+ Update-MgUser -UserId <user ID> -PasswordPolicies DisablePasswordExpiration

+ Get-MGuser -All | Update-MgUser -PasswordPolicies DisablePasswordExpiration

+ Update-MgUser -UserId <user ID> -PasswordPolicies None

+ Get-MGuser -All | Update-MgUser -PasswordPolicies None

+## Privacy and security in Basic Mobility and Security

+Microsoft Intune sends information to Microsoft 365 about the compliance status of each managed device, and then you can generate reports that show whether managed devices in your organization are compliant based upon the policies that were set. To learn more about Microsoft's commitment to the privacy and security, see the [Microsoft Trust Center](https://www.microsoft.com/trust-center).

+**Step 3:** Create device policies and apply them to groups of users. When you do this, your users get an enrollment message on their device, and when they've completed enrollment, their devices are restricted by the policies you've set up for them. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md).

+Need help setting up the records? Find your domain registrar and select the registrar name to go to step-by-step help for creating DNS records in the list provided in [Add DNS records to connect your domain](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider). Use the following details to create CNAME records:

+| Type | Host name | Points to | TTL |

+| | | | |

+| CNAME | EnterpriseEnrollment.company_domain.com | EnterpriseEnrollment-s.manage.microsoft.us | 1 hour|

+|CNAME | EnterpriseRegistration.company_domain.com | EnterpriseRegistration.windows.net | 1 hour |

+ You can view available add-ins by categories: **Suggested for you**, **Rating**, or **Name**. Only free add-ins are available from the Office Store. Paid add-ins aren't supported currently. After you select an add-in, accept the terms and conditions to proceed. <br/>

+

+## Add a marketing campaign ID to a Bookings page URL

+Keep track of your Bookings marketing campaigns by adding a campaign ID to the end of your Booking page URL.

+Use a campaign ID to see how your marketing campaigns are doing. Add a campaign ID you choose to the end of your Bookings page URL and use the campaign ID in your different marketing platforms to see which of your campaigns are connecting with customers.

+## Add campaign ID

+1. In Microsoft 365, select the App launcher, and then select **Bookings**.

+2. Choose your calendar and in the left navigation pane, select **Booking page** and copy your booking page URL and paste it into a text editing program, like Notepad.

+ :::image type="content" source="../media/copy-booking-page-url.png" alt-text="Screenshot: Copy Bookings page URL so you can add a campaign ID for marketing":::

+3. Add a campaign ID to the end of the Booking page URL. For example, if your booking page URL looks like this, [https://outlook.office365.com/owa/calendar/TailspinToys@contosopetscom.onmicrosoft.com/bookings/](https://outlook.office365.com/owa/calendar/TailspinToys@contosopetscom.onmicrosoft.com/bookings/), you would choose an ID to add to the end. For example, if you wanted to track your booking details from your Twitter page, you could add Twitter to the end of the URL. The new URL that you would add to your Twitter page would look like this: [https://outlook.office365.com/owa/calendar/TailspinToys@contosopetscom.onmicrosoft.com/bookings/?RefID=Twitter](https://outlook.office365.com/owa/calendar/TailspinToys@contosopetscom.onmicrosoft.com/bookings/?RefID=Twitter). Use different campaign IDs to track the marketing campaigns you're running.

+> [!NOTE]

+> Characters in the campaign ID must be one of the following: alphanumeric characters, underscore or hyphen. Make sure you test your Campaign ID url by copying and pasting into a web browser.

+### Track campaign IDs

+You can track how your campaigns are doing by downloading a report (TSV file) that shows you the last four months of activities of your Bookings calendar. The TSV file will show you four months of data, but you can select different four month periods over the course of a year. For more information on how to download the report, see [Reporting info for Bookings](reporting-info.md).

+> [!NOTE]

+> Text message notifications in Bookings requires a Teams Premium license.

+**Enable text message notifications for your customer** If selected, SMS messages are sent to the customer, but only if they opt in.

+**Reminders and notifications** are sent out to customers, staff members, or both, at a specified time before the appointment. Multiple messages can be created for each appointment, according to your preference.

+## Language translation for Service health dashboard

+Service health dashboard posts are written in English-only due to the timeliness of the information we are posting, but can be automatically displayed in the language specified by your personal language settings for Microsoft 365. If you set your preferred language to anything other than English, you'll see an option in the Service health dashboard to automatically translate posts. The messages are machine translated to your preferred language, meaning that a computer did the translation. This option controls the default view, but you can also use the drop-down menu to translate and display posts in any of the languages we support for translation. If you select English, we'll revert the message to the original English version.

+Before you can choose your language settings, you have to set your preferred language. No translation options are shown when your language is set to English. You can't specify a preferred language for others, each person has to change this setting for themselves.

+## Set your preferred language

+1. Go to the Microsoft 365 admin center [https://admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2024339), or home page, select the settings icon in the upper-right corner of the page.

+1. Under **Language and time zone**, select **View all** to show the available options. Select your desired language from the drop-down menu, and then select **Save**. Microsoft 365 will try to refresh and display the new language. If that doesn't happen immediately or if it seems that it's taking too long, you can either refresh your browser or sign out and then sign back in.

+## Machine translation in Service health dashboard

+When your preferred language isn't set to English, the translation options are available.

+To set Service health dashboard posts to automatically machine-translate and display in your preferred language, go to Health > Service health dashboard. You'll see a switch at the top of the view to toggle automatic translation on or off. When this setting is off, posts are shown in English. When this setting is on, messages display in your preferred language. The setting you choose will persist for each visit.

