+1. Access the [Defender Threat Intelligence Portal](https://ti.defender.microsoft.com/).

+The Microsoft 365 Reports dashboard shows you an activity overview across the products in your organization. It enables you to drill into individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).

+The **Microsoft Browser Usage report** in the Microsoft 365 Admin Center lets you see if users access Microsoft 365 online services via Microsoft Edge. This report insight can help you migrate your organization to Microsoft Edge. Usage reporting is based on an aggregate count of users in your organization that sign in to their Microsoft 365 account and use the Microsoft Edge browser to access Microsoft 365 services.

+The report is internal to your organization with permissions limited to IT admins with existing access to the activity reports on the usage dashboard in the Microsoft 365 Admin Center.

+> [!NOTE]

+> Aggregate Microsoft browser usage and user level reporting is available. User level identification can be [removed per your organizationΓÇÖs policies](activity-reports.md#show-user-details-in-the-reports) and [role based access controls](../../admin/add-users/assign-admin-roles.md) can be used to adjust report access.

+We're continuously adding new features to [the Microsoft 365 admin center](admin-overview/admin-center-overview.md), fixing issues we learn about, and making changes based on your feedback. Some features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, [try adding yourself to targeted release](manage/release-options-in-office-365.md).

+Note that some custom sensitive information types are also supported for DLP policy tips in addition to the above out-of-the-box sensitive information types.

+> [!NOTE]

+> Not all elements of custom sensitive information types are compatible with every version of Office. Entity elements for Custom SITs, such as Functions, may cause incompatibility.

+|copy to other app |Detects when a user attempts to copy information from a protected item and then paste it into another app, process or item. It also detects when a user copies and pastes content among files within the same app, process or item for Word, Excel, and PowerPoint.|supported|supported | auditable and restrictable|

+Endpoint DLP supports monitoring of these file types through policy:

+DLP audits the activities for these file types, even if there isn't a policy match:

+- Word files

+- PowerPoint files

+- Excel files

+- PDF files

+> We have already disabled TLS 1.0 and 1.1 for most Microsoft 365 services in the world wide environment. Rollout will continue over the following weeks and months.

+For Microsoft 365 operated by 21 Vianet, TLS 1.0/1.1 will be disabled on June 30, 2023.

+The following regional geographies can store data at rest. The locations where customer data may be stored can change.

+| Regional Geographies | Locations where customer data may be stored |

+| Regional Geography 1 ΓÇô EMEA (Europe, Middle East and Africa) | Austria, Finland, France, Ireland, Netherlands, Sweden |

+| Regional Geography 2 ΓÇô Asia Pacific | Hong Kong, Japan, Malaysia, Singapore, South Korea |

+| Regional Geography 3 - Americas | Brazil, Chile, United States |

+| Qatar | Doha |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Exchange Online | Qatar* |

+| OneDrive for Business | Qatar* |

+| SharePoint Online | Qatar* |

+| Exchange Online Protection | Qatar* |

+| Microsoft Defender for Office P1 | Qatar* |

+| Microsoft Teams | Qatar* |

+| Office for the Web | Qatar* |

+| Office for Mobile | Qatar* |

+| OneNote Services | Qatar* |

+| Stream | Qatar* |

+| Whiteboard | Qatar* |

+| Viva Connections | Qatar* |

+| Viva Insights - Personal Insights | Qatar* |

+| Viva Topics | Qatar* |

+| Azure Active Directory | European Union |

+| Dataverse for Teams | European Union |

+| Intune | European Union |

+| Planner | European Union |

+| Power Automate Desktop | European Union |

+| Power Virtual Agent for Teams | European Union |

+| Viva Insights - Mgr / Leader / Advanced | European Union |

+| Viva learning | European Union |

+| Yammer | European Union |

+| Forms | United States |

+*Every service that stores customer data at rest in Exchange Online, SharePoint Online or OneDrive for Business, or is deployed locally.

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+| Forms | United States |

+###### [Schedule antivirus scan in Defender for Endpoint on Linux](schedule-antivirus-scan-in-mde.md)

+#### [Tamper protection]()

+##### [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)

+##### [Manage tamper protection using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md)

+##### [Manage tamper protection using Microsoft Endpoint Manager](manage-tamper-protection-microsoft-endpoint-manager.md)

+##### [Manage tamper protection with Configuration Manager](manage-tamper-protection-configuration-manager.md)

+##### [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md)

+##### [FAQs on tamper protection](faqs-tamper-protection.md)

+## Investigation states

+The following table lists investigation states and what they indicate.

+|Investigation state |Definition |

+|||

+|Benign | Artifacts were investigated and a determination was made that no threats were found.|

+|PendingResource | An automated investigation is paused because either a remediation action is pending approval, or the device on which an artifact was found is temporarily unavailable.|

+|UnsupportedAlertType | An automated investigation is not available for this type of alert. Further investigation can be done manually, by using advanced hunting. |

+|Failed | At least one investigation analyzer ran into a problem where it couldn't complete the investigation. If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded.|

+|Successfully remediated| An automated investigation completed, and all remediation actions were completed or approved.|

+To provide more context about how investigation states show up, the following table lists alerts and their corresponding automated investigation state. This table is included as an example of what a security operations team might see in the Microsoft 365 Defender portal.

+|Alert name | Severity | Investigation state | Status | Category |

+|--|-||--|-|

+|Malware was detected in a wim disk image file|Informational|Benign|Resolved|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|UnsupportedAlertType|New|Malware|

+|Malware was detected in a rar archive file|Informational|UnsupportedAlertType|New|Malware|

+|Malware was detected in a rar archive file|Informational|UnsupportedAlertType|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Wpakill hacktool was prevented|Low|Failed|New|Malware|

+|GendowsBatch hacktool was prevented|Low|Failed|New|Malware|

+|Keygen hacktool was prevented|Low|Failed|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in an iso disc image file|Informational|PendingResource|New|Malware|

+|Malware was detected in an iso disc image file|Informational|PendingResource|New|Malware|

+|Malware was detected in a pst outlook data file|Informational|UnsupportedAlertType|New|Malware|

+|Malware was detected in a pst outlook data file|Informational|UnsupportedAlertType|New|Malware|

+|MediaGet detected|Medium|PartiallyInvestigated|New|Malware|

+|TrojanEmailFile|Medium|SuccessfullyRemediated|Resolved|Malware|

+|CustomEnterpriseBlock malware was prevented|Informational|SuccessfullyRemediated|Resolved|Malware|

+|An active CustomEnterpriseBlock malware was blocked|Low|SuccessfullyRemediated|Resolved|Malware|

+|An active CustomEnterpriseBlock malware was blocked|Low|SuccessfullyRemediated|Resolved|Malware|

+|An active CustomEnterpriseBlock malware was blocked|Low|SuccessfullyRemediated|Resolved|Malware|

+|TrojanEmailFile|Medium|Benign|Resolved|Malware|

+|CustomEnterpriseBlock malware was prevented|Informational|UnsupportedAlertType|New|Malware|

+|CustomEnterpriseBlock malware was prevented|Informational|SuccessfullyRemediated|Resolved|Malware|

+|TrojanEmailFile|Medium|SuccessfullyRemediated|Resolved|Malware|

+|TrojanEmailFile|Medium|Benign|Resolved|Malware|

+|An active CustomEnterpriseBlock malware was blocked|Low|PendingResource|New|Malware|

+[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus(MDAV) is not the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. EDR in block mode allows Microsoft Defender Antivirus to take actions on post-breach, behavioral EDR detections. See the section, [Do I need to turn on EDR in block mode if I have Microsoft Defender Antivirus?](#do-i-need-to-turn-edr-in-block-mode-on-if-i-have-microsoft-defender-antivirus-running-on-devices) in the **Frequently asked questions** section.

+> EDR in block mode does not provide all the protection that is available when Microsoft Defender Antivirus real-time protection is enabled. Some capabilities that depend on Microsoft Defender Antivirus to be the active antivirus solution will not work, such as the following examples:

+> It is expected that your non-Microsoft antivirus solution includes these capabilities.

+EDR in block mode is integrated with [threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) capabilities. Your organization's security team will get a [security recommendation](tvm-security-recommendation.md) to turn EDR in block mode on if it isn't already enabled. This recommendation is primarily for devices using an active non-Microsoft antivirus solution (with Microsoft Defender Antivirus in passive mode). There is little benefit to enabling EDR in block mode when Microsoft Defender Antivirus is the primary antivirus solution on devices.

+Watch this video to learn why and how to turn on endpoint detection and response (EDR) in block mode, enable behavioral blocking, and containment at every stage from pre-breach to post-breach.

+When EDR in block mode is turned on, and a malicious artifact is detected, Defender for Endpoint remediates that artifact. Your security operations team will see detection status as **Blocked** or **Prevented** in the [Action center](respond-machine-alerts.md#check-activity-details-in-action-center), listed as completed actions. The following image shows an instance of unwanted software that was detected and remediated through EDR in block mode:

+> Starting with platform version 4.18.2202.X, you can now set EDR in block mode to target specific device groups using Intune CSPs. You can continue to set EDR in block mode tenant-wide in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. EDR in block mode is primarily recommended for devices that are running Microsoft Defender Antivirus in passive mode (a non-Microsoft antivirus solution is installed and active on the device).

+### Security Portal

+1. Choose **Settings** \> **Endpoints** \> **General** \> **Advanced features**.

+1. Scroll down, and then turn on **Enable EDR in block mode**.

+|Operating system|Devices must be running one of the following versions of Windows: <ul><li>Windows 11</li><li>Windows 10 (all releases)</li><li>Windows Server 2019 or later</li><li>Windows Server, version 1803 or later</li><li>Windows Server 2016 and Windows Server 2012 R2 \(with the [new unified client solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution)\)</li></ul>|

+|Command Prompt|<ol><li>Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results.</li><li>Type `sc query windefend`.</li><li>In the list of results, in the **STATE** row, confirm that the service is running.</li></ol>|

+- Windows Server, version 1803 or newer

+- Windows Server 2019

+> Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md) for this feature to work.

+ Title: Frequently asked questions on tamper protection

+description: Frequently asked questions on configuring tamper protection.

+keywords: malware, defender, antivirus, tamper protection

+ms.pagetype: security

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.localizationpriority: medium

+audience: ITPro

+- nextgen

+- admindeeplinkDEFENDER

+ms.technology: mde

+- M365-security-compliance

+- m365initiative-defender-endpoint

+# Frequently asked questions on tamper protection

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender Antivirus

+**Platforms**

+- Windows

+## On which versions of Windows can I configure 'tamper protection'?

+- Windows 11

+- Windows 11 Enterprise multi-session

+- Windows 10 OS [1709](/lifecycle/announcements/revised-end-of-service-windows-10-1709), [1803](/lifecycle/announcements/windows-server-1803-end-of-servicing), [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint).

+- Windows 10 Enterprise multi-session

+

+If you're using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](/mem/configmgr/tenant-attach/deploy-antivirus-policy).

+## Will tamper protection affect non-Microsoft antivirus registration in the Windows Security app?

+No. Non-Microsoft antivirus offerings will continue to register with the Windows Security application.

+## What happens if Microsoft Defender Antivirus isn't active on a device?

+Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. In these cases, tamper protection will continue to protect the service and its features.

+## How do I turn tamper protection on or off?

+If you're a home user, see [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md).

+If you're an organization using [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint), you should be able to manage 'tamper protection' in Intune similar to how you manage other endpoint protection features. See the following sections of this article:

+- [Manage tamper protection using Microsoft Endpoint Manager](manage-tamper-protection-microsoft-endpoint-manager.md)

+- [Manage tamper protection using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md)

+## How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy?

+If you're currently using Intune to configure and manage 'tamper protection', you should continue using Intune.

+Group policy doesn't apply to tamper protection. Changes made to Microsoft Defender Antivirus settings using Group Policy are ignored when tamper protection is turned on, or when tamper protection is configured with Intune.

+## If we use Microsoft Intune to configure 'tamper protection', does it apply only to the entire organization?

+You have flexibility in configuring tamper protection with Intune. You can target your entire organization, or select specific devices and user groups.

+## Can I configure tamper protection with Microsoft Endpoint Configuration Manager?

