity, allowing the end user to access the file.
-
-## Use the Microsoft 365 Defender portal to view existing allow or block entries for files in the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-
-2. Select the **Files** tab. The following columns are available:
+On the **Files** tab, you can sort the entries by clicking on an available column header. The following columns are available:
- **Value**: The file hash.
- - **Action**: The values are **Allow** or **Block**.
+ - **Action**: The available values are **Allow** or **Block**.
- **Modified by** - **Last updated** - **Remove on**: The expiration date. - **Notes**
- You can click on a column heading to sort in ascending or descending order.
+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filter** flyout that opens:
- Click ![Group icon.](../../media/m365-cc-sc-group-icon.png) **Group** to group the results by **None** or **Action**.
+- **Action**: The available values are **Allow** and **Block**.
+- **Never expire**: :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: or :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::
+- **Last updated**: Select **From** and **To** dates.
+- **Remove on**: Select **From** and **To** dates.
- Click ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search**, enter all or part of a value, and then press the ENTER key to find a specific value. When you're finished, click ![Clear search icon.](../../media/m365-cc-sc-close-icon.png) **Clear search**.
+When you're finished in the **Filter** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
- Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific entries.
- - **Action**: The values are **Allow** and **Block**.
- - **Never expire**: ![Toggle on.](../../media/scc-toggle-on.png) or ![Toggle off.](../../media/scc-toggle-off.png)
- - **Last updated**: Select **From** and **To** dates.
- - **Remove on**: Select **From** and **To** dates.
+To group the entries, select :::image type="icon" source="../../media/m365-cc-sc-group-icon.png" border="false"::: **Group** and then select **Action**. To ungroup the entries, select **None**.
- When you're finished, click **Apply**. To clear existing filters, click ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters** in the **Filter** flyout.
-
-### Use PowerShell to view existing allow or block entries for files in the Tenant Allow/Block List
+### Use PowerShell to view entries for files in the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:
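Review bot: The navigation path in the new first paragraph of the view section reads "**Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section", while the create, modify and remove procedures in this article use "**Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**"; use one form throughout. The same section also adds "sort the entries by clicking on an available column header", although the rest of this change replaces "click" with "select".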
Get-TenantAllowBlockListItems -ListType FileHash -Block
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
-## Use the Microsoft 365 Defender portal to modify existing allow or block entries for files in the Tenant Allow/Block List
-
-You can make the following modifications to entries for files in the Tenant Allow/Block list:
+## Use the Microsoft 365 Defender portal to modify entries for files in the Tenant Allow/Block List
-- **Block entries**: The expiration date and notes.-- **Allow entries**: The expiration date and notes.
+In existing file entries, you can change the expiration date and note.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
2. Select the **Files** tab
-3. On the **Files** tab, select the check box of the entry that you want to modify, and then click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** button that appears.
-
-4. The following settings are available in the **Edit file** flyout that appears:
- - **Remove block entry after**: You can extend block entries for a maximum of 90 days from the system date or set them to **Never expire**.
- - **Remove allow entry after**: You can extend allow entries for a maximum of 30 days from the system date.
- - **Optional note**
-
- When you're finished, click **Save**.
+3. On the **Files** tab, select the entry from the list by selecting the check box next to the first column, and then select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
+
+4. In the **Edit file** flyout that opens, the following settings are available:
+ - **Block entries**:
+ - **Remove block entry after**: Select from the following values:
+ - **1 day**
+ - **7 days**
+ - **30 days**
+ - **Never expire**
+ - **Specific date**: The maximum value is 90 days from today.
+ - **Optional note**
+ - **Allow entries**:
+ - **Remove allow entry after**: Select from the following values:
+ - **1 day**
+ - **7 days**
+ - **30 days**
+ - **Specific date**: The maximum value is 30 days from today.
+ - **Optional note**
+
+ When you're finished in the **Edit file** flyout, select **Save**.
> [!TIP]
-> For entries added via submission, if you select the entry by clicking anywhere in the row other than the check box, you can select ![View submission icon.](../../media/m365-cc-sc-view-submission-icon.png) **View submission** in the details flyout that opens, which takes you to the submission details that added the entry.
+> In the details flyout of an entry on the **Files** tab, use :::image type="icon" source="../../media/m365-cc-sc-view-submission-icon.png" border="false"::: **View submission** at the top of the flyout to go to the details of the corresponding entry on the **Submissions** page. This action is available if a submission was responsible for creating the entry in the Tenant Allow/Block List.
### Use PowerShell to modify existing allow or block entries for files in the Tenant Allow/Block List In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax: ```powershell
-Set-TenantAllowBlockListItems -ListType <FileHash> <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
+Set-TenantAllowBlockListItems -ListType FileHash <-Ids <Identity value> | -Entries <Value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
``` This example changes the expiration date of the specified file block entry.
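Review bot: The PowerShell heading in this hunk is left as "Use PowerShell to modify existing allow or block entries for files in the Tenant Allow/Block List", while the portal heading above it and the view and remove headings are all shortened to drop "existing allow or block". Rename it to match, and check any inbound anchor links that still point at the old heading text.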
Set-TenantAllowBlockListItems -ListType FileHash -Entries "27c5973b2451db9deeb01
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
-## Use the Microsoft 365 Defender portal to remove existing allow or block entries for files from the Tenant Allow/Block List
+## Use the Microsoft 365 Defender portal to remove entries for files from the Tenant Allow/Block List
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
2. Select the **Files** tab. 3. On the **Files** tab, do one of the following steps:
- - Select the check box of the entry that you want to remove, and then click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears.
- - Select the entry that you want to remove by clicking anywhere in the row other than the check box. In the details flyout that appears, click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+ - Select the entry from the list by selecting the check box next to the first column, and then select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+ - Select the entry from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** at the top of the flyout.
+
+ > [!TIP]
+ > To see details about other entries without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+
+4. In the warning dialog that opens, select **Delete**.
-4. In the warning dialog that appears, click **Delete**.
+Back on the **Files** tab, the entry is no longer listed.
> [!TIP] > You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header.
-### Use PowerShell to remove existing allow or block entries for files from the Tenant Allow/Block List
+### Use PowerShell to remove entries for files from the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax: ```powershell
-Remove-TenantAllowBlockListItems -ListType FileHash <-Ids <Identity value> | -Entries <Value value>>
+Remove-TenantAllowBlockListItems -ListType FileHash <-Ids <Identity value> | -Entries <Value>>
``` This example removes the specified file block from the Tenant Allow/Block List.
security Tenant Allow Block List Urls Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure.md
search.appverid:
- m365-security - tier1
-description: Admins can learn how to allow or block URLs in the Tenant Allow/Block List in the Security portal.
+description: Admins can learn how to allow or block URLs in the Tenant Allow/Block List.
Previously updated : 12/05/2022 Last updated : 6/7/2023 # Allow or block URLs using the Tenant Allow/Block List
Last updated 12/05/2022
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-> [!IMPORTANT]
-> To allow phishing URLs that are part of third-party attack simulation training, use the [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md) to specify the URLs. Don't use the Tenant Allow/Block List.
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, admins can create and manage entries for URLs in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).
-This article describes how to create and manage URL allow and block entries that are available in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).
+> [!NOTE]
+> To allow phishing URLs from third-party phishing simulations, use the [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md) to specify the URLs. Don't use the Tenant Allow/Block List.
-You manage allow and block entries for URLs in the Microsoft 365 Defender Portal or in Exchange Online PowerShell.
+This article describes how admins can manage entries for URLs in the Microsoft 365 Defender Portal and in Exchange Online PowerShell.
## What do you need to know before you begin?
You manage allow and block entries for URLs in the Microsoft 365 Defender Portal
- **View-Only Organization Management** - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
-## Create block entries for URLs
+## Create allow entries for URLs
-Email messages that contain these blocked URLs are blocked as *high confidence phishing*. Messages containing the blocked URLs are quarantined.
+You can't create allow entries for URLs directly in the Tenant Allow/Block List. Unnecessary allow entries expose your organization to malicious email that would have been filtered by the system.
-You have the following options to create block entries for URLs:
+Instead, you use the **URLs** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=url>. When you submit a blocked URL as **Should not have been blocked (False positive)**, you can select **Allow this URL** to add and allow entry for the URL on the **URLs** tab on the **Tenant Allow/Block Lists** page. For instructions, see [Report good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft).
+
+> [!NOTE]
+> We create allow entries for URLs that were determined to be malicious by our filters during mail flow or at time of click.
+>
+> We allow subsequent messages that contain variations of the original URL. For example, you use the **Submissions** page to report the incorrectly blocked URL `www.contoso.com/abc`. If your organization later receives a message that contains the URL (for example but not limited to: `www.contoso.com/abc`, `www.contoso.com/abc?id=1`, `www.contoso.com/abc/def/gty/uyt?id=5`, or `*.contoso.com/abc`), the message isn't blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.
+>
+> When the entity in the allow entry is encountered again (during mail flow or at time of click), all filters associated with that entity are overridden.
+>
+> By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs are delivered, unless something else in the message is detected as malicious.
+>
+> During mail flow, if messages containing the allowed URL pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md) and file filtering, the message is delivered if it also contains an allowed URL.
+>
+> During time of click, the URL allow entry overrides all filters associated with the URL entity, which allows users to access the URL.
+>
+> A URL allow entry doesn't prevent the URL from being wrapped by Safe Links protection in Defender for Office 365. For more information, see [Do not rewrite list in SafeLinks](safe-links-about.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies).
-- [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-on-the-submissions-page)-- The Tenant Allow/Block List in [the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list) or in [PowerShell](#use-powershell-to-create-block-entries-for-urls-in-the-tenant-allowblock-list)
+## Create block entries for URLs
-### Use the Microsoft 365 Defender portal to create block entries for URLs on the Submissions page
+Email messages that contain these blocked URLs are blocked as *high confidence phishing*. Messages that contain the blocked URLs are quarantined.
-When you use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to submit URLs as **Should have been blocked (False negative)**, you can select **Block this URL** to add a block entry on the **URLs** tab in the Tenant Allow/Block List.
+To create block entries for URLs, use either of the following methods:
-For instructions, see [Submit questionable URLs to Microsoft](submissions-admin.md#report-questionable-urls-to-microsoft).
+You have the following options to create block entries for URLs:
-### Use the Microsoft 365 Defender portal to create block entries for URLs in the Tenant Allow/Block List
+- From the **URLs** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=url>. When you submit a message as **Should have been blocked (False negative)**, you can select **Block this URL** to add a block entry to the **URLs** tab on the **Tenant Allow/Block Lists** page. For instructions, see [Report questionable URLs to Microsoft](submissions-admin.md#report-questionable-urls-to-microsoft).
-You can create block entries for URLs directly in the Tenant Allow/Block List.
+- From the **URLs** tab on the **Tenant Allow/Block Lists** page or in PowerShell as described in this section.
+
+### Use the Microsoft 365 Defender portal to create block entries for URLs in the Tenant Allow/Block List
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. 2. On the **Tenant Allow/Block List** page, select the **URLs** tab.
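Review bot: the new "Create block entries for URLs" intro now carries two consecutive lead-in sentences for the same list, "To create block entries for URLs, use either of the following methods:" followed directly by "You have the following options to create block entries for URLs:". Keep one of them. In the same hunk, the new allow-entry paragraph reads "select **Allow this URL** to add and allow entry for the URL", which should be "to add an allow entry for the URL".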
-3. On the **URLs** tab, click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
+3. On the **URLs** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Block**.
-4. In the **Block URLs** flyout that appears, configure the following settings:
+4. In the **Block URLs** flyout that opens, configure the following settings:
- **Add URLs with wildcards**: Enter one URL per line, up to a maximum of 20. For details about the syntax for URL entries, see the [URL syntax for the Tenant Allow/Block List](#url-syntax-for-the-tenant-allowblock-list) section later in this article.
- - **Remove block entry after**: The default value is **30 days**, but you can select from the following values:
+ - **Remove block entry after**: Select from the following values:
- **Never expire** - **1 day** - **7 days**
- - **30 days**
+ - **30 days** (default)
- **Specific date**: The maximum value is 90 days from today. - **Optional note**: Enter descriptive text for why you're blocking the URLs.
-5. When you're finished, click **Add**.
+ When you're finished in the **Block URLs** flyout, select **Add**.
+
+Back on the **URLs** tab, the entry is listed.
#### Use PowerShell to create block entries for URLs in the Tenant Allow/Block List
New-TenantAllowBlockListItems -ListType Url -Block -Entries "Value1","Value2",..
This example adds a block entry for the URL contoso.com and all subdomains (for example, contoso.com and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days. ```powershell
-New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com
+New-TenantAllowBlockListItems -ListType Url -Block -Entries *contoso.com
``` For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
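Review bot: replacing `~contoso.com` with `*contoso.com` in the New-TenantAllowBlockListItems example makes it contradict the URL syntax section of this same article, which states that a left wildcard must be followed by a period and gives "`*contoso.com` isn't allowed" as its example. The sentence introducing the example still describes "contoso.com and all subdomains", which is the behavior the syntax section assigns to the left tilde (`~contoso.com` includes `contoso.com` and `*.contoso.com`), and the Set-TenantAllowBlockListItems example further down still uses `"~contoso.com"`. Suggest keeping `~contoso.com` here, or changing the description and the other examples to match if the tilde form is being retired.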
-## Use the Microsoft 365 Defender portal to create allow entries for URLs on the Submissions page
-
-You can't create URL allow entries directly in the Tenant Allow/Block List. Instead, you use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to submit the URL as a false positive, which also adds an allow entry on the **URLs** tab in the Tenant Allow/Block List.
+## Use the Microsoft 365 Defender portal to view entries for URLs in the Tenant Allow/Block List
-For instructions, see [Submit good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft).
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-> [!IMPORTANT]
-> Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system.
->
-> Microsoft manages the allow entry creation process for URLs from the **Submissions** page. We'll create allow entries for URLs that were determined to be malicious by our filters during mail flow or at time of click.
->
-> We allow subsequent messages that contain variations of the original URL. For example, you use the **Submissions** page to report the incorrectly blocked URL `www.contoso.com/abc`. If your organization later receives a message that contains the URL (for example but not limited to: `www.contoso.com/abc`, `www.contoso.com/abc?id=1`, `www.contoso.com/abc/def/gty/uyt?id=5`, or `*.contoso.com/abc`), the message won't be blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.
->
-> When the URL is encountered again, all filters associated with the URL are overridden.
->
-> By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs will be delivered, unless something else in the message is detected as malicious.
->
-> During mail flow, if messages containing the allowed URL pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md) and file filtering, a message containing an allowed URL will be delivered.
->
-> During time of click, the URL allow entry overrides all filters associated with the URL entity, allowing the user to access the content in the URL.
->
-> Adding an allow entry for a URL does not prevent it from being wrapped by Safe Links. For more information, see [Do not rewrite list in SafeLinks](safe-links-about.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies).
-
-## Use the Microsoft 365 Defender portal to view existing allow or block entries for URLs in the Tenant Allow/Block List
+Select the **URLs** tab.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-
-2. Select the **URL** tab. The following columns are available:
+On the **URLs** tab, you can sort the entries by clicking on an available column header. The following columns are available:
- **Value**: The URL.
- - **Action**: The values are **Allow** or **Block**.
+ - **Action**: The available values are **Allow** or **Block**.
- **Modified by** - **Last updated** - **Remove on**: The expiration date. - **Notes**
- Click on a column heading to sort in ascending or descending order.
-
- Click ![Group icon.](../../media/m365-cc-sc-group-icon.png) **Group** to group the results by **None** or **Action**.
+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filter** flyout that opens:
- Click ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search**, enter all or part of a value, and then press the ENTER key to find a specific value. When you're finished, click ![Clear search icon.](../../media/m365-cc-sc-close-icon.png) to clear the search.
+- **Action**: The available values are **Allow** and **Block**.
+- **Never expire**: :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: or :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::
+- **Last updated**: Select **From** and **To** dates.
+- **Remove on**: Select **From** and **To** dates.
- Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:
+When you're finished in the **Filter** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
- - **Action**: The values are **Allow** and **Block**.
- - **Never expire**: ![Toggle on.](../../media/scc-toggle-on.png) or ![Toggle off.](../../media/scc-toggle-off.png)
- - **Last updated**: Select **From** and **To** dates.
- - **Remove on**: Select **From** and **To** dates.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific entries.
- When you're finished, click **Apply**. To clear existing filters, click ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters** in the **Filter** flyout.
+To group the entries, select :::image type="icon" source="../../media/m365-cc-sc-group-icon.png" border="false"::: **Group** and then select **Action**. To ungroup the entries, select **None**.
-### Use PowerShell to view existing allow or block entries for URLs in the Tenant Allow/Block List
+### Use PowerShell to view entries for URLs in the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:
Get-TenantAllowBlockListItems -ListType Url -Block
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
-## Use the Microsoft 365 Defender portal to modify existing allow or block entries for URLs in the Tenant Allow/Block List
+## Use the Microsoft 365 Defender portal to modify entries for URLs in the Tenant Allow/Block List
-You can make the following modifications to entries for URLs in the Tenant Allow/Block list:
+In existing URL entries, you can change the expiration date and note.
-- **Block entries**: The expiration date and notes.-- **Allow entries**: The expiration date and notes.-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
2. Select the **URLs** tab
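Review bot: the page name is corrected to **Tenant Allow/Block Lists** in step 1 of this procedure only. Step 1 and step 2 of "Use the Microsoft 365 Defender portal to create block entries for URLs" and step 1 of the remove procedure appear as unchanged context and still say "the **Tenant Allow/Block List** page". Suggest applying the same rename there so that all procedures in the article name the page identically. Step 2 here ("Select the **URLs** tab") is also missing its closing period.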
-3. On the **URLs** tab, select the check box of the entry that you want to modify, and then click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** button that appears.
-
-4. The following values are available in the **Edit URL** flyout that appears:
- - **Remove block entry after**: You can extend block entries for a maximum of 90 days from the system date or set them to **Never expire**.
- - **Remove allow entry after**: You can extend allow entries for a maximum of 30 days from the system date.
- - **Optional note**
-
- When you're finished, click **Save**.
+3. On the **URLs** tab, select the entry from the list by selecting the check box next to the first column, and then select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
+
+4. In the **Edit URL** flyout that opens, the following settings are available:
+ - **Block entries**:
+ - **Remove block entry after**: Select from the following values:
+ - **1 day**
+ - **7 days**
+ - **30 days**
+ - **Never expire**
+ - **Specific date**: The maximum value is 90 days from today.
+ - **Optional note**
+ - **Allow entries**:
+ - **Remove allow entry after**: Select from the following values:
+ - **1 day**
+ - **7 days**
+ - **30 days**
+ - **Specific date**: The maximum value is 30 days from today.
+ - **Optional note**
+
+ When you're finished in the **Edit URL** flyout, select **Save**.
> [!TIP]
-> For entries added via submission, if you select the entry by clicking anywhere in the row other than the check box, you can select ![View submission icon.](../../media/m365-cc-sc-view-submission-icon.png) **View submission** in the details flyout that opens up. It takes you to the submission details that added the entry.
+> In the details flyout of an entry on the **URLs** tab, use :::image type="icon" source="../../media/m365-cc-sc-view-submission-icon.png" border="false"::: **View submission** at the top of the flyout to go to the details of the corresponding entry on the **Submissions** page. This action is available if a submission was responsible for creating the entry in the Tenant Allow/Block List.
-### Use PowerShell to modify existing allow or block entries for URLs in the Tenant Allow/Block List
+### Use PowerShell to modify entries for URLs in the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax: ```powershell
-Set-TenantAllowBlockListItems -ListType Url <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
+Set-TenantAllowBlockListItems -ListType Url <-Ids <Identity value> | -Entries <Value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
``` This example changes the expiration date of the block entry for the specified URL.
Set-TenantAllowBlockListItems -ListType Url -Entries "~contoso.com" -ExpirationD
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
-## Use the Microsoft 365 Defender portal to remove existing allow or block entries for URLs from the Tenant Allow/Block List
+## Use the Microsoft 365 Defender portal to remove entries for URLs from the Tenant Allow/Block List
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItem
3. On the **URLs** tab, do one of the following steps:
- - Select the check box of the entry that you want to remove, and then click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears.
- - Select the entry that you want to remove by clicking anywhere in the row other than the check box. In the details flyout that appears, click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+ - Select the entry from the list by selecting the check box next to the first column, and then select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+ - Select the entry from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** at the top of the flyout.
+
+ > [!TIP]
+ > To see details about other entries without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+
+4. In the warning dialog that opens, select **Delete**.
-4. In the warning dialog that appears, click **Delete**.
+Back on the **URLs** tab, the entry is no longer listed.
> [!TIP] > You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header.
-### Use PowerShell to remove existing allow or block entries for URLs from the Tenant Allow/Block List
+### Use PowerShell to remove entries for URLs from the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax: ```powershell
-Remove-TenantAllowBlockListItems -ListType Url <-Ids <Identity value> | -Entries <Value value>>
+Remove-TenantAllowBlockListItems -ListType Url <-Ids <Identity value> | -Entries <Value>>
``` This example removes the block entry for the specified URL from the Tenant Allow/Block List. ```powershell
-Remove-TenantAllowBlockListItems -ListType Url -Entries "~cohovineyard.com
+Remove-TenantAllowBlockListItems -ListType Url -Entries "*cohovineyard.com
``` For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems). ## URL syntax for the Tenant Allow/Block List -- IPv4 and IPv6 addresses are allowed, but TCP/UDP ports are not.
+- IPv4 and IPv6 addresses are allowed, but TCP/UDP ports aren't.
-- Filename extensions are not allowed (for example, test.pdf).
+- Filename extensions aren't allowed (for example, test.pdf).
-- Unicode is not supported, but Punycode is.
+- Unicode isn't supported, but Punycode is.
- Hostnames are allowed if all of the following statements are true: - The hostname contains a period. - There is at least one character to the left of the period. - There are at least two characters to the right of the period.
- For example, `t.co` is allowed; `.com` or `contoso.` are not allowed.
+ For example, `t.co` is allowed; `.com` or `contoso.` aren't allowed.
-- Subpaths are not implied for allows.
+- Subpaths aren't implied for allows.
- For example, `contoso.com` does not include `contoso.com/a`.
+ For example, `contoso.com` doesn't include `contoso.com/a`.
- Wildcards (*) are allowed in the following scenarios:
- - A left wildcard must be followed by a period to specify a subdomain. (only applicable for blocks)
+ - A left wildcard must be followed by a period to specify a subdomain. (applicable only for blocks)
- For example, `*.contoso.com` is allowed; `*contoso.com` is not allowed.
+ For example, `*.contoso.com` is allowed; `*contoso.com` isn't allowed.
- A right wildcard must follow a forward slash (/) to specify a path.
- For example, `contoso.com/*` is allowed; `contoso.com*` or `contoso.com/ab*` are not allowed.
+ For example, `contoso.com/*` is allowed; `contoso.com*` or `contoso.com/ab*` aren't allowed.
- - `*.com*` is invalid (not a resolvable domain and the right wildcard does not follow a forward slash).
+ - `*.com*` is invalid (not a resolvable domain and the right wildcard doesn't follow a forward slash).
- - Wildcards are not allowed in IP addresses.
+ - Wildcards aren't allowed in IP addresses.
- The tilde (~) character is available in the following scenarios: - A left tilde implies a domain and all subdomains.
- For example `~contoso.com` includes `contoso.com` and `*.contoso.com`.
+ For example, `~contoso.com` includes `contoso.com` and `*.contoso.com`.
- A username or password isn't supported or required.
For detailed syntax and parameter information, see [Remove-TenantAllowBlockListI
### URL entry scenarios
-Valid URL entries and their results are described in the following sections.
+Valid URL entries and their results are described in the following subsections.
#### Scenario: No wildcards
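Review bot: in the Remove-TenantAllowBlockListItems example changed earlier in this article, the `-Entries` value opens a double quote that is never closed (`-Entries "*cohovineyard.com`), in both the removed and the added line, so the command as shown would not parse if copied. The added line also moves to the `*cohovineyard.com` form, which the wildcard rules in the syntax list above reject because a left wildcard must be followed by a period. Suggest closing the quote and using an entry form that the syntax list accepts.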
security Trial User Guide Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365.md
Do you want your Defender for Office 365 experience to be active or passive? The
- **Blocking mode**: The Standard template for [preset security policies](preset-security-policies.md) is turned on and used for the trial, and the users you specify to include in the trial are added to the Standard preset security policy. Defender for Office 365 *detects* and *takes action on* harmful messages (for example, detected messages are quarantined).
- The default and recommended selection is to scope these Defender for Office 365 policies to all users in the organization. But during or after the setup of your trial, you can change the policy assignment to specific users, groups, or email domains in the Microsoft 365 Defender portal or in [Policy settings associated with Defender for Office 365 trials](try-microsoft-defender-for-office-365.md#policy-settings-associated-with-defender-for-office-365-trials)
+ The default and recommended selection is to scope these Defender for Office 365 policies to all users in the organization. But during or after the setup of your trial, you can change the policy assignment to specific users, groups, or email domains in the Microsoft 365 Defender portal or in [Policy settings associated with Defender for Office 365 evaluations and trials](try-microsoft-defender-for-office-365.md#policy-settings-associated-with-defender-for-office-365-evaluations-and-trials)
Blocking mode does not provide customized reports for threats detected by Defender for Office 365. Instead, the information is available in the regular reports and investigation features of Defender for Office 365 Plan 2.
security Try Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md
ROBOTS: Previously updated : 1/31/2023 Last updated : 5/26/2023 # Try Microsoft Defender for Office 365
Before you try Defender for Office 365 Plan 2, there are some key questions that
- Either way, how can I tell what Defender for Office 365 Plan 2 is doing for me? - How long do I have before I need to make the decision to keep Defender for Office 365 Plan 2?
-This article will help you answer those questions so you can try Defender for Office 365 Plan 2 in a way that best meets the needs of your organization.
+This article helps you answer those questions so you can try Defender for Office 365 Plan 2 in a way that best meets the needs of your organization.
For a companion guide for how to use your trial, see [Trial User Guide: Microsoft Defender for Office 365](trial-user-guide-defender-for-office-365.md).
Defender for Office 365 helps organizations secure their enterprise by offering
You can also learn more about Defender for Office 365 at this [interactive guide](https://aka.ms/MS365D.InteractiveGuide).
-![Microsoft Defender for Office 365 conceptual diagram.](../../media/microsoft-defender-for-office-365.png)
Watch this short video to learn more about how you can get more done in less time with Microsoft Defender for Office 365.
The protection features of EOP and Defender for Office 365 are implemented using
- [Impersonation protection in anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) - [Safe Attachments for email messages](safe-attachments-about.md) - [Safe Links for email messages and Microsoft Teams](safe-links-about.md)
- - Safe Links detonates URLs during mail flow. To prevent specific URLs from being detonated, use allow entries for URLs in the Tenant Allow/Block List. For more information, see [Manage the Tenant Allow/Block List](tenant-allow-block-list-about.md).
+ - Safe Links detonates URLs during mail flow. To prevent specific URLs from being detonated, submit the URLs to Microsoft as good URLs. For instructions, see [Report good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft).
- Safe Links doesn't wrap URL links in email message bodies.
-Your eligibility for an evaluation or trial means you already have EOP. **No new or special EOP policies are created for your evaluation or trial of Defender for Office 365 Plan 2**. Existing EOP policies in your Microsoft 365 organization are able to act on messages (for example, send messages to the Junk Email folder or to quarantine):
+Your eligibility for an evaluation or trial means you already have EOP. **No new or special EOP policies are created for your evaluation or trial of Defender for Office 365 Plan 2**. Existing EOP policies in your Microsoft 365 organization remain able to act on messages (for example, send messages to the Junk Email folder or to quarantine):
- [Anti-malware policies](anti-malware-protection-about.md) - [Inbound anti-spam protection](anti-spam-protection-about.md)
The default policies for these EOP features are always on, apply to all recipien
### Audit mode vs. blocking mode for Defender for Office 365
-Do you want your Defender for Office 365 experience to be active or passive? These are the two modes that you can select from:
+Do you want your Defender for Office 365 experience to be active or passive? The following modes are available:
-- **Audit mode**: Special *evaluation policies* are created for anti-phishing (which includes impersonation protection), Safe Attachments, and Safe Links. These evaluation policies are configured to *detect* threats only. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined). The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article.
+- **Audit mode**: Special *evaluation policies* are created for anti-phishing (which includes impersonation protection), Safe Attachments, and Safe Links. These evaluation policies are configured to *detect* threats only. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined). The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article. We also automatically turn on SafeLinks time of click protection in audit mode for non-email workloads (for example, Microsoft Teams, SharePoint, and OneDrive for Business)
- Audit mode provides access to customized reports for threats detected by Defender for Office 365 on the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation>.
+ You can also selectively turn on or turn off anti-phishing protection (spoofing and impersonation), Safe Links protection, and Safe Attachments protection. For instructions, see [Manage evaluation settings](#manage-evaluation-settings).
-- **Blocking mode**: The Standard template for [preset security policies](preset-security-policies.md) is turned on and used for the trial, and the users you specify to include in the trial are added to the Standard preset security policy. Defender for Office 365 *detects* and *takes action on* harmful messages (for example, detected messages are quarantined).
+ Audit mode provides specialized reports for threats that are detected by the evaluation policies on the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>. These reports are described in the [Reports for audit mode](#reports-for-audit-mode) section later in this article.
- The default and recommended selection is to scope these Defender for Office 365 policies to all users in the organization. But during or after the setup of your trial, you can change the policy assignment to specific users, groups, or email domains in the Microsoft 365 Defender portal or in [Exchange Online PowerShell](#policy-settings-associated-with-defender-for-office-365-trials).
+- **Blocking mode**: The Standard template for [preset security policies](preset-security-policies.md) is turned on and used for the trial, and the users you specify to include in the trial are added to the Standard preset security policy. Defender for Office 365 *detects and takes action on* harmful messages (for example, detected messages are quarantined).
- Blocking mode does not provide customized reports for threats detected by Defender for Office 365. Instead, the information is available in the regular reports and investigation features of Defender for Office 365 Plan 2.
+ The default and recommended selection is to scope these Defender for Office 365 policies to all users in the organization. But during or after the setup of your trial, you can change the policy assignment to specific users, groups, or email domains in the Microsoft 365 Defender portal or in [Exchange Online PowerShell](#policy-settings-associated-with-defender-for-office-365-evaluations-and-trials).
-A key factor in audit mode vs. blocking mode is how email is delivered to your Microsoft 365 organization:
+ Information about threats that are detected by Defender for Office 365 is available in the regular reports and investigation features of Defender for Office 365 Plan 2, which are described in the [Reports for blocking mode](#reports-for-blocking-mode) section later in this article.
-- Mail from the internet flows directly Microsoft 365, but your current subscription has only [Exchange Online Protection (EOP)](eop-about.md) or [Defender for Office 365 Plan 1](overview.md#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).
+The key factors that determine which modes are available to you are:
- ![Mail flows from the internet into Microsoft 365, with protection from EOP and/or Defender for Office 365 Plan 1.](../../media/mdo-trial-mail-flow.png)
+- Whether or not you currently have Defender for Office 365 (Plan 1 or Plan 2) as described in the next section.
+- How email is delivered to your Microsoft 365 organization as described in the following scenarios:
- In these environments, you can select **audit mode** or **blocking mode**.
+ - Mail from the internet flows directly Microsoft 365, but your current subscription has only [Exchange Online Protection (EOP)](eop-about.md) or [Defender for Office 365 Plan 1](overview.md#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).
-- You're currently using a third-party service or device for email protection of your Microsoft 365 mailboxes. Mail from the internet flows through the protection service before delivery into your Microsoft 365 organization. Microsoft 365 protection is as low as possible (it's never completely off; for example, malware protection is always enforced).
+ :::image type="content" source="../../medio-trial-mail-flow.png":::
- ![Mail flows from the internet through the third-party protection service or device before delivery into Microsoft 365.](../../media/mdo-migration-before.png)
+ In these environments, **audit mode** or **blocking mode** are available, depending on your licensing as explained in the next section
- In these environments, you can select **audit mode** only. You don't need to change your mail flow (MX records).
+ - You're currently using a third-party service or device for email protection of your Microsoft 365 mailboxes. Mail from the internet flows through the protection service before delivery into your Microsoft 365 organization. Microsoft 365 protection is as low as possible (it's never completely off; for example, malware protection is always enforced).
+
+ :::image type="content" source="../../medio-migration-before.png":::
+
+ In these environments, only **audit mode** is available. You don't need to change your mail flow (MX records) to evaluate Defender for Office 365 Plan 2.
### Evaluation vs. trial for Defender for Office 365
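Review bot: The sentence added at the end of the **Audit mode** bullet ("We also automatically turn on SafeLinks time of click protection in audit mode for non-email workloads") follows the statement that evaluation policies *detect* threats only and that messages aren't acted upon. It should therefore say whether time-of-click protection in Microsoft Teams, SharePoint, and OneDrive for Business blocks the click or only records it. The sentence also lacks a closing period and writes "SafeLinks" where the rest of the article uses "Safe Links". In the mail flow scenarios, "flows directly Microsoft 365" is missing "into", and the sentence ending "as explained in the next section" has no period. Both added `:::image type="content"` lines drop the alt text and point to `../../medio-...`, where the removed lines used `../../media/mdo-...`; confirm that the paths resolve and restore the alt text.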
-What's the difference between an evaluation and a trial of Defender for Office 365 Plan 2? Aren't they the same thing? Well, yes and no. Here's what you need to know:
+What's the difference between an evaluation and a trial of Defender for Office 365 Plan 2? Aren't they the same thing? Well, yes and no. The licensing in your Microsoft 365 organization makes all the difference:
+
+- **No Defender for Office Plan 2**: If you don't already have Defender for Office 365 Plan 2 (for example, you have standalone EOP, Microsoft 365 E3, Microsoft 365 Business Premium, or a Defender for Office 365 Plan 1 add-on subscription), you can start the Defender for Office 365 Plan 2 experience from the following locations in the Microsoft 365 Defender portal:
+
+ - The **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub>.
+ - The **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>.
+
+ You can select **audit mode** (evaluation policies) or **blocking mode** (Standard preset security policy) during the set up of the evaluation or trial.
+
+ Regardless of which location you use, we automatically provision any required Defender for Office 365 Plan 2 licenses when you enroll. Manually getting and assigning Plan 2 licenses in the Microsoft 365 admin center isn't required.
-- If you don't already have Defender for Office 365 Plan 2 licenses (for example, standalone EOP, Microsoft 365 E3, Microsoft 365 Business Premium, or Defender for Office 365 Plan 1), you can start your trial from the **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub> or the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation> in the Microsoft 365 Defender portal. At either location, you can select **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies) as previously described.
+ The automatically provisioned licenses are good for 90 days. What this 90 day period means depends the existing licensing in your organization:
- Regardless of which location you use, we'll automatically provision the required Defender for Office 365 Plan 2 trial licenses for you when you enroll. Manual or outside steps for getting and assigning Plan 2 licenses in the Microsoft 365 admin center are no longer required. The trial licenses are good for 90 days:
+ - **No Defender for Office 365 Plan 1**: For organizations without Defender for Office 365 Plan 1 (for example, standalone EOP or Microsoft 365 E3) all Defender for Office 365 Plan 2 features (in particular, the security policies) are available during the 90 day period only.
- - For organizations without Defender for Office 365 (for example, standalone EOP or Microsoft 365 E3) the features (in particular, the policies) of Defender for Office 365 are available to you during the trial period.
+ - **Defender for Office 365 Plan 1**: Organizations with Defender for Office 365 Plan 1 (for example, Microsoft 365 Business Premium or add-on subscriptions) already have the same security policies that are available in Defender for Office 365 Plan 2: impersonation protection in anti-phishing policies, Safe Attachments policies, and Safe Links policies.
- - Organizations with Defender for Office 365 Plan 1 (for example Microsoft 365 Business Premium or add-on subscriptions) have exactly the same policies as organizations with Defender for Office 365 Plan 2 (impersonation protection in anti-phishing policies, Safe Attachments policies, and Safe Links policies). The security policies from **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies) don't expire or stop working after 90 days. What ends after 90 days for these organizations are the [automation, investigation, remediation, and education capabilities](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) of Plan 2 that aren't present in Plan 1.
+ The security policies from **audit mode** (evaluation policies) or **blocking mode** (Standard preset security policy) don't expire or stop working after 90 days. What ends after 90 days are the [automation, investigation, remediation, and education capabilities](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) of Defender for Office 365 Plan 2 that aren't available in Plan 1.
-- If you already have Defender for Office 365 Plan 2 (for example, as part of a Microsoft 365 E5 subscription), you'll never see **Defender for Office 365** on the **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub>. Instead, you start your evaluation of Defender for Office 365 Plan to on the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation> in **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies).
+ If you set up your evaluation or trial in **audit mode** (evaluation policies), you can later _convert_ to **blocking mode** (Standard preset security policy). For instructions, see the [Convert to Standard protection](#convert-to-standard-protection) section later in this article.
- By definition, these organizations don't require trial licenses of Defender for Office 365 Plan 2, so their evaluations are unlimited in duration.
+- **Defender for Office 365 Plan 2**: If you already have Defender for Office 365 Plan 2 (for example, as part of a Microsoft 365 E5 subscription), **Defender for Office 365** isn't available to select on the **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub>.
+
+ Your only option is to set up an evaluation of Defender for Office 365 on the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>. Furthermore, the evaluation is automatically set up in **Audit mode** (evaluation policies).
+
+ Later, you can _convert_ to **blocking mode** (Standard preset security policy) using the [**Convert to standard** action on the **Microsoft Defender for Office 365 evaluation** page](#convert-to-standard-protection) or by [turning off the evaluation on the **Microsoft Defender for Office 365 evaluation** page](#manage-evaluation-settings) and then [configuring the Standard preset security policy](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+
+ By definition, organizations with Defender for Office 365 Plan 2 don't require additional licenses to evaluate Defender for Office 365 Plan 2, so evaluations in these organizations are unlimited in duration.
The information from the previous list is summarized in the following table:
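Review bot: The **No Defender for Office 365 Plan 1** sub-bullet says the security policies "are available during the 90 day period only", but it doesn't spell out the consequence for an organization that chose **blocking mode**: the protection from the Standard preset security policy ends with the licenses. State that plainly and point to what the admin should do before day 90. Wording fixes in the same block: the top-level label "**No Defender for Office Plan 2**" omits "365", "depends the existing licensing" is missing "on", and "**Audit mode**" in the Plan 2 bullet is capitalized differently from every other **audit mode** in the section.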
-|Organization|Available modes|Enroll from the<br/>Evaluation page?|Enroll from the<br/>Trials page?|Evaluation<br/>period|
-|||::|::||
-|Standalone EOP<br/>(no Exchange Online mailboxes) <br/><br/> Microsoft 365 E3|Audit mode <br/> Blocking mode|Yes|Yes|90 days|
-|Defender for Office 365 Plan 1 <br/><br/> Microsoft 365 Business Premium|Audit mode <br/> Blocking mode|Yes|Yes|Unlimited<sup>\*</sup>|
-|Microsoft 365 E5|Audit mode <br/> Blocking mode|Yes|No|Unlimited|
+|Organization|Enroll from<br>the Trials page?|Enroll from<br>the Evaluation page?|Available modes|Evaluation<br>period|
+||::|::|||
+|Standalone EOP (no Exchange Online mailboxes) <br><br> Microsoft 365 E3|Yes|Yes|Audit mode <br><br> Blocking mode┬╣|90 days|
+|Defender for Office 365 Plan 1 <br><br> Microsoft 365 Business Premium|Yes|Yes|Audit mode <br><br> Blocking mode┬╣|90 days┬▓|
+|Microsoft 365 E5|No|Yes|Audit mode <br><br> Blocking mode┬╣ ┬│|Unlimited|
+
+┬╣ As [previously described](#audit-mode-vs-blocking-mode-for-defender-for-office-365), **blocking mode** (Standard preset security policy) isn't available if internet mail flows through a third-party protection service or device before delivery to Microsoft 365.
+
+┬▓ The security policies from **audit mode** (evaluation policies) or **blocking mode** (Standard preset security policy) don't expire or stop working after 90 days. The [automation, investigation, remediation, and education capabilities](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) that are exclusive to Defender for Office 365 Plan 2 stop working after 90 days.
+
+┬│ The evaluation is set up in **audit mode** (evaluation policies). At any point after the setup is complete, you can _convert_ to **blocking mode** (Standard preset security policy) as described in [Convert to Standard protection](#convert-to-standard-protection).
-<sup>\*</sup> The security policies from **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies) don't expire or stop working after 90 days. Only the [automation, investigation, remediation, and education capabilities](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) that are exclusive to Defender for Office 365 Plan 2 stop working after 90 days.
+Now that you understand the differences between evaluations, trials, audit mode, and blocking mode, you're ready to set up your evaluation or trial as described in the next sections.
## Set up an evaluation or trial in audit mode
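Review bot: In the new table, only the Microsoft 365 E5 row carries the third footnote ("The evaluation is set up in **audit mode**"). However, the setup steps added later in this change say the **Turn on protection** dialog isn't available in organizations with Plan 1 or Plan 2. If Plan 1 organizations are also placed in audit mode without a choice, the Defender for Office 365 Plan 1 row needs the same footnote on **Blocking mode**. If they do get a choice, the step text needs correcting instead. Either way, the table and the procedure should agree on which organizations can pick blocking mode at setup.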
-Remember, when you evaluate Defender for Office 365 in audit mode, special evaluation policies are created so Defender for Office 365 can detect threats. The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article.
+Remember, when you evaluate or try Defender for Office 365 in audit mode, special evaluation policies are created so Defender for Office 365 can detect threats. The settings of these evaluation policies are described in the [Policies in audit mode](#policies-in-audit-mode) section later in this article.
1. Start the evaluation in any of the available locations in the Microsoft 365 Defender portal at <https://security.microsoft.com>. For example:
- - On the banner at the top of any Defender for Office 365 feature page, click **Start free trial**.
+ - On the banner at the top of any Defender for Office 365 feature page, select **Start free trial**.
- On the **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub>, find and select **Defender for Office 365**.
- - On the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation>, click **Start evaluation**.
+ - On the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>, select **Start evaluation**.
-2. In the **Turn on protection** dialog, select **No, I only want reporting**, and then click **Continue**.
+2. The **Turn on protection** dialog isn't available in organizations with Defender for Office Plan 1 or Plan 2.
+
+ In the **Turn on protection** dialog, select **No, I only want reporting**, and then select **Continue**.
3. In the **Select the users you want to include** dialog, configure the following settings: - **All users**: This is the default and recommended option.
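Review bot: Step 2 now opens with "The **Turn on protection** dialog isn't available in organizations with Defender for Office Plan 1 or Plan 2" and then tells every reader to make a selection in that dialog. An admin with Plan 1 or Plan 2 can't tell whether to skip the step or which mode the setup ends up in. Make the instruction conditional, for example "If the **Turn on protection** dialog appears, select **No, I only want reporting**, and then select **Continue**; otherwise continue with step 3", and write the product name as "Defender for Office 365".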
- - **Select users**: If you select this option, you need to select the internal recipients that the evaluation applies to:
+ - **Specific users**: If you select this option, you need to select the internal recipients that the evaluation applies to:
- **Users**: The specified mailboxes, mail users, or mail contacts. - **Groups**:
- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
+ - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
- The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ Click in the box, start typing a value, and select the value from the results below the box. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value in the box.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
Remember, when you evaluate Defender for Office 365 in audit mode, special evalu
> > Likewise, if you use the same recipient filter as an exception, the evaluation or trial is not applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial still applies to him.
- When you're finished, click **Continue**.
+ When you're finished in the **Select the users you want to include** dialog, select **Continue**.
4. In the **Help us understand your mail flow** dialog, configure the following options: - One of the following options is automatically selected based on our detection of the MX record for your domain:
- - **I'm using a third-party and/or on-premises service provider**: The MX record for your domain points somewhere other than Microsoft 365. This selection requires the following additional settings after you click **Next**:
+ - **I'm using a third-party and/or on-premises service provider**: The MX record for your domain points somewhere other than Microsoft 365. Verify or configure the following settings:
+ - **Third party service your organization is using**: Verify or select one of the following values:
+ - **Other**: This value also requires information in **If your email messages pass through multiple gateways, list each gateway IP address**, which is available only for the value **Other**. Use this value if you're using an on-premises service provider.
- 1. In the **Third party or on-premises settings** dialog, configure the following settings:
+ Enter a comma-separated list of the IP addresses that are used by the third-party protection service or device to send mail into Microsoft 365.
- - **Select a third party service provider**: Select one of the following values:
- **Barracuda** - **IronPort** - **Mimecast**
Remember, when you evaluate Defender for Office 365 in audit mode, special evalu
- **Sophos** - **Symantec** - **Trend Micro**
- - **Other**
-
- - **The connector to apply this evaluation to**: Select the connector that's used for mail flow into Microsoft 365.
-
- [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as *skip listing*) is automatically configured on the connector that you specify.
-
- When a third-party service or device sits in front of email flowing into Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md).
-
- - **List each gateway IP address your messages pass through**: This setting is available only if you selected **Other** for **Select a third party service provider**. Enter a comma-separated list of the IP addresses that are used by the third-party protection service or device to send mail into Microsoft 365.
-
- When you're finished, click **Next**.
- 2. In the **Exchange mail flow rules** dialog, decide if you need an Exchange Online mail flow rule (also known as a transport rule) that skips spam filtering for incoming messages from the third-party protection service or device.
+ - **The connector to apply this evaluation to**: Select the connector that's used for mail flow into Microsoft 365.
- It's likely that you already have an SCL=-1 mail flow rule in Exchange Online that allows all inbound mail from the protection service to bypass (most) Microsoft 365 filtering. Many protection services encourage this spam confidence level (SCL) mail flow rule method for Microsoft 365 customers who use their services.
+ [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as *skip listing*) is automatically configured on the connector that you specify.
- As explained in the previous step, Enhanced Filtering for Connectors is automatically configured on the connector that you specify as the source of mail from the protection service.
+ When a third-party service or device sits in front of email flowing into Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md).
- Turning on Enhanced Filtering for Connectors without an SCL=-1 rule for incoming mail from the protection service will vastly improve the detection capabilities of EOP protection features like [spoof intelligence](anti-phishing-protection-spoofing-about.md), and could impact the delivery of those newly detected messages (for example, move to the Junk Email folder or to quarantine). This impact is limited to EOP policies; as previously explained, Defender for Office 365 policies are created in audit mode.
-
- To create an SCL=-1 mail flow rule or to review your existing rules, click the **Go to Exchange admin center** button on the page. For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
-
- When you're finished, click **Finish**.
-
- - **I'm only using Microsoft Exchange Online**: The MX records for your domain point to Microsoft 365. There's nothing left to configure, so click **Finish**.
+ - **I'm only using Microsoft Exchange Online**: The MX records for your domain point to Microsoft 365. There's nothing left to configure, so select **Finish**.
- **Share data with Microsoft**: This option isn't selected by default, but you can select the check box if you like.
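Review bot: The removed **Exchange mail flow rules** step held the only warning that turning on Enhanced Filtering for Connectors without an SCL=-1 rule "could impact the delivery of those newly detected messages (for example, move to the Junk Email folder or to quarantine)" under existing EOP policies. The added text keeps "automatically configured on the connector that you specify" without that warning. Keep a short note beside the connector setting saying that EOP verdicts can change once Enhanced Filtering is on, because an admin who chose audit mode expects no delivery changes. The re-added Enhanced Filtering paragraph still has an unclosed parenthesis after "(especially". The **I'm only using Microsoft Exchange Online** bullet already ends with "select **Finish**", so the new closing sentence for the dialog repeats it.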
-5. A progress dialog appears as your evaluation is set up. When set up is complete, click **Done**.
+ When you're finished in the **Help us understand your mail flow** dialog, select **Finish**.
+
+5. When set up is complete, you get a **Let us show you around** dialog. Select **Start tour** or **Dismiss**.
## Set up an evaluation or trial in blocking mode
-Remember, when you try Defender for Office 365 in blocking mode, the Standard preset security is turned on and the specified users (some or everyone) are included in the Standard preset security policy. For more information about the Standard preset security policy, see [Preset security policies](preset-security-policies.md).
+Remember, when you try Defender for Office 365 in **blocking mode**, the Standard preset security is turned on and the specified users (some or everyone) are included in the Standard preset security policy. For more information about the Standard preset security policy, see [Preset security policies](preset-security-policies.md).
1. Start the trial in any of the available locations in the Microsoft 365 Defender portal at <https://security.microsoft.com>. For example:
- - On the banner at the top of any Defender for Office 365 feature page, click **Start free trial**.
+ - On the banner at the top of any Defender for Office 365 feature page, select **Start free trial**.
- On the **Microsoft 365 trials** page at <https://security.microsoft.com/trialHorizontalHub>, find and select **Defender for Office 365**.
- - On the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation>, click **Start evaluation**.
+ - On the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>, select **Start evaluation**.
+
+2. The **Turn on protection** dialog isn't available in organizations with Defender for Office Plan 1 or Plan 2.
-2. In the **Turn on protection** dialog, select **Yes, protect my organization by blocking threats**, and then click **Continue**.
+ In the **Turn on protection** dialog, select **Yes, protect my organization by blocking threats**, and then select **Continue**.
3. In the **Select the users you want to include** dialog, configure the following settings:
Remember, when you try Defender for Office 365 in blocking mode, the Standard pr
- **Select users**: If you select this option, you need to select the internal recipients that the trial applies to: - **Users**: The specified mailboxes, mail users, or mail contacts. - **Groups**:
- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
+ - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
- The specified Microsoft 365 Groups. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+ Click in the box, start typing a value, and select the value from the results below the box. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value in the box.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
Remember, when you try Defender for Office 365 in blocking mode, the Standard pr
> > Likewise, if you use the same recipient filter as an exception, the evaluation or trial is not applied to romain@contoso.com *only* if he's also a member of the Executives group. If he's not a member of the group, then the evaluation or trial still applies to him.
- When you're finished, click **Continue**.
+ When you're finished in the **Select the users you want to include** dialog, select **Continue**.
-4. A progress dialog appears as your evaluation is set up. When setup is complete, click **Done**.
+4. A progress dialog appears as your evaluation is set up. When setup is complete, select **Done**.
## Manage your evaluation or trial of Defender for Office 365
-After you set up your evaluation or trial in audit mode or blocking mode, the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation> is your central location for information about trying Defender for Office 365 Plan 2.
+After you set up your evaluation or trial in **audit mode**, the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation> is your central location for the results of trying Defender for Office 365 Plan 2.
+
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> select **Evaluation mode** in the **Others** section. Or, to go directly to the **Microsoft Defender for Office 365 evaluation** page, use <https://security.microsoft.com/atpEvaluation>.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> select **Evaluation mode** in the **Others** section. Or, to go directly to the **Microsoft Defender for Office 365 evaluation** page, use <https://security.microsoft.com/atpEvaluation>.
+The actions that are available on the **Microsoft Defender for Office 365 evaluation** page are described in the following subsections.
-2. On the **Microsoft Defender for Office 365 evaluation** page, you can do the following tasks:
+### Manage evaluation settings
- - Click **Buy a paid subscription** to buy Defender for Office 365 Plan 2.
+On the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>, select **Manage evaluation settings**.
- - Click **Manage**. In the **Microsoft Defender for Office 365 evaluation** flyout that appears, you can do the following tasks:
+In the **Manage MDO evaluation settings** flyout that opens, the following information and settings are available:
- - Change who the evaluation or trial applies to as described earlier in the [Set up an evaluation or trial in audit mode](#set-up-an-evaluation-or-trial-in-audit-mode) and [Set up an evaluation or trial in blocking mode](#set-up-an-evaluation-or-trial-in-blocking-mode).
+- Whether the evaluation is on is shown at the top of the flyout (**Evaluation on** or **Evaluation off**). This information is also available on the **Microsoft Defender for Office 365 evaluation** page.
- - To switch from **audit mode** (evaluation policies) to blocking mode (Standard preset security policy), click **Convert to standard protection**, and then click **Continue** in the dialog that appears to be taken to the **Apply standard protection** wizard on the **Preset security policies** page. The existing included and excluded recipients are copied over. For more information, see [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+ The :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** or **Turn on** action allows you to turn off or turn on the evaluation policies.
- **Notes**:
+- How many days are left in the evaluation is shown at the top of the flyout (**nn days remaining**).
- - The policies in the Standard preset security policy have a higher priority than the evaluation policies, which means the policies in the Standard preset security are always applied *before* the evaluation policies, even if both are present and turned on. To turn off the evaluation policies, use the **Turn off** button.
- - There's no automatic way to go from **blocking mode** to **audit mode**. The manual steps are:
- 1. Turn off the Standard preset security policy on the **Preset security policies** page.
- 2. After clicking **Manage** on the **Microsoft Defender for Office 365 evaluation** page, verify the presence of the **Turn off** button, which indicates the evaluation policies are turned on. If you see the **Turn on** button, click it to turn on the evaluation policies.
- 3. Verify the users that the evaluation applies to.
+- **Detection capabilities** section: Use the toggles to turn on or turn off the following Defender for Office 365 protections:
+ - **Safe Links**
+ - **Safe Attachments**
+ - **Anti-phishing**
- - To turn off the evaluation policies, click **Turn off**. To turn them back on, click **Turn on**.
+- **Users, groups, and domains** section: Select **Edit users, groups, and domains** to change who the evaluation or trial applies to as described earlier in [Set up an evaluation or trial in audit mode](#set-up-an-evaluation-or-trial-in-audit-mode).
- When you're finished in the flyout, click **Save**.
+- **Impersonation settings** section:
+ - If impersonation protection isn't configured in the anti-phishing evaluation policy, select **Apply impersonation protection** to configure impersonation protection:
+ - Internal and external users (senders) for user impersonation protection.
+ - Custom domains for domain impersonation protection.
+ - Trusted senders and domains to exclude from impersonation protection.
+
+ The steps are essentially the same as described in the **Impersonation** section in Step 5 at [Use the Microsoft 365 Defender portal to create anti-phishing policies](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies).
+
+ - If impersonation protection is configured in the anti-phishing evaluation policy, this section shows the impersonation protection settings for:
+ - **User impersonation protection**
+ - **Domain impersonation protection**
+ - **Trusted impersonated senders and domains**
+
+ To modify the settings, select **Edit impersonation settings**.
+
+When you're finished in the **Manage MDO evaluation settings** flyout, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: **Close**.
+
+### Convert to Standard protection
+
+For your evaluation or trial, you can switch from **audit mode** (evaluation policies) to **blocking mode** (Standard preset security policy) using either of the following methods:
+
+- <u>On the **Microsoft Defender for Office 365 evaluation** page</u>: Select **Convert to standard protection**
+- <u>In the **Manage MDO evaluation settings** flyout</u>: On the **Microsoft Defender for Office 365 evaluation** page, select **Manage evaluation settings**. In the details flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-convert-to-std-prot-icon.png" border="false"::: **Convert to standard protection**.
+
+After you select **Convert to standard protection**, read the information in the dialog that opens, and then select **Continue**.
+
+You're taken to the **Apply standard protection** wizard on the **Preset security policies** page. The list of recipients that are included and excluded from the evaluation or trial are copied into the Standard preset security policy. For more information, see [Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users).
+
+- The security policies in the Standard preset security policy have a higher priority than the evaluation policies, which means the policies in the Standard preset security are always applied *before* the evaluation policies, even if both are present and turned on.
+- There's no automatic way to go from **blocking mode** to **audit mode**. The manual steps are:
+ 1. Turn off the Standard preset security policy on the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies>.
+ 2. On the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>, verify the value **Evaluation on** is shown.
+
+ If **Evaluation off** is shown, select **Manage evaluation settings**. In the **Manage MDO evaluation settings** flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on**.
+
+ 3. Select **Manage evaluation settings** to verify the users that the evaluation applies to in the **Users, groups, and domains** section in the **Manage MDO evaluation settings** details flyout that opens.
## Reports for your evaluation or trial of Defender for Office 365
-This section describes the reports that are available in audit mode and blocking mode.
+This section describes the reports that are available in **audit mode** and **blocking mode**.
### Reports for blocking mode
-In **blocking mode**, the following reports show detections by Defender for Office 365:
+No special reports are created for **blocking mode**, so use the standard reports that are available in Defender for Office 365. Specifically, you're looking for reports that apply only to Defender for Office 365 features (for example, Safe Links or Safe Attachments) or reports that can be filtered by Defender for Office 365 detections as described in the following list:
- The [Mailflow view for the Mailflow status report](reports-email-security.md#mailflow-view-for-the-mailflow-status-report):- - Messages detected as user impersonation or domain impersonation by anti-phishing policies appear in **Impersonation block**. - Messages detected during file or URL detonation by Safe Attachments policies or Safe Links policies appear in **Detonation block**. - The [Threat protection status report](reports-email-security.md#threat-protection-status-report):
- - [View data by Overview](reports-email-security.md#view-data-by-overview):
-
- You can filter most views by the **Protected by** value **MDO** to see the effects of Defender for Office 365.
+ You can filter many of the views in the Threat protection status report by the **Protected by** value **MDO** to see the effects of Defender for Office 365.
+ - [View data by Overview](reports-email-security.md#view-data-by-overview)
+
- [View data by Email \> Phish and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--phish-and-chart-breakdown-by-detection-technology)- - Messages detected by [campaigns](campaigns.md) appear in **Campaign**. - Messages detected by Safe Attachments appear in **File detonation** and **File detonation reputation**. - Messages detected by user impersonation protection in anti-phishing policies appear in **Impersonation domain**, **Impersonation user**, and **Mailbox intelligence impersonation**. - Messages detected by Safe Links appear in **URL detonation** and **URL detonation reputation**. - [View data by Email \> Malware and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--malware-and-chart-breakdown-by-detection-technology)- - Messages detected by [campaigns](campaigns.md) appear in **Campaign**. - Messages detected by Safe Attachments appear in **File detonation** and **File detonation reputation**. - Messages detected by Safe Links appear in **URL detonation** and **URL detonation reputation**.
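Review bot: In the new **Convert to Standard protection** subsection, the two bullets that begin "The security policies in the Standard preset security policy have a higher priority..." and "There's no automatic way to go from **blocking mode** to **audit mode**" lost the "**Notes**:" label the old text had, so they now hang off the paragraph about the **Apply standard protection** wizard with nothing introducing them. Add a lead-in sentence or a note callout. The first bullet also still reads "the policies in the Standard preset security are always applied" (missing "policy"), and it dropped the old pointer to **Turn off** for the evaluation policies. Because Standard always wins over the evaluation policies when both are on, say here how to turn the evaluation policies off, or point to **Manage evaluation settings**.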
In **blocking mode**, the following reports show detections by Defender for Offi
Malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md) appear in **MDO detonation**.
- - The [Top senders and recipients report](reports-email-security.md#top-senders-and-recipients-report)
+- The [Top senders and recipients report](reports-email-security.md#top-senders-and-recipients-report)
- **Show data for Top malware recipients (MDO)** and **Show data for Top phish recipients (MDO)**.
+ **Show data for Top malware recipients (MDO)** and **Show data for Top phish recipients (MDO)**.
- - The [URL protection report](reports-defender-for-office-365.md#url-protection-report)
+- The [URL protection report](reports-defender-for-office-365.md#url-protection-report)
### Reports for audit mode
-In **audit mode**, the following reports show detections by Defender for Office 365:
+In **audit mode**, you're looking for reports that show detections by the evaluation policies as described in the following list:
-- The [Threat protection status report](reports-email-security.md#threat-protection-status-report) has **Evaluation: Yes/No** as a filterable property in the following views:
- - [View data by Email \> Phish and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--phish-and-chart-breakdown-by-detection-technology)
- - [View data by Email \> Malware and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--malware-and-chart-breakdown-by-detection-technology)
- - [View data by Email \> Spam and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--spam-and-chart-breakdown-by-detection-technology)
+- The [Email entity page](mdo-email-entity-page.md) (part of [Threat Explorer](threat-explorer-about.md)) shows the following banner in message detection details on the **Analysis** tab for **Bad attachment**, **spam url + malware**, **Phish url**, and **impersonation** messages that were detected by the Defender for Office 365 evaluation:
+
+ :::image type="content" source="../../media/evalv2-detection-banner.png" alt-text="Notification banner in message details that the Defender for Office 365 evaluation detected a malicious email message." lightbox="../../media/evalv2-detection-banner.png":::
+
+- The **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation> consolidates the detections from the standard reports that are available in Defender for Office 365. The reports on this page are primarily filtered by **Evaluation: Yes** to show detections by the evaluation policies only, but most reports also use additional clarifying filters.
-- [Threat Explorer](threat-explorer-about.md) shows the following banner in message detection details on the **Analysis** tab for **Bad attachment**, **spam url + malware**, **Phish url**, and **impersonation** messages that were detected by the Defender for Office 365 evaluation show the following banner in the details of the entry:
+ By default, the report summaries on the page show data for the last 30 days, but you can filter the date range by selecting :::image type="icon" source="../../media/m365-cc-sc-add-internal-icon.png" border="false"::: **30 days** and selecting from following additional values that are less than 30 days:
- ![Notification banner in message details that the Defender for Office 365 evaluation detected a malicious email message.](../../media/evalv2-detection-banner.png)
+ - **24 hours**
+ - **7 days**
+ - **14 days**
+ - **Custom date range**
-The **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation> consolidates the reporting for the policies in the evaluation:
+ The date range filter affects the data that's displayed in the report summaries on the page and in the main report when you select **View details** in a card.
-- Safe Links-- Safe Attachments-- Impersonation protection in anti-phishing policies
+ Select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download** to download the chart data to a .csv file.
-By default, the charts show data for the last 30 days, but you can filter the date range by clicking ![Calendar icon.](../../media/m365-cc-sc-add-internal-icon.png) **30 days** and selecting from following additional values that are less than 30 days:
+ - The following reports on the **Microsoft Defender for Office 365 evaluation** page contain filtered information from specific views in the [Threat protection status report](reports-email-security.md#threat-protection-status-report):
+ - **Email links**:
+ - Report view: [View data by Email \> Phish and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--phish-and-chart-breakdown-by-detection-technology)
+ - **Detection** filters: **URL detonation reputation** and **URL detonation**.
+ - **Attachments in email**:
+ - Report view: [View data by Email \> Phish and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--phish-and-chart-breakdown-by-detection-technology)
+ - **Detection** filters: **File detonation** and **File detonation reputation**.
+ - **Impersonation**
+ - Report view: [View data by Email \> Phish and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--phish-and-chart-breakdown-by-detection-technology)
+ - **Detection** filters: **Impersonation user**, **Impersonation domain**, and **Mailbox intelligence impersonation**.
+ - **Attachment links**
+ - Report view: [View data by Email \> Malware and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--malware-and-chart-breakdown-by-detection-technology)
+ - **Detection** filters: **URL detonation** and **URL detonation reputation**.
+ - **Embedded malware**
+ - Report view: [View data by Email \> Malware and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--malware-and-chart-breakdown-by-detection-technology)
+ - **Detection** filters: **File detonation** and **File detonation reputation**.
+ - **Spoofed senders**:
+ - Report view: [View data by Email \> Phish and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--phish-and-chart-breakdown-by-detection-technology)
+ - **Detection** filters: **Spoof intra-org**, **Spoof external domain**, and **Spoof DMARC**.
-- 24 hours-- 7 days-- 14 days-- Custom date range
+ - **Real-time URL click protection** uses the [View data by URL click protection action in the URL protection report](reports-defender-for-office-365.md#view-data-by-url-click-protection-action-in-the-url-protection-report) that's filtered by **Evaluation: Yes**.
-You can click ![Download icon.](../../media/m365-cc-sc-download-icon.png) **Download** to download the chart data to a .csv file.
+ Although the [View data by URL click by application in the URL protection report](reports-defender-for-office-365.md#view-data-by-url-click-by-application-in-the-url-protection-report) isn't shown on the **Microsoft Defender for Office 365 evaluation** page, it's also filterable by **Evaluation: Yes**.
## Required permissions
-The following permissions are required in **Azure AD** to set up an evaluation or trial of Defender for Microsoft 365:
+The following permissions are required in [Azure AD](../../admin/add-users/about-admin-roles.md) to set up an evaluation or trial of Defender for Microsoft 365:
-- **Create, modify or delete an evaluation or trial**: Security Administrator or Global Administrator.-- **View evaluation policies and reports in audit mode**: Security Administrator or Security Reader.
+- *Create, modify or delete an evaluation or trial*: Membership in the **Security Administrator** or **Global Administrator** roles.
+- *View evaluation policies and reports in audit mode*: Membership in the **Security Administrator** or **Security Reader** roles.
For more information about Azure AD permissions in the Microsoft 365 Defender portal, see [Azure AD roles in the Microsoft 365 Defender portal](mdo-portal-permissions.md#azure-ad-roles-in-the-microsoft-365-defender-portal)
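Review bot: The permissions sentence under **Required permissions** still says "an evaluation or trial of Defender for Microsoft 365". The product named everywhere else in this article is Defender for Office 365, and this line was already being edited to add the Azure AD link, so fix the name in the same change. In the new audit-mode report list, the card names are punctuated inconsistently (**Email links**, **Attachments in email**, and **Spoofed senders** have a trailing colon; **Impersonation**, **Attachment links**, and **Embedded malware** don't), and "selecting from following additional values" is missing "the".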
A: See [Extend your trial](/microsoft-365/commerce/try-or-buy-microsoft-365#exte
### Q: What happens to my data after the trial expires?
-A: After your trial expires, you'll have access to your trial data (data from features in Defender for Office 365 that you didn't have previously) for 30 days. After this 30 day period, all policies and data that were associated with the Defender for Office 365 trial will be deleted.
+A: After your trial expires, yo have access to your trial data (data from features in Defender for Office 365 that you didn't have previously) for 30 days. After this 30 day period, all policies and data that were associated with the Defender for Office 365 trial are deleted.
### Q: How many times can I use the Defender for Office 365 trial in my organization?
-A: A maximum of 2 times. If your first trial expires, you need to wait at least 30 days after the expiration date before you can enroll in the Defender for Office 365 trial again. After your second trial, you can't enroll in another trial.
+A: A maximum of two times. If your first trial expires, you need to wait at least 30 days after the expiration date before you can enroll in the Defender for Office 365 trial again. After your second trial, you can't enroll in another trial.
-### Q: In audit mode, are there scenarios where Defender for Office 365 will act on messages?
+### Q: In audit mode, are there scenarios where Defender for Office 365 acts on messages?
-A: Yes. No one in any program or SKU can turn off or bypass taking action on messages that are classified as malware or high confidence phishing by the service.
-
-In audit mode, [anti-spoofing protection in EOP](anti-phishing-policies-about.md#spoof-settings) also takes action on messages. To prevent anti-spoofing protection from acting on messages, create an Exchange mail flow rule (also known as a transport rule) where inbound email bypasses all types of filtering that can be bypassed (including anti-spoofing protection). For instructions, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
+A: Yes. For the protection of the service, no one in any program or SKU can turn off or bypass taking action on messages that are classified as malware or high confidence phishing by the service.
### Q: In what order are policies evaluated? A: See [Order of precedence for preset security policies and other policies](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies).
-## Reference
-
-### Policy settings associated with Defender for Office 365 trials
+## Policy settings associated with Defender for Office 365 evaluations and trials
-#### Policies in audit mode
+### Policies in audit mode
> [!WARNING] > Do not attempt to create, modify, or remove the individual security policies that are associated with the evaluation of Defender for Office 365. The only supported method for creating the individual security policies for the evaluation is to start the evaluation or trial in audit mode in the Microsoft 365 Defender portal for the first time.
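Review bot: Typo in the new answer to "What happens to my data after the trial expires?": "yo have access" should be "you have access". Separately, the audit-mode answer drops the whole paragraph about anti-spoofing protection in EOP. Removing the advice to create a mail flow rule that bypasses filtering is reasonable, but the answer now doesn't say whether anti-spoofing protection still acts on messages in audit mode. If it does, keep that one sentence so readers don't assume that malware and high confidence phishing are the only cases.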
Write-Output -InputObject ("`r`n"*3),"Evaluation anti-phishing policy",("-"*79);
The settings are also described in the following tables.
-##### Anti-phishing evaluation policy settings
+#### Anti-phishing evaluation policy settings
|Setting|Value| ||| |Name|Evaluation Policy| |AdminDisplayName|Evaluation Policy| |AuthenticationFailAction|MoveToJmf|
+|DmarcQuarantineAction|Quarantine|
+|DmarcRejectAction|Quarantine|
|Enabled|True| |EnableFirstContactSafetyTips|False| |EnableMailboxIntelligence|True|
The settings are also described in the following tables.
|EnableViaTag|True| |ExcludedDomains|{}| |ExcludedSenders|{}|
+|HonorDmarcPolicy|False|
|ImpersonationProtectionState|Manual| |IsDefault|False| |MailboxIntelligenceProtectionAction|NoAction|
The settings are also described in the following tables.
|TargetedUserQuarantineTag|DefaultFullAccessPolicy| |TargetedUsersToProtect|{}|
-##### Safe Attachments evaluation policy settings
+#### Safe Attachments evaluation policy settings
|Setting|Value| |||
The settings are also described in the following tables.
|RedirectAddress|blank| |ScanTimeout|30|
-##### Safe Links evaluation policy settings
+#### Safe Links evaluation policy settings
|Setting|Value| |||
The settings are also described in the following tables.
|ScanUrls|True| |TrackClicks|True|
-##### Use PowerShell to configure recipient conditions and exceptions to the evaluation in audit mode
+#### Use PowerShell to configure recipient conditions and exceptions to the evaluation or trial in audit mode
A rule that's associated with the Defender for Office 365 evaluation policies controls the recipient conditions and exceptions to the evaluation.
This example configures exceptions from the evaluation for the specified securit
Set-ATPEvaluationRule -Identity "Evaluation Rule" -ExceptIfSentTo "SecOps1","SecOps2" ```
-##### Use PowerShell to turn on or turn off the evaluation in audit mode
+#### Use PowerShell to turn on or turn off the evaluation or trial in audit mode
To turn on or turn off the evaluation in audit mode, you enable or disable the rule that's associated with the evaluation. The State property value of the evaluation rule shows whether the rule is Enabled or Disabled.
Run the following command to turn on the evaluation if it's turned off:
Enable-ATPEvaluationRule -Identity "Evaluation Rule" ```
-#### Policies and rules in block mode
+### Policies in blocking mode
-[As previously described](#audit-mode-vs-blocking-mode-for-defender-for-office-365), when you choose blocking mode for your trial, policies are created using the Standard template for [preset security policies](preset-security-policies.md).
+As previously described, **blocking mode** policies are created using the Standard template for [preset security policies](preset-security-policies.md).
-To use Exchange Online PowerShell to view the individual security policies that are associated with the Standard preset security policy, and to use Exchange Online PowerShell to view and configure the recipient conditions and exceptions for the preset security policy, see [Preset security policies in Exchange Online PowerShell](preset-security-policies.md#preset-security-policies-in-exchange-online-powershell).
+To use Exchange Online PowerShell to view the individual security policies that are associated with the Standard preset security policy, and to view and configure the recipient conditions and exceptions for the preset security policy, see [Preset security policies in Exchange Online PowerShell](preset-security-policies.md#preset-security-policies-in-exchange-online-powershell).
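Review bot: "As previously described, **blocking mode** policies are created..." no longer links to the section it refers to; the old line pointed at #audit-mode-vs-blocking-mode-for-defender-for-office-365. Either restore the link or drop "As previously described". The heading rename from "Policies and rules in block mode" to "Policies in blocking mode" also changes the generated anchor, so check for inbound links to the old one.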
security Use Privileged Identity Management In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-privileged-identity-management-in-defender-for-office-365.md
In the Microsoft 365 Defender portal, create a custom role group that contains t
1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command: ```powershell
- Add-RoleGroupMember "<<Role Group Name>>" -Member "<<Azure Security Group>>"`
+ Add-RoleGroupMember "<Role Group Name>" -Member "<Azure Security Group>"`
``` ## Test your configuration of PIM with Defender for Office 365
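Review bot: The corrected Add-RoleGroupMember line still ends with a stray backtick after "<Azure Security Group>". In PowerShell a trailing backtick is the line-continuation character, so pasting this line leaves the shell waiting for more input instead of running the command. Remove the backtick along with the doubled angle brackets.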
security Walkthrough Spoof Intelligence Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md
Last updated 1/31/2023
> > Spoofed sender management in Exchange Online PowerShell or Standalone EOP PowerShell is in the process of being migrated exclusively to the related **\*-TenantAllowBlockListSpoofItems**, **Get-SpoofIntelligenceInsight**, and **Get-SpoofMailReport** cmdlets. For procedures using these cmdlets, see the following articles: >
-> - [Use PowerShell to view existing allow or block entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-view-existing-allow-or-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list)
+> - [Use PowerShell to view entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list)
> - [Use PowerShell to create allow entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) > - [Use PowerShell to create block entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list)
-> - [Use PowerShell to modify existing allow or block entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-modify-existing-allow-or-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list)
-> - [Use PowerShell to remove existing allow or block entries for spoofed senders from the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-remove-existing-allow-or-block-entries-for-spoofed-senders-from-the-tenant-allowblock-list)
+> - [Use PowerShell to modify entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-modify-entries-for-spoofed-senders-in-the-tenant-allowblock-list)
+> - [Use PowerShell to remove entries for spoofed senders from the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-remove-entries-for-spoofed-senders-from-the-tenant-allowblock-list)
> > The older spoofed sender management experience using the **Get-PhishFilterPolicy** and **Set-PhishFilterPolicy** cmdlets is in the process of being deprecated, but is still presented in this article for completeness until the cmdlets are removed everywhere.
syntex Accessibility Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/accessibility-mode.md
Previously updated : 01/21/2021 Last updated : 01/21/2023 audience: admin
As you navigate through the sample documents and label string values, Narrator w
After a string is labeled or a label has been removed in the viewer, Narrator audio will warn you to save your changes before you exit.
-## See also
-
-[Create an extractor](create-an-extractor.md)
-
-[Create a classifier](create-a-classifier.md)
----------
-
--
-
-
syntex Apply A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/apply-a-model.md
Previously updated : 07/01/2022 Last updated : 10/01/2022 audience: admin
To run the flow:
![Screenshot showing the Create a flow panel and flow option highlighted.](../media/content-understanding/integrate-create-flow.png)
-## See also
-[Share an enterprise model](model-discovery.md)
-
-[Discover other trained models](discover-other-trained-models.md)
-
-[Choose the view in a document library](choose-library-view.md)
syntex Apply A Retention Label To A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/apply-a-retention-label-to-a-model.md
Previously updated : 07/01/2022 Last updated : 10/01/2022 audience: admin
You can add a retention label to an existing structured document processing mode
> [!NOTE] > You must be the model owner for the model settings pane to be editable.
-## See also
-[Apply a sensitivity label to a model in Microsoft Syntex](create-a-classifier.md)
syntex Apply A Sensitivity Label To A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/apply-a-sensitivity-label-to-a-model.md
Previously updated : 04/21/2022 Last updated : 10/21/2022 audience: admin
On your model's view page in your document library, a new **Sensitivity label**
For example, all financial documents that your model identifies also will have the *Encryption* sensitivity label applied to them, preventing them from being accessed by unauthorized people. If an attempt is made to access the file from the document library by an unauthorized person, an error will display saying it isn't allowed because of the applied sensitivity label.
-## See also
-[Apply a retention label](apply-a-retention-label-to-a-model.md)
syntex Content Assembly Conditional Sections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-assembly-conditional-sections.md
Title: Create conditional sections for templates in Microsoft Syntex
+ Title: Create conditional sections for a modern template in Microsoft Syntex
ms.localizationpriority: medium
description: Learn how to create conditional sections for templates in Microsoft Syntex.
-# Create conditional sections for templates in Microsoft Syntex
+# Create conditional sections for a modern template in Microsoft Syntex
When you create a modern template, you can specify which parts of a document will be included and under what conditions. This lets you control which sections of the template will be included when you generate a document.
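Review bot: The title and H1 now say "a modern template", but the description metadata line still reads "Learn how to create conditional sections for templates in Microsoft Syntex." Update the description to match the new title.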
syntex Content Processing Create Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-processing-create-rules.md
In the document library, in the upper-right corner of the page, select the detai
> [!NOTE] > Currently, the activity feed shows only move activity. Copy activity will be available in a future release.
-## See also
-
-[Overview of content processing](content-processing-overview.md)
syntex Create A Content Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/create-a-content-center.md
The **Models** library in the default content center view groups the created mod
> [!NOTE] > You can't change the designated default content center. It's always the first content center created during setup.
-## See also
-
-[Overview of model types](model-types-overview.md)
syntex Difference Between Document Understanding And Form Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/difference-between-document-understanding-and-form-processing-model.md
Use the following table to see differences in custom models to help identify the
| Capacity | No capacity restrictions. | Uses the default Power Platform environment (custom environments with Dataverse database supported). | Uses the default Power Platform environment (custom environments with Dataverse database supported). | | Supported languages| Models work on all Latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese. | Current language support is for English. | Language support for [more than 100 languages](/ai-builder/form-processing-model-requirements#languages-supported). |
-## See also
-[Training: Improve business performance with AI Builder](/training/paths/improve-business-performance-ai-builder/?source=learn)
syntex Discover Other Trained Models https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/discover-other-trained-models.md
To remove an applied model from your document library:
2. On the model you want to remove, select **View model details**, and then select **Remove from library**.
-<!
-## Change the view in a document library
-
->
-
-## See also
-
-[Share an enterprise model](model-discovery.md)
-
-[Choose the view in a document library](choose-library-view.md)
syntex Document Understanding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/document-understanding-overview.md
description: Learn about the unstructured document processing model in Microsoft
> [!NOTE] > *Unstructured document processing* was known as *document understanding* in previous releases.
-Use the unstructured document processing model ([teaching method](create-syntex-model.md#train-a-custom-model)) to automatically classify files and extract information. It works best for unstructured documents, such as letters or contracts.
-
-The unstructured document processing model (formerly known as *document understanding model*) uses artificial intelligence (AI) to process documents. These documents must have text that can be identified based on phrases or patterns. The identified text designates both the type of file it is (its classification) and what you'd like to extract (its extractors).
- </br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4CSu7] </br>
+Use the unstructured document processing model ([teaching method](create-syntex-model.md#train-a-custom-model)) to automatically classify files and extract information. It works best for unstructured documents, such as letters or contracts.
+
+The unstructured document processing model (formerly known as *document understanding model*) uses artificial intelligence (AI) to process documents. These documents must have text that can be identified based on phrases or patterns. The identified text designates both the type of file it is (its classification) and what you'd like to extract (its extractors).
+ > [!NOTE] > For more information about how to use Syntex and scenario examples, see [Get started driving adoption of Microsoft Syntex](./adoption-getstarted.md) and [Scenarios and use cases for Microsoft Syntex](./adoption-scenarios.md).
After publishing your model, use the content center to apply it to any SharePoin
For information about requirements to consider when choosing this model, see [Requirements and limitations for models in Microsoft Syntex](requirements-and-limitations.md#unstructured-document-processing).
-## See also
-[Compare custom models](difference-between-document-understanding-and-form-processing-model.md)
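Review bot: In the intro block, the two paragraphs beginning "Use the unstructured document processing model" and "The unstructured document processing model (formerly known as" are removed and re-added word for word, and the `[!VIDEO ...]` embed shows up only on the removed side as rendered here. Confirm that the video is meant to be dropped rather than moved. If it is only a reorder, the commit message should say so, because the diff reads as a content removal.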
syntex Duplicate A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/duplicate-a-model.md
audience: admin Previously updated : 03/18/2022 Last updated : 10/18/2022 search.appverid:
Follow these steps to duplicate an unstructured document processingmodel.
5. Select **Duplicate**.
-## See also
-
-[Rename a model](rename-a-model.md)
-
-[Syntex accessibility mode](accessibility-mode.md)
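Review bot: The context line "Follow these steps to duplicate an unstructured document processingmodel." is missing a space in "processingmodel", and this change leaves it in place. Since the file is already being touched to drop the See also section, fix it here as "processing model".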
syntex Form Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/form-processing-overview.md
If you need it enabled on your document library, contact your Microsoft 365 admi
For information about requirements to consider when choosing this model, see [Requirements and limitations for models in Microsoft Syntex](requirements-and-limitations.md#structured-document-processing).
-## See also
-[Compare custom models](difference-between-document-understanding-and-form-processing-model.md)
-
-[Train a structured document processing model](create-a-form-processing-model.md)
-
-[Power Automate documentation](/power-automate/)
-
-[Training: Improve business performance with AI Builder](/training/paths/improve-business-performance-ai-builder/?source=learn)
syntex Freeform Document Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/freeform-document-processing-overview.md
If you need it enabled on your document library, contact your Microsoft 365 admi
For information about requirements to consider when choosing this model, see [Requirements and limitations for models in Microsoft Syntex](requirements-and-limitations.md#freeform-document-processing).
-## See also
-
-[Compare custom models](difference-between-document-understanding-and-form-processing-model.md)
-
-[Train a freeform document processing model](train-freeform-document-processing-model.md)
syntex Learn About Document Understanding Models Through The Sample Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/learn-about-document-understanding-models-through-the-sample-model.md
Not only can you look through analyze the sample model to get a better understan
## Get sample models You can access the [Syntex Samples repository](https://github.com/pnp/syntex-samples), which contains community samples that demonstrate different usage patterns of unstructured document processing models. The samples in this repository contain both the model files and the files used to train the model. Once imported, you can use these models to process files and to view and edit the classifier and extractors.-
-## See also
-
-[Overview of unstructured document processing](document-understanding-overview.md)
-
-[Create a classifier](create-a-classifier.md)
-
-[Create an extractor](create-an-extractor.md)
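Review bot: The opening context line reads "Not only can you look through analyze the sample model", which has two verbs run together, and the change does not touch it. Pick one ("look through" or "analyze") or join them with "and" while the file is being edited.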
syntex Model Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/model-discovery.md
To make your trained model available for others to use:
4. Select the sites where you want the model to be available for other users to apply, and then select **Save**.
-## See also
-[Discover other trained models](discover-other-trained-models.md)
syntex Model Types Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/model-types-overview.md
The prebuilt receipt processing model analyzes and extracts key information from
For more information about prebuilt receipt processing models, see [Use a prebuilt model to extract information from receipts](prebuilt-model-receipt.md).
-## See also
-
-[Compare custom models in Microsoft Syntex](./difference-between-document-understanding-and-form-processing-model.md)
-
-[Training: Improve business performance with AI Builder](/learn/paths/improve-business-performance-ai-builder/?source=learn)
syntex Prebuilt Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/prebuilt-overview.md
Additional prebuilt models will be available in future releases.
For information about requirements to consider when choosing this model, see [Requirements and limitations for models in Microsoft Syntex](requirements-and-limitations.md).
-## See also
-[Use a prebuilt model to extract information from contracts](prebuilt-model-contract.md)
-
-[Use a prebuilt model to extract information from invoices](prebuilt-model-invoice.md)
-
-[Use a prebuilt model to extract information from receipts](prebuilt-model-receipt.md)
syntex Rename A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/rename-a-model.md
audience: admin Previously updated : 03/18/2022 Last updated : 10/18/2022 search.appverid:
Follow these steps to rename a model.
5. Select **Rename**.
-## See also
-[Delete a model](delete-a-model.md)
syntex Rename An Extractor https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/rename-an-extractor.md
audience: admin Previously updated : 03/18/2022 Last updated : 10/18/2022 search.appverid:
Follow these steps to rename an entity extractor.
5. Select **Rename**.
-## See also
-[Create an extractor](create-an-extractor.md)
syntex Train Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/train-model.md
Previously updated : 10/14/2022 Last updated : 06/06/2023 audience: admin
description: Learn how to train custom models in Microsoft Syntex.
The method to train your model depends on the type of custom model you're using.
+## Training methods
+ |Model type |Use the steps in this article to train | |||| |**Unstructured document processing**<br>[:::image type="content" source="../medi) | |**Freeform document processing**<br>[:::image type="content" source="../medi) | |**Structured document processing**[:::image type="content" source="../medi) |
-## See also
-[Overview of model types in Microsoft Syntex](model-types-overview.md)