+|Delivered|Notification delivered to the recipientΓÇÖs phone.|

+A graph export API that can access Loop content stored in [Syntex repository services](https://devblogs.microsoft.com/microsoft365dev/introducing-syntex-repository-services-microsoft-365-superpowers-for-your-app/) is not yet available.

+| summarize EventCount=count() by ActionType

+|**On-premises**|For enterprises that want to take advantage of the cloud-based capabilities of Microsoft Defender for Endpoint while also maximizing their investments in Configuration Manager or Active Directory Domain Services, we recommend this architecture.|

+ > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from the above link is: 'F0C48E4FF92851ED8FF2E70E80AB278399C893AD45E70F20B53672D5463AF61D'

+ echo 'F0C48E4FF92851ED8FF2E70E80AB278399C893AD45E70F20B53672D5463AF61D XMDEClientAnalyzerBinary.zip' | sha256sum -c

+ echo 'D21A5DD6705589705227B0E773EDAB86CB31E7FC8DB5F52EE23F581759838AD2 XMDEClientAnalyzer.zip' | sha256sum -c

+| - |Added accurate EOS details for Outlook (2010 & 2013) and Office build versions: </br> (2304,2305,1902,1908,2008,2202)| 10-Aug-23

+|Inaccuracy report ID |Description |Fix date |

+|24162 |Fixed inaccuracy in MYSQL Workbench| 04-Jul-23|

+|25736 | Fixed inaccuracy in KeePass | 04-Jul-23|

+|24598 | Fixed inaccuracy in Adobe Flash Player plugins |04-Jul-23|

+| - |Lenovo CVEs not currently supported by Defender Vulnerability Management: </br> CVE-2021-3519, CVE-2021-22499, CVE-2021-22500, CVE-2021-22514| 03-Jul-23|

+| - |Added Microsoft Defender Vulnerability Management support for Arcserve UDP | 05-Jul-23|

+| - |Added accurate EOS details for Log4j versions| 05-Jul-23|

+|27379 | Fixed inaccuracy in Adobe Animate | 06-Jul-23|

+| - |Added Arcserve UDP affected product details in CVE-2023-26258 |05-Jul-23|

+|26391 | Fixed inaccuracy in CVE-2020-26941 | 09-Jul-23|

+|25245 | Fixed inaccuracy in CVE-2022-40011 | 11-Jul-23|

+| - |Added Defender Vulnerability Management support for </br> Microsoft PowerBi Desktop | 13-Jul-23|

+| - |Added zero-day details for CVE-2023-36884 | 12-Jul-23|

+|26421 |Defender Vulnerability Management does not currently support: </br> ThinkCentre M75q Gen 2 & ThinkPad l390 Firmware| 14-Jul-23|

+|23876 |Fixed inaccurate recommendation in Microsoft Teams CVE-2023-24881 | 20-Jul-23|

+|25969 |Fixed inaccuracy in Siemens Sinec NMS | 24-Jul-23|

+| - |Added EOS details for Windows Server 2012 & Windows Server 2012 R2 | 25-Jul-23|

+|29096 | Fixed inaccurate detection of Slack version 1.0.0.0 | 25-Jul-23|

+|27941 | Defender Vulnerability Management doesn't currently support </br> Application Performance Management| 25-Jul-23|

+|26116 | Fixed inaccuracy in HP CVEs: </br> CVE-2021-33159, CVE-2022-26845, CVE-2022-27497, CVE-2022-29893 | 27-Jul-23|

+|25809 | Defender Vulnerability Management doesn't currently support: </br> Visio 2010, 2013, 2016 & 2019 | 31-Jul-23|

+|25810 | Defender Vulnerability Management doesn't currently support Project 2019| 31-Jul-23|

+|28176 | Fixed inaccuracy in VMWare Tools CVE-2021-31693 | 31-Jul-23|

+|29089 | Fixed inaccuracy in CVE-2023-24329| 31-Jul-23|

+|28489 | Fixed inaccuracy in CVE-2020-9484 | 31-Jul-23|

+|28385 | Fixed inaccuracy in CVE-2023-28759| 31-Jul-23|

+- **Act on managed responses in a timely manner** ΓÇô For any suspicious incidents and alerts, our experts provide a detailed investigation summary and managed responses for remediation. We expect your SOC team to act on these managed responses in a timely manner to prevent further impact from any malicious attempts.

+In addition to the constantly updated research and intelligence tailored for the threats currently seen across the various Microsoft 365 Defender signals, you'll receive managed response from our security analysts and support from Microsoft's security-focused service delivery managers (SDMs). This service lets you enjoy the following capabilities:

+ Title: FAQs related to Microsoft Defender Experts for XDR incident notifications

+description: Frequently asked questions related to Defender Experts for XDR incident notifications

+keywords: XDR, XDR incidents, Xtended detection and response, FAQ's related to XDR, defender experts for xdr, XDR incident notifications, defender experts analyst, managed threat hunting, managed detection and response (MDR) service, real-time visibility with XDR experts, DEX-XDR FAQ's

+search.product: Windows 10

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ - m365-security

+ - tier1

+search.appverid: met150

+# Understanding and managing Defender Experts for XDR incident updates

+**Applies to:**

+- [Microsoft 365 Defender](microsoft-365-defender.md)

+The following section lists down questions your SOC team might have regarding the receipt of [incident notifications](start-using-mdex-xdr.md).