+If you're using tenant attach, you can use Microsoft Endpoint Configuration Manager. See the following resources:

+- [Manage tamper protection using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md)

+- [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)

+## I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?

+Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint).

+## I'm an enterprise customer. Can local admins change tamper protection on their devices?

+No. Local admins can't change or modify 'tamper protection' settings.

+## What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?

+If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.

+## If the status of tamper protection changes, are alerts shown in the Microsoft 365 Defender portal?

+Yes. The alert is shown in [https://security.microsoft.com](https://security.microsoft.com) under **Alerts**.

+Your security operations team can also use hunting queries, such as the following example:

+`AlertInfo|where Title == "Tamper Protection bypass"`

+> [!TIP]

+> If you're looking for Antivirus related information for other platforms, see:

+> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

+> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

+> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

+> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+> - [Configure Defender for Endpoint on Android features](android-configure.md)

+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+|Configuration|Turn on/off data_loss_prevention|`mdatp config data_loss_prevention --value [enabled/disabled]`|

+<details>

+ <summary>Aug-2022 (Build: 101.78.13 | Release version: 20.122072.17813.0)</summary>

+&ensp;Build: **101.78.13**<br/>

+&ensp;Release version: **20.122072.17813.0**<br/>

+&ensp;Engine version: **1.1.19500.2**<br/>

+&ensp;Signature version: **1.373.556.0**<br/>

+**What's new**

+- Fix for uninstaller to properly delete Application Support folder

+- Fix for Network Protection not filtering Safari when Firewall or iCloud Private Relay is on

+- Fix for osqueryui zombie processes

+- Fix for UI crash on Ventura

+- Fix for definitions not getting downloaded right after install

+- Other bug fixes

+<br/>

+</details>

+</details>

+ Title: Manage tamper protection using tenant attach with Configuration Manager, version 2006

+description: Turn tamper protection on or off using tenant attach with Configuration Manager.

+keywords: malware, defender, antivirus, tamper protection, Configuration Manager

+ms.pagetype: security

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.localizationpriority: medium

+audience: ITPro

+- nextgen

+- admindeeplinkDEFENDER

+ms.technology: mde

+- M365-security-compliance

+- m365initiative-defender-endpoint

+# Manage tamper protection using tenant attach with Configuration Manager, version 2006

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender Antivirus

+**Platforms**

+- Windows

+If you're using [version 2006 of Configuration Manager](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver endpoint security configuration policies to on-premises collections & devices.

+> [!NOTE]

+> The procedure can be used to extend tamper protection to devices running Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2019, and Windows Server 2022. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. For Windows Server 2012 R2 running the modern, unified solution [version 2203 of Configuration Manager](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2203) is required.

+1. Set up tenant attach. To learn more, see [Get started: Create and deploy endpoint security policies from the admin center](/mem/configmgr/tenant-attach/endpoint-security-get-started).

+2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** \> **Antivirus**, and then choose **+ Create Policy**.

+ - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server (ConfigMgr)**.

+ - In the **Profile** list, select **Windows Security experience (preview)**.

+3. Deploy the policy to your device collection.

+## Need help with this method?

+See the following resources:

+- [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings)

+- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)

+> [!TIP]

+> If you're looking for Antivirus related information for other platforms, see:

+> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

+> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

+> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

+> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+> - [Configure Defender for Endpoint on Android features](android-configure.md)

+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+ Title: Manage tamper protection on an individual device

+description: Turn tamper protection on or off for an individual device.

+keywords: malware, defender, antivirus, tamper protection

+ms.pagetype: security

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.localizationpriority: medium

+audience: ITPro

+- nextgen

+- admindeeplinkDEFENDER

+ms.technology: mde

+- M365-security-compliance

+- m365initiative-defender-endpoint

+# Manage tamper protection on an individual device

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender Antivirus

+**Platforms**

+- Windows

+> [!NOTE]

+> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.

+> To help ensure that tamper protection doesn't interfere with non-Microsoft security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)

+> After you've made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.

+If you're a home user, or you aren't subject to settings managed by a security team, you can use the Windows Security app to manage 'tamper protection'. You must have appropriate admin permissions on your device to do change security settings, such as tamper protection.

+Here's what you see in the Windows Security app:

+1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**.

+2. Select **Virus & threat protection** \> **Virus & threat protection settings**.

+3. Set **Tamper Protection** to **On** or **Off**.

+> [!TIP]

+> If you're looking for Antivirus related information for other platforms, see:

+> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

+> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

+> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

+> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+> - [Configure Defender for Endpoint on Android features](android-configure.md)

+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+ Title: Manage tamper protection for your organization using Microsoft 365 Defender

+description: Turn tamper protection on or off for your tenant using the Microsoft 365 Defender portal.

+keywords: malware, defender, antivirus, tamper protection, Microsoft 365 Defender

+ms.pagetype: security

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.localizationpriority: medium

+audience: ITPro

+- nextgen

+- admindeeplinkDEFENDER

+ms.technology: mde

+- M365-security-compliance

+- m365initiative-defender-endpoint

+# Manage tamper protection for your organization using Microsoft 365 Defender portal

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender Antivirus

+**Platforms**

+- Windows

+Tamper protection can be turned on or off for your tenant using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Here are a few points to keep in mind:

+- Currently, the option to manage 'tamper protection' in the Microsoft 365 Defender portal is on by default for new deployments. For existing deployments, 'tamper protection' is available on an opt-in basis. To opt in, in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, choose **Settings** \> **Endpoints** \> **Advanced features** \> **Tamper protection**.

+- When you use the Microsoft 365 Defender portal to manage 'tamper protection', you do not have to use Intune or the tenant attach method.

+- When you manage 'tamper protection' in the Microsoft 365 Defender portal, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 or Windows Server 2022. To fine-tune 'tamper protection' (such as having tamper protection on for some devices but off for others), use either [Manage tamper protection for your organization using Microsoft Endpoint Manager](manage-tamper-protection-microsoft-endpoint-manager.md) or [Manage tamper protection using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md).

+- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft 365 Defender portal.

+## Requirements for managing tamper protection in the Microsoft 365 Defender portal

+- You must have appropriate [permissions](/microsoft-365/security/defender-endpoint/assign-portal-access) assigned, such as global admin, security admin, or security operations.

+- Your Windows devices must be running one of the following versions of Windows:

+

+ - Windows 11

+ - Windows 11 Enterprise multi-session

+ - Windows 10

+ - Windows 10 Enterprise multi-session

+ - Windows Server 2022

+ - Windows Server 2019

+ - Windows Server, version 1803 or later

+ - Windows Server 2016

+ - Windows Server 2012 R2

+For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).

+- Your devices must be [onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboarding).

+- Your devices must be using anti-malware platform version `4.18.2010.7` (or above) and anti-malware engine version `1.1.17600.5` (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)

+- [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be turned on.

+> [!NOTE]

+> When tamper protection is enabled via the Microsoft 365 Defender portal, cloud-delivered protection is required, so that the enabled state of tamper protection can be controlled.

+> Starting with the November 2021 update (platform version `4.18.2111.5`), if cloud-delivered protection is not turned on for a device and tamper protection is turned on in the Microsoft 365 Defender portal, then cloud-delivered protection will be automatically turned on for that device along with tamper protection.

+## Turn tamper protection on (or off) in the Microsoft 365 Defender portal

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Choose **Settings** \> **Endpoints**.

+3. Go to **General** \> **Advanced features**, and then turn tamper protection on.

+> [!TIP]

+> If you're looking for Antivirus related information for other platforms, see:

+> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

+> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

+> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

+> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+> - [Configure Defender for Endpoint on Android features](android-configure.md)

+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+ Title: Manage tamper protection for your organization using Microsoft Endpoint Manager

+description: Turn tamper protection on or off for your organization in Microsoft Endpoint Manager.

+keywords: malware, defender, antivirus, tamper protection, Microsoft Endpoint Manager

+ms.pagetype: security

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.localizationpriority: medium

+audience: ITPro

+- nextgen

+- admindeeplinkDEFENDER

+ms.technology: mde

+- M365-security-compliance

+- m365initiative-defender-endpoint

+# Manage tamper protection for your organization using Microsoft Endpoint Manager

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender Antivirus

+**Platforms**

+- Windows

+If your organization uses Microsoft Endpoint Manager (MEM) you can turn tamper protection on (or off) for your organization in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). Use Intune when you want to fine-tune tamper protection settings. For example, if you want to enable tamper protection on some devices, but not all, use Intune.

+## Requirements for managing tamper protection in Endpoint Manager

+- You must have appropriate [permissions](/microsoft-365/security/defender-endpoint/assign-portal-access) assigned, such as global admin, security admin, or security operations.

+- Your organization uses [Microsoft Endpoint Manager to manage devices](/mem/endpoint-manager-getting-started). (Microsoft Endpoint Manager (MEM) licenses are required; MEM is included in Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5, Microsoft 365 Business Premium, Microsoft 365 F1/F3, Microsoft 365 Government G3/G5, and corresponding education licenses.)

+- Your Windows devices must be running Windows 11 or Windows 10 [1709](/lifecycle/announcements/revised-end-of-service-windows-10-1709), [1803](/lifecycle/announcements/windows-server-1803-end-of-servicing), [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later. (For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).)

+- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).

+- Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version `1.1.15500.X` (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)

+## Turn tamper protection on (or off) in Microsoft Endpoint Manager

+1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** \> **Antivirus**, and then choose **+ Create Policy**.

+ - In the **Platform** list, select **Windows 10 and later**.

+ - In the **Profile** list, select **Windows Security experience**.

+2. Create a profile that includes the following setting:

+ - **Enable tamper protection to prevent Microsoft Defender being disabled: Enable**

+3. Assign the profile to one or more groups.

+> [!TIP]

+> If you're looking for Antivirus related information for other platforms, see:

+> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

+> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

+> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

+> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+> - [Configure Defender for Endpoint on Android features](android-configure.md)

+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+ - Red Hat Enterprise Linux 9.x

+- [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint)

+- [Connect your non-Azure machines to Microsoft Defender for Cloud](/azure/defender-for-cloud/quickstart-onboard-machines)

+- [Turn on network protection for Linux](network-protection-linux.md)

+- [Turn on Network protection for macOS](network-protection-macos.md)

+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+mdatp health --field release_ring

+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+For information about Network protection for Linux and macOS see: [Network protection for Linux](network-protection-linux.md) and [Network protection for MacOS](network-protection-macos.md).

+educateUrl|String|Custom notification/support URL. Supported for Block and Warn action types for URL indicators. **Optional**

+|Manage tamper protection across your tenant <p> Use the Microsoft 365 Defender portal to turn tamper protection on or off|[Manage tamper protection for your organization using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md)|

+|Fine-tune tamper protection settings in your organization <p> Use Intune (Microsoft Endpoint Manager) to turn tamper protection on or off. You can configure tamper protection for some or all users with this method.|[Manage tamper protection for your organization using Microsoft Endpoint Manager](manage-tamper-protection-microsoft-endpoint-manager.md)|

+|Turn tamper protection on (or off) for your organization with Configuration Manager|[Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md)|

+|Turn tamper protection on (or off) for an individual device|[Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md)|

+|Review the list of frequently asked questions (FAQs)|[Browse the FAQs](faqs-tamper-protection.md)|

+Depending on the method or management tool you use to enable tamper protection, there might be a dependency on [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md). Cloud-delivered protection is also referred to as cloud protection, or Microsoft Advanced Protection Service (MAPS).

+If you're using Windows Server 2012 R2 using the modern unified solution, Windows Server 2016, Windows 10 version 1709, 1803, or [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.

+On Windows Server 2016, the Settings app won't accurately reflect the status of real-time protection when tamper protection is enabled.

+### Use PowerShell to determine whether tamper protection and real-time protection are turned on

+ Title: How to schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux

+description: Learn how to schedule an antivirus scan in Microsoft Defender for Endpoint on Linux for better protection of your organization's assets.

+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, scans, antivirus, microsoft defender for endpoint on linux

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mde

+# Schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+To run a scan of Microsoft Defender Antivirus for Linux, see [Supported Commands](/microsoft-365/security/defender-endpoint/linux-resources#supported-commands).

+> [!NOTE]

+> This article supports Microsoft Defender for Endpoint on Linux for Red Hat Enterprise Linux distributions (RHEL).

+## System requirements

+See the following system requirements needed to schedule Microsoft Defender Antivirus scan in Microsoft Defender Endpoint on Linux.

+- Linux server distributions and versions: Red Hat Enterprise Linux 7.2 or higher.

+- The **FANOTIFY** option in kernel must be enabled.

+## Scheduling Microsoft Defender Antivirus scan in Red Hat Linux

+You can schedule cron jobs to initiate Microsoft Defender Antivirus scans on a schedule. For more information, see [How to schedule scans with Microsoft Defender for Endpoint on Linux](linux-schedule-scan-mde.md). This process works well if the device is always up and running.

+But if the Linux devices are shut down or offline during the cron schedule, the scan won't run. In these situations, you can use **anacron** to read the timestamp and find the last executed job. If the device was shut down during the scheduled cron job, it needs to wait until the next scheduled time. By using **anacron**, the system will detect the last time the scan was run. If the device didn't run the cron job, it will automatically start it.

+### Schedule Microsoft Defender Antivirus scans in Red Hat Linux

+Use the following steps to schedule scans:

+1. Connect to the RedHat server using Putty.

+1. Edit the anacron file:

+ ```vi /etc/anacron```

+ :::image type="content" source="images/vi_etc_anacron.png" alt-text="anacron file":::

+ ```

+ # /etc/anacrontab: configuration file for anacron

+ # See anacron (8) and anacrontab (5) for details.

+ SHELL=/bin/sh

+ PATH=/sbin:/bin:/usr/sbin:/usr/bin

+ RANDOM_DELAY=45

+ # Anacron jobs will start between 8pm and 11pm.

+ START_HOURS_RANGE=2-023

+ # delay will be 5 minutes + RANDOM_DELAY for cron.daily

+ ```

+1. Note the following items in the file.

+ 1. **Shell:** Shell is referred as ```/bin/sh```, and not as ```/bin/bash```. Remember when writing the jobs.

+ 1. **RANDOM_DELAY:** Describes the maximum time in minutes for the job. This value is used to offset the jobs so there wouldn't be too many jobs running at the same time. Using this delay is ideal for VDI solutions.

+ 1. **START_HOURS_RANGE:** Describes the time range to run the job.

+ 1. **cron.daily:** Describes 1 as the period of days required for the frequency of job executions. 5 is the delay in minutes that anacron waits after the device restarts.

+1. Review look at the anacron jobs:

+ ```ls -lh /etc/cron*```

+ :::image type="content" source="images/ls_lh_etc_cron.png" alt-text="anacron jobs":::

+ ```

+ [root@enaredhat7 /] # 1s -1h /etc/cron*

+ - rw

+ - rw - r

+ /etc/cron.d:

+ total 28k

+ - rw - r

+ - rw - r

+ - rw - r

+ - rw - r

+ - rw - r

+ - rw - r

+ - rw

+ /etc/cron.daily:

+ total 24k

+ - rwxr - xr - x. 1 root root 127 Jun 14 16:49 avscandaily

+ - rwx

+ - rwxr - xr - x. 1 root root 618 Jul 10 2018 man-db.cron

+ - rwx

+ - rwx

+ - rwxr - xr - x. 1 root root 114 Apr 8 2021 rhui-update-client

+ /etc/cron.hourly:

+ total 8.0k

+ - rwxr - xr - x. 1 root root 392 Nov 30 2021 0anacron

+ - rwxr - xr - x. 1 root root 131 Jun 14 17:05 update

+ /etc/cron.monthly:

+ total 0

+ - rwxr - xr - x. 1 root root 0 Jun 14 17:47 mdatpupdate

+

+ /etc/cron.weekly:

+ total 0

+ ```

+1. Ignore the ```/etc/cron.d``` directory, you'll see ```/etc/corn.daily, hourly, monthly, and weekly```.

+1. To schedule a weekly antivirus scan, you can create a file (Job) under the ```/etc/cron.weekly``` directory.

+ ```cd /etc/cron.weekly```

+ ``` vi mdavfullscan```

+ ```Press Insert```

+

+ :::image type="content" source="images/vi_mdavfullscan.png" alt-text="weekly antivirus scans":::

+ ```

+ #!/bin/sh

+ set -e

+ echo $(date) ΓÇ£Time Scan BeginsΓÇ¥ >>/logs/mdav_avacron_full_scan.log/bin/mdatp scan full >> /logs/mdav_avacron_full_scan.log

+ echo $(date) ΓÇ£Time Scan FinishedΓÇ¥ >>/logs/mdav_avacron_full_scan.log

+ exit 0

+ ~

+ ```

+ ```Press Esc```

+ ```Type: **wq!```

+1. Change the file permissions to allow the file to be executed.

+ ```Chmod 755 mdavfullscan```

+ ```ls -la```

+ :::image type="content" source="images/chmod-755-mdavfullscan.png" alt-text="7. Change file permissions":::

+ ```

+ [root@enaredhat7 cron.weekly]# 1s -1a

+ total 16

+ drwxr - xr ΓÇô x. 2 root root 26 Jun 14 19:19 .

+ drwxr - xr ΓÇô x. 85 root root 8192 Jun 14 19:01 ..

+ - rw - r

+ [root@enaredhat7 cron.weekly] # chmod 755 mdavfullscan

+ [root@enaredhat7 cron.weekly] # 1s -1h

+ total 4. 0k

+ - rwxr - xr ΓÇô x. 1 root root 128 Jun 14 19:19 mdavfullscan

+ [root@enaredhat7 cron.weekly] #

+ ```

+1. Use the command to test the weekly anacron job.

+

+ ```./mdavfullscan```

+1. Use the command to verify the job ran successfully.

+ ```cat /logs/mdav_avacron_full_scan.log```

+ :::image type="content" source="images/mdav_avacron_full_scan_log.png" alt-text="verify the job ran":::