+## In Microsoft 365 Defender portal and Graph Security API

+| Questions | Answers |

+|||

+| **How do I know whether a Defender Experts analyst has started working on an incident?** | When a Defender Experts analyst starts working on an incident, the incident's **Assigned to** field is updated to _Defender Experts_.|

+| **How do I know whether a Defender Experts analyst has resolved an incident?** | When a Defender Experts analyst has resolved an incident, the incident's **Status** field is updated to _Resolved_. |

+| **How do I know what conclusion led a Defender Experts analyst to resolve an incident?** | When Defender Experts analysts resolve an incident, they modify the incident's **Classification** and **Determination** fields and provide a concise summary in its **Comments** section.<br><br>If an incident is classified as a True Positive, a comprehensive **Investigation summary** appears in the **Managed response** flyout panel in your Microsoft 365 Defender portal.|

+| **How do I know what actions a Defender Experts analyst took in my tenant when investigating an incident?** | For each incident they investigate, the Defender Experts analyst summarizes any actions they performed within your tenant in the incident's **Investigation summary** located in the **Managed response** flyout panel in your Microsoft 365 Defender portal.<br><br>You can also retrieve information about these actions, and the times they signed into your tenant, by [searching your audit logs](/microsoft-365/security/defender/auditing#create-a-rule-for-email-notifications) either on the Microsoft Purview compliance portal or through the Office 365 Management Activity API.|

+| **How do I know whether a Defender Experts analyst has sent any response actions for my SOC team?** | The Defender Experts analyst publishes the [response actions](/microsoft-365/security/defender/start-using-mdex-xdr#actions) they recommend your SOC team to perform on an incident in an incident's **Managed response** flyout panel in your Microsoft 365 Defender portal.<br><br>At this time, the incident's **Assigned to** field is updated to _Customer_ and its **Status** is updated to _Awaiting Customer Action_.<br><br>Your incident contacts, which you have [designated](/microsoft-365/security/defender/get-started-xdr#tell-us-who-to-contact-for-important-matters) in **Settings** > **Defender Experts** > **Notification contacts** in your Microsoft 365 Defender portal, also receive a corresponding email notification if there are response actions requiring your attention. |

+| **How do I ask a Defender Experts analyst questions about an investigation or response action?** | After a Defender Experts analyst publishes their investigation summary and recommended response actions in the **Managed response** flyout panel of a True Positive incident, you can use the **Chat** tab in the same panel to ask the Defender Experts team questions about the incident and their investigation.<br><br>Alternatively, your designated incident contacts can directly respond to the email they received from Defender Experts to ask any questions you might have.|

+| **How do I know which incidents have pending response actions?** | The Defender Experts card in your Microsoft 365 Defender portal home page includes a link that displays a message (for example, _3 incidents awaiting your action_). Selecting this link directs you to a filtered list of incidents specifically requiring your attention.<br><br>You can filter the incident queue in your Microsoft 365 Defender portal by selecting **Assigned to** as _Customer_ or **Status** as _Awaiting Customer Action_.|

+## In Microsoft Sentinel

+| Questions | Answers |

+|||

+| **How do I get Defender Experts updates in Sentinel?** | If you have enabled the data connector between Microsoft 365 Defender and Microsoft Sentinel, updates made by Defender Experts in Defender to incidents are synchronized with Microsoft Sentinel. [Learn more](/articles/sentinel/connect-microsoft-365-defender).<br><br>The **Assigned to**, **Status**, and **Classification** fields in Microsoft 365 Defender incidents are mapped to the corresponding fields in Sentinel, namely **Owner**, **Status**, and **Reason for closing**.|

+| **How do I get Defender Experts updates in Sentinel to automatically trigger a playbook?** | To get Defender Experts updates, first, set up automation rules in Sentinel that are triggered with the following Defender Experts updates:<ul><li>When the **Owner** field in Microsoft Sentinel is updated to _Defender Experts_ or _Customer_.</li><li> When the **Status** field in Microsoft Sentinel is updated to _Active_ or _Closed_, which corresponds to Microsoft 365 Defender **Status** _Active_ and _In Progress_ respectively.</li><li>When Sentinel **Tag** _Awaiting Customer Action_ gets added, which corresponds to Microsoft 365 Defender **Status** _Awaiting Customer Action_.</li></ul>Next, set up playbooks in Microsoft Sentinel to automatically sync incident updates or [send incident notifications into other apps](/articles/sentinel/tutorial-respond-threats-playbook).<ul><li>Send email, or Teams message, or Slack message to your SOC team when a Defender Experts analyst is assigned to an incident.</li><li>Send SMS or phone call via Azure Communications Services or Twilio connector to your SOC lead when Defender Experts publishes response action for your team.</li><li>Create a task or ticket in apps such as Azure DevOps, ServiceNow, Jira, ZenDesk, FreshService, PagerDuty, etc. for your IT Ops team. </li></ul>|

+| **How can I access managed response actions published by Defender Experts from Sentinel?** | Once Defender Experts publish managed response actions for an incident in your Microsoft 365 Defender portal, the **Owner** field is updated to _Customer_ automatically, and the tag _Awaiting Customer Action_ is available in Sentinel. You can use these field changes as a trigger to review the managed response panel for the corresponding incident in the Microsoft 365 Defender portal.|

+## In third-party SIEM, SOAR, or ITSM apps

+| Questions | Answers |

+|||

+| **How do I get Defender Experts updates from Microsoft 365 Defender to sync into third-party security information and event management (SIEM), security orchestration, automation and response (SOAR), or ITSM apps?** | You can get Defender Experts updates from Microsoft 365 Defender through the _Graph Security API_ ([_microsoft.graph.security.incident_](/graph/api/resources/security-incident).<br></br>To initiate the synchronization process:<ol><li>Establish the mapping between fields in Microsoft 365 Defender and the corresponding fields in the desired application. Determine whether the sync should be uni- or bi-directional and ensure that the other application supports that. <li>Develop, test, and deploy your sync integration. In most cases, it's recommended to periodically poll the Graph Security API every minute or so to check for updates.<li>Periodically validate that the field mapping is up to date.</ol>|

+| **Can I sync managed response actions published by Defender Experts in Microsoft 365 Defender portal to third-party SIEM, SOAR, or ITSM apps?** | Once Defender Experts publish managed response actions for an incident in your Microsoft 365 Defender portal, the **Assigned to** field is changed to _Customer_ and the **Status** field is updated to _Awaiting Customer Action_. You can sync these fields via the Graph Security API and then use these changes as a trigger to review the managed response actions in the Microsoft 365 Defender portal.<br><br>Managed response actions are expected to be available in the Graph Security API later this year, at which time it will be possible to sync them with your third-party apps.|

+## In other communication services

+| Questions | Answers |

+|||

+| **Can I get Defender Experts updates from Microsoft 365 Defender in email?** | Once a Defender Experts analyst publishes recommended response actions to an incident, your designated incident contacts will receive a corresponding email notification to the email addresses specified in **Settings** > **Defender Experts** > **Notification contacts** in your Microsoft 365 Defender portal.<br><br>Additionally, you can [configure a Logic App](/connectors/connector-reference/connector-reference-logicapps-connectors) to send all incident updates to your designated email address(es) automatically.|

+| **Can I get Defender Experts updates from Microsoft 365 Defender in Microsoft Teams?** | A two-way chat functionality is accessible through an incident's **Managed response** flyout panel in your Microsoft 365 Defender portal.<br><br>Additionally, you can [configure a Logic App](/connectors/connector-reference/connector-reference-logicapps-connectors) to send all incident updates to your designated email address(es) automatically.|

+| **Can I get Defender Experts updates from Microsoft 365 Defender as SMS or phone call updates, or in third-party communications services such as Slack?** | You can [configure a Logic App](/connectors/connector-reference/connector-reference-logicapps-connectors) to do this to send notifications from communication services such as Slack, Twilio, Azure Communication Services, etc.|

+### See also

+[How Microsoft Defender Experts for XDR permissions work](dex-xdr-permissions.md)

+# General information on Defender Experts for XDR service

+| **What actions can your experts take during incident investigation?** | Our expert analysts can take actions based on the roles granted to them in your Microsoft 365 Defender portal. If our analysts are granted a security reader role, they can investigate and provide managed response for your SOC team to act on. If our analysts are granted a security operator role, they can also take specific remediation actions agreed upon with your SOC team. |

+1. In the same Defender Experts settings step-by-step guide, under **Incident contact**, search for and add your contact persons or teams that we can notify for managed response actions or any communication that requires a prompt response.

+|Microsoft Defender for Identity|Full support for all identity data and actions. </br></br> **Note:** Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).|

+Through a combination of automation and human expertise, Defender Experts for XDR triages Microsoft 365 Defender incidents, prioritizes them on your behalf, filters out the noise, carries out detailed investigations, and provides actionable managed response to your security operations center (SOC) teams.

+- If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the recommended response actions on the incident on your behalf. These actions, along with an **Investigation summary**, show up in the incident's [Managed response](#how-to-use-managed-response-in-microsoft-365-defender) flyout panel in your Microsoft 365 Defender portal for you or your SOC team to review. Once our experts conclude their work on the incident, its **Status** field is then updated to _Resolved_ and the **Assigned to** field is updated to _Unassigned_.

+- If you have granted Defender Experts for XDR the default Security Reader access, then the recommended response actions, along with an **Investigation summary**, show up in the incident's **Managed response** flyout panel in your Microsoft 365 Defender portal for you or your SOC team to perform. To identify this handover, the incident's **Status** field is updated to _Awaiting Customer Action_ and **Assigned to** field is updated to _Customer_.

+### How to use managed response in Microsoft 365 Defender

+In the Microsoft 365 Defender portal, an incident that requires your attention using managed response has the **Assigned to** field set to _Customer_ and a task card on top of the **Incidents** pane. Your designated incident contacts also receives a corresponding email notification with a link to the Defender portal to view the incident. [Learn more about notification contacts](get-started-xdr.md#tell-us-who-to-contact-for-important-matters).

+Select **View managed response** on the task card or on the top of the portal page (**Managed response** tab) to open a flyout panel where you can read our experts' investigation summary, complete pending actions identified by our experts, or engage with them through chat.

+Defender Experts for XDR currently supports the following one-click managed response actions:

+Apart from these one-click actions, you can also receive managed responses from our experts that you need to perform manually.

+> Before performing any of the recommended managed response actions, make sure that they are not already being addressed by your automated investigation and response configurations. [Learn more about automated investigation and response capabilities in Microsoft 365 Defender](m365d-autoir.md).

+**To view and perform the managed response actions:**

+> The chat option is only available for incidents where we issued managed response.

+> The status of Defender Experts investigated incidents in Microsoft 365 Defender typically transitions from _Active_ to _In progress_ to _Awaiting Customer Action_, while in Sentinel, it follows the _New_ to _Active_ to _Resolved_ path. The Microsoft 365 Defender Status _Awaiting Customer Action_ does not have an equivalent field in Sentinel, instead a tag _Awaiting Customer Action_ is available in Sentinel.ΓÇ¥

+1. An incident being investigated by our experts has the **Status** listed as _Active_ and the **Owner** listed as _Defender Experts_.