+ ```

+ [root@enaredhat7 cron.weekly] # cat / logs / mdav_avacron_full_scan.log

+ Tue Jun 14 20:20:44 UTC 2022 Time Scan Begins

+ Scan has finished

+ 66547 file(s) scanned

+ 0 threat(s) detected

+ Tue Jun 14 20:20:50 UTC 2022 Time Scan Finished

+ [root@enaredhat7 cron.weekly] #

+ ```

+>Offboarding will [disable Tamper Protection](manage-tamper-protection-microsoft-365-defender.md) if it is enabled.

+3. WpnService connectivity with WNS cloud is not disabled via group policy or MDM setting. ['Turn off notifications network usage'](/windows/client-management/mdm/policy-csp-notifications) should not be set to '1'.

+ - To prevent users from bypassing the warnings and downloading unverified files, set **Block unverified file download** to **Yes**.

+- Integration with Tunnel. Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. This feature was earlier available only on Android. [Learn more](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/what-s-new-in-microsoft-endpoint-manager-2204-april-edition/ba-p/3297995)

+- [Microsoft Tunnel VPN integration](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730) <br> Microsoft Tunnel VPN capabilities is now integrated with Microsoft Defender for Endpoint app for Android. This unification enables organizations to offer a simplified end user experience with one security app ΓÇô offering both mobile threat defense and the ability to access on-premesis resources from their mobile device, while security and IT teams are able to maintain the same admin experiences they are familiar with.

+- [Manage tamper protection for your organization using Microsoft 365 Defender portal](manage-tamper-protection-microsoft-365-defender.md) <br> You can manage tamper protection settings on Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server 2022 by using a method called *tenant attach*.

+- Any investigation page in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077143" target="_blank">Microsoft Purview compliance portal</a>

+| **Alerts** | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Microsoft Defender for Cloud Apps, and other Microsoft 365 Defender features. <br> <br> If you see *Unsupported alert type*, it means that automated investigation capabilities cannot pick up that alert to run an automated investigation. However, you can [investigate these alerts manually](investigate-incidents.md#alerts).

+## Investigation states

+The following table lists investigation states and what they indicate.

+|Investigation state |Definition |

+|||

+|Benign | Artifacts were investigated and a determination was made that no threats were found.|

+|PendingResource | An automated investigation is paused because either a remediation action is pending approval, or the device on which an artifact was found is temporarily unavailable.|

+|UnsupportedAlertType | An automated investigation is not available for this type of alert. Further investigation can be done manually, by using advanced hunting. |

+|Failed | At least one investigation analyzer ran into a problem where it couldn't complete the investigation. If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded.|

+|Successfully remediated| An automated investigation completed, and all remediation actions were completed or approved.|

+To provide more context about how investigation states show up, the following table lists alerts and their corresponding automated investigation state. This table is included as an example of what a security operations team might see in the Microsoft 365 Defender portal.

+|Alert name | Severity | Investigation state | Status | Category |

+|--|-||--|-|

+|Malware was detected in a wim disk image file|Informational|Benign|Resolved|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|UnsupportedAlertType|New|Malware|

+|Malware was detected in a rar archive file|Informational|UnsupportedAlertType|New|Malware|

+|Malware was detected in a rar archive file|Informational|UnsupportedAlertType|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Wpakill hacktool was prevented|Low|Failed|New|Malware|

+|GendowsBatch hacktool was prevented|Low|Failed|New|Malware|

+|Keygen hacktool was prevented|Low|Failed|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a zip archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in a rar archive file|Informational|PendingResource|New|Malware|

+|Malware was detected in an iso disc image file|Informational|PendingResource|New|Malware|

+|Malware was detected in an iso disc image file|Informational|PendingResource|New|Malware|

+|Malware was detected in a pst outlook data file|Informational|UnsupportedAlertType|New|Malware|

+|Malware was detected in a pst outlook data file|Informational|UnsupportedAlertType|New|Malware|

+|MediaGet detected|Medium|PartiallyInvestigated|New|Malware|

+|TrojanEmailFile|Medium|SuccessfullyRemediated|Resolved|Malware|

+|CustomEnterpriseBlock malware was prevented|Informational|SuccessfullyRemediated|Resolved|Malware|

+|An active CustomEnterpriseBlock malware was blocked|Low|SuccessfullyRemediated|Resolved|Malware|

+|An active CustomEnterpriseBlock malware was blocked|Low|SuccessfullyRemediated|Resolved|Malware|

+|An active CustomEnterpriseBlock malware was blocked|Low|SuccessfullyRemediated|Resolved|Malware|

+|TrojanEmailFile|Medium|Benign|Resolved|Malware|

+|CustomEnterpriseBlock malware was prevented|Informational|UnsupportedAlertType|New|Malware|

+|CustomEnterpriseBlock malware was prevented|Informational|SuccessfullyRemediated|Resolved|Malware|

+|TrojanEmailFile|Medium|SuccessfullyRemediated|Resolved|Malware|

+|TrojanEmailFile|Medium|Benign|Resolved|Malware|

+|An active CustomEnterpriseBlock malware was blocked|Low|PendingResource|New|Malware|

+| **Discover** | |

+| **Investigate** | |

+| Files | Cloud apps -> Files |

+| Connected apps | Settings -> Cloud apps -> Connected apps |

+| **Control** | |

+| Policies | Cloud apps -> Policy management |

+| Templates | Cloud apps -> Policy templates |

+| **Settings** | |

+| Settings | Settings -> Cloud apps |

+| System settings | Settings -> Cloud apps |

+| Settings/Governance log | Cloud apps -> Governance log |

+| Security extensions | Settings -> Cloud apps |

+| Playbooks | Settings -> Cloud apps |

+| SIEM agents | Settings -> Cloud apps |

+| External DLP | Settings -> Cloud apps |

+| API tokens | Settings -> Cloud apps |

+| Manage admin access | Permissions-> Cloud apps-> Roles |

+| Exported reports | Reports -> Cloud apps -> Exported reports |

+| Scoped deployment and privacy | Permissions -> Cloud apps -> Activity Privacy permissions |

+| Connected Apps/App connectors | Settings -> Cloud Apps -> Connected Apps |

+| Conditional Access App Control | Settings -> Cloud apps -> Conditional Access App Control apps |

+| IP address ranges | Settings -> Cloud apps |

+| User groups | Settings -> Cloud apps |

+>

+> - **App/Instance admin**, **User group admin**, **Cloud Discovery global admin**, and **Cloud Discovery report admin**, as defined in [Built-in admin roles in Defender for Cloud Apps](/defender-cloud-apps/manage-admins#built-in-admin-roles-in-defender-for-cloud-apps).

+> - User privacy groups as defined in [Activity privacy](/defender-cloud-apps/activity-privacy)

+2. On the **Submissions** page, verify that the **Emails** tab is selected.

+3. On the **Emails** tab, click  **Submit to Microsoft for analysis**.

+4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

+ - **Select the submission type**: Verify the value **Email** is selected.

+ - **Add the network message ID or upload the email file**: Select one of the following options:

+ - **Choose a recipient who had an issue**: Specify the recipient that you would like to run a policy check against. The policy check will determine if the email bypassed scanning due to user or organization policies.

+ - **Select a reason for submitting to Microsoft**: Verify **Should not have been blocked (False positive)** is selected.

+ - **The email should have been categorized as**: Select **Phish**, **Malware**, or **Spam**. If you're not sure, use your best judgement.

+ - **Block all emails from this sender or domain**: Select this option to create a block entry for the sender in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+ After you select this option, the following settings are available:

+ - By default, **Sender** is selected but you can select **Domain** instead.

+ - **Remove block entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **90 days**

+ - **Never expire**

+ - **Specific date**

+ - **Block entry note**: Enter optional information about why you're allowing this email.

+ When you're finished, click **Submit**, and then click **Done**.

+> :::image type="content" source="../../media/admin-submission-email-block.png" alt-text="Submit a false negative (bad) email to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-email-block.png":::

+> [!NOTE]

+> For messages that were incorrectly blocked by [spoof intelligence](learn-about-spoof-intelligence.md), a block entry for the domain pair is not created in the Tenant Allow/Block List.

+>

+> For messages that were incorrectly blocked by [domain or user impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), a block entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](configure-mdo-anti-phishing-policies.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.

+>

+> To report a file as **Should not have been blocked (False positive)**, see [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions portal](allow-block-email-spoof.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal).

+## Report questionable email attachments to Microsoft

+2. On the **Submissions** page, select the **Email attachments** tab.

+3. On the **Email attachments** tab, click  **Submit to Microsoft for analysis**.

+4. On the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

+ - **Select the submission type**: Verify the value **Email attachment** is selected.

+ - **File**: Click **Browse files** to find and select the file to submit.

+ > [!NOTE]

+ > File submissions are not available in clouds that do not allow for data to leave the environment. **Browse files** is greyed out.

+ - **Select a reason for submitting to Microsoft**: Verify **Should have been blocked (False negative)** is selected.

+ - **The email should have been categorized as**: Select **Phish** or **Malware**. If you're not sure, use your best judgement.

+ - **Block this file**: Select this option to create a block entry for the sender in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+ After you select this option, the following settings are available:

+ - **Remove block entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **90 days**

+ - **Never expire**

+ - **Specific date**

+ - **Block entry note**: Enter optional information about why you're allowing this email.

+ When you're finished, click **Submit**, and then click **Done**.

+> :::image type="content" source="../../media/admin-submission-file-block.png" alt-text="Submit a false negative (bad) email attachment to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-file-block.png":::

+ > To report a file as **Should not have been blocked (False positive)**, see [Use the Microsoft 365 Defender portal to create allow entries for files in the Submissions portal](allow-block-files.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-files-in-the-submissions-portal).

+## Report questionable URLs to Microsoft

+2. On the **Submissions** page, select the **URLs** tab.

+3. On the **URLs** tab, click  **Submit to Microsoft for analysis**.

+4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

+ - **Select the submission type**: Verify the value **URL** is selected.

+ - **URL**: Enter the full URL (for example, `https://www.fabrikam.com/marketing.html`), and then select it in the box that appears.

+ > [!NOTE]

+ > URL submissions are not available in clouds that do not allow for data to leave the environment. **URL** is greyed out.

+ - **Select a reason for submitting to Microsoft**: Verify **Should have been blocked (False negative)** is selected.

+ - **The email should have been categorized as**: Select **Phish** or **Malware**. If you're not sure, use your best judgement.

+ - **Block this URL**: Select this option to create a block entry for the sender in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+ After you select this option, the following settings are available:

+ - **Remove block entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **90 days**

+ - **Never expire**

+ - **Specific date**

+ - **Block entry note**: Enter optional information about why you're allowing this email.

+ When you're finished, click **Submit**, and then click **Done**.

+> :::image type="content" source="../../media/admin-submission-url-block.png" alt-text="Submit a false negative (bad) URL to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-url-block.png":::

+ > [!NOTE]

+ > To report a URL as **Should not have been blocked (False positive)**, see [Use the Microsoft 365 Defender portal to create allow entries for URLs in the Submissions portal](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-in-the-submissions-portal).

+ - You can sort the entries by clicking on an available column header.

+ - Click  **Customize columns** to select the columns that you want to view. The default values are marked with an asterisk (\*):

+ :::image type="content" source="../../media/admin-submission-email-customize-columns.png" alt-text="Customize columns option for email admin submissions." lightbox="../../media/admin-submission-email-customize-columns.png":::

+ - To filter the entries, click  **Filter**. The following values are available in the **Filter** flyout that appears:

+ - **Date submitted**: **Start date** and **End date** values.

+ - **Reason for submitting**: The values **Not junk**, **Phish**, **Malware**, and **Spam**.

+ - **Status**: The values **Pending** and **Completed**.

+ - **Tags**: The default value is **All** or select a [user tag](user-tags.md) from the drop down list.

+ When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

+ :::image type="content" source="../../media/admin-submission-email-filters.png" alt-text="Filter options for email admin submissions." lightbox="../../media/admin-submission-email-filters.png":::

+ - To group the entries, click  **Group** and select one of the following values from the dropdown list:

+ - To export the entries, click  **Export**. In the dialog that appears, save the .csv file.

+ - You can sort the entries by clicking on an available column header.

+ - Click  **Customize columns** to select the columns that you want to view. The default values are marked with an asterisk (\*):

+ - **Attachment filename**^\*

+ :::image type="content" source="../../media/admin-submission-file-customize-columns.png" alt-text="Customize column options for email attachment admin submissions.":::

+ - To filter the entries, click  **Filter**. The following values are available in the **Filter** flyout that appears:

+ - **Tags**: The default value is **All** or select a [user tag](user-tags.md) from the drop down list.

+ :::image type="content" source="../../media/admin-submission-file-filters.png" alt-text="Filter options for email attachment admin submissions.":::

+ - To group the entries, click  **Group** and select one of the following values from the drop down list:

+ - To export the entries, click  **Export**. In the dialog that appears, save the .csv file.

+ - You can sort the entries by clicking on an available column header.

+ - Click  **Customize columns** to select the columns that you want to view. The default values are marked with an asterisk (\*):

+ :::image type="content" source="../../media/admin-submission-url-customize-columns.png" alt-text="Customize column options for URL admin submissions.":::

+ - To filter the entries, click  **Filter**. The following values are available in the **Filter** flyout that appears:

+ - **Tags**: The default value is **All** or select a [user tag](user-tags.md) from the drop down list.

+ When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

+ :::image type="content" source="../../media/admin-submission-url-filters.png" alt-text="Filter options for URL admin submissions.":::

+ - To group the entries, click  **Group** and select one of the following values from the dropdown list:

+ - To export the entries, click  **Export**. In the dialog that appears, save the .csv file.

+## Admin submission result details

+Messages that are submitted in admin submissions are reviewed by Microsoft and results shown in the submissions detail flyout:

+ - Click  **Customize columns** to select the columns that you want to view. The default values are marked with an asterisk (\*):

+ - To filter the entries, click  **Filter**. The following values are available in the **Filter** flyout that appears:

+ - **Reported reason**: The values **Not junk**, **Phish**, or **Spam**.

+ - **Reported from**: The values **Microsoft add-in** or **Third party add-in**.

+ - **Phish simulation**: The values **Yes** or **No**.

+ - **Converted to admin submission**: The values **Yes** or **No**.

+ - **Tags**: The default value is **All** or select a [user tag](user-tags.md) from the drop down list.

+ When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

+ > :::image type="content" source="../../media/admin-submission-user-reported-filters.png" alt-text="Filter options for user submissions." lightbox="../../media/admin-submission-user-reported-filters.png":::

+ - To group the entries, click  **Group** and select one of the following values from the dropdown list:

+ - To export the entries, click  **Export**. In the dialog that appears, save the .csv file.

+ - To notify users, see [Admin Review for Reported messages](admin-review-reported-message.md)

+> If organizations are configured to send user reported messages to the [custom mailbox only](user-submission.md), reported messages will appear in **User reported messages** but their results will always be empty (as they would not have been rescanned).

+Once a user submits a suspicious email to the custom mailbox, the user and admin don't have an option to undo the submission. If the user would like to recover the email, it's available for recovery in their Deleted Items or Junk Email folders.

+On the **User reported messages** tab, select a message in the list, click  **Submit to Microsoft for analysis**, and then select one of the following values from the dropdown list:

+ :::image type="content" source="../../media/admin-submission-user-reported-submit-button-options.png" alt-text="The New options on the Action button" lightbox="../../media/admin-submission-user-reported-submit-button-options.png":::

+This article describes how to create and manage allow and block entries for domains and email addresses (including spoofed senders) that are available in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+You manage allow and block entries for email in the Microsoft 365 Defender Portal or in Exchange Online PowerShell.

+## What do you need to know before you begin?

+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).

+- For domains and email addresses, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 domain and email address entries total).

+- For spoofed senders, the maximum number of entries is 1024.

+- Entries for spoofed senders never expire.

+- For details about the syntax for spoofed sender entries, see the [Domain pair syntax for spoofed sender entries](#domain-pair-syntax-for-spoofed-sender-entries) section later in this article.

+- An entry should be active within 30 minutes, but it might take up to 24 hours for the entry to be active.

+- You need to be assigned permissions in Exchange Online before you can do the procedures in this article:

+ - To add and remove values from the Tenant Allow/Block List, you need to be a member of one of the following role groups:

+ - **Organization Management** or **Security Administrator** role group (**Security admin role**)

+ - **Security Operator** role group (**Tenant AllowBlockList Manager**).

+ - For read-only access to the Tenant Allow/Block List, you need to be a member of one of the following role groups:

+ - **Global Reader** role group

+ - **Security Reader** role group

+ - **View-Only configuration** role group

+ For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).

+ **Notes**:

+ - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions *and* permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).

+ - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.

+## Domains and email addresses in the Tenant Allow/Block List

+### Create block entries for domains and email addresses

+You have the following options to create block entries for domains and email addresses:

+- [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-domains-and-email-addresses-in-the-submissions-portal)

+- The Tenant Allow/Block List in [the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list) or in [PowerShell](#use-powershell-to-create-block-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list)

+To create block entries for spoofed senders, see the [Use the Microsoft 365 Defender portal to view allow or block entries for spoofed senders in the Tenant Allow/Block List](#use-the-microsoft-365-defender-portal-to-view-allow-or-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list) section later in this article.

+#### Use the Microsoft 365 Defender portal to create block entries for domains and email addresses in the Submissions portal

+When you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report email messages as **Should have been blocked (False negative)**, you can select **Block all emails from this recipient** to add a block entry for the domain or sender in the Tenant Allow/Block List.

+For instructions, see [Report questionable email to Microsoft](admin-submission.md#report-questionable-email-to-microsoft).

+#### Use the Microsoft 365 Defender portal to create block entries for domains and email addresses in the Tenant Allow/Block List

+You create block entries for domains and email addresses directly in the Tenant Allow/Block List.

+> Email messages from these blocked domains and email addresses are identified as *high confidence spam* (SCL = 9) and is moved to the Junk Email folder by default.

+> Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): `5.7.1 Your message can't be delivered because one or more recipients are blocked by your organization's tenant allow/block list policy.`

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. On the **Tenant Allow/Block List** page, verify that the **Domains & addresses** tab is selected.

+3. **Domains & addresses** tab, click  **Block**.

+4. In the **Block domains & addresses** flyout that appears, configure the following settings:

+ - **Domains & addresses**: Enter one email address or domain per line, up to a maximum of 20.

+ - **Remove block entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **Never expire**

+ - **Specific date**: The maximum value is 90 days from today.

+ - **Optional note**: Enter descriptive text for the entries.

+5. When you're finished, click **Add**.

+##### Use PowerShell to create block entries for domains and email addresses in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+New-TenantAllowBlockListItems -ListType Sender -Block -Entries "DomainOrEmailAddress1","DomainOrEmailAddress1",..."DomainOrEmailAddressN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]

+This example adds a block entry for the specified email address that expires on a specific date.

+New-TenantAllowBlockListItems -ListType Sender -Block -Entries "test@badattackerdomain.com","test2@anotherattackerdomain.com" -ExpirationDate 8/20/2022

+### Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions portal

+You can't create allow entries for domains and email addresses directly in the Tenant Allow/Block List. Instead, you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report the message as a false positive. For more information about admin submissions, see [Use the Submissions portal to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](admin-submission.md).

+> [!NOTE]

+> Because Microsoft manages allow entries for you, unneeded allow entries for domains and email addresses will be removed. This behavior protects your organization and helps prevent misconfigured allow entries. If you disagree with the verdict, you might need to open a support case to help determine why a message is still considered bad.

+>

+> If the domain or email address has not already been blocked, an allow entry for the domain or email address won't be created.

+>

+> In most cases where the message was determined to be a false positive that was incorrectly blocked, the allow entry will be removed on the specified expiration date.

+>

+> To create allow entries for spoofed senders, see the [Create allow entries for spoofed senders](#create-allow-entries-for-spoofed-senders) section later in this article.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, verify that the **Emails** tab is selected.

+3. On the **Emails** tab, click  **Submit to Microsoft for analysis**.

+4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

+ - **Select the submission type**: Verify the value **Email** is selected.

+ - **Add the network message ID or upload the email file**: Select one of the following options:

+ - **Add the email network message ID**: This is a GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header in the message or in the **X-MS-Office365-Filtering-Correlation-Id** header in quarantined messages.

+ - **Upload the email file (.msg or .eml)**: Click **Browse files**. In the dialog that opens, find and select the .eml or .msg file, and then click **Open**.

+ - **Choose a recipient who had an issue**: Specify the recipient that you would like to run a policy check against. The policy check will determine if the email was blocked due to user or organization policies.

+ - **Select a reason for submitting to Microsoft**: Select **Should not have been blocked (False positive)**, and then configure the following settings:

+ - **Allow emails with similar attributes (URL, sender, etc.)**: Turn on this setting .

+ - **Remove allow entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **Specific date**: The maximum value is 30 days from today.

+ - **Allow entry note**: Enter optional information about why you're allowing this email.

+ When you're finished, click **Submit**, and then click **Done**.

+ :::image type="content" source="../../media/admin-submission-email-allow.png" alt-text="Submit a false positive (good) email to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-email-allow.png":::

+5. After a few moments, the allow entry will appear on the **Domains & addresses** tab on the **Tenant Allow/Block List** page.

+> - Allows are added during mail flow, based on which filters determined the message to be malicious. For example, if the sender and a URL in the message were determined to be bad, an allow entry is created for the sender, and an allow entry is created for the URL.

+> - During mail flow, if messages from the domain or email address pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-validation-and-authentication.md) passes, a message from a sender in the allow entry will be delivered.

+### Use the Microsoft 365 Defender portal to view allow or block entries for domains and email addresses in the Tenant Allow/Block List

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Verify the **Domains & addresses** tab is selected. The following columns are available:

+ - **Value**: The domain or email address.

+ - **Action**: The value **Allow** or **Block**.

+ - **Modified by**

+ - **Last updated**

+ - **Remove on**: The expiration date.

+ - **Notes**

+ You can click on a column heading to sort in ascending or descending order.

+ Click  **Group** to group the results by **None** or **Action**.

+ Click  **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click  **Clear search**.

+ Click  **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:

+ - **Action**: **Allow** and **Block**.

+ - **Never expire**:  or 

+ - **Last updated**: Select **From** and **To** dates.

+ - **Remove on**: Select **From** and **To** dates.

+ When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

+#### Use PowerShell to view allow or block entries for domains and email addresses in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+Get-TenantAllowBlockListItems -ListType Sender [-Allow] [-Block] [-Entry <Domain or Email address value>] [<-ExpirationDate Date | -NoExpiration>]

+This example returns all allow and block entries for domains and email addresses.

+```powershell

+Get-TenantAllowBlockListItems -ListType Sender

+```

+This example filters the results for block entries for domains and email addresses.

+Get-TenantAllowBlockListItems -ListType Sender -Block

+For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).

+### Use the Microsoft 365 Defender portal to modify allow or block entries for domains and email addresses in the Tenant Allow/Block List

+When you modify an allow or block entry for domains and email addresses in the Tenant Allow/Block list, you can only modify the expiration date and notes.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Verify the **Domains & addresses** tab is selected.

+3. On the **Domains & addresses** tab, select the check box of the entry that you want to modify, and then click the  **Edit** button that appears.

+4. The following settings are available in the **Edit domain & addresses** flyout that appears:

+ - **Remove allow entry after** or **Remove block entry after**:

+ - You can extend allow entries for a maximum of 30 days after the creation date.

+ - You can extend block entries for a maximum of 90 days after the creation date or set them to **Never expire**.

+ - **Optional note**

+ When you're finished, click **Save**.

+> [!NOTE]

+> For allow entries only, if you select the entry by clicking anywhere in the row other than the check box, you can select  **View submission** in the details flyout that appears to go to the **Submissions** page at <https://security.microsoft.com/reportsubmission>.

+#### Use PowerShell to modify allow or block entries for domains and email addresses in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+Set-TenantAllowBlockListItems -ListType Sender <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]

+```

+This example changes the expiration date of the specified block entry for domains and email addresses.

+```powershell

+Set-TenantAllowBlockListItems -ListType Sender -Entries "julia@fabrikam.com" -ExpirationDate "9/1/2022"

+```

+For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).

+### Use the Microsoft 365 Defender portal to remove allow or block entries for domains and email addresses in the Tenant Allow/Block List

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Verify the **Domains & addresses** tab is selected.

+3. On **Domains & addresses** tab, do one of the following steps:

+ - Select the check box of the entry that you want to remove, and then click the  **Delete** icon that appears.

+ - Select the entry that you want to remove by click anywhere in the row other than the check box. In the details flyout that appears, click  **Delete**.

+4. In the warning dialog that appears, click **Delete**.

+> You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header.

+#### Use PowerShell to remove allow or block entries for domains and email addresses from the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+Remove-TenantAllowBlockListItems -ListType Sender <-Ids <Identity value> | -Entries <Value value>>

+This example removes the specified block entry for domains and email addresses from the Tenant Allow/Block List.

+```powershell

+Remove-TenantAllowBlockListItems -ListType Sender -Entries "adatum.com"

+```

+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).

+## Spoofed senders in the Tenant Allow/Block List

+### Create allow entries for spoofed senders

+You have the following options to create block entries for spoofed senders:

+- [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal)

+- The Tenant Allow/Block List in [the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) or in [PowerShell](#use-powershell-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list)

+> Allow entries for spoofed senders take care of intra-org, cross-org, and DMARC spoofing.

+> Only the combination of the spoofed user *and* the sending infrastructure as defined in the [domain pair](#domain-pair-syntax-for-spoofed-sender-entries) is allowed to spoof.

+>

+> When you configure an allow entry for a domain pair, messages from that domain pair no longer appear in the [spoof intelligence insight](learn-about-spoof-intelligence.md).

+>

+> Allow entries for spoofed senders never expire.

+#### Use the Microsoft 365 Defender portal to create allow entries for spoofed senders in the Submissions portal

+Submitting messages that were blocked by [spoof intelligence](learn-about-spoof-intelligence.md) to Microsoft from the **Submissions** page adds the sender as an allow entry on the **Spoofed senders** tab in Tenant Allow/Block List.

+> [!NOTE]

+> When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List.

+>

+> If the sender has not been blocked by spoof intelligence, submitting the email message to Microsoft won't create an allow entry in the Tenant Allow/Block List.

+The instructions to report the message are nearly identical to the steps in [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions portal](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal).

+The only differences are:

+- The **Remove allow entry after** setting in Step 4 is meaningless, because entries for spoofed senders never expire.

+- The **Allow entry note** setting in Step 4 doesn't apply to entries for spoofed senders in the Tenant Allow/Block List.

+#### Use the Microsoft 365 Defender portal to create allow entries for spoofed senders in the Tenant Allow/Block List

+In the Tenant Allow/Block List, you can create allow entries for spoofed senders before they're detected and blocked by [spoof intelligence](learn-about-spoof-intelligence.md).

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+ - **Add domain pairs with wildcards**: Enter domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see the [Domain pair syntax for spoofed sender entries](#domain-pair-syntax-for-spoofed-sender-entries) section later in this article.

+ - **Action**: Select **Allow** or **Block**.

+ When you're finished, click **Add**.

+##### Use PowerShell to create allow entries for spoofed senders in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow -SpoofedUser <Domain | EmailAddress> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal>

+```

+This example creates an allow entry for the sender bob@contoso.com from the source contoso.com.

+```powershell

+New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow -SendingInfrastructure contoso.com -SpoofedUser bob@contoso.com -SpoofType External

+```

+For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).

+### Use the Microsoft 365 Defender portal to create block entries for spoofed senders in the Tenant Allow/Block List

+You create block entries for spoofed senders directly in the Tenant Allow/Block List.

+> [!NOTE]

+> Email messages from these senders are blocked as *phishing*.

+>

+> Only the combination of the spoofed user *and* the sending infrastructure as defined in the [domain pair](#domain-pair-syntax-for-spoofed-sender-entries) is blocked from spoofing.

+>

+> When you configure a block entry for a domain pair, messages from that domain pair no longer appear in the [spoof intelligence insight](learn-about-spoof-intelligence.md).

+>

+> Block entries for spoofed senders never expire.

+The instructions to report the message are nearly identical to the steps in [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions portal](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal).

+The only difference is: for the **Action** value in Step 4, choose **Block** instead of **Allow**.

+#### Use PowerShell to create block entries for spoofed senders in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+New-TenantAllowBlockListSpoofItems -Identity Default -Action Block -SpoofedUser <Domain | EmailAddress> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal>

+```

+This example creates a block entry for the sender laura@adatum.com from the source 172.17.17.17/24.

+New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow -SendingInfrastructure 172.17.17.17/24 -SpoofedUser laura@adatum.com -SpoofType External

+### Use the Microsoft 365 Defender portal to view allow or block entries for spoofed senders in the Tenant Allow/Block List

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Verify the **Spoofed senders** tab is selected. The following columns are available:

+ - **Spoofed user**

+ - **Sending infrastructure**

+ - **Spoof type**: The value **Internal** or **External**.

+ - **Action**: The value **Block** or **Allow**.

+ You can click on a column heading to sort in ascending or descending order.

+ Click  **Group** to group the results by **None**, **Action**, or **Spoof type**.

+ Click  **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click  **Clear search**.

+ Click  **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:

+ - **Action**: **Allow** and **Block**.

+ - **Spoof type**: **Internal** and **External**.

+ When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

+#### Use PowerShell to view allow or block entries for spoofed senders in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+### Use the Microsoft 365 Defender portal to modify allow or block entries for spoofed senders in the Tenant Allow/Block List

+When you modify an allow or block entry for spoofed senders in the Tenant Allow/Block list, you can only change the entry from **Allow** to **Block**, or vice-versa.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Select the **Spoofed senders** tab.

+3. On the **Spoofed senders** tab, select the entry that you want to modify, and then click the  **Edit** button that appears.

+4. In the **Edit spoofed sender** flyout that appears, choose **Allow** or **Block**.

+5. When you're finished, click **Save**.

+#### Use PowerShell to modify allow or block entries for spoofed senders in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+Set-TenantAllowBlockListSpoofItems -Identity Default -Ids <Identity value> -Action <Allow | Block>

+Set-TenantAllowBlockListItems -Identity Default -Ids 3429424b-781a-53c3-17f9-c0b5faa02847 -Action Block

+### Use the Microsoft 365 Defender portal to remove allow or block entries for spoofed senders in the Tenant Allow/Block List

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Select the **Spoofed senders** tab.

+3. On the **Spoofed senders** tab, select the entry that you want to remove, and then click the  **Delete** icon that appears.

+4. In the warning dialog that appears, click **Delete**.

+> [!NOTE]

+> You can select multiple entries by selecting each check box, or selecting all entries by selecting the check box next to the **Spoofed user** column header.

+#### Use PowerShell to remove allow or block entries for spoofed senders from the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+Remove-TenantAllowBlockListSpoofItems -Identity domain.com\Default -Ids <Identity value>

+```powershell

+Remove-TenantAllowBlockListSpoofItems -Identity domain.com\Default -Ids d86b3b4b-e751-a8eb-88cc-fe1e33ce3d0c

+```

+This example removes the specified spoofed sender. You get the Ids parameter value from the Identity property in the output of Get-TenantAllowBlockListSpoofItems command.

+### Domain pair syntax for spoofed sender entries

+A domain pair for a spoofed sender in the Tenant Allow/Block List uses the following syntax: `<Spoofed user>, <Sending infrastructure>`.

+- **Spoofed user**: This value involves the email address of the spoofed user that's displayed in the **From** box in email clients. This address is also known as the `5322.From` address. Valid values include:

+ - An individual email address (for example, chris@contoso.com).

+ - An email domain (for example, contoso.com).

+ - The wildcard character (for example, \*).

+- **Sending infrastructure**: This value indicates the source of messages from the spoofed user. Valid values include:

+ - The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address (for example, fabrikam.com).

+ - If the source IP address has no PTR record, then the sending infrastructure is identified as \<source IP\>/24 (for example, 192.168.100.100/24).

+ - A verified DKIM domain.

+Here are some examples of valid domain pairs to identify spoofed senders:

+- `contoso.com, 192.168.100.100/24`

+- `chris@contoso.com, fabrikam.com`

+- `*, contoso.net`

+Adding a domain pair only allows or blocks the *combination* of the spoofed user *and* the sending infrastructure. It does not allow email from the spoofed user from any source, nor does it allow email from the sending infrastructure source for any spoofed user.

+For example, you add an allow entry for the following domain pair:

+- **Domain**: gmail.com

+- **Infrastructure**: tms.mx.com

+Only messages from that domain *and* sending infrastructure pair are allowed to spoof. Other senders attempting to spoof gmail.com aren't allowed. Messages from senders in other domains originating from tms.mx.com are checked by spoof intelligence.

+> [!NOTE]

+> You can't use wildcards in the sending infrastructure.

+## About impersonated domains or senders

+In organizations with Microsoft Defender for Office 365, you can't create allow entries in the Tenant/Allow/Block List for messages that were detected as impersonation by [domain or sender impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).

+Reporting a message that was incorrectly blocked as impersonation in the Submissions portal at <https://security.microsoft.com/reportsubmission> does not add the sender or domain as an allow entry in the Tenant Allow/Block List.

+Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](configure-mdo-anti-phishing-policies.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.

+The instructions to report the message are identical to the steps in [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions portal](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal).

+> Currently, Graph Impersonation is not taken care from here.

+- [Use the Submissions portal to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](admin-submission.md)

+This article describes how to manage file allow and block entries that are available in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+You manage allow and block entries for files in the Microsoft 365 Defender Portal or in Exchange Online PowerShell.

+## What do you need to know before you begin?

+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).

+- You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:

+ ```DOS

+ certutil.exe -hashfile "<Path>\<Filename>" SHA256

+ ```

+ An example value is `768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a`. Perceptual hash (pHash) values are not supported.

+- For files, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 file entries total).

+- You can enter a maximum of 64 characters in a file entry.

+- An entry should be active within 30 minutes, but it might take up to 24 hours for the entry to be active.

+- You need to be assigned permissions in Exchange Online before you can do the procedures in this article:

+ - To add and remove values from the Tenant Allow/Block List, you need to be a member of one of the following role groups:

+ - **Organization Management** or **Security Administrator** role group (**Security admin role**)

+ - **Security Operator** role group (**Tenant AllowBlockList Manager**).

+ - For read-only access to the Tenant Allow/Block List, you need to be a member of one of the following role groups:

+ - **Global Reader** role group

+ - **Security Reader** role group

+ - **View-Only configuration** role group

+ For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).

+ **Notes**:

+ - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions *and* permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).

+ - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.

+## Create block entries for files

+You have the following options to create block entries for files:

+- [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-files-in-the-submissions-portal)

+- The Tenant Allow/Block List in [the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-files-in-the-tenant-allowblock-list) or in [PowerShell](#use-powershell-to-create-block-entries-for-files-in-the-tenant-allowblock-list)

+### Use the Microsoft 365 Defender portal to create block entries for files in the Submissions portal

+When you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report files as **Should have been blocked (False negative)**, you can select **Block this file** to add a block entry for the file in the Tenant Allow/Block List.

+For instructions, see [Report questionable email attachments to Microsoft](admin-submission.md#report-questionable-email-attachments-to-microsoft).

+### Use the Microsoft 365 Defender portal to create block entries for files in the Tenant Allow/Block List

+You create block entries for files directly in the Tenant Allow/Block List.

+> [!NOTE]

+> Email messages that contain these blocked files are blocked as *malware*.

+2. On the **Tenant Allow/Block List** page, select the **Files** tab.

+3. On the **Files** tab, click  **Block**.

+4. In the **Block files** flyout that appears, configure the following settings:

+ - **Remove block entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **Never expire**

+ - **Specific date**: The maximum value is 90 days from today.

+5. When you're finished, click **Add**.

+#### Use PowerShell to create block entries for files in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+## Use the Microsoft 365 Defender portal to create allow entries for files in the Submissions portal

+You can't create allow entries for files directly in the Tenant Allow/Block List. Instead, you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report the message as a false positive. For more information about admin submissions, see [Use the Submissions portal to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](admin-submission.md).

+Reporting the file as a false positive on the **Submissions** page adds an allow entry for the file in the Tenant Allow/Block List.

+> [!IMPORTANT]

+> Because Microsoft manages allow entries for you, unneeded allow entries for files will be removed. This behavior protects your organization and helps prevent misconfigured allow entries. If you disagree with the verdict, you might need to open a support case to help determine why a file is still considered bad.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, select the **Email attachments** tab.

+3. On the **Email attachments** tab, click  **Submit to Microsoft for analysis**.

+4. On the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

+ - **Select the submission type**: Verify the value **Email attachment** is selected.

+ - **File**: Click **Browse files** to find and select the file to submit.

+ - **Select a reason for submitting to Microsoft**: Select **Should not have been blocked (False positive)**, and then configure the following settings:

+ - **Allow this file**: Turn on this setting .

+ - **Remove allow entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **Specific date**: The maximum value is 30 days from today.

+ - **Allow entry note**: Enter optional information about why you're allowing this file.

+ When you're finished, click **Submit**, and then click **Done**.

+ :::image type="content" source="../../media/admin-submission-file-allow.png" alt-text="Submit a false positive (good) email attachment to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-file-allow.png":::

+5. After a few moments, the allow entry will appear on the **Files** tab on the **Tenant Allow/Block List** page.

+> When the file is encountered again, it's not sent for [Safe Attachments](safe-attachments.md) detonation or file reputation checks, and all other file-based filters are skipped. During mail flow, if messages containing the file pass other non-file checks in the filtering stack, the messages will be delivered.

+## Use the Microsoft 365 Defender portal to view allow or block entries for files in the Tenant Allow/Block List

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Select the **Files** tab. The following columns are available:

+ - **Value**: The file hash.

+ - **Action**: The value **Allow** or **Block**.

+ - **Modified by**

+ - **Last updated**

+ - **Remove on**: The expiration date.

+ - **Notes**

+ You can click on a column heading to sort in ascending or descending order.

+ Click  **Group** to group the results by **None** or **Action**.

+ Click  **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click  **Clear search**.

+ Click  **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:

+ - **Action**: **Allow** and **Block**.

+ - **Never expire**:  or 

+ - **Last updated**: Select **From** and **To** dates.

+ - **Remove on**: Select **From** and **To** dates.

+ When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

+### Use PowerShell to view allow or block entries for files in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+Get-TenantAllowBlockListItems -ListType FileHash [-Allow] [-Block] [-Entry <FileHashValue>] [<-ExpirationDate Date | -NoExpiration>]

+```

+This example returns all allowed and blocked files.

+Get-TenantAllowBlockListItems -ListType FileHash

+This example filters the results by blocked files.

+```powershell

+Get-TenantAllowBlockListItems -ListType FileHash -Block

+```

+## Use the Microsoft 365 Defender portal to modify allow or block entries for files in the Tenant Allow/Block List

+When you modify an allow or block file entry in the Tenant Allow/Block list, you can only modify the expiration date and notes.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Select the **Files** tab

+3. On the **Files** tab, select the check box of the entry that you want to modify, and then click the  **Edit** button that appears.

+4. The following settings are available in the **Edit file** flyout that appears:

+ - **Remove allow entry after** or **Remove block entry after**:

+ - You can extend allow entries for a maximum of 30 days after the creation date.

+ - You can extend block entries for a maximum of 90 days after the creation date or set them to **Never expire**.

+ - **Optional note**

+ When you're finished, click **Save**.

+> [!NOTE]

+> For allow entries only, if you select the entry by clicking anywhere in the row other than the check box, you can select  **View submission** in the details flyout that appears to go to the **Submissions** page at <https://security.microsoft.com/reportsubmission>.

+### Use PowerShell to modify allow or block entries for files in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+Set-TenantAllowBlockListItems -ListType <FileHash> <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]

+```

+This example changes the expiration date of the specified file block entry.

+Set-TenantAllowBlockListItems -ListType FileHash -Entries "27c5973b2451db9deeb01114a0f39e2cbcd2f868d08cedb3e210ab3ece102214" -ExpirationDate "9/1/2022"

+## Use the Microsoft 365 Defender portal to remove allow or block entries for files from the Tenant Allow/Block List

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Select the **Files** tab.

+3. On the **Files** tab, do one of the following steps:

+ - Select the check box of the entry that you want to remove, and then click the  **Delete** icon that appears.

+ - Select the entry that you want to remove by click anywhere in the row other than the check box. In the details flyout that appears, click  **Delete**.

+4. In the warning dialog that appears, click **Delete**.

+> [!NOTE]

+> You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header.

+### Use PowerShell to remove allow or block entries for files from the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+Remove-TenantAllowBlockListItems -ListType FileHash <-Ids <Identity value> | -Entries <Value value>>

+```

+This example removes the specified file block from the Tenant Allow/Block List.

+Remove-TenantAllowBlockListItems -ListType FileHash -Entries "27c5973b2451db9deeb01114a0f39e2cbcd2f868d08cedb3e210ab3ece102214"

+- [Use the Submissions portal to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](admin-submission.md)

+This article describes how to create and manage URL allow and block entries that are available in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+You manage allow and block entries for URLs in the Microsoft 365 Defender Portal or in Exchange Online PowerShell.

+## What do you need to know before you begin?

+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).

+- For URL entry syntax, see the [URL syntax for the Tenant Allow/Block List](#url-syntax-for-the-tenant-allowblock-list) section later in this article.

+- For URLs, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 URL entries total).

+- You can enter a maximum of 250 characters in a URL entry.

+- An entry should be active within 30 minutes, but it might take up to 24 hours for the entry to be active.

+- You need to be assigned permissions in Exchange Online before you can do the procedures in this article:

+ - To add and remove values from the Tenant Allow/Block List, you need to be a member of one of the following role groups:

+ - **Organization Management** or **Security Administrator** role group (**Security admin role**)

+ - **Security Operator** role group (**Tenant AllowBlockList Manager**).

+ - For read-only access to the Tenant Allow/Block List, you need to be a member of one of the following role groups:

+ - **Global Reader** role group

+ - **Security Reader** role group

+ - **View-Only configuration** role group

+ For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).

+ **Notes**:

+ - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions *and* permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).

+ - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.

+## Create block entries for URLs

+You have the following options to create block entries for URLs:

+- [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-submissions-portal)

+- The Tenant Allow/Block List in [the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list) or in [PowerShell](#use-powershell-to-create-block-entries-for-urls-in-the-tenant-allowblock-list)

+### Use the Microsoft 365 Defender portal to create block entries for URLs in the Submissions portal

+When you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report URLs as **Should have been blocked (False negative)**, you can select **Block this file** to add a block entry for the URL in the Tenant Allow/Block List.

+For instructions, see [Report questionable URLs to Microsoft](admin-submission.md#report-questionable-urls-to-microsoft).

+### Use the Microsoft 365 Defender portal to create block entries for URLs in the Tenant Allow/Block List

+You create block entries for URLs directly in the Tenant Allow/Block List.

+> [!NOTE]

+> Email messages that contain these blocked URLs are blocked as *phishing*.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. On the **Tenant Allow/Block List** page, select the **URLs** tab.

+3. On the **URLs** tab, click  **Block**.

+4. In the **Block URLs** flyout that appears, configure the following settings:

+ - **Add URLs with wildcards**: Enter one URL per line, up to a maximum of 20. For details about the syntax for URL entries, see the [URL syntax for the Tenant Allow/Block List](#url-syntax-for-the-tenant-allowblock-list) section later in this article.

+ - **Remove block entry after**: The default value is **30 days**, but you can select from the following values:

+ - **Never expire**

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **Specific date**: The maximum value is 90 days from today.

+ - **Optional note**: Enter descriptive text for the entries.

+5. When you're finished, click **Add**.

+#### Use PowerShell to create block entries for URLs in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+New-TenantAllowBlockListItems -ListType Url -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate <Date> | -NoExpiration> [-Notes <String>]

+```

+This example adds a block URL entry for contoso.com and all subdomains (for example, contoso.com and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days.

+```powershell

+New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com

+```

+For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).

+## Use the Microsoft 365 Defender portal to create allow entries for URLs in the Submissions portal

+You can't create URL allow entries directly in the Tenant Allow/Block List. Instead, you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report the message as a false positive. For more information about admin submissions, see [Use the Submissions portal to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](admin-submission.md).

+Reporting the URL as a false positive on the **Submissions** page adds an allow entry for the URL in the Tenant Allow/Block List.

+> [!IMPORTANT]

+> Because Microsoft manages allow entries for you, unneeded URL allow entries will be removed. This behavior protects your organization and helps prevent misconfigured allow entries. If you disagree with the verdict, you might need to open a support case to help determine why a URL is still considered bad.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, select the **URLs** tab

+3. On the **URLs** tab, click  **Submit to Microsoft for analysis**.

+4. In the **Submit to Microsoft for analysis** flyout that appears, enter the following information:

+ - **Select the submission type**: Verify the value **URL** is selected.

+ - **URL**: Enter the full URL (for example, `https://www.fabrikam.com/marketing.html`), and then select it in the box that appears.

+ - **Select a reason for submitting to Microsoft**: Select **Should not have been blocked (False positive)**, and then configure the following settings:

+ - **Allow this URL**: Turn on this setting .

+ - **Remove allow entry after**: The default value is **30 days**, but you can select from the following values:

+ - **1 day**

+ - **7 days**

+ - **30 days**

+ - **Specific date**: The maximum value is 30 days from today.

+ - **Allow entry note**: Enter optional information about why you're allowing this URL.

+ When you're finished, click **Submit**, and then click **Done**.

+ :::image type="content" source="../../media/admin-submission-url-allow.png" alt-text="Submit a false positive (good) URL to Microsoft for analysis on the Submissions page in the Defender portal." lightbox="../../media/admin-submission-url-allow.png":::

+5. After a few moments, the URL allow entry will appear on the **URL** tab on the **Tenant Allow/Block List** page.

+> [!NOTE]

+>

+> - When the URL is detected again, it's not sent for [Safe Links](safe-links.md) detonation or URL reputation checks, and all other URL-based filters are skipped.

+> - During mail flow, if messages containing the URL pass other non-URL checks in the filtering stack, the messages will be delivered.

+## Use the Microsoft 365 Defender portal to view allow or block entries for URLs in the Tenant Allow/Block List

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Select the **URL** tab. The following columns are available:

+ - **Value**: The URL.

+ - **Action**: The value **Allow** or **Block**.

+ - **Modified by**

+ - **Last updated**

+ - **Remove on**: The expiration date.

+ - **Notes**

+ Click on a column heading to sort in ascending or descending order.

+ Click  **Group** to group the results by **None** or **Action**.

+ Click  **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click  to clear the search.

+ Click  **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:

+ - **Action**: **Allow** and **Block**.

+ - **Never expire**:  or 

+ - **Last updated**: Select **From** and **To** dates.

+ - **Remove on**: Select **From** and **To** dates.

+ When you're finished, click **Apply**. To clear existing filters, click  **Clear filters** in the **Filter** flyout.

+### Use PowerShell to view allow or block entries for URLs in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+Get-TenantAllowBlockListItems -ListType Url [-Allow] [-Block] [-Entry <URLValue>] [<-ExpirationDate <Date> | -NoExpiration>]

+```

+This example returns all allowed and blocked URLs.

+```powershell

+Get-TenantAllowBlockListItems -ListType Url

+```

+This example filters the results by blocked URLs.

+```powershell

+Get-TenantAllowBlockListItems -ListType Url -Block

+```

+For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).

+## Use the Microsoft 365 Defender portal to modify allow or block entries for URLs in the Tenant Allow/Block List

+When you modify an allow or block URL entry in the Tenant Allow/Block list, you can only modify the expiration date and notes.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Select the **URLs** tab

+3. On the **URLs** tab, select the check box of the entry that you want to modify, and then click the  **Edit** button that appears.

+4. The following values are available in the **Edit URL** flyout that appears:

+ - **Remove allow entry after** or **Remove block entry after**:

+ - You can extend allow entries for a maximum of 30 days after the creation date.

+ - You can extend block entries for a maximum of 90 days after the creation date or set them to **Never expire**.

+ - **Optional note**

+ When you're finished, click **Save**.

+> [!NOTE]

+> For allow entries only, if you select the entry by clicking anywhere in the row other than the check box, you can select  **View submission** in the details flyout that appears to go to the **Submissions** page at <https://security.microsoft.com/reportsubmission>.

+### Use PowerShell to modify allow or block entries for URLs in the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+Set-TenantAllowBlockListItems -ListType Url <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]

+```

+This example changes the expiration date of the specified block URL entry.

+```powershell

+Set-TenantAllowBlockListItems -ListType Url -Entries "~contoso.com" -ExpirationDate "9/1/2022"

+```

+For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).

+## Use the Microsoft 365 Defender portal to remove allow or block entries for URLs from the Tenant Allow/Block List

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Select the **URLs** tab.

+3. On the **URLs** tab, do one of the following steps:

+ - Select the check box of the entry that you want to remove, and then click the  **Delete** icon that appears.

+ - Select the entry that you want to remove by click anywhere in the row other than the check box. In the details flyout that appears, click  **Delete**.

+4. In the warning dialog that appears, click **Delete**.

+> [!NOTE]

+> You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header.

+### Use PowerShell to remove allow or block entries for URLs from the Tenant Allow/Block List

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+```powershell

+Remove-TenantAllowBlockListItems -ListType Url <-Ids <Identity value> | -Entries <Value value>>

+```

+This example removes the specified block URL entry from the Tenant Allow/Block List.

+```powershell

+Remove-TenantAllowBlockListItems -ListType Url -Entries "~cohovineyard.com

+```

+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).

+- [Use the Submissions portal to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](admin-submission.md)

+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](manage-tenant-allow-block-list.md).

+> The following anti-spam technologies are useful when you want to allow or block messages based on the message envelope (for example, the sender's domain or the source IP address of the message). To allow or block messages based on payload (for example, URLs in the message or attached files), then you should use the [Tenant Allow/Block List portal](manage-tenant-allow-block-list.md).

+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](manage-tenant-allow-block-list.md).