+1. An incident that our experts have confirmed as a _True Positive_ has a managed response posted in Microsoft 365 Defender, and a **Tag** _Awaiting Customer Action_ and the **Owner** is listed as _Customer_. You need to act on the incident based on using the provided managed response.

+1. Once our experts have concluded their investigation and closed an incident as _False Positive_ or _Informational_, _Expected Activity_, the incident's **Status** is updated to _Resolved_, **Owner** is listed as _Customer_, and a **Reason for closing** is provided.

+- **Resolved with your help** ΓÇô The number of investigated incidents that were resolved because of your action on one or more managed response tasks.

+The **Average incident resolution time** section displays a bar chart of the average time, in minutes, our experts spent investigating and closing incidents in your environment and the average time you spent performing the recommended managed response actions.

+If you've set Defender Experts for XDR to have **Security Reader** access, the **Average incident resolution time** section also displays the estimated **Potential time savings** you could realize if you let our experts take managed remediation actions on your behalf by [providing them the permissions](get-started-xdr.md#grant-permissions-to-our-experts) to do so. The potential time savings are derived by calculating the total time it took you to complete recommended managed response actions after our experts issued them to you during your selected date range. Otherwise, if the service has **Security Operator** access, this report section displays the estimated time you already saved by granting us permission to take managed remediation actions on your behalf. To change access levels, select **Edit permissions**.

+- The **Guided response** feature in Microsoft Defender Experts for XDR has been renamed to **[Managed response](start-using-mdex-xdr.md#how-to-use-managed-response-in-microsoft-365-defender)**. We have also added a [new FAQ section](faq-incident-notifications-xdr.md#understanding-and-managing-defender-experts-for-xdr-incident-updates) on incident updates.

+ Title: Understanding overrides within the email entity page in Microsoft Defender for Office 365

+description: Shows the different overrides in the email entity page in Microsoft Defender for Office 365 to help admins troubleshoot configurations.

+audience: ITPro

+- m365-guidance-templates

+- m365-security

+- tier3

+# Understanding overrides within the email entity page in Microsoft Defender for Office 365

+Within the Microsoft Defender for Office 365 *[email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page)*, there's a wealth of useful information about an email, including if applicable the **overrides** which affected that message, and potentially the location that the message was delivered or moved to post delivery.

+

+This article is all about helping you **understand the different overrides**, how they're triggered, and helpful information for diagnosing when the effect of an override was unexpected, such as an email being blocked when no threats were found.

+## Overrides details table

+The following table lists all overrides, a description of what that override means and some starting points for troubleshooting. Not all overrides are honored, depending on the circumstance. For example an email that contains malware is automatically blocked regardless if an end user set the sender as a "safe sender". To learn more about how overrides are applied see [this table](/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined).

+| Override |Description|Notes|

+| -- | -- | -- |

+| Third Party Filter |We detected you're using a third party for your MX record and have an SCL-1 transport rule, overriding filtering and Secure by Default.||

+|Admin initiated time travel|Admin triggered investigation, which lead to zero-hour autopurge (ZAP) modifying the delivery location of messages.||

+|Antimalware policy block by file type|The file extension for an attachment within the message matched a banned file type listed in the anti-malware policy for the recipient|You may wish to tweak the file extensions listed in the Common attachments filter section of the anti-malware policy. change|

+|Antispam policy settings|The message matched a custom option in the anti-spam policy for the recipient. For example: "SPF record: hard fail" or "Empty messages".|Check the "Mark as spam" options in the anti-spam policy for the affected recipient.|

+|Connection policy|The message originated from an allowed / blocked IP within your connection filter policy.|Check the "Connection filter policy" within the anti-spam policies section of the security portal.|

+|Exchange transport rule|The message matched a custom transport rule that affected the final delivery location.|You can use the email entity page, or Exchange message trace to highlight which transport rule was triggered.|

+|Exclusive mode (User override)|The recipient has chosen to mark all messages as spam unless they're received from a sender in their trusted contact list.|The recipient has likely configured: "Don't trust email unless it comes from someone in my Safe Senders and Recipients list" within the Junk email settings in Outlook or OWA.|

+|Filtering skipped due to on-premises organization|The message was marked as nonspam by your Exchange on-premises environment before being delivered to Exchange Online|You should review your on-premises environment to locate the source of the override.|

+|IP region filter from policy|The message was detected as coming from a country/region that an admin has selected to block in the anti-spam policy for the recipient.|Modify the "From these countries/regions" option within the anti-spam policy applied to the affected recipient.|

+|Language filter from policy|The message was detected as containing a language that an admin has selected to block in the anti-spam policy for the recipient.|Modify the "Contains specific languages" option within the anti-spam policy to the affected recipient.|

+|Phishing simulation|The message met the criteria defined by an administrator to be considered a phishing simulation message.|Criteria are within the "Phishing simulation" tab within Advanced delivery in the security portal.|

+|Quarantine release| The recipient or an administrator released this message from quarantine.||

+|SecOps Mailbox|The message was sent to the specific security operations mailbox defined by an administrator.|Mailboxes are defined within the "SecOps mailbox" tab within Advanced delivery in the security portal.|

+|Sender address list (Admin Override)|The message matched an entry in the allowed/blocked senders within the anti-spam policy for the recipient.|Check the "Allowed and blocked senders and domains" section of the relevant anti-spam policy. (allows with this method aren't recommended).|

+|Sender address list (User override)|The recipient has manually set this sender address to be delivered to the inbox (allowed) or junk email folder (blocked).|The recipient has likely configured "Safe senders and domains" or "Blocked senders and domains" within the Junk email settings in Outlook or OWA.|

+|Sender domain list (Admin Override)|The message matched an entry in the allowed/blocked domains within the anti-spam policy for the recipient.|Check the "Allowed and blocked senders and domains" section of the relevant anti-spam policy. (allows with this method aren't recommended).|

+|Sender domain list (User override)|The recipient has manually set the sending domain to be delivered to the inbox (allowed) or junk email folder (blocked).|The recipient has likely configured "Safe senders and domains" or "Blocked senders and domains" within the Junk email settings in Outlook or OWA.|

+|Tenant Allow/Block List file|An entry was matched for a file hash listed in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal.|

+|Tenant Allow/Block List sender email address|An entry was matched for a sender address listed in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal.|

+|Tenant Allow/Block List spoof|An entry was matched for spoof detection in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal.|

+|Tenant Allow/Block List URL| An entry was matched for a URL listed in the Tenant allow/block list.|Review the entires within the "Tenant Allow/Block Lists" page within the security portal.|

+|Trusted contact list (User override)|The recipient has chosen to mark contacts in their contacts folder as trusted senders automatically.|The recipient has likely configured: "Trust email from my contacts" within the Junk email settings in Outlook or OWA.|

+|Trusted domain (User override)|The recipient has added this domain to their safe recipients list within Outlook, emails sent to this domain aren't treated as junk email.|The recipient has likely configured "Safe Recipients" within Outlook's Junk email options.|

+|Trusted recipient (User override)|The recipient has added this sender to their safe recipients list within Outlook, emails sent to this sender aren't treated as junk email.|The recipient has likely configured "Safe Recipients" within Outlook's Junk email options.|

+|Trusted senders only (User override)|This override has same behavior as the Exclusive mode (User override), primarily used in outlook.com.|See "Exclusive mode (User override)"|

+## Next steps

+You can find a similar detailed table covering all the different detection technologies at [aka.ms/emailtech](/microsoft-365/security/office-365-security/step-by-step-guides/understand-detection-technology-in-email-entity).

+In Microsoft Syntex, you can create a rule to automatically set the content type for a file when it's added to a document library.

+## Syntex processing rules

+[Create a rule to move or copy a file from one document library to another](content-processing-create-rules.md)

+[Create a rule to set a content type when a file is added to a document library](content-processing-content-type.md)

+ Title: Microsoft Syntex Optical Character Recognition (ΓÇ£OCRΓÇ¥) Feature Preview Agreement

+audience: admin

+search.appverid:

+ms.localizationpriority: medium

+description: Read the Microsoft Syntex Optical Character Recognition (ΓÇ£OCRΓÇ¥) Feature Preview Agreement.

+# Microsoft Syntex Optical Character Recognition (ΓÇ£OCRΓÇ¥) Feature Preview Agreement

+**<ins>The purpose of this Agreement</ins>**. We intend to enter discussions in which Company may provide input in connection with Microsoft offerings as described below. This Agreement clarifies our respective rights and obligations regarding that input. We agree that Company providing or Microsoft using input is voluntary.

+Input is all suggestions, comments, feedback, ideas, or know how, in any form, that Company provides to Microsoft. It doesn't include sales forecasts, financial results, future release scheduled, marketing plans and high-level product plans or feature lists for anticipated products.

+**MICROSOFT OFFERING:**

+The optical character recognition (OCR) service in Microsoft Syntex lets you extract printed or handwritten text from images, such as posters, drawings, and product labels, as well as from documents like articles, reports, forms, and invoices. Syntex OCR uses AI to extract text from customers' images, whether in OneDrive and SharePoint, Exchange emails, or Teams messages. This text extraction is done on a pay-as-you-go basis (each page of an image costs $0.001) using the latest tech from Azure Cognitive Services. Global and SharePoint admins can configure Syntex OCR in the Microsoft Admin Center, and Compliance admins can also configure OCR in Microsoft Purview as they may need the capability for different scenarios and/or not want to leave Purview admin. The Syntex OCR service will honor settings from either admin experience, keeping the extracted text and not charging the customer twice even if it's configured in multiple places within admin.

+The OCR service supports more thanΓÇ»[150 languages](/azure/ai-services/language-support).

+**FEATURE PREVIEW:** Company agrees that by using this Preview Feature Company has accepted these terms. To terminate this Preview, don't use the Preview Feature. Microsoft may change or discontinue the Preview Feature at any time with or without notice. Microsoft may also choose not to make the Preview Feature generally commercially available.

+No SLA applies to this Feature Preview.

+THE PREVIEW FEATURE IS PROVIDED ΓÇ£AS-IS,ΓÇ¥ ΓÇ£WITH ALL FAULTS,ΓÇ¥ AND ΓÇ£AS AVAILABLE.ΓÇ¥ Microsoft provides no performance guarantee for the Feature Preview (including accompanying URLs provided for embedded or unauthenticated viewing) and Company bears the risk of using it. The Feature Preview isn't included in the SLA for Microsoft Syntex and may not be covered by customer support.

+**<ins>LICENSE</ins>**

+If Company provides Input, including feedback, Company grants to Microsoft, without charge, the nonexclusive License to make, modify, distribute, or otherwise commercialize the Input as part of any Microsoft offering.

+Company retains all right, title and interest in and to the Input. The above License doesn't extend to any technologies that may also be necessary to make or use any offering or portion thereof that incorporates the Input but aren't themselves expressly part of the Input (for example, enabling technologies).

+**<ins>PAYMENT TERMS</ins>**

+Syntex OCR services use pay-as-you-go billing through an Azure subscription. Syntex OCR services billing is determined the number of pages processed for images (JPEG, JPG, PNG, or BMP); the number of pages processed for PDF, TIF, or TIFF; or the number of embedded images in Teams chats and email messages. Each of these counts as one transaction. Processing occurs every time the file is edited. Company will be able to view this usage as meter events through the Azure subscription it chooses.

+Syntex OCR services Feature Preview pricing is as follows:

+|OCR Meters |Meter |Price |

+|||--|

+|Pages Processed |Optical character recognition (Preview) |$0.001/Transaction |

+Prerequisites to enable Syntex OCR services pay-as-you-go are:

+&emsp;(i) An Azure subscription with admin access as owner or contributor on the subscription;ΓÇ»

+&emsp;(ii) A SharePoint tenant ID;

+&emsp;(iii) An Azure resource group;

+&emsp;(iv) The ability to run PowerShell cmdlets to configure billing; and

+&emsp;(v) A Microsoft Entra appID in the same tenancy.ΓÇ»

+**<ins>INFORMATION USE AND DISCLOSURE</ins>**

+With respect to the Syntex OCR services, Microsoft may access or disclose information about Company, its account, and the content of its communications in order to:

+&emsp;a) provide, operate, and improve Microsoft services;

+&emsp;b) comply with the law or respond to lawful requests or legal process; or

+&emsp;c) protect the rights or property of Microsoft or our customers, including the enforcement of MicrosoftΓÇÖs agreements or policies governing the use of the Syntex OCR services.

+**<ins>Data Processing and Transfers</ins>**

+To the extent Microsoft is a processor of Personal Data subject to the European UnionΓÇÖs General Data Protection Regulation (ΓÇ£GDPRΓÇ¥), the GDPR Terms set forth in Attachment 1 govern that processing and the parties also agree to the following terms. For the purpose of this section, the term ΓÇ£Personal DataΓÇ¥ means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person:

+a) Processing Details. The parties acknowledge and agree that:

+&emsp;i. The subject-matter of the processing is limited to Personal Data within the scope of GDPR;

+&emsp;ii. The duration of the processing shall be for the duration of the CompanyΓÇÖs right to participate in the Feature Preview Program and until all Personal Data is deleted or returned in accordance with Company instructions or this Agreement;

+&emsp;iii. The nature and purpose of the processing shall be to provide the Syntex OCR services pursuant to the Agreement;

+&emsp;iv. The types of Personal Data processed by the Feature Preview Program include those expressly identified in Article 4 of the GDPR to the extent included by CompanyΓÇÖs data; and

+&emsp;v. The categories of data subjects are CompanyΓÇÖs representatives and end users, such as employees, contractors, collaborators, and customers.

+b) Data Transfers.

+&emsp;i. CompanyΓÇÖs data, and Personal Data that Microsoft processes on CustomerΓÇÖs behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. Company appoints Microsoft to perform any such transfer of Company data and Personal Data to any such country and to store and process data and Personal Data to provide the Syntex OCR services.

+&emsp;ii. Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.

+&emsp;iii. In addition, Microsoft is certified to meet the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify Company in the event that it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.

+**<ins>Acknowledgments and Consent by Company</ins>**

+If Company collects, stores, or processes Personal Data when using Syntex OCR services, Company agrees to comply with all privacy and data protection laws, taking into account the nature of the information to be processed, as well as the features and limitations of the Feature Preview Program as described in this Agreement or as otherwise provided to Company.

+**<ins>Pre-Release Service Features and Privacy Choice</ins>**

+Company affirms that it has obtained or will obtain any required consents from data subjects who may participate in CompanyΓÇÖs use of the Feature Preview Program. Company must not allow Personal Data to be collected through use of the Syntex OCR services in jurisdictions or industries where the Feature Preview attributes described herein would make such use contrary to applicable law. The Feature Preview may employ lesser or different security measures than those present in MicrosoftΓÇÖs existing commercial versions of Microsoft software or Online Services or expected to be present in future commercial versions of the software and Online Services. Without limiting the foregoing, security disclosures or independent security certifications applicable to existing commercial versions of the software and Online Services don't apply to the Feature Preview.

+**<ins>LENGTH OF OBLIGATIONS; DISCLOSURE</ins>**

+**Termination.** This Agreement continues in effect until <ins>December 31, 2023, or until the Preview Feature is generally commercially available to the public</ins>. Either of us may terminate this Agreement, or any input schedule, for any reason by 1) by Microsoft providing Company with 10 daysΓÇÖ advance notice, or 2) Company stops using the Preview Feature. Termination of this Agreement or any Input schedule won't change any of the rights, licenses granted, or duties made while this Agreement or input schedule is in effect.

+**Effects upon Termination.** Once terminated, Company will no longer use Syntex OCR services.

+This Agreement can't be extended. Microsoft may also choose not to make the Preview Feature generally commercially available.

+**Disclosure.** The Parties agree to keep confidential the terms of this Agreement and only disclose information to relevant parties limited to the extent necessary for the good execution of this Agreement, as well as the source of the Input.

+**Disclosing if required by law; or other action.** Each of us may disclose the confidential information described above if required to comply with a court order or other government demand that has the force of law or if in the context of an actual or threatened infringement or other action related to this Agreement or the Input. Before doing so, each of us must seek the highest level of protection available and, when possible, give the other enough prior notice to provide a reasonable chance to seek a protective order.

+**<ins>REPRESENTATIONS AND LIMITATIONS</ins>**

+**Input.** Company represents that it will not give any Input that:

+ 1. Violates any copyright or trade secret claim or right of any third party;

+ 2. It has reason to believe violates any patent claim or right of any third party; or

+ 3. Is subject to an excluded license.

+**Authority.** Company represents it has all rights and authority necessary to sign this Agreement and grant the rights in it for itself and its affiliates.

+**Limitations.** All information, materials and input are provided ΓÇ£as-isΓÇ¥ and Microsoft bears the risk of using them; Company gives no express warranties, guarantees or conditions as to its Input; and to the extent permitted under local law, Company excludes the implied warranties of merchantability, fitness for a particular purpose, title and non-infringement as to its Input.

+**<ins>LIMITATIONS ON AND EXCLUSIONS OF REMEDIES AND DAMAGES</ins>**

+Except as described herein, the only remedy either of us has for claims relating to this Agreement is to terminate it. Neither of us can recover any damages, including direct, consequential, lost profits, special, punitive, indirect or incidental damages from the other. This limitation applies:

+ 1. To claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

+ 2. Even if one of us knew or should have known about the possibility of the damages.

+The limitations in this section doesn't apply to claims arising from or in connection with any infringement, misuse or misappropriation by one of us of the otherΓÇÖs intellectual property rights.

+**<ins>GENERAL RIGHTS AND OBLIGATIONS</ins>**

+**Notices.** Notices may be provided either by electronic or physical mail. Each of us designates the persons specified on the last page of this Agreement to receive notices. Each of us may specify changes by giving notice to the other.

+**Law that applies; jurisdiction and venue.** The laws of the State of Washington govern this Agreement. If federal jurisdiction exists, each of us consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If not, each of us consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington.

+**Waiver.** Any delay or failure of either of us to exercise a right or remedy won't result in a waiver of that, or any other, right or remedy.

+**Breach.** Each of us agrees that the other may seek court orders to stop any breach of this Agreement.

+**AttorneysΓÇÖ fees.** In any dispute relating to this Agreement the prevailing party will be entitled to recover reasonable attorneys' fees and costs.

+**No Assignment.** Neither of us may assign this Agreement, by operation of law, or otherwise, without the prior, written approval of the other.

+**Enforceability.** If any provision of this Agreement is unenforceable, the parties (or, if we can't agree, a court) will modify this Agreement to revise it so that it can be enforced. Even if no revision is possible, the rest of this Agreement will remain in place.

+**Entire Agreement.** This Agreement includes all exhibits and schedules. If Company has entered into a license agreement for use of any Microsoft offering, that license agreement will govern its use of the Microsoft offering, and any feedback given to Microsoft under that license agreement. With these exceptions, this is the entire agreement between us regarding the Input. It replaces all other agreements and understandings regarding the subject matter of this Agreement.

+&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;**Attachment 1 ΓÇô GDPR Terms**

+For purposes of these GDPR Terms, Company and Microsoft agree that Company is the controller of Personal Data and Microsoft is the processor of such data, except when Company acts as a processor of Personal Data, in which case Microsoft is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on behalf of Company. These GDPR Terms don't limit or reduce any data protection commitments Microsoft makes to Company in other agreements between Microsoft and Company. These GDPR Terms don't apply where Microsoft is a controller of Personal Data.

+**Relevant GDPR Obligations: Articles 28, 32, and 33**

+1) Microsoft shall not engage another processor without prior specific or general written authorization of Company. In the case of general written authorization, Microsoft shall inform Company of any intended changes concerning the addition or replacement of other processors, thereby giving Company the opportunity to object to such changes. (Article 28(2))

+2) Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter ΓÇ£UnionΓÇ¥) or Member State law and are binding on Microsoft with regard to Company. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Company are set forth in the Agreement, including these GDPR Terms. In particular, Microsoft shall:

+&emsp;&emsp;&emsp;a. process the Personal Data only on documented instructions from Company, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform Company of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

+&emsp;&emsp;&emsp;b. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

+&emsp;&emsp;&emsp;c. take all measures required pursuant to Article 32 of the GDPR;

+&emsp;&emsp;&emsp;d. respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;

+&emsp;&emsp;&emsp;e. taking into account the nature of the processing, assist Company by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the CompanyΓÇÖs obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;

+&emsp;&emsp;&emsp;f. assist Company in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft;

+&emsp;&emsp;&emsp;g. at the choice of Company, delete or return all the Personal Data to Company after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;

+&emsp;&emsp;&emsp;h. make available to Company all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company.

+3) Microsoft shall immediately inform Company if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))

+4) Where Microsoft engages another processor for carrying out specific processing activities on behalf of Company, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfill its data protection obligations, Microsoft shall remain fully liable to the Company for the performance of that other processor's obligations. (Article 28(4))

+5) Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company and Microsoft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

+&emsp;&emsp;&emsp;a. the pseudonymization and encryption of Personal Data;

+&emsp;&emsp;&emsp;b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

+&emsp;&emsp;&emsp;c. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

+&emsp;&emsp;&emsp;d. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1))

+6) In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. (Article 32(2))

+7) Company and Microsoft shall take steps to ensure that any natural person acting under the authority of Company or Microsoft who has access to Personal Data doesn't process them except on instructions from Company, unless he or she is required to do so by Union or Member State law. (Article 32(4))

+8) Microsoft shall notify Company without undue delay after becoming aware of a Personal Data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microsoft.

+Before you configure the OCR service, read the [Syntex OCR preview terms and conditions](ocr-preview-terms.md).