+ - Create inbox rules in your email client to move messages to the Inbox. You can also ask your admins to configure overrides as described in [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md) and [Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+ - Use the Tenant Allow/Block List to create an override for the mailing list to treat it as legitimate. For more information, see [Create allow entries for spoofed senders](allow-block-email-spoof.md#create-allow-entries-for-spoofed-senders).

+ - **Simulation URLs to allow**: Expand this setting and optionally enter specific URLs that are part of your phishing simulation campaign that should not be blocked or detonated by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. You can add up to 10 entries. For the URL syntax format, see [URL syntax for the Tenant Allow/Block List](allow-block-urls.md#url-syntax-for-the-tenant-allowblock-list). These URLs are wrapped at the time of click, but they aren't blocked.

+## PowerShell procedures for SecOps mailboxes in the advanced delivery policy

+In PowerShell, the basic elements of SecOps mailboxes in the advanced delivery policy are:

+## PowerShell procedures for third-party phishing simulations in the advanced delivery policy

+In PowerShell, the basic elements of third-party phishing simulations in the advanced delivery policy are:

+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:

+For details about the URL syntax, see [URL syntax for the Tenant Allow/Block List](allow-block-urls.md#url-syntax-for-the-tenant-allowblock-list)

+> You can now manage block URL entries in the [Tenant Allow/Block List](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.

+> - To allow a domain to send unauthenticated email (bypass anti-spoofing protection) but not bypass anti-spam and other protections, you can use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+You can also use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](manage-tenant-allow-block-list.md) to permit senders to transmit unauthenticated messages to your organization.

+|Anti-spoofing protection|[Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md) <p> [Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md)|

+|Tenant Allow/Block List|[Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md)|

+> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](manage-tenant-allow-block-list.md).

+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Spoofed senders** tab on the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. To go directly to the **Spoof intelligence insight** page, use <https://security.microsoft.com/spoofintelligence>.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section. To go directly to the **Spoofed senders** tab on the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>.

+In PowerShell, you use the **Get-SpoofIntelligenceInsight** cmdlet to **view** allowed and blocked spoofed senders that were detected by spoof intelligence. To manually allow or block the spoofed senders, you need to use the **New-TenantAllowBlockListSpoofItems** cmdlet. For more information, see [Use PowerShell to manage spoofed sender entries to the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow for incoming messages form external senders (does not apply to intra-org messages) and at the time of user clicks.

+The Tenant Allow/Block list is available in the the Microsoft 365 Defender portal at <https://security.microsoft.com> \> **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+For entry creation and configuration instructions, see the following topics:

+- **Domains and email addresses** and **spoofed senders**: [Allow or block emails using the Tenant Allow/Block List](allow-block-email-spoof.md)

+- **Files**: [Allow or block files using the Tenant Allow/Block List](allow-block-files.md)

+- **URLs**: [Allow or block URLs using the Tenant Allow/Block List](allow-block-urls.md).

+These articles contain procedures in the Microsoft 365 Defender Portal and in PowerShell.

+## Block entries in the Tenant Allow/Block List

+Use the Submissions portal (also known as *admin submission*) at <https://security.microsoft.com/reportsubmission> to create block entries for the following types of items as you report them as false positives to Microsoft:

+- **Domains and email addresses**:

+ - Email messages from these senders are blocked as *high confidence spam* (SCL = 9) and moved to the Junk Email folder.

+ - Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): `5.7.1 Your message can't be delivered because one or more recipients are blocked by your organization's tenant allow/block list policy.`

+- **Files**: Email messages that contain these blocked files are blocked as *malware*.

+- **URLs**: Email messages that contain these blocked URLs are blocked as *phishing*.

+In the Tenant Allow/Block List, you can also directly create block entries for the following types of items:

+- **Domains and email addresses**, **Files**, and **URLs**.

+- **Spoofed senders**: If you manually override an existing allow verdict from [spoof intelligence](learn-about-spoof-intelligence.md), the blocked spoofed sender becomes a manual block entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List.

+By default, block entries for **domains and email addresses**, **files** and **URLs** expire after 30 days, but you can set them to expire up 90 days or to never expire. Block entries for **spoofed senders** never expire.

+## Allow entries in the Tenant Allow/Block List

+In most cases, you can't directly create allow entries in the Tenant Allow/Block List:

+- **Domains and email addresses**, **files**, and **URLs**: You can't create allow entries directly in the Tenant Allow/Block List. Instead you use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report the **email**, **email attachment**, or **URL** to Microsoft as **Should not have been blocked (False positive)**.

+- **Spoofed senders**:

+ - If spoof intelligence has already blocked the message as spoofing, use the Submissions portal at <https://security.microsoft.com/reportsubmission> to report the **email** to Microsoft as **Should not have been blocked (False positive)**.

+ - You can proactively create an allow entry for a spoofed sender on the **Spoofed sender** tab in the Tenant Allow/Block List before [spoof intelligence](learn-about-spoof-intelligence.md) identifies and blocks the message as spoofing.

+The following list describes what happens in the Tenant Allow/Block List when you report something to Microsoft as a false positive in the Submissions portal:

+- **Email attachments** and **URLs**: An allow entry is created and it appears on the **Files** or **URLs** tab in the Tenant Allow/Block List.

+- **Email**: If a message was blocked by the Microsoft 365 filtering stack, an allow entry might be created in the Tenant Allow/Block List:

+ - If the message was blocked by [spoof intelligence](learn-about-spoof-intelligence.md), an allow entry for the sender is created and it appears on the **Spoofed senders** tab in the Tenant Allow Block List.

+ - If the message was blocked by by [domain or user impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in Defender for Office 365, an allow entry is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](configure-mdo-anti-phishing-policies.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.

+ - If the message was blocked for other reasons, an allow entry for the sender is created and it appears on the **Domains & addresses** tab in the Tenant Allow Block List.

+ - If the message was not blocked, and allow entry for the sender is not created, so it won't on the **Spoofed senders** tab or the **Domains & addresses** tab.

+By default, allow entries for **domains and email addresses**, **files** and **URLs** expire after 30 days, which is also the maximum. Allow entries for **spoofed senders** never expire.

+> [!NOTE]

+> Because Microsoft manages allow entries for you, unneeded allow entries for **domains and email addresses**, **URLs**, or **files** will be removed. This behavior protects your organization and helps prevent misconfigured allow entries. If you disagree with the verdict, you might need to open a support case to help determine why a message is still considered bad.

+>

+> Allows are added during mail flow, based on which filters determined the message to be malicious. For example, if the sender and a URL in the message were determined to be bad, an allow entry is created for the sender, and an allow entry is created for the URL.

+>

+> When that entity (domain or email address, URL, file) is encountered again, all filters associated with that entity are skipped.

+>

+> During mail flow, if messages from the domain or email address pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-validation-and-authentication.md) passes, a message from a sender in the allow entry will be delivered.

+## What to expect after you add an allow or block entry

+After you add an allow entry through the Submissions portal or a block entry in the Tenant Allow/Block List, the entry should start working immediately.

+We recommend letting entries automatically expire after 30 days to see if the system has learned about the allow or block. If not, you should make another entry to give the system another 30 days to learn.

+- The [Tenant Allow/Block List](manage-tenant-allow-block-list.md)

+ - **Tenant AllowBlockList Manager**: Manage allow and block entries in the [Tenant Allow/Block List](manage-tenant-allow-block-list.md). Blocking URLs, files (using file hash) or senders is a useful response action to take when investigating malicious email that was delivered.

+For the short-term mitigation of false negatives, security teams can directly manage block entries for files, URLs, and domains or email addresses in the [Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+For the short-term mitigation of false positives, security teams can't directly manage allow entries for domains and email addresses in the Tenant Allow/Block List. Instead, they need to use [admin submissions](admin-submission.md) to report the email message as a false positive. For instructions, see [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions portal](allow-block-email-spoof.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal).

+- You can block undetected malicious files, URLs, or senders using the [Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+ Report any false positives to Microsoft as early as possible through admin submissions, use the [Tenant Allow/Block List](manage-tenant-allow-block-list.md) feature to configure safe overrides for those false positives.

+|Allowed sender domains <br><br> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <br><br> Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](manage-tenant-allow-block-list.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|

+|**If message is detected as spoof** <br><br> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Quarantine the message** <br><br> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](manage-tenant-allow-block-list.md). <br><br> If you select **Quarantine the message**, an **Apply quarantine policy** box is available to select the quarantine policy that defines what users are allowed to do to messages that are quarantined as spoofing. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as spoofing (DefaultFullAccessPolicy with no quarantine notifications). <br><br> Standard and Strict preset security policies use the default quarantine policy (DefaultFullAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-phishing policies. For more information, see [Quarantine policies](quarantine-policies.md).|

+|**Block the following URLs** <br><br> _ExcludedUrls_|Blank <br><br> `$null`|Blank <br><br> `$null`|We have no specific recommendation for this setting. <br><br> For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links). <br><br> **Note**: You can now manage block URL entries in the [Tenant Allow/Block List](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.|

+|**Do not rewrite the following URLs in email** <br><br> _DoNotRewriteUrls_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|We have no specific recommendation for this setting. <br><br> **Note**: Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [allow URL entries in the Tenant Allow/Block List](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-in-the-submissions-portal) so URLs are not scanned or wrapped by Safe Links during mail flow _and_ at time of click.|

+> You can now manage block URL entries in the [Tenant Allow/Block List](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.

+- For a truly universal list of URLs that are blocked everywhere, see [Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+> Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [allow URL entries in the Tenant Allow/Block List](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-in-the-submissions-portal) so URLs are not scanned or wrapped by Safe Links during mail flow _and_ at time of click.

+ For a truly universal list of URLs that are allowed everywhere, see [Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md). However, note that URLs added there will not be excluded from Safe Links rewriting, as that must be done in a Safe Links policy.

+ - [Manage the Tenant Allow/Block List in EOP](manage-tenant-allow-block-list.md)

+- Allow the spoofed sender in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually in the [Tenant Allow/Block List](manage-tenant-allow-block-list.md). Allowing the spoofed sender will prevent the via tag from appearing in messages from the sender, even if the **Show "via" tag** setting is turned on in the policy.

+ > Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [URL allow entries in the Tenant Allow/Block List](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-in-the-submissions-portal) so URLs are not scanned or wrapped by Safe Links during mail flow _and_ at time of click.

+|**Anti-phishing**|Yes|Configure the default anti-phishing policy as described here: [Configure anti-phishing protection settings in EOP and Defender for Office 365](protect-against-threats.md#part-2anti-phishing-protection-in-eop-and-defender-for-office-365). <p> More information: <ul><li>[Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md)</li><li>[Recommended anti-phishing policy settings in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365)</li><li> [Impersonation insight](impersonation-insight.md)</li><li>[Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)</li><li>[Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md).</li></ul>|

+- Safe Links will detonate URLs in mail flow. To prevent specific URLs from being detonated, use the Tenant Allow/Block List. For more information, see [Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md).

+- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as phishing in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](learn-about-spoof-intelligence.md), the **Spoofed senders** tab in the [Tenant Allow/Block List](manage-tenant-allow-block-list.md), and the [Spoof detections report](view-email-security-reports.md#spoof-detections-report). Once you have reviewed allowed and blocked spoofed senders and made any necessary overrides, you can be confident to [configure spoof intelligence in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder.

+- Admins can use the [spoof intelligence insight](learn-about-spoof-intelligence.md) or the [Tenant Allow/Block List](manage-tenant-allow-block-list.md) to allow messages from the spoofed sender.

+[Use trusted ARC Senders for legitimate mailflows](/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders?view=o365-21vianet&preserve-view=true)

+> Spoofed sender management in the Microsoft 365 Defender portal is now available only on the **Spoofed senders** tab in the Tenant Allow/Block List. For current procedures in the Microsoft 365 Defender portal, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).

+> - [Use PowerShell to view allow or block entries for spoofed senders in the Tenant Allow/Block List](allow-block-email-spoof.md#use-powershell-to-view-allow-or-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list)

+> - [Use PowerShell to create allow entries for spoofed senders](allow-block-email-spoof.md#use-powershell-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list)

+> - [Use PowerShell to create block entries for spoofed senders](allow-block-email-spoof.md#use-powershell-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list)

+> - [Use PowerShell to modify allow or block entries for spoofed senders in the Tenant Allow/Block List](allow-block-email-spoof.md#use-powershell-to-modify-allow-or-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list)

+> - [Use PowerShell to remove allow or block entries for spoofed senders from the Tenant Allow/Block List](allow-block-email-spoof.md#use-powershell-to-remove-allow-or-block-entries-for-spoofed-senders-from-the-tenant-allowblock-list)

+## August 2022

+**Automatic redirection from Office 365 Security and Compliance Center to Microsoft 365 Defender portal:** Automatic redirection begins for users accessing the security solutions in Office 365 Security and Compliance center (protection.office.com) to the appropriate solutions in Microsoft 365 Defender portal (security.microsoft.com). This is for all security workflows like: Alerts, Threat Management, and Reports.

+- Redirection URLs:

+ - GCC Environment:

+ - From Office 365 Security & Compliance Center URL: protection.office.com

+ - To Microsoft 365 Defender URL: security.microsoft.com

+ - GCC-High Environment:

+ - From Office 365 Security & Compliance Center URL: scc.office365.us

+ - To Microsoft 365 Defender URL: security.microsoft.us

+ - DoD Environment:

+ - From Office 365 Security & Compliance Center URL: scc.protection.apps.mil

+ - To Microsoft 365 Defender URL: security.apps.mil

+- Items in the Office 365 Security and Compliance Center that are not related to security aren't redirected to Microsoft 365 Defender. For compliance solutions redirection to Microsoft 365 Compliance Center, see Message Center post 244886.

+- This is a continuation of [Microsoft 365 Defender delivers unified XDR experience to GCC, GCC High and DoD customers - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-365-defender-delivers-unified-xdr-experience-to-gcc/ba-p/3263702), announced in March 2022.

+- This change enables users to view and manage additional Microsoft 365 Defender security solutions in one portal.

+- This change impacts all customers who use the Office 365 Security and Compliance Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or Plan 2), Microsoft 365 E3 / E5, Office 365 E3/ E5, and Exchange Online Protection. For the full list, see [Security & Compliance Center - Service Descriptions | Microsoft Docs](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)

+- This change impacts all users who log in to the Office 365 Security and Compliance portal (protection.office.com), including security teams and end-users who access the Email Quarantine experience, at the **Microsoft Defender Portal** > **Review** > **Quarantine**.

+- Redirection is enabled by default and impacts all users of the Tenant.

+- Global Administrators and Security Administrators can turn on or off redirection in the Microsoft 365 Defender portal by navigating to **Settings** > **Email & collaboration** > **Portal redirection** and switch the redirection toggle.

+- [Introducing actions into the email entity page](mdo-email-entity-page.md): Admins can take preventative, remediation and submission actions from email entity page.

+- [Use the Microsoft 365 Defender portal to create allow entries for spoofed senders in the Submissions portal](allow-block-email-spoof.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-submissions-portal): Create allowed spoofed sender entries using the Tenant Allow/Block List.

+- [Impersonation allows using admin submission](allow-block-email-spoof.md#about-impersonated-domains-or-senders): Add allows for impersonated senders using the Submissions page in Microsoft 365 Defender.

+- [Simplifying the quarantine experience (part two) in Microsoft 365 Defender for office 365](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/simplifying-the-quarantine-experience-part-two/ba-p/3354687): Highlights additional features to make the quarantine experience even easier to use.

+- ou can now add allow entries to the Tenant Allow/Block List if the blocked message was submitted as part of the admin submission process. Depending on the nature of the block, the submitted URL, file, and/or sender allow will be added to the Tenant Allow/Block List. In most cases, the allows are added to give the system some time and allow it naturally if warranted. In some cases, Microsoft manages the allow for you. For more information, see:

+ - [Use the Microsoft 365 Defender portal to create allow entries for URLs in the Submissions portal](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-in-the-submissions-portal)

+ - [Use the Microsoft 365 Defender portal to create allow entries for files in the Submissions portal](allow-block-files.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-files-in-the-submissions-portal)

+ - [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions portal](allow-block-email-spoof.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal)

+- New first contact safety tip setting within anti-phishing policies. This safety tip is shown when recipients first receive an email from a sender or don't often receive email from a sender. For more information on this setting and how to configure it, see the following articles: